How to (correctly) implement SSO for Citrix Director?

For the third time, I’ve been asked to implement SSO for Citrix Director. Citrix has a simple article on how to implement it: How to configure Integrated Windows Authentication with Citrix Director (CTX227835)

The first time I had to do it, the AD guy at the customer replied: “Are you crazy??? NO WAY!” a few minutes after I sent the requirements given in this article.

The “annoying” part here is this one:

Enable delegation on the Active Directory for the server on which Director is installed

If you are used to AD security assessments, you know that this kind of Kerberos delegation should be avoided. Here is some information about it: Microsoft Defender for Identity unconstrained Kerberos identity security posture assessment | Microsoft Docs

Talking with the PM and DEV team at Citrix through the CTP program, I was able to gather some information, and here is the result I implement at my customers:

The services I’m adding are both HOST and HTTP on all Delivery Controller servers. You also need to create the relevant SPNs (Service Principal Names):

  • http/ALIAS
  • http/FQDN_OF_ALL_DIRECTOR_SERVERS
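One way to verify the result afterwards, as an added example that is not part of the original post or of Citrix's article: a PowerShell check that a Director server's computer account has no unconstrained delegation and delegates only to HOST and HTTP on the Delivery Controllers. It assumes the services are set as constrained-delegation targets on the Director computer account; the function name `Test-DirectorDelegation` and all host names are hypothetical.

```powershell
# Added example (not from the original post). Host names are constructed placeholders.
function Test-DirectorDelegation {
    param(
        [Parameter(Mandatory)] $Computer,                      # AD computer object of a Director server
        [Parameter(Mandatory)] [string[]] $DeliveryControllers # FQDNs of all Delivery Controllers
    )
    $findings = @()

    # Unconstrained delegation: the setting AD security assessments flag.
    if ($Computer.TrustedForDelegation) {
        $findings += 'Unconstrained delegation is enabled'
    }

    # Constrained-delegation targets currently set on the account.
    $targets = @($Computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    # Expected targets: HOST and HTTP on every Delivery Controller (FQDN or short name).
    $expected = @()
    foreach ($ddc in $DeliveryControllers) {
        $short = $ddc.Split('.')[0]
        foreach ($svc in 'HOST', 'HTTP') {
            $forms = @("$svc/$ddc", "$svc/$short")
            $expected += $forms
            if (-not ($targets | Where-Object { $_ -in $forms })) {
                $findings += "Missing delegation target: $svc/$ddc"
            }
        }
    }

    # Anything else extends where the Director server can act on behalf of users.
    foreach ($t in $targets) {
        if ($t -notin $expected) { $findings += "Unexpected delegation target: $t" }
    }

    [pscustomobject]@{ Computer = $Computer.Name; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample. Against a live domain, pass instead the output of:
#   Get-ADComputer DIRECTOR01 -Properties TrustedForDelegation, msDS-AllowedToDelegateTo
$sample = [pscustomobject]@{
    Name                       = 'DIRECTOR01'
    TrustedForDelegation       = $false
    'msDS-AllowedToDelegateTo' = @('HOST/ddc01.corp.example', 'HTTP/ddc01.corp.example',
                                   'HOST/ddc02.corp.example', 'cifs/fs01.corp.example')
}
Test-DirectorDelegation -Computer $sample -DeliveryControllers 'ddc01.corp.example', 'ddc02.corp.example'
```

Target entries that carry a port or realm suffix are reported as unexpected by this check and need a manual look.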
