Provide access information to end users for iOS devices

You must provide users with the Citrix Receiver account information they need to access their hosted their applications, desktops, and data. You can provide this information by:

  • Configuring email-based account discovery
  • Providing users with a provisioning file
  • Providing users with account information to enter manually

Configure email-based account discovery

You can configure Citrix Receiver to use email-based account discovery. When configured, users enter their email address rather than a server URL during initial Citrix Receiver installation and configuration. Citrix Receiver determines the Access Gateway or StoreFront server, or AppController virtual appliance associated with the email address based on Domain Name System (DNS) Service (SRV) records and then prompts the user to log on to access their hosted applications, desktops, and data.


Email-based account discovery is not supported if Citrix Receiver is connecting to a Web Interface deployment.

Provide users with a provisioning file

You can use StoreFront to create provisioning files containing connection details for accounts. You make these files available to your users to enable them to configure Receiver automatically. After installing Citrix Receiver, users simply open the .cr file on the device to configure Citrix Receiver. If you configure Receiver for Web sites, users can also obtain Citrix Receiver provisioning files from those sites.

For more information, see the StoreFront documentation.

Provide users with account information to enter manually

If providing users with account details to enter manually, ensure you distribute the following information to enable them to connect to their hosted and desktops successfully:

  • The StoreFront URL or XenApp Services site hosting resources; for example:

  • For access using NetScaler Gateway, provide the NetScaler Gateway address and required authentication method.

    For more information about configuring NetScaler Gateway, see the NetScaler Gateway documentation.

When a user enters the details for a new account, Citrix Receiver attempts to verify the connection. If successful, Citrix Receiver prompts the user to log on to the account.

Session sharing

When users log off from a Citrix Receiver account, if there are still connections to applications or desktops, they have the option to disconnect or log off:

  • Disconnect: Logs off from the account, but leaves the Windows application or desktop running on the server, and the user can then start another device, launch Citrix Receiver, and reconnect to the last state before disconnecting from the iOS device. This option allows users to reconnect from one device to another device and resume working in running applications.
  • Log off: Logs off from the account, closes the Windows application, and logs off from the XenApp or XenDesktop server. This option allows users to disconnect from the server and log off the account; when they launch Citrix Receiver again, it opens in the default state.

Provide RSA SecurID authentication for iOS devices

RSA SecurID authentication for Citrix Receiver is supported for Secure Gateway configurations (through the Web Interface only) and all NetScaler Gateway configurations.

URL scheme required for the software token on Citrix Receiver: The RSA SecurID software token used by Citrix Receiver registers the URL scheme com.citrix.securid only.

If users have installed both the Citrix Receiver app and the RSA SecurID app on their iOS device, users must select the URL scheme “com.citrix.securid” to import the RSA SecurID Software Authenticator (software token) to Citrix Receiver on their devices.

To import an RSA SecurID soft token into Citrix Receiver

To use an RSA Soft Token with the Citrix Receiver, have your users follow this procedure.

The policy for PIN length, type of PIN (numeric only, alphanumeric), and limits on PIN reuse are specified on the RSA administration server.

Your users should only need to do this once, after they have successfully authenticated to the RSA server. After your users verify their PINs, they are are also authenticated with the StoreFront server, and it presents available, published applications and desktops.

To use an RSA soft token with Citrix Receiver

  1. Import the RSA soft token provided to you by your organization.

  2. From the email with your SecurID file attached, select Open in Receiver as the import destination. After the soft token is imported, Citrix Receiver opens automatically.

  3. If your organization provided a password to complete the import, enter the password provided to you by your organization and click OK. After clicking OK, you will see a message that the token was successfully imported.

  4. Close the import message, and in Citrix Receiver, click the Add Account.

  5. Enter the URL for the Store provided by your organization and click Next.

  6. On the Log On screen, enter your credentials: user name, password, and domain. For the Pin field, enter 0000, unless your organization has provided you with a different default PIN. (The PIN 0000 is an RSA default, but your organization may have changed it to comply with their security policies.)

  7. At the top left, click Log On. After you click Log On, you are prompted to create a new PIN.

  8. Enter a PIN from 4 to 8 digits and click OK.

  9. You are then prompted to verify your new PIN. Re-enter your PIN and click OK. After clicking OK, you will be able to access your apps and desktops.

Support for Next Token Mode

If you configure NetScaler Gateway for RSA SecurID authentication, Citrix Receiver supports Next Token Mode. With this feature enabled, if a user enters three (by default) incorrect passwords, the NetScaler Gateway plug-in prompts the user to wait until the next token is active before logging on. The RSA server can be configured to disable a user’s account if a user logs on too many times with an incorrect password.

Save Passwords

Using the Citrix Web Interface Management console, you can configure the XenApp authentication method to allow users to save their passwords. When you configure the user account, the encrypted password is saved until the first time the user connects. Consider the following:

  • If you enable password saving, Citrix Receiver stores the password on the device for future logons and does not prompt for passwords when users connect to applications.


The password is stored only if users enter a password when creating an account. If no password is entered for the account, no password is saved, regardless of the server setting.

