Configure domain pass-through authentication with Kerberos

This topic applies only to connections between Citrix Workspace app for Windows and StoreFront, and Citrix Virtual Apps and Desktops.

Citrix Workspace app supports Kerberos for domain pass-through authentication for deployments that use smart cards. Kerberos is one of the authentication methods included in Integrated Windows Authentication (IWA).

When enabled, Kerberos authenticates Citrix Workspace app without passwords, which prevents Trojan horse-style attacks on the user device that try to gain access to passwords. Users can log on using any authentication method, for example a biometric authenticator such as a fingerprint reader, and access published resources.

When you log on using a smart card to Citrix Workspace app, StoreFront, and Citrix Virtual Apps and Desktops configured for smart card authentication, the Citrix Workspace app:

  1. Captures the smart card PIN during Single Sign-on
  2. Uses IWA (Kerberos) to authenticate the user to StoreFront. StoreFront then provides your Workspace app with information about the available Citrix Virtual Apps and Desktops.


    Enable Kerberos to avoid an extra PIN prompt. If Kerberos authentication is not used, Citrix Workspace app authenticates to StoreFront using the smart card credentials.

  3. The HDX engine (previously referred to as the ICA client) passes the smart card PIN to the VDA to log the user on to the Citrix Workspace app session. Citrix Virtual Apps and Desktops then delivers the requested resources.

To use Kerberos authentication with Citrix Workspace app, make sure your Kerberos configuration conforms to the following.

  • Kerberos works only between Citrix Workspace app and servers that belong to the same or to trusted Windows Server domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users and Computers management tool.
  • Kerberos must be enabled both on the domain and on Citrix Virtual Apps and Desktops. For enhanced security and to ensure that Kerberos is used, disable any non-Kerberos IWA options on the domain.
  • Kerberos log on is not available for Remote Desktop Services connections that are configured to use either Basic authentication, always use specified logon information, or always prompt for a password.
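One way to confirm that logons to the StoreFront server actually used Kerberos rather than another IWA method such as NTLM, as an added example (not from the Citrix documentation): the PowerShell below classifies Windows Security event 4624 records by authentication package. The function name and the sample events, including their user names and addresses, are constructed for illustration, and the example assumes IWA requests appear as network logons (type 3).

```powershell
# Added example, not Citrix code. Classifies Security 4624 (logon) events by the
# authentication package that was negotiated, so non-Kerberos logons stand out.
function Get-LogonAuthPackage {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # EventData holds <Data Name="...">value</Data> pairs; index them by name.
        $data = @{}
        foreach ($d in $evt.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Assumption: only network logons (type 3) are of interest here.
        if ($data['LogonType'] -ne '3') { return }
        [pscustomobject]@{
            User     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source   = $data['IpAddress']
            Package  = $data['AuthenticationPackageName']
            Kerberos = ($data['AuthenticationPackageName'] -eq 'Kerberos')
        }
    }
}

# Constructed sample events (trimmed to the fields the function reads).
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><EventData>
<Data Name="TargetUserName">{0}</Data><Data Name="TargetDomainName">EXAMPLE</Data>
<Data Name="LogonType">3</Data><Data Name="AuthenticationPackageName">{1}</Data>
<Data Name="IpAddress">{2}</Data></EventData></Event>
'@
$sample = @(
    ($template -f 'alice', 'Kerberos', '192.0.2.10'),
    ($template -f 'bob',   'NTLM',     '192.0.2.11')
)

$results = $sample | Get-LogonAuthPackage
$results | Format-Table -AutoSize

# Logons that did not use Kerberos and are worth investigating.
$results | Where-Object { -not $_.Kerberos }

# Against a live Security log (run elevated on the server being checked):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
#     ForEach-Object { $_.ToXml() } | Get-LogonAuthPackage |
#     Where-Object { -not $_.Kerberos }
```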


Using Registry Editor incorrectly might cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Ensure you back up the registry before you edit it.

Configure domain pass-through authentication with Kerberos for use with smart cards

See the smart card information present in the Secure your deployment section in the Citrix Virtual Apps and Desktops documentation before continuing.

When you install Citrix Workspace app for Windows, include the following command-line option:

  • /includeSSON

    This option installs the Single Sign-on component on the domain-joined computer, enabling your workspace to authenticate to StoreFront using IWA (Kerberos). The Single Sign-on component stores the smart card PIN, which is used by the HDX engine when it remotes the smart card hardware and credentials to Citrix Virtual Apps and Desktops. Citrix Virtual Apps and Desktops automatically selects a certificate from the smart card and obtains the PIN from the HDX engine.

    A related option, ENABLE_SSON, is enabled by default.

If a security policy prevents you from enabling Single Sign-on on a device, configure Citrix Workspace app using the Group Policy Object administrative template.

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Choose Administrative Templates > Citrix Components > Citrix Workspace > User authentication > Local user name and password.
  3. Select Enable pass-through authentication.
  4. Restart Citrix Workspace app for the changes to take effect.


To configure StoreFront:

When you configure the authentication service on the StoreFront server, select the Domain pass-through option. That setting enables Integrated Windows Authentication. You do not need to select the Smart card option unless you also have non-domain-joined clients connecting to StoreFront using smart cards.

For more information about using smart cards with StoreFront, see Configure the authentication service in the StoreFront documentation.
