Configure the authentication service 编辑

Manage authentication methods

You can enable or disable user authentication methods set up when the authentication service was created by selecting an authentication method in the results pane of the Citrix StoreFront management console and, in the Actions pane, clicking Manage Authentication Methods.

1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
2. Select the Store node in the left pane of the Citrix StoreFront management console and, in the Actions pane, click Manage Authentication Methods.
3. Specify the access methods that you want to enable for your users.

• Select the Username and password check box to enable explicit authentication. Users enter their credentials when they access their stores.
• Select the SAML Authentication check box to enable integration with a SAML Identity Provider. Users authenticate to an Identity Provider and are automatically logged when they access their stores. From the Settings drop-down menu:
  • Select Identity Provider to configure the trust to the Identity Provider.
  • Select Service Provider to configure the trust for the Service Provider. This information is required by the Identity Provider.
• Select Domain pass-through to enable pass-through of Active Directory domain credentials from users’ devices. Users authenticate to their domain-joined Windows computers and are automatically logged on when they access their stores. To use this option, pass-through authentication must be enabled when Citrix Receiver for Windows or Citrix Workspace app for Windows is installed on users’ devices.

  Note:

  The domain pass-through for Citrix Receiver for Web is limited to Windows operating systems using Internet Explorer, Microsoft Edge, Mozilla Firefox, and Google Chrome, and the browsers rely on successful client detection to communicate with native Citrix Workspace apps. It’s a prerequisite for domain pass-through authentication to function.

• Select Smart card to enable smart card authentication. Users authenticate using smart cards and PINs when they access their stores.
• Select HTTP Basic to enable HTTP Basic authentication. Users authenticate with the StoreFront server’s IIS web server.
• Select Pass-through from Citrix Gateway to enable pass-through authentication from Citrix Gateway. Users authenticate to Citrix Gateway and are automatically logged on when they access their stores.

To enable pass-through authentication for smart card users accessing stores through Citrix Gateway, use the Configure Delegated Authentication task.

Configure trusted user domains

Use the Trusted Domains task to restrict access to stores for users logging on with explicit domain credentials, either directly or using pass-through authentication from Citrix Gateway.

1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.

2. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select the appropriate authentication method. In the Actions pane, click Manage Authentication Methods.

3. From the User name and password > Settings list, select Configure Trusted Domains.

4. Select Trusted Domains only and click Add to enter the name of a trusted domain. Users with accounts in that domain are able to log on to all stores that use the authentication service. To modify a domain name, select the entry in the Trusted domains list and click Edit. To discontinue access to stores for user accounts in a domain, select the domain in the list and click Remove.

   The way in which you specify the domain name determines the format in which users must enter their credentials. If you want users to enter their credentials in domain user name format, add the NetBIOS name to the list. To require that users enter their credentials in user principal name format, add the fully qualified domain name to the list. If you want to enable users to enter their credentials in both domain user name format and user principal name format, you must add both the NetBIOS name and the fully qualified domain name to the list.

5. If you configure multiple trusted domains, select from the Default domain list the domain that is selected by default when users log on.

6. If you want to list the trusted domains on the logon page, select the Show domains list in the logon page check box.

Enable users to change their passwords

Use the Manage Password Options task to enable Citrix Workspace app and Receiver for Web site users logging on with domain credentials to change their passwords. When you create the authentication service, the default configuration prevents Citrix Workspace app, and Citrix Receiver for Web site users from changing their passwords, even if the passwords have expired. If you decide to enable this feature, ensure that the policies for the domains containing your servers do not prevent users from changing their passwords. Enabling users to change their passwords exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network.

1. Citrix Receiver for Web supports password changes on expiration, and elective password changes. All desktop Citrix Workspace apps support password change through Citrix Gateway on expiration only. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.

2. In the left pane of the Citrix StoreFront management console Actions pane, select the Stores node and click Manage Authentication Methods.

3. From the User name and passwords > Settings drop-down menu, select Manage Password Options, specify the circumstances under which Citrix Receiver for Web site users logging on with domain credentials are able to change their passwords.

   • To enable users to change their passwords whenever they want, select At any time. Local users whose passwords are about to expire are shown a warning when they log on. Password expiry warnings are only displayed to users connecting from the internal network. By default, the notification period for a user is determined by the applicable Windows policy setting. For more information about setting custom notification periods, see Configure the password expiry notification period. Supported only with Citrix Receiver for Web.

   • To enable users to change their passwords only when the passwords have already expired, select When expired. Users who cannot log on because their passwords have expired are redirected to the Change Password dialog box. This is supported for Citrix Workspace apps, and Citrix Receiver for Web.

     Note:

     Ensure that there is sufficient disk space on your StoreFront servers to store profiles for all your users. To check whether a user’s password is about to expire, StoreFront creates a local profile for that user on the server. StoreFront must be able to contact the domain controller to change users’ passwords.

   • To prevent users from changing their passwords, do not select Allow users to change passwords. If you do not select this option, you must make your own arrangements to support users who cannot access their desktops and applications because their passwords have expired.

   • To prevent users from changing their passwords, do not select Allow users to change passwords. If you do not select this option, you must make your own arrangements to support users who cannot access their desktops and applications because their passwords have expired.

   Citrix Workspace apps	User can change an expired password if enabled on StoreFront	User is notified that password expires	User can change password before it expires if enabled on StoreFront
   Windows	Yes
   Mac	Yes
   Android
   iOS
   Linux	Yes
   Web	Yes	Yes	Yes

Shared authentication service settings

Use the Shared Authentication Service Settings task to specify stores that share the authentication service enabling single sign-on between them.

1. On the Windows Start screen or Apps screen, locate and click the Citrix StoreFront tile.
2. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the results pane, select a store. In the Actions pane, click Manage Authentication Methods.
3. From the Advanced drop-down menu, select Shared authentication service settings.
4. Click the Use shared authentication service check box and select a store from the Store name drop-down menu.

Note:

There is no functional difference between a shared and dedicated authentication service. An authentication service shared by more than two stores is treated as a shared authentication service and any configuration changes affect the access to all the stores using the shared authentication service.

Delegate credential validation to Citrix Gateway

Use the Configure Delegated Authentication task to enable pass-through authentication for smart card users accessing stores through Citrix Gateway. This task is only available when Pass-through from Citrix Gateway is enabled and selected in the results pane.

When credential validation is delegated to Citrix Gateway, users authenticate to Citrix Gateway with their smart cards and are automatically logged on when they access their stores. This setting is disabled by default when you enable pass-through authentication from Citrix Gateway, so that pass-through authentication only occurs when users log on to Citrix Gateway with a password.