A Comprehensive Guide to Enabling

Pass-Through Authentication with

XenDesktop 7.5
By Jason Maynard Published April 11, 2014 16 Comments
Tags: citrix receiver Pass-through Authentication StoreFront XenApp 7.5 xendesktop 7.5
Products: Receiver XenApp XenDesktop
Share on email

I know what youre thinking; Come on Jason! Do we really need another article, whitepaper or guide on
how to enable pass-through authentication?. Well yes we do. Here is why:
There are several resources out there on Citrix.com as well as other third-party sites on this topic.
However it seems like none of them spell out clearly exactly what needs to be done, especially with
XenDesktop 7.5 relying so heavily on PowerShell for advanced configuration. Every time I try to enable
this feature for one of my customer I run into problems. So, I created this quick step-by-step guide on how
to successfully enable pass-through authentication for the full Citrix Receiver with XenDesktop or
XenApp, making your customers (and their users) very happy. Especially when their applications then
magically appear in their Receiver client window and/or in their Windows Start Menu.
1.

Install Citrix Receiver 3.4 or higher with the /includeSSON switch. Optionally, the STORE=
command switch can be included as well (to avoid the user from having to enter the store name). In my
opinion, Receiver 3.4 should be the minimum version used because of some bug fixes included in 3.4
specific to pass-through authentication scenarios. I prefer using Receiver 4.1 if given the choice.
1.
CitrixReceiver.exe /includeSSON STORE0=(store name);https://(StoreFront server
DNS name)/citrix/(store name)/discovery
2.
To add up to 10 StoreFront stores, additional STORE1 through STORE9 entries can be
added to the command line if desired.
3.
When completed, check to see that pass-through authentication was successfully
enabled by starting Citrix Receiver and confirming that the ssonsvr.exe process is also running.
2.
If necessary, add the ICA Client GPO Administrative Template to the Local Computer Policy on
the users local machine and/or in the VDA desktop gold image:
1.
Open gpedit.msc.
2.
Right click on Computer Configuration > Administrative Templates and select
Add/Remote Templates.
3.
Add the c:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm template.
3.
Enable the following Local Computer GPO (Computer Configuration > Administrative
Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver >
User authentication) on the users local machine and/or in the VDA desktop gold image (pic below).
1.
Choose the Local user name password setting.
2.
Select Enabled.
3.
Select Enable pass-through authentication.
4.
Select Allow pass-through authentication for all ICA connections.
5.
Click Ok.
6.
Reboot the VDA Desktop gold image.

7.
4.

5.
6.
7.

8.

This process is outlined here: http://support.citrix.com/article/CTX133982

Log on the Delivery Controller(s), open Windows PowerShell and execute the following
commands to enable the Delivery Controller to trust XML requests sent from StoreFront.
1.
If not already loaded, load the Citrix cmdlets by typing asnp Citrix*. (do not forget to
include the period). Press Enter.
2.
Then type Add-PSSnapin citrix.broker.admin.v2 and press Enter.
3.
Then type Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True and press
Enter.
4.
Close PowerShell.
On the local machine and/or in the VDA desktop gold image, log out of Citrix Receiver.
Completely Close/Exit Citrix Receiver.
Open Internet Explorer on the local machine and/or in the VDA desktop gold image. Under
Internet Settings>Security>Trusted Sites, add the StoreFront server(s) fully qualified name (without
the store path) to the list.
1.
E.g. https://storefront.company.com
Restart Citrix Receiver. When the UI opens, if the current user is logged in to the doman, those
users credentials should be passed through to StoreFront and enumerate apps and desktops within
Citrix Receiver as well as the users Start Menu. Then when an icon is clicked, Receiver will pass
through the users domain credentials to the Delivery Controller and the app/desktop will launch.

NOTE: In this example, the above Receiver installation, application of computer policy and configuration
of a trusted site on the client OS are all done manually. All of these steps can be automated through
Active Directory group policy to make things easier. This automation process is outlined here:
http://support.citrix.com/article/CTX134280.
The Receiver 3.4 Command Line reference can be found here:
http://support.citrix.com/proddocs/topic/receiver-windows-34/receiver-windows-cfg-command-line.html
The Receiver 4.1 Command Line reference can be found here:
http://support.citrix.com/proddocs/topic/receiver-windows-40/receiver-windows-cfg-command-line-40.html
NOTE: The Receiver 3.4 Command Line reference is different from the Receiver for Enterprise 3.4
Command Line Reference. This article does not apply to the Receiver for Enterprise client.