Domain pass-through authentication

Users authenticate to their domain-joined Windows computers, and their credentials are used to log them into StoreFront automatically. This is supported through Citrix Workspace app for Windows and from the following web browsers on Windows:

  • Internet Explorer
  • Microsoft Edge
  • Google Chrome
  • Mozilla Firefox

To single sign-in to VDAs, you must use Workspace App for Windows with the Enable single sign-on component, see Configure domain pass-through authentication. If accessing a Store through a browser it must successfully detect Citrix Workspace app. Workspace app for HTML5 is not supported.

StoreFront Configuration

To enable domain pass-through for Citrix Workspace Apps for Windows, in the Authentication Methods select Domain pass-through.

Enabling domain pass-through authentication for a store by default also enables it for Citrix Workspace app for HTML5 for all websites for that store. You can disable domain pass-through authentication for a specific website on the Manage Receiver for Web Sites Authentication methods tab.

Configure Delivery Controller to trust StoreFront

When using domain pass-through authentication, StoreFront does not have access to the user’s credentials so is unable to authenticate to Citrix Virtual Apps and Desktops. You must therefore configure the Delivery Controller to trust requests from StoreFront, see Citrix Virtual Apps and Desktops Security considerations and best practices.

Citrix Workspace App for Windows configuration

To enable domain pass-through to single sign-on to the store and VDAs using Citrix Workspace pap for Windows, see Citrix Workspace app for Windows documentation.

Workspace app for HTML5 browser configuration

You may need to update users’ web browser configuration to allow domain pass-through authentication. You can use domain pass-through to sign into a store through a web browser. To single sign-on to the VDAs, users must open resources in Citrix Workspace app for Windows rather than the web browser.

Internet Explorer, Edge and Chrome

Most web browsers use Windows Internet Explorer zones configuration to decide whether to enable single sign-on. By default it is only enabled for sites in the Local Intranet Zone.

  1. Open Control Panel
  2. Open Internet Options
  3. Go to the Security tab.
  4. Select Local intranet
  5. Click Sites.
  6. Click Advanced.
  7. Add your StoreFront website.

These settings can be deployed using group policy.


Modify the browser advanced settings to trust the StoreFront website URI for single sign-on.


Editing the advanced settings incorrectly can cause serious problems. Make edits at your own risk.

  1. Start Firefox, enter about:config in the address field and select “I accept the risk!”
  2. Type ntlm to the search box.
  3. Double-click on network.automatic-ntlm-auth.trusted-uris and type the StoreFront website into the pop-up dialog.
  4. Click OK.
Domain pass-through authentication