Linux Virtual Delivery Agent

Access by unauthenticated (anonymous) users

You can allow users to access applications and desktops without presenting credentials to StoreFront or Citrix Workspace app. To grant access to unauthenticated users, you must have an unauthenticated StoreFront store and enable access for unauthenticated users in a delivery group.


Access by unauthenticated users is supported for domain-joined VDAs only.

Session prelaunch is not supported for unauthenticated users. Session prelaunch is also not supported on Citrix Workspace app for Android.

Create an unauthenticated StoreFront store

  1. Select the Stores node in the left pane of the Citrix StoreFront management console and, in the Actions pane, click Create Store.
  2. On the Store Name page, specify a name for your store, select Allow only unauthenticated (anonymous) users to access this store, and click Next.

For more information, see Create an unauthenticated store.

Enable access for unauthenticated users in a delivery group

A delivery group is a collection of machines selected from one or more machine catalogs. When you specify who can use the applications and desktops in a delivery group, you can grant access to unauthenticated users. For more information, see Create delivery groups.

Set the idle timeout for unauthenticated user sessions

Unauthenticated user sessions have a default idle timeout of 10 minutes, and are logged off automatically when the client disconnects. You can configure a custom idle timeout through the registry setting AnonymousUserIdleTime. For example, to set a custom idle timeout of five minutes, run the following command:

sudo /opt/Citrix/VDA/bin/ctxreg update -k  "HKLM\System\CurrentControlSet\Control\Citrix"  -v AnonymousUserIdleTime  -d 0x00000005

Set the maximum number of unauthenticated users

To set the maximum number of unauthenticated users, use the registry key MaxAnonymousUserNumber. This setting limits the number of unauthenticated user sessions running on a single Linux VDA concurrently. Use the ctxreg tool to configure this registry setting. For example, to set the value to 32, run the following command:

sudo /opt/Citrix/VDA/bin/ctxreg update -k  "HKLM\System\CurrentControlSet\Control\Citrix"  -v MaxAnonymousUserNumber  -d  0x00000020


Limit the number of unauthenticated user sessions. Too many sessions being launched concurrently can cause problems on the VDA, including running out of available memory.


Consider the following when configuring unauthenticated user sessions:

  • Failed to log on to an unauthenticated session.

Verify that the registry was updated to include the following (set to 0):

sudo /opt/Citrix/VDA/bin/ctxreg read –k "HKLM\System\CurrentControlSet\Control\Citrix" –v MaxAnonymousUserNumber

Verify that the ncsd service is running and configured to enable passwd cache:

ps  uax | grep nscd
cat /etc/nscd.conf | grep 'passwd' | grep 'enable-cache'

Set the passwd cache variable to no if it is enabled, then restart the ncsd service. You might need to reinstall the Linux VDA after changing this configuration.

  • The lock screen button is displayed in an unauthenticated user session with KDE.

The lock screen button and menu are disabled by default in an unauthenticated user session. However, they can still be displayed in KDE. In KDE, to disable the lock screen button and menu for a particular user, add the following lines to the configuration file $Home/.kde/share/config/kdeglobals. For example:

[KDE Action Restrictions]

However, if the KDE Action Restrictions parameter is configured as immutable in a global wide kdeglobals file such as /usr/share/kde-settings/kde-profile/default/share/config/kdeglobals, the user configuration has no effect.

To resolve this issue, modify the system-wide kdeglobals file to remove the [$i] tag at the [KDE Action Restrictions] section, or directly use the system-wide configuration to disable the lock screen button and menu. For details about the KDE configuration, see the KDE System Administration/Kiosk/Keys page.

Access by unauthenticated (anonymous) users