User authentication

StoreFront supports several authentication methods for users accessing stores, although not all of them are available for every user access method and network location. For security reasons, some authentication methods are disabled by default when you create your first store. For more information about enabling and disabling user authentication methods, see Create and configure the authentication service.

User name and password

Users enter their credentials and are authenticated when they access their stores. Explicit authentication is enabled by default. All user access methods support explicit authentication.

When users access Citrix Receiver for Web through Citrix Gateway, Citrix Gateway handles the logon and any password change at expiration. Users can also make elective password changes from the Citrix Receiver for Web UI; after an elective password change, the Citrix Gateway session terminates and the user must log on again. Citrix Receiver for Linux and Citrix Workspace app for Linux users can change only expired passwords.

SAML authentication

Users authenticate to a SAML Identity Provider and are automatically logged on when they access their stores. StoreFront can support SAML authentication directly within the corporate network, without the need to go through Citrix Gateway.

SAML (Security Assertion Markup Language) is an open standard used by identity and authentication products such as Microsoft AD FS (Active Directory Federation Services). With the integration of SAML authentication through StoreFront, administrators can allow users to, for example, log on once to their corporate network and then get single sign-on to their published apps.

Requirements:

  • Implementation of the Citrix Federated Authentication Service.
  • SAML 2.0-compliant identity providers (IdPs):
    • Microsoft AD FS v4.0 (Windows Server 2016) using SAML bindings only (not WS-Federation bindings). For more information, see AD FS Deployment and AD FS Operations.
    • Microsoft AD FS v3.0 (Windows Server 2012 R2)
    • Citrix Gateway (configured as an IdP)
  • Configure SAML authentication in StoreFront using the StoreFront management console in a new deployment (see Create a new deployment), or in an existing deployment (see Configure the authentication service). You can also configure SAML authentication using PowerShell cmdlets, see StoreFront SDK.
  • Citrix Receiver (4.6 and later) or Citrix Workspace app for Windows, or Citrix Receiver for Web.

Using SAML authentication with Citrix Gateway is supported with Receiver for Web sites.

Domain pass-through

Users authenticate to their domain-joined Windows computers, and their credentials are used to log them on automatically when they access their stores.

When you install StoreFront, domain pass-through authentication is disabled by default. You can enable domain pass-through authentication for users connecting to stores through Citrix Workspace app and XenApp Services URLs. Citrix Receiver for Web sites support domain pass-through authentication for Internet Explorer, Microsoft Edge, Mozilla Firefox, and Google Chrome on domain-joined Windows client machines.

Note:

To use this option, pass-through authentication must be enabled when Citrix Receiver for Windows is installed on users’ devices. Domain pass-through for Citrix Receiver for Web is limited to Windows operating systems using Internet Explorer, Microsoft Edge, Mozilla Firefox, or Google Chrome, and these browsers rely on successful client detection to communicate with the native Citrix Workspace app. Client detection is therefore a prerequisite for domain pass-through authentication to function.

To enable domain pass-through authentication

  1. Install Citrix Receiver for Windows or Citrix Workspace app for Windows or the Citrix Online plug-in for Windows on user devices. Ensure that pass-through authentication is enabled.
  2. In the Citrix Receiver for Web site node in the administration console, enable domain pass-through authentication.
  3. Configure SSON on Citrix Receiver for Windows or Citrix Workspace app for Windows, described in Configure domain pass-through authentication. Citrix Workspace app for HTML5 does not support domain pass-through authentication.
  4. Windows’ default behavior is “Automatic logon only in the Intranet zone.” For Internet Explorer, Mozilla Firefox and Google Chrome, either configure your Citrix Receiver for Web sites as Intranet sites using the Internet Options, or enable automatic logon for the Trusted zone. For Microsoft Edge you must configure your Citrix Receiver for Web sites as Intranet sites.
  5. For Mozilla Firefox, modify the browser advanced settings to trust the Citrix Receiver for Web site URL, so that Firefox sends the user’s Windows credentials to that site automatically.

    Warning:

    Editing the advanced settings incorrectly can cause serious problems. Make edits at your own risk.

    1. Start Firefox, enter about:config in the address field and select “I accept the risk!”
    2. Type ntlm in the search box.
    3. Double-click network.automatic-ntlm-auth.trusted-uris and enter the Citrix Receiver for Web site URL in the pop-up dialog. Add only the specific site URL: entries in this list match by suffix, so a bare domain name would make Firefox send credentials automatically to every host in that domain.
    4. Click OK.
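The five steps above as one script, added here as an example that is not part of the Citrix documentation. It enables domain pass-through on the StoreFront side and prepares a domain-joined client’s browsers. The cmdlet names (ImportModules.ps1, Get-STFStoreService, Get-STFAuthenticationService, Enable-STFAuthenticationServiceProtocol, Get-STFWebReceiverService, Set-STFWebReceiverAuthenticationMethods, Get-STFWebReceiverAuthenticationMethods) are assumed from the StoreFront PowerShell SDK and should be checked against your StoreFront version; the store path /Citrix/Store, the host name storefront.example.com and the Firefox install path are placeholders.

```powershell
# Added example, not Citrix's own code. Cmdlet names are assumed from the
# StoreFront SDK; store path, host name and file paths are placeholders.
#Requires -RunAsAdministrator

# ---------- Server side: run on one StoreFront server, then propagate ----------
& "$Env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

$store = Get-STFStoreService -VirtualPath '/Citrix/Store'
$auth  = Get-STFAuthenticationService -StoreService $store

# 'IntegratedWindows' is the protocol behind "Domain pass-through"; it is off by default.
Enable-STFAuthenticationServiceProtocol -AuthenticationService $auth -Name 'IntegratedWindows'

# Offer pass-through on the Receiver for Web site but keep ExplicitForms, so users
# on devices where client detection fails can still fall back to user name and password.
$rfw = Get-STFWebReceiverService -StoreService $store
Set-STFWebReceiverAuthenticationMethods -WebReceiverService $rfw `
    -AuthenticationMethods 'ExplicitForms', 'IntegratedWindows'

# Check what the site now advertises.
Get-STFWebReceiverAuthenticationMethods -WebReceiverService $rfw

# ---------- Client side: run on a domain-joined Windows client ----------
# Internet Explorer, Edge and Chrome read the Windows URL zones. Zone 1 is Local
# intranet, where "Automatic logon only in the Intranet zone" applies. Map the exact
# host, not the whole domain: every host placed in this zone receives the user's
# Windows credentials automatically. The key below maps https://storefront.example.com
# (key path is <domain>\<host>, value name is the scheme).
$storeFrontHost = 'storefront.example.com'
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com\storefront'
New-Item -Path $zoneKey -Force | Out-Null
New-ItemProperty -Path $zoneKey -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null

# Firefox ignores the Windows zones. Instead of editing about:config by hand on every
# device, ship the enterprise Authentication policy, which sets
# network.automatic-ntlm-auth.trusted-uris for all users. Same rule: list the site, not the domain.
$policyDir  = Join-Path $Env:ProgramFiles 'Mozilla Firefox\distribution'
$policyFile = Join-Path $policyDir 'policies.json'
New-Item -Path $policyDir -ItemType Directory -Force | Out-Null
$policy = @{ policies = @{ Authentication = @{ NTLM = @("https://$storeFrontHost") } } }
$policy | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding UTF8
```

The HKCU zone mapping is written for the account running the script; for a fleet, deliver the same mapping through the “Site to Zone Assignment List” Group Policy setting, and deliver policies.json through your Firefox deployment tooling, so that users cannot widen either list themselves.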

Pass-through from Citrix Gateway

Users authenticate to Citrix Gateway and are automatically logged on when they access their stores. Pass-through from Citrix Gateway authentication is enabled by default when you first configure remote access to a store. Users can connect through Citrix Gateway to stores using Citrix Workspace app or Citrix Receiver for Web sites. For more information about configuring StoreFront for Citrix Gateway, see Add a Citrix Gateway connection.

StoreFront supports pass-through with the following Citrix Gateway authentication methods.

  • Security token. Users log on to Citrix Gateway using passcodes derived from tokencodes generated by security tokens, sometimes combined with personal identification numbers. If you enable pass-through authentication by security token only, ensure that the resources you make available do not require extra or alternative forms of authentication, such as users’ Microsoft Active Directory domain credentials.
  • Domain and security token. Users logging on to Citrix Gateway are required to enter both their domain credentials and security token passcodes.
  • Client certificate. Users log on to Citrix Gateway and are authenticated based on the attributes of the client certificate presented to Citrix Gateway. Configure client certificate authentication to enable users to log on to Citrix Gateway using smart cards. Client certificate authentication can also be used with other authentication types to provide double-source authentication.

StoreFront uses the Citrix Gateway authentication service to provide pass-through authentication for remote users so that they only need to enter their credentials once. However, by default, pass-through authentication is only enabled for users logging on to Citrix Gateway with a password. To configure pass-through authentication from Citrix Gateway to StoreFront for smart card users, delegate credential validation to Citrix Gateway. For more information, see Create and configure the authentication service.

Users can connect to stores within Citrix Workspace app with pass-through authentication through a Secure Sockets Layer (SSL) virtual private network (VPN) tunnel using the Citrix Gateway plug-in. Remote users who can’t install the Citrix Gateway plug-in can use clientless access to connect to stores within Citrix Workspace app with pass-through authentication. To use clientless access to connect to stores, users require a version of Citrix Workspace app that supports clientless access.

Also, you can enable clientless access with pass-through authentication to Citrix Receiver for Web sites. To do this, configure Citrix Gateway to act as a secure remote proxy. Users log on to Citrix Gateway directly and use the Citrix Receiver for Web site to access their applications without needing to authenticate again.

Users connecting with clientless access to Endpoint Management resources can only access external software-as-a-service (SaaS) applications. To access internal web applications, remote users must use the Citrix Gateway plug-in.

If you configure double-source authentication to Citrix Gateway for remote users accessing stores from within Citrix Workspace app, you must create two authentication policies on Citrix Gateway. Configure RADIUS (Remote Authentication Dial-In User Service) as the primary authentication method and LDAP (Lightweight Directory Access Protocol) as the secondary method. Modify the credential index to use the secondary authentication method in the session profile so that LDAP credentials are passed to StoreFront. When you add the Citrix Gateway appliance to your StoreFront configuration, set the Logon type to Domain and security token. For more information, see http://support.citrix.com/article/CTX125364
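The StoreFront half of that double-source setup as a script, added here as an example that is not from the Citrix documentation. It assumes the StoreFront SDK cmdlets Add-STFRoamingGateway, Register-STFStoreGateway, Get-STFRoamingGateway and Enable-STFAuthenticationServiceProtocol, the LogonType value DomainAndRSA as the SDK name for “Domain and security token”, and the parameter name SecureTicketAuthorityUrls; the gateway, callback and STA URLs are placeholders.

```powershell
# Added example, not Citrix's own code. Cmdlet names, the DomainAndRSA logon type
# and the SecureTicketAuthorityUrls parameter are assumed from the StoreFront SDK;
# URLs are placeholders.
& "$Env:ProgramFiles\Citrix\Receiver StoreFront\Scripts\ImportModules.ps1"

$store = Get-STFStoreService -VirtualPath '/Citrix/Store'
$auth  = Get-STFAuthenticationService -StoreService $store

# CitrixAGBasic is the protocol through which StoreFront accepts credentials
# forwarded by Citrix Gateway (pass-through from Citrix Gateway).
Enable-STFAuthenticationServiceProtocol -AuthenticationService $auth -Name 'CitrixAGBasic'

# DomainAndRSA tells StoreFront that the gateway forwards domain credentials from
# its secondary (LDAP) policy. The RADIUS passcode is consumed on the gateway and
# never reaches StoreFront or the VDA, which is why the gateway's credential index
# must point at the secondary policy.
$gw = Add-STFRoamingGateway -Name 'Gateway-RADIUS-LDAP' `
        -LogonType DomainAndRSA `
        -GatewayUrl 'https://gateway.example.com' `
        -CallbackUrl 'https://gateway.example.com' `
        -SecureTicketAuthorityUrls 'https://ddc1.example.com/scripts/ctxsta.dll'

Register-STFStoreGateway -Gateway $gw -StoreService $store -DefaultGateway

# Check: the store's gateway must show LogonType DomainAndRSA and the callback URL
# must resolve to the gateway virtual server that StoreFront is allowed to call back.
Get-STFRoamingGateway -Name 'Gateway-RADIUS-LDAP' |
    Select-Object Name, LogonType, GatewayUrl, CallbackUrl
```

The callback URL is what StoreFront uses to ask the gateway to confirm a session it has been handed, so it must point at the authenticating virtual server and StoreFront must trust that server’s certificate; a callback that is reachable from StoreFront but served by a different virtual server fails the pass-through silently.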

To enable multidomain authentication through Citrix Gateway to StoreFront, set SSO Name Attribute to userPrincipalName in the Citrix Gateway LDAP authentication policy for each domain. You can require users to specify a domain on the Citrix Gateway logon page so that the appropriate LDAP policy to use can be determined. When you configure the Citrix Gateway session profiles for connections to StoreFront, do not specify a single sign-on domain. You must configure trust relationships between each of the domains. Ensure that you allow users to log on to StoreFront from any domain by not restricting access to explicitly trusted domains only.

Where supported by your Citrix Gateway deployment, you can use SmartAccess to control user access to Citrix Virtual Apps and Desktops resources based on Citrix Gateway session policies. For more information about SmartAccess, see How SmartAccess works for Citrix Virtual Apps and Desktops.

Smart cards

Users authenticate using smart cards and PINs when they access their stores. When you install StoreFront, smart card authentication is disabled by default. Smart card authentication can be enabled for users connecting to stores through Citrix Workspace app, Citrix Receiver for Web, and XenApp Services URLs.

Use smart card authentication to streamline the logon process for your users while also enhancing the security of user access to your infrastructure. Access to the internal corporate network is protected by certificate-based two-factor authentication using the public key infrastructure. Private keys are protected by hardware controls and never leave the smart card. Your users get the convenience of accessing their desktops and applications from a range of corporate devices using their smart cards and PINs.

You can use smart cards for user authentication through StoreFront to desktops and applications provided by Citrix Virtual Apps and Desktops. Smart card users logging on to StoreFront can also access applications provided by the Endpoint Management. However, users must authenticate again to access Endpoint Management web applications that use client certificate authentication.

To enable smart card authentication, users’ accounts must be configured either within the Microsoft Active Directory domain containing the StoreFront servers or within a domain that has a direct two-way trust relationship with the StoreFront server domain. Multi-forest deployments involving two-way trusts are supported.

The configuration of smart card authentication with StoreFront depends on the user devices, the clients installed, and whether the devices are domain-joined. In this context, domain-joined means devices that are joined to a domain within the Active Directory forest containing the StoreFront servers.

Use smart cards with Citrix Receiver for Windows or Citrix Workspace app for Windows

Users with devices running Citrix Receiver for Windows or Citrix Workspace app for Windows can authenticate using smart cards, either directly or through Citrix Gateway. Both domain-joined and non-domain-joined devices can be used, although the user experience is slightly different.

The figure shows the options for smart card authentication through Citrix Receiver for Windows or Citrix Workspace app for Windows.

Options for smart card authentication through Citrix Receiver for Windows or Citrix Workspace app for Windows

For local users with domain-joined devices, you can configure smart card authentication so that users are only prompted for their credentials once. Users log on to their devices using their smart cards and PINs and, with the appropriate configuration in place, aren’t prompted for their PINs again. Users are silently authenticated to StoreFront and also when they access their desktops and applications. To achieve this, you configure Citrix Receiver for Windows or Citrix Workspace app for Windows for pass-through authentication and enable domain pass-through authentication to StoreFront.

For local users with non-domain-joined devices, users log on to their devices and then authenticate to Citrix Receiver for Windows or Citrix Workspace app for Windows using their PINs. There are no further PIN prompts when they start apps and desktops.

Because users of non-domain-joined devices log on to Citrix Receiver for Windows or Citrix Workspace app for Windows directly, you can enable users to fall back to explicit authentication. If you configure both smart card and explicit authentication, users are initially prompted to log on using their smart cards and PINs but have the option to select explicit authentication if they experience any issues with their smart cards.

Users connecting through Citrix Gateway must log on using their smart cards and PINs at least twice to access their desktops and applications. This applies to both domain-joined and non-domain-joined devices. Users authenticate using their smart cards and PINs, and, with the appropriate configuration in place, are only prompted to enter their PINs again when they access their desktops and applications. To achieve this, you enable pass-through with Citrix Gateway authentication to StoreFront and delegate credential validation to Citrix Gateway. Then, create an extra Citrix Gateway virtual server through which you route user connections to resources. In the case of domain-joined devices, you must also configure Citrix Receiver for Windows or Citrix Workspace app for Windows for pass-through authentication.

Note:

If you’re using Citrix Receiver for Windows or Citrix Workspace app for Windows, you can set up a second virtual server and use the optimal gateway routing feature to remove the need for PIN prompts when starting apps and desktops.

Users can log on to Citrix Gateway using either their smart cards and PINs, or with explicit credentials. This enables you to provide users with the option to fall back to explicit authentication for Citrix Gateway logons. Configure pass-through authentication from Citrix Gateway to StoreFront and delegate credential validation to Citrix Gateway for smart card users so that users are silently authenticated to StoreFront.

Use smart cards with XenApp Services URLs

Users of PCs running the Citrix Desktop Lock can authenticate using smart cards. Unlike other access methods, pass-through of smart card credentials is automatically enabled when smart card authentication is configured for a XenApp Services URL.

The figure shows smart card authentication from a domain-joined device running the Citrix Desktop Lock.

Smart card authentication from a domain-joined device running the Citrix Desktop Lock

Users log on to their devices using their smart cards and PINs. The Citrix Desktop Lock then silently authenticates users to StoreFront through the XenApp Services URL. Users are automatically authenticated when they access their desktops and applications, and aren’t prompted for their PINs again.

Use smart cards with Citrix Receiver for Web

You can enable smart card authentication to Citrix Receiver for Web from the StoreFront Administration Console.

  1. Select the Citrix Receiver for Web node in the left panel.
  2. Select the site for which you want to use smart card authentication.
  3. Select the Choose Authentication Methods task in the right panel.
  4. Select the Smart card check box in the dialog and click OK.

If you enable pass-through with smart card authentication to Citrix Virtual Apps and Desktops for Citrix Receiver for Windows or Citrix Workspace app for Windows users with domain-joined devices who do not access stores through Citrix Gateway, this setting applies to all users of the store. To enable both domain pass-through and pass-through with smart card authentication to desktops and applications, you must create separate stores for each authentication method. Your users must then connect to the appropriate store for their method of authentication.

If you enable pass-through with smart card authentication to Citrix Virtual Apps and Desktops for Citrix Receiver for Windows or Citrix Workspace app for Windows users with domain-joined devices accessing stores through Citrix Gateway, this setting applies to all users of the store. To enable pass-through authentication for some users and require others to log on to their desktops and applications, you must create separate stores for each group of users. Then, direct your users to the appropriate store for their method of authentication.

Use smart cards with Citrix Workspace app for iOS and Android

Users with devices running Citrix Workspace app for iOS and Android can authenticate using smart cards, either directly or through Citrix Gateway. Non-domain-joined devices can be used.

Using smart cards with Citrix Workspace app for iOS and Android

In the case of devices on the local network, the minimum number of logon prompts that users can receive is two. When users authenticate to StoreFront or initially create the store, they’re prompted for the smart card PIN. With the appropriate configuration in place, users are prompted to enter their PINs again only when they access their desktops and applications. To achieve this, you enable smart card authentication to StoreFront and install smart card drivers on the VDA.

With these Citrix Workspace apps, you have the option of specifying smart cards OR domain credentials. If you created a store to use smart cards and you want to connect to the same store using domain credentials, you must add a separate store without turning on smart cards.

Users connecting through Citrix Gateway must log on using their smart cards and PINs at least twice to access their desktops and applications. Users authenticate using their smart cards and PINs, and, with the appropriate configuration in place, are only prompted to enter their PINs again when they access their desktops and applications. To achieve this, you enable pass-through with Citrix Gateway authentication to StoreFront and delegate credential validation to Citrix Gateway. Then, create an extra Citrix Gateway virtual server through which you route user connections to resources.

Users can log on to Citrix Gateway using either their smart cards and PINs or with explicit credentials, depending on how you specified the authentication for the connection. Configure pass-through authentication from Citrix Gateway to StoreFront and delegate credential validation to Citrix Gateway for smart card users so that users are silently authenticated to StoreFront. If you want to change the authentication method, you must delete and recreate the connection.

Use smart cards with Citrix Receiver for Linux or Citrix Workspace app for Linux

Users with devices running Citrix Receiver for Linux or Citrix Workspace app for Linux can authenticate using smart cards in a similar way to users of non-domain-joined Windows devices. Even if the user authenticates to the Linux device with a smart card, Citrix Receiver for Linux or Citrix Workspace app for Linux has no mechanism to acquire or reuse the PIN entered.

Configure the server-side components for smart cards the same way that you configure them for use with Citrix Receiver for Windows or Citrix Workspace app for Windows. See Configure smart card authentication; for instructions on using smart cards on the client, see Citrix Receiver for Linux.

The minimum number of logon prompts that users can receive is one. Users log on to their devices and then authenticate to Citrix Receiver for Linux or Citrix Workspace app for Linux using their smart cards and PINs. Users aren’t prompted to enter their PINs again when they access their desktops and applications. To achieve this, you enable smart card authentication to StoreFront.

Because users log on to Citrix Receiver for Linux or Citrix Workspace app for Linux directly, you can enable users to fall back to explicit authentication. If you configure both smart card and explicit authentication, users are initially prompted to log on using their smart cards and PINs but have the option to select explicit authentication if they experience any issues with their smart cards.

Users connecting through Citrix Gateway must log on using their smart cards and PINs at least once to access their desktops and applications. Users authenticate using their smart cards and PINs and, with the appropriate configuration in place, aren’t prompted to enter their PINs again when they access their desktops and applications. To achieve this, you enable pass-through with Citrix Gateway authentication to StoreFront and delegate credential validation to Citrix Gateway. Then, create an extra Citrix Gateway virtual server through which you route user connections to resources.

Users can log on to Citrix Gateway using either their smart cards and PINs, or with explicit credentials. This enables you to provide users with the option to fall back to explicit authentication for Citrix Gateway logons. Configure pass-through authentication from Citrix Gateway to StoreFront and delegate credential validation to Citrix Gateway for smart card users so that users are silently authenticated to StoreFront.

Smart cards for Citrix Receiver for Linux or Citrix Workspace app for Linux aren’t supported with the XenApp Services Support sites.

Once smart card support is enabled for both the server and Citrix Workspace app, and provided that the application policy of the smart card certificates allows it, you can use smart cards for the following purposes:

  • Smart card logon authentication. Use smart cards to authenticate users to Citrix Virtual Apps and Desktops servers.
  • Smart card application support. Enable smart card-aware published applications to access local smart card devices.

Use smart cards with XenApp Services Support

Users logging on to XenApp Services Support sites to start applications and desktops can authenticate using smart cards without depending on specific hardware, operating systems, and Citrix Workspace apps. When a user accesses a XenApp Services Support site and successfully enters a smart card and PIN, PNA determines the user identity, authenticates the user with StoreFront, and returns the available resources.

For pass-through and smart card authentication to work, you must enable Trust requests sent to the XML service on the Delivery Controller. With this setting enabled, the Controller accepts the user identity asserted by StoreFront without validating a password, so restrict network access to the XML service port to the StoreFront servers (for example, with IPsec or Windows Firewall).

Use an account with local administrator permissions on the Delivery Controller to start Windows PowerShell and, at a command prompt, enter the following commands to enable the Delivery Controller to trust XML requests sent from StoreFront. The following procedure applies to XenApp 7.5 through 7.8 and XenDesktop 7.0 through 7.8.

  1. Load the Citrix cmdlets by typing asnp Citrix*. (including the period).
  2. Type Add-PSSnapin citrix.broker.admin.v2.
  3. Type Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True.
  4. Close PowerShell.
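The same change as a script that also verifies the setting and limits who may reach the XML port, added here as an example that is not from the page. It assumes the XML service listens on TCP 80 (the default when the broker shares the port with IIS; use 8080 if the broker has its own port) and that the StoreFront servers are 10.0.10.11 and 10.0.10.12.

```powershell
# Added example, not Citrix's code. Run on the Delivery Controller as a local
# administrator. Assumptions: XML service on TCP 80 and StoreFront servers at
# 10.0.10.11 and 10.0.10.12.
#Requires -RunAsAdministrator
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

# Verify the setting took effect before relying on it.
if (-not (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort) {
    throw 'TrustRequestsSentToTheXmlServicePort is still False'
}

# With trust enabled the Controller brokers sessions for whatever user identity
# StoreFront asserts, without seeing a password. Anything that can reach the XML
# port can therefore impersonate any user, so allow only the StoreFront servers.
$xmlPort     = 80
$storeFronts = '10.0.10.11', '10.0.10.12'

New-NetFirewallRule -DisplayName 'Citrix XML service (StoreFront only)' `
    -Direction Inbound -Protocol TCP -LocalPort $xmlPort `
    -RemoteAddress $storeFronts -Action Allow | Out-Null

# Windows Firewall applies Block rules before Allow rules, so a catch-all Block on
# the same port would also cut off StoreFront. Instead confirm the profile default
# is Block and that no other enabled rule opens the port to Any address.
Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block' |
    ForEach-Object { Write-Warning "Profile $($_.Name) does not block inbound by default" }

$wideOpen = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and @($_.LocalPort) -contains "$xmlPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Where-Object { @(($_ | Get-NetFirewallAddressFilter).RemoteAddress) -contains 'Any' }

foreach ($rule in $wideOpen) {
    Write-Warning "Rule '$($rule.DisplayName)' allows TCP $xmlPort from Any; scope or disable it"
}
```

If the Controller also serves other HTTP content on the same port, scoping port 80 to the StoreFront servers cuts that off too; in that case move the XML service to a dedicated port first, then scope that port instead.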

For information about configuring the XenApp Services Support smart card authentication method, see Configure authentication for XenApp Services URLs.

Important considerations

Use of smart cards for user authentication with StoreFront is subject to the following requirements and restrictions.

  • To use virtual private network (VPN) tunnels with smart card authentication, users must install the Citrix Gateway plug-in and log on through a webpage, using their smart cards and PINs to authenticate at each step. Pass-through authentication to StoreFront with the Citrix Gateway plug-in isn’t available for smart card users.

  • Multiple smart cards and multiple readers can be used on the same user device, but if you enable pass-through with smart card authentication, users must ensure that only one smart card is inserted when accessing a desktop or application.

  • When a smart card is used within an application, such as for digital signing or encryption, users might see extra prompts to insert a smart card or enter a PIN. This can occur if more than one smart card has been inserted at the same time. It can also occur due to configuration settings - such as middleware settings like PIN caching that are typically configured using group policy. Users who are prompted to insert a smart card when the smart card is already in the reader must click Cancel. If users are prompted for a PIN, they must enter their PINs again.

  • Only one authentication method can be configured for each XenApp Services URL and only one URL is available per store. If you need to enable other types of authentication in addition to smart card authentication, you must create separate stores, each with a XenApp Services URL, for each authentication method. Then, direct your users to the appropriate store for their method of authentication.

  • When StoreFront is installed, the default configuration in Microsoft Internet Information Services (IIS) only requires that client certificates are presented for HTTPS connections to the certificate authentication URL of the StoreFront authentication service. IIS does not request client certificates for any other StoreFront URLs. This configuration enables you to provide smart card users with the option to fall back to explicit authentication if they experience any issues with their smart cards. Subject to the appropriate Windows policy settings, users can also remove their smart cards without needing to reauthenticate.

    If you decide to configure IIS to require client certificates for HTTPS connections to all StoreFront URLs, the authentication service and stores must be colocated on the same server. You must use a client certificate that is valid for all the stores. With this IIS site configuration, smart card users can’t connect through Citrix Gateway and can’t fall back to explicit authentication. Users must log on again if they remove their smart cards from their devices.
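A check for the IIS configuration described above, added here as an example that is not from the page: it lists the sslFlags of every StoreFront application and flags any URL other than the certificate authentication URL that requires a client certificate, since that is the configuration that breaks Citrix Gateway access and the explicit fallback. It assumes the IIS WebAdministration module, StoreFront installed under “Default Web Site”, and the certificate endpoint at /Citrix/Authentication/Certificate.

```powershell
# Added example, not Citrix's code. Assumptions: WebAdministration module,
# StoreFront under 'Default Web Site', certificate endpoint at
# /Citrix/Authentication/Certificate.
Import-Module WebAdministration

$siteName     = 'Default Web Site'
$certLocation = '/Citrix/Authentication/Certificate'

function Get-SslFlags {
    param([string]$RelativePath)
    # sslFlags is a flag list such as "Ssl, SslNegotiateCert, SslRequireCert".
    # SslNegotiateCert alone means "accept"; SslRequireCert means "require".
    $attr = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName$RelativePath" `
                -Filter 'system.webServer/security/access' -Name 'sslFlags'
    [string]$attr.Value
}

function Get-StoreFrontClientCertReport {
    # Every StoreFront application plus the certificate endpoint location, which is
    # a configured location under the Authentication application, not an application.
    $paths = @(Get-WebApplication -Site $siteName |
               Where-Object Path -like '/Citrix/*' |
               ForEach-Object { $_.Path }) + $certLocation

    foreach ($p in $paths | Sort-Object -Unique) {
        $flags    = Get-SslFlags -RelativePath $p
        $requires = [bool]($flags -match 'SslRequireCert')
        $expected = ($p -eq $certLocation)
        [pscustomobject]@{
            Path               = $p
            SslFlags           = $flags
            RequiresClientCert = $requires
            Status             = if ($requires -eq $expected) { 'OK' } else { 'UNEXPECTED' }
        }
    }
}

$report = Get-StoreFrontClientCertReport
$report | Format-Table -AutoSize

$bad = $report | Where-Object Status -ne 'OK'
foreach ($b in $bad) {
    if ($b.RequiresClientCert) {
        Write-Warning "$($b.Path) requires a client certificate: Citrix Gateway users and explicit fallback will fail here"
    } else {
        Write-Warning "$($b.Path) does not require a client certificate: smart card logon to this endpoint is not enforced"
    }
}
```

Run the report again after any StoreFront upgrade or manual IIS change; StoreFront writes these flags per location in applicationHost.config, and a site-wide “Require” set in IIS Manager overrides them for every URL at once.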
