Product Documentation

Citrix Provisioning Services connector configuration

Jan 11, 2018

A Provisioning Services Connector Configuration contains the credentials and storage location that Citrix App Layering appliance, also known as Enterprise Layer Manager (ELM),  needs to connect to Provisioning Services. It also identifies the properties to be associated with the virtual disk (vDisk).

Each Connector Configuration is set up to access a storage location through a specific account.

Before you start

The first time you create an Image Template for publishing Layered Images to your Provisioning Services environment, add a Provisioning Services Connector Configuration for the Provisioning Services location.

Provisioning Services requirements

Provisioning Services must be running as a domain account. For App Layering to work correctly with Provisioning Services, the Provisioning Services services must be running as a domain account. Domain accounts have permissions to access the Provisioning Services store. The local system account does not.

If your Provisioning Services server is configured to use the local system account, which is the default setting, you can change the account by running the Provisioning Services configuration tool. The tool gives you an option to run as local system or use a domain account. Choose a domain account.

Provisioning Services server and account information. For App Layering to access the location in your Provisioning Services environment where you want to publish a Layered Image, you need to supply the credentials and location in a Provisioning Services Connector Configuration.

The information you need for the Provisioning Services Connector Configuration includes:

  • Name - A useful name to help identify and keep track of this connector configuration.
  • Console - The name of the Provisioning Services server on which App Layering agent is deployed. This is the server to which you publish the vDisk.
  • Domain User - User name of a domain account that has permission to manage Provisioning Services. This account is used by the agent to run Provisioning Services PowerShell commands. This account must have Read/Write access to the Provisioning Services store for writing the published vDisk.
  • Password - Password for the domain user account.
  • Site Name - Name of the Site this vDisk is to be a member of.
  • Store Name - Name of the Store that this vDisk is a member of.
  • Write Cache - When a new Disk is being created, this value sets the Write Cache type of the new Disk. Possible values include:
    • Cache on Server
    • Cache on Server, Persistent
    • Cache in Device RAM
    • Cache in Device RAM with Overflow on Hard Disk
    • Cache on Device Hard Drive
      When choosing a Write Cache option, see Selecting the write cache destination for standard vDisk images. This topic provides information for proper configuration of the Provisioning Services servers and target devices for the type you select.
  • License Mode - Sets the Windows License Mode to:
    • KMS - Key Management Service
    • MAK - Multiple Activation Keys
    • None
  • Enable Active Directory machine account password management - Enables Active Directory password management. The default value is Enabled.
  • Enable Load Balancing - Enables load balancing for the streaming of the vDisk.
  • Enable Printer Management - When enabled, invalid printers are deleted from the device.

Create a new Connector Configuration for Provisioning Services

If you don't yet have a Connector Configuration that includes the Provisioning Services server information and credentials for the server where the Layered Image will be published, add one now.

To add a new Connector Configuration

  1. In the Publish Layered Image wizard, click the Connector tab.
  2. Under the list of Connector Configurations, click New. A dialog box opens.
  3. Select the Connector Type for the platform and location where you are publishing the Layered Image. Then, click New to open the Connector Configuration page.
  4. Complete the fields on the Connector Configuration page. For guidance, see the preceding field definitions.
  5. Click TEST to verify that the appliance can access the location specified by using the credentials supplied.
  6. Click SAVE

       The new Connector Configuration appears on the Connector tab.

Script Configuration (optional, advanced feature)

When creating a new Connector Configuration, you can configure an optional PowerShell script on any Windows machine running an App Layering agent—the same agent used on the Provisioning Services server. These scripts must be stored on the same machine that the App Layering agent is installed on, and will only run after a successful deployment of a Layered Image. Some preset variables are available to enable scripts to be reusable with different template images and different connector configurations. These variables also contain information needed to identify the virtual machine created as part of the published layered image in Provisioning Services.

Running the scripts will not affect the outcome of the publish job. Also, progress of the commands that are run in the script are not be visible. The Provisioning Services connector logs contain the output of the script after it runs.

Configure a script (optional)

If you want a script to run each time a Layered Image is published, complete these steps using the values described in the sections that follow.

  1. Complete and save the Connector Configuration in the preceding section. 
    Note: Before selecting Script Configuration page, you must save (or discard) any edits to the Connector Configuration settings,
  2. If the Navigation menu on the left is not open, select it and then click Script Configuration to open the Script Path page.
  3. Complete the required fields using the values detailed in the section Script Configuration fields and then click Save.

Script Configuration fields

  • Enable script - Select this check box to enable the remaining fields. This allows you to enter a script that runs each time a Layered Image is published.
  • Script Agent - The agent machine where the scripts are located and run from.
  • Username (optional) - The user name to impersonate when running the script. This can be used to ensure the script runs in the context of a user that has the needed rights/permissions to perform the operations in the script.
  • Password (optional) - The password for the specified user name.
  • Path - A full path and file name on the agent machine where the script file resides.

Other Script Configuration values

When the script is run, the following variables are set and can be used in the PowerShell script.

Value Applies to connector types Value determined by which code Description



Common code

This is the name of the connector configuration that the script configuration is associated with.



Common code

This is the name of the layered image template that was used to build/publish the layered image.



Common code

This is the OS type of the layered image that was published. It can be one of the following values:

  • Windows7
  • Windows764
  • Windows200864
  • Windows201264
  • Windows10
  • Windows1064




The internal id for the vDisk.

User Impersonation
The App Layering Agent, which runs as a service on a Windows machine, runs under either the local system account or the network account. Either of these accounts can have some special privileges, but they often are restricted when it comes to running specific commands or seeing files in the file system. Therefore, App Layering gives you the option of adding a domain user and password that can be used to "impersonate" a user. This means that the script can be run as if that user had logged onto the system so that any commands or data will be accessible subject to those user rights and permissions. If a user name or password is not entered, the script runs using the account under which the service is configured to run.

Script Execution Policy
Script execution policy requirements are generally up to you. If you intend to run unsigned scripts, you must configure the policy to one of the more lenient policies. However, if you sign your own scripts accordingly, you can choose to use a more restrictive policy.