Citrix Receiver Desktop Lock

With the launch of Citrix Receiver 4.2, Citrix has brought back their desktop to thin client converter “Desktop Lock”.

Citrix Desktop Lock was dropped from support back in Citrix Receiver 3.4 as it relied on the PNAgent functionality that was killed off in the last release of Receiver 3.4 Enterprise.

With Desktop Lock’s return, it now fully supports the latest and greatest Receiver versions and Citrix StoreFront communication.

Fellow CTP Andrew Morgan and I spent some time looking at Desktop Lock to write this article.  Below you’ll find a review of the product along with an installation guide on how to get Desktop Lock up and running.

How was Desktop Lock before this upgrade?

Before we look at the new version, let's look at why the previous Citrix Desktop Lock was a very basic solution with some gaps.

For example:

  • The machines you converted needed to be on the corporate domain.
  • The user needed to sign in as themselves on the local end point.
  • There was no “choice in the matter”.  If you had more than one desktop available, Desktop Lock would just fire one desktop session alphabetically.
  • User profiles on the local machine quickly became an issue in a shared kiosk environment as they are not cleaned up.
  • No hotkey pass-through.  By default, [Ctrl] + [Alt] + [Del] and [Win] + [L] lock the local workstation, not the remote workstation.
  • Local applications like flash/media player redirection may not work or local hardware may not work. (Desktop Lock does not run active setup, or the run keys which are needed by a number of applications).
  • If you are a local administrator, you cannot use the solution as Desktop Lock closes and logs in locally.

With the return of Desktop Lock, we were hoping some of these drawbacks would be resolved.  Sadly, that’s not the case.  Unfortunately, there are also new ones we weren’t expecting to add to the list:

  • Citrix Desktop Lock does not handle desktops in maintenance mode; it just hangs and eventually logs the user off again.
  • If Citrix Desktop Lock has a difficult time connecting, it prompts the user to restart the machine.  But the restart button on the menu just restarts the local machine!

Desktop Lock for Receiver is simply an update to the previous version to add StoreFront support.  None of the previous gotchas seem to have been addressed.

In Review:

Desktop Lock is a clever utility in the tool belt for Citrix Deployments but has some limiting drawbacks.

If SSO isn’t an immediate requirement and if you are comfortable just publishing a browser, then consider the Desktop Appliance site from StoreFront (with some configuration):

  • Can deliver a better experience
  • Can offer desktop choices
  • Has no domain or SSO requirement
  • Has better handling of errors

Reviewing your options:

There are a number of free products for Windows, like ThinKiosk, available with greater functionality out of the box than Desktop Lock, but the customer’s use case will determine your course of action.

Installation Guide:

Installing Receiver and Desktop Lock

Citrix Desktop Lock requires a number of key installation settings in order to function correctly.  Below we’ve documented them step by step for ease of configuration.

Citrix Receiver must be installed with the SSON functionality

When installing Citrix Receiver, specify the SSON and StoreFront details on the command line to save some heartache:

    CitrixReceiver.exe /includeSSON /ENABLE_SSON=Yes /silent STORE0="Store;https://storefront.domain.local/Citrix/Store/discovery;on;Store"

SSON must be enabled in Group Policy

Import the icaclient.adm file locally (or via GPO) from the Configuration folder under the Citrix ICA Client installation directory.

Browse to Administrative Templates > Citrix Components > Citrix Receiver > User authentication and enable Local username and password.

If using Trusted Sites, the Trusted Sites Zone must be configured to allow SSO pass-through

Computer Policies > Administrative Templates > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone:

Enable Automatic logon with current username and password.

Storefront SSO

SSO must be configured on the StoreFront server that Receiver connects to. In StoreFront, make sure your site is configured to allow SSO.

Testing it before installing Desktop Lock

So there you have it: with a bit of know-how and a pinch of luck, it’s time for testing.

Note: Test this as a user or users.  Ensure Receiver opens as the user when they log in without providing login details. If it works, you’re good to go.
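If the pass-through test fails, the prerequisites above can be checked on the endpoint with a short script. This is an added example, not part of the original article or Citrix tooling; it assumes the SSON helper process is named ssonsvr.exe and the SSON network provider is registered as PnSson, names that do not appear on this page.

```powershell
# Added example: pre-flight checks for the SSON prerequisites listed above.
# Run inside the test user's session on the endpoint, before installing Desktop Lock.
# Assumed names (not from the article): process 'ssonsvr', network provider 'PnSson'.

$checks = @()

# 1. Receiver's single sign-on helper should be running in *this* logon session.
$session = (Get-Process -Id $PID).SessionId
$sson = Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $session }
$checks += [pscustomobject]@{
    Check  = 'SSON helper running in this session'
    Detail = if ($sson) { "PID $($sson[0].Id)" } else { 'not found' }
    Pass   = [bool]$sson
}

# 2. The SSON network provider must be in the provider order, otherwise
#    credentials are never captured at Windows logon.
$orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
$order = (Get-ItemProperty -Path $orderKey -ErrorAction SilentlyContinue).ProviderOrder
$checks += [pscustomobject]@{
    Check  = 'PnSson in network provider order'
    Detail = $order
    Pass   = (($order -split ',') -contains 'PnSson')
}

# 3. Trusted Sites zone (zone 2) logon policy set by the computer GPO.
#    Value 1A00 = 0 means "Automatic logon with current username and password".
$zoneKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$logon = (Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue).'1A00'
$checks += [pscustomobject]@{
    Check  = 'Trusted Sites automatic logon policy'
    Detail = if ($null -ne $logon) { '1A00 = 0x{0:X}' -f $logon } else { 'policy not applied' }
    Pass   = ($null -ne $logon -and $logon -eq 0)
}

$checks | Format-Table -AutoSize -Wrap
if ($checks.Pass -contains $false) {
    Write-Warning 'At least one SSON prerequisite is missing; fix it before installing Desktop Lock.'
}
```

A failed second check on a machine where the first passes usually means Receiver was installed without /includeSSON or the machine has not been restarted since.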

Installing Desktop Lock

Installing Desktop Lock is a fairly trivial matter.  Just fire up the installer and next, next, finish. You’ll then be prompted to restart.

For reference, Desktop Lock works by taking control of the Shell value in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

Desktop Lock also uses Image File Execution Options to redirect all calls to Task Manager to Citrix’s own task manager.

Once finished, Desktop Lock should now be installed.  Restart.

Note: If Desktop Lock detects an administrator logged in, it will revert the shell value to explorer, launch explorer in full desktop mode, and then revert the key again.
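Because the lockdown rests on these two registry hooks, they are worth auditing on converted endpoints. The script below is an added example, not code from the article or from Citrix; the expected Shell and Debugger values are placeholders to be copied from a known-good Desktop Lock machine, and the per-user Shell check goes beyond what the article describes.

```powershell
# Added example: audit the registry hooks Desktop Lock relies on.
# Both expected values are placeholders; copy them from a known-good machine.
param(
    [string]$ExpectedShell    = '<Shell value from a known-good Desktop Lock install>',
    [string]$ExpectedDebugger = '<Debugger value from a known-good Desktop Lock install>'
)

$nt   = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ifeo = "HKLM:\$nt\Image File Execution Options\taskmgr.exe"

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-Hook([string]$Check, $Actual, [string]$Expected, [string]$Default) {
    # Classify a value as Windows default, the expected lockdown value, or unknown.
    if ($null -eq $Actual -or $Actual -eq $Default) { $status = 'NOT LOCKED (Windows default)' }
    elseif ($Actual -eq $Expected)                  { $status = 'OK' }
    else                                            { $status = 'UNEXPECTED, investigate' }
    [pscustomobject]@{ Check = $Check; Value = $Actual; Status = $status }
}

$results = @(
    # Machine-wide shell: explorer.exe is the stock Windows value.
    Test-Hook 'HKLM Winlogon Shell' (Get-RegValue "HKLM:\$nt\Winlogon" 'Shell') $ExpectedShell 'explorer.exe'
    # Task Manager redirect: stock Windows has no Debugger value here.
    Test-Hook 'IFEO taskmgr.exe Debugger' (Get-RegValue $ifeo 'Debugger') $ExpectedDebugger ''
)

# A per-user Shell value overrides the machine-wide one for that account,
# so any value here bypasses (or replaces) the lockdown for this user.
$userShell = Get-RegValue "HKCU:\$nt\Winlogon" 'Shell'
if ($null -ne $userShell) {
    $results += [pscustomobject]@{
        Check  = 'HKCU Winlogon Shell'
        Value  = $userShell
        Status = 'PER-USER OVERRIDE, investigate'
    }
}

$results | Format-Table -AutoSize -Wrap
```

Run it from a 64-bit PowerShell session, and interpret an explorer.exe result with the note above in mind: during an administrator logon the Shell value is temporarily reverted.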

Testing Desktop Lock

When logging in as a user, the user is presented with the familiar login screen for Desktop Lock and is then forwarded to their session.

Note: The log off and restart buttons action locally.

Admin Login

If you log in as an administrator with UAC controls, you will receive the following:

Once you click OK, you will be logged into the full Windows shell.

So now you have some initial thoughts on Citrix Receiver Desktop Lock 4.2 and how to configure it.

If you have found this article interesting or if you have any insights, please feel free to leave comments on this article.


Access Gateway Enterprise with AAA Groups and the Citrix Receiver

I recently enabled VPN in Access Gateway Enterprise as another way to get into my corporate environment, since a handful of engineers and I support the environment.  We already had the Citrix Receiver set up and working through Access Gateway.  Once I began testing the different methods of access after enabling VPN (before rolling out to others), I started getting errors and wasn’t able to log on using the Citrix Receiver.  In this blog post I am going to go over Access Gateway Enterprise with AAA Groups and the Citrix Receiver.

Citrix Products 2010: A Wish List (continued) +1

This week Helge Klein started a Citrix products 2010 wish list. Tim Arenz expanded on Helge’s wish list on his blog earlier today.  I want to expand on both Helge’s and Tim’s additions with my own wishes as well.  I’m sure they both don’t mind since Tim encourages other bloggers to continue adding to this list.  Like Tim, I encourage other bloggers to keep this wish list going.  Helge’s are in black and Tim’s are in red.  So from here on are my additions in orange.

Merchandising Server 1.1 and XenServer Tools Update

Citrix has recently released Merchandising Server 1.1.  Merchandising Server is a XenServer virtual appliance that allows you to centrally manage the setup of the Citrix Receiver, enables Citrix plug-ins and updates, enables access to web-based user support services, and has management reporting features.  I recently downloaded and installed the Merchandising Server virtual appliance in my XenServer lab.  The Merchandising Server virtual appliance comes packaged with XenServer tools 5.0.  In this blog post I am going to go over installing the Merchandising Server virtual appliance and updating the XenServer tools.