Scribd
Upload
135 views

ADC Admin Guide PDF

Citrix Active Directory Connector Administration Guide. Explains how to manage users, provision users, and Edit group assignments. Provides alternate Provisioning solution.

Uploaded by

quikuron
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
135 views

ADC Admin Guide PDF

Citrix Active Directory Connector Administration Guide. Explains how to manage users, provision users, and Edit group assignments. Provides alternate Provisioning solution.

Uploaded by

quikuron
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 31

Citrix Active Directory Connector Administration Guide

GoToMeeting, GoToWebinar, GoToTraining, & OpenVoice

7414 Hollister Avenue Goleta CA 93117


http://support.citrixonline.com
2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Contents
Citrix Active Directory Connector ................................................................................. 1
Managing Users ............................................................................................................ 2
Provisioning ................................................................................................................... 2
Alternate Provisioning Solution ..................................................................................... 2
Install the Citrix Active Directory Connector ............................................................... 3
Update the Citrix Active Directory Connector ............................................................. 4
Uninstall the Citrix Active Directory Connector .......................................................... 5
Citrix Active Directory Connector requirements ......................................................... 6
Citrix Accounts Requirements ....................................................................................... 6
Active Directory Requirements ...................................................................................... 6
System Requirements ................................................................................................... 6
Firewall Settings ........................................................................................................ 6
Attributes used to access the Active Directory .......................................................... 7
Acquire a consumerKey for the ADC............................................................................ 8
Launch the Active Directory Connector ....................................................................... 9
Launching the ADC ....................................................................................................... 9
Connect Active Directory and Citrix Accounts .......................................................... 10
Assign Active Directory groups .................................................................................. 11
Edit or delete a group assignment ........................................................................... 12
Manage ADC provisioning options ............................................................................. 13
Modify ADC provisioning options ................................................................................ 13
Modifying email Accounts for Testing ...................................................................... 13
Provision Users............................................................................................................. 14
Start the ADC .............................................................................................................. 16
1. Match valid Active Directory Users ......................................................................... 16
2. Provision all matched and new Active Directory users ........................................... 18
3. Review and modify Citrix-only users ....................................................................... 19
Run the ADC .................................................................................................................. 20
Run the ADC ............................................................................................................... 20
Adding users ............................................................................................................... 21
Deleting users ............................................................................................................. 21

2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Set up Active Directory Connector logging ............................................................... 22


Set up logging in the Active Directory Connector ....................................................... 22
Locate ADC log files in the Windows Event Viewer .................................................... 23
Set up email notification for ADC errors .................................................................... 24
Create an email task in the Windows Event Viewer ................................................... 24
Specify when the notification email is sent using the Windows Task Scheduler ........ 25
Test the configuration .................................................................................................. 26
Set up email notification for ADC status .................................................................... 27
Create a scheduled task in the Windows Task Scheduler .......................................... 27
Specify when notification email is sent ....................................................................... 27
Email output example .................................................................................................. 28

2014 Citrix Online, LLC. All rights reserved.

ii

Citrix Active Directory Connector Administration Guide

Citrix Active Directory Connector


The Citrix Active Directory Connector (ADC) manages provisioning for GoToMeeting, GoToWebinar,
GoToTraining and OpenVoice user accounts in organizations using Active Directory. The ADC queries
Active Directory groups and users and connects with the Citrix Admin Portal to match or create accounts
for new and existing users, or remove accounts for departing users. The ADC allows your IT department
to define and maintain provisioning policies for Citrix products and apply them automatically and
consistently.
The ADC does not address authentication or authorization of users except to ensure they have (or do not
have) a viable Citrix account. Users will still need to sign-on to the account with their user credentials
within their Windows environment. Other Citrix SaaS products GoToAssist, GoToMyPC, Sharefile and
Podio use different protocols for provisioning. Do a web search for the product name and provisioning
or user management to locate the provisioning solutions for each.

Implementation of the Citrix Active Directory Connector consists of installing the ADC, connecting the
ADC to specific Active Directory groups, and running the ADC. This queries the Active Directory groups
and your corporate Citrix account. All identified users are displayed in a User page.

