Citrix SSON Single Sign-On

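SSON (single sign-on) provides single sign-on to StoreFront (SF) or ADC. The supported combinations are shown in the table below:

CWA: Citrix Workspace App

√: supported

×: not supported

Note: in the CWA + ADC store scenario, SSON is not supported if the ADC uses AAA authentication.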

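1. CWA installation

When installing CWA, select "Enable single sign-on". If a previously installed CWA did not have SSON selected, CWA must be reinstalled. After installation, the client must be restarted for the setting to take effect.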

2. Client policies

The policies can be deployed through local policy or AD Group Policy.
Copy the following files from the client to the C:\Windows\PolicyDefinitions directory on the AD:
C:\Program Files (x86)\Citrix\ICA Client\Configuration\CitrixBase.admx
C:\Program Files (x86)\Citrix\ICA Client\Configuration\receiver.admx

Copy the following files from the client to C:\Windows\PolicyDefinitions\en-US on the AD, or to the directory for another language:
C:\Program Files (x86)\Citrix\ICA Client\Configuration\en-US\CitrixBase.adml
C:\Program Files (x86)\Citrix\ICA Client\Configuration\en-US\receiver.adml

2.1 Allow user name and password pass-through

Computer Configuration > Policies > Administrative Templates > Citrix Components > Citrix Workspace > User authentication > Local user name and password

2.2 Store address policy

NetScaler Gateway URL > StoreFront Account List

2.3 IE browser settings

Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List
Enter the FQDN of StoreFront.

Note: value 1: Intranet zone; value 2: Trusted Sites zone; value 3: Internet zone; value 4: Restricted Sites zone

Computer Configuration > Policies > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone > Logon Options

2.4 Configure the Gateway policy

The NetScaler Gateway scenario requires the following policy:
Under the Computer Configuration node, go to Administrative Template > Citrix Components > Citrix Workspace > User Authentication, and select Single Sign-on for Citrix Gateway policy.

3. SF settings

  1. Configure the CWA store: StoreFront console > select the Store > Manage Authentication Methods > check Domain pass-through.
  2. Configure Receiver for Web: Store > Workspace for Web Sites > Manage Authentication Methods > check Domain pass-through.

4. DDC settings

Configure XML trust with the following PowerShell commands:

asnp citrix*
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True
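
To confirm on a client that the settings from sections 1 and 2.3 actually arrived, the read-only check below can be run; it is an added example, not part of the original post. It assumes the policies were applied under Computer Configuration (so they land in HKLM), that `ssonsvr.exe` is the CWA single sign-on process, and `storefront.example.local` is a placeholder FQDN.

```powershell
# Added example: read-only verification of client-side SSON prerequisites.
function Test-SsonClientSettings {
    param([Parameter(Mandatory)][string]$StoreFrontFqdn)

    # Zone numbers as listed in the note in section 2.3.
    $zoneNames = @{ '1' = 'Intranet'; '2' = 'Trusted Sites'; '3' = 'Internet'; '4' = 'Restricted Sites' }
    # Values of URL action 1A00 (Logon Options).
    $logonNames = @{
        0x00000 = 'Automatic logon with current user name and password'
        0x10000 = 'Prompt for user name and password'
        0x20000 = 'Automatic logon only in Intranet zone'
        0x30000 = 'Anonymous logon'
    }
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Site to Zone Assignment List: value name = site, value data = zone number.
    $zone = 'not assigned by policy'
    $mapKey = Get-Item -Path "$policyRoot\ZoneMapKey" -ErrorAction SilentlyContinue
    if ($mapKey) {
        foreach ($site in $mapKey.GetValueNames()) {
            # Entries may be stored with or without a scheme (https://...).
            if ($site -like "*$StoreFrontFqdn*") {
                $data = [string]$mapKey.GetValue($site)
                $zone = if ($zoneNames.ContainsKey($data)) { $zoneNames[$data] } else { "unknown ($data)" }
            }
        }
    }

    # Logon Options policy for the Trusted Sites zone (zone 2).
    $logon = 'not set by policy'
    $raw = (Get-ItemProperty -Path "$policyRoot\Zones\2" -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
    if ($null -ne $raw) {
        $logon = if ($logonNames.ContainsKey([int]$raw)) { $logonNames[[int]$raw] } else { "unknown ($raw)" }
    }

    [pscustomobject]@{
        # The SSON process only runs if CWA was installed with single sign-on
        # enabled and the client was restarted afterwards (section 1).
        SsonProcessRunning     = [bool](Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue)
        StoreFrontZone         = $zone
        TrustedZoneLogonOption = $logon
    }
}

Test-SsonClientSettings -StoreFrontFqdn 'storefront.example.local'
```

On the DDC, `Get-BrokerSite` shows the current `TrustRequestsSentToTheXmlServicePort` value. Because that setting makes the controller trust the identity information arriving on the XML service port, access to that port should be limited to the StoreFront servers.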
