Configure unauthenticated sessions

Use the information in this article to configure unauthenticated sessions. No special settings are required when installing the Linux VDA to use this feature.

Note:

When configuring unauthenticated sessions, consider that session prelaunch is not supported. Session prelaunch is also not supported on Citrix Workspace app for Android.

Create an unauthenticated store

You must create an unauthenticated store using StoreFront to support an unauthenticated session on the Linux VDA.

Enable unauthenticated users in a Delivery Group

After creating an unauthenticated store, enable unauthenticated users in a Delivery Group to support an unauthenticated session. To enable unauthenticated users in a Delivery Group, follow the instructions in the Citrix Virtual Apps and Desktops documentation.

Set the unauthenticated session idle time

An unauthenticated session has a default idle timeout of 10 minutes. This value is configured through the registry setting AnonymousUserIdleTime. Use the ctxreg tool to change this value. For example, to set this registry setting to five minutes:

sudo /opt/Citrix/VDA/bin/ctxreg update -k  "HKLM\System\CurrentControlSet\Control\Citrix"  -v AnonymousUserIdleTime  -d 0x00000005

Set the maximum number of unauthenticated users

To set the maximum number of unauthenticated users, use the registry key MaxAnonymousUserNumber. This setting limits the number of unauthenticated sessions running on a single Linux VDA concurrently. Use the ctxreg tool to configure this registry setting. For example, to set the value to 32:

sudo /opt/Citrix/VDA/bin/ctxreg update -k  "HKLM\System\CurrentControlSet\Control\Citrix"  -v MaxAnonymousUserNumber  -d  0x00000020

Important:

It is essential that you limit the number of unauthenticated sessions. Too many sessions being launched concurrently can cause problems on the VDA, including running out of available memory.

Troubleshooting

Consider the following when configuring unauthenticated sessions:

  • Failed to log on to an unauthenticated session.

Verify that the registry was updated to include the following (set to 0):

sudo /opt/Citrix/VDA/bin/ctxreg read –k "HKLM\System\CurrentControlSet\Control\Citrix" –v MaxAnonymousUserNumber

Verify that the ncsd service is running and configured to enable passwd cache:

ps  uax | grep nscd
cat /etc/nscd.conf | grep 'passwd' | grep 'enable-cache'

Set the passwd cache variable to no if it is enabled, then restart the ncsd service. You might need to reinstall the Linux VDA after changing this configuration.

  • The lock screen button is displayed in an unauthenticated session with KDE.

The lock screen button and menu are disabled by default in an unauthenticated session. However, they can still be displayed in KDE. In KDE, to disable the lock screen button and menu for a particular user, add the following lines to the configuration file $Home/.kde/share/config/kdeglobals. For example:

[KDE Action Restrictions]
action/lock_screen=false

However, if the KDE Action Restrictions parameter is configured as immutable in a global wide kdeglobals file such as /usr/share/kde-settings/kde-profile/default/share/config/kdeglobals, the user configuration has no effect.

To resolve this issue, try to modify the system-wide kdeglobals file to remove the [$i] tag at the [KDE Action Restrictions] section or directly use the system-wide configuration to disable the lock screen button and menu. For details about the KDE configuration, see the KDE System Administration/Kiosk/Keys page.