Thursday, July 26, 2018

Manually creating a Service Principal for XenDesktop Essentials

I have been looking at the customer experience around XenDesktop Essentials lately, and I have helped a few customers with issues around defining their Service Principal accounts.

Backing up a bit: what is this Service Principal account, and what is it used for?

The Service Principal is the username and secret that Citrix Cloud uses to talk to the Azure API and perform machine lifecycle actions (create, start, stop, delete) in your Azure Subscription.

You could call it a delegated user, or an application user, or simply an application account.
The Service Principal is not a new concept in the enterprise world.  In my background we always created very restricted user accounts for use by applications, granting only those permissions that were necessary for the application to perform its functions.

I know there is guidance on using various PowerShell scripts to do this.  But quite honestly, it is so few clicks in the Azure Portal, you might as well do it there.  Far less hassle than installing the Azure cmdlets.

Plus, by doing it this way you can quickly identify whether you have the necessary permissions, and either get that fixed or hand the task to the person who can do it.

First, log in to the Azure account that Citrix will be deploying workstations to.
Next, make sure that you have a subscription container for the Citrix resources and a Virtual Network for the workstations to use, all ready to go.


Create the App Registration / Service Principal
  1. Select the Azure Active Directory blade in the Azure account
  2. Select App registrations
  3. Select Add +
  4. Enter a name, leave the application type as Web app / API, and enter a Sign-on URL such as https://localhost/xde
  5. Select Create

Grant it permission to interact with the Azure API for your account
  1. Once the registration is created, select it to view its settings
  2. Select Required permissions
  3. Select Windows Azure Active Directory
  4. Select Sign in and read user profile
  5. Select Read all users' basic profiles
  6. Select Save
  7. Select Add, then Select an API, choose Windows Azure Service Management API, and click Select
  8. Select Access Azure Service Management as organization users
  9. Select Select
  10. Select Done

Add a Key (the secret)
  1. In the Settings, select Keys
  2. Enter a Key description and select a duration
  3. Select Save
  4. Copy the Value of the key (this value is required when the Service Principal is used with Citrix Cloud, and the portal warns that you can never see this key again)

Grant the Service Principal access to the Subscription for Citrix resources
  1. Select the Billing blade
  2. Select the Subscription that you would like Citrix Cloud to be using
  3. Select Access control
  4. Select + Add
  5. Under Role, select Contributor
  6. Under Select, type in the name of the App Registration you created (mine was xendesktop)
  7. Select the Azure AD user
  8. Select Save
At this point the Service Principal information can be handed off to your Citrix Administrator for establishing the Host connection to Azure in the Citrix Cloud portal.
When adding the connection, select the Use existing option.

They will need:
  • the Subscription UUID
  • the Active Directory ID
  • the Application ID
  • the Application secret (the value that I mentioned you had to copy and save)
If you return to the Azure Active Directory blade and select Properties, you will find the Directory ID.
Then select App registrations and select the one you created to find the Application ID.
The Subscription ID is back under the Billing blade.
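For anyone who does want the scripted route the post mentions, here is the same procedure (app registration, key, Contributor on one subscription, and the four values the Citrix administrator needs) in the Az PowerShell module. This is an added example and is not code from the original post or from Citrix; it assumes Az.Accounts and Az.Resources are installed, that you have already run Connect-AzAccount as someone who can create app registrations and assign roles, and the subscription ID and display name are placeholders for you to replace. The delegated API permissions from the second list above are left as portal steps and are not granted by this script.

```powershell
# Added example, not from the original post. Creates the Service Principal for
# XenDesktop Essentials with the Az module and scopes Contributor to one subscription.
# Prerequisites (assumed): Az.Accounts + Az.Resources installed, Connect-AzAccount already run.
$AppName        = 'xendesktop'                               # same display name the post used
$SubscriptionId = '00000000-0000-0000-0000-000000000000'     # PLACEHOLDER: the subscription for Citrix
$SecretLifetime = 365                                        # days; the "duration" chosen in the Keys blade

Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

# 1. App registration plus its service principal (portal: App registrations > Add)
$app = New-AzADApplication -DisplayName $AppName
$sp  = New-AzADServicePrincipal -ApplicationId $app.AppId

# 2. The key / client secret. As the portal warns, the value is only shown once,
#    so capture it now and hand it over through a secrets store, not e-mail.
$cred   = New-AzADAppCredential -ApplicationId $app.AppId -EndDate (Get-Date).AddDays($SecretLifetime)
$secret = $cred.SecretText

# 3. Contributor on this subscription only (portal: Subscription > Access control > Add).
#    A freshly created principal can take a little while to replicate, so retry briefly.
$scope = "/subscriptions/$SubscriptionId"
$attempt = 0
do {
    try {
        New-AzRoleAssignment -ApplicationId $app.AppId -RoleDefinitionName 'Contributor' -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        $assigned = $false
        $attempt++
        Start-Sleep -Seconds 10
    }
} until ($assigned -or $attempt -ge 6)
if (-not $assigned) { throw "Role assignment did not succeed after $attempt retries" }

# 4. Check: the principal should hold exactly one assignment here, and it should be Contributor
$assignments = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $scope
if (@($assignments).Count -ne 1 -or $assignments[0].RoleDefinitionName -ne 'Contributor') {
    Write-Warning "Unexpected role assignments for $AppName at $scope :"
    $assignments | Format-Table RoleDefinitionName, Scope
}

# 5. The four values the Citrix administrator needs for the Host connection
[pscustomobject]@{
    SubscriptionId    = $SubscriptionId            # Subscription UUID
    DirectoryId       = (Get-AzContext).Tenant.Id  # Active Directory (tenant) ID
    ApplicationId     = $app.AppId                 # Application ID
    ApplicationSecret = $secret                    # Application secret (shown once)
}
```

Scoping the role to `/subscriptions/<id>` rather than a management group or the whole tenant is the same least-privilege choice the portal steps make, and step 4 is the check worth keeping: if the principal picks up any assignment beyond Contributor on that one subscription, something other than this procedure granted it.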
