Configure domain pass-through authentication with Kerberos
This topic applies only to connections between Receiver and StoreFront, XenDesktop, or XenApp.
Receiver for Windows supports Kerberos for domain pass-through authentication for deployments that use smart cards. Kerberos is one of the authentication methods included in Integrated Windows Authentication (IWA).
When Kerberos authentication is enabled, Receiver authenticates with Kerberos rather than with passwords, which prevents Trojan horse-style attacks on the user device from gaining access to passwords. Users can log on to the user device with any authentication method, for example a biometric authenticator such as a fingerprint reader, and still access published resources without further authentication.
Receiver handles pass-through authentication with Kerberos as follows when Receiver, StoreFront, XenDesktop and XenApp are configured for smart card authentication and a user logs on with a smart card:
To use Kerberos authentication with Receiver, make sure your Kerberos configuration conforms to the following.
The remainder of this topic describes how to configure domain pass-through authentication for the most common scenarios. If you are migrating to StoreFront from Web Interface and previously used a customized authentication solution, contact your Citrix Support representative for more information.
If you are not familiar with smart card deployments in a XenDesktop environment, we recommend that you review the smart card information in the Secure your deployment section in the XenDesktop documentation before continuing.
When you install Receiver, include the following command-line option:
This option installs the single sign-on component on the domain-joined computer, enabling Receiver to authenticate to StoreFront using IWA (Kerberos). The single sign-on component stores the smart card PIN, which is then used by the HDX engine when it remotes the smart card hardware and credentials to XenDesktop. XenDesktop automatically selects a certificate from the smart card and obtains the PIN from the HDX engine.
A related option, ENABLE_SSON, is enabled by default and should remain enabled.
If a security policy prevents enabling single sign-on on a device, configure Receiver through the following policy:
Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication > Local user name and password
To apply the settings, restart Receiver on the user device.
To configure StoreFront:
For more information about using smart cards with StoreFront, refer to Configure the authentication service in the StoreFront documentation.
This topic does not apply to XenDesktop connections.
Use Kerberos with pass-through authentication if you want to use Kerberos with Receiver.
When Receiver configurations are set to use Kerberos with pass-through authentication, Receiver uses Kerberos authentication first and uses pass-through authentication if Kerberos fails.
The user cannot disable this Receiver configuration from the user interface.
To apply the setting, close and restart Receiver on the user device.
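Because Receiver falls back to pass-through authentication when Kerberos fails, it is worth confirming on a user device that a Kerberos service ticket was actually issued for the StoreFront host. The following check is an added example, not Citrix code: it parses `klist` output for an `HTTP/` service ticket, and the host name, realm and sample output are constructed placeholders.

```powershell
# Added example (not from the Citrix documentation).
# Assumption: StoreFront is reached at this placeholder host name.
$StoreFrontHost = 'storefront.example.com'

# Constructed sample of `klist` output so the script runs offline.
$SampleKlist = @'
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: alice @ EXAMPLE.COM
        Server: krbtgt/EXAMPLE.COM @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: alice @ EXAMPLE.COM
        Server: HTTP/storefront.example.com @ EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
'@

function Get-KerberosTicket {
    param([string]$KlistText)
    # Each cached ticket starts with "#<n>>"; the text before the first one is header.
    foreach ($block in ($KlistText -split '(?m)^#\d+>') | Select-Object -Skip 1) {
        if ($block -match 'Server:\s*(\S+)\s*@\s*(\S+)') {
            $spn = $Matches[1]; $realm = $Matches[2]
            $etype = if ($block -match 'Encryption Type:\s*(\S+)') { $Matches[1] } else { $null }
            [pscustomobject]@{ Spn = $spn; Realm = $realm; EncryptionType = $etype }
        }
    }
}

function Test-StoreFrontKerberos {
    param([string]$KlistText, [string]$HostName)
    # PowerShell string -eq is case-insensitive, which suits SPN comparison.
    $hit = Get-KerberosTicket -KlistText $KlistText |
        Where-Object { $_.Spn -eq "HTTP/$HostName" }
    [bool]$hit
}

# On a user device, pass (klist | Out-String) instead of $SampleKlist,
# after Receiver has connected to the store in the same logon session.
if (Test-StoreFrontKerberos -KlistText $SampleKlist -HostName $StoreFrontHost) {
    "Kerberos ticket present for HTTP/$StoreFrontHost"
} else {
    "No Kerberos ticket for HTTP/$StoreFrontHost; Receiver may have fallen back to pass-through"
}
```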