Archive

Archive for the ‘StoreFront’ Category

Citrix Storefront 2.5 and Single Sign on:

March 26, 2014 8 comments

image-01-535x535With the release of XenDesktop / XenApp 7.5, Citrix Storefront has brought back a very sought after feature, Single sign on for local credentials to the storefront site!

Citrix Storefront SSO can be the default configuration or a choice can be given to the user if you select more than one authentication type as below:

 

storefront auth choice

 

 

 

Desktop appliance site: (Slight deviation, bear with me).

 

An interesting addition to storefront in 2.5 is a desktop appliance site is installed by default. Richard covers what a desktop appliance site really well in this article for the current release of storefont here. It’s worth noting the desktop appliance site is running the older storefront code base and does not currently support single sign on, strangely.

 

 

 

Back on topic!

 

Below is a quick guide on how to get it working and any interesting features along the way, I’ve broken this piece down into three parts:

 

XenDesktop Delivery controller configuration:

 

on each delivery controller accessible by the storefront site, run the following two commands:

broker xml trust level

 

Client Configuration:

 

(Shawn Bass did alot of the hardwork here for me, so a thank you for that!)

when installing the client, you can enable the single sign on features with the following command line:

CitrixReceiver.exe /includeSSON /ENABLE_SSON=Yes /silent STORE0="Store;https://yourservername.yourdomain.com/Citrix/Store/discovery;on;Store"

 

Once this is complete, add the storefront url to the trusted sites for the user, then add the following setting to the trusted sites zone:

 

local zone settings

 

Once complete, open group policy on the local machine (or active directory group policy) and import the icaclient.adm file, the typical path is below for convenience:

x86:

C:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm

x64:

C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm

 

Once you have imported this adm file, configure the following values in the LOCAL MACHINE configuration*

*the policies dont work in user mode, oddly.

Configure the authentication policy:

 

group policy

Configure the web interface authentication ticket settings also:


group policy2

 

 

 

Now reboot the machine and log in, ensuring SSONSVR.exe is running in task manager.

 

Storefront Configuration:

 

I’m going to go ahead and assume you’ve already installed storefront, so lets start from there.

 

Make your way down to the ‘Authentication’ tab choose add/remove methods and select domain pass-through as an authentication type:

 

add domain pass-through option in storefront config

 

Note the warning, the receiver for web will also need some configuration, so that’s our next step:

 

highlight change needed on storeweb

 

Make your way down to your ‘receiver for web’ tab and select ‘Choose Authentication Methods’:

 

add auth method to storeweb

 

 

 

 

As you can see above, domain pass-through is now an option, with a nice little warning:

 

storeweb passthrough warning

 

 

Note: if you don’t want SSO to be optional, don’t publish additional authentication types on this storeweb.

 

Testing:

The quickest way to test is to go right ahead now and use the storefront in anger, but if you’re the cautious type Storefront 2.5 includes a subdirectory called DomainPassthroughAuth/test.aspx. if you browse to this site from a configured machine, you should see the following screen.

 

 

passthrough auth test site

 

 

if you are prompted as below, or see any of the following errors, go back a few steps and check what you missed:

 

sso test fail via website

 

and the following error’s mean you’ve gotten the configuration wrong on the client side:

 

no trusted submit

no logon methods error - pass creds not set

 

and that’s it, happy sso’ing!