2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Managing Users
Most customers have an existing Citrix account with a set of current users. The ADC User page provides
a procedure administrators can follow to manage the different user groups in a manner appropriate to
their organization. The procedure addresses and clears the simplest (and usually the largest number of)
cases first, resulting in a refined list of user cases that need additional attention. The process to provision
for the first time, or for newly added Active Directory groups, is:
Start the ADC - This queries the linked Active Directory groups and your Citrix account and displays
all the users in the ADC Users page. You can now work with your users in three basic steps.
1. Recognize existing Citrix account holders to avoid reprovisioning. To do this, use Automatic
matching to link Active Directory users to existing Citrix accounts where the emails are identical. Then
manually match accounts where the same user has different credentials for the two accounts.
(Alternately, you can delete the Citrix account and reprovision the user under their Active Directory
credentials.)
2. Provision all new Active Directory users. This clears the Active Directory queue (unmatched AD
users) of all but users with incorrect Active Directory data. Fix the data and these users will be
provisioned automatically the next time you start the ADC.
3. Finally, review and correct as needed users with Citrix accounts and no Active Directory
account. These may be Unix or Mac users, contractors, or other special cases. Create equivalent
Active Directory accounts if you want to ensure all Citrix account management can be done by
managing your Active Directory groups.

Provisioning
Users provisioned through the ADC receive an enrollment email. The email directs them to login, where
they will change their password, and then have access to a Citrix account. They can login on their
Windows desktop, through a browser, or on a mobile device. They can also access their accounts
through extensions for applications such as Outlook, Salesforce and Google Calendar.
For small changes of one to several users, the provisioning or deprovisioning can occur in a matter of
minutes. If you are provisioning hundreds or thousands of users, a general rule of thumb for a average
system is 1000 provisioning requests per hour.
Any changes to users in the provisioned Active Directory groups or users is reflected in the ADC and
passed to the Citrix Admin Portal. Provisioning is fully automated and your users have full access to Citrix
SaaS business tools.
Under normal operations, the ADC polls the Active Directory at the interval you set (see Managing Users
after Implementation).

Alternate Provisioning Solution


With some additional implementation, an organization can provision and deprovision users more directly
and with greater precision. The Citrix SaaS developer portal developer.citrixonline.com includes the
Citrix Administration APIs. These APIs let you create a standalone application to provision your users,
and offers greater control over the process. You can specify account attributes by product and by user,
setting such options as whether the users webcam is enabled, whether toll or VoIP access is available,
and how the users chat will work during online sessions.
A Powershell code sample is available on the developer site for .NET. This sample can be reused in
compatible .NET environments to provision users for GoToMeeting, GoToTraining, GoToWebinar, and
OpenVoice.

2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Install the Citrix Active Directory Connector


The Citrix Active Directory Connector is a desktop application and uses a standard InstallShield
executable.
1. Download the Citrix Active Directory Connector Setup file.
NOTE: This link launches the download of the install executable.

2. Run the Citrix Active Directory Connector Setup.exe file. The InstallShield Wizard will guide you
through the installation. Click Next on each screen to continue.

3. Click Install > Finish to exit the wizard and complete the installation.
4. Click the new desktop shortcut

, named Launch ADCAdminUI, to start the ADC.

2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Update the Citrix Active Directory Connector


To update the Active Directory Connector, download and launch the latest ADC installation executable.
All existing ADC configurations are preserved through the update process. When you relaunch the ADC,
all your users, groups and provisioning rules are intact.
See System Requirements.
NOTE: you can view the current version you have installed, but the download page and .ZIP filename have no reference to the
version they represent. In general, you would need to contact Global Support to determine the currently available ADC version
number.

1. To verify your current installed version, open the Operations tab and check the version number.

2. Download the current Citrix Active Directory Connector Setup file.


NOTE: This link launches the download of the install executable.

3. Run the Citrix Active Directory Connector Setup.exe file.


4. When prompted to perform an upgrade, click Yes.
5. When the installer launches, click Next > Finish to complete the upgrade.
6. Launch the ADC application.
7. Open the Operation tab and choose Start to start the ADC service.

2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Uninstall the Citrix Active Directory Connector


You can remove the Citrix Active Directory Connector application from the host machine, and also delete
all ADC configuration files.
IMPORTANT: The impact of an uninstall will be the loss of all provisioning for all users represented in the ADC. If you delete the
configuration file, recovery consists of redefining the ADC groups and users, and reconfiguring any provisioning rules.

1. Open or download the Citrix Active Directory Connector Setup file.


2. Click Remove to uninstall ADC from your computer. If you want to remove the configuration files,
click Remove configuration from harddisk.

3. Once the Active Directory Connector Administration application has been uninstalled, click Finish to
exit the installer.

