With the release of XenDesktop / XenApp 7.5, Citrix Storefront has brought back a much sought-after feature: single sign-on with local credentials to the storefront site!
Citrix Storefront SSO can be the default configuration or a choice can be given to the user if you select more than one authentication type as below:
Desktop appliance site: (Slight deviation, bear with me).
An interesting addition to storefront in 2.5 is that a desktop appliance site is installed by default. Richard covers what a desktop appliance site is really well in this article for the current release of storefront. It’s worth noting the desktop appliance site is running the older storefront code base and, strangely, does not currently support single sign on.
Back on topic!
Below is a quick guide on how to get it working and any interesting features along the way. I’ve broken this piece down into three parts:
XenDesktop Delivery controller configuration:
On each delivery controller accessible by the storefront site, run the following two commands:
(Shawn Bass did a lot of the hard work here for me, so a thank you for that!)
When installing the client, you can enable the single sign on features with the following command line:
CitrixReceiver.exe /includeSSON /ENABLE_SSON=Yes /silent STORE0="Store;https://yourservername.yourdomain.com/Citrix/Store/discovery;on;Store"
Once this is complete, add the storefront url to the trusted sites for the user, then add the following setting to the trusted sites zone:
Once complete, open group policy on the local machine (or active directory group policy) and import the icaclient.adm file. The typical paths are below for convenience:
C:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm
C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm
Once you have imported this adm file, configure the following values in the LOCAL MACHINE configuration*
*The policies don’t work in user mode, oddly.
Configure the authentication policy:
Configure the web interface authentication ticket settings also:
Now reboot the machine and log in, ensuring SSONSVR.exe is running in task manager.
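A client-side preflight for the steps above, as an added example that is not from the original post or from Citrix. It checks that icaclient.adm exists at one of the listed paths, that the store URL maps to the Trusted sites zone, and that ssonsvr.exe is running in the current logon session. The function name is hypothetical and the store URL is the placeholder from the install command; it assumes Windows PowerShell 5.1, where the .NET Framework class System.Security.Policy.Zone is available.

```powershell
# Added example: client-side preflight for Receiver pass-through (SSO).
# Test-ReceiverSsoClient is a hypothetical helper name, not a Citrix cmdlet.
function Test-ReceiverSsoClient {
    param(
        # Store URL exactly as it was added to Trusted sites (placeholder host).
        [Parameter(Mandatory)] [string] $StoreUrl
    )

    # 1. icaclient.adm must be present so the policy template can be imported.
    #    Both paths are the ones listed in the post.
    $admPaths = @(
        'C:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm',
        'C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm'
    )
    $adm = $admPaths |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1

    # 2. The store URL must resolve to the Trusted sites zone for this user.
    #    Zone.CreateFromUrl asks the same URL-to-zone mapping Internet Explorer uses.
    $zone      = [System.Security.Policy.Zone]::CreateFromUrl($StoreUrl).SecurityZone
    $isTrusted = ($zone -eq [System.Security.SecurityZone]::Trusted)

    # 3. ssonsvr.exe must be running in *this* logon session. On a shared
    #    machine, another user's ssonsvr.exe would otherwise be a false positive.
    $mySession = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    $sson = Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $mySession }
    $ssonRunning = [bool]$sson

    [pscustomobject]@{
        AdmTemplate      = if ($adm) { $adm } else { 'not found' }
        StoreZone        = $zone
        StoreIsTrusted   = $isTrusted
        SsonsvrInSession = $ssonRunning
        Ready            = ([bool]$adm -and $isTrusted -and $ssonRunning)
    }
}

# Run as the logged-in user after the reboot, not from an elevated admin session
# under a different account, because zone mapping and session id are per user.
Test-ReceiverSsoClient -StoreUrl 'https://yourservername.yourdomain.com/Citrix/Store/discovery'
```

If Ready is False, the other columns show which of the three client steps to revisit before looking at the storefront side.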
I’m going to go ahead and assume you’ve already installed storefront, so let’s start from there.
Make your way down to the ‘Authentication’ tab, choose add/remove methods and select domain pass-through as an authentication type:
Note the warning, the receiver for web will also need some configuration, so that’s our next step:
Make your way down to your ‘receiver for web’ tab and select ‘Choose Authentication Methods’:
As you can see above, domain pass-through is now an option, with a nice little warning:
Note: if you don’t want SSO to be optional, don’t publish additional authentication types on this storeweb.
The quickest way to test is to go right ahead now and use the storefront in anger, but if you’re the cautious type, Storefront 2.5 includes a subdirectory called DomainPassthroughAuth/test.aspx. If you browse to this site from a configured machine, you should see the following screen.
If you are prompted as below, or see any of the following errors, go back a few steps and check what you missed:
And the following errors mean you’ve gotten the configuration wrong on the client side:
And that’s it, happy SSO’ing!
When checking the bandwidth requirement of multimedia sites, checking how much additional bandwidth video conferencing is going to require or even troubleshooting WAN capacity issues, it’s extremely useful to have a visible interpretation of realtime bandwidth consumption from your virtual desktop.
I wrote a tool quite some time ago called watcher2 while troubleshooting a similar issue. I finally took the time to refactor that tool for use with XenApp 6.5, XenDesktop and VMware View and they are finally available to download! Both watcher utilities also include a latency counter which was a request that came in over and over.
HDX and PCOIP watcher by default dock to the top of the screen and can be moved left or right as below:
They can now also be completely undocked:
How do they work?
The tool finds your username in the performance monitor counters for session bandwidth. Once it finds this entry, it reads your performance monitor data once every second and reports on it.
In the case of PCOIP watcher, it reads the PCOIP counters from performance monitor.
What do the values mean?
All values are in either Kilobits per second or Megabits per second.
In = Traffic from the client to the virtual desktop. This may spike during large copy / paste jobs, web cams or copying data from a USB key to the session.
Out = Traffic from the virtual desktop to the client, mainly audio or video traffic causes this to spike.
Latency = The delay between your client and the virtual desktop.
Can I Configure it?
Two thresholds are available, a yellow warning and a red warning, currently . These default values can be written to HKCU\software\sessionmonitor or HKLM\software\sessionmonitor. E.G:
Do they have any dependencies?
.net framework 3.5
If you are running XenApp 6.5 or XenDesktop 5.6, ensure you have the latest hot-fixes installed or the counters may be incorrect.
How do I launch it?
Allow the user to run it manually, or place the executable in their start-up folder or login script.
Where Can I download it?
What’s coming next:
- Native Microsoft RDP Counters.
- Realtime graphs and recording.
- source code is available on request.
I recently delivered a presentation to the Dutch Citrix User Group and E2EVC on the new technology released by Citrix called ‘Local App Access’.
In this post you will find the presentation deck and two utilities I have written for this technology to help empower the user to configure settings.
As I mentioned in my presentation, this technology is really cool, but it needs work. For a 1.0 it’s very promising but we need to use it in anger and log the bugs with Citrix to get them fixed. This technology, like Citrix Remote PC, is not a silver bullet, but it is a very useful utility in your toolbox for concentrating on the low hanging fruit during a migration.
Don’t let a single user or application in a department hold up user migrations by using this technology to keep the application local until you have time to come back to it.
Question: “You mentioned there’s a work around for getting ‘local app access’ to work without requiring desktop viewer?”
Yes, I’m a complete eejit, in both sessions I told you I would show you a way to get around this…. Then completely forgot! To get this working without needing desktop viewer, rename the cdviewer.exe executable in the ica client program folder to something else!
Reverse seamless VDI helper:
With the reverse seamless VDI helper tool, you can present this application to users in their virtual desktop to allow them to manage which applications are presented to their virtual desktop without having to lead the user through the registry.
Reverse Seamless local desktop helper:
With the reverse seamless local desktop helper tool, you can distribute this tool out to your users to control which folders from which shortcuts are brought up to the virtual desktop.
Because life is about education, here’s the source code if you want to expand it yourself:
ThinKiosk Version 4.0 is the culmination of 9 months hard work, rebuilding ThinKiosk in a new development style to include the enterprise features many of you requested, adding a management server, secure key redirection technologies, local group policy control and a number of other features. After weeks of rigorous testing we’re delighted to announce the availability of ThinKiosk version 4… Today!
With the release of Version 4.0 we’re lifting the cloak on the company we’ve set up in order to support and further develop ThinKiosk, ThinScale Technology. We’ve set up ThinScale as a little software company to publish applications to the virtualisation community, tackling the smaller issues and annoyances we face day to day as consultants and administrators. More clever little products are in the pipeline, but for now enough about the company!
The largest change around ThinKiosk 4.0 is the version introduction. ThinKiosk will ship in two editions, Enterprise edition and Community edition. Remko and I took a look at the product back in October last year and identified areas that the project needed investment in, in order to reach and fulfil its full potential. We also noted that a number of customers really wanted the support and functionality offered by a professional product. After much deliberation we took the decision at that point to invest the time and resources into the product to ensure it fulfils its potential, and this in turn justified the need for a chargeable Enterprise product.
ThinKiosk Community Edition.
- The community edition is free and will always remain free, we want to make sure the community will always have the benefit of the product.
- The Community edition is still one of the most powerful Windows alternatives on the market, including paid for products.
- The Community edition is an extremely powerful piece of software with one or two limitations in comparison to the Enterprise product.
- The Community edition will receive functionality from the enterprise edition over time.
We’re extremely proud of the community edition and we do recommend it if you do not require the functionality of the Enterprise Version.
ThinKiosk Enterprise Edition will include all the current functionality you know and use in ThinKiosk, along with loads of additional features and benefits. The enterprise version of ThinKiosk delivers far more value than the competitor products and from a functionality perspective beats them hands down even in its first release.
An exact side by side comparison can be found along with pricing and details on the ThinScale Licensing page.
Some of the New goodies are listed below!
ThinKiosk 4.0 new central management server. With this central management console, you can:
- Manage off domain machines.
- Push updates.
- Perform remote power commands.
- Remote Control end users.
- Report on your current ThinKiosk hardware.
- and much more.
Allow me to introduce our new ‘dynamic key pass-through technology’ MagicFilter. Magic filter will now block local Ctrl + Alt + Del and windows + L keystrokes and “magically” send them on to the remote desktop environment as if the user is working locally. This gives the user an immersive, native feeling desktop experience from the ThinKiosk client.
We are extremely proud to say we are the only Windows Thin Client vendor on the market who can do this.
ThinKiosk 4.0 is a fully fledged browser, so you can allow your users access to web resources without compromising on security. You can layer in as many bookmarks as you like to the browser or you can simply allow the users to browse the sites they wish via the address bar.
And so much more!
I covered a lot of the functionality previews back in April in the feature teaser.
Want to learn more?
And without further ado:
I’ve taken enough of your time for now, to jump right in click the download button below and we’ll send you everything you need to get started.
Just a quick note to say I’ve updated the original Guide to Lotus Notes in SBC / VDI environments with another 2 years of begrudging, pain and bug fixes.
A link to the updated article is here. Best of luck!
Everyone having a Good Citrix Synergy week? Some great new products announced! Ready for more announcements?
After 5 months of coffee, tears of frustration and hair pulling we’re absolutely delighted, thrilled and relieved to announce ThinKiosk 4.0 is nearly ready. Complete with my new partner in crime Remko Weijnen (I’ve been saying ‘we’ for ages, now you know who… awesome eh?) we’ve worked some long nights to get this version out the door.
With that out of the way, we’re proud to announce some of the new features coming in 4.0. Bear in mind this is just a preview, the final features and details of the product are still being hammered out, but below is a taster of some of the functionality you can expect to see shortly.
Back to the drawing board:
ThinKiosk 4.0 is a complete rewrite and refactor of ThinKiosk. It’s built on the 4.0 .Net framework which has brought a lot of simplicity and new features to our tool-set. ThinKiosk 4.0 was built with three main aims:
- Enterprise Ready.
- Fool Proof.
- Secure by Design.
With ThinKiosk 4.0, your setup time will go from days to minutes. Out of the box, ThinKiosk is ready for the following technologies without any local machine tuning:
- Citrix XenDesktop / XenApp.
- Citrix VDI in a Box.
- VMware View.
- Microsoft Remote Desktop Services.
For the exact details of each of these optimizations, follow the subsequent blog posts / documentation.
New Look and Feel:
Without further ado, let’s start with the new look and feel:
ThinKiosk 4.0 has also been built on the industry leading graphical interface DevExpress giving us a really shiny, professional and sleek interface. Finally giving us an Interface we can be proud to put on your desktops.
ThinKiosk’s interface has been further improved giving you an Applications tab for Publishing desktops for VMware View, Microsoft Remote Desktop services or Citrix Desktops via ICA file or local applications.
This Applications tab has been modelled after the windows 8 Metro err, I mean Windows 8 UI. This provides a similar look and feel to the new Windows start menu and it really breathes new life into old hardware. With this tab, you can publish shortcuts to VDI Desktops or local applications making it a one stop shop for applications.
You can flick from one tab to another easily, or disable the one you do not wish to use.
It’s all about the customization!
Beauty is in the eye of the beholder right? Agreed!
ThinKiosk 4.0 will ship with over 8 themes and wallpapers, customization of the splash screen, buttons… everything!
The Applications tab can also be completely customized to your tastes:
As with Previous versions of ThinKiosk, every button and object in ThinKiosk can be locked down to exactly what you wish, for example here’s a stripped back browser session:
Or a stripped back application window:
Anyway… Enough about the appearance, let’s talk tech!
Introducing the new ThinKiosk Broker Service and Management console:
The ThinKiosk Broker, Management Console and ThinKiosk clients use an all new ThinKiosk TCP protocol (I never ever, ever want to see a tcp socket again for as long as I live, writing this protocol was a killer!) to allow you to centrally manage, catalog and report on your ThinKiosk devices. The protocol is lightning fast and secure by design.
This new framework will form a long blog post itself, but some quick fire information is below:
- Complete off domain management.
- Auto device registration, just point ThinKiosk at the broker and it will check in and download the default profile.
- Remote Control / Shadowing of end point devices via the console.
- Device Grouping for profiling multiple devices or creating an organisation structure.
- Remote actions (power off, restart, update).
- Device Reporting.
- No Enterprise database software necessary.
- Audit logging.
Unlike other Thin Client protocols and software, ThinKiosk does not accept any inbound connections, in user or system context. Removing the ability to hijack thin clients… which is all too possible with certain vendors!
The console is simple, and quick to navigate:
Installation of the broker takes roughly 5 minutes and is ready to serve your Devices as soon as you configure the default profile.
New Profile Handler:
The ThinKiosk client has received an overhaul and with it we’ve streamlined the profile. ThinKiosk no longer requires group policies or the clunky offline config tool, we have a new profile system based on XML files with a fitting profile editor to match:
No more configuring 5 group policies for one url, the new policy manager is clean, self explanatory, full of new functionality and uses the same interface whether you are using the ThinKiosk management console or modifying the local profile.
Still want to use group policy to deploy configuration? No problem! Just drop the file on the client via group policy preferences!
And the Client!
Let’s talk about the 4.0 client.
Windows XP – Windows 8
ThinKiosk is now a fully fledged browser, complete with address bar. If you want to allow your users to browse around, now you can.
The ThinKiosk 4.0 browser will:
- Suppress scripting errors.
- Allow you to add your sites to the trusted sites via policy.
- Auto tunes the browser for VDI portals.
- Auto circumvent silly SSL untrusted or mismatched errors (great for POC’s *cough* VDI in a Box *cough*)
- ThinKiosk now runs as an Internet explorer executable. No more flicking between iexplore.exe and thinkiosk.exe.
Now to the nuts and bolts!
Local login pass through:
Now that you have the ability to add direct VDI connections, ThinKiosk will handle the log in experience and pass the credentials to the responsible technology:
This integration allows ThinKiosk to better manage the desktop experience and provide your users with a single login pane rather than the recurrent login screens you can experience with Microsoft / Citrix file connections.
These connection files can also be auto launched, to remove that pesky click first thing each day.
- Log off screen redirection for Web interface, storefront and VDI in a box.
- Log off the web portal when a desktop launches for the above platforms.
- Support for Adding ICA file connections.
- Auto configuration of Single sign on from local pc to remote desktop. (Nightmare previously).
- VDI in a Box auto browser tuning for compatibility.
- Optionally disable the Citrix Desktop viewer (CDviewer.exe).
- Support for publishing multiple pool connections
- Support for publishing multiple direct desktop connections.
- Support for PassThrough.
- Disables Certificate checking by default for quick POC’s.
- Pass through ctrl alt del / Windows + l (more on this later).
Microsoft Remote Desktop Services:
- Support for publishing multiple connections.
- Support for 2012 RDS and VDI.
- SSL Certificate warning suppression.
- Support for login once.
Improved local application handling:
ThinKiosk 4.0 has an improved local application engine. When you add an application to the Applications tab, it will automatically pull in the icon window and you can also specify to launch apps but hide them (think run key entries). If ThinKiosk is restarted via admin task, it’s smart enough to know not to relaunch them.
Environment variables for paths and arguments are fully supported and I’ve also added a variable for 32bit program files paths… I always wondered why Microsoft didn’t do this, but I digress.
Windows secure keystroke blocking and passthrough:
You asked… (and asked and asked and asked and asked). It’s done, with ThinKiosk 4.0 you will be able to block CTRL + Alt + Del, [Windows] + [L] etc.
Pass through of these keystrokes to the remote desktop is available for VMware View already and will be coming shortly after 4.0 for Citrix and Microsoft connections.
Group Policy Lockdown:
By default when you install ThinKiosk 4.0, it will arm the PC with the most restrictive policies via the local group policy engine, disabling access to all admin utilities and even local disks. This lockdown can be tuned or turned off via policy if required.
ThinKiosk performs privileged actions via the ThinKiosk Machine service which installs as part of the installation.
ThinKiosk will ship with its own user account for fast deployment. This account will be created on the local machine and gives you a quick and easy method to manage local accounts on non domain joined PCs.
The account’s password is synchronized with the ThinKiosk unlock password you specify.
This account is completely optional and you can turn it off or substitute it with a domain account of your choice.
ThinKiosk will also manage the Windows Shell replacement policy itself via policy, so no more mucking around with local group policy or registry keys.
ThinKiosk also now encrypts the auto login account using LSA.
With ThinKiosk as shell, you can now run Active Setup with ThinKiosk’s improved Active Setup Async.
Active setup Async is a utility we have implemented into ThinKiosk that will perform active setup 60% faster than standard Microsoft active setup via a threading and queuing engine. The end result is active setup support (for example, HDX flash redirection) with a much faster (and prettier) interface.
ThinKiosk can now implement the local group policy engines start-up script to allow you to manage off domain PC’s. With the start-up script, you can install software, updates, disable services, uninstall software, delete files, profiles… anything!
The only limitation here is your own imagination or scripting abilities.
If the latter is a concern, worry not: we’ll be creating a scripting library where ThinKiosk enthusiasts can share and collaborate on similar tasks.
ThinKiosk 4.0 offers you the ability to control local volume, printers, screen saver and even background color.
ThinKiosk logs everything, every action, command, hiccup… everything.
If something isn’t quite working as expected, chances are the debugging window will announce in triumphant glory exactly what is broken!
Redundant profile management:
ThinKiosk takes a copy of its profile on each check in to an FTP server or Broker server.
In the event of the server being offline, ThinKiosk attempts five times to connect before failing back to the local profile, allowing your users to continue working without an outage.
If the broker server becomes available again throughout the day, ThinKiosk will check back in to allow management but will not disturb the user.
And so much more!
I’m not going to go on and on, but as you can see… It’s awesome!
Check back in a few weeks for the release as we ready the build.