Single Sign-on authentication can be configured on both new and upgraded setups.
- Configuring Single Sign-on on a new Citrix Receiver for Windows setup
- Configuring Single Sign-on on an upgraded Citrix Receiver for Windows setup
- Single Sign-on Troubleshooting and Diagnostics
To configure Single Sign-on on a new setup:
Depending on the XenApp/XenDesktop deployment, Single Sign-on authentication can be configured on StoreFront or the Web Interface using the Management Console.
Note: Single Sign-on is not supported if Citrix Receiver for Windows is connected to XenApp/XenDesktop using NetScaler Gateway.
Configured on StoreFront or the Web Interface with Management Console
- StoreFront server: Launch StoreFront Studio, go to Store > Manage Authentication methods > enable Domain pass-through.
- When Citrix Receiver for Windows is not configured with Single Sign-on, it automatically switches the authentication method from Domain pass-through to Username and Password, if available.
Receiver for Web is required
- Launch Stores > Receiver for Websites > Manage Authentication methods > enable Domain pass-through.
- When Citrix Receiver for Web is not configured to allow Domain pass-through, it automatically switches the authentication method to Username and Password, if available.
StoreFront is not configured
- If Web Interface is configured on a XenApp server, open XenApp Services Sites > Authentication Methods > enable Pass-through.
- When Citrix Receiver for Windows is not configured with Single Sign-on, it automatically switches the authentication method from Pass-through to Explicit, if available.
On XenDesktop 7 or later or XenApp 7.5 or later, run the following PowerShell command as an administrator on the Delivery Controller:
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True
Refer to the Knowledge Center article: Error: “An error occurred while making the requested connection”.
Note: On XenApp 6.5, XML Service Port and Trust is enabled using the Graphical User Interface. For more information, see Configuring the Citrix XML Service Port and Trust.
3.1 Modify the Internet Explorer settings
Modify the Internet Explorer settings to add StoreFront URL or Web Interface URL to the list of Security Zones in Internet Options. There are two methods to modify Security Zones:
NOTE: At any time, use only one of the following methods.
3.2 Install Citrix Receiver for Windows
- Download Citrix Receiver for Windows (CitrixReceiver.exe) from Citrix Downloads.
- Log on to the client device with administrator privileges.
- You can install Citrix Receiver for Windows in two ways:
Using the Graphical User Interface
- Double-click CitrixReceiver.exe.
- In the Citrix Receiver Installation wizard, select Enable Single Sign-on.
- Click Next.
- After the installation is complete, log off from the client device and log on again.
Using the Command Line Interface
- Open a command prompt as an administrator and change to the directory where CitrixReceiver.exe is located.
- Run the following command to install Citrix Receiver for Windows with the Single Sign-on feature enabled:
CitrixReceiver.exe /includeSSON /silent
- After the installation is complete, log off from the client machine and log on again.
- Launch the Task Manager to verify that the ssonsvr.exe process is running.
Users should now be able to log on to an existing Store (or configure a new Store) using Citrix Receiver for Windows without providing credentials.
Configuration described in this section is required in two cases:
- When access to StoreWeb using Internet Explorer (IE) is required.
- Citrix Receiver for Windows version 4.3 or earlier.
For newer versions of Receiver (4.4 onwards) that do not require IE access, the configuration is optional.
On Citrix Receiver for Windows 4.3 and Earlier:
An additional configuration is required in the Group policy settings as described below:
Using Citrix Receiver for Windows Group Policy template files
Add Citrix Receiver for Windows template files to the Local Group Policy Editor. For more information, see Configure Receiver with the Group Policy Object template. Be sure to use the ADM template of the same version as the Receiver on the Client.
- Open Local Group Policy Editor by running the gpedit.msc command. Navigate to Citrix Receiver > User authentication.
- Open the Local user name password policy.
- Select Enable pass-through authentication and Allow pass-through authentication for all ICA connections.
- Click Apply and OK.
Note: If the existing version of Citrix Receiver for Windows does not have the Single Sign-on component installed, upgrading to the latest version with the /includeSSON switch is not supported.
After the installation is complete, log off from the client device and log on again.
Single Sign-on Diagnostics
In Citrix Receiver for Windows Version 4.5, you can use Configuration Checker to diagnose the Single Sign-on configuration.
Right-click the Citrix Receiver icon in the notification area and select Advanced Preferences > Configuration Checker.
The Configuration Checker window appears.
Select SSONChecker and click Run.
The test runs on all the SSON checkpoints.
After the test is complete, the results are displayed for each test.
The test describes if all the configuration requirements for Single Sign-on are met.
For more information, see Using Configuration Checker to validate Single Sign-on configuration.
Verify the list of Network Providers
If users face any issues with Single Sign-on, Citrix recommends that you verify the list of network providers on the client machine as described below:
Enter View network connections. The Network Connection window appears.
Press ALT to display the menu. Click Advanced > Advanced Settings.
The Advanced Settings window appears.
Click the Provider Order tab.
Move “Citrix Single Sign On” to the top of the list to change the order of network providers.
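A read-only PowerShell check for the two client-side conditions described above (ssonsvr.exe running after logon, and the Citrix provider first in the provider order), added here as an example and not taken from the Citrix documentation. It assumes the Provider Order tab reflects the ProviderOrder registry value and that the displayed name is each provider's NetworkProvider\Name value; it also reports each provider DLL and its signer, because a network provider can receive the user's logon credentials.

```powershell
# Added example (read-only): checks the two client-side conditions from this page.
# Assumptions: the Provider Order tab reflects the ProviderOrder registry value, and
# the name shown there is each provider's NetworkProvider\Name value.
$orderKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$ssonDisplay = 'Citrix Single Sign*On'   # display name as given on this page

# 1. ssonsvr.exe should be running once the user has logged off and on again.
$sson = Get-Process -Name ssonsvr -ErrorAction SilentlyContinue
if ($sson) {
    $sson | Select-Object Name, Id, SessionId | Format-Table -AutoSize
} else {
    Write-Warning 'ssonsvr.exe is not running in any session.'
}

# 2. Enumerate network providers in the order Windows calls them.
$raw   = (Get-ItemProperty -Path $orderKey -Name ProviderOrder).ProviderOrder
$order = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

$position = 0
$report = foreach ($key in $order) {
    $position++
    $np  = Get-ItemProperty -Path "$servicesKey\$key\NetworkProvider" -ErrorAction SilentlyContinue
    $dll = if ($np.ProviderPath) { [Environment]::ExpandEnvironmentVariables($np.ProviderPath) }
    $sig = if ($dll -and (Test-Path -LiteralPath $dll)) { Get-AuthenticodeSignature -FilePath $dll }
    [pscustomobject]@{
        Position = $position
        Key      = $key
        Name     = $np.Name
        Dll      = $dll
        Signer   = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
        Status   = if ($sig) { $sig.Status } else { 'file not found' }
    }
}
$report | Format-List

# 3. The Citrix provider should be present and first in the list.
$citrix = $report | Where-Object { $_.Name -like $ssonDisplay } | Select-Object -First 1
if (-not $citrix) {
    Write-Warning 'No provider with the Citrix Single Sign-on display name is registered.'
} elseif ($citrix.Position -ne 1) {
    Write-Warning "Citrix Single Sign-on provider is at position $($citrix.Position), not 1."
}
```

An unexpected or unsigned provider DLL in the output merits review before the order is changed.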