2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Citrix Active Directory Connector requirements


There are three areas of requirements to use the Citrix Active Directory Connector (ADC) effectively:
Citrix Accounts, your Active Directory implementation, and the Windows requirements for the ADC host
machine.

Citrix Accounts Requirements


A corporate administrator account for GoToMeeting and/or OpenVoice Corporate. The GoToMeeting
base account is configured with seats for GoToMeeting, GoToTraining and GoToWebinar.
Each administrator account is limited to 16,000 user accounts
A Citrix Developer consumerKey set to Production level (used by ADC to communicate with Citrix
servers). See Acquire a consumerKey.

Active Directory Requirements

An Active Directory Service account. The account must have read access and the password
should not expire.
An Active Directory forest with Windows Server 2003 functionality.

System Requirements
Operating System: Windows Server 2008 R2 (not necessarily a domain controller)
Software: Microsoft .NET Framework 4.5 update (included in the ADC installer if needed).
Memory: 2GB RAM or greater recommended
Available disk space: Minimum 200MB (depending on log level and storage period)
Display: Minimum 1024 x 768
Internet connection:The ADC connects to developer.citrixonline.com via the Internet

Firewall Settings
Firewall settings should be configured as follows:
Use Case

<source server>

<target server>:<port>

Interface for provisioning


Insecure connections
Secure connections
Global Catalog, Insecure connections
Global Catalog, Secure connections
Insecure/secure connections via STARTTLS[1]
Secure connections[1]

<ADC Server Name>


<ADC Server Name>
<ADC Server Name>
<ADC Server Name>
<ADC Server Name>
<ADC Server Name>
<ADC Server Name>

pi.citrixonline.com:443
Active Directory Domain Controller:389 (LDAP)
Active Directory Domain Controller:636 (LDAPS)
Active Directory Domain Controller:3268 (LDAP)
Active Directory Domain Controller:3269 (LDAPS)
SMTP server : 25
SMTP server : 465

1. Optional; useful if sending Windows Event logs via email

2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Attributes used to access the Active Directory


The following group and user attributes are used to collect info about groups or members from your
Active Directory. The data in these attributes must be valid based on the rules for that attribute (e.g., data
type, legal characters, existence of required data, etc.). See Provision Users.
Required attributes
distinguishedName
objectSID
uSNChanged
member

Group

User

X
X
X

X
X
X

X
mail
name

X
userAccountControl
aAMAccountName
sn
givenName
accountExpires

2014 Citrix Online, LLC. All rights reserved.

X
X
X
X
X

Citrix Active Directory Connector Administration Guide

Acquire a consumerKey for the ADC


A developer consumerKey (or APIKey) is required to communicate on a trusted basis with Citrix servers.
To implement the Active Directory Connector, you must create a developer account with Citrix, and then
request that the account be set to Production status.
NOTE: This procedure assumes you have an active Citrix corporate account, and that you have the
Administrative login for the account. If you do not have a corporate account, contact Citrix sales.
1. Register for a development account at https://developer.citrixonline.com/user/register.
2. Create an app on the site for GoToMeeting or OpenVoice. GoToMeeting provides the organizer
account needed to connect with the Citrix Admin Portal for GoToMeeting, GoToTraining and
GoToWebinar. Save the app, and when you open the app on the My Apps page, the consumerKey is
displayed on the Keys tab.

You can access the MyApps page at any time from the Home page (developer.citrixonline.com): click
Building with access to a key.
3. All new developer accounts are Test accounts by default and lack adequate permissions to manage
users and provisioning. Set your developer account to Production status by emailing [email protected] and requesting that your account be changed to Production for the Active
Directory Connector.
Include the following information:
consumerKey
Application Name: AD Connector
App Product: GoToMeeting
Application URL: your companys home page
Number of anticipated provisioned accounts

2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Launch the Active Directory Connector


Citrix Active Directory Connector (ADC) is a desktop application and underlying Windows service. Launch
the application from the Start menu, an icon on your desktop, or from the Application folder.

Launching the ADC


1. Locate the Citrix ADC on your computer:
Desktop icon:
Start menu
From the installation folder
2. Double-click to start the application. The ADC opens on the Operations tab. Do not click Start until
you have connected to the Active Directory and identified the provisioning groups and rules.
3. Next step: connect the ADC to your Citrix SaaS applications.

