Citrix Workspace app for Windows (2023)

October 12, 2022

Contributed by:

C

V

You can configure various types of authentication for your Citrix Workspace app, including domain pass-through (single sign-on or SSON), smart card, and Kerberos pass-through.

Domain pass-through (Single Sign-on) authentication

Domain pass-through (single sign-on or SSON) lets you authenticate to a domain and use Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) without having to reauthenticate again.

When enabled, domain pass-through (single sign-on) caches your credentials, so that you can connect to other Citrix applications without having to sign in each time. Ensure that only software that is in accordance with your corporate policies runs on your device to mitigate the risk of credential compromise.

When you log on to Citrix Workspace app, your credentials are passed through to StoreFront, along with the apps and desktops and Start menu settings. After configuring single sign-on, you can log on to Citrix Workspace app and launch virtual apps and desktops sessions without having to retype your credentials.

All web browsers require you to configure single sign-on using the Group Policy Object (GPO) administrative template. For more information about configuring single sign-on using the Group Policy Object (GPO) administrative template, see Configure single sign-on with Citrix Gateway.

You can configure single sign-on on both fresh installation or upgrade setup, using any of the following options:

  • Command-line interface
  • GUI

Note:

The terms domain pass-through, single sign-on, and SSON might be used interchangeably in this document.

Configure single sign-on during fresh installation

To configure single sign-on during fresh installation, do the following steps:

  1. Configuration on StoreFront.
  2. Configure XML trust services on the Delivery Controller.
  3. Modify Internet Explorer settings.
  4. Install Citrix Workspace app with single sign-on.

Configure single sign-on on StoreFront

Single sign-on lets you authenticate to a domain and use Citrix Virtual Apps and Desktops and Citrix DaaS from the same domain without having to reauthenticate to each app or desktop.

When you add a store using the Storebrowse utility, your credentials pass through the Citrix Gateway server, along with the apps and desktops enumerated for you, including your Start menu settings. After configuring single sign-on, you can add the store, enumerate your apps and desktops, and launch the required resources without having to type your credentials multiple times.

Depending on the Citrix Virtual Apps and Desktops deployment, single sign-on authentication can be configured on StoreFront using the Management Console.

Use the following table for different use cases and its respective configuration:

Use case Configuration details Additional information
Configured SSON on StoreFront Launch Citrix Studio, go to Stores > Manage Authentication Methods - Store > enable Domain pass-through. When Citrix Workspace app isn’t configured with Single sign-on, it automatically switches the authentication method from Domain pass-through to User name and password, if available.
When workspace for web is required Launch Stores > Workspace for Web Sites > Manage Authentication Methods - Store > enable Domain pass-through. When Citrix Workspace app isn’t configured with Single sign-on, it automatically switches the authentication method from Domain pass-through to User name and password, if available.

Configure single sign-on with Citrix Gateway

You enable single sign-on with Citrix Gateway using the Group Policy Object administrative template.

  1. Open the Citrix Workspace app GPO administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Template > Citrix Components > Citrix Workspace > User Authentication, and select Single Sign-on for Citrix Gateway policy.
  3. Select Enabled.
  4. Click Apply and OK.
  5. Restart Citrix Workspace app for the changes to take effect.

Configure XML trust services on the Delivery Controller

On Citrix Virtual Apps and Desktops and Citrix DaaS, run the following PowerShell command as an administrator on the Delivery Controller:

asnp Citrix* ; Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True

Modify the Internet Explorer settings

  1. Add the StoreFront server to the list of trusted sites using Internet Explorer. To add:
    1. Launch Internet Options from the Control panel.
    2. Click Security > Local Intranet and click Sites.

      The Local Intranet window appears.

    3. Select Advanced.
    4. Add the URL of the StoreFront FQDN with the appropriate HTTP or HTTPS protocols.
    5. Click Apply and OK.
  2. Modify the User Authentication settings in Internet Explorer. To modify:
    1. Launch Internet Options from the Control panel.
    2. Click Security tab > Local Intranet.
    3. Click Custom level. The Security Settings – Local Intranet Zone window appears.
    4. In the User Authentication pane, select Automatic logon with current user name and password.

      Citrix Workspace app for Windows (1)

    5. Click Apply and OK.

Configure single sign-on using the command-line interface

Install Citrix Workspace app with the /includeSSON switch and restart Citrix Workspace app for the changes to take effect.

Note:

When you install Citrix Workspace app for Windows without the single sign-on component, upgrade to the Citrix Workspace app latest version with the /includeSSON switch isn’t supported.

(Video) Citrix Workspace App Demo Video

Configure single sign-on using the GUI

  1. Locate the Citrix Workspace app installation file (CitrixWorkspaceApp.exe).
  2. Double-click CitrixWorkspaceApp.exe to launch the installer.
  3. In the Enable Single Sign-on installation wizard, select the Enable Single Sign-on option.
  4. Click Next and follow the prompts to complete the installation.

You can now log on to an existing store (or configure a new store) using Citrix Workspace app without entering user credentials.

Configure single sign-on on workspace for web

You can configure single sign-on on workspace for web using the Group Policy Object administrative template.

