Complete the following tasks before installing and configuring Citrix Provisioning.
Ensure that all Windows updates are current before installing Citrix Provisioning components. Citrix recommends that you reboot after installing all Windows updates.
Select and configure the Microsoft SQL database
Each PVS farm has a single database. You can provide the database on either:
- An existing SQL Server or SQL Server Express instance
- A new server running SQL Server or SQL Server Express
All PVS servers in a farm must be able to communicate with the database server.
In a production environment, to avoid poor distribution during load balancing, best practice is to install the SQL Server or SQL Server Express instance and the Citrix Provisioning server component software on separate servers.
The PVS Configuration Wizard can create the database. Alternatively, if you do not have permission to create databases, you can use the DbScript.exe utility to create a SQL script that a database administrator can run to create the PVS database. This utility is installed with the provisioning software.
Run the DbScript.exe utility to create or update the database
If you do not have permission to create databases, use DbScript.exe to generate a SQL script for the database administrator to run to create or update the PVS database. Run the script from the Windows command prompt in
C:\Program Files\Citrix\Provisioning Services.
To generate the script to create the database, use this syntax:
DbScript.exe -new <databaseName> <farmName> <siteName> <collectionName> <farmAdminGroup> <adGroupsEnabled> <scriptName> <is2012orHigher>
To generate the script to update the database, enter:
DbScript.exe -upgrade <databaseName> <scriptName>
The commands use these arguments:
<databaseName>— Name of the database to create or update.
<farmName>— Farm name for the new database.
<siteName>— Site name for the new database.
<collectionName>— Collection name for the new database
<farmAdminGroup>— Farm administrator group, specified as a full path.
When you run the configuration wizard, you must be a member of this group (an Active Directory group) to add the PVS servers to the database.
<adGroupsEnabled>— Enable or disable AD groups, specified as Boolean, where
trueenables AD groups and
falsedisables AD groups.
<scriptName>— Name of the script to generate, specified as a full path.
<is2012orHigher>— This is deprecated. Use
This example generates a script to create an empty Citrix Provisioning database called
db1-2. The script is called newDb.sql and is located in
C:\Program Files\Citrix\Provisioning Services> DbScript.exe -new db1-2 Farm1 Site1 Collection1 "test.local/Users/Domain Users" true c:\newDb.sql true
This example generates a script to upgrade the Citrix Provisioning database
test1. The script is called upgrade.sql and, because no path is specified, is located in the directory where the script was run (
C:\Program Files\Citrix\Provisioning Services).
C:\Program Files\Citrix\Provisioning Services>DbScript.exe -upgrade test1 upgrade.sql
For information, see database sizing.
When the database is created, its initial size is 20 MB with a growth size of 10 MB. The database log initial size is 10 MB with a growth size of 10%.
The base amount of space required is 112 KB, which does not change. The base image includes the following:
- DatabaseVersion record requires approximately 32 KB
- Farm record requires approximately 8 KB
- DiskCreate record requires approximately 16 KB
- Notifications require approximately 40 KB
- ServerMapped record requires approximately 16 KB
The variable amount of space required, based on objects, is as follows:
- Access and groupings (each)
- A User group that has access to the system requires approximately 50 KB
- A Site record requires approximately 4 KB
- A Collection requires approximately 10 KB
- FarmView (each)
- FarmView requires approximately 4 KB
- FarmView/Device relationship requires approximately 5 KB
- SiteView (each)
- SiteView requires approximately 4 KB
- SiteView/Device relationship requires approximately 5 KB
- Target device (each)
- A target device requires approximately 2 KB
DeviceBootstraprequires approximately 10 KB
Device:Diskrelationship requires approximately 35 KB
Device:Printerrelationship requires approximately 1 KB
DevicePersonalityrequires approximately 1 KB
DeviceStatuswhen a Device boot requires approximately 1 KB
DeviceCustomPropertyrequires approximately 2 KB
- Disk (each)
- Unique disk requires approximately 1 KB
DiskVersionrequires approximately 3 KB
DiskLocatorrequires approximately 10 KB
DiskLocatorCustomPropertyrequires approximately 2 KB
- Provisioning server (each)
- A server requires approximately 5 KB
ServerIPrequires approximately 2 KB
ServerStatuswhen a Server boot requires approximately 1 KB
ServerCustomPropertyrequires approximately 2 KB
- Store (each)
- Store requires approximately 8 KB
- Store:Server relationship requires approximately 4 KB
- Disk update (each)
VirtualHostingPoolrequires approximately 4 KB
UpdateTaskrequires approximately 10 KB
DiskUpdateDevicerequires approximately 2 KB
DiskUpdateDevice:Diskrelationship requires approximately 35 KB
Disk:UpdateTaskrelationship requires approximately 1 KB
The following changes cause the size requirements to increase:
- Each processed task (for example: Virtual disk versionings merge) requires approximately 2 KB.
