Use this policy to control how the client uses Kerberos to authenticate the user to the remote application or desktop.
When enabled, this policy allows the client to authenticate the user using the Kerberos protocol. Kerberos is a Domain Controller authorised authentication transaction that avoids the need to transmit the real user credential data to the server.
When disabled, the client will not attempt Kerberos authentication.
Troubleshooting:
The machine running the client and the server running the remote application must be in domains that have a trust relationship. The Domain Controller must be aware that the Citrix XenApp server will be performing a full user logon (interactive logon) using Kerberos. This is configured using the "Trust for Delegated Authentication" settings on the Domain Controller.
When connecting using the Web Interface, the Web Interface server must be aware that the client will connect using Kerberos authentication. This is necessary because by default the Web Interface server will use an IP address for the destination server whereas Kerberos authentication requires a Fully Qualified Domain Name.
Both client and server machines must have correctly registered DNS entries. This is necessary because endpoints will authenticate each other during connection.
| Registry Hive | HKEY_CURRENT_USER |
| Registry Path | Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos |
| Value Name | SSPIEnabled |
| Value Type | REG_SZ |
| Enabled Value | true,false |
| Disabled Value | false |
| Registry Path | Value Name | Value Type | Value |
|---|---|---|---|
| Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials | SSOnUserSetting | REG_SZ | true,false |
| Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local Credentials | EnableSSOnThruICAFile | REG_SZ | true |