Kerberos authentication
Supported on: All Citrix Workspace supported platforms
Description
Use this policy to control how the client uses Kerberos to authenticate the user to the remote application or desktop. When enabled, the client may authenticate the user with the Kerberos protocol. Kerberos is an authentication exchange authorised by the Domain Controller, which avoids transmitting the user's real credentials to the server. When disabled, the client will not attempt Kerberos authentication.

Troubleshooting:
- The machine running the client and the server running the remote application must be in domains that have a trust relationship.
- The Domain Controller must be aware that the Citrix XenApp server will perform a full user logon (interactive logon) using Kerberos. This is configured using the "Trust for Delegated Authentication" settings on the Domain Controller.
- When connecting through the Web Interface, the Web Interface server must be aware that the client will connect using Kerberos authentication. By default the Web Interface server uses an IP address for the destination server, whereas Kerberos authentication requires a Fully Qualified Domain Name.
- Both client and server machines must have correctly registered DNS entries, because the endpoints authenticate each other during connection.
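As an added example (not part of the gporais.com export or of Citrix's own documentation), a PowerShell pre-flight check for the prerequisites listed under Troubleshooting: domain membership of the client, forward and reverse DNS for the server's FQDN, the delegation trust on the server's computer account, and the current SSPIEnabled value. $CitrixServer is an assumed parameter holding the XenApp server's FQDN, and the delegation check assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example: pre-flight checks for the Kerberos prerequisites described above.
# Assumptions: $CitrixServer is the XenApp server FQDN; Get-ADComputer needs the
# RSAT ActiveDirectory module and rights to read the computer account.
param(
    [Parameter(Mandatory = $true)][string]$CitrixServer
)

$results = [ordered]@{}

# 1. The client must be domain-joined; note its domain to compare with the server's.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['ClientDomainJoined'] = $cs.PartOfDomain
$results['ClientDomain']       = $cs.Domain

# 2. Kerberos needs an FQDN, not an IP: the forward lookup must succeed and the
#    reverse lookup of that address should map back to the same name.
try {
    $a = Resolve-DnsName -Name $CitrixServer -Type A -ErrorAction Stop |
         Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    $ptr = Resolve-DnsName -Name $a.IPAddress -Type PTR -ErrorAction Stop |
           Select-Object -First 1
    $results['ForwardDns']        = $true
    $results['ReverseDnsMatches'] = ($ptr.NameHost.TrimEnd('.') -ieq $CitrixServer.TrimEnd('.'))
} catch {
    $results['ForwardDns']        = $false
    $results['ReverseDnsMatches'] = $false
}

# 3. "Trust for Delegated Authentication" is the TrustedForDelegation attribute
#    on the server's computer account in AD.
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $name = ($CitrixServer -split '\.')[0]
    $acct = Get-ADComputer -Identity $name -Properties TrustedForDelegation -ErrorAction Stop
    $results['ServerTrustedForDelegation'] = [bool]$acct.TrustedForDelegation
} catch {
    $results['ServerTrustedForDelegation'] = 'Unknown (AD module or account lookup failed)'
}

# 4. Current value of this policy's own registry setting on the client.
$key = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos'
$results['SSPIEnabled'] = (Get-ItemProperty -Path $key -Name 'SSPIEnabled' -ErrorAction SilentlyContinue).SSPIEnabled

[pscustomobject]$results | Format-List
```

A $false in any of the first three checks points at the corresponding Troubleshooting item; the script only reports and changes nothing.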
Registry
Key: Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos
Value name: SSPIEnabled
Enabled: SSPIEnabled = true,false
Disabled: SSPIEnabled = false
This policy sets several registry values:
- SSOnUserSetting (key: Local Credentials): SSOnUserSetting = true,false
- EnableSSOnThruICAFile (key: Local Credentials): EnableSSOnThruICAFile = true
REG Builder (beta)
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Kerberos authentication
; State: Enabled
; Supported on: All Citrix Workspace supported platforms
[HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos]
"SSPIEnabled"="true,false"
[HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials]
"SSOnUserSetting"="true,false"
"EnableSSOnThruICAFile"="true"
PowerShell
# Exported from gporais.com
# Policy: Kerberos authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'SSPIEnabled' -Value 'true,false' -Type String
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'SSOnUserSetting' -Value 'true,false' -Type String
Set-ItemProperty -Path $path -Name 'EnableSSOnThruICAFile' -Value 'true' -Type String
Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Kerberos authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$checks = @(
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos' -Name 'SSPIEnabled' -Expected 'true,false' -Kind String)
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials' -Name 'SSOnUserSetting' -Expected 'true,false' -Kind String)
    (Test-RegistryValue -Path 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials' -Name 'EnableSSOnThruICAFile' -Expected 'true' -Kind String)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Kerberos authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'SSPIEnabled' -Value 'true,false' -Type String
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
New-Item -Path $path -Force | Out-Null
Set-ItemProperty -Path $path -Name 'SSOnUserSetting' -Value 'true,false' -Type String
Set-ItemProperty -Path $path -Name 'EnableSSOnThruICAFile' -Value 'true' -Type String
SCCM CI
# Exported from gporais.com
# Policy: Kerberos authentication
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script from the Intune Remediation section above (identical content).
# Remediation script: use the Remediation script from the Intune Remediation section above (identical content).
# Compliance rule: the Discovery script output equals 'Compliant'.