Ubuntu Citrix VDA installation with FAS enabled

After repeated unsuccessful VDA installations on RedHat (Invalid Login), I had to try another OS. Let's go for Ubuntu Desktop 22.04.3.

Ubuntu Desktop installation 22.04.3

You can download the ISO here:

Download Ubuntu Desktop | Download | Ubuntu

The installation is straightforward and very simple.

Click on Install Ubuntu
Choose your keyboard language and click on Continue
Use the preferred options and click on Continue
Click on Install Now
Click on Continue, and after a few minutes you're done

Before we begin, make sure

To check the hostname of this machine:

hostname -f # should give you the FQDN; if not, follow the next lines
sudo nano /etc/hostname # write your hostname here without the domain and save
sudo nano /etc/hosts # one line should read "127.0.0.1 hostname-fqdn hostname localhost", then save

To disable multicast DNS:

sudo nano /etc/nsswitch.conf
Change:
hosts: files mdns_minimal [NOTFOUND=return] dns
To:
hosts: files dns
and save
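
The two name-resolution edits above can be verified with a short script before going further. This is an added example, not part of the original post or of any Citrix tooling; the helper name check_name_resolution is hypothetical, and it checks exactly the /etc/hosts layout described above.

```sh
#!/bin/sh
# Added example: check the hostname and nsswitch settings edited above.
# check_name_resolution is a hypothetical helper, not a Citrix tool.
# Usage: check_name_resolution NSSWITCH_FILE HOSTS_FILE FQDN
check_name_resolution() (
    nsswitch=$1 hosts=$2 fqdn=$3
    short=${fqdn%%.*}
    rc=0

    # The name reported by "hostname -f" must contain a domain part.
    case "$fqdn" in
        *.*) ;;
        *) echo "PROBLEM: '$fqdn' is not fully qualified"; rc=1 ;;
    esac

    # nsswitch.conf: the hosts line must not reference any mdns module.
    hosts_line=$(grep -E '^[[:space:]]*hosts:' "$nsswitch" | tail -n 1)
    case "$hosts_line" in
        '') echo "PROBLEM: no hosts: line in $nsswitch"; rc=1 ;;
        *mdns*) echo "PROBLEM: multicast DNS still enabled: $hosts_line"; rc=1 ;;
    esac

    # hosts file: a 127.0.0.1 line must list the FQDN first, then the short name.
    if ! awk -v fqdn="$fqdn" -v short="$short" '
            { sub(/#.*/, "") }                       # drop comments
            $1 == "127.0.0.1" && $2 == fqdn {
                for (i = 3; i <= NF; i++) if ($i == short) found = 1
            }
            END { exit (found ? 0 : 1) }' "$hosts"; then
        echo "PROBLEM: $hosts has no '127.0.0.1 $fqdn $short ...' line"; rc=1
    fi
    [ "$rc" -eq 0 ]
)

# Check the live files of this machine.
check_name_resolution /etc/nsswitch.conf /etc/hosts "$(hostname -f 2>/dev/null)" \
    && echo "name resolution settings look fine" || true
```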

Installation of all the prerequisites

You will thank me later for this one, there are a few...

sudo apt update
sudo apt install openjdk-11-jdk imagemagick libgtkmm-3.0-1v5 ufw ubuntu-desktop libxrandr2 libxtst6 libxm4 util-linux gtk3-nocsd bash findutils sed cups libmspack0 ibus libgoogle-perftools4 libpython3.10 libsasl2-modules-gssapi-mit libnss3-tools libqt5widgets5 libqrencode4 libimlib2 libsasl2-2 libsasl2-modules-gssapi-mit libldap-2.5-0 krb5-user libgtk2.0-0

SQLite installation

This is used to store all the information the VDA needs to connect, the applied policies, etc.

sudo apt-get install -y sqlite3

PBIS installation and domain join

This allows the computer to be joined to the Active Directory domain.

sudo wget https://github.com/BeyondTrust/pbis-open/releases/download/9.1.0/pbis-open-9.1.0.551.linux.x86_64.deb.sh
sudo chmod +x pbis-open-9.1.0.551.linux.x86_64.deb.sh
sudo sh pbis-open-9.1.0.551.linux.x86_64.deb.sh
sudo /opt/pbis/bin/domainjoin-cli join yourdomain.local adminuser
sudo reboot

DotNet runtime installation

You can download it here. Pick the latest ASP.NET Core Runtime version, binaries, x64.

Download .NET 6.0 (Linux, macOS, and Windows)
sudo mkdir /opt/dotnet
sudo tar zxvf aspnetcore-runtime-6.0.26-linux-x64.tar.gz -C /opt/dotnet 

Citrix Linux VDA installation

You need to download it from here:

Download Citrix Virtual Apps and Desktops - Citrix
sudo dpkg -i /yourpath/xendesktopvda_23.11.0.66-1.ubuntu22.04_amd64.deb
sudo apt-get install -f
sudo nano /etc/xdl/db.conf # replace PostgreSQL with SQLite and save

And then we can proceed to the configuration

export CTX_XDL_NON_DOMAIN_JOINED='n'
export CTX_XDL_AD_INTEGRATION=pbis
export CTX_XDL_DDC_LIST='fqdndeliverycontroller1 fqdndeliverycontroller2'
export CTX_XDL_VDI_MODE='y'
export CTX_XDL_HDX_3D_PRO='n'
export CTX_XDL_START_SERVICE='y'
export CTX_XDL_REGISTER_SERVICE='y'
export CTX_XDL_ADD_FIREWALL_RULES='y'
export CTX_XDL_DESKTOP_ENVIRONMENT='<none>'
export CTX_XDL_DOTNET_RUNTIME_PATH='/opt/dotnet'
export CTX_XDL_VDA_PORT='80'
export CTX_XDL_SITE_NAME='<none>'
export CTX_XDL_LDAP_LIST='<none>'
export CTX_XDL_SEARCH_BASE='<none>'
export CTX_XDL_SUPPORT_DDC_AS_CNAME='y'
export CTX_XDL_FAS_LIST='fqdnfasserver'
sudo -E /opt/Citrix/VDA/sbin/ctxsetup.sh
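
A stray space or a typo in one of these exports only shows up later as a misconfigured VDA, so it is worth validating the environment before calling ctxsetup.sh. The script below is an added example, not part of the original post or of the Citrix package; check_ctx_env and its rules are hypothetical and cover only the variables and value shapes used on this page (y/n flags, non-empty strings, FQDN lists).

```sh
#!/bin/sh
# Added example: validate the CTX_XDL_* variables before running ctxsetup.sh.
# check_ctx_env and its rules are illustrative, not part of the Citrix package.
check_ctx_env() (
    set -f                      # no globbing while splitting the host lists
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
    get() { eval "printf '%s' \"\${$1-}\""; }

    # Settings that this page sets to y or n.
    for name in CTX_XDL_NON_DOMAIN_JOINED CTX_XDL_VDI_MODE CTX_XDL_HDX_3D_PRO \
        CTX_XDL_START_SERVICE CTX_XDL_REGISTER_SERVICE \
        CTX_XDL_ADD_FIREWALL_RULES CTX_XDL_SUPPORT_DDC_AS_CNAME; do
        case "$(get "$name")" in
            y|n) ;;
            *) fail "$name must be y or n" ;;
        esac
    done

    # Settings that must not be empty. Writing "export VAR= 'value'" (space
    # after the =) exports VAR as an empty string, which this loop reports.
    for name in CTX_XDL_AD_INTEGRATION CTX_XDL_DESKTOP_ENVIRONMENT \
        CTX_XDL_DOTNET_RUNTIME_PATH CTX_XDL_SITE_NAME CTX_XDL_LDAP_LIST \
        CTX_XDL_SEARCH_BASE CTX_XDL_DDC_LIST CTX_XDL_FAS_LIST; do
        [ -n "$(get "$name")" ] || fail "$name is unset or empty"
    done

    # The VDA port must be a number between 1 and 65535.
    port=$(get CTX_XDL_VDA_PORT)
    case "$port" in
        ''|*[!0-9]*) fail "CTX_XDL_VDA_PORT is not a number" ;;
        *) { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } ||
               fail "CTX_XDL_VDA_PORT is out of range" ;;
    esac

    # Controllers are space-separated, FAS servers semicolon-separated.
    # Assumption: every entry is an FQDN; '<none>' is the FAS placeholder.
    for host in $(get CTX_XDL_DDC_LIST) $(get CTX_XDL_FAS_LIST | tr ';' ' '); do
        case "$host" in
            '<none>') ;;
            *[!A-Za-z0-9.-]*) fail "'$host' has characters not valid in a hostname" ;;
            *.*) ;;
            *) fail "'$host' is not fully qualified" ;;
        esac
    done
    [ "$problems" -eq 0 ]
)
# Run against the current shell environment (after the exports above).
check_ctx_env && echo "CTX_XDL_* settings look sane" || true
```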

You can make sure everything is fine by running:

sudo systemctl status ctxvda.service ctxhdx.service
Green is good, yellow or red are not ;)

And of course I got the fucking Invalid Login message ! 😠

Let's check the logs now. The log files related to the VDA are located in /var/log/xdl

user@ubuntu01:~$ sudo tail -f /var/log/xdl/jproxy.log
2024-01-26 15:24:13.267 [INFO ] [1] - Krb5 ticket cache file spec: /tmp/krb5cc_<uid>
2024-01-26 15:24:13.371 [INFO ] [19] - [VDA POLICY]: Start Ldap proxy Server.
2024-01-26 15:24:13.392 [INFO ] [20] - Start kerberos proxy server.
2024-01-26 15:24:13.397 [WARN ] [15] - FASProxyServer.prepareFasServer: failed to prepare FAS Server. Please confirm if FAS Server is configured correctly. If you are not using FAS, please ignore this warning.
2024-01-26 15:24:16.401 [INFO ] [34] - Listening on /var/xdl/.cbpcontroller for incoming data..
2024-01-26 15:24:16.401 [INFO ] [34] - Start CBP Proxy Server.
2024-01-26 15:24:16.402 [INFO ] [34] - Clean the sock file if it exist
2024-01-26 15:24:16.402 [INFO ] [34] - Listening for incoming data...
2024-01-26 15:24:16.402 [INFO ] [34] - Modify sock file attr
2024-01-26 15:24:42.916 [INFO ] [18] - LdapServerMonitor.checkLdapServer start wait timer event occur
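
Instead of reading the tail by eye, the same log can be scanned for the FAS failure, optionally only from a given time onward (for example after FAS has been reconfigured and the services restarted). This is an added example, not part of the original post or of the VDA; jproxy_fas_failures is a hypothetical helper, it matches only the FAS message quoted above, and the ERROR level is an assumption since the excerpt shows only INFO and WARN.

```sh
#!/bin/sh
# Added example: scan a jproxy.log (format as shown above) for FAS failures.
# jproxy_fas_failures is a hypothetical helper, not shipped with the VDA.
# Usage: jproxy_fas_failures LOGFILE ["YYYY-MM-DD HH:MM:SS"]
# Returns 1 if the FAS failure quoted on this page appears at or after the
# optional timestamp; WARN lines (and ERROR, assumed to exist) are listed.
jproxy_fas_failures() {
    awk -v since="${2:-}" '
        ($1 " " $2) < since { next }       # timestamps sort as plain strings
        /\[(WARN|ERROR) *\]/ { flagged++; print "  " $0 }
        index($0, "FASProxyServer.prepareFasServer: failed") {
            fas++; last = $1 " " $2
        }
        END {
            printf "flagged=%d fas_failures=%d\n", flagged, fas
            if (fas) { print "last FAS failure: " last; exit 1 }
        }' "$1"
}

# Demo on three lines taken from the log excerpt above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2024-01-26 15:24:13.392 [INFO ] [20] - Start kerberos proxy server.
2024-01-26 15:24:13.397 [WARN ] [15] - FASProxyServer.prepareFasServer: failed to prepare FAS Server. Please confirm if FAS Server is configured correctly. If you are not using FAS, please ignore this warning.
2024-01-26 15:24:16.401 [INFO ] [34] - Start CBP Proxy Server.
EOF
jproxy_fas_failures "$sample" || echo "=> FAS setup needs attention"
jproxy_fas_failures "$sample" "2024-01-26 15:24:14" && echo "=> clean since 15:24:14"
rm -f "$sample"
```

On the VDA itself the log needs root to read, so run it as root against /var/log/xdl/jproxy.log.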

OK, so there is something wrong with the FAS initial setup. Let's redo this part by executing this script:

sudo bash /opt/Citrix/VDA/sbin/ctxfascfg.sh

Result:

ctxfascfg.sh sets up Federated Authentication Service for the Linux VDA, which includes the automatic installation of
the necessary packages and changes to the configuration files.
Step 1: Check the current OS platform.
  The platform is ubuntu. [Pass]
Step 2: Get the Active Directory integration method.
Step 3: Install dependent packages.
 [Success]
Step 4: Configure krb5.conf.
The Federated Authentication Service (FAS) servers are configured through AD Group Policy. But because
the Linux VDA does not support AD Group Policy, you can provide a semicolon-separated list of FAS servers instead.
Caution 1: The sequence must be the same as configured in AD Group Policy.
Caution 2: If any server address is removed, you must fill its blank with the '<none>' string and keep the
index of server addresses without any changes.
If required, please specify the list of FAS servers (e.g., fasserver.company.com): fqdnfasserver
  Specify the KDC hostname:fqdndomaincontroler
  Specify the path to store the root CA certificate and all intermediate certificates) (e.g., /etc/pki/CA/certs/):/etc/pki/CA/certs/
  /etc/krb5.conf configuration finished.
Step 5: Configure PAM ctxfas. [Success]
ctxfascfg.sh finished successfully. Federated Authentication Service is ready.

Don't forget to put your root CA certificate in the /etc/pki/CA/certs folder beforehand.

Let's try again :

at last

It's all good, after reboot it's still good.

I don't understand what the hell is wrong with RedHat VDA installation, never got it to work with RedHat 8 and 9....