Enhanced domain pass-through for single sign-on (Enhanced SSO)

Previously, Citrix Workspace app for Windows supported only SSON or domain pass-through authentication for single sign-on to Citrix Virtual Apps and Desktops environments using user credentials. With this authentication, the user authenticates to the domain on their device and then uses their virtual apps and desktops without having to authenticate again.

This approach of domain pass-through using user credentials has the following limitations:

  • Doesn’t support passwordless authentication with modern authentication methods such as Windows Hello or FIDO2. An additional component called the Federated Authentication Service (FAS) is required for single sign-on (SSO).
  • Installation or upgrade of Citrix Workspace app with SSON enabled requires a reboot of the device.
  • Requires Multi Provider Router (MPR) notifications to be enabled on Windows 11 machines.
  • Citrix Workspace app must be at the top of the network provider order list.

With this release, Citrix Workspace app supports enhanced domain pass-through, a new SSO method. It uses Kerberos authentication instead of user credentials and overcomes the limitations listed above. Users can now sign in to Citrix Virtual Apps and Desktops and to StoreFront using Integrated Windows Authentication.

Note:

This feature isn’t supported on 32-bit Windows 10 and on Windows Server 2016.

System requirements

  • Citrix Workspace app 2309 or later
  • Citrix Virtual Apps and Desktops 2308 or later

Supported VDA OS versions

  • For multi-session:

    • Windows Server 2019
    • Windows Server 2022
  • For single-session:

    • Windows 10 version 22H2
    • Windows 11 version 22H2

Prerequisites

  • The client or endpoint must be connected to the domain.
  • Requires a direct line of sight to Active Directory.

StoreFront and DDC settings

Set up a domain pass-through environment using the following settings:

Note:

You can skip this step if you have already configured the domain pass-through in your environment.

  1. Enable Domain pass-through on StoreFront. When Citrix Workspace app is configured on the StoreFront:

    1. Open StoreFront Studio.
    2. Go to Store > Manage Authentication methods.
    3. Enable Domain pass-through.

    Or, when using Citrix Workspace app through the browser:

    1. Open StoreFront.
    2. Open Stores > Receiver for Websites > Manage Authentication methods.
    3. Enable Domain pass-through.

  2. Enable the Enhanced domain passthrough for single sign on policy on the DDC.

  3. Click OK.

VDA settings

  1. On the VDA, navigate to Computer Configuration\Administrative Templates\System\Credentials Delegation.
  2. Enable the Remote host allows delegation of non-exportable credentials Windows policy on the VDA.
  3. Reboot the VDA machine.

Client settings

  1. Ensure that the client machine is domain joined.
  2. Ensure that the client machine is 64-bit.
  3. Open Group Policy Editor.
  4. Navigate to Computer Configuration\Administrative Templates\Citrix Components\Citrix Workspace\User Authentication.
  5. Configure the Enhanced Domain passthrough for single sign-on group policy.

  6. Modify the Internet Options settings on the client.

Note:

You can skip this step if you have already configured the domain pass-through in your environment.

  1. Add the StoreFront server to the list of trusted sites using Internet Options. To add:

    1. Open Internet Options from the Control Panel > Network and Internet.
    2. Click Security > Local Intranet and click Sites. The Local Intranet window appears.
    3. Click the Advanced tab.
    4. Add the URL of the StoreFront FQDN with the appropriate HTTP or HTTPS protocols.
    5. Click Close and OK.
  2. Modify the User Authentication settings in Internet Explorer. To modify:

    1. Open Internet Options from the Control Panel > Network and Internet.
    2. Click Security tab > Local Intranet.
    3. Click Custom level. The Security Settings – Local Intranet Zone window appears.
    4. In the User Authentication pane, select Automatic logon with current user name and password.

  3. Click OK.
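The following PowerShell script is an added example, not part of the Citrix documentation: run with `-Role Client` on an endpoint, it checks the prerequisites (domain joined, 64-bit, line of sight to Active Directory) and the two Internet Options settings above by reading the standard Windows zone registry values; run with `-Role VDA` on a VDA, it checks the credential delegation policy. The StoreFront FQDN is a constructed placeholder, and the Citrix client group policy itself is not checked because its registry location is not given on this page.

```powershell
param(
    [ValidateSet('Client', 'VDA')] [string] $Role = 'Client',
    [string] $StoreFrontFqdn = 'storefront.example.com'   # constructed placeholder; use your StoreFront FQDN
)

# Collect a pass/fail result for each prerequisite or setting.
$script:checks = @()
function Add-Check([string] $Name, [bool] $Passed, [string] $Detail) {
    $script:checks += [pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

if ($Role -eq 'Client') {
    # Prerequisites: domain joined, 64-bit, and a domain controller reachable (needs elevation).
    $cs = Get-CimInstance Win32_ComputerSystem
    Add-Check 'Domain joined' $cs.PartOfDomain $cs.Domain
    Add-Check '64-bit OS' ([Environment]::Is64BitOperatingSystem) (Get-CimInstance Win32_OperatingSystem).Caption
    try   { $adReachable = Test-ComputerSecureChannel -ErrorAction Stop }
    catch { $adReachable = $false }
    Add-Check 'Line of sight to Active Directory' $adReachable 'Test-ComputerSecureChannel'

    # Internet Options: the StoreFront FQDN must be in the Local intranet zone (zone 1).
    # The Sites dialog stores host.domain.tld as ZoneMap\Domains\domain.tld\host with a
    # DWORD per scheme (http/https) whose value is the zone number.
    $labels    = $StoreFrontFqdn.Split('.')
    $hostLabel = $labels[0]
    $domain    = ($labels | Select-Object -Skip 1) -join '.'
    $zoneKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain\$hostLabel"
    $zone      = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    $inIntranet = ($null -ne $zone) -and (($zone.https -eq 1) -or ($zone.http -eq 1))
    Add-Check 'StoreFront in Local intranet zone' $inIntranet $zoneKey

    # Zone 1 logon setting (value name 1A00): 0 = automatic logon with current user name
    # and password, 0x20000 = automatic logon only in Intranet zone, 0x10000 = prompt.
    $zone1 = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1' -ErrorAction SilentlyContinue
    $logon = $zone1.'1A00'
    Add-Check 'Automatic logon with current user name and password' ($logon -eq 0) "1A00 = $logon"
}
else {
    # "Remote host allows delegation of non-exportable credentials" writes AllowProtectedCreds = 1.
    $cd = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' -ErrorAction SilentlyContinue
    Add-Check 'Delegation of non-exportable credentials allowed' ($cd.AllowProtectedCreds -eq 1) "AllowProtectedCreds = $($cd.AllowProtectedCreds)"
}

$script:checks | Format-Table -AutoSize
if ($script:checks.Passed -contains $false) { exit 1 }
```

Settings pushed by Group Policy live under the HKLM and HKCU Policies hives instead of the paths read here, so a failed check on a GPO-managed machine should be confirmed in gpedit before changing anything.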
