This feels like one of those things I should have known, but in the midst of projects and customer calls, it can be a challenge at times to simply consider, “What am I doing?”  To that end, I’m just passing along some information obtained by opening a call with Citrix support regarding pass-through authentication when using the Citrix web interface deployed on a NetScaler.  I’ve used it before to provide applications to tablets, and it just didn’t register that providing applications to Windows clients would be any different, but when I configured my Windows-based Citrix Receiver to access the PN Agent site on the NetScaler, I was unable to get pass-through authentication working.

Turns out this is the expected behavior, and once I was told, it made sense.  Here is the summary of the issue provided by Citrix NetScaler support:

A Web Interface XenApp services site published on Web Interface of NetScaler cannot inherently deploy using pass-through authentication mode as this requires the Web Interface server to be part of the domain.  As you may have already surmised, a NetScaler cannot join a Windows Active Directory domain.

Thus, the ability to use pass-through authentication is strictly a feature of Web Interface installed on Microsoft Windows Server/IIS.  Pass-through authentication functions by challenging the client computer for NTLM authentication, and the Web Interface/IIS computer authenticates the user to the domain.  Further, the ICA files do not have the same user/password ticket references as typical ICA files.  This is because the end user computer’s SSONSVR.EXE hidden Windows service (part of the Citrix Receiver) is going to pass the end user’s security token to the target XenApp server instead of a pre-negotiated password ticket.