Last year I blogged about using VMware with XenDesktop. That article was focused on XenDesktop 4 and VMware integration. With the recent release of XenDesktop 5, it’s time for an updated article. In this blog post I am going to go over using XenDesktop 5 with VMware.
vCenter HTTPS Access
1. If it doesn’t already exist, create a DNS entry for your vCenter server. Another option would be to create a host file entry on your XenDesktop Delivery Controllers and Provisioning Servers for your Virtual Center/vCenter server.
2. Using your browser connect to the FQDN of the vCenter server. You should get a warning about the website’s security certificate. Click continue to this website (not recommended).
3. Click the Certificate Error in the Security Status bar and select View certificates. Once you can see the vCenter certificate, Click Install Certificate.
4. When the Certificate Import Wizard comes up, select Place all certificates in the following store and click Browse.
5. When Select Certificate Store comes up, select Show physical stores then expand Trusted People and then select Local Computer and click Ok.
6. When the Certificate Import Wizard completion screen comes up, click Finish.
7. You will get prompted when the import is successful, click Ok.
8. Close the browser and reopen it. You should be able to browse to your vCenter server without getting any certificate errors.
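Steps 2 through 8 place the vCenter certificate in the computer's Trusted People store. The PowerShell below is an added example, not part of the original article, that checks the certificate before trusting it. It assumes the certificate was exported to a file; the path, FQDN and thumbprint are placeholders, and the expected thumbprint is assumed to have been read on the vCenter server itself.

```powershell
# Added example: vet the exported vCenter certificate, then trust it.
# Run from an elevated PowerShell prompt on the Delivery Controller.
# Placeholders (assumptions, not values from the article):
$CertPath           = 'C:\Temp\vcenter.cer'
$VCenterFqdn        = 'vcenter.domain.com'
$ExpectedThumbprint = 'PASTE-THUMBPRINT-READ-ON-THE-VCENTER-SERVER'

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. The file must be the certificate vCenter really holds, not one
#    presented by something sitting between the browser and vCenter.
$expected = $ExpectedThumbprint -replace '\s', ''
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: exported file has $($cert.Thumbprint)"
}

# 2. The name in the certificate must be the FQDN XenDesktop will connect to.
#    GetNameInfo returns the first DNS name (Subject Alternative Name, else CN),
#    so a certificate issued before a server rename fails here.
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$dnsName  = $cert.GetNameInfo($nameType, $false)
if ($dnsName -ne $VCenterFqdn) {
    throw "Certificate is issued to '$dnsName', not '$VCenterFqdn'"
}

# 3. Reject a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is only valid from $($cert.NotBefore) to $($cert.NotAfter)"
}

# 4. Add it to Trusted People > Local Computer (LocalMachine\TrustedPeople).
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store(
    [System.Security.Cryptography.X509Certificates.StoreName]::TrustedPeople,
    [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $store.Add($cert)
    # Confirm the certificate is now present in the store.
    $store.Certificates |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
        Format-List Subject, Thumbprint, NotAfter
}
finally {
    $store.Close()
}
```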
vCenter role for XenDesktop
When setting up the XenDesktop role in vCenter, note that the permissions listed in the Citrix eDocs are taken from the SDK programming guide, and some of them do not match the names shown in the Add New Role dialog box. Differences in permission names are noted below.
Create a role in vCenter with the following permissions:
- Datastore Permissions
  - Allocate space
  - Browse datastore
  - File management is listed in Citrix eDocs but it is Low level file operations in vCenter
- Network Permissions
  - Assign network
- Resource Permissions
  - Assign virtual machine to resource pool
- System Permissions – These permissions are automatically added when you create a role in vCenter.
  - Anonymous
  - Read
  - View
- Task Permissions
  - Create Task
- Virtual Machine/Configuration Permissions
  - Add existing disk
  - Add new disk
  - Change CPU count
  - Configure Resource is listed in the Citrix eDocs but it is Change resource in vCenter
  - Memory
  - Remove disk
- Virtual Machine/Interaction
  - Power Off
  - Power On
  - Reset
  - Suspend
- Virtual Machine/Inventory
  - Create is listed in the Citrix eDocs but it is Create New in vCenter
  - Create from existing
  - Delete is listed in the Citrix eDocs but it is Remove in vCenter
  - Register
- Virtual Machine/Provisioning
  - Clone is listed in the Citrix eDocs but it is Clone virtual machine in vCenter
  - Disk Random Access is listed in the Citrix eDocs but it is Allow disk access in vCenter
  - Get VM Files is listed in the Citrix eDocs but it is Allow virtual machine download in vCenter
  - Put VM Files is listed in the Citrix eDocs but it is Allow virtual machine files upload in vCenter
- Virtual Machine/State
  - Create snapshot
  - Revert to snapshot
If you want XenDesktop to tag the virtual machines, you must also add the following permissions:
- Global
  - Manage Custom Fields is in the Citrix eDocs but it is Manage custom attributes in vCenter
  - Set Custom Field is in the Citrix eDocs but it is Set custom attribute in vCenter
To use XenDesktop Setup Tool with Provisioning Services, you will have to add the following permissions in addition to what is listed above:
- Virtual Machine/Provisioning
  - Clone Template
  - Deploy Template
Now that we have the XenDesktop role created, assign a domain account to the role. For this article the example domain account is Citrix_services.
One question customers always ask me when using XenDesktop with VMware is how to limit virtual machine creation to a certain cluster or set of servers within vCenter. Follow the steps below to control where virtual machines are deployed within your VMware infrastructure.
- Assign the XenDesktop role at the Datacenter level but do not propagate by unselecting Propagate when adding the role.
- Assign the XenDesktop role at the Cluster level but do not propagate by unselecting Propagate when adding the role. If you want to control virtual machine creation at the Cluster level then leave Propagate selected. Assign the XenDesktop role to Servers within a Cluster if you want to limit virtual machine creation to certain Servers within a Cluster.
- Assign the XenDesktop role to the Networks you want the virtual machines to have access to.
- Assign the XenDesktop role to the Datastores you want virtual machines to be created in.
- If you are also using folders within vCenter in the VMs and Templates view, make sure to also assign the XenDesktop role to the folders you want virtual machines created in.
You should now be able to control where the virtual machines are placed when they are created. See the screenshot below for an example of controlling where virtual machines get created.
In the example above, virtual machines will only be created within the Citrix\Desktops folder on a single server within the VDILab cluster in a single Datacenter in vCenter. The virtual machines will only use the VDI Network and will only be created on the LeftHand_Lab Datastore.
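To check the result of the role and assignment steps above, the PowerCLI below (an added example, not from the original article) compares the role's privileges with the article's list and shows every object where the service account holds a permission. It assumes `Connect-VIServer` has already been run; the role name and account are placeholders, and the mapping from the listed permission names to vSphere API privilege IDs is this example's own.

```powershell
# Added example (PowerCLI): audit the XenDesktop role and where it is assigned.
# Assumes an existing Connect-VIServer session to vCenter.
# $RoleName and $Principal are placeholders; use your own values.
$RoleName  = 'XenDesktop'
$Principal = 'DOMAIN\citrix_services'

# vSphere API privilege IDs for the permissions listed in the article
# (the display-name-to-ID mapping is this example's, not the author's).
$required = @(
    'System.Anonymous', 'System.Read', 'System.View',
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Network.Assign', 'Resource.AssignVMToPool', 'Task.Create',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.Memory', 'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Provisioning.Clone', 'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.PutVmFiles',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot'
)
# Optional sets from the article: VM tagging, and Setup Tool with Provisioning Services.
$tagging   = @('Global.ManageCustomFields', 'Global.SetCustomField')
$setupTool = @('VirtualMachine.Provisioning.CloneTemplate',
               'VirtualMachine.Provisioning.DeployTemplate')
$allowed   = $required + $tagging + $setupTool

$role    = Get-VIRole -Name $RoleName -ErrorAction Stop
$granted = @($role.PrivilegeList)

# Missing privileges break provisioning; anything outside $allowed is excess.
$missing = @($required | Where-Object { $granted -notcontains $_ })
$excess  = @($granted  | Where-Object { $allowed -notcontains $_ })
"Missing from role      : $($missing -join ', ')"
"Beyond the article list: $($excess -join ', ')"

# Every object where the service account holds a permission, and whether
# it propagates. A role other than $RoleName stands out in this table.
Get-VIPermission -Principal $Principal |
    Format-Table Entity, Role, Propagate -AutoSize
```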
When you create virtual machines using Machine Creation Services or XenDesktop Setup Tool with Provisioning Services, configure the following on the Host screen:
- Host type: VMware virtualization
- Address: https://vCenter.domain.com/sdk – example vCenter name
- Username: domain\citrix_services – example service account for XenDesktop role created in vCenter
- Password: password for citrix_services account – example service account password for XenDesktop role created in vCenter
This article was created using vCenter/ESX 4.1, XenDesktop 5 with Machine Creation Services, and Internet Explorer 8.
This blog post was a collaboration with Shane Kleinert (@shanekleinert, CitrixIRC, @CitrixIRC). I would like to give a big thanks to Shane for the team work on this article.

Thanks for a great article, Jarian, always using your blog for references when setting up XenDesktop with VMware.
Thanks for the detailed explanation. It was very helpful to me in my current project.
I followed the steps as outlined but am still getting the certificate error. Is there a way to do this via http instead of https? I imported the VMware Certificate but it still did not work.
Have you looked at http://support.citrix.com/article/CTX125578 ?
Hi,
I followed the steps in your article adding all the required permissions to a new custom role to use for XenDesktop and mapped a Domain User with Domain Admin rights to that Role.
If I use Quick Deploy and specify the address of my vCenter Server https:///sdk and the domain account I had mapped to that new vCenter Server role I get so far that I can browse my datacenter objects, drilling down to my ESX Cluster I want to deploy the virt Desktops on, down to my Win7 Master Image but I am unable to select it, because the “OK” Button does not get active. I can only select “cancel”
Am I missing something here?
I will add from experience that if your DDC has UAC enabled, you need to start IE with “run as administrator” to get the option to install into the Trusted People-Computer chain.
Good point. I always disable UAC on my servers thru group policy so I haven’t come across this issue.
I’m running vsphere 4.1 Update 1 and I didn’t have to import the cert or create a host file entry on the XenDesktop Controller. Which is strange because when I was testing XenDesktop 4 under vsphere server 4.1 no update I had to do the VMware hoop jumps.
I’m having an issue with the desktop deployment Wizard and setting up our new test environment. I’m in the host details configuration and I’m unable to select the guest network or storage. Any ideas what I could have missed that would have caused this?
Did you setup the permissions at each level or did you propagate permissions from the datacenter? Either of those options should work and allow you to see the guest network and storage.
Trying to set this up in a lab environment before pushing XenDesktop 5 to clients. However, I’m still having an issue connecting “The hypervisor is not contactable at this address” What the heck?! I’ve tried all of the above and reviewed all of Citrix’s Doc’s for this product. I’m using an internal Domain Controller hosting DNS, all entries of the servers are showing up in DNS, and I have tried using the 20 year old NT option of editing the host file and nothing. I’ve also tried using all of the above suggestions and no go…What gives, please help!!
What version of ESX are you running? You are also using vCenter to manage your ESX hosts correct?
I’m running ESX 4.1.0, Yes, running vCenter
I had the same issue until I tried httpS:// in our environment (instead of http://). Furthermore, the username should have the domain as part of the name. Example: domain\servicename.
To ensure there’s no permission issue, I originally provided the Username of an account with full Administrator rights to vCenter. Once that worked, I then provided the service account I wanted to use with XenDesktop.
The account that will be used must be assigned at the Datacenter level as per http://support.citrix.com/article/CTX127546S. Jarian, you may be missing “VirtualMachine.Config.RemoveDisk” in your steps. I’m currently investigating if that’s what’s causing my machine creation to fail (since it works with full Administrator rights, but not with the locked down account.)
With all that said, Jarian, THANK YOU for this informative blog. It helped me jump start my PoC.
Michael
Jarian, I’ve confirmed that you are indeed missing the “VirtualMachine.Config.RemoveDisk” permission in one of your steps. My machines are creating without issue now (no longer fails at not being able to remove snapshot/disk.)
Actually I have that in the screenshot but left it out in bullet point list. Thanks for catching that. Article updated.
I’ve found an issue with deleting Machine Catalogs of the Dedicated type. Pooled delete just fine. I have found that “Remove Snapshot” is another permission that’s required, and will test this out more tomorrow after further testing. I have an open case with Citrix for another issue, but this came up again today while I was troubleshooting. Will let you know my findings.
Confirmed. “Remove Snapshot” is required. When you look at the VMware log, you’ll see that it does a “Task: Remove all snapshots” right after “Task: Revert snapshot”.
It always failed right after “Task: Revert snapshot”, giving the error: “Failed to remove the virtual machine; .” (Where is something like “DOMAIN\computername$”, repeating the error on every line for every machine that’s part of the catalog.)
I’ll share this finding with Citrix tech support tomorrow when we discuss the open case.
Thanks for the info. I am working on an updated article. I will add this to it. Thanks again for the info, I really appreciate it.
I have tried everything to integrate XD5 to vCenter 4.1 the same issue with https://FQDN, the username supplied is also domain\servicename but to no avail. My DDC installation is on Win2K8 R2 SP1 (UAC Disabled) and has been updated with IE9 and I am wondering this could be causing the issue? has anyone managed to get it to work. My DNS is also working. When I import the certificate as per the above article which is the same as the (http://support.citrix.com/article/CTX125578) I do get the message “import successful” but when I close and re-open the browser with the FQDN I get the certificate error.
I have made this work in the past for XD3 and 4 using the http method but this is NO longer a supported configuration for those who use this as a work around.
I was thinking if it is this troublesome I’d rather just create a self signed cert and get round it.
Any pointers would be very welcome.
I did some checking and found that the cert did get imported into the Trusted People\Local Computer but what I suspect might be causing my issue (if others have managed to get it working) is the vCenter certificate which I have imported has a different server name to the actual VCenter server because I had renamed it.
When I look at the certificate details under “Subject Alternative Name” it has the previous server name.
I am wondering this could be the cause of my problems?
This means I will have to create a new VMWare cert on the VC box.
I was told by Citrix on multiple occasions that Win2K8 R2 SP1 breaks a lot of things for XenDesktop and XenApp. They advised me to stay away from SP1 for now.
Thanks for this article ! Nevertheless, I’m having an issue creating vm’s in a specific resource pool of the vCenter. All vm’s are created out of the resource pools, at the same level in the tree. Any ideas ?
I don’t have a “Local Computer” sub-store of “Trusted People”, so can’t properly install the cert.
Help!
Did you check/click show physical stores?
Great article but I could not get it working in Distributed Virtual Switch configuration. I gave access to individual port groups but since cannot assign the permission to DVS object, hence VM level NICs got not be modified. Any thoughts
Are you on vSphere 4.x or 5?
any idea how an existing catalog can be migrated to different datastore within the same VM cluster?
I just noticed that in Create Catalog wizard I’m not prompted for Storage selection although I have 3 datastores. I also created another host which is the same cluster but different datastore but Catalog wizard doesn’t prompt to select host either. It’s XD5 MCS on vSphere 4.1
I figured this one or rather found out it’s a no go. It would work with XenServer but not VMware. When XD5 uses Vmware you need kill the catalog and recreate it, this means all machine creation process and longer maintenance window which sucks
Great article. Thanks
Thanks! Glad it helped!
Jarian, great article!
Have you tried so far to connect XenDesktop 5.6 with vCenter 5 virtual appliance? You got it to work???
Thanks!
Dude, you made it so easy… thank you! I remember hacking some proxy/policy file before to convert things to http. This is a proper and elegant solution.
Great post, thank you for clarifying and detailing this. I’ve done all these role setup tasks you outlined ahead, and double checked the propagate settings for each level, but the VMs are created in a different folder than I granted access to (?). Come to think of it, this folder is under another folder – perhaps I have to assign rights to the parent. I’ll check on that!
Hi Jarian,
An update from the above post – I’ve followed these directions but it still isn’t working as far as creating the VMs in the desired container. The VMs are provisioned in the same container as the master image, even though the user I am using to authenticate from XD is only assigned the XenDesktop role and is also assigned only to the folders I want them to be created in, several layers down, with no propagate selected. Is there a way to adjust to view settings for the catalog that points to where they will be created or does it simply put them in the next closest container to where the master is, that it has access to?
Thanks
Great walk-through.
Does the user need to be a domain admin or can they have some other role in AD that does not grant domain admin rights? We would prefer to not give this account the “keys to the domain” so to speak if possible.
Thanks