Citrix provides several ways to access a Citrix server or published application. How you access the server determines how SecureLogin handles the authentication to the server. Although different methods are used depending on how you access the server, SecureLogin can manage all forms of authentication.
When the Citrix server requests a Windows GINA/Credential Provider authentication, the Citrix Seamless Session Interface provides the credentials by using the hidden application (platform) method. An example of this type of authentication occurs when you connect to a Citrix server through Program Neighborhood's Custom ICA Connection interface:
Figure 5-2 Custom ICA Connections
Another example of this type of authentication occurs when you export a published application to an .ica file and distribute it to your workstations. This type of authentication is enabled by installing the Credential Provider components. The authentication is not disabled even if SecureLogin is not currently active.
When a user accesses a Citrix farm by using Program Neighborhood, Program Neighborhood uses wfcrun32.exe and presents a Program Neighborhood authentication dialog box:
Figure 5-3 Program Neighborhood Authentication
Program Neighborhood then collects the credentials and sends them to a Citrix server in the farm. The Citrix Seamless Session Interface does not handle this authentication request. However, a script can handle the wfcrun32.exe file just as it can handle any other Windows application that is requesting authentication. The SecureLogin Wizard automatically creates a script that enables single sign-on to Program Neighborhood. You should modify this script to allow for error handling, such as a bad username, domain, or password.
If the Citrix farm is configured to push out shortcuts to the user's desktops, the shortcut actually calls an executable, pn.exe (for example, C:\Program Files\Citrix\ICA Client\pn.exe). Authentication to pn.exe is handled by using a script, just like using a script for wfcrun32.exe or any other Windows application.
The SecureLogin Wizard automatically creates a script that enables single sign-on to pn.exe. Be sure to include error handling in case the user enters the wrong information into the dialog box.
The Citrix Seamless Session Interface currently does not detect if users change their domains or NDS or eDirectory passwords through a Citrix connection. If a user changes one of these passwords through a Citrix connection, the interface detects the failed seamless authentication the next time that the user connects to the Citrix server. The interface then once again prompts the user for credentials.
When the user enters the correct (new) password, the interface saves that new password in place of the previous password in the hidden application within the datastore (and the local file cache if applicable).