Domain pass-through authentication

Users authenticate to their domain-joined Windows computers, and their credentials are used to log them into StoreFront automatically. This is supported through Citrix Workspace app for Windows and from the following web browsers on Windows:

  • Internet Explorer
  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox

To single sign-in to VDAs, you must use Workspace App for Windows with the Enable single sign-on component, see Configure domain pass-through authentication. If accessing a Store through a browser it must successfully detect Citrix Workspace app. Workspace app for HTML5 is not supported.

Enable domain pass-through authentication

To enable Gateway pass-through for Citrix Workspace Apps, in the Authentication Methods tick or untick Pass-through from Citrix Gateway.

Enabling domain pass-through authentication for a store by default also enables it for all websites for that store. You can disable domain pass-through authentication for a specific website on the Manage Receiver for Web Sites Authentication methods tab.

Enable Single sign-on in Workspace for Windows, Internet Explorer, Edge and Chrome

Citrix Workspace app and most web browsers use Windows Internet Explorer zones configuration to decide whether to enable single sign-on. By default it is only enabled for sites in the Local Intranet Zone.

  1. Open Control Panel
  2. Open Internet Options
  3. Go to the Security tab.
  4. Select Local intranet
  5. Click Sites.
  6. Click Advanced.
  7. Add your StoreFront website.

These settings can be deployed using group policy.

Enable Single sign-on for Mozilla FireFox

Modify the browser advanced settings to trust the StoreFront website URI for single sign-on.


Editing the advanced settings incorrectly can cause serious problems. Make edits at your own risk.

  1. Start Firefox, enter about:config in the address field and select “I accept the risk!”
  2. Type ntlm to the search box.
  3. Double-click on network.automatic-ntlm-auth.trusted-uris and type the StoreFront website into the pop-up dialog.
  4. Click OK.
Domain pass-through authentication