  1. Open the workspace for web GPO administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Template > Citrix Component > Citrix Workspace > User Authentication.
  3. Select the Local user name and password policy and set it to Enabled.
  4. Click Enable pass-through authentication. This option allows the workspace for web to use your login credentials for authentication on the remote server.
  5. Click Allow pass-through authentication for all ICA connections. This option bypasses any authentication restriction and allows credentials to pass-through on all the connections.
  6. Click Apply and OK.
  7. Restart the workspace for web for the changes to take effect.

Verify that the single sign-on is enabled by launching the Task Manager and check if the ssonsvr.exe process is running.

Configure single sign-on using Active Directory

Complete the following steps to configure Citrix Workspace app for pass-through authentication using Active Directory group policy. In this scenario, you can achieve the single sign-on authentication without using the enterprise software deployment tools, such as the Microsoft System Center Configuration Manager.

  1. Download and place the Citrix Workspace app installation file (CitrixWorkspaceApp.exe) on a suitable network share. It must be accessible by the target machines you install Citrix Workspace app on.

  2. Get the CheckAndDeployWorkspacePerMachineStartupScript.battemplate from the Citrix Workspace app for Windows Download page.

  3. Edit the content to reflect the location and the version of CitrixWorkspaceApp.exe.

  4. In the Active Directory Group Policy Management console, type CheckAndDeployWorkspacePerMachineStartupScript.bat as a startup script. For more information on deploying the startup scripts, see the Active Directory section.

  5. In the Computer Configuration node, go to Administrative Templates > Add/Remove Templates to add the receiver.adml file.

  6. After adding the receiver.adml template, go to Computer Configuration > Administrative Templates > Citrix Components > Citrix Workspace > User authentication. For more information about adding the template files, see Group Policy Object administrative template.

  7. Select the Local user name and password policy and set it to Enabled.

  8. Select Enable pass-through authentication and click Apply.

  9. Restart the machine for the changes to take effect.

Configure single sign-on on StoreFront

StoreFront configuration

  1. Launch Citrix Studio on the StoreFront server and select Stores > Manage Authentication Methods - Store.
  2. Select Domain pass-through.

Citrix Workspace app for Windows (2)

Authentication tokens

Authentication tokens are encrypted and stored on the local disk so that you don’t need to reenter your credentials when your system or session restarts. Citrix Workspace app provides an option to disable the storing of authentication tokens on the local disk.

For enhanced security, we now provide a Group Policy Object (GPO) policy to configure the authentication token storage.

Note:

This configuration is applicable only in cloud deployments.

To disable storing of authentication tokens using the Group Policy Object (GPO) policy:

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Components > SelfService.
  3. In the Store authentication tokens policy, select one of the following:

    • Enabled: Indicates that the authentication tokens are stored on the disk. By default, set to Enabled.
    • Disabled: Indicates that the authentication tokens aren’t stored on the disk. Reenter your credentials when your system or session restarts.
  4. Click Apply and OK.

Starting with Version 2106, Citrix Workspace app provides another option to disable the storing of authentication tokens on the local disk. Along with the existing GPO configuration, you can also disable the storing of authentication tokens on the local disk using the Global App Configuration Service.

In the Global App Configuration Service, set the Store Authentication Tokens attribute to False.

For more information, see the Global App Configuration Service documentation.

Configuration Checker

Configuration Checker lets you run a test to check if the single sign-on is configured properly. The test runs on different checkpoints of the single sign-on configuration and displays the configuration results.

  1. Right-click Citrix Workspace app icon in the notification area and click Advanced Preferences. The Advanced Preferences dialog appears.
  2. Click Configuration Checker.The Citrix Configuration Checker window appears.

    Citrix Workspace app for Windows (3)

  3. Select SSONChecker from the Select pane.
  4. Click Run. A progress bar appears, displaying the status of the test.

The Configuration Checker window has the following columns:

  1. Status: Displays the result of a test on a specific check point.

    • A green check mark indicates that the specific checkpoint is configured properly.
    • A blue I indicates information about the checkpoint.
    • A Red X indicates that the specific checkpoint isn’t configured properly.
  2. Provider: Displays the name of the module on which the test is run. In this case, single sign-on.
  3. Suite: Indicates the category of the test. For example, Installation.
  4. Test: Indicates the name of the specific test that is run.
  5. Details: Provides additional information about the test, for both pass and fail.

The user gets more information about each checkpoint and the corresponding results.

The following tests are done:

  1. Installed with single sign-on.
  2. Logon credential capture.
  3. Network Provider registration: The test result against Network Provider registration displays a green check mark only when “Citrix Single Sign-on” is set to be first in the list of Network Providers. If Citrix Single Sign-on appears anywhere else in the list, the test result against Network Provider registration appears with a blue I and additional information.
  4. Single sign-on process is running.
  5. Group Policy: By default, this policy is configured on the client.
  6. Internet Settings for Security Zones: Make sure that you add the Store/XenApp Service URL to the list of Security Zones in the Internet Options.If the Security Zones are configured via Group policy, any change in the policy requires the Advanced Preferences window to be reopened for the changes to take effect and to display the correct status of the test.
  7. Authentication method for StoreFront.