2014 Citrix Online, LLC. All rights reserved.

Citrix Active Directory Connector Administration Guide

Connect Active Directory and Citrix Accounts


The Citrix Active Directory Connector (ADC) connects your Active Directory instance and the Citrix Admin
Portal for your corporate Citrix account. This procedure configures that connection.
1. Open the Citrix Active Directory Connector (ADC) and select the Connections tab.
2. In the Active Directory section, enter the following information from the Active Directory:
URL of domain controller (fully qualified domain name without preceding protocol e.g.,
LDAP:\\)
LDAP Port (typically 389 or 636)
Active Directory username and password
3. In the Citrix collaboration account section, enter the email address and password you use to log in
to your corporate GoToMeeting or OpenVoice administrator's account. (IMPORTANT: This is NOT the
login for the Developer account.) The administrator account is permanently associated with the ADC
and cannot be deleted.
4. Enter the consumerKey you acquired from the Citrix Developer Center. If you don't have a
consumerKey, go through the steps described at Acquire a consumerKey for the ADC.
5. In the API URL field, enter https://api.citrixonline.com.
6. If you want to use proxy settings in order to connect to services inside your network, check Use
proxy settings and fill out the proxy fields.
Note: Proxy auto-config (.pac) files are not supported by the ADC service.

7. Click Apply changes when finished.

2014 Citrix Online, LLC. All rights reserved.

10

Citrix Active Directory Connector Administration Guide

Assign Active Directory groups


Provisioning is the act of giving a specific user with a specific email address an account for a specific
Citrix SaaS product - GoToMeeting, GoToWebinar, GoToTraining, or OpenVoice. The ADC automatically
performs the provisioning for users in the Active Directory groups you assign.
The following steps assign the Active Directory groups. If you wish to set ADC provisioning options for
email addresses, to activate logging, delete deprovisioned users, or set deprovisioning alerts see Manage
ADC provisioning options.
Important: Nested Active Directory groups are not currently supported. Select each group at one level above the included users.

1. Open the ADC application and select the Provisioning tab.


2. Click Create assignment.
3. In the Create Assignment window, click Browse to search for and select an existing group from the
Active Directory (the group SID will be automatically populated).

4. In the Create Assignment dialog, choose the Citrix product to provision (GoToMeeting,
GoToWebinar, GoToTraining or OpenVoice). GoToWebinar and GoToTraining accounts automatically
include access to GoToMeeting. Only one product can be selected for each assignment; to provision
group members with multiple products, create additional assignments for the same group.
5. Click OK. Your new group assignment appears under Active Directory groups with assigned
products.
6. Click Apply changes when finished.

2014 Citrix Online, LLC. All rights reserved.

11

Citrix Active Directory Connector Administration Guide

Edit or delete a group assignment


1. Open the ADC and select the Provisioning tab.
2. Under Active Directory groups with assigned products, select the desired Active Directory group
assignment.
3. Select either of the following:
To modify the group assignment, click Edit Assignment and make desired changes. Click OK
when finished.
To remove the group assignment (and deprovision all users), click Delete Assignment > Yes.
The group assignment will automatically disappear from the table.
4. Click Apply changes when finished.

2014 Citrix Online, LLC. All rights reserved.

12

Citrix Active Directory Connector Administration Guide

Manage ADC provisioning options


Provisioning options allow you to modify email addresses prior to provisioning for testing purposes,
activate logging, delete deprovisioned users, and set deprovisioning alerts.
IMPORTANT: The provisioning options are global: they apply to all users and provisioning at all times.

Modify ADC provisioning options


1. Open the ADC and select the Provisioning tab.
2. Under the Global Options section, you'll see the following provisioning options. To enable an option,
set or select the desired criteria in the Value column.
Delete Citrix account of de-provisioned users When users are deprovisioned, you can choose
to completely delete the users' Citrix accounts, or suspend an account and save the account data.
If you suspend an account, future provisioning of the user (assuming the same email is used)
restores the user's prior account including the data.
Activate event logging for reporting Logging records ADC events on the local server. The log
location is set in the logging options.
Activate alert on number of de-provisioning/suspension operations When the selected number
of Active Directory users are de-provisioned or suspended, an alert can be delivered to the
Windows Event Viewer. See Set up Active Directory Connector logging.
NOTE: Alerts occur based on events between polls. Set polling periods and event thresholds accordingly. Assume roughly
one event every half second or 500 milliseconds.

