Workspace SSO and Kerberos

[sortola27]

Hi all,

 

Trying to figure out Workspace SSO and Kerberos, if it's something we should have enabled or not. 

 

- Currently our Storefront server has Kerberos Delegation enabled.  Something set from our previous admin for reasons unknown.

- Dell Thin clients are setup with CVAD broker pointing to our only storefront store and 3rd party authentication using Imprivata
- Most everyone logs in with only a Windows AD username and password.  Some users login with a Windows AD username/pw with either proximity card or a fingerprint scan.  No smartcards are used.

 

If we install Workspace with Enable_Kerberos=Yes, SSO doesn't work but we're able to manually login and get desktops/apps.

If we install Workspace without Enable_Kerberos=Yes, SSO works but storefront doesn't connect (due to the Kerberos Delegation being enabled we presume)

Looking at documents for 2203 LTSR, for Kerberos it states:
 

Quote

Citrix Workspace app supports Kerberos for domain pass-through authentication for deployments that use smart cards.

 

So does this mean Kerberos should only be used when smartcards are being used?  

 

I reached out to Citrix support and the first tech says it should work with just a username/password, but this documentation they sent seems to contradict that.

 

I'm just trying to get a better understanding of how/when Kerberos should be used with Workspace SSO and to figure out:

A) if our previous admin enabled it when it shouldn't be since we don't use smartcards.
or B) if kerberos enabled should work with just a username/password, why isn't it?  We're not sure what would be breaking it.

Thanks.

[CarlStalhood]

Kerberos used to be an option in XenApp 6.5 and older, but 7.x does not support Kerberos and instead has been replaced by FAS.

 

Users must authenticate to StoreFront. StoreFront then sends the user's credentials to both the Delivery Controllers and the VDAs. In Kerberos, Kerberos delegation is needed for both. If StoreFront has access to the user's password, then Kerberos isn't needed.

 

Internally, you can use Integrated Windows Auth (Kerberos) to log into StoreFront (IIS), but this means StoreFront doesn't have the user's password. The authentication requirement for Delivery Controller is disabled by enabling Trust XML in Set-BrokerSite. Authentication to VDAs is handled by ssonsvr.exe on the Workspace app, or you can use FAS, or the VDA will prompt the user to login.

[sortola27]

Ok, so with Kerberos no longer supported in 7.x it sounds like we should be ok to disable that Kerberos Delegation on the store and install Workspace without Kerberos enabed?  Citrix support made it sound like we had to use Kerberos_enabled=Yes when installing workspace to get SSO to work.

 

So we've just been getting confused with all the different information we're finding and getting on how to make this work properly.

[CarlStalhood]

ssonsvr.exe does not use Kerberos. Instead it captures the username and password when the user logs into Windows. ssonsvr.exe then submits those credentials to the VDA machine.