Configure access to workspaces | Citrix Workspace.Authenticate | Citrix Workspace app LTSR for Windows- Authenticate | Citrix Workspace app for Windows
Click Enable FAS. This change might take up to five minutes to be applied to subscriber sessions. Afterward, the Federated Authentication Service is active for all virtual app and desktop launches from Citrix Workspace.
When subscribers sign in to their workspace and launch a virtual app or desktop in the same resource location as the FAS server, the app or desktop starts without prompting for credentials. Subscribers are prompted for their AD credentials to access each application or desktop.
Single Sign-on Troubleshooting and Diagnostics. When Citrix Receiver for Windows is not configured with Single Sign-on, it automatically switches the authentication method from Domain pass-through to Username and Password, if available.
When Citrix Receiver for Windows is not configured with Single Sign-on, it automatically switches the authentication method from Pass-through to Explicit, if available.
If your existing FAS server is older than Version 10, you can download the latest FAS software from Citrix and upgrade the server in-place before creating this connection. When you create the connection, you select the resource location for your FAS server.
The same FAS server can be used for Workspace and on-premises deployments. You must have Citrix DaaS provisioned and enabled in Workspace. By default, the DaaS is enabled in Workspace Configuration after you subscribe to the service. However, the service requires that you deploy Citrix Cloud Connectors to allow Citrix Cloud to communicate with your on-premises environment.
Deploy at least two Cloud Connectors to ensure high availability. The servers on which you install the Cloud Connector software must meet the following requirements:
If you already have the Resource Locations page loaded in your browser, refresh the page to display the registered FAS server. A list of all FAS servers for all connected resource locations appears. To display FAS servers for a specific resource location, select the resource location from the drop-down list.
Citrix workspace enable sso. Configuring Single sign-on to Workspace app
You can configure various types of authentication for your Citrix Workspace app, including domain pass-through single sign-on or SSON, smart card, and Kerberos pass-through. When enabled, domain pass-through single sign-on caches your credentials, so that you can connect to other Citrix applications without having to sign in each time. Ensure that only software that is in accordance with your corporate policies runs on your device to mitigate the risk of credential compromise.
When you log on to Citrix Workspace app, your credentials are passed through to StoreFront, along with the apps and desktops and Start menu settings. After configuring single sign-on, you can log on to Citrix Workspace app and launch virtual apps and desktops sessions without having to retype your credentials.
You can configure single sign-on on either a fresh installation or an upgrade setup, using any of the following options:
The terms domain pass-through, single sign-on, and SSON might be used interchangeably in this document. Single sign-on lets you authenticate to a domain and use Citrix Virtual Apps and Desktops and Citrix DaaS from the same domain without having to reauthenticate to each app or desktop. When you add a store using the Storebrowse utility, your credentials pass through the Citrix Gateway server, along with the apps and desktops enumerated for you, including your Start menu settings.
After configuring single sign-on, you can add the store, enumerate your apps and desktops, and launch the required resources without having to type your credentials multiple times. Depending on the Citrix Virtual Apps and Desktops deployment, single sign-on authentication can be configured on StoreFront using the Management Console.
In the User Authentication pane, select Automatic logon with current user name and password. You can now log on to an existing store or configure a new store using Citrix Workspace app without entering user credentials. You can configure single sign-on on workspace for web using the Group Policy Object administrative template.
Verify that the single sign-on is enabled by launching the Task Manager and check if the ssonsvr. Complete the following steps to configure Citrix Workspace app for pass-through authentication using Active Directory group policy.
In this scenario, you can achieve the single sign-on authentication without using the enterprise software deployment tools, such as the Microsoft System Center Configuration Manager. It must be accessible by the target machines you install Citrix Workspace app on.
Edit the content to reflect the location and the version of CitrixWorkspaceApp. For more information on deploying the startup scripts, see the Active Directory section. After adding the receiver. For more information about adding the template files, see Group Policy Object administrative template. Select the Local user name and password policy and set it to Enabled. Citrix Workspace app provides an option to disable the storing of authentication tokens on the local disk.
Starting with Version , Citrix Workspace app provides another option to disable the storing of authentication tokens on the local disk. Along with the existing GPO configuration, you can also disable the storing of authentication tokens on the local disk using the Global App Configuration Service. For more information, see the Global App Configuration Service documentation. Configuration Checker lets you run a test to check if the single sign-on is configured properly.
The test runs on different checkpoints of the single sign-on configuration and displays the configuration results. Click Configuration Checker. The Citrix Configuration Checker window appears. Configuration Checker does not include the checkpoint for the configuration of trust requests sent to the XML service on Citrix Virtual Apps and Desktops servers. Citrix Workspace app allows you to do a beacon test using the Beacon checker that is available as part of the Configuration Checker utility.
