Deployment Guide: Deploying Azure Files for Citrix Profile Management and Citrix User personalization layers

Azure Files offers fully managed file shares in the cloud, and accessible using Server Message Block (SMB) protocol. Azure Files shares can be mounted simultaneously in the cloud and on-premises, on Windows, Linux, or macOS.

Azure Files support for on-premises Active Directory Domain Services authentication enables Citrix User personalization layers and Citrix Profile Management to use Azure Files. For more about Active Directory Domain Services authentication, see On-premises Active Directory Domain Services authentication over SMB for Azure file shares. This article explains how to set up Azure Files for use with Citrix User personalization layers and Citrix Profile Management.

Requirements

In addition to the requirements for User personalization layers and Profile Management, Azure Files requires that your on-premises domain controller is synchronized to your Azure Active Directory.

Overview

Before you set up User personalization layers or Profile Management, set up Azure Files using the following steps:

  • Step 1: Synchronize Azure AD with your on-premises AD
  • Step 2: Create Azure Files share
  • Step 3: Enable Azure Files AD DS Authentication
  • Step 4: Assign share level and NTFS permissions

Step 1: Synchronize Azure AD with your on-premises AD

To use Azure Files with AD authentication, synchronize your on-premises AD with Azure AD using Azure AD Connect.

IMPORTANT:

  • The Azure AD tenant and the file share that are used for user personalization layers or Profile Management must be associated with the same subscription.
  • The accounts being used must be created in the domain controller and synchronized to Azure AD. Accounts sourced from Azure AD are not appropriate.

After the synchronization completes, allow some time for users and groups to be replicated to Azure AD before you proceed.

Step 2: Create Azure Files share

This procedure explains how to create an Azure Files file share for storing your user layers and profiles.

Currently, there are two tiers of Azure Files, Standard and Premium. Choose the appropriate tier based on your performance requirements. For more about Azure Files performance, refer to Azure Files scalability and performance targets.

This document explains how to set up Standard storage as an example.

  1. Open the Azure Portal.
  2. Click Create a resource.
  3. Select Storage account – blob, file, table, queue.
  4. Enter the following information on the Create storage account page:
    • For Resource Group, click Create new.
    • For Storage account, enter a unique name.
    • For Location, we recommend you choose the same location as the Virtual Delivery Agents (VDAs) in the Azure resource location.
    • For Performance, select Standard (example choice).
    • For Account kind, select StorageV2.
    • For Replication, select Locally-redundant storage (LRS).
  5. When you’re done, select Review + create, then select Create.
  6. Once the storage account is provisioned, select Go to resource.
  7. On the Overview page, select the File shares tile.
  8. Select + File share.
    • Enter a Name, for example uplfolder.
    • Enter an appropriate Quota, or leave the field blank for no quota.
  9. Select Create.

For more detail about setting up Standard and Premium Azure Files, refer to these documents: Standard and Premium.

For further details, refer to Create an Azure file share.

Step 3: Enable Azure Files AD Authentication

Use the instructions in this section to enable Azure Files AD Authentication. You need to run these commands from any machine that is already domain-joined. This action is a one-time task. The VM used to run the process is not needed for the solution once the task is complete.

  1. Use Remote Desktop Protocol (RDP) to connect to the domain-joined virtual machine.
  2. To install the AzFilesHybrid module and enable authentication, follow the instructions in Enable AD DS authentication for your Azure file shares.

Before proceeding to the next step, validate that Azure Files AD Authentication is enabled as follows:

  1. Open the Azure portal.
  2. Open the storage account that is tied to your Azure Files.
  3. Under Settings, select Configuration, and confirm that Active Directory (AD) is set to Enabled.

Step 4: Assign share level and NTFS permissions

Before assigning user personalization layers and profiles to users and groups, configure the appropriate access to the Azure Files file share.

Important:

The accounts or groups to which you assign permissions must be created in the domain and synchronized with Azure AD. Accounts created in Azure AD are not supported.

Assign share level permissions to users

The following section describes how to set the share level permissions:

  1. Open the Azure portal.
  2. Open the storage account you created in Step 2.
  3. Select Access Control (IAM).
  4. Select Add a role assignment.
  5. In the Add role assignment tab, select Storage File Data SMB Share Elevated Contributor for the share administrator account.
  6. Then select Storage File Data SMB Share Contributor for the users or groups that are assigned user personalization layers and profiles.
  7. Select Save.

The permissions can take up to 30 minutes before they fully take effect. Give it some time before you proceed to next step.

For details, refer to Assign share-level permissions to an identity.
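The Step 3 validation and the share-level role assignments above can also be done from PowerShell with the Az modules. The following script is an added example, not part of the Citrix guide: it first confirms that the storage account reports AD DS authentication, then scopes the two SMB roles to the single file share rather than the whole account. The resource group, administrator UPN and group name are placeholders; the storage account and share names reuse the guide's examples.

```powershell
# Added example (not from the Citrix guide). Requires the Az.Accounts, Az.Storage
# and Az.Resources modules and a signed-in identity that can assign roles on the
# storage account. Placeholder values are marked; replace them with your own.
$ResourceGroup  = 'rg-citrix-upl'                # placeholder resource group
$StorageAccount = 'uplshare'                     # guide's example storage account
$ShareName      = 'uplfolder'                    # guide's example share
$AdminUpn       = 'shareadmin@corp.example.com'  # placeholder: share administrator (on-prem AD account synced to Azure AD)
$UsersGroupName = 'UPL Users'                    # placeholder: on-prem AD group synced to Azure AD

Connect-AzAccount | Out-Null

# Step 3 check: the account must report DirectoryServiceOptions = 'AD' before
# share-level permissions are useful to domain identities.
$sa   = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$auth = $sa.AzureFilesIdentityBasedAuth
if (-not $auth -or $auth.DirectoryServiceOptions -ne 'AD') {
    throw "AD DS authentication is not enabled on $StorageAccount (found '$($auth.DirectoryServiceOptions)'). Complete Step 3 first."
}
Write-Host "AD DS authentication enabled for domain $($auth.ActiveDirectoryProperties.DomainName)"

# Scope both assignments to this one share (least privilege), not the whole account.
$ShareScope = "$($sa.Id)/fileServices/default/fileshares/$ShareName"

# Share administrator: Elevated Contributor (may change NTFS ACLs over SMB).
New-AzRoleAssignment -SignInName $AdminUpn `
    -RoleDefinitionName 'Storage File Data SMB Share Elevated Contributor' `
    -Scope $ShareScope

# Users or groups that receive layers or profiles: Contributor (read, write, delete).
$group = Get-AzADGroup -DisplayName $UsersGroupName
if (-not $group) {
    throw "Group '$UsersGroupName' not found in Azure AD; confirm it is synchronized from on-premises AD."
}
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
    -Scope $ShareScope

# Review the result; assignments can take up to 30 minutes to take effect.
Get-AzRoleAssignment -Scope $ShareScope | Select-Object DisplayName, RoleDefinitionName, Scope
```

Scoping to the share means the administrator and user roles do not spill over to other shares that may later be created in the same storage account; the final listing is what to compare against the portal's Access Control (IAM) view before moving on to the NTFS step.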

Configure your NTFS permissions on the shared folder

Once you have assigned your file share permissions, configure your NTFS permissions.

To configure directory and file level NTFS permissions:

  1. Open the Azure portal.
  2. Open the storage account you created in Step 2.
  3. Click the File shares tile.
  4. Click the share name you created, for example uplshare.
  5. Click Properties.
  6. Copy the URL link.
  7. After copying the URL, convert it into UNC format:
    • Remove https:
    • Replace every forward slash / with a backslash \ (so the leading // becomes \\). For example:
      https://uplshare.file.core.windows.net/uplfolder becomes \\uplshare.file.core.windows.net\uplfolder
  8. Using RDP, connect to a virtual machine that is domain joined.
  9. Open a command prompt, and run the following command to mount the Azure file share and assign it a drive letter: net use <drive letter> <UNC path>. Example: net use S: \\uplshare.file.core.windows.net\uplfolder
  10. Once the share is mounted, set the following permissions on the mounted share:
    • Creator Owner: Modify. Apply to: Subfolders and Files only.
    • Owner Rights: Modify. Apply to: Subfolders and Files only.
    • Users or group: Create Folder/Append Data; Traverse Folder/Execute File; List Folder/Read Data; Read Attributes. Apply to: Selected Folder Only.
    • System: Full Control. Apply to: Selected Folder, Subfolders, and Files.
    • Domain Admins, and selected Admin group: Full Control. Apply to: Selected Folder, Subfolders, and Files.
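Steps 7 to 10 above (URL to UNC conversion, mounting, and the NTFS permission set) can be scripted so the ACL is applied the same way on every deployment. The script below is an added example, not code from the Citrix guide: it converts the share URL, mounts it with net use, strips inherited ACEs from the share root and grants exactly the entries in the table with icacls. The domain NetBIOS name and the user and admin group names are placeholders; the URL and drive letter reuse the guide's examples. Run it on a domain-joined machine as the share administrator that received the Elevated Contributor role.

```powershell
# Added example (not from the Citrix guide). Placeholder domain and group names
# are marked; the share URL and drive letter follow the guide's example.

function ConvertTo-UncPath {
    # https://uplshare.file.core.windows.net/uplfolder -> \\uplshare.file.core.windows.net\uplfolder
    param([Parameter(Mandatory)][string]$Url)
    $uri = [System.Uri]$Url
    if ($uri.Scheme -ne 'https') { throw "Expected an https:// share URL, got: $Url" }
    return '\\' + $uri.Host + ($uri.AbsolutePath -replace '/', '\')
}

$ShareUrl    = 'https://uplshare.file.core.windows.net/uplfolder'  # guide's example URL
$DriveLetter = 'S:'
$Domain      = 'CORP'                 # placeholder: NetBIOS name of the on-prem domain
$UsersGroup  = "$Domain\UPL Users"    # placeholder: users/groups assigned layers or profiles
$AdminGroup  = "$Domain\UPL Admins"   # placeholder: the "selected Admin group" from the table
$Root        = "$DriveLetter\"        # icacls must target the share root, not the current directory

$Unc = ConvertTo-UncPath $ShareUrl
Write-Host "Mounting $Unc as $DriveLetter"
net use $DriveLetter $Unc             # authenticates with the signed-in domain credentials
if ($LASTEXITCODE -ne 0) { throw "net use failed for $Unc" }

# icacls inheritance flags: (OI) object inherit, (CI) container inherit,
# (IO) inherit only (the ACE does not apply to the root itself).
# No flags = this folder only. Rights: M modify, F full control,
# RD list folder/read data, AD create folder/append data, X traverse/execute, RA read attributes.
icacls $Root /inheritance:r                                         # remove inherited ACEs first
icacls $Root /grant 'CREATOR OWNER:(OI)(CI)(IO)M'                   # Modify, subfolders and files only
icacls $Root /grant 'OWNER RIGHTS:(OI)(CI)(IO)M'                    # Modify, subfolders and files only
icacls $Root /grant "${UsersGroup}:(RD,AD,X,RA)"                    # list/create folder/traverse/read attrs, this folder only
icacls $Root /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'                 # Full control, folder, subfolders and files
icacls $Root /grant "${Domain}\Domain Admins:(OI)(CI)F"             # Full control, folder, subfolders and files
icacls $Root /grant "${AdminGroup}:(OI)(CI)F"                       # Full control, folder, subfolders and files

# Print the resulting ACL so it can be compared against the table before handing the share to users.
icacls $Root
```

The Creator Owner and Owner Rights entries are inherit-only, which is what gives each user Modify on the folder that is created for them without granting write access to other users' folders; the users group itself only gets the rights needed to create and traverse its own top-level folder.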

Set up the User personalization layers and profiles

Next, you can configure User personalization layers and profiles. Follow the instructions for deploying User personalization layers and the Profile Management quick start guide. Use the UNC path described in Step 4 for the User Layer Repository Path.