Note:

(Video) How to Install Citrix on Your Personal Computer at Home

  • If you’re accessing workspace for web, the test results aren’t applicable.
  • If Citrix Workspace app is configured with multiple stores, the authentication method test runs on all the configured stores.
  • You can save the test results as reports. The default report format is .txt.

Hide the Configuration Checker option from the Advanced Preferences window

  1. Open the Citrix Workspace app GPO administrative template by running gpedit.msc.
  2. Go to Citrix Components > Citrix Workspace > Self Service > DisableConfigChecker.
  3. Click Enabled to hide the Configuration Checker option from the Advanced Preferences window.
  4. Click Apply and OK.
  5. Run the gpupdate /force command.

Limitation:

Configuration Checker does not include the checkpoint for the configuration of trust requests sent to the XML service on Citrix Virtual Apps and Desktops servers.

Beacon test

Citrix Workspace app allows you to do a beacon test using the Beacon checker that is available as part of the Configuration Checker utility. The Beacon test helps to confirm if the beacon (ping.citrix.com) is reachable. This diagnostic test helps to eliminate one of the many possible causes for slow resource enumeration, that is the beacon not being available. To run the test, right-click the Citrix Workspace app in the notification area and select Advanced Preferences > Configuration Checker. Select the Beacon checker option from the list of Tests and click Run.

The test results can be any of the following:

  • Reachable – Citrix Workspace app is successfully able to contact the beacon.
  • Not reachable - Citrix Workspace app is unable to contact the beacon.
  • Partially reachable - Citrix Workspace app can contact the beacon intermittently.

Note:

  • The test results aren’t applicable on workspace for web.
  • The test results can be saved as reports. The default format for the report is .txt.

Domain pass-through (Single Sign-on) authentication with Kerberos

This topic applies only to connections between Citrix Workspace app for Windows and StoreFront, Citrix Virtual Apps and Desktops, and Citrix DaaS.

Citrix Workspace app supports Kerberos for domain pass-through (single sign-on or SSON) authentication for deployments that use smart cards. Kerberos is one of the authentication methods included in Integrated Windows Authentication (IWA).

When enabled, Kerberos authenticates without passwords for Citrix Workspace app. As a result, prevents Trojan horse-style attacks on the user device that try to gain access to passwords. Users can log on using any authentication method and access published resources, for example, a biometric authenticator such as a fingerprint reader.

When you log on using a smart card to Citrix Workspace app, StoreFront, Citrix Virtual Apps and Desktops, and Citrix DaaS configured for smart card authentication- the Citrix Workspace app:

  1. Captures the smart card PIN during single sign-on.
  2. Uses IWA (Kerberos) to authenticate the user to StoreFront. StoreFront then provides your Workspace app with information about the available Citrix Virtual Apps and Desktops and Citrix DaaS.

    Note:

    Enable Kerberos to avoid an extran PIN prompt. If Kerberos authentication isn’t used, Citrix Workspace app authenticates to StoreFront using the smart card credentials.

  3. The HDX engine (previously referred to as the ICA client) passes the smart card PIN to the VDA to log the user on to Citrix Workspace app session. Citrix Virtual Apps and Desktops and Citrix DaaS then delivers the requested resources.

To use Kerberos authentication with Citrix Workspace app, check if the Kerberos configuration conforms to the following.

  • Kerberos works only between Citrix Workspace app and servers that belong to the same or to trusted Windows Server domains. Servers are trusted for delegation, an option you configure through the Active Directory Users and Computers management tool.
  • Kerberos must be enabled both on the domain and Citrix Virtual Apps and Desktops and Citrix DaaS. For enhanced security and to make sure that Kerberos is used, disable any non-Kerberos IWA options on the domain.
  • Kerberos logon isn’t available for Remote Desktop Services connections that’re configured to use either Basic authentication, always use specified logon information, or always prompt for a password.

Warning:

Using the Registry editor incorrectly might cause serious problems that can require you to reinstall the operating system. Citrix can’t guarantee that problems resulting from incorrect use of the Registry editor can be solved. Use the Registry Editor at your own risk. Make sure you back up the registry before you edit it.

Domain pass-through (Single Sign-on) authentication with Kerberos for use with smart cards

Before continuing, see Secure your deployment section in the Citrix Virtual Apps and Desktops document.

When you install Citrix Workspace app for Windows, include the following command-line option:

  • /includeSSON

    This option installs the single sign-on component on the domain-joined computer, enabling your workspace to authenticate to StoreFront using IWA (Kerberos). The single sign-on component stores the smart card PIN, used by the HDX engine when it remotes the smart card hardware and credentials to Citrix Virtual Apps and Desktops and Citrix DaaS. Citrix Virtual Apps and Desktops and Citrix DaaS automatically selects a certificate from the smart card and gets the PIN from the HDX engine.

    A related option, ENABLE_SSON, is enabled by default.

If a security policy prevents you from enabling single sign-on on a device, configure Citrix Workspace app using Group Policy Object administrative template.

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Choose Administrative Templates > Citrix Components > Citrix Workspace > User authentication > Local user name and password
  3. Select Enable pass-through authentication.
  4. Restart Citrix Workspace app for the changes to take effect.

    Citrix Workspace app for Windows (4)

To configure StoreFront:

When you configure the authentication service on the StoreFront server, select the Domain pass-through option. That setting enables Integrated Windows Authentication. You do not need to select the Smart card option unless you also have non domain-joined clients connecting to StoreFront using smart cards.

