Jump to content
Welcome to our new Citrix community!
  • 0

Workspace SSO and Kerberos



Hi all,


Trying to figure out Workspace SSO and Kerberos, if it's something we should have enabled or not. 


- Currently our Storefront server has Kerberos Delegation enabled.  Something set from our previous admin for reasons unknown.

- Dell Thin clients are setup with CVAD broker pointing to our only storefront store and 3rd party authentication using Imprivata
- Most everyone logs in with only a Windows AD username and password.  Some users login with a Windows AD username/pw with either proximity card or a fingerprint scan.  No smartcards are used.


If we install Workspace with Enable_Kerberos=Yes, SSO doesn't work but we're able to manually login and get desktops/apps.

If we install Workspace without Enable_Kerberos=Yes, SSO works but storefront doesn't connect (due to the Kerberos Delegation being enabled we presume)

Looking at documents for 2203 LTSR, for Kerberos it states:


Citrix Workspace app supports Kerberos for domain pass-through authentication for deployments that use smart cards.


So does this mean Kerberos should only be used when smartcards are being used?  


I reached out to Citrix support and the first tech says it should work with just a username/password, but this documentation they sent seems to contradict that.


I'm just trying to get a better understanding of how/when Kerberos should be used with Workspace SSO and to figure out:

A) if our previous admin enabled it when it shouldn't be since we don't use smartcards.
or B) if kerberos enabled should work with just a username/password, why isn't it?  We're not sure what would be breaking it.


Link to comment

3 answers to this question

Recommended Posts

  • 0

Kerberos used to be an option in XenApp 6.5 and older, but 7.x does not support Kerberos and instead has been replaced by FAS.


Users must authenticate to StoreFront. StoreFront then sends the user's credentials to both the Delivery Controllers and the VDAs. In Kerberos, Kerberos delegation is needed for both. If StoreFront has access to the user's password, then Kerberos isn't needed.


Internally, you can use Integrated Windows Auth (Kerberos) to log into StoreFront (IIS), but this means StoreFront doesn't have the user's password. The authentication requirement for Delivery Controller is disabled by enabling Trust XML in Set-BrokerSite. Authentication to VDAs is handled by ssonsvr.exe on the Workspace app, or you can use FAS, or the VDA will prompt the user to login.

Link to comment
  • 0

Ok, so with Kerberos no longer supported in 7.x it sounds like we should be ok to disable that Kerberos Delegation on the store and install Workspace without Kerberos enabed?  Citrix support made it sound like we had to use Kerberos_enabled=Yes when installing workspace to get SSO to work.


So we've just been getting confused with all the different information we're finding and getting on how to make this work properly.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...