How to Install, Configure and Use Citrix Receiver For Windows 4.6

Installation and Configuration

  1. Navigate to in a web browser, then click Download Receiver. The newest version available would be Receiver 4.6.
    User-added image

  2. Find the downloaded file and launch it.

  3. Check the box next to “I accept the license agreement”, then click Next.

  4. Choose whether to enable single sign-on. Single sign-on remembers the user’s credential for the device, so the user can connect to other Citrix applications without logging on. Then begin the installation.

    User-added image

Configuration and Logging on

  1. After installation, you will find the receiver icon on the toolbar. Right click on it and select Open.

  2. You can choose to enter either the corporate email address if IT team has configured the address, or the server address provided by IT. Then click Add.

    User-added image

  3. Then enter the domain user name and password, then choose Log On.

    User-added image

Using Citrix Windows Receiver

Citrix receiver interface is now loaded, and all the resources can be seen from StoreFront.

  1. Click FAVORITES to view the desktops and apps you added to FAVORITES
    User-added image

  2. You can also view the assigned desktops by clicking the DESKTOPS
    User-added image

  3. Then click Details; You can add these desktops to FAVORITES, open and restart the desktops.
    User-added image

  4. After clicking APPS, you can view all available applications.
    User-added image

  5. Click Details to add the applications to FAVORITES and open the apps.
    User-added image

Citrix Receiver for Windows provides users with secure, self-service access to virtual desktops and apps provided by XenDesktop and XenApp. Apart from using the windows receiver interface, users can also use the receiver with storefront from the website.

User-added image

Secure User Environment

To maximize the security of the environment, the connections between Citrix Receiver for Windows and the resources you publish must be secured. You can configure various types of authentication for Citrix Receiver for Windows software, including smart card authentication, certificate revocation list checking, and Kerberos pass-through authentication.

1. Configure domain pass-through authentication

To enable domain pass-through using the graphical user interface:

  1. Locate the Citrix Receiver for Windows installation file (CitrixReceiver.exe).

  2. Double click CitrixReceiver.exe to launch the installer.

  3. In the Enable Single Sign-on installation wizard, select the Enable single sign-on checkbox to install Citrix Receiver for Windows with the SSON feature enabled. The image below illustrates how to enable single sign-on:

    User-added image

2. Configure domain pass-through authentication with Kerberos

Citrix Receiver for Windows supports Kerberos for domain pass-through authentication for deployments that use smart cards. Kerberos is one of the authentication methods included in Integrated Windows Authentication (IWA).

When users install Citrix Receiver for Windows, include the following command-line option: /includeSSON. This option installs the single sign-on component on the domain-joined computer, enabling Citrix Receiver for Windows to authenticate to StoreFront using IWA (Kerberos). The single sign-on component stores the smart card PIN, which is then used by the HDX engine when it remotes the smart card hardware and credentials to XenDesktop. A related option, ENABLE_SSON, is enabled by default and should remain enabled.

To apply the settings, restart Citrix Receiver for Windows on the user device. After that, users also need to configure StoreFront:

  1. In the default.ica file located on the StoreFront server, set DisableCtrlAltDel to false.
  2. When you configure the authentication service on the StoreFront server, select the Domain pass-through check box. That setting enables Integrated Windows Authentication. You do not need to select the Smart card check box unless you also have non domain joined clients connecting to Storefront with smart cards.

3. Configure smart card authentication

a. To enable single sign-on for smart card authentication

To configure Citrix Receiver for Windows, include the following command-line option when users install it: ENABLE_SSON=Yes. Single sign-on is another term for pass-through authentication. Enabling this setting prevents Citrix Receiver for Windows from displaying a second prompt for a PIN.

b. To enable user devices for smart card use

  1. Import the certificate authority root certificate into the device’s keystore.
  2. Install your vendor’s cryptographic middleware.
  3. Install and configure Citrix Receiver for Windows.
  4. Details on certification installation can be found here in –

​c. To change how certificates are selected

Change how certificates are selected by using either of the following methods:

  1. On the Citrix Receiver for Windows command line, specify the option AM_CERTIFICATESELECTIONMODE={ Prompt | SmartCardDefault | LatestExpiry }.
  2. Add the following key value to the registry key HKCU or HKLMSoftware[Wow6432Node]CitrixAuthManager: CertificateSelectionMode={ Prompt | SmartCardDefault | LatestExpiry }.

d. To use CSP PIN prompts

Change how PIN entry is handled by using either of the following methods:

  1. On the Citrix Receiver for Windows command line, specify the option AM_SMARTCARDPINENTRY=CSP.
  2. Add the following key value to the registry key HKLMSoftware[Wow6432Node]CitrixAuthManager: SmartCardPINEntry=CSP.

