Kerberos authentication

Use this policy to control how the client uses Kerberos to authenticate the user to the remote application or desktop.

When enabled, this policy allows the client to authenticate the user using the Kerberos protocol. Kerberos is a Domain Controller authorised authentication transaction that avoids the need to transmit the real user credential data to the server.

When disabled, the client will not attempt Kerberos authentication.

The machine running the client and the server running the remote application must be in domains that have a trust relationship. The Domain Controller must be aware that the Citrix XenApp server will be performing a full user logon (interactive logon) using Kerberos. This is configured using the "Trust for Delegated Authentication" settings on the Domain Controller.

When connecting using the Web Interface, the Web Interface server must be aware that the client will connect using Kerberos authentication. This is necessary because by default the Web Interface server will use an IP address for the destination server whereas Kerberos authentication requires a Fully Qualified Domain Name.

Both client and server machines must have correctly registered DNS entries. This is necessary because endpoints will authenticate each other during connection.

Supported on: Not specified
Registry PathSoftware\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Kerberos
Value NameSSPIEnabled
Value TypeREG_SZ
Enabled Valuetrue,false
Disabled Valuefalse
Enable policy:
Registry PathValue NameValue TypeValue
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local CredentialsSSOnUserSettingREG_SZtrue,false
Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon\Local CredentialsEnableSSOnThruICAFileREG_SZtrue


Administrative Templates (Computers)