Jump to content
Welcome to our new Citrix community!

netscaler domain trust for streamlined login

Allan Rivers

Recommended Posts

we have a netscaler set up for domain login as well as PIV smart card login. 


when a user logs in on a domain joined computer with a smartcard they can SSO direct to their desktop due to domain trusts and whatnot through browser.  However with a NON-domain joined machine the user will need to auth with their smart card at initial login to the netscaler, storefront will use the callback for verification (if a secondary callback without auth is not present) the user will need to put in the PIN a second time.  Then due to a lack of trust the user will also need to authenticate to the windows desktop with their smartcard.  So 3 PIN prompts just to get to a working state.


with the additional configuration of the secondary Callback using this document from Citrix https://www.citrix.com/blogs/2014/08/14/how-to-reduce-smartcard-pin-prompts-while-using-netscaler-gateway-with-storefront-2-5/ it is possible to get it down to 2 PIN prompts.


is there a way to have a domain trust relationship built into the netscaler to be able to securely pass the PIN and certificate credentials of the authenticated user direct to the desktop to allow the user access without having to put in a PIN prompt again.

Link to comment
Share on other sites



I think your missing component is Citrix FAS (Federated Authentication Service) for getting SSO into the Windows Desktop / APps. checkout https://www.citrix.com/blogs/2017/01/12/smart-card-cacpiv-sson-with-fas/?_ga=2.126206281.536665297.1561979789-1544037607.1519142026


There are blogposts available explaining how to setup and configure it in the correct way

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...