4 minute read

It’s been a long time since my last post! I’ve been so busy working on the house (but nothing really blog-worthy). Anyway today a colleague and I went through and set up the Citrix Web Interface (5.x) with single-sign-on using Microsoft ISA 2006.

The Web Interface and Secure Gateway run on the same server but are configured completely independently of each other, they could just as well be on separate servers if the load warranted it. They both listen on port 443 on separate IP addresses with separate certificates.

On the face of it, it seems quite straight forward – configure the Web Interface for pass-through authentication, create an ISA web publishing rule using our common SSO web listener with forms based authentication and configure an authentication delegation method. This works just fine as far as getting the user logged in with their list of applications.

Next step – configure the CSG to listen on a separate IP address with a separate certificate and configure a NAT rule so the ICA client can connect directly to the CSG. Again fairly straight forward.

Here’s the catch. Using pass-through on the web interface doesn’t work with the CSG. Pass-through mode expects the client to be domain-joined, inside the corporate network and able to authenticate directly with the XenApp Server (as opposed to being pre-authenticated by the XML/STA services). The result with the above configuration is that when the user launches an application they are presented with a Windows login dialog which defeats the purpose of single-sign-on.

The solution – ASP.Net “jump” page on the web interface.

Configure the Web Interface in “Explicit ” mode rather than pass-through. This is the standard method where the user is presented with the Citrix Web Interface login form.

Configure the ISA web publishing rule to delegate “basic” credentials. i.e. clear text user-name/password (secured with SSL of course!).

Create an ASP.NET jump page which extracts the user-name and password from the HTTP request, and creates a form with hidden fields then uses java script to POST the form to the Web Interface login page.

This all happens instantly without the user noticing. Don’t configure the Web Interface as the default IIS page, instead place the jump page in the root of the IIS web site and set the document priority to to serve it up first. Here’s the code: (Download link at the end of the post)


<pre escaped="true" lang="asp"><%@ Page Language="C#" AutoEventWireup="true" CodeFile="AuthPass.aspx.cs" Inherits="AuthPass" %>

<html xmlns="http://www.w3.org/1999/xhtml">
	<body onload="submitlogin()">
		<div id="FormContainer" runat="server">


<script type="text/javascript" language="javascript">
	 function submitlogin()

AuthPass.aspx.csNote: The domain field needs to be set to your own domain or removed completely depending on how your users login. The form action needs to point to your Web Interface login.aspx page.

<pre lang="csharp">using System;
using System.Net;
using System.Text;
using System.Web;

public partial class AuthPass: System.Web.UI.Page
    protected void Page_Load(object sender, EventArgs e)
		FormContainer.InnerHtml = doLogin(Request.ServerVariables["AUTH_USER"],Request.ServerVariables["AUTH_PASSWORD"]);

	private String doLogin(String strUser, String strPassword)
		StringBuilder strForm = new StringBuilder();
		strForm.Append("<form name=\"CitrixForm\" action=\"https://citrix.corp.com/Citrix/XenApp/auth/login.aspx\" method=\"post\">");
		strForm.Append("<input type=\"hidden\" name=\"domain\" value=\"MyDomain\">");
		strForm.Append("<input type=\"hidden\" name=\"user\" value=\"{0}\">");
		strForm.Append("<input type=\"hidden\" name=\"password\" value=\"{1}\">");
		strForm.Append("<input type=\"hidden\" name=\"LoginType\" value=\"Explicit\">");
		return String.Format(strForm.ToString(), strUser, strPassword);


Here are the key points.

ISA 2006

  • Web publishing rule with SSO WebListener using forms based Authentication
  • “Basic” authentication delegation (SSL end to end!)
  • Published logoff URL is set to /Citrix/XenApp/site/logout.aspx
  • Simple NAT rule for CSG

Web Interface

  • A new XenApp site is created in the Web Interface Management tool with “At Web Interface” configured for the “Where user authentication takes place” setting
  • Authentication Method set to Explicit
  • AuthPass.aspx[.cs] files are placed in the root of the IIS website to handle auto-login
  • XenApp web site is not configured as the default IIS site. AuthPass.aspx is set as the default page on the IIS web site
  • Secure access mode is set to “Gateway Direct” but this will depend on your environment


  • This CSG is entirely configure using the CSG Management Console
  • A specific certificate for the CSG is selected
  • The CSG is set to listen on specific IP address rather than the default of all IPv4 addresses (an additional address must be added to the server’s TCP config).
  • “Direct” mode is configured for the Web Interface location

There you have it. Citrix WI/CSG SSO for ISA. I know it’s a bit of a hack but I spent some time trying to find a way to do this natively with Citrix Web Interface configuration and posted in the Citrix support forums without any success. If there is a more official way to do it I’d love to hear about it.

On a side note…

I found a long delay during login which was fixed by disabling NetBIOS over TCP/IP on the web interface server

Citrix Web Interface SSO for MS ISA (1069 downloads) </body></html>