Workspace Receiver

Posted on  by admin

To select only the LTSR updates using GPO, navigate to Administrative Templates Citrix Components Citrix Receiver AutoUpdate Enable or Disable AutoUpdate. Select Enabled and set the policy to LTSR ONLY. Command line interface. During Citrix Workspace app for Windows installation, set the /AutoUpdateStream attribute to LTSR. It has been designed to work with Citrix Receiver 4.7 up to Citrix Workspace app 2103.1. Microsoft.Net Framework 4.5.2 minimum. Installing Citrix Workspace app CommandLine. Extract the contents of the zip file to a folder. How to Use Citrix Workspace app CommandLine.

SSO Overview

There are to ways you can use SSO in a Citrix 7.5+ environment using built-in Citrix technologies:

  1. SSO via Citrix Receiver for Web
  2. SSO via the Citrix Receiver client

Depending on which method you choose the prerequisites differ, however not by much. Below are the prerequisites that are required for either method, meaning it doesn’t matter which method you choose the same prerequisites exist:

  1. Citrx Receiver must be installed on the client device with the SSON component installed
  2. Receiver for Web website must be in the Local Intranet Zone
  3. If using the Trusted Sites zone instead, Automatic logon with current username and password must be set in Trusted Sites zone (I will talk no further about using the Trusted Sites zone)
  4. Domain pass-through must be enabled on Receiver for Web via StoreFront console
  5. Requests sent to the XML service port on your DDCs must be trusted

Now below are the remaining unique prerequisites/differences for each method.

Receiver for Web

  1. Always use Receiver for HTML5 must not be selected in StoreFront
  2. Internet Explorer must be used when accessing Receiver for Web
  3. Group Policies do not need created for Receiver for Web SSO
  4. The User Name and Password Receiver for Web authentication method should be disabled to avoid extra prompts which will later be explained

Receiver client

  1. Group Policies do need created for Receiver client SSO

Installing and configuring SSO (Receiver for Web):

  1. Citrix Receiver client must be installed on the end device. The SSO component is not required so a simple GUI or command line interface command can be used to install the client.
  2. Using StoreFront MMC, enable Domain pass-through on Receiver for Web
  3. Using StoreFront MMC, disable User Name and Password authentication against Receiver for Web
  4. Launch Internet Explorer on logon by placing a shortcut in the Startup folder C:ProgramDataMicrosoftWindowsStart MenuProgramsStartup. This should be done on the base/gold image
  5. Set Internet Explorers homepage to the Receiver for Web website address
  6. Create a GPO linked to all machnes participating in Citrix Receiver for Web SSO or use an existing policy
  7. Using the above created policy, edit the setting Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel to include the Receiver for Web website address in the Local Intranet zone

Decision: To get rid of the first-time logon prompt which will be shown later in this post, you need to disable User Name and Password authentication. Doing so partly reduces functionality:

  1. Non domain machines cannot authenticate to this Receiver for Web website
  2. Usrs can not log on using a set of credentials different than those they used to log on to their domain joined client device

Keeping the above restrictions in mind, a decision must be made to bring true SSO experience at the expense of reduced authentication ability, or accept that a prompt will be given to users on first log on to Receiver for Web in favour of keeping maximum authentication abilities. It is also possible to create a seperate Receiver for Web website for SSO users only, or create sites for non-SSO participants. This means you can configure seperate devices/users to point to specific Receiver for Web websites based on authentication needs.

Installing and configuring SSO (Receiver client)

  1. Citrix Receiver client must be installed on the end-device. The SSO component is required so a simple GUI or command line interface command can be used to install the client. A command line install if preferred because you can automate Citrix Store configuration. The following command at minimum is required to install Receiver client: CitrixReceiver.exe /includeSSON (tested on Receiver 4.3)
  2. Using StoreFront MMC, enable Domain pass-through on Receiver for Web
  3. Download and copy receiver.admx and receiver.adml template files to the PolicyDefinitions folder on a Domain Controller
  4. Create a GPO linked to all machines participating in Citrix Receiver client SSO or use an existing one
  5. Using the above created policy, edit the setting Computer Configuration -> Policies -> Administrative Templates -> Citrix -> Components -> Citrix Receiver -> Local User Name and Password enabling Enable pass-through authentication
  6. Using the above created policy, edit the setting Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel to include the Receiver for Web website address in the Local Intranet zone

The Receiver for Web logon prompt

Now that we have discussed the prompt and the advantages/disadvantages with enabling/disabling this feature, here below is a picture of what the prompt actually is and looks like.

