Kerberos authentication

Policy overview

Key metadata and intent for this policy.

Category
Citrix Components > Citrix Workspace > User authentication
Supported on
All Citrix Workspace supported platforms

Use this policy to control how the client uses Kerberos to authenticate the user to the remote application or desktop.

When enabled, this policy allows the client to authenticate the user using the Kerberos protocol. Kerberos is a Domain Controller authorised authentication transaction that avoids the need to transmit the real user credential data to the server.

When disabled, the client will not attempt Kerberos authentication.

Troubleshooting:

The machine running the client and the server running the remote application must be in domains that have a trust relationship.

The Domain Controller must be aware that the Citrix XenApp server will be performing a full user logon (interactive logon) using Kerberos. This is configured using the "Trust for Delegated Authentication" settings on the Domain Controller.

When connecting using the Web Interface, the Web Interface server must be aware that the client will connect using Kerberos authentication. This is necessary because, by default, the Web Interface server will use an IP address for the destination server, whereas Kerberos authentication requires a Fully Qualified Domain Name.

Both client and server machines must have correctly registered DNS entries. This is necessary because endpoints will authenticate each other during connection.

Internal name
Policy_KerberosLockdown
Computer
Policy_KerberosLockdown_1
User
Policy ID
f26123fac6c2
Elements
0

Registry values

How enabled and disabled states update the registry.

Registry location
Type REG_DWORD · Computer
Path
Software\Citrix\ICA Client
Value name
SSPIEnabled
Hive
HKLM
Enabled value
1
Disabled value
Registry location
Type REG_SZ · Both
Path
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos
Value name
SSPIEnabled
Hive
HKLM
Enabled value
true,false
Disabled value
Hive
HKCU
Enabled value
true,false
Disabled value
Registry location
Type REG_SZ · Both
Path
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials
Value name
EnableSSOnThruICAFile
Hive
HKLM
Enabled value
Disabled value
Hive
HKCU
Enabled value
Disabled value
Registry location
Type REG_SZ · Both
Path
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials
Value name
SSOnUserSetting
Hive
HKLM
Enabled value
true,false
Disabled value
Hive
HKCU
Enabled value
true,false
Disabled value
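An added audit example (not Citrix's code and not part of the original page): it reads the four registry values listed above on an endpoint and compares them with the page's "Enabled value" entries, then checks that a destination name is an FQDN that resolves, as the troubleshooting notes require. The function names `Get-KerberosPolicyState` and `Test-KerberosTargetName` and the host name `xenapp01.example.test` are hypothetical.

```powershell
# Added example: reports the registry values and name requirements this page lists.
# PageEnabled mirrors the page's "Enabled value" entries; $null means the page lists none.
# Paths are read exactly as listed. Assumption to verify: a 32-bit client on 64-bit
# Windows may instead see the redirected WOW6432Node view of HKLM\Software\Citrix.
$lockdown = 'Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon'
$PolicyValues = @(
    @{ Hives = 'HKLM';         Path = 'Software\Citrix\ICA Client';  Name = 'SSPIEnabled';           PageEnabled = '1' }
    @{ Hives = 'HKLM', 'HKCU'; Path = "$lockdown\Kerberos";          Name = 'SSPIEnabled';           PageEnabled = 'true,false' }
    @{ Hives = 'HKLM', 'HKCU'; Path = "$lockdown\Local Credentials"; Name = 'EnableSSOnThruICAFile'; PageEnabled = $null }
    @{ Hives = 'HKLM', 'HKCU'; Path = "$lockdown\Local Credentials"; Name = 'SSOnUserSetting';       PageEnabled = 'true,false' }
)

function Get-KerberosPolicyState {
    foreach ($entry in $PolicyValues) {
        foreach ($hive in $entry.Hives) {
            $key  = "${hive}:\$($entry.Path)"
            $prop = Get-ItemProperty -LiteralPath $key -Name $entry.Name -ErrorAction SilentlyContinue
            $actual = if ($prop) { [string]$prop.($entry.Name) } else { $null }
            if     ($null -eq $actual)              { $state = 'NotSet' }
            elseif ($null -eq $entry.PageEnabled)   { $state = 'Present' }
            elseif ($actual -eq $entry.PageEnabled) { $state = 'MatchesEnabledValue' }
            else                                    { $state = 'Differs' }
            [pscustomobject]@{
                Hive = $hive; Path = $entry.Path; Name = $entry.Name
                Value = $actual; PageEnabled = $entry.PageEnabled; State = $state
            }
        }
    }
}

function Test-KerberosTargetName {
    param([Parameter(Mandatory)][string]$Name)
    # The page notes that Kerberos needs an FQDN, not an IP address, and a registered DNS entry.
    $ip    = $null
    $isIp  = [System.Net.IPAddress]::TryParse($Name, [ref]$ip)
    $addrs = @()
    if (-not $isIp) {
        try { $addrs = @([System.Net.Dns]::GetHostAddresses($Name)) } catch { $addrs = @() }
    }
    [pscustomobject]@{
        Name      = $Name
        IsFqdn    = (-not $isIp) -and ($Name -match '\.')
        Resolves  = $addrs.Count -gt 0
        Addresses = $addrs -join ', '
    }
}

Get-KerberosPolicyState | Format-Table Hive, Name, Value, PageEnabled, State -AutoSize
Test-KerberosTargetName -Name 'xenapp01.example.test'   # constructed host name
```

A `Differs` row under HKCU alongside `MatchesEnabledValue` under HKLM shows that per-user and per-machine settings disagree on that endpoint.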

Policy elements

Inputs and configuration options exposed by this policy.

This policy has no additional user input fields.