Citrix Receiver 4 with Domain Pass-Through


Citrix Receiver 4 with Domain Pass-Through

I have gotten a lot of questions from my customers which I provide free support to through my membership sites xenapptraining and appv5training.

What happened to Citrix Receiver Enterprise 4? Well, there isn’t one according to Citrix, and that’s probably the reason why you find the 3.4 Enterprise version on the XenDesktop 7 media.

Tweet about Citrix Receiver 4

So how do you install Citrix Receiver 4 for Pass-Through authentication? Well, you don’t, it’s enabled by default when you install the VDA and check to install Receiver. That being said, you still need to configure it. Here’s how you do it:

When you create a Delivery Group in Citrix Studio you can define your Store so that the Virtual Desktop Agent (VDA) automatically configures Citrix Receiver on the client-side (Windows Desktop or Server OS). Just add your Store URL and put /discovery at the end.

Out of the box, the user must click the + sign to add their applications. If you want applications to be added automatically you just set the Description to KEYWORDS:Auto.

It’s also required to enable Domain Pass-Through on your StoreFront server.

Citrix Receiver 4 with Domain Pass-Trough 05

Add the StoreFront URL to Trusted Sites or Local Intranet. I’m using a global Group Policy – Zone Assignment List with *://*.ctxlab.local in my lab, so it’s set and forget.

And finally, you need to create a Group Policy that has the following settings:

And that’s it. When the users start Citrix Receiver they’ll not get the screenshot at the top of this post, but taken directly to the Store with the applications automatically added.

Citrix Receiver 4 doesn’t place the Receiver shortcut in the startup folder, so if you want it to auto start you need to copy the shortcut to C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Note: Domain Pass-Through only works with Citrix Receiver 4 and not with the Citrix Receiver for Web client.

If you still haven’t check out my new Free Citrix XenDesktop 7 Boot Camp you should do it RIGHT NOW!

Update: Bulletproof Guide to Citrix Receiver Start Menu Integration.


Automation Framework Community Edition

The fastest way to build your lab environment.

Virtual Expo

Friday 30th of September 2022

54 thoughts on “Citrix Receiver 4 with Domain Pass-Through”

  1. When doing this for Xenapp and storefront can you think of any reason why a user would see this?

    I expect the user to see your first screenshot of the enter in email or website as xenapp users dont use VDA. However my screenshot i dont understand. It looks like StoreFront is requesting authentication. After that authentication then pass through works as expected.

  2. So basically, the environment I have crafted of over the past 10 years with a tightly controlled desktop for my users is now pissed away?

    I do not need nor want StoreFront. What I do need is a controlled way for my users to go to their Desktop and click the programs I give them without jumping through Hoops.

    If this is the future for Citrix, it is time to start looking at other vendors. 2X comes to mind.

    • Not at all, you’re free to use it as you please. But if you want to go with XenDesktop 7 there’s only support for StoreFront and Netscaler Gateway for remote access. If your environment works, stick to it.

    • This is one of the many reasons we have decided to drop our 250+ TC devices and put managed PCs on user’s desktops this year.

      The cost of their purchase and ease of management is a heck of a lot better these days and at least you can support them easier instead of having to duck and dive through continuing stability issues.

      Sure, you are convinced that you save your money at the start but after spending 10 years of supporting this type of environment we have spent more if anything with constant fixing, updating and relying on the support of poorly trained partners … these guys weren’t cheap in the first place.

  3. I’m trying to get this passthrough working since days.
    I did exactly what you write in your blog, but it still dont work, I get the same login mask as Jason told before.
    A friend of mine has the same behavior in his environment.

    What have we missed?

    • Hi, I had the same problem. The Point can be, that every storefront Storage support only one Authentication method. So by default, the first created Store will be for “prompt”. So if you like to have “passthrough” you have to create a second store eg. “Store2”.
      But that is not all.
      Now you have to use powershell and change the authentication method of this store2 to “sson”.
      We checked it with Receiver EE 3.4 and there you can see if you change the Url at the receiver to https://storefront.domain/citrix/store2/PNAGent/config.xml the Receiver change the Method from “prompt” to “passthrough”
      It was the best method to know is pasthrough from Storefront accepted or not.

