Linux Virtual Desktop logon name formats

12:43 PM

Some of your Linux VDA users may run into this: they sign on to StoreFront, click a published Linux desktop, and are presented with an ugly "Invalid Login" dialog box in Receiver.

[Screenshots: StoreFront logon (01StoreFront), launching the published Linux desktop (02StoreFront), and the resulting "Invalid Login" dialog in Receiver (03InvalidLogin)]

This can be caused by the underlying Active Directory integration package on the Linux machine (such as Winbind or Centrify) not recognizing the format of the logon name entered in StoreFront.

Citrix StoreFront allows users to log on in any of the following name formats, all of which Windows Active Directory supports:

  • Down-level logon name: MyCorp\sallysmith
  • UPN: sallysmith@mycorp.net
  • NetBIOS suffix format: sallysmith@MyCorp
  • UPN with custom suffix: sallysmith@SalesDepartment

The down-level logon name format is also often referred to as the NTLM name, the SAM account name, or the pre-Windows 2000 name.

These various name formats work seamlessly when delivering Windows applications and desktops, because the target VDAs are Windows machines, and support for every logon name format is baked into the operating system. As you'd expect, Windows machines behave very well in the Windows ecosystem.

For Linux VDAs, however, we rely on your choice of third-party Active Directory integration package, and these vary in features, capabilities and limitations. Most are mature products that do a good job of making Linux a well-behaved member of an AD environment; however, there are limitations when it comes to supporting the full range of logon name formats.

In the example at the beginning of this article, our user Sally logged on with a UPN with a custom suffix (sallysmith@SalesDepartment) to a Linux VDA configured to use Winbind. This failed because Winbind does not recognize custom UPN suffixes and so was unable to resolve the logon name. If Sally had logged on as MyCorp\sallysmith or sallysmith@mycorp.net instead, the session would have started.

If we had used Centrify, which does support custom UPN suffixes, instead of Winbind, Sally would have logged on as sallysmith@SalesDepartment without any problem. However, Centrify merely shifts the problem: it does not support the NetBIOS suffix format, while Winbind does.

An easy way to test which user name formats are supported by the Active Directory integration package is to run getent passwd for a known AD user in each of the name formats. For example:

    getent passwd MyCorp\\sallysmith
    getent passwd sallysmith@mycorp.net
    getent passwd sallysmith@MyCorp
    getent passwd sallysmith@SalesDepartment

If the user is recognized, an entry for the user with their UID and GID is printed. If the name is not recognized, nothing is displayed (and getent exits non-zero). The double backslash in the first case is for shell escaping only; the package sees a single backslash.

Another simple test, which also exercises PAM and Kerberos password authentication, is to log on as a known user on the local console or over Secure Shell. Do this in each of the name formats. For example:

    ssh localhost -l MyCorp\\sallysmith
    ssh localhost -l sallysmith@mycorp.net
    ssh localhost -l sallysmith@MyCorp
    ssh localhost -l sallysmith@SalesDepartment
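The getent checks above, collected into a script: this is an added example, not code from the original post or from the Citrix Linux VDA. It builds the four name formats for a user from an assumed sAMAccountName, NetBIOS domain, DNS domain and optional custom UPN suffix, probes each one with getent passwd (the lookup command lives in a variable so it can be swapped for a stub), and also shows the backslash-to-custom-separator rewrite discussed in the footnote on custom separators below. The names MyCorp, mycorp.net, sallysmith and SalesDepartment are the article's examples; the function names and the LOOKUP_CMD variable are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Citrix Linux VDA): probe which logon name
# formats the AD integration package on this machine can resolve.
#
# The lookup command defaults to "getent passwd"; override LOOKUP_CMD to use
# a different resolver (or a stub when exercising the script itself).
LOOKUP_CMD=${LOOKUP_CMD:-"getent passwd"}

# Print the candidate names for one user, one per line, as "label<TAB>name".
#   $1 sAMAccountName (e.g. sallysmith)     $2 NetBIOS domain (e.g. MyCorp)
#   $3 DNS domain (e.g. mycorp.net)         $4 custom UPN suffix, or ""
#   $5 down-level separator; defaults to the usual backslash
logon_name_formats() {
    sam=$1; netbios=$2; dns=$3; suffix=$4; sep=$5
    [ -n "$sep" ] || sep='\'
    printf 'down-level\t%s%s%s\n' "$netbios" "$sep" "$sam"
    printf 'UPN\t%s@%s\n' "$sam" "$dns"
    printf 'NetBIOS-suffix\t%s@%s\n' "$sam" "$netbios"
    if [ -n "$suffix" ]; then
        printf 'custom-UPN-suffix\t%s@%s\n' "$sam" "$suffix"
    fi
}

# Run the lookup for every format; print "label<TAB>name<TAB>yes|no".
# The name is passed as one quoted argument, so a single backslash is enough
# here; the doubled backslash is only needed when typing at an interactive shell.
probe_logon_names() {
    logon_name_formats "$@" | while IFS="$(printf '\t')" read -r label name; do
        if $LOOKUP_CMD "$name" >/dev/null 2>&1; then status=yes; else status=no; fi
        printf '%s\t%s\t%s\n' "$label" "$name" "$status"
    done
}

# Rewrite a StoreFront-style down-level name (DOMAIN\user) to use a custom
# separator, mirroring what the DownLevelLogonNameSeparator setting makes the
# VDA do before the name reaches PAM. Names containing "@" (UPN, NetBIOS
# suffix, custom suffix) pass through unchanged, as the setting does not
# apply to them.
to_custom_separator() {
    name=$1; sep=$2
    case $name in
        *@*)  printf '%s\n' "$name" ;;
        *\\*) domain=${name%%\\*}; user=${name#*\\}
              printf '%s%s%s\n' "$domain" "$sep" "$user" ;;
        *)    printf '%s\n' "$name" ;;
    esac
}

# Example run against the local integration package with the article's names.
printf '%s\n' "== default backslash separator =="
probe_logon_names sallysmith MyCorp mycorp.net SalesDepartment
printf '%s\n' "== package configured for the + separator =="
probe_logon_names sallysmith MyCorp mycorp.net SalesDepartment '+'
printf "StoreFront name 'MyCorp\\\\sallysmith' becomes: %s\n" \
    "$(to_custom_separator 'MyCorp\sallysmith' '+')"
```

A line ending in yes means the integration package resolved that format; a row of no across every format usually points to a more basic problem (the package not running, or the machine not joined to the domain) rather than a name-format limitation.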

The good news is that the most commonly used formats, the down-level and UPN names, are supported by all of the AD integration packages supported by the Linux VDA.

Possible remedies for an unsupported logon name format are:

  • Instruct your users to avoid the unsupported name formats when logging on to StoreFront.
  • For Winbind, which does not support custom UPN suffixes, remove the custom UPN suffixes from Active Directory, if feasible.
  • For Centrify, which does not support the NetBIOS suffix format, create a UPN suffix that matches the NetBIOS domain name and assign it to each user.

Footnote on custom separators

A special case arises if your AD integration package is configured to use a separator other than backslash for the down-level logon name. A common alternative in Linux circles is the plus sign (+), which gives identities such as MyCorp+sallysmith instead of the usual MyCorp\sallysmith. For example:

    getent passwd MyCorp+sallysmith

Users still log on to StoreFront with the backslashed DOMAIN\user format, as this is what Windows expects; however, the Linux VDA must be configured to replace the backslash with the custom separator before passing the name on to PAM for authentication. This configuration change is made with the ctxreg tool:

    sudo /usr/local/bin/ctxreg update -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\tcp" -v "DownLevelLogonNameSeparator" -d "+"

To check the setting:

    sudo /usr/local/bin/ctxreg read -k "HKLM\System\CurrentControlSet\Control\Citrix\WinStations\tcp" -v "DownLevelLogonNameSeparator"

For this setting to take effect, the VDA and HDX services must be restarted.

Note that the custom separator does not apply to the UPN format or to the other name formats that use the @ symbol; it affects only the down-level name.

To learn more about Linux Virtual Desktop and our team here at Citrix, see all of our posts here.
