Use the Configure Store Settings > Kerberos delegation task to specify whether StoreFront uses single-domain Kerberos constrained delegation to authenticate to delivery controllers.
Important: In multiple server deployments, use only one server at a time to make changes to the configuration of the server group. Ensure that the Citrix StoreFront management console is not running on any of the other servers in the deployment. Once complete, propagate your configuration changes to the server group so that the other servers in the deployment are updated.
Configure Active Directory Trusted Delegation for each XenApp server.
- On the domain controller, open the MMC Active Directory Users and Computers snap-in.
- In the left pane, click the Computers node under the domain name and select the server running the Citrix XML Service (XenApp) that StoreFront is configured to contact.
- In the Action pane, click Properties.
- On the Delegation tab, click Trust this computer for delegation to specified services only and Use any authentication protocol, and then click Add.
- In the Add Services dialog box, click Users or Computers.
- In the Select Users or Computers dialog box, type the name of the server running the Citrix XML Service (XenApp) in the Enter the object names to select box, click OK.
- Select the HOST service type from the list, click OK, and then click Add.
- In the Select Users or Computers dialog box, type the name of the Domain Controller in the Enter the object names to select box and click OK.
- Select the cifs and ldap service types from the list and click OK. Note: If two choices appear for the ldapservice, select the one that matches the FQDN of the domain controller.
- Apply the changes and close the dialog box.
When you decide whether to use Kerberos constrained delegation, consider the following information.
Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
For 32-bit machines: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\AuthManagerProtocols\integratedwindows
Value: true or false
For 64-bit machines: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\AuthManagerProtocols\integratedwindows
Value: true or false