Background Information

By default, the Desktop Director logon page displays three fields: User name, Password and Domain.

Default Logon Page

In some use cases, it may be beneficial to pre-populate the Domain Textbox, disable changes or even hide it altogether. Please note that the following modifications are for usability only, none of these constitute a security feature. You must use the Citrix Studio to secure Director.

Preparation

All modifications are made within the “LogOn.aspx” file, which is located in the “Director”directory of the IIS server where Desktop Director is installed. By default, this location is:

C:\inetpub\wwwroot\Director\LogOn.aspx

Make a copy of “LogOn.aspx” and rename it to “LogOn.aspx.bak”

If the server is using UAC, launch Notepad by right clicking and selecting “Run as Administrator” and then open the file (NB: Drag and drop won’t work, you must browse to the file).

If the sever isn’t running UAC, open the file as normal using Notepad.

Pre-Populating the Domain Textbox

Locate the line beginning with:

<asp:TextxBox ID="Domain"

LogOn.aspx

Insert your domain name as shown:

<asp:Textbox ID=”Domain” ... >MYDOMAIN.COM</asp:TextBox>

Added Domain

Save the file and reload your Director logon page. If you did everything correctly, the page should now contain a pre-populated Domain Textbox

Pre-populated Domain

Making the Domain Textbox Read-Only

You may want to prevent users from altering the text in the Domain textbox. If you do this, then you must pre-populate it first as explained previously.

Locate the tag which starts with:

<asp:TextxBox ID="Domain"

And change it, by adding ReadOnly=”True”

<asp:TextBox ID=”Domain” ReadOnly="True"

Read-only Domain

The logon page will look identical, but the Domain box will be Read-Only.

Hiding The Domain Textbox

As above, if you wish to hide the Domain textbox completely, ensure you have pre-populated it.

Locate the tag which starts with:

<asp:Label ID="DomainLabel"

Immediately prior to that label, locate the following tag:

<div class='label eight'>

Add the following before <div class=’label eight’>:

<div style=’display:none’>

Inbetween “</asp:Textbox> <br />” add the following:

 </div>

Hide Code

And the resulting logon page should look like this:

Hidden Domain Textbox

Background Information

By default XenDesktop provides desktops on a First Come First Serve basis and, with regards to Private Desktops on an “Assignment on First Use” basis. In some scenarios, it’s preferable to pre assign these private desktops based on a client device. This document is only applicable to Delivery Groups with private desktops – the following will not work with shared delivery groups.

Assigning Private Desktops

The “Get-BrokerPrivateDesktop” and “Set-BrokerPrivateDesktop” cmdlets are used to allocate particular desktops to a client.

References:

http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd7/get-brokerprivatedesktop-xd7.html

http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd7/set-brokerprivatedesktop-xd7.html

Use the command as follows:

Set-BrokerPrivateDesktop DOMAIN\DESKTOPNAME –Option1 Option –Option2 Option

The following options are recommended:

-AssignedIPAddress <string>

This is the local IP of the connecting client.

-AssignedClientName <string>

This is the NETBIOS (NB: Not the FQDN) name of the connecting client. NB: Does NOT work if an IP Address is assigned. Clear the IP first.

-PublishedName <string>

This is a custom published name to differentiate the pre-assigned private desktop from the rest of the Delivery Group (NB: As of XenDesktop 7.1, it appears that you are unable to remove a PublishedName attribute once it has been assigned!) e.g:

Set-BrokerPrivateDesktop CONTOSO\VDI001 –AssignedIPAddress 10.12.43.98 –PublishedName “Front Office”

The following can be used to get a quick overview of what has been assigned:

Get-BrokerPrivateDesktop | ft MachineName,AssignedIPAddress,AssignedClientName,PublishedName

Removing the Non-Assigned Desktop

After assigning a client device to a specific VDI Desktop, users will be presented with two desktops – the pre-assigned client-based desktop and their own user-based desktop, from the same delivery group. If all desktops have been pre-allocated, the user will still see a launch icon, though an error will be displayed when attempting to connect.

The “Get-BrokerAssignmentPolicyRule” and “Set-BrokerAssignmentPolicyRule” cmdlets are used to control this.

References:

http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd7/get-brokerassignmentpolicyrule-xd7.html

http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd7/set-brokerassignmentpolicyrule-xd7.html

Use the commands as follows:

Run “Get-BrokerAssignmentPolicyRule” to return a list of rules. Note the “Name” of the assignment policy rule you want to modify (It will almost certainly match your Delivery Group name)

The following command will now disable the ‘default’ user-based desktop:

Set-BrokerAssignmentPolicyRule –Name “Desktop Name” –Enable $false

Where a client has a private desktop assigned by IP or Hostname, only that desktop is displayed. If the user logs on elsewhere, no desktop will be displayed.

Alternatively, the “ExcludedUsers” option may be used to only hide this desktop from particular users.

Delivery Group Authentication

By default, XenDesktop only uses Users and Groups to authenticate against a Delivery Group. If a user is not in the Delivery Group they won’t see any desktop associated with it, even if the desktop has been specifically assigned to their client device.

“Get-BrokerAccessPolicyRule” and “Set-BrokerAccessPolicyRule” can be used to modify Delivery Group authentication beyond what is possible from within the console.

References:

http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd7/get-brokeraccesspolicyrule-xd7.html

http://support.citrix.com/proddocs/topic/citrix-broker-admin-v2-xd7/set-brokeraccesspolicyrule-xd7.html

Specific configuration is out of the scope of this document, but it’s possible to base authentication on IP Address or to simply open up the Delivery Group to all users.