Citrix pass-through and NTLM

Citrix pass-through and NTLM

When using Citrix pass-through on the web interface with Kerberos authentication, everything seems to work very well at first.
But then you might discover that some of your applications running on the XenApp server depend on NTLM for authentication.
This is where the fun part starts, how do you disable Kerberos and only on the applications started from the XenApp server?
What worked for us in the lab is to change the local file c:Programs Files (x86)CitrixICA ClientWFClient.ini and change the line SSPIEnabled=On to SSPIEnabled=Off.
This will disable Kerberos and allow NTLM to work on the applications.
This requires no change to your Citrix client GPO settings or requires that you change the configuration on the web interface.
The change to the WFClient.ini file can be pushed out by a GPP (Group Policy Preference).
It looks like the logon at the web interface is then still using Kerberos but from there NTLM is used, but this still has to be investigated further and maybe someone out there can shed some light on the subject?
This has been tested on the Receiver version 3.2 and 3.3 against XenApp 6.5 Rollup 1 and web interface 5.4.
image

Table of Contents

Share this post
Search blog posts
Authors
Modern Workplace consultant and a Microsoft MVP in Enterprise Mobility.
Modern Workplace consultant and a Microsoft MVP in Windows and Devices for IT.

Infrastructure architect with focus on Windows Client management & security.

Cloud & security specialist with focus on Microsoft backend products and cloud technologies.

Infrastructure architect with focus on design, implementation, migration and consolidation.

Infrastructure consultant with focus on cloud solutions in Office365 and Azure.

follow us in feedly
Categories

Follow on SoMe