When you have enabled Domain pass-through and User name and Password authentication on Receiver for Web, the first time a user logs on they get this prompt to either log on using the account used to sign on to the computer or to switch to the username and password logon screen. The user name and password logon screen gives the user the ability to authenticate with any set of credentials they have. Since I mention “first time” above, first time means the first time a user logs on to Receiver for Web on a device that they have never used before. The next time they use the same machine the same prompt does not appear. If you log off, you may also get the below message.

If the device is a thin-client with a write-based restrictive filter, the profiles may not be stored and as such the user is using that machine for the first time every time as far as the device is concerned after said device is restarted. This reduces the SSO experience, as the prompt requires manual input. Users wanting true SSO experience must disable User name and Password authentication. User name and Password authentication conflicts with SSO and is not required. A seperate Receiver for Web site must be created for users who do require the User name and Password authentication method. User name and Password is enabled by default when you install Citrix StoreFront.

The User Name and Password authentication method

Configuring SSO for Receiver client

Now that we have covered the theory, I will walk through configuring SSO for Receiver client. I won’t go through SSO with Receiver for Web but it is just as similar to configure.

Install Citrix Receiver on the client device with SSON component included. I am using a command to install. The command automatically configures the store.

You could also enable SSO by checking the box on newer versions (4.3+) if you prefer however you will have to manually configure the store or use the Receiver ADMX templates with Group Policy.

Insert the Receiver for Web site in the Local Intranet Zone. If using the Trusted Sites zone instead, Automatic logon with current username and password must be set in the Trusted Sites zone. In most cases you will use the Local Intranet zone. This is best done via GPO.


  1. Intranet Zone = 1
  2. Trusted Sites = 2

If using the Trusted Sites zone, enable Automatic logon with current username and password.

Enable Domain pass-through on Receiver for Web via StoreFront console and remove other authentication method(s). Pass-through from NetScaler Gateway can be enabled, however User name and password should not.

On your DDCs requests sent to the XML service port on your DDCs must be trusted, so run the following command:

Configure Group Policy to enable pass-through authentication on Receiver. You will need to have imported the Receiver.admx and Receiver.adml files to the Group Policy Central Store.


Now if you open the Citrix Receiver client on your device, it should not ask to configure the store or ask for credentials. Instead, you will be passed through to StoreFront and presented with your subscribed applications and desktops.

Be aware after installing Receiver you must log off/on to your client device for the SSONSVR.EXE process to start and capture your credentials.

Additional feature – Desktop Lock

You can also turn your PC/Thin Clients in to kiosk type machines using what is called Citrix Desktop Lock. When a user logs on to their device the Citrix desktop automatically launches in full-screen mode and if the user disconnects or logs off the Citrix desktop the user is automatically logged off the local device. This is great in a VDI environment if you want to bring a true no-touch experience to your users. You can download Desktop Lock from the Citrix website.

Once downloaded launch the Citrix Desktop Lock software on an SSON configured client device.

Click Close once the software has installed.

Restart the client device.

Now log on as a standard user who has one Citrix desktop assigned to them.

Desktop Lock automatically launches the desktop in full screen.

The Desktop Viewer toolbar has some missing buttons to prevent the user from minimizing the desktop for example.

When the user disonnects or logs off, the local client device is also logged off. This helps secure the device and not leave any unattended workstations logged on.

If you need to control the local device yourself, log on as a user who is a Local Administrator of that machine and you will be presented with the below prompt.

Download Citrix Workspace Receiver

After clicking OK you can access the local desktop to perform management tasks.

