Policy
Kerberos authentication
Use this policy to control how the client uses Kerberos to authenticate the user to the remote application or desktop. When enabled, this policy allows the client to authenticate the user using the Kerberos protocol. Kerberos is a Domain Controller authorised authentication transaction that avoids the need to transmit the real user credential data to the server. When disabled, the client will not attempt Kerberos authentication. Troubleshooting: The machine running the client and the server running the remote application must be in domains that have a trust relationship. The Domain Controller must be aware that the Citrix XenApp server will be performing a full user logon (interactive logon) using Kerberos. This is configured using the "Trust for Delegated Authentication" settings on the Domain Controller. When connecting using the Web Interface, the Web Interface server must be aware that the client will connect using Kerberos authentication. This is necessary because by default the Web Interface server will use an IP address for the destination server whereas Kerberos authentication requires a Fully Qualified Domain Name. Both client and server machines must have correctly registered DNS entries. This is necessary because endpoints will authenticate each other during connection.
f26123fac6c2 Policy_KerberosLockdown_1 Registry
Copy registry mappings
HKLM\Software\Citrix\ICA Client\SSPIEnabled (enabled) = 1HKLM\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos\SSPIEnabled (enabled) = true,false
HKLM\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos\SSPIEnabled (disabled) = HKCU\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos\SSPIEnabled (enabled) = true,false
HKCU\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos\SSPIEnabled (disabled) = HKLM\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials\EnableSSOnThruICAFile (enabled) = HKCU\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials\EnableSSOnThruICAFile (enabled) = HKLM\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials\SSOnUserSetting (enabled) = true,falseHKCU\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials\SSOnUserSetting (enabled) = true,falsePolicy notes
Use this policy to control how the client uses Kerberos to authenticate the user to the remote application or desktop. When enabled, this policy allows the client to authenticate the user using the Kerberos protocol. Kerberos is a Domain Controller authorised authentication transaction that avoids the need to transmit the real user credential data to the server. When disabled, the client will not attempt Kerberos authentication. Troubleshooting: The machine running the client and the server running the remote application must be in domains that have a trust relationship. The Domain Controller must be aware that the Citrix XenApp server will be performing a full user logon (interactive logon) using Kerberos. This is configured using the "Trust for Delegated Authentication" settings on the Domain Controller. When connecting using the Web Interface, the Web Interface server must be aware that the client will connect using Kerberos authentication. This is necessary because by default the Web Interface server will use an IP address for the destination server whereas Kerberos authentication requires a Fully Qualified Domain Name. Both client and server machines must have correctly registered DNS entries. This is necessary because endpoints will authenticate each other during connection.