Citrix Receiver Single-Sign-On (Pass-through Authentication) does not work with StoreFront
During the last few weeks I did a lot of testing with Citrix XenDesktop 7. There was one thing that was quite hard to figure out:
A connection from Citrix Receiver 4.x to StoreFront always failed while I was using Domain Credentials (Domain Pass-through). No Single Sign-On (SSON) was possible – not even for the configuration of the store. I was only able to connect the Receiver to StoreFront using the authentication methods “Username and Password” or “Smartcard”. If I tried to configure a store I always received the message “Select an account to continue”.
The problem with this message was that I never received a dialog to choose a store…
After a lot of testing I found the steps necessary to get SSON working.
1. Open a command prompt and start the Receiver installation with the argument /includeSSON.
Without this option the necessary SSON components are not installed.
2. At the end of the installation don’t choose “Add Account” – SSON is not working yet.
3. Open “Internet Options” in Internet Explorer and switch to the Security tab.
Choose “Trusted Sites”, “Sites” and add the StoreFront FQDN (beginning with https://).
After adding the StoreFront address to the “Trusted Sites”, open “Custom Level” to change the “Security Settings”. Scroll down to “Authentication” and activate “Automatic logon with current user name and password”.
[EDIT]
Instead of adding the StoreFront address to the Trusted Sites you can also add it to the “Local Intranet” zone – then you don’t need to edit the Security Settings. Thanks to Neal Dolson (@ndolson816) for the tip.
[/EDIT]
4. Now you have to log out and log in again – otherwise the necessary ssonsvr process is not started. After login open the Task Manager and check that ssonsvr.exe is running.
5. That’s it – you can now configure your store and connect to it using Domain Pass-through.
If it’s still not working you can configure a Group Policy to activate SSON on your clients. Create a new policy and add the ADM file icaclient.adm. You can find the file on a client with an installed Receiver in the folder “C:\Program Files\Citrix\ICA Client\Configuration” or “C:\Program Files (x86)\Citrix\ICA Client\Configuration” on 64-bit systems.
Navigate to “Computer Configuration, Policies, Classic Administrative Templates (ADM), Citrix Components, Citrix Receiver, User Authentication”.
Enable “Local user name and password” with “Enable pass-through authentication” and “Allow pass-through authentication for all ICA connections” activated.
Link the group policy to your client OU and reboot your clients to apply it. That’s it.
SSONSVR is not starting
If the ssonsvr process is not starting you have to check the network provider order. Open the registry and navigate to
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
Edit “ProviderOrder” and make sure that “PnSson” is the first entry.
Reboot your system – after login the process is started.
Published Desktop shows logon screen or connection is directly closed
Another problem that might happen is that the pass-through login to Citrix Receiver works, but after starting a published desktop the logon screen appears or the connection is closed immediately. Furthermore you may find the following error in the event log:
Source: ICA Service
ID: 34
Description: ICA connection is cancelled because auto-logon is enforced and auto-logon failed.
To fix this you have to add another setting in the GPO created above. Open “…, Citrix Receiver, User Authentication” and enable “Kerberos authentication”.
Wait until your clients have applied the updated GPO (or run “gpupdate /force”) – starting a published desktop now works without pass-through authentication.
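The following PowerShell script is an added example, not part of the original post, that checks the client-side prerequisites from the steps above in one go: ssonsvr.exe running, PnSson first in the network provider order, the StoreFront FQDN mapped to the Intranet or Trusted Sites zone with automatic logon, and the ICA Service event 34 that points at the missing Kerberos setting. The StoreFront FQDN is a placeholder; the registry paths are the standard Internet Explorer zone and NetworkProvider locations.

```powershell
# Added diagnostic script (not from the original post). Run on the client as the
# logged-on user; 'storefront.example.com' is a placeholder for your StoreFront FQDN.
$StoreFrontFqdn = 'storefront.example.com'
$results = [ordered]@{}

# 1. ssonsvr.exe is only started at an interactive logon after /includeSSON was used.
$results['ssonsvr.exe running'] = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

# 2. PnSson must be the first entry of ProviderOrder, otherwise ssonsvr does not start.
$order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
$results['PnSson first in ProviderOrder'] = (($order -split ',')[0].Trim() -eq 'PnSson')

# 3. The StoreFront FQDN must be mapped to zone 1 (Local Intranet) or 2 (Trusted Sites)
#    for https. IE stores "host.domain.tld" as ZoneMap\Domains\domain.tld\host, value "https".
$labels = $StoreFrontFqdn -split '\.'
$hostLabel = $labels[0]
$domainPart = ($labels | Select-Object -Skip 1) -join '.'
$zone = $null
foreach ($root in 'HKCU:', 'HKLM:') {   # HKLM applies when zone maps are set by policy
    $key = "$root\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domainPart\$hostLabel"
    $v = (Get-ItemProperty -Path $key -Name https -ErrorAction SilentlyContinue).https
    if ($null -ne $v) { $zone = $v; break }
}
$results['StoreFront in Intranet/Trusted zone'] = ($zone -in 1, 2)

# 4. Zone setting 1A00 controls logon: 0 = automatic logon with current user name and
#    password, 0x20000 = automatic logon only in Intranet zone (the default of zone 1,
#    which is why adding the FQDN to Local Intranet needs no further change).
if ($zone) {
    $zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
    $logon = (Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    $results['Automatic logon enabled in zone'] = ($logon -eq 0) -or ($zone -eq 1 -and $logon -eq 0x20000)
}

# 5. ICA Service event 34 ("auto-logon is enforced and auto-logon failed") means the
#    "Kerberos authentication" GPO setting from the section above is still missing.
$ev = Get-WinEvent -FilterHashtable @{ ProviderName = 'ICA Service'; Id = 34 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
$results['No ICA Service event 34 logged'] = ($null -eq $ev)

# Print one OK/CHECK line per prerequisite.
foreach ($r in $results.GetEnumerator()) {
    '{0,-40} {1}' -f $r.Key, $(if ($r.Value) { 'OK' } else { 'CHECK' })
}
```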
Hi Jan, what OS and version of Storefront were you using?
My colleague states he has got it working on Win8 with Storefront 2
Hi Jerry,
I used StoreFront 2.0 on Windows 2012 and for the Client Windows 8 with Receiver 4.0.1
So it’s working fine for him?
We are running Windows 2008 R2. Did you add the adm template to AD?
Yes – where else? It’s an adm file.
There is a private Hotfix available which replace the pnsson.dll. Ask Citrix Support for that fix. In addition there is a open thread in the Support Forum.
But that’s for a crashing sson process – or? In my tests the sson process was always running
I’ve received the private fix from Citrix Support but it doesn’t work.
Isn’t that for a crashing ssonsvr.exe?
If I follow these steps, will it mean that when I open https://mystorefront.domain.com/citrix/storeweb/ in IE I do not have to log in again (like in Web Interface 5.4, where we launched the site in IE and it passed through the logged-in user)?
No – at the moment StoreFront doesn’t support Web-SSON.
Hello,
Finally, I’ve been able to get SSON working. One question though: if the computer is on the local network, shouldn’t Citrix Receiver connect without user interaction?
Thanks for this blog article.
Best regards,
Hello.
Yes that should work.
Does StoreFront now support Web-SSON?
Thank you 🙂
Hello Stig,
no that’s still not possible.
Best regards
You have to add HKLM\Software\Wow6432node\Citrix\Dazzle -> “PNASSONEnabled” =true
I just followed the instructions to configure StoreFront with SSON. The pass-through seems to work fine as no credentials were requested, but I could not launch either desktops or applications. I get the error message “Cannot start desktop…” or “Cannot start app…”.
Well – that sounds like a different problem – because SSON has already happened when you can see the applications/desktops.
Already used this command to work around the problem:
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True
Do you have a similar blog post for “Smart Card” pass-through? I am facing some challenges there now.
We are in the middle of a migration from XenApp 5.0 to XenDesktop 7.6. As we proceed in our quest of getting everything working, we are facing a problem with SSON on Windows XP Embedded thin clients. With Windows 7 Embedded everything works flawlessly. We’ve implemented SSON as described in numerous forums and white papers and installed the latest Receiver + .NET 3.5 SP1 on the thin client. It’s possible to log on manually, and the SSONSVR.exe process is running. When SSON is kicking in, you see that the client is trying to receive the published desktops, but after clicking on “Refresh Apps” the following message appears: “Your apps are not available at this time”. Has anyone ever got this working properly on Windows XP Embedded + Receiver 4.3 + StoreFront (XenDesktop 7.6)?
Hi guys, I wonder if anyone has any ideas. I have XenApp 7.6 on 2012 R2 TS. All works well until I enable SSON domain pass-through. The Receiver clients do automatically authenticate, but when it comes to launching a desktop session, I get prompted with a credential request.
If we turn off domain pass-through, and therefore manually authenticate to Receiver, no such password prompt occurs when launching a session.
It very much matches the scenario above, “Published Desktop shows logon screen or connection is directly closed” … except I see no such event log.
Additionally the workstations have admin rights and we do not wish to control them with a GPO; I wonder if there’s a relevant registry key.
I have tried just about everything I can.
The published apps work seamlessly.