Enhanced domain pass-through for single sign-on
Enhanced domain pass-through for single sign-on uses Kerberos to enable single sign-on into Citrix Workspace app and into the virtual apps and desktop sessions when using Active Directory (AD) joined client devices and Citrix StoreFront.
Note:
This feature is not supported on 32-bit operating systems.
This feature is a replacement for the legacy pass-through authentication feature based on the Citrix Single Sign-on Service (ssonsvr.exe).
The legacy domain pass-through (SSON) authentication requires enabling the Enable MPR notifications for the System policy in the Group Policy Object template. Enhanced domain pass-through, however, allows pass-through authentication without needing to enable this policy.
System requirements
- Control plane
  - Citrix DaaS
  - Citrix Virtual Apps and Desktops 2311 or later
- Virtual Delivery Agent
  - Windows: version 2407 or later
- Workspace app
  - Citrix Workspace app for Windows 2405.10 or later
- Client device
  - Joined to Active Directory domain
  - Windows 10 64-bit
  - Windows 11 64-bit
- Multi-session session hosts:
  - Windows Server 2019
  - Windows Server 2022
  - Windows 10 Enterprise multi-session 22H2
  - Windows 11 Enterprise multi-session 22H2 or later
- Single-session session hosts:
  - Windows 10 version 22H2
  - Windows 11 version 22H2 or later
Note:
The client device must have direct connectivity to domain controllers. If the device is outside the network, single sign-on isn't supported.
If you are using the following versions of Citrix Workspace app and VDA, this feature is not supported on Windows 11:
- VDA: 2308, 2311, 2402
- Citrix Workspace app: 2309, 2309.1, 2311, 2402 LTSR, 2403, 2403.10, and 2405
StoreFront configuration
You must enable domain pass-through authentication for the store and its corresponding website.
Perform the following steps to enable Domain pass-through for the store:
- Open the StoreFront management console.
- Go to Store > Manage Authentication methods. The Manage Authentication Methods - Web window appears.
- Select the Domain pass-through checkbox.
- Click OK.
Perform the following steps to enable Domain pass-through for the website:
- Open the StoreFront management console.
- Open Stores > Receiver for Websites tab > Manage Receiver for Web Sites > Configure > Authentication Methods. The Edit Receiver for Web site - /Citrix/Web window appears.
- Select the Domain pass-through checkbox.
- Click OK.
Citrix Policy configuration
You must enable the setting using Citrix policy:
- Navigate to Citrix Studio or the web console.
- Click Policies > Create Policy. The Create Policy dialog box appears.
- Search for the Enhanced domain pass-through for single sign-on policy. The Edit Settings dialog box appears.
- Select the Allowed option to enable the Enhanced domain pass-through for single sign-on policy.
- Click OK.
Session host configuration
After enabling the Enhanced domain pass-through for single sign-on feature using Citrix policy, you must also enable a Windows setting on the session hosts. You can enable the Windows setting through local policy or GPO:
- Navigate to Computer Configuration\Policies\Administrative Templates\System\CredentialsDelegation.
- Enable the Remote host allows delegation of non-exportable credentials setting.
- Reboot the session host for the setting to take effect.
Note:
The Remote host allows delegation of non-exportable credentials setting is not available on Windows Server 2016 local policy. If you need to configure this setting locally on the session host instead of using GPO, you must add the following registry values:
Key: HKLM\SOFTWARE\Citrix\Rcg
- Value type: DWORD
- Value name: ForceEnableRcg
- Value data: 1
Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
- Value type: DWORD
- Value name: DisableRestrictedAdmin
- Value data: 0
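The following PowerShell is an added example, not Citrix code: it audits a session host for the two registry values listed above and can apply them (with -WhatIf preview) where the GPO setting is unavailable. It also reads the AllowProtectedCreds value under the CredentialsDelegation policy key, which is assumed here (not stated in this article) to be the registry value behind the Remote host allows delegation of non-exportable credentials GPO setting.

```powershell
#Requires -RunAsAdministrator
# Added example (not Citrix code). Audits, and optionally sets, the registry values this
# article lists for session hosts that cannot use the GPO setting.
# Assumption (not in the article): the GPO "Remote host allows delegation of non-exportable
# credentials" is backed by AllowProtectedCreds=1 under the CredentialsDelegation policy key.
# That value is read-only here so you can see which configuration route is in effect.
$script:EdpChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Citrix\Rcg';                  Name = 'ForceEnableRcg';         Data = 1; Managed = $true }
    # 0 leaves Restricted Admin mode enabled on the host; this is the value the article requires.
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'DisableRestrictedAdmin'; Data = 0; Managed = $true }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
       Name = 'AllowProtectedCreds'; Data = 1; Managed = $false }   # assumed GPO-backed value, audit only
)

function Get-EdpSessionHostState {
    # One row per value: what is set now, what the article expects, and whether they match.
    foreach ($c in $script:EdpChecks) {
        $current = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        [pscustomobject]@{
            Path      = $c.Path
            Name      = $c.Name
            Expected  = $c.Data
            Current   = $current
            Compliant = ($null -ne $current -and $current -eq $c.Data)
        }
    }
}

function Set-EdpSessionHostState {
    # Writes only the two article values (Managed = $true); supports -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($c in ($script:EdpChecks | Where-Object { $_.Managed })) {
        if (-not (Test-Path $c.Path)) { $null = New-Item -Path $c.Path -Force }
        if ($PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", "set DWORD to $($c.Data)")) {
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Data -Type DWord
        }
    }
}

Get-EdpSessionHostState | Format-Table -AutoSize
# Set-EdpSessionHostState -WhatIf   # preview; run without -WhatIf to apply, then reboot the host
```

Run the audit again after the reboot; a host that shows AllowProtectedCreds as compliant is already covered by the GPO route and does not need the Citrix values.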
Client device configuration
You must do the following on the client device:
- Enable Enhanced domain pass-through for single sign-on
- Trust the StoreFront site
Enable Enhanced domain pass-through for single sign-on
You must enable the Enhanced domain pass-through for single sign-on feature on the client device. You can do this through local policy or GPO.
- Navigate to Computer Configuration\Policies\Administrative Templates\Citrix Components\Citrix Workspace\User Authentication.
- Enable the Enhanced Domain pass-through for single sign-on setting.
- Restart Citrix Workspace app for the settings to take effect.
Trust StoreFront site
You must make sure your StoreFront URL is trusted by the client devices. If the URL is not part of an already trusted domain, you must add it as either a local intranet site or a trusted site. You can do this through local policy or GPO.
- Navigate to the Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security page.
- Enable the Site to Zone Assignment List setting and add the appropriate URLs and corresponding zone assignment.
- Enable the Logon options setting and set it to Automatic logon with current username and password.
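The PowerShell below is an added example, not Citrix code, for trusting the StoreFront URL on a single client without GPO. It assumes (none of this is stated in the article) that Site to Zone Assignment List is backed by ListBox_Support_ZoneMapKey=1 plus name=URL, data=zone entries under the ZoneMapKey policy key, that Logon options is the DWORD 1A00 under the Zones\<zone> policy key (0 = automatic logon with current username and password), and that the StoreFront URL https://storefront.example.com is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not Citrix code): assign a StoreFront host to a zone and allow automatic logon there.
# Assumptions, not stated in the article: "Site to Zone Assignment List" writes
# ListBox_Support_ZoneMapKey=1 and name=<url>, data=<zone> under ZoneMapKey; "Logon options"
# is DWORD 1A00 under Zones\<zone> (0 = automatic logon with current username and password).
# Zone ids: 1 = Local intranet, 2 = Trusted sites.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Add-StoreFrontTrustedSite {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$StoreFrontUrl,   # placeholder value, e.g. https://storefront.example.com
        [ValidateSet('LocalIntranet', 'TrustedSites')][string]$Zone = 'LocalIntranet'
    )
    $zoneId = @{ LocalIntranet = 1; TrustedSites = 2 }[$Zone]
    $uri    = [uri]$StoreFrontUrl
    if ($uri.Scheme -ne 'https')  { throw "StoreFront URL should be HTTPS: $StoreFrontUrl" }
    if ($uri.AbsolutePath -ne '/') { throw "Give scheme and host only, no path: $StoreFrontUrl" }
    $site    = "$($uri.Scheme)://$($uri.Host)"   # zone map entries are per scheme + host
    $zoneMap = Join-Path $PolicyRoot 'ZoneMapKey'
    $zoneKey = Join-Path $PolicyRoot "Zones\$zoneId"
    foreach ($k in $PolicyRoot, $zoneMap, $zoneKey) {
        if (-not (Test-Path $k)) { $null = New-Item -Path $k -Force }
    }
    # Automatic logon applies to every site in the zone, so keep the zone list to hosts you control.
    if ($PSCmdlet.ShouldProcess($site, "assign to zone $zoneId and allow automatic logon")) {
        Set-ItemProperty -Path $PolicyRoot -Name 'ListBox_Support_ZoneMapKey' -Value 1 -Type DWord
        Set-ItemProperty -Path $zoneMap    -Name $site  -Value $zoneId -Type DWord
        Set-ItemProperty -Path $zoneKey    -Name '1A00' -Value 0       -Type DWord
    }
}

function Test-StoreFrontTrustedSite {
    # Reports the zone the host is mapped to and whether that zone allows automatic logon.
    param([Parameter(Mandatory)][string]$StoreFrontUrl)
    $uri    = [uri]$StoreFrontUrl
    $site   = "$($uri.Scheme)://$($uri.Host)"
    $zoneId = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'ZoneMapKey') -Name $site -ErrorAction SilentlyContinue).$site
    if ($null -eq $zoneId) { return [pscustomobject]@{ Site = $site; Zone = $null; AutoLogon = $false } }
    $logon  = (Get-ItemProperty -Path (Join-Path $PolicyRoot "Zones\$zoneId") -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    [pscustomobject]@{ Site = $site; Zone = $zoneId; AutoLogon = ($logon -eq 0) }
}

Add-StoreFrontTrustedSite  -StoreFrontUrl 'https://storefront.example.com' -WhatIf   # drop -WhatIf to apply
Test-StoreFrontTrustedSite -StoreFrontUrl 'https://storefront.example.com'
```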