Can personal certificates move with a user's profile in Citrix XenDesktop?

I have users who need to be ported over to a pooled-random Citrix XenDesktop environment.
We are currently conducting testing in the VDI to ensure functionality in their programs.

One web-based app they use is called CoStar.
CoStar installs a trusted root certificate and a personal certificate.

I logged into a test VM in Citrix and installed the certs and got onto the CoStar site just fine.
I logged off and logged back into Citrix, which spun up a new Windows 7 Ent. image. As I feared, the certificates did not follow and CoStar could not find the cert.

How can I migrate these guys to XD while still having them be able to log into CoStar?

Things to note:
- The certificate is personal to the user and can't be embedded in the master image. (can I add everyone's certs/profiles to the image?)

- CoStar doesn't know where the cert is stored in Windows so I can't file redirect the folder. It's tied to Windows anyway, and not their profile.

- Due to the ISP screwing us, I have to migrate these guys in the next 6 days since they will be losing their MPLS connection and won't have a way to get to their "stuff".

I tried running a few tests in a pooled-static environment and the certificates appear to stick. (I thought it only kept licensing stuff)
What kinds of problems can I run into in the future if I keep static vs. random?
(i.e.- can "bad" settings remain like viruses, improper programs, etc?)
Paul Wagner (Friend To Robots and Rocks) Asked:
Dirk Kotte (SE) Commented:
If you can't see the personal certificate, the app doesn't use the system cert store for this certificate (like Firefox).
You should try to use Citrix Profile Management because it saves more files and directories than the MS profile service.

To find the certificate you can use File Monitor from Sysinternals. It is the only way sometimes.
Dirk Kotte (SE) Commented:
Personal certificates should roam with the user profile.
Check the certificate location after installing them with mmc.
Take a look at the "local computer" and "user" stores.

Are you sure the XD profiles are roaming? Take a link to the user desktop - is the link there after using the next desktop?

Do you use MS or Citrix profile management?
You can use Personal Vdisk with basic static image. The image should have very basic apps, which gives flexibility to retain user installed apps along with basic image. This way root certificate stays with the image and each user can use their own certificates roaming.

Paul Wagner (Friend To Robots and Rocks) Author Commented:
- No, it looks like personal certificates were not following in the pooled-random environment. It looks like they do in pooled-static, though.
- The personal certificate ends up in Certificates->Personal->Certificates in certmgr.msc.
- The profile is using file redirection for "most of" the profile. To be honest, I don't know yet.... The environment didn't have much documentation when I took over.
- Yes, the link/certificate is there after logging out/in using the pooled-static environment.

If I use Personal w/vdisk won't that greatly inflate my storage costs (in terms of space used)? It might also present a problem when trying to deploy a new master image to everyone, I believe.

To all:
Since it looks like pooled-static is working, do you know if this will cause any problems or config differences in the future vs. the other users who are in pooled-random?
Dirk Kotte (SE) Commented:
As explained within TechNet,
user certificates should be stored within the user registry.
Therefore the certs should roam with the user profiles... (works for me)
But the trusted root cert can be stored within the device registry.
If so, you have to place the trusted root cert within the image.

Don't know why pooled static should run. These devices are rebuilt with every logon also...
(if you really shut down/reboot the device)
Paul Wagner (Friend To Robots and Rocks) Author Commented:

Interesting find. I have discovered that pooled-static in fact does not work once rebooted. hrmmmm. bummer, right?

I would have thought that the profile keeps the certs but it appears to not come over. One thing to note is that the web app developer makes us install the first cert in the trusted root (not in the profile, right?) and the second cert 'just installs' but I can't find it in personal certs of certmgr.msc once it gets installed so I'm guessing that it too gets installed in trusted root.
Would that explain why it isn't following, or maybe XD with pooled-static doesn't truly pull "everything" over when it logs into a newly rebooted image.

I'm thinking at this point that I'll have to go dedicated.
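
The store check suggested in this thread ("local computer" versus "user", personal versus trusted root) can be scripted so it is run once right after installation and again in a fresh desktop. This is an added example, not code from any participant; the subject pattern is a placeholder, and the script uses only the built-in Cert: drive so it runs on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example (not from the thread). $SubjectPattern is a placeholder:
# replace it with text from the subject of the certificate the app installs.
param([string]$SubjectPattern = '*PLACEHOLDER-SUBJECT*')

# Stores to inspect, and what has to carry each one into a fresh desktop.
$stores = @(
    @{ Path = 'Cert:\CurrentUser\My';    CarriedBy = 'roaming user profile' },
    @{ Path = 'Cert:\CurrentUser\Root';  CarriedBy = 'roaming user profile' },
    @{ Path = 'Cert:\LocalMachine\My';   CarriedBy = 'master image' },
    @{ Path = 'Cert:\LocalMachine\Root'; CarriedBy = 'master image' }
)

# Collect every matching certificate together with the store it was found in.
$found = @(foreach ($s in $stores) {
    Get-ChildItem -Path $s.Path -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like $SubjectPattern } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Store         = $s.Path
                CarriedBy     = $s.CarriedBy
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey
                NotAfter      = $_.NotAfter
            }
        }
})

if ($found.Count -eq 0) {
    # Nothing in the Windows stores: the application keeps the certificate
    # somewhere else (its own file or key store), so it must be located on disk.
    Write-Output "No certificate matching '$SubjectPattern' in the user or machine stores."
} else {
    $found | Select-Object Store, CarriedBy, HasPrivateKey, NotAfter, Thumbprint, Subject |
        Format-List
}
```

Comparing the output from the session where the certificates were installed with the output after logging on to a new desktop shows which store failed to persist. A personal certificate that is listed but shows HasPrivateKey as False in the new session cannot be used for client authentication.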
Question has a verified solution.
