Create and configure the authentication service

Sep 08, 2014

Create the authentication service

Use the Create Authentication Service task to configure the StoreFront authentication service. The authentication service authenticates users to Microsoft Active Directory, ensuring that users do not need to log on again to access their desktops and applications.

You can only configure one authentication service per StoreFront deployment. This task is only available when the authentication service has not yet been configured.

To use HTTPS to secure communications between StoreFront and users' devices, you must configure Microsoft Internet Information Services (IIS) for HTTPS. In the absence of the appropriate IIS configuration, StoreFront uses HTTP for communications.

By default, Citrix Receiver requires HTTPS connections to stores. If StoreFront is not configured for HTTPS, users must carry out additional configuration steps to use HTTP connections. HTTPS is required for smart card authentication. You can change from HTTP to HTTPS at any time, provided the appropriate IIS configuration is in place. For more information, see Configure server groups.

Important: In multiple-server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
  1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
  2. Select the Authentication node in the left pane of the Citrix StoreFront management console and, in the Actions pane, click Create Authentication Service.
  3. Specify the access methods that you want to enable for your users, and click Create.
    • Select the User name and password check box to enable explicit authentication. Users enter their credentials when they access their stores.
    • Select the Domain pass-through check box to enable pass-through of Active Directory domain credentials from users' devices. Users authenticate to their domain-joined Windows computers and are automatically logged on when they access their stores. To use this option, pass-through authentication must be enabled when Receiver for Windows is installed on users' devices.
    • Select the Smart card check box to enable smart card authentication. Users authenticate using smart cards and PINs when they access their stores.
    • Select the HTTP Basic check box to enable HTTP Basic authentication. Users authenticate with the StoreFront server's IIS web server.
    • Select the Pass-through from NetScaler Gateway check box to enable pass-through authentication from NetScaler Gateway. Users authenticate to NetScaler Gateway and are automatically logged on when they access their stores.

    To enable pass-through authentication for smart card users accessing stores through NetScaler Gateway, use the Configure Delegated Authentication task.

  4. Once the authentication service has been created, click Finish.

Configure the authentication service

The authentication service authenticates users to Microsoft Active Directory, ensuring that users do not need to log on again to access their desktops and applications. You can only configure one authentication service per StoreFront deployment.

The tasks below enable you to modify settings for the StoreFront authentication service. Some advanced settings can only be changed by editing the authentication service configuration files. For more information, see Configure StoreFront using the configuration files.

Important: In multiple-server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.

Manage authentication methods

You can enable or disable the user authentication methods that were set up when the authentication service was created: select an authentication method in the results pane of the Citrix StoreFront management console and, in the Actions pane, click Enable Method or Disable Method, as appropriate. To remove an authentication method from the authentication service, or to add a new one, use the Add/Remove Methods task.

  1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
  2. Select the Authentication node in the left pane of the Citrix StoreFront management console and, in the Actions pane, click Add/Remove Methods.
  3. Specify the access methods that you want to enable for your users.
    • Select the User name and password check box to enable explicit authentication. Users enter their credentials when they access their stores.
    • Select the Domain pass-through check box to enable pass-through of Active Directory domain credentials from users' devices. Users authenticate to their domain-joined Windows computers and are automatically logged on when they access their stores. To use this option, pass-through authentication must be enabled when Receiver for Windows is installed on users' devices.
    • Select the Smart card check box to enable smart card authentication. Users authenticate using smart cards and PINs when they access their stores.
    • Select the HTTP Basic check box to enable HTTP Basic authentication. Users authenticate with the StoreFront server's IIS web server.
    • Select the Pass-through from NetScaler Gateway check box to enable pass-through authentication from NetScaler Gateway. Users authenticate to NetScaler Gateway and are automatically logged on when they access their stores.

    To enable pass-through authentication for smart card users accessing stores through NetScaler Gateway, use the Configure Delegated Authentication task.

Configure trusted user domains

Use the Configure Trusted Domains task to restrict access to stores for users logging on with explicit domain credentials, either directly or using pass-through authentication from NetScaler Gateway.

  1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
  2. Select the Authentication node in the left pane of the Citrix StoreFront management console and, in the results pane, select the appropriate authentication method. In the Actions pane, click Configure Trusted Domains.
  3. Select Trusted domains only. Click Add to enter the name of a trusted domain. Users with accounts in that domain can log on to all stores that use the authentication service. To modify a domain name, select the entry in the Trusted domains list and click Edit. To discontinue access to stores for user accounts in a domain, select that domain in the list and click Remove.

    The way in which you specify the domain name determines the format in which users must enter their credentials. If you want users to enter their credentials in domain user name format, add the NetBIOS name to the list. To require that users enter their credentials in user principal name format, add the fully qualified domain name to the list. If you want to enable users to enter their credentials in both domain user name format and user principal name format, you must add both the NetBIOS name and the fully qualified domain name to the list.

  4. If you configure multiple trusted domains, select from the Default domain list the domain that is selected by default when users log on.
  5. If you want to list the trusted domains on the logon page, select the Show domains list in logon page check box.

Enable users to change their passwords

Use the Manage Password Options task to enable Receiver for Web site users logging on with domain credentials to change their passwords. When you create the authentication service, the default configuration prevents Receiver for Web site users from changing their passwords, even if the passwords have expired. If you decide to enable this feature, ensure that the policies for the domains containing your servers do not prevent users from changing their passwords. Enabling users to change their passwords exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network.

  1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
  2. Select the Authentication node in the left pane of the Citrix StoreFront management console and, in the results pane, select User name and password. In the Actions pane, click Manage Password Options.
  3. Specify the circumstances under which Receiver for Web site users logging on with domain credentials are able to change their passwords.
    • To enable users to change their passwords whenever they want, select At any time. Local users whose passwords are about to expire are shown a warning when they log on. Password expiry warnings are only displayed to users connecting from the internal network. By default, the notification period for a user is determined by the applicable Windows policy setting. For more information about setting custom notification periods, see Configure the password expiry notification period.
    • To enable users to change their passwords only when the passwords have already expired, select When expired. Users who cannot log on because their passwords have expired are redirected to the Change Password dialog box.
    • To prevent users from changing their passwords, select Never. If you select this option, you must make your own arrangements to support users who cannot access their desktops and applications because their passwords have expired.

    If you enable Receiver for Web site users to change their passwords at any time, ensure that there is sufficient disk space on your StoreFront servers to store profiles for all your users. To check whether a user's password is about to expire, StoreFront creates a local profile for that user on the server. StoreFront must be able to contact the domain controller to change users' passwords.

Delegate credential validation to NetScaler Gateway

Use the Configure Delegated Authentication task to enable pass-through authentication for smart card users accessing stores through NetScaler Gateway. This task is only available when Pass-through from NetScaler Gateway is enabled and selected in the results pane.

When credential validation is delegated to NetScaler Gateway, users authenticate to NetScaler Gateway with their smart cards and are automatically logged on when they access their stores. This setting is disabled by default when you enable pass-through authentication from NetScaler Gateway, so that pass-through authentication only occurs when users log on to NetScaler Gateway with a password.