Connections, Certificates and Authentication

Connections

  • HTTP store
  • HTTPS store
  • Citrix Gateway 10.5 and later
  • Web Interface 5.4

Certificates

  • Private (self-signed)
  • Root
  • Wildcard
  • Intermediate

Private (self-signed) certificates

If a private certificate is installed on the remote gateway, the root certificate of the organization’s certificate authority must be installed on the user device from which you are accessing the Citrix resources.

Note

If the remote gateway’s certificate cannot be verified upon connection (because the root certificate is not included in the local Keystore.), an untrusted certificate warning appears. If a user chooses to continue through the warning, the apps are displayed but cannot be launched.

Installing root certificates

For domain-joined computers, you can use Group Policy Object administrative template to distribute and trust CA certificates.

For non-domain joined computers, the organization can create a custom install package to distribute and install the CA certificate. Contact your system administrator for assistance.

Wildcard certificates

Wildcard certificates are used on a server within the same domain.

Citrix Workspace app supports wildcard certificates; however, they must be used in accordance with your organization’s security policy. In practice, an alternative to wildcard certificates is a certificate containing the list of server names with the Subject Alternative Name (SAN) extension. Private and public certificate authorities issue these certificates.

Intermediate certificates

If your certificate chain includes an intermediate certificate, the intermediate certificate must be appended to the Citrix Gateway server certificate. For information, see Configuring Intermediate Certificates.

Authentication

Authentication to StoreFront

           
  Workspace for Web using browsers StoreFront Services site (native) StoreFront, Citrix Virtual Apps and Desktops (native) Citrix Gateway to Workspace for Web (browser) Citrix Gateway to StoreFront Services site (native)
Anonymous Yes Yes      
Domain Yes Yes Yes Yes* Yes*
Domain pass-through Yes Yes Yes    
Security token       Yes* Yes*
Two-factor authentication (domain with security token)       Yes* Yes*
SMS       Yes* Yes*
Smart card Yes Yes   Yes Yes
User certificate       Yes (Citrix Gateway plug-in) Yes (Citrix Gateway plug-in)

* With or without the Citrix Gateway plug-in installed on the device.

Note

Citrix Workspace app supports two-factor authentication (domain plus security token) using Citrix Gateway to the StoreFront native service.

Authentication to Web Interface

Citrix Workspace app supports the following authentication methods (Web Interface uses the term Explicit for domain and security token authentication):

         
  Web Interface (browsers) Web Interface Citrix Gateway Site Citrix Gateway to Web Interface (browser) Citrix Gateway to Web Interface Citrix Gateway Site
Anonymous Yes      
Domain Yes Yes Yes*  
Domain pass-through Yes Yes    
Security token     Yes*  
Two-factor authentication (domain with security token)     Yes*  
SMS     Yes*  
Smart card Yes Yes    
User certificate     Yes (Citrix Gateway plug-in)  

* Available only in deployments that include Citrix Gateway, with or without the associated plug-in installed on the device.

For information about authentication, see Configuring Authentication and Authorization in the Citrix Gateway documentation and Manage topics in the StoreFront documentation.