Citrix Cloud

Secure Workspace Access with Connector Appliance

Use Citrix Secure Workspace Access to provide a cohesive experience that integrates single sign-on, remote access, and content inspection into a single solution for end-to-end access control.

To configure Secure Workspace Access with Connector Appliance, complete the following steps:

  1. Install 2 or more Connector Appliances in your Resource Location.

    For more information about setting up your Connector Appliances, see Connector Appliance for Cloud Services.

  2. If you need to configure Secure Workspace Access to connect to on-premises web apps by using KCD, configure KCD by completing the following steps:

    1. Join your Connector Appliance to an Active Directory domain.

      Joining an Active Directory forest enables you to use Kerberos Constrained Delegation (KCD) when configuring Secure Workspace Access, but it does not enable identity requests or authentication to use the Connector Appliance.

      1. Connect to the Connector Appliance administration webpage in your browser by using the IP address provided in the Connector Appliance console.

      2. In the Active Directory domains section, click + Add Active Directory domain.

        If you don’t have an Active Directory domains section in your administration page, contact Citrix to request enrollment in the preview.

      3. Enter the domain name in the Domain Name field. Click Add.

      4. The Connector Appliance checks the domain. If the check is successful, the Join Active Directory dialog opens.

      5. Enter the user name and password of an Active Directory user that has join permission for this domain.

      6. The Connector Appliance suggests a machine name. You can choose to override the suggested name and provide your own machine name that is up to 15 characters in length. Make a note of the machine account name.

        This machine name is created in the Active Directory domain when the Connector Appliance joins it.

      7. Click Join.

    2. On your Active Directory controller, follow the instructions in Prerequisites to set up KCD in your data center, starting from step 2, before configuring KCD on Citrix Gateway Connector.

      Use the machine account name instead of creating a new user account.

  3. Follow the Citrix Secure Workspace Access documentation to set up the Citrix Secure Workspace Access service. During setup, Citrix Cloud recognizes the presence of your Connector Appliances and uses them to connect your resource location.

    For more information, see the following webpages:

    1. Get started with Citrix Secure Workspace Access
    2. Configure Citrix Secure Workspace Access

      Where this article refers to information about the Cloud Connector (prerequisite #4), instead see the Connector Appliance documentation:

    3. Support for Enterprise web apps

Validating your Kerberos configuration

If you use Kerberos for single sign-on, you can verify that the configuration on your Active Directory controller is correct from the Connector Appliance administration page. The Kerberos validation feature enables you to validate a Kerberos realm-only mode configuration or a Kerberos Constrained Delegation (KCD) configuration.

  1. Go to the Connector Appliance administration page.
    1. From the Connector Appliance console in your hypervisor, copy the IP address to your browser address bar.
    2. Enter the password you set when you registered your Connector Appliance.
  2. From the Admin menu on the top right, select Kerberos Validation.
  3. In the Kerberos Validation dialog, choose the Kerberos Validation Mode.
  4. Specify or select the Active Directory Domain.
    • If you are validating a Kerberos realm-only mode configuration, you can specify any Active Directory domain.
    • If you are validating a Kerberos Constrained Delegation configuration, you must select from a list of domains in the joined forest.
  5. Specify the Service FQDN. The default service name is assumed to be “http”. If you specify “”, this is considered the same as “http/”.
  6. Specify the Username.
  7. If you are validating a Kerberos realm-only mode configuration, specify the Password for that user name.
  8. Click Test Kerberos.

If the Kerberos configuration is correct, you see the message “Successfully validated Kerberos setup”. If the Kerberos configuration is not correct, you see an error message that provides information about how the validation failed.
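
The Kerberos validation above runs from the Connector Appliance side. As a complementary check on the Active Directory side, the following added example (not part of the Citrix documentation) audits the delegation settings of the machine account created when the appliance joined the domain. The account name and the expected SPN list are placeholder assumptions; it requires the RSAT ActiveDirectory PowerShell module.

```powershell
# Added example: audit delegation on the Connector Appliance machine account.
Import-Module ActiveDirectory

# Placeholders (assumptions, replace with your own values):
$MachineAccount = 'CONNECTOR01'                      # machine name noted during the domain join
$ExpectedSpns   = @('http/webapp.example.internal')  # SPNs of the web apps that use KCD

$computer = Get-ADComputer -Identity $MachineAccount -Properties `
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# SPNs this account may delegate to (empty array when none are configured).
$allowed  = @($computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
$findings = @()

# KCD must be constrained: unconstrained delegation lets the account
# impersonate users to any service in the domain.
if ($computer.TrustedForDelegation) {
    $findings += 'Unconstrained delegation is enabled on the machine account.'
}

if ($allowed.Count -eq 0) {
    $findings += 'No delegation targets are configured (msDS-AllowedToDelegateTo is empty).'
}

# -notin compares case-insensitively, which matches how SPNs are compared.
$unexpected = @($allowed      | Where-Object { $_ -notin $ExpectedSpns })
$missing    = @($ExpectedSpns | Where-Object { $_ -notin $allowed })

if ($unexpected.Count -gt 0) {
    $findings += 'Delegation allowed to SPNs not in the expected list: ' + ($unexpected -join ', ')
}
if ($missing.Count -gt 0) {
    $findings += 'Expected SPNs missing from the delegation list: ' + ($missing -join ', ')
}

# Summary object: review Findings, and compare ProtocolTransition with the
# delegation option chosen while following the KCD prerequisites.
[pscustomobject]@{
    Account            = $computer.SamAccountName
    ProtocolTransition = $computer.TrustedToAuthForDelegation
    AllowedToDelegate  = $allowed
    Findings           = if ($findings.Count) { $findings } else { 'None' }
}
```

Run it again after changing the web apps published through Secure Workspace Access, so that the delegation list stays limited to the services that need it.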
