Local user name and password
Supported on: All Citrix Workspace supported platforms
Description
Use this policy to instruct the client to use the same logon credentials (pass-through authentication) for the Citrix XenApp server as the client computer. When this policy is enabled, the client can be prevented from using the current user's logon credentials to authenticate to the remote server by clearing the "Enable pass-through authentication" check box.
The client imposes certain restrictions specifying when pass-through authentication can occur (for details, see Citrix eDocs at http://support.citrix.com/proddocs/). If these restrictions are too strict for your environment, select the "Allow pass-through authentication for all ICA connections" check box to bypass the pass-through authentication restrictions.
When run in a Novell Directory Server environment, selecting the "Use Novell Directory Server credentials" check box requests that the client use the user’s NDS credentials.
Troubleshooting: To enable pass-through authentication, the client must have been installed by an administrator, and the "Allow Local Credential Pass-through" option must have been selected at that time. Each user can choose to disable pass-through authentication through the client registry settings, the Program Neighbourhood window, or by editing their copy of AppSrv.ini. To enable pass-through authentication, the user's copy of AppSrv.ini must contain the setting "EnableSSonThruICAFile=true".
Registry
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials
Value name: UseLocalUserAndPassword
Enabled: UseLocalUserAndPassword = true,false
Disabled: UseLocalUserAndPassword = false
This policy sets several registry values:
SSOnUserSetting = true,false
EnableSSOnThruICAFile = true
REG Builder (BETA)
Configure the state and elements to generate .reg, PowerShell, Intune, and SCCM outputs.
These exports replicate the policy's registry effect. Editing the registry directly is not the same as applying the GPO through the management console (no gpupdate, no central reporting). Test before production; HKLM changes require administrator rights.
.reg file
Windows Registry Editor Version 5.00
; Exported from gporais.com
; Policy: Local user name and password
; State: Enabled
; Supported on: All Citrix Workspace supported platforms
[HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials]
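; UseLocalUserAndPassword is kept as the string value documented for this policy.
; The export also set the same name to dword:00000001, which would overwrite the string on import.
"UseLocalUserAndPassword"="true,false"
"SSOnUserSetting"="true,false"
"EnableSSOnThruICAFile"="true"
"LegacyLocalUserNameAndPassword"=dword:00000000
"SSOnCredentialType"=dword:00000000
PowerShell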
# Exported from gporais.com
# Policy: Local user name and password
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
New-Item -Path $path -Force | Out-Null
# UseLocalUserAndPassword is written only as the string documented for this policy;
# the export also wrote it as DWord 1, which would replace the string value.
Set-ItemProperty -Path $path -Name 'UseLocalUserAndPassword' -Value 'true,false' -Type String
Set-ItemProperty -Path $path -Name 'SSOnUserSetting' -Value 'true,false' -Type String
Set-ItemProperty -Path $path -Name 'EnableSSOnThruICAFile' -Value 'true' -Type String
Set-ItemProperty -Path $path -Name 'LegacyLocalUserNameAndPassword' -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name 'SSOnCredentialType' -Value 0 -Type DWord
Intune XML
No direct Policy CSP / OMA-URI mapping for this policy. Use the Intune Remediation tab, or ingest the ADMX in Intune.
Intune Remediation
# === Detection script ===
# Exported from gporais.com
# Policy: Local user name and password
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    # A missing key or value only counts as a pass when -Absent was requested.
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$policyKey = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
# UseLocalUserAndPassword is checked only as the string documented for this policy.
# The export also tested the same name as DWord 1; one value cannot hold both, so the script could never report Compliant.
$checks = @(
    (Test-RegistryValue -Path $policyKey -Name 'UseLocalUserAndPassword' -Expected 'true,false' -Kind String)
    (Test-RegistryValue -Path $policyKey -Name 'SSOnUserSetting' -Expected 'true,false' -Kind String)
    (Test-RegistryValue -Path $policyKey -Name 'EnableSSOnThruICAFile' -Expected 'true' -Kind String)
    (Test-RegistryValue -Path $policyKey -Name 'LegacyLocalUserNameAndPassword' -Expected 0 -Kind DWord)
    (Test-RegistryValue -Path $policyKey -Name 'SSOnCredentialType' -Expected 0 -Kind DWord)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Local user name and password
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
New-Item -Path $path -Force | Out-Null
# UseLocalUserAndPassword is written only as the string documented for this policy;
# the export also wrote it as DWord 1, which would replace the string value.
Set-ItemProperty -Path $path -Name 'UseLocalUserAndPassword' -Value 'true,false' -Type String
Set-ItemProperty -Path $path -Name 'SSOnUserSetting' -Value 'true,false' -Type String
Set-ItemProperty -Path $path -Name 'EnableSSOnThruICAFile' -Value 'true' -Type String
Set-ItemProperty -Path $path -Name 'LegacyLocalUserNameAndPassword' -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name 'SSOnCredentialType' -Value 0 -Type DWord
SCCM CI
# Exported from gporais.com
# Policy: Local user name and password
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
# SCCM Configuration Item guidance:
# Create a Configuration Item of type "Setting: Script".
# Discovery script: use the Detection script below.
# Remediation script: use the Remediation script below.
# Compliance rule: the Discovery script output equals 'Compliant'.
# === Detection script ===
# Exported from gporais.com
# Policy: Local user name and password
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
function Test-RegistryValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Name,
        [object]$Expected,
        [ValidateSet('String', 'DWord', 'MultiString')][string]$Kind = 'String',
        [switch]$Absent
    )
    # A missing key or value only counts as a pass when -Absent was requested.
    try {
        $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop
    } catch {
        return $Absent.IsPresent
    }
    if ($Absent.IsPresent) { return $false }
    $actual = $item.$Name
    if ($Kind -eq 'DWord') { return ([int64]$actual) -eq ([int64]$Expected) }
    if ($Kind -eq 'MultiString') {
        $actualValues = @($actual)
        $expectedValues = @($Expected)
        if ($actualValues.Count -ne $expectedValues.Count) { return $false }
        for ($i = 0; $i -lt $expectedValues.Count; $i++) {
            if ([string]$actualValues[$i] -ne [string]$expectedValues[$i]) { return $false }
        }
        return $true
    }
    return [string]$actual -eq [string]$Expected
}
$policyKey = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
# UseLocalUserAndPassword is checked only as the string documented for this policy.
# The export also tested the same name as DWord 1; one value cannot hold both, so the script could never report Compliant.
$checks = @(
    (Test-RegistryValue -Path $policyKey -Name 'UseLocalUserAndPassword' -Expected 'true,false' -Kind String)
    (Test-RegistryValue -Path $policyKey -Name 'SSOnUserSetting' -Expected 'true,false' -Kind String)
    (Test-RegistryValue -Path $policyKey -Name 'EnableSSOnThruICAFile' -Expected 'true' -Kind String)
    (Test-RegistryValue -Path $policyKey -Name 'LegacyLocalUserNameAndPassword' -Expected 0 -Kind DWord)
    (Test-RegistryValue -Path $policyKey -Name 'SSOnCredentialType' -Expected 0 -Kind DWord)
)
if ($checks -notcontains $false) {
    Write-Output 'Compliant'
    exit 0
}
Write-Output 'Non-compliant'
exit 1
# === Remediation script ===
# Exported from gporais.com
# Policy: Local user name and password
# State: Enabled
# Supported on: All Citrix Workspace supported platforms
$path = 'HKCU:\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
New-Item -Path $path -Force | Out-Null
# UseLocalUserAndPassword is written only as the string documented for this policy;
# the export also wrote it as DWord 1, which would replace the string value.
Set-ItemProperty -Path $path -Name 'UseLocalUserAndPassword' -Value 'true,false' -Type String
Set-ItemProperty -Path $path -Name 'SSOnUserSetting' -Value 'true,false' -Type String
Set-ItemProperty -Path $path -Name 'EnableSSOnThruICAFile' -Value 'true' -Type String
Set-ItemProperty -Path $path -Name 'LegacyLocalUserNameAndPassword' -Value 0 -Type DWord
Set-ItemProperty -Path $path -Name 'SSOnCredentialType' -Value 0 -Type DWord
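The exports above read and write HKCU, so their result depends on which account runs them. The following added example (not part of the gporais.com export) reports the same policy key for every user hive loaded under HKEY_USERS, which shows per user whether credential pass-through is enabled by policy. It assumes an elevated session; the function name Get-PassThroughPolicyState and the output column names are hypothetical.

```powershell
# Added example: per-user audit of the "Local user name and password" policy values.
$subKey = 'Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials'
$names  = 'UseLocalUserAndPassword', 'SSOnUserSetting', 'EnableSSOnThruICAFile'

function Get-PassThroughPolicyState {
    # Loaded user hives appear under HKEY_USERS keyed by SID (domain/local: S-1-5-21-*,
    # Entra ID: S-1-12-1-*). The anchored pattern skips the *_Classes hives and service SIDs.
    $sidKeys = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' }

    foreach ($sidKey in $sidKeys) {
        $sid  = $sidKey.PSChildName
        $path = "Registry::HKEY_USERS\$sid\$subKey"
        $row  = [ordered]@{
            Sid              = $sid
            PolicyKeyPresent = (Test-Path -LiteralPath $path)
        }

        foreach ($name in $names) {
            $row[$name] = $null
            if ($row.PolicyKeyPresent) {
                $key = Get-Item -LiteralPath $path
                if ($key.GetValueNames() -contains $name) {
                    # Keep the value kind next to the data: a DWord stored under a name
                    # this page documents as a string means the key has drifted.
                    $row[$name] = '{0} ({1})' -f $key.GetValue($name), $key.GetValueKind($name)
                }
            }
        }

        # This page documents 'true,false' as the Enabled data and 'false' as the Disabled data.
        $row['PassThroughEnabledByPolicy'] = ($row['UseLocalUserAndPassword'] -eq 'true,false (String)')
        [pscustomobject]$row
    }
}

Get-PassThroughPolicyState | Format-Table -AutoSize
```

Only hives that are currently loaded are listed, so users who are not signed in do not appear in the output.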