Depending on how your company configured Duo authentication, you may or may not see a “Passcode” field when using the Citrix Receiver client.
Password with Automatic Push
If Receiver only prompts for a password, like so:
After you submit your login information, an authentication request is automatically sent to you via push to the Duo Mobile app or as a phone call.
To use domain pass-through authentication via Receiver for Web sites using Chrome or similar browsers, Citrix Receiver for Windows or Citrix Workspace app for Windows must be installed with the WebHelper component. This guide will walk you through how to active Citrix Workspace. You are enrolled in Archpass Duo, but the system doesn't recognize your login, even if it's correct. This is most likely your first time using Citrix Workspace since vLab was put behind Archpass. We currently have a configuration bug that messes up the login on first try. Which brings to my problem, I'm not able to paste the password on the login password field on Citrix Workspace. The only version this seems to work is on v4.2.0.10. Wanted to know if there is anyone else having this same problem and if there is some workaround or if Citrix is aware of this.
Alternatively, you can add a comma (“,”) to the end of your password, followed by a Duo passcode or the name of a Duo factor. Here's how:
| Type... | To... |
|---|---|
| password,passcode | Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator. Examples: 'mypass123,123456' or 'mypass123,1456789' |
| password,push | Push a login request to your phone (if you have Duo Mobile installed and activated on your iOS, Android, or Windows Phone device). Just review the request and tap 'Approve' to log in. |
| password,phone | Authenticate via phone callback. |
| password,sms | Get a new batch of SMS passcodes. Your login attempt will fail — log in again with one of your new passcodes. |
You can also add a number to the end of these factor names if you have more than one device registered. For example, push2 will send a login request to your second phone, phone3 will call your third phone, etc.
Examples
To use Duo Push if your password is 'hunter2', type:
To use the passcode '123456' if your password is 'hunter2', type:
To send new SMS passcodes to your second phone if your password is 'hunter2', type:
The comma is Duo's default separator character between your password and the Duo factor. Your administrator may have changed this to a different character. Be sure to follow the instructions sent to you by your organization if they differ from what's shown here.
Passcode for Factor Selection
If Receiver does prompt you for a 'Passcode' as shown:
Use the 'Passcode' field to tell Duo how you want to authenticate. Here's how:
| Type... | To... |
|---|---|
| A passcode | Log in using a passcode, either generated with Duo Mobile, sent via SMS, generated by your hardware token, or provided by an administrator. Examples: '123456' or '1456789' |
| push | Push a login request to your phone (if you have Duo Mobile installed and activated on your iOS, Android, or Windows Phone device). Just review the request and tap 'Approve' to log in. |
| phone | Authenticate via phone callback. |
| sms | Get a new batch of SMS passcodes. Your login attempt will fail — log in again with one of your new passcodes. |
You can also add a number to the end of these factor names if you have more than one device registered. For example, push2 will send a login request to your second phone, phone3 will call your third phone, etc.
Examples
To send a Duo Push request to your primary phone, type:
To send a Duo Push request to your secondary phone, type:
To use the passcode '123456', type:
To send new SMS passcodes to your second phone, type:
Specific Pass-Through Authentication Issues
Refer to the following links for information on specific pass-through authentication issues:
CTX114276 – The Presentation Server Client 10.100 Installation Does Not Prompt for a Restart if Secure Sign-on is Enabled
CTX113004 – How to Configure Single Sign-on for Web Interface Using Version 10, 11, and 12x Plug-ins
CTX118628 – Citrix Single Sign-On (SSONSVR.exe) Fails to Start on Computers using Intel Credentials Manager
CTX135588 – How To Troubleshoot Pass-Through Authentication to Web Interface
Ensure that the issue is not specific to client version. Attempt to upgrade or downgrade the client.
Pass-Through Authentication Does Not Work When Using Any Version of the Win32 Clients Embedded in an HTML File
When creating an HTML file using either the Published Application Manager in MetaFrame 1.8 or Citrix Management Console in MetaFrame XP to embed an ICA connection, the local credentials cannot be passed from Single Sign-On to the session inside the web browser.
This is by design. The wfica32.exe file first verifies for two true conditions before launching a connection with the .ica file. The wfcrun32.exe is present in the ICA client directory and if it is being called from a web browser, the wfica32.exe launches the connection directly. Otherwise, wfcrun32.exe is launched and passes the parameters to establish the session. To use Single Sign-On, the wfcrun32.exe must be executable to launch the connection.
Other methods of using a web browser and Single Sign-On are available by using NFuse 1.7 or later and the desktop credential pass-through feature.
To reproduce the issue:
Using Published Application Manager or Citrix Management Console, create an HTML file and choose the embedded method.
Add the settings to the ICA file to enable Single Sign-On from an ICA file. See How to Enable Pass-Through Authentication Within an ICA File.
Open the HTML page either locally or from a web server. The Winlogon dialog box appears.
Open the ICA file; the credentials are automatically passed through.
How to Enable Pass-Through Authentication Within an ICA File
If Presentation Server Client version 10.x or later is used, do NOT complete the following procedure. See CTX113004 – How to Configure Single Sign-on for Web Interface Using Version 10, 11, and 12x Plug-ins.
To enable pass-through authentication within an ICA file, complete the following procedure:
Passcode Citrix Workspace Free
Note:The following steps assumes that the user-specific profiles are being used on the client workstations and running Windows 9x/ME/2000/XP operating systems.
In the Appsrv.ini file of the user profile, add the following lines at the end of the [wfclient] section:
SSOnUserSetting=On
EnableSSOnThruICAFile=OnTo use the .ica file, add the following line in the Application section (this is the section where all the settings like resolution or encryption are stored):
UseLocalUserAndPassword=On
Note:This change has to be made individually to the Appsrv.ini file for each user. Users must have the full Program Neighborhood Client installed and have Use Local Username and Password selected for logon in the ICA Settings menu.
Example:
Citrix Clemson
Pass-through authentication fails when store has a farm name similar to the DNS A records in DNS
Citrix Password Policy
The store has a farm name similar to the DNS A records in DNS and this name pointed to a public IP address. To resolve this issue change the farm name.
Additional Resources
Refer to the Citrix Knowledge Center Highlights: App Virtualization & VDI (July Edition) for more information.