Configure domain pass-through authentication

Single Sign-on lets you authenticate to a domain and use Citrix Virtual Apps and Desktops without having to reauthenticate.

When you log on to Citrix Workspace app, your credentials are passed through to StoreFront, along with the enumerated apps and desktops and Start menu settings. After configuring Single Sign-on, you can log on to Citrix Workspace app and launch Citrix Virtual Apps and Desktops sessions without having to re-type your credentials.

You can configure Single Sign-on using one of the following options when installing Citrix Workspace app for Windows:

  • Command line interface
  • Graphical user interface

Prerequisites

  1. Add the StoreFront server to the list of trusted sites using Internet Explorer. To do this:
    1. Launch Internet Explorer.
    2. Select Tools > Internet Options > Security > Local intranet and click Sites. The Local intranet window appears.
    3. Select Advanced.
    4. Add the URL of the StoreFront or Web Interface FQDN with the appropriate HTTP or HTTPS protocols.
    5. Click Apply and OK.
  2. Modify the User Authentication settings in Internet Explorer. To do this:
    1. Launch Internet Explorer.
    2. On the Internet Options > Security tab, click Trusted Sites.
    3. Click Custom level. The Security Settings – Trusted Sites Zone window appears.
    4. In the User Authentication pane, select Automatic logon with current user name and password.

Configuring Single Sign-on using the command line interface

Install Citrix Workspace app for Windows with the /includeSSON switch and restart it for the changes to take effect.

Note

If Citrix Workspace app for Windows is installed without the Single Sign-on component, upgrading to the latest version of Citrix Workspace app with the /includeSSON switch is not supported.

Configuring Single Sign-on using the graphical user interface

  1. Locate the Citrix Workspace app installation file (CitrixWorkspaceApp.exe).
  2. Double click CitrixWorkspaceApp.exe to launch the installer.
  3. In the Enable Single Sign-on installation wizard, select the Enable Single Sign-on option.

Configuring Single Sign-on on Workspace for Web

You can configure Single Sign-on on Workspace for Web using the Group Policy Object administrative template.

  1. Open the Workspace for Web GPO administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Template > Citrix Component > Workspace for Windows > User Authentication.
  3. Select the Local user name password policy and set it to Enabled.
  4. Click Enable pass-through authentication. This option allows Workspace for Web to use your login credentials for authentication on the remote server.
  5. Click Allow pass-through authentication for all ICA connections. This option bypasses any authentication restriction and allows credentials to pass through on all connections.
  6. Click Apply and OK.
  7. Restart the Workspace for Web for the changes to take effect.

To verify that Single Sign-on is enabled, launch Task Manager and check that the ssonsvr.exe process is running.

Configuring Single Sign-on on StoreFront and Web Interface

StoreFront configuration

Open Citrix Studio on the StoreFront server and select Authentication > Add/Remove Authentication Methods. Select Domain pass-through.

Using Configuration Checker to validate the Single Sign-on configuration

Configuration Checker lets you run a test to ensure that Single Sign-on is configured properly. The test runs on different checkpoints of the Single Sign-on configuration and displays the configuration results.

  1. Right-click the Citrix Workspace app icon in the notification area and click Advanced Preferences. The Advanced Preferences dialog appears.
  2. Click Configuration Checker. The Citrix Configuration Checker window appears.

  3. Select SSONChecker from the Select pane.
  4. Click Run. A progress bar appears, displaying the status of the test.

The Configuration Checker window has the following columns:

  1. Status: Displays the result of a test on a specific checkpoint.
    • A green check mark indicates that the specific checkpoint is configured properly.
    • A blue I indicates information about the checkpoint.
    • A red X indicates that the specific checkpoint is not configured properly.
  2. Provider: Displays the name of the module on which the test is run. In this case, Single Sign-on.
  3. Suite: Indicates the category of the test. For example, Installation.
  4. Test: Indicates the name of the specific test that is run.
  5. Details: Provides additional information about the test, irrespective of pass or fail.

The user gets more information about each checkpoint and the corresponding results.

The following tests are performed:

  1. Installed with Single Sign-on
  2. Logon credential capture
  3. Network Provider registration: The test result against Network Provider registration displays a green check mark only when “Citrix Single Sign-on” is set to be first in the list of Network Providers. If Citrix Single Sign-on appears anywhere else in the list, the test result against Network Provider registration appears with a blue I and additional information.
  4. Single Sign-on process is running
  5. Group Policy: By default, this policy is configured on the client.
  6. Internet Settings for Security Zones: Ensure that you add the Store/XenApp Service URL to the list of Security Zones in the Internet Options.
    If the Security Zones are configured via Group Policy, any change in the policy requires the Advanced Preferences window to be reopened for the changes to take effect and to display the correct status of the test.
  7. Authentication method for Web Interface/StoreFront.

Note

  • If you are accessing Workspace for Web, the test results are not applicable.
  • If Citrix Workspace app is configured with multiple stores, the authentication method test runs on all the configured stores.
  • You can save the test results as reports. The default report format is .txt.
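
The following read-only PowerShell audit is an added example, not part of Citrix Workspace app or its Configuration Checker. It reports three of the checkpoints listed above (Single Sign-on process running, Network Provider order, zone logon setting) and lists every registered network provider for review. It assumes the provider registers under the display name "Citrix Single Sign-on" quoted above, that the StoreFront URL sits in the Trusted sites zone, and that the zone is configured per user rather than through Group Policy.

```powershell
# Added example: read-only audit of three Configuration Checker checkpoints.
# The function names and the zone choice below are assumptions for illustration.

function Get-NetworkProviderOrder {
    # Windows keeps the ordered provider list in one comma-separated value.
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $keys = (Get-ItemProperty -Path $orderKey).ProviderOrder -split ',' | Where-Object { $_ }
    $position = 0
    foreach ($key in $keys) {
        $position++
        # Each provider registers its display name and DLL under its service key.
        $np = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$key\NetworkProvider" `
                               -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Position = $position
            Key      = $key
            Name     = $np.Name
            Dll      = $np.ProviderPath
        }
    }
}

function Test-SsonCheckpoints {
    param([int]$Zone = 2)   # 1 = Local intranet, 2 = Trusted sites

    $providers = @(Get-NetworkProviderOrder)
    $sson = $providers | Where-Object { $_.Name -eq 'Citrix Single Sign-on' } |
            Select-Object -First 1

    # 1A00 is the zone's logon setting; 0 = automatic logon with current credentials.
    $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $logon = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue).'1A00'

    [pscustomobject]@{
        SsonProcessRunning   = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)
        SsonProviderPosition = if ($sson) { $sson.Position } else { $null }
        SsonProviderFirst    = ($sson -and $sson.Position -eq 1)
        ZoneAutomaticLogon   = ($logon -eq 0)
        Providers            = $providers
    }
}

$result = Test-SsonCheckpoints
$result | Format-List SsonProcessRunning, SsonProviderPosition, SsonProviderFirst, ZoneAutomaticLogon
# Providers in this list can be notified of logons with the user's credentials;
# review any entry or DLL path you do not recognise.
$result.Providers | Format-Table -AutoSize
```

Pass `-Zone 1` to `Test-SsonCheckpoints` if the StoreFront URL was added to the Local intranet zone instead.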

For information on configuring domain pass-through authentication, see Knowledge Center article CTX133982.

Hiding the Configuration Checker option from the Advanced Preferences window

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Go to Citrix Components > Workspace for Windows > Self Service > DisableConfigChecker.
  3. Click Enabled to hide the Configuration Checker option from the Advanced Preferences window.
  4. Click Apply and OK.
  5. Run the gpupdate /force command.

Limitation

Configuration Checker does not include the checkpoint for the configuration of Trust requests sent to the XML service on Citrix Virtual Apps and Desktops servers.