Citrix Desktop Director 2.1

I have now released my Desktop Director RES AM Runbook. Follow this link for more details

Citrix Desktop Director 2.1 has just been released with XenDesktop 5.6. Desktop Director is the web administration tool which allows support and helpdesk staff to manage certain components of XenApp and XenDesktop. The interface is intuitive and offers lots of information that was not available in previous consoles. It’s a great addition to XenApp and XenDesktop but requires some work to get it up and running.

In this article I will share some of the issues I have come across when setting up Desktop Director.

I always favour a tiered approach to Citrix environments and I therefore like to separate out the different roles, such as Controllers and Management components. This article describes hosting Desktop Director on separate servers to your XenDesktop or XenApp controllers, in smaller environments you may want to install it directly onto a XenDesktop controller.

You may use a XenApp server to host your management tools; because Desktop Director requires the IIS role you probably won’t want to install this on a XenApp server – in this case I think Web Interface servers make a good place to host it.


System Requirements

    • XenDesktop 5 Service Pack 1 or XenDesktop 5.5, 5.6
    • HDX information displays are not supported for XenDesktop 5 Service Pack 1.
    • XenApp 6.5

User Requirements (these are no longer listed in the requirements of Desktop Director 2.1)

    • The Desktop Director client requires one of the following operating systems:
    • Microsoft Windows 7 Service Pack 1 (32- and 64-bit), Professional and higher
    • Microsoft Windows XP Service Pack 3 (32- and 64-bit), Professional and higher
    • Apple Macintosh 10.5 or 10.6

Desktop Director supports the following browsers:

Desktop Director 2.0

    • Microsoft Internet Explorer 7 or 8
    • Internet Explorer 7 is not supported for Windows 7. Compatibility mode is not supported for Internet Explorer 7 or 8.
    • Mozilla Firefox 3.6 for Windows
    • Mozilla Firefox 3.6 for Mac
    • Adobe Flash Player 10 must be installed to view the graphs.
Desktop Director 2.1
    • Internet Explorer 8 or 9
    • Firefox 8.x
    • Safari 5

Installing Desktop Director

Desktop Director 2.0 can be installed using the XenDesktop 5.5  installation media, or you can download it from Citrix website under XenDesktop 5.5 Custom Download or XenApp 6.5 Custom Download (Click on XenApp 6.5 - Version, scroll down to custom download and click the + next to your language)

Desktop Director 2.1 can be downloaded from the Citrix website under XenDesktop 5.6 Custom Download.

If you are trying to install Desktop Director 2.1 you must first install version 2.0 then upgrade to 2.1

The server you are installing Desktop Director on needs to have the IIS Role.

Run Autorun, deselect all components except Desktop Director.








During the install you will be prompted to enter the names of your XenDesktop Controllers,  you are able to enter the addresses of multiple controllers but Desktop Director does not load balance or failover between XenDesktop Controllers, this is merely if you want to manage multiple XenDesktop sites.  In an enterprise environment you would need to load balance using NetScaler or another type of load balancer.

For smaller environments, in the instance where you lose the Controller that Desktop Director is pointing at, you can manually change the name of the Controller in the IIS config. See further down for instructions.

For XenApp, you only need to enter the name of one of the Controllers, and Desktop Director discovers all controllers in the farm and uses them for failover. It will not, however, use them for load balancing.

Don't enter the name of your XenApp controllers at this stage though as Desktop Director will think they are XenDesktop Controllers. See further down for instructions on how to add XenApp Controllers.









In Desktop Director 2.1 there is a bug that causes the WinRM reports to give you this error when looking at a machine in the console:

Failed to retrieve data: Server reported unexpected error (error code 100). View server event logs for further information.

Citrix have now released CTX132851 which explains how to resolve this.

If you are using Desktop Director with XenApp you should install the hotfix found in CTX131221

Configuring Desktop Director

Configuration of Desktop Director is done via the IIS website Applications Settings. To get to these:

  1. Open IIS Manager
  2. Expand Default Website
  3. Click on DesktopDirector
  4. Double click Application settings.

SSL Check

If you are not securing Desktop Director with an SSL certificate you will get this error at the logon screen.




To stop this set UI.EnableSslCheck to false

XenApp Only Implementations

If you are only using Desktop Director for XenApp change Service.AutoDiscoveryAddresses to Service.AutoDiscoveryAddressesXA

Otherwise, logon to Desktop Director will fail and you will see an Event ID 7 in the Application log with this detail

Logon attempt failed. 

Username: user

Domain: domain 

Additional diagnostics information (exception message):

'No farms or sites are currently accessible'

Multiple Sites

To manage multiple XenApp and / or multiple XenDesktop sites, configure Service.AutoDiscoveryAddressesXA with the addresses of the XenApp Controllers for the multiple sites separated by commas;  and Service.AutoDiscoveryAddresses with the addresses of the XenDesktop Controllers for the multiple sites separated by commas.


You will want to configure a timeout for the Desktop Director console for security reasons. To do this:

  1. Expand Default Website
  2. Click on DesktopDirector
  3. Double click Session State
  4. Set your timeout under Cookie Settings


Win RM is used by Desktop Director to pull the Memory, CPU, and Network stats, and the HDX report.

CTX125243 explains all you need to know about installing and /or enabling WinRM.

The person viewing the reports needs to have some permission on the endpoint on which they are trying to view information. This can either be granted by giving the person viewing the report local Administrator rights on the endpoint, or by manually granting a user or group the permissions in WinRM (this is known as the Trusted Subsystem Model).

To use the Impersonation Model you need to run the following command on the XenApp or XenDesktop endpoint that the person will be viewing the WinRM stats on.

ConfigRemoteMgmt.exe can be found in the XenDesktop installation media under x86Virtual Desktop Agent and x64Virtual Desktop Agent folders and on the XenApp installation media in the tools folder.

To use the  Trusted Subsystem Model change

Connector.WinRM.Identity = User


Connector.WinRM.Identity = Service

in the Desktop Director IIS Application settings.

This is contrary to Citrix's documentation which states the setting should be Service.Connector.WinRM.Identity = Service, which is incorrect (thanks to Ken for helping me get this working)

Remote Assistance

Remote Assistance can be configured as part of the Virtual Desktop Agent install but if you didn't do it at time of install you can configure it using the following GPO applied to your Desktops:

Computer Configuration-->Policies-->Administrative Templates-->System-->Remote Assistance

If you do not configure one of these, you will get the message "Failed to initiate Remote Assistance" in the Desktop Director console when you try to shadow.

Helpdesk Admins

One last thing to note is that if you delegate rights to your helpdesk staff in XenDesktop and you give them the Helpdesk role, when they log into Desktop Director they will not be able to see the Dashboard.

Instead of seeing this screen, they will just get a search box.

If you want to enable the Dashboard for Helpdesk role, run the following PowerShell command on your XenDesktop Controllers:

Set-BrokerAdministrator-Readonly $true

Personal vDisk

To allow non-administrators to reset XenDesktop Personal vDisks you need to create an registry key on your XenDesktop Virtual Desktop Agents. Do this in your gold image(s) if you are using Machine Creation Services or Provisioning Services, otherwise you will have to deploy it to all VDAs using some other method.

The registry key is HKEY_LOCAL_MACHINESoftwareCitrixpersonal vDiskConfigPvDResetUserGroup (REG_SZ)

Populate this registry key with the AD group that you want to grant reset Personal vDisk permissions.

51 Responses

  1. Kevin

    Good and helpful article. Just wanted to mention that the Desktop Director version on the XenApp 6.5 Additional Components ISO is 2.0, not 2.1

    • Hi Kevin,

      Thanks for your comment. I have updated the article to reflect what you mention.


  2. Ken

    The Citrix Documentation is incorrect…

    INCORRECT: Service.Connector.WinRM.Identity = Service
    CORRECT: Connector.WinRM.Identity = Service

    • Sweet. Thanks for the comment. I am going to test that out.

    • Ken, thanks for this. Finally got around to testing it and updated the article.

  3. Richard

    Hello Shaun,
    Nice article.
    Have you succeed to manage in the same time a XenApp and a XenDesktop environment ?
    My dashboard only give me the information regarding the XD Site.

    • Hi, sorry for late reply. Been busy.

      The dashboard will only show XenDesktop information. If you are just using Xenapp or a combination of XenDesktop and XenApp then you need to search for the user and you will then be able to see the published apps that they are running and view information about the servers they are connected to (provided you have configure WinRM on the XenApp servers)

      You will only see real time information for the users that have published apps running. User not running anything = no information.


  4. Rho

    When trying to run the ConfigRemoteMgmt.exe /configwinrmuser domainname command I get this error:

    Could not load file or assembly ‘Interop.NetFwTypeLib, Version=, Culture=neutral, PublicKeyToken=4b82bfc4004a8f37’ or one of its dependencies. The system cannot find the file specified.

    Any idea’s?

    • Can you post in the forum (sign in with Twitter or Facebook account) & I will take a look when I have some time. Prob this evening.

      • Rho

        I managed to resolve it, I didn’t copy the other .dll file that the ConfigRemoteMgmt.exe application needs to work.

        • Cool. Glad you got it to work.

  5. Marc Smid

    For anyone concerned, the citrix permission tool did not work for me.
    The problem and solution is posted here:

  6. Todd

    Good article, very clear, thanks!

  7. Eno

    When installing for XA ONLY use, I don’t see the dashboard view. Looking at your image for the DD Dashboard, I see elements that wouldn’t be particularly relevant for XA installs. Is it the case that DD Dashboard is not available? I’ve tried to run the Set-BrokerAdministrator-Readonly $true cmdlet, but it doesn’t exist on an XA box, even with the PS SDK installed. Looking it says its making the query, but it doesn’t say anything about what is returned. The string “HELPDESK” sits in the black bar at the top, and I see a search bar only.

    Any ideas? Thanks!!

    • There is no dashboard view for XenApp.

      • Todd

        Shaun – Great article! Just wanted to confirm something. you mention there’s no dashboard view above for XA only. Does this mean a Citrix admin would just see the search box .. same as a help desk type person? How would you “adminsiter / make changes” to Desktop Director if you don’t get the dashboard page. I’m a bit lost here. Have a user who is definitely full permission domain AND Citrix admin but only getting search box.

        • This is correct. For XenApp you only get the search box – no dashboard view as far as I can remember

  8. R Sougey


    is it possible to limit the dashboard view only to the catalogs that the helpdesk group can manage ? (and not to allow to view all catalogs ?

    Many thanks in advance

    • To be honest I don’t know. Something I’ll have to look into.

  9. James

    I used the trusted subsystem model using the DDC servers names instead of users to configure WinRM. Using the DDC Server names I didnt have to grant the helpdesk admin right to the virtual workstations. Does this also work in the XenApp 5.6 environment as well?

  10. Rob

    Is it possible to pre-fill and maybe hide the domain field on the login screen.

    P.S. Great blog post.

    • I’m looking into it.


    • I’m sure it’s possible to get rid of the domain field but I am not skilled enough in html to do it.

      Take a look at C:inetpubwwwrootDesktopDirectorLogOn.aspx

      • add Text=”Your Domain” to the LogOn.aspx under C:inetpubwwwrootDesktopDirector



        • Thanks for the info. Going to test this out when I get some time.

          • Nicolas Leon

            Were you able to test out hiding the domain field from the Desktop Director login? If so, what were the final steps. Thanks in advance.

          • Nicolas Leon


  11. PNR

    In my environment DDC and DD roles are hosted in different servers. I’m trying to login desktop director console, I am getting an error stating that ‘The System is currently unavailable. Please try again or contact your administrator’ and same time if i looked the event viewer in DD server, I can see Event ID 7 generated with ‘No sites are currently accessible’.

    I have re-installed DD, IIS couple of times but no luck.

    The environment details are as follows,
    DDC 5.6 FP1
    DD 2.1

    Your valuable reply is much appreciated.


    • It sounds like you have not configured Desktop Director with the address of your DDC. Or you have configured it incorrectly.

      • PNR

        Hi Thanks for your quick reply.

        I have configured the DDC controller information on IIS->Default website-> DesktopDirector->ServiceAutoDiscoveryAddress->

        I’ve tried adding two controllers with comma separated or single but no luck.

        Just want to clarify whether DD 2.1 will support XenDEsktop 56 FP1 version..? I’m suspecting this.. because rest all seems to be fine in our environment.

        Look forward your reply soon…


        • This issue can also be caused by token bloat.

          The kerberos SSPI package generated an output token of size 32308 bytes, which was too large to fit in the token buffer of size 12000 bytes, provided by process id 872.

