Single Sign-On is an awesome feature of any product if you ask me. It really makes the user experience a whole lot better! Imagine your user logs into his/her PC and all of the applications they use on a daily basis are automatically mapped to the Start menu or desktop. The user is then able to simply double-click on the icon and launch the streaming application.
So, how do we configure Single Sign-On? Well, the answer is quite simple and the procedure in itself is quite easy. There are a couple of things we’ll need for this.
- Citrix Receiver (4.2.100 in my case)
- Access to Group Policy Management Console in AD
- Proper OU structure
- Store information
With these four items, we can easily configure Single Sign-On for the users. Let’s begin with the installation of the Citrix Receiver.
The only thing that needs to be done with Citrix Receiver is that you’ll need to install it from the command prompt using the /IncludeSSON switch. If you install the receiver with the VDA, I believe SSON will be included by default.
You also have the option of including other parameters in the installation, such as Store information, suppressing the installation so that it’s silent, etc. These are the options you’d have to look into for each customer. For the most part, my preference has always been to use GPOs for the majority of the configuration. This ensures that if, for some reason, the desktop is switched out, all the existing configuration will be applied once the user logs in to the domain.
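As an added example (not from the original post), this is how the installation described above can be scripted from PowerShell: a silent Receiver 4.x install that includes the single sign-on component, with the store optionally pre-configured on the command line. The installer path, store name, store URL and description are placeholders to replace with your own values; if you prefer to push the store through GPO as the post recommends, drop the STORE0 argument.

```powershell
# Added example: silent Citrix Receiver 4.x install with single sign-on included.
# All paths and store values below are placeholders (assumptions), not from the post.
$Installer = 'C:\Install\CitrixReceiver.exe'                            # assumed installer location
$StoreName = 'StoreName'                                                # placeholder store name
$StoreUrl  = 'https://storefront.example.com/Citrix/Store/discovery'    # placeholder discovery URL
$StoreDesc = 'Corporate Store'                                          # placeholder description

# STORE0 format is "name;discovery URL;On|Off;description"
$Arguments = @(
    '/silent',            # no installer UI
    '/noreboot',          # do not reboot automatically; reboot or log off/on yourself afterwards
    '/includeSSON',       # install the single sign-on component (ssonsvr.exe)
    'ENABLE_SSON=Yes',    # enable pass-through authentication
    "STORE0=`"$StoreName;$StoreUrl;On;$StoreDesc`""   # optional: omit when the store comes from GPO
)

$Process = Start-Process -FilePath $Installer -ArgumentList $Arguments -Wait -PassThru
if ($Process.ExitCode -ne 0) {
    throw "Citrix Receiver install failed with exit code $($Process.ExitCode)"
}
Write-Host 'Citrix Receiver installed. Log off/on (or reboot) before expecting ssonsvr.exe to start.'
```

The same command line can be handed to SCCM or a GPO startup script; the exit-code check is what lets an orchestration tool report a failed install instead of silently moving on.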
Once the installation is complete, we can begin to look into the GPO configuration. I’d also like to point out, that the only manual configuration that I’ve applied in my lab, was the installation of the receiver with the IncludeSSON parameter. However, the installation of the receiver can also be automated through orchestration tools such as SCCM, GPOs, etc. I believe in automation, so in an ideal scenario, automate everything if possible.
The GPO part is quite quick, but basically we need the following settings configured in GPOs:
- Create a new GPO
- Import ICACLIENT.ADM template
- Configure Pass-Through Authentication
- Configure Store Discovery
- Configure the Receiver URL in Internet Explorer Trusted Sites or Local Intranet
- Configure User Logon Option “Automatic Logon with Current Username and Password” for the Trusted or Intranet Site
- Apply the GPO to the proper OU
Step one, create a new GPO: quite simply, under the proper OU, right-click on the OU and select Create a GPO in this domain, and Link it here…
Next step is to edit the GPO (don’t forget to give it a meaningful name) and import the icaclient.adm template so that we can apply the proper configuration to the receiver.
The icaclient.adm template can be found under C:\Program Files (x86)\Citrix\ICA Client\Configuration if you have the Citrix Receiver already deployed on the server.
Import the template and navigate to Computer Configuration -> Administrative Templates -> Classic Administrative Templates -> Citrix Components -> Citrix Receiver -> User Authentication and enable Local user name and password.
Next, we’ll need to configure the Store information for the Receiver. Remember, the receiver needs to know where to connect to. The Store information that we provide will tell the receiver to connect to that specific location automatically, without the need to have the user specify it themselves. As a small reminder, I’ve already mentioned that we can configure the Store information during the installation of the receiver. However, as a best practice, I prefer to use GPOs for obvious reasons, one of them being standardized configuration across all endpoints.
Navigate to Computer Configuration -> Administrative Templates -> Classic Administrative Templates -> Citrix Components -> Citrix Receiver -> Storefront and enable Storefront Accounts List.
Define the Store URL, in my case I’ve configured my Store with the following URL:
You’ll also need to configure the Store Name, Store Enabled State, and Store Description. In the end, my Value looked something like this:
Next, we’re going to be configuring the Internet Explorer settings. This includes:
- Trusted Sites URL
- User Logon option in custom settings under Trusted Sites
Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page and enable Site to Zone Assignment List.
The value represents the security zones:
- Intranet Zone – Value of 1
- Trusted Sites Zone – Value of 2
- Internet Zone – Value of 3
- Restricted Sites – Value of 4
In this particular scenario, we’re applying the change to the Trusted Sites Zone, so for this we’d need to define the value of 2.
Now, we just need to apply one last setting, and that is the User Authentication option. Navigate to Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page and enable Logon Options. Once enabled, we’ll need to select Automatic logon with current username and password.
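The Internet Explorer part of the GPO described in the steps above can also be created from PowerShell with the GroupPolicy module, which is handy when the same GPO has to be reproduced across several domains or labs. This is an added example, not something from the original post: it creates and links the GPO, writes the Site to Zone Assignment List entry (registry value name = URL, data = zone number, 2 for Trusted Sites) and sets the Trusted Sites logon option (value 1A00 = 0 means Automatic logon with current username and password). The GPO name, OU and StoreFront URL are placeholders. The Citrix-specific settings (Local user name and password, Storefront Accounts List) still come from the imported icaclient.adm template as shown earlier; they are not written here.

```powershell
# Added example: build the Internet Explorer half of the SSO GPO with the GroupPolicy module.
# GPO name, OU distinguished name and StoreFront URL are placeholders (assumptions).
Import-Module GroupPolicy

$GpoName  = 'Citrix Receiver SSO'                  # placeholder GPO name
$TargetOu = 'OU=Workstations,DC=example,DC=com'    # placeholder OU to link the GPO to
$StoreUrl = 'https://storefront.example.com'       # placeholder StoreFront URL (as typed in the zone list)

# Create the GPO and link it to the OU if it does not exist yet
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $TargetOu | Out-Null
}

$IeSettings = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Site to Zone Assignment List: each entry is a string value named after the URL,
# whose data is the zone number (1 = Intranet, 2 = Trusted Sites, 3 = Internet, 4 = Restricted)
Set-GPRegistryValue -Name $GpoName -Key "$IeSettings\ZoneMapKey" `
    -ValueName $StoreUrl -Type String -Value '2' | Out-Null

# Logon Options for zone 2 (Trusted Sites): 1A00 = 0 is "Automatic logon with current username and password"
Set-GPRegistryValue -Name $GpoName -Key "$IeSettings\Zones\2" `
    -ValueName '1A00' -Type DWord -Value 0 | Out-Null

# Show what was written so it can be compared with the GPO editor view
Get-GPRegistryValue -Name $GpoName -Key "$IeSettings\ZoneMapKey"
Get-GPRegistryValue -Name $GpoName -Key "$IeSettings\Zones\2"
```

One caveat worth keeping in mind when reviewing the result: the logon option applies to the whole Trusted Sites zone, so every URL assigned to zone 2 in that GPO will receive the user’s Windows credentials automatically. Keep the zone list limited to the StoreFront address (and anything else that genuinely needs it) rather than reusing a broad, pre-existing trusted-sites list.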
Now, we can test. We can either force a GPUPDATE and re-open the Citrix Receiver, or we can log off and log back in to test the changes. One thing I will say: upon logon, ensure that the ssonsvr.exe process is running. We can do this by opening Task Manager -> Details and then looking for ssonsvr.exe.
Without this process, SSO won’t function.
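As an added example, not part of the original post, here is the same end-of-procedure check done from PowerShell on the endpoint instead of through Task Manager. It confirms ssonsvr.exe is running and then reads back the Internet Explorer policy values the GPO should have delivered (zone assignment and logon option), so a failed SSO logon can be narrowed down to either the Receiver install or the GPO. The StoreFront URL is a placeholder; the PnSson network-provider check is an assumption about how the Receiver registers its SSO component and is included as a secondary hint only.

```powershell
# Added example: verify the SSO prerequisites on a workstation after logon.
# StoreFront URL is a placeholder; the PnSson provider check is an assumption.
$StoreUrl   = 'https://storefront.example.com'   # placeholder, exactly as entered in the zone list
$IeSettings = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$Results    = [ordered]@{}

# Optional: refresh computer policy first (equivalent to the GPUPDATE step in the post)
# gpupdate /target:computer /force | Out-Null

# 1. The single sign-on process must be running for the current session
$Results['ssonsvr.exe running'] = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

# 2. Assumption: Citrix registers its SSO network provider as "PnSson" in the provider order
$OrderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$Providers = ((Get-ItemProperty $OrderKey).ProviderOrder -split ',') | ForEach-Object { $_.Trim() }
$Results['PnSson in network provider order'] = ($Providers -contains 'PnSson')

# 3. StoreFront URL assigned to Trusted Sites (zone 2) by the Site to Zone Assignment List
$ZoneMap = Get-ItemProperty "$IeSettings\ZoneMapKey" -ErrorAction SilentlyContinue
$ZoneValue = if ($ZoneMap) { $ZoneMap.PSObject.Properties[$StoreUrl].Value } else { $null }
$Results["$StoreUrl in Trusted Sites (2)"] = ($ZoneValue -eq '2')

# 4. Logon option for Trusted Sites: 1A00 = 0 means automatic logon with current credentials
$Zone2 = Get-ItemProperty "$IeSettings\Zones\2" -ErrorAction SilentlyContinue
$Results['Trusted Sites automatic logon (1A00 = 0)'] = ($Zone2 -and $Zone2.'1A00' -eq 0)

# Print a simple pass/fail table
foreach ($Entry in $Results.GetEnumerator()) {
    $State = if ($Entry.Value) { 'OK' } else { 'MISSING' }
    '{0,-50} {1}' -f $Entry.Key, $State
}
```

If ssonsvr.exe is missing but the policy values are present, the Receiver was most likely installed without /IncludeSSON; if the process is there but the IE values are absent, the GPO has not reached the machine (check the OU link and run gpresult /r).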