So What's This All About

The purpose of this site

I started off my career in IT 25 years ago as a COBOL Programmer in South Africa and have progressed (or some may say regressed) to consulting on virtualization technologies. I created this site to share my experiences with virtualization and cloud computing, as well as the latest virtualization news, tips, tricks and tools from other experts in the field.



Online Training

Free XenApp 7.6 Training

This free, one-hour online course provides an introduction to Citrix XenApp 7.6. Students will explore key components required in a XenApp 7.6 implementation, the FMA-based architecture, as well as key use cases.

Click here for the course details



Keep Tabs on Me

Social media links

RSS Feed 2.0

 
Articles

Setting a Default Landing Folder for Receiver for Web

An article by Feng Huang from Citrix Blogs

Recently I implemented a customization for a customer to set a default landing folder for Receiver for Web 2.6. As this may be useful for customers who used to follow CTX119550 to customize Web Interface to get this functionality, I am making it available here.

First, follow the instruction here to configure the related Store to be a mandatory store.

Then, configure the Applications view as the default view for the Receiver for Web site as described here.

After that, append the following code snippet to custom.script.js in the contrib folder under the Receiver for Web site (typically C:\inetpub\wwwroot\Citrix\<Store-Name>Web\contrib) and change the value of landingFolderPath in the code to be the path of your desired landing folder.

$(document).ready(function () {
    // Path of the folder to open first, relative to the root of the Apps view.
    var landingFolderPath = '/Microsoft/Office/2013';
    // Override the Receiver for Web widget that renders the Apps tree view
    // so that it opens on the landing folder instead of the root folder.
    $.ctxs.ctxsMyApps.prototype._renderMyApps = function () {
        var self = this;
        self.element.html(self._generateTreeViewMarkup());
        // Prefix the localized root folder name so the path matches what the tree view expects.
        var path = $.localization.string('MyAppFolderRootPathName') + landingFolderPath;
        self._setCurrentPath(path);
        self.element.wrap('<div id="myapps-scroller"></div>').parent().ctxsMakeScrollable();
    };
});

Your desired landing folder will be displayed after users log in to Receiver for Web.

Read More

 

Delivering Contextual Security with SmartControl

An article by Kurt Roemer from Citrix Blogs

Control is a core requirement for delivering on the promises of security – but how can enterprise control align with a threat landscape that is constantly changing due to seemingly unbounded user and usage situations? And, how can this access be unified across all internal and external applications to both enforce security and provide for a superior user experience?

Today’s enterprise security control has to be effected across dynamic access situations that involve combinations of devices, networks, services, applications, locations and the policies designed to protect sensitive enterprise data. These situations can change multiple times throughout the day, as users work from different locations, utilize different devices and networks and access enterprise, SaaS and cloud-based applications to do their jobs.

In the “good old days” before rampant mobility and consumerization, access controls were applied just at the point of login. The evolution of access into highly dynamic usage scenarios has highlighted the need for contextual security, which enables security measures to match the situational-specific policies required to protect sensitive data.

Read More

 

Cookbook to Upgrade from Receiver 3.4 for Windows to Receiver 4.2.100

An article by Mayunk Jain from Citrix Blogs

If you have been using Receiver 3.4 Enterprise for Windows, your mobile workspace is due for spring-cleaning and the Citrix Receiver crew is here to help.

As Dave Coleman reminds us in this blog series–aptly titled “Spring Forward”–on fresh user-experience enhancements, this is the season for change, for rejuvenation, and for embracing the new.

Upgrade to the latest Receiver 4.2.100 for Windows that enables the best performance for graphics-intensive 3D professional applications, USB redirection with published apps, Microsoft Lync virtualization, local app access, app shortcuts, pass-through authentication, and more. Receiver 4.2.100 for Windows provides over 45 fixes and enhancements, making it even simpler for end users to consume IT apps. To benefit from the new features and bug fixes in the recently released XenApp and XenDesktop 7.6 Feature Pack 1, you must plan your upgrades to the latest versions of StoreFront and Receiver as soon as possible.

The new Receiver is a major upgrade over Receiver 3.4 Enterprise, and does not support in-place upgrade by the end-user. The IT administrator must prepare the environment, so all users on the network can complete the upgrade successfully to Receiver 4.2.100. Generally this would happen in the background, when the users restart their clients after the upgrade has been pushed out. There are a number of steps that go into configuring this properly and maintaining the familiar user interface of Receiver 3.4 while upgrading to the new release. We have compiled the best practices in an easy-to-read cookbook that helps IT administrators complete this upgrade with minimum disruption. Once the user base is upgraded to Receiver 4.2, it will make future upgrades easier.

The guide is divided into two parts: if you are already on StoreFront, only refer to the first part; the second part is meant for those still using the older Web Interface. In both cases, there are instructions to upgrade both the IMA-based XenApp 6.5 environment as well as the FMA-based 7.6 environments. A birds-eye view of the instructions looks something like this:

1) Uninstall Receiver 3.4 using group policies (GPO)

2) Use scripted-install to deploy Receiver 4.2.100 with pass-through authentication

3) Use GPO to configure global application shortcuts to Start Menu and Desktop

4) Alternatively, configure per-app settings for Start Menu and Desktop shortcuts

5) Execute the group policies to upgrade Receiver and push the settings to end-points

 

When the end users log in to their clients, the group policies kick in and it takes a few minutes for the upgrade to complete. At that point, the end user has to exit and log in to their Windows session once. The Single Sign-On service will securely record the credentials, and on subsequent logins the user will be authenticated all the way to the published apps and desktops using Windows Authentication pass-through. In the ‘shortcuts only’ mode, users never have to go through the self-service app selection. They will find their mobile workspace apps under the familiar Start Menu or Desktop folders, as desired, the same as locally installed apps.

Using copious screenshots and a step-by-step recipe, this cookbook is your one-stop reference to deploy and upgrade Receiver for Windows.

Read More

 

NetScaler Troubleshooting with Citrix Insight Services

An article by Andrew Redman from Citrix Blogs

Citrix has developed tools and online analysis capabilities to help you collect environment information, analyze that information and receive tailored recommendations based on your Citrix environment and configuration.

The tools are focused on a single mission–data collection–and their impact to your environment is minimal in terms of disk space, prerequisites and performance impact during the data collection process.

Citrix Insight Services analyzes the data captured in the support bundle and provides you with Tailored Recommendations, specific to your environment. To leverage Citrix Insight Services, you’ll need to harvest a NetScaler tech support bundle.

The tech support bundle captures critical system data about the performance of the appliance, error logs and a host of other extremely important data that can be used for analysis.

To create a new tech support bundle that can be analyzed for potential issues on the appliance, simply log into NetScaler via your favorite SSH client and enter the command:

> show techsupport

The tech support file will be generated and stored on the hard drive of NetScaler in the /var/tmp/support directory, and the file name will start with collector_P or collector_S.

You can log into NetScaler via WinSCP and navigate to the /var/tmp/support directory to transfer the collector file to your local computer.

IMPORTANT NOTE: If this appliance is part of an HA pair, make sure that you log into the SECONDARY appliance and collect a tech support bundle on it as well. Citrix Technical Support will use both support bundles to correlate issues between the HA pair.

https://taas.citrix.com/AutoSupport/

Citrix Insight Services

 

Once you log in and the support bundle has been uploaded, you’ll see lots of details that you can investigate.

Read More

 

Performance Tip: Disabling Mouse Shadow for XenDesktop and XenApp

An article by Rachel Berry from Citrix Blogs

Until I joined HDX and started researching them, I had no idea how complicated and troublesome a little arrow could be! Citrix XenDesktop and XenApp both involve constructing a desktop on a server and then remoting the pixels of the desktop to an end-client device; that end-client device could be a Windows workstation, a Linux thin client, an iPad or a smartphone. This means there are two potential places a cursor can be added on top of the desktop, 1) on the server or 2) on the client device.

Server-Rendered Cursors

Server-rendered cursors are expensive for virtualised desktops. Every time the user moves their mouse, that message is sent to the server, so the desktop can be redrawn and then the new desktop is sent back to the user. This can generate high-bandwidth and if the desktop is very complex (e.g. a complex CAD model where the application is recalculating the part) this can become a bottleneck. It can also result in a lot of redrawing of transient intermediate frames that are unnecessary, intermittent information that a user doesn’t need e.g. when they are scrolling or moving a window rapidly.

Client-Rendered Cursors

Client-rendered cursors involve the instruction to redraw the mouse being done on the client and simply overlaid upon the “background” desktop.

Recognising A Server-Rendered Cursor

In XenApp, it is very easy to recognise a server-rendered cursor by dragging the mouse to the edge of an application window. If the tail is chopped off then the mouse is server rendered; a client-rendered mouse being overlaid would retain its tail.

Mouse Shadow

Read More

 

XenApp/XenDesktop Site Design (v2015)

An article by Nick Rintalan from Citrix Blogs

A couple years ago, I wrote an article called “XenApp Farm and Zone Design,” which was based on the IMA architecture and was specific to XenApp, as the article’s name implies. This is, essentially, “Part 2″ of that article, so if you haven’t had a chance to read the first one (or you can’t remember what I was arguing in that article), then please go check out Part 1 first.

Here, I am going to talk about FMA Site Design, which applies to both XenApp & XenDesktop 7.x, which use the FMA architecture. And really I’d like to shed some light on some interesting designs we’re doing in the field when there is more than one data center. Because you actually have options, despite what you’ve probably been told. ;)

The Absence of Zones in FMA

No, the current shipping version of XenApp & XenDesktop (7.6 FP1) does not have a “zone” feature similar to what we had in IMA. And a “site” in FMA is really analogous to a farm in the IMA world. So, when there are multiple data centers in the mix, we have to implement multiple FMA sites, right? That is certainly what our documentation says (buried towards the bottom of this page in eDocs we essentially tell you to implement 1 site per data center and leverage StoreFront aggregation). And if you call Support, that is probably what they’ll tell you as well (“you have to create a separate site for each data center to be officially supported”).

But what if you have 2 data centers that are connected via dark fiber? What if those 2 data centers are in the same city, but literally across town from each other? What if the latency between your data centers is sub-5 ms? What if it is 50 ms? 100 ms? Where does the VDA-DDC and DDC-SQL communication within FMA really break down and start to cause performance degradation? Those are the questions a few of our customers have been wondering as they make the transition from IMA to FMA, so our Consulting and Product teams decided to dig a little deeper and figure it out.

As it turns out, we have quite a few customers with “well-connected” data centers within close proximity of one another and we really can get away with a single site.

Well-Connected Sites

This is the tricky part: defining just what the heck “well-connected” means. Because if you’ve got 2 data centers that are well-connected to each other, you absolutely can get away with a single FMA site (and I would argue it is fully supported if it meets the requirements I’m about to lay out). Most vendors and industry experts seem to agree that well-connected means they are connected via high-speed link and that link has very low latency. But what does “high” and “very low” mean in this context? What does “close proximity” really mean? It will vary slightly depending on who you talk to, but most folks seem to agree on the following:

  • High Speed Network Link = 1 Gbps+
  • Very Low Network Latency = sub-5 ms
  • Close Proximity = 50 miles or less

So, if you have 2 data centers connected via dark fiber and they are, say, 15 miles apart and the average network latency is 3 ms, then you can definitely treat those as one logical data center if you so choose (and implement 1 FMA site). We’ve done this a number of times already in the field and there are honestly no performance issues whatsoever. And again, I think this is a fully supported scenario and you can point to this article if someone tells you otherwise.

Where it becomes a little grayer is when you have two data centers that are connected via 10 Mbps and say 30 ms latency (or even 1 Mbps and 100 ms latency). What is the tipping point and when should you definitely implement multiple FMA sites?

Not-So-Well-Connected Sites

First off, I have to say that if you don’t meet the requirements I outlined above, then you’re not going to be officially supported by Citrix. This may change in a future version of XenApp/XenDesktop, but with 7.6, if you decide to do what I’m about to tell you, then you’re taking a risk, as you’re relegated to “best effort” support.

Now that the disclaimer is out there … we have a few customers who have the classic branch office scenario or “mini” data centers (DCs). These branches or mini DCs have data that can’t be migrated to a central office/DC, but at the same time, it’s neither a ton of data nor users, so we don’t need a ton of workers/VDAs to support the load. These scenarios are perfect for extending a single FMA site to distributed sites that are not-so-well connected to the main DC (where SQL and the Brokers live).

So, what does “not-so-well-connected” mean and where does it fall over? After running this through the lab with a WAN Emulator testing, literally, dozens of different link speeds and latency combinations (and also proving this out in the field at a few willing customers!), we found that things start to deteriorate if you exceed 50 ms latency or have less than 256 kbps bandwidth. And while I mentioned bandwidth/speed there, it really didn’t play as big a factor as we thought and we were even getting decent results with ~100 kbps! Like most applications, it’s really all about the latency.

So, what did we test exactly and what should you expect if you do this? Well, that’s a bit out of scope for this article (and maybe I can do a follow-up article with all the gory details if folks are interested), but a few things I’ll highlight:

Read More

 

Deployment Guide For Microsoft Lync 2013 In VDI Environment

An article by Mayank Singh from Citrix Blogs

With the release of the Feature Pack 1 for Citrix XenDesktop 7.6, we now support audio and video optimization for Microsoft Lync 2013 Client and Server deployments using the Citrix HDX RealTime Optimization Pack for Lync. This level of Lync optimization is unique in the market.

While the optimization pack is the best way to deliver Lync to end-users in most scenarios, XenApp and XenDesktop also provide additional options which should be considered as part of the project planning phase.

These options are:

  1. Using Citrix HDX RealTime Optimization Pack for Lync
  2. Using Microsoft Lync 2013 VDI Plugin
  3. Citrix Generic HDX Delivery
  4. Citrix Local App Access
  5. Lync Online and Office 365

This deployment guide discusses all options in detail, provides best practice recommendations and step-by-step installation instructions.

Read More

 

Citrix X1 StoreFront High Availability

An article by Trond Eirik Haavarstein from xenappblog

In my latest posts I’ve shown you how to secure and customize your Citrix X1 StoreFront solution.

Now let’s take a look at how you can remove the single point of failure by configuring a multiple-server deployment. Did you know it doesn’t work as expected?

I’m deploying all my servers with my Automation Framework, so let’s take a look at the Task Sequence.

[Screenshot: Citrix X1 StoreFront High Availability 017]

So the Task Sequence will install Citrix X1 StoreFront unattended and also Import and Bind the SSL Certificate because the Task Sequence variable is set to True in CustomSettings.ini. Read more about it in my post Securing Citrix X1 StoreFront with Powershell.

[Screenshot: Citrix X1 StoreFront High Availability 018]

[Settings]
Priority=ByVM, UUID, Default
Properties=XenAppRole, PVSTemplate, WindowsUpdate, ImportCertificate, ConfigureSite, JoinSite, vCenterCertificate
WindowsSource=%DeployRoot%\Operating Systems\Windows Server 2012 R2\sources\sxs

WindowsUpdate=False
ImportCertificate=True
vCenterCertificate=False
ConfigureSite=True
JoinSite=True

Let’s start the Citrix X1 StoreFront console for the first time on SF-02.

[Screenshot: Citrix X1 StoreFront High Availability 003]

To get High Availability you need to click on Join existing server group. This will ask for the Authorizing server and code.

[Screenshot: Citrix X1 StoreFront High Availability 004]

To get this Code you need to head over to your Primary X1 StoreFront server, in my case SF-01.

Select Server Group – Add Server. This will give you the code.

[Screenshot: Citrix X1 StoreFront High Availability 005]

Head back to your Secondary X1 StoreFront Server and type in the information above.

[Screenshots: Citrix X1 StoreFront High Availability 006, 007, 008]

Now let’s test the new site on SF-02.

[Screenshots: Citrix X1 StoreFront High Availability 009, 010, 011]

Hey, Wait a Minute Citrix! Where’s my customization that I made according to the post Citrix Netscaler Gateway and X1 StoreFront Customization?

So the built in Synchronization takes care of my Application Subscriptions, Trusted Domains and Feature App Groups, but why not Customize Website Appearance?

[Screenshot: Citrix X1 StoreFront High Availability 012]

Citrix wants us to leverage Netscaler Gateway for Load Balancing, but what help does that do if StoreFront can’t replicate my Customizations!

Well, fix it yourself. Run the following script to replicate the Customization:

$PriSF="sf-01.ctxlab.local"
$SecSF="sf-02.ctxlab.local"
$StoreLocation="StoreWeb"

# Copy the custom folder (style.css, logos, custom scripts) from the primary to the secondary via the admin share
copy-item \\$PriSF\c$\inetpub\wwwroot\Citrix\$StoreLocation\custom\* \\$SecSF\c$\inetpub\wwwroot\Citrix\$StoreLocation\custom -Recurse
# The full-screen background image lives outside the custom folder, so copy it separately
copy-item \\$PriSF\c$\inetpub\wwwroot\Citrix\$StoreLocation\receiver\images\2x\ReceiverFullScreenBackground_46E559C0E6B5A27B.jpg \\$SecSF\c$\inetpub\wwwroot\Citrix\$StoreLocation\receiver\images\2x\ReceiverFullScreenBackground_46E559C0E6B5A27B.jpg -Recurse

[Screenshot: PowerShell Customization Replication]
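As an added example (not the xenappblog post's own script), the same replication extended to several server-group members with a hash comparison afterwards, so that a member whose appearance files silently differ from the primary is reported rather than assumed to be in sync. The server names, the store name, the admin-share path and the wildcard on the background-image name are assumptions for a lab; adjust them to your environment.

```powershell
# Added example, not the xenappblog post's own script.
# Replicates the StoreFront appearance customization from the primary
# server-group member to the others and then verifies it by SHA256 hash,
# so that drift between members is detected instead of assumed away.
# Server names, store name and admin-share path below are lab assumptions.
$PrimarySF     = "sf-01.ctxlab.local"
$SecondarySFs  = @("sf-02.ctxlab.local", "sf-03.ctxlab.local")
$StoreLocation = "StoreWeb"
$SiteRoot      = "c$\inetpub\wwwroot\Citrix\$StoreLocation"

# What to replicate: the custom folder in full, and only the full-screen
# background image from the receiver images folder (the hash suffix in its
# name varies per install, hence the wildcard; an assumption).
$Targets = @(
    @{ Path = "custom";             Filter = "*" },
    @{ Path = "receiver\images\2x"; Filter = "ReceiverFullScreenBackground_*.jpg" }
)

function Get-FileHashMap {
    param([string]$Root, [string]$Filter)
    # Map of path-relative-to-$Root -> SHA256, so two servers can be compared.
    $map = @{}
    Get-ChildItem -Path $Root -Filter $Filter -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($Root.Length).TrimStart('\')
        $map[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $map
}

function Compare-HashMap {
    param([hashtable]$Source, [hashtable]$Destination)
    # Files present on the source whose copy is missing or differs on the destination.
    return @($Source.Keys | Where-Object { $Destination[$_] -ne $Source[$_] })
}

foreach ($t in $Targets) {
    $src = "\\$PrimarySF\$SiteRoot\$($t.Path)"
    foreach ($sec in $SecondarySFs) {
        $dst = "\\$sec\$SiteRoot\$($t.Path)"
        if (-not (Test-Path $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
        Copy-Item -Path "$src\$($t.Filter)" -Destination $dst -Recurse -Force

        # Verify: every replicated file must exist with the same hash on the secondary.
        $srcHashes = Get-FileHashMap -Root $src -Filter $t.Filter
        $dstHashes = Get-FileHashMap -Root $dst -Filter $t.Filter
        $drift = Compare-HashMap -Source $srcHashes -Destination $dstHashes
        if ($drift.Count -gt 0) {
            Write-Warning "$sec : $($drift.Count) file(s) differ under $($t.Path): $($drift -join ', ')"
        } else {
            Write-Host "$sec : $($t.Path) in sync ($($srcHashes.Count) file(s) checked)"
        }
    }
}
```

Run it from the primary as an account with administrative rights on every member; the hash pass is what turns a one-way copy into a check you can rerun after a StoreFront upgrade to confirm that the managed section of style.css did not overwrite your customizations on one member only.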

Let’s check Customize Website Appearance once more.

[Screenshot: Citrix X1 StoreFront High Availability 016]

I’ve recently found the class for the Login Page Logo and added that to my StoreWeb\custom\style.css file, which at the moment looks like this:

[Screenshot: Citrix X1 StoreFront High Availability 014]

/* Edit this file to customize the User Interface by overriding the existing CSS Styles. 
 * You can use browser development tools to identify the CSS classes you want to customize.
 */

/* When using the StoreFront Authentication SDK to return custom forms, a class "customform" is added to each form.
 * The following commented CSS rule illustrates how to modify the width of form field labels for custom forms.
 */

/*
.customform .field {
    width: 400px;
}
*/

/* The following section of the file is reserved for use by StoreFront. */
/* CITRIX DISCLAIMER: START OF MANAGED SECTION. PLEASE DO NOT EDIT ANY STYLE IN THIS SECTION */
.theme-header-bgcolor{
	background-color:#464647;
}
.is-hdpi .logo-container{
	background-image: url('Receiver_Logo_2x.png');
	background-size: 110px 39px;
}
.logo-container{
	background-image: url('Receiver_Logo_1x.png');
	background-size: 110px 39px;
}
/* CITRIX DISCLAIMER: END OF MANAGED SECTION. */
/* You may add custom styles below this line. */
.with-logo.logon-spacer{
	background-image: url('xenappblog_Logo.png');
}

[Screenshot: Citrix X1 StoreFront High Availability 013]

I tried for a couple of hours to replace the background image in the Body, but it didn’t work out too well. Probably because the body is calling another CSS file. If anyone has solved this issue, please share in the comments below.

I want to specify the location and e.g. Custom_BG.jpg in Style.css instead of using the ridiculously long name ReceiverFullScreenBackground_46E559C0E6B5A27B.jpg.

The post Citrix X1 StoreFront High Availability appeared first on xenappblog.

 

How To Double Your VSAN Performance

An article by Chuck Hollis from VMware vSphere Blog » vSphere


VSAN 6.0 is now generally available!

Among many significant improvements, performance has been dramatically improved for both hybrid and newer all-flash configurations.

VSAN is almost infinitely configurable: how many capacity devices, disk groups, cache devices, storage controllers, etc.  Which brings up the question: how do you get the maximum storage performance out of a VSAN-based cluster?

Our teams are busy running different performance characterizations, and the results are starting to surface.  The case for performance growth by simply expanding the number of storage-contributing hosts in your cluster has already been well established — performance linearly scales as more hosts are added to the cluster.

Here, we look at the impact of using two disk groups per host vs. the traditional single disk group.  Yes, additional hardware costs more — but what do you get in return?

As you’ll see, these results present a strong case that by simply doubling the number of disk -related resources (e.g. using two storage controllers, each with a caching device and some number of capacity devices), cluster-wide storage performance can be doubled — or more.

Note: just to be clear, two storage controllers are not required to create multiple disk groups with VSAN.  A single controller can support multiple disk groups.  But for this experiment, that is what we tested.

This is a particularly useful finding, as many people unfamiliar with VSAN mistakenly assume that performance might be limited by the host or network.  Not true — at least, based on these results.

For our first result, let’s establish a baseline of what we should expect with a single disk group per host, using a hybrid (mixed flash and disks) VSAN configuration.

Here, each host is running a single VM with IOmeter.  Each VM has 8 VMDKs, and 8 worker tasks driving IO to each VMDK.  The working set is adjusted to fit mostly in available cache, as per VMware recommendations.

More details: each host is using a single S3700 400GB cache device, and 4 10K SAS disk drives. Outstanding IOs (OIOs) are set to provide a reasonable balance between throughput and latency.

[Figure: VSAN_perf_1]

On the left, you can see the results of a 100% random read test using 4KB blocks.  As the cluster size increases from 4 to 64, performance scales linearly, as you’d expect.  Latency stays at a great ~2msec, yielding an average of 60k IOPS per host.  The cluster maxes out at a very substantial ~3.7 million IOPS.

When the mix shifts to random 70% read / 30% writes (the classic OLTP mix), we still see linear scaling of IOPS performance, and a modest increase in latency from ~2.5msec to ~3msec.  VSAN is turning in a very respectable 15.5K IOPS per host.  The cluster maxes out very close to ~1m IOPS.

Again, quite impressive.  Now let’s see what happens when more storage resources are added.

For this experiment, we added an additional controller, cache and set of capacity devices to each host.  And the resulting performance is doubled — or sometimes even greater!

[Figure: VSAN_perf_2]

Note that now we are seeing 116K IOPS per host for the 100% random read case, with a maximum cluster output of a stunning ~7.4 million IOPS.

For the OLTP-like 70% read / 30% write mix, we see a similar result: 31K IOPS per host, and a cluster-wide performance of ~2.2 million IOPS.

For all-flash configurations of VSAN, we see similar results, with one important exception: all-flash configurations are far less sensitive to the working set size.  They deliver predictable performance and latency almost regardless of what you throw at them.  Cache in all-flash VSAN is used to extend the life of write-sensitive capacity devices, and not as a performance booster as is the case with hybrid VSAN configurations.

In this final test, we look at an 8 node VSAN configuration, and progressively increase the working set size to well beyond available cache resources.  Note: these configurations use a storage IO controller for the capacity devices, and a PCI-e cache device which does not require a dedicated storage controller.

On the left, we can see the working set increasing from 100GB to 600GB, using our random 70% read / 30% OLTP mix as before.

Note that IOPS and latency remain largely constant:  ~40K IOPS per node with ~2msec latency.  Pretty good, I’d say.

On the right, we add another disk group (with dedicated controllers) to each node (flash group?) and instead vary the working set size from an initial 100GB to a more breathtaking 1.2TB.  Keep in mind, these very large working set sizes are essentially worst-case stress tests, and not the sort of thing you’d see in a normal environment.

[Figure: VSAN_perf_3]

Initially, performance is as you’d expect: roughly double of the single disk group configuration (~87K IOPS per node, ~2msec latency).  But as the working set size increases (and, correspondingly, pressure on write cache), note that per-node performance declines to ~56K IOPS per node, and latency increases to ~2.4 msec.

What Does It All Mean?

VSAN was designed to be scalable depending on available hardware resources.  For even modest cluster sizes (4 or greater), VSAN delivers substantial levels of storage performance.

With these results, we can clearly see two axes to linear scalability — one as you add more hosts in your cluster, and the other as you add more disk groups in your cluster.

Still on the table (and not discussed here): things like faster caching devices, faster spinning disks, more spinning disks, larger caches, etc.

It’s also important to point out what is not a limiting factor here: compute, memory and network resources – just the IO subsystem which consists of a storage IO controller, a cache device and one or more capacity devices.

The other implication is incredibly convenient scaling of performance as you grow — by either adding more hosts with storage to your cluster, or adding another set of disk groups to your existing hosts.

What I find interesting is that we really haven’t found the upper bounds of VSAN performance yet.  Consider, for example, a host may have as many as FIVE disk groups, vs the two presented here.   The mind boggles …

I look forward to sharing more performance results in the near future!

———–

Chuck Hollis

http://chucksblog.typepad.com

@chuckhollis

 

 

 

Reducing PIN Prompts with NetScaler Gateway and Smart Cards

An article by Nicholas Czabaranek from Citrix Blogs

Smart Cards and NetScaler Gateway are a common XenApp/XenDesktop access scenario for many of our customers – especially in the U.S. Federal space where smart card usage has been mandated for most government agencies. One of the most common requests that we get when implementing Smart Cards is to reduce the number of PIN prompts that a user receives before they can get to their Windows applications or desktops. In this article I’m going to outline what configurations result in different PIN prompts, primarily in the context of Windows-based client devices accessing the NetScaler Gateway through a web browser.

Let’s go through the different places where we expect to see a PIN prompt in a non-optimized NetScaler Gateway + Smart Card configuration:

  1. Authentication to NetScaler. We need to authenticate the user with their PIN + Certificate before we can do anything else on the system. This is accomplished by requiring a client certificate to make the initial SSL connection to NetScaler Gateway.
  2. ICA Connection to NetScaler. After a user selects a published application or desktop to launch, Citrix Receiver will connect them to the NetScaler Gateway over SSL to begin the ICA session. If the Gateway vServer asks for a client certificate, the user will receive a PIN prompt.
  3. Windows Authentication to Desktop or XenApp Server. If single sign-on hasn’t been configured, or isn’t available, the Windows machine hosting the application or desktop that we want to connect to will also ask for the user’s PIN to logon.

Some would say that’s a lot of prompts, and I would tend to agree. Most users expect that they authenticate only once with their PIN as this is what they are used to on their traditional local Windows devices.

The good news is…it can be done!

Based on the three PIN prompts above let’s talk about how each one can be handled:

  1. Authentication to NetScaler. This prompt is normally needed as it allows us to authenticate the user at the NetScaler before allowing them access to internal resources. At a minimum the user will need to select their certificate if their Smart Card is configured with multiple certs. If their PIN is cached by a middleware application from their Windows client logon (like ActivClient), then they won’t need to enter a PIN here. Otherwise we expect both a certificate selection and PIN entry here.
    1st Prompt – Removable!

    If the client device has middleware that supports and is configured for PIN caching, the user can bypass the PIN prompt for the initial NetScaler Gateway connection.

  2. ICA connection to NetScaler. This is the easiest prompt to get rid of completely, and just requires that you set up a second NetScaler Gateway vServer that only handles ICA proxy. This NetScaler Gateway will not be configured to prompt for Client Certificate Check, meaning the SSL ICA connection doesn’t need to prompt the user again. At Web Interface we would set up Secure Access to point to this vServer instead of the initial authentication NetScaler Gateway. For information on how to do this in StoreFront using Optimal Gateway Routing, check out Bill Hackley’s blog post:

    Read More