Description The SsOnExpert tool is a command-line based application that automates the process of checking common causes of Single Sign On issues in XenApp environments. The tool can be used to verify configuration settings both from the console and remotely. Single Sign-on 5.0 integrates the Single Sign-on Plug-in into Citrix Receiver, simplifies the user experience, enables the Single Sign-on Plug-in to be deployed using Merchandising Server, and includes Simplified Chinese as a supported Single Sign-on Plug-in language. Users access the Single Sign-on Plug-in through the Citrix Receiver icon. The client wants to achieve authenticated access to XenApp/XenDesktop infrastructure via Linux Citrix Receiver using Pass-through authentication (SSO) and AD-based account credentials. The process at the moment is as follows: an end-user has already entered his/her PIN code while receiving Kerberos ticket from AD, yet PIN is asked again for. Single Sign-on 5 Citrix Preview Documentation. You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement. The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change. Citrix Receiver miniOrange SSO (Single Sign-on)product provides easy and seamless access to all enterprise resources with one set of credentials, miniOrange SSO provides Single Sign-on to Citrix Receiver from any type of devices or applications whether they are in the cloud or on-premise.
Navigation
This page details creation of session profiles and policies for NetScaler Gateway 11 where ICA Only (formerly known as Basic Mode) is checked.
Partly based on Citrix Knowledgebase Article CTX139963 – How to Configure NetScaler Gateway with StoreFront
Session Profiles/Policies CLI Commands
The CLI commands are shown below:
Session Profiles
Or use the GUI to create the policies/profiles:
- On the left, expand NetScaler Gateway, expand Policies, and click Session.
- On the right, switch to the SessionProfiles tab, and click Add.
- Name the first one ReceiverSelfService or similar. This is for Receiver Self-Service (not in a web browser).
- Switch to the Client Experience tab.
- Check the Override Global box next to Clientless Access and set it to Allow. Scroll down.
- Check the Override Global box next to Plug-in Type and set it to Java.
- Check the Override Global box next to Single Sign-on to Web Applications and enable it. Scroll up.
- If you need two-factor authentication, the session policy for Receiver Self-Service needs to be adjusted to indicate which authentication field contains the Active Directory password. On the Client Experience tab is Credential Index. This needs to be changed to SECONDARY. Leave the session policy for Web Browsers set to PRIMARY.
- On the Security tab, check the Override Global box next to Default Authorization Action and set it to Allow.
- On the Published Applications tab, check the Override Global box next to ICA Proxy and set it to ON.
- If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the name of your Active Directory domain. StoreFront needs to accept this domain name (Configure Trusted Domains).
- If you have multiple domains, then leave Single Sign-on Domain field blank, and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
- For Account Services Address, enter the Base URL for StoreFront. NetScaler needs to be able to resolve this DNS name.
- Highlight the existing session profile and click Add. This copies the settings from the existing profile into the new one.
- Change the name of the second Session Profile to ReceiverForWeb or similar.
- On the Client Experience tab, Clientless Access should be set to Allow. Scroll down.
- Plug-in Type should still be set to Java.
- Single Sign-on to Web Applications should be enabled.
- If you need two-factor authentication, the session policy for Receiver for Web needs Credential Index set to PRIMARY. Only the Receiver Self-Service policy needs SECONDARY as detailed earlier.
- On the Security tab, the Default Authorization Action should still be Allow.
- On the Published Applications tab, for the Web Interface Address field, add the path to your Receiver for Web site (e.g. /Citrix/StoreWeb).
- Account Services Address only applies to Receiver Self-Service so you can leave it or clear it.
- Everything else should be the same. If you only have one domain, then check the Override Global box next to Single Sign-on Domain and enter the NetBIOS name of your Active Directory domain. If you have multiple domains, then leave this field blank and ensure the LDAP authentication servers have userPrincipalName in the SSO Name Attribute field.
- Account Services Address is not needed in this profile but there’s no harm in leaving it.
- Click Create.
Citrix Pass Through Authentication
Session Policies
- On the right, switch to the SessionPolicies tab, and click Add.
- Name the Policy ReceiverSelfService or similar.
- Change the Request Profile to ReceiverSelfService.
- Either type in or use the Expression Editor link to build the following expression:
- Then click Create.
- Add another policy, and name it ReceiverForWeb or similar.
- Change the Action to ReceiverForWeb.
- In the Expression box, either type in the following or use the Expression Editor. It’s the same as the previous expression, except it’s NOTCONTAINS instead of CONTAINS.
- Click Create.