For more information about using smart cards with StoreFront, see Configure the authentication service in the StoreFront documentation.

Support for Conditional Access with Azure Active Directory

Conditional Access is a tool used by Azure Active Directory to enforce organizational policies. Workspace administrators can configure and enforce Azure Active Directory conditional access policies for users authenticating to the Citrix Workspace app. The Windows machine running the Workspace app must have Microsoft Edge WebView2 Runtime version 99 or later installed.

For complete details and instructions about configuring conditional access policies with Azure Active Directory, see Azure AD Conditional Access documentation at Docs.microsoft.com/en-us/azure/active-directory/conditional-access/.

Note:

This feature is supported only on Workspace (Cloud) deployments.

Other ways to authenticate to Citrix Workspace

You can configure the following authentication mechanisms with the Citrix Workspace app. For the following authentication mechanisms to work as expected, the Windows machine running the Workspace app must have Microsoft Edge WebView2 Runtime version 99 or later installed.

(Video) How to install Citrix workspace on windows 10 /11

  1. Windows Hello based authentication – For instructions about configuring Windows Hello based authentication, see Configure Windows Hello for Business Policy settings - Certificate Trust at _Docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.

    Note:

    Windows Hello based authentication with domain pass-through (single-sign-on or SSON) is not supported.

  2. FIDO2 Security Keys based authentication – FIDO2 security keys provide a seamless way for enterprise employees to authenticate without entering a user name or password. You can configure FIDO2 Security Keys based authentication to Citrix Workspace. If you would like your users to authenticate to Citrix Workspace with their Azure AD account using a FIDO2 security key, see Enable passwordless security key sign-in at Docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key.
  3. You can also configure Single Sign-On (SSO) to Citrix Workspace app from Microsoft Azure Active Directory (AAD) joined machines with AAD as an identity provider. For more details about configuring Azure Active Directory Domain services, see Configuring Azure Active Directory Domain services at Docs.microsoft.com/en-us/azure/active-directory-domain-services/overview. For information about how to connect Azure Active Directory to Citrix Cloud, see Connect Azure Active Directory to Citrix Cloud.

Smart card

Citrix Workspace app for Windows supports the following smart card authentication:

  • Pass-through authentication (single sign-on) - Pass-through authentication captures the smart card credentials when users log on to Citrix Workspace app. Citrix Workspace app uses the captured credentials as follows:

    • Users of domain-joined devices who log on to Citrix Workspace app using the smart card can start virtual desktops and applications without needing to reauthenticate.
    • Citrix Workspace app running on non-domain joined devices with the smart card credentials must type their credentials again to start a virtual desktop or application.

    Pass-through authentication requires configuration both on StoreFront and Citrix Workspace app.

  • Bimodal authentication - Bimodal authentication offers users a choice between using a smart card and typing the user name and password. This feature is effective when you can’t use the smart card. For example, the logon certificate has expired. Dedicated stores must be set up per site to allow Bimodal authentication, using the DisableCtrlAltDel method set to False to allow smart cards. Bimodal authentication requires StoreFront configuration.

    Using the Bimodal authentication, the StoreFront administrator can allow both user name and password and smart card authentication to the same store by selecting them in the StoreFront console. See StoreFront documentation.

  • Multiple certificates - Multiple certificates can be availed for a single smart card and if multiple smart cards are in use. When you insert a smart card in a card reader, the certificates are applicable to all applications running on the user device, including Citrix Workspace app.

  • Client certificate authentication - Client certificate authentication requires Citrix Gateway and StoreFront configuration.

    • For access to StoreFront through Citrix Gateway, you must reauthenticate after removing the smart card.
    • When the Citrix Gateway SSL configuration is set to Mandatory client certificate authentication, operation is more secure. However, mandatory client certificate authentication isn’t compatible with bimodal authentication.
  • Double hop sessions - If a double-hop is required, a connection is established between Citrix Workspace app and the user’s virtual desktop.

  • Smart card-enabled applications - Smart card-enabled applications, such as Microsoft Outlook and Microsoft Office, allow users to digitally sign or encrypt documents available in virtual apps and desktops sessions.

Limitations:

  • Certificates must be stored on the smart card and not on the user device.
  • Citrix Workspace app does not save the choice of the user certificate, but stores the PIN when configured. The PIN is cached in non-paged memory only during the user session and isn’t stored on the disk.
  • Citrix Workspace app does not reconnect to a session when a smart card is inserted.
  • When configured for smart card authentication, Citrix Workspace app does not support virtual private network (VPN) single-sign on or session pre-launch. To use VPN with smart card authentication, install the Citrix Gateway Plug-in. Log on through a webpage using their smart cards and PINs to authenticate at each step. Pass-through authentication to StoreFront with the Citrix Gateway Plug-in isn’t available for smart card users.
  • Citrix Workspace app updater communications with citrix.com and the Merchandising Server aren’t compatible with smart card authentication on Citrix Gateway.

Warning

Some configuration requires registry edits. Using the Registry editor incorrectly might cause problems that can require you to reinstall the operating system. Citrix can’t guarantee that problems resulting from incorrect use of the Registry Editor can be solved. Make sure you back up the registry before you edit it.

