Citrix XenApp

How to fix pass-through authentication & the Microsoft Windows 2008 logon screen on XenApp 6.5/Web Interface 5.4 using Citrix Receiver

on

When you launch Internet Explorer and open your Citrix web interface page, you want it to pass through the user’s credentials and see all the available apps. When the user clicks on an app, it should launch immediately with no further prompts. Plain and simple.

But this is not always the case unfortunately. Sometimes pass-through authentication breaks. Symptoms I have seen are:

1. You get prompted for credentials at the Web Interface logon (an authentication error occurred error message) like this:

2. Passthrough at the web interface works fine but when launching an app, you get a Windows 2008 R2 logon screen from the XenApp server like this:

3. You get a combination of both issues above.

Don’t worry, there are a number of things you need to check that can resolve these issues for you. One or more of these factors may be the cause of errors in your environment. Just run through the bullet points below and verify everything:

1. You need to be using Citrix Receiver Enterprise if possible and not just the plain Citrix Receiver. The latest Citrix Receiver is 3.1 but 3.0 behaves the same way. It comes with Online Plugin 13.1.0.89 enabled out of the box. You can go to the “Receiver for Windows 3.1 – Admins” download page here:

https://www.citrix.com/English/ss/downloads/details.asp?downloadId=2319945&productId=1689163

You will need to download the 55.1 MB zip file. Inside you will see both “CitrixReceiver.exe” and “CitrixReceiverEnterprise.exe”. The one you want to install is the Enterprise version. This version will install with pass-through authentication support automatically for you as well as Single Sign On (SSO). You can always install and enable SSO with the standard Receiver using the “/includeSSON” and “ENABLE_SSON=Yes” command line switches and this actually will give you pass-through authentication features (more on this in bullet point 7 below). Receiver Enteprise will require administrator access to install on PCs unlike the standard/regular Citrix Receiver. The difference between the two versions is described here:

http://support.citrix.com/proddocs/topic/receiver-31-windows/ica-clients-deciding-v2.html

Note how Enterprise has “Single sign-on/pass-through authentication” but standard only has “Single sign-on”?

Now here’s a big problem. When an end user tries to download the Receiver off the Citrix website, it will not show Enterprise:

http://www.citrix.com/receiver

Go ahead and choose Windows in the drop down. The next page will show the download for Receiver. It does not specify if it is Standard or Enterprise. If you download the executable, it is just CitrixReceiver.exe which is the Standard version you had downloaded above.

So if you are troubleshooting pass-through authentication, the first thing you want to make sure of is go to Add/Remove programs on the user’s PC and verify it says “Citrix Receiver (Enterprise)” like below and not just “Citrix Receiver”:

I’m guessing Citrix only offers the standard version to end users so they are not confused on which one to download. The problem is if you are in an environment where Receiver Enterprise is not deployed centrally or if users take it upon themselves to install the latest Receiver from Citrix’s website (which does not require admin rights btw), they can cause a big mess and you are stuck troubleshooting it.

Another tip, you need to restart your PC for the pass-through authentication to work after you finish installing Receiver Enterprise 3.1. It will sometimes not start the Single Sign On process until you restart your PC. Or it will start it but it still not correctly passthrough credentials for whatever reason. So your best bet is to restart your PC to make sure everything is working correctly. Once you restart your PC, open Task Manager and verify “ssonsvr.exe” is running like below:

Here is another screenshot from Process Explorer which shows the dependency a bit better:

You can also go to the registry and under “HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\SSON” it should have a string value called “Enable” with a value data of “True” like this. This means SSO was installed. This key will be there if you installed Enterprise or forced the SSO install using Standard. Here is a Windows XP example:

Another thing you can do, and I’m on an XP 32 bit box right now, is navigate to “C:\Program Files\Citrix\ICA Client” and open up appsrv.ini in Notepad. You should see “SSOnUserSetting=On” at the very bottom which means that single signon is enabled.

Another check to verify for Enterprise installation, go to “HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\PNAgent” in the registry and look for the DWORD value “EnablePassThrough“. It should have a value of “1” meaning it is enabled. Standard Receiver doesn’t include the PNA plugin so you won’t even have this key if you were using it.

