I would like to discuss the procedure for configuring and implementing Domain Pass-through with Citrix Storefront and Citrix Receiver.
First things first, let’s get a receiver installed on a test machine.
Note: this machine and all subsequent machines must be members of the domain that your Storefront server is currently attached to in order for the pass-through to work.
Download the Citrix receiver Here
Once downloaded, find the path of your download location. Now, we will need to install the receiver with the single sign-on switch as follows:
This will install the receiver and enable and start the single sign-on service on that machine. After your installation is completed and the machine is rebooted, log back in to your workstation and double-check to make sure the ssonsvr.exe service was installed and is currently running under services.
Once you have confirmed this, let's move over to your Storefront server.
Launch the Storefront administration console from the storefront server and on the left side of the console, click on Authentication.
Once Authentication is selected, move over to the right side of the console screen and, under Actions > Authentication, click on Add/Remove Methods.
After clicking on Add/Remove Methods, a dialog box should appear with options to select what methods you would like to enable in Storefront. The second option from the top is “Domain pass-through”. Click on the check box next to that option and click OK. This will enable Storefront to take the credentials from the ssonsvr service on your workstation, pass them through Storefront and enumerate the app list without authenticating twice.
Depending on your Citrix infrastructure, you might need to propagate the changes to the other Storefront servers in your Server Group. If you have more than one Storefront server and you do not propagate changes, you might see mixed results in your testing.
To do this, click on “Server Group” on the right side of the console and then on the left side under actions, click on “Propagate Changes”. This action will replicate all the changes you just made to your authentication policies over to the other Storefront servers in your Server Group.
Now that you have all the configuration pieces in play, reboot the workstation you installed the receiver on and log back in. Once logged in, you should be able to right-click on the receiver and click Open. Receiver will now prompt you for your Storefront FQDN, or your email address if you have email-based discovery enabled. At this point your application list should enumerate without prompting for credentials. This also goes for the Web portal. Test both to make sure they are passing those credentials through appropriately.
If your credentials still do not pass through, below are a few troubleshooting steps you can take. Of course, this all depends on how your environment is set up and what access you have to modify certain components in your Windows infrastructure.
Modifying local Policy to enable pass-through on the workstation
Apply the icaclient.adm template located in C:\Program Files\Citrix\ICA Client\Configuration to the client device through Local or Domain Group Policy.
Once the adm template is imported, navigate to Computer Configuration\Administrative Templates\Classic Administrative Templates\Citrix Components\Citrix Receiver\User authentication\, then double-click on the “Local user name and password” setting.
The following box should appear. Make sure to select both “Enable pass-through authentication” and “Allow pass-through authentication for all ICA connections”.
Adding Trusted Sites in your browser
On the same workstation where you are testing the pass-through, open IE and navigate to Tools > Internet Options. Click on Trusted Sites and add your Storefront FQDN (the same address you entered into the receiver when you set it up).
Also, it wouldn’t hurt to configure pass-through in IE. In the Internet Options Security tab, with Trusted Sites selected, choose Custom level for the security zone. Scroll to the bottom of the list and select Automatic logon with current user name and password.
Configure the NIC provider order
On the workstation where you installed the receiver, launch Control Panel and click on Network Connections, choose Advanced > Advanced Settings > Provider Order tab and move the Citrix Single Sign-on entry to the top of the Network Providers list.
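The workstation-side settings from the troubleshooting steps above can be verified without changing anything. The following PowerShell is an added example, not part of the original post or of Citrix tooling; it assumes the Citrix Single Sign-on network provider is registered under the name PnSson, and it reads the Trusted Sites logon setting (zone 2, value 1A00) for the current user only.

```powershell
# Added example: read-only checks, nothing on the workstation is modified.
# Assumption: the "Citrix Single Sign-on" provider entry is registered as PnSson.
$results = [ordered]@{}

# Prerequisite from the note at the top: the machine must be a domain member.
$results['Domain member'] = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain

# ssonsvr.exe should be present after the reboot and logon.
# Assumption: it is checked here as a running process in the session.
$results['ssonsvr.exe running'] = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

# Network provider order: the SSON provider should be listed, ideally first.
$orderKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$providers = @((Get-ItemProperty -Path $orderKey).ProviderOrder -split ',' |
               ForEach-Object { $_.Trim() })
$results['SSON provider listed'] = $providers -contains 'PnSson'
$results['SSON provider first']  = $providers[0] -eq 'PnSson'

# Trusted Sites is zone 2; setting 1A00 = 0 means
# "Automatic logon with current user name and password".
# The per-user policy location is read first, then the per-user preference.
$zonePaths = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$logon = $null
foreach ($p in $zonePaths) {
    $v = (Get-ItemProperty -Path $p -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -ne $v) { $logon = $v; break }
}
$results['Trusted Sites automatic logon'] = $logon -eq 0

# Print one line per check; CHECK marks a setting to revisit.
$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

Run it in the test user's session after logging back in. Because the automatic logon setting applies to every site in the Trusted Sites zone, keep that zone limited to the Storefront address.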
If you are still having problems with the receiver not passing the credentials, leave a comment with your specific issue.
Kevin B. Ottomeyer @OttoKnowsBest