Wednesday, February 29, 2012

Configuring Citrix XenDesktop 5.5 virtual desktops with Citrix Receiver for pass-through authentication for XenApp 6.5 published applications

I’m sure there’s probably some documentation out there for setting up Citrix XenDesktop 5.5 virtual desktops with Citrix Receiver for pass-through authentication for XenApp 6.5 published applications but I sure couldn’t find a single documentation that had all of the information and since I’m bound to come across this again, I thought I’d document the steps I went through to get it working.  Interestingly enough, I received mixed information about whether this would work or not even though I knew it was supposed to since this is Citrix’s best practice—set up your XenDesktop virtual desktops and stream what applications you could to the virtual desktop so you’re just updating the applications from your XenApp servers rather than the virtual desktop image itself.  Anyways, I originally placed a call into Citrix when I kept getting prompted for credentials within my virtual desktop:

image

The support engineer told me this was expected behavior but I was almost certain it wasn’t and that it was a misconfiguration so I reached out to another presales engineer I work with from Citrix and he told me that it should work.  So after fiddling around with the configuration, I finally got pass-through authentication to work and the following highlights the steps:

Step 1 – Set up your virtual desktop master image:

Ensure that your XenDesktop virtual desktop has the correct Citrix Receiver.  The XenDesktop 5.5’s VDA agent installs bundles the correct one but it doesn’t hurt to double check to ensure you have the correct Enterprise version.  More information can be found in one of my previous posts here: http://terenceluk.blogspot.com/2012/01/citrix-xenapp-65-pass-through.html

Once the Citrix Receiver has been installed, make sure the service ssonsvr.exe process is running on the virtual desktop:

image

Step 2 – Ensure that the pass-through authentication settings configured via GPO is applied

It’s important that you apply the pass-through authentication settings configured via GPO through the Citrix provided ADM file to both:

  1. The login accounts
  2. The actual virtual desktops

More information on how to do this can be found in one of my previous blog posts here: http://terenceluk.blogspot.com/2012/01/lessons-learned-with-citrix-web.html

Step 3 – Configure a XenApp Services Site on your Web Interface server for pass-through authentication:

image

Unless you intend on configuring the authentication for Kerberos only, do not select the Use Kerberos only checkbox for your XenApp Services Site for pass-through authentication:

image

Step 4 – Add your Web Interface server’s virtual name (NLB), NetBIOS name and FQDN into your virtual desktop’s intranet sites via GPO as well as change the User Authentication in the Custom level of the Local Intranet settings to Automatic logon with current user name and password

Whether you want to add the NetBIOS name or FQDN into your virtual desktop’s intranet site via GPO in Active Directory or as a local policy is up to you as both will work:

imageimageimage

Note that I haven’t fully tested whether it’s absolutely necessary to have the User Authentication in the Custom level of the Local Intranet settings set to Automatic logon with current user name and password since we’re already putting the web interface’s virtual name (NLB), NetBIOS and FQDN into the Local Intranet site because through other tests with pass-through authentication through the web interface site, I was able to just leave it set to Automatic logon only in Intranet zone.

Step 5 – Test pass-through authentication from your XenDesktop to a Web Interface site configured for pass-through authentication

As a test, although this is optional, I would suggest that you configure a pass-through authentication site on your Web Interface server to check to ensure your virtual desktop can actually authenticate correctly with the site without prompting you for credentials:

image

Step 6 – Enter the Server Address into your Citrix Receiver’s Change Server window

With everything set up, you can now add the URL of your XenApp Services Site into the Citrix Receiver’s Change Server‘s Server Address field:

image

Note that you need to add:

/config.xml

… after your site’s URL or it won’t work.

Note that alternatively, you can modify the Server Address via the registry in the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\PNAgent

image

Step 7 – Ensure that the pass-through authentication works within the XenDesktop virtual desktop

After you’ve entered the server address into the Citrix Receiver’s properties, you should be able to right-click on the Online Plug-in status and see that your options are as follows:

  • Refresh Applications
  • Change Server
  • Options

image

Click on your virtual desktop’s start menu and you should see the start menu populated with your XenApp applications.

No comments: