FAQ: Kerberos Support for XenDesktop 7.x


Article ID: CTX212302


Description

Q: Does StoreFront 3.5 support configuring Kerberos authentication with XenDesktop 7.8?

A: XenApp 6.5 supports Kerberos, but XenDesktop 7.x does not. Going forward, Kerberos will be replaced with virtual smart cards. The reasons are the newer FMA architecture and Microsoft's SAM architecture changes in newer Windows servers.

"Active Directory logon permits two techniques: username/password and smart card. The StoreFront and User Credential Service accept an SSO assertion based on the identity provider and convert that into a network virtual smart card logon for active directory." For more information, see the SAML Authentication Technology Preview for XenApp and XenDesktop: https://www.citrix.com/blogs/2016/03/03/saml-authentication-technology-preview-for-xenapp-and-xendesktop/

Old architecture (used in XenApp 6.5) 
https://technet.microsoft.com/en-us/library/dn169014%28v=ws.10%29.aspx 

New architecture (Windows 10 / Server 2016) 
https://technet.microsoft.com/en-us/itpro/windows/whats-new/security 
Search for “Virtualization-based security” 

This started in Server 2012 R2, is fully implemented in Windows 10, and will be in Server 2016. To meet the need for federated authentication, we are building a solution that uses network virtual smart cards rather than Kerberos. Windows will view the logon as a smart card authentication; the Citrix Federated Authentication Service holds the cards, and use of the cards is enabled based upon NetScaler/StoreFront authentication, where SAML already exists.

The SAM architecture changes in newer versions of Windows operating systems prevent the technique that Citrix used to implement KCD (Kerberos Constrained Delegation) on XenApp 6.5. The SAM in the newer operating systems runs in a mini VM, separate from the main Windows OS. Inserting the KCD hooks into the SAM on the new OSes would place them in that separate machine, where they could not perform the work to log the user onto the machine.

https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-8/install-configure/install-prepare.html

Issue/Introduction

An explanation as to why Kerberos will not work on XenDesktop 7.x and is only supported on XenApp 6.5.