Setting up a double-hop with Azure AD as IdP

As more and more companies move from on-premises environments to the cloud and want to make the most of their investments, we see great demand for moving to Azure Active Directory (AAD). AAD brings benefits such as Azure Multi-Factor Authentication (MFA) combined with Conditional Access. With Conditional Access, it's possible to give users the option to sign on with only a username and password from trusted locations (think of HQ and branch offices).

This article explains how to set up a double-hop scenario with Citrix Virtual Apps and Desktops (CVAD) services (Citrix Cloud), where your identity provider (IdP) is Azure AD.

What’s a Double-Hop, and why use it?

A double-hop scenario is when you start a published app from other resources within your published desktop. An example:

You have an app that doesn't support the OS you would like all users to have. In most situations, this will be Windows Server 2019 for multi-session purposes. The one app that you would like users to open is a legacy app, and Windows 2012 R2 is the latest OS it supports. As your organization states that you only work with supported configurations, you can't install this app on Windows 2019. To ensure the user can access the app, you create a dedicated delivery group based on Windows 2012 R2 VMs and use this delivery group to give users access to the app. Those users start this app within their published desktop as a seamless app and don't notice whether it runs locally or remotely.

The above scenario is called a double-hop. As a company, you could have many reasons to use this scenario. Think about:

  • The app is for archive only;
  • The app doesn’t support the same OS as the desktop (mentioned in the example);
  • The app has conflicts with other apps;
  • The app can only be used by some users, and licenses don’t allow us to install it on the same image as the desktop.

Challenges when using double-hop with Azure AD as IdP

When you sign on to Citrix Cloud with Azure AD and open your published desktop, your on-premises environment uses Federated Authentication Service (FAS) to sign on to the VDA. Look at the below diagram to see how FAS is working (thanks to Daniel Feller (

When you would like to have SSO from your published desktop to Citrix Cloud, the only options are Azure Active Directory Seamless Single Sign-On or an on-premises StoreFront environment that supports FAS authentication. Azure seamless SSO requires the use of Pass-through Authentication (PTA) or password hash synchronization. The customer where I'm currently implementing CVAD services is transitioning to Azure AD, and they don't have seamless SSO enabled. That's the reason we need to use another option to create the double-hop scenario. The only other option, as mentioned, is to install an on-premises StoreFront that supports FAS authentication.

Configuring StoreFront and FAS

In this example, I only have one StoreFront server and one FAS server to keep this guide simple. Below you can see how authentication works in a double-hop scenario.

StoreFront & FAS

After you have installed and configured StoreFront, configure it to allow FAS as an authentication method.

  1. First, enable FAS support on your store; change "/Citrix/Store" to your store name:

    # Load the StoreFront PowerShell modules
    Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
    # Virtual path of the store to enable FAS on
    $StoreVirtualPath = "/Citrix/Store"
    $store = Get-STFStoreService -VirtualPath $StoreVirtualPath
    $auth = Get-STFAuthenticationService -StoreService $store
    # Use the FAS claims factory and hand FAS logon data to the VDA at launch
    Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
    Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"

  2. Second, configure the Delivery Controllers

    Click Manage Delivery Controllers
    Usually, you would add your on-premises Delivery Controller here, but now you need to add the Cloud Connectors instead. You need to use port 80 (HTTP) and can't use 443 (HTTPS) as a transport type.

  3. Set Authentication Methods

    Click Manage Authentication Methods
    Enable Domain Pass-Through

  4. Set the GPO Federated Authentication Service

    As FAS is already working, the ADMX files are probably in the PolicyDefinitions central store, so I skip the step to copy these ADMX files. For the StoreFront server, configure a GPO so it knows which servers are FAS servers.
    Open the GPO and navigate to Computer Configuration/Policies/Administrative Templates/Citrix Components/Authentication
    Edit the Federated Authentication Service
    Configure the DNS addresses of your FAS servers
    Perform a gpupdate /force to make sure the GPO is applied.

  5. As FAS is configured to access your VDA, we only need to change the rule you use for FAS.

  6. Open the FAS Administration Console and go to the Rules tab

  7. I only have one rule, named "Default". Click on the pencil to edit the rule.

  8. Go to Access Control
    Click Manage StoreFront access permissions

  9. Here you add the Computer account of your StoreFront server.
    Make sure you remove the default “Domain Computers” as that one denies access.
    Click OK

  10. Now click Apply, and your FAS configuration is ready for testing.
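
Before testing, it helps to confirm from the StoreFront server that the pieces configured in steps 2 and 4 are actually in place. The script below is an added example, not part of the original article or of Citrix's tooling; the host names and the GPO name are placeholders, and the FAS port is an assumption (FAS listens on TCP 80 by default).

```powershell
# Added example: pre-test checks, run in an elevated PowerShell on the StoreFront server.
# Host names and the GPO name are placeholders (assumptions); replace them with your own.
$CloudConnectors = @('cc01.example.local', 'cc02.example.local')  # added in step 2
$FasServers      = @('fas01.example.local')                       # DNS addresses from step 4
$FasPort         = 80                                             # assumed default FAS port
$FasGpoName      = 'StoreFront - FAS servers'                     # hypothetical GPO name

function Test-Endpoint {
    param([string]$Target, [int]$Port, [string]$Role)
    # A name that does not resolve cannot be reached, so skip the TCP test in that case.
    $resolves = [bool](Resolve-DnsName -Name $Target -ErrorAction SilentlyContinue)
    $open = $false
    if ($resolves) {
        $open = (Test-NetConnection -ComputerName $Target -Port $Port `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]@{
        Role = $Role; Target = $Target; Port = $Port
        DnsResolves = $resolves; TcpOpen = $open
    }
}

$results = @()
# Step 2: StoreFront reaches the Cloud Connectors over HTTP, port 80.
$results += $CloudConnectors | ForEach-Object { Test-Endpoint -Target $_ -Port 80 -Role 'CloudConnector' }
# Step 4: the FAS names set in the GPO must resolve and accept connections.
$results += $FasServers | ForEach-Object { Test-Endpoint -Target $_ -Port $FasPort -Role 'FAS' }
$results | Format-Table -AutoSize

# Step 4: confirm the GPO reached this machine after gpupdate /force.
$gpoApplied = [bool](gpresult /r /scope computer | Select-String -SimpleMatch $FasGpoName)
"GPO '$FasGpoName' applied to this computer: $gpoApplied"

# Summarize anything that would make the double-hop launch fail.
$failed = @($results | Where-Object { -not $_.DnsResolves -or -not $_.TcpOpen })
if ($failed.Count -gt 0 -or -not $gpoApplied) {
    Write-Warning "Fix the items above before testing the published app launch."
} else {
    "All checks passed; continue with the test."
}
```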


After you have configured all the settings as described above, it's time to test the configuration.

When you sign in to your published desktop, your Citrix Workspace app (when configured correctly) signs in to the StoreFront site, and you can start a published app from your Start menu. Please try, and let me know if this is working.
