Monday, 20 September 2010

XenApp 6 – Publishing a Delivery Services management console to non-admins

I’m assuming here you have a first line support and they can be trusted with logging off users?  We don’t want them reconfiguring the farm though, do we – they might get dangerous! 

Simple stuff really, but good to get right. Incidentally, this is to get the console working as a Hosted application – I would like to stream it really, and indeed had it streamed in XenApp 5.  I’ve not had any success streaming the updated version in XenApp 6 though.  If anyone has a working process, do let us know.

Publishing the Delivery Services Console (DSC)

  1. UAC – if this is enabled, disable it on the servers you will host the console from as this apparently can cause trouble with this application – according to various posts on the Citrix Forums site and this eDocs article.  I’ve not tried it personally, I have UAC off on my XenApp servers.
  2. Install the Management Tools on a live XenApp server that you want to publish them from.  If you have run the install manually, they’re on by default.  If you scripted it you might have well not installed them (best not to, really). On a XenApp Server without the DSC, click Start, Citrix, XenApp Server Role Manager and XenApp Server Role Manager.
  3. image

  4. Click Add server roles and admire the nice animated progress bar.

  5. Select your XenApp edition and accept the terms and conditions
  6. You probably have something like the screen below, with only XenApp selected.  Just click next to continue

  7. On Choose Role Subcomponents, make expand Default Conponents and you should see “XenApp Management” is ticked but not greyed – that means it is not installed, but will be.  Click Next, Next and Install to install the tools and their pre-requisites…~

  8. You should now see the folder Citrix > Management Consoles in the Start Menu.  Before you proceed, do you use Citrix Single Sign On?  If not, remove this from the console or it will keep prompting you about it.  Go to Control Panel, select Uninstall a Program.  Find “Citrix Single Sign-On Console 4.8” , right click and select Change.  On the screen that pops up, select Remove to get rid of it.

  9. Launch the Citrix DSC on your server.  You’ll be asked about “.NET Authenticode”.  If you are behind a Proxy I would disable this:

  10. The “Configure and run discovery” wizard should now run.  You should be able to click Next, Next, Add Local Computer, Next, Next and Finish to see your farm.
  11. Right click Applications and select Publish Application.  Configure it as an Application, Accessed from a Server and Installed rather than Streamed.  The location of the executable will be “C:\Program Files (x86)\Citrix\Citrix Delivery Services Console\Framework\CmiLaunch.exe”.  You should know the settings for the users who will see it and the servers to host it from.

Configuring non-administrator access

  1. In the DSC as a Farm Administrator, right click Administrators (immediately under your farm name) and click Add Administrator

  2. On the Select Users screen, add in the users or groups that will be helpdesk users on the farm.  Use an AD group for this, so in the future you just have to add a user to this group.  It might be an idea to present the published icon to only this group as well.
  3. You then get options to create the users as View Only (pretty useless), Full Admins (overkill!) or Custom.  Choose Custom.

  4. You now get a very nice console which by default gives your users no permissions (you’ve got to admire that kind of attitude).  Go through the tree and turn on anything you want to give out.  For instance, if your helpdesk users are only going to log users off and reset sessions, click the Servers or Applications tabs and click the appropriate check boxes.  On Applications and Servers folders, make sure you include “View Server Information” or “View Application Information” otherwise the users will have the permission to configure settings but not to see the interface to do so. 

    If you have subfolders in Servers and Applications, click “Copy to Subfolders” after doing this to copy those permissions down – if you want to do that of course.  You might have servers you don’t want anyone to administer but you.  When you create folders in the future, remember to allow them to inherit permissions.

  5. If you want to change these permissions in future, just right click the entry in the Administrators section of the DSC and select Administrator Properties and the Permissions tab on the left.
  6. Your non admin users should now be able to launch the DSC, run “Configure and Run Discovery” as you did (clicking Add Local Computer to connect to the farm) and see the elements you selected for them.
  7. If your users get the error “Errors occurred when using [servername] in the discovery process” and when you double click it you see the error “This user account is not an administrator of the farm”, make sure that the user has the right “Log on to Management Console” under the Administrators section.



Anonymous said...

Tried the same however for whatever reason the account I created cannot view user sessions logged in to the servers.
Everything else seems to work fine such as publishing apps etc. but cant seem to see user sessions.
Even if I do select all tasks under custom permissions, it still doesn't work unless I grant Full Admin Permissions instead of using custom.
UAC is disabled btw.
Any ideas?

Support Engineer said...

I have the same as the above, no UAC, Custom setting for a Non Admin and they still get delivery services console failure at discovery, what more do they need?
If these Custom Admins use local server or an IMA management server they get the error "Errors occurred when using %servername% in the discovery process".

Anonymous said...

How would you package this in your favorite virutalization tool, so you do not need to install it manually on all servers you want to run the console from? i.e. Citrix, App-V, ThinApp etc. I am trying this with ThinApp right now and having some problems...

Alex Don said...

Your site is so nice. I like your site.

Courier service in Australia
Same day courier service

Post a Comment