Configure domain pass-through authentication with Kerberos
This topic applies only to connections between Citrix Receiver for Windows and StoreFront, XenDesktop, or XenApp.
Citrix Receiver for Windows supports Kerberos for domain pass-through authentication for deployments that use smart cards. Kerberos is one of the authentication methods included in Integrated Windows Authentication (IWA).
When Kerberos authentication is enabled, Kerberos authenticates without passwords for Citrix Receiver for Windows, thus preventing Trojan horse-style attacks on the user device to gain access to passwords. Users can log on to the user device with any authentication method; for example, a biometric authenticator such as a fingerprint reader, and still access published resources without further authentication.
Citrix Receiver for Windows handles pass-through authentication with Kerberos as follows when Citrix Receiver for Windows, StoreFront, XenDesktop and XenApp are configured for smart card authentication and a user logs on with a smart card:
- The Citrix Receiver for Windows Single Sign-on service captures the smart card PIN.
- Citrix Receiver for Windows uses IWA (Kerberos) to authenticate the user to StoreFront. StoreFront then provides Citrix Receiver for Windows with information about available virtual desktops and apps. Note: You do not have to use Kerberos authentication for this step. Enabling Kerberos on Citrix Receiver for Windows is only needed to avoid an extra PIN prompt. If you do not use Kerberos authentication, Citrix Receiver for Windows authenticates to StoreFront using the smart card credentials.
- The HDX engine (previously referred to as the ICA client) passes the smart card PIN to XenDesktop or XenApp to log the user on to the Windows session. XenDesktop or XenApp then deliver the requested resources.
To use Kerberos authentication with Citrix Receiver for Windows, make sure your Kerberos configuration conforms to the following.
- Kerberos works only between Citrix Receiver for Windows and servers that belong to the same or to trusted Windows Server domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users and Computers management tool.
- Kerberos must be enabled on the domain and in XenDesktop and XenApp. For enhanced security and to ensure that Kerberos is used, disable on the domain any non-Kerberos IWA options.
- Kerberos logon is not available for Remote Desktop Services connections configured to use Basic authentication, to always use specified logon information, or to always prompt for a password.
The remainder of this topic describes how to configure domain pass-through authentication for the most common scenarios. If you are migrating to StoreFront from Web Interface and previously used a customized authentication solution, contact your Citrix Support representative for more information.
Some of the configurations described in this topic include registry edits. Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.
To configure domain pass-through authentication with Kerberos for use with smart cards
If you are not familiar with smart card deployments in a XenDesktop environment, we recommend that you review the smart card information in the Secure your deployment section in the XenDesktop documentation before continuing.
When you install Citrix Receiver for Windows, include the following command-line option:
This option installs the single sign-on component on the domain-joined computer, enabling Citrix Receiver for Windows to authenticate to StoreFront using IWA (Kerberos). The single sign-on component stores the smart card PIN, which is then used by the HDX engine when it remotes the smart card hardware and credentials to XenDesktop. XenDesktop automatically selects a certificate from the smart card and obtains the PIN from the HDX engine.
A related option, ENABLE_SSON, is enabled by default and should remain enabled.
If a security policy prevents enabling single sign-on on a device, configure Citrix Receiver for Windows through the following policy:
Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication > Local user name and password
Note: In this scenario you want to allow the HDX engine to use smart card authentication and not Kerberos, so do not use the option ENABLE_KERBEROS=Yes, which would force the HDX engine to use Kerberos.
To apply the settings, restart Citrix Receiver for Windows on the user device.
To configure StoreFront:
- In the default.ica file located on the StoreFront server, set DisableCtrlAltDel to false. Note: This step is not required if all client machines are running Citrix Receiver for Windows 4.2 or above.
- When you configure the authentication service on the StoreFront server, select the Domain pass-through check box. That setting enables Integrated Windows Authentication. You do not need to select the Smart card check box unless you also have non domain joined clients connecting to Storefront with smart cards.
For more information about using smart cards with StoreFront, refer to Configure the authentication service in the StoreFront documentation.
About FastConnect API and HTTP basic authentication
The FastConnect API uses the HTTP Basic Authentication method, which is frequently confused with authentication methods associated with domain pass-through, Kerberos, and IWA. Citrix recommends that you disable IWA on StoreFront and in ICA group policy.