This blog was co-authored by Sourabh Digavadekar, Staff Software Engineer at Citrix.

Having the ability to leverage single sign-on to access your work applications is extremely important, not just from a user experience standpoint but also from a security perspective. It reduces the number of attack surfaces since the users will only need to use one set of credentials and usually only have to log in once daily.

Traditionally, users have relied on using credentials like usernames and passwords to access their work applications. When working with a domain-joined Windows device provided by the enterprise, users expect to be able to access their work applications seamlessly without having to reauthenticate again.

Citrix Workspace app for Windows currently uses a component called single sign-on (SSON)/Domain pass-through authentication for single sign-on to Citrix Virtual Apps and Desktops environments. This authentication enables the user to authenticate to the domain on their device and use their virtual apps and desktops without having to reauthenticate again. When enabled, Domain pass-through caches user credentials, so that they can connect to other Citrix applications without having to sign in each time. You can find more details about this feature here.

Through feedback, we knew that we had to continue to enhance our Domain pass-through capabilities. That’s why we are excited to announce a tech preview of Enhanced Domain pass-through for single sign-on with the 2309 release of Citrix Workspace app for Windows. This method leverages Kerberos authentication instead of user credentials. So, suppose your users are leveraging FIDO2 or Windows Hello to log in. In that case, they will be able to seamlessly authenticate to their Citrix virtual app desktop resources without the need for Citrix Federated Authentication Service (FAS). Let’s take a closer look. 

What does enhanced Domain pass-through mean for you? 

With the advancement of passwordless technologies such as FIDO2 and Windows Hello, users can leverage biometrics, external passkeys, and a simple PIN to log in to their devices. These authentication methods are now supported by IDP vendors such as Microsoft Azure AD, Okta, and Ping, to name a few. The authentication is extremely seamless without the user having to remember or maintain complex passwords anymore. 

Citrix Workspace app for Windows supports passwordless authentication, and the user can leverage their FIDO2 security key or Windows Hello for Business to seamlessly log in to the Workspace app. However, previously, Domain pass-through would not work here since we didn’t have access to user credentials; to extend single sign-on to Citrix Virtual Apps and Desktops, you would need Citrix FAS installed in your enterprise. But with enhanced Domain pass-through, you no longer need FAS!

Please Note: Enhanced Domain pass-through requires the user’s device to be domain joined, and we also need to have a line of sight to the Active Directory (i.e user is on the internal network).

Enhanced Domain pass-through for single sign-on also provides other benefits over the current Domain pass-through/SSON authentication mechanism, including:

  • Upgrading the app does not require a reboot of the device provided the current SSON mechanism is disabled  
  • Multiple Provider Router (MPR) notifications can be disabled on Windows 11 machines
  • Because of the above, it does not need to be on the top of the list of network provider order

Try it today!

With our continued improvements to security and user experience, it’s imperative to give your users the latest capabilities. Please refer to the Citrix product documentation for more details and a step-by-step guide about this exciting new feature. We would also love to get your feedback on this preview. Please let us know about your experience using this form

Disclaimer: This publication may include references to the planned testing, release and/or availability of Cloud Software Group, Inc. products and services. The information provided in this publication is for informational purposes only, its contents are subject to change without notice, and it should not be relied on in making a purchasing decision. The information is not a commitment, promise or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for products remains at the sole discretion of Cloud Software Group, Inc.