March 7, 2015 - Nick

Getting Citrix Desktop Lock 4.2 to work in your environment

After battling the configuration of Citrix Desktop Lock in our environment, I think I have all the missing pieces documented. For some reason I had trouble figuring this out even with the Citrix Desktop Lock documentation (linked here). I got it working on our US domain workstations, then a couple of weeks later I was asked to get it working in our Brazil office and had forgotten all the steps involved. The purpose of this post is to memorialize those steps in case there is a next time :)

For those who don't know what Desktop Lock is: it's an add-on that runs on top of Citrix Receiver 4.2. When installed properly on a domain-joined workstation, it passes the user's AD credentials through and logs them directly into their VDI desktop. This is super useful if you don't have thin clients and want to re-purpose existing desktops while improving the VDI user experience, all without spending any money except a little time. Normally, when a user moves from a physical machine to VDI they are plagued with multiple logins, multiple screensaver timeouts, and so on. Desktop Lock addresses this: the user logs into their physical desktop, and Desktop Lock passes those credentials on and logs them directly into their default VDI desktop. When the user logs off of VDI, they are logged off both the VDI desktop and the physical machine they launched Desktop Lock from.

To make this as straight forward as possible, I’m going to break this out to a couple different areas here:

  1. Storefront Configuration
  2. XenDesktop Delivery Controller Configuration
  3. Group policy configuration
  4. Desktop Configuration

As you can tell, there are a lot of different areas that need some form of adjustment to get this working, so let's get to it!

 1. Storefront Configuration:

  1. Create a new store specifically for single sign-on so you are not changing the store your production users rely on. (Not mandatory, but highly recommended.)
  2. On the target store, modify the following two configuration files:
    1. In C:\inetpub\wwwroot\Citrix\<STORENAME>\web.config, change logonMethod="prompt" to logonMethod="sson" on the pnaProtocolResources element, so it reads:
      <pnaProtocolResources changePasswordAllowed="Never" logonMethod="sson"
      kerberosEnabled="false" changePasswordMethod="Proxy" changePasswordUrl="">
    2. In C:\inetpub\wwwroot\Citrix\<STORENAME>\Views\PnaConfig\Config.aspx, add <LogonMethod>sson</LogonMethod> ahead of the existing prompt entry between the <Logon></Logon> tags, leaving the rest as it is:
      <Logon>
      <LogonMethod>sson</LogonMethod>
      <LogonMethod>prompt</LogonMethod>
      <EnableSavePassword>false</EnableSavePassword>
      <EnableKerberos>false</EnableKerberos>
      <SupportNDS>false</SupportNDS>
      <NDS_Settings>
      <DefaultTree></DefaultTree>
      </NDS_Settings>
      </Logon>
  3. After saving both files, propagate the changes to the rest of the StoreFront server group (Server Group > Propagate Changes in the StoreFront console) if you have more than one StoreFront server.
  4. On every StoreFront server, enable Windows authentication in IIS Manager for the store we're targeting for Desktop Lock. This is a step I missed during my configuration and it took a while to figure out:
    1. In IIS Manager, browse to the site/store being configured for Desktop Lock.
    2. Open Configuration Editor for it.
    3. In Configuration Editor, select the system.webServer section.
    4. Expand security > authentication.
    5. Open windowsAuthentication, set enabled to True and apply.
  5. Run IISRESET on all StoreFront servers in scope.
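The StoreFront side of this (steps 2.1, 4 and 5) as an added PowerShell example; this is not code from the original post or from Citrix. It flips logonMethod in web.config, enables Windows authentication on the store the way the IIS Configuration Editor does, and reads both settings back before the IISRESET. The store name 'SSONStore' and the 'Default Web Site/Citrix/<store>' IIS location are assumptions; the Config.aspx edit in step 2.2 is left as the hand edit described above.

```powershell
# Added example, not from the original post: StoreFront steps 2.1, 4 and 5 in PowerShell.
# Run elevated on each StoreFront server. $StoreName and $Location are assumptions.
$StoreName  = 'SSONStore'
$WebConfig  = "C:\inetpub\wwwroot\Citrix\$StoreName\web.config"
$Location   = "Default Web Site/Citrix/$StoreName"
$AuthFilter = 'system.webServer/security/authentication/windowsAuthentication'
$PnaXPath   = '//*[local-name()="pnaProtocolResources"]'   # namespace-agnostic lookup

function Set-PnaLogonMethodSson {
    # Step 2.1: logonMethod="prompt" -> "sson" on <pnaProtocolResources>, with a backup first
    Copy-Item $WebConfig "$WebConfig.$(Get-Date -Format yyyyMMddHHmmss).bak"
    [xml]$cfg = Get-Content $WebConfig
    $pna = $cfg.SelectSingleNode($PnaXPath)
    if (-not $pna) {
        throw "No pnaProtocolResources element in $WebConfig; is legacy (XenApp Services) support enabled on this store?"
    }
    $pna.SetAttribute('logonMethod', 'sson')
    $cfg.Save($WebConfig)
}

function Enable-StoreWindowsAuth {
    # Step 4: what Configuration Editor writes when you set windowsAuthentication/enabled = True.
    # Needs the Windows Authentication role service (Install-WindowsFeature Web-Windows-Auth).
    Import-Module WebAdministration
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter $AuthFilter -Name 'enabled' -Value $true
}

function Test-StoreSsonConfig {
    # Read both settings back instead of trusting that the writes went through
    $method  = ([xml](Get-Content $WebConfig)).SelectSingleNode($PnaXPath).GetAttribute('logonMethod')
    $winAuth = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter $AuthFilter -Name 'enabled').Value
    if ($method -ne 'sson') { throw "logonMethod is '$method', expected 'sson'" }
    if (-not $winAuth)      { throw "Windows authentication is still disabled on $Location" }
    "logonMethod=$method, windowsAuthentication=$winAuth"
}

Set-PnaLogonMethodSson
Enable-StoreWindowsAuth
Test-StoreSsonConfig
iisreset    # step 5; repeat the whole script on every StoreFront server in the group
```

If you run this on one server only, you still need step 3 (Propagate Changes) for the web.config edit, and the IIS Windows authentication setting must be enabled on each server by hand or by running the script there.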

2. XenDesktop Delivery Controller Configuration:

  1. Log on to the Delivery Controller, open Windows PowerShell and run the following to make the broker trust XML requests sent from StoreFront. With this setting on, the XML service accepts requests from StoreFront without validating the user's credentials itself, so make sure only your StoreFront servers can reach the XML service port (firewall rules or IPsec):
    1. If not already loaded, load the Citrix cmdlets by typing asnp Citrix*. (be sure to include the period after Citrix*, as the Citrix article does) and press Enter.
    2. Type Add-PSSnapin citrix.broker.admin.v2 and press Enter.
    3. Type Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True and press Enter. This is a site-wide setting, so it only needs to be run once; Get-BrokerSite shows it from any controller.
    4. Close PowerShell.

(Refer to this article for more information: http://support.citrix.com/proddocs/topic/receiver-windows-42/receiver-windows-configure-passthrough.html)
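The Delivery Controller side as an added PowerShell example (not code from the original post or the Citrix article): it sets the trust flag, reads it back, and adds a firewall rule so that only the StoreFront servers can reach the XML service port. The port (80, the XenDesktop 7.x default) and the two StoreFront addresses are assumptions; check your site's XML service port first. Windows Firewall block rules win over allow rules, so the restriction relies on the profile's default inbound action being Block and on no broader allow rule (for example the built-in HTTP rule) covering that port.

```powershell
# Added example, not from the original post: DDC XML trust plus the check and the firewall
# scoping that go with it. Run elevated on a Delivery Controller.
# Assumptions: XML service on TCP 80, StoreFront servers at 10.0.1.10 and 10.0.1.11.
$XmlPort     = 80
$StoreFronts = @('10.0.1.10', '10.0.1.11')

Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Enable-XmlTrust {
    # Pass-through (and smart card) logons need the broker to accept the identity StoreFront
    # asserts; this is a site-wide setting stored in the site database, so run it once.
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}

function Test-XmlTrust {
    # Read it back; Get-BrokerSite returns the same object from any controller in the site
    $trust = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
    if (-not $trust) { throw 'TrustRequestsSentToTheXmlServicePort is still False' }
    "TrustRequestsSentToTheXmlServicePort = $trust"
}

function Restrict-XmlPortToStoreFront {
    # With trust on, the XML service no longer validates credentials in the requests it gets,
    # so only StoreFront should be able to talk to it. This allow rule is scoped to the
    # StoreFront addresses; everything else is dropped only if the profile default is Block.
    $profiles = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }
    if ($profiles) {
        Write-Warning ("Default inbound action is not Block on: " + ($profiles.Name -join ', '))
    }
    New-NetFirewallRule -DisplayName 'Citrix XML Service - StoreFront only' `
        -Direction Inbound -Protocol TCP -LocalPort $XmlPort `
        -RemoteAddress $StoreFronts -Action Allow -Profile Domain
}

Enable-XmlTrust
Test-XmlTrust
Restrict-XmlPortToStoreFront
```

After adding the rule, confirm from a non-StoreFront host that the XML port is closed and from a StoreFront server that it still answers; if the controller also hosts something else on the same port (Director, for instance), that traffic is affected too.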


3. Group Policy Configuration

  1. Create a new Group Policy Object and use security filtering to scope it to the physical workstations we're targeting for Desktop Lock.
  2. Add the ICA Client administrative template to that policy:
    1. In the Group Policy editor, right-click Computer Configuration > Administrative Templates and select Add/Remove Templates.
    2. Add the C:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm template (Program Files (x86) on 64-bit Windows), taken from a machine with Receiver installed.
  3. Enable the following settings in that policy:
    1. Open the Local user name and password setting (under Citrix Components > Citrix Receiver > User authentication).
    2. Select Enabled.
    3. Check Enable pass-through authentication.
    4. Check Allow pass-through authentication for all ICA connections.
    5. Configure any other settings you find relevant.
    6. Click OK. The resulting policy should look like this:
      [screenshot: resulting Desktop Lock GPO]
  4. MAKE SURE THE POLICY IS ACTUALLY APPLYING TO THE WORKSTATION YOU ARE TESTING FROM! Run gpresult /scope computer /h gprp.html on the workstation, open the report, and confirm your policy is listed under Applied GPOs.


4. Desktop Configuration:

  1. Uninstall all existing versions of Citrix Receiver on the target desktop. I prefer to run the Receiver Clean-Up Utility afterwards for good measure.
  2. Download the latest version of Desktop Lock here: http://www.citrix.com/downloads/citrix-receiver/additional-client-software/receiver-desktop-lock-42.html
  3. Download a compatible version of Citrix Receiver (4.2 or later): http://www.citrix.com/downloads/citrix-receiver/additional-client-software.html
  4. Install Citrix Receiver (4.2 or later) with the following switches (to understand them in detail, read on here). STORE0 takes the form "<name>;<discovery URL>;On|Off;<description>":
    CitrixReceiver.exe /includeSSON /ENABLESSON=Yes STORE0="Store;https://my.storefront.com/Citrix/YOUR_Store/discovery;on;STORENAME"
  5. Reboot after the installation; the Receiver single sign-on service only starts after a reboot. Once the machine is back up, confirm ssonsvr.exe is listed under Processes in Task Manager.
  6. Now test that Receiver and single sign-on are working. This validation matters: if this doesn't work, logging in with Desktop Lock certainly won't. Right-click the Citrix Receiver icon in the system tray/notification area and choose 'Open'. Receiver launches with the default 'StoreFront green' background and a 'Log On' link at the top middle/right. Clicking it should not prompt you for credentials; it should log you straight into Receiver and show your desktop(s) in the left-hand tab, as in the following screenshot:
    [screenshot: Receiver logged on through single sign-on]
    If you get that result, the local ssonsvr.exe and Citrix Receiver are working properly and you can proceed to the final step.
  7. Install Citrix Desktop Lock and test. Feel free to drop me a line if you run into issues; chances are I've seen the same error and can offer some guidance.
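An unattended install plus the pre-Desktop-Lock checks from steps 4 to 6, as an added PowerShell example (not code from the original post or from Citrix): it runs the Receiver installer with the same switches, then, after the reboot, verifies that ssonsvr.exe is running, that the GPO from section 3 is actually applied to this computer, and that the StoreFront host answers on 443. The installer location, StoreFront URL, store name and GPO name are placeholders, and the 3010 exit code handling assumes the installer follows the usual Windows "reboot required" convention.

```powershell
# Added example, not from the original post: unattended Receiver 4.2 install with SSON,
# and the checks that must pass before Desktop Lock goes on. Run elevated on the workstation.
# Assumptions: CitrixReceiver.exe in the current folder; URL, store and GPO names are placeholders.
$StoreUrl  = 'https://my.storefront.com/Citrix/YOUR_Store/discovery'
$StoreName = 'YOUR_Store'
$GpoName   = 'Citrix Desktop Lock Workstations'

function Install-ReceiverWithSson {
    # Step 4's switches plus /silent for an unattended run.
    # STORE0 = "<name>;<discovery URL>;On|Off;<description>"
    $installArgs = @('/silent', '/includeSSON', '/ENABLESSON=Yes',
                     "STORE0=`"Store;$StoreUrl;on;$StoreName`"")
    $p = Start-Process -FilePath '.\CitrixReceiver.exe' -ArgumentList $installArgs -Wait -PassThru
    # 3010 is the usual "installed, reboot required" code; a reboot is needed anyway (step 5)
    if (0, 3010 -notcontains $p.ExitCode) { throw "Receiver install failed with exit code $($p.ExitCode)" }
    Write-Warning 'Reboot now, then run Test-SsonPrereqs.'
}

function Test-SsonPrereqs {
    # Step 5: ssonsvr.exe only starts after the post-install reboot
    if (-not (Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)) {
        throw 'ssonsvr.exe is not running: reboot, and confirm /includeSSON /ENABLESSON=Yes were used'
    }
    # Section 3, step 4: the GPO must be applied to this computer, not merely exist
    $rsop = (gpresult /scope computer /r 2>&1) | Out-String
    if ($rsop -notmatch [regex]::Escape($GpoName)) {
        throw "GPO '$GpoName' is not applied here (check security filtering, then gpupdate /force)"
    }
    # The store must be reachable over TLS from this workstation (plain TCP connect; works on PS 2)
    $sfHost = ([uri]$StoreUrl).Host
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($sfHost, 443) }
    catch   { throw "Cannot reach $sfHost on 443: $($_.Exception.Message)" }
    finally { $tcp.Close() }
    "ssonsvr.exe running, GPO '$GpoName' applied, $sfHost reachable: test the Receiver Log On (step 6), then install Desktop Lock"
}
```

Run Install-ReceiverWithSson, reboot, then Test-SsonPrereqs; if the last line prints, step 6 (the Log On click with no credential prompt) is the only manual check left before Desktop Lock.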

Feel free to comment if you have any questions. There is a lot involved here. Special thanks to Juan Guerra @ Citrix Support again for the assist here. Good luck!

Citrix Receiver / XenDesktop citrix / Citrix Desktop Lock / Citrix Receiver 4.2 / Delivery Controller / Storefront / xendesktop /

Comments

  • ylzjyu says:

    Thank’s!!!

  • Chris says:

    Great post, however I am having issues where, once a user has signed out after being signed in, the user is unable to sign back in until I manually kick them off the server. Is this a known issue, or has anyone else had a similar issue?

    • Nick says:

      @Chris, haven’t seen that behavior in our environment although I’ve seen some other oddities. Maybe check the Citrix forums and see if you find anything. I would also suggest running a trace when you’re able to re-create the issue.

  • d_morris102 says:

    We are looking to implement this in our enterprise on two types of thin clients. Is there a need for AV on the machines anymore because of the locking capabilities?

    • Nick says:

      d_morris, you say two types of thin clients. What do you mean by thin clients? If you're using a thin client, you really wouldn't need Desktop Lock, as the thin client would serve as the single sign-in you're looking for. Shoot me an e-mail and I'll help you discuss it a little further: http://nickyfixit.com/get-in-touch/

  • Dawid says:

    Hi David, my name is Amjad and I am working on one project where App-DNA and App-V are used by the organization for virtualization. I am having a problem: after getting the App-DNA result green for an application, we want to automate the system to complete the App-V sequence and get the virtual file to deploy. I am running App-DNA and App-V both on the same Windows 7 x32 VM. Please let me know, after application analysis is done, how I start the App-V sequencer automatically. Please send me a document or process notes. Thank you for your help. Regards, AJ
