How to deploy Citrix Receiver Enterprise 3.2 for pass-through authentication using AD GPO

This article describes how to deploy and configure CitrixReceiverEnterprise.exe so that it can be used in Pass-Through authentication mode in a XenDesktop deployment. This article also provides a detailed step-by-step guide about deploying and configuring CitrixReciverEnterprise.exe onto a large number of End User Devices using Active Directory Group Policy Object.

When successfully installed and configured, the users are able to access their XenDesktop resources without the need to enter their credentials again. The credentials from the client machine are passed through automatically to the XenDesktop machine.

Requirements

  • Citrix Receiver for Windows 3.2 Enterprise Installation Package (CitrixReceiverEnterprise.exe), placed on a suitable network share accessible by the End User Devices.
  • icaclient.adm (located in the %SystemDrive%Program Files (x86)CitrixICA ClientConfiguration folder on any Windows PC on which Citrix Receiver for Windows is currently installed), added to a proper AD GPO that would be applied to the End User Devices.
  • CheckAndDeployCitrixReceiverEnterpriseStartupScript.bat located on the XenApp 6.5 installation DVD (%Install Media%Citrix Receiver and plug-insWindowsReceiverStarup_Logon_Scripts directory), edited to properly reflect the location and the version of CitrixReceiverEnterprise.exe installation package you wish to deploy.
  • Access to the Active Directory Group Policy Management console and Group Policy Editor. Note: CitrixReceiver.exe cannot be used for mass deployment because it requires Local Administrator privilege on the End User Device to install the SSON component. CitrixReceiverEnterprise.exe should be used because it installs SSON by default without requiring Local Administrator privilege on the End User Device.

Background

There are two different deployment scenarios to achieve Pass-Through Authentication for XenDesktop, when enterprise software deployment tools such Citrix Merchandising Server or Microsoft System Center Configuration Manager are not used:

  • Install Citrix Receiver manually and then configure it using Local Group Policy (importing icaclient.adm) on the various machines individually. This is recommended for very small environments. This option is not covered in this Citrix Knowledge Centre article. Refer to CTX131207 – How to Remove Storage Configured Under Host for this scenario.
  • Install Citrix Receiver using Active Directory Group Policy (for example, using CheckAndDeployCitrixReceiverEnterpriseStartupScript.bat which is included with XenApp). Configuration using icaclient.adm can then be applied using Active Directory Group Policy Management to large numbers of machines and centrally managed.

Note: Citrix strongly recommends that any steps outlined in this article are thoroughly tested and validated in non-production environments prior to use.

Procedures

  • Download and place CitrixReceiverEnterprise.exe on a suitable network share so that it can be accessed by the End User Devices.
  • Edit CheckAndDeployCitrixReceiverEnterpriseStartupScript.bat content to properly reflect the location and the version of CitrixReceiverEnterprise.exe.
  • Open the Active Directory Group Policy Management console. Choose a suitable existing GPO or create a new one to be applied to the End User Devices and open the Group Policy Editor.
  • Move to Computer Configuration > Windows Settings > Scripts (Startup/Shutdown).
  • Enter CheckAndDeployCitrixReceiverEnterpriseStartupScript.bat as a startup script.
  • Add icaclient.adm on the Group Policy Editor from Computer Configuration > Right Click on Administrative Templates > Choose Add/Remove Templates > Click Add, as displayed in the following screen shot:

  • Once icaclient.adm was successfully added, expand Computer Configuration > Administrative Templates > Classic Administrative Templates (ADM) > Citrix Components > Citrix Receiver > User authentication.
Note: Same icaclient.adm will be available on the User Configuration once icaclient.adm is added. This article is tested using icaclient.adm on the Computer Configuration only.
  • Choose Local user name password setting and configure the setting as Enabled, select Enable pass-through authentication, and click the Apply, as displayed in the following screen shot:

Note: Depending on the Web Interface configuration and security settings, you might have to select Allow pass-through authentication for all ICA for pass-through authentication to work.

  • Restart the End User Device for the changes to take effect.

To see the entire article and an example script go to the Citrix knowledgebase.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.