Modifying email Accounts for Testing


You can modify the format of outgoing email notifications to avoid contacting users during testing of the
ADC. You can direct the emails to a designated domain or non-existent account.
Modify email addresses before provisioning - Add prefix Adding a prefix of NEW modifies
[email protected] to [email protected].
Modify email addresses before provisioning - Add suffix Adding a suffix of OLD modifies
[email protected] to [email protected].
Modify email addresses before provisioning - Replace domain name Adding a domain of LOCAL
modifies [email protected] to [email protected].

3. Click Apply changes when finished.

2014 Citrix Online, LLC. All rights reserved.

13

Citrix Active Directory Connector Administration Guide

Provision Users
Provisioning users in the Citrix Active Directory Connector (ADC) for the first time, or when you add
groups of users, allows for review of the user accounts before you provision. This procedure gives you
the opportunity to review your users, fix any errors, and provision only when you're ready. After this,
provisioning is automatic, assuming the Active Directory data values are valid. Also make sure you have
Production status for your developer account before proceeding.
For a detailed overview of this process, see Managing Users in the ADC Overview.
The process to provision for the first time, or for newly added Active Directory groups, is:
Start the ADC - This queries the linked Active Directory groups and your Citrix account and displays
all the users in the ADC Users page. You can now work with your users in three basic steps.
1. Recognize existing Citrix account holders to avoid reprovisioning. To do this, use Automatic
matching to link Active Directory users to existing Citrix accounts where the emails are identical. Then
manually match accounts where the same user has different credentials for the two accounts.
(Alternately, you can delete the Citrix account and reprovision the user under their Active Directory
credentials.)
2. Provision all new Active Directory users. This clears the Active Directory queue (unmatched AD
users) of all but users with incorrect Active Directory data. Fix the data and these users will be
provisioned automatically the next time you start the ADC.
3. Finally, review and correct as needed users with Citrix accounts and no Active Directory
account. These may be Unix or Mac users, contractors, or other special cases. Create equivalent
Active Directory accounts if you want to ensure all Citrix account management can be done by
managing your Active Directory groups.

2014 Citrix Online, LLC. All rights reserved.

14

Citrix Active Directory Connector Administration Guide

Users provisioned through the ADC receive an enrollment email. They login to change their password,
and they then have access to a Citrix account. They can login on their Windows desktop, through a
browser, or on a mobile device. They can also access their accounts through extensions for applications
such as Outlook, SalesForce and Google Calendar.
For small changes of one to several users, the provisioning or deprovisioning can occur in a matter of
minutes. If you are provisioning hundreds or thousands of users, a general rule of thumb for a average
system is 1000 provisioning requests per hour.
Any changes to users in the provisioned Active Directory groups or users is reflected in the ADC and
passed to the Citrix Admin Portal. Provisioning is fully automated and your users have full access to Citrix
SaaS business tools.

2014 Citrix Online, LLC. All rights reserved.

15

Citrix Active Directory Connector Administration Guide

Start the ADC


1. On the Operations tab, click Start.
This starts the queries against the Active Directory and the Citrix account you used to connect through
the Developer account.

Once the queries run, all linked Active Directory users new to the ADC display in the Unmatched Active
Directory users pane on the Users tab. All existing Citrix users on your corporate account display in the
Unmatched Citrix users pane on the Users tab.

1. Match valid Active Directory Users


When you open the Users tab after adding a new group, you'll see a message: This service does not
automatically provision your users yet. The ADC is in Edit mode, allowing you to review the users before
provisioning.
Start by matching new Active Directory users to existing Citrix user accounts.
2. Click Automatic Matching. This finds all users with identical email addresses between the two
unmatched lists, AND who have valid Active Directory data. It automatically moves these users to the
Matched users pane.
The users in the matched pane have Citrix accounts already, and these accounts match the Active
Directory accounts correctly (they use identical email addresses for the credentials).

2014 Citrix Online, LLC. All rights reserved.

16

Citrix Active Directory Connector Administration Guide

Review the two unmatched panes. Look for Active Directory users who match users with Citrix accounts,
but who were not identified during automatic matching. These users have different email addresses for
the two accounts.
You have two choices for how to manage these users. You can require identical email credentials (steps
3 & 4) or match the two accounts (step 5).
3. To force identical emails, delete the Citrix account. Right-click the user from the Unmatched Citrix
users list, and select Delete User. This removes the user and any product provisioning for the user
from the ADC and the Citrix product portals.

