Update on enhanced domain pass-through for single sign-on feature

Starting with Citrix Workspace app version 2405.10, the enhanced domain pass-through for single sign-on feature is supported with Windows 11.

Enhanced domain pass-through for single sign-on uses Kerberos to enable single sign-on into Citrix Workspace app and into the virtual apps and desktop sessions when using Active Directory (AD) joined client devices and Citrix StoreFront.

Note:

  • This feature is not supported on 32-bit operating systems.

  • This feature is a replacement for the legacy pass-through authentication feature based on the Citrix Single Sign-on Service (ssonsvr.exe).

System requirements

  • Control plane
    • Citrix DaaS
    • Citrix Virtual Apps and Desktops 2311 or later
  • Virtual Delivery Agent
    • Windows: version 2407 or later
  • Workspace app
    • Citrix Workspace app for Windows 2405.1 or later
  • Client device
    • Joined to Active Directory domain
    • Windows 10 64-bit
    • Windows 11 64-bit
  • Multi-session session hosts:
    • Windows Server 2019
    • Windows Server 2022
    • Windows 10 Enterprise multi-session 22H2
    • Windows 11 Enterprise multi-session 22H2 or later
  • Single-session session hosts:
    • Windows 10 version 22H2
    • Windows 11 version 22H2 or later

Note:

  • The client device must have direct connectivity to domain controllers. If the device is outside the network, single sign-on isn’t supported.

  • On Windows 11, this feature is not supported with the following versions of Citrix Workspace app and VDA:
    • VDA: 2308, 2311, 2402
    • Citrix Workspace app: 2309, 2309.1, 2311, 2402

StoreFront configuration

You must enable domain pass-through authentication for the store and its corresponding website.

Perform the following steps to enable Domain pass-through for the store:

  1. Open the StoreFront management console.
  2. Go to Store > Manage Authentication methods. The Manage Authentication Methods - Web window appears.

  3. Select the Domain pass-through checkbox.

    [Screenshot: Manage Authentication methods]

  4. Click OK.

Perform the following steps to enable Domain pass-through for the website:

  1. Open the StoreFront management console.
  2. Open Stores > Receiver for Websites tab > Manage Receiver for Web Sites > Configure > Authentication Methods. The Edit Receiver for Web site - /Citrix/Web window appears.
  3. Select the Domain pass-through checkbox.

    [Screenshot: Edit Receiver for Web site]

  4. Click OK.

Citrix Policy configuration

You must enable the setting using Citrix policy:

  1. Navigate to Citrix Studio or the web console.
  2. Click Policies > Create Policy. The Create Policy dialog box appears.
  3. Search for the Enhanced domain pass-through for single sign-on policy. The Edit Settings dialog box appears.
  4. Select the Allowed option to enable the Enhanced domain pass-through for single sign-on policy.

  5. Click OK.

Session host configuration

After enabling the Enhanced domain pass-through for single sign-on feature using Citrix policy, you must also enable a Windows setting on the session hosts. You can enable the Windows setting through local policy or GPO:

  1. Navigate to Computer Configuration\Policies\Administrative Templates\System\CredentialsDelegation.
  2. Enable the Remote host allows delegation of non-exportable credentials setting.

    [Screenshot: Remote host allows delegation of non-exportable credentials]

  3. Reboot the session host for the setting to take effect.

Note:

The Remote host allows delegation of non-exportable credentials setting is not available on Windows Server 2016 local policy. If you need to configure this setting locally on the session host instead of using GPO, you must add the following registry values:

Key: HKLM\SOFTWARE\Citrix\Rcg

  • Value type: DWORD
  • Value name: ForceEnableRcg
  • Value data: 1

Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa

  • Value type: DWORD
  • Value name: DisableRestrictedAdmin
  • Value data: 0
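The registry values from the note above, applied and read back with PowerShell. This is an added example, not Citrix's own tooling; the AllowProtectedCreds audit at the end assumes the registry location Windows documents for the Remote Credential Guard GPO setting, which the page itself does not state.

```powershell
# Added example, not Citrix's own tooling: apply the two registry values from
# the note above on a session host where the GPO setting cannot be used, then
# read them back. Run in an elevated PowerShell session on the session host.

$settings = @(
    @{ Path = 'HKLM:\SOFTWARE\Citrix\Rcg';                  Name = 'ForceEnableRcg';         Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'DisableRestrictedAdmin'; Value = 0 }
)

function Set-SsoRegistryValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-SsoRegistryValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Path = $Path; Name = $Name; Expected = $Expected; Actual = $actual
        Ok   = ($null -ne $actual -and [int]$actual -eq $Expected)
    }
}

foreach ($s in $settings) { Set-SsoRegistryValue @s }

$results = foreach ($s in $settings) {
    Test-SsoRegistryValue -Path $s.Path -Name $s.Name -Expected $s.Value
}
$results | Format-Table -AutoSize

# Audit only: when the setting is delivered by GPO instead, it lands in this
# policy value (location from Windows' Remote Credential Guard documentation,
# an assumption not stated on the Citrix page). Expect 1 on GPO-managed hosts.
Test-SsoRegistryValue -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation' `
                      -Name 'AllowProtectedCreds' -Expected 1 | Format-Table -AutoSize

if ($results.Ok -contains $false) {
    Write-Warning 'One or more values did not apply; confirm the session is elevated.'
} else {
    Write-Host 'Values in place. Reboot the session host for them to take effect.'
}
```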

Client device configuration

You must do the following on the client device:

  • Enable Enhanced domain pass-through for single sign-on
  • Trust StoreFront site

Enable Enhanced domain pass-through for single sign-on

You must enable the Enhanced domain pass-through for single sign-on feature on the client device. You can do this through local policy or GPO.

  1. Navigate to Computer Configuration\Policies\Administrative Templates\Citrix Components\Citrix Workspace\User Authentication.
  2. Enable the Enhanced Domain pass-through for single sign-on setting.


  3. Restart Citrix Workspace app for settings to take effect.

Trust StoreFront site

You must make sure your StoreFront URL is trusted by the client devices. If the URL is not part of an already trusted domain, you must add it as either a local intranet site or a trusted site. You can do this through local policy or GPO.

  1. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security page.
  2. Enable the Site to Zone Assignment List setting and add the appropriate URLs and corresponding zone assignment.

    [Screenshot: Site to Zone Assignment List]

  3. Enable the Logon options setting and set it to Automatic logon with current username and password.

    [Screenshots: Logon options; Logon options enabled]
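A client-side check of the two settings above, given the StoreFront URL. This is an added example, not Citrix's own tooling: the StoreFront URL is a constructed placeholder, and the policy-backed registry locations (ZoneMapKey for the Site to Zone Assignment List, the per-zone 1A00 value for Logon options) are assumed from Windows' Internet Explorer security-zone documentation rather than taken from this page.

```powershell
# Added example, not Citrix's own tooling: audit a client device for the two
# policy settings above, given the StoreFront URL (a constructed placeholder).
# The policy-backed registry locations, ZoneMapKey for "Site to Zone Assignment
# List" and the per-zone 1A00 value for "Logon options", come from Windows'
# Internet Explorer security-zone documentation, not from the Citrix page.

$StoreFrontUrl = 'https://storefront.example.com'   # constructed placeholder
$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$ZoneNames     = @{ 1 = 'Local intranet'; 2 = 'Trusted sites' }
$PsMetaProps   = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-SiteZoneAssignment {
    param([string]$Url)
    $siteHost = ([uri]$Url).Host
    $map = Get-ItemProperty -Path "$PolicyRoot\ZoneMapKey" -ErrorAction SilentlyContinue
    if (-not $map) { return $null }
    # Entries in the GPO list are value names: a full URL, a host name, or a
    # wildcard such as *.example.com; the data is the zone number as a string.
    foreach ($p in $map.PSObject.Properties) {
        if ($p.Name -in $PsMetaProps) { continue }
        if ($p.Name -eq $Url -or $p.Name -eq $siteHost -or $siteHost -like $p.Name) {
            return [int]$p.Value
        }
    }
    return $null
}

function Get-ZoneLogonOption {
    param([int]$Zone)
    # 1A00: 0 = automatic logon with current user name and password,
    # 0x10000 = prompt, 0x20000 = automatic logon only in intranet zone, 0x30000 = anonymous
    (Get-ItemProperty -Path "$PolicyRoot\Zones\$Zone" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
}

$zone = Get-SiteZoneAssignment -Url $StoreFrontUrl
if ($null -eq $zone -or -not $ZoneNames.ContainsKey($zone)) {
    Write-Warning "$StoreFrontUrl is not assigned to Local intranet or Trusted sites by policy."
} else {
    $logon = Get-ZoneLogonOption -Zone $zone
    "Zone assignment: $($ZoneNames[$zone])"
    if ($logon -eq 0) {
        'Logon options: automatic logon with current user name and password'
    } else {
        Write-Warning "Logon options for $($ZoneNames[$zone]) is not 'Automatic logon with current username and password' (policy value: $logon)."
    }
}
```

A missing or non-zero 1A00 value in the assigned zone is the usual reason the client falls back to prompting for credentials instead of passing the Kerberos logon through.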
