Citrix StoreFront 2.5 and Single Sign-on

With the release of XenDesktop / XenApp 7.5, Citrix StoreFront has brought back a much sought-after feature: single sign-on (domain pass-through) of the user's local Windows credentials to the StoreFront site.

Citrix StoreFront SSO can be the only configured method, or the user can be given a choice if you select more than one authentication type, as below:


(Screenshot: StoreFront authentication choice)



Desktop Appliance site (slight deviation, bear with me):


An interesting addition in StoreFront 2.5 is that a Desktop Appliance site is installed by default. Richard covers what a Desktop Appliance site is really well in this article for the current release of StoreFront. It's worth noting that the Desktop Appliance site runs on the older StoreFront code base and, strangely, does not currently support single sign-on.




Back on topic!


Below is a quick guide to getting it working, with any interesting features noted along the way. I've broken this piece down into three parts: Delivery Controller configuration, client configuration and StoreFront configuration.


XenDesktop Delivery controller configuration:


On each Delivery Controller that the StoreFront site can reach, run the following two commands (they load the Citrix PowerShell snap-in and set the site to trust requests sent to the XML Service port):

(Screenshot: broker XML trust level commands)

Be aware of what this does. With XML trust enabled, the broker accepts the user identity that StoreFront asserts without ever seeing a password, so anyone who can reach the XML Service port can impersonate any user (enumerate and launch their resources, disconnect their sessions). Restrict that port to the StoreFront servers with firewall rules or IPsec before you enable it.
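The following is an added example, not a screenshot transcription from the original post: it enables XML trust on a Delivery Controller the way the two commands above do, verifies the setting, and then scopes the XML Service port to the StoreFront servers. The StoreFront addresses and the port number (TCP 80 is the default; change it if you moved the XML Service) are placeholder assumptions.

```powershell
# Added example (not from the original post). Run elevated on each Delivery
# Controller. Assumptions: the XML Service listens on TCP 80, and the
# StoreFront servers are the placeholder addresses below.
Add-PSSnapin Citrix.*

# Make the broker trust identity assertions (domain pass-through) that
# arrive on the XML Service port.
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

# Verify it took effect rather than assuming.
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    throw "XML trust is still disabled on site $($site.Name)"
}

# XML trust means the broker believes whoever talks to it, so only the
# StoreFront servers should be able to. Placeholder addresses; replace them.
$storeFrontServers = @('10.0.0.21', '10.0.0.22')   # assumed
$xmlPort = 80                                       # assumed default

New-NetFirewallRule -DisplayName 'Citrix XML Service - StoreFront only' `
    -Direction Inbound -Protocol TCP -LocalPort $xmlPort `
    -RemoteAddress $storeFrontServers -Action Allow | Out-Null

# Windows Firewall evaluates block rules before allow rules and any other
# enabled allow rule for this port (for example the one IIS creates) would
# open it to everyone, so list those rules for review and disable them by hand.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $_.DisplayName -ne 'Citrix XML Service - StoreFront only' -and
        (($_ | Get-NetFirewallPortFilter).LocalPort -contains "$xmlPort")
    } |
    Select-Object DisplayName, Name
```

Rules whose port filter is "Any" will not show up in that last listing, so check those separately if your default inbound policy is not Block.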


Client Configuration:


(Shawn Bass did a lot of the hard work here for me, so a thank you for that!)

When installing the client, you can enable the single sign-on feature with the following command line. The STORE0 parameter takes the form storename;storeurl;On|Off;description, so supply your store's URL in the second field:

[code language="bash"]
CitrixReceiver.exe /includeSSON /ENABLE_SSON=Yes /silent STORE0="Store;;on;Store"
[/code]


Once this is complete, add the StoreFront URL to the user's Trusted sites zone in Internet Explorer, then set the following in that zone's security settings (User Authentication > Logon: Automatic logon with current user name and password):


(Screenshot: Trusted sites zone settings)


Once complete, open Group Policy on the local machine (or an Active Directory Group Policy) and import the icaclient.adm template. The typical paths are below for convenience:


C:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm


C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm


Once you have imported this ADM file, configure the following values under the Computer Configuration (LOCAL MACHINE) node*

*the policies don't work under User Configuration, oddly.

Configure the authentication policy (Local user name and password: enable pass-through authentication):


(Screenshot: Group Policy, local user name and password)

Configure the Web Interface authentication ticket settings as well:

(Screenshot: Group Policy, authentication ticket settings)




Now reboot the machine, log in, and check that ssonsvr.exe is running in Task Manager.
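The following is an added example, not part of the original post: it scripts the Trusted sites part of the client setup (the zone entry and the automatic logon setting) and then runs the checks above after the reboot. The StoreFront host name is a placeholder assumption, and it writes the zone settings for the logged-on user (HKCU), which is the same place the Internet Options dialog writes them.

```powershell
# Added example (not from the original post). Run as the user who will log
# on through Receiver. Assumes the StoreFront host below (placeholder) and
# that Receiver was already installed with /includeSSON.
$storeFrontHost = 'storefront.lab.local'   # assumed placeholder

# 1. Put the StoreFront host in the Trusted sites zone (zone 2) for https.
#    IE stores this as Domains\<second-level domain>\<host label(s)>.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$parts = $storeFrontHost.Split('.')
if ($parts.Length -ge 3) {
    $domainKey = Join-Path $zoneMap ($parts[-2..-1] -join '.')
    $key = Join-Path $domainKey ($parts[0..($parts.Length - 3)] -join '.')
} else {
    $key = Join-Path $zoneMap $storeFrontHost
}
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null

# 2. In the Trusted sites zone, set User Authentication > Logon to
#    "Automatic logon with current user name and password" (value 1A00 = 0).
#    Without this the browser never sends the user's Windows credentials.
$zone2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
Set-ItemProperty -Path $zone2 -Name '1A00' -Value 0 -Type DWord

# 3. Post-reboot sanity checks: the ADM template is where we expect it, and
#    the single sign-on service is actually running.
$admPaths = @(
    "$env:ProgramFiles\Citrix\ICA Client\Configuration\icaclient.adm",
    "${env:ProgramFiles(x86)}\Citrix\ICA Client\Configuration\icaclient.adm"
)
$adm = $admPaths | Where-Object { Test-Path $_ } | Select-Object -First 1
if ($adm) { "ADM template: $adm" }
else { Write-Warning 'icaclient.adm not found; was Receiver installed?' }

$sson = Get-Process -Name ssonsvr -ErrorAction SilentlyContinue
if ($sson) { "ssonsvr.exe is running (PID $($sson.Id))" }
else { Write-Warning 'ssonsvr.exe is not running: re-check /includeSSON, the Computer Configuration policies, then reboot' }
```

If your environment pushes the zone settings by Group Policy (Site to Zone Assignment List), the HKCU keys above are ignored in favour of the policy keys, so make the same two changes there instead.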


Storefront Configuration:


I'm going to assume you've already installed StoreFront, so let's start from there.


Make your way down to the 'Authentication' node, choose 'Add/Remove Methods' and select 'Domain pass-through' as an authentication type:


(Screenshot: adding the Domain pass-through option in the StoreFront console)


Note the warning: Receiver for Web will also need some configuration, so that's our next step:


(Screenshot: highlighted change needed on the Receiver for Web site)


Make your way down to your 'Receiver for Web' node and select 'Choose Authentication Methods':


(Screenshot: adding the authentication method to the Receiver for Web site)





As you can see above, Domain pass-through is now an option, with a nice little warning:


(Screenshot: Receiver for Web pass-through warning)



Note: if you don't want SSO to be optional, don't publish additional authentication types on this Receiver for Web site.



The quickest way to test is to go right ahead and use StoreFront in anger, but if you're the cautious type, StoreFront 2.5 includes a test page under the Receiver for Web site at DomainPassthroughAuth/test.aspx. If you browse to it from a configured machine, you should see the following screen:



(Screenshot: pass-through authentication test page)



If you are prompted as below, or see any of the following errors, go back a few steps and check what you missed:


(Screenshot: SSO test failing on the test page with a credential prompt)


The following errors mean you've got the configuration wrong on the client side:


(Screenshot: "no trusted submit" error)

(Screenshot: "no logon methods" error; pass-through credentials not set)

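The following is an added example, not part of the original post: it exercises the test page from a configured client in two ways, so you can tell a client-side problem from a StoreFront-side one without a screenshot. The Receiver for Web URL is a placeholder assumption, as is the exact location of test.aspx under it.

```powershell
# Added example (not from the original post). Run on a configured client as
# the domain user. Assumes the Receiver for Web URL below (placeholder) and
# that the test page lives at DomainPassthroughAuth/test.aspx under it.
$storeWeb = 'https://storefront.lab.local/Citrix/StoreWeb'   # assumed
$testUrl  = "$storeWeb/DomainPassthroughAuth/test.aspx"

# 1. Anonymous request. A correctly configured site must refuse it and
#    challenge for Windows authentication rather than serve the page; if it
#    serves the page, pass-through is not actually enforced on StoreFront.
try {
    $anon = Invoke-WebRequest -Uri $testUrl -UseBasicParsing
    Write-Warning "Anonymous request returned $($anon.StatusCode): pass-through is not enforced on the server"
} catch {
    $resp = $_.Exception.Response
    if ($resp -and [int]$resp.StatusCode -eq 401) {
        "Server challenged anonymous request with: $($resp.Headers['WWW-Authenticate'])"
    } else {
        throw   # anything other than 401 is a real error, surface it
    }
}

# 2. Same request sending the logged-on user's Windows credentials, which is
#    what the browser does once the site is in Trusted sites with automatic
#    logon. Success here with a failure in the browser points at the client
#    (zone settings, policies, ssonsvr.exe); failure here points at StoreFront.
$auth = Invoke-WebRequest -Uri $testUrl -UseBasicParsing -UseDefaultCredentials
if ($auth.StatusCode -eq 200) {
    "Pass-through succeeded for $env:USERDOMAIN\$env:USERNAME"
} else {
    Write-Warning "Authenticated request returned $($auth.StatusCode)"
}
```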

And that's it, happy SSO'ing!



15 Comments on "Citrix StoreFront 2.5 and Single Sign-on"

  1. james

    App Controller 2.10 and SF 2.5 don’t seem to play well together. Can’t aggregate AppC with SF, just get this in the event log:
    An error occurred while attempting to write information to the Citrix servers: Unable to write data to the transport connection: An existing connection was forcibly closed by the remote host.. This message was reported from the XML Service at address https://appcontroller.lab.local:443/scripts/wpnbr.dll [NFuseProtocol.TRequestAppData]. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

  2. Kim

    When I access an application via receiver web. It prompts me to login to windows server and after logging in the app will launch. If I remove the Domain pass-through then it launches properly. I tested the DomainPassthroughAuth/test.aspx and got the windows authentication.

    Not sure why it prompts to login in again. Do you know what the issue might be?

    This is our test lab and we are not using https

    Any feedback would be greatly appreciate it

  3. alozzy

    To follow up on JD's comment, it seems that SSO (domain pass-through) only works for the Receiver for Web site on StoreFront (in other words, when using a browser rather than the native interface for the locally installed Citrix Receiver).

    Andrew, do you have a definitive answer on that?

  4. dfdf

    You should mention the security risks of enabling xml trusts! The xml broker communication needs to be isolated between only the Storefront server and the xml brokers through firewall rules or ipsec before enabling xml trusts.

    Evil-doers can do great damage (like disconnecting users) if this is not done; see the official Citrix article about this.

  5. Radek

    SSON with Receiver for Web is not working if it’s running over NetScaler LoadBalancing. I had a Case open with Citrix, and they have confirmed that.

  6. David Thomas


    I have configured as per the settings. The SSO works OK when I use a web browser, but when I launch the Citrix Receiver client it shows no applications. As mentioned earlier, does SSO work with the Citrix Receiver? I want it to work this way as I want to deliver user virtual desktops and then inside that desktop use Receiver to manage users' shortcuts to applications in the start menu.

    1. andyjmorgan Post author

      I had that issue recently. My problem was a dodgy storefront server. I removed the offender from the load balance and it worked correctly again.

      Also check that the proxy is not set to autodiscovery or you experience a long delay!

  7. PeersB


    Good stuff. Used your article and it was spot on. Just a quick question: the customer wants apps to zoom straight up and doesn't want to press the lonely "log on" button in your screenshot right at the start of the article.

    know how we could get it to go straight to apps when opening the URL?


  8. Paul

    Implemented this exactly according to this article. Works like a charm.
    We also have a XA 6.5 farm that operates with this SF website. Since we added that farm, if you log off in StoreFront it will give you a "logoff error". Things seem fine though. Just strange.
    And what happens on the XA 7.6 site is that all apps are logged off but apps from the 6.5 farm remain open.
    We did not do the trust XML PS command on the XA 6.5 XML brokers. How can I work around this? Do you have any idea?

