Non-domain-joined Linux VDAs
Overview
Non-domain-joined VDAs remove the need to join VDAs to Active Directory domains for VDA and user authentication. When creating a non-domain-joined VDA, you generate a public-private key pair for registering the VDA to the cloud control plane. Thus, joining an Active Directory domain is no longer required. When a user launches a session from the non-domain-joined VDA, the VDA creates a local mapping account using the user name that the user uses to log on to Citrix Workspace app. The VDA assigns a random password that the local mapping account uses for SSO and session reconnection. If you change the random password, SSO and session reconnection fail. To disable SSO, see Non-SSO authentication.
Important:
- For Citrix DaaS™ customers:
- You can deploy non-domain-joined VDAs in a public cloud or in the on-premises data center. Non-domain-joined VDAs are managed by the control plane in Citrix DaaS.
- To create non-domain-joined VDAs, customers using the Citrix Gateway service must ensure that Rendezvous V2 is enabled. Cloud Connectors are required only if you plan to provision machines on on-premises hypervisors or if you want to use Active Directory as the identity provider in Workspace.
- For CVAD customers:
  Enable the WebSocket feature on the DDC: open a PowerShell window, run the following command, and then reboot the DDC:

  ```
  New-ItemProperty "HKLM:\SOFTWARE\Citrix\DesktopServer\WorkerProxy" -Name "WebSocket_Enabled" -PropertyType "DWord" -Value 1 -Force
  ```
- To create non-domain-joined VDAs, you can use both MCS and easy install. For more information, see Create non-domain-joined Linux VDAs using MCS and Create a non-domain-joined Linux VDA using easy install (preview).
- MCS doesn’t support bare metal servers.
- The following features are available for non-domain-joined Linux VDAs:
Features available for non-domain-joined Linux VDAs
Create local users with specified attributes on non-domain-joined VDAs
When you open a session hosted on a non-domain-joined VDA, the VDA automatically creates a local user with default attributes. The VDA creates the local user based on the user name that you used to log on to Citrix Workspace™ app. You can also specify user attributes including the user’s User Identifier (UID), Group ID (GID), home directory, and log-in shell. To use this feature, complete the following steps:
- Run the following command to enable the feature:

    ```
    /opt/Citrix/VDA/bin/ctxreg create -k "HKLM\Software\Citrix\VirtualDesktopAgent\LocalMappedAccount" -t "REG_DWORD" -v "CreateWithUidGid" -d "0x00000001" --force
    ```

- Specify the following attributes in the /var/xdl/getuidgid.sh script under the installation path of the VDA:

    | Attribute | Required or optional | Description |
    |---|---|---|
    | uid | Required | A User Identifier (UID) is a number assigned by Linux to each user on the system. It determines which system resources the user can access. |
    | gid | Required | A Group Identifier (GID) is a number used to represent a specific group. |
    | homedir | Optional | The Linux home directory is a directory for a particular user. |
    | shell | Optional | A login shell is a shell given to a user upon login to their user account. |

    Note: Make sure that the attributes specified in the script are valid.

    The following is an example of the getuidgid.sh script:

    ```
    #!/bin/bash
    ###############################################################################
    #
    # Citrix Virtual Apps™ & Desktops For Linux Script: Get uid and gid for the user
    #
    # Copyright (c) Citrix Systems, Inc. All Rights Reserved.
    #
    export LC_ALL="en_US.UTF-8"

    # Print the attributes for the user name passed as $1, one "key:value" per line.
    function get_uid_gid_for_user()
    {
        echo "uid:12345"
        echo "gid:1003"
        echo "homedir:/home/$1"
        echo "shell:/bin/sh"
    }

    # Quote the argument so that the user name is passed as a single word.
    get_uid_gid_for_user "$1"
    ```
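The sample getuidgid.sh above returns the same UID and GID whatever user name it is given. As an added example (not Citrix code), the following variant looks the user up in a per-user table and prints attributes only after validating them. The table contents, the `MIN_ID` floor and the shell allow-list are assumptions, and the table is constructed sample data.

```bash
#!/bin/bash
# Added example (not Citrix code): emit uid/gid/homedir/shell for one user,
# in the output format of the sample script, only after validation.
export LC_ALL=C   # C locale so that [a-z] below matches ASCII letters only

# Constructed sample table, one "user:uid:gid:shell" entry per line (assumption).
MAP='alice:20001:20001:/bin/bash
bob:20002:20002:/bin/sh
carol:20003:20003:/usr/bin/python3
mallory:0:0:/bin/bash'

MIN_ID=1000                        # assumption: lower IDs are system accounts
ALLOWED_SHELLS='/bin/sh /bin/bash' # assumption: site allow-list of login shells

get_uid_gid_for_user() {
    user=$1
    # Refuse empty names, leading dashes or dots, and anything outside a strict
    # character set, so the name is safe to place in the homedir path.
    case $user in
        ''|-*|.*|*[!a-z0-9_.-]*) return 1 ;;
    esac
    # Exact match on the first field; unknown users get no attributes.
    entry=$(printf '%s\n' "$MAP" | awk -F: -v u="$user" '$1 == u { print; exit }')
    [ -n "$entry" ] || return 1
    rest=${entry#*:}; uid=${rest%%:*}
    rest=${rest#*:};  gid=${rest%%:*}
    shell=${rest#*:}
    # uid and gid must be plain decimal numbers at or above MIN_ID (never 0).
    for n in "$uid" "$gid"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -ge "$MIN_ID" ] || return 1
    done
    # The login shell must be on the allow-list.
    case " $ALLOWED_SHELLS " in
        *" $shell "*) ;;
        *) return 1 ;;
    esac
    printf 'uid:%s\ngid:%s\nhomedir:/home/%s\nshell:%s\n' "$uid" "$gid" "$user" "$shell"
}

# Called with the user name as $1, as in the sample script.
[ "$#" -eq 0 ] || get_uid_gid_for_user "$1"
```

On any validation failure the function prints nothing and returns a non-zero status; how the VDA reacts to that is not stated on this page, so test it before relying on it.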
Non-SSO authentication
By default, the Linux VDA has single sign-on (SSO) enabled. Users log on to Citrix Workspace app and to VDA sessions using one set of credentials. To have users log on to VDA sessions using a different set of credentials, disable SSO on the Linux VDA. For more information, see Non-SSO authentication.
Authentication with Azure Active Directory
The non-domain-joined VDAs that you deploy in Azure integrate with the AAD identity service to provide user authentication. For more information, see Authentication with Azure Active Directory.
Rendezvous V2
Non-domain-joined VDAs can use Rendezvous V2 to bypass Citrix Cloud Connectors. For more information, see Rendezvous V2.