- If auditing is turned on, each change made by the administrator in the Citrix Provisioning console, MCLI, or PowerShell interface requires approximately 1 KB.
For Citrix Provisioning to support MS SQL database mirroring, the database needs to be configured with High-safety mode with a witness (synchronous).
When using the Database Mirroring feature, the SQL native client is required on the server. If the native SQL client does not exist, the option to install SQL native client x64 or x86 is presented when SQL is installed.
Be sure to update the SQL native client to a version that supports TLS 1.2. For details, see “Client component downloads” in KB3135244 - TLS 1.2 support for Microsoft SQL Server.
For information on how to configure and use database mirroring, see Database mirroring.
To implement database clustering, follow Microsoft’s instructions then run the Citrix Provisioning Configuration wizard. No additional steps are required because the wizard considers the cluster as a single SQL Server.
Supported authentication types
The table helps you determine how you want Citrix Provisioning to authenticate with the database, and the credentials you want to use when authenticating.
|Authentication type||Grants access to||Required credentials||Database platform||Other restrictions|
|Active Directory Integrated||Active Directory User. Create the username in Active Directory if you do not want to use an existing one.||Nothing (uses the current login context)||SQL Server||The PVS server must belong to a domain, the PVS service user context must be a domain user, and PVS must be configured by a domain user.|
|SQL Server||SQL Login. Create the SQL login on the database server if you do not want to use an existing one.||Login and Password||SQL Server|
There are additional authentication types supported for Azure SQL Database and Azure SQL Managed Instance. For more information, see Supported authentication types.
Citrix Provisioning uses Windows authentication for accessing the database. Microsoft SQL Server authentication is not supported except by the Configuration Wizard.
Configuration wizard user permissions
The following MS SQL permissions are required for the login used when running the Configuration wizard:
dbcreatorfor creating the database for SQL Server, and SQL Server Express
securityadminfor creating the SQL logins for the Stream and SOAP services
If you are using MS SQL Express in a test environment, you can choose to give the login used when running the Configuration wizard
sysadmin privileges, the highest level for the database.
Alternatively, if the database administrator has created an empty database by running the DbScript.exe utility, the login used when running the Configuration wizard must be the owner of the database. Also, this login must have the View any definition permission. The database administrator sets this permission when the empty database is created.
Service account permissions
The user context for the Stream and SOAP services requires the following database permissions:
- Run permissions on stored procedures
Datareader and Datawriter database roles are configured automatically for the Stream and SOAP Services login account using the Configuration wizard. The Configuration wizard assigns these permissions. In addition, the service login used must have the following system privileges:
- Run as service
- Registry read access
- Access to Program Files\Citrix\Citrix Provisioning
- Read and write access to any virtual disk location
Determine which of the following supported user accounts the Stream and SOAP services run under:
Network service account
Minimum privilege local account, which authenticates on the network as a computers domain machine account
Specified user account (required when using a Windows Share), which can be a Workgroup or domain user account
Support for KMS licensing requires the SOAP Server user account to be a member of the local administrators group.
Authentication is not common in workgroup environments, as a result, minimum privilege user accounts must be created on each server and each instance must have identical credentials.
Determine the appropriate security option to use in this farm. Only one option can be selected per farm and the selection you choose impacts role-based administration. For security options:
Use Active Directory groups for security (default); select this option if you are on a Windows Domain running Active Directory. This option enables you to use Active Directory for Citrix Provisioning administration roles.
Windows 2,000 Domains are not supported.
Use Windows groups for security. Select this option if you are on a single server or in a Workgroup. This option enables you to use the Local User/Groups on that particular server for Citrix Provisioning administration roles.
Console users do not directly access the database.
Minimum permissions required for more provisioning functionality include:
- Citrix Virtual Apps and Desktops Setup wizard, Streamed VM Setup wizard, and ImageUpdate service
- vCenter, SCVMM, and Citrix Hypervisor minimum permissions
- Permissions for the current user on an existing Citrix Virtual Apps and Desktops controller
- A Citrix Provisioning console user account configured as a Citrix Virtual Apps and Desktops administrator added to a provisioning
SiteAdmingroup or higher
- Active Directory Create Accounts permission to create accounts in the console. To use existing accounts, Active Directory accounts have to exist in a known OU for selection
- If using personal vDisks with Citrix Virtual Apps and Desktops, the SOAP Server user account must have Citrix Virtual Apps and Desktops full administrator privileges.
