Product Documentation

Configure domain pass-through authentication with Kerberos

May 08, 2015

This topic applies only to connections between Receiver and StoreFront, XenDesktop, or XenApp.

Receiver for Windows supports Kerberos for domain pass-through authentication for deployments that use smart cards. Kerberos is one of the authentication methods included in Integrated Windows Authentication (IWA).

When Kerberos authentication is enabled, Kerberos authenticates without passwords for Receiver, thus preventing Trojan horse-style attacks on the user device to gain access to passwords. Users can log on to the user device with any authentication method; for example, a biometric authenticator such as a fingerprint reader, and still access published resources without further authentication.

Receiver handles pass-through authentication with Kerberos as follows when Receiver, StoreFront, XenDesktop and XenApp are configured for smart card authentication and a user logs on with a smart card:

  1. The Receiver single sign-on service captures the smart card PIN.
  2. Receiver uses IWA (Kerberos) to authenticate the user to StoreFront. StoreFront then provides Receiver with information about available virtual desktops and apps.
    Note: You do not have to use Kerberos authentication for this step. Enabling Kerberos on Receiver is only needed to avoid an extra PIN prompt. If you do not use Kerberos authentication, Receiver authenticates to StoreFront using the smart card credentials.
  3. The HDX engine (previously referred to as the ICA client) passes the smart card PIN to XenDesktop or XenApp to log the user on to the Windows session. XenDesktop or XenApp then delivers the requested resources.

To use Kerberos authentication with Receiver, make sure your Kerberos configuration conforms to the following.

  • Kerberos works only between Receiver and servers that belong to the same or to trusted Windows Server domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users and Computers management tool.
  • Kerberos must be enabled on the domain and in XenDesktop and XenApp. For enhanced security and to ensure that Kerberos is used, disable on the domain any non-Kerberos IWA options.
  • Kerberos logon is not available for Remote Desktop Services connections configured to use Basic authentication, to always use specified logon information, or to always prompt for a password.
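The three requirements above can be checked from a domain-joined user device before you touch any Receiver or StoreFront settings. The following PowerShell script is an added example, not Citrix's code: it confirms the device is domain-joined, reads each server's delegation setting from Active Directory, and then requests a Kerberos service ticket for StoreFront's HTTP SPN. It assumes the RSAT ActiveDirectory module is installed, that the host names are placeholders you replace, and that the "Server:" line format it matches in klist output is as described in the comments.

```powershell
<#
  Added example, not Citrix's code: a read-only pre-flight check for the Kerberos
  requirements listed above, run from a domain-joined user device.
  Assumptions: the RSAT ActiveDirectory PowerShell module is installed, and the
  host names below are placeholders you replace with your own servers.
#>
param(
    [string]   $StoreFrontHost = 'storefront.corp.example',   # placeholder
    [string[]] $BackendHosts   = @('xenapp01.corp.example')   # placeholder
)

$ok = $true

# Requirement 1: Receiver and the servers must be in the same or a trusted domain,
# so the device itself has to be domain-joined.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Warning 'This device is not domain-joined; IWA (Kerberos) cannot be used.'
    $ok = $false
} else {
    Write-Host "Device domain: $($cs.Domain)"
}

Import-Module ActiveDirectory -ErrorAction Stop

# Requirement 2: each server must be trusted for delegation. TrustedForDelegation is the
# unconstrained setting from the Delegation tab in Active Directory Users and Computers;
# msDS-AllowedToDelegateTo is populated instead when constrained delegation was chosen.
foreach ($fqdn in @($StoreFrontHost) + $BackendHosts) {
    $sam = ($fqdn -split '\.')[0]
    try {
        $c = Get-ADComputer -Identity $sam -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    } catch {
        Write-Warning "Computer account for $fqdn not found in the current forest: $_"
        $ok = $false
        continue
    }
    $constrained = @($c.'msDS-AllowedToDelegateTo').Count -gt 0
    if ($c.TrustedForDelegation -or $constrained) {
        Write-Host "$fqdn : trusted for delegation (unconstrained=$($c.TrustedForDelegation), constrained=$constrained)"
    } else {
        Write-Warning "$fqdn is NOT trusted for delegation; enable it in Active Directory Users and Computers."
        $ok = $false
    }
}

# Ticket check: the device must be able to obtain a Kerberos service ticket for
# StoreFront's HTTP SPN. 'klist get' requests the ticket and 'klist' lists the cache.
# Matching the SPN text in the cache listing is an assumption about klist's output.
$spn = "HTTP/$StoreFrontHost"
& klist.exe get $spn | Out-Null
$tickets = & klist.exe
if ($tickets -match [regex]::Escape($spn)) {
    Write-Host "Service ticket for $spn is in the cache."
} else {
    Write-Warning "No Kerberos ticket for $spn; check that the SPN is registered and the KDC is reachable."
    $ok = $false
}

if ($ok) { Write-Host 'All Kerberos prerequisites look satisfied.' } else { exit 1 }
```

Run it as the user who will log on with the smart card, since the ticket check uses that user's credential cache. The third requirement above (Remote Desktop Services connections configured for Basic authentication or a fixed logon) is a server-side setting and is not covered by this script.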

The remainder of this topic describes how to configure domain pass-through authentication for the most common scenarios. If you are migrating to StoreFront from Web Interface and previously used a customized authentication solution, contact your Citrix Support representative for more information.

Caution: Some of the configuration described in this topic includes registry edits. Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

Configure domain pass-through authentication with Kerberos for use with smart cards

If you are not familiar with smart card deployments in a XenDesktop environment, we recommend that you review the smart card information in the Secure your deployment section in the XenDesktop documentation before continuing.

When you install Receiver, include the following command-line option:

  • /includeSSON

    This option installs the single sign-on component on the domain-joined computer, enabling Receiver to authenticate to StoreFront using IWA (Kerberos). The single sign-on component stores the smart card PIN, which is then used by the HDX engine when it remotes the smart card hardware and credentials to XenDesktop. XenDesktop automatically selects a certificate from the smart card and obtains the PIN from the HDX engine.

    A related option, ENABLE_SSON, is enabled by default and should remain enabled.

    If a security policy prevents enabling single sign-on on a device, configure Receiver through the following policy:

    Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication > Local user name and password

    Note: In this scenario you want to allow the HDX engine to use smart card authentication and not Kerberos, so do not use the option ENABLE_KERBEROS=Yes, which would force the HDX engine to use Kerberos.

To apply the settings, restart Receiver on the user device.

To configure StoreFront:

  • In the default.ica file located on the StoreFront server, set DisableCtrlAltDel to false.
  • When you configure the authentication service on the StoreFront server, select the Domain pass-through check box. That setting enables Integrated Windows Authentication. You do not need to select the Smart card check box unless you also have non-domain-joined clients connecting to StoreFront with smart cards.

For more information about using smart cards with StoreFront, refer to Configure the authentication service in the StoreFront documentation.
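The default.ica change above is a one-line edit, but the file is served to every client of the store, so it is worth making it with a backup and in a way that can be re-run safely. The following PowerShell script is an added example, not Citrix's code: it backs up default.ica, rewrites any existing DisableCtrlAltDel line to false, and reports whether the key was found. The store path is an assumption (replace $StorePath with your store's App_Data folder); if the key is absent the script does not guess which section it belongs in and instead tells you to add it by hand.

```powershell
<#
  Added example, not Citrix's code: sets DisableCtrlAltDel=false in a StoreFront
  store's default.ica, keeping a timestamped backup and leaving all other lines intact.
  Assumption: $StorePath points at the store's App_Data folder on the StoreFront server.
#>
param(
    [string] $StorePath = 'C:\inetpub\wwwroot\Citrix\Store\App_Data'   # assumed location
)

$icaFile = Join-Path $StorePath 'default.ica'
if (-not (Test-Path $icaFile)) { throw "default.ica not found at $icaFile" }

# Back up first; the store serves this file to every connecting client.
$backup = "$icaFile.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $icaFile -Destination $backup
Write-Host "Backup written to $backup"

$found   = $false
$changed = $false
$out = foreach ($line in (Get-Content -Path $icaFile)) {
    # default.ica is INI-style; match the key wherever it appears, case-insensitively,
    # and normalise the value to the lower-case 'false' the topic asks for.
    if ($line -match '^\s*DisableCtrlAltDel\s*=\s*(?<value>\S*)\s*$') {
        $found = $true
        if ($Matches['value'] -ne 'false') { $changed = $true }
        'DisableCtrlAltDel=false'
    } else {
        $line
    }
}

if (-not $found) {
    Write-Warning "DisableCtrlAltDel is not present in $icaFile; add DisableCtrlAltDel=false under the section Citrix documents for it."
    exit 1
}

if ($changed) {
    # Preserve the file's existing encoding choice as far as Set-Content allows (ASCII here).
    Set-Content -Path $icaFile -Value $out -Encoding Ascii
    Write-Host 'DisableCtrlAltDel set to false.'
} else {
    Write-Host 'DisableCtrlAltDel was already false; file left unchanged.'
}

# Show the resulting line so the change can be confirmed in the console.
Select-String -Path $icaFile -Pattern '^\s*DisableCtrlAltDel\s*=' | ForEach-Object { $_.Line }
```

Run the script in an elevated PowerShell session on the StoreFront server, once per store that uses domain pass-through. If the store is part of a StoreFront server group, propagate the change to the other members afterwards as you would for any other store configuration change.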

Configure Kerberos with pass-through authentication

This topic does not apply to XenDesktop connections.

Use Kerberos with pass-through authentication if you want to use Kerberos with Receiver.

When Receiver is configured to use Kerberos with pass-through authentication, it tries Kerberos authentication first and falls back to pass-through authentication if Kerberos fails.

The user cannot disable this Receiver configuration from the user interface.

  1. As an administrator, open the Group Policy Editor by either running gpedit.msc locally from the Start menu when applying policies to a single computer or by using the Group Policy Management Console when applying domain policies.
  2. In the left pane of the Group Policy Editor, select the Administrative Templates folder.
  3. From the Action menu, choose Add/Remove Templates.
  4. Choose Add and browse to the Receiver Configuration folder (usually C:\Program Files\Citrix\ICA Client\Configuration) and select icaclient.adm.
  5. Select Open to add the template and then Close to return to the Group Policy Editor.
  6. In the Group Policy Editor, go to Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication > Kerberos authentication and select Enabled.
  7. In the Group Policy Editor, go to Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication > Local user name and password.
  8. From the Action menu, choose Properties and select Enabled > Enable pass-through authentication.

To apply the setting, close and restart Receiver on the user device.