While working on issues related to Smartcard authentication, one common query we receive in Tech-support is – how can we make Single Sign-on working with Smartcard for Windows 7\Vista clients? With ‘Full Kerberos’ support this works for Domain-joined clients. I was recently working in my lab to simulate the behaviour and to use ‘Constrained Kerberos Delegation’ to configure Passthough behaviour for non-domain joined machines using authentication point as ‘At Web Server’.


Windows 2008 R2 domain

XenApp 6.0 + HF 86 – Single server working as XML Broker, hosting app, etc

Web Interface 5.4

ICA Client 12.1 on Windows 7 machine

Gemalto .Net card

Configuration – (first the easier one)

1. On XenApp server

Verify that the registry settings are taking effect by going to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\IMA\XML Service and HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\IMA\Citrix Xml Service. Note: Run GPUPDATE /FORCE from the command prompt if the policies are not on the registry

2. Web Interface

A.  SSL (Https)

B.  Create a site with authentication point as ‘At Web Server’

C.  Open IIS Manager > select your server name and ensure you have Active Directory Client Certificate Authentication enabled

D.  Open IIS Manager , go to Sites>Default Web Site>Citrix><Name of your site>>. Ensure Windows Authentication is enable

E.  Configure SSL settings on Citrix virtual directory on IIS

3.   From the Domain Controller – This is the main one: –

  1. Go to the Active Directory Users and Computers
  2. Go to the properties of the Web Interface server > Delegation tab and the following entries
    1. “Trust this computer for delegation to specified services only”
    2. “Use any authentication protocol”
    3. Add HTTP service to the XML broker server

3.    Go to the properties of the XenApp / XML broker > Delegation tab and the following entries

1.  “Trust this computer for delegation to specified services only”

2. ” Use any authentication protocol “

3.  Add CIFS> each domain controller(s)

4.   Add HOST> to XenApp server(s) hosting apps

5.  Add LDAP> each domain controller(s)

4. On Client Machine – Add WI site to ‘Trusted Site’ and on authentication enable ‘Automatic logon with current username and password’. This will make IE to prompt for credential and if you have you Smartcard inserted, it will prompt for PIN.

Note – Make sure to have XenApp 6.0 w/ XML Shared with IIS.  Also, ensure to use “constrained delegation”. If you select “Unconstrained” Trust this computer for delegation to any service (kerberos only), you will not be able to authenticate to WI/IIS server.  Network trace can be useful for troubleshooting any issue.

Several of our customers look into Kerberos Delegation as an alternate authentication method for Citrix XenApp. A Kerberos-based authentication scheme offers several key security benefits all while speeding logon for increased user satisfaction. This is particularly true for Smartcard users, as this reduces the number of times the user certificate must be validated with the CA, thereby decreasing the number of pin prompts. There are some things to watch out for when designing your environment for Kerberos authentication:

  • Every single network service from all of your apps and agents need to be defined as a Kerberos delegation in AD. There is no way to turn on Kerberos for “all services.”
  • Kerberos is not recommended for  XenApp published desktops as a user can potentially open any network resources that the environment has not been setup with delegations-wise therefore locking out their account.

Documentation already exists that talk about setting up Kerberos delegation with domain-joined clients. The steps above focus on how to setup Kerberos with XenApp for operation with non-domain joined clients.