To enable single sign-on for smart card authentication:

To configure Citrix Workspace app for Windows, include the following command-line option during installation:

To enable smart card authentication to StoreFront instead of Kerberos, install Citrix Workspace app for Windows with the following command-line options:

  • /includeSSON installs single sign-on (pass-through) authentication. Enables credential caching and the use of pass-through domain-based authentication.

  • If the user logs on to the endpoint with a different authentication method, for example, user name and password, the command line is:

    /includeSSON LOGON_CREDENTIAL_CAPTURE_ENABLE=No

This type of authentication prevents capturing of the credentials at logon time and allows Citrix Workspace app to store the PIN during Citrix Workspace app login.

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Go to Administrative Templates > Citrix Components > Citrix Workspace > User Authentication > Local user name and password.
  3. Select Enable pass-through authentication. Depending on the configuration and security settings, select Allow pass-through authentication for all ICA option for pass-through authentication to work.

To configure StoreFront:

  • When you configure the authentication service, select the Smart card check box.

For more information about using smart cards with StoreFront, see Configure the authentication service in the StoreFront documentation.

To enable user devices for smart card use:

(Video) Citrix- How to Install Citrix Workspace 2112 version on Windows 10 | Windows 8/10/11 |

  1. Import the certificate authority root certificate into the device’s keystore.
  2. Install your vendor’s cryptographic middleware.
  3. Install and configure Citrix Workspace app.

To change how certificates are selected:

By default, if multiple certificates are valid, Citrix Workspace app prompts the user to choose a certificate from the list. Instead, you can configure Citrix Workspace app to use the default certificate (per the smart card provider) or the certificate with the latest expiry date. If there are no valid logon certificates, the user is notified, and given the option to use an alternate logon method if available.

A valid certificate must have all of these characteristics:

  • The current time of the clock on the local computer is within the certificate validity period.
  • The Subject public key must use the RSA algorithm and have a key length of 1024 bits, 2048 bits, or 4096 bits.
  • Key usage must include digital signature.
  • Subject Alternative Name must include the User Principal Name (UPN).
  • Enhanced key usage must include smart card logon and client authentication, or all key usages.
  • One of the Certificate Authorities on the certificate’s issuer chain must match one of the allowed Distinguished Names (DN) sent by the server in the TLS handshake.

Change how certificates are selected by using either of the following methods:

  • On the Citrix Workspace app command line, specify the option AM_CERTIFICATESELECTIONMODE={ Prompt | SmartCardDefault | LatestExpiry }.

    Prompt is the default. For SmartCardDefault or LatestExpiry, if multiple certificates meet the criteria, Citrix Workspace app prompts the user to choose a certificate.

  • Add the following key value to the registry key HKEY_CURRENT_USER OR HKEY_LOCAL_MACHINE\Software\[Wow6432Node\Citrix\AuthManager: CertificateSelectionMode={ Prompt SmartCardDefault LatestExpiry }.

Values defined in HKEY_CURRENT_USER take precedence over values in HKEY_LOCAL_MACHINE to best assist the user in selecting a certificate.

To use CSP PIN prompts:

By default, the PIN prompts presented to users are provided by Citrix Workspace app for Windows rather than the smart card Cryptographic Service Provider (CSP). Citrix Workspace app prompts users to enter a PIN when required and then passes the PIN to the smart card CSP. If your site or smart card has more stringent security requirements, such as to disallow caching the PIN per-process or per-session, you can configure Citrix Workspace app to use the CSP components to manage the PIN entry, including the prompt for a PIN.

Change how PIN entry is handled by using either of the following methods:

  • On the Citrix Workspace app command line, specify the option AM_SMARTCARDPINENTRY=CSP.
  • Add the following key value to the registry key HKEY_LOCAL_MACHINE\Software\[Wow6432Node\Citrix\AuthManager: SmartCardPINEntry=CSP.

Smart card support and removal changes

A Citrix Virtual Apps session logs off when you remove the smart card. If Citrix Workspace app is configured with smart card as the authentication method, configure the corresponding policy on Citrix Workspace app for Windows to enforce the Citrix Virtual Apps session for logoff. The user is still logged into the Citrix Workspace app session.

Limitation:

When you log on to the Citrix Workspace app site using smart card authentication, the user name is displayed as Logged On.

Fast smart card

Fast smart card is an improvement over the existing HDX PC/SC-based smart card redirection. It improves performance when smart cards are used in high-latency WAN environments.

Fast smart cards are supported on Linux VDA only.

To enable fast smart card logon on Citrix Workspace app:

Fast smart card logon is enabled by default on the VDA and disabled by default on Citrix Workspace app. To enable fast smart card logon, include the following parameter in the default.ica file of the associated StoreFront site:

copy[WFClient]SmartCardCryptographicRedirection=On<!--NeedCopy-->

To disable fast smart card logon on Citrix Workspace app:

To disable fast smart card logon on Citrix Workspace app, remove the SmartCardCryptographicRedirection parameter from the default.ica file of the associated StoreFront site.

For more information, see smart-cards.

