With the release of XenDesktop / XenApp 7.5, Citrix Storefront has brought back a very sought after feature, Single sign on for local credentials to the storefront site!
Citrix Storefront SSO can be the default configuration or a choice can be given to the user if you select more than one authentication type as below:
Desktop appliance site: (Slight deviation, bear with me).
An interesting addition to storefront in 2.5 is a desktop appliance site is installed by default. Richard covers what a desktop appliance site really well in this article for the current release of storefont here. It’s worth noting the desktop appliance site is running the older storefront code base and does not currently support single sign on, strangely.
Back on topic!
Below is a quick guide on how to get it working and any interesting features along the way, I’ve broken this piece down into three parts:
XenDesktop Delivery controller configuration:
on each delivery controller accessible by the storefront site, run the following two commands:
(Shawn Bass did alot of the hardwork here for me, so a thank you for that!)
when installing the client, you can enable the single sign on features with the following command line:
CitrixReceiver.exe /includeSSON /ENABLE_SSON=Yes /silent STORE0="Store;https://yourservername.yourdomain.com/Citrix/Store/discovery;on;Store"
Once this is complete, add the storefront url to the trusted sites for the user, then add the following setting to the trusted sites zone:
Once complete, open group policy on the local machine (or active directory group policy) and import the icaclient.adm file, the typical path is below for convenience:
C:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm
C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm
Once you have imported this adm file, configure the following values in the LOCAL MACHINE configuration*
*the policies dont work in user mode, oddly.
Configure the authentication policy:
Configure the web interface authentication ticket settings also:
Now reboot the machine and log in, ensuring SSONSVR.exe is running in task manager.
I’m going to go ahead and assume you’ve already installed storefront, so lets start from there.
Make your way down to the ‘Authentication’ tab choose add/remove methods and select domain pass-through as an authentication type:
Note the warning, the receiver for web will also need some configuration, so that’s our next step:
Make your way down to your ‘receiver for web’ tab and select ‘Choose Authentication Methods’:
As you can see above, domain pass-through is now an option, with a nice little warning:
Note: if you don’t want SSO to be optional, don’t publish additional authentication types on this storeweb.
The quickest way to test is to go right ahead now and use the storefront in anger, but if you’re the cautious type Storefront 2.5 includes a subdirectory called DomainPassthroughAuth/test.aspx. if you browse to this site from a configured machine, you should see the following screen.
if you are prompted as below, or see any of the following errors, go back a few steps and check what you missed:
and the following error’s mean you’ve gotten the configuration wrong on the client side:
and that’s it, happy sso’ing!
When checking the bandwidth requirement of multimedia sites, checking how much additional bandwidth video conferencing is going to require or even troubleshooting WAN capacity issues, it’s extremely useful to have a visible interpretation of realtime bandwidth consumption from your virtual desktop.
I wrote a tool quite some time ago called watcher2 while troubleshooting a similar issue. I finally took the time to refactor that tool for use with XenApp 6.5 , XenDesktop and VMware View and they are finally available to download! Both watcher utilities also include a latency counter which was a request that came in over and over.
HDX and PCOIP watcher by default dock to the top of the screen and can be moved left or right as below:
They can now also be completely un docked:
How do they work?
The tool finds your username in the performance monitor counters for session bandwidth, once it finds this entry it reads your performance monitor data once every second and reports on it.
In the case of PCOIP watcher, it reads the PCOIP counters from performance monitor.
what do the values mean?
All values are in either Kilobits per second or Megabits per second.
In = Traffic from the client to the virtual, this may spike during large copy / paste jobs,web cams or copying data from a usb key to the session:
Out = Traffic from the virtual desktop to the client, mainly audio or video traffic causes this to spike.
Latency = The delay between your client and the virtual desktop.
Can I Configure it?
Two thresholds are available, a yellow warning and a red warning, currently . These default values can be written to HKCU\software\sessionmonitor or HKLM\software\sessionmonitor. E.G:
Do they have any dependencies?
.net framework 3.5
if you are running XenApp 6.5 or XenDesktop 5.6, ensure you have the latest hot-fixes installed or the counters may be incorrect.
How do I launch it?
Allow the user to run it manually, or place the executable in their start-up folder or login script.
Where Can I download it?
What’s coming next:
- Native Microsoft RDP Counters.
- Realtime graphs and recording.
- source code is available on request.
I recently delivered a presention to the Dutch Citrix User Group and E2EVC on the new technology release by Citrix called ‘Local App Access’.
In this post you will find the presentation deck and two utilities I have written for this technology to help empower the user to configure settings.
