Control Single-Sign-on

Guillaume Bodin (timestamp 1709155484)


I have a specific case where I want to have SSO working the first time I click on the desktop icon but not the following ones, unless I log in again to SF. We do not use smartcards at the moment.


Here is the design.


First connection with OTP to access Storefront (client workstation is out of domain - BYOD) - SF session will last 14h.

=> access to VDI with SSO (OK).

=> user leaves his office (for coffee etc.) => idle time reached (screensaver lock) OR user's manual lock OR the user closes his VDI (disconnect)

=> SF session still on. !!! Any user coming to the station can reopen the VDI !!! => We want to handle this security concern.


If we set an aggressive timeout on SF then when SF times out the VDI also gets disconnected. We are using F5 to handle the SF session (closing the browser with the SF session also closes the VDI).


=> How to disable the SSO at this step so that clicking on the desktop icon would not reopen the VDI freely, but the SSO would still work if we have just connected again to SF?


Here is the planned solution so far:

- In the master image the fPromptForPassword key is set to 0 (https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_PASSWORD) => SSO is working as it should when connecting to SF the first time (with OTP).

- After any kind of "connection" (scheduled task AT LOGON, CONNECTION TO USER SESSION and WORKSTATION UNLOCK) we execute a script that will change this fPromptForPassword to 1 and create a key with the date/time of the action => SSO is now disabled even if the SF session is ON; nobody can click on the desktop icon to get back to the VDI without providing the credentials.

- After any kind of "disconnection" (scheduled task at session lock: WORKSTATION LOCK and DISCONNECT FROM USER SESSION) we execute a script that will set the fPromptForPassword registry key back to 0 IF the SF timeout has passed (i.e. 14h for us, using the custom key with the date/time), therefore re-activating the SSO for the user when he reconnects to SF.


While this plan seems to work, I was wondering if there is any easier/smarter/cleaner way of handling this? Maybe at the F5 setup?


Thank you.
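As an added example (not code from the original post or from Citrix), the two branches of the planned solution and the scheduled-task registration in one PowerShell script. It writes the policy location of the TS_PASSWORD setting linked above; the script file name (Set-VdiSsoState.ps1), the custom value name 'SsoWindowStart' and the task names 'VdiSso-*' are assumptions. It goes one step beyond the post: the timestamp is recorded only when fPromptForPassword was still 0 at connection time (i.e. the connection came in through SSO from a fresh StoreFront logon), so password reconnects inside the window do not push the 14h window forward.

```powershell
# Added example, not from the original post: one script for the "connection"
# and "disconnection" branches, plus registration of the session-state tasks
# that call it. Assumed names: Set-VdiSsoState.ps1, value 'SsoWindowStart',
# tasks 'VdiSso-*'. Runs as SYSTEM (HKLM policy keys are not user-writable).
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidateSet('Connect', 'Disconnect', 'Register')]
    [string]$Mode,

    # Must match the StoreFront / F5 session lifetime (14h in the post).
    [TimeSpan]$SfSessionLifetime = [TimeSpan]::FromHours(14)
)

# Policy location of "Always prompt for password upon connection" (TS_PASSWORD).
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$PromptValue = 'fPromptForPassword'
# Custom value: start of the current StoreFront session window (assumed name).
$StampValue  = 'SsoWindowStart'

function Get-PromptForPassword {
    $v = Get-ItemProperty -Path $PolicyKey -Name $PromptValue -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 } else { return [int]$v.$PromptValue }
}

function Set-PromptForPassword([int]$Enabled) {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $PromptValue -Value $Enabled -Type DWord
}

function Register-SessionTask([string]$Name, [int]$TriggerType, [int]$StateChange, [string]$Arg) {
    # Schedule.Service COM is used because New-ScheduledTaskTrigger offers no
    # "on workstation lock/unlock/connect/disconnect" trigger.
    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect()
    $def = $svc.NewTask(0)
    $def.Principal.UserId = 'SYSTEM'
    $trig = $def.Triggers.Create($TriggerType)     # 9 = logon, 11 = session state change
    if ($TriggerType -eq 11) { $trig.StateChange = $StateChange }
    $act = $def.Actions.Create(0)                  # 0 = exec action
    $act.Path = 'powershell.exe'
    $act.Arguments = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Mode $Arg"
    # 6 = create or update, 5 = service-account logon type
    $svc.GetFolder('\').RegisterTaskDefinition($Name, $def, 6, 'SYSTEM', $null, 5) | Out-Null
}

switch ($Mode) {
    'Connect' {
        # Logon / reconnect / unlock. If SSO was still enabled this is the first
        # connection of a fresh StoreFront session: the 14h window starts here.
        # Reconnects that already required a password leave the window untouched.
        if ((Get-PromptForPassword) -eq 0) {
            Set-ItemProperty -Path $PolicyKey -Name $StampValue `
                -Value ([DateTime]::UtcNow.ToFileTimeUtc()) -Type QWord
        }
        Set-PromptForPassword 1   # from now on the desktop icon asks for credentials
    }
    'Disconnect' {
        # Lock / disconnect. Re-enable SSO only once the SF session must have
        # expired, so the next use of the icon goes through a fresh OTP logon.
        $stamp = (Get-ItemProperty -Path $PolicyKey -Name $StampValue -ErrorAction SilentlyContinue).$StampValue
        $start = if ($stamp) { [DateTime]::FromFileTimeUtc([long]$stamp) } else { [DateTime]::MinValue }
        if (([DateTime]::UtcNow - $start) -ge $SfSessionLifetime) { Set-PromptForPassword 0 }
    }
    'Register' {
        # TASK_SESSION_STATE_CHANGE_TYPE values: 3 remote connect, 4 remote
        # disconnect, 7 session lock, 8 session unlock.
        Register-SessionTask 'VdiSso-Logon'      9  0 'Connect'
        Register-SessionTask 'VdiSso-Connect'    11 3 'Connect'
        Register-SessionTask 'VdiSso-Unlock'     11 8 'Connect'
        Register-SessionTask 'VdiSso-Disconnect' 11 4 'Disconnect'
        Register-SessionTask 'VdiSso-Lock'       11 7 'Disconnect'
    }
}
```

Run once as an administrator with `-Mode Register` on the master image; the tasks then invoke the script with `-Mode Connect` or `-Mode Disconnect` as SYSTEM. Note that the reset to 0 only happens inside a lock or disconnect event, so it depends on one such event occurring after the window has elapsed; in the setup described above the F5-driven disconnect at StoreFront timeout provides exactly that event. If that coupling is ever removed, an additional periodic trigger running the Disconnect branch keeps the key from staying at 1 indefinitely.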
