Pass Thru Authentication with Citrix Receiver 4.3.x and Web Interface

We are testing Citrix receiver 4.3 and are having trouble getting pass thru authentication to work. We are currently running 4.2 without any problems. I was wondering if anyone else has run into problems.

Our environment consists of:
2008R2 servers running Xenapp 6.5 with Rollup Pack 6
2008R2 server running Web Interface
All clients running Windows 7 with 4.2.10..1 Citrix receiver

Since we are running 4.2 using pass thru, we are not strangers to the way Citrix needs to be set up, but we must be missing something with 4.3.

We use the following command when installing

After it installs and we reboot the system, the receiver is asking for a user name and password. This doesn't happen in 4.2. If we enter credentials, it works. Of course this is bypassing pass thru. If we just cancel out of the login screen and reboot, the receiver starts but never seems to log in.

Any suggestions?
Larry Schroeder Asked:

Sekar Chinnakannu, Staff Engineer, Commented:
Can you validate these steps and make sure it's correct?
Larry Schroeder, Author, Commented:
Thanks for the link.

We went through and verified the settings in the document. Everything looked correct.

We then decided to try and do a manual install without using our script. We ran the install by clicking on the .exe file and chose to install pass thru. We were then able to open the client and configure everything thru self service and we saw all of the users' apps.

We want to disable self service and just have all the apps show up in the start menu as we did in version 4.2. Only way we can get the apps to show up in the start menu is to put a checkmark by them in the self service menu. When we disable self service, none of the apps show up in the start menu.
Brian Murphy, Senior Information Technology Consultant, Commented:
Apologies but that STORE0 is StoreFront.  That works with StoreFront only, not Web Interface.

You can install StoreFront, create a Store that only points to your XenApp Controllers.

This would be like the popup box that asked for email address.  That requires a SRV record, DNS and some other stuff to work.

The 4.3.1 client once installed has ADMX files that should go into the C:\Windows\Policydefinitions folder OR your SYSVOL share where the centralized policies reside.

Otherwise you should stay with Receiver 4.2.1.  There is just no value to 4.3.1 without Storefront 2.6 or 3.

Not to mention version 7.6 XenApp with Update Rollup 2 and Feature Pack 1 and Feature Pack 2.

FP 2 enables Framehawk but requires 4.3.1 client, Netscaler Firmware 11+, StoreFront 3.

Storefront 3 you also have the option to make that Store like a legacy PN Agent site with a Powershell command but you must update the WMI framework using Citrix latest update and the new Powershell modules.

Much longer conversation.
Brian Murphy, Senior Information Technology Consultant, Commented:
You're probably already aware of this but you left out the ADMX files and Dazzle registry key settings.  And I've never seen anything that clearly states this other than the examples but on the install they mean StoreFront URL + /Discovery.

Then, you might see a reference to the ADMX files but what they don't tell you is that is after the install and you only need the receiver.admx from somewhere here:
“C:\Program Files (x86)\Citrix\ICA Client\Configuration”  also grab the corresponding .adml file.

Then you have two options:
1. Copy those files to your C:\Windows\PolicyDefinitions folder (ADMX) and the ADML to EN folder

2.  If you already have a GPO Central Store on SYSVOL then they would go there but for simplicity let's say you copy those to the local device.

And I want to be clear that when I did this it was with Storefront not Web Interface.

With Storefront installed you have created the Store and the Receiver for web component.  The first one is what they are referring to but you don't need it in the command line.

You can set that also in Group Policy.

Click Start, Run, MMC.exe, ENTER

Add snapin Group Policy Editor, Local.

Under Machine and User containers you will see a new Citrix folder.  Under the Citrix folder you will see USER AUTHENTICATION, LOCAL USER NAME AND PASSWORD AS INDICATED BY EXHIBIT 1 ATTACHED.  Check both boxes.

After the receiver.admx, receiver.adml template has been successfully added, expand Computer Configuration > Administrative Templates > Citrix Components > Citrix Receiver > User authentication.

Choose Local user name password setting.

Select Enable pass-through authentication and Allow pass-through authentication for all ICA connections options when enabling the preceding policy.

Then you would go back to the Storefront Server, that store, and set those same two Authentication Methods.

And we have a long way to go.  Just Google "Dazzle" and receiver 4.3.  But I digress.

Now, when I went through this, Citrix documentation was worse than it is now.  You won't find a lot of these items in the Citrix 4.2 or 4.3 EDOCS.

And don't bother calling Citrix to open a case if you want to use the Dazzle key setting to force all apps mandatory instead of actually do that in XenApp 7.6 as designed.  But if you are doing POC, might not want to jack with your production.

Now several of those keys can be done with the ADMX file.  Like create Startfolder named Citrix and a Desktop folder named Citrix, Enable pre-launch.  There are about 15 settings.

So going back to the next setting is the STORE setting versus the command line.

If you go command line it might look something like:
CitrixReceiver.exe /includeSSON /ENABLESSON=Yes STORE0="Store;;on;STORENAME"

Notice the IncludeSSON followed by EnableSSON.  Look at the syntax on the Store0.

You might not know that unless you add the ADMX files, open gpeditor and it tells you the syntax.  That first entry of Store; is the actual name of the StoreFront Server.  That is actually the default name and the receiver for web is StoreWeb.

Then you have a mandatory semi-colon, no space, then the name of your Storefront (NOT Receiver for Web) and you tack on the /discovery.  Another semi-colon, the word on as in turn it on, semi-colon, what I call the Friendly name.  This is what the users see in the Single Sign On Console, that big green box that pops up and if you have more than one store they could check all of them.  That is what it is.

Now, you might think that is enough but it isn't.  

You're going to go back to Storefront, and modify some web.config files first.  Easier at this point just to find a link:

Ignore the desktop lock, that is the last step and optional.  Everything else is valid but this one is missing the GPO stuff.

Make the changes, open CMD prompt, IISRESET

On your delivery controller that corresponds that store or you might have one or three but you must go to each one and then open powershell and tell your broker service to trust this XML stuff I'm about to send from Storefront not web interface

Log on the Delivery Controller(s), then open Windows PowerShell and execute the following commands to enable the Delivery Controller to trust XML requests sent from StoreFront:
If not already loaded, load the Citrix cmdlets by typing asnp Citrix*. (be sure to include the period after Citrix*).
Press Enter.
Then type Add-PSSnapin and press Enter.
Then type Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True and press Enter.
Close PowerShell. 

There are still requirements left like having the entire FQDN as you made it in the Intranet Zone and if that zone is not set to the User username and password none of it will work.

This one here appears to have all the steps but references the ADM files not ADMX and does not list the other settings we spoke about

This one shows the GPO settings and the corresponding Storefront settings

If you were like me, how hard can it be.  You're in for a surprise.  

Enterprise client 3.4 is gone, PNAgent is history but there is actually a Powershell command to enable PNAgent functionality.

Thing is, that is by design.  Like it or not, Citrix has moved to a concept that is more like a Google App HTML 5 look and feel.  You control how Storefront looks more with XenApp by defining categories and tagging the apps as mandatory or optional.

That was the hardest part.   Everyone wants to go to Storefront.  WI is going away.  We must get on Storefront.

Well, you're screwed if you want to use Storefront and have your Start Menu populate with applications.  That is the opposite of the design.

Storefront is built on a self service model where people are supposed to delegate out those responsibilities and managers of each LOB have control of what applications they assign their employees allowing them better control over who gets what and licensing costs for that matter.

If you migrate from 6.5 to 7.6 you are supposed to configure your machine groups and delivery groups in a way that decentralizes administration while centralizing the hosting aspect.  

Yet, you will probably never hear that from someone at Citrix.  And it is not obvious in the documentation.

But that has always been the case.  They have never had good documentation which left it up to us to learn the product, make it work so on and so forth.

I know it is extremely difficult but I had to watch all the boring videos on Citrix TV or youtube, master classes, two hour live implementations.  And if you watch enough of them you get bits and pieces pulled out of each presentation and eventually reach this same conclusion.

I would not be surprised if Citrix starts moving more to HTML 5 strategically.  Where your machine and browser are now agnostic.  Like Google apps or Office 365.

I study patterns, and right now whether you want it or not Microsoft is slowly doing away with MSI and forcing everyone to APPV.  Why?  Because a tool like Wyse Studio which disappeared btw right after Dell bought Wyse and Microsoft and Dell close to the marriage point.  

You cannot get a tool like that one where you could upload all your MSI's to a SQL server, do preflight check, DLL remediation on the fly, automated merge module compliance while comparing it against the baseline of your OS and can spit out a report of every dll to dll to ocx to this or that and spit out a MSI you could deploy mid-day and never cause an outage.  

Microsoft needed another cash flow.  So now, you pay full price for the application, and you're probably going to pay a little extra more to APP-V that application and host it on Citrix.

The latest version ships with APPV integration?  In the VDA and the Director console.  Last time I tried to use a APPV solution it took 6 people for 300 applications and a disappointing success rate.  Luckily, Wyse Studio was there and worked every time.

So, pretty much plan for Storefront concept, some apps in XenApp and then you have the AppV which can run in XenApp or from a file share to the workstation or a VDI solution.

It is a self service, cloud methodology solution where the decentralized application management will help drive sales once managers catch on they don't have to do everything through IT and you probably won't be able to buy a viable MSI packaging tool in the next 3 years.  It started off with SCCM integration which just happens to host the APPV distribution component, full reporting and now it is embedded at default in XenApp Server and XenDesktop Site Controllers / Delivery Controllers and both workstation and server VDA's.

Where users simply logged in to a web portal and applications fill the screen whether you use them or not you can give them a 7.6 VDI XenDesktop solution, install the Citrix 4.3 receiver and you can either tell the users to click on the plus sign and add the applications themselves or you must configure XenApp to say which are mandatory, just be on the application tab where the first tab is favorites and a blank screen.

The Storefront website is structured identical to the receiver client.  There is no possible way to give your legacy users that same look and feel.  If you don't implement the product as designed you will be pounded daily by people wanting to have this app or not that app or I don't want to click on the plus sign.  Sooner or later people will configure XenApp to fully utilize storefront and gladly pass that off to the LOB managers and in reality that is a good thing and should create growth and more adoption of the product if you consider that one of your job security software components.

What we just discussed right here taking 15 steps to do SSON is probably the easiest part of the equation.
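
The STORE0 layout described in the comment above (store name; StoreFront store URL ending in /discovery; on; friendly name), as an added PowerShell check that is not part of the original thread and is not Citrix tooling. The function name Test-Store0Value, the storefront.example.test host, the https requirement and the acceptance of "off" as the other state value are assumptions of this example.

```powershell
# Added example, not from the thread. Requires PowerShell 3.0 or later.
# Field layout as described in the post: Name;StoreURL/discovery;on;Friendly name
function Test-Store0Value {
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Value)

    $problems = New-Object 'System.Collections.Generic.List[string]'
    $fields = $Value.Split(';')
    if ($fields.Count -ne 4) {
        $problems.Add("expected 4 semicolon-separated fields, found $($fields.Count)")
    }
    else {
        $name, $url, $state, $friendly = $fields
        if ([string]::IsNullOrWhiteSpace($name)) { $problems.Add('field 1 (store name) is empty') }

        $uri = $null
        if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
            $problems.Add('field 2 (store URL) is empty or not an absolute URL')
        }
        else {
            $path = $uri.AbsolutePath.TrimEnd('/')
            # Assumption of this example: the store is reached over TLS.
            if ($uri.Scheme -ne 'https') { $problems.Add('field 2 (store URL) is not https') }
            if ($path -notmatch '/discovery$') {
                $problems.Add('field 2 (store URL) does not end in /discovery')
            }
            # Heuristic: the post gives "StoreWeb" as the Receiver for Web name.
            if ($path -match 'Web(/discovery)?$') {
                $problems.Add('field 2 looks like a Receiver for Web site, not the store')
            }
        }
        # The post uses "on"; "off" is assumed to be the other accepted value.
        if ($state -notin 'on', 'off') { $problems.Add("field 3 must be on or off, got '$state'") }
        if ([string]::IsNullOrWhiteSpace($friendly)) { $problems.Add('field 4 (friendly name) is empty') }
    }
    [pscustomobject]@{ Value = $Value; Valid = ($problems.Count -eq 0); Problems = $problems -join '; ' }
}

# Sample values: the first is the string as it appears in the post (URL field
# empty there); the other two are constructed for this example.
$samples = @(
    'Store;;on;STORENAME',
    'Store;https://storefront.example.test/Citrix/Store/discovery;on;Corp Apps',
    'Store;https://storefront.example.test/Citrix/StoreWeb;on;Corp Apps'
)
$samples | ForEach-Object { Test-Store0Value -Value $_ } | Format-List
```

Running the check against the value in a deployment script before the installer is invoked catches an empty or Receiver for Web URL, which otherwise only shows up as a credential prompt on the client after reboot.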

Brian Murphy, Senior Information Technology Consultant, Commented:
Oh yea, and here is a glimpse into the next 6 months future