StoreFront

Authenticate using different domains

Some organizations have policies in place that do not allow them to give third-party developers or contractors access to published resources in a production environment. This article shows you how to give access to published resources in a test environment by authenticating through Citrix Gateway with one domain. You can then use a different domain to authenticate to StoreFront and the Receiver for Web site. Authentication through Citrix Gateway described in this article is supported for users logging on through the Receiver for Web site. This authentication method is not supported for users of native desktop or mobile Citrix Receiver or Citrix Workspace apps.

Set up a test environment

This example uses a production domain called production.com and a test domain called development.com.

production.com domain

The production.com domain in this example is set up as follows:

  • Citrix Gateway with production.com LDAP authentication policy configured.
  • Authentication through the gateway occurs using a production\testuser1 account and password.

development.com domain

The development.com domain in this example is set up as follows:

  • StoreFront, Citrix Virtual App and Desktops and VDAs are all on the development.com domain.
  • Authentication to the Citrix Receiver for Web site occurs using a development\testuser1 account and password.
  • There is no trust relationship between the two domains.

Configure a Citrix Gateway for the store

To configure a Citrix Gateway for the store:

  1. Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage Citrix Gateways.
  2. On the Manage Citrix Gateways screen, click Add.
  3. Complete the General Settings, Secure Ticket Authority, and Authentication steps.

    Screenshot of Add Citrix Gateway Appliance window, General Settings section

    Screenshot of Add Citrix Gateway Appliance window, Secure Ticket Authority section

    Screenshot of Add Citrix Gateway Appliance window, Authentication Settings section

Note:

DNS conditional forwarders may need to be added so that the DNS servers in use on both domains can resolve FQDNs on the other domain. The Citrix ADC appliance must be able to resolve the STA server FQDNs on the development.com domain using its production.com DNS server. StoreFront should also be able to resolve the callback URL on the production.com domain using its development.com DNS server. Alternatively, a development.com FQDN can be used which resolves to the Citrix Gateway virtual server virtual IP (VIP).

Enable pass-through from Citrix Gateway

  1. Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage Authentication Methods.
  2. On the Manage Authentication Methods screen, select Pass-through from Citrix Gateway.
  3. Click OK.

Screenshot of Manage Authentication Methods window

Configure the store for remote access using the Gateway

  1. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Remote Access Settings.
  2. Select Enable Remote Access.
  3. Ensure that you have registered the Citrix Gateway with your store. If you do not register the Citrix Gateway, the STA ticketing will not work.

Screenshot of Configure Remote Access Settings window

Disable token consistency

  1. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Configure Store Settings.
  2. On the Configure Store Settings page, select Advanced Settings.
  3. Clear the Require token consistency check box. For more information, see Advanced store settings.

    Screenshot of advanced settings require token consistency setting

  4. Click OK.

Note:

The Require token consistency setting is selected (on) by default. If you disable this setting, SmartAccess features used for Citrix ADC End Point Analysis (EPA) stop working.

Disable pass-through from Citrix Gateway for the Receiver for Web site

Important:

Disabling pass-through from Citrix Gateway prevents Receiver for Web from trying to use the incorrect credentials from the production.com domain passed from the Citrix ADC appliance. Disabling pass-through from Citrix Gateway causes Receiver for Web to prompt the user to enter credentials. These credentials are different from the credentials used to log on through the Citrix Gateway.

  1. Select the Stores node in the left pane of the Citrix StoreFront management console.
  2. Select the store that you want to modify.
  3. In the Actions pane, click Manage Receiver for Web Sites.
  4. In Authentication Methods, clear Pass-through from Citrix Gateway.
  5. Click OK.

    Screenshot of Edit Receiver for Web site window, Authentication Methods section

Log on to Gateway using a production.com user and credentials

To test, log on to Gateway using a production.com user and credentials.

Screenshot of logon screen

After logon, the user is prompted to enter development.com credentials.

Screenshot of second logon screen

Add a trusted domain drop-down list in StoreFront (optional)

This setting is optional, but it may help prevent the user from accidentally entering the wrong domain to authenticate through the Citrix Gateway.

If the user name is the same for both domains, entering the wrong domain is more likely. New users may also be used to leaving out the domain when they log on through the Citrix Gateway. Users may then forget to enter domain\username for the second domain when they are prompted to log on to the Receiver for Web site.

  1. Select Stores in the left pane of the Citrix StoreFront management console, and in the Actions pane, click Manage Authentication Methods.
  2. Select the drop-down arrow next to User name and password.
  3. Click Add to add development.com as a trusted domain, and select the Show domains list in logon page check box.
  4. Click OK.

Screenshot of Configure Trusted Domains window

Screenshot of login screen with a domain drop down

Note:

Browser password caching is not recommended in this authentication scenario. If users have different passwords for the two different domain accounts, password caching can lead to a poor experience.

Citrix Gateway clientless VPN (CVPN) session action policy

  • If Single Sign-on to web applications is enabled within your Citrix Gateway session policy, incorrect credentials sent by Citrix ADC appliance to Receiver for Web are ignored because you disabled the Pass-through from Citrix Gateway authentication method on the Receiver for Web site. Receiver for Web prompts for credentials regardless of what this option is set to.
  • Populating the Single Sign-on entries in the Client Experience and Published App tabs in Citrix ADC appliance does not change the behavior described in this article.

    Screenshot of netscaler policy screen, client experience tab

    Screenshot of netscaler policy screen, published app tab