involves domain-joined user devices that run the Desktop Lock and connect to
StoreFront through XenApp Services URLs.
The Desktop Lock is
a separate component that is released with Citrix XenDesktop and Citrix
VDI-in-a-Box. It is an alternative to the Desktop Viewer and is designed mainly
for repurposed Windows computers and Windows thin clients. The Desktop Lock
replaces the Windows shell and Task Manager in these user devices, preventing
users from accessing the underlying devices. With the Desktop Lock, users can
access Windows Server Machine desktops and Windows Desktop Machine desktops.
Note: Installation of
Desktop Lock is optional
A user logs on to a
device using a smart card and PIN. If Desktop Lock is running on the device, it
authenticates the user to a Storefront server using Integrated Windows
Authentication (IWA). StoreFront passes the user security identifiers (SIDs) to
Citrix XenDesktop. When the user starts a virtual desktop, the user is not
prompted for a PIN again because the single sign-on feature is configured on
This deployment can
be extended to a double-hop with the addition of a second StoreFront server and
a server hosting applications. A Receiver from the virtual desktop
authenticates to the second StoreFront server. Any authentication method can be
used for this second connection.
The configuration shown for the first hop can be reused in the second hop or used in the second hop only.