
Configuring Kerberos Logon

Oct 09, 2015

The Citrix online plug-in features enhanced security for pass-through authentication. Rather than sending the user's password over the network, pass-through authentication uses Kerberos authentication. Kerberos is an industry-standard network authentication protocol built into the Windows operating systems. Kerberos logon offers security-minded users the convenience of pass-through authentication combined with the secret-key cryptography and data integrity that the protocol provides.

System requirements

Kerberos logon works only between clients and servers that belong to the same Windows domain or to domains that trust each other. Servers must also be trusted for delegation, an option you configure on the server's computer account in the Active Directory Users and Computers management tool.

Kerberos logon is not available:
  • If you use the following Remote Desktop Services options:
    • Use standard Windows authentication
    • Always use the following logon information or Always prompt for password
  • If you route connections through Secure Gateway
  • If the server running XenApp requires smart card logon

Kerberos requires Citrix XML Service DNS address resolution to be enabled for the server farm, or reverse DNS resolution to be enabled for the Active Directory domain. Either way, the plug-in must be able to learn the host name of the server it connects to, because Kerberos tickets are requested for a named service principal, not for an IP address.
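The checks below are an added example and are not part of the Citrix documentation. They verify the prerequisites listed in this section for one XenApp server from a domain-joined administrative host: that the computer account is trusted for delegation, that the server's name resolves forward and in reverse, and that the server's domain is the client's own or one it trusts. The script assumes the RSAT ActiveDirectory module (Get-ADComputer, Get-ADTrust) is installed, and the server name 'xenapp01' is a placeholder.

```powershell
# Added example (not from the Citrix documentation): pre-flight checks for the
# Kerberos logon prerequisites. Run from a domain-joined admin host with the
# RSAT ActiveDirectory module (Get-ADComputer, Get-ADTrust).
# 'xenapp01' at the bottom is a placeholder for your XenApp server name.
function Test-KerberosLogonPrerequisites {
    param(
        [Parameter(Mandatory)] [string]$ServerName,       # short name or FQDN
        [string]$ClientDomain = $env:USERDNSDOMAIN        # domain the client belongs to
    )
    $result = [ordered]@{ Server = $ServerName }

    # 1. Trusted for delegation: the "Trust this computer for delegation" option on
    #    the computer account in ADUC sets TRUSTED_FOR_DELEGATION in userAccountControl.
    $shortName = ($ServerName -split '\.')[0]
    $computer  = Get-ADComputer -Identity $shortName -Properties TrustedForDelegation, DNSHostName
    $fqdn      = $computer.DNSHostName
    $result.Fqdn                 = $fqdn
    $result.TrustedForDelegation = [bool]$computer.TrustedForDelegation

    # 2. Forward lookup: the FQDN must resolve; without a host name no service
    #    principal name can be built for the ticket request.
    $addresses = @()
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($fqdn) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    } catch [System.Net.Sockets.SocketException] { }
    $result.ForwardDnsOk = ($addresses.Count -gt 0)

    # 3. Reverse lookup: when XML Service DNS address resolution is off, the plug-in
    #    receives an IP address and must recover the host name from a PTR record.
    #    Count it as OK only if the PTR name matches the AD-registered host name.
    $result.ReverseDnsOk = $false
    foreach ($addr in $addresses) {
        try {
            if ([System.Net.Dns]::GetHostEntry($addr).HostName -ieq $fqdn) { $result.ReverseDnsOk = $true }
        } catch [System.Net.Sockets.SocketException] { }   # no PTR for this address
    }

    # 4. Same or trusted domain: compare the server's DNS domain with the client's;
    #    if they differ, there must be a trust object for the server's domain.
    $serverDomain = $fqdn -replace '^[^.]+\.', ''
    $result.DomainTrustOk = ($serverDomain -ieq $ClientDomain) -or
        [bool](Get-ADTrust -Filter "Name -eq '$serverDomain'" -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

Test-KerberosLogonPrerequisites -ServerName 'xenapp01' | Format-List
```

A `False` in `ReverseDnsOk` is only a problem when Citrix XML Service DNS address resolution is not enabled for the farm; with it enabled, the plug-in receives the host name directly and the forward lookup is what matters.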

User Account Control and Administrator Sessions

The User Account Control (UAC) feature prompts users to enter credentials when all of the following conditions are met:
  • Kerberos logon is enabled on the server running XenApp
  • Users logging on to the computer running XenApp are members of the Administrators group on that computer
  • After logon, these users attempt to access network resources such as shared folders and printers

Limitations of Kerberos Pass-through Authentication to XenApp

Windows supports two protocols for integrated (pass-through) authentication, Kerberos and NTLM, so Windows applications such as Windows Explorer, Internet Explorer, Mozilla Firefox, Apple Safari, Google Chrome, Microsoft Office, and others can use Windows pass-through authentication to access network resources without prompting the user for credentials.

When Kerberos pass-through authentication is used to start a XenApp session, there are technical limitations that may affect application behavior.
  • Applications running on XenApp that depend on the NTLM protocol for authentication generate explicit user authentication prompts or fail.

    Most applications and network services that support Windows pass-through authentication accept both Kerberos and NTLM, but some accept only NTLM. In addition, Kerberos does not operate across certain types of domain trust, in which case applications fall back to NTLM automatically. However, NTLM does not operate in a XenApp session that was started using Kerberos pass-through authentication, because such a session holds no cached password-derived credentials for NTLM to use; applications that cannot use Kerberos therefore cannot authenticate silently.

  • Kerberos pass-through authentication for applications expires if the XenApp session is left running for a very long time (typically one week) without being disconnected and reconnected.

    Kerberos is based on security tickets issued by domain controllers. A ticket can be renewed only up to a maximum renewal lifetime set by domain policy (Maximum lifetime for user ticket renewal, seven days by default). When that period has ended, Windows normally obtains a new ticket automatically by using the cached network credentials that NTLM also relies on. Those credentials are not available when the XenApp session was started using Kerberos pass-through authentication, so no new ticket can be obtained and silent authentication inside the session stops working.
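A check for the renewal limit described in the second item, as an added example that is not part of the Citrix page: it parses the ticket cache of the current logon session with the built-in klist.exe and reports when the ticket-granting ticket can no longer be renewed, which is the point at which silent authentication inside a pass-through session fails. The field names it matches on ("Client:", "Server:", "Renew Time:") are assumptions about the English-language klist output format, and the sample output at the end is constructed, not captured from a real system.

```powershell
# Added example (not from the Citrix documentation): report when the Kerberos
# TGT of the current session can no longer be renewed. After that point the
# session can obtain no new tickets, because the cached credentials that a normal
# logon leaves behind do not exist in a pass-through session. Parses the text
# output of the built-in klist.exe; the field names are assumptions about its
# English-language format.
function Get-KerberosRenewDeadline {
    param(
        [string[]]$KlistOutput = (& klist.exe tickets),   # defaults to the live ticket cache
        [datetime]$Now = (Get-Date)
    )

    # Each cached ticket starts with "#N> Client: user @ REALM" followed by indented fields
    $tickets = New-Object 'System.Collections.Generic.List[object]'
    $current = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^#\d+>\s+Client:\s*(.+)$') {
            $current = [ordered]@{ Client = $Matches[1].Trim() }
            $tickets.Add($current)
        } elseif ($current -and $line -match '^\s*(Server|Start Time|End Time|Renew Time):\s*(.+)$') {
            $current[$Matches[1].Replace(' ', '')] = $Matches[2].Trim()
        }
    }

    # The TGT is the ticket for krbtgt/<REALM>. Its Renew Time is the hard stop set by the
    # domain Kerberos policy "Maximum lifetime for user ticket renewal" (7 days by default).
    $tgt = $tickets | Where-Object { $_.Server -like 'krbtgt/*' } | Select-Object -First 1
    if (-not $tgt) { return $null }

    # klist prints "10/9/2015 9:00:00 (local)"; drop the suffix before parsing
    $toDate = { param($s) [datetime]::Parse(($s -replace '\s*\(local\)\s*$', '')) }
    $end   = & $toDate $tgt.EndTime
    $renew = & $toDate $tgt.RenewTime

    [pscustomobject]@{
        Client          = $tgt.Client
        TicketExpires   = $end     # Windows renews the TGT silently until RenewalDeadline ...
        RenewalDeadline = $renew   # ... after that, only a fresh logon yields new tickets
        HoursRemaining  = [math]::Round(($renew - $Now).TotalHours, 1)
    }
}

# Constructed sample of klist output (not captured from a real system) so the parser
# can be exercised offline; omit -KlistOutput to inspect the live session instead.
$sample = @'
Current LogonId is 0:0x3e7a9

Cached Tickets: (2)

#0>     Client: alice @ CORP.EXAMPLE.COM
        Server: krbtgt/CORP.EXAMPLE.COM @ CORP.EXAMPLE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 10/9/2015 9:00:00 (local)
        End Time:   10/9/2015 19:00:00 (local)
        Renew Time: 10/16/2015 9:00:00 (local)

#1>     Client: alice @ CORP.EXAMPLE.COM
        Server: HOST/xenapp01.corp.example.com @ CORP.EXAMPLE.COM
        Start Time: 10/9/2015 9:00:05 (local)
        End Time:   10/9/2015 19:00:00 (local)
        Renew Time: 10/16/2015 9:00:00 (local)
'@ -split "`r?`n"

Get-KerberosRenewDeadline -KlistOutput $sample -Now ([datetime]'2015-10-09T12:00:00')
```

Run inside the published desktop or application session, not on the client, since it is the session's own ticket cache that matters; a session whose RenewalDeadline has passed must be disconnected and reconnected to obtain fresh tickets.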

To Enable Citrix XML Service DNS Address Resolution

Configure the DNS address resolution setting in a Citrix Computer policy that applies to the servers in the farm.

To Disable Kerberos Logon to a Server

Caution: Using Registry Editor can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

To prevent Kerberos authentication for users on a specific server, create the following DWORD value under the following registry key on that server:

Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\Logon
Value: DisableSSPI (REG_DWORD) = 1
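The same change as a script, added here as an example and not taken from the Citrix documentation. It creates the key if it is missing, sets or clears the DisableSSPI value, supports -WhatIf so the change can be previewed, and reports the resulting state. The key path is the one given above; the function and variable names are the example's own. Run it in an elevated PowerShell session on the XenApp server.

```powershell
# Added example (not from the Citrix documentation): set, verify or clear the
# DisableSSPI value described above. Run elevated on the XenApp server.
# The key path is the documented one; REG_DWORD 1 disables Kerberos logon.
$CitrixLogonKey = 'HKLM:\SOFTWARE\Wow6432Node\Citrix\Logon'

function Get-CitrixKerberosLogonState {
    # 'Disabled' when DisableSSPI = 1, otherwise 'Enabled' (value absent or 0)
    $value = Get-ItemProperty -Path $CitrixLogonKey -Name DisableSSPI -ErrorAction SilentlyContinue
    if ($value -and $value.DisableSSPI -eq 1) { 'Disabled' } else { 'Enabled' }
}

function Set-CitrixKerberosLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [ValidateSet('Enabled', 'Disabled')] [string]$State)

    if ($PSCmdlet.ShouldProcess($CitrixLogonKey, "set Kerberos logon to $State")) {
        # Create the key (and any missing parents) if it does not exist yet
        if (-not (Test-Path $CitrixLogonKey)) { New-Item -Path $CitrixLogonKey -Force | Out-Null }
        if ($State -eq 'Disabled') {
            # DWORD 1 prevents Kerberos (SSPI) authentication for users on this server;
            # -Force overwrites an existing value of any type
            New-ItemProperty -Path $CitrixLogonKey -Name DisableSSPI -PropertyType DWord -Value 1 -Force | Out-Null
        } else {
            # Removing the value restores the default (Kerberos logon allowed)
            Remove-ItemProperty -Path $CitrixLogonKey -Name DisableSSPI -ErrorAction SilentlyContinue
        }
    }
    Get-CitrixKerberosLogonState
}

Set-CitrixKerberosLogon -State Disabled -WhatIf   # preview only
Set-CitrixKerberosLogon -State Disabled           # apply
Get-CitrixKerberosLogonState                      # confirm
```

Because the value lives under Wow6432Node, a 32-bit process reading the registry sees it at HKLM\SOFTWARE\Citrix\Logon; when checking by hand with regedit or reg.exe, use the 64-bit view and the full path given above.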

You can configure the Citrix online plug-ins to use Kerberos with or without pass-through authentication.