en-US citrix computer

Kerberos authentication

Citrix Workspace App

Supported on: All Citrix Workspace supported platforms

Description

Use this policy to control how the client uses Kerberos to authenticate the user to the remote application or desktop. When enabled, this policy allows the client to authenticate the user using the Kerberos protocol. Kerberos is a Domain Controller authorised authentication transaction that avoids the need to transmit the real user credential data to the server. When disabled, the client will not attempt Kerberos authentication. Troubleshooting: The machine running the client and the server running the remote application must be in domains that have a trust relationship. The Domain Controller must be aware that the Citrix XenApp server will be performing a full user logon (interactive logon) using Kerberos. This is configured using the "Trust for Delegated Authentication" settings on the Domain Controller. When connecting using the Web Interface, the Web Interface server must be aware that the client will connect using Kerberos authentication. This is necessary because by default the Web Interface server will use an IP address for the destination server whereas Kerberos authentication requires a Fully Qualified Domain Name. Both client and server machines must have correctly registered DNS entries. This is necessary because endpoints will authenticate each other during connection.

Registry

HKLM Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos

Value name: SSPIEnabled

Enabled: SSPIEnabled = true,false

Disabled: SSPIEnabled = false

This policy sets several registry values:

SSOnUserSetting Local Credentials
Enabled: SSOnUserSetting = true,false
EnableSSOnThruICAFile Local Credentials
Enabled: EnableSSOnThruICAFile = true
SSPIEnabled ICA Client
Enabled: SSPIEnabled = 1

REG Builder

BETA

Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.

These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.

.reg file

Windows Registry Editor Version 5.00

; Exported from gporais.com
; Policy: Kerberos authentication
; State: Enabled
; Supported on: All Citrix Workspace supported platforms

[HKEY_LOCAL_MACHINE\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos]
"SSPIEnabled"="true,false"

[HKEY_LOCAL_MACHINE\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials]
"SSOnUserSetting"="true,false"
"EnableSSOnThruICAFile"="true"

[HKEY_LOCAL_MACHINE\Software\Citrix\ICA Client]
"SSPIEnabled"=dword:00000001