Authenticate using different domains
Some organizations have policies in place that do not allow them to give third-party developers or contractors access to published resources in a production environment. This article shows you how to give access to published resources in a test environment by authenticating through Citrix Gateway with one domain. You can then use a different domain to authenticate to StoreFront and the Receiver for Web site. Authentication through Citrix Gateway described in this article is supported for users logging on through the Receiver for Web site. This authentication method is not supported for users of native desktop or mobile Citrix Receiver or Citrix Workspace apps.
Set up a test environment
This example uses a production domain called production.com and a test domain called development.com.
production.com
domain
The production.com
domain in this example is set up as follows:
- Citrix Gateway with
production.com
LDAP authentication policy configured. - Authentication through the gateway occurs using a production\testuser1 account and password.
development.com
domain
The development.com
domain in this example is set up as follows:
- StoreFront, Citrix Virtual App and Desktops and VDAs are all on the
development.com
domain. - Authentication to the Citrix Receiver for Web site occurs using a development\testuser1 account and password.
- There is no trust relationship between the two domains.
Configure a Citrix Gateway for the store
To configure a Citrix Gateway for the store:
- Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage Citrix Gateways.
- On the Manage Citrix Gateways screen, click Add.
-
Complete the General Settings, Secure Ticket Authority, and Authentication steps.
Note:
DNS conditional forwarders may need to be added so that the DNS servers in use on both domains can resolve FQDNs on the other domain. The Citrix ADC appliance must be able to resolve the STA server FQDNs on the
development.com
domain using itsproduction.com
DNS server. StoreFront should also be able to resolve the callback URL on theproduction.com
domain using itsdevelopment.com
DNS server. Alternatively, adevelopment.com
FQDN can be used which resolves to the Citrix Gateway virtual server virtual IP (VIP).
Enable pass-through from Citrix Gateway
- Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage Authentication Methods.
- On the Manage Authentication Methods screen, select Pass-through from Citrix Gateway.
- Click OK.
Configure the store for remote access using the Gateway
- Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Remote Access Settings.
- Select Enable Remote Access.
- Ensure that you have registered the Citrix Gateway with your store. If you do not register the Citrix Gateway, the STA ticketing will not work.
Disable token consistency
- Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Store Settings.
- On the Configure Store Settings page, select Advanced Settings.
-
Clear the Require token consistency check box. For more information, see Advanced store settings.
- Click OK.
Note:
The Require token consistency setting is selected (on) by default. If you disable this setting, SmartAccess features used for Citrix ADC End Point Analysis (EPA) stop working. For more information on SmartAccess, see CTX138110.
Disable pass-through from Citrix Gateway for the Receiver for Web site
Important:
Disabling pass-through from Citrix Gateway prevents Receiver for Web from trying to use the incorrect credentials from the
production.com
domain passed from the Citrix ADC appliance. Disabling pass-through from Citrix Gateway causes Receiver for Web to prompt the user to enter credentials. These credentials are different from the credentials used to log on through the Citrix Gateway.
- Select the Stores node in the left pane of the Citrix StoreFront management console.
- Select the store that you want to modify.
- In the Actions pane, click Manage Receiver for Web Sites.
- In Authentication Methods, clear Pass-through from Citrix Gateway.
-
Click OK.
production.com
user and credentials
Log on to Gateway using a To test, log on to Gateway using a production.com
user and credentials.
After logon, the user is prompted to enter development.com
credentials.
Add a trusted domain drop-down list in StoreFront (optional)
This setting is optional, but it may help prevent the user from accidentally entering the wrong domain to authenticate through the Citrix Gateway.
If the user name is the same for both domains, entering the wrong domain is more likely. New users may also be used to leaving out the domain when they log on through the Citrix Gateway. Users may then forget to enter domain\username for the second domain when they are prompted to log on to the Receiver for Web site.
- Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage Authentication Methods.
- Select the drop-down arrow next to User name and password.
- Click Add to add
development.com
as a trusted domain, and select the Show domains list in logon page check box. - Click OK.
Note:
Browser password caching is not recommended in this authentication scenario. If users have different passwords for the two different domain accounts, password caching can lead to a poor experience.
Citrix Gateway clientless VPN (CVPN) session action policy
- If Single Sign-on to web applications is enabled within your Citrix Gateway session policy, incorrect credentials sent by Citrix ADC appliance to Receiver for Web are ignored because you disabled the Pass-through from Citrix Gateway authentication method on the Receiver for Web site. Receiver for Web prompts for credentials regardless of what this option is set to.
-
Populating the Single Sign-on entries in the Client Experience and Published App tabs in Citrix ADC appliance does not change the behavior described in this article.
In this article
- Set up a test environment
- Configure a Citrix Gateway for the store
- Enable pass-through from Citrix Gateway
- Configure the store for remote access using the Gateway
- Disable token consistency
- Disable pass-through from Citrix Gateway for the Receiver for Web site
- Log on to Gateway using a production.com user and credentials
- Add a trusted domain drop-down list in StoreFront (optional)
- Citrix Gateway clientless VPN (CVPN) session action policy