Secure Private Access installer
The Secure Private Access 2405 installer is available as a standalone installer that installs/upgrades only the Secure Private Access component.
Note:
Secure Private Access 2405 can also be installed through the meta installer using the MSIs. For details, see https://www.citrix.com/downloads/citrix-secure-private-access/spa-onprem-standalone/spa-2405.html.
Admin account requirements to install and manage Secure Private Access
- To install Secure Private Access, you must be logged in with a local machine administrator account.
- To set up Secure Private Access, you must sign into the Secure Private Access admin console with a domain user which is also a local machine administrator for the machine where Secure Private Access is installed.
- After the setup is complete, that user becomes the first Secure Private Access administrator and can then add other administrators.
- To manage Secure Private Access after the setup, you must sign into the Secure Private Access admin console with a Secure Private Access administrator account.
Perform the following steps to install Secure Private Access:
- Download the Secure Private Access 2405 installer from https://www.citrix.com/downloads/citrix-secure-private-access/spa-onprem-standalone/.
- Run the .exe as an administrator on a domain joined machine.
-
Follow the on-screen instructions to complete the installation.
Note:
For POC purposes, it is recommended that you install Secure Private Access on the same machine on which StoreFront is installed.
-
Follow the on-screen instructions to complete the installation.
Once the installation is complete, the first-time setup admin console opens automatically in the default browser window. You can click Continue to set up Secure Private Access.
You can also see the Secure Private Access shortcut on the desktop Start menu (Citrix > Citrix Secure Private Access).
SSO to admin console
It is recommended that you configure Kerberos authentication for the browser that you use for the Secure Private Access admin console. This is because Secure Private Access uses Integrated Windows Authentication (IWA) for its admin authentication.
If Kerberos authentication isn’t set, you’re prompted by the browser to enter your credentials when accessing the Secure Private Access admin console.
- If you enter your credentials, you enable Integrated Windows Authentication (IWA) sign on.
- If you do not enter your credentials, you’re presented with the Secure Private Access sign-on page.
You must sign into the admin console to continue with the Secure Private Access setup. You can set up Secure Private Access with any user who belongs to the same domain as the installation machine, if the user has local administrator privileges on the installation machine.
For Google Chrome and Microsoft Edge browsers, perform the following steps to enable Kerberos.
- Open Internet Options.
- Select the Security tab and click Local Intranet Zone.
-
Click Sites and add the Secure Private Access URL.
You can also use a wildcard if planning to install Secure Private Access on multiple machines. For example,
"https://*.fabrikam.local". -
Click Custom Level and in User Authentication > Logon, select Automatic logon with current user name and password.
Note:
- If using Chrome Incognito sessions, create a DWORD registry key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\AmbientAuthenticationInPrivateModesEnabled and set to value 1.
- You must restart all Chrome windows (including non-Incognito windows) before Kerberos gets enabled for the Incognito mode.
- For other browsers, check the specific browser’s documentation on Kerberos authentication.