Customers want things to be easier. A common request is to support Single Sign On (SSO). Instead of having to enter credentials more than once, SSO remembers the username and password. The SSO design is secure yet provides a better user experience. SSO is a common feature for web browsers. Once logged in, the credentials are used for the site without requiring entering them again.
In Citrix XenDesktop/XenApp, the idea is very similar. Once logged into Receiver, StoreFront, or Web Interface, the user does not need to enter passwords again for desktop sessions and applications. Users only need to click on the icon of the desired desktop or application and the connection will be made without requiring credentials. Even though many different hosts are involved, the hosts work together to allow the user entry.
However, this is not considered the ultimate SSO solution. For users using Windows Receiver, there is a feature that uses the native Windows credentials from the user’s session. If the user is logged into Active Directory on a Windows domain workstation, they will not be required to login to Citrix if SSO is properly configured.
The official title for the Citrix feature is “Pass Thru Authentication” and based on the latest feature chart, is only supported on Windows Receiver. Setting it up is more involved than a typical installation. Please review the knowledge article. There is a command line switch called “/includeSSON” when installing CitrixReceiver.exe.
There are several other steps so please follow the knowledge article.
Once everything is working, users only need to sign into Windows in order to use Citrix XenApp and XenDesktop.
In Linux VDA version 1.0, we did not support this feature. To understand why requires some basic understanding of how this technology works. We will get to that in a moment, but it is important to announce that we have added this feature in Linux VDA version 1.1. This version of the Linux VDA can use the user’s domain credentials which are made available by the machine that the user is logged into and is running Windows Receiver.
Inside Citrix, we call this support “WD Credentials”. WD stands for Winstation Driver, a core module in the Citrix software stack. The concept is that the credentials are provided during the connection from Citrix Receiver. These credentials are provided very early in the HDX/ICA connection between Receiver and the host (Linux VDA). In the original model, the credential data was gathered from tickets in the ICA file. Specifically, the ticket was used to request the credentials from the Citrix DDC (broker). This was a problem since it is not possible to get Windows Receiver SSO credentials this way.
Over time, “WD Credentials” has been used by other Receivers as well. In fact, some Receivers only support providing credential information this way. For example, the Citrix HTML5 Receiver passes the user’s credentials to the VDA when requested. If the VDA does not request it (and uses the ICA file only) HTML5 Receiver will never be able to automatically sign in. In order to support Linux VDA 1.0, HTML5 Receiver 16.0 added support for the old credential transfer. However, this still meant that the older HTML5 Receivers could not connect and login automatically. With the change in Linux VDA 1.1, this is no longer a problem.
Even though the Linux VDA now supports “WD Credentials” it does not yet support smart cards. There is an additional work item to support the smart card virtual channel.
One of the hidden benefits of SSO is Active Directory integration. The credentials work for Windows resources accessed from Linux. For example, SSO allows for automatic access to user home directories. Services based on Active Directory Kerberos respect that the user has been authorized and will not request credentials from the user. This reduces the pain of connecting network shares during login.
Linux VDA 1.1 now supports Windows Receiver SSO and all Receivers that use “WD Credentials” to exchange credentials. This includes HTML5 Receivers prior to version 16.0. Smart card support is not there yet. With the Linux VDA 1.1 release, true SSO with Windows is now possible and the Receivers are able to use the latest Citrix credential exchange technology.
To read more from the Linux Virtual Desktop Team, please refer to the Linux Virtual Desktop Team blog here.