Product documentation
StoreFront
Current Release 2402 LTSR 2203 LTSR 1912 LTSR 3.12
View PDF

Domain pass-through authentication

April 3, 2024
Contributed by: 
C S

Users authenticate to their domain-joined Windows computers, and their credentials are used to log them into Citrix Workspace app automatically. This is supported through Citrix Workspace app for Windows and from the following web browsers on Windows:

  • Internet Explorer
  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox

StoreFront Configuration

To enable domain pass-through for Citrix Workspace Apps for Windows, in the Authentication Methods select Domain pass-through.

Enabling domain pass-through authentication for a store by default also enables it for Citrix Workspace app for HTML5 for all websites for that store. You can disable domain pass-through authentication for a specific website on the Manage Receiver for Web Sites Authentication methods tab.

Configure Delivery Controller to trust StoreFront

When using domain pass-through authentication, StoreFront does not have access to the user’s credentials so is unable to authenticate to Citrix Virtual Apps and Desktops. You must therefore configure the Delivery Controller to trust requests from StoreFront, see Citrix Virtual Apps and Desktops Security considerations and best practices.

Single sign-on to VDAs

To single sign-in to VDAs, you must use Citrix Workspace app for Windows with the Enable single sign-on component, see Configure domain pass-through authentication. If using Citrix Workspace app for HTML5 then it must be configured to connect to resources in Citrix Workspace app for Windows rather than the browser.

Citrix Workspace app for Windows configuration

To enable domain pass-through to single sign-on to the store and VDAs using Citrix Workspace app for Windows, see Citrix Workspace app for Windows documentation.

Citrix Workspace app for HTML5 configuration

You may need to update users’ web browser configuration to allow domain pass-through authentication. You can use domain pass-through to sign into a store through a web browser. To single sign-on to the VDAs, users must open resources in Citrix Citrix Workspace app for Windows rather than the web browser.

Internet Explorer, Edge and Chrome

Most web browsers use Windows Internet Explorer zones configuration to decide whether to enable single sign-on. By default it is only enabled for sites in the Local Intranet Zone. To add your site to the intranet zone:

  1. Open Control Panel
  2. Open Internet Options
  3. Go to the Security tab.
  4. Select Local intranet
  5. Click Sites.
  6. Click Advanced.
  7. Add your StoreFront website.

These settings can be deployed using group policy.

FireFox

Modify the browser advanced settings to trust the StoreFront website URI for single sign-on.

Warning:

Editing the advanced settings incorrectly can cause serious problems. Make edits at your own risk.

  1. Open Firefox on the computer that will authenticate using domain pass-through.
  2. In the address bar, type about:config.
  3. Click “I accept the risk!”.
  4. In the Search bar, type negotiate.
  5. Double-click network.negotiate-auth.delegation-uris.
  6. Enter the name of your corporate Windows domain (for example, mydomain.com).
  7. Click OK.
  8. Double-click network.negotiate-auth.trusted-uris.
  9. Enter the name of your corporate Windows domain (for example, mydomain.com).
  10. Click OK.
  11. Close and Restart Firefox.

Single sign-on to VDAs using FAS

Alternatively you can configure Federated Authentication Service to single sign-on to VDAs when using locally installed Citrix Workspace app but not Citrix Workspace app for HTML5.

Domain pass-through authentication
April 3, 2024
Contributed by: 
C S
April 3, 2024
Contributed by: 
C S

In this article

Site feedback | Privacy and legal terms | Cookie preferences | Consent settings | docs.cloud.com
© 1999- Cloud Software Group, Inc. All rights reserved.