Ok, one more question on this.

Environment: AD/resources on separate boxes. We then have "silos" (and I use that term loosely since it's not a standard Citrix silo), one for each company. In each silo is an app database box, and a "Citrix" box which contains PS4 and WI (and possibly CSG if possible/necessary). We're essentially hosting a turnkey solution for multiple companies to purchase this application, almost like an app provider, from our client who hosts everything in our data center. A bit confusing since there's essentially 3 levels of confusion here. All end user communication is done straight over the Internet.

What we want to do is have one box for Citrix and have it be the single point of contact and communications. The app talks to the db server in the background on its own. The client wants to use user certs as the only form of 2-factor authentication. Their ideal setup is when the user opens the web page, it prompts them for their user certificate, and after they choose that, they are automatically signed into WI and see their apps, without having to type username/password into the WI login screen. We will be issuing user certs separately and not as a part of this Citrix solution, so we can assume that 100% of the users who want to use this will have a proper user cert on their machine prior to connecting.

Is this even possible? I've never worked with user certs before, so this is new to me, but it doesn't seem like rocket science. Right now I can get the user cert dialog to come up, user chooses their cert, then WI page comes up, but the user has to log into WI. Pass-through authentication is looking to pull a local computer username/password, and not from the user cert, so I'm not sure if there's a way to do what I'm looking to do. At this time I do not have CSG in place, as I understand that will only confuse things, since both WI and CSG would be on the same box.

Any suggestions/ideas/info that may at least give me an answer on this?

Thanks,
Adam