XenDesktop 7 Session Launch – Part 1, Authentication

The process of enumerating, brokering, and connecting to a XenDesktop resource involves quite a few moving parts, and can be a daunting task to troubleshoot for someone who isn’t familiar with the product. There are several key components involved in the session launch process including authentication, enumeration, registration, ticketing, and display/session handling.

In this post I’d like to briefly explain how the Citrix Receiver authenticates to a XenDesktop 7 application or desktop. To keep it simple, I’m only going to talk about StoreFront (no WI) and XenDesktop (no XenApp/IMA). So just Receiver <> StoreFront <> XenDesktop.

The first step to launching a XenDesktop session is to authenticate to the StoreFront Store that the XenDesktop resource is connected to. In this step, a user connects to the StoreFront server and:

  1. Authenticates to a StoreFront virtual directory via Citrix Receiver:
    • The Receiver is connecting to a StoreFront Store, StoreWeb, StoreDesktopAppliance, or PNAgent IIS virtual directory. IIS allows anonymous authentication since the StoreFront .NET services (Citrix.Storefront.exe & Citrix.StoreFront.PrivilegedService.exe) handle authentication:


    • To configure a StoreFront server’s authentication methods, use the Citrix Studio MMC to open the Authentication TreeNode of the Citrix StoreFront deployment. Here you can specify which authentication methods to allow on Stores hosted by that server:


    • There are four authentication methods available as of StoreFront 2.0:
      • User name and password: Similar to windows basic auth in IIS, or explicit authentication in Citrix Web Interface Server.Prompts the user to enter their credentials at logon.
        • In this scenario, the broker passes the user’s credentials to the target ICA server on behalf of the client
      • Domain Pass-through: Similar to Integrated Authentication in IIS, and
        • Allows Receiver for Windows endpoints automatically log on using the local session’s logged on user domain account (via NTLM)
        • In this scenario, the client sends credentials (via ssonsvr.exe) directly to the target ICA server
        • For pass-through authentication to work, you must use the /includesson switch when installing Receiver (per CTX133982), which tells the meta-installer to include the ‘SSON’ component (ssonsvr.exe) that is needed to capture the user’s domain credentials at logon. Receiver relies on the SSON component to send the user’s domain credentials to the StoreFront server’s StoreWeb (via browser), Store (via Receiver), or legacy PNAgent (via Online Plugin / Receiver Enterprise) virtual directory.
          • There is currently a bug with XenDesktop 7 published desktops using pass-through authentication to provide ‘FlexCast’ functionality (enumerate and launch published apps from the published desktop) where ssonsvr.exe wouldn’t run (crashed at login) because pnsson.dll wasn’t playing nice with the ICA stack at session logon.
          • Citrix has provided a provisional test-fix to customers with an open case, and will soon be releasing a public hotfix. As of this post, pass-through authentication doesn’t work on XenDesktop 7 published desktops running Receiver 3/4 without this fix in place.
      • Smart Card: Allows smart card pass-through
        • Thankfully I don’t work with this method very often, so I’ll refrain from digging in. Just know that it’s required if smart-cards are used in the environment
      • Pass-through from NetScaler Gateway: Allows a NetScaler Gateway virtual server to handle user authentication on behalf of the user
        • Requires Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true to be set on the DDC/XML broker)
        • Use the Configure Delegated Authentication option to specify that the NetScaler send logon credentials directly to the remote Windows session


    • There are also client-side registry values that control whether or not to allow pass-through authentication, and can even lock down the feature to only work with StoreFront sites in specified Internet Explorer Security Zones (aka Client Selective Trust). The easiest way to adjust this is to use the ADM template in %ProgramFiles%\Citrix\ICA Client\Configuration\icaclient.adm


In my next post on XD7 session launch I’ll talk about resource enumeration, including details about the virtual XML broker and XenDesktop broker services.


NetScaler Bootcamp

The most advanced cloud network platform.

The most advanced cloud network platform.

A few of us at iVision just completed a two day NetScaler bootcamp led by Richard Nash at my old office in Alpharetta. With access to a hands-on learning lab, we were able to gain a solid understanding of Netscaler fundamentals.

Day one started with a lecture that covered core topics, including the following key features:

  • TCP Connection Multiplexing
  • Load Balancing
  • SQL Load Balancing (DataStream)
  • Compression
  • Clustering
  • High Availability
  • SSL Acceleration
  • Attack Defense
  • Application Firewall
  • Global Server Load Balancing
  • Caching

We then worked through several scenarios in the learning lab. Being new to NetScaler, I was impressed with how well the Java UI performed, and was quite pleased with it’s functionality and ease of use. The main menu was a bit scary looking at first, but once I navigated through the categories a few times, I was able to quickly find the settings I needed to configure.

The day one lab gave us a good understanding of the steps needed to setup a NetScaler VPX HA pair for load balancing, content switching, and SSL Offload. Generating the SSL cert was a hassle as it always is,  but fortunately the lab was already equipped with a Certificate server.

On day two of the bootcamp, we spent time working with HTTP header modification, port redirection, and URL transformation. We also covered DataStream SQL load balancing and rate limiting, which was very impressive functionality to configure and see in action. Database responders, token-based load balancing, and integrated SQL caching really rounded out the lab.

Unfortunately we didn’t get to cover Access Gateway, but I took some time to review Bill Hackley’s step by step instructions on the Citrix Blogs, which I was able to fairly easily implement in my lab environment. I was pretty satisfied with this training, and believe our team is much better equipped to lead many successful implementations with the foundation that this two day crash course provided!