For the third time, I’ve been asked to implement SSO for Citrix Director. Citrix has an easy-to-follow article on how to do it: How to configure Integrated Windows Authentication with Citrix Director (CTX227835)
The first time I had to do it, the AD guy at the customer answered me “Are you crazy??? NO WAY!” a few minutes after I sent him the requirements given in this article.
The “annoying” part here is this one:
If you are used to AD security assessments, you know that this kind of Kerberos delegation (unconstrained delegation) should be avoided. Here is some information about it: Microsoft Defender for Identity unconstrained Kerberos identity security posture assessment | Microsoft Docs
Talking with the PM and DEV team at Citrix through the CTP program, I’ve been able to gather some information, and here is the result I now implement at my customers:
Instead of unconstrained delegation, the delegation is constrained to the HOST and HTTP services on all Delivery Controller servers. You also need to create the relevant SPNs (Service Principal Names):
- http/ALIAS
- http/FQDN_OF_ALL_DIRECTOR_SERVERS
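As an added example (my own script, not part of the Citrix article or of the original post), here is the PowerShell I would use to apply the configuration above and to verify it the way an AD security assessment would. It assumes the Director IIS application pool runs as the domain account `svc-director`, and the domain, alias, Director and Delivery Controller names are placeholders to replace with your own.

```powershell
# Added example, not from the original post or from CTX227835.
# Registers the Director SPNs, constrains delegation to HOST and HTTP on each
# Delivery Controller, and verifies that unconstrained delegation is NOT enabled.
Import-Module ActiveDirectory

$DirectorAccount     = 'svc-director'        # placeholder: account running the Director app pool
$DomainDns           = 'corp.example'        # placeholder: AD DNS domain name
$DirectorAlias       = 'director'            # placeholder: DNS alias users browse to
$DirectorServers     = @('dir01', 'dir02')   # placeholder: Director server host names
$DeliveryControllers = @('ddc01', 'ddc02')   # placeholder: Delivery Controller host names

# 1. SPNs on the Director service account: http/ALIAS and http/FQDN of every Director server.
#    setspn -S checks the forest for a duplicate before adding, so a duplicate SPN fails
#    loudly instead of silently breaking Kerberos for both accounts.
$spns = @("http/$DirectorAlias", "http/$DirectorAlias.$DomainDns")
foreach ($s in $DirectorServers) {
    $spns += "http/$s"
    $spns += "http/$s.$DomainDns"
}
foreach ($spn in $spns) {
    setspn -S $spn $DirectorAccount | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to register SPN $spn (duplicate?)" }
}

# 2. Constrained delegation: only HOST and HTTP on the Delivery Controllers,
#    in short and FQDN form (the same entries the ADUC "Add..." dialog writes).
$targets = foreach ($ddc in $DeliveryControllers) {
    foreach ($svc in 'HOST', 'HTTP') {
        "$svc/$ddc"
        "$svc/$ddc.$DomainDns"
    }
}
Set-ADUser -Identity $DirectorAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }

# "Use Kerberos only": no protocol transition, and explicitly clear the
# "trusted for delegation to any service" (unconstrained) flag.
Set-ADAccountControl -Identity $DirectorAccount `
    -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 3. Verify: the same properties an AD security assessment looks at.
$acct = Get-ADUser -Identity $DirectorAccount -Properties 'servicePrincipalName',
    'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'
[pscustomobject]@{
    Account                 = $acct.SamAccountName
    SPNs                    = $acct.servicePrincipalName -join ', '
    DelegationTargets       = $acct.'msDS-AllowedToDelegateTo' -join ', '
    UnconstrainedDelegation = $acct.TrustedForDelegation        # must be False
    ProtocolTransition      = $acct.TrustedToAuthForDelegation  # False = "Use Kerberos only"
}
```

Because the delegation is Kerberos-only (no protocol transition), the browser has to obtain a real Kerberos ticket for the `http/ALIAS` SPN; if it falls back to NTLM, Director will authenticate the user but the hop to the Delivery Controllers will fail, which is the first thing to check when SSO works in the UI but the Director data stays empty.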