Go Premium for a chance to win a PS4. Enter to Win


Can personal certificates move with a user's profile in Citrix XenDesktop?

Posted on 2013-10-24
Medium Priority
Last Modified: 2013-10-28
I have users which need to be ported over to a pooled-random Citrix XenDesktop environment.
We are currently conducting testing in the VDI to ensure functionality in their programs.

One web-based app they use is called CoStar.
CoStar installs a trusted root certificate and a personal certificate.

I logged into a test vm in Citrix and installed the certs and got onto the CoStar site just fine.
I logged off and logged back into Citrix, which spun up a new Windows 7 Ent. image. As I feared, the certificates did not follow and CoStar could not find the cert.

How can I migrate these guys to XD while still having them be able to log into CoStar?

Things to note:
-The certificate is personal to the user and can't be embedded in the master image. (can I add everyone's certs/profiles to the image?)

-CoStar doesn't know where the cert is stored in Windows so I can't file redirect the folder. It's tied to Windows anyway, and not their profile.

-Due to the ISP screwing us, I have to migrate these guys in the next 6 days since they will be losing their MPLS connection and won't have a way to get to their "stuff".

I tried running a few tests in a pooled-static environment and the certificates appear to stick. (I thought it only kept licensing stuff)
What kinds of problems can I run into in the future if I keep static vs. random?
(i.e.- can "bad" settings remain like viruses, improper programs, etc?)
Question by:Paul Wagner
  • 3
  • 2
LVL 24

Expert Comment

by:Dirk Kotte
ID: 39598140
personal certificates should roam with the user profile.
check the certificate-location after installing them with mmc.
take a look to "local computer" and "user" store.

are you sure the xd-profiles roaming? take a link to the user desktop - is the link there afrer using the next desktop?

do you use MS or Citrix profile management?
LVL 19

Expert Comment

ID: 39598505
You can use Personal Vdisk with basic static image. The image should have very basic apps, which gives flexibility to retain user installed apps along with basic image. This way root certificate stays with the image and each user can use their own certificates roaming.

Author Comment

by:Paul Wagner
ID: 39601015
-No, it looks like personal certificates were not following in the pooled-random environment. It looks like they do in pooled-static, though.
-The personal certificate ends up in Certificates->Personal->Certificates in certmgr.msc.
-The profile is using file redirection for "most of" the profile. To be honest, I don't know yet.... The environment didn't have much documentation when I took over.
-Yes, the link/certificate is there after logging out/in using the pooled-static environment.

If I use Personal w/vdisk won't that greatly inflate my storage costs (in terms of space used)? It might also present a problem when trying to deploy a new master image to everyone, I believe.

To all:
Since it looks like pooled-static is working, do you know if this will cause any problems or config differences in the future vs. the other users who are in pooled-random?
Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

LVL 24

Expert Comment

by:Dirk Kotte
ID: 39603697
as exclaimed within TechNet
user-certificates should be stored within the user-registry.
therefor the certs should roam with the user-profiles ...  (works for me)
but the trusted root cert can be stored within the device-registry.
If so you have to place the  trusted root cert  within the image.

don't know why pooled static should run. this devices are rebuild with every logon also...
(if you really shutdown/reboot the device)

Author Comment

by:Paul Wagner
ID: 39606820

Interesting find. I have discovered that pooled-static in fact does not work once rebooted. hrmmmm. bummer, right?

I would have thought that the profile keeps the certs but it appears to not come over. One thing to note is that the web app developer makes us install the first cert in the trusted root (not in the profile, right?) and the second cert 'just installs' but I can't find it in personal certs of certmgr.msc once it gets installed so I'm guessing that it too gets installed in trusted root.
Would that explain why it isn't following, or maybe XD with pooled-static doesn't truly pull "everything" over when it logs into a newly rebooted image.

I'm thinking at this point that I'll have to go dedicated.
LVL 24

Accepted Solution

Dirk Kotte earned 1500 total points
ID: 39606846
if you can't see the the personal certificate, the app don't use the system cert store for this certificate. (like firefox )
you should try to use the citrix profile management because this save more files and directories than the MS profile service.

to find the certificate you can use filemonitor from sysinternals. it is the only way some times.

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Will try to explain how to use the VMware feature TAGs in the VMs and create Veeam Backup Jobs using TAGs. Since this article is too long, I will create second article for the Veeam tasks.
August and September have been big months for VMware—from VMworld last month to our new Course of the Month in VMware Professional - Data Center Virtualization. We reached out to Andrew Hancock, resident VMware vExpert, to have a more in-depth discu…
How to install and configure Citrix XenApp 6.5 - Part 1. In this video tutorial we have explained step by step installation of Citrix XenApp 6.5 Server on Windows Server 2008 R2 is explained in this video. We have explained the difference between…
In this video tutorial I show you the main steps to install and configure  a VMware ESXi6.0 server. The video has my comments as text on the screen and you can pause anytime when needed. Hope this will be helpful. Verify that your hardware and BIO…

876 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question