2. You need to verify the Citrix Receiver group policy allowing pass-through authentication has been applied to the PC you are working on. If you are just working on a test machine, you can apply this policy to just that PC for testing purposes instead of through AD. Just open up gpedit.msc on the PC, right click on “Administrative Templates” and then click “Add/Remove Templates…”. Click Add and choose the following file:

C:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm

Once you have added it, navigate down to Computer Configuration > Administrative Templates > Citrix Components > Citrix Receiver > Authentication and you will see an option called “Local user name and password”. Double click on it and set it to Enabled. You need to have “Enable pass-through authentication” and “Allow pass-through authentication for all ICA connections” enabled. So it will look like this:

If you expand the User Configuration section, you will see the same settings under there as well. I usually have it set there as well but it is not necessary. In my testing, you can leave it enabled at the computer level and it will work. The changes should be instant from my testing but if they don’t take, try doing a “gpupdate /force“, restarting your browser, and/or rebooting your machine.

3. There is a known issue with XenApp 6.5 where pass-through authentication will not work. You need to apply Hotfix XA650W2K8R2X64001 to all your XenApp servers. You can get it here:

http://support.citrix.com/article/CTX130794

This will update your ccticket.dlls among other files that will fix the issue.

4. Verify on your XenApp servers that the RDP connection is set to not prompt for passwords. Under the Remote Desktop Session Host Configuration console, doubleclick on RDP-Tcp, then click the Log on Settings tab. Verify “Use client-provided log on information” is selected and “Always prompt for password” is NOT checked:

5. Verify in the Web Interface console that you have specified pass-through authentication for the XenApp site. Just open the Web Interface Management console, right click on your site, and click Authentication Methods. Pass-through should be checked here:

It should also be done on the XenApp Services site if you need it.

6. Pass-through authentication will not work in Firefox. I’ve added my web interface to the Trusted URIs config in FireFox but it won’t work. NTLM Passthrough authentication works fine on the web interface, but it won’t carry to the XenApp server when launching an app. You can add your WI to the list by typing this in the address bar in FireFox:

about:config

Then just type “NTLM” in the filter box. Add the URL (without the http:\\) in the “network.automatic-ntlm-auth.trusted-uris” box. If you do manage to somehow getting pass-through authentication to work in Firefox, please leave a comment below. I’m not a huge IE fan. 🙂

Quick note in IE, you do not need to add your WI URL to the Trusted Sites security zone for passthrough to work. Local Intranet is all you need from my experience. Sometimes you may get prompted at the web interface for credentials. Just make sure the site appears in Local Intranet and not Internet. I’ve seen issues where NTLM passthrough may not work in this scenario.

7. One final note, I did some additional testing using the Standard Receiver and command line installation. If you install Standard Receiver using command line with the following:

CitrixReceiver.exe /includeSSON ENABLE_SSON=Yes

You will see in Process Explorer or Task Manager that “ssonsvr.exe” is indeed running after the install. In my testing I was able to get it to actually pass-through but on certain XenApp 6.5 servers only. They had the pass-through hotfix I talk about below in bullet point 3 above applied. This was the only exception. And it only worked immediately after the Citrix Receiver install without rebooting the system. After rebooting the PC, it behaved like all other regular unpatched XenApp 6.5 and below farms. I would get the Server 2008 logon.

I then added the .adm template and configured it as described in bullet point 2 above and pass-through authentication worked fine with both patched and unpatched XenApp 6.5 servers. It even worked on XenApp 5 Feature Pack 3 farms with Web Interface 5.3 just fine.

If you check Process Explorer as you launch an app, the whole chain is there from the single sign on service to the connection manager down to the ICA client/Online Plugin:

So bottom line, you can get standard Receiver to work with passthrough but only if using these command line switches during install. I would just deploy Receiver Enterprise to begin with to avoid having issues down the road. It just seems to make more sense to me.

About Jason Samuel

Jason Samuel lives in Houston, TX with a primary focus on strategic advisory and architecture of end-user computing, security, enterprise mobility, virtualization, and cloud technologies from Citrix, Microsoft, & VMware. He also has an extensive background in web architecture and networking over his 20+ year career in IT. He is an Author, Speaker, and Local User Group Community Leader. He is certified in several technologies and is 1 of 63 people globally that is a recipient of the prestigious Citrix Technology Professional (CTP) award. He is 1 of 42 people in the world that has been awarded as a VMware EUC Champion and VMware vExpert. He is a featured author on DABCC which provides the latest IT Community News on Cloud, Data Center, Desktop, Mobility, Security, Storage, & Virtualization. In his spare time Jason enjoys writing how-to articles and evangelizing the technologies he works with. Disclaimer: The content and opinions expressed in articles and posts are his own and are by no means associated with his employer.

