Citrix pass-through and NTLM

Citrix pass-through and NTLM

When using Citrix pass-through on the web interface with Kerberos authentication, everything seems to work very well at first.
But then you might discover that some of your applications running on the XenApp server depend on NTLM for authentication.
This is where the fun part starts, how do you disable Kerberos and only on the applications started from the XenApp server?
What worked for us in the lab is to change the local file c:Programs Files (x86)CitrixICA ClientWFClient.ini and change the line SSPIEnabled=On to SSPIEnabled=Off.
This will disable Kerberos and allow NTLM to work on the applications.
This requires no change to your Citrix client GPO settings or requires that you change the configuration on the web interface.
The change to the WFClient.ini file can be pushed out by a GPP (Group Policy Preference).
It looks like the logon at the web interface is then still using Kerberos but from there NTLM is used, but this still has to be investigated further and maybe someone out there can shed some light on the subject?
This has been tested on the Receiver version 3.2 and 3.3 against XenApp 6.5 Rollup 1 and web interface 5.4.

Table of Contents

Share this post
Search blog posts
Modern Workplace consultant and a Microsoft MVP in Enterprise Mobility.
Modern Workplace consultant and a Microsoft MVP in Windows and Devices for IT.

Infrastructure architect with focus on Modern Workplace and Microsoft 365 security.

Cloud & security specialist with focus on Microsoft backend products and cloud technologies.

Cloud & security specialist with focus on Microsoft 365.

Cloud & Security Specialist, with a passion for all things Cybersecurity

Cloud and infrastructure security specialist with background in networking.

Infrastructure architect with focus on design, implementation, migration and consolidation.

Infrastructure consultant with focus on cloud solutions in Office365 and Azure.

follow us in feedly

Follow on SoMe