Configuring Citrix Web Interface and Pass Through Authentication.

This is quite difficult, badly documented and frustrating. So I’ve put together the below guide for ease when using ThinKiosk.

[Update] > Citrix have finally documented this end to end here:

I’ve split this post into three Steps:

  • Server side
  • Client side
  • and some troubleshooting tips

Server Side:

Some details to start with. This was tested on the following server:

  • Server 2008 R2 Service Pack 1.
  • Citrix Web Interface 5.4.

1: Prior to installing the web interface (or testing pass through), ensure IIS is installed with the following feature:

2: Now that you are sure it’s installed, fire up the web interface management console and browse to the web interface you wish to configure for pass through.

3: Right click this website and choose Authentication Methods:

4: Once this is open, ensure Pass-through is checked, then click Properties:

5: Click the Automatic Logon tab & configure the settings as below:

6: Now click the Kerberos Authentication tab, and ensure Kerberos is unchecked:

7: Now click ok > ok to close.

8: Move now to Internet Information Services Manager (start > run > inetmgr)

9: Browse down in this console to sites  > Default web site > Citrix > XenApp (or whatever you called your site) then click the Authentication button:

10: On this page, confirm a few things:

A: Windows Authentication is present (if it isn’t go back to the start of this page and read slower.)

B: Windows Authentication is enabled (if it isn’t, just right click and enable it):

11: Once you are happy both A: and B: are correct, right click Windows Authentication and choose Advanced Settings:

12: On the advanced page, ensure Extended Protection is Off and Kernel-Mode is also turned off. (I should point out, I’m not sure why these options don’t work, don’t shoot the messenger).

13: And that should be that, this concludes the server side work.
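
Steps 10 to 12 can also be checked from PowerShell instead of by eye in IIS Manager. The script below is an added example, not part of the original guide: it reads the Windows Authentication settings for one site, compares them with the values given above, and prints the provider order for information. The site path is taken from step 9 and is an assumption about your install; the script needs the IIS WebAdministration PowerShell module.

```powershell
# Added example: audit the IIS Windows Authentication settings from steps 10-12.
# Run in an elevated PowerShell session on the Web Interface server.
Import-Module WebAdministration

# Assumption: the site path from step 9; change it if your site is named differently.
$Location = 'Default Web Site/Citrix/XenApp'
$Base     = 'system.webServer/security/authentication/windowsAuthentication'

function Get-AuthSetting {
    param([string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Location -Filter $Filter -Name $Name
    # Some attributes come back wrapped in an object with a Value property.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# Values the guide asks for: authentication on, kernel mode off, Extended Protection off.
$expected = @(
    @{ Label = 'Windows Authentication enabled'; Filter = $Base; Name = 'enabled'; Want = 'True' },
    @{ Label = 'Kernel-mode authentication'; Filter = $Base; Name = 'useKernelMode'; Want = 'False' },
    @{ Label = 'Extended Protection'; Filter = "$Base/extendedProtection"; Name = 'tokenChecking'; Want = 'None' }
)

$report = foreach ($e in $expected) {
    $actual = Get-AuthSetting -Filter $e.Filter -Name $e.Name
    New-Object PSObject -Property @{
        Setting = $e.Label
        Wanted  = $e.Want
        Actual  = "$actual"
        Match   = ("$actual" -eq $e.Want)
    }
}
$report | Select-Object Setting, Wanted, Actual, Match | Format-Table -AutoSize

# Provider order is reported for information only; the guide does not set it.
$providers = Get-WebConfiguration -PSPath 'IIS:\' -Location $Location -Filter "$Base/providers/add" |
    ForEach-Object { $_.value }
'Provider order: ' + ($providers -join ', ')

if ($report | Where-Object { -not $_.Match }) {
    Write-Warning "One or more settings differ from the guide for '$Location'."
}
```

Because the script reads with -Location, it reports the values in effect for that one site, which makes it easy to see whether Extended Protection and kernel-mode authentication were turned off for the Citrix site alone or inherited from a wider level.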

Client Side:

NOTE: Before you start, ThinKiosk cannot pass the user’s credentials from the local machine to the session by default. There is a custom permission, or something hardcoded in the receiver, to disallow this.

To work around this issue, rename thinkiosk.exe to iexplore.exe. The next version of ThinKiosk will ship with an executable called iexplore.exe by default.

Once that’s clear:

This client side piece is even more frustrating, so I’m going to assume in everyone’s case you have to install the receiver again. Just do it, it’s annoying, but you will save a lot of hassle in the long run.

I’ve tested this under the following configurations successfully:

  • Windows XP, Windows 7 (x86 & x64), Windows Thin PC.
  • Citrix receiver Enterprise 3.2
  • Citrix Web Interface 5.4


1: Download a new copy of the receiver. I don’t care if you have one on your network share, it probably isn’t the right one. Only Citrix Receiver Enterprise contains the components necessary for this. So go download the Citrix Receiver Enterprise.

You can tell your copy is enterprise by the name:

2: Now once you’ve uninstalled your last copy of the receiver, install the receiver enterprise with the following command line:

citrixreceiverenterprise /silent /includeSSON ENABLE_SSON="Yes"

3: Once the installation is complete. Open the local group policy manager (start > run > gpedit.msc)

(You can use Group policy for this too, but an offline test is always faster)

4: Under Computer Configuration, right click Administrative Templates, click Add/Remove Templates.

5: Browse down to c:\program files\Citrix\ICA Client\Configuration… (program files (x86) on 64 bit)

6: Select the icaclient.adm and click open:

7: Once this has been imported, browse to Administrative templates > Citrix Components > Citrix Receiver > User Authentication.

8: Configure the Local user name and password Properties as below:

9: Configure the Web Interface Authentication ticket Properties as below:

10: Once this has been Complete, restart the computer and log back in.

11: Once logged back in, Ensure ssonsvr.exe is running in the process list:

12: Now check to ensure the pass through works from Internet Explorer.

13: Once you are happy this works from Internet Explorer.

14: Replace explorer with thinkiosk.exe and test.

Troubleshooting tips:

1: Pass through to the web interface is failing with the following screen:

This can happen if:

  • You are in different domains to the web interface.
  • The web interface is in the trusted sites, but you do not allow the username to be passed.
  • You use an FQDN to connect to the web interface.
  • The web interface is in the internet zone.

There are a few caveats to this; the easiest way to fix this issue is to add the web interface to the trusted sites, then follow the below steps and restart:

2: Pass through working on the website but not the session:

  • When I log into XenDesktop, the session immediately disconnects
  • When I log into XenDesktop, I have to enter my credentials manually
  • When I log into a XenApp published desktop, I receive the following screen


You haven’t renamed thinkiosk.exe to iexplore.exe, or SSONSVR is not running in the task list.

  1. Daniel Crowhurst
    June 22, 2012 at 3:09 pm

    Hi, Andrew thanks for the guide. I found I also had to change the Windows Authentication providers order for my IIS site. I had to move NTLM to the top of the list before the pass through worked.


  2. June 22, 2012 at 4:01 pm

    Thanks for that Daniel!

    Is it working OK now with ThinKiosk?

    • Daniel Crowhurst
      July 13, 2012 at 1:41 pm

      Yes, as long as I have the exe renamed!

  3. Joe
    August 3, 2012 at 4:35 pm

    Andrew – I’m running thinkiosk v2.2 as a shell replacement, but am running into the “screen flashes but xendesktop session doesn’t start” issue. If I launch the command prompt from the admin menu, run Internet Explorer and go to the exact same URL as I’m using in Thinkiosk, everything works fine. I’ve verified that iexplore.exe exists in the thinkiosk install directory. Any ideas?

    • August 3, 2012 at 4:44 pm

      Are you running the iexplore.exe application or the thinkiosk.exe application? You should be using iexplore.exe.

      Is ssonsvr running when you open task manager?

      • Joe
        August 3, 2012 at 4:50 pm

        I was running thinkiosk.exe as the shell instead of your iexplorer.exe. Switched that and it’s working now. Thanks!

      • August 3, 2012 at 5:04 pm

        Great to hear, have a nice weekend.

  4. Mark
    August 20, 2012 at 6:38 am

    Andrew – I’ve configured the passthrough as above and it works well, but the Vdesktop won’t auto start or manual start; it looks like it disconnects straight away. I have installed receiver ent, ssonsvr is running and the iexplore.exe version of the kiosk is set as the shell and is running.

    Any idea what I’m doing wrong?


    • August 20, 2012 at 7:59 am

      Hi Mark,

      Thanks for dropping by and letting me know.

      I have a feeling I know what the auto start issue is, I experienced something similar with the new version of cloud gateway. I’ll drop you an email.

      The issue where you can’t launch the desktop is well known. Are you trying to launch thinkiosk.exe or iexplore.exe in the thinkiosk folder?

      The iexplore.exe is for using pass through; Citrix have hard coded iexplore.exe as the only process allowed to retrieve the credentials from SSONSVR and send them to the desktop. The reason you are getting automatically disconnected is because the XenDesktop machine is not receiving the credentials.

  5. Mark
    August 20, 2012 at 8:04 am


    Thanks for the quick reply. I’m using the iexplore.exe located in the thinkiosk folder, which I believe is what you are suggesting should resolve the issue but still having no luck? I have even tried renaming the thinkiosk.exe to iexplore.exe with no luck as well.

    • August 20, 2012 at 9:39 am

      Hi Mark,

      Are you absolutely sure the receiver is working correctly? If you test pass through authentication from an Internet Explorer session instead of ThinKiosk, does it work?

      Did you install the receiver enterprise with the command line above?

      Did you modify the local group policy as above?

      The disconnect from the login page is an issue with credentials from the SSONSVR, I’d imagine you will see this issue too with internet explorer.

  6. Mark
    August 21, 2012 at 8:12 am

    Andrew – I can’t seem to get it working through IE either, which I guess removes thinkiosk as the issue. Not really sure what I’m doing wrong; I have installed and uninstalled receiver enterprise multiple times with the command line above. I even tried using different receiver versions. The GP has been modified as required. It gets through the web interface login page, I just can’t launch the desktop. I even tried multiple PCs with no success. Maybe there’s something I missed on the server side.

    • August 21, 2012 at 5:23 pm

      Hi Mark,

      Have you tried trusting the site? Deleting and recreating the site?

      What version of web interface?

  7. Mark
    August 22, 2012 at 1:11 am

    Andrew – Yes, yes, version 4.5. I just added the XenApp farm to the kiosk website and the passthrough works with the apps but it still doesn’t work with the XenDesktops.

    • August 23, 2012 at 4:57 pm

      Are you getting a strange message on the web interface about trusts? Have you specified on the DDC to trust communication over XML?

  8. UJ
    September 7, 2012 at 5:48 pm

    Thank you so much for this! Putting it all together in one place with step-by-step instructions and screenshots was a big help!

  9. Mark
    September 17, 2012 at 6:44 am

    Andrew – Sorry for the late reply, finally got it working. It was the DDC trust issue you mentioned above. I can log into the PC and the web interface opens fine and the desktop will start when clicked on. Have you had any chance to think about the desktop autostart issue at all? Thanks for all your help. Mark
