Authenticate | Citrix Workspace app LTSR for Windows
You can configure various types of authentication for your Citrix Workspace app, including domain pass-through (single sign-on or SSON), smart card, and Kerberos pass-through.
When enabled, domain pass-through single sign-on caches your credentials, so that you can connect to other Citrix applications without having to sign in each time. Ensure that only software that is in accordance with your corporate policies runs on your device to mitigate the risk of credential compromise. When you log on to Citrix Workspace app, your credentials are passed through to StoreFront, along with the apps and desktops and Start menu settings.
After configuring single sign-on, you can log on to Citrix Workspace app and launch virtual apps and desktops sessions without having to retype your credentials. You can configure single sign-on on either a fresh installation or an upgrade, using any of the following options: The terms domain pass-through, single sign-on, and SSON might be used interchangeably in this document. Single sign-on lets you authenticate to a domain and use Citrix Virtual Apps and Desktops and Citrix DaaS from the same domain without having to reauthenticate to each app or desktop.
When you add a store using the Storebrowse utility, your credentials pass through the Citrix Gateway server, along with the apps and desktops enumerated for you, including your Start menu settings. After configuring single sign-on, you can add the store, enumerate your apps and desktops, and launch the required resources without having to type your credentials multiple times. Depending on the Citrix Virtual Apps and Desktops deployment, single sign-on authentication can be configured on StoreFront using the Management Console.
In the User Authentication pane, select Automatic logon with current user name and password. You can now log on to an existing store or configure a new store using Citrix Workspace app without entering user credentials. You can configure single sign-on on workspace for web using the Group Policy Object administrative template. Verify that the single sign-on is enabled by launching the Task Manager and check if the ssonsvr.
Complete the following steps to configure Citrix Workspace app for pass-through authentication using Active Directory group policy. In this scenario, you can achieve the single sign-on authentication without using the enterprise software deployment tools, such as the Microsoft System Center Configuration Manager. It must be accessible by the target machines you install Citrix Workspace app on.
Edit the content to reflect the location and the version of CitrixWorkspaceApp. For more information on deploying the startup scripts, see the Active Directory section. After adding the receiver. For more information about adding the template files, see Group Policy Object administrative template.
Select the Local user name and password policy and set it to Enabled. Citrix Workspace app provides an option to disable the storing of authentication tokens on the local disk. Starting with Version , Citrix Workspace app provides another option to disable the storing of authentication tokens on the local disk. Along with the existing GPO configuration, you can also disable the storing of authentication tokens on the local disk using the Global App Configuration Service.
For more information, see the Global App Configuration Service documentation. Configuration Checker lets you run a test to check if the single sign-on is configured properly.
The test runs on different checkpoints of the single sign-on configuration and displays the configuration results. Click Configuration Checker. The Citrix Configuration Checker window appears. Configuration Checker does not include the checkpoint for the configuration of trust requests sent to the XML service on Citrix Virtual Apps and Desktops servers.
Citrix Workspace app allows you to do a beacon test using the Beacon checker that is available as part of the Configuration Checker utility. The Beacon test helps to confirm if the beacon ping.
This diagnostic test helps to eliminate one of the many possible causes for slow resource enumeration, that is the beacon not being available. Select the Beacon checker option from the list of Tests and click Run. Citrix Workspace app supports Kerberos for domain pass-through single sign-on or SSON authentication for deployments that use smart cards.
When enabled, Kerberos authenticates without passwords for Citrix Workspace app. As a result, it prevents Trojan horse-style attacks on the user device that try to gain access to passwords.
Users can log on using any authentication method and access published resources, for example, a biometric authenticator such as a fingerprint reader. Enable Kerberos to avoid an extra PIN prompt.
To use Kerberos authentication with Citrix Workspace app, check if the Kerberos configuration conforms to the following. Using the Registry editor incorrectly might cause serious problems that can require you to reinstall the operating system.
Use the Registry Editor at your own risk. Make sure you back up the registry before you edit it. Before continuing, see Secure your deployment section in the Citrix Virtual Apps and Desktops document. This option installs the single sign-on component on the domain-joined computer, enabling your workspace to authenticate to StoreFront using IWA Kerberos.
If a security policy prevents you from enabling single sign-on on a device, configure Citrix Workspace app using Group Policy Object administrative template. When you configure the authentication service on the StoreFront server, select the Domain pass-through option.
That setting enables Integrated Windows Authentication. You do not need to select the Smart card option unless you also have non domain-joined clients connecting to StoreFront using smart cards. For more information about using smart cards with StoreFront, see Configure the authentication service in the StoreFront documentation.
Conditional Access is a tool used by Azure Active Directory to enforce organizational policies. Workspace administrators can configure and enforce Azure Active Directory conditional access policies for users authenticating to the Citrix Workspace app. You can configure the following authentication mechanisms with the Citrix Workspace app. For the following authentication mechanisms to work as expected, the Windows machine running the Workspace app must have Microsoft Edge WebView2 Runtime version 99 or later installed.
Pass-through authentication (single sign-on) - Pass-through authentication captures the smart card credentials when users log on to Citrix Workspace app. Citrix Workspace app uses the captured credentials as follows:
Bimodal authentication - Bimodal authentication offers users a choice between using a smart card and typing the user name and password. For example, the logon certificate has expired. Dedicated stores must be set up per site to allow Bimodal authentication, using the DisableCtrlAltDel method set to False to allow smart cards. Bimodal authentication requires StoreFront configuration. Using the Bimodal authentication, the StoreFront administrator can allow both user name and password and smart card authentication to the same store by selecting them in the StoreFront console. See StoreFront documentation.
Multiple certificates - Multiple certificates can be available for a single smart card and if multiple smart cards are in use. When you insert a smart card in a card reader, the certificates are applicable to all applications running on the user device, including Citrix Workspace app.
Client certificate authentication - Client certificate authentication requires Citrix Gateway and StoreFront configuration.
Smart card-enabled applications - Smart card-enabled applications, such as Microsoft Outlook and Microsoft Office, allow users to digitally sign or encrypt documents available in virtual apps and desktops sessions.
Some configuration requires registry edits. Using the Registry editor incorrectly might cause problems that can require you to reinstall the operating system.
To configure Citrix Workspace app for Windows, include the following command-line option during installation:. Single sign-on is another term for pass-through authentication.
In the Registry editor, navigate to the following path and set the SSONCheckEnabled string to False if you have not installed the single sign-on component. The key prevents the Citrix Workspace app authentication manager from checking for the single sign-on component and allows Citrix Workspace app to authenticate to StoreFront. To enable smart card authentication to StoreFront instead of Kerberos, install Citrix Workspace app for Windows with the following command-line options:.
Enables credential caching and the use of pass-through domain-based authentication. If the user logs on to the endpoint with a different authentication method, for example, user name and password, the command line is:. This type of authentication prevents capturing of the credentials at logon time and allows Citrix Workspace app to store the PIN during Citrix Workspace app login. By default, if multiple certificates are valid, Citrix Workspace app prompts the user to choose a certificate from the list.
Instead, you can configure Citrix Workspace app to use the default certificate per the smart card provider or the certificate with the latest expiry date. If there are no valid logon certificates, the user is notified, and given the option to use an alternate logon method if available. Prompt is the default. For SmartCardDefault or LatestExpiry , if multiple certificates meet the criteria, Citrix Workspace app prompts the user to choose a certificate. If your site or smart card has more stringent security requirements, such as to disallow caching the PIN per-process or per-session, you can configure Citrix Workspace app to use the CSP components to manage the PIN entry, including the prompt for a PIN.
A Citrix Virtual Apps session logs off when you remove the smart card.
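The certificate selection behaviour described above (Prompt, SmartCardDefault, LatestExpiry), modelled as an added example; this is not Citrix code. The LogonCert type, the provider_default flag, the silent use of a single valid certificate, and the fallback to a prompt when no certificate is marked default are assumptions. The sample certificates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class LogonCert:
    subject: str
    not_before: datetime
    not_after: datetime
    provider_default: bool = False  # assumed flag: the card provider's default cert

def select_certificate(certs, policy="Prompt", now=None):
    """Model the selection rule; returns (action, candidates).

    action is 'use' (one certificate chosen silently), 'prompt' (user picks
    from candidates) or 'alternate-logon' (no valid logon certificate).
    """
    now = now or datetime.now(timezone.utc)
    valid = [c for c in certs if c.not_before <= now <= c.not_after]
    if not valid:
        return "alternate-logon", []   # user is notified, offered another method
    if len(valid) == 1:
        return "use", valid            # assumption: nothing to choose between
    if policy == "Prompt":
        return "prompt", valid
    if policy == "SmartCardDefault":
        matches = [c for c in valid if c.provider_default]
    elif policy == "LatestExpiry":
        latest = max(c.not_after for c in valid)
        matches = [c for c in valid if c.not_after == latest]
    else:
        raise ValueError(f"unknown policy: {policy!r}")
    if len(matches) == 1:
        return "use", matches
    # Several certificates meet the criteria (or, by assumption, none do):
    # fall back to asking the user.
    return "prompt", matches or valid

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: three certificates visible from one user's smart card(s).
NOW = utc(2024, 6, 1)
EXPIRED = LogonCert("CN=alice-old", utc(2022, 1, 1), utc(2023, 1, 1))
DEFAULT = LogonCert("CN=alice-default", utc(2023, 1, 1), utc(2025, 1, 1), True)
NEWEST = LogonCert("CN=alice-new", utc(2024, 1, 1), utc(2026, 1, 1))
SAMPLE = [EXPIRED, DEFAULT, NEWEST]

if __name__ == "__main__":
    for policy in ("Prompt", "SmartCardDefault", "LatestExpiry"):
        action, candidates = select_certificate(SAMPLE, policy, NOW)
        print(policy, "->", action, [c.subject for c in candidates])
```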

 