Citrix Virtual Apps and Desktops
a. What is the Active Directory Kerberos Realm the smart cards use?
Specify the Kerberos Realm used by the smart cards to authenticate. While this should be entered in
all capital letters, the iApp automatically capitalizes lower case letters when you submit the template.
b. Which service account (in SPN format) can be used for Kerberos authentication?
Specify a service account in SPN (Service Principal Name) format which can be used to enable Kerberos
Protocol Transition and Constrained Delegation from the BIG-IP to Web Interface or StoreFront resources,
where the Service is host and the Service Name is user@domain.com.
c. What is the password associated with that account?
Specify the password for the service account you entered in the previous question.
d. What is the Kerberos Key Distribution Center (KDC) for the server realm?
Type the KDC for the server's realm. This is normally an Active Directory domain controller. If you
leave this empty, the KDC must be discoverable through DNS; for example, the BIG-IP system must be able
to fetch SRV records for the server realm's domain, where the name is usually the same as the realm's
name. If the domain name is different from the realm name, it must be specified in the /etc/krb5.conf file;
otherwise adding the realm configuration to that file is not required. Kerberos SSO processing is fastest
when the KDC is specified by its IP address, slower if it is specified by host name, and even slower if it
is left empty (due to additional DNS queries). When the user's realm is different from the server's realm,
the KDC must be left empty. This is also true in cases of multi-domain realms. If you leave this field
blank, set the dns_lookup_kdc parameter to true in the BIG-IP /etc/krb5.conf file.
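Added example, not taken from the original guide: a sketch of the /etc/krb5.conf settings this question refers to. The realm EXAMPLE.COM, the DNS domain corp.example.net, and the address 192.0.2.10 are placeholder values, and the [realms]/[domain_realm] layout is an assumption about how the realm would be listed when its name differs from the domain name.

```ini
# /etc/krb5.conf on the BIG-IP system (constructed sample, placeholder values)

[libdefaults]
    # Required when the KDC field in the template is left blank.
    # The KDC is then located through DNS SRV records such as
    #   _kerberos._tcp.EXAMPLE.COM
    #   _kerberos._udp.EXAMPLE.COM
    # so the BIG-IP system must be able to resolve them.
    dns_lookup_kdc = true

# The sections below are only needed when the DNS domain name
# (corp.example.net) differs from the realm name (EXAMPLE.COM).
# When the two names match, no realm configuration has to be added.
[realms]
    EXAMPLE.COM = {
        # An IP address avoids the extra DNS queries that a host name
        # or SRV discovery would need.
        kdc = 192.0.2.10
    }

[domain_realm]
    # Map hosts in the DNS domain to the Kerberos realm.
    .corp.example.net = EXAMPLE.COM
    corp.example.net = EXAMPLE.COM
```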
e. Create a new AAA object or select an existing one?
The AAA Server contains the authentication mechanism for the BIG-IP APM Access Policy.
Select whether you want the template to create a new BIG-IP APM AAA Server object, or if you have
already created an AAA object for Virtual Apps and Desktops on the BIG-IP system.
• Select an existing AAA Server object
Select this option if you have already created an AAA Server object for this deployment. If you want
to create your own AAA Server, but have not already done so, you must exit the template and create
the object before it becomes available from the list.
• Create a new AAA Server object
Select this option (the default) to have the template create a new Active Directory AAA Server object
for the Citrix environment.
a. What is the Active Directory FQDN for your Citrix users?
Type the Active Directory domain name for your Virtual Apps and Desktops implementation in
FQDN (Fully Qualified Domain Name) format.
b. Which Active Directory servers in your domain can this BIG-IP system contact?
Type both the FQDN and IP address of all Active Directory servers in your domain that this BIG-IP
system can contact. Make sure this BIG-IP system and the Active Directory servers have routes to
one another and that firewalls allow traffic between the two. Click Add to include additional servers.
c. Does your Active Directory domain allow anonymous binding?
Select whether anonymous binding is allowed in your Active Directory environment.
• Yes, anonymous binding is allowed
Select this option if anonymous binding is allowed. No further information is required.
• No, credentials are required for binding
If credentials are required for binding, you must specify an Active Directory user name and
password for use in the AAA Server.
a. Which Active Directory user with administrative permissions do you want to use?
Type a user name with administrative permissions.
b. What is the password for that user?
Type the associated password.
d. How do you want to handle health monitoring for this pool?
You can choose the type of health monitor you want to use for the pool of Active Directory
servers. Specify whether you want the template to create a new LDAP monitor or a new ICMP
monitor, or if you want to select an existing monitor.
• Do not monitor Active Directory
Select this option if you do not want the BIG-IP system to create a health monitor for your
Active Directory implementation.