Domain pass-through authentication
Users authenticate to their domain-joined Windows computers, and their credentials are used to log them into Citrix Workspace app automatically. This is supported through Citrix Workspace app for Windows and from the following web browsers on Windows:
- Internet Explorer
- Microsoft Edge
- Google Chrome
- Mozilla Firefox
StoreFront Configuration
To enable domain pass-through for Citrix Workspace app for Windows, select Domain pass-through under Authentication Methods.
Enabling domain pass-through authentication for a store by default also enables it for Citrix Workspace app for HTML5 for all websites for that store. You can disable domain pass-through authentication for a specific website on the Manage Receiver for Web Sites Authentication methods tab.
Configure Delivery Controller to trust StoreFront
When using domain pass-through authentication, StoreFront does not have access to the user’s credentials, so it is unable to authenticate to Citrix Virtual Apps and Desktops. You must therefore configure the Delivery Controller to trust requests from StoreFront. See Citrix Virtual Apps and Desktops Security considerations and best practices.
Single sign-on to VDAs
To single sign-on to VDAs, you must use Citrix Workspace app for Windows with the Enable single sign-on component. See Configure domain pass-through authentication. If you use Citrix Workspace app for HTML5, it must be configured to connect to resources in Citrix Workspace app for Windows rather than in the browser.
Citrix Workspace app for Windows configuration
To enable domain pass-through to single sign-on to the store and VDAs using Citrix Workspace app for Windows, see Citrix Workspace app for Windows documentation.
Citrix Workspace app for HTML5 configuration
You may need to update users’ web browser configuration to allow domain pass-through authentication. You can use domain pass-through to sign in to a store through a web browser. To single sign-on to the VDAs, users must open resources in Citrix Workspace app for Windows rather than the web browser.
Internet Explorer, Edge and Chrome
Most web browsers use the Windows Internet Explorer zones configuration to decide whether to enable single sign-on. By default, it is only enabled for sites in the Local Intranet Zone. To add your site to the intranet zone:
- Open Control Panel
- Open Internet Options
- Go to the Security tab.
- Select Local intranet
- Click Sites.
- Click Advanced.
- Add your StoreFront website.
These settings can be deployed using group policy.
For more information on configuring Microsoft Edge for Windows Integrated Authentication, see Microsoft documentation.
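To confirm on a client that the zone assignment described above actually took effect, the following added example (not Citrix code) reports the zone a StoreFront URL resolves to and any matching group policy entry. It assumes Windows PowerShell 5.1 and uses `storefront.example.com` as a placeholder for your StoreFront address; the function names are hypothetical.

```powershell
# Added example (not Citrix code). Run in Windows PowerShell 5.1 as the affected user.
# Assumption: storefront.example.com is a placeholder for your StoreFront base URL.
param([string]$StoreFrontUrl = 'https://storefront.example.com')

function Get-EffectiveZone {
    param([string]$Url)
    # .NET Framework resolves the URL through the Windows URL security zone manager,
    # so this is the effective zone, whichever setting produced it.
    [System.Security.Policy.Zone]::CreateFromUrl($Url).SecurityZone
}

function Get-SiteToZonePolicy {
    param([string]$Url)
    # The "Site to Zone Assignment List" policy is stored under ZoneMapKey:
    # value name = site pattern, value data = zone number (1 = Local intranet).
    $hostName = ([uri]$Url).Host
    $subKey = 'Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = Get-Item -Path "$hive\$subKey" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            # Simplified match: drop scheme and path, then compare host with wildcards.
            $pattern = ($name -replace '^[a-z*]+://', '') -replace '/.*$', ''
            if ($hostName -like $pattern) {
                [pscustomobject]@{
                    Source  = "$hive policy"
                    Pattern = $name
                    Zone    = $key.GetValue($name)
                }
            }
        }
    }
}

$zone = Get-EffectiveZone -Url $StoreFrontUrl
"{0} resolves to zone: {1}" -f $StoreFrontUrl, $zone
if ($zone -ne [System.Security.SecurityZone]::Intranet) {
    Write-Warning 'Not in Local intranet; default settings will not attempt single sign-on here.'
}

$entries = @(Get-SiteToZonePolicy -Url $StoreFrontUrl)
if ($entries.Count -eq 0) {
    'No matching Site to Zone Assignment List entry; any mapping is per-user or automatic.'
} else {
    $entries | Format-Table -AutoSize
}
```

A policy entry that matches a wider pattern than the StoreFront host itself (for example a whole domain wildcard) shows up in the Pattern column, which makes overly broad intranet zone assignments easy to spot.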
Firefox
Modify the browser advanced settings to trust the StoreFront website URI for single sign-on.
Warning:
Editing the advanced settings incorrectly can cause serious problems. Make edits at your own risk.
- Open Firefox on the computer that will authenticate using domain pass-through.
- In the address bar, type about:config.
- Click “I accept the risk!”.
- In the Search bar, type negotiate.
- Double-click network.negotiate-auth.delegation-uris.
- Enter the name of your corporate Windows domain (for example, mydomain.com).
- Click OK.
- Double-click network.negotiate-auth.trusted-uris.
- Enter the name of your corporate Windows domain (for example, mydomain.com).
- Click OK.
- Close and restart Firefox.
Single sign-on to VDAs using FAS
Alternatively, you can configure Federated Authentication Service (FAS) for single sign-on to VDAs. This works with a locally installed Citrix Workspace app but not with Citrix Workspace app for HTML5.