4. Click Apply changes. You'll see a Provisioning successful message, and the status(es) will no
longer say Pending. If you deactivate edit mode before applying changes, any unsaved changes will
be lost.
Or match the two accounts:

2014 Citrix Online, LLC. All rights reserved.

17

Citrix Active Directory Connector Administration Guide

5. To match two accounts, select each pair of matching accounts - one in Unmatched AD users and
one in Unmatched Citrix users - and click Match Selected.
Unmatching accounts
6. If for any reason you decide to unmatch a matched user, select the desired user(s) in the Matched
users table and click Revoke selected user matchings. The entries return to the Unmatched Active
Directory users and Unmatched Citrix users tables.
7. Click Apply changes.

2. Provision all matched and new Active Directory users


You can provision all unmatched AD users, or provision selected users.
8. To provision all users, click Provision all unmatched AD Users.
9. To provision selected users, select the desired user(s) from the Unmatched AD users list (Ctrl-Shift
selects multiple users) and right-click to select Provision user. The provisioning status changes to
Pending, and the entries are moved to the Matched users list (also Pending).

You will be alerted that you are in Edit mode. Click Deactivate edit mode to begin provisioning.
IMPORTANT: Provisioning may take time. Assume approximately 1 hour per 1000 users.

When the provisioning step is completed, all valid Active Directory users - new Citrix users and those
with a pre-existing Citrix account - are all in the Matched users pane.
If you have unmatched users remaining in either pane, continue on to the next section. However, if you
do have users in the Unmatched AD users pane at this point, these should now be only users with invalid
Active Directory data.
10. Correct the errors in the Active Directory. For a list of the data values the ADC queries, see
ADC Requirements.
11. After a few minutes, the users will refresh in the Unmatched AD users pane. You can provision
them, or match them with Citrix accounts.
All users should be cleared from the Unmatched AD users pane at this point.

2014 Citrix Online, LLC. All rights reserved.

18

Citrix Active Directory Connector Administration Guide

3. Review and modify Citrix-only users


The remaining users in the Unmatched Citrix users pane have a Citrix account, but do not have an Active
Directory account. These may be Unix or Mac users, contractors, or other special cases. For unmatched
Citrix account users, you can leave them unmatched, or set up Active Directory matching.
12. Add them to the Active Directory using the same credentials as the existing Citrix account. This
ensures that you can manage all provisioning through the Active Directory.
The changes to Active Directory will, unless you place the ADC back in Edit mode in the User tab, get
provisioned automatically.

2014 Citrix Online, LLC. All rights reserved.

19

Citrix Active Directory Connector Administration Guide

Run the ADC


For normal operations, open and start the Active Directory Connector (ADC), and set the polling
frequency. Users added to or removed from the Active Directory groups linked to the ADC are
automatically provisioned (or de-provisioned) with no further intervention.

Run the ADC


1. Locate the Citrix ADC on your computer:
Desktop icon:
Start menu
From the installation folder
2. Double-click to start the application. The ADC opens on the Operations tab. Click Start to start the
ADC queries.

3. Set the Active Directory polling time(in seconds). The default polling time is set to 15 seconds
full range is 0 to 30,000 seconds. Alerts (see Manage ADC Provisioning) occur based on events
between polls. Set polling periods and event thresholds accordingly. Assume roughly one event every
half second or 500 milliseconds.

2014 Citrix Online, LLC. All rights reserved.

20

Citrix Active Directory Connector Administration Guide

Adding users
Adding a new user consists of including them in the proper Active Directory group(s).
1. Add users to the appropriate Active Directory group or groups for Citrix provisioning.
2. Optional: In the ADC, verify that the new user appears in the User page of the ADC, typically in the
Unmatched AD users pane.The users will be automatically provisioned with the Citrix SaaS products
defined for their groups.

Deleting users
Removing a user consists of removing them from your Active Directory and then making sure they are
automatically removed in the ADC.
1. Delete the user in Active Directory. They are automatically deleted from the provisioning groups in
Active Directory.
2. The user is also automatically deleted in the Citrix Active Directory Connector. It is a good idea to
verify that the deleted user is removed. If not, the user may be unmatched to an Active Directory
group. In that case:
3. Select the Users tab in ADC.
4. Click Activate edit mode and wait until you see Edit mode: Active in the bottom-right corner.
7. Click Deactivate edit mode and wait until you see Edit mode: Inactive.

2014 Citrix Online, LLC. All rights reserved.

21

Citrix Active Directory Connector Administration Guide

Set up Active Directory Connector logging


The Citrix Active Directory Connector (ADC) logs activities to the Windows Event Viewer.