- AD account synchronization: create, reset, and delete permissions
- Virtual disk: Privileges to perform volume maintenance tasks
Enable a remote connection in SQL Server
Use the information in this section to establish a remote connection to the SQL server.
- Log into the SQL server using SQL Server Management Studio.
In the object explorer window, right-click the SQL server and choose Properties:
- In the Object Explorer window, select the Connections node. Under Remote server connections, select or clear the Allow remote connections to this server check box:
After updating the remote server connection:
- In the Start menu, click Start > Microsoft SQL Server version > SQL Server version Configuration Manager. The SQL Server Configuration Manager window appears.
- Expand the option SQL Server Network Configuration. Select Protocols for (your server name). Select TCP/IP and right click. In the contextual menu, choose Enable. Click OK to restart the service.
After restarting the service, change the Start mode. In the SQL Server Configuration Manager window:
- Select SQL Server Services. In the right pane, right-click the SQL Server Browser option to expose a contextual menu.
- Choose Properties.
- In the Service tab, change the Start Mode to Automatic.
- Click OK.
- Select the SQL Server Browser and right-click to open a contextual menu. Click Start.
- Select the SQL Server Instance Name and right-click to open a contextual menu. Click Restart.
Create an exception for SQL Server in Windows Firewall
Use the information in this section to create an exception for SQL Server in environments using the Windows Firewall:
- Open the Control panel and select System and Security.
Select Windows Defender Firewall:
Click Allow an app or feature through Windows Defender Firewall. Turn on Windows Firewall:
In the Allow apps to communicate through Windows Defender Firewall window, click Allow another app…:
- In the Add an app screen, click Browse.
Browse to the SQL Service
sqlserver.exeand click Open. The default path to
- SQL 2019 –
C:\Program Files\Microsoft SQL Server\MSSQL15.<SQL Instance Name>\MSSQL\Binn
- SQL 2017 –
C:\Program Files\Microsoft SQL Server\MSSQL14.<SQL Instance Name>\MSSQL\Binn
- SQL 2019 –
- Click Add:
- Repeat steps 4–7 for
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe.
- Click OK.
Enable secure connection from provisioning server to SQL server
SQL server, license server, and provisioning server can be configured to enable secure connection.
Use the information in this section to establish a secure connection to the SQL server.
On the SQL server computer:
- Obtain a server certificate with a private key that can be used as the SQL server’s server certificate. You can obtain the server certificate from a trusted authority or use a self-signed certificate. The server certificate and private key should be in a .PFX file. The common name must be the FQDN of the SQL server computer.
- Import the certificate and the key in the personal certificates folder of the local computer certificate store on the SQL server computer.”
- Give the SQL server access to the certificate and key.
- Do the following to configure the SQL server to force secure connections.
- Run the SQL Server Configuration Manager.
- From the left pane, select SQL Server Network Configuration > Protocols for instance.
- Right-click to select Properties.
- In the Flags tab, set Force Encryption to Yes.
- In the Certificate tab, select the server certificate from the drop-down list. If this certificate is not in the list, then verify that it was imported as described.
- Click OK and restart the SQL server service for the instance.
On the PVS server computer:
- Deploy the necessary certificate authority certificates that are required to trust the server certificate.
- If the authority is not trusted:
- Obtain the authority certificate.
- Import that certificate into the Trusted Root Certificate Authorities folder of the local computer certificate store.
- If the server certificate is self-signed:
- On the SQL server computer, export the certificate only into a certificate file.
- Copy this certificate to the PVS server computer.
- Import this certificate into the Trusted Root Certificate Authorities folder of the local computer certificate store.
- If the authority is not trusted:
- Configure the provisioning server to connect to the SQL server using the same name as in the certificate, which is the FQDN of the SQL server computer. If necessary, run the Configuration Wizard, and join the Farm again. Using this method, you can change the database server name.
By default, the Citrix Provisioning console, Imaging wizard, PowerShell snap-in, and MCLI use Kerberos authentication when communicating with the SOAP Service in an Active Directory environment. Part of the Kerberos architecture is for a service to register (create a service principal name, SPN) with the domain controller (Kerberos Key Distribution Center). The registration is essential because it allows Active Directory to identify the account that the SOAP service is running in. If the registration is not performed, the Kerberos authentication fails and Citrix Provisioning falls back to using NTLM authentication.
The Citrix Provisioning SOAP Service registers every time the service starts and unregisters when the service stops. However, the registration fails if the service user account does not have permission. By default, the Network Service account and domain administrators have permission while normal domain user accounts do not.
To work around this permissions issue, do either of the following:
Use a different account that has permissions to create SPNs.
Assign permissions to the service account.
|Computer Account||Write Validated SPN|
|User Account||Write Public Information|