Saturday, January 14, 2012

Lessons learned with Citrix Web Interface 4.6 Pass-Through Authentication

I’ve been having issues in two environments when configuring pass-through authentication for Citrix Web Interface 4.6 servers. Now that I finally have them resolved, I thought I’d write a post about a few things I learned while troubleshooting on my own, along with what the Citrix Web Interface and XenApp engineers told me during the support calls.

Note that some of the items I’ll be including in this blog post may be repeating what the following video mentions:

How To: Configure Pass-Through Authentication with Web Interface 5.2

… as well as the following eDoc from Citrix:

Enabling Pass-Through Authentication

… but since it’s not always convenient to watch a video during a deployment, I’ll include them as well.

Enabling Pass-Through Authentication is a 3 step process:

Step #1 – Install the appropriate plug-ins

The following plug-ins are supported for pass-through authentication on users’ devices (Citrix’s documentation lists only the first two):

  1. Citrix online plug-in
  2. Citrix Desktop Viewer Plug-in
  3. Citrix Receiver (Enterprise)

Note that while the documentation only specifies the first two plug-ins, the full Citrix Receiver plug-in is also supported. Make sure you download Citrix Receiver (Enterprise), which requires logging into your Citrix account, rather than the regular Citrix Receiver: although the latter can install the components required for pass-through authentication via command-line switches, it’s easier to use the Enterprise version to get those components installed.  More information can be found in my previous post:

For security reasons, the Citrix online plug-in – web does not include this feature.

Step #2 – Enabling Pass-Through for the Clients

The second step is to actually enable all of your clients (workstations and users) for pass-through authentication.  The way to enable your clients is to use Active Directory’s group policy to apply both Computer and User settings to each domain user and computer object that will be using the Citrix environment.

I found the video I listed above a bit misleading because it shows you how to load an ADM file and apply it to a local computer.  The presenter in the video also doesn’t make it clear as to where you’re applying this local policy and therefore may lead you to think that you’re applying it to the Web Interface servers which is incorrect!

Citrix doesn’t make it clear what the best practice is for setting this policy, which doesn’t surprise me, as every domain is unique in its own way. If I had to list the items to consider, I would suggest the following:

  1. Never apply the settings to your default domain policy.  This is just my general best practice, as I always avoid modifying the default domain policy unless I have to (e.g. password policies for users, which have to be set in the default domain policy).
  2. If you’re lazy and would like to simply apply the policy to everyone in the domain, create the policy and apply it at the domain level (same level as the default domain policy).
  3. Note that the Citrix pass-through authentication policy applies settings to both the user and computer which means if you apply it to an OU with just user accounts, you’ll also need to apply that policy to the other OU with the computer objects that your users are using.
  4. Throughout the years, I’ve come across a lot of situations where policies don’t get applied properly due to Active Directory issues, so make sure you use commands such as gpresult to check whether the policy was successfully applied to both the user and the computer.

Why do I see Citrix Receiver and Citrix online plug-in in the same icaclient.adm template?

One of the things that threw me off while configuring the policy for the clients was that depending on which version of XenDesktop and XenApp you have, you may see Citrix Receiver or Citrix Online Plug-in listed under Administrative Templates –> Classic Administrative Templates (ADM):


I’ve asked 2 Citrix engineers about this and was told that they can be used interchangeably since the Citrix Receiver is the replacement for the Citrix online plug-in.

Where can I find the icaclient.adm template?

The icaclient.adm template can be found in the following directory:
C:\Program Files (x86)\Citrix\ICA Client\Configuration

Step #3 – Enabling Pass-Through Using the Console

The last step is to actually enable pass-through authentication at the Web Interface servers.  Ensure that you enable it for all of your Web Interface servers if you have more than one.  The checkboxes you’ll need to check are the following:



Additional Undocumented Steps

While troubleshooting the pass-through authentication issue with a Citrix engineer, he had me modify quite a few registry keys and local computer policies, which I did not document because he said they usually don’t need to be modified.  That said, one change he asked me to make, and said was worth trying if I ever ran into issues again, was to modify the Web Interface, XenApp and XenDesktop domain computer objects to allow delegation via Active Directory Users and Computers, as shown here:


**Note that I’ve gotten pass-through to work in several environments without the delegation setting shown above.
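Because the delegation setting above is applied per computer object and the post does not say which of the Delegation tab options the engineer chose, it is worth being able to audit which machines in the domain carry it. The following PowerShell script is an added example, not code from the original post or from Citrix; it assumes the ActiveDirectory RSAT module is installed and that the account running it can read the domain. It lists computers flagged "Trust this computer for delegation to any service" (the TrustedForDelegation attribute) and computers flagged for delegation to specified services only (the msDS-AllowedToDelegateTo attribute), so that Web Interface or XenApp servers with this setting can be reviewed alongside the domain controllers that have it by design.

```powershell
# Added example (not from the original post): audit which domain computer
# objects have a delegation option set on the ADUC "Delegation" tab.
# ASSUMPTION: the ActiveDirectory RSAT module is available on this machine.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationComputers {
    # "Trust this computer for delegation to any service (Kerberos only)"
    # sets the TrustedForDelegation attribute on the computer object.
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, OperatingSystem |
        Select-Object Name, OperatingSystem,
            @{ Name = 'Delegation'; Expression = { 'Any service (unconstrained)' } }
}

function Get-ConstrainedDelegationComputers {
    # "Trust this computer for delegation to specified services only"
    # populates msDS-AllowedToDelegateTo with the target SPNs.
    Get-ADComputer -Filter { msDS-AllowedToDelegateTo -like '*' } `
        -Properties msDS-AllowedToDelegateTo, OperatingSystem |
        Select-Object Name, OperatingSystem,
            @{ Name = 'Delegation'; Expression = {
                'Specified services: ' + ($_.'msDS-AllowedToDelegateTo' -join ', ') } }
}

# Domain controllers are expected in the unconstrained list; any other server
# (for example a Web Interface or XenApp host) should be an explicit, reviewed choice.
$report = @(Get-UnconstrainedDelegationComputers) + @(Get-ConstrainedDelegationComputers)
$report | Sort-Object Name | Format-Table -AutoSize
```

Run it from a domain-joined management workstation after making the change the engineer suggested; if a server you did not expect appears in the unconstrained list, that is the setting to revisit first, since the post notes pass-through also worked without it.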


While troubleshooting the pass-through authentication issue with the Citrix support engineer, he constantly asked me to check to ensure that the following process:

Image Name: ssonsvr.exe *32
User Name: System
Description: Citrix Pass-through Authentication


… was present in the Task Manager of the client (e.g. a Windows 7 workstation) as well as the Web Interface server (I found that pass-through still worked even when this process wasn’t present on the Web Interface server).  He said this process is loaded if you have the Citrix online plug-in or the Citrix Receiver installed.  What I noticed was that this appears to be true only for the former (Citrix online plug-in) and not the latter (Citrix Receiver): I was never able to see this process loaded unless I installed the Citrix online plug-in.  It’s probably also worth mentioning that the documentation linked above specifically states:
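The two checks the post keeps coming back to, confirming with gpresult that the policy reached both the user and the computer (Step #2, item 4) and confirming that ssonsvr.exe is running on the client, can be run together from one script on the workstation. The following PowerShell is an added example, not code from the original post or from Citrix; the GPO name is a placeholder you replace with the name of the policy you created from icaclient.adm, and the script assumes it is run on a domain-joined client in the context of the user being tested (the computer-scope gpresult query needs local administrator rights).

```powershell
# Added example (not from the original post): verify on a client workstation that
# the pass-through policy applied to both scopes and that the single sign-on
# service process described in the post (ssonsvr.exe) is present.
param(
    # ASSUMPTION: placeholder GPO name; use the name of your own policy.
    [string]$GpoName = 'Citrix Pass-Through Authentication'
)

function Test-GpoApplied {
    param(
        [string]$Name,
        [ValidateSet('Computer', 'User')][string]$Scope
    )
    # gpresult /r prints an "Applied Group Policy Objects" list for the scope.
    # Searching the whole report for the GPO name is enough for a yes/no check.
    $report = & gpresult "/scope:$Scope" /r 2>&1 | Out-String
    return ($report -match [regex]::Escape($Name))
}

function Test-SsonProcess {
    # The engineer asked to see "ssonsvr.exe" (Citrix Pass-through Authentication)
    # in Task Manager on the client; Get-Process returns nothing if it is absent.
    $proc = Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue
    return ($null -ne $proc)
}

function Test-AdmTemplatePresent {
    # Path given in the post for the icaclient.adm template.
    return (Test-Path 'C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm')
}

$checks = [ordered]@{
    'GPO applied (computer scope)' = Test-GpoApplied -Name $GpoName -Scope Computer
    'GPO applied (user scope)'     = Test-GpoApplied -Name $GpoName -Scope User
    'ssonsvr.exe running'          = Test-SsonProcess
    'icaclient.adm present'        = Test-AdmTemplatePresent
}

foreach ($check in $checks.Keys) {
    $state = if ($checks[$check]) { 'OK' } else { 'MISSING' }
    '{0,-30} : {1}' -f $check, $state
}
```

If the computer-scope line says MISSING while the user-scope line says OK, the policy was linked to an OU holding only user accounts, which is exactly the situation item 3 in Step #2 warns about; if the GPO shows as applied in both scopes but ssonsvr.exe is absent, the post's observation about the Citrix Receiver versus the Citrix online plug-in is the next thing to look at.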

You must install the Citrix online plug-in or Citrix Desktop Viewer Plug-in on your users’ devices using an administrator account. Pass-through authentication is available only in these plug-ins, which are included on the XenApp and XenDesktop installation media. For security reasons, the Citrix online plug-in – web does not include this feature. This means that you cannot use Web-based client installation to deploy Citrix plug-ins containing this feature to your users.

… as shown in the snippet above, the Citrix Receiver is not mentioned.


While it’s obvious, I’ll state it anyway: make sure you check for hotfixes available for the XenApp, XenDesktop and Web Interface servers.  When I finally made the call to Citrix for support, the first thing the engineer had me do was install the following hotfix on the XenApp 6.5 server:

While the hotfix didn’t end up fixing the problem, it eliminated the possibility that its absence was causing the issue.


Hope this helps anyone who may be having issues with configuring pass-through authentication for their Citrix environment.


redacted definition said...

The game walks into one's bag

Jesse Boehm said...

Hello, I love reading through your blog, I wanted to leave a little comment to support you and wish you a good continuation. Wish you best of luck for all your best efforts..
Citrix Web Interface