The Citrix online plug-in features enhanced security for pass-through authentication. Rather than sending user passwords over the network, pass-through authentication leverages Kerberos authentication. Kerberos is an industry-standard network authentication protocol built into the Windows operating systems. Kerberos logon offers security-minded users the convenience of pass-through authentication combined with secret-key cryptography and data integrity provided by industry-standard network security solutions.
Kerberos logon works only between clients and servers that belong to the same or to trusted Windows domains. Servers must also be trusted for delegation, an option you configure through the Active Directory Users and Computers management tool.
Kerberos requires Citrix XML Service DNS address resolution to be enabled for the server farm or reverse DNS resolution to be enabled for the Active Directory domain.
Windows supports two authentication protocols, Kerberos and NTLM, so Windows applications such as Windows Explorer, Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome, Microsoft Office, and others can use Windows pass-through authentication to access network resources without explicit user authentication prompts.
Most applications and network services that support Windows pass-through authentication accept both the Kerberos and NTLM protocols, but some do not. In addition, Kerberos does not operate across certain types of domain trust links, in which case applications automatically fall back to the NTLM protocol. However, the NTLM protocol does not operate in a XenApp session that was started using Kerberos pass-through authentication, so applications that cannot use Kerberos are unable to authenticate silently in such a session.
Kerberos is based on security tickets issued by domain controllers, which impose a maximum refresh period (typically one week). When the maximum refresh period has ended, Windows obtains a new Kerberos ticket automatically by using the cached network credentials that the NTLM protocol requires. However, these network credentials are not available when the XenApp session was started using Kerberos pass-through authentication.
To enable Citrix XML Service DNS address resolution for the server farm, configure the DNS address resolution setting in the Citrix Computer policy.
To prevent Kerberos authentication for users on a specific server, create the following registry value as a DWORD under the Citrix Logon key on that server:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Logon\DisableSSPI = 1
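The following PowerShell is an added example, not Citrix's own tooling: it audits whether the DisableSSPI value from the registry path above is present and correctly typed, and provides idempotent functions to set or clear it. It assumes you run it in an elevated session on the XenApp server itself.

```powershell
# Added example (not from the Citrix documentation). Assumes the registry
# path quoted on this page and an elevated session on the server.
$KeyPath   = 'HKLM:\SOFTWARE\Wow6432Node\Citrix\Logon'
$ValueName = 'DisableSSPI'

function Get-KerberosPassThroughState {
    # Reports whether Kerberos pass-through is disabled (DisableSSPI = 1, REG_DWORD)
    # or still allowed (value absent, 0, or of the wrong type).
    $key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) {
        return [pscustomobject]@{
            Present = $false; Value = $null; KerberosDisabled = $false
            Note    = 'Citrix Logon key not found'
        }
    }
    $value = $key.GetValue($ValueName, $null)
    $kind  = if ($null -ne $value) { $key.GetValueKind($ValueName) } else { $null }
    $note  = if ($null -ne $kind -and $kind -ne 'DWord') { "Value type is $kind, expected DWord" } else { '' }
    [pscustomobject]@{
        Present          = ($null -ne $value)
        Value            = $value
        KerberosDisabled = ($kind -eq 'DWord' -and $value -eq 1)
        Note             = $note
    }
}

function Disable-KerberosPassThrough {
    # Creates the key if needed and writes DisableSSPI = 1 as a REG_DWORD (idempotent).
    if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 -PropertyType DWord -Force | Out-Null
    Get-KerberosPassThroughState
}

function Enable-KerberosPassThrough {
    # Removes the value so the online plug-in may use Kerberos pass-through again.
    Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    Get-KerberosPassThroughState
}

# Audit the current state; call Disable-/Enable-KerberosPassThrough to change it.
Get-KerberosPassThroughState | Format-List
```

A value written as REG_SZ "1" would not be honoured as a DWORD, which is why the audit reports the value kind as well as the number.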
You can configure the Citrix online plug-ins to use Kerberos with or without pass-through authentication.