How to: Troubleshoot pass-through authentication to Web Interface

This article defines troubleshooting steps for a failure in pass-through authentication. Symptoms include getting prompted for credentials at the Web Interface logon and also getting a logon screen when you attempt to launch a published application.


Complete the following steps to troubleshoot pass-through authentication to Web Interface:

  • Verify that SSONSVR.EXE is running on the client machine. If Receiver was installed with the ENABLE_SSON=Yes command line switch, the computer must be rebooted after the installation; otherwise this process does not load. If this process is not running for any reason, pass-through authentication will not work.

How to deploy Citrix Receiver Enterprise 3.2 for pass-through authentication using AD GPO

This article describes how to deploy and configure CitrixReceiverEnterprise.exe so that it can be used in pass-through authentication mode in a XenDesktop deployment. It also provides a detailed step-by-step guide to deploying and configuring CitrixReceiverEnterprise.exe on a large number of End User Devices using an Active Directory Group Policy Object.

When Receiver is successfully installed and configured, users can access their XenDesktop resources without entering their credentials again. The credentials from the client machine are passed through automatically to the XenDesktop machine.


  • Citrix Receiver for Windows 3.2 Enterprise Installation Package (CitrixReceiverEnterprise.exe), placed on a suitable network share accessible by the End User Devices.
  • icaclient.adm (located in the %SystemDrive%\Program Files (x86)\Citrix\ICA Client\Configuration folder on any Windows PC on which Citrix Receiver for Windows is currently installed), added to a proper AD GPO that would be applied to the End User Devices.
  • CheckAndDeployCitrixReceiverEnterpriseStartupScript.bat located on the XenApp 6.5 installation DVD (%Install Media%\Citrix Receiver and plug-ins\Windows\Receiver\Starup_Logon_Scripts directory), edited to properly reflect the location and the version of CitrixReceiverEnterprise.exe installation package you wish to deploy.

Why is synced time essential for Active Directory?

Windows AD needs timestamps for resolving AD replication conflicts and for Kerberos authentication. Kerberos uses them to protect against replay attacks—where an authentication packet is intercepted on the network and then resent later to authenticate on the original sender’s behalf.