
Citrix Receiver Single-Sign-On (Pass-through Authentication) does not work with StoreFront

30. September 2013

During the last weeks I did a lot of testing with Citrix XenDesktop 7. There was one thing that was quite hard to figure out, namely why the following wasn’t working:

A connection from Citrix Receiver 4.x to StoreFront always failed while I was using the domain credentials (Domain Pass-through). No Single Sign-On (SSON) was possible, not even for the configuration of the store. I was only able to connect the Receiver to StoreFront using the authentication methods “Username and Password” or “Smartcard”. If I tried to configure a store I always received the message “Select an account to continue”.
The problem with this message was that I didn’t get a dialog to choose a store…
After a lot of testing I found the steps necessary to get SSON working.

1. Open a command prompt and start the Receiver installation with the argument /includeSSON.
Without this option the necessary SSON components are not installed.

2. At the end of the installation don’t choose “Add Account” – SSON is not working yet.

3. Open “Internet Options” in Internet Explorer and switch to the Security tab.
Choose “Trusted Sites”, then “Sites”, and add the StoreFront FQDN (beginning with https://).
After adding the StoreFront address to the “Trusted Sites”, open “Custom Level” to change the “Security Settings”. Scroll down to “Authentication” and activate “Automatic logon with current user name and password”.

[EDIT]
Instead of adding the StoreFront address to the Trusted Sites you can also add it to the “Local Intranet” zone; then you don’t need to edit the Security Settings. Thanks to Neal Dolson (@ndolson816) for the tip.
[/EDIT]

4. Now you have to log out and log in again – otherwise the necessary ssonsvr process is not started. After login open the Task Manager and check whether ssonsvr.exe is running.

5. That’s it – you can now configure your store and connect to it using Domain Pass-through.

If it’s still not working you can configure a Group Policy to activate SSON on your clients. Create a new policy and add the ADM file icaclient.adm. You can find the file on a client with an installed Receiver in the folder “C:\Program Files\Citrix\ICA Client\Configuration” or, on 64-bit systems, “C:\Program Files (x86)\Citrix\ICA Client\Configuration”.

Navigate to “Computer Configuration, Policies, Classic Administrative Templates (ADM), Citrix Components, Citrix Receiver, User Authentication”.

Enable “Local user name and password” with “Enable pass-through authentication” and “Allow pass-through authentication for all ICA connections” activated.

Link the group policy to your client OU and reboot your clients to apply it. That’s it.

SSONSVR is not starting

If the ssonsvr process is not starting you have to check the network provider order. Open the Registry Editor and navigate to
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
Edit “ProviderOrder” and make sure that “PnSson” is the first entry.
Reboot your system – after login the process is started.

Published Desktop shows logon screen or connection is directly closed

Another problem that might occur is that a pass-through login to Citrix Receiver works, but after starting a published desktop the logon screen appears or the connection is closed immediately. Furthermore you may find the following error in the event log:
Source: ICA Service
ID: 34
Description: ICA connection is cancelled because auto-logon is enforced and auto-logon failed.

To fix this you have to add another setting in the GPO created above. Open “…, Citrix Receiver, User Authentication” and enable “Kerberos authentication”.
Wait until your clients have applied the updated GPO (or run “gpupdate /force”) – starting a published desktop now works without pass-through authentication.
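As an added check (not part of the original post), the following PowerShell script verifies on a client the preconditions the post walks through: ssonsvr.exe running, PnSson first in ProviderOrder, the StoreFront FQDN in a zone that logs on automatically, and no “ICA Service” event 34 recorded. The FQDN is a placeholder, the Application log as the location of event 34 is an assumption, and the Policies ZoneMap keys are checked in case the zone was assigned by GPO rather than by hand.

```powershell
# Added diagnostic script for the steps described above; not from the original post.
# Assumption: $StoreFrontFqdn is the FQDN you added to the IE zone (placeholder value).
param([string]$StoreFrontFqdn = 'storefront.example.com')

$results = [ordered]@{}

# Step 4: the SSON service process must be running after a fresh logon.
$results['ssonsvr.exe running'] = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

# "SSONSVR is not starting": PnSson must be the first network provider.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order = (Get-ItemProperty $orderKey -ErrorAction SilentlyContinue).ProviderOrder
$results['PnSson first in ProviderOrder'] = ("$order" -split ',')[0].Trim() -eq 'PnSson'

# Step 3: the StoreFront FQDN must be in Trusted Sites (zone 2) or Local Intranet (zone 1).
# IE stores zone assignments under ZoneMap\Domains\<domain>\<host>; GPO-assigned
# zones live under the Policies hive instead (assumption: one of these three keys).
$labels = $StoreFrontFqdn.Split('.')
$hostPart = $labels[0]
$domainPart = ($labels | Select-Object -Skip 1) -join '.'
$suffix = "Internet Settings\ZoneMap\Domains\$domainPart\$hostPart"
$zoneKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\$suffix",
    "HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\$suffix",
    "HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\$suffix"
)
$zone = $zoneKeys | ForEach-Object { (Get-ItemProperty $_ -ErrorAction SilentlyContinue).https } |
        Where-Object { $_ } | Select-Object -First 1
$results['StoreFront FQDN in Trusted Sites or Local Intranet (https)'] = ($zone -eq 1 -or $zone -eq 2)

# Step 3 (Trusted Sites only): "Automatic logon with current user name and password"
# is value 1A00 = 0 in zone 2. Local Intranet already logs on automatically by default.
$zone2Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$logon = (Get-ItemProperty $zone2Key -ErrorAction SilentlyContinue).'1A00'
$results['Trusted Sites auto-logon (1A00 = 0)'] = ($zone -ne 2) -or ($logon -eq 0)

# "Published Desktop shows logon screen": event 34 from "ICA Service" means auto-logon
# failed after pass-through itself succeeded (the missing "Kerberos authentication" setting).
# Assumption: the event is written to the Application log.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ICA Service'; Id = 34 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
$results['No ICA Service event 34 logged'] = ($null -eq $ev)

# Print one line per check so the failing precondition is obvious.
$results.GetEnumerator() | ForEach-Object {
    '{0,-6} {1}' -f $(if ($_.Value) { 'OK' } else { 'CHECK' }), $_.Key
}
```

Run it in the session of the user whose pass-through fails, since the zone and logon settings are per user (HKCU).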

22 Comments
  1. Jerry OHara

    Hi Jan, what OS and version of Storefront were you using?
    My colleague states he has got it working on Win8 with Storefront 2

    • Hi Jerry,
      I used StoreFront 2.0 on Windows 2012 and for the Client Windows 8 with Receiver 4.0.1
      So it’s working fine for him?

  2. Jerry OHara

    We are running Windows 2008 R2. Did you add the adm template to AD?

  3. There is a private hotfix available which replaces the pnsson.dll. Ask Citrix Support for that fix. In addition there is an open thread in the Support Forum.

    • But that’s for a crashing SSON process, isn’t it? In my tests the SSON process was always running.

  4. I’ve received the private fix from Citrix Support but it doesn’t work.

  5. Kitaab

    If I follow these steps, will it mean that when I open https://mystorefront.domain.com/citrix/storeweb/ in IE I do not have to log in again (like in Web Interface 5.4, where we launched the site in IE and it passed through the logged-in user)?

  6. Mdumont

    Hello,

    Finally, I’ve been able to make SSON work. One question though: if the computer is on the local network, shouldn’t Citrix Receiver connect without user interaction?

    Thanks for this blog article.

    Best regards,

  7. Stig Paulsen

    Does StoreFront now support Web SSON?
    Thank you 🙂

  8. Mark Bos

    You have to add HKLM\Software\Wow6432node\Citrix\Dazzle -> “PNASSONEnabled” =true

  9. topokin

    I just followed the instructions to configure StoreFront with SSON. The pass-through seems to work fine as no credentials were requested, but I could not launch either desktops or applications. I get the error message “Cannot start desktop….” or “cannot start app..”

    • Well – that sounds like a different problem, because SSON already happened when you can see the applications / desktops.

  10. topokin

    Already used this command to work around the problem:
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True

    Do you have a similar blog post for “Smart Card” pass-through? I’m now facing some challenges here.

  11. We are in the middle of a migration from XenApp 5.0 to XenDesktop 7.6. As we proceed in our quest of getting everything working, we are facing a problem with SSON on Windows XP Embedded thin clients. With Windows 7 Embedded everything works flawlessly. We’ve implemented SSON as described in numerous forums and white papers. Installed the latest Receiver + .NET 3.5 SP1 on the thin client. It’s possible to log on manually, and the SSONSVR.exe process is running. When SSON is kicking in… you see that the client is trying to receive the published desktops, but after clicking on “Refresh Apps” the following message appears: “Your apps are not available at this time”. Did anyone ever get this working properly on Windows XP Embedded + Receiver 4.3 + StoreFront (XenDesktop 7.6)?

  12. Hi guys, I wonder if anyone has any ideas. I have XenApp 7.6 on 2012 R2 TS. All works well until I enable SSON domain pass-through. The Receiver clients do automatically authenticate, but when it comes to launching a desktop session, I get prompted with a credential request.
    If we turn off domain pass-through, and therefore manually authenticate to Receiver, no such password prompt occurs when launching a session.
    It very much matches the scenario above, “Published Desktop shows logon screen or connection is directly closed” … except I see no such event log entry.
    Additionally the workstations have admin rights and we do not wish to control them with a GPO; I wonder if there’s a relevant registry key.
    I have tried just about everything I can.
    The published apps work seamlessly.

  13. I leave a response each time I appreciate an article on a site or I have something
    valuable to contribute to the conversation. It’s caused by the sincerity displayed in the post I looked at.
    And after this post Citrix Receiver Single-Sign-On (Pass-through Authentication) does not work with StoreFront | Jan Hendriks Blog.
    I was actually excited enough to drop a thought 😉
    I do have a few questions for you if you don’t mind. Could
    it be only me or does it look like some of these comments come across like they are written by
    brain dead visitors? 😛 And, if you are posting on additional online sites, I would like to follow everything fresh you have to post.

    Could you list every one of all your community pages like your Facebook page, twitter feed, or linkedin profile?