Set up logging in the Active Directory Connector


1. Open the ADC and select the Operation tab.
2. In the More configuration section, set the Windows event logger, File logger and the Folder for
file logging as needed.
3. Click Apply changes when finished.

2014 Citrix Online, LLC. All rights reserved.

22

Citrix Active Directory Connector Administration Guide

Locate ADC log files in the Windows Event Viewer


1. Open the Windows Event Viewer (Start > All Programs > Administrative Tools > Event Viewer).
2. In the left navigation, select Applications and Services Logs > Citrix AD Connector. Only Active
Directory Connector logs will be displayed.

2014 Citrix Online, LLC. All rights reserved.

23

Citrix Active Directory Connector Administration Guide

Set up email notification for ADC errors


You can set up email notifications for error messages and status messages for Citrix Active Directory
Connector (ADC) events. The following additional requirements are needed for this process:

SMTP(S) server (to send status information) -- SMTP service account (user/password) for
sending emails (only if it's necessary for your SMTP server)
SSL certificate -- May be required to connect to the SMTP server and Domain Controller securely
(optional)

You can also Set up email notification for ADC status.

Create an email task in the Windows Event Viewer


1. Open the Windows Event Viewer (Start > All Programs > Administrative Tools > Event Viewer).
2. With the ADC installed, the Windows Event Viewer will show an additional event log called
ADCSLog (under the Applications and Services Logs folder). Select the new event log in the left
navigation.
3. In the records pane, right-click the event for which youd like to receive email notifications and
select Attach Task To This Event from the drop-down menu.
4. In the Create a Basic Task wizard, name your task and click Next > Next.
5. Select Send an email and click Next.

2014 Citrix Online, LLC. All rights reserved.

24

Citrix Active Directory Connector Administration Guide

6. Fill out the From, To, Subject, Text, Attachment and SMTP server fields and click Next.
7. Click Finish to save your new task.

Specify when the notification email is sent using the Windows Task
Scheduler
1. Open the Windows Task Scheduler (Start > All Programs > Administrative Tools > Task
Scheduler).
2. In the left navigation, select Task Scheduler Library > Event Viewer Tasks.
3. Right-click the new task created in the prior set of steps and select Properties.
4. On the General tab, click Run with highest privileges check box.

5. On the Triggers tab, select On an event and click Edit. Enable the Delay task for check box and
enter 2 minutes and click OK. If you do not add a delay, new events that arrive will trigger additional
actions before the actual action is completed.
6. On the Actions tab, review the actions that will occur when your task starts. The following actions
are required; you can add, edit or delete as needed. Click OK when finished.
Stop task (disable_task.bat) schtasks /Change /TN "Event Viewer
Tasks\ADCSLog_Error" /DISABLE
Get error (error_status.bat) del %temp%\error_status.txt wevtutil qe ADCSLog
/q:"*[System[Provider[@Name='AD Conn'] and (Level=2) and
TimeCreated[timediff(@SystemTime) <= 120000]]]" /f:text /rd:true >
C:\temp\error_status.txt
Enable task (enable_task.bat) schtasks /Change /TN "Event Viewer
Tasks\ADCSLog_Error" /ENABLE

2014 Citrix Online, LLC. All rights reserved.

25

Citrix Active Directory Connector Administration Guide

Test the configuration


Retrieve all error events from the last two minutes and save them to c:\temp\error_status.txt. From there,
the new task created in Step #1 should collect the error events and attach them to the email.

