Sydney XenApp Projects: Single Sign-on using XenApp Services

Storefront Support for XenApp Services

At Peninsula IT Services in Sydney we have observed that over the years many companies have trained their staff to leverage the Citrix Program Neighborhood functionality.  By this, we mean where users XenApp application icons will appear by right-clicking the Citrix icon in the system tray on a Windows PC.  To make it seamless, pass-through authentication from the users Windows session is often used.  While Citrix has tried to retire this functionality for several years, many customers still use it at large scale (eg, healthcare) and don’t see a great need to change to the Citrix Receiver look and feel.  As a result, there are lots of systems out there using very old versions of the Citrix online plugin, or they are stuck on Citrix Receiver Enterprise 3.4 which supports the old right-click method.  Citrix Storefront provides the backend compatibility via the “XenApp Services Support” option which essentially publishes the Citrix farm configuration in the original PNAgent formatted config.xml file.

On a recent engagement by our Citrix Technology Consulting services practice with a large public utility, our customer was relying on the PNAgent functionality and had been trying to fix a broken Citrix Storefront server for several days, with help via phone from the team at Citrix technical support.  The main problem was that they could not get the Single Sign On working with Citrix Receiver Enterprise 3.4 . After several days of troubleshooting, the advice from Citrix was to upgrade to the latest Receiver client.  At Peninsula IT, we generally recommend sticking with the latest stable release versions, however in this customers case, upgrading the client on thousands of PC’s and changing the workflow of thousands of staff in response to a server outage was more disruption than they wanted at a critical time for their business.

Case sensitive Storefront configuration

On arrival at our customers site, we were able to quickly verify that the Storefront was generally working ok with the exception of single signon.  “Domain pass-through” was enabled as an authentication Storefront console.

We tried several configurations including hard coding the LogonMethod attribute in the configuration of the XenApp Services site provided by Storefront. Documentation of this attribute is not clear, as many websites (including the Citrix documentation) have conflicting guidance. The configuration file that we edited was located at C:\inetpub\wwwroot\Citrix\<StoreName>\PNAgent\web.config.

It’s important to note that the LogonMethod attribute in the C:\inetpub\wwwroot\Citrix\<StoreName>\PNAgent\web.config file is Case Sensitive.  Find the attribute in the web.config file and make sure it looks like this:

 

<LogonMethod>sson</LogonMethod>

For this customer, once the attribute was set to “sson” (lower case), the single sign-on began working as expected for all users in the business.  That’s it!  Needless to say, our customer was very happy!