Note:
XenServer uses Likewise (Likewise uses Kerberos) to authenticate the AD user in the AD server,
and to encrypt communications with the AD server.
How does XenServer manage the machine account password for AD integration?
Similarly to Windows client machines, Likewise automatically updates the machine account password, renewing
it once every 30 days, or as specified in the machine account password renewal policy in the AD server. For more
information, refer to http://support.microsoft.com/kb/154501.

Enabling external authentication on a pool

External authentication using Active Directory can be configured using either XenCenter or the CLI using the
command below.
xe pool-enable-external-auth auth-type=AD \
service-name=<full-qualified-domain> \
config:user=<username> \
config:pass=<password>
The user specified needs to have Add/remove computer objects or workstations privileges,
which is the default for domain administrators.
Note:
If you are not using DHCP on the network used by Active Directory and your XenServer hosts,
you can use the following approaches to set up your DNS:
1. Set up your domain DNS suffix search order for resolving non-FQDNs:
xe pif-param-set uuid=<pif-uuid_in_the_dns_subnetwork> \
"other-config:domain=suffix1.com suffix2.com suffix3.com"
2. Configure the DNS server to use on your XenServer hosts:
xe pif-reconfigure-ip mode=static dns=<dnshost>
3. Manually set the primary management interface to use a PIF that is on the same network
as your DNS server:
xe host-management-reconfigure pif-uuid=<pif_in_the_dns_subnetwork>
Note:
External authentication is a per-host property. However, Citrix advises that you enable and
disable this on a per-pool basis – in this case XenServer will deal with any failures that occur
when enabling authentication on a particular host and perform any roll-back of changes that
may be required, ensuring that a consistent configuration is used across the pool. Use the
host-param-list command to inspect properties of a host and to determine the status of
external authentication by checking the values of the relevant fields.
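Because external authentication is a per-host property, a pool that was only partly enabled (or where one host's join failed and was rolled back) is easy to miss. The following audit script is an added example, not from the XenServer guide: it walks every host with xe host-list and host-param-get, reads the host fields external-auth-type and external-auth-service-name (assumed here to be the fields host-param-list shows for this feature), and reports any host that is not joined to the expected domain via AD.

```shell
#!/bin/sh
# Added example (not part of the XenServer guide): verify that Active
# Directory external authentication is consistently enabled on every host
# in the pool after running xe pool-enable-external-auth.
# Assumed host fields: external-auth-type and external-auth-service-name,
# as displayed by xe host-param-list.

# Print one "uuid type service-name" line per host in the pool.
# Empty fields are reported as "none" so the columns never shift.
list_host_auth() {
  for uuid in $(xe host-list --minimal | tr ',' ' '); do
    type=$(xe host-param-get uuid="$uuid" param-name=external-auth-type)
    svc=$(xe host-param-get uuid="$uuid" param-name=external-auth-service-name)
    printf '%s %s %s\n' "$uuid" "${type:-none}" "${svc:-none}"
  done
}

# audit_external_auth <expected-domain>
# Returns 0 when every host reports external-auth-type=AD and the expected
# service name; otherwise lists the inconsistent hosts and returns 1.
audit_external_auth() {
  expected=$1
  bad=$(list_host_auth | awk -v want="$expected" \
    '$2 != "AD" || $3 != want { print $1 ": type=" $2 " service=" $3 }')
  if [ -n "$bad" ]; then
    echo "hosts not consistently joined to $expected via AD:"
    echo "$bad"
    return 1
  fi
  echo "all hosts report external-auth-type=AD service-name=$expected"
  return 0
}
```

Run `audit_external_auth your.domain.com` on the pool master after enabling authentication; a non-zero exit names the hosts that need a retry or a rollback.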

Disabling external authentication

Use XenCenter to disable Active Directory authentication, or the following xe command:
xe pool-disable-external-auth

User Authentication

To allow a user access to your XenServer host, you must add a subject for that user or a group that they are in.
(Transitive group memberships are also checked in the normal way, for example: adding a subject for group A,
where group A contains group B and user 1 is a member of group B would permit access to user 1.) If