  • If you disable password saving (default setting), Citrix Receiver prompts users to enter passwords every time they connect.


For StoreFront direct connections, password saving is not available.

To override password saving

If you configure the server to save passwords, users who prefer to require passwords at logon can override password saving:

  • When creating the account, leave the password field blank.
  • When editing an account, delete the password and save the account.

Using the Save Password feature

Beginning with release 6.1.2, Citrix Receiver introduced a feature that streamlines the connection process by allowing you to save your password, which eliminates the extra step of having to authenticate a session everytime you open Citrix Receiver.


The save password functionality currently works with the PNA protocol. It does not work with StoreFront native mode; however, this functionality works when StoreFront enables PNA legacy mode.

Configuring StoreFront PNA legacy mode

To configure StoreFront PNA legacy mode to enable the save password functionality:

  1. If you are configuring an existing Store, go to step 3.

  2. To configure a new StoreFront deployment, follow the best practices described in Install, setup, and uninstall Citrix StoreFront.

  3. Open the Citrix StoreFront management console. Ensure the base URL uses HTTPS and is the same as the common name specified when generating your SSL certificate.

  4. Select the Store you want to configure.

  5. Click Configure XenApp Service Support.

  6. Enable Legacy Support, and Click OK.

  7. Navigate to the template configuration file located at c:\\inetpub\wwwroot\Citrix\<store name>\Views\PnaConfig\.

  8. Make a backup of Config.aspx.

  9. Open the original Config.aspx file.

  10. Edit the line <EnableSavePassword>false</EnableSavePassword> to change the false value to true.

  11. Save the edited Config.aspx file.

  12. On the StoreFront server, run PowerShell with administrative rights.

  13. In the PowerShell console:

    a. cd “c:\\Program Files\Citrix\Receiver StoreFront\Scripts”

    b. Type “Set-ExecutionPolicy RemoteSigned”

    c. Type “.\\ImportModules.ps1”

    d. Type “Set-DSDerviceMonitorFeature –ServiceUrl https://localhost:443/StorefrontMonitor

  14. If you have a StoreFront group, run the same commands on all the members in the group.

Configuring NetScaler to save passwords


This configuration uses NetScaler load balance servers.

To configure NetScaler to support the save password functionality:

  1. Log in to the NetScaler management console.

  2. Follow the Citrix best practices to create a certificate for your load balance virtual server(s).

  3. On the configuration tab, navigate to Traffic Management -> Load Balancing -> Servers and click Add.

  4. Enter the server name and IP address of the StoreFront server.

  5. Click Create. If you have a StoreFront group, repeat step 5 for all the servers in the group.

  6. On the configuration tab, navigate to Traffic Management -> Load Balancing -> Monitor and click Add.

  7. Enter a name for the monitor. Select STOREFRONT as the Type. At the bottom of the page, select Secure (this is required since the StoreFront server is using HTTPS).

  8. Click the Special Parameters Tab. Enter the StoreFront name configured earlier, and select the Check Backed Services and click Create.

  9. On the Configuration tab navigate to Traffic Management -> Load Balancing -> Service Groups and click Add.

  10. Enter a name for your Service Group and set the protocol to SSL. Click Ok.

  11. On the right-hand of the screen under Advanced Settings, select Settings.

  12. Enable Client IP and enter the following for the Header value: X-Forwarded-For and click OK.

  13. On the right-hand of the screen under Advanced Settings, select Monitors. Click the arrow to add new monitors.

  14. Click the Add button and then select the Select Monitor drop down; a list of monitors (those configured on NetScaler) appears.

  15. Click the radio button beside the monitor(s) you created earlier and click Select, then click Bind.

  16. On the right-hand of the screen (under Advanced Settings), select Members. Click the arrow to add new service group members.

  17. Click the Add button and then select the Select Member drop down.

  18. Select the Server Based radio button; a list of server members (those configured on NetScaler) appears. Click the radio button beside the StoreFront server(s) you created earlier.

  19. Enter 443 for the port number and specify a unique number for the Hash ID, then click Create, then click Done. If everything has been configured properly, the Effective State should show a green light, indicating that monitoring is functioning properly.

  20. Navigate to Traffic Management -> Load Balancing -> Virtual Servers and click Add. Enter a name for the server and select SSL as the protocol.

  21. Enter the IP address for the StoreFront load-balanced server and click OK.

  22. Select the Load Balancing Virtual Server Service Group binding, click the arrow then add the Service Group created previously. Click OK twice.

  23. Assign the SSL certificate created for the Load Balance virtual server. Select No Server Certificate.

  24. Select the Load Balance server certificate from the list and click Bind.

  25. Add the domain certificate to the Load Balance Server. Click No CA certificate.

  26. Select the domain certificate and click Bind.

  27. On the right side of the screen, select Persistence.

  28. Change the Persistence to SOURCEIP and set the time out to 20. Click Save, then click Done.

  29. On your domain DNS server, add the load balance server (if not already created).

  30. Launch Citrix Receiver on your iOS device and enter the full XenApp URL.