StoreFront

User name and password authentication

With username and password authentication, users enter their active directory credentials.

Screenshot of username and password authentication screen.

To enable or disable username and password authentication for a store when connecting through Workspace apps, in the Authentication Methods window tick or untick User name and password.

Enabling username and password authentication for a store by default also enables it for all websites for that store. You can disable username and password authentication for a specific website on the Manage Receiver for Web Sites Authentication methods tab.

Configure trusted user domains

You can restrict access to stores for users logging on with explicit domain credentials, either directly or using pass-through authentication from Citrix Gateway.

  1. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select the appropriate authentication method. In the Actions pane, click Manage Authentication Methods.

  2. From the User name and password > Settings list, select Configure Trusted Domains.

  3. Select Trusted Domains only and click Add to enter the name of a trusted domain. Users with accounts in that domain are able to log on to all stores that use the authentication service. To modify a domain name, select the entry in the Trusted domains list and click Edit. To discontinue access to stores for user accounts in a domain, select the domain in the list and click Remove.

    The way in which you specify the domain name determines the format in which users must enter their credentials. If you want users to enter their credentials in domain user name format, add the NetBIOS name to the list. To require that users to enter their credentials in user principal name format, add the fully qualified domain name to the list. If you want to enable users to enter their credentials in both domain user name format and user principal name format, you must add both the NetBIOS name and the fully qualified domain name to the list.

  4. If you configure multiple trusted domains, select from the Default domain list the domain that is selected by default when users log on.

  5. If you want to list the trusted domains on the logon page, select the Show domains list in the logon page check box.

Screenshot of trusted domain screen

Enable users to change their passwords

You can allow users to change their passwords at any time. Alternatively, you can restrict password changes to users whose passwords have expired. This means you can ensure that users are never prevented from accessing their desktops and applications by an expired password.

Change password functionality is available in the following clients:

Citrix Workspace apps User can change an expired password if enabled on StoreFront User is notified that password will expire User can change password before it expires if enabled on StoreFront
Windows Yes    
Mac Yes    
Android      
iOS      
Linux Yes    
Web Yes Yes Yes

The default configuration prevents Citrix Workspace app and web browser users from changing their passwords, even if the passwords have expired. If you decide to enable this feature, ensure that the policies for the domains containing your servers do not prevent users from changing their passwords. Enabling users to change their passwords exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network.

If you allow users to change their passwords at any time, local users whose passwords are about to expire are shown a warning when they log on. By default, the notification period for a user is determined by the applicable Windows policy setting. Alternatively you can configure a custom notification period.

  1. In the Manage Authentication Methods window, from the User name and password > Settings drop-down menu, select Manage Password Options

  2. To allow users to change passwords, check Allow users to change passwords check box.

    Note: If you do not select this option, you must make your own arrangements to support users who can’t access their desktops and applications because their passwords have expired.

  3. Choose whether to allow users to change passwords Only when they expire or At any time.

  4. Choose whether to remind users before their passwords expire.

Screenshot of manage password options

Note 1:

StoreFront does not support Fine-Grained Password Policies in Active Directory.

Note 2:

Ensure that there’s sufficient disk space on your StoreFront servers to store profiles for all your users. To check whether a user’s password is about to expire, StoreFront creates a local profile for that user on the server. StoreFront must be able to contact the domain controller to change users’ passwords.

Note 3:

If you enable or disable changing passwords at any time, this also affects settings under Manage Password Options for Pass-through from Citrix Gateway authentication.

Credential password validation

Normally StoreFront communicates directly with Active Directory directly to validate the credentials.

When StoreFront is not in the same domain as Citrix Virtual Apps and Desktops, and it is not possible to put Active Directory trusts in place, you can configure StoreFront to use the Citrix Virtual Apps and Desktops delivery controllers to authenticate the user name and password credentials:

  1. In the Manage Authentication Methods window, from the User name and password > Settings drop-down menu, select Configure Password Validation.