Silent authentication for Citrix Workspace

Citrix Workspace app introduces a Group Policy Object (GPO) policy to enable silent authentication for Citrix Workspace. This policy enables Citrix Workspace app to log in to Citrix Workspace automatically at system startup. Use this policy only when domain pass-through (single sign-on or SSON) is configured for Citrix Workspace on domain-joined devices.

For this policy to function, the following criteria must be met:

  • Single sign-on must be enabled.
  • The SelfServiceMode key must be set to Off in the Registry editor.

Enabling silent authentication:

  1. Open the Citrix Workspace app Group Policy Object administrative template by running gpedit.msc.
  2. Under the Computer Configuration node, go to Administrative Templates > Citrix Workspace > Self Service.
  3. Click the Silent authentication for Citrix Workspace policy and set it to Enabled.
  4. Click Apply and OK.

Prevent Citrix Workspace app for Windows from caching passwords and usernames

By default, Citrix Workspace app for Windows automatically populates the last user name entered. To turn off autofill of the user name field , edit the registry on the user device:

  1. Create a REG_SZ value HKLM\SOFTWARE\Citrix\AuthManager\RememberUsername.
  2. Set its value false.

To disable the Remember my password checkbox and prevent an automatic sign in, create following registry key on client machine where Citrix Workspace app for Windows is installed:

  • Path: HKLM\Software\wow6432node\Citrix\AuthManager
  • Type: REG_SZ
  • Name: SavePasswordMode
  • Value: Never

Note:

Using Registry Editor incorrectly can cause serious problems that can require you to reinstall the operating system. Citrix cannot guarantee that problems resulting from incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Make sure you back up the registry before you edit it.

To prevent caching credentials for the StoreFront stores, see Prevent Citrix Workspace app for Windows from caching passwords and usernames in the StoreFront documentation.

FAQs

How do I install Citrix Workspace on Windows? ›

Installing Citrix Workspace app (Windows)
  1. Go to: Citrix Workspace App.
  2. Click Workspace app for Windows.
  3. Click Download Citrix Workspace app for Windows. ...
  4. Open CitrixWorkspaceApp.exe & follow the prompts to install it.
  5. On the final installation screen, click Add Account.

What is Citrix Workspace for Windows? ›

Citrix Workspace app for Windows (Store) is client software available that enables users to access virtual desktops and hosted applications delivered by Citrix Virtual Apps and Desktops. It is available via the Windows Store.

Can you download Citrix on Windows 10? ›

Compatible with

Windows 11, 10 as well as Windows Server 2022, 2019, 2016. See the product documentation for the complete list of features.

Is Citrix Workspace app free? ›

Citrix Workspace app is the easy-to-install client software that provides seamless, secure access to everything you need to get work done. With this free download, you easily and securely get instant access to all applications, desktops and data from any device, including smartphones, tablets, PCs and Macs.

What is difference between Citrix Receiver and Citrix Workspace? ›

Citrix Workspace app is a new client from Citrix that works similar to Citrix Receiver and is fully backward-compatible with your organization's Citrix infrastructure. Citrix Workspace app provides the full capabilities of Citrix Receiver, as well as new capabilities based on your organization's Citrix deployment.

Is Citrix Workspace a virtual desktop? ›

Citrix virtual desktop solutions

For companies looking to support the distributed workforce, Citrix offers the most comprehensive DaaS and VDI solutions available. Provide the best VDI experience on any device or network.

What is difference between Citrix Workspace and Citrix Workspace app? ›

Citrix Workspace app is a new client from Citrix that works similar to Citrix Receiver and is fully backward-compatible with your organization's Citrix infrastructure. Citrix Workspace app provides the full capabilities of Citrix Receiver, and new capabilities based on your organization's Citrix deployment.

Why do I have Citrix Workspace on my computer? ›

The Citrix Workspace platform enables IT administrators to manage all their enterprise applications, desktops and data from a single pane, providing them various access controls to build a secure digital perimeter around the user when accessing enterprise content from any device, hosted on any cloud, and from any ...

What is Citrix Workspace and do I need it? ›

Citrix Workspace is a digital workspace solution that delivers secure and unified access to apps, desktops, and content (resources) from anywhere, on any device. These resources can be Citrix DaaS, content apps, local and mobile apps, SaaS and Web apps, and browser apps.

How do I install Citrix app on my laptop? ›

3.2 Install Citrix Receiver for Windows

Double-click CitrixReceiver.exe. In the Citrix Receiver Installation wizard, select Enable Single Sign-on. Click Next. After the installation is complete, log off from the client device and log on again.

How do I get Citrix Workspace on my laptop? ›

Instructions
  1. Navigate to www.citrix.com.
  2. Select Downloads. For Receiver: Select the Looking for Citrix Receiver? ...
  3. Select the drop down arrow next to the desired Workspace app. ...
  4. Once the desired app has been located, select the Citrix Workspace app link.
  5. Select the Download Citrix Workspace app button.

How do I know if Citrix is installed on Windows? ›

For Windows 10 computers, go to the Search bar and enter Citrix Receiver. For other Windows versions, in the Windows Start menu select: All Programs > Citrix > Citrix Receiver. 3. If the Citrix Receiver appears on your computer, then the application has been installed onto your computer.