The Beacon test helps to confirm if the beacon ping. This diagnostic test helps to eliminate one of the many possible causes for slow resource enumeration, that is the beacon not being available. Select the Beacon checker option from the list of Tests and click Run. Citrix Workspace app supports Kerberos for domain pass-through single sign-on or SSON authentication for deployments that use smart cards. When enabled, Kerberos authenticates without passwords for Citrix Workspace app.
As a result, it prevents Trojan horse-style attacks on the user device that try to gain access to passwords. Users can log on using any authentication method and access published resources, for example, a biometric authenticator such as a fingerprint reader.
Enable Kerberos to avoid an extra PIN prompt. To use Kerberos authentication with Citrix Workspace app, check if the Kerberos configuration conforms to the following. Using the Registry editor incorrectly might cause serious problems that can require you to reinstall the operating system. Use the Registry Editor at your own risk. Make sure you back up the registry before you edit it. Before continuing, see Secure your deployment section in the Citrix Virtual Apps and Desktops document.
This option installs the single sign-on component on the domain-joined computer, enabling your workspace to authenticate to StoreFront using IWA Kerberos. If a security policy prevents you from enabling single sign-on on a device, configure Citrix Workspace app using Group Policy Object administrative template. When you configure the authentication service on the StoreFront server, select the Domain pass-through option. That setting enables Integrated Windows Authentication.
You do not need to select the Smart card option unless you also have non domain-joined clients connecting to StoreFront using smart cards.
For more information about using smart cards with StoreFront, see Configure the authentication service in the StoreFront documentation. Conditional Access is a tool used by Azure Active Directory to enforce organizational policies. Workspace administrators can configure and enforce Azure Active Directory conditional access policies for users authenticating to the Citrix Workspace app.
You can configure the following authentication mechanisms with the Citrix Workspace app. For the following authentication mechanisms to work as expected, the Windows machine running the Workspace app must have Microsoft Edge WebView2 Runtime version 99 or later installed.
Pass-through authentication single sign-on - Pass-through authentication captures the smart card credentials when users log on to Citrix Workspace app. Citrix Workspace app uses the captured credentials as follows:
Bimodal authentication - Bimodal authentication offers users a choice between using a smart card and typing the user name and password. For example, the logon certificate has expired. Dedicated stores must be set up per site to allow Bimodal authentication, using the DisableCtrlAltDel method set to False to allow smart cards. Bimodal authentication requires StoreFront configuration. Using the Bimodal authentication, the StoreFront administrator can allow both user name and password and smart card authentication to the same store by selecting them in the StoreFront console. See StoreFront documentation.
Multiple certificates - Multiple certificates can be available for a single smart card and if multiple smart cards are in use. When you insert a smart card in a card reader, the certificates are applicable to all applications running on the user device, including Citrix Workspace app.
Client certificate authentication - Client certificate authentication requires Citrix Gateway and StoreFront configuration.
Smart card-enabled applications - Smart card-enabled applications, such as Microsoft Outlook and Microsoft Office, allow users to digitally sign or encrypt documents available in virtual apps and desktops sessions.
Some configuration requires registry edits. Using the Registry editor incorrectly might cause problems that can require you to reinstall the operating system. To configure Citrix Workspace app for Windows, include the following command-line option during installation:
Single sign-on is another term for pass-through authentication. In the Registry editor, navigate to the following path and set the SSONCheckEnabled string to False if you have not installed the single sign-on component. The key prevents the Citrix Workspace app authentication manager from checking for the single sign-on component and allows Citrix Workspace app to authenticate to StoreFront.
To enable smart card authentication to StoreFront instead of Kerberos, install Citrix Workspace app for Windows with the following command-line options:
Enables credential caching and the use of pass-through domain-based authentication. If the user logs on to the endpoint with a different authentication method, for example, user name and password, the command line is:
This type of authentication prevents capturing of the credentials at logon time and allows Citrix Workspace app to store the PIN during Citrix Workspace app login.
By default, if multiple certificates are valid, Citrix Workspace app prompts the user to choose a certificate from the list. Instead, you can configure Citrix Workspace app to use the default certificate per the smart card provider or the certificate with the latest expiry date. If there are no valid logon certificates, the user is notified, and given the option to use an alternate logon method if available.
Prompt is the default. For SmartCardDefault or LatestExpiry, if multiple certificates meet the criteria, Citrix Workspace app prompts the user to choose a certificate. If your site or smart card has more stringent security requirements, such as to disallow caching the PIN per-process or per-session, you can configure Citrix Workspace app to use the CSP components to manage the PIN entry, including the prompt for a PIN.
A Citrix Virtual Apps session logs off when you remove the smart card.
