Sometimes I hate Citrix SSO

So I spent a couple hours troubleshooting Single Sign On with a customer today.  I swore I’d done it all correctly!  SSONSRVR was running, StoreFront was set to allow domain pass through, both machines were in the same login domain, I used the .adm to allow single sign on, the site was in trusted sites, heck I even changes the provider order… but it still wasn’t working.  That’s when I finally came across this nugget:

Trusated Sites


This probably isn’t news to most folks, but I only happened to stumble across it on an old blog post from like 6 years ago so I thought it deserved a rehash.  For those who aren’t aware, Citrix Receiver (specifically the Program Neighborhood Agent) uses Internet Explorer settings when it makes the connection behind the scenes to your StoreFront server on IIS.  This is true by the way even on Windows 10 with Edge as the default browser.  So with the default settings, Automatic logon is only allowed for sites in the Intranet zone.  If you for instance put your internal sites in say Trusted Zone instead, pass through doesn’t work.

You have two fairly simple choices here… put the StoreFront in Intranet Zone instead of Trusted Zone, or change the setting in IE to “Automatic logon with current user name and password” instead.  The choice is yours.  Both however are user-specific settings so require a policy push across your organization to stick.  Hopefully the next person who has this issue doesn’t have to spend 2 hours trying to track it down :).

, ,

One Comment

Leave a Reply

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">