eG Monitoring
 

Measures reported by CtxSFDKrbAuthTest

Citrix Receiver for Windows supports Kerberos for domain pass-through authentication for deployments that use smart cards.

When Kerberos authentication is enabled, Kerberos authenticates without passwords for Citrix Receiver for Windows, thus preventing Trojan horse-style attacks on the user device to gain access to passwords. Users can log on to the user device with any authentication method; for example, a biometric authenticator such as a fingerprint reader, and still access published resources without further authentication.

Citrix Receiver for Windows handles pass-through authentication with Kerberos as follows when Citrix Receiver for Windows, StoreFront, XenDesktop and XenApp are configured for smart card authentication and a user logs on with a smart card:

  • The Citrix Receiver for Windows Single Sign-on service captures the smart card PIN.

  • Citrix Receiver for Windows uses Kerberos to authenticate the user to StoreFront. StoreFront then provides Citrix Receiver for Windows with information about available virtual desktops and apps.

  • The HDX engine (previously referred to as the ICA client) passes the smart card PIN to XenDesktop or XenApp to log the user on to the Windows session. XenDesktop or XenApp then deliver the requested resources.

Any delay in authentication using Kerberos is bound to deny users timely access to published resources; in the long run, this will negatively impact the logon experience of users - particularly smart card users. To avoid this, administrators should keep a close watch on pass-through authentication attempts that use Kerberos and proactively detect slowness in authentication. This is what the CtxSFDKrbAuthTest test does.

This test monitors pass-through authentication attempts made by StoreFront using Kerberos and reports the average time taken for authenticating using Kerberos. Slowness in authentication can thus be captured and the reasons for the same investigated.

Outputs of the test : One set of results for the Citrix Storefront server being monitored.

The measures made by this test are as follows:

Measurement Description Measurement Unit Interpretation
Authenticate_calls Indicates the number of authentication calls made using Kerberos since the last measurement period. Number  
Authenticate_avg_time Indicates the average time taken for pass-through authentication using Kerberos. Millisecs A consistent rise in the value of this measure could indicate a bottleneck in Kerberos authentication.