6.2. Desktop Access Using Sun Ray Clients

6.2.1. About the Oracle VDI Sun Ray Kiosk Session
6.2.2. How to Modify the Bundled Sun Ray Kiosk Session
6.2.3. How to Access the Sun Ray Administration GUI
6.2.4. How to Change a User Password
6.2.5. How to Disable Client Authentication
6.2.6. How to Enable Desktop Screen Locking on Sun Ray Clients
6.2.7. Sun Ray Client User Access Scenarios
6.2.8. Multiple Monitor Capability

Oracle VDI installation and configuration includes the installation of a bundled release of Sun Ray Software configured specifically for use with Oracle VDI (see About the Oracle VDI Software). This section describes the information needed to provide access to Oracle VDI desktops from Sun Ray Clients.

Administrators can modify this default configuration. Appendix B, Defaults for the Software Bundled With Oracle VDI has details of the default configuration. For detailed information about Sun Ray Software and Sun Ray Clients, see the Sun Ray Product Documentation page http://www.oracle.com/technetwork/documentation/sun-ray-193669.html.

6.2.1. About the Oracle VDI Sun Ray Kiosk Session

Sun Ray Software is designed to provide access to standard Oracle Solaris or Linux platform desktop sessions from Sun Ray Clients. You can also use Sun Ray kiosk mode to provide controlled access to other session types. Oracle VDI comes with a predefined kiosk session, called Oracle Virtual Desktop Infrastructure. This kiosk session uses the Sun Ray Windows connector (uttsc) to establish a Remote Desktop Protocol (RDP) connection to a virtual machine.

Typically, an Oracle VDI Sun Ray kiosk session starts when a user inserts a smart card into a Sun Ray Client. The user enters a user name, a password, and, optionally, a Windows domain in the Login Dialog. The Login Dialog always requires a fully qualified domain name (FQDN). However, you can control, on a per-pool basis, whether the kiosk session uses a FQDN or a NetBIOS name when it starts uttsc. Use the Fully Qualified Domain Name check box in the Login panel under Pool Settings > Login in the Oracle VDI Admin GUI to toggle between the FQDN (the default) and the NetBIOS name.

After successful authentication, the system contacts the Oracle VDI service to determine what desktops are assigned to that user. If multiple desktops are available, a Desktop Selector screen prompts the user to select a desktop, after which the Sun Ray Windows connector starts and connects to the virtual machine running the user's desktop. If the virtual machine is not already running, a wait screen (see Figure 6.4, “The Wait Screen”) is displayed while the machine starts.

The kiosk session is enabled for both smart card and non-smart card access, so users do not have to use smart cards to log in; however, by default, all users must authenticate to Oracle VDI before they can access a desktop. The Oracle VDI service contacts the User Directory to verify user credentials. If authentication succeeds, the connection to the selected desktop is established. The credentials can then be passed to a Windows guest operating system so that the user can be logged into that desktop automatically.

If you disable client authentication (see Section 6.2.5, “How to Disable Client Authentication”), users can either insert a smart card or provide a user name in the Login Dialog to access their desktops. Desktops are assigned via the smart card token or the user name, and the user is not required to enter a password. In this situation, which bypasses other authentication mechanisms, it is best to configure the desktop operating system to require authentication.

The login and Desktop Selector dialogs can also be disabled. When the Desktop Selector is disabled, users are always connected to their default desktop without having to authenticate to Oracle VDI. Because users cannot enter a user name or password before accessing their desktops, however, disabling these dialogs also requires Client Authentication to be disabled. When this is the case, users must insert a smart card, which is used to direct them to the proper pool or desktop assignments. This arrangement can be convenient for users, but it is not recommended for sites or administrators with security concerns.

Administrators can use session parameters to configure the appearance and behavior of the kiosk session. There are two sorts of parameters:

  • Desktop Selector options, which affect the login and Desktop Selector dialogs.

  • Sun Ray Windows connector options, which affect the quality of the RDP connection.

The options are explained below. Section 6.2.2, “How to Modify the Bundled Sun Ray Kiosk Session”, describes how to configure and apply the options.

Desktop Selector Options

The following table shows the available Desktop Selector options.

| Argument | Description |
|---|---|
| -n | Disables the login and Desktop Selector dialogs. |
| -d <domain> | Sets a default domain in the Domain field. |
| -l <domain1>,<domain2>,... | Populates the Domain dropdown list with the specified domains. Example: -l north.example.com,south.example.com |
| -t secs | Specifies the timeout in seconds applied after a user logs in. The default is three minutes. |
| -j path | Path to the Java Runtime Environment (JRE) used to display the login and Desktop Selector dialogs. Example: -j /usr/java6 |
| -a | Enables the User Name field. Normally the User Name field is read-only. Using this option enables users to log in with a different user name. |
| -h | Hides the User Name field. |
| -o | Hides the Domain field. |
| -w | Shows the Password field. |
| -r <res1>,<res2>,... | Populates the Screen Resolution menu (under More Options) with a list of resolutions. Example: -r 1920x1200,2560x1600 |
| -v <log level> | Enables verbose logging. The log levels are FINEST, INFO, WARNING, SEVERE, and ALL. |
| -N | Disables numlock, so that the navigation or direction keys are active. By default, numlock is enabled and the navigation or direction keys are not active. |

Previous releases of Oracle VDI supported a long format for these options, for example --no-desktop-selector instead of -n. The long options are deprecated; do not use them.

If you disable the login and Desktop Selector dialogs with the -n option, users cannot enter a user name or password before accessing their desktops. If you use this option, you must also disable client authentication (see Section 6.2.5, “How to Disable Client Authentication”). Users must insert a smart card in order to access their default desktop.

If you enable verbose logging with the -v option, additional log messages are output to standard error (stderr). The log messages can be viewed in the following locations:

  • Oracle Solaris platforms: /var/dt/Xerrors

  • Oracle Linux platforms: /var/opt/SUNWkio/home/utku<XX>/.xsession-errors

By default, the Oracle VDI login and Desktop Selector dialogs use the JRE included with Oracle VDI. However, you can specify an alternative JRE with the -j option. For the best support for locales and the latest improvements to Java Swing, use Java 6.

Desktop Selector Configuration

By default, when users disconnect from their desktops, they are returned to the Oracle VDI Login Dialog. To change this behavior so that users are returned to the Desktop Selector dialog, run the following command as root.

# /opt/SUNWvda/sbin/vda settings-setprops -p client.logout.always=Disabled

If you change this setting, users are returned to the Desktop Selector dialog only if they use either the X button on the Sun Ray Windows connector toolbar at the top of the screen or the Disconnect button in the Windows Start menu. If users disconnect in any other way, they are logged out.

By default, the Desktop Selector dialog has a Reset button that enables users to reboot a desktop. To hide the Reset button from all users, run the following command as root:

# /opt/SUNWvda/sbin/vda settings-setprops -p client.desktop.reset=Disabled

If you change this setting, the Desktop Selector dialog is displayed only if a user is assigned multiple desktops. If a user is assigned only one desktop, the Desktop Selector dialog is never displayed.

For additional settings to control which server is presented as the default after users disconnect from their sessions, see Section 9.7.7, “How Do I Control Client Redirection with client.autoredirect Properties?”. For a discussion of how login and Desktop Selector screens can be affected by Global Oracle VDI Centers, see Section 3.12.3, “Oracle VDI Login and Desktop Selector Dialog”.

uttsc Options

The man page for the uttsc command (man -M /opt/SUNWuttsc/man uttsc) has the complete listing of the supported options.

6.2.2. How to Modify the Bundled Sun Ray Kiosk Session

  1. Log in to the Sun Ray Administration GUI.

    See Section 6.2.3, “How to Access the Sun Ray Administration GUI”.

  2. Go to the Advanced tab.

  3. Click the Kiosk Mode link.

    The Kiosk Mode page is displayed.

  4. Click the Edit button.

    The Edit Kiosk Mode page is displayed.

  5. In the Arguments field, type the required kiosk session arguments.

    The syntax for the kiosk session arguments is:

    Desktop Selector options -- uttsc options
    

    The available kiosk options for Oracle VDI are described in Section 6.2.1, “About the Oracle VDI Sun Ray Kiosk Session”.

    For example:

    -d vdatest -j /usr/java6 -- -E wallpaper -E theming

  6. Click OK.

  7. (Optional) Perform a cold restart of Sun Ray services.

    The new settings only take effect for new kiosk sessions. To enforce the settings for existing sessions, you must perform a cold restart of Sun Ray services. This terminates all existing sessions and creates new kiosk sessions as necessary.

    1. Go to the Servers tab.

    2. Select all servers in your Oracle VDI environment.

    3. Click Cold Restart.

      This operation can take several minutes to complete.
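
The following script is an added example, not part of the Oracle documentation or of Oracle VDI. It checks an Arguments string against the syntax and option table described above before you paste it into the Edit Kiosk Mode page, including the rule that -n requires client authentication to be disabled. The function name lint_kiosk_args, the message wording, and the sample inputs are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not Oracle code): lint a kiosk session Arguments string.
# Usage: lint_kiosk_args "<arguments>" [clientauthentication value]
# Prints one finding per line; exit status is 1 if any ERROR was found.

lint_kiosk_args() (
    args=$1
    client_auth=${2:-Enabled}      # Enabled is the documented default
    out="" errors=0 no_dialogs=0 uttsc=""
    nl='
'
    err()  { out="${out}ERROR $1$nl"; errors=1; }
    warn() { out="${out}WARN $1$nl"; }

    set -f                         # no glob expansion while splitting
    set -- $args                   # positional parameters = kiosk arguments
    while [ $# -gt 0 ]; do
        opt=$1; shift
        case $opt in
        --)  uttsc=$*; break ;;    # the rest belongs to uttsc, passed through
        --*) err "$opt: long options are deprecated, use the short form" ;;
        -n)  no_dialogs=1 ;;
        -a)  warn "-a: User Name field is editable, users can log in under another name" ;;
        -h|-o|-w|-N) ;;            # display-only flags, nothing to check
        -d|-l|-t|-j|-r|-v)
            if [ $# -eq 0 ] || [ "$1" = "--" ]; then
                err "$opt: missing value"
                continue
            fi
            val=$1; shift
            case $opt in
            -t) case $val in
                ''|*[!0-9]*) err "-t: '$val' is not a number of seconds" ;;
                esac ;;
            -v) case $val in
                FINEST|INFO|WARNING|SEVERE|ALL) ;;
                *) err "-v: unknown log level '$val'" ;;
                esac ;;
            -r) old_ifs=$IFS; IFS=,
                for res in $val; do
                    case $res in
                    *[!0-9x]*|*x*x*|x*|*x) err "-r: bad resolution '$res'" ;;
                    *x*) ;;        # digits, one x, digits
                    *) err "-r: bad resolution '$res'" ;;
                    esac
                done
                IFS=$old_ifs ;;
            esac ;;
        *)  err "$opt: not a Desktop Selector option (uttsc options go after --)" ;;
        esac
    done

    # -n removes the dialogs, so Oracle VDI cannot collect credentials.
    if [ "$no_dialogs" -eq 1 ] && [ "$client_auth" != Disabled ]; then
        err "-n: dialogs are off but clientauthentication=$client_auth, so users cannot enter credentials"
    fi
    if [ "$client_auth" = Disabled ]; then
        warn "clientauthentication=Disabled: Oracle VDI checks no password, require a login in the desktop OS"
    fi
    if [ -n "$uttsc" ]; then
        out="${out}INFO uttsc options (not checked): $uttsc$nl"
    fi
    printf '%s' "$out"
    exit "$errors"
)

# Constructed inputs: the first is the example string from the procedure above,
# the second is deliberately invalid.
lint_kiosk_args "-d vdatest -j /usr/java6 -- -E wallpaper -E theming" Enabled
lint_kiosk_args "-n -v DEBUG" Enabled || echo "rejected: fix the ERROR lines first"
```

For the second argument, pass the value reported by /opt/SUNWvda/sbin/vda settings-getprops -p clientauthentication on the Oracle VDI host.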

6.2.3. How to Access the Sun Ray Administration GUI

The Sun Ray Administration GUI is configured and accessible on each Oracle VDI host. This allows easy modification of Sun Ray configuration settings, such as kiosk session parameters.

Steps

  1. Go to https://<server-name>:1660.

    If you enter an http:// URL, you are redirected to an https:// URL.

    The browser displays a security warning and prompts you to accept the security certificate.

  2. Accept the security certificate.

    The login screen is displayed.

  3. Log in as superuser (root) with the corresponding password.

Note

Oracle VDI does not use the default admin user account that is normally configured as part of the Sun Ray Software installation.

6.2.4. How to Change a User Password

Oracle VDI supports password change on the following directory servers:

  • Active Directory (from Windows Server 2003 and 2008)

  • Oracle Directory Server Enterprise Edition

If client authentication is not disabled, Sun Ray Client users can update their passwords in the User Directory from the desktop login/selector dialog (see Section 6.2.5, “How to Disable Client Authentication”).

The authentication type (see Section 3.1, “About User Directory Integration”) selected to integrate the User Directory with Oracle VDI affects the password change functionality in the following ways:

Note

A default restriction in Active Directory prevents password update from an LDAP Simple Authentication.

6.2.4.1. If the Password has Expired

On an Active Directory server that uses Kerberos authentication (see Section 3.5, “How to Set Up Kerberos Authentication”) or Public Key authentication (see Section 3.6, “How to Set Up Public Key Authentication”):

  1. The user enters login credentials in the Login Dialog.

  2. The system detects that the user password has expired and directs the user to the password change dialog, where the user types old and new passwords (the new password needs to be entered twice).

  3. After a successful password update, the user is authenticated with the new password and the system will offer the same screen as after a regular successful authentication.

If an LDAP type of authentication (see Section 3.1, “About User Directory Integration”) is used:

  1. The user enters login credentials in the Login Dialog.

  2. The system detects that the user password has expired and displays an error message.

  3. The user must use an alternate, customer-provided process to update the password before being able to log in again.

6.2.4.2. If the Password Has Not Expired

This functionality is offered with all types of authentication for the User Directory (see Section 3.1, “About User Directory Integration”) so long as the directory server allows users to change their passwords and the user is assigned more than one desktop.

  1. The Desktop Selector dialog offers a More Options menu at the bottom which contains a Change Password entry.

  2. The user selects Change Password and is directed to the password change dialog and types old and new passwords (the new password needs to be entered twice).

  3. The user may cancel the password change at this point, in which case, there is no password change, and the Desktop Selector screen is displayed.

  4. When the user confirms the password change, the password gets updated in the directory server and the Desktop Selector screen displays a confirmation message.

6.2.4.3. Troubleshooting

The update of the password may fail for the following reasons:

In case of problems, check the log files. See Section 8.3.2, “How to Check the Oracle VDI Log Files”, for further information.

6.2.5. How to Disable Client Authentication

All users must present authentication credentials before getting access to any desktop. Credentials usually consist of a user name, password, and optionally a Windows domain. The Oracle VDI service contacts the User Directory to verify the credentials. A connection to the desktop is only established if authentication succeeds. The user credentials are forwarded to the desktop operating system to provide an automatic login so that the user does not have to authenticate again.

The automatic login feature works for Windows desktops using either the RDP or VRDP protocols. Automatic logins do not work for non-Windows desktops.

It is possible to disable authentication at the Oracle VDI service level, but if you do so, it is a good idea to configure desktops to present their own login screen, so that users authenticate to the desktop operating system. Users may consider login screens inconvenient, but they do provide at least minimal protection for user data. Bypassing authentication at the Oracle VDI service level may also allow you to take advantage of more advanced authentication techniques that are not supported by the Oracle VDI service.

Steps

Authentication is enabled by default. You can use the vda command to enable or disable authentication by the Oracle VDI service.

To check the current authentication policy:

# /opt/SUNWvda/sbin/vda settings-getprops -p clientauthentication

To enable authentication (the default):

# /opt/SUNWvda/sbin/vda settings-setprops -p clientauthentication=Enabled

To disable authentication:

# /opt/SUNWvda/sbin/vda settings-setprops -p clientauthentication=Disabled

6.2.6. How to Enable Desktop Screen Locking on Sun Ray Clients

With the hotdesking feature, the user must authenticate to access an assigned desktop when inserting a smart card. Once logged into the desktop session, the user can move to other Sun Ray Clients by removing and reinserting the smart card without having to log in again. This is one of the advantages of hotdesking.

However, some groups may find this scenario to be a security issue. For example, a lost smart card could be used by a different person to get access to the desktop session without the need to enter a password.

Enabling desktop screen locking forces users to provide a password whenever they insert a smart card, even when currently logged into a desktop session. The domain field and the user field on the login screen are already provided.

By default, desktop screen locking is disabled.

  • To check the current desktop screen locking policy:

    # /opt/SUNWvda/sbin/vda settings-getprops -p clientscreenlock

  • To enable desktop screen locking:

    # /opt/SUNWvda/sbin/vda settings-setprops -p clientscreenlock=Enabled

  • To disable desktop screen locking (default):

    # /opt/SUNWvda/sbin/vda settings-setprops -p clientscreenlock=Disabled

6.2.7. Sun Ray Client User Access Scenarios

This section provides examples of how users access their desktops from Sun Ray Clients (Sun Ray hardware or Oracle Virtual Desktop Client).

Depending on the configuration of the Sun Ray kiosk session, users might have to log in before they can access a desktop. Users assigned multiple desktops may also be able to select which desktop to access. See Section 6.2.1, “About the Oracle VDI Sun Ray Kiosk Session”, for more details.

What users see on the Login Dialog can also be affected by other factors, such as the configuration of multiple Oracle VDI Centers.

Example 1

In this example, a user logs in to Oracle VDI and then selects which desktop to access.

  1. The user logs into Oracle VDI.

    The user inserts a smart card into a Sun Ray Client that is connected to an Oracle VDI host. The token on the user's smart card is assigned either to a pool or directly to a desktop.

    The Login Dialog is displayed.

    Figure 6.1. Oracle VDI Login Dialog

    Screen capture of the Oracle VDI Login Dialog.

    The user must provide a user name, password, and, optionally, a Windows domain.

  2. The user selects a desktop or pool.

    After successful authentication, the system determines which desktops and pools are assigned to the user. If multiple desktops are assigned to the user, the Desktop Selector dialog is displayed. The dialog is not displayed if only one desktop is assigned.

    Figure 6.2. Oracle VDI Desktop Selector Dialog

    Screen capture of the Oracle VDI Desktop Selector screen.

  3. The user works with the desktop.

    Once the user selects a desktop, the Sun Ray Windows connector starts and displays the desktop.

    Figure 6.3. Windows Desktop

    Screen capture of a Windows desktop displayed through Oracle VDI.

    The user can disconnect from the desktop at any time by moving the mouse to the top of the screen and clicking the X on the remote desktop pulldown menu. When the user is disconnected from the current desktop session, either the Desktop Selector dialog or the Login Dialog is displayed.

    Desktops connected through Windows RDP also have a Disconnect button available in the Windows start menu. Desktops connected through VirtualBox RDP (VRDP) do not have this button.

Example 2

In this example, the user is not required to log in to Oracle VDI and accesses only the default desktop.

  1. The user starts the desktop.

    The user inserts a smart card into a Sun Ray Client that is connected to an Oracle VDI host. The user's smart card token is assigned either to a pool or directly to a desktop.

    Oracle VDI determines the default desktop assigned to the user. In this example, the desktop is not already running, so a wait screen is displayed while the desktop is started.

    Figure 6.4. The Wait Screen

    Screen capture of the wait screen.

  2. The user logs in to the desktop.

    In this example, the standard Windows login screen is displayed because the configuration of the guest operating system requires a user name and password. (It could also require the Windows domain, but that case is not illustrated in the following figure.)

    Figure 6.5. Windows Login Screen

    Screen capture of the Windows login screen.

  3. The user works with the desktop.

    Figure 6.6. Oracle VDI Windows Desktop

    Screen capture of a Windows desktop displayed through Oracle VDI.

    After successful authentication, the desktop is displayed. The behavior is the same as for a standard Windows PC.

6.2.8. Multiple Monitor Capability

Sun Ray Software enables the display of a single Sun Ray session across multiple monitors or of multiple Sun Ray sessions on separate monitors (see Multiple Monitor Configurations in the Sun Ray Software 5.3 Administration Guide). Oracle VDI extends this capability to the display of virtual Windows XP or Windows 7 desktops.

6.2.8.1. Multiple Desktop Selection

The Desktop Selector enables the user to select and connect to multiple desktops, provided that user has a Sun Ray Client with two monitors and has been assigned two or more virtual desktops.

Figure 6.7. Connecting to Multiple Desktops with Multiple Monitors

Image showing a Sun Ray Client with two monitors, and a different desktop displayed on each monitor.

Desktops are displayed in the order they are listed on the Desktop Selector, that is, the first desktop listed is displayed on the first monitor. To change the order in which the desktops are displayed, the user must return to the Desktop Selector by logging out or by closing the Sun Ray Windows connector session. The previously displayed desktops are then marked with monitor icons. When one of the desktops marked with a monitor icon is selected, arrows allowing each desktop to be promoted or demoted in position are displayed. When the desktops have been re-ordered, the user can reselect which ones to view and click Connect.

6.2.8.2. Multiple Monitors

The Multi-Monitor feature enables configuration of multiple monitors for an Oracle VDI desktop session. It is supported for Windows XP and Windows 7 guests that use either VRDP or MS-RDP. The feature is limited to a maximum of eight monitors for VRDP.

Note

Not all editions of Windows 7 include multi-monitor support. See the Microsoft Remote Desktop Connection FAQ for details.

Figure 6.8. A Virtual Windows Desktop Display Across Multiple Monitors Connected to One Sun Ray Client

Image showing a Sun Ray Client with two monitors, and a Windows desktop extended to display across both monitors.

6.2.8.3. Multi-Monitor Hotdesking

Hotdesking enables users to access their sessions when they move from one Sun Ray Client to another (see Hotdesking in the Sun Ray Software 5.3 Administration Guide). However, because some Sun Ray Clients support only one monitor while others can support either one or two (see Section 6.2.8.4, “Sun Ray Multihead Groups and Xinerama”), users may have to modify some settings in order to get or keep their desired display characteristics.

For example, moving from one Sun Ray Client to another may leave some open windows on non-existent monitors. In that case, the user must go to Control Panel, launch the Display Properties application, and modify the number of available monitors. This moves all windows from the invisible monitors to the existing monitors, allowing the user to see all windows again.

6.2.8.4. Sun Ray Multihead Groups and Xinerama

You can configure several Sun Ray Clients as a multihead group to create a large array of monitors and display a single desktop across several monitors or multiple desktops on separate monitors. Sun Ray 2FS and Sun Ray 3 Plus Clients can support two monitors each.

For multihead groups and VRDP, Oracle VDI runs an instance of the Sun Ray Windows Connector for each monitor connection. For this configuration, disable the Xinerama X Window System extension.

For multihead groups and MS-RDP, Oracle VDI runs an instance of the Sun Ray Windows Connector for each VDI session. For this configuration, enable the Xinerama X Window System extension.

For details on Xinerama usage, see How to Enable and Disable Xinerama in the Sun Ray Software 5.3 Administration Guide.

Note

The term head in this context refers to a Sun Ray Client, not a monitor.

Figure 6.9. Multihead Group Supporting Multiple Desktops

Image showing three Sun Ray Clients with six monitors in a multihead group, with different desktops displayed across the group.

Figure 6.10. Multihead Group Supporting a Single Desktop

Image showing three Sun Ray Clients, with six monitors, configured in a multihead group and a single virtual Windows desktop displayed across the group.

6.2.8.5. How to Enable Support for Multiple Monitors

  1. Edit the template or desktop and configure the display properties to extend the desktop to multiple monitors.

    If you are using Sysprep, do not perform this step, because the monitor configuration is removed during cloning. If you use FastPrep, the monitor configuration is preserved.

    1. In the template or desktop, go to the Start menu and select Control Panel.

    2. Go to Appearance and Personalization > Personalization > Display Settings.

    3. Select Identify Monitors and position the monitors.

  2. Configure the required number of monitors for the desktops in a pool.

    1. In Oracle VDI Manager, go to Pools and select a pool.

    2. Go to the Settings tab.

    3. In the Sun Ray Client section, select the required number of monitors in the Monitors list.

      The virtual machine is configured with one graphics card for each monitor.

  3. Modify the virtual machine video memory setting for the template or the desktop.

    Multiple monitors require more video memory. The amount of video memory depends on the screen resolution and the color depth configured in the desktop or template. The following calculations provide a good estimate of the amount of memory you should allocate but should not be used as a replacement for your own testing. The calculations also assume that you are not using special video effects such as 3D.

    The video memory required for each monitor can be calculated using the following formula:

    Video Memory (in bytes) = (display_width * display_height * 4) + 1048576 (1 megabyte)

    For example, for a monitor with a resolution of 1920 x 1200, the memory required is:

    (1920 * 1200 * 4) + 1048576 = 10264576 bytes (9.79 megabytes)

    The total video memory (in bytes) is the sum of the video memory required for each monitor + 1048576 (1 megabyte).

    For example, for two 1920 x 1200 monitors, the total video memory required is:

    (2 * 10264576) + 1048576 = 21577728 bytes (20.58 megabytes)

    To access the video memory setting for a desktop or template in a pool, do either of the following:

    • Go to the Templates tab, click the master revision in the Templates table, and then click Virtual Machine.

    • Go to the Desktop tab, click a desktop in the Desktops table, and then click Virtual Machine.

  4. Restart all running desktops in the pool.

    You must restart all running desktops so that the graphics card changes in the virtual machine are detected. If you do not do this, users might experience connection problems when they connect to their desktops. Existing desktops that have been powered off detect the graphics card changes when they are next powered on.

    1. Go to the Desktop tab.

    2. Select all the running desktops in the pool.

      Select all the desktops except those with a Machine State of powered off.

    3. Click Restart.

    The display properties in existing desktops must be configured individually to extend the desktop to multiple monitors.