
Domain Pass-Through not working

Sam Buckler


Hi all


I am using Storefront 1906.1 with Workspace 1907, which are the latest versions at the time of writing.


I have a Storefront services site for internal applications I need to publish to Windows 2019 terminal server users, who are logging into these desktops externally via netscaler.


The issue is that SSO doesn't work from the Windows 2019 TS to the internal services site (no netscaler involved). I've enabled it as the main authentication method, enabled trust on the XML service and also installed workspace with /includeSSON. I have also added the storefront server into the intranet zone and enabled automatic login for said zone.


When I run the configuration check from workspace, it tells me I need to enable domain pass-through on the storefront site, but it is already enabled.


Hello Sam,

In order to get more clarity on your query: we have an end user connected to an external network --> end user hits Citrix NetScaler to launch 2019 server --> from the server session they hit SF server --> enumeration happens --> attempts to launch application --> end up with credential prompt?

Is this the issue?


- What exactly is the message on screen?

- Is user using Workspace app or Receiver for web from server session?

- SSO does not work for both Workspace app and Web browser (receiver for web)?





Hi Aseem,


That is correct. Users are prompted to enter their credentials. If I type in the username/password (we are using UPN so user@principal.name) apps are shown and I can launch them. However, the apps open in a new session on the same server. This is a different issue maybe, as it doesn't seem like vprefer is working.


I've attached a couple of screenshots for you.






Have you modified the User Authentication settings in Internet Explorer?


- On the Internet Options > Security tab, click Trusted Sites.

- Click Custom level. The Security Settings – Trusted Sites Zone window appears.

- In the User Authentication pane, select Automatic logon with current user name and password.



If this has already been done, please share the complete text in the Details tab which starts with: Checking server configuration. Enable domain passthrough....



Yes, I have made changes to the IE policy; it says that in my original post, and it also passes in the SSON Checker.


The bottom line, which fails the check, says "Checking server configuration. Enable domain passthrough authentication on the store."


As I previously mentioned, Domain Passthrough is enabled on the store as per screenshot above, but the SSON checker says otherwise.


If I look at the config.xml I have this under the login node:


<Logon>
  <NDS_Settings>
    <DefaultTree />


I should be seeing "sson" (or something to that effect) as a logon method, but I only have prompt. So it looks like domain passthrough is not enabled even though it shows as such on the storefront interface.



The answer was to run the below command, since we were using two storefront sites.

& "C:\Program Files\Citrix\Receiver StoreFront\Scripts\EnablePnaForStore.ps1" -SiteId 1 -ResourcesVirtualPath /Citrix/<StorefrontName> -LogonMethod sson


Due to us using two storefront sites, this forces it to use SSON/DomainPassthrough for the second site.

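A read-only check for the symptom described in this thread, as an added example that is not part of any post and not Citrix's own tooling: it lists the logon methods found in each store's config.xml and flags stores that do not offer sson. The `<LogonMethod>` element name, the function name and the sample XML are assumptions constructed for illustration.

```powershell
# Added example. Assumption: logon methods are <LogonMethod> elements under <Logon>.
function Get-PnaLogonMethod {
    param(
        [Parameter(Mandatory)][string]$Store,
        [Parameter(Mandatory)][string]$ConfigXml
    )
    try {
        $doc = [xml]$ConfigXml
    } catch {
        # A malformed file is reported, not silently treated as "no sson"
        return [pscustomobject]@{ Store = $Store; Methods = 'unreadable XML'; PassThrough = $false }
    }
    # local-name() matches whether or not the file declares a default namespace
    $nodes = $doc.SelectNodes("//*[local-name()='Logon']/*[local-name()='LogonMethod']")
    $methods = @($nodes | ForEach-Object { $_.InnerText.Trim().ToLowerInvariant() } |
        Where-Object { $_ })
    [pscustomobject]@{
        Store       = $Store
        Methods     = if ($methods) { $methods -join ',' } else { 'none found' }
        PassThrough = $methods -contains 'sson'
    }
}

# Constructed sample content for two stores on one server (not from a real deployment)
$samples = [ordered]@{
    '/Citrix/StoreA' = @'
<PNAgent_Configuration><Logon>
  <LogonMethod>prompt</LogonMethod>
  <LogonMethod>sson</LogonMethod>
  <NDS_Settings><DefaultTree /></NDS_Settings>
</Logon></PNAgent_Configuration>
'@
    '/Citrix/StoreB' = @'
<PNAgent_Configuration><Logon>
  <LogonMethod>prompt</LogonMethod>
  <NDS_Settings><DefaultTree /></NDS_Settings>
</Logon></PNAgent_Configuration>
'@
}

# StoreB is the case from the thread: the console shows pass-through, the file does not
$samples.GetEnumerator() |
    ForEach-Object { Get-PnaLogonMethod -Store $_.Key -ConfigXml $_.Value } |
    Format-Table -AutoSize
```

To check a live store, pass the file content instead of the sample, for example `-ConfigXml (Get-Content -Raw '<path to the store's config.xml>')`.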
