Domain pass-through authentication
Users authenticate to their domain-joined Windows computers, and their credentials are used to log them into Citrix Workspace app automatically. This is supported through Citrix Workspace app for Windows and from the following web browsers on Windows:
- Internet Explorer
- Microsoft Edge
- Google Chrome
- Mozilla Firefox
StoreFront Configuration
To enable domain pass-through for Citrix Workspace app for Windows, select Domain pass-through in the Authentication Methods.
Enabling domain pass-through authentication for a store by default also enables it for Citrix Workspace app for HTML5 for all websites for that store. You can disable domain pass-through authentication for a specific website on the Manage Receiver for Web Sites Authentication methods tab.
Configure Delivery Controller to trust StoreFront
When using domain pass-through authentication, StoreFront does not have access to the user’s credentials, so it is unable to authenticate to Citrix Virtual Apps and Desktops. You must therefore configure the Delivery Controller to trust requests from StoreFront; see Citrix Virtual Apps and Desktops Security considerations and best practices.
Web browser configuration
You can use domain pass-through to sign in to a store through a web browser. You might need to update users’ web browser configuration to allow domain pass-through authentication.
Internet Explorer, Edge and Chrome
Most web browsers use the Windows Internet Explorer zones configuration to decide whether to enable single sign-on. By default, it is only enabled for sites in the Local Intranet Zone. To add your site to the intranet zone:
- Open Control Panel.
- Open Internet Options.
- Go to the Security tab.
- Select Local intranet.
- Click Sites.
- Click Advanced.
- Add your StoreFront website.
These settings can be deployed using group policy.
For more information on configuring Microsoft Edge for Windows Integrated Authentication, see Microsoft documentation.
Firefox
Modify the browser advanced settings to trust the StoreFront website URI for single sign-on.
Warning:
Editing the advanced settings incorrectly can cause serious problems. Make edits at your own risk.
- Open Firefox on the computer that will authenticate using domain pass-through.
- In the address bar, type about:config.
- Click “I accept the risk!”.
- In the Search bar, type negotiate.
- Double-click network.negotiate-auth.delegation-uris.
- Enter the name of your corporate Windows domain (for example, mydomain.com).
- Click OK.
- Double-click network.negotiate-auth.trusted-uris.
- Enter the name of your corporate Windows domain (for example, mydomain.com).
- Click OK.
- Close and restart Firefox.
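To confirm the result of the Firefox steps above across managed profiles, the following added example (not Citrix or Mozilla code) audits the text of a profile's prefs.js for the two preferences and reports when the StoreFront host is not covered or when an entry is a bare scheme that matches every site. The host storefront.mydomain.com, the function names and the sample file contents are assumptions, and the matching rule is a simplified model of how Firefox evaluates these lists.

```python
import re

# The two preferences set in the procedure above.
AUDITED = ("network.negotiate-auth.trusted-uris",
           "network.negotiate-auth.delegation-uris")
# prefs.js line form: user_pref("name", "value");
PREF_RE = re.compile(r'^\s*user_pref\("(network\.negotiate-auth\.[\w.-]+)",\s*"([^"]*)"\);')

def parse_prefs(text):
    """Return {pref_name: [entries]} for the audited preferences."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) in AUDITED:
            prefs[m.group(1)] = [e.strip() for e in m.group(2).split(",") if e.strip()]
    return prefs

def entry_covers(entry, host):
    """Simplified model (assumption): ignore the scheme, then match the host
    exactly or as a subdomain on a label boundary."""
    _, sep, rest = entry.partition("://")
    domain = (rest if sep else entry).split("/")[0].split(":")[0].lower().lstrip(".")
    if not domain:
        return bool(sep)  # a bare scheme such as "https://" covers every host
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def audit(text, storefront_host):
    """Return sorted findings for one profile's prefs.js content."""
    prefs, findings = parse_prefs(text), []
    for name in AUDITED:
        entries = prefs.get(name, [])
        if not any(entry_covers(e, storefront_host) for e in entries):
            findings.append(f"{name}: {storefront_host} not covered")
        for e in entries:
            _, sep, rest = e.partition("://")
            if sep and not rest:
                findings.append(f"{name}: '{e}' matches every site")
    return sorted(findings)

# Constructed sample inputs (not taken from a real profile).
SAMPLE_OK = ('user_pref("network.negotiate-auth.trusted-uris", "mydomain.com");\n'
             'user_pref("network.negotiate-auth.delegation-uris", "mydomain.com");\n')
SAMPLE_BROAD = 'user_pref("network.negotiate-auth.trusted-uris", "https://");\n'

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("broad", SAMPLE_BROAD)):
        print(label, audit(sample, "storefront.mydomain.com"))
```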
Single sign-on to VDAs
To single sign-on to VDAs using domain credentials, you must use Citrix Workspace app for Windows with the Enable single sign-on component; see Configure domain pass-through authentication. Alternatively, you can configure Federated Authentication Service for single sign-on to VDAs.