What if your organization gives you a smart card to login to your computer and expects you to use it for logging into all your apps? What if giving out a user name and password is non-compliant with your security policy? In this case, how will you login to Director?

With integrated Windows authentication, you needn’t worry any more.

Director 7.7 with integrated Windows Authentication will take care of all your user identification needs. With your Windows credentials, it can authenticate the user and directly take him to the dashboard page without the hassle of entering credentials.

Note: For integrated Windows authentication to work with Director 7.7 you should have a compatible XenDesktop 7.7 environment (broker or delivery controller should also be 7.7)

By default, integrated windows authentication for Director is disabled. As an admin you need to enable it by;

Configuring Integrated Windows Authentication in the IIS server

Once you have installed Director 7.7 open IIS, navigate to the Director Site and open Authentication settings. In the Authentication settings, enable Windows Authentication and disable Anonymous Authentication. Once this is done, restart the IIS server.

IIS Configuration
IIS Configuration
Disabling and enabling authentication parameters for the site Director in the IIS
Disabling and enabling authentication parameters for the site Director in the IIS

In order to disable IWA for Director, please enable Anonymous Authentication and disable Windows Authentication, keeping Forms Authentication as enabled.

The above configuration settings should let your users log in to Director without a password, provided their Windows credentials have privileges to log into Director. In case the Windows credentials do not match the Director credentials, the browser prompts you to enter the credentials.

Browser prompts for credentials if it does not support IWA
Browser prompts for credentials if it does not support IWA

If you want to use a different credential to log into Director, log off from the Director console and in the Director log on page, choose Authentication type as User credentials and enter your new credentials.

Authenticate with a user name and password
Authenticate with a user name and password

Delegation, when Director and the broker (delivery controller) are on different machines

In a scenario, where the delivery controller or the broker are in two different servers, we need to enable delegation on the Director server.

Delegation
Delegation

Go to the AD – Active Directory Users and Computers – Right Click on the machine name and select properties – Enable ‘Trust this computer for delegation’ as shown below.

Enable delegation on the Active Directory for the server on which Director is installed
Enable delegation on the Active Directory for the server on which Director is installed

You can also access Director as a published app and the credential that you used to log on to Citrix Receiver, will be used for accessing Director. You can refer the video here, if you want to know more on how to publish an app.

Configuring IE

If your browser does not support integrated Windows authentication, then as an admin, a group policy should be applied across all the supported browsers. Here is how you can set your IE for integrated Windows authentication.

  1. Open Microsoft Internet Explorer.
  2. Select Tools > Internet Options.
  3. Open the security tab
  4. Select internet or intranet (depends on how Director is accessed) and click on custom level
  5. Enable automatic logon with current user name and password
IE settings
IE settings

Note: For configuring integrated windows authentication on Chrome and Firefox, please refer their support forums.

Note: For scenarios when the user is trying to access Director through IWA from a domain that is not trusted by the domain in which the Director server is; the user will be redirected to the normal log on page. Please take a look at the below diagram:

When IWA is not supported; due to domain trust issues
When IWA is not supported; due to domain trust issues

Note: In case of multiple domain, make sure that all the domain being used trust each other in a two way translative manner. This is mandatory for integrated Windows authentication to work.

That’s all, folks!

With integrated Windows authentication, it is now a breeze to log in to Director securely. Director now complies with the highest security polices to manage credentials. May it be a smart card or a two factor authentication system, you can now log on to Director without any hassle and without entering your credentials.