Some of your Linux VDA users may experience this. They log on via StoreFront, click on their published Linux desktop and are presented with an ugly “Invalid Login” dialog box in Receiver.
This may be caused by your underlying Linux Active Directory integration package (such as Winbind or Centrify) not recognizing the format of the logon name entered in StoreFront.
Citrix StoreFront will permit users to log on in any of the following naming formats supported by Windows and Active Directory:
- Down-level logon name: MYCORP\sallysmith
- UPN: firstname.lastname@example.org
- NetBIOS Suffix format: sallysmith@MYCORP
- UPN with custom suffix: sallysmith@SalesDept
The down-level logon name format is also commonly referred to as the NTLM, SAM Account, or pre-Windows 2000 name.
These various naming formats work seamlessly when delivering Windows apps and desktops because the target VDAs are Windows, which has support for all logon naming formats baked nicely into the operating system. As you would expect, Windows machines behave very well in the Windows ecosystem.
For Linux VDAs, however, we rely on your choice of third-party Active Directory integration package, each of which varies in features, capabilities and limitations. Most are mature products that make Linux play nicely in the AD environment; however, there are some limitations when it comes to supporting the full gamut of logon name formats.
In the example presented at the top of this article, our user Sally logged on with a UPN with a custom suffix (sallysmith@SalesDept) with the Linux VDA configured to use Winbind. This failed because Winbind does not recognize custom UPN suffixes, and was unable to decode the logon name provided. If Sally had logged on using MYCORP\sallysmith or email@example.com instead, the session would have started.
If we were using Centrify, which does support custom UPN suffixes, instead of Winbind, Sally would have logged on using sallysmith@SalesDept without issue. However Centrify only shifts the problem slightly – it does not support NetBIOS suffix names, whereas Winbind does.
A simple way to test which user name formats are supported by your Active Directory integration package is to run getent passwd for a known user in AD in each of the various naming formats. For example:
```shell
getent passwd MYCORP\\sallysmith
getent passwd firstname.lastname@example.org
getent passwd sallysmith@MYCORP
getent passwd sallysmith@SalesDept
```
If the username is recognized, an entry for the user with their UID and GID will be displayed. If not recognized, nothing is displayed. The double backslash for the first case is for shell escaping purposes.
Another simple test that will exercise Kerberos authentication via PAM is to perform a local console or secure shell logon for a user you know the password for. Do this in each of the naming formats. For example:
```shell
ssh localhost -l MYCORP\\sallysmith
ssh localhost -l email@example.com
ssh localhost -l sallysmith@MYCORP
ssh localhost -l sallysmith@SalesDept
```
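The getent probe above can be wrapped in a small script that tries every naming format for one account and prints a support matrix, which is handy when comparing integration packages across several VDAs. This is an added example, not code from the original post or from Citrix; the domain MYCORP, user sallysmith, DNS domain mycorp.example and custom suffix SalesDept are constructed sample values, and the optional fifth argument goes beyond the post's own commands by letting you probe a custom down-level separator such as the plus symbol described later.

```shell
#!/bin/sh
# Probe which AD logon name formats the local NSS/AD integration package resolves.
# Usage: probe_formats DOMAIN USER DNSDOMAIN CUSTOMSUFFIX [SEPARATOR]
# Sample values (MYCORP, sallysmith, mycorp.example, SalesDept) are constructed, not real.

# Return 0 if getent passwd prints an entry for the name, 1 otherwise
# (the same check the post describes, with output suppressed).
name_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print one tab-separated line per format: FORMAT, NAME TRIED, ok|unsupported.
probe_formats() {
    domain="$1"; user="$2"; dnsdomain="$3"; suffix="$4"
    sep="${5:-\\}"    # down-level separator; backslash unless a custom one is given
    for entry in \
        "down-level|${domain}${sep}${user}" \
        "upn|${user}@${dnsdomain}" \
        "netbios-suffix|${user}@${domain}" \
        "custom-upn-suffix|${user}@${suffix}"
    do
        fmt="${entry%%|*}"
        name="${entry#*|}"
        if name_resolves "$name"; then status=ok; else status=unsupported; fi
        printf '%s\t%s\t%s\n' "$fmt" "$name" "$status"
    done
}

# Number of formats that resolved, for a quick pass/fail summary.
count_supported() {
    probe_formats "$@" | awk -F'\t' '$3 == "ok" { n++ } END { print n + 0 }'
}

# Run as a script: ./probe.sh MYCORP sallysmith mycorp.example SalesDept [+]
if [ "$#" -ge 4 ]; then
    probe_formats "$@"
    echo "supported formats: $(count_supported "$@")"
fi
```

On a VDA using Winbind you would expect the custom-upn-suffix row to read unsupported, and on Centrify the netbios-suffix row; any row marked unsupported corresponds to a StoreFront logon format that will produce the "Invalid Login" dialog.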
The good news is the most commonly used down-level and UPN naming formats are supported by all of the AD integration packages supported by the Linux VDA.
Possible workarounds to deal with an unsupported logon naming format are:
- Educate your users to avoid certain naming formats when logging onto StoreFront.
- For Winbind, which does not support custom UPN suffixes, remove the use of UPN suffixes in Active Directory, if practical.
- For Centrify, which does not support NetBIOS suffixes, create a UPN suffix that matches the NetBIOS domain name and assign it to each user.
Footnote about custom separators
A special case is if your AD integration package is configured to use a separator other than backslash for down-level logon names. A common alternative in Linux circles is to use the plus symbol (+), creating identities such as MYCORP+sallysmith instead of the usual MYCORP\sallysmith. For example:
```shell
getent passwd MYCORP+sallysmith
```
Users will still log onto StoreFront using the backslashed DOMAIN\user format, as this is what Windows expects; however, the Linux VDA must be configured to substitute the backslash with the custom separator character before passing the name on to PAM for authentication. This configuration change is done using the ctxreg tool:
```shell
sudo /usr/local/bin/ctxreg update \
  -k "HKLM/System/CurrentControlSet/Control/Citrix/WinStations/tcp" \
  -v "DownLevelLogonNameSeparator" \
  -d "+"
```
To verify the setting:
```shell
sudo /usr/local/bin/ctxreg read \
  -k "HKLM/System/CurrentControlSet/Control/Citrix/WinStations/tcp" \
  -v "DownLevelLogonNameSeparator"
```
For this setting to take effect, the VDA and HDX services will need to be restarted.
Note that custom separators do not apply to UPNs and the other naming formats employing the @ symbol.