Troubleshooting SSO

  • The SSONSVR.EXE process must be running on your client device
  • Ensure you have met all the prerequisites stated above for your SSO method (Receiver client/Receiver for Web)
  • Using an SSO configured device go to The web address I would go to is and if SSO is correctly configured you should see results similar to the below. (Included in StoreFront 2.5)
  • Restart the client device (requirement after Receiver install with SSON)

Receiver 4.5 (released September 2016):

New with Citrix Receiver for Windows 4.5 is the Configuration Checker tool which performs various checks against the prerequisites needed for SSO to work. Open Advanced Preferences by right-clicking the Receiver icon in the system tray. Click Configuration Checker.

Tick SSONChecker and click Run.

As you can see a number of checks have been performed with one failure.

Looking closer at the failure alert we can see the Single Sign-on process is not running. After installing the SSON components you only need to log off/on for the process to run. In this case, I deliberately left out the SSON component so it is not installed at all. Click on Save Report to save the results to .TXT.

Heres a look at the results .TXT file.

Receiver Vs Workspace

I’ve now ran the SSON Checker on a machine that is properly configured for SSO. As expected, all checks have passed.

Receiver SSON logging:

You can enable SSON logging which may be help in identifying an issue.

Add a the following values to HKLMSoftwareCitrixInstallSSON (32bit) or HKLMSoftwareWOW6432NodeCitrixInstallSSON (64bit).

REG_SZ DebugEnabled = true

REG_SZ LogPath = Path location

When you log off and on again log files will be created relating to SSON.

The trace-pnsson.log file shows information such as the credentials captured and packaged by SSON.

Workspace Receiver

Microsoft has recently released the new Microsoft Edge browser which is built on top of Chromium. This is a very strong proposition for the enterprise market. With all the benefits of the open source Chromium engine and the good bits of Microsoft enterprise security and manageability. However because this browser is quite fresh, it does present a few challenges when it comes to integrating it with existing products such as Citrix Storefront and Citrix Workspace. I am currently in the process of deploying new laptops, one of the key features we will use is our existing Citrix XenDesktop environment.

As of currently I find these settings to be providing the best end user experience, as it provides the users with the following experience:

  • No hassle of installing or updating the Citrix Workspace app, I have configured this through the Microsoft Store.
  • no struggles with receiver detection;
  • no need to manually allow downloading of .ICA files;
  • no user interruptions from login to desktop.

This might be contrary to modern management with which you give your end users more and more freedom of choice. But I do feel that some things just need to be taken care of for your end users.


Citrix Workspace deployment

Before we go on with the next steps we need to make sure that we have the Citrix Workspace application installed on our device. We use Microsoft Endpoint Manager (MEM) to manage our laptops. With Endpoint Manager you can easily deploy apps that are available in the Microsoft Store.

I used the same method to deploy the Citrix Workspace app. I did this using the following steps:

  1. Go to Apps > Windows click on the Add button and choose Microsoft store app as the application type and click on Select.
  2. Enter the application details, such as the Name, Description, Publisher.:
  3. The application URL can be determined by visiting the Microsoft store, and searching for the Citrix Workspace application.
  4. If all went well you can click on Next.
  5. In the next window you can select your preferred assignments. Assign the application to a group, or whatever your prefer and click on Next.
  6. You can now click on Create to create your application deployment.

After a while you should end up with a Citrix Workspace application installed on your machine. There are off course numerous other ways to get the Citrix Workspace application installed on a managed device. But this method provided is a modern and commonly used method.

Citrix Receiver/ Workspace detection

Citrix Receiver or Workspace detection is quite troublesome when it comes the new Microsoft Edge browser. As of now I could not find any information on how to make this detection work. From the past I can remember that is quite troublesome anyway. Because we already provided our end users with a Citrix Workspace app using the previously described Citrix Workspace deployment through the Windows Store. We can skip the receiver detection all together. Citrix has this process documented and it requires modification of the StoreFront web.config file.

