I found something extremely intriguing about StoreFront and authentication and wanted to share it with the community.
Let’s take StoreFront 3.0, although I bet it has been there since the beginning.
When StoreFront is configured in SSO mode you have two types of authentication:
- From the Internet (via NetScaler)
- From the internal network (no NetScaler involved)
The Internet authentication is pretty straightforward. StoreFront SSO is not active and users must log in the old way, with username and password.
The difference shows when SSO authentication from the internal network is used: one specific feature is missing, and it has been removed explicitly.
And apparently, there’s a reason for it.
In the top-right corner of StoreFront, there’s a drop-down menu that appears when clicking the user’s name. By default the drop-down menu is populated with the “Activate” and “Log Off” options, but the Administrator can add more options there.
But where’s the “Change password…” option?
Well, I mentioned that this feature is explicitly removed when SSO is active, and the reason is very logical and I’d give lots of Kudos to Citrix for this.
The reason for the missing “Change password…” option is just one: SECURITY.
As mentioned by some friends at Citrix, the logic behind this is quite simple. When a user logs in to his computer and SSO is active, the option is missing in order to protect his password, as he might leave his PC unlocked and “a friend” could change the password from StoreFront. And because SSO is active, the “friend” would not be asked for the current password.
If, like me, you have clients who need to change passwords from StoreFront, tell them to connect with the alternate login method (Username and Password) and the “Change password…” option will appear where it should be.