How to: Troubleshoot pass-through authentication to Web Interface

This article defines troubleshooting steps for a failure in pass-through authentication. Symptoms include getting prompted for credentials at the Web Interface logon and also getting a logon screen when you attempt to launch a published application.


Complete the following steps to troubleshoot pass-through authentication to Web Interface:

  • Verify that SSONSVR.EXE is running on the client machine. If Receiver was installed with the ENABLE_SSON=Yes command line switch, then the computer must be rebooted after the installation if not this process does not load. If this process is not running for any reason, pass-through authentication will not work.
  • Verify that the Citrix Receiver group policy allowing pass-through authentication has been applied to the workstation. This can be done either through Group Policy Management Console or through a Local Policy. The template for this group policy setting can be found in the following location on any workstation with Receiver installed:

C:Program FilesCitrixICA ClientConfigurationicaclient.adm

Once it is added to the Administrative Templates, browse to Computer Configuration > Administrative Templates > Citrix Components > Citrix Receiver > User Authentication and find the Local user name and password option. Double click and set it to Enabled. You must have Enable pass-through authentication and Allow pass-through authentication for all ICA connections enabled:

  • Verify on the XenApp servers that the RDP listener is set to not prompt for passwords. Open Server Manager and expand Roles > Remote Desktop Services. Click on RD Session Host Configuration. Double-click the RDP-TCP connection and check the Log on Settings tab. Ensure the Always prompt for password checkbox is unchecked.
  • Verify in the Web Interface Management Console that the site connecting to is configured for pass-through authentication. Right-click on your site and select Authentication Methods. Pass-through option must be checked here. If the connection is made to a PNAgent site, check any Services Sites as well as Web Sites. For Services Sites, verify that pass-through is set to the default authentication method.
  • Add your Web Interface site to the list of Trusted Sites in Internet Explorer.
  • In Internet Explorer, click Internet Options and navigate to the Security tab. Highlight the Trusted Sites Zone and click Custom level. Navigate to the end of the Security Settings window to User Authentication > Logon and set it to Automatic logon with current user name and password.

Read more here at the Citrix knowledgebase.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.