How do I install Citrix Workspace app? ›

You can install the Citrix Workspace app either by: Downloading the CitrixWorkspaceApp.exe installation package from the Download page or. From your company's download page (if available).
...
Using a Windows-based installer
  1. Installation media.
  2. Network share.
  3. Windows Explorer.
  4. Command-line interface.
10 Oct 2022

How much does Citrix Workspace cost? ›

Citrix Workspace: Workspace Essentials: $2 USD per user, per month. Workspace Standard: $7 USD per user, per month. Workspace Premium: $18 USD per user, per month.

Do I need Citrix Workspace on my laptop? ›

Much depends on what you're going to use the computer for. If you don't think you will need to connect to remote desktops or servers or require anyone to connect to you, you shouldn't need it. This is obviously different if you're on a work computer as you may require Citrix Receiver to connect from home.

What is an alternative to Citrix Workspace? ›

VMware Horizon Cloud is easy to use and the full development cloud is very good. The main features of VMware are included. It's a cloud-based virtual desktop infrastructure software that allows you to permit the virtual desktops and applications to any device from the single unified management control.

Is Citrix the same as Remote Desktop? ›

From the end user perspective, Citrix XenDesktop provides very similar features to Microsoft's Remote Desktop Services. However, it is more lightweight, easier to manage, and operates faster than RDS.

Is Citrix Workspace a VPN? ›

Citrix Workspace provides a cloud- based, VPN-less solution to access all intranet web, SaaS, mobile, and virtual applications—whether using managed, unmanaged, or bring-your-own devices (BYOD) over any network.

What are the benefits of Citrix Workspace? ›

Citrix digital workspace solutions

Improve how people work by unifying content, apps, and data into a unified, personal experience—and increase productivity by automating tasks and streamlining workflows. Reduce security risk by protecting all applications and data with a zero-trust model approach.

Is Citrix VPN or VDI? ›

Citrix is a VDI system which means Virtual Desktop Infrastructure. Citrix allows remote access to a virtual desktop hosted on a corporate server rather than a remote connection.

What is Workspace app used for? ›

Citrix Workspace App (formerly known as Citrix Receiver) enables users to access applications, services, and data from several desktop and mobile devices. By using this product, you can instantly access all your software as a Service (SaaS) and web applications, files, and mobile apps.

Is Citrix owned by Microsoft? ›

Citrix, a cloud computing and virtualization company used by companies including Microsoft, Google, and SAP, has revealed plans to be acquired by affiliates of global investment firm Vista Equity Partners, and an affiliate of Elliott Investment Management called Evergreen Coast Capital Corporation.

Is Citrix Workspace app Safe? ›

Citrix offers a complete work-from-anywhere workspace with an advanced zero-trust security approach. In addition, it is VPN-less, which allows workers to access internal web apps and SaaS applications without needing to connect to the network.

How do I stop Citrix Workspace from running in the background? ›

All you have to do is open up Task Manager by right-clicking on the Taskbar, or using the CTRL + SHIFT + ESC shortcut key, clicking “More Details,” switching to the Startup tab, and then using the Disable button.

Why do people use Citrix? ›

One great benefit of Citrix Virtual Apps and Desktops is their expansive offering of applications, end security, and machines regardless of the OS or interface.

What is the difference between Citrix and windows? ›

Compared to Citrix, Windows Virtual Desktop is easier to use for small businesses. While Citrix has many advanced features, the cost of implementation and maintenance is high. However, not all businesses (especially small ones) need or want to pay for these capabilities.

What is Citrix Workspace used for in windows 10? ›

Citrix Workspace app for Windows is an easy-to-install app that provides access to your applications and desktops using Citrix Virtual Apps and Desktops and Citrix DaaS (formerly Citrix Virtual Apps and Desktops service) from a remote client device.

Why won't Citrix work on my laptop? ›

If you have an outdated version of Citrix Workspace or Citrix Receiver, you may encounter this issue of the app not failing to launch a desktop or applications. It is always good practice to update to the latest supported version of the app.

Why cant I download Citrix on my computer? ›

Turn off firewalls, antivirus software, and third-party security software. ​Make sure user has administrative privileges for account being used to download software. Try downloading over a wired, not wireless, connection.

Can I use Citrix on my personal laptop? ›

The Citrix Workspace App is already installed on public lab computers around campus. The following installation instructions apply only to personal computers. You can read more about the Citrix system from here.

Where is Citrix Workspace installed? ›

If the installation is user-based, Citrix Workspace app must be installed for each user who logs on to the local machine. The default installation path for user-based installations is C:\Users\%UserName%\AppData\Local\Citrix\ICA Client .

What do I need to run Citrix? ›

Citrix Hypervisor Center system requirements
  1. Operating System: Windows 10. ...
  2. .NET Framework: Version 4.8.
  3. CPU Speed: 750 MHz minimum, 1 GHz or faster recommended.
  4. RAM: 1 GB minimum, 2 GB or more recommended.
  5. Disk Space: 100 MB minimum.
  6. Network: 100 Mbit/s or faster NIC.
  7. Screen Resolution: 1024x768 pixels, minimum.
10 Aug 2022

What operating system is needed for Citrix? ›

Virtual Delivery Agent (VDA) for multi-session OS

Windows 11. Windows 10 (x64 only), any version that is currently in mainstream support. Windows Server 2022.