As I mentioned in my presentation, this technology is really cool, but it needs work. For a 1.0 it’s very promising but we need to use it in anger and log the bugs with Citrix to get them fixed. This technology alike Citrix remote PC is not a silver bullet, but it is a very useful utility in your toolbox for concentrating on the low hanging fruit during a migration.
Don’t let a single user or application in a department hold up user migrations by using this technology to keep the application local until you have time to come back to it.
Question: “You mentioned there’s a work around for getting ‘local app access’ to work without requiring desktop viewer?”
Yes, I’m a complete eejit, in both sessions I told you I would show you a way to get around this…. Then completely forgot! To get this working without needing desktop viewer, rename the cdviewer.exe executable in the ica client program folder to something else!
Reverse seamless VDI helper:
with the reverse seamless VDI helper tool, you can present this application to users In their virtual desktop to allow them to manage which applications are presented to their virtual desktop without having to lead the user through the registry.
Revere Seamless local desktop helper:
with the reverse seamless local desktop helper tool, you can distribute this tool out to your users to control which folders from which shortcuts are brought up to the virtual desktop.
Because life is about education, here’s the source code if you want to expand it yourself:
Thinkiosk Version 4.0 is the culmination of 9 months hard work, rebuilding ThinKiosk in a new development style to include the enterprise features many of you requested, adding a management server, secure key redirection technologies, local group policy control and a number of other features. After weeks of rigorous testing we’re delighted to announce the availability of ThinKiosk version 4… Today!
With the release of Version 4.0 we’re lifting the cloak on the company we’ve setup in order to support and further develop ThinKiosk, ThinScale Technology. We’ve set up ThinScale as a little software company to publish applications to the virtualisation community, tackling the smaller issues and annoyances we face day to day as consultants and administrators. More clever little products are in the pipeline, but for now enough about the company!
The largest change around ThinKiosk 4.0 is the version introduction. ThinKiosk will ship in two editions, Enterprise edition and Community edition. Remko and I took a look at the product back in October last year and identified area’s that the project needed investment in order to reach and fulfill it’s full potential. We also noted that a number of customers really wanted the support and functionality offered by a professional product. After much deliberation we took the decision at that point to invest the time and resources into the product to ensure it fulfils it’s potential, this in turn justified the need for a chargeable Enterprise product.
ThinKiosk Community Edition.
- The community edition is free and will always remain free, we want to make sure the community will always have the benefit of the product.
- The Community edition is still one of the most powerful Windows alternatives on the market, including paid for products.
- The Community edition is an extremely powerful piece of software with one or two limitations in comparison to the Enterprise product.
- The Community edition will receive functionality from the enterprise edition over time.
We’re extremely proud of the community edition and we do recommend it if you do not require the functionality of the Enterprise Version.
ThinKiosk Enterprise Edition will include all the current functionality you know and use in ThinKiosk, along with loads of additional features and benefits. The enterprise version of ThinKiosk delivers far more value than the competitor products and from a functionality perspective beats them hands down even in its first release.
An exact side by side comparison can be found along with pricing and details on the ThinScale Licensing page.
Some of the New goodies are listed below!
ThinKiosk 4.0 new central management server. With this central management console, you can:
- Manage off domain machines.
- Push updates.
- Perform remote power commands.
- Remote Control end users.
- Report on your current ThinKiosk hardware.
- and much more.
Allow me to introduce our new ‘dynamic key pass-through technology’ MagicFilter. Magic filter will now block local Ctrl + Alt + Del and windows + L keystrokes and “magically” send them on to the remote desktop environment as if the user is working locally. This gives the user an immersive, native feeling desktop experience from the ThinKiosk client.
We are extremely proud to say we are the only Windows Thin Client vendor on the market who can do this.
ThinKiosk 4.0 is a fully fledged browser, so you can allow your users access to web resources without compromising on security. You can layer in as many bookmarks as you like to the browser or you can simply allow the users to browse the sites they wish via the address bar.
And so much more!
I covered a lot of the functionality previews back in April in the feature teaser.
Want to learn more?
And without further ado:
I’ve taken enough of your time for now, to jump right in click the download button below and we’ll send you everything you need to get started.
Just a quick note to say I’ve updated the AppV launcher tool to support Appv 5.
The app-V launcher tool is a self contained executable which lists your installed App-V packages and allows you to launch an executable in that virtual applications environment. This is particularly useful if you or your admins / users are not PowerShell friendly or you would prefer to not publish PowerShell scripts as programs.
You can get a copy of the latest version and/or it’s source code over here.
As an added benefit I’ve included source code for running PowerShell commands in .Net, so if you are interested in trying to do so grab the source code!