Citrix Federated Authentication Service Integration with APM
Hello,
Very helpful article. When I found this I saw that I had clearly overthought how to leverage APM in front of StoreFront with FAS. This, however, made me look more into how you can get SSO to work "without" a password prompt, also in replacement mode.
It is possible!
1: Configure StoreFront to allow Domain Pass-through on the store.
2: Add the group or users to each VDA's local (!) security group "Direct Access Users".
3: On a domain-joined PC, install Citrix Receiver with the /includeSSOn argument to install the SSO service. This actually caches the credentials a user types in at login.
On the domain-joined PC, add the address of your VS to the Trusted Sites list of Internet Explorer. Receiver uses this zone to decide whether it should try a pass-through authentication or not.
4: On BIG-IP, check that your VPE ends with your sAMAccountName in the session.logon.last.username variable and that you get a full WebTop with a Citrix Remote Desktop resource.
Check that your Citrix Remote Desktop resource has SSO enabled and set to SmartCard!
This is quite interesting: since you've configured your broker to trust XML requests, it doesn't validate the credentials at this point and enumerates the Citrix resources.
Also, here you instruct the Receiver client to perform pass-through authentication by adding the following lines to the custom parameters:
SSOnUserSetting=On
EnableSSOnThruICAFile=On
UseLocalUserAndPassword=On
ConnectionBar=1
ShowDesktopViewer=On
Conclusion: If you have a domain-joined PC, you can leverage any authentication protocol on the client side, as long as you can figure out the sAMAccountName, and still SSO into Citrix resources in WebTop replacement mode.
PS: This has nothing to do with FAS :)
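The client- and VDA-side parts of the procedure described in the comment above (steps 2 and 3), as an added PowerShell example that is not code from the commenter, Citrix or F5. The APM virtual server FQDN (apm.example.com), the domain group (CONTOSO\Citrix-SSO-Users) and the installer path (C:\Temp\CitrixReceiver.exe) are hypothetical placeholders; "Direct Access Users" is the local group the Citrix VDA installer creates, and ssonsvr.exe is the Receiver single sign-on service that /includeSSOn installs.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
# Hypothetical values: replace with your APM virtual server, group and installer.
$ApmFqdn   = 'apm.example.com'             # APM virtual server the Receiver talks to
$SsoGroup  = 'CONTOSO\Citrix-SSO-Users'    # domain group allowed to use pass-through
$Installer = 'C:\Temp\CitrixReceiver.exe'  # Receiver installer

# Step 2, on each VDA: allow the group to use pass-through on this machine.
# The local group must contain the users; domain membership alone is not enough.
function Grant-DirectAccess {
    param([string]$Member)
    $present = Get-LocalGroupMember -Group 'Direct Access Users' -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq $Member }
    if (-not $present) {
        Add-LocalGroupMember -Group 'Direct Access Users' -Member $Member
    }
}

# Step 3a, on the domain-joined client: install Receiver with the SSO service.
# /includeSSOn installs ssonsvr.exe, which caches the interactive logon credentials.
function Install-ReceiverWithSSOn {
    param([string]$Path)
    Start-Process -FilePath $Path -ArgumentList '/silent', '/includeSSOn' -Wait
}

# Step 3b, on the client: put the APM VS into IE's Trusted Sites zone (zone id 2).
# Receiver only attempts pass-through for sites in that zone. This writes the
# per-user ZoneMap; if the zone map is enforced machine-wide by policy, write the
# same keys under HKLM instead.
function Add-TrustedSite {
    param([string]$Fqdn)
    $labels = $Fqdn.Split('.')
    $domain = $labels[-2..-1] -join '.'          # e.g. example.com
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$domain"
    if ($labels.Length -gt 2) {                  # e.g. apm  (sub-key under the domain)
        $hostLabel = $labels[0..($labels.Length - 3)] -join '.'
        $key = Join-Path $key $hostLabel
    }
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name 'https' -Value 2 -PropertyType DWord -Force | Out-Null
}

# Verification on the client: SSO service running and the VS mapped to zone 2.
# Returns $true only when both conditions hold.
function Test-PassThroughReady {
    param([string]$Fqdn)
    $svcRunning = $null -ne (Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)
    $labels = $Fqdn.Split('.')
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\" +
           ($labels[-2..-1] -join '.')
    if ($labels.Length -gt 2) { $key = Join-Path $key ($labels[0..($labels.Length - 3)] -join '.') }
    $zone = (Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue).https
    if (-not $svcRunning) { Write-Warning 'ssonsvr.exe is not running; reinstall with /includeSSOn' }
    if ($zone -ne 2)      { Write-Warning "$Fqdn is not in the Trusted Sites zone (found: $zone)" }
    return ($svcRunning -and $zone -eq 2)
}

# Usage: run Grant-DirectAccess on every VDA, the rest on the domain-joined client.
# Grant-DirectAccess -Member $SsoGroup
# Install-ReceiverWithSSOn -Path $Installer
# Add-TrustedSite -Fqdn $ApmFqdn
# Test-PassThroughReady -Fqdn $ApmFqdn
```

The BIG-IP side (the custom parameters SSOnUserSetting=On, EnableSSOnThruICAFile=On and UseLocalUserAndPassword=On on the Citrix Remote Desktop resource) is configured in the APM GUI as the comment describes; this script only prepares the endpoints so that a Receiver launched from the WebTop finds a running SSO service and a trusted site, which is what triggers the pass-through attempt.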