ShareConnect Settings

ShareConnect offers a variety of account and security settings that you can customize from the ShareConnect Web App. These settings can be used to customize how remote sessions behave.

Note: If you are connecting to a File Server, these preferences are not available. If you are connecting to a Mac computer, not all features may be available.

To view and edit account-wide settings:

  1. These settings can only be configured by an Admin user
  2. Sign into ShareConnect
  3. Access the Settings menu under Manage Team Account.

Available Settings

To view and edit user-specific settings:

  1. Sign into ShareConnect and access your username in the upper left.
  2. Click the Settings link.
  3. The settings displayed in this menu reflect the account-wide settings configured by an Admin user.

Citrix Workspace app 1904 for Windows – Unable to connect to the server SSL Error 4

To resolve this issue:

Option 1 (recommended):

Update the Gateway with a compatible cipher suite (See Cryptographic Update for supported cipher suites), following the steps outlined in: CTX235509


Option 2:

Note: This should be considered a short-term workaround, since previous versions of CWA contain a security vulnerability; see CTX251986 for details.

Uninstall Citrix Workspace app 1904 (See Control Panel –> Programs –> Uninstall a Program )

Download and install Citrix Workspace app 1903 from here: Download link


How to Manually Install and Configure Citrix Receiver for Pass-Through Authentication

Single Sign-on authentication can be configured on both new and upgraded setup.

Configuring Single Sign-on on a new Citrix Receiver for Windows setup
Configuring Single Sign-on on an upgraded Citrix Receiver for Windows setup
Single Sign-on Troubleshooting and Diagnostics

To configure Single Sign-on on a new setup:

  1. Enable Domain pass-through and optionally User name and password authentication on StoreFront or the Web Interface.

  2. Configure XML trust services on the Delivery Controller.

  3. Modify Internet Explorer settings and Install Citrix Receiver for Windows with Single Sign-on.

1. Enable User name and password and Domain pass-through on StoreFront or the Web Interface

Depending on the XenApp/XenDesktop deployment, Single Sign-on authentication can be configured on StoreFront or the Web Interface using the Management Console.

  • StoreFront server: Launch StoreFront Studio, go to Store > Manage Authentication methods > enable Domain pass-through.

Note: Single Sign-on is not supported if Citrix Receiver for Windows is connected to XenApp/XenDesktop using NetScaler Gateway.

Scenario: Configured on StoreFront or the Web Interface with Management Console

  • Steps: StoreFront server: Launch StoreFront Studio, go to Store > Manage Authentication methods > enable Domain pass-through.
  • Description: When Citrix Receiver for Windows is not configured with Single Sign-on, it automatically switches the authentication method from Domain pass-through to Username and Password, if available.

Scenario: Receiver for Web IS Required

  • Steps: Launch Stores > Receiver for Websites > Manage Authentication methods > enable Domain pass-through.
  • Description: When Citrix Receiver for Web is not configured to allow Domain pass-through, it automatically switches the authentication method to Username and Password, if available. If you are launching published applications using web browsers for Storeweb, enable the Single Sign-on feature as described in the section Group Policy Settings.

Scenario: StoreFront IS NOT configured

  • Steps: If Web Interface is configured on a XenApp server, open XenApp Services Sites > Authentication Methods > enable Pass-through.
  • Description: When Citrix Receiver for Windows is not configured with Single Sign-on, it automatically switches the authentication method from Pass-through to Explicit, if available.

2. Configure XML trust services on the Delivery Controller

On XenDesktop 7 or later or XenApp 7.5 or later, run the following PowerShell command as an administrator on the Delivery Controller:

asnp Citrix*

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True

Refer to the Knowledge Center article: Error: “An error occurred while making the requested connection“.

Note: On XenApp 6.5, XML Service Port and Trust is enabled using the Graphical User Interface. For more information, see Configuring the Citrix XML Service Port and Trust.

3. Modify Web Browsers settings and Install Citrix Receiver for Windows with Single Sign-on

3.1 Modify the web browsers settings

3.1.1 Configuring IE, Chrome, Edge browsers and Citrix Workspace for Windows for Single Sign-on

Modify the Internet Explorer settings to add StoreFront URL or Web Interface URL to the list of Security Zones in Internet Options. There are two methods to modify Security Zones:

NOTE: At any time, use only one of the following methods.

Option 1
  1. Local Intranet: Open Internet Explorer > Internet Options > Security > Local Intranet, Click Sites. The Local intranet window appears.
  2. Click Advanced.
  3. Add the URL of the StoreFront or Web Interface FQDN with appropriate http or https protocol.
Option 2
  1. Trusted Sites: Open Internet Explorer > Tools > Internet Options > Security >Trusted Sites > Sites
  2. Add StoreFront or Web Interface FQDN with appropriate http or https protocol.
  3. In the Internet Options > Security tab, select Trusted Sites.
  4. Click Custom level. The Security Settings – Trusted Sites Zone window appears.
  5. From the User Authentication options, select Automatic logon with current user name and password.

Note: Automatic logon with current user name and password can be configured using Group Policy. For more details, see Managing Browser Settings with Group Policy Tools.

3.1.2 Configuring Firefox for Single Sign-on

  • Open Firefox
  • Type about:config in the address bar
  • A security warning page will appear. To continue, click “I accept the risk!”

  • List of configurations will be available. In the search bar type “network.automatic-ntlm-auth.trusted-uris” and add the store URL to that configuration

3.2 Install Citrix Receiver for Windows

  1. Download Citrix Receiver for Windows (CitrixReceiver.exe) from Citrix Downloads.
  2. Log onto the client device with administrator privilege.
  3. You can install Citrix Receiver for Windows in two ways:
    Using the Graphical User Interface
    1. Double-click CitrixReceiver.exe.
    2. In the Citrix Receiver Installation wizard, select Enable Single Sign-on.
    3. Click Next.
    4. After the installation is complete, log off from the client device and log on again.

    Using the Command Line Interface
    1. Open a command prompt as an administrator and change to the directory where CitrixReceiver.exe is located.
    2. Run the following command to install Citrix Receiver for Windows with the Single Sign-on feature enabled:

      CitrixReceiver.exe /includeSSON /silent
  4. After the installation is complete, log off from the client machine and log on again.
  5. Launch the Task Manager to verify that the ssonsvr.exe process is running.

Users should now be able to log on to an existing Store (or configure a new Store) using Citrix Receiver for Windows without providing credentials.

Group policy settings

Configuration described in this section is required in two cases:

• When access to StoreWeb using web browsers is required.

• Citrix Receiver for Windows version 4.3 or earlier is used.

For newer versions of Receiver (4.4 onwards) that do not require SSON via web browsers, the configuration is optional.

Using Citrix Receiver for Windows Group Policy template files

• Add Citrix Receiver for Windows template files to the Local Group Policy Editor. For more information, see Configure Receiver with the Group Policy Object template. Be sure to use the ADM template of the same version as the Receiver on the Client.

Follow the steps below to configure the policy:

1. Open Local Group Policy Editor. Navigate to Citrix Receiver > User authentication.

2. Open the Local user name password policy.

3. Select Enable pass-through authentication.


4. Click Apply and OK.

Note: If the existing version of Citrix Receiver for Windows does not have the Single Sign-on component installed, upgrading to the latest version with the /includeSSON switch is not supported.

After the installation is complete, log off from the client device and log on again.

Single Sign-on Diagnostics

In Citrix Receiver for Windows Version 4.5, you can use Configuration Checker to diagnose the Single Sign-on configuration.

  1. Right-click the Citrix Receiver icon in the notification area and select Advanced Preferences > Configuration Checker.

    The Configuration Checker window appears.

  2. Select SSONChecker and click Run.

    The test runs on all the SSON checkpoints.

After the test is complete, the results are displayed for each test.

The test describes if all the configuration requirements for Single Sign-on are met.

For more information, see Using Configuration Checker to validate Single Sign-on configuration


Verify the list of Network Providers

If users face any issues with Single Sign-on, Citrix recommends that you verify the list of network providers on the client machine as described below:

  1. Click Start.

  2. Enter View network connections. The Network Connection window appears.

  3. Press ALT to display the menu. Click Advanced > Advanced Settings

    The Advanced Settings window appears.

  4. Click the Provider Order tab.

  5. Move “Citrix Single Sign On” to the top of the list to change the order of network providers.
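
The two client-side checks described above (the ssonsvr.exe process from the installation steps and the position of “Citrix Single Sign On” in the provider order), as an added PowerShell example that is not part of the original article. It assumes the provider order is held in the ProviderOrder registry value and that each provider's display name is under its NetworkProvider key; the function names and the sample service name are hypothetical.

```powershell
# Added example, not from the original article. Read-only: changes nothing.
# Assumptions: the logon order is the ProviderOrder registry value, and each
# provider's display name and DLL are under Services\<name>\NetworkProvider.

function Get-NetworkProviderOrder {
    $base  = 'HKLM:\SYSTEM\CurrentControlSet'
    $order = (Get-ItemProperty -Path "$base\Control\NetworkProvider\Order").ProviderOrder
    $position = 0
    foreach ($svc in ($order -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        $position++
        $np = Get-ItemProperty -Path "$base\Services\$svc\NetworkProvider" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Position     = $position
            Service      = $svc
            DisplayName  = $np.Name          # text shown on the Provider Order tab
            ProviderPath = $np.ProviderPath  # DLL loaded at logon; review unexpected entries
        }
    }
}

function Test-SsonClientState {
    param([object[]] $Providers = (Get-NetworkProviderOrder))

    # Matches "Citrix Single Sign On" as well as hyphenated spellings of the name
    $citrix = $Providers | Where-Object { $_.DisplayName -like 'Citrix Single Sign*' } |
        Select-Object -First 1

    # Only count an ssonsvr process that belongs to the current logon session
    $session = (Get-Process -Id $PID).SessionId
    $ssonsvr = Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $session }

    [pscustomobject]@{
        SsonProviderRegistered = [bool]$citrix
        SsonProviderFirst      = [bool]($citrix -and $citrix.Position -eq 1)
        SsonsvrRunning         = [bool]$ssonsvr
        ProviderOrder          = ($Providers | Sort-Object Position | ForEach-Object { $_.Service }) -join ','
    }
}

# Constructed sample (not from a real machine): provider registered but listed second.
# 'ExampleSsonProvider' is a placeholder service name.
$sample = @(
    [pscustomobject]@{ Position = 1; Service = 'LanmanWorkstation';   DisplayName = 'Microsoft Windows Network'; ProviderPath = $null }
    [pscustomobject]@{ Position = 2; Service = 'ExampleSsonProvider'; DisplayName = 'Citrix Single Sign On';     ProviderPath = $null }
)
Test-SsonClientState -Providers $sample

# Live check on the client:
Test-SsonClientState
Get-NetworkProviderOrder | Format-Table -AutoSize
```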


Citrix Content Collaboration Connector SSO for Network Shares and SharePoint on‐prem

Summary of items

  1. SharePoint Configuration
  2. NetScaler (internal load balancer) Configuration
  3. Configure SplitDNS
  4. Configure Citrix Storage Zone
  5. AD Delegation
  6. Browsers

SharePoint Configuration

Set the SPN for the SharePoint service account

Note:

This is a standard SharePoint requirement (it references the service account used during the installation of SharePoint itself). The service account used below is usually the one that SharePoint was initially installed with.

  1. From any server, open CMD (elevate with account with the appropriate SharePoint rights)
  2. Type the following:

SetSPN -S HTTP/SharePoint domain\serviceaccountname

SetSPN -S HTTP/SharePoint.domain.com domain\serviceaccountname


Note:

KCD work is not required for the Network Connectors; these will be using NTLM.

SharePoint Configuration

  1. On the Central Administration page, under Quick Launch, click Security, and in the General Security section click Specify authentication providers.
  2. On the Authentication Providers page, select the zone for which you want to change authentication settings.
  3. On the Edit Authentication page, and in the Authentication Type section ensure this is set to Windows (selected by default).
  4. In the IIS Authentication Settings section, select Negotiate (Kerberos). Note: If you select Negotiate (Kerberos) you must perform additional steps to configure authentication (below).
  5. Click Save.

NetScaler (internal Load balancer) Configuration

The reason for this configuration is to split the External and Internal traffic. Where AAA authentication is being used for external user authentication to Connectors, AAA is not a necessity for Internal use, especially where Web Access to Network shares/SharePoint SSO is required via web browsers.

Note:

AAA requires a NetScaler Enterprise and above license to use.

If the NetScaler wizard has been used to configure a storage zone, then you would typically see LBVIPs bound to a Content Switch, such as:

_SF_CS_ShareFile = External Content Switch

The External config would typically have:

  • 1 x Content Switch, with Policies, Responders, Callouts.
  • 3 x LBVIPs
    • ShareFile Data LBVIP
    • Connectors LBVIP with AAA enabled
    • OPTIONS LBVIP.


Note:

If Web Access to Connectors is required, then additional configuration is needed in addition to the wizard, which adds the OPTIONS LBVIP to the Content Switch. Please see this article in section “Configure NetScaler for restricted zones or web access to Connectors”.

Now we would need an additional configuration to route the internal traffic. This would typically be a Load Balancing virtual server (LBVIP) rather than a Content Switch. In this instruction we are going to:

  • Create the Server(s) – create a connection to all the storage zone controllers within a single Zone.
  • Create a Service Group – group the servers into a group
  • Create an LBVIP – create the Load Balancing virtual server

Create the Server(s)

  1. Log into the NetScaler and browse to:
  2. Click Add.
  3. Create a name, e.g. SZ_Server.
  4. Input the IP Address of the Citrix storage zone controller.
  5. Click Create.
  6. Repeat for all storage zone controllers.

Create a Service Group

  1. Log into the NetScaler and browse to:
  2. Click Add.
  3. Create a name, e.g. SZ_Service_Group.
  4. Protocol: SSL
  5. Click OK.
  6. Click on Service Group Members.
  7. Select Server Based option then click on Select Server.
  8. Click the checkboxes on each of the storage zone controller servers and then click Select.
  9. Enter Port*: 443.
  10. Click Create.
  11. Click OK to continue.
  12. Click Done.

Create an LBVIP

  1. Log into the NetScaler and browse to:
  2. Click Add to create the storage zone LBVIP:
     Name: SZ_LB_INTERNAL
     Protocol: SSL
     IP Address Type: IP Address (this should be internally accessible)
  3. Click OK.
  4. Under Services and Service Groups, click the Virtual Server Service Group Binding option.
  5. Select the Service Group created earlier and click Bind.
  6. Click OK.
  7. Attach wildcard certificate.
  8. Click Bind.
  9. Click OK and Done.

Configure SplitDNS

Configure SplitDNS to resolve to the new Internal LBVIP (i.e. SZ_LB_INTERNAL). This is important because you need to direct traffic internally to the internal load balancing vserver created in the previous step. If this is done via Active Directory in your environment, here is an example.

Configure DNS in AD

  1. Log into the Domain Controller and open dsa.msc.
  2. Browse to Forward Lookup Zones to find the one which correlates to the StorageZone FQDN (sz.company.com)
  3. Add a New Host (A or AAAA)… and enter the FQDN for the StorageZone.
  4. Enter the IP, this should be the one of the Internal LBVIP (i.e. SZ_LB_INTERNAL) created in the previous section
  5. To test, open CMD from another desktop/server, run ipconfig/flushdns and ping the StorageZone FQDN. Does it resolve to the correct IP?

Configure Citrix Storage Zone

StorageZone Controller IIS changes

Network Connectors only:

  1. Log onto the StorageZone Controller(s) and open IIS.
  2. Click on the Default web site then to the CIFS virtual directory.
  3. Click on Authentication, then ensure Anonymous and Windows Authentication are Enabled.
  4. Right-click on the Windows Authentication option and select Providers.
  5. Highlight NTLM and Move Up to the top of the list. Click OK.
  6. Ensure Basic Authentication is set to Disabled.

SharePoint KCD only or either with Network Connectors:

  1. Click on the CIFS virtual directory, then on Authentication.
  2. Ensure Anonymous and Windows Authentication are Enabled.
  3. Right-click on the Windows Authentication option and select Providers.
  4. Highlight Negotiate and Move Up to the top of the list. Click OK.
  5. Repeat for the SP virtual directory.
  6. Ensure Basic Authentication is Disabled on both.

If using port 80 on your StorageZone Controller for Load Balancing communication, refer to the AD Delegation section.

  1. If using port 443, then on the StorageZone Controller, right-click the Default Web Site and select Edit Bindings.
  2. Add a new binding on port 443, assign the IP address, and insert a host header (just the first part of your storage zone FQDN, i.e. where FQDN=sz.company.com, then input only sz in the hostheader).

AD Delegation

Changes might need to be actioned on the SZC AD object(s), and all the servers used for Network Shares and SharePoint need to be added.

Example:

Note:

Ensure that any file servers hosting Network Shares are added to the delegation as CIFS.

Ensure any SharePoint servers that need to be accessed are also entered as HTTP.

Browsers

Internet Explorer

  1. Open Internet Options, Security, Local Intranet, Sites, Advanced then enter the following:
Citrix Content Collaboration URL – e.g.: subdomain.sharefile.com

FQDN StorageZone – e.g.: sz.company.com

FQDN of AAAVIP – e.g.: aaavip.company.com

Note: If this is locked down, configure via GPO which will be actioned on the User Configuration.
  1. Open GPMC and select the GPO controlling the behaviour of IE.
  2. Browse to Computer Configuration/Administrative Templates/System/Group Policy, enable the policy Configure user group policy loopback processing mode, and select Replace.
  3. Then browse to User Configuration/Administrative Templates/Windows Components/Internet Explorer/Internet Control Panel/Security Page and edit the Site to Zone Assignment List as follows:
Note: The number in the Value field denotes the number of the zone. MS breaks them down as follows:

1 – Intranet zone – sites on your local network.

2 – Trusted Sites zone – sites that have been added to your trusted sites.

3 – Internet zone – sites that are on the Internet.

4 – Restricted Sites zone – sites that have been specifically added to your restricted sites.
  1. For external IE browsers, extra configuration is required as follows:
Click on the Internet/Custom Level and ensure that:
  • Miscellaneous/Access data sources across domains is Enabled.
  • User Authentication/Log on/Prompt for Username and Password is selected.
  1. Click OK twice.
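
One way to review a Site to Zone Assignment List against the three hosts this setup needs, using the zone numbers listed above (an added PowerShell example, not part of the original article). The function names, the expected-host list and the sample entries are assumptions made for illustration, as is the registry location used for a live read of the user policy.

```powershell
# Added example, not from the original article. Zone numbers follow the list above.
$ZoneNames = @{ 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Test-ZoneAssignment {
    param(
        [Parameter(Mandatory)] [hashtable] $Assignments,    # site -> zone number, as in the policy
        [Parameter(Mandatory)] [string[]]  $ExpectedHosts   # hosts that need automatic logon
    )
    $expected = $ExpectedHosts | ForEach-Object { $_.ToLowerInvariant() }
    $seen = @()
    foreach ($site in ($Assignments.Keys | Sort-Object)) {
        $zone  = 0
        $valid = [int]::TryParse([string]$Assignments[$site], [ref]$zone) -and $ZoneNames.ContainsKey($zone)
        # Compare on the host part so "https://sz.company.com" equals "sz.company.com"
        $siteHost = ($site -replace '^[^:/]+://', '').TrimEnd('/').ToLowerInvariant()
        $seen += $siteHost
        $finding = if (-not $valid) { 'Invalid zone value' }
            elseif ($zone -le 2 -and $siteHost.Contains('*'))          { 'Wildcard in a zone used for automatic logon' }
            elseif ($zone -le 2 -and $expected -notcontains $siteHost) { 'Not in the expected host list' }
            elseif ($zone -ge 3 -and $expected -contains $siteHost)    { 'Expected host is outside zones 1 and 2' }
            else { 'OK' }
        [pscustomobject]@{
            Site    = $site
            Zone    = $(if ($valid) { $ZoneNames[$zone] } else { $Assignments[$site] })
            Finding = $finding
        }
    }
    # Hosts the setup needs but the list never mentions
    foreach ($h in ($expected | Where-Object { $seen -notcontains $_ })) {
        [pscustomobject]@{ Site = $h; Zone = '(none)'; Finding = 'Expected host is missing from the list' }
    }
}

function Get-ZoneMapPolicy {
    # Assumption: the user policy stores value name = site, value data = zone number here.
    param([string] $Key = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey')
    $map  = @{}
    $item = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if ($item) { foreach ($n in $item.GetValueNames()) { $map[$n] = $item.GetValue($n) } }
    return $map
}

# Constructed sample input (not taken from a real GPO)
$sample = @{
    'subdomain.sharefile.com' = '1'
    'https://sz.company.com'  = '1'
    '*.example.net'           = '1'
    'aaavip.company.com'      = '3'
}
$needed = 'subdomain.sharefile.com', 'sz.company.com', 'aaavip.company.com'
Test-ZoneAssignment -Assignments $sample -ExpectedHosts $needed | Format-Table -AutoSize

# Live check of the applied user policy:
# Test-ZoneAssignment -Assignments (Get-ZoneMapPolicy) -ExpectedHosts $needed
```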

Firefox

  1. Launch Firefox. In the Address Bar, instead of typing a URL, enter: about:config
     This opens the configuration interface. You may need to agree to a security warning in order to proceed.
  2. Double-click the line labelled automatic-ntlm-auth.trusted-uris and enter the following:
     ShareFile site – subdomain.sharefile.com
     FQDN StorageZone – sz.company.com
     FQDN of AAAVIP – aaavip.company.com
     Note: Separate individual URLs with commas, but do not put spaces between them, for example:
     subdomain.sharefile.com,sz.company.com
  3. Click OK when you’re finished.
  4. Double-click the line labelled negotiate-auth.trusted-uris.
  5. Enter the same information you entered in step 2 with the URLs separated by commas and with no spaces.
  6. Click OK.

Chrome

This should work. CORS should be enabled by default on Chrome but you can add the plugin to Chrome here.


ScrollBar size on XenApp 7.6 (Server 2012)

Customize the size of the Scrollbar on a VDA running 7.6.

Normal behaviour is as follows:

Change the Windows Metrics for Scrollbar on a Server VDA using the following Registry Key.

  • HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics
  • ScrollHeight
  • ScrollWidth

When launching a Desktop from that VDA, the Windows Metrics are as you set them on the server.

When launching an application on its own, it does not take in the server metrics; it takes in the client machine metrics.


EXE files locked on network share

Hi everyone
 

I have this weird problem and was wondering if anyone had any ideas where to go next.

In short, when I access network share EXE files get locked. If I try deleting any EXE (from Windows Explorer for example) it disappears for a couple of seconds (or until Refresh) and then reappears. Cannot move it, cannot rename it. Only when I logoff (and, I guess, network connections get cut off) files are deleted.

If I try deleting these files locally (on the computer hosting network share) I get “File access denied” error. Unlocker/IObit Unlocker both report file(s) not in use, but cannot delete them, only after unlocking with Open File List utility (OFL.exe) file(s) can be deleted locally. Sometimes even OFL cannot unlock them, for example if I try deleting/refreshing few times.

Went through network share permissions/ACLs first, although nothing was changed to trigger this. Tried couple of other things, but only after CleanWipe-ing this particular computer (my admin workstation) things went back to normal. SEP client reinstallation reintroduced the issue. I tried to vary policies, our standard, SEP default, all off, tried unmanaged, tried disabling everything possible and its always the same. After that I went with second CleanWipe with thorough registry clean. Reinstalled the client, nothing is changed.

As far as I tested, none of the other SEP clients/LAN computers are affected. This one has fully updated Windows 7 Pro, 14.2 MP1 client, nothing (related to this) in Windows logs, nothing in SEP logs. I think this started happening with 14.2, but cannot say for sure.

Anyone has any idea? Seen something like this before?

Regards
