Configuring domain pass-through as your default authentication method

In the healthcare industry, doctors and clinicians typically have a single set of logon credentials. The most efficient way for them to access their applications is with domain pass-through authentication. This enables users who have already authenticated to a domain-joined device to immediately access their applications/virtual desktops without entering their user name and password.

There will be instances, however, where a subset of users have alternate accounts needed for logon. These accounts can range from generic kiosk accounts to administrative accounts. Users need to be able to log on with accounts that may be different from their current Windows credentials.

How can you accommodate both sets of users with Citrix StoreFront?

You have to enable domain pass-through and explicit user name and password authentication methods. But if both methods are enabled in a single StoreFront Store, you sacrifice logon efficiency. That means those doctors and clinicians, who have a single set of logon credentials, will have to choose a logon method instead of being immediately passed through to access their resources. And that takes up valuable time.

There is a solution.

Using the customization below, you can configure pass-through authentication as the default for all users, while still giving them the ability to switch accounts if needed after they log on. This provides a simpler experience for users who need domain pass-through and reduces the number of clicks required when initially logging on to StoreFront.

We’ve tested the customization successfully on StoreFront 3.12, StoreFront 3.16, and StoreFront 1811.1.0, and it will work on Receiver for Web on both IE 11 and Chrome version 71.0.3578.80. It won’t work with Receiver for Windows/Mac or Workspace app, but we’ve provided additional details related to functionality and configuration below. The customization requires both JavaScript and CSS.

Configuring Default Pass-Through Authentication

What does the customization look like?

When it’s implemented, users accessing Receiver for Web will be immediately passed through with domain pass-through authentication.

Logon Experience

If the user wants to log on with a different account, they can log off and then will be redirected to the explicit authentication logon page. They can log on with a different account or they can select the “Click here to sign in with current user name and password” link to automatically be passed through with their current Windows credentials.

Explicit Authentication Logon Page

Before we get started with the customization, please keep in mind that text with the following format <example text here> requires information specific to the Receiver for Web site name or path. You’ll need to remove this text and add in the respective Receiver for Web site name or path.

For example: If your domain pass-through Receiver for Web site name is DomainPassThroughWeb and the Receiver for Web site path is https://example.lab/Citrix/DomainPassThroughWeb, the text would change as follows:

C:\inetpub\wwwroot\Citrix\<domain pass-through site name>\custom\string.en.js C:\inetpub\wwwroot\Citrix\DomainPassThroughWeb\custom\string.en.js

…window.location.replace(“<domain pass-through site path>”);</script>…
…window.location.replace(“https://example.lab/Citrix/DomainPassThroughWeb”);</script>…

Store Authentication Methods

Step 2: Configure the existing Receiver for Web site to support only domain pass-through authentication.

Receiver for Web Site Authentication Methods (Domain Pass-Through)

Step 3: Add a second Receiver for Web site to the Store.

Add Additional Receiver for Web Sites

Step 4: Configure the second Receiver for Web site to support only user name and password authentication.

Receiver for Web Site Authentication Methods (User Name and Password)

Step 5: Set the corresponding domain pass-through Receiver for Web site as the default website in IIS.

Set Default Website

$(‘.customAuthTop’).html(“<a href=’<domain pass-through site path>‘ Click here to sign in with current user name and password.</a>”);

Step 8: Add the following code to the user name and password Receiver for Web site style.css file located at the following path: C:\inetpub\wwwroot\Citrix\<user name and password site name>\custom\style.css

.customAuthTop {
Font-size: 16px;
Text-align: center;
Padding-bottom: 35px;
}
.customAuthTop a {
Color: white;
}

Configuring Receiver for Windows/Mac, Workspace App

This customization applies to Receiver for Web sites, not Receiver for Windows/Mac or Workspace app. However, If the Store is configured with both domain pass-through and user name and password authentication enabled (Step 1) and Receiver is configured for SSO, users will be automatically passed through with domain pass-through authentication. If a user is not on a domain-joined machine or SSO fails for other reasons, the Store will fall back to explicit user name and password authentication.

Users with multiple accounts who require explicit user name and password authentication should be trained to access applications through a browser to have the customized functionality detailed above.

If you have any comments, questions, or customization requests, let us know in the comments!

Citrix Tech Bytes – Created by Citrix Experts, made for Citrix Technologists! Learn from passionate Citrix Experts and gain technical insights into the latest Citrix Technologies.

Click here for more Tech Bytes and subscribe.

Want specific Tech Bytes? Let us know! tech-content-feedback@citrix.com.