Citrix Content Collaboration Connector SSO for Network Shares and SharePoint on‐prem

Summary of items

  1. SharePoint Configuration
  2. NetScaler (internal load balancer) Configuration
  3. Configure SplitDNS
  4. Configure Citrix Storage Zone
  5. AD Delegation
  6. Browsers

SharePoint Configuration

Set the SPN for the SharePoint service account


This is a standard SharePoint requirement which references the service account used during the installation of SharePoint itself). The service account used below is usually the one that SharePoint has been initially installed with.

  1. From any server, open CMD (elevate with account with the appropriate SharePoint rights)
  2. Type the following:

SetSPN -S HTTP/SharePoint domainserviceaccountname

SetSPN -S HTTP/ domainserviceaccountname


KCD work is not required for the Network Connectors, this will be using NTLM.

SharePoint Configuration

  1. On the Central Administration page, under Quick Launch, click Security, and in the General Security section click Specify authentication providers.
  2. On the Authentication Providers page, select the zone for which you want to change authentication settings.
  3. On the Edit Authentication page, and in the Authentication Type section ensure this is set to Windows (selected by default).
  4. In the IIS Authentication Settings section, select Negotiate (Kerberos). Note: If you select Negotiate (Kerberos) you must perform additional steps to configure authentication (below).
  5. Click Save.

NetScaler (internal Load balancer) Configuration

The reason for this configuration is to split the to split the External and Internal traffic. Where AAA authentication is being used for external user authentication to Connectors, AAA is not a necessity for Internal use, especially where Web Access to Network shares/SharePoint SSO are required via web browsers.


AAA requires a NetScaler Enterprise and above license to use.

If the NetScaler wizard has been used to configure a storage zone, then you would typically see LBVIPs bound to a Content Switch, such as:

_SF_CS_ShareFile = External Content Switch

The External config would typically have:

  • 1 x Content Switch, with Policies, Responders, Callouts.
  • 3 x LBVIP’s
    • ShareFile Data LBVIP
    • Connectors LBVIP with AAA enabled


If Web Access to Connectors are required then additional configuration is needed in addition to the wizard, which adds the OPTIONS LBVIP to the Content Switch. Please see this article in section “
Configure NetScaler for restricted zones or web access to Connectors ”.

Now we would need an additional configuration to route the internal traffic. This would typically be a Load Balancing virtual server (LBVIP) rather than a Content Switch. In this instruction we are going to:

  • Create the Server(s) – create a connection to all the storage zone controllers within a single Zone.
  • Create a Service Group – group the servers into a group
  • Create an LBVIP – create the Load Balancing virtual server

Create the Server(s)

  1. Log into the NetScaler and browse to:
  1. Click Add.
  2. Create a name eg SZ_Server.
  3. Input the IP Address of the Citrix storage zone controller
  4. Click Create.
  1. Repeat for all storage zone controllers.

Create a Service Group

  1. Log into the NetScaler and browse to:
  1. Click Add.
  2. Create a name eg SZ_Service_Group.
  3. Protocol: SSL
  4. Click OK.
  1. Click on Service Group Members.
  2. Select Server Based option then click on Select Server.
  1. Click the checkboxes on each of the storage zone controller servers and then click Select
  2. Enter Port*: 443.
  1. Click Create.
  2. Click OK to continue
  3. Click Done.

Create an LBVIP

  1. Log into the NetScaler and browse to:
  1. Click Add to create the storage zone LBVIP:

Protocol: SSL

IP Address Type: IP Address (this should be internally accessible)
  1. Click OK.
  1. Under Services and Service Groups, click the Virtual Server Service Group Binding option
  2. Select the Service Group created earlier and click Bind.
  1. Click OK.
  2. Attach wildcard certificate.
  1. Click Bind.
  2. Click OK and Done.

Configure SplitDNS

Configure SplitDNS to resolve to the new Internal LBVIP (ie SZ_LB_INTERNAL), which is important as you need to direct traffic internally to the internal load balancing vserver created in the previous step. If this is done via Active Directory in your environment, here are some example below.

