Pass-through from Citrix Gateway

Users authenticate to Citrix Gateway and are automatically logged on when they access their stores. Pass-through from Citrix Gateway authentication is enabled by default when you first configure remote access to a store. Users can connect through Citrix Gateway to stores using Citrix Workspace app or a web browser. For more information about configuring StoreFront for Citrix Gateway, see Add a Citrix Gateway.

StoreFront supports pass-through with the following Citrix Gateway authentication methods.

  • Domain Users log on using their Active Directory username nad password.
  • RSA Users log on to Citrix Gateway using passcodes that are derived from tokencodes generated by security tokens combined, sometimes, with personal identification numbers. If you enable pass-through authentication by security token only, ensure that the resources you make available do not require extra or alternative forms of authentication, such as users’ Microsoft Active Directory domain credentials.
  • Smart card Users log on using smart cards
  • RSA + Domain Users logging on to Citrix Gateway are required to enter both their domain credentials and security token passcodes.

If on the Citrix Gateway you have disabled authentication or you have disabled single-sign-on then pass-through is not used and you must configure one of the other authentication methods.

If you configure double-source authentication to Citrix Gateway for remote users accessing stores from within Citrix Workspace app, you must create two authentication policies on Citrix Gateway. Configure RADIUS (Remote Authentication Dial-In User Service) as the primary authentication method and LDAP (Lightweight Directory Access Protocol) as the secondary method. Modify the credential index to use the secondary authentication method in the session profile so that LDAP credentials are passed to StoreFront. When you add the Citrix Gateway appliance to your StoreFront configuration, set the Logon type to Domain and security token. For more information, see

To enable multidomain authentication through Citrix Gateway to StoreFront, set SSO Name Attribute to userPrincipalName in the Citrix Gateway LDAP authentication policy for each domain. You can require users to specify a domain on the Citrix Gateway logon page so that the appropriate LDAP policy to use can be determined. When you configure the Citrix Gateway session profiles for connections to StoreFront, do not specify a single sign-on domain. You must configure trust relationships between each of the domains. Ensure that you allow users to log on to StoreFront from any domain by not restricting access to explicitly trusted domains only.

Where supported by your Citrix Gateway deployment, you can use SmartAccess to control user access to Citrix Virtual Apps and Desktops resources based on Citrix Gateway session policies. For more information about SmartAccess, see How SmartAccess works for Citrix Virtual Apps and Desktops.

Enable Gateway pass-through

To enable or disable gateway pass-through authentication for a store when connecting through Workspace apps, in the Authentication Methods window tick or untick Pass-through from Citrix Gateway.

Enabling Citrix gateway pass-through authentication for a store by default also enables it for all websites for that store. You can disable username and password authentication for a specific website on the Authentication methods tab.

Allow users to change expired passwords at logon

If your Citrix Gateway is configured to use LDAP (username and password) authentication then you can configure NetScaler to allow changing expired passwords on log-in.

  1. Log into the NetScaler administration website
  2. On the side menu go to Authentication > Dashboard.
  3. Click the authentication server.
  4. Under Other Settings tick Allow Password Change.

Allow users to change passwords after logon

With Pass-through from Citrix Gateway, the Citrix Gateway is responsible for handling authentication. You can configure StoreFront to allow users to change their passwords after logging on. This functionality is only available when accessing StoreFront stores through a browser, not Workspace apps.

The default StoreFront configuration prevents users from changing their passwords, even if the passwords have expired. If you decide to enable this feature, ensure that the policies for the domains containing your servers do not prevent users from changing their passwords. Enabling users to change their passwords exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network.

  1. In the Manage Authentication Methods window, from the Pass-through from Citrix Gateway > Settings drop-down menu, select Manage Password Options

  2. To allow users to change passwords, check Allow users to change passwords check box.

Screenshot of Manage password options

Delegate credential validation to Citrix Gateway

By default StoreFront validates the username and password it receives from the Gateway. If the Gateway is configured to use passwordless authentication methods such as smart card you must configure StoreFront so that it does not validate the credentials and so is reliant on the Gateway’s authentication. In this case, it is recommended that you enter a callback URL when configuring the gateway so StoreFront can verify the request came from the gateway, see Manage Citrix Gateways.

  1. In the Manage Authentication Methods window, from the Pass-through from Citrix Gateway > Settings drop-down menu, select Configure Delegated Authentication.

  2. Tick Fully delegate credential validation to citrix gateway.

Screenshot of Configure Delegated Authentication window.

Single sign-on using Federated Authentication Service

When the gateway is configured with LDAP authentication, it passes the credentials through to StoreFront so that it can single sign-on to VDAs. For other authentication methods, it does not have access to the credentials so single sign-on is not available by default. You can use Federated Authentication Service to provide single sign on.

Pass-through from Citrix Gateway