Citrix provides several ways to access a Citrix server or published application. How you access the server determines how SecureLogin handles the authentication to the server. Although different methods are used depending on how you access the server, all forms of authentication can be managed with SecureLogin.
When the Citrix server requests a Windows GINA authentication, the Citrix Seamless Session Interface provides the credentials by using the hidden application. An example of this type of authentication occurs when you connect to a Citrix server through Program Neighborhood's Custom ICA Connection interface:
Another example of this type of authentication occurs when you export a published application to an .ICA file and distribute it to your workstations. This type of authentication is enabled by installing the GINA components. The authentication is not disabled even if SecureLogin is not currently active.
When a user accesses a Citrix Farm using Program Neighborhood, Program Neighborhood uses WFCRUN32.EXE and presents a Program Neighborhood authentication dialog box:
Program Neighborhood then collects the credentials and sends them to a Citrix server in the farm.
The Citrix Seamless Session Interface does not handle this authentication request. However, the wfcrun32.exe file can be handled by a script just like any other Windows application that is requesting authentication. The SecureLogin Wizard automatically creates a script that enables SSO for Program Neighborhood. You should modify this script to allow for error handling, such as a bad username, domain, or password.
If the Citrix Farm is configured to push out shortcuts to the user's desktops, the shortcut actually calls an executable pn.exe (for example, "C:\Program Files\Citrix\ICA Client\pn.exe"). Like wfcrun32.exe, this authentication is handled just like any other Windows application by using a script for pn.exe.
The SecureLogin Wizard automatically creates a script that enables SSO for pn.exe. Be sure to include error handling in case the user passes the wrong information into the dialog box.
The Citrix Seamless Session Interface currently does not detect if users change their domain or NDS® or eDirectoryTM password through a Citrix connection. If a user changes this password through a Citrix connection, the interface detects the failed seamless authentication the next time that the user connects to the Citrix server. The interface then once again prompts the user for credentials.
When the user enters the correct (new) password, the interface saves that new password in place of the previous password in the hidden application within the applicable datastore (and local file cache if applicable).