  4. Hi,

    i have configured sso and the sso-process works well but when i klick on an appliaktion i got a message the app can´t start because is temporary not availabel.

    i activate logging in the receiver but i can´t see what´s wrong.

    Any idears

    Cheers Mario

        • start C:\Program Files\Citrix\Broker\Snapin\v2\AdminSDK
          @ your Broker.
          Check the value TrustRequestsSentToTheXmlServicePort with get-broker-site.If its “False” you can change the value with command
          set-brokersite -TrustRequestsSentToTheXmlServicePort $true

          hope it will help you 😉

  5. Hi

    Nice article!

    Is there anyway of suppressing the selfservice screen? On my install of Receiver it adds selfservice.exe -ShowAppPicker in the startup folder, I have tried this with the -logon switch but with no luck. Basically I want the users to logon and have all apps populated in the start menu with out having to use the selfserive. This is all working great apart from the selfservice windows appearing.


    • Carl, did you ever find an answer to this? Just installed Receiver 4.1 on two XenApp 6.5 servers that only publish a desktop to the users. When you login, the folder under All Programs that the published apps should appear isn’t there. If you look in the notification area and right-click on receiver, it hasn’t logged on. Click login and passthrough works fine, but who wants their users to have to go click somewhere just to see their list of apps?

      • I replaced -ShowAppPicker with -poll to get this working. It will now logon, without showing the window. Tried using the -logon parameter, didn’t seem to do anything.

  6. For the most part, this new environment works for us. However, I have a few desktops where I want to continue having the “prompt user” setting to accomodate multiple user logins. How can I change the settings to not use “pass-through” authentication for these few computers? Thanks.

  7. Hi,
    I’ve been struggling with Smartcard pass-through since last one month and even after doing everything right, it’s prompting for PIN prompt at the application launch screen but the passthru works if I enable kerberos in the XA server and in the AD. But my customer is saying that in his case PIN passthru is working without Kerberos. Due to security reason customer is not willing to share any details.

    Here is my scenario in brief.

    – At first, login into Xendesktop using smartcard, set as prompt for PIN.
    – Once I provide the PIN, login to XD56 is successful
    – Now I launch my VDA (Win7 VM)
    – launch my Citrix receiver (3.4) – connection to my XA65 server (set as passthru smartcard as Auth method in the server)
    – It prompts for the PIN as soon as VDA gets launched.
    – Once I provide the PIN, I can get all my published app showing up on the desktop
    – Now I click on any one app, say -Word.
    – It prompts for PIN again.

    Everything works if I enable kerberos as I mentioned before.

    Please help!


    • Hard to fix if you cannot get details! If it works with Kerberos and not without, that’s your answer. Unless the smartcard vendor have detailed information on how to get it working with XA without Kerberos.

  8. What are the pros and cons of just going through the storefront url on Windows 7 embeded thin clients as opposed to installing the receiver for windows?

  9. Hi, this is a great post and im trying it that out.
    I had configured on Xendesktop studio, and now pending on trusted site and GPO.
    Trusted site i believe should be set for the VDI, how about the GPO? How do i create a GPO for the VDI’s Citrix receiver?

  10. Hi,
    I’m just working around with auto-add application to receiver as described by you:
    Out of the box the user must click the + sign to add their applications. If you want applications to be added automatically you just set the Description to KEYWORDS=Auto.
    Where can I set this setting? I’m using XenApp 6.5, StoreFront 2.0 and Receiver 4

    Thanks in advance.


  11. Does anybody know if it’s possible to use the new Receiver 4.x as “PNA” even though it doesn’t provide Receiver Enterprise functionality? It feels wrong to use “old” Receiver versions when building new solutions, and there’s often a need for “ICA-in-ICA” with automatic publishing of icons etc. Any tips would be much appreciated.

