StoreBrowse Authentication Methods
Do you use StoreBrowse and wonder what kind of authentication methods it supports? What does HTTP Basic authentication do? Is HTTP Basic similar to HTTP protocol? Let’s take a deep dive
to find out more.
StoreBrowse is an excellent, lightweight command-line tool you can use to interact between the client and server. It authenticates for all operations within Storefront. Using this tool, users can add a store, enumerate resources from a configured store, or download an ICA file, which can be used to manually launch an ICA session.
StoreFront supports a number of different authentication methods for users accessing stores, however, not all are available, as they are dependent on the user access method and their network location. For security reasons, some authentication methods are disabled by default while creating a store.
- Username and Password
Users enter their credentials and are authenticated when they access their stores. Explicit authentication is enabled by default when you create your first store. All user access methods support explicit authentication.
- Domain Pass-through
Users authenticate to their domain-joined Windows computers, and their credentials are used to log them on automatically when they access their stores. When you install StoreFront and create your first store, domain pass-through authentication is disabled by default. It can be enabled when required.
Follow this link to configure domain pass-through (SSON).
Users authenticate using smart cards and PINs when they access their stores. When you install StoreFront and create your first store, smart card authentication is disabled by default. It can be enabled when required.
- HTTP Basic
HTTP basic access authentication is a method for an HTTP user to provide a user name and password when making a request. HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it does not require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, removing the need for handshakes. This option is disabled by default on storefront. Enable it when required.
StoreBrowse supports these authentication methods in two ways.
- Using its own copy of authmanager — when the credential is passed via command line — StoreBrowse use authmanager, which resides within StoreBrowse. For this only HTTP Basic authentication method works.
- Delegating everything to Receiver’s authmanager – All other authentication methods explained above use this route. There is a special case for domain pass through which will be explained later.
HTTP Basic and domain pass-through authentication method with StoreBrowse
HTTP Basic Authentication
StoreFront Configuration: Configuration on StoreFront for this authentication method is fairly simple. Only HTTP Basic needs to be enabled in this case. No other configuration is needed.
HTTP Basic Authentication uses base64 encoding. One call to the server is enough to get the information, making the client slightly faster than more complex authentication methods. HTTP basic doesn’t mean traffic is http only, it can be used with https as well. Basic Authentication should only be used where transport layer security is provided such as https so that network traffic is not at risk of being intercepted. Hence https is always recommended.
As displayed in above diagram, when user credentials are passed through StoreBrowse command line, authmanager of StoreBrowse directly passes the credentials to storefront. Once storefront sends the ICA file, ICA session can then be launched.
Storefront Configuration: Httpbasic and Domain pass-through need to be enabled on storefront. No other configuration needed.
When SSOn is enabled, user is logged on with Windows user credentials by default. (This can be overridden using FastConnect API as well if required). Refer this link for Fastconnect SDK.
With StoreBrowse it can be done in two ways.
- Receiver authenticates using Integrated Windows Authentication(IWA) with StoreFront. In this case while launching an app, ICA file doesn’t have any logon ticket and just a field UseLocalUserNameAndPassword=On. When launching a session, ICA engine would need to retrieve credentials from SSOnSvr to pass through to VDA. This works only if ICA file is retrieved from trusted location. To trust the ICA file.
- Copy file to resource cache folder. Cache folder path can be found under [HKEY_CURRENT_USER\Software\Citrix\Program Neighborhood Agent] registry key with registry name ‘’Resource Cache”.
- Use group policy to use SSOn for all ICA launches.
Note: SSOnSvr is a process which stores windows credentials when user logons to the client. It also get updated credential via Fast connect.
2. Receiver authenticates to Storefront using httpbasic. Authmanger retrieves credentials from SSOnSvr and uses httpbasic method like the way StoreBrowse does with its own copy. ICA file would contain logon ticket so ICA engine doesn’t need to retrieve any credentials and ICA file can be launched from any folder. For receiver’s authmanager to use httpbasic the following needs to be configured.
- On 64-bit Windows
- On 32-bit Windows