I hope everyone has seen the first few blogs in this series, in which the Citrix engineering team has talked about the next generation of connection high availability, session pre-launch and linger, and migration in XenApp and XenDesktop under the new Flexcast Management Architecture (FMA).
Today, I’ll cover the next upcoming feature, unauthenticated connections (or “anonymous” as it was known in XenApp).
Use cases
Unauthenticated connections are most popular among health-care customers but may be used any time an application is used in a kiosk or has its own security and user management. Instead of requiring users to log into Citrix Receiver with Active Directory user credentials, they instead rely on a combination of network security and authentication within the application itself.
When an unauthenticated resource is launched, XenApp uses a pool of local user accounts to host the user’s session. The session has a default idle timer of 10 minutes, and session reconnection and roaming are not allowed. One the session logs off, the user account is returned to the pool to be used by another connection.
Configuring unauthenticated access requires two steps:
- Creating a StoreFront store for unauthenticated users
- Publishing unauthenticated apps and desktops in XenApp
StoreFront Configuration
First, let’s look at the StoreFront setup. Unauthenticated support was recently introduced as a feature of StoreFront 2.5, but it only supports XenApp 6.5 and earlier as a backend for now. Creating an unauthenticated site is simple—just click the “Create Store for Unauthenticated Users” action at the top of the “Stores” tab. The rest of the wizard works just like the regular action to create a new store.
Then, configure Receiver to use the anonymous store, or simply access the Receiver for Web URL—the user is directly taken to the list of apps, skipping the logon screen. Also notice that with unauthenticated stores in StoreFront 2.5, there is no concept of subscribing to apps; the list of all available resources is shown automatically.
XenApp Support
The last XenApp version to support publishing unauthenticated resources was XenApp 6.5, but Citrix engineers are working to bring it forward in an upcoming release. The functionality looks much like XenApp 6.5, and simply allows unauthenticated users to be selected instead of AD accounts:
Although the UI looks much like XenApp, we’ve made two important improvements based on customer requests…
First, enabling unauthenticated access no longer implicitly gives access to all explicit users also. You have the flexibility to allow unauthenticated-only, a list of AD users, or a combination of both. Customers asked for this flexibility to enable them to silo their unauthenticated users onto separate VMs.
Second, there is no creation of local user accounts at VDA install time. This caused problems in some XenApp environments that did not use anonymous user support, so accounts are only created on demand when needed. The anonymous group still exists and may be used to pre-create user accounts if needed.
Finally, we are working to ensure help desk admins can use Citrix Director to troubleshoot these anonymous sessions. More information on this to come.
Come see the demo @ Citrix Synergy:
While this capability is not yet available in XenApp 7.5, we welcome you to stop by to see this demo at Synergy in May. And stay tuned, as there’s more to come as we continue this blog series on upcoming features.