To use the Fast Connect API you must first configure your site appropriately, including setting up SSO:
- If you are using StoreFront, enable the HTTP Basic authentication method as follows:
- Install Citrix Receiver for Windows 4.2 or later using the
By default, user credentials are captured at Windows session logon. This may not always be desirable, especially in off-domain pass-through scenarios; to disable logon credential capture, use the
receiver.admxfiles and then open
gpedit.msc. This will make the Group Policy templates appear within the gpedit.msc GUI.
- For information on importing Citrix Receiver for Windows Group Policy administrative template for Citrix Receiver for Windows Version 4.5, see Citrix Product Documentation.
- For information on importing Citrix Receiver for Windows Group Policy administrative template for Citrix Receiver for Windows Version 4.6, see Citrix Product Documentation.
5. Navigate to the administrative templates folder and then select Citrix Components > Citrix Receiver > User authentication.
6. Select the GPO policy Kerberos authentication, double-click it, and then disable it.
The order in which you configure policies is important. You must disable Kerberos authentication before configuring the Local user name and password policy as described in step 6.
7. To allow SSO functionality, locate the GPO policy Local user name and password, double-click it, and then enable the following options:
- Enable pass-through authentication
- Allow pass-through authentication for all ICA connections
8. Navigate to the administrative templates folder and then select Citrix Components > Citrix Receiver > Fast Connect API Support
9. To allow Fast Connect functionality, locate the GPO policy Manage FastConnectAPI support, double-click it, and then enable the following options:
- Enable the GPO
- Enable Fast Connect API Functionality Disable Leave Apps Running On
- Enable Integrate Self Service Plugin with FastConnect
10. Optionally, in the administrative templates folder, select Citrix Components > Citrix Receiver > SelfService > Manage App shortcut:
- Startmenu Directory = Citrix
- Desktop Directory = Citrix
- Disable Startmenu Shortcut = False (clear checkbox)
- Enable Desktop Shortcut = True (select checkbox )
- Disable Categorypath = True (select checkbox to use StoreFront categories in the Start menu)
- RemoveAppsOnLogoff = True (select checkbox)
- Clear the set of applications shown in the Receiver Windows on log off = True (select checkbox)
- Prevent Receiver performing a refresh of the application list when opened = True (select checkbox)
- Ignore self service selection of apps and make all mandatory = False (clear checkbox), but True (select checkbox) if you are using Web Interface
11. Optionally, select SelfService > Control when Receiver attempts to reconnect to existing sessions:
- Enable the policy
- Choose the appropriate combination of reconnect conditions
12 Optionally, select SelfService > Enable application Prelaunch. Enable this policy to disable prelaunch.
13. If you are using StoreFront, add the FQDN of the XenDesktop Controller to the intranet zone: You can set this through Group Policy:
- Select Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page
- Select Site to Zone Assignment List, enable it, then add the FQDN of the XenDesktop Controller as a zone assignment with a value of 1. For more details, see http://blogs.msdn.com/b/askie/archive/2012/06/05/how-to-configure-internet-explorer- security-zone-sites-using-group-polices.aspx
14. On the command line, rungpupdate/forceto apply these settings.
15 Start Citrix Receiver from the Start menu.
16. When you are prompted for an account, specify the URL for your StoreFront Services Site, StoreFront XenApp Services Site, or Web Interface XenApp Services Site.
A StoreFront URL looks like this: https://SMBSZ-XENAPPS1.xa.local/Citrix/Store/discovery
A Web Interface URL looks like this: https://SMBSZXENAPPS1.xa.local/Citrix/PNAgent/config.xml
If you require an http (unsecure) URL, first perform step 13 above before re-attempting this step.
17. If you are using a HTTP site, set the following registry key to allow HTTP traffic for Citrix Receiver:
- On 64-bit Windows:
HKLM\SOFTWARE\Wow6432Node\Citrix\Authmanager Name: ConnectionSecurityMode Type: REG_SZ Data: Any
- On 32-bit Windows:
HKLM\SOFTWARE\Citrix\AuthManager Name: ConnectionSecurityMode Type: REG_SZ Data: Any
18. Restart Citrix Receiver.
19. If you are using StoreFront, create the following registry keys and values on the endpoint(s) to allow HTTP Basic authentication, which is needed for SSO:
- On 64-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\AuthManager\Protocols \httpbasic Name: Enabled Type: REG_SZ Data: True
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\AuthManager Name: ProtocolOrder Type: REG_MULTI_SZ Value: httpbasic
- On 32-bit Windows:
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\AuthManager\Protocols\httpbasic Name: Enabled Type: REG_SZ Data: True
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\AuthManager Name: ProtocolOrder Type: REG_MULTI_SZ Data: httpbasic
20. To get the store accepted, log on as any user and restart the endpoint.
21. When the endpoint restarts, verify that the SSO functionality is enabled by running ssonsvr.exe, as described at http://support.citrix.com/article/CTX133855
22. You can now inject a user name and password into the SSO functionality by interacting with the Fast Connect API, using the LogonSsoUser() function described later in this document.
23. If you would like the Self-Service Plug-in UI to automatically log on and log off in response to the Fast Connect LogonSSOUser and LogoffSSOUser library calls and thereby update the user’s icons, enable the policy “Integrate Self Service Plugin with FastConnect” described in step 8.
Alternatively, you can manually update the UI and desktop icons following these calls by using the following sequence:
SelfService.exe –ipoll // Refreshes the SSP GUI
24. Start Receiver from the Start menu. The injected user will be logged on to Receiver.
All the user’s applications then appear for the first time on the desktop, the Start menu, and within the SSP GUI.
25. To inject further user credentials into Receiver through Fast Connect, repeat Step 15. Receiver on the endpoint is now set up for SSO and Fast Connect API use.