

Can personal certificates move with a user's profile in Citrix XenDesktop?

Posted on 2013-10-24
Medium Priority
Last Modified: 2013-10-28
I have users which need to be ported over to a pooled-random Citrix XenDesktop environment.
We are currently conducting testing in the VDI to ensure functionality in their programs.

One web-based app they use is called CoStar.
CoStar installs a trusted root certificate and a personal certificate.

I logged into a test vm in Citrix and installed the certs and got onto the CoStar site just fine.
I logged off and logged back into Citrix, which spun up a new Windows 7 Ent. image. As I feared, the certificates did not follow and CoStar could not find the cert.

How can I migrate these guys to XD while still having them be able to log into CoStar?

Things to note:
-The certificate is personal to the user and can't be embedded in the master image. (can I add everyone's certs/profiles to the image?)

-CoStar doesn't know where the cert is stored in Windows so I can't file redirect the folder. It's tied to Windows anyway, and not their profile.

-Due to the ISP screwing us, I have to migrate these guys in the next 6 days since they will be losing their MPLS connection and won't have a way to get to their "stuff".

I tried running a few tests in a pooled-static environment and the certificates appear to stick. (I thought it only kept licensing stuff)
What kinds of problems can I run into in the future if I keep static vs. random?
(i.e.- can "bad" settings remain like viruses, improper programs, etc?)
Question by:Paul Wagner
LVL 24

Expert Comment

by:Dirk Kotte
ID: 39598140
Personal certificates should roam with the user profile.
Check the certificate location after installing them with mmc.
Take a look at the "local computer" and "user" stores.

Are you sure the XD profiles are roaming? Place a link on the user desktop - is the link there after using the next desktop?

Do you use MS or Citrix profile management?
LVL 19

Expert Comment

ID: 39598505
You can use Personal Vdisk with basic static image. The image should have very basic apps, which gives flexibility to retain user installed apps along with basic image. This way root certificate stays with the image and each user can use their own certificates roaming.

Author Comment

by:Paul Wagner
ID: 39601015
-No, it looks like personal certificates were not following in the pooled-random environment. It looks like they do in pooled-static, though.
-The personal certificate ends up in Certificates->Personal->Certificates in certmgr.msc.
-The profile is using file redirection for "most of" the profile. To be honest, I don't know yet.... The environment didn't have much documentation when I took over.
-Yes, the link/certificate is there after logging out/in using the pooled-static environment.

If I use Personal w/vdisk won't that greatly inflate my storage costs (in terms of space used)? It might also present a problem when trying to deploy a new master image to everyone, I believe.

To all:
Since it looks like pooled-static is working, do you know if this will cause any problems or config differences in the future vs. the other users who are in pooled-random?
LVL 24

Expert Comment

by:Dirk Kotte
ID: 39603697
As explained within TechNet,
user certificates should be stored within the user registry.
Therefore the certs should roam with the user profiles ... (works for me)
But the trusted root cert can be stored within the device registry.
If so, you have to place the trusted root cert within the image.

Don't know why pooled static should run. These devices are rebuilt with every logon also...
(if you really shutdown/reboot the device)

Author Comment

by:Paul Wagner
ID: 39606820

Interesting find. I have discovered that pooled-static in fact does not work once rebooted. hrmmmm. bummer, right?

I would have thought that the profile keeps the certs but it appears to not come over. One thing to note is that the web app developer makes us install the first cert in the trusted root (not in the profile, right?) and the second cert 'just installs' but I can't find it in personal certs of certmgr.msc once it gets installed so I'm guessing that it too gets installed in trusted root.
Would that explain why it isn't following, or maybe XD with pooled-static doesn't truly pull "everything" over when it logs into a newly rebooted image.

I'm thinking at this point that I'll have to go dedicated.
LVL 24

Accepted Solution

Dirk Kotte earned 1500 total points
ID: 39606846
If you can't see the personal certificate, the app doesn't use the system cert store for this certificate (like Firefox).
You should try to use the Citrix profile management because this saves more files and directories than the MS profile service.

To find the certificate you can use filemonitor from Sysinternals. It is the only way sometimes.
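
The store check suggested in this thread ("local computer" versus "user" store) can be scripted by comparing the Windows certificate stores before and after the vendor's installer runs. This is an added example, not code from any poster; the `-Phase` parameter and the snapshot path are assumptions made for the illustration.

```powershell
# Added example (not from the thread). Run with -Phase Before, install the
# certificates, then run with -Phase After in the same user session.
param(
    [ValidateSet('Before', 'After')]
    [string]$Phase = 'Before',
    # Assumed scratch location for the snapshot file.
    [string]$SnapshotPath = "$env:TEMP\cert-snapshot.csv"
)

# CurrentUser stores are kept in the user's profile (HKCU and
# %APPDATA%\Microsoft\SystemCertificates); LocalMachine stores belong to
# the VM and are lost when a pooled desktop is reset.
$stores = 'Cert:\CurrentUser\My', 'Cert:\CurrentUser\Root',
          'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'

function Get-CertInventory {
    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Store'; e = { $store } },
                          Thumbprint, Subject, NotAfter, HasPrivateKey
    }
}

if ($Phase -eq 'Before') {
    Get-CertInventory | Export-Csv -Path $SnapshotPath -NoTypeInformation
    "Snapshot written to $SnapshotPath"
}
else {
    $known = Import-Csv -Path $SnapshotPath |
        ForEach-Object { "$($_.Store)|$($_.Thumbprint)" }
    $new = Get-CertInventory |
        Where-Object { $known -notcontains "$($_.Store)|$($_.Thumbprint)" }

    if (-not $new) {
        'No new certificate in the Windows stores: the application keeps it elsewhere.'
    }
    foreach ($c in $new) {
        # The CurrentUser view of Root also lists machine-wide roots, so a
        # thumbprint that exists under LocalMachine is counted as machine-scoped.
        $machinePath = ($c.Store -replace 'CurrentUser', 'LocalMachine') + '\' + $c.Thumbprint
        $scope = if (Test-Path -Path $machinePath) { 'machine store: does not roam, belongs in the image' }
                 else { 'user store: kept in the profile, can roam' }
        '{0}  {1}  key={2}  ->  {3}' -f $c.Store, $c.Subject, $c.HasPrivateKey, $scope
    }
}
```

If the "After" run reports no new certificate, the application is keeping it outside the Windows stores, which is the case the accepted answer describes.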

Question has a verified solution.
