Configure Kerberos constrained delegation for XenApp 6.5

Use the Configure Store Settings > Kerberos delegation task to specify whether StoreFront uses single-domain Kerberos constrained delegation to authenticate to delivery controllers.

Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.

  1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
  2. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Store Settings, and then click Kerberos Delegation.
  3. Select Enable Kerberos delegation to authenticate to delivery controllers or Disable Kerberos delegation to authenticate to delivery controllers to, respectively, enable or disable Kerberos constrained delegation.

Configure the StoreFront server for delegation

Follow this procedure when StoreFront is not installed on the same machine as XenApp.

  1. On the domain controller, open the MMC Active Directory Users and Computers snap-in.
  2. On the View menu, click Advanced Features.
  3. In the left pane, click the Computers node under the domain name and select the StoreFront server.
  4. In the Action pane, click Properties.
  5. On the Delegation tab, click Trust this computer for delegation to specified services only and Use any authentication protocol, and then click Add.
  6. In the Add Services dialog box, click Users or Computers.
  7. In the Select Users or Computers dialog box, type the name of the server running the Citrix XML Service (XenApp) in the Enter the object names to select box, and then click OK.
  8. Select the HTTP service type from the list, and then click OK.
  9. Apply the changes and close the dialog box.

Configure XenApp server for delegation

Configure Active Directory Trusted Delegation for each XenApp server.

  1. On the domain controller, open the MMC Active Directory Users and Computers snap-in.
  2. In the left pane, click the Computers node under the domain name and select the server running the Citrix XML Service (XenApp) that StoreFront is configured to contact.
  3. In the Action pane, click Properties.
  4. On the Delegation tab, click Trust this computer for delegation to specified services only and Use any authentication protocol, and then click Add.
  5. In the Add Services dialog box, click Users or Computers.
  6. In the Select Users or Computers dialog box, type the name of the server running the Citrix XML Service (XenApp) in the Enter the object names to select box, and then click OK.
  7. Select the HOST service type from the list, click OK, and then click Add.
  8. In the Select Users or Computers dialog box, type the name of the domain controller in the Enter the object names to select box, and then click OK.
  9. Select the cifs and ldap service types from the list and click OK. Note: If two choices appear for the ldap service, select the one that matches the FQDN of the domain controller.
  10. Apply the changes and close the dialog box.
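The two procedures above (StoreFront server and XenApp server) set the same two attributes on each computer account: the "Use any authentication protocol" flag (TRUSTED_TO_AUTH_FOR_DELEGATION) and the list of target SPNs in msDS-AllowedToDelegateTo. The following script is an added example, not part of the Citrix documentation, that applies those settings with the ActiveDirectory PowerShell module and then reads them back so you can verify that each account is allowed to delegate only to the intended services. The host names sf01, xa01 and dc01.example.local are assumptions; replace them with your own.

```powershell
# Added example (not from the Citrix documentation): applies the delegation
# settings from both procedures above with the ActiveDirectory module instead
# of the MMC snap-in, then reads them back for verification.
# Assumed names: sf01 (StoreFront), xa01 (XenApp / Citrix XML Service),
# dc01.example.local (domain controller). Replace them with your own.
Import-Module ActiveDirectory

$StoreFront = 'sf01'
$XenApp     = 'xa01'
$DcFqdn     = 'dc01.example.local'
$DcShort    = $DcFqdn.Split('.')[0]
$DnsRoot    = (Get-ADDomain).DNSRoot

# Equivalent of "Trust this computer for delegation to specified services
# only" + "Use any authentication protocol": unconstrained delegation is
# cleared, TRUSTED_TO_AUTH_FOR_DELEGATION is set, and the target SPNs are
# written to msDS-AllowedToDelegateTo (replacing any existing list).
function Set-ConstrainedDelegation {
    param([string]$Computer, [string[]]$TargetSpns)
    Set-ADComputer -Identity $Computer -TrustedForDelegation $false
    Set-ADAccountControl -Identity "$Computer$" -TrustedToAuthForDelegation $true
    Set-ADComputer -Identity $Computer -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
}

# StoreFront server: HTTP service on the XenApp/XML Service host
# (short and FQDN forms, as the MMC dialog adds both).
Set-ConstrainedDelegation -Computer $StoreFront -TargetSpns @(
    "HTTP/$XenApp", "HTTP/$XenApp.$DnsRoot"
)

# XenApp server: HOST on itself, cifs and ldap on the domain controller.
Set-ConstrainedDelegation -Computer $XenApp -TargetSpns @(
    "HOST/$XenApp", "HOST/$XenApp.$DnsRoot",
    "cifs/$DcFqdn", "cifs/$DcShort",
    "ldap/$DcFqdn", "ldap/$DcShort"
)

# Verification: read back what is now on each account and confirm that
# msDS-AllowedToDelegateTo holds only the SPNs you intended.
foreach ($c in $StoreFront, $XenApp) {
    Get-ADComputer -Identity $c -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
        Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } } |
        Format-List
}
```

Run it from a session with rights to modify the two computer accounts; the final loop is also useful on its own as a periodic audit of which services each server may delegate to.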

Important considerations

When you decide whether to use Kerberos constrained delegation, consider the following information.

  • Key Notes:
    • You do not need ssonsvr.exe unless doing pass-through authentication (or smart card PIN pass-through authentication) without Kerberos constrained delegation.
  • Storefront and Citrix Receiver for Web domain pass-through:
    • You do not need ssonsvr.exe on the client.
    • You can set the Local username and password in the Citrix icaclient.adm template to anything (controls ssonsvr.exe function).
    • The icaclient.adm template Kerberos setting is required.
    • Add the Storefront Fully Qualified Domain Name (FQDN) to Internet Explorer trusted sites list. Check the Use local username box in the Internet Explorer security settings for the trusted zone.
    • The client must be in a domain.
    • Enable the Domain pass-through authentication method on the StoreFront server and enable for Citrix Receiver for Web.
  • Storefront, Citrix Receiver for Web, and smart card authentication with PIN prompt:
    • You do not need ssonsvr.exe on the client.
    • Smart card authentication was configured.
    • You can set the Local username and password in the Citrix icaclient.adm template to anything (controls ssonsvr.exe function).
    • The icaclient.adm template Kerberos setting is required.
    • Enable the Smart card authentication method on the StoreFront server and enable for Citrix Receiver for Web.
    • To ensure smart card authentication is chosen, do not check the Use local username box in the Internet Explorer security settings for the StoreFront site zone.
    • The client must be in a domain.
  • NetScaler Gateway, StoreFront, Citrix Receiver for Web, and smart card authentication with PIN prompt:
    • You do not need ssonsvr.exe on the client.
    • Smart card authentication was configured.
    • You can set the Local username and password in the Citrix icaclient.adm template to anything (controls ssonsvr.exe function).
    • The icaclient.adm template Kerberos setting is required.
    • Enable the Pass-through from NetScaler Gateway authentication method on the StoreFront server and enable for Citrix Receiver for Web.
    • To ensure smart card authentication is chosen, do not check the Use local username box in the Internet Explorer security settings for the StoreFront site zone.
    • The client must be in a domain.
    • Configure NetScaler Gateway for smart card authentication and configure an additional vServer for launch using StoreFront HDX routing to route the ICA traffic through the unauthenticated NetScaler Gateway vServer.
  • Citrix Receiver for Windows (AuthManager), smart card authentication with PIN prompt, and StoreFront:
    • You do not need ssonsvr.exe on the client.
    • You can set the Local username and password in the Citrix icaclient.adm template to anything (controls ssonsvr.exe function).
    • The icaclient.adm template Kerberos setting is required.
    • The client must be in a domain.
    • Enable the Smart card authentication method on the StoreFront server.
  • Citrix Receiver for Windows (AuthManager), Kerberos, and StoreFront:
    • You do not need ssonsvr.exe on the client.
    • You can set the Local username and password in the Citrix icaclient.adm template to anything (controls ssonsvr.exe function).
    • The icaclient.adm template Kerberos setting is required.
    • Check the Use local username box in the Internet Explorer security settings for the trusted zone.
    • The client must be in a domain.
    • Enable the Domain pass-through authentication method on the StoreFront server.
    • Ensure this registry key is set:

      Caution:

      Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

      For 32-bit machines: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\AuthManagerProtocols\integratedwindows
        Name: SSONCheckEnabled
        Type: REG_SZ
        Value: true or false

      For 64-bit machines: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\AuthManagerProtocols\integratedwindows
        Name: SSONCheckEnabled
        Type: REG_SZ
        Value: true or false
