7.2. Sun Ray Software

7.2.1. About the Oracle VDI Sun Ray Kiosk Session
7.2.2. How to Adapt the Bundled Sun Ray Kiosk Session
7.2.3. How to Access Desktops Using a Sun Ray Client
7.2.4. Multi-Monitor Support
7.2.5. How to Access the Sun Ray Administration GUI
7.2.6. How to Change User Password
7.2.7. How to Disable Client Authentication
7.2.8. How to Enable Desktop Screen Locking on Sun Ray Clients

When you install and configure Oracle VDI, you also install and configure the bundled release of Sun Ray Software; see Section 1.3, “About the Oracle VDI Package Software”.

To assist Oracle VDI administrators who are not familiar with Sun Ray Software, the bundled Sun Ray Software is configured specifically for use with Oracle VDI. This section covers only what is needed to provide access to Oracle VDI desktops using Sun Ray clients.

Administrators who are familiar with Sun Ray Software might want to adapt the default configuration to meet their requirements. Appendix B, Defaults for the Software Bundled With Oracle VDI has details of the default configuration.

For detailed information about Sun Ray Software and Sun Ray Clients, see Sun Ray Products Documentation at http://www.oracle.com/technetwork/documentation/sun-ray-193669.html.

7.2.1. About the Oracle VDI Sun Ray Kiosk Session

Sun Ray Software is typically used to provide access to standard UNIX or Linux platform desktop sessions. However, other session types can be supported by using Sun Ray Kiosk mode. Oracle VDI comes with a predefined Kiosk session, called Oracle Virtual Desktop Infrastructure. This Kiosk session uses the Sun Ray Windows connector to establish a remote desktop protocol (RDP) connection to a virtual machine.

Typically, a Sun Ray Kiosk session starts when a user inserts a smart card (token) into a Sun Ray Client. First a login dialog is displayed, where the user enters a user name, a password, and optionally a Windows domain. After successful authentication, the system contacts the Oracle VDI service to determine the desktops assigned to the user. If multiple desktops are available, a desktop selector screen is displayed. Once the user selects a desktop, the Sun Ray Windows connector starts and connects to the virtual machine running the desktop. If the virtual machine is not already running, a wait screen is displayed while the machine starts. See Section 7.2.3, “How to Access Desktops Using a Sun Ray Client” for examples.

Users do not have to use a smart card to log in. By default the Kiosk session is enabled for both smart card and non-smart card access.

By default, all users must authenticate to Oracle VDI before they can access a desktop. The Oracle VDI service contacts the user directory for the verification of the provided user credentials. If authentication succeeds the connection to the selected desktop is established. These credentials can be passed to a Windows guest operating system so that users can be automatically logged into their desktop.

Authentication to Oracle VDI can be disabled; see Section 7.2.7, “How to Disable Client Authentication”. If you disable Client Authentication, the user must either insert a smart card, or provide a user name and no password (in the login dialog), in order to access their desktop. The available desktops are the desktops assigned to the token, or the desktops assigned to the user name. In this situation, it is best practice to configure the desktop operating system to require authentication.

The login and desktop selector dialogs can also be disabled. When the desktop selector is disabled, users are always connected to their default desktop without authenticating to Oracle VDI. Because users cannot enter a user name or password before accessing their desktop, you must disable Client Authentication. If you do this, users must insert a smart card to enable Oracle VDI to determine pool or desktop assignments.

The appearance and behavior of the Kiosk session can be configured using a number of session parameters. There are two sorts of parameters:

  • Desktop selector options: these settings are for the VDA session and affect the login and desktop selector dialogs.

  • Sun Ray Windows connector options: these settings are for Sun Ray Windows connector (also known as uttsc) and affect the quality of the RDP connection.

The options are explained in the rest of this section. Section 7.2.2, “How to Adapt the Bundled Sun Ray Kiosk Session” describes how to configure and apply the options.

Desktop Selector Options

The following table shows the available desktop selector options.

| Argument | Description |
| --- | --- |
| -n | Disables the login and desktop selector dialogs. |
| -d <domain> | Sets a default domain in the Domain field. |
| -l <domain1>,<domain2>,... | Populates the Domain dropdown list with the specified domains. Example: -l north.example.com,south.example.com |
| -t secs | Specifies the timeout in seconds applied after a user logs in. The default is three minutes. |
| -j path | Path to the Java Runtime Environment (JRE) used to display the login and desktop selector dialogs. Example: -j /usr/java6 |
| -a | Enables the User Name field. Normally the User Name field is read-only. Using this option enables users to log in with a different user name. |
| -h | Hides the User Name field. |
| -o | Hides the Domain field. |
| -w | Shows the Password field. |
| -r <res1>,<res2>,... | Populates the Screen Resolution menu (under More Options) with a list of resolutions. Example: -r 1920x1200,2560x1600 |
| -v <log level> | Enables verbose logging. The log levels are FINEST, INFO, WARNING, SEVERE, and ALL. |

Previous releases of Oracle VDI supported a long format for these options, for example --no-desktop-selector instead of -n. The long options are deprecated; do not use them.

If you disable the login and desktop selector dialogs with the -n option, users cannot enter a user name or password before accessing their desktop. If you use this option, you must also disable client authentication. See Section 7.2.7, “How to Disable Client Authentication”. Users must insert a smart card to access their default desktop.

If you enable verbose logging with the -v option, additional log messages are output to standard error (stderr). The log messages can be viewed in the following locations:

  • Oracle Solaris platforms: /var/dt/Xerrors

  • Oracle Linux platforms: /var/opt/SUNWkio/home/utku<XX>/.xsession-errors

By default, the Oracle VDI login and desktop selector dialogs use the JRE included with Oracle VDI. However, an alternative JRE can be specified using the -j option. For the best support for locales and the latest improvements to Java Swing, use Java 6.

Sun Ray Windows Connector (uttsc) Options

The uttsc man page has the complete listing of the supported options.

7.2.2. How to Adapt the Bundled Sun Ray Kiosk Session

  1. Log in to the Sun Ray Administration GUI.

    See Section 7.2.5, “How to Access the Sun Ray Administration GUI”.

  2. Go to the Advanced tab.

  3. Click the Kiosk Mode link.

    The Kiosk Mode page is displayed.

  4. Click the Edit button.

    The Edit Kiosk Mode page is displayed.

  5. In the Arguments field, type the required Kiosk session arguments.

    The syntax for the Kiosk session arguments is:

    desktop selector options -- uttsc options

    The available Kiosk options for Oracle VDI are described in Section 7.2.1, “About the Oracle VDI Sun Ray Kiosk Session”.

    For example:

    -d vdatest -j /usr/java6 -- -E wallpaper -E theming

  6. Click OK.

  7. (Optional) Perform a cold restart of Sun Ray services.

    The new settings only take effect for new Kiosk sessions. To enforce the settings for existing sessions, you must perform a cold restart of Sun Ray services. This terminates all existing sessions and creates new Kiosk sessions as necessary.

    1. Go to the Servers tab.

    2. Select all servers in your Oracle VDI environment.

    3. Click Cold Restart.

      This operation can take several minutes to complete.
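
The following Python code is an added example, not part of the Oracle documentation or of Oracle VDI. It checks an Arguments string against the rules stated in Section 7.2.1 before you type it into the Edit Kiosk Mode page: the `--` separator, the short desktop selector options, the deprecated long options, and the requirement that -n is only used with Client Authentication disabled. The function names are hypothetical, the uttsc options after `--` are not checked, and the caller supplies the clientauthentication value.

```python
import re
import shlex

# Desktop selector options from the table in Section 7.2.1.
# True means the option takes a value, False means it is a bare flag.
SELECTOR_OPTIONS = {
    "-n": False, "-d": True, "-l": True, "-t": True, "-j": True, "-a": False,
    "-h": False, "-o": False, "-w": False, "-r": True, "-v": True,
}
LOG_LEVELS = {"FINEST", "INFO", "WARNING", "SEVERE", "ALL"}


def split_kiosk_arguments(arguments):
    """Split 'desktop selector options -- uttsc options' into two token lists."""
    tokens = shlex.split(arguments)
    if "--" in tokens:
        sep = tokens.index("--")
        return tokens[:sep], tokens[sep + 1:]
    return tokens, []


def parse_selector_options(tokens, findings):
    """Return {option: value} for known options; record problems in findings."""
    seen, i = {}, 0
    while i < len(tokens):
        opt = tokens[i]
        i += 1
        if opt.startswith("--"):
            findings.append(f"{opt}: long options are deprecated")
            # Skip a value that may follow the deprecated option.
            if i < len(tokens) and not tokens[i].startswith("-"):
                i += 1
        elif opt not in SELECTOR_OPTIONS:
            findings.append(f"{opt}: not a desktop selector option")
        elif not SELECTOR_OPTIONS[opt]:
            seen[opt] = None
        elif i < len(tokens) and not tokens[i].startswith("-"):
            seen[opt] = tokens[i]
            i += 1
        else:
            findings.append(f"{opt}: missing value")
    return seen


def audit_kiosk_arguments(arguments, client_authentication="Enabled"):
    """Check a Kiosk Arguments string against the rules stated in this section.

    client_authentication is the clientauthentication value ("Enabled" or
    "Disabled") that the caller read with 'vda settings-getprops'.
    """
    findings = []
    selector, _uttsc = split_kiosk_arguments(arguments)  # uttsc part not checked
    seen = parse_selector_options(selector, findings)
    if "-v" in seen and seen["-v"] not in LOG_LEVELS:
        findings.append(f"-v: unknown log level {seen['-v']}")
    if "-t" in seen and not seen["-t"].isdigit():
        findings.append(f"-t: timeout must be a number of seconds, got {seen['-t']}")
    if "-r" in seen:
        bad = [r for r in seen["-r"].split(",") if not re.fullmatch(r"\d+x\d+", r)]
        if bad:
            findings.append(f"-r: not WIDTHxHEIGHT: {','.join(bad)}")
    if "-n" in seen and client_authentication != "Disabled":
        findings.append("-n: dialogs disabled but clientauthentication is not Disabled")
    if client_authentication == "Disabled":
        findings.append("clientauthentication Disabled: require login in the desktop OS")
    return findings
```

An empty list means the string is consistent with the rules in this section; for example, `audit_kiosk_arguments("-d vdatest -j /usr/java6 -- -E wallpaper -E theming")` returns no findings.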

7.2.3. How to Access Desktops Using a Sun Ray Client

This section provides examples of how users access their desktops using Sun Ray Clients (Sun Ray hardware or Oracle Virtual Desktop Client).

Depending on the configuration of the Sun Ray Kiosk session, users might have to log in before they can access a desktop. If a user is assigned multiple desktops, they also might be able to select the desktop. See Section 7.2.1, “About the Oracle VDI Sun Ray Kiosk Session” for more details.

Example 1

In this example, a user logs in to Oracle VDI and then selects the desktop to access.

  1. Log into Oracle VDI.

    Insert a smart card (token) into a Sun Ray Client that is connected to an Oracle VDI host. The token is assigned to a pool, or directly to a desktop.

    The login dialog is displayed.

    Figure 7.1. Oracle VDI Login Dialog

    Screen capture of the Oracle VDI login dialog.

    The user must provide a user name, password, and optionally a Windows domain.

  2. Select a desktop or pool.

    After successful authentication, the system determines the desktops and pools assigned to the user. If multiple desktops are assigned to the user, the desktop selector dialog is displayed. The dialog is not displayed if only one desktop is assigned.

    Figure 7.2. Oracle VDI Desktop Selector Dialog

    Screen capture of the Oracle VDI desktop selector screen.

  3. Work with the desktop.

    Once the user selects a desktop, the Sun Ray Windows connector starts and displays the desktop.

    Figure 7.3. Oracle VDI Windows Desktop

    Screen capture of a Windows desktop displayed through Oracle VDI.

    At any time, the user can disconnect from the desktop by moving the mouse pointer to the top of the screen and clicking the "X" on the remote desktop pulldown menu. The user is disconnected from the current desktop session and either the desktop selector dialog or the login dialog is displayed.

    There is also a Disconnect button available in the Windows start menu, for desktops connected via Windows RDP. Desktops connected through Oracle VM VirtualBox (VRDP) do not have this button.

Example 2

In this example, a user is not required to log in to Oracle VDI and can access only their default desktop.

  1. Start the desktop.

    Insert a smart card (token) into a Sun Ray Client that is connected to an Oracle VDI host. The token is assigned to a pool, or directly to a desktop.

    Oracle VDI determines the default desktop assigned to the user. In this example, the desktop is not already running and so a wait screen is displayed while the desktop is started.

    Figure 7.4. The Wait Screen

    Screen capture of the wait screen.

  2. Log in to the desktop.

    In this example, the standard Windows login screen is displayed because the configuration of the guest operating system requires a user name and password (and potentially the Windows domain).

    Figure 7.5. Windows Login Screen

    Screen capture of the Windows login screen.

  3. Work with the desktop.

    Figure 7.6. Oracle VDI Windows Desktop

    Screen capture of a Windows desktop displayed through Oracle VDI.

    After successful authentication, the desktop is displayed. The behavior is the same as for a standard Windows PC.

7.2.4. Multi-Monitor Support

The Multi-Monitor feature enables the use of more than one monitor connected to a Sun Ray Client or to a Sun Ray Multihead Group. The desktops may be configured to display one desktop session across multiple monitors, or multiple desktop sessions across multiple monitors.

At a minimum, the feature requires a Sun Ray Client (like a Sun Ray 2FS or Sun Ray 3 Plus) with two monitors connected and the desktop selector enabled. If more than two screens are required, a Sun Ray Multihead Group can be configured to connect several DTUs.

7.2.4.1. Multi-Desktop

If more than one desktop is assigned to a user, and more than one monitor is available, then the desktop selector allows the user to select and connect to multiple desktops.

Figure 7.7. Connecting to Multiple Desktops with Multiple Monitors

Image showing a Sun Ray Client with two monitors, and a different desktop displayed on each monitor.

The desktops will be displayed in the order they are listed. For example, the first desktop will be displayed on the first monitor. To change the order in which the desktops are displayed, the user must return to the desktop selector by logging out or closing the Sun Ray Windows connector session. The previously displayed desktops will be marked with a monitor icon. When one of the desktops marked with a monitor is selected, arrows will be displayed allowing each desktop to be promoted or demoted in position. When the desktops have been re-ordered, the user may reselect the ones they wish to view and click Connect.

7.2.4.2. Multi-Monitor

The Multi-Monitor feature relies on the multiple remote monitors feature from Oracle VM VirtualBox, which enables configuration of up to eight monitors per Oracle VDI desktop session. The Multi-Monitor feature is supported for Windows XP and Windows 7 guests hosted by Oracle VM VirtualBox and using VRDP.

Figure 7.8. Multiple Monitors

Image showing a Sun Ray Client with two monitors, and a Windows desktop extended to display across both monitors.

7.2.4.3. Hotdesking and Multi-Monitor Feature

There is a possibility that moving from one Sun Ray Client to another will leave some open windows on non-existing monitors. In that case, the end user must go to Control Panel, launch the Display Properties application, and modify the number of available monitors. After that, all windows from the invisible monitors will be brought over to the existing monitors. That will allow the user to see all windows again.

7.2.4.4. Sun Ray Multihead Groups

The Sun Ray 2FS and Sun Ray 3 Plus Clients support two monitors. In order to create a large array of monitors, several Sun Ray Clients can be hooked together to form a multihead group. When configuring multihead groups, ensure that XINERAMA is left disabled. See the Multiple Monitor Configurations chapter in the Sun Ray Software 5.2 Administration Guide.

A multihead group can be used either to display several desktops or to display one desktop hosted on Oracle VM VirtualBox with several screens.

Figure 7.9. Multihead Group and Multiple Desktops

Image showing three Sun Ray Clients with six monitors in a multihead group, with different desktops displayed across the group.

Figure 7.10. Multihead Group and Single Desktop

Image showing three Sun Ray Clients with six monitors in a multihead group, with a Windows desktop extended to display across the group.

7.2.4.5. How to Enable Support for Multiple Monitors

  1. Edit the template and configure the display properties to extend the desktop to multiple monitors.

    If you are using Sysprep, do not perform this step because the monitor configuration is removed during cloning. If you use FastPrep, the monitor configuration is preserved.

    1. In the template, go to the Start menu and select Control Panel.

    2. Go to Appearance and Personalization > Personalization > Display Settings.

    3. Select Identify Monitors and position the monitors.

  2. Configure the required number of monitors for the desktops in a pool.

    1. In Oracle VDI Manager, go to Pools and select a pool.

    2. Go to the Settings tab.

    3. In the Sun Ray Client section, select the required number of monitors in the Monitors list.

      The virtual machine is configured with one graphics card for each monitor.

  3. Restart all running desktops in the pool.

    You must restart all running desktops so that the graphics card changes are detected in the virtual machine. If you do not do this, users might experience connection problems when they connect to their desktop. Existing desktops that are powered off detect the graphics card changes when they are next powered on.

    1. Go to the Desktop tab.

    2. Select all the running desktops in the pool.

      Select all the desktops except those with a Machine State of powered off.

    3. Click Restart.

    The display properties in existing desktops must be configured individually to extend the desktop to multiple monitors.

7.2.5. How to Access the Sun Ray Administration GUI

The Sun Ray Administration GUI is configured and accessible on each Oracle VDI host. This allows easy modification of Sun Ray configuration settings such as Kiosk session parameters (see Section 7.2.2, “How to Adapt the Bundled Sun Ray Kiosk Session”).

Steps

  1. Go to https://<server-name>:1660.

    If you enter an http:// URL, you are redirected to an https:// URL.

    The browser displays a security warning and prompts you to accept the security certificate.

  2. Accept the security certificate.

    The login screen is displayed.

  3. Log in as super user (root) with the corresponding password.

Note

Oracle VDI does not use the default "admin" user account that is normally configured as part of the Sun Ray Software installation.

7.2.6. How to Change User Password

The desktop login/selector dialog allows end-users working from Sun Ray Clients to update their password in the user directory.

Note

Password Change is not offered when Client Authentication is disabled; see Section 7.2.7, “How to Disable Client Authentication”.

Oracle VDI supports password change on the following directory servers:

  • Active Directory (from Windows Server 2003 and 2008)

  • Oracle Directory Server Enterprise Edition

The authentication type (see Section 4.1, “About User Directory Integration”) selected to integrate the user directory with Oracle VDI affects the password change functionality:

Note

A default restriction in Active Directory prevents password update from an LDAP Simple Authentication.

7.2.6.1. The user password has already expired

If integrating with an Active Directory server using Kerberos authentication (see Section 4.5, “How to Set Up Kerberos Authentication”) or Public Key authentication (see Section 4.6, “How to Set Up Public Key Authentication”):

  1. The end-user enters her login credentials in the login dialog (see Section 7.2.3, “How to Access Desktops Using a Sun Ray Client”).

  2. The system detects that the user password has expired and directs the user to the password change dialog, where the user is prompted to type her old and new passwords (the new password must be entered twice).

  3. After a successful password update, the user is authenticated with the new password and the system will offer the same screen as after a regular successful authentication (see Section 7.2.3, “How to Access Desktops Using a Sun Ray Client”).

If using an LDAP type of authentication (see Section 4.1, “About User Directory Integration”):

  1. The end-user enters her login credentials in the login dialog (see Section 7.2.3, “How to Access Desktops Using a Sun Ray Client”).

  2. The system detects that the user password has expired and displays an error message to the end-user.

  3. The end-user must use an alternate customer-provided process to update her password before being able to log in again.

7.2.6.2. The user password has not expired yet

Note

This functionality may only be accessed from the desktop selector dialog, which is not displayed to the end-user when only one desktop is applicable to her.

This functionality is offered with all types of authentication for the user directory (see Section 4.1, “About User Directory Integration”), provided the directory server allows end-users to change their password:

  1. The desktop selector dialog (see Section 7.2.3, “How to Access Desktops Using a Sun Ray Client”) offers a More Options menu at the bottom which contains a Change Password entry.

  2. When the user clicks Change Password, she is directed to the password change dialog, where she is prompted to type her old and new passwords (the new password must be entered twice).

  3. The user may cancel her password change. She then goes back to the desktop selector screen and no change takes place.

  4. When the user confirms the password change, her password is updated in the directory server and she goes back to the desktop selector screen, which shows a confirmation message.

7.2.6.3. Troubleshooting

The update of the password may fail for the following reasons:

  • The end-user does not type the right old password.

  • The new password does not comply with the password policy from the directory server (not allowed to reuse old password, password complexity not met).

  • If using Active Directory server, the Kerberos configuration does not allow password change. See Section 4.5, “How to Set Up Kerberos Authentication” for help on setting up Kerberos authentication.

  • The authentication type does not allow password change. See restrictions described in Section 7.2.6, “How to Change User Password”.

In case of problems, check the log files; see Section 9.3.2, “How to Check the Oracle VDI Log Files”.

7.2.7. How to Disable Client Authentication

All users must authenticate themselves before getting access to any desktop. Typically users are asked for a user name and password (and optionally a Windows domain). The Oracle VDI service then contacts the user directory to verify the provided user credentials. If authentication succeeds, the connection to the desired desktop is established; otherwise it is denied. The user name and password are also forwarded to the guest OS running the desktop, so users are automatically logged in to their desktop without having to pass another login screen.

Note

Automatic login works for Windows RDP only. Forwarding of user credentials does not yet work for VRDP or for non-Windows operating systems.

Authentication at the Oracle VDI service level can be disabled if desired. However, special care must then be taken with the setup of the users' desktops so that no unwanted security holes are opened. For example, it is good practice to configure desktops to always present their own login screen before displaying the actual desktop content. This way authentication is still required, but it is performed at the guest OS level only. This setup also makes it possible to use more advanced authentication techniques that are not supported out of the box by the Oracle VDI service.

Note

For security reasons it is recommended to leave authentication always enabled, unless the simple user name/password authentication does not satisfy your requirements.

Steps

You can use the VDA administration CLI to configure whether authentication is performed by the Oracle VDI service.

To check the currently configured authentication policy:

# /opt/SUNWvda/sbin/vda settings-getprops -p clientauthentication

To enable authentication (the default):

# /opt/SUNWvda/sbin/vda settings-setprops -p clientauthentication=Enabled

To disable authentication:

# /opt/SUNWvda/sbin/vda settings-setprops -p clientauthentication=Disabled

7.2.8. How to Enable Desktop Screen Locking on Sun Ray Clients

This procedure shows you how to configure screen locking for Sun Ray Software Clients in an Oracle VDI environment.

With the hotdesking feature, you must authenticate to access your assigned desktop when you initially insert your smart card. But, once you are logged into your desktop session, you can move to other Sun Ray Clients by removing and reinserting your smart card without having to log in again. This is actually one of the strengths of hotdesking.

However, some groups may find this scenario to be a security issue. For example, if you lose your smart card, the smart card could be used by a different person to get access to your desktop session without the need to enter any password.

Enabling desktop screen locking forces you to provide a password whenever you insert your smart card, even when you are currently logged into your desktop session. The domain field and the user field on the login screen are already provided.

By default, desktop screen locking is disabled.

  • To check the current desktop screen locking policy:

    # /opt/SUNWvda/sbin/vda settings-getprops -p clientscreenlock

  • To enable desktop screen locking:

    # /opt/SUNWvda/sbin/vda settings-setprops -p clientscreenlock=Enabled

  • To disable desktop screen locking (default):

    # /opt/SUNWvda/sbin/vda settings-setprops -p clientscreenlock=Disabled