Configure domain pass-through authentication

For information on configuring domain pass-through authentication, see Knowledge Center article CTX133982.

Citrix Receiver for Windows installation with Single Sign-on

There are two ways to enable domain pass-through (SSON) when installing Citrix Receiver for Windows:

  • using the command line installation
  • using the graphical user interface

Enable domain pass-through using the command line interface

To enable domain pass-through (SSON) using the command line interface:

  1. Install Citrix Receiver 4.x with the /includeSSON switch.
    • Install one or more StoreFront stores (you can complete this step at a later stage); installing StoreFront stores is not a prerequisite for setting up domain pass-through authentication.
    • Verify that pass-through authentication is enabled by starting Citrix Receiver, then confirm that the ssonsvr.exe process is running in Task Manager after rebooting the endpoint where Citrix Receiver is installed.

Note

For information on the syntax for adding one or more StoreFront stores, see Configure and install Receiver for Windows using command-line parameters.

Enable domain pass-through using the graphical user interface

To enable domain pass-through using the graphical user interface:

  1. Locate the Citrix Receiver for Windows installation file (CitrixReceiver.exe).
  2. Double click CitrixReceiver.exe to launch the installer.
  3. In the Enable Single Sign-on installation wizard, select the Enable single sign-on checkbox to install Citrix Receiver for Windows with the SSON feature enabled; this is equivalent to installing Citrix Receiver for Windows using the command line switch /includeSSON.

The image below illustrates how to enable Single Sign-on:

[Image: Enable single sign-on]

Note

The Enable Single Sign-on installation wizard is available only for fresh installation on a domain joined machine.

Verify that pass-through authentication is enabled by restarting Citrix Receiver for Windows, and then confirm that the ssonsvr.exe process is running in Task Manager after rebooting the endpoint on which Citrix Receiver for Windows is installed.

Group policy settings for SSON

Use the information in this section to configure group policy settings for SSON authentication.

Note

The default value of the GPO policy setting related to SSON is Enable pass-through authentication.

Configuring SSON using Group Policy Object administrative template

  1. Open gpedit.msc, right-click Computer Configuration > Administrative Templates > Citrix Components > Citrix Receiver > User Authentication.
  2. Enable the following local computer GPO settings (on the user’s local machine and/or on the VDA desktop golden image):
    • Choose the local user name and password.
    • Select Enabled.
    • Select Enable pass-through authentication.
  3. Reboot the endpoint (on which Citrix Receiver for Windows is installed) or the VDA desktop golden image.

[Image: Local group policy editor]

Using an ADM file for SSON group policy

Use the following procedure to configure group policy settings using an ADM file:

  1. Open the local group policy editor, select Computer Configuration, right-click Administrative Templates, and choose Add/Remove Templates.
  2. Click Add to add an ADM template.
  3. After successfully adding the receiver.adm template, expand Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication.

    [Image: Local user name and password]

  4. Open Internet Explorer on the local machine and/or on the VDA desktop golden image.

  5. In Internet Settings > Security > Trusted Sites, add the StoreFront server(s) fully qualified domain name (FQDN), without the store path, to the list. For example, https://storefront.example.com

    Note: You can also add the StoreFront server to the Trusted Sites using a Microsoft GPO. The GPO is called Site to Zone Assignment List; you can find this list in Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page.

  6. Log off, and log back on to the Citrix Receiver endpoint.

When Citrix Receiver opens, if the current user is logged on to the domain, the user’s credentials are passed through to StoreFront, along with enumerated apps and desktops within Citrix Receiver, including the user’s Start menu settings. When the user clicks an icon, Citrix Receiver passes through the user’s domain credentials to the Delivery Controller and the app (or desktop) opens.
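
An added example (not part of the Citrix documentation) that checks, on the endpoint, the conditions the procedures above set up: domain membership, ssonsvr.exe running in the current user's session, and the StoreFront URL resolving to the Trusted Sites zone. It assumes Windows PowerShell 5.1; the function name Test-SsonEndpoint and the sample URL are placeholders.

```powershell
# Added example for Windows PowerShell 5.1; run as the logged-on domain user.
# Test-SsonEndpoint and the sample URL are placeholders, not Citrix names.
function Test-SsonEndpoint {
    param(
        [Parameter(Mandatory)]
        [string]$StoreFrontUrl   # FQDN only, without the store path
    )

    # The installer's single sign-on option applies to domain-joined machines.
    $computer = Get-CimInstance -ClassName Win32_ComputerSystem

    # ssonsvr.exe must be running in this user's session, not just on the machine.
    $mySession = (Get-Process -Id $PID).SessionId
    $sson = Get-Process -Name ssonsvr -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $mySession }

    # Effective Internet Explorer security zone for the URL. This reflects both
    # a manual Trusted Sites entry and the Site to Zone Assignment List GPO.
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($StoreFrontUrl).SecurityZone

    $result = [pscustomobject]@{
        DomainJoined     = [bool]$computer.PartOfDomain
        Domain           = $computer.Domain
        SsonSvrInSession = [bool]$sson
        StoreFrontZone   = $zone.ToString()
        InTrustedSites   = ($zone -eq [System.Security.SecurityZone]::Trusted)
    }
    $ready = $result.DomainJoined -and $result.SsonSvrInSession -and $result.InTrustedSites
    $result | Add-Member -NotePropertyName Ready -NotePropertyValue $ready -PassThru
}

Test-SsonEndpoint -StoreFrontUrl 'https://storefront.example.com' | Format-List
```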

Enable Delivery Controller to trust XML

Use the following procedure to configure SSON on StoreFront and Web Interface:

  1. Log on to the Delivery Controller(s) as an administrator.
  2. Open Windows PowerShell (with administrative privileges). Using PowerShell, you can issue commands to enable the Delivery Controller to trust XML requests sent from StoreFront.
  3. If not already loaded, load the Citrix cmdlets by typing Add-PSSnapin Citrix*, and press Enter.
  4. Press Enter.
  5. Type Add-PSSnapin citrix.broker.admin.v2, and press Enter.
  6. Type Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True, and press Enter.
  7. Close PowerShell.
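
The same change as a script that records the previous value and verifies the result, given as an added example and not taken from the Citrix documentation. It uses only the snap-in and parameter named in the steps above plus Get-BrokerSite from the same snap-in.

```powershell
# Added example; run in an elevated Windows PowerShell session on a Delivery Controller.
# With this setting on, the Controller accepts the user identity that StoreFront
# asserts in XML requests, so the XML Service port should be reachable only from
# the StoreFront servers and the traffic between them protected.
$snapin = 'Citrix.Broker.Admin.V2'
if (-not (Get-PSSnapin -Name $snapin -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name $snapin -ErrorAction Stop
}

# Read the current value first so the change record shows what was altered.
$before = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
if (-not $before) {
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}
$after = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort

[pscustomobject]@{ Before = $before; After = $after; Changed = ($before -ne $after) }
if (-not $after) { throw 'TrustRequestsSentToTheXmlServicePort is still disabled.' }
```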

Configuring SSON on StoreFront and Web Interface

StoreFront configuration

To configure SSON on StoreFront and Web Interface, open Citrix Studio on the StoreFront Server and select Authentication > Add/Remove Methods. Select Domain pass-through.

[Image: Add/remove authentication methods]

Web Interface configuration

To configure SSON on the Web Interface, select Citrix Web Interface Management > XenApp Services Sites > Authentication Methods and enable Pass-through.

[Image: Configure authentication methods]