Configuring Citrix VDA Smart Card Authentication
You can integrate Delinea Agent for *NIX with the Citrix Virtual Delivery Agent (VDA) for Active Directory user authentication. This integration lets users log in to remote Red Hat Enterprise Linux (RHEL) virtual desktop sessions with a smart card connected to the client device.
The Delinea Authentication Service supports pass-through authentication if the Citrix requirements are met. For details, see https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/system-requirements.html.
Be sure that you have set up smart card authentication already on Windows systems in your domain before continuing.
To configure Citrix VDA smart card authentication:
- Install the Citrix Linux VDA.
For details, see the Citrix documentation: https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/installation-overview.html.
For example, you might run a command that looks like the following:
sudo yum -y localinstall XenDesktopVDA-19.9.0.3-1.el7_x.x86_64.rpm
- Install the necessary software and perform the required system integrations as described in the Citrix VDA documentation.
You do not need to configure NTP separately in an Active Directory environment, but the Citrix Linux VDA does require certain software, such as PostgreSQL and OpenJDK. For details, see https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/configuration.html.
- Install Delinea Agent for *NIX version 19.9 or later and join the computer to the domain.
For details, see the Planning and Deployment Guide.
- To configure the agent integration with the Citrix Linux VDA, add the following setting to the centrifydc.conf file:
smartcard.login.service.accounts: ctxsrvr
The Citrix smart card login service runs as the ctxsrvr account. This parameter specifies the list of non-root user accounts that are allowed to use the smart card login services.
- Configure the Citrix Linux Virtual Delivery Agent (VDA).
For details, see the Citrix documentation: https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/configuration.html and https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/installation-overview/redhat.html.
Below is an example of running ctxsetup.sh in interactive mode; be sure to adjust as needed for your environment.
$ sudo /opt/Citrix/VDA/sbin/ctxsetup.sh
Welcome to the Citrix Linux VDA setup script. This script will guide you through the
configuration of the Linux VDA system services. You can re-run this script at
any time to reconfigure the system.
Gathering information...
Checking CTX_XDL_DOTNET_RUNTIME_PATH... Value not set.
Dotnet Core runtime environment is needed to run Linux VDA.
Linux VDA will install it to /opt/dotnet by default.
If required, please specify an absolute path in valid format here (e.g., /the/path). [<none>]:
Checking CTX_XDL_SUPPORT_DDC_AS_CNAME... Value not set.
The Virtual Delivery Agent supports specifying a Delivery Controller name using a DNS CNAME record.
Do you want to enable support for DNS CNAME records? (y/n) [n]: y
Checking CTX_XDL_DDC_LIST... Value not set.
The Virtual Delivery Agent requires a space-separated list of Delivery Controller Fully Qualified Domain Names
(FQDNs) to use for registering with a Delivery Controller. Please provide the FQDN of at least one Delivery
Controller: CS.CITRIX.TEST
Checking CTX_XDL_VDA_PORT... Value not set.
The Virtual Delivery Agent by default communicates with Delivery Controllers using TCP/IP port 80.
Please provide the TCP/IP port the Virtual Delivery Agent service (ctxvda) should use to communicate with a
Delivery Controller [80]:
Checking CTX_XDL_REGISTER_SERVICE... Value not set.
The Linux VDA services support starting during boot.
Do you want to register these services to start on boot? (y/n) [y]:
Checking CTX_XDL_ADD_FIREWALL_RULES... Value not set.
The Linux VDA services require incoming network connections to be allowed through
the system firewall. Do you want to automatically open the required ports (by default ports 80, 1494, 2598, 8008 and 6001~6099) in the
system firewall for the Linux VDA? (y/n) [y]:
Checking CTX_XDL_AD_INTEGRATION... Value not set.
The Virtual Delivery Agent requires Kerberos configuration settings to authenticate with Delivery Controllers. The
Kerberos configuration is determined from the installed and configured Active Directory integration tool on this
system. Please select the Active Directory integration tool configured on this system:
1: Winbind
2: Quest
3: Centrify
4: SSSD
5: PBIS
Select one of the above options (1-5) [1]: 3
Checking CTX_XDL_HDX_3D_PRO... Value not set.
Linux VDA supports HDX 3D Pro, a set of graphics acceleration technologies designed to optimize the
virtualization of rich graphics applications. HDX 3D Pro requires a compatible NVIDIA Grid graphics card to be
installed. If HDX 3D Pro is selected the Virtual Delivery Agent will be configured for VDI desktops (single-session)
mode. Do you want to enable HDX 3D Pro? (y/n) [n]:
Checking CTX_XDL_VDI_MODE... Value not set.
Linux VDA supports delivery of hosted shared desktops (multi-session) or VDI desktops (single-session).
Do you want to enable VDI desktops (single session) mode? (y/n) [n]: y
Checking CTX_XDL_SITE_NAME... Value not set.
The Virtual Delivery Agent discovers LDAP servers using DNS, querying for LDAP service records. To limit the DNS
search results to a local site, a DNS site name may be specified.
If required, please specify a local DNS site name. [<none>]:
Checking CTX_XDL_LDAP_LIST... Value not set.
The Virtual Delivery Agent by default queries DNS to discover LDAP servers, however if DNS is unable to provide
LDAP service records, you may provide a space-separated list of LDAP Fully Qualified Domain Names (FQDNs) with
LDAP port (e.g. ad1.mycompany.com:389).
If required, please provide the FQDN:port of at least one LDAP server. [<none>]:
Checking CTX_XDL_SEARCH_BASE... Value not set.
The Virtual Delivery Agent by default queries LDAP using a search base set to the root of the Active Directory
Domain (e.g. DC=mycompany,DC=com), however to improve search performance, a search base may be specified
(e.g. OU=VDI,DC=mycompany,DC=com).
If required, please provide an LDAP search base. [<none>]:
Checking CTX_XDL_FAS_LIST... Value not set.
The Federated Authentication Service (FAS) servers are configured through AD Group Policy. But because
the Linux VDA does not support AD Group Policy, you can provide a semicolon-separated list of FAS servers instead.
Caution 1: The sequence must be the same as configured in AD Group Policy.
Caution 2: If any server address is removed, you must fill its blank with the '<none>' string and keep the index of server addresses without any changes.
If required, please specify the list of FAS servers (e.g., fasserver.company.com). [<none>]:
Checking CTX_XDL_START_SERVICE... Value not set.
The Linux VDA services may be started after configuration is complete.
Do you want to start these services once configuration is complete? (y/n) [y]:
Configuring Citrix Linux VDA ...
Configuration complete.
- In Citrix Virtual Apps or Citrix Virtual Desktops, create the machine catalog and delivery group.
- (Optional) Enable the group policy entitled "Enable smart card support."
- Verify that smart card login is enabled on the Linux computer:
$ sudo sctool -s
Delinea Smart Card support is enabled.
If you have not enabled the "Enable smart card support" group policy, you may need to run the following command to enable smart card login:
$ sctool -e
For details about this group policy, see the Smart Card Configuration Guide.
- Reboot the Linux computer.
- In Citrix StoreFront, enable smart card authentication.
For details, see https://docs.citrix.com/en-us/storefront/current-release/configure-authentication-and-delegation/configure-authentication-service.html.
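The centrifydc.conf step above adds ctxsrvr to smartcard.login.service.accounts by hand. As an added example (not Delinea's or Citrix's own tooling), the following POSIX shell function makes that change idempotently: it ignores the commented-out default, leaves an existing entry alone, and extends an existing active line rather than creating a second, conflicting one. It assumes the parameter uses "key: value" syntax with a whitespace-separated list and that the agent's configuration file lives at /etc/centrifydc/centrifydc.conf.

```shell
#!/bin/sh
# Added example, not Delinea or Citrix code. Idempotently add a service
# account to smartcard.login.service.accounts in centrifydc.conf.
# Assumptions: "key: value" syntax with a whitespace-separated value list,
# and a leading '#' marks the commented-out default shipped in the file.

KEY='smartcard.login.service.accounts'
# Regex body for an active setting line; callers anchor it with '^'.
KEY_RE='[[:space:]]*smartcard\.login\.service\.accounts[[:space:]]*:'

# Prints "added", "present" or "appended" so a caller can log what happened.
ensure_smartcard_service_account() {
    conf="$1"; account="$2"
    # First active (uncommented) setting; the '#'-prefixed default is skipped.
    line=$(grep -E "^$KEY_RE" "$conf" | head -n 1)
    if [ -z "$line" ]; then
        printf '%s: %s\n' "$KEY" "$account" >> "$conf"
        echo added
        return 0
    fi
    # Compare against each listed account; commas are tolerated on read.
    for existing in $(printf '%s' "${line#*:}" | tr ',' ' '); do
        if [ "$existing" = "$account" ]; then
            echo present
            return 0
        fi
    done
    # Extend the existing active line so only one setting stays authoritative.
    sed -E "s|^(${KEY_RE}.*)\$|\1 ${account}|" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
    echo appended
}

# Usage (assumed default agent configuration path):
#   ensure_smartcard_service_account /etc/centrifydc/centrifydc.conf ctxsrvr
```

After editing, restart the agent (or reboot, as the procedure does) so the new parameter value is read.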