Citrix XenDesktop/XenApp Database Communications

I recently assisted a customer with a problem that they were experiencing with their Citrix environment. During the troubleshooting process they had some questions in relation to how the security accounts work when communicating with the Citrix Delivery Controllers. Here’s an overview on how that works – I hope you find this useful!

During the configuration of the first controller, when you are logged on with an account that has temporarily elevated permissions in SQL, the database is created on the database server, Stored Procedures are created on the database server, and something else really cool happens.  This cool thing that happens is that the XA/XD Configuration Wizard adds the XenDesktop Controller machine account as a login on the SQL Server.  (It also adds each subsequent controller that is part of the XA/XD 7.x Site).  So, for example, our Accelera XA/XD Controller, “ASI-XDDC1”, it would add its machine account into the Security|Logins as “Domain\ASI-XDDC$”.  And then, any time the Controller wants to do something on the database server (query a value or write a value, for example), it does so in the context of “Domain\ASI-XDDC$”.  This is important to understand, because with previous versions, that was not the case.

So, although you do require an account with temporarily elevated SQL permissions to install the database during the XA/XD Configuration wizard, once you do so, that account is no longer referenced at all.  The account that *is* referenced is the controller machine account.  If you are troubleshooting the database connection, however, you really need to be logged on to the XenApp/XenDesktop Controller with an account that has elevated permissions in SQL, otherwise, you may not be able to determine that you have a database permission issue.  That controller machine account login on the SQL server has only a limited amount of permissions.

Here’s a great article that explains it directly from Citrix: