Using XenDesktop 5 with VMware


Last year I blogged about using VMware with XenDesktop.  That article was focused on XenDesktop 4 and VMware integration.  With the recent release of XenDesktop 5, it’s time for an updated article.  In this blog post I am going to go over using XenDesktop 5 with VMware.

vCenter HTTPS Access

1. If it doesn’t already exist, create a DNS entry for your vCenter server.  Another option would be to create a host file entry on your XenDesktop Delivery Controllers and Provisioning Servers for your Virtual Center/vCenter server.

2. Using your browser connect to the FQDN of the vCenter server.  You should get a warning about the website’s security certificate.  Click continue to this website (not recommended).

3. Click the Certificate Error in the Security Status bar and select View certificates.  Once you can see the vCenter certificate, Click Install Certificate.

4. When the Certificate Import Wizard comes up, select Place all certificates in the following store and click Browse.

5.  When Select Certificate Store comes up, select Show physical stores then expand Trusted People and then select Local Computer and click Ok.

6. When the Certificate Import Wizard completion screen comes up, click Finish.

7. You will get prompted when the import is successful, click Ok.

8. Close the browser and reopen it.  You should be able to browse to your vCenter server without getting any certificate errors.
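The same trust decision as steps 2 to 7, scripted so that the certificate is only placed in the Local Computer Trusted People store after its thumbprint and name have been checked. This is an added example, not part of the original post; the FQDN and the thumbprint are placeholders. A certificate whose names do not include the FQDN you browse to still produces a certificate error after import, which is why the name is checked as well.

```powershell
# Added example. Placeholders: the FQDN and the thumbprint, which you read on the
# vCenter server itself. Run elevated (the Local Computer store needs admin rights).
$VCenterFqdn        = 'vcenter.example.local'
$ExpectedThumbprint = '<THUMBPRINT-READ-ON-THE-VCENTER-SERVER>'

function Get-RemoteCertificate([string]$HostName, [int]$Port = 443) {
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: this call only reads the certificate,
        # the trust decision is made by the checks further down.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-CertificateName($Cert, [string]$Fqdn) {
    # Sanity check (substring match) against the subject CN and the
    # Subject Alternative Name extension (OID 2.5.29.17).
    $names = @($Cert.GetNameInfo('SimpleName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { $names += $san.Format($false) }
    [bool]($names | Where-Object { $_ -match [regex]::Escape($Fqdn) })
}

$cert     = Get-RemoteCertificate $VCenterFqdn
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: server presented $($cert.Thumbprint). Nothing imported."
}
if (-not (Test-CertificateName $cert $VCenterFqdn)) {
    throw "Certificate names do not include $VCenterFqdn (subject: $($cert.Subject)). Nothing imported."
}

# Same destination as step 5: Trusted People, Local Computer.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
$store.Open('ReadWrite')
try { $store.Add($cert) } finally { $store.Close() }
"Imported $($cert.Thumbprint), valid until $($cert.NotAfter)"
```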

vCenter role for XenDesktop

When setting up the XenDesktop role in vCenter, note that the permissions listed in the Citrix eDocs are taken from the SDK programming guide, so some permission names differ from what is actually shown in the vCenter add a new role dialog box.  Differences in permissions are noted below in bold.

Create a role in vCenter with the following permissions:

  • Datastore Permissions
    • Allocate space
    • Browse datastore
    • File management is listed in Citrix eDocs but it is Low level file operations in vCenter

  • Network Permissions
    • Assign network

  • Resource Permissions
    • Assign virtual machine to resource pool

  • System Permissions – These permissions are automatically added when you create a role in vCenter.
    • Anonymous
    • Read
    • View
  • Task Permissions
    • Create Task

  • Virtual Machine/Configuration Permissions
    • Add existing disk
    • Add new disk
    • Change CPU count
    • Configure Resource is listed in the Citrix eDocs but it is Change resource in vCenter
    • Memory
    • Remove disk


  • Virtual Machine/Interaction
    • Power Off
    • Power On
    • Reset
    • Suspend

  • Virtual Machine/Inventory
    • Create is listed in the Citrix eDocs but it is Create New in vCenter
    • Create from existing
    • Delete is listed in the Citrix eDocs but it is Remove in vCenter
    • Register

  • Virtual Machine/Provisioning
    • Clone is listed in the Citrix eDocs but it is Clone virtual machine in vCenter
    • Disk Random Access is listed in the Citrix eDocs but it is Allow disk access in vCenter
    • Get VM Files is listed in the Citrix eDocs but it is Allow virtual machine download in vCenter
    • Put VM Files is listed in the Citrix eDocs but it is Allow virtual machine files upload in vCenter

  • Virtual Machine/State
    • Create snapshot
    • Revert to snapshot

If you want XenDesktop to tag the virtual machines, you must also add the following permissions:

  • Global
    • Manage Custom Fields is in the Citrix eDocs but it is Manage custom attributes in vCenter
    • Set Custom Field is in the Citrix eDocs but it is Set custom attribute in vCenter

To use XenDesktop Setup Tool with Provisioning Services, you will have to add the following permissions in addition to what is listed above:

  • Virtual Machine/Provisioning
    • Clone Template
    • Deploy Template

Now that we have the XenDesktop role created, assign a domain account to the role.  For this article the example domain account is citrix_services.

One question customers always ask me when using XenDesktop with VMware is how to limit virtual machine creation to a certain cluster or servers within vCenter.  Follow the steps below to control where virtual machines are deployed within your VMware infrastructure.

  1. Assign the XenDesktop role at the Datacenter level but do not propagate by unselecting Propagate when adding the role.
  2. Assign the XenDesktop role at the Cluster level but do not propagate by unselecting Propagate when adding the role.  If you want to control virtual machine creation at the Cluster level then leave Propagate selected.  Assign the XenDesktop role to Servers within a Cluster if you want to limit virtual machine creation to certain Servers within a Cluster.
  3. Assign the XenDesktop role to the Networks you want the virtual machines to have access to.
  4. Assign the XenDesktop role to the Datastores you want virtual machines to be created in.
  5. If you are also using folders within vCenter in the VMs and Templates view, make sure to also assign the XenDesktop role to the folders you want virtual machines created in.

You should now be able to control where the virtual machines are placed when they are created.  See the screenshot below for an example of controlling where virtual machines get created.

In the example above, virtual machines will only be created within the CitrixDesktops folder on a single server within the VDILab cluster in a single Datacenter in vCenter.  The virtual machines will only use the VDI Network and will only be created on the LeftHand_Lab Datastore.
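The role and the scoped assignments described above, scripted with VMware PowerCLI as an added example (not from the original post or from Citrix documentation). The privilege IDs are the vSphere API names for the permissions in the list; the vCenter, datacenter and host names are placeholders, and the Network assignment from step 3 is left to the vSphere Client.

```powershell
# Added example; requires VMware PowerCLI. Placeholders: vCenter FQDN, datacenter
# name and ESX host name. Privilege IDs are vSphere API names, not text from the post.
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$privilegeIds = @(
    'Datastore.AllocateSpace', 'Datastore.Browse', 'Datastore.FileManagement',
    'Network.Assign', 'Resource.AssignVMToPool', 'Task.Create',
    'VirtualMachine.Config.AddExistingDisk', 'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Config.CPUCount', 'VirtualMachine.Config.Resource',
    'VirtualMachine.Config.Memory', 'VirtualMachine.Config.RemoveDisk',
    'VirtualMachine.Interact.PowerOff', 'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.Reset', 'VirtualMachine.Interact.Suspend',
    'VirtualMachine.Inventory.Create', 'VirtualMachine.Inventory.CreateFromExisting',
    'VirtualMachine.Inventory.Delete', 'VirtualMachine.Inventory.Register',
    'VirtualMachine.Provisioning.Clone', 'VirtualMachine.Provisioning.DiskRandomAccess',
    'VirtualMachine.Provisioning.GetVmFiles', 'VirtualMachine.Provisioning.PutVmFiles',
    'VirtualMachine.State.CreateSnapshot', 'VirtualMachine.State.RevertToSnapshot'
)
# The System privileges (Anonymous, Read, View) are added to every role automatically.
$privileges = @(Get-VIPrivilege -Id $privilegeIds)
if ($privileges.Count -ne $privilegeIds.Count) {
    throw 'Some privilege IDs were not found on this vCenter; role not created.'
}
$role = New-VIRole -Name 'XenDesktop' -Privilege $privileges

$principal = 'DOMAIN\citrix_services'                      # service account from the article
$dc        = Get-Datacenter -Name 'Datacenter-Placeholder' # placeholder name
$cluster   = Get-Cluster -Name 'VDILab' -Location $dc

# Steps 1 and 2: datacenter and cluster without propagation, so the role does
# not flow down to every host, datastore and folder underneath them.
foreach ($entity in @($dc, $cluster)) {
    New-VIPermission -Entity $entity -Principal $principal -Role $role -Propagate:$false | Out-Null
}

# Steps 2, 4 and 5: only the host, datastore and folder that may receive desktops.
$targets = @(
    (Get-VMHost -Name 'esx-host.example.local' -Location $cluster),  # placeholder host
    (Get-Datastore -Name 'LeftHand_Lab'),
    (Get-Folder -Name 'CitrixDesktops' -Type VM -Location $dc)
)
foreach ($entity in $targets) {
    New-VIPermission -Entity $entity -Principal $principal -Role $role -Propagate:$true | Out-Null
}
```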

When you create virtual machines using Machine Creation Services or XenDesktop Setup Tool with Provisioning Services, configure the following on the Host screen:

  • Host type: VMware virtualization
  • Address: – example vCenter name
  • Username: domain\citrix_services – example service account for XenDesktop role created in vCenter
  • Password: password for citrix_services account – example service account password for XenDesktop role created in vCenter

This article was created using vCenter/ESX 4.1, XenDesktop 5 with Machine Creation Services, and Internet Explorer 8.

This blog post was a collaboration with Shane Kleinert (@shanekleinert, CitrixIRC, @CitrixIRC).  I would like to give a big thanks to Shane for the team work on this article.

If you have found this article interesting or if you have any other insights, please feel free to leave comments on this article.
  1. Mayur Patel, 05-09-2011

    I have tried everything to integrate XD5 to vCenter 4.1 the same issue with https://FQDN, the username supplied is also domain\servicename but to no avail. My DDC installation is on Win2K8 R2 SP1 (UAC Disabled) and has been updated with IE9 and I am wondering this could be causing the issue? Has anyone managed to get it to work? My DNS is also working. When I import the certificate as per the above article which is the same as the ( I do get the message “import successful” but when I close and re-open the browser with the FQDN I get the certificate error.

    I have made this work in the past for XD3 and 4 using the http method but this is NO longer a supported configuration for those who use this as a work around.

    I was thinking if it is this troublesome I’d rather just create a self-signed cert and get round it.

    Any pointers would be very welcome.

    • Mayur Patel, 05-09-2011

      I did some checking and found that the cert did get imported into the Trusted People\Local Computer but what I suspect might be causing my issue (if others have managed to get it working) is the vCenter certificate which I have imported has a different server name to the actual VCenter server because I had renamed it.

      When I look at the certificate details under “Subject Alternative Name” it has the previous server name.

      I am wondering this could be the cause of my problems?

      This means I will have to create a new VMWare cert on the VC box.

    • Michael Yuen, 05-15-2011

      I was told by Citrix on multiple occasions that Win2K8 R2 SP1 breaks a lot of things for XenDesktop and XenApp. They advised me to stay away from SP1 for now.

  2. Brandon Jasper, 03-11-2011

    Trying to set this up in a lab environment before pushing XenDesktop 5 to clients. However, I’m still having an issue connecting “The hypervisor is not contactable at this address” What the heck?! I’ve tried all of the above and reviewed all of Citrix’s Doc’s for this product. I’m using an internal Domain Controller hosting DNS, all entries of the servers are showing up in DNS, and I have tried using the 20 year old NT option of editing the host file and nothing. I’ve also tried using all of the above suggestions and no go…What gives, please help!!

    • Jarian Gibson, 03-13-2011

      What version of ESX are you running? You are also using vCenter to manage your ESX hosts, correct?

      • Brandon Jasper, 03-14-2011

        I’m running ESX 4.1.0, Yes, running vCenter

      • Michael Yuen, 03-18-2011

        I had the same issue until I tried httpS:// in our environment (instead of http://). Furthermore, the username should have the domain as part of the name. Example: domain\servicename.

        To ensure there’s no permission issue, I originally provided the Username of an account with full Administrator rights to vCenter. Once that worked, I then provided the service account I wanted to use with XenDesktop.

        The account that will be used must be assigned at the Datacenter level as per Jarian, you may be missing “VirtualMachine.Config.RemoveDisk” in your steps. I’m currently investigating if that’s what’s causing my machine creation to fail (since it works with full Administrator rights, but not with the locked down account.)

        With all that said, Jarian, THANK YOU for this informative blog. It helped me jump start my PoC.


      • Michael Yuen, 03-18-2011

        Jarian, I’ve confirmed that you are indeed missing the “VirtualMachine.Config.RemoveDisk” permission in one of your steps. My machines are creating without issue now (no longer fails at not being able to remove snapshot/disk.)

        • Jarian Gibson, 03-18-2011

          Actually I have that in the screenshot but left it out in bullet point list. Thanks for catching that. Article updated.

      • Michael Yuen, 04-12-2011

        I’ve found an issue with deleting Machine Catalogs of the Dedicated type. Pooled delete just fine. I have found that “Remove Snapshot” is another permission that’s required, and will test this out more tomorrow after further testing. I have an open case with Citrix for another issue, but this came up again today while I was troubleshooting. Will let you know my findings.

      • Michael Yuen, 04-12-2011

        Confirmed. “Remove Snapshot” is required. When you look at the VMware log, you’ll see that it does a “Task: Remove all snapshots” right after “Task: Revert snapshot”.

        It always failed right after “Task: Revert snapshot”, giving the error: “Failed to remove the virtual machine; .” (Where is something like “DOMAINcomputername$”, repeating the error on every line for every machine that’s part of the catalog.)

        I’ll share this finding with Citrix tech support tomorrow when we discuss the open case.

        • Jarian Gibson, 04-12-2011

          Thanks for the info. I am working on an updated article. I will add this to it. Thanks again for the info, I really appreciate it.

  3. Mike Paez, 03-01-2011

    I’m running vsphere 4.1 Update 1 and I didn’t have to import the cert or create a host file entry on the XenDesktop Controller. Which is strange because when I was testing XenDesktop 4 under vsphere server 4.1 no update I had to do the VMware hoop jumps.

    I’m having an issue with the desktop deployment Wizard and setting up our new test environment. I’m in the host details configuration and I’m unable to select the guest network or storage. Any ideas what I could have missed that would have caused this?

    • Jarian Gibson, 03-18-2011

      Did you setup the permissions at each level or did you propagate permissions from the datacenter? Either of those options should work and allow you to see the guest network and storage.

  4. Brad, 02-24-2011

    I will add from experience that if your DDC has UAC enabled, you need to start IE with “run as administrator” to get the option to install into the Trusted People-Computer chain.

    • Jarian Gibson, 03-01-2011

      Good point. I always disable UAC on my servers thru group policy so I haven’t come across this issue.
