Delegated Kerberos Authentications Test

Citrix Workspace App for Windows supports Kerberos for domain pass-through authentication for deployments that use smart cards.

When Kerberos authentication is enabled, Kerberos authenticates without passwords for Citrix Workspace App for Windows, thus preventing Trojan horse-style attacks on the user device to gain access to passwords. Users can log on to the user device with any authentication method; for example, a biometric authenticator such as a fingerprint reader, and still access published resources without further authentication.

Citrix Workspace App for Windows handles pass-through authentication with Kerberos as follows when Citrix Workspace App for Windows, StoreFront, XenDesktop and XenApp are configured for smart card authentication and a user logs on with a smart card:

  1. The Citrix Workspace App for Windows Single Sign-on service captures the smart card PIN.
  2. Citrix Workspace App for Windows uses Kerberos to authenticate the user to StoreFront. StoreFront then provides Citrix Workspace App for Windows with information about available virtual desktops and apps.
  3. The HDX engine (previously referred to as the ICA client) passes the smart card PIN to XenDesktop or XenApp to log the user on to the Windows session. XenDesktop or XenApp then deliver the requested resources.

Any delay in authentication using Kerberos is bound to deny users timely access to published resources; in the long run, this will negatively impact the logon experience of users - particularly smart card users. To avoid this, administrators should keep a close watch on pass-through authentication attempts that use Kerberos and proactively detect slowness in authentication. This is what the Delegated Kerberos Authentications test does.

This test monitors pass-through authentication attempts made by StoreFront using Kerberos and reports the average time taken for authenticating using Kerberos. Slowness in authentication can thus be captured and the reasons for the same investigated.

Target of the test : Citrix StoreFront Server

Agent deploying the test : An internal/remote agent

Outputs of the test : One set of results for the Citrix Storefront server being monitored

Configurable parameters for the test
Parameters Description

Test period

This indicates how often should the test be executed.


The host for which the test is to be configured.


The port number at which the specified host listens to. By default, this is 443.

Measurements made by the test
Measurement Description Measurement Unit Interpretation

Authenticate calls

Indicates the number of authentication calls made using Kerberos since the last measurement period.



Authenticate average time

Indicates the average time taken for pass-through authentication using Kerberos.


A consistent rise in the value of this measure could indicate a bottleneck in Kerberos authentication.