XenDesktop – Assigning Private Desktops by Client IP or Hostname

Background Information

By default, XenDesktop provides desktops on a first-come, first-served basis and, for private desktops, on an “Assignment on First Use” basis. In some scenarios it is preferable to pre-assign these private desktops based on the client device. This document applies only to Delivery Groups with private desktops; the following will not work with shared Delivery Groups.

Assigning Private Desktops

The “Get-BrokerPrivateDesktop” and “Set-BrokerPrivateDesktop” cmdlets are used to allocate particular desktops to a client.




Use the command as follows:

Set-BrokerPrivateDesktop DOMAIN\DESKTOPNAME -Option1 Option -Option2 Option

The following options are recommended:

-AssignedIPAddress <string>

This is the local IP of the connecting client.

-AssignedClientName <string>

This is the NetBIOS name (NB: not the FQDN) of the connecting client. NB: this does NOT work if an IP address is assigned. Clear the IP first.

-PublishedName <string>

This is a custom published name to differentiate the pre-assigned private desktop from the rest of the Delivery Group. (NB: As of XenDesktop 7.1, it appears that you are unable to remove a PublishedName attribute once it has been assigned!) For example, with <ClientIP> standing in for the local IP of the connecting client:

Set-BrokerPrivateDesktop CONTOSO\VDI001 -AssignedIPAddress <ClientIP> -PublishedName "Front Office"

The following can be used to get a quick overview of what has been assigned:

Get-BrokerPrivateDesktop | ft MachineName,AssignedIPAddress,AssignedClientName,PublishedName
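
The following is an added example, not part of the original article: it checks the four properties listed above against the NB notes on this page (client name set while an IP is still assigned, FQDN used instead of a NetBIOS name). The function name Test-ClientAssignment and the sample rows are constructed for illustration; on a Delivery Controller the input would come from Get-BrokerPrivateDesktop.

```powershell
# Added example: audit client-based private desktop assignments.
# Test-ClientAssignment is a hypothetical helper, not a Citrix cmdlet.
function Test-ClientAssignment {
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)] $Desktop)
    process {
        $ip     = $Desktop.AssignedIPAddress
        $name   = $Desktop.AssignedClientName
        $issues = @()

        if ($ip -and $name) {
            $issues += 'client name set while an IP is assigned (clear the IP first)'
        }
        if ($name -and $name.Contains('.')) {
            $issues += 'client name looks like an FQDN (NetBIOS name expected)'
        }
        if ($name -and $name.Length -gt 15) {
            $issues += 'client name exceeds the 15-character NetBIOS limit'
        }
        $parsed = $null
        if ($ip -and -not [System.Net.IPAddress]::TryParse($ip, [ref] $parsed)) {
            $issues += 'AssignedIPAddress is not a valid IP address'
        }

        $kind = if ($ip) { 'IP' } elseif ($name) { 'ClientName' } else { 'none' }
        [pscustomobject]@{
            MachineName = $Desktop.MachineName
            AssignedBy  = $kind
            Issues      = if ($issues) { $issues -join '; ' } else { 'OK' }
        }
    }
}

# Constructed sample rows shaped like Get-BrokerPrivateDesktop output.
$sample = @(
    [pscustomobject]@{ MachineName = 'CONTOSO\VDI001'; AssignedIPAddress = '192.0.2.10'
                       AssignedClientName = $null; PublishedName = 'Front Office' }
    [pscustomobject]@{ MachineName = 'CONTOSO\VDI002'; AssignedIPAddress = '192.0.2.11'
                       AssignedClientName = 'FRONTDESK02'; PublishedName = $null }
    [pscustomobject]@{ MachineName = 'CONTOSO\VDI003'; AssignedIPAddress = $null
                       AssignedClientName = 'kiosk01.contoso.local'; PublishedName = $null }
)
$sample | Test-ClientAssignment | Format-Table -AutoSize -Wrap

# Against a live site (assumes the Citrix broker snap-in is loaded):
# Get-BrokerPrivateDesktop | Test-ClientAssignment | Format-Table -AutoSize -Wrap
```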

Removing the Non-Assigned Desktop

After assigning a client device to a specific VDI Desktop, users will be presented with two desktops – the pre-assigned client-based desktop and their own user-based desktop, from the same delivery group. If all desktops have been pre-allocated, the user will still see a launch icon, though an error will be displayed when attempting to connect.

The “Get-BrokerAssignmentPolicyRule” and “Set-BrokerAssignmentPolicyRule” cmdlets are used to control this.




Use the commands as follows:

Run “Get-BrokerAssignmentPolicyRule” to return a list of rules. Note the “Name” of the assignment policy rule you want to modify (it will almost certainly match your Delivery Group name).

The following command will now disable the ‘default’ user-based desktop:

Set-BrokerAssignmentPolicyRule -Name "Desktop Name" -Enabled $false

Where a client has a private desktop assigned by IP or Hostname, only that desktop is displayed. If the user logs on elsewhere, no desktop will be displayed.

Alternatively, the “ExcludedUsers” option may be used to hide this desktop only from particular users.

Delivery Group Authentication

By default, XenDesktop only uses Users and Groups to authenticate against a Delivery Group. If a user is not in the Delivery Group they won’t see any desktop associated with it, even if the desktop has been specifically assigned to their client device.

“Get-BrokerAccessPolicyRule” and “Set-BrokerAccessPolicyRule” can be used to modify Delivery Group authentication beyond what is possible from within the console.




Specific configuration is out of the scope of this document, but it’s possible to base authentication on IP Address or to simply open up the Delivery Group to all users.


Enabling PNAgent Single Sign On (SSO) with StoreFront 2.1

Background Information

StoreFront 2.1 provides compatibility for the Online Plug-In and legacy clients by enabling the exposure of a Web Interface “Services Site” style config.xml page. This is used by the PNAgent to discover the site (i.e. store) configuration options and is configured

More information: http://support.citrix.com/proddocs/topic/dws-storefront-21/dws-legacy-support.html

By default, StoreFront is configured to only allow “Prompt” authentication from a PNAgent connection and an application launch.

Enabling PNAgent SSON to StoreFront

In order to allow PNAgent to use Single Sign-On to connect to the StoreFront server and enumerate the applications, do the following:

  1. Browse to C:\inetpub\wwwroot\Citrix\[StoreName]\Views\PnaConfig
  2. Make a backup of “Config.aspx”
  3. On the production copy of “Config.aspx”, make the following changes:
  4. Find the line starting with “<LogonMethod>” and ending with “</LogonMethod>”
  5. Change this line to “<LogonMethod>sson</LogonMethod>”
  6. Save the file and restart PNAgent. It should now automatically log in and return the published applications.

Enabling PNAgent SSON to the Published Applications

In order to allow a user to correctly launch a published application delivered by SSON PNAgent, do the following:

  1. Browse to C:\inetpub\wwwroot\Citrix\[StoreName]
  2. Make a backup of “web.config”
  3. On the production copy of “web.config”, make the following changes:
  4. Find the line starting with “<pnaProtocolResources”
  5. Within that line, locate the “logonMethod” setting and change the method to “sson”, i.e. logonMethod="sson"
  6. Your applications should now authenticate correctly.
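
Both procedures above (the Config.aspx edit and the web.config edit) can be scripted so that the backup is never skipped. This is an added example, not part of the original article: Set-PnaLogonMethod is a hypothetical helper, and the demo runs on constructed one-line fragments in a temp folder rather than on the real StoreFront files.

```powershell
# Added example: back up the file, then set the PNAgent logon method.
function Set-PnaLogonMethod {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,      # Config.aspx or web.config
        [ValidatePattern('^[A-Za-z_]+$')] [string] $Method = 'sson'
    )
    $full = (Resolve-Path -LiteralPath $Path).Path
    $old  = [System.IO.File]::ReadAllText($full)

    # Element form (Config.aspx) and attribute form on <pnaProtocolResources ...> (web.config).
    $element   = '(?s)(<LogonMethod>).*?(</LogonMethod>)'
    $attribute = '(<pnaProtocolResources\b[^>]*?\blogonMethod\s*=\s*")[^"]*(")'
    $new = $old -replace $element,   ('${1}' + $Method + '${2}')
    $new = $new -replace $attribute, ('${1}' + $Method + '${2}')

    if ($new -ceq $old) { return $false }   # pattern not found, or value already set

    # Timestamped backup so a second run never overwrites the copy of the original.
    $backup = '{0}.{1}.bak' -f $full, (Get-Date -Format 'yyyyMMddHHmmss')
    Copy-Item -LiteralPath $full -Destination $backup
    [System.IO.File]::WriteAllText($full, $new)
    return $true
}

# Demo on constructed fragments (not the full StoreFront files).
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ('pna-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
Set-Content -Path (Join-Path $dir 'Config.aspx') -Value '<LogonMethod>prompt</LogonMethod>'
Set-Content -Path (Join-Path $dir 'web.config')  -Value '<pnaProtocolResources logonMethod="prompt" />'

foreach ($file in 'Config.aspx', 'web.config') {
    $target  = Join-Path $dir $file
    $changed = Set-PnaLogonMethod -Path $target
    '{0}: changed={1}' -f $file, $changed
    Get-Content -Path $target
}
```

On a StoreFront server the -Path values would be the Config.aspx and web.config locations given in the steps above, and PNAgent still needs restarting afterwards.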