VDA 2203 OS Windows 11 || Username password incorrect with domain passthrough and SSON not working

Article ID: CTX692763

Description

Users receive a "username or password incorrect" error when using domain pass-through, and single sign-on (SSON) does not work on a Windows 11 VDA.

Resolution

  • The Enable MPR notifications for the System policy in the Group Policy Object template must be enabled to support domain pass-through (single sign-on) authentication on Windows 11. On Windows 11 24H2 this policy is disabled by default, so after upgrading to Windows 11 24H2 you must enable it.

  • Legacy domain pass-through (SSON) authentication requires the Enable MPR notifications for the System policy. Enhanced domain pass-through does not depend on this policy and works without enabling it.

Follow the steps below:

StoreFront configuration

You must enable domain pass-through authentication for the store and its corresponding website.

Perform the following steps to enable Domain pass-through for the store:

  1. Open the StoreFront management console.
  2. Go to Store > Manage Authentication methods. The Manage Authentication Methods - Web window appears.
  3. Select the Domain pass-through checkbox.
  4. Click OK.

Perform the following steps to enable Domain pass-through for the website:

  1. Open the StoreFront management console.
  2. Open Stores > Receiver for Websites tab > Manage Receiver for Web Sites > Configure > Authentication Methods. The Edit Receiver for Web site - /Citrix/Web window appears.
  3. Select the Domain pass-through checkbox.
  4. Click OK.

Citrix Policy configuration

You must enable the Enhanced domain pass-through for single sign-on setting using a Citrix policy:

  1. Navigate to Citrix Studio or the web console.
  2. Click Policies > Create Policy. The Create Policy dialog box appears.
  3. Search for the Enhanced domain pass-through for single sign-on policy. The Edit Settings dialog box appears.
  4. Select the Allowed option to enable the Enhanced domain pass-through for single sign-on policy.
  5. Click OK.

Session host configuration

After enabling the Enhanced domain pass-through for single sign-on feature using a Citrix policy, you must also enable a Windows setting on the session hosts. You can enable the Windows setting through local policy or GPO:

  1. Navigate to Computer Configuration\Policies\Administrative Templates\System\CredentialsDelegation.
  2. Enable the Remote host allows delegation of non-exportable credentials setting.
  3. Reboot the session host for the setting to take effect.

Note:

The Remote host allows delegation of non-exportable credentials setting is not available in Windows Server 2016 local policy. If you need to configure this setting locally on the session host instead of through a GPO, add the following registry value:

Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa

  • Value type: DWORD
  • Value name: DisableRestrictedAdmin
  • Value data: 0

Client device configuration

You must do the following on the client device:

  • Enable Enhanced domain pass-through for single sign-on
  • Trust StoreFront site

Enable Enhanced domain pass-through for single sign-on

You must enable the Enhanced domain pass-through for single sign-on feature on the client device. You can do this through local policy or GPO.

  1. Navigate to Computer Configuration\Policies\Administrative Templates\Citrix Components\Citrix Workspace\User Authentication.
  2. Enable the Enhanced Domain pass-through for single sign-on setting.
  3. Restart Citrix Workspace app for the setting to take effect.

Trust StoreFront site

You must make sure your StoreFront URL is trusted by the client devices. If the URL is not part of an already trusted domain, you must add it as either a Local intranet site or a Trusted site. You can do this through local policy or GPO.

  1. Navigate to Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page.
  2. Enable the Site to Zone Assignment List setting and add the appropriate URLs with their corresponding zone assignment.
  3. Enable the Logon options setting and set it to Automatic logon with current username and password.
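
The following PowerShell audit script is an added example, not part of this article or of Citrix's tooling. It reads the registry values that back the Windows policies configured in the steps above and reports which are missing or set incorrectly. Only HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin is named in the article; the other paths and value names are assumed from the corresponding Windows and Internet Explorer policy templates, and the StoreFront host name is a placeholder.

```powershell
# Added example (not from the Citrix article): audit the registry values behind the
# session-host and client settings described above. Run in an elevated prompt.
param(
    # Placeholder: must match the entry you added to the Site to Zone Assignment List
    [string]$StoreFrontSite = 'storefront.example.com'
)

# Assumption: the IE security policies live under this key when set by GPO
$ie = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

$checks = @(
    @{ Setting  = 'Enable MPR notifications for the System (legacy SSON; off by default on 24H2)'
       Path     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   # assumed
       Name     = 'EnableMPR'; Expected = 1 },
    @{ Setting  = 'Remote host allows delegation of non-exportable credentials (session host)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'   # assumed
       Name     = 'AllowProtectedCreds'; Expected = 1 },
    @{ Setting  = 'Lsa\DisableRestrictedAdmin (Server 2016 local fallback from the Note)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'                        # from article
       Name     = 'DisableRestrictedAdmin'; Expected = 0 },
    @{ Setting  = "Site to Zone Assignment List entry for $StoreFrontSite (1=Intranet, 2=Trusted)"
       Path     = "$ie\ZoneMapKey"                                                      # assumed
       Name     = $StoreFrontSite; Expected = @(1, 2) },
    @{ Setting  = 'Intranet zone Logon options = Automatic logon with current username and password'
       Path     = "$ie\Zones\1"                                                         # assumed
       Name     = '1A00'; Expected = 0 }
)

# The Citrix policy in Studio and the Workspace app GPO setting are verified in those
# consoles; this script covers only the Windows-side registry values.
foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    $status = if ($null -eq $actual) { 'MISSING' }
              elseif ([int]$actual -in @($c.Expected)) { 'OK' }
              else { 'WRONG' }
    [pscustomobject]@{
        Status   = $status
        Setting  = $c.Setting
        Actual   = $actual
        Expected = ($c.Expected -join ' or ')
        Location = "$($c.Path)\$($c.Name)"
    }
}
```

Run it once on a session host and once on a client device; a MISSING or WRONG row points at the step above that still needs to be applied (or a GPO that has not yet refreshed).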


Problem Cause

The configuration for "Enhanced domain pass-through for single sign-on" is not complete as specified in the Citrix documentation (https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/domain-passthrough-for-single-sign-on.html):

  • VDA configuration: the "Remote host allows delegation of non-exportable credentials" setting is missing.
  • Client configuration: the "Trust StoreFront site" configuration is missing.

Additional Information

https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/domain-passthrough-for-single-sign-on.html

https://docs.citrix.com/en-us/citrix-workspace-app-for-windows/whats-new