Information
This article outlines workarounds and resolutions to specific Citrix pass-through authentication issues.
Common Pass-Through Authentication Issues and Inquiries
Refer to the following links for information on common pass-through authentication issues and inquiries:
Citrix Docs - Enabling Pass-Through Authentication
CTX133855 – How to Configure Desktop Pass-Through with Storefront and Receiver
CTX122676 – How to Install the Web Plug-in and the Pass-Through Authentication Component for Use with ICA Files or Web Interface
CTX129762 – Single Sign On (Pass-through Authentication) Fails Intermittently
CTX123577 – Overview of Pass-Through (SSON) Authentication - Smart Card
CTX128907 – Users are Unable to Re-Authenticate to a Web Interface 5.4 Site
CTX124871 – 12.0 Online Web Plug-in Using Single Sign On - SSON Fails with Web Interface
CTX134280 – How to Deploy Citrix Receiver for Pass-Through Authentication Using Active Directory Group Policy
Specific Pass-Through Authentication Issues
Refer to the following links for information on specific pass-through authentication issues:
CTX114276 – The Presentation Server Client 10.100 Installation Does Not Prompt for a Restart if Secure Sign-on is Enabled
CTX113004 – How to Configure Single Sign-on for Web Interface Using Version 10, 11, and 12x Plug-ins
CTX118628 – Citrix Single Sign-On (SSONSVR.exe) Fails to Start on Computers using Intel Credentials Manager
CTX135588 – How To Troubleshoot Pass-Through Authentication to Web Interface
Ensure that the issue is not specific to the client version. Attempt to upgrade or downgrade the client.
Pass-Through Authentication Does Not Work When Using Any Version of the Win32 Clients Embedded in an HTML File
When creating an HTML file using either the Published Application Manager in MetaFrame 1.8 or Citrix Management Console in MetaFrame XP to embed an ICA connection, the local credentials cannot be passed from Single Sign-On to the session inside the web browser.
This is by design. Before launching a connection with the .ica file, wfica32.exe checks whether two conditions are true: that wfcrun32.exe is present in the ICA client directory, and that the call comes from a web browser. If both are true, wfica32.exe launches the connection directly. Otherwise, wfcrun32.exe is launched and passes the parameters to establish the session. To use Single Sign-On, wfcrun32.exe must be the executable that launches the connection.
Other methods of using a web browser and Single Sign-On are available by using NFuse 1.7 or later and the desktop credential pass-through feature.
To reproduce the issue:
Using Published Application Manager or Citrix Management Console, create an HTML file and choose the embedded method.
Add the settings to the ICA file to enable Single Sign-On from an ICA file. See How to Enable Pass-Through Authentication Within an ICA File.
Open the HTML page either locally or from a web server. The Winlogon dialog box appears.
Open the ICA file; the credentials are automatically passed through.
How to Enable Pass-Through Authentication Within an ICA File
If Presentation Server Client version 10.x or later is used, do NOT complete the following procedure. See CTX113004 – How to Configure Single Sign-on for Web Interface Using Version 10, 11, and 12x Plug-ins.
To enable pass-through authentication within an ICA file, complete the following procedure:
Note: The following steps assume that user-specific profiles are being used on the client workstations and that the workstations are running Windows 9x/ME/2000/XP operating systems.
In the Appsrv.ini file of the user profile, add the following lines at the end of the [wfclient] section:
SSOnUserSetting=On
EnableSSOnThruICAFile=On
To use the .ica file, add the following line in the Application section (this is the section where all the settings like resolution or encryption are stored):
UseLocalUserAndPassword=On
Note: This change has to be made individually to the Appsrv.ini file for each user. Users must have the full Program Neighborhood Client installed and have Use Local Username and Password selected for logon in the ICA Settings menu.
Example:
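The procedure above touches two files, so one missing line in either file stops pass-through from working. The following is an added example, not part of the original article and not Citrix code: it parses both files and reports which of the three settings is absent, which also lets an administrator inventory profiles where ICA-file pass-through has been switched on. The sample file contents, the use of `[ApplicationServers]` to locate the application sections, and all function names are assumptions.

```python
# Added example: verifies the three settings named in the procedure above.
# SAMPLE_APPSRV and SAMPLE_ICA are constructed samples, not real client files.

def parse_ini(text):
    """Parse INI text into {section: {key: value}}, lower-casing names; duplicate keys keep the last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def is_on(section, key):
    return section.get(key.lower(), "").lower() == "on"

def check_passthrough(appsrv_text, ica_text):
    """Return the list of missing settings; an empty list means all three are present."""
    problems = []
    wfclient = parse_ini(appsrv_text).get("wfclient", {})
    for key in ("SSOnUserSetting", "EnableSSOnThruICAFile"):
        if not is_on(wfclient, key):
            problems.append(f"Appsrv.ini [WFClient]: {key}=On missing")
    ica = parse_ini(ica_text)
    # Assumption: application sections are the ones listed under [ApplicationServers].
    apps = ica.get("applicationservers", {})
    if not apps:
        problems.append(".ica: no application section found")
    for app in apps:
        if not is_on(ica.get(app, {}), "UseLocalUserAndPassword"):
            problems.append(f".ica [{app}]: UseLocalUserAndPassword=On missing")
    return problems

SAMPLE_APPSRV = "[WFClient]\nVersion=2\nSSOnUserSetting=On\n"
SAMPLE_ICA = (
    "[ApplicationServers]\nNotepad=\n\n"
    "[Notepad]\nAddress=appserver.example.internal\n"
    "InitialProgram=#Notepad\nUseLocalUserAndPassword=On\n"
)

if __name__ == "__main__":
    for line in check_passthrough(SAMPLE_APPSRV, SAMPLE_ICA) or ["all three settings present"]:
        print(line)
```

Run against the constructed samples, it reports that `EnableSSOnThruICAFile=On` is missing from the `[WFClient]` section.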
Pass-through authentication fails when the store has a farm name similar to the DNS A records in DNS
The store has a farm name similar to the A records in DNS, and this name points to a public IP address. To resolve this issue, change the farm name.
Additional Resources
Refer to the Citrix Knowledge Center Highlights: App Virtualization & VDI (July Edition) for more information.
- XenApp
- Receiver for Windows