    Manage Authentication methods dialog

  2. From the Validation Password Via list, select Delivery Controllers, and then click Configure.

    Configure Password validation panel

  3. Follow the Configure Delivery Controllers screens to add one or more Delivery Controllers for validating the user credentials and click OK.

    Edit Delivery Controller panel

Use active directory

  1. On the Manage Authentication Methods page, from the User name and password > Settings list, select Configure Password Validation.
  2. From the Validation Password Via drop-down menu, select Active Directory, and then click OK.

Single sign-on to VDAs

When users launch a resource, StoreFront uses the credentials the user used to sign on to the store to single sign-on to the VDAs.

Customize the logon screen

The logon screen is generated from a template, typically located at C:\inetpub\wwwroot\Citrix\[Store name]Auth\App_Data\Templates\UsernamePassword.tfrm. You can customize the screen.

Title Text

When users log on to a store, by default no title text is displayed on the logon dialog box. You can display the text “Please log on” or compose your own custom message:

  1. Use a text editor to open the UsernamePassword.tfrm file for the authentication service.

  2. Locate the following lines in the file.

    @* @Heading("ExplicitAuth:AuthenticateHeadingText") *@
    <!--NeedCopy-->
    
  3. Uncomment the statement by removing the leading and trailing leading @* and trailing *@.

    @Heading("ExplicitAuth:AuthenticateHeadingText")
    <!--NeedCopy-->
    

    Citrix Workspace app users see the default title text “Please log on”, or the appropriate localized version of this text, when they log on to stores that use this authentication service.

  4. To modify the title text, use a text editor to open the ExplicitFormsCommon.xx.resx file for the authentication service, which is typically located in the C:\inetpub\wwwroot\Citrix\[Store name]Auth\App_Data\resources\ directory.

  5. Locate the following elements in the file. Edit the text enclosed within the <value> element to modify the title text that users see on the logon dialog box when they access stores that use this authentication service.

    <data name="AuthenticateHeadingText" xml:space="preserve">
        <value>My Company Name</value>
    </data>
    <!--NeedCopy-->
    

    To modify the logon dialog box title text for users in other locales, edit the localized files ExplicitAuth.languagecode.resx, where languagecode is the locale identifier.

Prevent Citrix Workspace app for Windows from caching passwords and usernames

By default, Citrix Workspace app for Windows stores users’ passwords when they log on to StoreFront stores. To prevent Citrix Workspace app for Windows from caching users’ passwords, you edit the files for the authentication service.

  1. Use a text editor to open the file inetpub\wwwroot\Citrix\[Store name]Auth\App_Data\Templates\UsernamePassword.tfrm.

  2. Locate the following line in the file.

    @SaveCredential(id: @GetTextValue("saveCredentialsId"), labelKey: "ExplicitFormsCommon:SaveCredentialsLabel", initiallyChecked: ControlValue("SaveCredentials"))
    <!--NeedCopy-->
    
  3. Comment the statement as shown below.

    <!-- @SaveCredential(id: @GetTextValue("saveCredentialsId"), labelKey: "ExplicitFormsCommon:SaveCredentialsLabel", initiallyChecked: ControlValue("SaveCredentials")) -->
    <!--NeedCopy-->
    

    Users must enter their passwords every time they log on to stores that use this authentication service.

    By default, Citrix Workspace app for Windows automatically populates the last username entered. To suppress population of the username field, or for an alternative mechanism for suppressing caching passwords, see Prevent Citrix Workspace app for Windows from caching passwords and usernames.

Remote access via Citrix Gateway

You can configure your Citrix Gateway so that users sign on to the gateway using their domain username and password. These credentials are passed through to StoreFront to sign on to the store. To configure your Citrix gateway for LDAP username and password authentication see NetScaler documentation - LDAP authentication. To configure StoreFront see Pass-through from Citrix Gateway.

User name and password authentication