4. Enabling certificate revocation list checking

When certificate revocation list (CRL) checking is enabled, Citrix Receiver checks whether or not the server’s certificate is revoked. By forcing Citrix Receiver to check this, users can improve the cryptographic authentication of the server and the overall security of the TLS connection between a user device and a server.

Advanced Preferences

Users can right click on the receiver icon on the toolbar and select Advanced Preferences to view an advanced preferences list like the picture below.

User-added image

  1. The Citrix Connection Center displays all connections established from Citrix Receiver. The Connections window displays a list of active sessions. Each server entry in the list represents a session. For each seamless session, below each server entry, a list of the hosted resources you are running on that server appears. The Connection Center offers various options to view statistics and control sessions and applications.
    User-added image

  2. Resetting receiver will delete all apps, desktops, accounts and configurations, and will return receiver to default settings. It will also close all active sessions. This feature will only be used to serious problems.

  3. When users click Settings Options in the advanced Preferences menu, users then will have 2 tabs. Users can choose the application display settings and reconnect options in this two tabs.
    User-added image

  4. If users delete the passwords, users are asked for the password the next time they log in.

  5. Data collection is designed to ask users whether they agree to send anonymous data and usage statistics to Citrix, which help Citrix to provide better products.

  6. Starting with Release 4.5 of Citrix Receiver for Windows, Configuration Checker helps users to run a test to ensure Single sign-on is configured properly. The test runs on different checkpoints of the Single sign-on configuration and displays the configuration results.

    User-added image

When users log in to the Citrix Receiver for Windows, users can launch a published desktop session. From the Desktop Viewer toolbar, users can select Preference to configure some preferences.

  1. When click File access, users can choose the way that they want to use to access files on the computer. It contains 4 ways: read and write, read only ,no access and ask me each time.

    User-added image

  2. When comes to the connection part, users can choose how devices, including microphone, webcam, digital camera and scanner, will connect to the virtual session. Also, there is a Relative Mouse setting providing an option to interpret the mouse position in a relative rather than an absolute manner. This capability is required for applications that demand relative mouse input rather than absolute.
    User-added image

  3. The display part provides a choice about the way the virtual desktops display. We recommend our users to use the Best Resolution since this kind of resolution will fit the screen perfectly automatically.
    User-added image

  4. The flash part provides a choice about whether user want to optimize the content of flash player. If users optimize content, the playback quality will be improved but the security will be reduced. If not, just basic playback quality will provided but with high security.

    User-added image


Force authenticate when all authentication realm failed.

I need a solution



It is possible to force authenticate user to visit website with any option ( on policy) through the proxysg when all authentication realm failed. We have been using two authentication realm such as windows sso, iwa. If those authentications will failed then could users force authenticate to visit website with any options ? 

Web authentication layer1

Source Destination Action Track Comment
Any Any Windows SSO authentication and PermitAuthenticationError None  
Web authentication layer2

Source Destination Action Track Comment
Any User authentication Erros schema(http,https) Guest authentication ( IWA ) None  
SSL Access Layer

Source Destination Service Action Track Comment Any Allow None  
Any Any Allow None  


  • No Related Posts

issues setting up second managment server

I need a solution


first management server is using embeded database.

installing symantec endpoing on second server, selecting option to install additional managment server to existing site.

when I get to Database Server Authentication I have two options, SQL server authentication, and Windows Authentication.

tried windows authentication but no go, and try SQL server authentication and it fails as wellm error 11501.

notes show username for DB is DBA, and we have notes for the password, but not sure of the database name, it defautls to sem45.

how can I verify the correct database name for an embedded database on the other server.



How BCAAA contributes in NTLM user authentication

I need a solution

Hi All,

in this link from microsoft “”, there is way called Noninteractive authentication, which may be required to permit an already logged-on user to access a resource such as a server application, typically involves three systems: a client, a server, and a domain controller that does the authentication calculations on behalf of the server

it BCAAA works the same way as above?

if yes, can anyone provide more details?

if no, then how it works

thanks in advnace,





  • No Related Posts

SSL intercept authentication failed

I need a solution

Hello guys,

Good day

I had been intercepting ssl traffic and non domain computers were couldn’t authenticate with IWA authentication. Also domain users cannot authentication with windows sso. I want to intercept only specific destination address and other destination wouldn’t intercepted. 