Recommended for you

28 Comments

  1. Mike Gower

    January 6, 2012 at 3:55 PM

    Very thorough. Good job on this!

  2. francois

    January 31, 2012 at 5:58 AM

    Thanks for this!

  3. Pat Matthews

    February 6, 2012 at 10:39 AM

    Worked great. The only thing that I had to do differently was that after I installed teh Receiver i rebooted, logged in and was prompted for my Citrix password, I canceled it and then rebooted a 2nd time and then it passed right thru as expected. That was on a fully patched fressh install of Windows XP SP3

  4. David Little

    February 21, 2012 at 1:16 PM

    I’m trying to do this as a Publised Desktop on a Win 2008 R2 64 Bit server and I’m still getting the same issue it will not autologin.
    I can log in manually but autologin fails.

    Any advice on this?

  5. David Little

    February 21, 2012 at 1:24 PM

    @David Little

    I think I found my issue… http://support.citrix.com/article/CTX129762
    logged in as a test user and it works.

  6. mikull

    March 12, 2012 at 10:16 PM

    thanks. my problem was with IIS. I followed all your above steps in vain, then as a chance I had a look at my IIS manager for the citrix website and under authentication there it wasn’t allowing windows authentication. I have no idea why that had happened as it should be automatic when the WI is configured. Yes, i tried repairing the site as well before I made the change using the IIS manager. All good now! Good blog though.

    Cheers from Australia!

  7. Carmen

    April 9, 2012 at 9:30 AM

    This process will remove the notice of validation but it will not make your copy genuine. You have to change your setting of windows automatic update to do not install update. Otherwise, your next update will reinstall the validation notice.

  8. Dave

    April 12, 2012 at 11:09 AM

    You address (initially) the problem of the windows authentication box appearing at the WI login screen, however I’m not seeing any suggestions on how to fix this. Everything seems to lean toward the WI and receiver config but I think the windows auth box at the login screen is more of an IIS (specifically IIS 7) issue. Strangely enough I have this issue when accessing my WI via a Win7 box (with either plugin 12.1 or the latest 13.x) but not from a server 2008 R2 box (same plugin). Any suggestions?

  9. Dave

    April 12, 2012 at 11:26 AM

    Nevermind, figured it out. My issue was that when accessing the site from the Win 7 box, the site showed up as a Trusted site. When I changed the settings for it to show as local intranet, voila! No more windows authentication box.

  10. Harald

    April 17, 2012 at 6:20 AM

    Very usefull, thanks!

  11. Justin

    April 19, 2012 at 8:23 AM

    I was having this same issue, and it turned out to be IIS7 for me, like Mikull mentioned above.

    Just go into the IIS7 Manager, drill down to your website (mine was the default website), and open up the Authentication icon under IIS. You will see Windows Authentication in the list. Make sure it is set to enabled.

    once I adjusted this, I restarted the website in IIS7, cleared my existing connections to the citrix server and connected with no password prompt after that. I didn’t even need to add the website into the trusted sites.

    thanks for this info, the web page and the comments covered all the bases for me 🙂

  12. Justin

    April 19, 2012 at 8:26 AM

    btw, i did also make/check the various changes mentioned itn he article. So keep that in mind when troubleshooting your own issue.

    I can say that I had no success at al until adjusting the IIS7 windows authentication though.

  13. Sootie

    April 19, 2012 at 7:30 PM

    Great article, and I have had success fixing the issue in my environement with the group policy change in step 2 however this doesnt help me when I move to a computer that is not joined to my domain as I cant change the group policy applying to them. Is anyone aware of any way around this?

  14. Sootie

    April 22, 2012 at 3:54 PM

    Sootie :
    Great article, and I have had success fixing the issue in my environement with the group policy change in step 2 however this doesnt help me when I move to a computer that is not joined to my domain as I cant change the group policy applying to them. Is anyone aware of any way around this?

