Enabling Pass-through authentication for the Citrix Web Interface

When using the Citrix Receiver in combination with the Citrix Web Interface and Pass-through authentication, in some scenarios the following screen pops-up and Pass-through is not functioning correctly:



To get Pass-through working correctly, the following settings must be set.
This can be done using a Group Policy Object, or locally using the Local Computer Policy.

In this example I am going to use the Local Computer Policy.


Install the Citrix Receiver Enterprise using the command line: CitrixReceiverEnterprise.exe /silent /includeSSON ADDLOCAL=”ReceiverInside,ICA_Client,AM,SELFSERVICE,
SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d” SERVER_LOCATION=
https://server/Citrix/PNagent/config.xml ENABLE_SSON=”YES”
Open GPedit.mscExpand Computer Configuration, Administrative Templates
Right-click on Administrative TemplatesSelect Add/Remove Templates…
Click on Add
Open C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm image
Click on Close
Expand Computer Configuration, Administrative Templates, Classic Administrative Templates, Citrix Components, Citrix Receiver
Expand User Authentication  image
Open Kerberos authentication
Change the following values:

Check Enabled 

Click Ok

Open Local User name and password
Change the following values:Check Enabled

Check Enable pass-through authentication

Check Allow pass-through authentication

Click Ok

Open Web Interface authentication ticket
Change the following values:

Check Enabled 

Check Legacy ticket handling 

Check Web Interface 4.5 and above 

Click Ok

If you use a Smart card for pass-through authentication, open Smart card authentication 

Check Enabled 

Check Allow smart card authentication 

Check Use pass-through authentication for PIN 

Click Ok

The next step is to set the Web Interface as trusted site
In GPedit.msc expandWindows Components/Internet Explorer/Internet Control Panel/Security Page
Open Site to Zone Assignment List 

Check Enabled 

Click Show 

Under Value Name add the address of the web interface siteUnder Value add the value 2

Value 2 represents the Local Intranet zone, this zone has the correct privileges for pass-through authentication.

Click Ok

Click Ok

The next step is to check if Pass-through is enabled on the XenApp web site.
Open the Citrix Web Interface Management Console

Click XenApp Web Sites 

Click Authentication Methods 

Make sure that Pass-through is selected.


Now you can test the pass-through functionality by opening the Web Interface website.


Can’t get the solution to work? Contact me and let me do the trick.




This entry was posted in Citrix XenApp. Bookmark the permalink.

4 Responses to Enabling Pass-through authentication for the Citrix Web Interface

  1. Good blog with some fascinating information. I’ll be back.

  2. Stumbled into this website by chance but I’m sure glad I clicked on that link. You genuinely answered all of the queries I’ve been dying to answer for some time now. Will actually come back for more of this. Thank you so much

  3. Very nice and detailed information given above. But hey, you didn’t mentioned the version!

  4. Pingback: Best Citrix XenApp 6.5 CTX Articles 2013 | KnowCitrix

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s