Citrix Receiver Workspace 1911 Download

For your convenience I have included the required steps below:

  1. Find the web.config file on your StoreFront server. This is typically located in the C:inetpubwwwrootCitrix<storename>Web directory. Replace <storename> with the name of your StoreFront store.
  2. With the file open, search for the phrase protocolHandler.
  3. Look for the entry with protocolHandler inside, in my case it was formatted as follows:
  4. Now go ahead make the change, and change <protocolHandler enabled=”true” to <protocolHandler enabled= “false”
  5. Save the web.config file and restart iis using iisreset (from an elevated command prompt.
  6. Note: if you have multiple StoreFront servers make sure that you apply the configuration change on each of your StoreFront servers.

Now if you revisit the StoreFront webpage, you should automatically be taken to the desktop list. Now you can open the preferred desktop without getting bothered by the Citrix Receiver detection.

Desktop not opened automatically

Citrix receiver or workspace app

So there we go, Citrix Workspace/ Receiver detection is working. But wait, lets open a desktop. Dang, another user interruption:

Workspace Receiver

The .ICA desktop file is not automatically opened due to the security features of the Microsoft Edge browser. This prevents automatic opening of downloaded files, which is essentially what is happening when you click on a desktop to launch. Fair enough, you need this kind of security nowadays. Luckily we can overcome this by setting specific Edge policies.

We need to set two edge policies in order to allow downloads of ICA files. If you have not done so already, you can create a device configuration profile in Microsoft Endpoint Manager in order to manage Microsoft Edge. You can also use traditional GPO’s, the policy names should be the same. I will guide you through the Endpoint Manager method in this article.

  1. In Microsoft Endpoint Manager, go to Devices and click on Configuration profiles
  2. Click on Create profile and choose Windows 10 and later as a platform and Administrative Templates as a profile. Click on Create
  3. Give the profile a sensible name, and click on Next.
  4. The first policy that we need to configure is: List of file types that should be automatically opened on download so search for that in the configuration settings. The setting type can be either device or user as a setting type. Configure ica as a file type:

5. Next up we want to make sure that our configuration is still secure. You don’t want to be wildly allowing ICA files to be opened from anywhere. So we need to set the additional setting URLs where AutoOpenFileTypes can apply. Set this to your StoreFront location:

6. Now we can finish up the wizard. Make sure you set the assignment to a group that you require.

You should now wait a while in order to allow Endpoint Manager to apply the configuration profile. But this should get rid of the extra download step from a user perspective.

Citrix Workspace Add Account pop-up

Once the desktop is launched, you will also notice the Citrix Workspace Add account pop-up.

This is not directly related to Edge, but I tried to make this article as complete as possible. You can disable this pop-up manually by selecting the checkbox Do not show this window automatically at logon.

One other option is to distribute the following registry key to your clients:


Deployment of registry keys is somewhat limited using Microsoft Endpoint Manager. But current ways of doing this are:

  • Using PowerShell scripts
  • using custom MSI’s or other ways of installing the registry key.

I will walk you through the PowerShell method. For convenience I have included the PowerShell script as well. Here are the steps that you should take:

  1. From the Microsoft Endpoint Manager console, go to devices and then go to scripts. Click on Add to add a new script. Choose Windows 10.
  2. First you need the script saved in a .ps1 file, the script that I used is the following:
    New-Item -Path HKLM:SoftwarePoliciesCitrix
    New-ItemProperty -Path HKLM:SoftwarePoliciesCitrix -Name EnableFTU -PropertyType DWORD -Value 0

    This script is really simple, it first created the Citrix path, followed by a DWORD registry entry.
  3. Next up in the MEM console, give the script a name. And click Next.
  4. Select the script and leave all other toggles to its default value (we want to run the script under the SYSTEM context and not the user context)
  5. Select Next, assign the script to a group and finish up the script.

Now give MEM some time to distribute and execute the script.

Conclusion and wrap-up

This concludes this guide of using Citrix Workspace and Microsoft Edge together. The Edge browser is great and should be a great competitor in the browser space for the coming years. But is still very fresh, which does present some challenges currently. There is not a lot of information out there yet.

I hope this article helped you to overcome some of the challenges you will face with Citrix in conjunction with Microsoft Edge. If you have any other suggestions for Citrix and Microsoft Edge (Chromium) feel free to add them in the comments down below and I will make sure I will update the article accordingly.