Configuring Citrix Receiver PNAgent pass-through authentication to StoreFront 2.5

The PN Agent is a seamless way to publish Citrix shortcuts for users. Citrix Storefront 2.5 re-introduces pass-through authentication for legacy clients, this makes it more seamless for the end-user.

In this blog I am going to configure the PN Agent to point to StoreFront 2.5 using pass-through authentication. I assume that Storefront is installed.


Click on Authentication and click on Add/Remove Methods image
Select Domain pass-through image
Click on Receiver for Web and click on Choose authentication methods image
Select Domain pass-through image
Click on Stores and click on Configure Legacy Support

Enable Legacy Support and write down the URL.

The configuration files that we are going to modify are now generated.



Open the file C:\inetpub\wwwroot\
Citrix\*Store name*>\
Replace the following code:

Save the file

<LogonMethod><%= ViewData[PnaConfigViewConstants.LogonMethodId]%></LogonMethod>
<EnableKerberos><%= ViewData[PnaConfigViewConstants.EnableKerberosId] %></EnableKerberos>




Open the file  C:\inetpub\wwwroot\
Citrix\*Store name*\web.config
Replace the following code:

Save the file

<pnaProtocolResources changePasswordAllowed=”Never” logonMethod=”prompt”
kerberosEnabled=”false” changePasswordMethod=”Proxy” changePasswordUrl=””>



<pnaProtocolResources changePasswordAllowed=”Never” logonMethod=”sson”
kerberosEnabled=”false” changePasswordMethod=”Proxy” changePasswordUrl=””>

Reset IIS image
The following settings are modified on the client:
Install Citrix Receiver using the following command line:

(Replace the server location with the location written down at the creation of the legacy site)

CitrixReceiverEnterprise.exe /silent /includeSSON ADDLOCAL=”ReceiverInside,ICA_Client,AM,SELFSERVICE
,SSON,USB,DesktopViewer,Flash,PN_Agent,Vd3d” ENABLE_SSON=”YES” SERVER_LOCATION=”https://Citrix/Citrix/*Store*/PNagent/config.xml&#8221;


Pastebin: here

Reboot the machine
Verify if the process ssonsvr.exe is running. 1
Open GPedit.msc and import the Citrix ADM file (icaclient.adm) from C:\Program Files (x86)\Citrix\ICA Client\Configuration
Change the following settings: 1



Reboot the machine


After logging on the Citrix Receiver PN Agent makes a connection to the Legacy Support site and the icons will be displayed on the desktop and start menu.



This entry was posted in Citrix XenApp and tagged . Bookmark the permalink.

2 Responses to Configuring Citrix Receiver PNAgent pass-through authentication to StoreFront 2.5

  1. MasterXen says:

    Seems part of the path has been cut off for:

  2. FLTech says:

    This finally fixed the pass-through for my XenApp 7.9 install. The PNAgent website in StoreFront just refused to use the SSON. It prompted for logon no matter what I did. Why can’t Citrix make things that just work any more? I have been all over the internet and this is the most straight forward fix document. What I did: I am using receiver, not receiver enterprise which you can’t find any more. I finally just did a manual install of receiver with SSON so that I knew the receiver install wasn’t screwed up. Then I entered my PNAgent web address into receiver when the receiver install prompted. I edited the two IIS files you mention in your article. Restarted IIS. Restarted the client computer. I did not need to enable legacy ticketing settings in the GPO for this 7.9 install. Your Citrix receiver install command looks kinda messed up. But I won’t hold that against you. So after I fix my receiver command-line install today, everything should be good to go. Thanks!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s