Kerberos delegation


Kerberos delegation is deprecated and can only be used with XenApp 6.5 and earlier. It cannot be used with any supported version of Citrix Virtual Apps and Desktops.

When using domain pass-through or smart card authentication, either directly or via a Citrix Gateway, storeFront does not have the user’s credentials so is unable to authenticate to the delivery controller with the user’s credentials. When using XenApp 6.5 and earlier, you can enable Kerberos delegation to allow StoreFront to impersonate the user to authenticate to the delivery controller. This requires delegation to be configured within Active Directory.

  1. Select a store and from the Actions pane and click Configure store settings.

  2. Select the Kerberos Delegation tab.

  3. Choose whether to Enable Kerberos Delegation or Disable Kerberos Delegation.

  4. Press Apply or OK to save the changes.

Screenshot of Configure Store Settings window Kerberos Delegation tab

PowerShell SDK

To configure Kerberos delegation, use cmdlet Set-STFStoreService with parameter -KerberosDelegation

Kerberos delegation