The following events represent examples of error messages and what they mean if they're reported in the
Active Directory Connector service.
Event[0]: Log Name: ADCSLog Source: AD Conn Event[3]: Log Name: ADCSLog Source: AD Conn
Date: 2013-02-28T16:11:59.000 Event ID: 0 Date: 2013-02-28T16:11:58.000 Event ID: 0
Task: N/A Level: Error Opcode: Info
Task: N/A Level: Error Opcode: Info
Keyword: Classic User: N/A User Name: N/A Keyword: Classic User: N/A User Name: N/A
Computer: de-pc-devComputer: de-pc-dev018.ad.corp.expertcity.com Description:
018.ad.corp.expertcity.com Description:
2013-02-28 16:11:59,502 [WorkOrderThread] 2013-02-28 16:11:58,257 [WorkOrderThread]
ERROR - Writing OSD data: Organizer
ERROR - Writing OSD data: Server response
[email protected] was not created exception: {StatusCode": "409",
"StatusCodeAsString": "Conflict",
"Response": "The remote server returned an
error: (409) Conflict."}
Event[1]: Log Name: ADCSLog Source: AD Conn Event[4]: Log Name: ADCSLog Source: AD Conn
Date: 2013-02-28T16:11:59.000 Event ID: 0 Date: 2013-02-28T16:11:56.000 Event ID: 0
Task: N/A Level: Error Opcode: Info
Task: N/A Level: Error Opcode: Info
Keyword: Classic User: N/A User Name: N/A Keyword: Classic User: N/A User Name: N/A
Computer: de-pc-devComputer: de-pc-dev018.ad.corp.expertcity.com Description:
018.ad.corp.expertcity.com Description:
2013-02-28 16:11:59,499 [WorkOrderThread] 2013-02-28 16:11:56,966 [WorkOrderThread]
ERROR - Writing OSD data: Server response ERROR - Writing OSD data: Organizer
exception: {"StatusCode": "409",
[email protected] was not
"StatusCodeAsString": "Conflict",
created
"Response": "The remote server returned an
error: (409) Conflict."}
Log Name: ADCSLog Source: AD Conn Date:
Event[5]: Log Name: ADCSLog Source: AD Conn
2013-02-28T16:11:58.000 Event ID: 0 Task: Date: 2013-02-28T16:11:56.000 Event ID: 0
N/A Level: Error Opcode: Info Keyword:
Task: N/A Level: Error Opcode: Info
Classic User: N/A User Name: N/A Computer: Keyword: Classic User: N/A User Name: N/A
de-pc-dev-018.ad.corp.expertcity.com
Computer: de-pc-devDescription: 2013-02-28 16:11:58,260
018.ad.corp.expertcity.com Description:
[WorkOrderThread] ERROR - Writing OSD data: 2013-02-28 16:11:56,963 [WorkOrderThread]
Organizer [email protected] was ERROR - Writing OSD data: Server response
exception: {"StatusCode": "409",
not created
"StatusCodeAsString": "Conflict",
"Response": "The remote server

2014 Citrix Online, LLC. All rights reserved.

26

Citrix Active Directory Connector Administration Guide

Set up email notification for ADC status


You can set up email notifications for error messages and status messages for Citrix Active Directory
Connector (ADC) events. The following additional requirements are needed for this process: [n this case
you must change the search filter for the messages in the event log.]

SMTP(S) server (to send status information) -- SMTP service account (user/password) for
sending emails (only if it's necessary for your SMTP server)
SSL certificate -- May be required to connect to the SMTP server and Domain Controller securely
(optional)

You can also Set up email notification for ADC errors.

Create a scheduled task in the Windows Task Scheduler


1. Open the Windows Task Scheduler (Start > All Programs > Administrative Tools > Task
Scheduler).
2. In the left navigation, select Task Scheduler Library > Event Viewer Tasks.
3. In the right navigation, select Create Basic Task.
4. Use the Create Basic Task Wizard to give the task a name and select when and how often it
should start.
5. Select Send an email and click Next.
6. Fill out the From, To, Subject, Text, Attachment and SMTP server fields and click Next.
7. Click Finish to save your new task.

Specify when notification email is sent


1. In the Task Scheduler left navigation, select Task Scheduler Library > Event Viewer Tasks.
A new task is created.
2. Right-click the new task and select Properties.
3. On the General tab, click Run with highest privileges.
4. On the Actions tab, create a new action by selecting New > Start a program > OK.

2014 Citrix Online, LLC. All rights reserved.

27

Citrix Active Directory Connector Administration Guide

5. On the Actions tab, review the actions that will occur when your task starts. The following action is
required; you can add, edit or delete as needed. Click OK when finished.
Filter event log and write file (daily_status.bat) del
%temp%\daily_status.txt wevtutil qe ADCSLog /q:"*[System[Provider[@Name='AD
Conn'] and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]" /f:text
/rd:true &gt; C:\temp\daily_status.txt

Email output example


Once successfully configured, the output will be attached to the email. The following is an example of a
daily email status output:
2013-03-20 09:35:19,448 | Organizer [email protected] was created
with G2T
2013-03-20 09:35:18,077 | Status changed to suspended for user with organizerkey
[email protected]
2013-03-20 09:35:16,555 | Organizer [email protected] was created
with G2T
2013-03-20 09:35:15,152 | Organizer [email protected] was created
with G2W
2013-03-20 09:35:13,603 | Organizer [email protected] was created
with G2W
-------------------------26 users created successfully

2014 Citrix Online, LLC. All rights reserved.

28

You might also like