Passthrough authentication is the the process in which user credentials are passed via web interface running on a Windows server with IIS installed, so the user doesn’t get challenged to enter his/her credentials twice to be authenticated to a Citrix published desktop or published application
This is a really simplistic high level explanation of Passthrough. If you really want to know the nitty- griddy details and a core explanation,
Nichollas Dillie has an outstanding article explaining Passthrough authentication in details
There are five important components that need to be configured or exist in order to Passthrough authentication to work properly:
1. Citrix Web Interface Management Console (WIMC) (inside of a Citrix Web Interface Server)
2. ADM template (on the Windows end point device or client)
3. ICA client with the correct code to manage Passthrough authentication
4. ICA and RDP listener
5. IIS Windows Authentication
Explaining the five components:
1. The WIMC must be configured to use the Passthrough Authentication Method. Note this picture where the Authentication Methods option is available on the right side of the screen
2. The ADM template is part of the ICA client and needs to be configured in order for passthrough authentication: to work. You need to open MMC on the client workstation where the ICA client is installed and load the ADM template. Once opened you need to enable the option Local Username and Password (Details here: under the “Procedure” section from Bullets 7 to 11)
3. Not all Citrix Windows ICA clients support Passthrough authentication. Make sure you use the Enterprise Edition of Citrix Receiver AKA the Citrix Receiver PNA Legacy Plugin. The executable filename should say citrixreceiverenterprise.exe; As of March 2013, the latest version is 3.4. Other types might work but you might need to install using the command line switch that contains the switch /includeSSON (See Citrix E-Docs )
4. The ICA listener and the RDP listener
Even if you configured the three previous components correctly, you still need to make sure the option to “Prompt for Password” is NOT checked on the ICA listener and also on the RDP listener. Both listeners are located under the Administrative Tools – RDS – Remote Desktop Session Host Configuration option (located on Xenapp servers hosted on 2008 R2 servers)
5. IIS Windows Authentication
If you installed the Web interface component on a server correctly, this should already be configured, but always ensure that the Web Server > Security > Windows Authentication role service is enabled for the Web Server (IIS) role (E-Docs) here is a screenshot of the IIS Role and features you need to be aware:
Finally. always make sure that the process ssonsvr.exe or ssonsrv32.exe is running on the client, otherwise, Passthrough authentication won’t work.
And here is a final tip. Sometimes the Network provider order might prevent the process to load. You can check under the Network properties of the NIC on the top menu Advanced – Advanced Settings- Provider Order to make sure Single SignOn is closer to the top, not all the way to the botton; Also check this registry key for the Network Provider order to make sure it is closer to the top as well:
Change the order of the items in the following registry keys:
HKLM\System\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder and HKLM\System\CurrentControlSet\Control\NetworkProvider\HWOrder\ProviderOrder
Example: If something like this: RDPNP,LanmanWorkstation,WebClient,IntelNetProvCredMan, PnSson
Change it to this: RDPNP,LanmanWorkstation,WebClient,PnSson,IntelNetProvCredMan
Good discussion here
I hope this helps!