Configure DNS in AD

  1. Log into the Domain Controller and open dsa.msc.
  2. Browse to Forward Lookup Zones to find the one which correlates to the StorageZone FQDN (
  3. Add a New Host (A or AAAA)… and enter the FQDN for the StorageZone.
  4. Enter the IP, this should be the one of the Internal LBVIP (i.e. SZ_LB_INTERNAL) created in the previous section
  5. To test, open CMD from another desktop/server, run ipconfig/flushdns and ping the StorageZone FQDN. Does it resolve to the correct IP?

Configure Citrix Storage Zone

StorageZone Controller IIS changes

Network Connectors only:

  1. Log onto the StorageZone Controller(s) and open IIS.
  2. Click on the Default web site then to the CIFS virtual directory.
  3. Click on Authentication, then ensure Anonymous and Windows Authentication are Enabled.
  4. Right-click on the Windows Authentication option and select Providers.
  5. Highlight NTLM and Move Up to the top of the list. Click OK.
  6. Ensure Basic Authentication is set to Disabled.

SharePoint KCD only or either with Network Connectors:

  1. Click on the CIFS virtual directory, then on Authentication.
  2. Ensure Anonymous and Windows Authentication are Enabled.
  3. Right-click on the Windows Authentication option and select Providers.
  4. Highlight Negotiate and Move Up to the top of the list. Click OK.
  5. Repeat for the SP virtual directory.
  6. Ensure Basic Authentication are Disabled on both.

If using port 80 on your StorageZone Controller for Load Balancing communication, refer to the AD Delegation section.

  1. If using port 443, then on the StorageZone Controller, then right-click the Default Web Site and select Edit Bindings.
  2. Add a new binding on port 443, assign the IP address, and insert a host header (just the first part of your storage zone FQDN, i.e. where, then input only sz in the hostheader).

AD Delegation

Changes might need to be actioned on the SZC AD object(s), and all the servers used for Network Shares and SharePoint need to be added.



Ensure that any File servers hosting any Network Shares, are added to the delegation as CIFS.

Ensure any SharePoint servers that need to be accessed, are also entered as HTTP.


Internet Explorer

  1. Open Internet Options, Security, Local Intranet, Sites, Advanced then enter the following:
Citrix Content Collaboration URL – e.g.:

FQDN StorageZone – e.g.:

FQDN of AAAVIP – e.g.:

Note: If this is locked down, configure via GPO which will be actioned on the User Configuration.
  1. Open GPMC and select the GPO controlling the behaviour of IE.
  2. Browse to Computer Configuration/Administrative Templates/System/Group Policy and Enabled the policy Configure user group policy loopback processing mode and select Replace.
  3. Then browse to User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page and edit the Site to Zone Assignment List as follows:
Note: The number in the Value field denotes the number of the zone. MS breaks them down as follows:

1 – Intranet zone – sites on your local network.

2 – Trusted Sites zone – sites that have been added to your trusted sites.

3 – Internet zone – sites that are on the Internet.

4 – Restricted Sites zone – sites that have been specifically added to your restricted sites.
  1. For external IE browsers, extra configuration is required as follows:
Click on the Internet/Custom Level and ensure that:
  • Miscellaneous/Access data sources across domains is Enabled.
  • User Authentication/Log on/Prompt for Username and Password is selected.
  1. Click OK twice.


  1. Launch Firefox. In the Address Bar, instead of typing a URL, enter: about:config
This opens the configuration interface. You may need to agree to a security warning in order to proceed.
  1. Double-click the line labelled automatic-ntlm-auth.trusted-uris and enter the following:
ShareFile site –

FQDN StorageZone –


Note: Separate individual URLs with commas, but do not put spaces between them, for example:,

  1. Click OK when you’re finished.
  2. Double-click the line labelled negotiate-auth.trusted-uris.
  3. Enter the same information you entered in step 2 with the URLs separated by commas and with no spaces.
  4. Click OK.


This should work. CORS should be enabled by default on Chrome but you can add the plugin to Chrome here .


Leave a Reply