Is Citrix Workspace compatible with Windows 10? ›

Note: Windows 10 versions are compatible with mentioned Citrix Workspace app versions only. For example, Windows 10 Version 21H1 isn't compatible with the version earlier than 2106. The following table lists the Windows 11 version number and the corresponding compatible Citrix Workspace app for Windows releases.

What's better than Citrix? ›

Top 10 Alternatives to Citrix DaaS
  • V2 Cloud.
  • Amazon WorkSpaces.
  • AnyDesk.
  • VirtualBox.
  • VNC Connect.
  • Horizon Cloud.
  • TeamViewer.
  • ConnectWise Control.

How much is Citrix per user? ›

The Citrix pricing for Citrix Virtual Apps and Desktops starts at US $15 per user, per month.
...
What Is the Pricing for Citrix Virtual Apps and Desktops?
SchemeCitrix price
VDI Edition (user/device)US $102
Enterprise Edition (concurrent user)US $535
4 more rows
2 Aug 2021

How do I enable Citrix Workspace? ›

Right-click the Citrix Workspace icon in the Windows system tray and select Advanced Preferences > Reset Citrix Workspace. Open Citrix Workspace app for Windows and select Accounts > Add. Enter the Workspace URL and then select Add.

How do I install Citrix Workspace? ›

You can install the Citrix Workspace app either by: Downloading the CitrixWorkspaceApp.exe installation package from the Download page or.
...
Note:
  1. Citrix Workspace app or plug-in installation.
  2. Per-machine ICA lockdown settings.
  3. Group policy object (GPO) administrative template configurations for Citrix Workspace app.
7 Nov 2022

How manually install Citrix? ›

Download Citrix Receiver for Windows (CitrixReceiver.exe) from Citrix Downloads. Log onto the client device with administrator privilege. Double-click CitrixReceiver.exe. In the Citrix Receiver Installation wizard, select Enable Single Sign-on.

How do I setup and install Citrix? ›

  1. Sign up.
  2. Citrix HDX Plus for Windows 365.
  3. Citrix DaaS for Google Cloud.
  4. Machine identities. Active Directory. Azure Active Directory joined. ...
  5. Set up resource types. Microsoft Azure Resource Manager cloud environments. ...
  6. Create and manage connections.
  7. Install VDAs.
  8. Install VDAs using the command line.
1 Nov 2022

How do I set up a Citrix Workspace? ›

To add a Citrix Workspace app account

From the Citrix Workspace app home page, click the down arrow and select Accounts. From the Add or Remove Accounts dialog, select Add and complete the information provided by your administrator.

Where is Citrix Workspace app installed? ›

If the installation is user-based, Citrix Workspace app must be installed for each user who logs on to the local machine. The default installation path for user-based installations is C:\Users\%UserName%\AppData\Local\Citrix\ICA Client .

How do you check if Citrix Workspace is installed? ›

For Windows 10 computers, go to the Search bar and enter Citrix Receiver. For other Windows versions, in the Windows Start menu select: All Programs > Citrix > Citrix Receiver. 3. If the Citrix Receiver appears on your computer, then the application has been installed onto your computer.

How do I download Citrix app on my laptop? ›

Instructions
  1. Navigate to www.citrix.com.
  2. Select Downloads. For Receiver: Select the Looking for Citrix Receiver? ...
  3. Select the drop down arrow next to the desired Workspace app. ...
  4. Once the desired app has been located, select the Citrix Workspace app link.
  5. Select the Download Citrix Workspace app button.

How do I download Citrix? ›

Open the Google Play Store and search for Citrix Workspace to download and install the latest version.

What is the difference between Citrix Workspace and workspace app? ›

Citrix Receiver is not a standalone program, and it comes included in XenApp and XenDesktop subscriptions. On the other hand, Citrix Workspace app is an independent product and can be installed separately. Some users continue to use Citrix Receiver as it supports any desktop platforms such as Windows, Mac, and Linux.

Videos

1. Installing📦the Citrix Workspace App 2202.
(Ben Oostdam)
2. Citrix Workspace app for HTML5 configuration
(c4rm0)
3. Downloading and Installing the Citrix Workspace App (2022) at CSUN
(Steve Graves)
4. How To Install Citrix Workspace On Windows | Citrix Workspace | Citrix
(Nitro IT Services)
5. Citrix Workspace - An Overview | Citrix Workspace app | Citrix Workspace Training | Citrix Workspace
(KELVGLOBAL ICT)
6. How to deploy Citrix Workspace in SCCM
(Carson Cloud)
Top Articles
Latest Posts
Article information

Author: Rueben Jacobs

Last Updated: 10/21/2022

Views: 6004

Rating: 4.7 / 5 (57 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Rueben Jacobs

Birthday: 1999-03-14

Address: 951 Caterina Walk, Schambergerside, CA 67667-0896

Phone: +6881806848632

Job: Internal Education Planner

Hobby: Candle making, Cabaret, Poi, Gambling, Rock climbing, Wood carving, Computer programming

Introduction: My name is Rueben Jacobs, I am a cooperative, beautiful, kind, comfortable, glamorous, open, magnificent person who loves writing and wants to share my knowledge and understanding with you.