    Disregard, I’m an idiot and misunderstood the point of pass through authentication.

  15. JohnnyCAPSLOCK

    May 8, 2012 at 12:31 PM

    Thank you for what I find to be the most complete explanation of how to enable pass through authentication. Sure beats trying to figure it out from Citrix documentation.
    There is on more thing I had to do to get the Citrix Receiver itself to stop prompting for authentication when logging into the computer.
    It seems it is not enough to enable pass-through on XenApp Services Site, you also have to set it as default by highlighting it and clicking the Set as Default on the Authentication Methods properties page. Or at least I did.
    Just in case anyone else has been beating their head against the wall wondering why pass through is working for the web interface but not for PNAgent/XenApp Services side.

  16. Matt Engel

    May 14, 2012 at 7:32 AM

    This was very helpful! Thanks!

  17. RedPlumpTomato

    May 23, 2012 at 8:54 AM

    Fantastic Article!! The comments helped as well as the issue I had was with IIS and windows authentication.. Thanks to Mikull for that!

  18. Jonathan Pitre

    June 13, 2012 at 6:49 PM

  19. Louie

    July 20, 2012 at 8:54 AM

    Nice tips, thanks.

  20. Artur

    January 9, 2013 at 4:09 PM

    THX Jason
    Very usefull work. I resolved two problems with Your help.

  21. Jako

    January 23, 2013 at 2:16 AM

    Now it’s name is “Receiver for Windows 3.4 (Legacy PNA)” and you must log in to MyCitrix to see and download it.

    In Add-remove Prgrams you see still Citrix Receiver (Enterprise)

  22. JohnnyCAPSLOCK

    February 28, 2013 at 5:24 PM

    Additionally even after all the great tips in here, we are having an issue where after a period of time some users lose SSON through pnagent. So when they login their computer Citrix Receiver tells them they need to log in. Looking through the article everything is still in place including ssonsvr is running. Then I find yet another place to set sson.
    http://support.citrix.com/article/CTX123150
    The offending computers had logonmethod set to prompt. Normal computers don’t have logonmethod even present in that key, but you can change it to sson.
    Why they store settings as psuedo xml in a binary key, I don’t know. Just to make it even more difficult I guess. Here is a website that has a powerscript example for manipulating that key.
    http://www.remkoweijnen.nl/blog/2012/02/13/scripting-citrix-online-plugin-settings/

    If you just want to fix it quickly, you can just delete the entire PNAGENT key and it will rebuild itself on login without setting logonmethod to prompt.

    Remember that this setting is under the USER hive, not the Local Computer hive. In fact other users who login the same computer do not exhibit the same problem.

  23. stonkac

    July 12, 2013 at 1:28 AM

    passthru is working well when connecting from windows 7 client, but when connecting from the windows xp or windows embedded the pass thru ends up with: “2. Passthrough at the web interface works fine but when launching an app, you get a Windows 2008 R2 logon screen from the XenApp server like this:” The settings on the clients are identic, I ran out of ideas where the problem could be, can anybody help, please?

  24. Itiseasy

    July 18, 2013 at 7:31 PM

    I have seen this issue(2) before time, but the root cause is that Xenapp servers can’t communication with DB server.

  25. tommyketchup

    July 22, 2013 at 4:02 AM

    The links of reciever enterprise dont seem to work no more 🙁

  26. Graham

    August 25, 2013 at 4:46 PM

    Thanks for the blog post. In my case the computer was in the wrong OU and the GPO was not being applied. Thanks for the step by step approach.
    Graham

  27. Glen

    May 29, 2014 at 10:28 PM

    Excellent article. Thank you.

    I have FireFox working with pass-through authentication! In addition to the changes identified in this article I needed to go into FireFox and disable the Citrix Receiver add-on. Then it all worked and no more Windows Server 2008 login screen.

    We are using Citrix Receiver 3.4 (enterprise); Web Interface v5.3, XenApp 5 (on Windows Server 2008 32-bit); FireFox ESR 24.1.1.

  28. Raja

    March 13, 2015 at 2:35 AM

    Many thanks Jason for the fantastic article.

    I have fixed pass through authentication with the help of post. Keep it up.

    thanks again.

Leave a Reply

Your email address will not be published.