1. Domain user’s received below error message from proxy. 

2. Non domain user’s received below error message from proxy. 

Proxy layer description:

Web authentication layer

Source Destination Action Track Comment
Any Any Windows sso and PermitAuthenticationError None  
Guest authentication layer

Source Destination Action Track Comment
Any User Authentication Error Any AuthenticateGuest(IWA) None  
Web Access layer

Source Destination Service Time Action Track Comment
Any http and https any Allow None http and https any  Allow  None  
SSL Intercept layer

Source Destination Service Action Track Comment
Any Any SSLInterception1 None  

Thank you



Problem with authentication / Virtual URL

I need a solution

Hi All,

My current proxySG deployment

 – forward proxy with transparent mode

 – Origin IP Ridirect 

 – virtual URL without domain 

–  virtual URL tursted inside IE intranet zone

I have issue with pop up authentication. For now I am using virtual url without domain ”  ( http://proxysg ) and this is work for all laptop and PC that joined domain.

But for mobile device to work with proxy I have to change the virtual url with domain ( ) so that users get prompted for username and password. If i using virtual URL without domain user did not get prompt authentication message and get authentication error page from http://proxysg

After used new virtual url, mobile user able to authenticated and it is worked as expected.

Issue arise when i changing to the  ( ) PC/laptop users getting pop up for authentication message which they dont like it. 

my question : 1. should i use origin cookies redirect to avoid frequent pop up authentication message ?

                      2. what is the best way for mobile traffic in case use proxy ?

                      3. which virtual URL should I use ?




  • No Related Posts

The user could not be determined by the Single Sign-on agent.

I need a solution

Hello guys, 

We have been using DCQ and CQ on windows sso authentication. If the client is running with not domain user then DCQ and CQ will fail. We were organizing policy of second layer to access websites for clients that didn’t matter for authentication successful by windows sso realm but client couldn’t get access to website with any rule. The client side receive error message of authentication. The client could get access to the website that has domain user and authentication successful.  

Are you guys have any idea for this issue ? 

Thank you for support.

Web authentication layer

Source Destination Action Track comment  
any any authSSO(auto) none    
Web access layer

Source Destination Service Time Action Track
any any any any Allow None any any any Allow None


How does ProxySG get the DN for an IWA user?

I need a solution

ProxySG is joined to a Windows domain with forest trusts to user domains. An IWA-direct realm is configured for split authorisation against an LDAP realm.

When a user from a trusted domain authenticates to an explicit proxy service, how does the proxy establish the user’s Distinguished Name to perform the LDAP search, for both Kerberos and NTLM clients?

The user’s DN is not in the NTLM negotiation, does the proxy need network access to the trusted domains to determine this or does it receive it from the DC (e.g. over s_channel)?





Cannot connect to company network” when accessing O365 accounts

Secure Mail for iOS supports modern authentication (OAuth token-based authentication with User name and password) with Microsoft Office 365.


1.Enable modern authentication (OAuth) for Microsoft Office 365For details, see

2.Migrate your on-premises mailboxes to Microsoft Office 365For details, see

Next, ensure that you have configured the following MDX policies in the XenMobile console listed under OAuth Support for Office 365:

Office 365 authentication mechanism. This policy indicates the OAuth mechanism used for authentication while configuring an account on Office 365.

Do not use OAuth. OAuth is not used and Secure Mail uses basic authentication (username and password) for Office 365 Exchange account configuration. This is the default setting.

Use OAuth with Username and Password. The user must provide their email, password, and a multi-factor authentication code on the Secure Mail authentication screen for Microsoft. Then, on the next screen, the user must grant Secure Mail permission to access the Office 365 mailbox.

•Trusted Exchange Online Hostnames. Define a list of trusted Exchange Online hostnames that use the OAuth mechanism for authentication while configuring an account. This is a comma-separated format, such as, If the list is empty, Secure Mail uses basic authentication for account configuration. Default value is

•Trusted AD FS Hostnames. Define a list of trusted AD FS hostnames for webpages where the password populates during Office 365 OAuth authentication. This is a comma-separated format such as, . If the list is empty, Secure Mail does not auto populate passwords. Secure Mail matches the listed hostnames with the hostname of the webpage encountered during Office 365 authentication and checks if the page uses HTTPS protocol. For instance, when is a listed hostname, if the user navigates to, Secure Mail populates the password if the page has a password field. Default value is

Secure Mail for iOS is now enabled with modern authentication when the policies are refreshed on the device.


Can WebSphere Full Profile scope Requiring Client Certificate authentication to certain paths?

I would like to know whether WebSphere Full Profile (8.5.5.x or 9.x) has any capability to make the SSL Settings QoP “Client authentication” Required for **only** a specific path of an application?

The use-case is that a customer wants to use it for mutual authentication of REST APIs, but not require it for a user interface application that users log in to using a totally different authentication method. Both applications are deployed in the same .ear file.

Currently it appears that the configuration of Client authentication is done at the Cell or Node level through


  • No Related Posts