Problem:
How to use ProfileDisk when also using CAC for authentication
Possible Resolution(s):
There are special considerations for desktop users using ProfileUnity’s ProfileDisk technology while using CAC authentication for logins. ProfileDisks can be deployed as either VHDs or VMDKs.
There are no extra configuration steps to take when working with VMDKs. In fact, ProfileDisk VMDKs work well with CAC authentication in ProfileUnity 6.5.10 and higher.
However, there are some extra configuration steps to take when working with ProfileDisk VHDs. ProfileUnity as a Service must be set up so that the ProfileUnity client runs as a service (step 1), and CAC Authentication must be enabled in the ProfileUnity Computer GPO (step 2).
1. Create a Service Account to use for this process
- In AD create an account to use as the service account for this process or use an existing account. (Set password to never expire on that service account)
- Make sure the service account has full control on the share where the vhd ProfileDisks are to be stored.
- In ProfileUnity Console> Navigate to Administration on top right and scroll down to ProfileUnity Tools Section
- Add the relevant account info and deploy/download the service .creds file to the share or netlogon folder where the ProfileUnity client tools (ini path) reside. If the password for this account expires or changes, you will need to repeat this process; ProfileDisk will stop working for all users until the .creds file is updated and the desktops are restarted.
- Ensure that startup.exe in that same path of the creds file gets executed by the pool/machines on boot as a startup script in the ProfileUnity Computer GPO - it does not need to be re-run on the master image unless you're using Instant Clones in Horizon View.
Note: In some instances (a ProfileUnity GPO with no lwl.profileunity.client.startup.exe startup script) the image must be part of the domain to set up the ProfileUnity client service running with the service account credentials.
2. To enable CAC authentication:
- Open your computer Group Policy for ProfileUnity.
- Under Computer Configuration > Administrative Templates > Classic Administrative Templates > Liquidware Labs > ProfileUnity, under BOTH the 32-bit and 64-bit sections:
Set ProfileDisk VHD CAC support to “Enabled”. This setting tells the client to impersonate the ProfileUnity as a Service user when connecting to the file share for CAC logins.
3. Enable Logon Notification Events for SmartCard-based logons:
- On the master image (or pushed to persistent machines via a GPO, followed by a reboot), verify that the following registry value exists and create it if it does not:
Key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
Type: DWORD
Value: SmartCardLogonNotify
Data: 1
(Reference: https://support.citrix.com/article/CTX131223)
4. Set up a new CIFS file share (this will be separate from the user's home directory)
Make sure the service account used (above) has full permissions to the file share for the VHDs.
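The checks for steps 3 and 4 can be scripted; the following PowerShell is an added example and not part of the Liquidware article. The share path and service account name are placeholders that you must replace, and the ACL check covers NTFS permissions only (share-level permissions on the file server must be verified separately).

```powershell
# Added example (not Liquidware code): verify the ProfileDisk VHD + CAC prerequisites.
# Assumptions: $SharePath and $ServiceAccount below are placeholders, not real values.
param(
    [string]$SharePath      = '\\FILESERVER\ProfileDiskVHD$',   # placeholder: VHD share from step 4
    [string]$ServiceAccount = 'DOMAIN\svc_profileunity',         # placeholder: service account from step 1
    [switch]$Remediate                                           # create the registry value if missing
)

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$valueName = 'SmartCardLogonNotify'

# Step 3: verify (and optionally create) SmartCardLogonNotify as a DWORD set to 1.
$current = (Get-ItemProperty -Path $notifyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($current -eq 1) {
    Write-Output "OK: $valueName is set to 1"
} elseif ($Remediate) {
    if (-not (Test-Path $notifyKey)) { New-Item -Path $notifyKey -Force | Out-Null }
    New-ItemProperty -Path $notifyKey -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
    Write-Output "FIXED: created $valueName = 1 (reboot required before it takes effect)"
} else {
    Write-Warning "MISSING: $valueName is '$current' (expected 1); rerun with -Remediate or push via GPO"
}

# Step 4: confirm the service account holds an Allow/FullControl NTFS entry on the VHD share.
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl   = Get-Acl -Path $SharePath
$grant = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $fullControl) -eq $fullControl
}
if ($grant) {
    Write-Output "OK: $ServiceAccount has Full Control on $SharePath"
} else {
    Write-Warning "MISSING: $ServiceAccount lacks Full Control on $SharePath; VHD ProfileDisks will fail to attach"
}
```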
For more details on how to use Citrix Federated Authentication Service, refer to this Citrix KB:
Federated Authentication Service | Secure (citrix.com)
Product: ProfileUnity
Product Version: 6.7+