Citrix Receiver adds an account error during installation

Citrix Receiver configuration

NComputing ensures that NoTouch has integrated the latest version of the Citrix Receiver (formerly known as the ICA Client). Our Citrix Receiver implementation supports both ICA and HDX, as well as Flash, Multimedia and USB forwarding. It creates a perfect Citrix endpoint solution, completely without installation software, cryptic configuration files or command line options! NoTouch offers a complete configuration environment for Citrix Receiver, so it is not absolutely necessary to work with Citrix's own configuration windows - everything can be configured and managed both via the local NoTouch configuration menu and centrally via the NoTouch Center.

The Citrix Receiver can be used to connect to Citrix XenApp, XenDesktop, VDI-in-a-Box (successor to Kaviza) and all previous Citrix products, such as "Presentation Server" or "MetaFrame". It can run as a standalone application or through the web browser, or it can be "hidden" so that the end user only sees a login dialog and then the actual server connection. NoTouch also supports "StoreFront".

This article gives you an overview of the various configuration options and then describes the product-specific configuration steps for Citrix. We assume that you already understand how the NoTouch OS is configured and, above all, how server connections are created and configured. The Citrix Receiver for Linux differs from Windows-based systems in many ways, not only in terms of appearance and handling, but also in terms of available features and even bugs.

Citrix-based connection modes in NoTouch for XenApp and XenDesktop

Yes, you can use the web browser. However, we find that many users prefer a "more direct" approach where users log in and enter their credentials without using a web browser. There are several different session modes that allow different ways of using Citrix (note that "published application" can also refer to a full desktop). The most important two are:

  • Citrix / StoreFront. The preferred mode for using NoTouch with StoreFront (NoTouch 2.40.188 or higher). It can be used to either run a resource (completely seamless for the end user) or to display a menu where the user can choose whichever suits them best!
  • Citrix / One application or desktop. Log in to the web front end (in the background!) and run a single application or a desktop. This gives end users seamless handling: they are forwarded directly to a specific resource.
  • Citrix / Program Neighborhood. Log in to the web front end (in the background!) and put all available applications in the local start menu so that the user can choose from many available resources.

Please note that NoTouch OS configures the entire client for each session. Citrix differentiates between client and session parameters, while NoTouch OS can define everything as session-dependent parameters. This allows you more flexibility, but in rare cases it can lead to problems if several Citrix sessions with conflicting parameters are to be started at the same time.

In the end, it is always the client that makes an ICA connection to a terminal server, regardless of which session mode you are using and which Citrix products you are using.

One thing not mentioned in the list above is the ability to launch a browser on the desktop device and let the user connect through the browser; NoTouch OS regards this as a browser session - see Firefox.

StoreFront connections to XenApp and XenDesktop

Setting up a connection to a Citrix StoreFront portal is really easy. Just follow these simple steps:

  1. Create a connection
  2. Set the parameter to "Citrix / StoreFront"
  3. Set the Citrix StoreFront URL as a parameter.
    • You can also use the Citrix Options parameter instead of the - both parameters work equally well
  4. Make sure the client has access to all required certificates. StoreFront only works over SSL, so the correct root certificates must be installed!

NoTouch displays a selection if more than one published resource is available (otherwise, if there is only one, it will be started without further query). If you'd like to go straight to a resource, please read on below.

Direct access to a specific application or the desktop

If you want to start a specific resource without making a selection:

  • Set the resource in the parameter of the Citrix options, or
  • Make sure that Citrix StoreFront only offers one resource. In this case, NoTouch starts the individual available resource automatically.

Logout time limit

By default, NoTouch closes the StoreFront connection immediately after the published application or desktop is closed. This is what is expected in 99% of all use cases, because you obviously don't want your users to log off a Windows desktop and walk away from the workstation while the StoreFront chooser stays open to others ...

However, if your use case is different, you can change the parameter in the Citrix Options. By default it is 0 (= immediate termination), but any number of seconds is perfectly fine. So if you enter 120, you will give your users two minutes (120 seconds) to choose a different connection from the selection window.

Older Citrix product-specific information

Non-StoreFront XenApp

Logging in to the Citrix web front end enables better load balancing, reconnection and session balancing, since the user first authenticates with the connection broker and then establishes a connection to a specified server. The session modes "Citrix / One application or desktop" and "Citrix / Program Neighborhood" benefit from this:

  1. Create a connection
  2. Set the session type to "Citrix / One application or desktop" or "Citrix / Program Neighborhood"
  3. Save your changes, then navigate to the Citrix sub-category
  4. Set the "Citrix URL" parameter to a URL that contains the host name / IP address under which the web front end is installed, e.g. http://mycitrix.mycompany.com/Citrix/PNAgent/config.xml
    • If possible, always have your Citrix URL refer to a config.xml. You can only abbreviate this if the paths on the server are the standard ones
  5. If you are using "Citrix / One application or desktop" you must write the name of the desired published application in the "Launch Resource" parameter
  6. Save changes

Non-StoreFront XenDesktop

XenDesktop also uses the ICA / HDX protocol and the Citrix web service. The configuration is therefore similar to the configuration of XenApp. (Note that there is a special note below for XenDesktop 7 ...)

  1. Create a connection
  2. Set the connection mode to (depending on what you want to use)
    • "Citrix / One application or desktop" (launch a named desktop)
      • In this case, please write the name of the desktop to be started in the "Launch Resource" parameter. Pay attention to case, space and punctuation
    • "Citrix / Program Neighborhood" (add desktops to the local start menu)
  3. Set the "Citrix URL" parameter in the subtree of the Citrix parameter to the URL on which the Citrix web service is located

There are a few other hints you should pay attention to (mostly these are fulfilled by default, but better safe than sorry):

  • Workplace management must be set to either "none", "disconnected" or "all". This will restore either no sessions (none), only disconnected sessions (disconnected), or all types of sessions (all).
  • The authentication method for the webxml service must be set to "prompt". "Passthrough" is NOT supported by the Linux Citrix Receiver.
  • Make sure that the device is set to a color depth of 24 bits and that the ICA session is also using a color depth of 24 bits.

XenDesktop 7 and higher

In XenDesktop 7 and higher, only the StoreFront interface is active by default. That's perfectly fine: just use the Citrix / StoreFront connection mode (see above). If you want to use other modes that use config.xml, you have to activate the "Legacy Support" according to this screenshot:

Non-StoreFront Access Gateway

The connection through Citrix Access Gateway is generally no different from the connection through XenApp or XenDesktop. However, there are three things to look out for:

  • Configuration of Access Gateway and Citrix URLs. For information on how the Access Gateway can work directly with the Citrix Receiver (i.e. NoTouch), see http://support.citrix.com/article/CTX124937.
  • Citrix URLs: If you only provide a short URL or just a host name, NoTouch will add the default config.xml path for you. Access Gateway installations are more likely to use changed paths, so this automatic completion does not work. You need to provide the exact and correct URL for config.xml.
  • Certificates: If you are using HTTPS (SSL) with a self-signed / private certificate (and not one from a known certification authority), you will need to upload your Root CA certificate to NoTouch. The Citrix Receiver does not provide an option to ignore unverifiable certificates, nor does it offer to accept and store a private certificate for you (as a web browser does). It must be available before the connection can be started, regardless of whether you are connecting via the browser or directly with the Citrix Receiver. Further information on handling certificates in NoTouch can be found here: Certificates

In addition, the Access Gateway must also be configured correctly:

  • It must allow the connection from anywhere (IP / network area)
  • It must be possible to connect from the user account and the user account must be able to connect from this network
  • It must allow connection from a non-Windows computer and a non-domain member
  • Make sure that there are no redirects that only work "inside" the network, and that no private IP addresses are used

The following article might also be helpful: http://www.jasonsamuel.com/2012/04/10/how-to-setup-your-citrix-netscaler-access-gateway-and-web-interface-for-ipads-and-mobile-devices-that-use-citrix-receiver/

Note that your Access Gateway is not necessarily configured correctly just because it works from another client, especially a Windows PC. Especially when testing with external URLs from inside your network, you may see a perfectly working scenario that then fails from outside. You may find that your system is redirecting to internal IP addresses, or find similar causes of errors.

Non-StoreFront NetScaler

There is generally no difference between connecting with or without NetScaler. However, there are three things to look out for:

  • Configuration of NetScaler and PNAgent Service. For information on configuring the PNAgent service (config.xml) on the NetScaler, see http://support.citrix.com/article/CTX133771
  • Citrix URLs: If you only enter a short URL or just a host name, NoTouch will add the default config.xml path for you. NetScaler installations are more likely to use changed paths, so this automatic completion does not work. You need to provide the exact and correct URL for config.xml.
  • Certificates: If you are using HTTPS (SSL) with a self-signed / private certificate (and not one from a known certification authority), you will need to upload your Root CA certificate to NoTouch. The Citrix Receiver does not provide an option to ignore unverifiable certificates, nor does it offer to accept and store a private certificate for you (as a web browser does). It must be available before the connection can be started, regardless of whether you are connecting via the browser or directly with the Citrix Receiver. Further information on handling certificates in NoTouch can be found here: Certificates

The following article might also be helpful: http://www.jasonsamuel.com/2012/04/10/how-to-setup-your-citrix-netscaler-access-gateway-and-web-interface-for-ipads-and-mobile-devices-that-use-citrix-receiver/

Note that your Access Gateway is not necessarily configured correctly just because it works from another client, especially a Windows PC. Especially when testing with external URLs from inside your network, you may see a perfectly working scenario that then fails from outside. You may find that your system is redirecting to internal IP addresses, or find similar causes of errors.
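The failure mode described in the Access Gateway and NetScaler notes (a setup that works inside the network but hands outside clients internal addresses) can be checked offline against a saved server response. This is an added example, not NComputing or Citrix code; the sample responses, element names and placeholder paths are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def classify_host(host):
    """Classify a URL host as internal-ip, public-ip, single-label or fqdn."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal. A name without a dot (NetBIOS/WINS style)
        # normally cannot be resolved by a client outside the network.
        return "fqdn" if "." in host else "single-label"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal-ip"
    return "public-ip"


def internal_references(text):
    """Return sorted (url, reason) pairs for URLs an outside client cannot reach."""
    findings = set()
    for url in URL_RE.findall(text):
        try:
            host = urlsplit(url).hostname
        except ValueError:
            continue  # malformed URL, nothing to classify
        if not host:
            continue
        kind = classify_host(host)
        if kind in ("internal-ip", "single-label"):
            findings.add((url, kind))
    return sorted(findings)


# Constructed sample: a saved response body with simplified element names.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/xml

<Config>
  <Enumeration><Location>https://gateway.example.com/Citrix/PNAgent/config.xml</Location></Enumeration>
  <Launch><Location>http://10.20.30.40/placeholder/launch</Location></Launch>
  <Reconnect><Location>http://CTXWEB01/placeholder/reconnect</Location></Reconnect>
</Config>
"""

# Constructed sample: a redirect that points an outside client at an internal address.
SAMPLE_REDIRECT = (
    "HTTP/1.1 302 Found\n"
    "Location: https://192.168.1.15/Citrix/PNAgent/config.xml\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE, SAMPLE_REDIRECT):
        for url, reason in internal_references(sample):
            print(f"{reason:13} {url}")
```

Run it against responses captured from outside the network; any finding means the gateway or web interface is still handing out addresses that only work internally.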

Older VDI-in-a-Box

VDI-in-a-Box was discontinued by Citrix a long time ago and therefore NoTouch support has also expired. This information is provided as a courtesy only. For VDI-in-a-Box connections you would also use the Citrix Receiver - as described in this article. Use the connection mode "Citrix / One application or desktop". The only notable difference is that the URL to config.xml looks a little different - please see the relevant article on VDI-in-a-Box connections: VDI-in-a-Box

Legacy systems - "Presentation Server", "MetaFrame"

There are three other "direct" Citrix modes that were used with previous Citrix products such as MetaFrame and Presentation Server. Most users use either the web browser or XenApp / XenDesktop mode (see above).

  • Legacy Citrix / ICA connect. Run a single ICA session for a host or published application. This was the primary mode for Citrix Terminal Servers prior to XenApp / XenDesktop, primarily in Presentation Server deployments. Nowadays most people opt for one of the other modes.
  • Legacy Citrix / Built-in PNAgent view. Log in to the web front end (in the background!) and run the so-called "PNAgent view on Linux" - a window with icons for various applications. The PNAgent mode uses the Citrix Receiver's own user interface. For a nicer display, we recommend using Citrix / One application or desktop or Citrix / Program Neighborhood.
  • Legacy Citrix / ICA configurator. Run the Citrix configuration dialog (basically the wfcmgr binary, if you are familiar with the Citrix Receiver for Linux). If you run an ICA client on a normal Linux, you would see exactly that, but we advise against this use, because Citrix / One application or desktop or Citrix / Program Neighborhood is easier to handle.

The availability of these modes also depends on the Citrix client version used. The RX-HDX Thin Client is supplied with the Citrix Client 13.x and higher. This only allows "Legacy Citrix / ICA connect".

For the easiest ICA connection, do the following (in NoTouch or NoTouch Center):

  1. Create a connection
  2. Set the session type to "Legacy Citrix / ICA connect"
  3. Set "Connection target" to the host name of a Citrix-enabled terminal server (= XenApp server)
  4. Save changes

Web browser

You can use your local Firefox browser to connect to Citrix servers. In this case, just add a "browser" connection. Your users can log in and start the applications through the Citrix Web user interface.

Make sure that the server does not try to use the Java client - NoTouch OS has integrated the native client and reports this to the server. So you shouldn't download the Java client.

Note: In order to be able to use all functions such as drive mapping, you may have to run Firefox with "root" permissions. To do this, please go to Connection Options, Advanced, and check "Force to run as root". Please read the Firefox article to understand the implications.

Help! No full screen!

The connection modes Citrix / One application or desktop and Citrix / Program Neighborhood, as well as connecting to Citrix through the browser, mean that the actual session specification is created on the server. This includes, for example, the window size. It is not possible to change such settings from the client side - you have to do this in the Citrix management console, e.g. set the "window size" to "fullscreen".

Multi-monitor / dual-screen operation

The Citrix Receiver automatically uses multiple monitors and reports the screen geometry to the server. Please make sure that the multi-monitor support works. Further information can be found here: Multi-monitor operation with NoTouch

Two parameters influence the dual monitor / multi-monitor behavior - the effects of these parameters are exclusive to Citrix and can change with different versions of the Citrix client:

  • Use Screens (Span)
    • Default. This is the default. All available monitors are used, if any.
    • All. Forces all monitors to be used.
    • No setting. NoTouch will not set this parameter at all when starting the Citrix client.
    • Custom. The values from the "User-defined span parameter" parameter are adopted.
  • User-defined span parameter (only if "Use screens" is set to "Custom"). The following excerpt is from the Citrix manual:
-span [h][o][a|mon1[,m2[,m3,m4]]] Set monitor spanning of full-screen sessions.

For most users, the default settings will suffice for both single and dual monitor setups.

HTTPS / SSL and certificates

If you are using private certificates, you will need to add your own certificate. For more information, see the documentation on certificates.

The Citrix Receiver for Linux cannot simply ignore certificate checking. This is a Citrix limitation.

USB forwarding

By default, USB forwarding is switched on and USB devices are automatically forwarded to the server. So-called HIDs (human interface devices such as keyboards, mice, but also devices that emulate mice such as digital dictation foot pedals) are not forwarded, but treated locally and brought to the VDI desktop as keystrokes and mouse movements.

There are two parameters that must both be enabled for USB forwarding to work (yes, both are enabled by default):

  • "Citrix USB Forwarding" in the "Services" section
  • "Generic USB Forwarding" in the "ICA parameters" section of the current connection.

Citrix USB forwarding is a system service and can therefore be configured using the "Services" parameter, but not using the Citrix ICA connection parameters. The start behavior is controlled via the parameter "Start Citrix USB Forwarder". It has the following options:

  • with Citrix session. This is the default. Only start Citrix USB forwarding if a Citrix connection is configured.
  • off. Do not start Citrix USB forwarding.
  • on. Start Citrix USB forwarding after the system has started.

In addition, you can allow or deny certain devices by setting the parameters "Allow devices" and "Prohibit devices" in the "Services" / "Citrix USB" parameters. These parameters change the Citrix usb.conf file directly and therefore only accept the original Citrix syntax [1]. Multiple stanzas, each describing a device, can be added to this parameter, separated by commas. A stanza consists of tags, which in turn have the form TAG=VALUE. Accepted tags are:

  • VID. Vendor ID from the device description
  • REL. Release ID from the device description
  • PID. Product ID from the device description
  • Class. Class, either from the device description or an interface description
  • SubClass. SubClass, either from the device description or an interface description
  • Prot. Protocol, either from the device description or an interface description

Valid examples for one of the two parameters are:

  • VID=1460 PID=0008
  • Class=07 SubClass=06

The information page of the local configuration application shows you information about USB devices. Here you can determine the VID or PID, for example. Users who have an affinity for command line commands will prefer the command "lsusb", also in the form "lsusb -v".

Refer to the original Citrix documentation for more information. Changes to these parameters require a restart to become active.
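Because a mistyped stanza only shows up after a restart, it helps to check "Allow devices" and "Prohibit devices" values before deploying them. The following is an added example, not NComputing or Citrix code: it parses the comma-separated TAG=VALUE stanzas described above and reports whether a given device is mentioned by either list. It assumes 4 hex digits for VID/PID/REL, 2 hex digits for Class/SubClass/Prot, case-insensitive tag names, and that all tags in a stanza must match; the sample device is constructed.

```python
import re

# Tags the page lists as accepted, with the hex width assumed for each value.
WIDTH = {"VID": 4, "REL": 4, "PID": 4, "Class": 2, "SubClass": 2, "Prot": 2}
CANON = {tag.lower(): tag for tag in WIDTH}
IFACE_TAGS = ("Class", "SubClass", "Prot")


def parse_stanzas(param):
    """Parse a parameter value into (stanzas, errors).

    Each valid stanza becomes a dict mapping tag -> lowercase hex value."""
    stanzas, errors = [], []
    for idx, raw in enumerate(param.split(","), start=1):
        # Accept "TAG = VALUE" as well as "TAG=VALUE".
        tokens = re.sub(r"\s*=\s*", "=", raw.strip()).split()
        if not tokens:
            errors.append(f"stanza {idx}: empty")
            continue
        stanza, bad = {}, False
        for tok in tokens:
            name, sep, value = tok.partition("=")
            tag = CANON.get(name.lower())
            if not sep or tag is None:
                errors.append(f"stanza {idx}: unknown tag {tok!r}")
                bad = True
            elif not re.fullmatch(r"[0-9A-Fa-f]{%d}" % WIDTH[tag], value):
                errors.append(f"stanza {idx}: {tag} needs {WIDTH[tag]} hex digits")
                bad = True
            elif tag in stanza:
                errors.append(f"stanza {idx}: {tag} given twice")
                bad = True
            else:
                stanza[tag] = value.lower()
        if not bad:
            stanzas.append(stanza)
    return stanzas, errors


def stanza_matches(stanza, device):
    """True if every tag in the stanza matches the device.

    Class/SubClass/Prot may match the device description or any one
    interface description (assumed: all from the same description)."""
    for tag in ("VID", "PID", "REL"):
        if tag in stanza and stanza[tag] != device.get(tag, "").lower():
            return False
    wanted = {t: stanza[t] for t in IFACE_TAGS if t in stanza}
    if not wanted:
        return True
    descriptors = [device] + device.get("interfaces", [])
    return any(all(d.get(t, "").lower() == v for t, v in wanted.items())
               for d in descriptors)


def audit(allow_param, deny_param, device):
    """Report which list(s) mention the device, plus any syntax errors."""
    allow, allow_err = parse_stanzas(allow_param) if allow_param else ([], [])
    deny, deny_err = parse_stanzas(deny_param) if deny_param else ([], [])
    allowed = any(stanza_matches(s, device) for s in allow)
    denied = any(stanza_matches(s, device) for s in deny)
    return {"allowed": allowed, "denied": denied,
            "conflict": allowed and denied, "errors": allow_err + deny_err}


# Constructed sample device, using the kind of values "lsusb -v" reports.
SAMPLE_DEVICE = {
    "VID": "1460", "PID": "0008", "REL": "0100",
    "Class": "00", "SubClass": "00", "Prot": "00",
    "interfaces": [{"Class": "07", "SubClass": "06", "Prot": "50"}],
}

if __name__ == "__main__":
    print(audit("VID=1460 PID=0008", "Class=07 SubClass=06", SAMPLE_DEVICE))
    print(parse_stanzas("VID=146 PID=0008, Vendor=1460"))
```

A device reported with "conflict" is named by both lists; resolve that in the configuration rather than relying on how the Receiver orders the rules.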

HDX and multimedia support

In the section "HDX / Multimedia" (a subsection of the Citrix parameter "ICA"), various aspects of the multimedia support of the ICA / HDX protocol can be configured.

HDX RealTime webcam video compression

HDX RealTime Webcam Video Compression needs audio input to be enabled both on client and server to work. NoTouch typically has audio input ("microphone in") disabled by default, so you have to turn this on. Besides that, no extra switch is necessary to enable HDX RealTime Webcam Video Compression, but there's still an extra switch to force the redirection, "HDX RealTime webcam video compression".

HDX RealTime Media Engine (RTME)

The Citrix HDX RealTime Media Engine (RTME) is the client-side component of the Citrix HDX RealTime Optimization Pack for Skype for Business. To enable Skype for Business, both the client side and the server side must be properly configured. On the client side, the RX-HDX thin client is supplied with an integrated RTME (firmware version 2.40.2670 and higher). The HDX RealTime Media Engine is deactivated by default and must be activated for the Citrix connection in order to optimize Skype for Business. This can be done under Connection → Citrix → HDX / Multimedia settings by setting the parameter “HDX Realtime Media Engine (Skype for Business)” to “on” (see figure below).

The Citrix HDX RealTime Connector must also be installed on the server side (see figure below). The RealTime Connector starts when the Skype for Business front-end application starts and communicates with the HDX RealTime Media Engine on the end-user device.

The Citrix HDX RealTime Media Engine and the Citrix HDX RealTime Connector should ideally have suitable connections. If all the prerequisites are met, the Connector and Media Engine should connect and exchange some information, as shown in the figure below.

Please check the supported Skype for Business versions in this article to ensure compatibility with the HDX RealTime Optimization Pack: https://docs.citrix.com/en-us/hdx-optimization/2-4-ltsr/system-requirements.html

As soon as the HDX RealTime Optimization Pack is set up, the audio and video devices connected to the RX-HDX thin client are listed locally by RTME (i.e. not redirected from the client to the VDA). The audio and video settings can be changed directly in the Skype for Business settings menu.

HDX 3D Pro GPU / H.264 acceleration

HDX 3D Pro GPU / H.264 acceleration is activated by default. Switch it off by setting the "HDX 3D Pro GPU / H.264 acceleration" parameter to "off".

If you are having session resolution issues while HDX 3D Pro is active, please see the following article:

http://support.citrix.com/article/CTX131501

Printing

You can easily print with Citrix in NoTouch. Please refer to our printer configuration page.

Expired passwords

The Citrix Receiver for Linux has a feature that allows users to enter a new password when it has expired. This must be done before you log in. This functionality also only needs to be configured correctly - set these two parameters:

  • Kerberos KDC Server (Domain Controller Name). This must be a DNS host name or an IP address of the domain controller. Please make sure that the host name can be resolved via DNS (i.e. it is not just a Windows / WINS name). A simple test is to ping the name from the console of a NoTouch system or another non-Windows system such as a Mac.
  • Kerberos KDC Realm (Domain Name). Set this to the domain name of your AD domain.

Note that NoTouch systems are not members of the AD domain. For this reason, you have to provide these parameters to NoTouch, which in turn passes them on to the Citrix Receiver.

Smart card support

Citrix can forward smart card readers and use them for login purposes. US customers benefit from CAC card support. In this case, you must not forward the smart card reader using generic USB forwarding. The following are instructions on how to properly configure smart card support:

  1. Activate the "Smartcard service (PCSCD)" in the "Services" options
    • In most cases, the default settings for the smart card driver parameter are fine. Some readers need the Omnikey setting, not just Omnikey readers. You may need to experiment with it a little or contact support.
  2. Set the "Smartcard login" parameter in the Citrix parameters to "on"

Note: For XenDesktop, do not try to use the generic USB forwarding mechanism to forward the smart card reader (this is not a standard, you would have to play around with the settings). The disadvantage is that you cannot use the reader for login purpose. It would work to forward a reader to the session (i.e. without logging in) if that is what you want.

Advanced configuration

NoTouch comes with reasonable default values and should include all of the Citrix options used by 99% of people. NoTouch includes an easy-to-use method for modifying Citrix INI files: Citrix Receiver configuration files

In addition, you can completely rewrite the files used to generate the Citrix configuration. That would work with the submission mechanism.

Select the Citrix Receiver version

Most NoTouch images contain at least two versions of Citrix Receiver. Yes, you read that right, two different versions of the Citrix product so you can choose the one that better suits your use case. The newer client is used by default.

To switch to an alternative version of the Citrix Receiver, use the "Client Version" parameter (if available) in the Citrix Options. You may have to scroll down a bit to find it, it's pretty far down.

Proxy settings

The Citrix Receiver can connect via a proxy server. Although these parameters may seem obvious, it is important to note that if you set the "Use Firefox proxy settings" parameter to "on", the Citrix Receiver inherits the Firefox proxy settings of the same connection, that is, exactly the NoTouch settings that you made in the "Firefox" parameters.

Of course, you can configure the proxy settings directly and even specify that they are inherited from the system-level proxy settings. Here are the parameters in detail:

  • Use Firefox proxy settings. If this option is activated, all following parameters are ignored and the Firefox configuration parameters of the same connection are evaluated.
  • Proxy type. Master switch denoting the kind of proxy configuration used:
    • No setting. Don't mention anything about proxy in the Citrix configuration files.
    • None. No proxy is used
    • System settings. The system-level proxy settings are used.
    • Auto config (script). The system downloads a .pac file from the "Proxy autoconfig URL" and evaluates it.
    • Secure host. Think of this type as "manual configuration". The system uses the parameter "Proxy hostname" and the "proxy bypass list".
    • SOCKS. Uses the "proxy hostname" as the SOCKS proxy.
  • Proxy hostname. Host name: Port combination of the proxy server to be used. It must be configured to accept HTTPS traffic.
  • Proxy bypass list. A comma-separated list of host names and IP addresses that the receiver always contacts directly.
  • Proxy autoconfig url. A URL to the .pac file that provides the automatic proxy configuration when the "Proxy type" parameter is set to "Auto config (Script)".
  • Fallback to direct if no autoconfig received. If the Autoconfig URL (see above) cannot be reached, Receiver will establish a connection directly. This can be useful when traveling.

Citrix considerations

Citrix has many options, and some combinations can have strange effects. Most people are fine with the default settings; in fact, NComputing recommends changing something only when a) it is necessary and b) you have been advised to do so. NComputing cannot provide support for installing Citrix. Make sure you have a Citrix professional on hand when troubleshooting.

For more information, see Citrix Receiver for Linux 13.4 eDocs - You can skip the part about installation and integration as this is already done in NoTouch.

Please also note the Citrix Receiver Feature Matrix.


If something does not work as expected, always open a Citrix support case before contacting NComputing.