1. Create an Active Directory group and attach to it the computers on which users must be excluded.
2. Open the User Access console.
3. Create a new Access Point profile, call it "Citrix servers profile" for example:
4. Select Authentication Manager tab and click on Manage Accounts button.
5. Add the Active Directory group created at point 1:
6. Check the two following options and click OK:
Perform operating system authentication for local administrators
Perform operating system authentication when User Access Authentication fails
7. Select Enterprise SSO tab and uncheck the following options:
Show splash screen
Show Enterprise SSO icon in the task bar
And Apply modifications.
8. Associate the security profile to the Active Directory group created at point 1:
9. Set on each Citrix server the following registry key (it is not necessary to restart the servers):
StopSSOEngineOnOTPFailed = dword:00000001
This new configuration will be taken into account at cache refresh (by default between 24 and 48 hours).