Archive
Explaining #Citrix Pass-through Authentication
Check out this great blog post from Joel Bejar:
Introduction
Pass-through authentication is a simple concept. User credentials are passed to a Web Interface site and then to the XenApp/XenDesktop servers, preventing users from having to explicitly authenticate at any point during the Citrix application launch process. While this authentication method seems straightforward, there are some moving pieces, and this article aims to break these down to provide a more detailed understanding of how this process truly works within Citrix.
Pass-Through Authentication – Web Interface Site
The first step in the pass-through process occurs at the Web Interface site. Users navigate to the Web Interface site, their credentials are passed through, and they are presented with their Citrix delivered resources. Web Interface is built on Internet Information Services (IIS). For pass-through authentication to work, IIS Integrated Windows Authentication must be leveraged. Formerly called NTLM, this authentication method hashes the user credentials before they are sent over the network. When this type of authentication is enabled, the client browser proves it is authenticated through a cryptographic exchange with the Web Interface server, involving hashing. Because of this, the web browser is responsible for authenticating with the Web Interface Server (IIS). It is important to note, though, that credentials are actually never exchanged. Instead, the signed hash is provided to IIS, proving that said user had already been authenticated at the Windows desktop. The web interface user uses the user’s AD context (sometimes referred to as a token) to retrieve the user’s AD group membership and pass this list of groups directly to the XML service for authentication. At this point, the user has successfully passed through to the Web Interface site, and can now view his/her Citrix resources.
- The WI server must be in the same domain as the user, or in a domain that has a trust relationship with domain of the user.
- If the WI server and user are in different domains, and resources are published using Domain Local AD groups in the user domain, then the WI will not be able to enumerate these, even with a proper AD trust relationship (due to the very nature of Domain Local groups).
- The WI site should be added as a Trusted Site or Intranet Zone site in Internet Explorer. In addition, the security settings should be modified so that User Authentication\Logon is set to ‘Automatic Logon with Username and Password’.
- Pass-through authentication is not supported on Web Interface for NetScaler

Please Note: Pass-through authentication and Kerberos authentication are not interchangeable and they have different requirements.
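The zone requirement above can be audited on a client. This is an added example, not part of the original post: it reads the Internet Explorer zone logon setting (registry value `1A00`) and the explicit site-to-zone mappings, so you can see which sites the browser will authenticate to automatically. `$WiHost` is a hypothetical Web Interface host name.

```powershell
# Added example: audit the IE zone settings that Web Interface pass-through relies on.
# $WiHost is a hypothetical host name; replace it with your Web Interface server.
$WiHost = 'wi.example.internal'

$zoneNames = @{ 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
# Data values of the "User Authentication\Logon" setting (registry value name 1A00)
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
# Policy locations are listed first because Group Policy overrides the per-user setting.
$roots = @(
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

function Get-ZoneLogonSetting {
    foreach ($root in $roots) {
        foreach ($zone in 1..4) {
            $prop = Get-ItemProperty -Path (Join-Path $root "Zones\$zone") -Name '1A00' -ErrorAction SilentlyContinue
            if ($null -eq $prop) { continue }
            $mode = $logonModes[[int]$prop.'1A00']
            if (-not $mode) { $mode = 'Unknown value' }
            [pscustomobject]@{ Source = $root; Zone = $zoneNames[$zone]; Logon = $mode }
        }
    }
}

function Get-ZoneMappedSite {
    foreach ($root in $roots) {
        $domains = Join-Path $root 'ZoneMap\Domains'
        if (-not (Test-Path $domains)) { continue }
        foreach ($key in Get-ChildItem -Path $domains -Recurse) {
            # Keys are stored as Domains\<domain>\<subdomain>; rebuild the host name.
            $parts = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9).Split('\')
            [array]::Reverse($parts)
            $site = $parts -join '.'
            foreach ($scheme in $key.GetValueNames()) {
                if (-not $scheme) { continue }   # skip the unnamed default value
                [pscustomobject]@{
                    Source = $root
                    Site   = $site
                    Scheme = $scheme
                    Zone   = $zoneNames[[int]$key.GetValue($scheme)]
                }
            }
        }
    }
}

$settings = @(Get-ZoneLogonSetting)
$sites    = @(Get-ZoneMappedSite)
$settings | Format-Table -AutoSize
$sites    | Format-Table -AutoSize

# Explicit mapping only; the Local intranet zone can also match by automatic detection.
$match = $sites | Where-Object { $WiHost -eq $_.Site -or $WiHost.EndsWith('.' + $_.Site) }
if (-not $match) {
    Write-Warning "$WiHost has no explicit zone mapping under ZoneMap\Domains."
}
```

Automatic logon applies to every site mapped into a zone where it is enabled, so review the full site list and keep it limited to hosts that need pass-through.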
Pass-Through Authentication – XenApp/XenDesktop Session
One of the biggest misconceptions with Pass-Through authentication in Citrix is that it only occurs when a user navigates to the Web Interface site and he/she is automatically passed through. As mentioned above, this IIS authentication method that is being used does not actually exchange the user password. In other words, Web Interface is never in control of the user credentials. This brings up the question: How are users passed through to the actual XenApp/XenDesktop ICA session?
While the web browser has a role in authenticating the user to the web site, the Citrix client (Citrix Receiver) plays an integral role in making sure the user is fully passed through to the application or desktop. Citrix Receiver installs a process called SSONSVR.exe, which is the single sign-on component of the client (no, not password manager SSO, but rather desktop credential pass-through authentication SSO.) This process is fully responsible for passing the user credentials to XenApp or XenDesktop. Without this piece, pass-through authentication will not function.
Continue reading here!
//Richard
Delivering #Citrix #XenApp on #Hyper-V with PVS and #McAfee – via @TonySanchez_CTX
Good Citrix blog post from Tony Sanchez!
Architectures—whether physical or virtual—should be flexible enough to adapt to different workloads, allowing them to support changing business needs. Although implementing a new IT architecture takes time and careful planning, the process to test and validate an architecture should be easy. In the case of a virtual desktop architecture, test engineers should be able to follow a repeatable pattern, step by step, simply changing out the workload to validate the architecture under different anticipated user densities, application workloads, and configuration assumptions. The procedure should be as easy as learning a new series of dance steps (think PSY’s Gangnam Style, the most watched dance video on YouTube). The point causes me as a test engineer to ask the question: in the case of VDI, why can’t a hypervisor simply learn a new workload just like I might learn a new sequence of dance steps?
Luckily for test engineers, Citrix FlexCast® provides the ability to learn and deliver any workload type by leveraging the power of the Citrix Provisioning Services® (PVS). Recently I worked with engineers from Citrix and Dell, collaborating to build a FlexCast reference architecture for deploying XenApp® and XenDesktop® on Hyper-V on a Dell infrastructure. Testing of this reference architecture looked at how XenApp and XenDesktop performed under various workloads, altering hypervisor configuration settings and examining the overall user experience and user densities. At the drop of a dime, FlexCast and PVS enabled a simple switch of the architecture to a new workload.
Based on that reference architecture effort, we recently began a Single Server Scalability (SSS) test using the latest hardware and software releases available. This blog focuses on that effort — what I call the “XenApp dance step for FlexCast style” and how XenApp workloads perform on Hyper-V. (A follow-on blog article will focus on an alternate “dance” sequence for XenDesktop.) The focus of this blog is how the configuration of the McAfee virus scanning software can impact performance and scaling.
In previous blogs, I describe the testing process and methodology that leverages the Login VSI test harness, along with key tips for success. Since those same methods and recommendations apply here, let’s review the configurations we used for this scalability testing as well as the workloads and actual test results.
For background reading, I highly recommend that you review Frank Anderson’s post on XenApp physical versus virtual testing results with Hyper-V. Frank is my colleague and a great resource for insights about testing, including implementation tips and general best practices. In addition, the related Dell and Citrix white paper describing the FlexCast reference architecture for deploying XenApp and XenDesktop on Hyper-V is available here.
Continue reading here!
//Richard
Enterprise Mobility Report – Lessons from the Mobile Cloud – #Citrix, #BYOD
Here is a good report done by Citrix, not that much that I didn’t expect but great to get some input!
We just released our quarterly enterprise mobility cloud report. Every quarter, we look out across our enterprise mobility customers deployed in the cloud and try to understand common practices by reviewing aggregate data on deployed apps, app blacklisting and whitelisting practices, policy deployments, and OS deployments by region and vertical industry. So here’s a small taste of what we saw in Q412.
Things we expected:
- iOS led in the enterprise. Definitely something we already knew.
- Industries like retail and restaurants – whose use cases involve direct one-on-one customer engagement, were iOS- (and iPad-) heavy. Makes sense.
- Industries with mobile field service organizations went for Android. Given the platform’s lower replacement cost, control-ability, and ubiquity, that makes sense.
- Facebook and Dropbox made the blacklist. Productivity and data security are major concerns, especially for corporate-issued devices.
Things we didn’t expect:
- Android gained in EMEA. Android gained eleven percentage points in Europe, the Middle East, and Africa in a quarter. Anecdotally, we know several organizations there that deployed big Android-based mobile line-of-business initiatives last quarter, but is there a bigger trend? Tell us what you think!
- Healthcare went for Android. 85% of deployed devices in our cloud in healthcare were Android. But healthcare organizations we talk to are standardizing on iOS, so it doesn’t add up! But remember: this is the cloud report. Most of our large healthcare customers have deployed our solution on-premise and those seem to be mostly iOS today. The cloud healthcare companies are really mobile themselves – usually home healthcare organizations like traveling nurses and therapists and hospice care workers who deliver end of life care to patients in their homes. It makes sense that these organizations would be big users of the cloud given the highly distributed nature of the business and the fact that there are some common HIPAA-compliant mobile apps that have developed for the Android platform.
- Dropbox was on the blacklist, but was also one of the most heavily-recommended apps from enterprise IT (in the enterprise app catalog). This juxtaposition speaks to Dropbox’s simultaneous usefulness and risk! Organizations can’t decide! Many of our customers talk to us about the “Dropbox dilemma” and most agree that if they could provide data sharing in a secure, enterprise-grade way, users would go for it.
Download the complete report here!
//Richard
Are you, or wanna become a Mobility or Networking guru? – #EnvokeIT, #Citrix, #XenMobile, #BYOD
Then you might be the one that we’re looking for!!
EnvokeIT is expanding and is looking for people with the following areas of expertise:
Mobility
Are you currently working within the mobility area or with any of the major Mobile Device Management products out there (MDM, MAM, MIM etc.)? Then we’d love to talk to you! We strongly believe in this area and are focusing on it and would like to have you onboard on this journey! And of course we’re focusing on the Citrix product portfolio but are mainly looking for people with experience within the area and not exclusively on the Citrix XenMobile/Zenprise products. And Enterprise Mobility Management is here to stay, it’s the future work-/play-ground!
Networking
Wow, this is an area that is exploding! And I must agree that I’m not the expert within this area, but there are so many new capabilities being developed right now and we and our customers see the business value here. We’re talking about everything from traditional old school SSL VPN to supporting the latest mobility, application and cloud delivery solutions out there! So if you have experience on the Citrix NetScaler product or are a current Cisco, F5 or Riverbed person; contact us to hear more on what we have to offer!
Contact us – EnvokeIT (form page), or if you would rather contact me or Mathias directly:
Richard Egenas – CTO
Email: richard-at-envokeit-.-com
Phone: +46 (0) 768 81 01 62
Mathias Törnblom – CEO
Email: mathias-at-envokeit-.-com
Phone: +46 (0) 8 587 633 10
Thanks for taking your time reading this and I hope that you will join us on this journey!! 🙂
//Richard
#Citrix Virtual Desktop Handbook 5.x – #XenDesktop, #XenApp
Ok, this is a pretty good handbook I must admit. Have a look at it here!
And if you need help then of course you can always contact EnvokeIT! 😉
And here is a good blog post about this as well by Thomas Berger:
One of the foundational project management principles is that project success occurs when it is delivered on time, within budget and with a level of quality that is satisfactory to the client. Of course these three dimensions are valid for any desktop virtualization project as well.
While a lot of information about budget planning and TCO/ROI for virtual desktop / application delivery projects can be found on the internet (e.g. http://flexcast.citrix.com/analyzeandcompare.html), the amount of information about time planning and success criteria is very low.
Since this lack of publicly available information causes every customer to “reinvent the wheel” and therefore add some delays to their projects, we thought it’s time to provide some guidance around these topics.
The result of our efforts has become part of the newly released Citrix Virtual Desktop Handbook (http://support.citrix.com/article/CTX136546). Version 1 of this white paper focuses on the Assess phase that identifies the information required prior to starting the design phase and outlines the project management tasks I mentioned earlier.
But instead of just discussing the topics from a theoretical point of view, we provide detailed guidance and tools which can be used for your projects right away. For example you will get a sample project plan (Microsoft Project), which outlines and provides duration estimates for every step of a desktop virtualization project (sample below).
Furthermore the white paper discusses a general project methodology, describes how business priorities can be identified and provides detailed information about the roles required during an enterprise-grade project (sample below).
This and even more can be found within the new Citrix Virtual Desktop Handbook.
//Richard
#Sanbolic Brings Public Cloud Economics to the Enterprise – #Melio
Ok, I must say that this product is great!!! If you haven’t looked at it before then please do! And contact us at EnvokeIT if you want more details!
Sanbolic Enables Distributed Flash, SSD and HDD to Achieve Enterprise Systems Capability and Scale-Out In Server-Side and Commodity Storage Deployments
Waltham, MA – (March 18, 2013) – Sanbolic® today announced the general availability of its Melio version 5 (Melio5™) software – delivering distributed scale-out, high-availability and enterprise data services through software. Server-side flash has seen rapid adoption for applications such as hyperscale web serving, but limited adoption in general purpose enterprise applications. With the launch of Melio5, Sanbolic enables enterprise customers to dramatically improve their storage infrastructure economics by enabling server-side flash, SSD and HDD as primary persistent storage. Melio5 aggregates across nodes for scale-out and availability while providing RAID, remote replication, quality of Service (QoS), snapshots and systems functionality through a software layer on commodity hardware. This provides customers with the ability to deploy commodity and server-based storage architecture with similar economics and flexibility as public cloud data centers such as Google and Facebook.
With validation by hundreds of enterprise and government organizations running in production, Melio volume management and file system technology addresses the needs of high performing cost effective storage infrastructure on-premise. Melio5’s architecture is designed to scale up to 2,048 nodes and up to 65,000 storage devices enabling linear performance scalability in a cluster.
Melio5 also eliminates the need to deploy a redundant flash caching layer in front of legacy storage area network (SAN) hardware by directly incorporating flash into hybrid volumes and intelligently placing data based on file system access profiles. A hybrid volume will place random access data such as file system metadata on flash sectors while placing sequential data on low cost hard disk drives to greatly reduce the cost of capacity. The result is a highly scalable, high performance storage system, with a much lower cost than legacy storage arrays.
“Typically, server and disk drive vendors operate on gross margins in the 20-30% range. Storage array vendors, on the other hand, are often twice that or more,” said Eric Slack, Senior Analyst, Storage Switzerland. “Sanbolic’s approach leverages the architecture that the big social media and public cloud companies use, to fix this problem. By replacing storage arrays (and storage array margins) with commodity server and disk drive hardware and enabling it with intelligence through software, companies can significantly reduce storage infrastructure costs.”
Terri McClure, Senior Analyst, Enterprise Strategy Group (ESG), stated, “Sanbolic’s Melio5 software enables corporate users to take advantage of flash and SSD in conjunction with commodity hardware to create an intelligent, cost effective, and high performance storage architecture like the huge public cloud companies run, while still ensuring enterprise workload scalability and high availability.”
“Melio5 lets us solve one of the biggest challenges for our customers today – the upfront and management cost for storage – without sacrificing systems capability or performance. The Lego-like modular capability of Melio allows our customers to scale-out their storage and servers based on off-the-shelf commodity components, without downtime,” said Mattias Tornblom, CEO, EnvokeIT.
“LSI and Sanbolic’s shared vision and complementary products help customers to dramatically improve the performance, flexibility and economics of their on-premise storage infrastructure,” said Brent Blanchard, Senior Director of Worldwide Channel Sales and Marketing, LSI Corporation. “LSI’s Nytro™ family of server-side flash acceleration cards and leading SAS-based server storage connectivity solutions…
Continue reading here or here!
//Richard
#Citrix Introducing #CloudBridge 2000 and 3000
Ok, this is interesting!
Citrix is pleased to announce the new WAN-optimization appliances: CloudBridge 2000 and CloudBridge 3000. These appliances come loaded with our WAN-optimization and XenDesktop acceleration technologies including rich protocol optimization, advanced TCP flow-control, adaptive compression and smart acceleration.
This blog highlights some of the key features of these appliances.
Un-matched Scalability: A pay-grow offering that is unique in the WAN-optimization industry
Using the pay-grow offering, CloudBridge 2000 can be scaled from a throughput of 10 Mbps to 20 Mbps and further to 50 Mbps with just a license upgrade. Similarly CloudBridge 3000 can be scaled from 50 Mbps to 100 Mbps and further to 155 Mbps. This avoids the cost, time and logistics overhead associated with a forklift replacement. So if you have a small office and expect to grow in the future then these appliances are ideal for you.
* Session count is limited by link bandwidth, no session count is enforced. Published numbers are for guidance only.
Built-in reliability
CB 2000 and CB 3000 models come prepackaged with Network bypass cards for the traffic interfaces. This ensures that the traffic to your network is never interrupted, even in case of power failure to the appliance.
Also, these models do not contain any rotating disks. Instead they use SSDs as storage resulting in enhanced disk-access speed and…
Continue reading here on the blog post and also look at this Service Delivery Network video where you can look at Citrix’s story on how enterprise and cloud networks are unified into a service delivery fabric that optimizes and secures applications and data.
//Richard
User-centric application delivery with Microsoft System Center and the #XenApp Connector for Configuration Manager
Another good blog post from Citrix:
This week we are happy to announce the release of the XenApp Connector for System Center 2012 Configuration Manager (a.k.a. Project Thor), marking the culmination of several months of collaboration between Citrix and Microsoft.
System Center 2012 Configuration Manager helps IT empower people to use the devices and applications they need to be productive, while maintaining corporate compliance and control. It provides a unified infrastructure for mobile, physical, and virtual environments that allows IT to deliver applications and manage user experiences based on identity, connectivity, and device.
More so than any previous release of Configuration Manager, the 2012 release supports the model of user-centric IT management. The new focus of Configuration Manager is one of empowering users by putting them at the center of the IT universe; one that supports user self-service, bring-your-own-device initiatives, workforce mobility, and the overall IT consumerization trend. We are very excited about the power this user-centric model provides and how that model is realized via integration of Configuration Manager and XenApp.
So what does the XenApp Connector do? Put simply, it extends the reach of admins using Configuration Manager to a much broader range of devices and user locations. Historically, Configuration Manager has been used for management of Windows OS & applications deployed to Windows PCs, Windows laptops, Windows Servers and Windows Phones operating within the traditional IT periphery – in other words Active Directory domain joined machines.
The XenApp Connector and Citrix Receiver extend the reach of Configuration Manager to deliver apps not just to Windows devices but all kinds of office and mobile devices including Linux, iOS, and Android devices; in fact nearly every device on the market today. The Connector also enables a more flexible and mobile workforce. Users are able to gain access to the applications they need regardless of whether they are in the office, working from home, or on the road.
To deliver this functionality, the XenApp Connector leverages three capabilities introduced with System Center 2012:
- Deployment Types
- User-centric administration, and
- The Application Catalog
#Lync 2013 March VDI Update
Microsoft has released an update for Microsoft Lync 2013. This update provides the latest fixes for Lync 2013.
This update fixes several bugs in the RTM versions of Lync 2013 Virtual Desktop Infrastructure (VDI) clients. Additionally, after you apply this update, you do not have to re-enter a username and password when you pair a Lync 2013 VDI plugin with a Lync 2013 Desktop client.
You can apply this hotfix on both Lync 2013 VDI clients and Lync 2013 Desktop clients.
Continue reading and download the update here!
//Richard
SP1 for Windows 7 and for Windows Server 2008 R2 available
Service Pack 1 (SP1) for Windows 7 and for Windows Server 2008 R2 is now available. This service pack is an update to Windows 7 and to Windows Server 2008 R2 that addresses customer and partner feedback.
SP1 for Windows 7 and for Windows Server 2008 R2 is a recommended collection of updates and improvements to Windows that are combined into a single installable update.
Windows 7 SP1 can help make your computer safer and more reliable. Windows Server 2008 R2 SP1 provides a comprehensive set of innovations for enterprise-class virtualization. This includes new virtualization capabilities with Dynamic Memory and Microsoft RemoteFX.
Consumer end-users can find general information about Windows 7 SP1 at the following Microsoft website:








