Archive for the ‘CloudGateway’ Category

Citrix Storefront 2.5 and Single Sign on:

March 26, 2014 8 comments

With the release of XenDesktop / XenApp 7.5, Citrix Storefront has brought back a very sought-after feature: single sign on with local credentials to the Storefront site!

Citrix Storefront SSO can be the default configuration or a choice can be given to the user if you select more than one authentication type as below:

 

storefront auth choice

 

 

 

Desktop appliance site: (Slight deviation, bear with me).

 

An interesting addition to Storefront in 2.5 is that a desktop appliance site is installed by default. Richard covers what a desktop appliance site is really well in this article for the current release of Storefront here. It’s worth noting that, strangely, the desktop appliance site is running the older Storefront code base and does not currently support single sign on.

 

 

 

Back on topic!

 

Below is a quick guide on how to get it working, with any interesting features along the way. I’ve broken this piece down into three parts:

 

XenDesktop Delivery controller configuration:

 

On each delivery controller accessible by the Storefront site, run the following two commands:

broker xml trust level

 

Client Configuration:

 

(Shawn Bass did a lot of the hard work here for me, so a thank you for that!)

When installing the client, you can enable the single sign on features with the following command line:

CitrixReceiver.exe /includeSSON /ENABLE_SSON=Yes /silent STORE0="Store;https://yourservername.yourdomain.com/Citrix/Store/discovery;on;Store"

 

Once this is complete, add the storefront url to the trusted sites for the user, then add the following setting to the trusted sites zone:

 

local zone settings

 

Once complete, open group policy on the local machine (or active directory group policy) and import the icaclient.adm file, the typical path is below for convenience:

x86:

C:\Program Files\Citrix\ICA Client\Configuration\icaclient.adm

x64:

C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm

 

Once you have imported this adm file, configure the following values in the LOCAL MACHINE configuration*

*The policies don’t work in user mode, oddly.

Configure the authentication policy:

 

group policy

Configure the web interface authentication ticket settings also:


group policy2

 

 

 

Now reboot the machine and log in, ensuring SSONSVR.exe is running in task manager.

 

Storefront Configuration:

 

I’m going to go ahead and assume you’ve already installed Storefront, so let’s start from there.

 

Make your way down to the ‘Authentication’ tab, choose add/remove methods and select domain pass-through as an authentication type:

 

add domain pass-through option in storefront config

 

Note the warning, the receiver for web will also need some configuration, so that’s our next step:

 

highlight change needed on storeweb

 

Make your way down to your ‘receiver for web’ tab and select ‘Choose Authentication Methods’:

 

add auth method to storeweb

 

 

 

 

As you can see above, domain pass-through is now an option, with a nice little warning:

 

storeweb passthrough warning

 

 

Note: if you don’t want SSO to be optional, don’t publish additional authentication types on this storeweb.

 

Testing:

The quickest way to test is to go right ahead now and use the Storefront in anger, but if you’re the cautious type, Storefront 2.5 includes a subdirectory called DomainPassthroughAuth/test.aspx. If you browse to this page from a configured machine, you should see the following screen.

 

 

passthrough auth test site

 

 

If you are prompted as below, or see any of the following errors, go back a few steps and check what you missed:

 

sso test fail via website

 

And the following errors mean you’ve gotten the configuration wrong on the client side:

 

no trusted submit

no logon methods error - pass creds not set

 

and that’s it, happy sso’ing!
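The client-side checks from this guide can be scripted. The following is an added example, not part of the original post or any Citrix tooling: it confirms that the SSO process is running, reports which security zone Windows maps the store URL to, and optionally requests the pass-through test page with the current logon. The function name and the `-TestPageUrl` parameter are assumptions; the host name is the placeholder from the install command above.

```powershell
# Added example, not Citrix code. Run as the logged-on user in Windows PowerShell 5.1.
function Test-ReceiverSsoClient {
    param(
        # Store URL as used at install time; the host is the post's placeholder.
        [string]$StoreUrl = 'https://yourservername.yourdomain.com/Citrix/Store/discovery',
        # Full URL of the DomainPassthroughAuth/test.aspx page on your server (optional).
        [string]$TestPageUrl
    )

    # 1. The SSO process started at logon must be present after the reboot.
    $sson = Get-Process -Name ssonsvr -ErrorAction SilentlyContinue

    # 2. Ask Windows which security zone the URL maps to. This resolves both
    #    per-user Trusted Sites entries and sites assigned by policy.
    $zone = [System.Security.Policy.Zone]::CreateFromUrl($StoreUrl).SecurityZone

    # 3. Optionally request the test page using the current logon credentials.
    $status = $null
    if ($TestPageUrl) {
        try {
            $resp   = Invoke-WebRequest -Uri $TestPageUrl -UseDefaultCredentials -UseBasicParsing
            $status = [int]$resp.StatusCode
        } catch {
            # A 401 here means the server did not accept the pass-through logon.
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        }
    }

    [pscustomobject]@{
        SsonSvrRunning = [bool]$sson
        SecurityZone   = $zone
        InTrustedSites = ($zone -eq [System.Security.SecurityZone]::Trusted)
        TestPageStatus = $status
    }
}

Test-ReceiverSsoClient | Format-List
```

A result with `SsonSvrRunning` false or `InTrustedSites` false points back at the client configuration steps rather than the Storefront server.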

 

Customising the Citrix Receiver for Mac OS

January 2, 2013 6 comments

Here’s a fun little customisation if you grow tired of the green bubbles of gloom.


default


The background above is a png file, with the following dimensions:

  • Height: 2048
  • Width: 1056

So if you want to replace this file, go find your replacement picture and ensure your picture is of a similar enough size.

Once you have a png file with similar enough dimensions, open the finder application, open the applications folder and right click the Citrix Receiver app, choose “Show Package Contents”.

Browse down to: contents > resources


file


In this folder, you will find a file “backgroundImage_big_b.png”. Before you start, rename this file to back it up.

Now simply copy your replacement file into this folder, using the above name:


newfile


And that’s it! You’ve now got a lovely custom Citrix Receiver:


result


PS: I wouldn’t try to do this with Windows, the file is an embedded resource and would require Resource Hacker to change the file.

 

Announcing ThinKiosk 3.1

November 16, 2012 Leave a comment

With great pleasure I’m announcing the general availability of ThinKiosk 3.1. Quite a bit of change under the hood and some nice features added to match.

New features:

VMware View enhanced support:

VMware View has gotten some love in this update. A big thanks to Jarian Gibson for the help.

You can now enforce end of session options for VMware View:


You can also now choose to wipe the last users details from the Kiosk between View sessions:

FTP policy management:

With ThinKiosk 3.1, you are no longer tied to managing the ThinKiosk devices by Group Policy or local registry settings. You can now also use an FTP server with a shared XML configuration file:

Just configure a Device as you would like it to appear, unlock the admin menu and you can export the configuration to xml:

Then move it to your ftp server!

Encryption:

The unlock password in group policy can now be encrypted to save it appearing in plain text to anyone capable of viewing the policy. ThinKiosk 3.1 ships with a password encryption tool you can use to encrypt your password.

You can also test reversing the password to plain text to make sure you get it right before applying it en masse and locking yourself out!

This encryption functionality has now been added to both the offline configuration tool:

And by default the FTP password will be encrypted too!


Battery Awareness:

ThinKiosk is now aware of batteries in laptop devices and will report their status.

When the battery begins to run out, ThinKiosk will throw a warning in the foreground as below:

You can additionally disable this functionality with the offline configuration tool.

Pre launch Citrix Receiver:

A rare issue seen with the latest versions of the receiver was a bit of a hang, pause or complete lock up as receiver came to life. To combat this, you can now choose to early launch the receiver for Citrix, allowing it to gracefully start up in the background before the user requires it.

Early launch process:

A number of customers needed to have third party software launched as soon as ThinKiosk started each day. I’ve now added the ability to early launch a process.

You can also choose to launch this process as hidden, away from the user.

Browser navigation buttons:

ThinKiosk can now act as a locked down browser by adding back and forward buttons.

AM / PM clock:

This feature was asked for quite a few times, so now you can set the clock to 12 hour.

Debug Mode:

A fully fledged debug window has been added to help timing issues. The debug menu can be accessed via command line (-debug) or via the admin menu in ThinKiosk.

Zorder awareness:

In rare situations (and I’ve been unable to reproduce it) ThinKiosk can jump above the citrix session when a log off of the web interface happens or during the login process.

Zorder awareness will tell ThinKiosk to send itself to the back of the Zorder when the browser finishes rendering. It will also display a hide button, which will send ThinKiosk to the back in this rare event.

Please use this setting as a troubleshooting tool, not a production setting. If this setting fixes the issue for you, please drop me an email and I’ll write it in. As I’ve been unable to reproduce this issue, it’s a bit rough around the edges.

Citrix Storefront timeout screen:

ThinKiosk is now aware of the timeout screen and will automagically redirect back to the login screen if it sees it.

Hide ThinKiosk when a desktop is active:

If you wish to outright hide ThinKiosk while a desktop is active, you can now do so!

Even More sites:

Support for up to 20 sites has been added, thanks Martijn!

Sticky Home Page:

A request came through to allow the home page to always be site 1. This has now been included.

Bug Fixes:

  • support for environment variables in custom tools and prelaunch commands. (thanks Nathan).
  • Offline config tool not setting password correctly.
  • VB Powerpack accidentally bundled with ThinKiosk 3.0
  • In process launch mode, power options were intermittently being applied.

And it’s still free!

ThinKiosk development has taken quite some time and it takes time to support you via email. If you use ThinKiosk in your environment or appreciate the savings it’s made for you, please consider making a donation or paying for enterprise support to help me keep this project alive… I would really appreciate it as it will allow me to invest in better development tools to make the product look and feel even better!


ThinKiosk 3.0 General Release

September 21, 2012 14 comments

It gives me great pleasure and relief to announce the general availability of ThinKiosk 3.0!

ThinKiosk 3.0 is another ground up redevelopment of the tool. 2 months ago I broke the program beyond recognition to add support for shared libraries and reduce the number of active components in the program. It’s fast, lightweight, it’s been a long time coming and I am absolutely thrilled with the result!

With that out of the way and without further ado, there are hundreds of changes to ThinKiosk. Below are just the highlights:

Additional support:


  • Added support for Citrix StoreFront services 1.2 (Cloud Gateway).
  • Added support for VDI in a Box 5.1 (no open prompt!)
  • Added support for Internet Explorer 10 as the local browser.
  • Added support for Windows 8 as an end point.
  • Added support for Windows Embedded Standard 8 as an end point.


New Features:



EULA:


This isn’t exactly a new feature, but I want to be as forthcoming about this as possible. I’ve added an EULA to ThinKiosk. There is nothing untoward, there’s no lock in, it just says its free to use, you can’t resell it, and you can’t sue me if you do something stupid.

Ultimately, it just protects me (a free tool developer) from lawsuits.


Languages:


The Norwegian language has now been added, thanks Thomas!

All current languages have been updated (Spanish, French, Dutch, Italian, German).

 

Startup marquee:

 


On particularly old or slow PCs, the startup time for ThinKiosk can be quite lengthy while ThinKiosk loads the embedded browser.

To address this delay, a splash screen with progress marquee has been added to provide feedback and keep the user entertained.

 

Screenshot and email functionality:

 

 

You can now allow ThinKiosk to register the [PrintScreen] key, which in turn will allow the user to use this key to send an error or issue directly to the helpdesk, including support information via SMTP.

 

 

By default, email and screenshot functionality is disabled until you add SMTP options via policy or the offline config tool.

Thanks Shane for the idea!

Progress bar:

 

 

When loading slow-to-load URLs, it can be difficult to tell whether the website has hung, or it has just taken some time to load. By default ThinKiosk 3.0 will ship with an “on demand” progress bar to tell you when ThinKiosk is busy.


Wireless Networks:


 

Beta support for Wireless Networks has been added via the control panel.

This functionality will only currently work with:

  • Windows 7
  • Windows Embedded Standard 7.
  • Windows Thin PC

Note: this setting is disabled by default, but can be enabled via group policy or the offline config tool.


Language Selection:


Probably the most requested feature so far, I’ve finally added a drop down for Language selection as below:


 

This drop down will allow the users to change the language on the fly. This option can be disabled via group policy or the offline config tool.

New items in the admin menu




The admin menu now contains some very useful commands for administrators when troubleshooting end points:

  • Task Manager.
  • Internet Explorer Control panel.
  • Restart /Exit ThinKiosk.
  • Remote Desktop connection.
  • Offline Configuration Tool.



Desktop launching dialog:

 

When using Web Interface log off on session launch, ThinKiosk performed the task so quickly that the user was often left a little confused as to what had happened and why they had been kicked out before the session finally launched. ThinKiosk will now provide feedback when a new session launches or when workspace control is busy reconnecting, and has a 2 second hold-down timer before it kicks the user off the Web Interface.

 

End of session options:

 

 

Previously when a remote session ended, you had an option to log the local user off. This was particularly useful if you were using Citrix Pass through authentication. A recurring request was to add the ability to restart, or shutdown the pc. This is now included in the offline config tool and group policy.

 

Classic Colours:

 

 

A number of fussy individuals didn’t appreciate my lightsteelblue colour scheme change. For you guys (you know who you are), you can now disable the colour change on startup via group policy or offline config tool if grey is your thing.

 

Process Launcher:

 

A new feature in ThinKiosk 3.0 is the process launcher. Instead of loading ThinKiosk as a browser session, the process launcher simply launches the process you specify, and only displays the ThinKiosk menu bar at the top for user convenience.

 

This process launcher will launch the process you configure, watch the process and relaunch it if the user accidentally closes the window!

Process launcher also has all the user empowering options available, along with power management. This functionality is all free, as opposed to paid-for solutions delivering half this functionality!
As below, you can use the Process launcher for Microsoft Remote Desktop connections:

 

 

Or VMware view!:





Or basically any process you would like to use. This functionality is quite new, so if you find issues with it, I want to know about it!

 

Offline Config Tool improvements:



Restructure:


The offline config tool has been reordered to provide a better structure to settings.





Policy awareness:


 

The offline config tool will now detect values specified in group policy or in user keys it cannot control and warn you that these values exist.

The apply button has been removed from the offline config tool, it wasn’t needed or working exactly as I wanted it to.

 

Bug fixes / enhancements:

 

ThinKiosk Layout changes:


Resizing ThinKiosk has been moved to a more native location as below:





The clock and language selection are now enabled by default:





Advanced functionality:

ThinKiosk can no longer be run as a standalone executable; the shared.dll must be available too. Don’t say I didn’t warn you.

Changing zones in Internet Explorer while ThinKiosk is running used to result in a crash (e.g. moving a domain from the internet zone to trusted sites). This crash is now handled and you will receive a warning icon to restart ThinKiosk at your next convenience. Please note, circumventing this crash will disable Auto log off and log off redirection until ThinKiosk is restarted.

When navigating to a URL with an untrusted SSL certificate, by default an embedded browser will not allow you to continue without prompting for scripting errors. These scripting errors in turn stopped Citrix Web Interface from working in multi farm environments. Support has been added to allow scripting errors only when an untrusted SSL cert is requested.

ThinKiosk will now amend the feature controls necessary for embedded browsers on a per user basis. This will allow for better native support for ActiveX and MIME types. This will cause a quick restart as soon as ThinKiosk launches if a change is necessary. This will also handle the upgrade to Internet Explorer 10 seamlessly. This process can be disabled via the offline config tool / group policy.

All shared code between ThinKiosk and the Offline config tool has been moved to a shared library! It wasn’t fun, it wasn’t easy, but it will make things a lot easier for me in future when making changes.

And it’s still free!


ThinKiosk development has taken quite some time and it takes time to support you via email. If you use ThinKiosk in your environment or appreciate the savings it’s made for you, please consider making a donation to help me keep this project alive… I would really appreciate it as it will allow me to invest in better development tools to make the product look and feel even better!


Download:

The download links for ThinKiosk are available above, or here:

ThinKiosk 3 features preview

September 6, 2012 Leave a comment

As requested, here’s a sneak peek of what to expect in the upcoming release of ThinKiosk 2.3. I hope to have a release candidate available early next week. I’ll need my favourite translators to step forward again to help ThinKiosk reach multi language organisations and users!

Without further ado:

Additional support:

  • Added support for Citrix StoreFront services 1.2 (Cloud Gateway)
  • Added support for VDI in a Box 5.1 (no open prompt!)
  • Added support for Internet Explorer 10
  • Added support for Windows 8
  • Added support for Windows Embedded Standard 8

New Features:

On particularly old or slow PCs, the startup time for ThinKiosk can be quite lengthy while ThinKiosk loads the embedded browser. A splash screen with progress marquee has been added to provide feedback and keep the user entertained.

Screenshot and email functionality. You can now allow ThinKiosk to register [PrintScreen], which in turn will allow the user to send an error or issue directly to the helpdesk, including support information via SMTP. Thanks Shane!

Progress bar! When loading slow-to-load URLs, it can be difficult to tell whether the website has hung, or it has just taken some time to load. By default ThinKiosk 2.3 will ship with an “on demand” progress bar to tell you when ThinKiosk is busy.

Added beta support for Wireless Networks via the control panel (this needs testing).

New items in the admin menu. The admin menu now contains some very useful commands for administrators when troubleshooting end points:

  • Task Manager.
  • Internet Explorer Control panel.
  • Restart /Exit ThinKiosk.
  • Remote Desktop connection.
  • Offline Configuration Tool.

When using Web Interface log off on session launch, ThinKiosk performed the task so quickly that the user was often left a little confused as to what had happened and why they had been kicked out before the session finally launched. ThinKiosk will now provide feedback when a new session launches or when workspace control is busy reconnecting, and has a 2 second hold-down timer before it kicks the user off the Web Interface.

Restart or Shutdown on Session End. Previously when a remote session ended, you had an option to log the local user off. This was particularly useful if you were using Citrix Pass through authentication. A recurring request was to add the ability to restart, or shutdown the PC. This is now included in the offline config tool and group policy.

A number of fussy individuals didn’t appreciate my lightsteelblue colour scheme change. For you guys (you know who you are), you can now disable the colour change on startup via group policy or offline config tool if grey is your thing.

Bug fixes / enhancements:

Changing zones in Internet Explorer while ThinKiosk is running used to result in a crash (e.g. moving a domain from the internet zone to trusted sites). This crash is now handled and you will receive a warning icon to restart ThinKiosk at your next convenience. Please note, circumventing this crash will disable Auto log off and log off redirection until ThinKiosk is restarted.

When navigating to a url with an untrusted SSL certificate, by default an embedded browser will not allow you to continue without prompting for scripting errors. These scripting errors in turn stopped Citrix Web Interface from working in multi farm environments. Support has been added to allow scripting errors only when an untrusted ssl cert is requested.

ThinKiosk will now amend the feature controls necessary for embedded browsers on a per user basis. This will allow for better native support for ActiveX and MIME types. This will cause a quick restart as soon as ThinKiosk launches if a change is necessary. This will also handle the upgrade to Internet Explorer 10 seamlessly. This process can be disabled via the offline config tool / group policy.

The offline config tool will now detect values specified in group policy or in user keys it cannot control and warn you that these values exist.

The apply button has been removed from the offline config tool, it wasn’t needed or working exactly as I wanted it to.

The offline config tool has been reordered to provide a better structure to settings.

All shared code between ThinKiosk and the Offline config tool has been moved to a shared library! It wasn’t fun, it wasn’t easy, but it will make things a lot easier for me in future when making changes.

Tons more error catching in ThinKiosk.

ThinKiosk 2.1 Released

June 23, 2012 4 comments

This update has been a while coming, thanks to all who’ve helped!

 

New features in 2.1:

  • German Language pack. (Thanks Michael)
  • A nifty clock.
  • CloudGateway Express support.
  • VDI in a box support.
  • Pass through Authentication support (documented here)
  • The offline Configuration tool is now a one stop shop with shell replacement and auto login options.
  • The client details and windows version menu items can now also be removed or moved.
  • Debug mode (activated via admin menu).
  • ThinKiosk can be configured to log users off after the session ends (if you are using passthrough).

Bug Fixes in 2.1:

  • The offline configuration tool now obeys UAC.
  • ThinKiosk is now aware of its browser rendering version and will attempt to fix it on the fly.
  • ThinKiosk has been rolled back to 32bit. This was due to compatibility issues. It is 64bit aware and will handle 64bit seamlessly.

You can download it here:

Configuring Citrix CloudGateway Express / Storefront services 1.1 for native SQL authentication.

One of my quibbles with Cloud Gateway is the database connection method. By default (and as per the edocs) CloudGateway Express will attempt to connect to the backend SQL database as the computer account on which Storefront services is running.

Citrix recommend you create a local user group on the SQL server and place the computer account in here… Wait.. what?

If you are running an SQL cluster, this will create a bit of a headache, as in a database failover event, the local group may not exist on the node onto which the cluster has failed to. Running into this event first hand, I decided to investigate how to change this connection string to an SQL account.

My first clue came in the form of the Citrix edocs. In this document here, Citrix describe how to configure database failover for the store service. The connection string is stored in C:\inetpub\wwwroot\Citrix\<storename>\web.config

Now that we know where the connection string lives, it should simply be a case of modifying this string to suit ourselves!

Open the above file, and search for “DazzleResources.DataSource”.

Paste in the below, replacing the existing string, and modify the bolded items:

<add name="DazzleResources.DataSource" connectionString="Integrated Security=SSPI;server=servername\instance ; Database=cloudgateway ; user id=sa ;Password=Password;Trusted_Connection=False" providerName="System.Data.SqlClient" />

Once complete, restart the Receiver Storefront server. Then open the console again. You should now see the updated connection string (in clear text sadly) on the store:

That’s it!

Note: there’s no reason you couldn’t use an AD account for this either. But the plain text view of this string sucks to be honest.
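An added example (not Citrix code, and not from the original post) that reads a store's web.config and reports how the `DazzleResources.DataSource` entry will actually authenticate. In `System.Data.SqlClient`, `Trusted_Connection` is a synonym for `Integrated Security` and the last occurrence in the string wins, so the string above resolves to SQL authentication despite starting with `Integrated Security=SSPI`. The function name is an assumption and the sample web.config is constructed.

```powershell
# Added example, not Citrix code. Written for Windows PowerShell 5.1.
Add-Type -AssemblyName System.Data

function Get-StoreDbAuthFinding {
    param(
        [Parameter(Mandatory)][xml]$WebConfig,
        [string]$Name = 'DazzleResources.DataSource'
    )

    # local-name() keeps the lookup working if the file declares an XML namespace.
    $xpath = "//*[local-name()='connectionStrings']/*[local-name()='add'][@name='$Name']"
    $node  = $WebConfig.SelectSingleNode($xpath)
    if (-not $node) { throw "Connection string '$Name' not found" }

    # Parse with the same rules SqlClient applies at connect time:
    # synonyms are folded together and the last duplicate keyword wins.
    $csb = New-Object System.Data.SqlClient.SqlConnectionStringBuilder `
               -ArgumentList $node.GetAttribute('connectionString')

    [pscustomobject]@{
        Server             = $csb.DataSource
        Database           = $csb.InitialCatalog
        IntegratedSecurity = $csb.IntegratedSecurity
        SqlLogin           = $csb.UserID
        PasswordInFile     = [bool]$csb.Password   # report presence only, never the value
        UsesSaLogin        = ($csb.UserID -eq 'sa')
    }
}

# Constructed sample: the entry from the post inside a minimal web.config.
$sample = [xml]@'
<configuration>
  <connectionStrings>
    <add name="DazzleResources.DataSource" connectionString="Integrated Security=SSPI;server=servername\instance ; Database=cloudgateway ; user id=sa ;Password=Password;Trusted_Connection=False" providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
'@

Get-StoreDbAuthFinding -WebConfig $sample | Format-List

# Against a real store (path pattern from the post):
# Get-StoreDbAuthFinding -WebConfig ([xml](Get-Content 'C:\inetpub\wwwroot\Citrix\<storename>\web.config' -Raw))
```

Since the password sits in the file in clear text, a result with `PasswordInFile` and `UsesSaLogin` both true is the cue to switch to a dedicated login with rights on the cloudgateway database only.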