          The output SSPI token being too large is probably the result of the user USER@DOMAIN.COM being a member of a large number of groups.

          It is recommended to minimize the number of groups a user belongs to. If the problem can not be corrected by reduction of the group memberships of this user, please contact your system administrator to increase the maximum token size, which in term is configured machine-wide via the following registry value: HKLMSYSTEMCurrentControlSetControlLsaKerberosParametersMaxTokenSize.

          If the Kerberos token is too large, the user cannot authenticate properly to Desktop Director. We changed the MaxTokenSize regkey, restarted the server and the issue went away.

          • Cool. Thanks for the information Carl.

  12. Elliott Mendelow

    Fantastic article Shaun, this has really helped a lot with some WinRM troubles configuring Director for XA 6.5. Cheers mate 🙂

    • Excellent. Glad it help. It is quite amazing how fiddly Desktop Director is to get working.

  13. Do you mind if I quote a couple of your articles as long as I provide credit and sources back to your site?
    My blog site is in the very same niche as yours and my users
    would really benefit from some of the information you provide here.
    Please let me know if this ok with you. Appreciate it!

    • Would be more than happy for you to do that.

  14. Rob

    Similar to the person above, when trying to log in, I get Event ID 7 generated with ‘No farms or sites are currently accessible’. XenApp 6.5 with HRP01. I followed the instructions above closely, though I installed Desktop Director 2.0 from the XenApp 6.5 Additional Components ISO, as per this article:

    I’ve renamed the IIS setting to Service.AutoDiscoveryAddressesXA and I’ve definitely got the correct FQDN of my Data Collector.

    I’ve opened TCP 2513 inbound on the Windows Firewall. Desktop Director VM is in the same VLAN as the Data Collector.

    I doubt this issue can be token bloat because the user I’m testing with is a Domain Admin and is in no other AD groups.

    No idea what to do next to get this working. Very frustrating!

    • Rob

      I found that the “Citrix XenApp Commands Remoting” service had been disabled on all XenApp servers by the hotfix in CTX134147. I re-enabled the service and started it on all servers, but I still get the same error when attempting to log in to Desktop Director. I’ll keep hunting for a solution!

    • Rob

      Issue fixed. I had to run “ConfigRemoteMgmt.exe /configwinrmuser domainname” on my XenApp Data Collectors. I used the new version from CTX131165.

      I had previously assumed that because I was using a Domain Admin account (for testing), I wouldn’t need to run this command. I was wrong! Anyway, Desktop Director is working now so I’m very happy. I hope this information helps others too.

  15. Ron

    I can get DD to work fine with my XD farm, but I can’t seem to get DD to work with my XA farm. if I’m local admin on all servers in the farm, do I still need to run the configremotemgmt cmd on all of the XA servers if I’m using the default “user” impersonation model?

  16. Gary

    Hi, can you confirm how many separate XenDesktop Farms a single Desktop Director can support. Thanks

    • No, I don’t know.

      How many Farms do you have?

  17. Chuck

    Can you tell me if you have to run the configremotemgmt on all the servers in the farm or just the ddc’s? Pulling session information is only working for me on servers that I have run this on. Other servers return 105 errors. Thanks for the article!

    • You need to run it on all the servers in the farm.

  18. ajay

    Hi Shaun,

    can you please tell me how to change the language from French to English in the Director interface. I am using Xendesktop 7.

    -Ajay Pendota

    • Um, have no idea to be honest. Log it in the Citrix forum.

  19. Walt Sikora

    Can you tell me where I can look to see what groups have access to use DD? Nor can I find a way to add any additional groups.


    • It’s all comes from the groups you have permission in Studio / or PowerShell.

  20. […] If you are not securing Director with an SSL certificate you will get this error at the logon […]

  21. […] If you are not securing Director with an SSL certificate you will get this error at the logon […]

  22. […] If you are not securing Director with an SSL certificate you will get this error at the logon […]

  23. […] If you are not securing Director with an SSL certificate you will get this error at the logon […]

  24. […] If you are not securing Director with an SSL certificate you will get this error at the logon […]

  25. […] If you are not securing Director with an SSL certificate you will get this error at the logon […]

  26. […] If you are not securing Director with an SSL certificate you will get this error at the logon […]

Leave a comment