Passthrough Authentication in Citrix – Five components to configure and check

Passthrough authentication is the process in which user credentials are passed via a web interface running on a Windows server with IIS installed, so the user doesn’t get challenged to enter his/her credentials twice to be authenticated to a Citrix published desktop or published application.

This is a really simplistic, high-level explanation of Passthrough. If you really want to know the nitty-gritty details and a core explanation, Nichollas Dillie has an outstanding article explaining Passthrough authentication in detail.

There are five important components that need to be configured or exist in order for Passthrough authentication to work properly:

1. Citrix Web Interface Management Console (WIMC) (inside of a Citrix Web Interface Server)
2. ADM template (on the Windows end point device or client)
3. ICA client with the correct code to manage Passthrough authentication
4. ICA and RDP listener
5. IIS Windows Authentication

Explaining the five components:

1. The WIMC must be configured to use the Passthrough Authentication Method. Note this picture, where the Authentication Methods option is available on the right side of the screen.

passthrough pic1 WI

2. The ADM template is part of the ICA client and needs to be configured in order for passthrough authentication to work. You need to open MMC on the client workstation where the ICA client is installed and load the ADM template. Once opened, you need to enable the option Local Username and Password (Details here: under the “Procedure” section from Bullets 7 to 11).

passthrough pic 2 adm template

3. Not all Citrix Windows ICA clients support Passthrough authentication. Make sure you use the Enterprise Edition of Citrix Receiver, AKA the Citrix Receiver PNA Legacy Plugin. The executable filename should say citrixreceiverenterprise.exe. As of March 2013, the latest version is 3.4. Other types might work, but you might need to install them using the command line switch /includeSSON (See Citrix E-Docs).

4. The ICA listener and the RDP listener
Even if you configured the three previous components correctly, you still need to make sure the option to “Prompt for Password” is NOT checked on the ICA listener and also on the RDP listener. Both listeners are located under the Administrative Tools – RDS – Remote Desktop Session Host Configuration option (located on XenApp servers hosted on 2008 R2 servers).

passthrough  Pic 3 ICA listener

5. IIS Windows Authentication
If you installed the Web Interface component on a server correctly, this should already be configured, but always ensure that the Web Server > Security > Windows Authentication role service is enabled for the Web Server (IIS) role (E-Docs). Here is a screenshot of the IIS role and features you need to be aware of:

IIS windows authentication

Finally, always make sure that the process ssonsvr.exe or ssonsrv32.exe is running on the client; otherwise, Passthrough authentication won’t work.
And here is a final tip. Sometimes the Network Provider order might prevent the process from loading. You can check under the Network properties of the NIC, on the top menu Advanced – Advanced Settings – Provider Order, to make sure Single SignOn is closer to the top, not all the way to the bottom. Also check this registry key for the Network Provider order to make sure it is closer to the top as well:
Change the order of the items in the following registry keys:
HKLM\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder
HKLM\System\CurrentControlSet\Control\NetworkProvider\HWOrder\ProviderOrder
Example: If you see something like this: RDPNP,LanmanWorkstation,WebClient,IntelNetProvCredMan, PnSson
Change it to this: RDPNP,LanmanWorkstation,WebClient,PnSson,IntelNetProvCredMan
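
A read-only PowerShell check for the two client-side items above (the SSO process and the position of PnSson in both ProviderOrder values). This is an added example, not part of the original article; the per-provider DLL lookup under Services\<name>\NetworkProvider\ProviderPath is not mentioned in the article and is included so every listed provider can be reviewed, since each one is loaded at logon.

```powershell
# Added example: read-only check, changes nothing on the client.
# Process names and ProviderOrder paths are the ones given in the article.
$ssoProvider = 'PnSson'
$orderKeys = @(
    'HKLM:\System\CurrentControlSet\Control\NetworkProvider\Order',
    'HKLM:\System\CurrentControlSet\Control\NetworkProvider\HWOrder'
)

# 1. Is the single sign-on process running?
$proc = Get-Process -Name 'ssonsvr', 'ssonsrv32' -ErrorAction SilentlyContinue
if ($proc) {
    "SSO process running: $(($proc | Select-Object -ExpandProperty Name -Unique) -join ', ')"
} else {
    'SSO process NOT running (ssonsvr.exe / ssonsrv32.exe not found)'
}

# 2. Where does PnSson sit in each ProviderOrder value?
foreach ($key in $orderKeys) {
    $value = (Get-ItemProperty -Path $key -Name ProviderOrder -ErrorAction SilentlyContinue).ProviderOrder
    if (-not $value) { "${key}: ProviderOrder value not found"; continue }

    # Comma-separated list; entries may carry stray spaces, so trim each one.
    $providers = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Case-insensitive search for the SSO provider.
    $index = -1
    for ($i = 0; $i -lt $providers.Count; $i++) {
        if ($providers[$i] -ieq $ssoProvider) { $index = $i; break }
    }

    if ($index -lt 0) {
        "${key}: $ssoProvider is missing from ProviderOrder"
    } elseif (($providers.Count -gt 1) -and ($index -eq ($providers.Count - 1))) {
        "${key}: $ssoProvider is last of $($providers.Count) providers; consider moving it up"
    } else {
        "${key}: $ssoProvider is at position $($index + 1) of $($providers.Count)"
    }

    # List each provider with the DLL it loads (standard Windows location, not from the article).
    foreach ($p in $providers) {
        $svcKey = "HKLM:\System\CurrentControlSet\Services\$p\NetworkProvider"
        $dll = (Get-ItemProperty -Path $svcKey -Name ProviderPath -ErrorAction SilentlyContinue).ProviderPath
        '  {0} -> {1}' -f $p, $(if ($dll) { $dll } else { '(no ProviderPath found)' })
    }
}
```

Run it in the affected user's session on the client so that Get-Process can see the SSO process.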

Good discussion here

I hope this helps!

