Product Documentation

Configure authentication for XenApp Services URLs

Oct 06, 2015

XenApp Services URLs enable users of domain-joined desktop appliances and repurposed PCs running the Citrix Desktop Lock, along with users who have older Citrix clients that cannot be upgraded, to access stores. When you create a new store, the XenApp Services URL is enabled by default. The XenApp Services URL for a store has the form http[s]://serveraddress/Citrix/storename/PNAgent/config.xml, where serveraddress is the fully qualified domain name of the server or load balancing environment for your StoreFront deployment and storename is the name specified for the store when it was created.

XenApp Services URLs support explicit, domain pass-through, and pass-through with smart card authentication. Explicit authentication is enabled by default. You can change the authentication method, but only one authentication method can be configured for each XenApp Services URL. To enable multiple authentication methods, create separate stores, each with a XenApp Services URL, for each authentication method. To change the authentication method for a XenApp Services URL, you run a Windows PowerShell script.
Note: The StoreFront and PowerShell consoles cannot be open at the same time. Always close the StoreFront admin console before using the PowerShell console to administer your StoreFront configuration. Likewise, close all instances of PowerShell before opening the StoreFront console.
Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.

 

Use an account with local administrator permissions to start Windows PowerShell and, at a command prompt, enter one of the following commands to configure the user authentication method for users accessing the store through the XenApp Services URL.

& "installationlocation\Scripts\EnablePnaForStore.ps1" –SiteId iisid 
  –ResourcesVirtualPath storepath –LogonMethod {prompt | sson | smartcard_sson | smartcard_prompt} 

Where installationlocation is the directory in which StoreFront is installed, typically C:\Program Files\Citrix\Receiver StoreFront\. For iisid, specify the numerical ID of the Microsoft Internet Information Services (IIS) site hosting StoreFront, which can be obtained from the Internet Information Services (IIS) Manager console. Replace storepath with the relative path to the store in IIS, for example, /Citrix/Store. To enable explicit authentication, set the -LogonMethod argument to prompt. For domain pass-through, use sson and for pass-through with smart card authentication, set the argument to smartcard_sson.

XenApp Services Support smart card authentication method

& "installationlocation\Scripts\EnablePnaForStore.ps1" –SiteId iisid 
  –ResourcesVirtualPath storepath –LogonMethod smartcard_prompt 

The installationlocation is the directory in which StoreFront is installed, typically C:\Program Files\Citrix\Receiver StoreFront\.

Replace storepath with the relative path to the store in IIS, for example, /Citrix/Store.

For domain pass-through with smart card authentication, set the argument to smartcard_prompt.