  12. Is there a way to display Published Desktops automatically in the Receiver client? Applications have the Description field, but Desktops do not.

    • Try this KEYWORDS:TreatAsApp Auto

      From eDocs : By default, shared XenApp server desktops are treated like other virtual desktops by Receiver for Web. To change this behavior, append the string KEYWORDS:TreatAsApp to the desktop description. The desktop is displayed in the application view rather than the desktop view and users must subscribe to the desktop before they can access it. In addition, the desktop is not automatically started when the user logs on to the site and is not accessed with the Desktop Viewer, even if Receiver for Web is configured to do this for other desktops.

      • Thank you, works a treat. Also Desktops do have a Description field, I was just missing it. It’s in the End User Settings tab.

  13. The Storefront site needs to be in the Intranet site for pass through to work – at least it did in my test environment.

  14. have you ever seen Citrix Reciever 4 going slow on Windows 7 x64 bit, connecting to a PS4 farm?

      • Here is the fix / work-around for the screen freezing and refresh / latency issue against PS4. I understand it also affects XenApp for UNIX back-ends.

        Any receiver version 3.4 (AKA 13.4) or later requires this registry change to work against PS4.

        Go to RegEdit and locate
        a. X86 HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Seamless Windows\
        b. X64 HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Virtual Channels\Seamless Windows\
        Set DeferredUpdateMode to False (this is case sensitive)

  15. I am running Windows 8.1 and Receiver 3.4 Ent doesn’t run so well so how would you configure this to point to a Web Interface site and not a Storefront? I would like it to not use HTTPS right now and I would like the receiver to configure the list of DDCs so the user doesn’t need to enter anything. I know this is a little off topic. Thanks.

    • I have not tested this scenario, but will look into it. Normally you point to your StoreFront, if you have multiple DDCs with Storefront, it would be best to configure a FQDN poiting to a Load Balancer address on Netscaler. Web Interface is not supported for XenDesktop 7.x

  16. I’m trying to get this passthrough working since days.
    I did exactly what you write in your blog, but it still dont work, I get the same login mask as Jason told before.
    A friend of mine has the same behavior in his environment.

    What have we missed?

  17. Does anybody know if it’s potential to use the new Receiver 4.x as “PNA” even supposing it doesn’t offer Receiver Enterprise functionality?

  18. Unable to launch as the application is not currently available. Everything works great through web, but not through Citrix Receiver.

    Open PowerShell on your Desktop Delivery Controllers and run these commands:

    Add-PSSnapin citrix*
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True

    • What does this do exactly? The “TrustRequestsSentToTheXmlServicePort”?

      I have 2 DDC’s. One for US and one for EU. The US site seemed to have no issues. However I have come across this issue on my site in EU. Sometimes the apps would work in Receiver and sometimes they didn’t. One day a user would be fine and the next day the same user would get the “apps not available” error. It seemed to always work through the web as you all have described.

      So I just ran Get-BrokerSite and noticed that the “TrustRequestsSentToTheXmlServicePort” is set to “False” on the EU DDC. I have no issue setting it to true, but would like to get more information. Also is this a setting that should be “True” by default?


      • I’m setting the value as True for all my implementations. Here’s a summary from eDocs.

        “Configuring an XML Trusts policy specifies whether the Citrix XML Service should trust requests that it receives. Before enabling this rule, avoid security risks by using IPSec, firewalls, or another technology that ensures that only trusted services communicate with the Citrix XML Service. When you configure XML trusts, establish firewall rules in Desktop Studio to allow only trusted Web Interface servers to connect to it. After you establish your firewall rules, you then enable XML trusts by using a PowerShell command.”

  19. Thanks for sharing. However, I don’t believe this is valid anymore for storefront 2.5 and XenDesktop 7.5 as the configuration options have changed for specifying receiver address during store creation.

  20. Hi

    We have two different environments that are independent for some reasons. Is there a possibility to use sso with citrix receiver with Both Environments? maybe the user has a desktop icon and with this he chose which environment he wants to open?

    Thanks in advance.


Leave a Comment