I know what you’re thinking; “Come on Jason! Do we really need another article, whitepaper or guide on how to enable pass-through authentication?”. Well… yes we do. Here is why:

There are several resources out there on Citrix.com as well as other third-party sites on this topic. However, it seems like none of them spell out clearly exactly what needs to be done, especially with XenDesktop 7.5 relying so heavily on PowerShell for advanced configuration. Every time I try to enable this feature for one of my customers I run into problems. So, I created this quick step-by-step guide on how to successfully enable pass-through authentication for the full Citrix Receiver with XenDesktop or XenApp, making your customers (and their users) very happy. Especially when their applications then “magically” appear in their Receiver client window and/or in their Windows Start Menu.

  • Install Citrix Receiver 3.4 or higher with the /includeSSON switch. Optionally, the STORE= command switch can be included as well (so that the user does not have to enter the store name). In my opinion, Receiver 3.4 should be the minimum version used because of some bug fixes included in 3.4 specific to pass-through authentication scenarios. I prefer using Receiver 4.1 if given the choice.
    1. CitrixReceiver.exe /includeSSON STORE0=(store name);https://(StoreFront server DNS name)/citrix/(store name)/discovery
    2. To add up to 10 StoreFront stores, additional STORE1 through STORE9 entries can be added to the command line if desired.
    3. When completed, check that pass-through authentication was successfully enabled by starting Citrix Receiver and confirming that the ssonsvr.exe process is also running.
  • If necessary, add the ICA Client GPO Administrative Template to the Local Computer Policy on the user's local machine and/or in the VDA desktop gold image:
    1. Open gpedit.msc.
    2. Right-click on Computer Configuration > Administrative Templates and select Add/Remove Templates.
    3. Add the c:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm template.
  • Enable the following Local Computer GPO (Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication) on the user's local machine and/or in the VDA desktop gold image (pic below).
    1. Choose the Local user name password setting.
    2. Select Enabled.
    3. Select Enable pass-through authentication.
    4. Select Allow pass-through authentication for all ICA connections.
    5. Click OK.
    6. Reboot the VDA Desktop gold image.
    7. This process is outlined here: http://support.citrix.com/article/CTX133982
  • Log on to the Delivery Controller(s), open Windows PowerShell, and execute the following commands to enable the Delivery Controller to trust XML requests sent from StoreFront.
    1. If not already loaded, load the Citrix cmdlets by typing asnp Citrix*. (do not forget to include the period). Press Enter.
    2. Then type Add-PSSnapin citrix.broker.admin.v2 and press Enter.
    3. Then type Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True and press Enter.
    4. Close PowerShell.
  • On the local machine and/or in the VDA desktop gold image, log out of Citrix Receiver.
  • Completely Close/Exit Citrix Receiver.
  • Open Internet Explorer on the local machine and/or in the VDA desktop gold image. Under Internet Settings > Security > Trusted Sites, add the fully qualified name of the StoreFront server(s) (without the store path) to the list.
    1. E.g. https://storefront.company.com
  • Restart Citrix Receiver. When the UI opens, if the current user is logged in to the domain, that user’s credentials should be passed through to StoreFront, and apps and desktops should enumerate within Citrix Receiver as well as in the user’s Start Menu. Then, when an icon is clicked, Receiver will pass the user’s domain credentials through to the Delivery Controller and the app/desktop will launch.
  • NOTE: In this example, the above Receiver installation, application of computer policy and configuration of a trusted site on the client OS are all done manually. All of these steps can be automated through Active Directory group policy to make things easier. This automation process is outlined here: http://support.citrix.com/article/CTX134280.

    The Receiver 3.4 Command Line reference can be found here:

    http://support.citrix.com/proddocs/topic/receiver-windows-34/receiver-windows-cfg-command-line.html

    The Receiver 4.1 Command Line reference can be found here:

    http://support.citrix.com/proddocs/topic/receiver-windows-40/receiver-windows-cfg-command-line-40.html

    NOTE: The Receiver 3.4 Command Line reference is different from the Receiver for Enterprise 3.4 Command Line Reference. This article does not apply to the Receiver for Enterprise client.

    ICAClient ADM Config
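A verification pass for the steps above, as an added example that is not part of the original article or Citrix's own tooling. It assumes Windows PowerShell 5.1 (the zone lookup uses a .NET Framework API); the function names are hypothetical and the URL is the article's own sample StoreFront address.

```powershell
# Added verification sketch; function names are hypothetical, not Citrix cmdlets.

function Test-ReceiverSsonClient {
    # Run on the user's machine or the VDA gold image, as the logged-on domain user.
    param([Parameter(Mandatory)][string]$StoreFrontUrl)

    # The article's own check: ssonsvr.exe must be running alongside Receiver.
    $sson = Get-Process -Name ssonsvr -ErrorAction SilentlyContinue

    # Resolve which Internet Explorer security zone the URL maps to for this user.
    # Returns MyComputer, Intranet, Trusted, Internet or Untrusted.
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($StoreFrontUrl).SecurityZone

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        User           = "$env:USERDOMAIN\$env:USERNAME"
        SsonsvrRunning = [bool]$sson
        StoreFrontZone = $zone
        InTrustedSites = ($zone -eq [System.Security.SecurityZone]::Trusted)
    }
}

function Test-ControllerXmlTrust {
    # Run on a Delivery Controller. Loads the broker snap-in only if it is missing.
    if (-not (Get-PSSnapin -Name Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Citrix.Broker.Admin.V2
    }

    # Read back the site-wide setting changed with Set-BrokerSite.
    $site = Get-BrokerSite
    [pscustomobject]@{
        Site                                 = $site.Name
        TrustRequestsSentToTheXmlServicePort = $site.TrustRequestsSentToTheXmlServicePort
    }
}

# Client:     Test-ReceiverSsonClient -StoreFrontUrl 'https://storefront.company.com'
# Controller: Test-ControllerXmlTrust
```

Because the Set-BrokerSite change makes the Delivery Controller trust requests arriving on its XML service port, record the value this reports and confirm that only your StoreFront servers can reach that port.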