The environment has been configured as explained on https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/domain-passthrough-for-single-sign-on

Despite the valid configuration on VDA and Client, users experience a login prompt when launching a virtual desktop or application.

Analysis confirmed that ctxauth.dll, required for Enhanced SSO, was not injected into the lsass.exe process.

The issue is caused by the 'Allow Custom SSPs and APs to be loaded into LSASS' group policy being set to Disabled.

This prevents the ctxauth.dll from loading into the Local Security Authority Subsystem Service (lsass.exe), which is required for Enhanced SSO functionality.

Enable the following group policy:

Policy Location:
Computer Configuration > Administrative Templates > System > Local Security Authority

Policy Name:
Allow Custom SSPs and APs to be loaded into LSASS

Action:
Set the policy to Enabled

After enabling the policy and rebooting the system, ctxauth.dll is loaded into lsass.exe, and Citrix Enhanced SSO operates as expected.

The issue is observed during Virtual Delivery Agent (VDA) session launch attempt, where user credentials are prompted instead of SSO being performed