
Workspace App SSO Broken for First Sign In


Felipe Albuquerque1709153149

Question

Writing this so other people don't bash their heads on their desks like I did!

 

I've been configuring Receiver/Workspace SSO for over a decade now, and the whole requirements checklist worked until the latest versions of Workspace app...

For those who don't know the steps to make SSO work, look here:

https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/authentication.html 

 

What I found today is:
For new user profiles, the Workspace App sits there and does not automatically log on for the user, and no shortcuts are placed anywhere... unless the user right-clicks and clicks Refresh or clicks Sign In (if Sign In is visible; sometimes it's not).

When the user does this, they are not asked for the password; the authentication happens and the shortcuts pop up. Subsequent sessions log on seamlessly, as they should have the first time.

 

However, this also breaks Desktop Lock: without the automatic logon, the desktop is not "subscribed" and of course will not launch. And since the user does not have access to the Workspace interface, they are not able to "force" the sign-in.

 

Now, at the bottom of the same link above there is something that didn't exist before: "Silent Authentication".

 

And look at this:

[image]

 

As I understand it: SSO will be ignored, even if enabled, if this policy is not configured to Enabled. Also, this policy will not work if Self Service Mode is not set to Disabled.

 

So now you need 2 additional things in the GPO to make SSO Work:
Computer/Administrative Templates/Citrix Components/Citrix Workspace/SelfService

 

Silent authentication for Citrix Workspace = Enabled

Manage SelfServiceMode = Disabled

(This will hide Workspace interface, so the user experience changes. Self-service is gone and will just subscribe to everything but won't have access to any shortcuts unless you configure "Manage App shortcut" policy...)

 

I have tested this setup with Workspace App 2203 LTSR CU1, and now new profiles and reset profiles also authenticate automatically as they did before.


4 answers to this question


I think this was the problem. Enabling SSO at install automatically enabled pre-launch.

[image]

 

BUT, prelaunch only works on the 2nd successful logon to a client.

[image]

We are running on non-persistent thin clients so every logon is the 1st one. I think the pre-launch is what changed the behavior.

 

To publish the apps to the desktop and NOT prelaunch I modified the registry.

 

HKEY_LOCAL_MACHINE\Software\[Wow6432Node\]Citrix\Dazzle\EnablePrelaunch = False

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Prelaunch\State = 0

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\Dazzle\InitialRefreshMinMs = 1

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\Dazzle\InitialRefreshMaxMs = 1

 

The default behavior was that selfserviceplugin.exe kicked off selfservice.exe -prelaunch.

After the registry modification, selfserviceplugin.exe kicks off selfservice.exe -periodicpoll, which is the process that kicks off the application enumeration.

 

IF you want prelaunch then just leave it enabled and set the initial refresh times.

 

 

 

Link to comment
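
A read-only check of the four registry values from the answer above, added here as an example; it is not part of the original posts and is not Citrix tooling. It assumes 64-bit Windows (the WOW6432Node paths as posted) and compares values as strings because the post does not state their types; the function name Test-PrelaunchSetting is hypothetical.

```powershell
# Read-only audit: compares local registry values with the ones posted in the answer.
# Expected values are copied from that post; types are not assumed, so comparison is by string.
$base = 'HKLM:\SOFTWARE\WOW6432Node\Citrix'
$expected = @(
    @{ Path = "$base\Dazzle";               Name = 'EnablePrelaunch';     Value = 'False' }
    @{ Path = "$base\ICA Client\Prelaunch"; Name = 'State';               Value = '0' }
    @{ Path = "$base\Dazzle";               Name = 'InitialRefreshMinMs'; Value = '1' }
    @{ Path = "$base\Dazzle";               Name = 'InitialRefreshMaxMs'; Value = '1' }
)

# Hypothetical helper: returns one report row per setting (Match / Differs / NotSet).
function Test-PrelaunchSetting {
    param([hashtable]$Setting)
    $status = 'NotSet'
    $actual = $null
    $item = Get-ItemProperty -Path $Setting.Path -Name $Setting.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $actual = [string]$item.($Setting.Name)
        $status = if ($actual -ieq $Setting.Value) { 'Match' } else { 'Differs' }
    }
    [pscustomobject]@{
        Key      = $Setting.Path
        Name     = $Setting.Name
        Expected = $Setting.Value
        Actual   = $actual
        Status   = $status
    }
}

$report = $expected | ForEach-Object { Test-PrelaunchSetting -Setting $_ }
$report | Format-Table -AutoSize

# The post says the plugin starts selfservice.exe with -prelaunch by default
# and with -periodicpoll after the change; show what is running now.
Get-CimInstance Win32_Process -Filter "Name = 'SelfService.exe'" |
    Select-Object ProcessId, CommandLine | Format-List

# Non-zero exit code lets a logon script or compliance job flag drift.
if ($report.Status -contains 'Differs' -or $report.Status -contains 'NotSet') { exit 1 }
```

On non-persistent thin clients, run it against the base image as well as a freshly booted client, since a value set only in the running session will not survive the next boot.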
