Configure domain pass-through authentication

Single Sign-on lets you authenticate to a domain and use apps and desktops delivered by that domain without having to re-authenticate to each app or desktop.

When you log on to Citrix Receiver, your credentials are passed through to StoreFront, along with the apps and desktops enumerated for you, including your Start menu settings. After configuring Single Sign-on, you can log on to Citrix Receiver and launch XenApp or XenDesktop sessions without having to type your credentials multiple times.

When you click an app icon, Citrix Receiver passes your domain credentials through to the Delivery Controller and the app or desktop launches.

You can configure Single Sign-on when installing Citrix Receiver using one of the following options:

  • Command line interface
  • Graphical user interface

Prerequisites

  1. Add the StoreFront server to the list of trusted sites using Internet Explorer. To do this:
    1. Launch Internet Explorer.
    2. Select Tools > Internet Options > Security > Local intranet and click Sites. The Local intranet window appears.
    3. Select Advanced.
    4. Add the URL of the StoreFront or Web Interface FQDN with the appropriate HTTP or HTTPS protocols.
    5. Click Apply and OK.
  2. Modify the User Authentication settings in Internet Explorer. To do this:
    1. Launch Internet Explorer.
    2. On the Internet Options > Security tab, click Trusted Sites.
    3. Click Custom level. The Security Settings – Trusted Sites Zone window appears.
    4. In the User Authentication pane, select Automatic logon with current user name and password.


Configuring Single Sign-on using the command line interface

Install Citrix Receiver for Windows with the /includeSSON switch.

Restart Receiver for Windows for the changes to take effect.

Note

If Citrix Receiver is installed without the Single Sign-on component, upgrading to the latest version of Citrix Receiver with the /includeSSON switch is not supported.

Configuring Single Sign-on using the graphical user interface

  1. Locate the Citrix Receiver for Windows installation file (CitrixReceiver.exe).
  2. Double click CitrixReceiver.exe to launch the installer.
  3. In the Enable Single Sign-on installation wizard, select the Enable single sign-on checkbox to install Citrix Receiver for Windows with the SSON feature enabled; this is equivalent to installing Citrix Receiver for Windows using the command line switch /includeSSON.

The image below illustrates how to enable Single Sign-on:

[Image: Enable Single Sign-on installation wizard]

Configuring Single Sign-on on Receiver for Web

You can configure Single Sign-on for Receiver for Web using the Group Policy Object administrative template.

Note: When you upgrade or install Citrix Receiver for Windows for the first time, you must add the latest template files to the local GPO. For more information on adding template files to the local GPO, see https://docs.citrix.com/en-us/receiver/windows/current-release/configure/config-gpo-template.html. When you upgrade, the existing settings are retained while importing the latest files.

  1. Open the Citrix Receiver GPO administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > Citrix Receiver > User Authentication.
  3. Select the Local user name password policy and set it to Enabled.
  4. Click Enable pass-through authentication. This option allows Citrix Receiver to use your login credentials for authentication on the remote server.
  5. Click Allow pass-through authentication for all ICA connections. This option bypasses any authentication restriction and allows credential pass-through for all connections.
  6. Click Apply and OK.
  7. Restart the Citrix Receiver for Windows for Web for the changes to take effect.

Verify that Single Sign-on is enabled by launching Citrix Receiver. After launching Receiver, open Task Manager and check whether the ssonsvr.exe process is running.

Configuring Single Sign-on on StoreFront and Web Interface

StoreFront configuration

To configure SSON on StoreFront and Web Interface, open Citrix Studio on the StoreFront Server and select Authentication > Add/Remove Methods. Select Domain pass-through.


Web Interface configuration

To configure SSON on the Web Interface, select Citrix Web Interface Management > XenApp Services Sites > Authentication Methods and enable Pass-through.


Using Configuration Checker to validate the Single Sign-on configuration

Configuration Checker lets you run a test to ensure that Single sign-on is configured properly. The test runs on different checkpoints of the Single sign-on configuration and displays the configuration results.

  1. Right-click Citrix Receiver for Windows in the notification area and click Advanced Preferences.
  2. Click Configuration Checker. The Citrix Configuration Checker window appears.


  3. Select SSONChecker from the Select pane.
  4. Click Run. A progress bar appears, displaying the status of the test.

The Configuration Checker window has the following columns:

  1. Status: Displays the result of a test on a specific checkpoint.
    • A green check mark indicates that the specific checkpoint is configured properly.
    • A blue I indicates information about the checkpoint.
    • A red X indicates that the specific checkpoint is not configured properly.
  2. Provider: Displays the name of the module on which the test is run. In this case, Single Sign-on.
  3. Suite: Indicates the category of the test. For example, Installation.
  4. Test: Indicates the name of the specific test that is run.
  5. Details: Provides additional information about the test, irrespective of pass or fail.

The user gets more information about each checkpoint and the corresponding results.

The following tests are performed:

  1. Installed with Single Sign-on
  2. Logon credential capture
  3. Network Provider registration: The test result against Network Provider registration displays a green check mark only when “Citrix Single Sign-on” is set to be first in the list of Network Providers. If Citrix Single Sign-on appears anywhere else in the list, the test result against Network Provider registration appears with a blue I and additional information.
  4. Single Sign-on process is running
  5. Group Policy: By default, this policy is configured on the client.
  6. Internet Settings for Security Zones: Ensure that you add the Store/XenApp Service URL to the list of Security Zones in the Internet Options. If the Security Zones are configured via Group Policy, any change in the policy requires the Advanced Preferences window to be reopened for the changes to take effect and to display the correct status of the test.
  7. Authentication method for Web Interface/StoreFront.

Note

  • If you are accessing Receiver for Web, the test results are not applicable.
  • If Citrix Receiver for Windows is configured for multiple stores, the authentication method test runs on all configured stores.
  • You can save the test results as reports. The default report format is .txt.

For information on configuring domain pass-through authentication, see Knowledge Center article CTX133982.
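
Three of the client-side checkpoints listed above (Single Sign-on process, Network Provider order, security-zone logon setting) can also be read directly from the client. The script below is an added example, not Citrix code: it is read-only, the store URL is a placeholder, and it assumes Windows PowerShell 5.1 and that the provider's registered display name matches the “Citrix Single Sign-on” name quoted above.

```powershell
# Added example, not Citrix code. Read-only; assumes Windows PowerShell 5.1 on the client.
param([string]$StoreUrl = 'https://storefront.example.test')  # hypothetical store URL

function Test-SsonProcess {
    # "Single Sign-on process is running": ssonsvr.exe is the process this page names.
    [bool](Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue)
}

function Get-SsonProviderPosition {
    param([string]$DisplayName = 'Citrix Single Sign-on')  # assumed to match the registered name
    # Windows stores the provider order as a comma-separated list of service names.
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $order = @((Get-ItemProperty -Path $orderKey).ProviderOrder -split ',')
    for ($i = 0; $i -lt $order.Count; $i++) {
        $key  = "HKLM:\SYSTEM\CurrentControlSet\Services\$($order[$i])\NetworkProvider"
        $name = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Name
        if ($name -eq $DisplayName) { return $i + 1 }      # 1 means first in the list
    }
    return 0                                               # provider not registered
}

function Get-StoreZoneLogon {
    param([string]$Url)
    # Ask Windows which security zone the URL maps to (Intranet = 1, Trusted = 2).
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone
    $sub  = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$([int]$zone)"
    # Simplification: check policy copies first, then the per-user preference.
    $paths = "HKLM:\Software\Policies\$sub", "HKCU:\Software\Policies\$sub", "HKCU:\Software\$sub"
    $value = $null
    foreach ($path in $paths) {
        $v = (Get-ItemProperty -Path $path -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
        if ($null -ne $v) { $value = [int]$v; break }
    }
    # Value 1A00 is the zone's "User Authentication > Logon" setting.
    $names = @{
        0       = 'Automatic logon with current user name and password'
        0x10000 = 'Prompt for user name and password'
        0x20000 = 'Automatic logon only in Intranet zone'
        0x30000 = 'Anonymous logon'
    }
    $logon = if ($null -ne $value -and $names.ContainsKey($value)) { $names[$value] } else { 'Not set in the checked keys' }
    [pscustomobject]@{ Url = $Url; Zone = $zone; Logon = $logon }
}

[pscustomobject]@{
    SsonProcessRunning = Test-SsonProcess
    ProviderPosition   = Get-SsonProviderPosition
    StoreZoneLogon     = Get-StoreZoneLogon -Url $StoreUrl
} | Format-List
```

The logon setting is per zone, so an automatic-logon result applies to every site mapped to that zone; keep the zone's site list limited to hosts that should receive domain credentials.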

Hiding the Configuration Checker option from the Advanced Preferences window

  1. Open the Citrix Receiver Group Policy Object administrative template by running gpedit.msc.
  2. Go to Citrix Components > Citrix Receiver > Self Service > DisableConfigChecker.
  3. Click Enabled to hide the Configuration Checker option from the Advanced Preferences window.
  4. Click Apply and OK.
  5. Open a command prompt.
  6. Run the gpupdate /force command.

Limitation

Configuration Checker does not include the checkpoint for the configuration of Trust requests sent to the XML service on XenApp and XenDesktop servers.