Citrix Receiver Single Sign On



This post walks through configuring single sign-on (pass-through authentication) for Citrix Receiver against StoreFront in a XenApp/XenDesktop 7.x environment: the prerequisites, the Receiver for Web and Receiver client methods, the Desktop Lock add-on, and troubleshooting.

SSO Overview

There are two ways you can use SSO in a Citrix 7.5+ environment using built-in Citrix technologies:

  1. SSO via Citrix Receiver for Web
  2. SSO via the Citrix Receiver client

Depending on which method you choose the prerequisites differ, although not by much. The prerequisites below are required for either method, so whichever method you choose these must be in place:

  1. Citrix Receiver must be installed on the client device (the SSON component is only needed for the Receiver client method, as explained below)
  2. The Receiver for Web website must be in the Local Intranet zone
  3. If using the Trusted Sites zone instead, Automatic logon with current user name and password must be set for the Trusted Sites zone (I will say no more about using the Trusted Sites zone)
  4. Domain pass-through must be enabled on Receiver for Web via the StoreFront console
  5. Requests sent to the XML service port on your DDCs must be trusted

Now below are the remaining unique prerequisites/differences for each method.

Receiver for Web

  1. Always use Receiver for HTML5 must not be selected in StoreFront
  2. Internet Explorer must be used when accessing Receiver for Web
  3. Group Policies do not need to be created for Receiver for Web SSO
  4. The User Name and Password authentication method on Receiver for Web should be disabled to avoid an extra prompt, which is explained later

Receiver client

  1. Group Policies do need to be created for Receiver client SSO

Installing and configuring SSO (Receiver for Web)

  1. Citrix Receiver client must be installed on the end device. The SSON component is not required, so a plain GUI or command-line install of the client is enough.
  2. Using the StoreFront MMC, enable Domain pass-through on Receiver for Web
  3. Using the StoreFront MMC, disable User Name and Password authentication on Receiver for Web
  4. Launch Internet Explorer at logon by placing a shortcut in the Startup folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup. This should be done on the base/gold image
  5. Set Internet Explorer's home page to the Receiver for Web website address
  6. Create a GPO linked to all machines participating in Citrix Receiver for Web SSO, or use an existing policy
  7. Using the above policy, edit the setting Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List to include the Receiver for Web website address in the Local Intranet zone

Decision: To get rid of the first-time logon prompt, which is shown later in this post, you need to disable User Name and Password authentication. Doing so partly reduces functionality:

  1. Non-domain machines cannot authenticate to this Receiver for Web website
  2. Users cannot log on using a set of credentials different from those they used to log on to their domain-joined client device

Keeping the above restrictions in mind, a decision must be made: either deliver a true SSO experience at the expense of reduced authentication options, or accept that users will be prompted on their first logon to Receiver for Web in return for keeping the maximum authentication options. It is also possible to create a separate Receiver for Web website for SSO users only, or separate sites for non-SSO participants. This means you can point specific devices/users at specific Receiver for Web websites based on their authentication needs.

Installing and configuring SSO (Receiver client)

  1. Citrix Receiver client must be installed on the end device with the SSON component. A command-line install is preferred because you can automate the Citrix Store configuration at the same time. At minimum the following command is required to install the Receiver client with SSON: CitrixReceiver.exe /includeSSON (tested on Receiver 4.3)
  2. Using the StoreFront MMC, enable Domain pass-through on Receiver for Web
  3. Download and copy the receiver.admx and receiver.adml template files to the PolicyDefinitions folder (the Group Policy Central Store) on a Domain Controller
  4. Create a GPO linked to all machines participating in Citrix Receiver client SSO, or use an existing one
  5. Using the above policy, edit the setting Computer Configuration -> Policies -> Administrative Templates -> Citrix -> Components -> Citrix Receiver -> Local User Name and Password and enable Enable pass-through authentication
  6. Using the above policy, edit the setting Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List to include the Receiver for Web website address in the Local Intranet zone
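The client-side steps of both procedures above (the Receiver for Web method and the Receiver client method) can be scripted for a gold image. The following PowerShell is an added example written for this page, not a script from the original post or from Citrix: the installer path, the StoreFront FQDN storefront.example.com and the store name Store are assumptions, as is the "Work" display name given to the store. It uses the /includeSSON switch and STORE0 parameter of the Receiver 4.x installer and writes the same registry location that the Site to Zone Assignment List policy writes, so the zone mapping cannot be undone per user.

```powershell
# Added example (not from the original post). Run elevated on the client device / gold image.
$StoreFrontFqdn = 'storefront.example.com'          # assumption: your StoreFront server FQDN
$StoreName      = 'Store'                           # assumption: store name -> /Citrix/Store and /Citrix/StoreWeb
$Installer      = 'C:\Install\CitrixReceiver.exe'   # assumption: where the Receiver installer was copied

# 1. Receiver client method: unattended install with the SSON component and the store
#    pre-configured (Receiver 4.x STORE0 syntax), so the user is never asked for a store address.
function Install-ReceiverWithSson {
    param([string]$InstallerPath, [string]$StoreUrl, [string]$DisplayName = 'Work')
    $arguments = @(
        '/silent',
        '/includeSSON',
        "STORE0=`"$DisplayName;$StoreUrl;on;$DisplayName apps`""
    )
    $proc = Start-Process -FilePath $InstallerPath -ArgumentList $arguments -Wait -PassThru
    return $proc.ExitCode   # 0 = success; 3010 = success, reboot pending
}

# 2. Both methods: put the StoreFront site in the Local Intranet zone. This is the machine-level
#    registry the "Site to Zone Assignment List" GPO setting writes. Zone values: 1 = Local Intranet,
#    2 = Trusted Sites (Trusted Sites additionally needs "Automatic logon with current user name").
function Set-SiteToZoneAssignment {
    param([string]$SiteUrl, [ValidateSet(1, 2)][int]$Zone = 1)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    New-Item -Path "$base\ZoneMap"    -Force | Out-Null
    New-Item -Path "$base\ZoneMapKey" -Force | Out-Null
    Set-ItemProperty -Path "$base\ZoneMap"    -Name 'ListBox_Support_ZoneMapKey' -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ZoneMapKey" -Name $SiteUrl -Value "$Zone" -Type String
}

# 3. Receiver for Web method only: open IE on the Receiver for Web site at every logon via the
#    all-users Startup folder (C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup).
function New-ReceiverForWebStartupShortcut {
    param([string]$SiteUrl)
    $startup = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup'
    $shell   = New-Object -ComObject WScript.Shell
    $lnk     = $shell.CreateShortcut((Join-Path $startup 'Receiver for Web.lnk'))
    $lnk.TargetPath = Join-Path $env:ProgramFiles 'Internet Explorer\iexplore.exe'
    $lnk.Arguments  = $SiteUrl
    $lnk.Save()
}

$exit = Install-ReceiverWithSson -InstallerPath $Installer `
            -StoreUrl "https://$StoreFrontFqdn/Citrix/$StoreName/discovery"
if ($exit -notin 0, 3010) { throw "Receiver install failed with exit code $exit" }

Set-SiteToZoneAssignment -SiteUrl "https://$StoreFrontFqdn" -Zone 1

# Uncomment on devices that use the Receiver for Web method instead of the Receiver client:
# New-ReceiverForWebStartupShortcut -SiteUrl "https://$StoreFrontFqdn/Citrix/${StoreName}Web"
```

The pass-through GPO setting from step 5 is deliberately not scripted here: import the Receiver ADMX templates and set it through Group Policy as the procedure says, so the setting is enforced rather than left to the image. A log off/on (or restart) is still required before SSONSVR.EXE starts.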

The Receiver for Web logon prompt

Now that we have discussed the prompt and the advantages/disadvantages of enabling/disabling this feature, below is what the prompt actually is and looks like.

When you have both Domain pass-through and User name and Password authentication enabled on Receiver for Web, the first time a user logs on they get this prompt, offering either to log on using the account they signed on to the computer with or to switch to the user name and password logon screen. The user name and password logon screen lets the user authenticate with any set of credentials they have. By "first time" I mean the first time a user logs on to Receiver for Web on a device they have never used before; the next time they use the same machine the prompt does not appear. If you log off, you may also get the message below.

If the device is a thin client with a write filter, profiles may not be stored, and as far as the device is concerned the user is using it for the first time every time it is restarted. This reduces the SSO experience, as the prompt requires manual input. If you want a true SSO experience you must disable User name and Password authentication: it conflicts with SSO and is not required. A separate Receiver for Web site must be created for users who do require the User name and Password authentication method. User name and Password is enabled by default when you install Citrix StoreFront.

[Screenshot: the User Name and Password authentication method]

Configuring SSO for Receiver client

Now that we have covered the theory, I will walk through configuring SSO for the Receiver client. I won't go through SSO with Receiver for Web, but it is very similar to configure.

Install Citrix Receiver on the client device with the SSON component included. I am using a command line to install; the command also configures the store automatically.

You could also enable SSO by ticking the checkbox in the installer on newer versions (4.3+) if you prefer; however, you will then have to configure the store manually or use the Receiver ADMX templates with Group Policy.

Put the Receiver for Web site in the Local Intranet zone. If using the Trusted Sites zone instead, Automatic logon with current user name and password must be set for the Trusted Sites zone. In most cases you will use the Local Intranet zone. This is best done via GPO (Site to Zone Assignment List).

Zone values for the Site to Zone Assignment List:

  1. Local Intranet zone = 1
  2. Trusted Sites zone = 2

If using the Trusted Sites zone, enable Automatic logon with current username and password.

Enable Domain pass-through on Receiver for Web via the StoreFront console and remove the other authentication method(s). Pass-through from NetScaler Gateway can stay enabled, but User name and password should not.

Requests sent to the XML service port on your DDCs must be trusted, so run the following command on a Delivery Controller:
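For reference, this is how the XML service trust setting is switched on and verified with the XenDesktop 7.x Broker PowerShell SDK. It is an added example written for this page, not the command from the original post: the Citrix.Broker.Admin.V2 snap-in and the Set-BrokerSite/Get-BrokerSite cmdlets are part of the Delivery Controller installation; nothing else is assumed.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on one Delivery
# Controller; the setting is site-wide and stored in the site database.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Enable-XmlServiceTrust {
    # Read before changing so the change is visible in the output (and in your change record).
    $before = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
    if (-not $before) {
        Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
    }
    $after = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
    if (-not $after) { throw 'TrustRequestsSentToTheXmlServicePort is still false' }
    return [pscustomobject]@{ Before = $before; After = $after }
}

Enable-XmlServiceTrust
```

Be clear about what this flag does: with it set, the Controller accepts the user identity asserted by StoreFront for pass-through (and smart card) logons without ever seeing a password. Anything that can reach the XML service port can therefore enumerate and launch resources as any user, so restrict that port to the StoreFront servers with a firewall, and keep StoreFront itself patched.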

Configure Group Policy to enable pass-through authentication on Receiver. You will need to have imported the Receiver.admx and Receiver.adml files into the Group Policy Central Store.

Outcome

Now if you open the Citrix Receiver client on your device, it should not ask you to configure the store or ask for credentials. Instead, you will be passed straight through to StoreFront and presented with your subscribed applications and desktops.

Be aware that after installing Receiver you must log off and on again on your client device for the SSONSVR.EXE process to start and capture your credentials.

Additional feature – Desktop Lock

You can also turn your PCs/thin clients into kiosk-type machines using Citrix Desktop Lock. When a user logs on to their device the Citrix desktop automatically launches in full-screen mode, and if the user disconnects or logs off the Citrix desktop the user is automatically logged off the local device. This is great in a VDI environment if you want to bring a true no-touch experience to your users. You can download Desktop Lock from the Citrix website.

Once downloaded launch the Citrix Desktop Lock software on an SSON configured client device.

Click Close once the software has installed.

Restart the client device.

Now log on as a standard user who has one Citrix desktop assigned to them.

Desktop Lock automatically launches the desktop in full screen.

The Desktop Viewer toolbar has some missing buttons to prevent the user from minimizing the desktop for example.

When the user disconnects or logs off, the local client device is also logged off. This helps secure the device and avoids leaving unattended workstations logged on.

If you need to control the local device yourself, log on as a user who is a Local Administrator of that machine and you will be presented with the below prompt.

After clicking OK you can access the local desktop to perform management tasks.

Troubleshooting SSO

  • The SSONSVR.EXE process must be running on your client device
  • Ensure you have met all the prerequisites stated above for your SSO method (Receiver client/Receiver for Web)
  • From an SSO-configured device, go to https://yourstorefrontserver.domain.com/citrix/storename/domainpassthroughauth/test.aspx. The address I would go to is https://storefront.citrixpro.co.uk/citrix/cpsweb/domainpassthroughauth/test.aspx, and if SSO is correctly configured you should see results similar to the below. (Included in StoreFront 2.5)
  • Restart the client device (required after installing Receiver with SSON)
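The three checks above can be run from one PowerShell function on the client, as the logged-on user (the identity that pass-through will actually send). This is an added example written for this page, not a tool from the original post or from Citrix: the StoreFront FQDN storefront.example.com and the Receiver for Web site name StoreWeb are assumptions, and the zone check reads the machine-level Site to Zone Assignment List, so it reports false if the zone was set another way.

```powershell
# Added example (not from the original post). Run on the client device as the end user.
function Test-ReceiverSson {
    param(
        [string]$StoreFrontFqdn,   # assumption: your StoreFront FQDN
        [string]$RfwSiteName       # assumption: Receiver for Web site name, e.g. StoreWeb (cpsweb in the post)
    )
    $result = [ordered]@{}

    # 1. SSONSVR.EXE only starts at the first logon after the SSON component is installed.
    $result.SsonSvrRunning = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

    # 2. Zone mapping as written by the Site to Zone Assignment List policy ("1" = Local Intranet).
    $zoneKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $zone = (Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue)."https://$StoreFrontFqdn"
    $result.InLocalIntranetZone = ($zone -eq '1')

    # 3. StoreFront's built-in pass-through test page (StoreFront 2.5+). -UseDefaultCredentials
    #    sends the logged-on user's Windows identity, exactly as Receiver for Web pass-through does.
    $url = "https://$StoreFrontFqdn/Citrix/$RfwSiteName/DomainPassthroughAuth/test.aspx"
    try {
        $response = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
        $result.TestPageStatus = $response.StatusCode
        # The page reports which identity it authenticated; strip the HTML for a quick read.
        $result.TestPageText = (($response.Content -replace '<[^>]+>', ' ') -replace '\s+', ' ').Trim()
    } catch {
        # 401 here usually means the site is not in the Intranet zone or pass-through is off on StoreFront.
        $result.TestPageStatus = $_.Exception.Message
    }
    return [pscustomobject]$result
}

Test-ReceiverSson -StoreFrontFqdn 'storefront.example.com' -RfwSiteName 'StoreWeb' | Format-List
```

If SsonSvrRunning is false but the component is installed, log off and on (or restart) before reading anything else into the result; if the test page returns a 401 while the zone check passes, look at the StoreFront side (Domain pass-through not enabled, or the XML trust on the DDCs).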

Receiver 4.5 (released September 2016):

New with Citrix Receiver for Windows 4.5 is the Configuration Checker tool which performs various checks against the prerequisites needed for SSO to work. Open Advanced Preferences by right-clicking the Receiver icon in the system tray. Click Configuration Checker.

Tick SSONChecker and click Run.

As you can see a number of checks have been performed with one failure.

Looking closer at the failure alert, we can see the Single Sign-on process is not running. After installing the SSON component you only need to log off and on for the process to run; in this case I deliberately left out the SSON component, so it is not installed at all. Click Save Report to save the results to a .TXT file.

Here is a look at the results .TXT file.

I have now run the SSON Checker on a machine that is properly configured for SSO. As expected, all checks have passed.

Receiver SSON logging:

You can enable SSON logging, which may help in identifying an issue.

Add the following values under HKLM\Software\Citrix\Install\SSON (32-bit OS) or HKLM\Software\WOW6432Node\Citrix\Install\SSON (64-bit OS):

REG_SZ DebugEnabled = true

REG_SZ LogPath = Path location

When you log off and on again, log files relating to SSON will be created in that path.

The trace-pnsson.log file shows information such as the credentials captured and packaged by SSON.
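Because the trace log contains the user's captured credentials, logging should be turned on only for the duration of the investigation and the log files removed afterwards. The following function is an added example written for this page, not from the original post or from Citrix: it selects the hive from the OS bitness and pairs the enable step with a matching clean-up. The log folder C:\Temp\SSON is an assumption.

```powershell
# Added example (not from the original post). Run elevated; log off and on again afterwards.
function Set-SsonDebugLogging {
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$LogPath = 'C:\Temp\SSON'      # assumption: any local folder the user can write to
    )
    # Receiver is a 32-bit application, so on a 64-bit OS its keys live under WOW6432Node.
    $key = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\WOW6432Node\Citrix\Install\SSON'
    } else {
        'HKLM:\SOFTWARE\Citrix\Install\SSON'
    }

    if ($Enabled) {
        New-Item -Path $key -Force | Out-Null
        New-Item -ItemType Directory -Path $LogPath -Force | Out-Null
        Set-ItemProperty -Path $key -Name 'DebugEnabled' -Value 'true'   -Type String
        Set-ItemProperty -Path $key -Name 'LogPath'      -Value $LogPath -Type String
    } else {
        # trace-pnsson.log holds the captured credentials: remove the logs together with the setting.
        Remove-ItemProperty -Path $key -Name 'DebugEnabled', 'LogPath' -ErrorAction SilentlyContinue
        Remove-Item -Path $LogPath -Recurse -Force -ErrorAction SilentlyContinue
    }
}

Set-SsonDebugLogging -Enabled $true
# Log off/on, reproduce the problem, read "$LogPath\trace-pnsson.log", then disable and clean up:
# Set-SsonDebugLogging -Enabled $false
```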

A virtual workspace with a single-sign-on feature

Adapting to modern workstyles and complex IT environments is exhausting and frustrating when you are forced to remember separate account details for every virtual app you own, not to mention the performance and security issues you have to put up with every time you switch between devices. These situations not only waste your time but also hinder your productivity during the day.
The good news is that there is a simple way to resolve these issues: spend more of your time being productive by using the Citrix Workspace app, the latest addition to Citrix's reliable family of services.

An efficient virtual workspace app

The app is the most extensive technology the Citrix family of services has to offer.

Citrix Workspace app is a universal software client that gives you instant access, anytime and anywhere, to all your workspace services without individual sign-ons, confusing passwords and complicated interfaces. It is the simplest way to work with all of your virtual apps, desktops, SaaS apps, files and mobile apps on any device. The app not only provides convenience to its users but also offers security that stops others from interfering with your business. No doubt this app will help you boost your productivity.

More than just a revamp

If you think this app came out of nowhere (or is just another addition to the family of Citrix services), you missed the highlights of Citrix Synergy 2018, where the app was announced as the focal point of the end-user Citrix Workspace experience. It is the successor of Citrix Receiver, the software used primarily for connecting users to XenDesktop and XenApp desktops and applications. There is no need to worry, since the app incorporates the full capabilities of Citrix Receiver, plus a dozen more.
Citrix is also committed to helping its customers through this transition and is preparing resources to simplify the shift between these technologies. The app's features come from all existing Citrix Receiver technology as well as the other Citrix client technologies, including the NetScaler plug-ins, XenMobile Secure Hub, and the ShareFile drive mapper, desktop app and sync. Additionally, it has been enhanced with premium features for data loss prevention, secure access to SaaS apps, secure internet browsing, advanced search, and more.

(In)dependent workspace app

The app is great and efficient productivity-wise. It is also designed to look modern and appealing, and is intuitive enough for beginners. However, to have full control of your virtual workspace you will need to subscribe to the other relevant Citrix services. The app can aggregate multiple services and deliver them through the new end-user interface, but it only displays the workspace resources your subscribed services are entitled to. For instance, if you only have the Citrix Cloud XenApp and XenDesktop service, the app will enumerate and deliver only the associated virtual apps and desktops included in your bundle; features outside the XenApp and XenDesktop service, such as single sign-on to mobile apps, SaaS apps and web apps, will not be available.
On the other hand, if you have multiple services including ShareFile, you will have access to all your virtual apps, desktops and files, as well as cross-service integration. Instant access to all your virtual apps and desktops is nice to have, but to get it you will need to spend a little more on additional Citrix services and bundles.

Where can you run this program?

The app runs on Windows, Mac, Linux, Chrome OS, iOS and Android. You can download it from the major app stores or from the download page on its official website, although you will need access to the Citrix Workspace platform to unlock the app's full capabilities. The platform is included with all Citrix Cloud services.

Is there a better alternative?

Since looking for the most suitable virtual workspace program for your needs can be troublesome, checking out one app is never enough. Aside from Citrix Workspace, you can try its well-known rival, VMware Workspace ONE. It is a digital workspace platform that delivers and manages any app on any device by integrating access control, application management and multi-platform endpoint management. It also offers a wide range of features, most of them comparable to what is available in Citrix Workspace, such as passwordless single sign-on to a catalog that gives easy access to virtual apps and files. VMware Workspace ONE is not necessarily better than Citrix Workspace, as it performs (almost) the same functions. You only need to determine which product comes closest to delivering exactly what you need in order to choose between the two.

Our take

The app has its merits, including the fact that it is developed by one of the most reliable names in the digital workspace market. For some users, however, this can also be the app's downfall: even though you can download the app for free, you can only fully utilize its potential by subscribing to Citrix's other services, which come with a pricey subscription fee. The only thing that will stop you from liking the app is an unwillingness to try the whole package of Citrix services. Overall, the app is built for user convenience and back-end security. Its UI is modern-looking and beginner-friendly. It is also highly recommended for those who already have Citrix Receiver, since the app is a complete upgrade of that software.

Should you download it?

Only if you already have other Citrix services such as XenApp, XenDesktop, NetScaler, XenMobile and ShareFile. The app will work perfectly for managing your virtual apps and desktops through these services, although you may also want to check out the app's biggest rival, VMware Workspace ONE, to see which service fits your needs.

Highs

  • Free download available
  • Modern interface design
  • Beginner-friendly features
  • Offers single-sign-on to all your virtual apps and files
  • From the reliable Citrix’s family of services

Lows

  • Unlock the app’s full potential only by availing other Citrix paid services
  • Needs access to Citrix Workspace Platform
  • Complex transition process from Citrix Receiver to the app
