Citrix Password Manager Administrator's Guide. Citrix Password Manager 4.6, Citrix Presentation Server 4.5 with Feature Pack 1, Platinum Edition
Copyright and Trademark Notice

Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included on your product CD-ROM. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

Citrix Password Manager replaces specific end users' encryption keys each time their primary authentication method changes, such as a domain password change or issuance of a new smart card. Password Manager can be configured to perform this operation automatically by using the optional Key Management Module. Password Manager can also be configured to use the Microsoft Data Protection API (DPAPI). When using the optional Key Management Module and/or DPAPI, be advised that an administrator may be able to access user business or personal credentials stored in Password Manager if the administrator logs on as this end user. For additional security, end users can be asked to verify the user's identity with unique user-provided information. This provides an additional layer of protection for the user's secondary credentials. Regional government user computing regulations may require that you notify your end users about the possible security and privacy implications of deploying the Key Management Module and DPAPI security configurations. Review your company policies and determine what kind of notification, if any, is required for your end users.

Copyright Citrix Systems, Inc. All rights reserved. v-GO code copyright Passlogix, Inc. All rights reserved.
Citrix, ICA (Independent Computing Architecture), and Program Neighborhood are registered trademarks, and Citrix Presentation Server, Citrix Password Manager, and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States and other countries. RSA Encryption RSA Security Inc., All Rights Reserved. This product includes software developed by The Apache Software Foundation ( This product includes software developed by Salamander Software Ltd Salamander Software Ltd. Parts 2003 Citrix Systems, Inc. All rights reserved. Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright Macrovision Corporation and/or Macrovision Europe Ltd. All rights reserved. Trademark Acknowledgements Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc. has not tested or approved this product. Portions of this software are based in part on the work of the Independent JPEG Group. Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved. Macromedia and Flash are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries. Microsoft, MS-DOS, Windows, Windows Vista, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. 
Novell Client is a trademark of Novell, Inc. RealOne is a trademark of RealNetworks, Inc. Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners. Document Code: September 4, 2007 (BC/NWA)
Contents

1 Welcome
  Password Manager Components
    The Central Store
    Password Manager Console
    Password Manager Agent Software
    The Password Manager Service
  Password Manager Product Line
    Password Manager Advanced Edition
    Password Manager Enterprise Edition
    Password Manager Advanced versus Enterprise Editions
  New Features in Citrix Password Manager 4.6
  About this Document
    Audience and Assumptions
    Providing Feedback about this Document
    Document Conventions
  Getting More Information and Help
    Product Documentation
    Getting Service and Support
    Subscription Advantage
    Education and Training

Using Password Policies to Enforce Password Requirements
  Overview of Password Policies
    Password Sharing Groups
    Domain Password Sharing Groups
    Password Policies Enforcement
  Creating Password Policies: the Password Policy Wizard
    Set Basic Password Rules
    Set Alphabetic Character Rules
    Set Numeric Character Rules
    Set Special Character Rules
    Set Exclusion Rules (Excluding Specific Characters)
    Set Password History and Expiration
    Test Password Policy
    Establish Logon Preferences
    Customize Password Change Wizard
  Helping to Increase Password Strength and Security In Your Environment

Using and Managing Application Definitions
  Overview of Application Templates
  Managing Application Definitions Using Templates
  How the Password Manager Agent Identifies Applications and User Credential Management Events
  Identifying the Parts of the Application's User Interface
  Application Definition Wizard Overview
    Identify Application
    Manage Forms
    Name Custom Fields
    Specify Icon
    Configure Advanced Detection
    Configure Password Expiration
    Confirm Settings
  Form Definition Wizard Overview
  Windows Type Application Definitions
    Gathering the Information Required for Windows Application Definitions
    Form Definition Process
    Using Advanced Matching to Identify Windows Forms
      Class Information
      Control Matching
      SAP Session Information
      Window Identifier
      Identification Extensions
    Using the Action Editor to Define the Action Sequence for Forms
      Action Sequence Definition Process
      Action Descriptions
    Considerations for Windows Type Definitions
  Web Type Application Definitions
    Gathering the Information Required for Web Application Definitions
    Form Definition Process
      Name Form
      Identify Form
      Configure Other Settings
      Confirm Settings
    Web Form Wizard
    Redirect to Windows Application Configuration
    Advanced Settings Dialog Box for Web Applications
  Host/Mainframe Type Application Definitions
    Gathering the Information Required for Host Application Definitions
    Form Definition Process
    Advanced Settings for Host Applications
    Considerations for Host Type Definitions
    Terminal Emulation Support
    Mfrmlist.ini Field Definitions

Creating User Configurations
  What Is a User Configuration?
    Default User Configuration Properties
  Before You Begin
    Specifying Domain Controllers for User Configurations
  Creating a User Configuration: the User Configuration Wizard
    Name User Configuration
    Select Product Edition
    Specify your Synchronization Server
    Choose Applications
    Configure Agent Interaction
    Configure Licensing
    Select Data Protection Methods
    Select Secondary Data Protection
    Enable Self-Service Features
    Locate Service Modules
    Completing the User Configuration Wizard
  Synchronizing Credentials by Using Account Association
    To Manually Synchronize Application Definitions among Domains
    Configuring Account Association in the Agent Software
  Resetting and Deleting User Data
    Reset User Data
    Delete User Data From Central Store
    Prompting Users to Reregister Answers to Security Questions
  Assigning Priority to User Configurations
  Assigning a User Configuration to Different Users
  Upgrading Existing User Configurations

User Authentication and Identity Verification
  Overview of Password Manager Authentication
  When Must Users Confirm Their Identities?
  Overview of Identity Verification Methods
    Previous Password
    Security Questions
    Bypassing Identity Verification If Users Switch among Multiple Primary Authentication Methods
  Managing Question-Based Authentication
    Confirming User Identity Using Question-Based Authentication
    Considerations
    Question-Based Authentication Workflow
    Designing Security Questions: Security Versus Usability
    Considerations for Security Questions
    Managing Your Questions
    Setting a Default Language
    Creating New Security Questions
    Adding or Editing Text for Existing Questions (Including Translated Text)
    Creating Security Question Groups
    Creating and Implementing Your Questionnaire
    Selecting Questions for Key Recovery
    Enabling Security Answer Masking
    Backward Compatibility with Password Manager Versions 4.0 and
    Allowing Users to Reregister Answers to Their Security Questions

Allowing Users to Manage Their Primary Credentials with Account Self-Service
  Overview of Self-Service
  Considerations
  Using Automatic Key Management with Self-Service
  Summary of Self-Service Implementation Tasks
  When Users Forget Their Security Questions
  User Experience

Using Provisioning to Automate Credential Entry
  Summary of Provisioning Tasks
  Generating a Credential Provisioning Template
  Editing the Provisioning Template
    The <cpm-provision> Tag
    Example Output
    The <user> Tag
    The <add> Command
    The <modify> Command
    The <delete> Command
    The <remove> Command
    The <reset> Command
    The <list-credentials> Command
  Provisioning Credentials
  Tuning Credential Provisioning Processing
  The Credential Provisioning SDK

Hot Desktop: A Shared Desktop Environment for Users
  Summary of Hot Desktop Tasks
  Hot Desktop Start Up and Shut Down Process Flow
    Hot Desktop Startup and Shutdown Events
    Troubleshooting Hot Desktop User Startup
  Creating a Hot Desktop Shared Account
    Guidelines for the Hot Desktop Shared Account
    Organizing Hot Desktop Users
    Restricting User Rights
    Hot Desktop, Smart Cards, and Key Recovery
  Requirements for Applications Used with Hot Desktop
  Controlling How Applications Behave for Hot Desktop Users
    Before You Begin
    The Session.xml File
    Launching Applications Using Session.xml
    Session.xml Tags
  User Configuration Settings for Hot Desktop
    Locating Hot Desktop Settings in a User Configuration
    Specifying Hot Desktop Session Time-Out Options
    Enabling the Hot Desktop Session Indicator
    Specifying a Custom Bitmap Graphic as a Session Indicator
    Using the Hot Desktop Screen Saver
  Installing Hot Desktop
    Disabling Terminal Services for a Hot Desktop
    Administrative or Silent Install
  Uninstalling Hot Desktop
    Restoring Terminal Services after Uninstalling Hot Desktop
    Enabling Multiple Sessions after Uninstalling Hot Desktop
  Interacting with Citrix Presentation Server Clients
    Program Neighborhood Agent
    Citrix Web Interface
  Viewing Hot Desktop User Profiles
  Shutting Down a Hot Desktop Workstation
  Working without AutoAdminLogon Support
  Changing the Hot Desktop Shared Account Password
  Hot Desktop Information on the Web

Operations
  Logging Password Manager Events
  Mfrmlist.ini File
  Password Manager Agent Does not Submit Credentials
    Web-Based Applications
    Terminal Emulator-Based Applications
  Supporting Terminal Emulators
    Configuring HLLAPI Support for Tested Emulators
  Password Manager Agent Does not Start
    Software Upgrades and the GINA Chain
  Creating a New Signing Certificate
  Signing, Unsigning, Resigning, and Verifying Data
    Signing Data (-s)
    Resigning Data (-r)
    Unsigning Data (-u)
    Verifying Data (-v)
    Displaying Help (-h)
  Enabling and Disabling the Data Integrity Service on Password Manager Agent Software
  Removing Deleted Objects from Your Central Store
  Moving Data to a Different Central Store
    Migrating Data to a New Central Store
  Backing Up Important Files
    Backing Up Password Manager Service Files

Password Manager Settings List
  Password Manager 4.6 Settings Reference
  User Configurations
    Synchronization Server
    Basic Agent Interaction
    Agent User Interface
    Client Side Interaction
    Synchronization
    Account Association
    Application Support
    Hot Desktop
    Licensing
    Data Protection Methods
    Secondary Data Protection
    Self Service Features
    Key Management Module
    Provisioning Module
  Application Definitions
    Edit Application
    Forms
    Application Icon
    Advanced Detection
    Password Expiration
  Password Policies
    Basic Password Rules
    Alphabetic Character Rules
    Numeric Character Rules
    Special Character Rules
    Exclusion Rules
    Password History and Expiration
    Test Password Policy
    Logon Preferences
    Password Change Wizard

13 Application Definition Extensions
  Agent Software Operation
  Identification Extensions
    Defining Identification Extensions
  Action Extensions
    Implementer Requirements
  Enabling Logging

Virtual Key Codes for Host and Windows Applications
  Codes for VTabKeyN (Windows)
  Codes for VirtualKeyCode (Windows) and VKEY (Windows)
  Virtual Key Codes for HLLAPI-Compliant Terminal Emulators
1 Welcome

Citrix Password Manager provides password security and single sign-on access to Windows, Web, and host-based applications running in the Citrix environment as well as local applications running on the desktop. Users authenticate once and Password Manager does the rest, automatically logging on to password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks, including password changes.

This chapter describes the following:

Password Manager Components on page 11
Password Manager Product Line on page 15
About this Document on page 18
Getting More Information and Help on page 20

Password Manager Components

The following sections briefly describe the Password Manager components you need to install to start using Password Manager. For detailed information, see Planning Your Password Manager Environment in the Citrix Password Manager Installation Guide. The main components of Password Manager are:

The Central Store
Password Manager Console
Password Manager Agent Software
The Password Manager Service (optional)
The Central Store

The central store is a centralized repository used by Password Manager to store and manage user and administrative data. User data includes user credentials, security question answers, and other user-focused data. Administrative data includes password policies, application definitions, security questions, and other wider-ranging data. When a user signs on, Password Manager compares that user's credentials to those stored in the central store. As the user opens password-protected applications or Web pages, the appropriate credentials are drawn from the central store.

Password Manager Console

The Password Manager Console is the command center of Password Manager. From the console, you manage the users' Password Manager experience. Here, you configure how Password Manager will work, which features will be deployed, which security measures will be used, and other important password-related settings. The console has four main items, or nodes, in the left pane. By selecting a node, tasks specific to that node appear. These nodes are:

User Configurations: These configurations allow you to tailor particular settings for your users based on their geographic locations or business roles. The settings of the other three nodes are used to create user configurations.

Application Definitions: These definitions provide the information necessary for the Agent software to supply user credentials to applications, and to detect error conditions if they occur. You can use the application definition templates supplied with Password Manager to speed this process, or create your own customized definitions for applications that cannot use these templates. Additional templates are located at:

Password Policies: Password policies control password length and the type and variety of characters used in both user-defined and automatically generated passwords.
Password policies also allow you to identify characters to exclude from use in passwords and whether or not previous passwords can be reused. Creating password policies consistent with your company's security policies ensures that password security is appropriately managed by Password Manager.
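The rule categories just described (length, alphabetic, numeric and special character requirements, excluded characters, and password history) map directly onto the checks an enforcement point has to perform. The following Python is an added example, not Citrix code: a validator that reports every violated rule and a generator that produces compliant passwords by construction. The policy fields, their defaults, and the function names are illustrative assumptions, not Password Manager's own settings.

```python
"""Added example (not Citrix code): a password policy of the kind the guide describes,
with a validator and a policy-constrained generator. All names and defaults are
illustrative assumptions, not Password Manager settings."""

import hashlib
import secrets
import string
from dataclasses import dataclass

# Special characters the example policy permits; other punctuation is rejected.
DEFAULT_SPECIAL = "!@#$%^&*()-_=+"


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 20
    min_alpha: int = 1          # minimum alphabetic characters
    min_numeric: int = 1        # minimum digits
    min_special: int = 1        # minimum special characters
    allowed_special: str = DEFAULT_SPECIAL
    excluded_chars: str = ""    # exclusion rule, e.g. ambiguous glyphs "0O1lI"
    history_size: int = 5       # how many previous passwords may not be reused


def password_fingerprint(password: str) -> str:
    """Fingerprint kept in the history so old passwords are never stored in the clear.
    A real store would use a salted, slow hash; SHA-256 keeps this example dependency-free."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, candidate: str, history=()) -> list:
    """Return the list of rules the candidate violates (an empty list means compliant).

    history is an ordered sequence of fingerprints, oldest first; only the most recent
    policy.history_size entries count, which is how a password-history rule behaves."""
    violations = []
    n = len(candidate)
    if n < policy.min_length:
        violations.append(f"shorter than the {policy.min_length}-character minimum")
    if n > policy.max_length:
        violations.append(f"longer than the {policy.max_length}-character maximum")

    alpha = sum(c.isalpha() for c in candidate)
    numeric = sum(c.isdigit() for c in candidate)
    special = sum(c in policy.allowed_special for c in candidate)
    if alpha < policy.min_alpha:
        violations.append(f"fewer than {policy.min_alpha} alphabetic character(s)")
    if numeric < policy.min_numeric:
        violations.append(f"fewer than {policy.min_numeric} numeric character(s)")
    if special < policy.min_special:
        violations.append(f"fewer than {policy.min_special} special character(s)")

    permitted = set(string.ascii_letters + string.digits + policy.allowed_special)
    excluded = sorted(set(candidate) & set(policy.excluded_chars))
    if excluded:
        violations.append("contains excluded character(s): " + "".join(excluded))
    outside = sorted(set(candidate) - permitted)
    if outside:
        violations.append("contains characters outside the permitted set: " + "".join(outside))

    recent = tuple(history)[-policy.history_size:] if policy.history_size > 0 else ()
    if password_fingerprint(candidate) in recent:
        violations.append(f"reuses one of the last {policy.history_size} passwords")
    return violations


def generate_password(policy: PasswordPolicy, length=None) -> str:
    """Generate a random password that satisfies the policy by construction: draw the
    required count from each character class first, fill the remainder from the whole
    permitted pool, then shuffle with a CSPRNG so class positions are not predictable."""
    rng = secrets.SystemRandom()
    if length is None:
        length = min(policy.max_length, max(policy.min_length, 12))
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("requested length is outside the policy's length range")

    def permitted(chars: str) -> str:
        # Apply the exclusion rule to a character class.
        return "".join(c for c in chars if c not in policy.excluded_chars)

    classes = [
        (permitted(string.ascii_letters), policy.min_alpha),
        (permitted(string.digits), policy.min_numeric),
        (permitted(policy.allowed_special), policy.min_special),
    ]
    required = sum(count for _, count in classes)
    if required > length:
        raise ValueError("character-class minimums exceed the requested length")
    chars = []
    for pool, count in classes:
        if count > 0 and not pool:
            raise ValueError("exclusion rule leaves no characters for a required class")
        chars.extend(rng.choice(pool) for _ in range(count))
    full_pool = "".join(pool for pool, _ in classes)
    chars.extend(rng.choice(full_pool) for _ in range(length - required))
    rng.shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample run: ambiguous glyphs excluded, one old password in history.
    policy = PasswordPolicy(excluded_chars="0O1lI")
    history = [password_fingerprint("Winter2007!")]
    for candidate in ("Winter2007!", "password", "Spring2389$"):
        print(candidate, check_password(policy, candidate, history) or "compliant")
    print("generated:", generate_password(policy))
```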
Identity Verification: The security questions you create provide an added layer of security to your agent software by protecting against user impersonation, unauthorized password changes, and unauthorized account unlocking. Users who enroll and answer your security questions can then verify their identity by providing the same answers when challenged. Once verified, the users can perform self-service tasks to their account, such as resetting their primary password or unlocking their user account. The security questions can also be used for key recovery.

Password Manager Agent Software

The Password Manager Agent is the software users need on their client devices to act as an intermediary between users and their applications. When a user tries to access an application that requires authentication, the agent software intercepts the application's request for authentication, finds the correct credentials, and submits them to the application. In addition, the Password Manager Agent can provide users with a wide array of features. Which features the users actually receive is determined by the administrative settings you make in their user configurations. See Password Manager Settings List on page 199 for the specific settings available to you. Password Manager Agent features include:

Notification area icon: The Password Manager Agent's notification area icon provides access to the Logon Manager and other Password Manager functionality, such as security question registration, pausing, and online Help.

Logon Manager: The Logon Manager provides a user interface where credentials can be created, viewed, edited, and deleted. Users can also conduct security question registration and access online Help from the Logon Manager. The File menu provides the user with much of the available access:

The New Logon command allows users to add new Windows-, Web-, or host-based application credentials to Password Manager.
The Properties command gives the user access to properties associated with the credentials for the specified application. From there, the user can change the password, user ID, and other logon information.
The Delete command, when invoked, removes users' credentials for the selected application from Logon Manager.
The Copy command provides a duplicate set of the selected credentials that the user can then edit to create multiple sets of credentials for single applications.

Other commands you can give users access to include:

The Reveal Passwords command, from the View menu, allows the user to display the passwords of the applications listed in Logon Manager.

Note: Password policy settings for revealing passwords override this command. If you do not want users to reveal the password for an application, be sure to set the password policy to prevent this.

The Security Question Registration command, from the Tools menu, gives the user the option to restart the Security Question Registration wizard and provide new answers to the security questions.
The Account Association command, from the Tools menu, allows the user to create an association between accounts on different domains. By using this feature, the user's credentials are synchronized, with password changes carried across domains.

Automated new logon setup: Users can set up new logon credentials quickly using the New Logon wizard. The Password Manager Agent detects when an application or Web site requests logon information. If the user's credentials are not already stored in Password Manager, the New Logon wizard automatically appears, offering to store them.

User mobility: The Password Manager Agent supports remote and mobile users. By obtaining a license before disconnecting, remote users can access their credentials when they are disconnected from the corporate network. Mobile users can move from one computer to another and multiple users can securely share one workstation.

The Password Manager Service

The Password Manager Service runs on a Web server that provides the foundation for optional features included in this release.
Install the Password Manager Service if you plan to implement at least one of the following modules:

Self-Service, which allows users to reset their Windows passwords and unlock their Windows accounts
Data Integrity, which protects data from being compromised while in transit from the central store to the agent
Key Management, which provides users with the capability to recover their secondary credentials when their primary password changes, either with automatic key recovery or after answering security questions with question-based authentication
Provisioning, which allows you to use the console to add, remove, or update Password Manager user data and credential information
Credential Synchronization, which synchronizes user credentials among domains using a Web service

If you are not implementing the modules mentioned above, do not install the Password Manager Service. For more information about the Password Manager Service, see Installing and Configuring the Password Manager Service in the Citrix Password Manager Installation Guide.

Password Manager Product Line

Password Manager is now available in two editions:

Password Manager Advanced Edition
Password Manager Enterprise Edition

In addition, Citrix Presentation Server 4.5 with Feature Pack 1, Platinum Edition, includes a feature comparable to Password Manager Enterprise Edition called Single Sign-on Powered by Password Manager.

Password Manager Advanced Edition

The Advanced Edition of Password Manager increases your organization's security with:

Strong password policy options
Automated password generation
Automatically started Password Change Wizard option
Password encryption while in memory, storage, and transmission
Password expiration options for applications lacking that capability

The Advanced Edition also interacts well with other programs, easing the user's logon information storage process as well as your maintenance of that process and information.
Password Manager Enterprise Edition

The Enterprise Edition of Password Manager is designed for the most demanding and complex enterprise environments. The Enterprise Edition:

Provides additional security, user self-service, and on-site user mobility features and performance.
Reduces calls to the help desk through user self-service features that enable users to change their own Windows password and unlock their account.
Allows on-site mobile workers to quickly access information with Hot Desktop, which facilitates fast user switching at shared workstations.
Includes enterprise security features such as integration with smart cards, Kerberos, and Federated Environment Support (ADFS and SAML).

Password Manager Advanced versus Enterprise Editions

User Features                                                                       Advanced  Enterprise
Single sign-on to Windows applications                                              X         X
Single sign-on to Web applications                                                  X         X
Single sign-on to host-based terminal emulator applications                         X         X
Citrix Access Client                                                                X         X
Localized user interface                                                            X         X
Support for SAPGUI, Internet Explorer 7 (32-bit, 64-bit)                            X         X
Self-service password reset                                                                   X
Self-service account unlock                                                                   X
Self-service feature integration with Web Interface                                           X
Hot Desktop fast user switching                                                               X
Hot Desktop/SmoothRoaming integration                                                         X
Account association                                                                           X

Security Features                                                                   Advanced  Enterprise
Automated password change                                                           X         X
Transparent password change                                                         X         X
Encrypted passwords in memory, storage, during transmission                         X         X
Password policy enforcement: automatic password changes                             X         X
Password policy enforcement: manual password changes                                X         X
Password expiration                                                                 X         X
Password token and biometric support                                                X         X
Smart card support                                                                            X
Cryptographic data integrity assurance                                              X         X
Kerberos and Federated Environment Support (ADFS, SAML)                                       X

Administrator Features                                                              Advanced  Enterprise
Batch credential provisioning                                                       X         X
Integration with user provisioning products                                         X         X
Windows NT file share support                                                       X         X
Microsoft Active Directory support                                                  X         X
Novell NetWare network share support                                                X         X
LDAP directory support                                                              X         X
Administration by Active Directory groups                                           X         X
Citrix Streaming Server support                                                     X         X
Citrix Access Management Console                                                    X         X
Platinum-integrated licensing                                                       X         X
Windows Server bit compatibility                                                    X         X
Named user licensing                                                                X         X
Concurrent user licensing [Citrix Password Manager for Presentation Server only]              X

New Features in Citrix Password Manager 4.6

Citrix Password Manager 4.6 includes the following:
Windows Vista Support for Password Manager Agent

Password Manager Agent now offers its full range of features in the Windows Vista environment. For the full list of environments supported by Password Manager, see Password Manager Console and Agent Requirements and Password Manager Service Requirements in the Citrix Password Manager Installation Guide.

Improved Credential Provisioning

Application credentials can now be provisioned to users any time their Password Manager Agent is running. Previously, provisioning could be carried out only during the agent software startup process.

Multiple Domain Service Support

Password Manager now enables you to share the Password Manager Service among users in different domains. You can install the Password Manager Console on computers in different domains and then create one or more user configurations in each domain.

Masked Security Answers for Question-Based Authentication

Password Manager now provides you the option to mask user answers to question-based authentication security questions. If enabled, users' answers are protected during answer registration and when provided for identity verification.

Account Self-Service Available When the Computer is Locked

The Account Self-Service button, which has been available on the Windows logon dialog box, is now also available on the Unlock Computer dialog box. This feature enables users to reset their network password or unlock their Windows domain accounts.

Note: Account Self-Service is available with the Enterprise Edition only.

About this Document

The overall objectives of this guide are to provide you with:

An understanding of the features and functionality of Password Manager
Instructions and tips to help you create and maintain the optimum password management environment for your users
Audience and Assumptions

This document is intended for use by system and security administrators who are implementing Password Manager. It is assumed that you, the reader, have a basic understanding of Windows Server administration. You must have a working knowledge of Novell NetWare if this is the platform you are using to install or maintain Password Manager.

Providing Feedback about this Document

To provide feedback about the documentation, go to and click Support > Knowledge Center > Product Documentation. To access the feedback form, click the Submit Documentation Feedback link.

Document Conventions

Citrix product documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:

Convention        Meaning
Boldface          Commands, names of interface items such as text boxes, option buttons, and user input.
Italics           Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics are also used for new terms and the titles of books.
%SystemRoot%      The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.
Monospace         Text displayed in a text file.
{ braces }        A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.
[ brackets ]      Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.
| (vertical bar)  A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.
... (ellipsis)    You can repeat the previous item or items in command statements. For example, /route:devicename[,...] means you can type additional devicenames separated by commas.
Getting More Information and Help

This section discusses the documentation for this release. It also describes how to get more information about Password Manager. The following topics are explored:

Product Documentation
Getting Service and Support
Subscription Advantage
Education and Training

Product Documentation

Password Manager contains a robust library of documentation. Much of this documentation can be found on the Citrix Web site. Direct links to the documentation are in the Password_Manager_Read_Me_First.html file in the Documentation folder on the product CD.

Pre-Installation Update Bulletin: The Pre-Installation Update Bulletin contains installation-related information developed after the Readme file was completed. The bulletin is available at

Password_Manager_Read_Me_First: Also known as Welcome to Citrix Password Manager, the Password_Manager_Read_Me_First.html document is located in the Documentation folder of the product CD. The document contains direct links to the library of Password Manager documentation on the Citrix Web site.

Readme file: The Readme file provides information about Password Manager functionality, known issues, changes, and other important information developed after the Citrix Password Manager Administrator's Guide was completed. Be sure to read this before installing Password Manager. It is located on the Citrix Web site and can be accessed directly through Password_Manager_Read_Me_First.html.

Getting Started with Citrix Licensing Guide: The licensing process for Password Manager changed since the release of Password Manager 4.1. See Getting Started with the Citrix Licensing Guide, available from the Citrix Web site and accessible through Password_Manager_Read_Me_First.html, for instructions to license Password Manager.
Note: Guides are provided as Adobe Portable Document Format (PDF) files. To view, search, and print PDF documents, you need to have Adobe Acrobat Reader with Search, or Adobe Reader 6.0 or later. You can download these products for free from the Adobe Systems Web site at

Citrix Password Manager Installation Guide: The Citrix Password Manager Installation Guide provides procedures for the installation and upgrade of Password Manager. It is located on the Citrix Web site and can be accessed directly through Password_Manager_Read_Me_First.html.

Citrix Password Manager Administrator's Guide: The Administrator's Guide, the document you are currently reading, provides conceptual information and instructions for system administrators who maintain, configure, and test the components of Password Manager. It is located on the Citrix Web site and can be accessed directly through Password_Manager_Read_Me_First.html.

Installation Checklist: This document provides a quick, concise prompt for administrators experienced at installing Password Manager. It approaches the installation process from a broad perspective and is not meant as a substitute for the Installation Guide. It is located on the Citrix Web site and can be accessed directly through Read_Me_First.html.

Online Help for Administrators and Users: Administrators now have a robust set of Help topics based on the Installation Guide and Administrator's Guide. Administrators can now view information about common tasks, workflow, and settings on the screen. Users can get information about common tasks, including adding logon information for applications, using the Logon Manager, and setting Password Manager automatic features. Users can access Help through Help menus or Help buttons.

Citrix Password Manager Evaluator's Guide: This guide delivers a practical overview of Password Manager features and functionality by providing an overview of how to set up and run a small-scale deployment of the product.
Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Advisors Program. Contact your supplier for first-line support or check for your nearest Solutions Advisor at

In addition to the Citrix Solutions Advisors Program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at

Knowledge Center features include:
- A knowledge base containing thousands of technical solutions to support your Citrix environment.
- A Web-based product documentation library.
- Interactive support forums for every Citrix product.
- Access to the latest hotfixes and service packs.
- Security bulletins.
- Web-based problem reporting and tracking (for users with valid support contracts).
- Citrix Live Remote Assistance. Using Citrix's remote assistance product, GoToAssist, a member of our support team can view your desktop and share control of your mouse and keyboard to get you on your way to a solution.

Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization's Citrix products.

Subscription Advantage

Subscription Advantage gives you an easy way to stay current with the latest server-based software functionality and information. During your subscription period, you get automatic delivery of:
- Feature releases
- Software upgrades
- Enhancements
- Maintenance releases
- Priority access to important Citrix technology information.
You can find more information about subscribing on the Citrix Web site at (click Subscription Advantage). You can also contact your Citrix sales representative or a member of the Citrix Solutions Advisors Program for more information.

Education and Training

Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site. Information about programs and courseware for Citrix training and certification is available from
2 Using Password Policies to Enforce Password Requirements

Citrix Password Manager enables you to define rules to control the characteristics of the passwords stored by your users and required by single sign-on (SSO) enabled applications. These rules comprise password policies that you can apply to all users or to specific groups of applications as determined by your organization's needs. This section describes how to create password policies within your Password Manager environment. See also "What about Password Policies for Application Access?" in the Citrix Password Manager Installation Guide.
- Overview of Password Policies on page 25
- Creating Password Policies: the Password Policy Wizard on page 27
- Helping to Increase Password Strength and Security In Your Environment on page 34

Note: Citrix Presentation Server provides policy rules that allow you to configure and control which users can access Password Manager when they connect to servers and published applications in the server farm. See the Presentation Server Administrator's Guide for more information.

Overview of Password Policies

Password Manager includes two standard password policies named Default and Domain, which cannot be deleted. These policies can be used as is, copied, or modified to suit your enterprise policies and regulations. When a user adds credentials to Logon Manager for an application not defined by an administrator, Password Manager uses the Default policy to manage that application. If you want an application group to be treated as a domain password sharing group, you must apply the Domain policy to that application group.
Note: Because Password Manager applies the Default password policy to user-added applications, ensure that you configure the Default policy to be as broad as needed to accept passwords for those applications for which you allow passwords to be stored.

You can create as many policies as you need in your enterprise. For example, you can apply one policy for your domain sharing group, and create individual policies to apply to individual groups of applications to define the requirements further. A password policy allows you to:
- Automate password changes for applications
- Implement security schemes that include complex passwords and application-specific passwords not visible to the users
- Define password expiration for applications, even if the application does not have a password expiration feature

Note: When users change their passwords, Password Manager can check the old password against the new password. This option helps prevent users from reusing passwords for the same application twice in a row. See Set Password History and Expiration on page 31. Also see Password Policies Enforcement on page 27.

Password Sharing Groups

Users might have a single password that is used for multiple applications (in a suite of products, for example). This scheme is known as password sharing, where the same authentication authority is used for the applications. While the other credentials for those applications (such as user name and custom fields) might be different, the user's password is the same. In this case, create an application group that is a password sharing group to ensure that the agent software manages the password for all applications in the group as a single entity. When the password is changed in one of the applications, the agent software ensures that the password change is reflected in the stored credentials for all applications in the group.
Domain Password Sharing Groups

Domain password sharing groups differ from other password sharing groups because the user's domain password is used as the master password for the application group. When the user changes the domain password, the agent software ensures that the change is reflected in the credentials for all other applications in the group. Only the domain password can be changed; users cannot initiate password changes on any of the other applications in the group unless the administrator removes the application from the domain password sharing group.

Password Policies Enforcement

Password Manager enforces password policies upon password change events, regardless of whether the password is user-defined or automatically generated by Password Manager. A password policy is not enforced when:
- A user registers with Password Manager (during first-time use)
- A user edits a password from the agent software Logon Manager
- An administrator creates an application definition

Password Manager also does not enforce a password policy on existing passwords (that is, those created before Password Manager is implemented in the enterprise) because users might be denied access to applications or resources that they are already using.

Creating Password Policies: the Password Policy Wizard

Important: When creating a custom password policy or modifying existing policies, ensure that your enterprise requirements and application requirements match. For example, if you create a policy that does not at least match an application's requirements, your users might not be able to authenticate to that application.

Default Settings for the Default and Domain Password Policies in the Citrix Password Manager Installation Guide describes the default settings for these policies. When you create a new password policy in the wizard described here, Password Manager uses the default settings for the Default policy. You can then change your settings as needed and apply the newly created policy to your desired application group. The wizard consists of the following pages:
- Set Basic Password Rules on page 28
- Set Alphabetic Character Rules on page 29
- Set Numeric Character Rules on page 29
- Set Special Character Rules on page 29
- Set Exclusion Rules (Excluding Specific Characters) on page 30
- Set Password History and Expiration on page 31
- Test Password Policy on page 32
- Establish Logon Preferences on page 33
- Customize Password Change Wizard on page 33

To start the Password Policy Wizard
1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select Password Policies.
3. In the Common Tasks area, click Create new password policy. The Password Policy wizard appears.
4. Type a name and description for the password policy and click Next.

Set Basic Password Rules

This page enables you to set the basic rules for configuring minimum and maximum password length and allowable repeating characters in the password.

Password length
Specify the minimum number of characters required. The minimum allowed value is 0. The maximum allowed value is 128. Ensure that the values you set here match the SSO-enabled application requirements for password length.

Character occurrence in passwords
- Maximum number of times a character can occur: This setting can be a value between one and 128 (default value is six).
- Maximum number of times the same character can occur sequentially: This setting can be a value between one and 128 (default value is four). For example, with the default value of four, abc1xxxxbb is a legal password, where x occurs four times in a row.
Set Alphabetic Character Rules

This page enables you to define the use of uppercase and lowercase alphabetic characters for user passwords. You can control the following settings:
- Allow lowercase characters
- Password can begin with a lowercase character
- Password can end with a lowercase character
- Minimum number of lowercase characters required (default is zero, maximum value is 128)
- Allow uppercase characters
- Password can begin with an uppercase character
- Password can end with an uppercase character
- Minimum number of uppercase characters required (default is zero, maximum value is 128)

Set Numeric Character Rules

This page enables you to define the use of numeric characters for user passwords. You can control the following settings:
- Allow numeric characters
- Password can begin with a numeric character
- Password can end with a numeric character
- Minimum number of numeric characters required (default is zero, maximum value is 128)
- Maximum number of numeric characters allowed (default is 20, maximum value is 128)

Set Special Character Rules

This page enables you to define the use of special (non-alphabetic and non-numeric) characters for user passwords. You can control the following settings:
- Allow special characters
- Password can begin with a special character
- Password can end with a special character
- Minimum number of special characters required (default is zero, maximum value is 128)
- Maximum number of special characters allowed (default is 20, maximum value is 128)

The allowed special characters list includes: # $ ^ & * ( ) _ - + = [ ] \?,

Set Exclusion Rules (Excluding Specific Characters)

This page enables you to prevent specific characters or groups of characters from being used in passwords, such as common words or easily guessed sequential groups of characters like abc123 or asdfjkl. You can also prevent the use of passwords that include all or part of Windows and individual application user names.
- You can specify up to 256 different groups of characters to be excluded
- Each group of characters can be from one to 32 characters long
- The characters within the groups are not case-sensitive; an exclusion list that includes abcdefg also prevents the use of AbCDefG in a password
- Additionally, an exclusion list that includes a group of characters such as defg also prevents the group of characters abcdefg from use

To create an exclusion list
1. Click Edit List. The Edit Exclusion List window appears.
2. Type the characters or groups of characters you want to exclude from passwords.
   - You can copy and paste text from a text editor into the text field in the window
   - You can type one character or group of characters per line (press Enter after each line to separate each entry)
   - Each group can contain up to 32 characters
   - Characters are not case sensitive
3. Click OK to save your changes and close the window.

To further restrict the password, select one or both of the following:
Do not allow application user name in password
Select this option to prevent the entire application user name from being used in the password. Select Do not allow portions of application user name in password to disallow parts of the application user name from being used in the password. Number of characters in portion enables you to specify the number of characters from the user name that would prevent the password from being used. For example, if set to four, a user password could not be formed that included the characters citr, trix, or itri with a user name of citrix.

Do not allow Windows user name in password
Select this option to prevent the entire Windows user name from being used in the password. Select Do not allow portions of Windows user name in password to disallow parts of the Windows user name from being used in the password. Number of characters in portion enables you to specify the number of characters from the user name that would prevent the password from being used. For example, if set to four, a user password could not be formed that included the characters citr, trix, or itri with a user name of citrix.

Set Password History and Expiration

This page enables you to enforce the use of new passwords when older passwords expire. The password history is maintained for each application managed by Password Manager. After this option is applied to an application or application group, any password changes made after the policy is active are retained in the user's password history. Password changes made before the policy is active are not retained or used to prevent password reuse.

Important: Password history is retained on a per-user basis. If you reset the user data for a user, the password history is removed and password history cannot be enforced for the deleted passwords.
Password History

New password must not be the same as previous passwords
Select this option to require a new password when a user's password expires. You can optionally prevent users from reusing up to 24 passwords previously used within your Password Manager environment.

Password Expiration

Note: The password expiration option notifies users only that a password will or has expired. Your users can use expired credentials, but are shown password change reminders or password change requests until the password is changed in Logon Manager. Application definitions also enable you to run a script when passwords expire. You can also use the built-in Password Manager password expiration warning. Password expiration settings in Password Manager are independent of any password expiration settings built into software applications.

Use the password expiration settings associated with the application definitions
Select this option to specify password expiration settings. These settings are associated with the application definition to which this password policy applies. You can select the number of days until the current password expires and the number of days to warn the user before the password expires.

Test Password Policy

This page enables you to test your policies before implementing them in your environment. It helps ensure that they work as intended and that a reasonable pool of passwords is available to your users. Using the Test Password Policy page, you can:
- Click Test to manually test a password
- Click Generate to have Password Manager create a single password policy-compliant password
- Click Generate multiple passwords to have Password Manager create a list of passwords that meet the settings you defined for this password policy
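The following Python script is an added illustration of how the rule categories on the wizard pages above combine when a password is tested or generated; it is not code from this guide or from Citrix, and it does not reproduce the product's implementation. It models the basic rules (length, character occurrence, sequential repeats), the per-class allow/minimum/maximum settings, the case-insensitive exclusion list, the user-name portion rule, the password history depth, and the behaviour of the Test and Generate buttons. The PasswordPolicy class, its field names, the use of ASCII punctuation as the special-character set, the default minimum length of 8 and the sample passwords are all assumptions made for this example; the begin/end-character rules and expiration are left out.

```python
import re
import secrets
import string
from dataclasses import dataclass

# The guide lists a specific set of allowed special characters; this example
# assumes ASCII punctuation as a stand-in (an assumption, not the product's list).
SPECIAL_CHARS = set(string.punctuation)


@dataclass
class PasswordPolicy:
    """Subset of the wizard's settings; field names are this example's own."""
    min_length: int = 8             # wizard range 0..128; 8 is this example's choice
    max_length: int = 128
    max_char_occurrence: int = 6    # wizard default: six
    max_sequential_repeat: int = 4  # wizard default: four
    allow_lower: bool = True
    min_lower: int = 0
    allow_upper: bool = True
    min_upper: int = 0
    allow_digits: bool = True
    min_digits: int = 0
    max_digits: int = 20            # wizard default: 20
    allow_special: bool = True
    min_special: int = 0
    max_special: int = 20           # wizard default: 20
    exclusions: tuple = ()          # case-insensitive substrings, each up to 32 chars
    forbid_username: bool = False   # "Do not allow application user name in password"
    username_portion: int = 0       # N > 0 forbids every N-character slice of the user name
    history_depth: int = 0          # previous passwords (up to 24) that may not be reused


def _class_check(name, count, allowed, minimum, maximum, problems):
    """The allow / minimum / maximum triple that each character-rule page uses."""
    if not allowed and count > 0:
        problems.append(f"{name}:not-allowed")
    elif count < minimum:
        problems.append(f"{name}:too-few")
    elif maximum is not None and count > maximum:
        problems.append(f"{name}:too-many")


def check_password(pw, policy, username="", history=()):
    """Return the violated rules; an empty list means the password complies."""
    problems = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        problems.append("length")
    for ch in sorted(set(pw)):
        if pw.count(ch) > policy.max_char_occurrence:
            problems.append(f"occurrence:{ch}")
    # A run of max + 1 identical characters breaks the sequential rule: with the
    # default of four, 'abc1xxxxbb' is legal and 'abc1xxxxxbb' is not.
    if re.search(r"(.)\1{%d,}" % policy.max_sequential_repeat, pw):
        problems.append("sequential")
    lower = sum(c in string.ascii_lowercase for c in pw)
    upper = sum(c in string.ascii_uppercase for c in pw)
    digits = sum(c in string.digits for c in pw)
    special = sum(c in SPECIAL_CHARS for c in pw)
    _class_check("lower", lower, policy.allow_lower, policy.min_lower, None, problems)
    _class_check("upper", upper, policy.allow_upper, policy.min_upper, None, problems)
    _class_check("digits", digits, policy.allow_digits, policy.min_digits, policy.max_digits, problems)
    _class_check("special", special, policy.allow_special, policy.min_special, policy.max_special, problems)
    low, user = pw.lower(), username.lower()
    # Exclusion list: case-insensitive substring match, so 'defg' also blocks 'abcDEFG'.
    problems += [f"exclusion:{ex}" for ex in policy.exclusions if ex.lower() in low]
    if policy.forbid_username and user and user in low:
        problems.append("username")
    n = policy.username_portion
    if n > 0 and user:  # with n = 4 and user name 'citrix' the slices are citr, itri, trix
        problems += [f"username-portion:{user[i:i + n]}"
                     for i in range(len(user) - n + 1) if user[i:i + n] in low]
    # Only the most recent history_depth passwords count for the reuse check.
    if policy.history_depth > 0 and pw in history[-policy.history_depth:]:
        problems.append("history")
    return problems


def generate_password(policy, username="", history=(), length=12, attempts=1000):
    """Mirror of the wizard's Generate button: draw random candidates until one complies."""
    pools = [(string.ascii_lowercase, policy.min_lower) if policy.allow_lower else None,
             (string.ascii_uppercase, policy.min_upper) if policy.allow_upper else None,
             (string.digits, policy.min_digits) if policy.allow_digits else None,
             ("".join(sorted(SPECIAL_CHARS)), policy.min_special) if policy.allow_special else None]
    pools = [p for p in pools if p]
    alphabet = "".join(chars for chars, _ in pools)
    rng = secrets.SystemRandom()
    for _ in range(attempts):
        # Seed the minimum required count of each class, then fill to length and shuffle.
        picked = [rng.choice(chars) for chars, need in pools for _ in range(need)]
        picked += [rng.choice(alphabet) for _ in range(max(length, policy.min_length) - len(picked))]
        rng.shuffle(picked)
        candidate = "".join(picked)
        if not check_password(candidate, policy, username, history):
            return candidate
    raise RuntimeError("no compliant password found; check the policy for contradictory rules")
```

Running check_password("abc1xxxxbb", PasswordPolicy()) returns an empty list, matching the guide's own example of a legal password under the default sequential limit of four, while a fifth x in a row is reported as "sequential". Because generate_password rejects candidates with the same check used for testing, the generated passwords are guaranteed to satisfy the policy, which is the property the wizard's Test and Generate pages let you confirm before a policy is applied to an application group.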
Establish Logon Preferences

This page enables you to control agent settings related to credential submission and logon errors.

Allow users to reveal passwords for applications
Select this option to allow users to see the password associated with the applications in the user configuration. This option controls whether the Reveal button in Logon Manager is available.

Note: To allow users to see their application passwords, you must also enable the Allow users to reveal all passwords in Logon Manager option in the user configuration associated with this password policy. See Configure Agent Interaction on page 91.

Force user to re-authenticate before submitting application credentials
Select this option to force users to type their primary logon credentials before the Password Manager Agent submits their credentials to an application. This setting is useful for applications that access confidential or sensitive information because it forces users to verify their identities.

Number of logon retries
This setting enables you to limit the number of additional times the agent software can submit credentials to an application or resource. If you set the value to 0, an error message appears upon the second attempt to submit credentials.

Time limit for number of retries
Specify the amount of time (in seconds) during which the agent software is allowed to continue to submit credentials after the initial submission to the application or resource. The Number of logon retries setting determines how many logon retries are allowed during this time period.

Customize Password Change Wizard

This page enables you to customize the behavior of the Password Change Wizard, which is launched when users need to change their password. The Password Change Wizard responds to Password Change forms and can guide users through the password change process.
You can select one of the following options:
- Allow users to choose a system-generated password or create their own password
- Only allow users to create their own password: When selected, the Password Change Wizard requires users to type a new password.
- Only allow users to choose a system-generated password: When selected, the Password Change Wizard does not allow users to type a new password but automatically uses a system-generated password.
- Generate a password and submit it to the application without displaying the Password Change Wizard: When selected, the wizard automatically submits a system-generated password. Users might see password change form fields being automatically filled in and any response from the application indicating if the password change succeeded or failed.

Helping to Increase Password Strength and Security In Your Environment

As the Password Manager administrator, you can help increase the strength of user passwords by controlling them with intelligently created password policies. As usual, only you can balance having stronger passwords with ease of use for all users in your enterprise. Consider the following.
- Use the Provisioning Module to preset user passwords. Users do not need to know passwords in this case, which prevents them from accidentally revealing them. This technique requires coordination between the user configuration and the password policy that is associated with it.
- Require users to change their passwords at regular intervals.
- Do not allow blank passwords.
- Do not allow users to reveal passwords.
- Make sure that passwords are not reused or repeated.
- Do not allow user or application names to be part of the password.
- Force users who have regular access to confidential or sensitive information to have stronger or more complex passwords. Further group these users into user configurations containing these applications.
3 Using and Managing Application Definitions

The Citrix Password Manager Agent recognizes and responds to applications based on the settings identified in application definitions. The application definitions contain forms that allow the agent software to analyze each application as it is started, recognize certain identifying features, and determine if the starting application requires the agent software to perform some specific action such as:
- Submit user credentials at a logon prompt
- Negotiate a credential changing interface
- Process a credential confirmation interface

Application definitions consist of sets of specific user credential form recognition and action characteristics referred to as form definitions, and the set of configuration options that apply to all the forms in the configuration. The form definition settings are defined to recognize when an application requests a specific user credential action, and further define the actions that must be performed to process those credentials.

An application definition is a collection of all the user credential management forms associated with a single application. Although most applications and their corresponding application definitions use only two forms for managing user credentials, as many forms as an application requires for managing user credentials can be defined and contained in a single application definition.

Password Manager provides support for a variety of applications including Windows, Web, and host-based applications. It works with Java applications, SAP solutions, and applications hosted on a mainframe, AS/400 system, or UNIX server.
To simplify the application definition process, a variety of predefined application definition templates can be imported into Password Manager from the Citrix Web site ( ). This site provides an interactive exchange where Citrix Consultants, Sales Engineers, System Integrators, and Password Manager administrators share application definitions. By sharing application definitions, single sign-on enabling application definitions can be implemented with less effort and more confidence. Using predefined application definition templates should always be the first choice for administrators as they define application definitions for their environment.

To create application definitions for applications that do not have predefined application templates, the application definition support interface has an Application Definition wizard used to configure the characteristics associated with all the forms included in the definition, and a Form Definition wizard that leads administrators through a step-by-step procedure to define support for Windows, Web, and host-based applications.

Password Manager also provides the ability to perform external application discovery and action processing support. This feature allows third-party implementers to extend the application detection and credential submission tasks associated with a form by providing access to external processes during the application detection and action submission processing phases in the Password Manager Agent.

All these features combine to provide Password Manager administrators a flexible and adaptable application definition development environment to support their user community with secure and flexible single sign-on access to critical applications.
Topics described in this chapter include the following:
- Overview of Application Templates on page 37
- How the Password Manager Agent Identifies Applications and User Credential Management Events on page 40
- Windows Type Application Definitions on page 46
- Web Type Application Definitions on page 63
- Host/Mainframe Type Application Definitions on page 70
Overview of Application Templates

Application templates are XML files that are used to share application definitions between different Citrix Password Manager environments. Application templates save time and effort because they are converted to application definitions with minimal administrator intervention or configuration. Templates require the administrator to supply some information to complete the application definition, but the information required is usually limited to a URL or executable file name, password expiration, and any advanced detection settings.

Application templates are installed using the Password Manager Console or the Application Definition Tool. Both of these tools include application templates for commonly used Windows and Web applications. Additional templates are located on the Citrix Web site ( ). You can also create application templates and share them with other Citrix administrators by uploading them to the Web site.

When an application template cannot be found for an application, an application definition can be created using the Password Manager Console or the Application Definition Tool (see How the Password Manager Agent Identifies Applications and User Credential Management Events on page 40 for additional information).

Managing Application Definitions Using Templates

To add an application definition with a template, you must first make sure the template is available in your Password Manager environment. As previously stated, administrators can obtain application templates from the Web or, if you've created your own application templates and saved them to a network share, you can import them from the network share. After an application template is imported to your environment, use it to create an application definition. Templates can also be created from application definitions.
These templates can be used to archive application definitions, or share application definitions with other Password Manager administrators. Use the following procedures to manage application definitions using templates:
- Obtaining Application Templates from the Web on page 38
- Importing Application Templates from a Network Share on page 38
- Adding an Application Definition Using a Template on page 38
- Creating Application Templates on page 39
- Exporting Application Templates on page 40
Obtaining Application Templates from the Web

Use the following procedure to download application templates from the Citrix Web site ( ):
1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.
2. Select the Application templates on the web hyperlink to open the Password Manager Applications Definitions Web page.
3. Select the application template to import.
4. Save the template XML file to a location that is accessible from your Password Manager Console.
5. Click Close when the download is complete.
6. Follow the steps in Importing Application Templates from a Network Share on page 38.

Importing Application Templates from a Network Share

Use this procedure to import an application template from a network share:
1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.
2. Click Import Template.
3. Locate the template XML file and click Open. The template you just imported now appears on the list in the Manage Templates dialog box.
4. Follow the steps in Adding an Application Definition Using a Template on page 38.

Adding an Application Definition Using a Template

Use this procedure to add an application definition using a template:
1. Launch the application you want to define.
2. Open the console or the Application Definition Tool on the device where the application you want to define is running.
3. From the Action menu of the console or File menu of the Application Definition Tool, select Create Application Definition.
4. Select the application type for the type of application definition to create (Windows, Web, or Host/Mainframe).
5. Designate the Starting format by selecting Create from application template.
6. Choose the template from the drop-down list. The drop-down list displays templates for the selected application type.
7. Click Start Wizard.
8. Provide the information required to complete the application definition (see Application Definition Wizard Overview on page 42 for additional information).
9. Verify that the new application definition is listed in the Application Definitions node of the console.

Alternatively, you can start an application definition from the Manage Templates dialog box using the following procedure.

Creating an Application Definition From an Imported Template
1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.
2. Highlight an application template name and click Create Application Definition. This action starts the Application Definition wizard for the application type associated with the template.
3. Provide the information required to complete the application definition (see Application Definition Wizard Overview on page 42 for additional information).
4. Verify that the new application definition is listed in the Application Definitions node of the console.

If you are running an application that does not have a template, use the Password Manager Console or the Application Definition Tool to create application definitions for that application (see How the Password Manager Agent Identifies Applications and User Credential Management Events on page 40 for additional information).
After creating an application definition, create a template that can be exported for archival purposes or for use by other Password Manager administrators by uploading it to the Citrix Web site ( ).

Creating Application Templates

Use this procedure to create a template from an existing application definition:
1. With the Application Definition node expanded in the left panel of the Application Definition Tool or the Password Manager Console, select the application definition to use for the template being created.
2. Select the Save as template option to open the Save as Template dialog box.
3. To archive the template or share it with other Password Manager administrators, export the template into an XML format. Follow the steps described in Exporting Application Templates on page 40.

Exporting Application Templates

Use this procedure to export a template from an existing application definition:
1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.
2. Highlight the template in the list of available templates and click Export.
3. Define the name and the location to store the exported template definition and click OK.

The exported template is saved in the designated location. This template can be archived to preserve the data and/or made available to other Password Manager administrators ( ).

How the Password Manager Agent Identifies Applications and User Credential Management Events

Application definitions are created using the Password Manager Console or the Application Definition Tool. A single application definition supports all user credential management events associated with a single application including:
- Authenticating the user
- Changing user credentials
- Confirming credential changes

When creating an application definition, the type of application is identified after the Application Definition wizard starts. The selected application type determines the information that is collected. Application definitions are categorized into three main types:
- Windows applications (including Java applications and the SAP LogonPad)
- Web applications (including Java applets)
- Host applications (accessed using an HLLAPI-compliant terminal emulator)
3 Using and Managing Application Definitions

An application definition consists of:

- Application characteristics that apply to all forms included in the definition. These are defined using the Application Definition wizard.
- Form-specific data used to recognize each credential management event associated with the application. These are defined using the Form Definition wizard, which is started during the Application Definition wizard operation.

The application characteristics for all types of applications contain similar configuration information. However, the form-specific data contained in the application definition varies greatly based on the type of application being defined.

To create an application definition, the application must be accessible to the administrator from the computer where the application definition is created. Because some application signatures can vary depending on the underlying operating system, administrators must be careful to test application definitions in all the operating system environments that occur in their organization. Any changes or upgrades to an application after an application definition is developed and deployed should be tested to ensure that there are no changes to the application signatures that would require a change to the application definition.

Identifying the Parts of the Application's User Interface

The user interface to an application includes different forms that are used to manage the user credential management events associated with the application. For example, one form can be used to enter the logon credentials, another form can be used to change an application password, and yet another form can be used to confirm or acknowledge a successful change to user credentials.

Depending on the type of application being defined (Windows, Web, or Host), Password Manager uses a variety of different kinds of identifiers to uniquely identify and respond to the forms. These include, but are not limited to, the application type, the window title, and the executable file name. When the agent software identifies the application and form, it then prompts users to provide or store their credentials, submits stored credentials, or prompts users to update their credential information, depending on the defined settings.
Application Definition Wizard Overview

All application definitions are initially created using the Application Definition wizard and the integrated Form Definition wizard. The Application Definition wizard is started by selecting the Application Definitions node in the Citrix Access Management Console and then selecting the Create application definition task from the Common Tasks area.

The following information is collected for each type of application (Windows, Web, and Host) using the Application Definition wizard.

Data Collected                   Windows   Web   Host
Identify application             X         X     X
Manage forms                     X         X     X
Name custom fields               X         X     X
Specify icon                     X
Configure advanced detection     X         X     X
Configure password expiration    X         X     X
Confirm settings                 X         X     X

Identify Application

This page is used to define the application definition name and to provide a description for the application definition. Any name you prefer can be defined as the application name. Consider that:

- The name can be used to distinguish among multiple versions of the same application
- This is the name to look for in your central store
- Your agent software users will see this name and this description in the Logon Manager

Manage Forms

Most applications have separate forms for logon and password changes. Some applications also have separate forms that notify users of a successful password change or a failed password change.

This page is used to add a form to the application definition. To add a new form, select the Add form option. This action starts the Form Definition wizard, which is used to collect the form data for a single form. The Form Definition wizard is repeated for each form in the application definition. See Form Definition Wizard Overview on page 45 for additional information.

After a form is defined, the Properties window provides a synopsis of the form properties associated with the form highlighted in the Defined application forms panel. These properties are also presented on the Confirmation settings page of the Form Definition wizard.

Name Custom Fields

Password Manager includes the user name and password fields as standard information required for any logon form. Some applications require additional information, such as a database name, domain name, or system name, as part of the user credentials that must be supplied to authenticate the user. Up to two custom fields can be added when a form is created using the Define form actions page of the Form Definition wizard (see Form Definition Process on page 47 for additional information).

If one or two custom fields are defined when the form is created, this page is used to define the name of the associated field as it appears to your users. To create a hot key for the custom field name, place an ampersand (&) in the field name immediately before the letter you want to use as the hot key. If no hot key is identified, the agent software dynamically appends a numeric value as the hot key for the control. This appears on the button as (1) or (2), depending on the number of custom fields that are defined. Be sure to test the resulting form to ensure that the defined name does not exceed the amount of space allocated to the custom field name.

Specify Icon

By default, Password Manager uses a different icon to denote each application type in the Logon Manager. However, for Windows applications, a custom icon can be defined to help your users identify specific applications within Logon Manager. Consider that when a custom icon is used to denote a specific Windows application, the identified path to the icon file must be available to all users.

Configure Advanced Detection

The configure advanced detection check boxes are used to mitigate credential submission loops and credential change loops.
Credential Submission Loops

In this scenario, when users log off from an application and are returned to a logon screen, the agent software can prompt the users to choose to log on again or to ignore the logon form. Select the Process only the first logon for this application check box so that credentials are not automatically submitted for subsequent logon forms.

When a predefined application is launched for the first time and this option is selected, the agent software submits credentials on the initial instance of the logon form without any additional user action. When the user logs off and the logon screen appears again, a sliding window appears and stays visible for approximately 10 seconds. The user has three options:

- Close the window: no credentials are submitted
- Ignore the window: no credentials are submitted
- Click the link: credentials are submitted

Closing the application terminates the session, and Password Manager submits the credentials the next time the application is opened.

Credential Change Loops

In this scenario, when Process only the first password change for this application is selected and users attempt to change their passwords multiple times while accessing the specified application, they are asked to verify subsequent password changes.

Configure Password Expiration

The password expiration settings and features include options to:

- Optionally identify a script to run when the password expires
- Optionally use the Citrix Password Manager expiration warning

To run a script when the password policy associated with this application definition expires, activate the run script option and identify the user-created script to run. The script path must be available to all users. The user-created script can prompt users to change passwords on any or all of their applications at regular intervals, change passwords on any or all of their applications automatically, or use a combination of these processes to meet your security and regulatory requirements. Typically, the script invokes an associated application using a command-line interface with a change password parameter or something similar.

You can also optionally activate the Use Citrix Password Manager expiration warning option. Activating this option causes a Citrix Password Manager password expiration warning to appear when the password policy associated with the application indicates that the password has expired. This action displays a recurring message that the associated time period has expired but does not force a password change.

Confirm Settings

The confirmation settings page permits you to review the current settings you have defined for an application definition, to identify any errors, and to go back and correct those settings if a problem is discovered before saving the configuration.

Form Definition Wizard Overview

The Form Definition wizard is used to define the characteristics associated with each of the user credential management forms that can be included in an application definition. The Form Definition wizard is used to initially define a form during the application definition process when using the Application Definition wizard, when editing a form, or when adding a form to an existing application definition.

Several types of standard user credential management forms can be defined using the Form Definition wizard, including:

- Logon form: Used to identify the logon interface to an application, and to manage the user credential actions required to gain access to the associated application.
- Password change form: Used to identify the password change interface to an application, and to manage the user credential actions required to change the user password for the associated application.
- Successful password change form: Used to identify the password change interface to an application, and to manage the user credential actions required to acknowledge the successful change of a password for the associated application.
- Failed password change form: Used to identify the unsuccessful password change interface to an application, and to define the actions to take when a credential change operation is unsuccessful.

Note: Password Manager Agent Versions 4.0 and 4.1 do not support successful or failed password change forms and do not respond to application definitions containing these forms.

The data collected for each form performs two functions:

- Uniquely identifies when an application-specific form is started
- Performs the appropriate user credential processing actions associated with the form

All form definitions are initially created using the Form Definition wizard, which is initiated when defining an application definition using the Application Definition wizard. See Application Definition Wizard Overview on page 42 for additional information. The Form Definition wizard is started from the Manage forms page of the Application Definition wizard by selecting the Add form option.

The following table shows the form information that is collected for each type of application (Windows, Web, and Host) using the Form Definition wizard.

Data Collected               Windows   Web   Host
Name form                    X         X     X
Identify form                X         X     X
Define form actions          X         X     X
Set field detection rules              X
Configure other settings     X
Confirm settings             X         X     X

Identifying when an application presents a form that requires action is different for each type of application. An overview of the information required to create forms for each application type is located here:

- Windows Type Application Definitions on page 46
- Web Type Application Definitions on page 63
- Host/Mainframe Type Application Definitions on page 70

Windows Type Application Definitions

Windows type application definitions are used to identify Windows applications, Java applications, and applications that are started from an SAP Logon Pad.
Typically, any application that is launched with an executable (exe) file is categorized as a Windows application for the purposes of defining an application definition. Windows application definitions are created, in part, by identifying parts of the application as it runs. In the Password Manager application definition for a Windows application, information is provided about the application forms and the fields used to collect user credential information using the Form Definition wizard. The Form Definition wizard is started when:

- Using the Application Definition wizard to create a new application definition
- Editing a form in an existing application definition
- Adding a form to an existing application definition

The type of application being defined is identified when a new application definition is initiated. See Application Definition Wizard Overview on page 42 and Form Definition Wizard Overview on page 45 for additional information.

Gathering the Information Required for Windows Application Definitions

Usually the best (and simplest) way to gather the information required for Windows application definitions is to launch the application and navigate to the form that requires a user credential management event (user logon, change password, successful password change, or failed password change) while running the Form Definition wizard from the console or from the Application Definition Tool. The wizard's on-screen text provides instructions for locating and identifying the applicable parts of the application.

Form Definition Process

The form definition process consists of collecting the form-specific identification information and action information using the following pages in the Form Definition wizard for Windows applications:

- Name form
- Identify form
- Define form actions
- Configure other settings
- Confirm settings

After completing the actions required for a specific page, click Next to proceed through the wizard. The Back button is generally available on each page to return to previously configured options. However, changing some previously configured options may require you to alter subsequent settings.

Name Form

When creating application definitions for Windows type applications, the Name form page of the Form Definition wizard is used to assign a user-defined name to the form being created and to identify the type of form being created. Consider that the name assigned to the form appears on the Manage forms page of the Application Definition wizard. Assign a name that is meaningful for the type of form being defined.

Several types of standard user credential processing forms can be defined using the Form Definition wizard, including:

- Logon form: Used to identify the logon interface to an application, and to manage the user credential actions required to gain access to the associated application.
- Password change form: Used to identify the password change interface to an application, and to manage the user credential actions required to change the user password for the associated application.
- Successful password change form: Used to identify the password change interface to an application, and to manage the user credential actions required to acknowledge the successful change of a password for the associated application.
- Failed password change form: Used to identify the unsuccessful password change interface to an application, and to define the actions to take when a credential change operation is unsuccessful.

Note: Password Manager Agent Versions 4.0 and 4.1 do not support successful or failed password change forms and do not respond to application definitions containing these forms.
Identify Form

When creating application definitions for Windows type applications, the Identify form page is used to provide the information required for the Password Manager Agent software to uniquely recognize the form being defined. The identifying information includes the window title and the executable file name. When the agent software detects the executable file name, it monitors the application for the defined window titles. When a window title is detected, the agent software performs the actions defined for the form.

To simplify the definition process, ensure that the subject Windows application is started and that the form associated with the credential-specific actions to be performed is displayed (such as the logon form or the password change form). Click Select to identify the subject program already open on your computer. This action opens the Select a Program Window dialog box, which is used to identify the window title and executable file name for the form.

The Select a Program Window dialog box has a Program windows area and three options that can be selected. The Program windows area displays the following for each identified program:

- Window Title
- Executable File Name
- Window Class

The Program windows area is used to locate and select the application form being defined from among all the applications currently running on your computer. To help identify the correct application, the corresponding application window is highlighted on the screen with a clearly visible border when it is selected.

Two options are used to expand the number of available choices. If the executable sought is open on your system but is not currently displayed, select one or both of the following check boxes to display additional choices:

- Show hidden program windows
- Show child windows

Select the third option, Include full executable path name in identification (secure path), to define the explicit path information required when using secure paths.

After selecting the target application, the Identify form page is populated with information based on the selected options. The form identifiers include:

- Window titles for this form: Displays the window titles associated with the form.
- Executable file names and paths: Displays the executable file name and any optional path information required to use secure paths.

Window titles for this form

The window title can be edited to manage dynamic window title data, such as a date or session identifier. To support dynamic data, wildcard characters can be substituted for the dynamic data that appears in the window title as follows:

Wildcard   Description
?          Use only for a single dynamic/changing character in a window title.
*          Use this value to represent dynamic title data of one or more characters. This value is not recommended for empty window titles; use NULL for those situations.
NULL       Use this value for empty window titles (the word NULL must be all uppercase).

Executable file names and paths

The Executable file names and paths area displays the name of the identified executable file and any secure path information. Secure paths limit recognition of the application to only those program instances started from the paths defined here. If one or more secure paths are identified, the agent software submits credentials only when the identified program is run from a defined path and all other defined form identifiers are present. If no path information is defined, None provided appears and the agent software provides credential information to any program that matches the other form identifiers. Separate multiple paths using semicolons. Absolute paths or environment variables can be used to identify the path.

Note: Application definitions that include secure path information can be used to create an application definition template; however, the secure path is not included as part of the template.

Advanced Matching

Although most Windows forms can be identified using the features on the Identify form page, some types of forms require more advanced matching options that are accessed using the Advanced Matching dialog box. Click Advanced Matching to access the Advanced Matching dialog box. See Using Advanced Matching to Identify Windows Forms on page 53 for additional information about this dialog box.
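To make the wildcard rules above concrete (the same ?, * and NULL rules apply to window class identifiers under Class Information in the Advanced Matching dialog box), here is an added Python illustration that is not code from the guide or from the Citrix product: it translates a title or class pattern into a regular expression and applies the executable, window title, ignore-class and allow-class checks to constructed sample windows. The guide does not say whether the agent compares titles case-sensitively, so the example compares them exactly; the WindowInfo and FormIdentifier names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added illustration (not Citrix code) of the wildcard rules the guide gives
# for window titles and window class identifiers:
#   ?     exactly one dynamic character
#   *     one or more dynamic characters (never zero, hence the NULL rule)
#   NULL  the whole pattern; matches only an empty title or class name


def wildcard_to_regex(pattern: str) -> str:
    """Translate a Password Manager style wildcard pattern to a regex body."""
    if pattern == "NULL":            # must be all uppercase to be the keyword
        return ""                    # full-matches only the empty string
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")        # one character, no more, no less
        elif ch == "*":
            parts.append(".+")       # one or more characters
        else:
            parts.append(re.escape(ch))  # everything else is literal
    return "".join(parts)


def wildcard_match(pattern: str, value: str) -> bool:
    """True when the whole value matches the pattern. Exact-case comparison
    is an assumption: the guide does not say how the agent handles case."""
    return re.fullmatch(wildcard_to_regex(pattern), value, re.DOTALL) is not None


@dataclass
class WindowInfo:
    """What the Select a Program Window dialog box shows for one open window."""
    title: str
    exe: str
    window_class: str


@dataclass
class FormIdentifier:
    """Identify form page data plus the Class Information options."""
    titles: List[str]                  # "Window titles for this form"
    exe: str                           # "Executable file names and paths"
    ignore_classes: List[str] = field(default_factory=list)  # Ignore this window class
    allow_class: Optional[str] = None  # Allow window class


def form_matches(form: FormIdentifier, window: WindowInfo) -> bool:
    """Apply the identifiers in the order the guide describes: the executable
    first, then one of the window titles, then the optional class filters."""
    if window.exe.lower() != form.exe.lower():  # Windows file names are case-insensitive
        return False
    if not any(wildcard_match(t, window.title) for t in form.titles):
        return False
    if any(wildcard_match(c, window.window_class) for c in form.ignore_classes):
        return False
    if form.allow_class is not None and not wildcard_match(form.allow_class, window.window_class):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a logon window whose title carries a session number
    # and whose class name has a dynamic suffix (e.g. an MFC "Afx:..." class).
    logon = FormIdentifier(titles=["Logon - Session *"], exe="SampleApp.exe",
                           allow_class="Afx:*")
    print(form_matches(logon, WindowInfo("Logon - Session 42", "sampleapp.exe", "Afx:400000:8")))
```

Note that "Session *" does not match "Session " with nothing after it, which is why the guide points you to NULL rather than * for empty titles.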
Define Form Actions

The Define form actions page is used to define the actions that must be performed by the agent software to submit the credentials for the specific form being defined. The top of the page displays the selection of user credentials that apply to the form type being defined (Logon form, Password change form, Successful password change form, or Failed password change form). The credentials listed are Username/ID, Password, Old Password, New Password, Confirm Password, Custom Field 1, Custom Field 2, and OK. Username/ID and OK apply to all four form types; Old Password, New Password, and Confirm Password apply to the Password change form.

The bottom of the page displays the defined action sequence. The objective of this page is to define the actions to be taken by the agent software to successfully submit the required user credentials to the identified form. For many Windows applications, the following process is all that is required:

1. Select the Set/Change hyperlink associated with a specific user credential. This action opens the Configure Control Text dialog box, which is used to identify the control that receives the selected credential. If the form is already open, this dialog box displays all the possible candidates for the control type associated with the selected user credential or submit option:

   Credential         Control Type
   Username/ID        Edit, List, Combo Box, Undefined
   Password           Edit, List, Combo Box, Undefined
   Old Password       Edit, List, Combo Box, Undefined
   New Password       Edit, List, Combo Box, Undefined
   Confirm Password   Edit, List, Combo Box, Undefined
   Custom Field 1     Edit, List, Combo Box, Undefined
   Custom Field 2     Edit, List, Combo Box, Undefined
   OK                 Button, Undefined

   If the application credential form is not currently open, start the application and navigate to the correct user credential form. Then select the Select a program running on your computer option on this dialog box to select the program. After the application form is selected, this dialog box is populated with control type candidates that are appropriate for the selected user credential.
2. Select the control type candidate that is to receive the credential. As the different candidates are selected, the associated control is visibly highlighted on the application to make it easier to identify the control that is to receive the identified user credential or act as the submit button.
3. Repeat this action for all the user credentials required by the form and for the button required to submit the form.

Some forms require domains or other user-configurable credentials that must be submitted to process the form. To accommodate these requirements, two custom fields are made available. Assign special-requirement credentials to these fields. The names associated with these fields are defined on the Name custom fields page of the Application Definition wizard (see Application Definition Wizard Overview on page 42 for additional information) after the form is defined.

Note: Not all the credentials identified at the top of the Define form actions page must be configured. For many Windows applications, after you define which fields on the form are to receive the identified user credentials and which button to select to submit the form, you have completed the form action definition process and can continue with the next page in the wizard.
However, some forms require more information, steps, special keys, or other actions to successfully complete a credential management task. For these forms, click Action Editor to open the Action Editor dialog box (see Using the Action Editor to Define the Action Sequence for Forms on page 59 for additional information about defining form actions using the Action Editor).

Configure Other Settings

For Windows definitions, this page is used to specify whether the submit button is pressed automatically by the agent software or the user is required to press the button manually. Select the Agent submits this form automatically check box to submit the form without user intervention.

Confirm Settings

The Confirm settings page is the last page of the Form Definition wizard. It is used to review the configuration options and settings associated with the form. It allows the administrator to review the configuration before finishing the form and returning to the Application Definition wizard to define additional forms or to complete an application definition editing task.

Using Advanced Matching to Identify Windows Forms

For most Windows applications, form identification matching for user credential management events can be specified on the Identify form page of the Form Definition wizard (see Form Definition Process on page 64 for additional information). However, some user credential management forms are more difficult to identify than simply evaluating the combination of the executable file name and the associated window title. For these types of forms, administrators can click Advanced Matching on the Identify form page of the Form Definition wizard to open the Advanced Matching dialog box. The Advanced Matching dialog box supports the following Windows identification features:

- Class Information
- Control Matching
- SAP Session Information
- Window Identifier
- Identification Extensions
Class Information

This setting is used to define the window class identifiers to ignore, or the window class identifier to react to, when multiple windows can match the specified window title and associated executable file. Do not use this type of matching for .NET applications or for applications that use the Windows class (default class).

This setting is useful when the window class is dynamic. In this case, use wildcard characters to match a dynamic window class identifier:

Wildcard   Description
?          Use only for a single dynamic/changing character.
*          Use this value to represent dynamic identifier data of one or more characters. This value is not recommended for empty window class identifiers; use NULL for those situations.
NULL       Use this value for empty window class identifiers (the word NULL must be all uppercase).

This control is also useful when trying to identify one window class from among many possible window class targets. The following conditions apply:

- The specified window title and associated executable file result in multiple matching candidates. This condition most often occurs when the window title contains dynamic data and wildcards are specified.
- The target form must be associated with a unique window class identifier, and all other candidates must use different window class identifiers.

When defining user credential management event forms that meet these conditions, this setting is used to identify the window class identifiers to ignore, or the window class identifier to allow.

For application definitions that meet these conditions, define a Windows application until you reach the Identify form page of the Form Definition wizard (see Form Definition Process on page 64 for additional information). Click Advanced Matching and then select the Class Information option. Continue as follows:

1. Click Select to choose the target application from among the applications currently open on your computer.
   Note: To expand your choices, select the Show hidden program windows check box and/or the Show child windows check box. If the Include full executable path name in identification (secure path) check box is selected, it is ignored.
2. After choosing a target application, click OK to return to the Advanced Matching dialog box.
3. Populate the Ignore this window class field with the window class of the windows to ignore, and the Allow window class field with the window class that the agent software is to recognize.
4. When complete, click OK and continue defining the form actions (see Define Form Actions on page 51 for additional information).

Control Matching

Some applications assign dynamic information to control labels. In these cases, the window title, its associated executable application, and the control ID (or IDs) can be the same for several different user credential management forms, while the text labels or other properties on the form change in response to application-specific events. For these types of forms, use the control matching configuration options to uniquely identify a form for a specific agent action based on the unique class, style, or text values associated with a control ID (or multiple control IDs, if multiple definitions are required to uniquely identify the form).

For application definitions that meet these conditions, define a Windows application until you reach the Identify form page of the Form Definition wizard (see Form Definition Process on page 47 for additional information). Click Advanced Matching and then select the Control Information option. Continue as follows:

1. Click Add Match to open the Define Matching Criteria dialog box, which is used to define the matching criteria.
   Note: You need to define only enough control matching criteria to uniquely identify the user credential management form being defined.
2. From the Define Matching Criteria dialog box, click Select to open the Control Match wizard. This wizard is used to identify a control ID characteristic (Class, Style, or Text) and the value that must be present or not present to uniquely identify the form.
3. Select the target application from the list and click Next. This action displays the class, text label, and style settings for each identified control ID for the selected application.
   Note: To view hidden windows, select the Show hidden windows check box.
4. Right-click a control ID entry. This action opens a popup used to select the control ID characteristic (Class, Style, or Text) that is to be used to qualify the form for the selected control ID.
5. Select the characteristic (or None to close the popup without making a selection). An icon representing the selected characteristic appears to the left of the entry.
6. Repeat steps 4 and 5 for each control ID that is to be used to uniquely identify the form. When all the selections and assignments are made, click Finish to close the Define Matching Criteria dialog box.
7. The control IDs and the associated characteristics to be used to uniquely identify the form are now identified. Next, assign the values to each control ID characteristic. Highlight a control ID and select Edit. This action opens the Define Control Matching dialog box, which is used to edit the content of the selected control ID. Set the Variables associated with each identified control ID to equal or not equal (Condition) the defined Values to uniquely identify the form. After all the Values are defined, ensure that a Match Name is defined so that you can click OK and save the data. This action returns you to the Advanced Matching dialog box with the newly defined control ID matching values saved under the Match Name entry you just defined.
8. When complete, select OK and continue defining the form actions (see Define Form Actions on page 51 for additional information).
SAP Session Information

Older versions of SAP are managed using the standard Windows and Web application definitions. However, the Advanced Matching dialog box provides support for SAP applications when multiple SAP systems are defined to use the same SAP GUI user logon interface (such as the SAP Logon Pad).

SAP Session Information support requires that the SAP administrator enable GUI scripting on the server. This allows the console and the agent software to interrogate the SAP Logon Pad and determine the System ID and/or Server name required to uniquely identify the specific user credential management form. By using the SAP Session Information option, the session information can be extracted from an SAP window to uniquely identify and differentiate one SAP logon window from another.

For SAP application definitions that meet these conditions, define a Windows application until you reach the Identify form page of the Form Definition wizard (see Form Definition Process on page 47 for additional information). Click Advanced Matching and then select the SAP Session Information option. Continue as follows:

1. Ensure that the SAP LogonPad application is started.
2. To identify the target application, click Use Selected Window or Select Another Window. If Select Another Window is clicked, the Select a Program Window dialog box opens to display the application candidates that are open on your system.
   Note: The target SAP Logon Pad should appear. None of the check box options that appear on this dialog box are applicable.
3. After selecting an application, the SAP System ID and Server Name field data is obtained automatically from the window. These values can also be entered manually. Both fields accept regular expressions for their respective values, which is useful for controlling the ability to match multiple servers. Another reason to enter the values manually is to match both the DNS and NetBIOS names of a server. Use the following regular expression format to support both:
   ^servername(\.domain\.com)?$
4. When complete, click OK and continue defining the form actions (see Define Form Actions on page 51 for additional information).

Note: To identify a Change password form, identify the form using the Control Matching features (see Control Matching on page 55 for additional information).
SAP GUI scripting messages can be generated whenever a program attempts to establish a connection to the SAP LogonPad using the SAP GUI. In this case a registry setting can be changed to prevent the message. The key is HKEY_CURRENT_USER\Software\SAP\SAPGUI Front\SAP Frontend Server\Security\WarnOnAttach. It is a DWORD. If this value is set to 0, the message is not shown. The default value is 1. Note that setting it to 0 suppresses the warning for any program that attaches to the SAP GUI, not only for the agent software.

Window Identifier

This page is used to define a Windows control ID that uniquely identifies a form when more than one window can be identified using only the defined window title and the executable file name. It is useful only if the Windows control ID can be used to differentiate between the multiple forms that can be identified. Select the Enable matching by Window Control ID check box and provide the control ID that uniquely differentiates the window for the form being defined from all the other possible forms.

Identification Extensions

Identification extensions are part of the Application Definition Extensions. These extensions provide support for using applications that are external to the agent software to recognize the occurrence of a user credential management event and perform the credential submission process. Although Password Manager administrators can generally create application definitions using the Password Manager Console and the Application Definition Tool, some applications have special considerations or requirements that require an alternate means of detecting the application and submitting the user credentials or performing other similar actions. To support these applications, Password Manager administrators can use the Application Definition Extensions to provide an abstraction for the application controls and the associated data input mechanisms.

Identification extensions are developed by third-party implementers and implementation is application-specific. Therefore the procedures required to configure their use are also application-specific. Generally Password Manager administrators are not involved in the development of these extensions. Because configuration of these extensions is extension-specific, instructions for configuring the extension will most likely accompany the extension. See Application Definition Extensions on page 231 for additional information.
Using the Action Editor to Define the Action Sequence for Forms

The Define form actions page is used to define the actions that must be performed by the agent software to submit the credentials for the specific user credential management form being defined. For many Windows applications, the process described in Define Form Actions on page 51 is all that is required. However, some forms require more information, steps, special keys, or other actions to successfully complete a user credential management task. For these forms, click Action Editor (on the Define Form Actions page) to open the Action Editor dialog box.

The Action Editor dialog box consists of:

- Available actions: displays all possible action-sequence actions.
- Action configuration: used to define the action-specific options to include in the action sequence.
- Action sequence: displays the sequence of defined actions to perform to process the specific user credential management form.

At the bottom of the Action Editor dialog box is the Advanced Settings button that is used to access the Advanced Settings dialog box. The Advanced Settings dialog box has two controls:

- Control ordinal numbers: select this check box to use control ordinal numbers (often referred to as Z-order) instead of control ID numbers. Control ordinal numbers are independently enumerated during the definition process (and by the agent software) to uniquely identify the controls independently of the control ID numbers defined by the application. Citrix recommends selecting this feature when defining .NET applications that dynamically generate control ID numbers or for applications that have duplicate control ID numbers.
- Initial delay: select this option and define the amount of time that the agent software is to delay processing before beginning the action sequence. A delay can also be configured by starting the action sequence with a delay using the Insert delay action (see Action Descriptions on page 60 for additional information). Unlike the Insert delay option that is accessed from the Available actions area on the Action Editor dialog box (defined as a send key operation), an initial delay defined here can be used to avoid creating an application definition that is supported only on Versions 4.5 and 4.6 of the agent software.

Action Sequence Definition Process

The definition process consists of the following:

1. Select an action from among the choices in Available actions.
2. Configure the action using the Action configuration options. When you are satisfied with the configuration settings, click Insert. The configured action appears in Action sequence.
3. Repeat Steps 1 and 2 for all actions required by the user credential form.
4. Highlight the actions and click Move Up or Move Down to arrange the actions in the correct execution sequence required by the user credential management form being defined.
5. When satisfied that the action sequence is correct and complete, click OK. This action returns you to the Define form actions page with the defined action sequence displayed in the Action sequence area.
6. Click Next to continue the form definition process on the Configure other settings page. If any combination of form actions limits the defined sequence to only Versions 4.5 or 4.6 of the agent software, a message appears to allow you to continue or return to modify your configuration.

Action Descriptions

In the following action descriptions, each action is identified as a control ID operation, send key operation (mimic a keystroke), or advanced operation. To avoid creating an application definition that is not supported by Versions 4.0 and 4.1 of the agent software, define action sequences that include only control ID operations or only send key operations. Password Manager Agent Versions 4.0 and 4.1 do not support these action descriptions and do not respond to application definitions containing them.
Set Control Text (Control ID Operation)

The Set control text action is used to assign user credential values to their target window controls on the form. Only unassigned user credential values appear in the list. Selecting this option displays all the editable controls in the selected form. As a Window control is selected, the associated control is visibly highlighted in the application to assist in assigning the correct user credential value to a control. To assign a value to a control, select a User credential value and its associated Window control, then click Insert.

Submit Form

The Submit form action is used to associate a submit action with a button. This action allows you to either Click a window button (control ID operation) or Send the Enter key (send key operation). Select Click a window button to associate the button to use on the form for the submit action. As a Window button is selected, the associated control is visibly highlighted in the application to assist in selecting the correct button. After making your selection, click Insert.

Send Text to Window (Send Key Operation)

The Send text to window action is used to send text or a user credential value to the form as a send key operation. When sending user credential values, only unassigned user credential values appear in the list. After making your selection, click Insert.

Send Hot Key (Send Key Operation)

The Send hot key action is used to send any combination of key modifiers and a selected key to the form. After making your selection, click Insert.

Send Special Key (Send Key Operation)

The Send special key action is used to send a special key to the form. To send a value to the form, select a Category value and a Key value and click Insert.

Insert Delay (Send Key Operation)

The Insert delay action is used to wait for the defined amount of time before processing the next action in the action sequence. To insert a delay, enter a value in Length of delay and click Insert.

Launch Action Extension (Advanced Operation)

Action extensions are part of the Application Definition Extensions. These extensions provide support for using applications that are external to the agent software to recognize the occurrence of a user credential management event and perform the credential submission process.
Although Password Manager administrators can generally create application definitions using the Password Manager Console and the Application Definition Tool, some applications have special considerations or requirements that require an alternate means of identifying an application and submitting the user credentials or performing other similar actions. To support these applications, Password Manager administrators can use the Application Definition Extensions to provide an abstraction for the application controls and the associated data input mechanisms.

The extensions developed by third-party implementers are application-specific. Therefore the procedures required to configure their use are also application-specific. Generally Password Manager administrators are not involved in the development of these extensions. Because configuration of these extensions is extension-specific, instructions for configuring the extension will most likely accompany the extension. See Application Definition Extensions on page 231 for additional information.

Considerations for Windows Type Definitions

When defining Windows type application definitions, consider the following:

- Application templates help reduce the effort of creating application definitions. Citrix provides application templates for many commonly used applications. If the template you are looking for is not available with the installed product, go to the Citrix Web site ( to see if an existing template is available. See Overview of Application Templates on page 37 for additional information.
- Test your application definitions with the agent software before you make them available to users. Most application definitions work using only the basic information. If an application definition does not work as expected in your test environment, it may be due to unique features such as a dynamic window title, dynamic control IDs, or other special identifiers or actions that were programmed into the application.
- To export application definitions from your test environment to your production environment, use the Export administrative data task from the Password Manager Console.
- Settings that are selected at the application definition level apply to all forms within the application definition. Some settings that are selected at the application definition level can be overridden at the form level. For example, for an application with three defined forms, auto-submit can be enabled at the application definition level. Each time the agent software encounters one of these three forms for this application, the user credentials are supplied and submitted automatically. However, auto-submit can be disabled for one of the forms at the form level, and the agent software will then not submit the information for that specific form automatically; in this case the user is required to click Submit or OK for the selected form.
- To create a hot key for a custom field name, place an ampersand (&) in the field name immediately before the letter you want to specify as the hot key. If no hot key is identified, the agent software dynamically appends a numeric value as the hot key for the control. This appears on the button as (1) or (2), depending on the number of custom fields that are defined. Be sure to test the resulting form to ensure that the defined name does not exceed the amount of space allocated to the custom field name.

Web Type Application Definitions

Web type application definitions are used to identify Web-based applications, including Java applets. Typically, any application that runs in a browser is categorized as a Web application for the purposes of defining an application definition. Password Manager supports Web applications running on Internet Explorer Version 6.0 or 7.0.

Web application definitions are created, in part, by identifying parts of the Web application as it runs. In the Password Manager application definition for a Web application, information is provided about the application forms and the fields used to collect user credential information using the Form Definition wizard. The Form Definition wizard is started when:

- Using the Application Definition wizard to create a new application definition
- Editing a form in an existing application definition
- Adding a form to an existing application definition

The type of application being defined is identified when a new application definition is initiated. See Application Definition Wizard Overview on page 42 and Form Definition Wizard Overview on page 45 for additional information.
Gathering the Information Required for Web Application Definitions

Usually the best (and simplest) way to gather the information required for Web application definitions is to launch the application and navigate to the form that requires a user credential management event (user logon, change password, successful password change, or failed password change) while running the Form Definition wizard from the console or from the Application Definition Tool. The wizard's on-screen text provides instructions for locating and identifying the applicable parts of the application.

Form Definition Process

The form definition process consists of collecting the form-specific identification information and action information using the following pages in the Form Definition wizard for Web applications:

- Name form
- Identify form
- Configure other settings
- Confirm settings

After completing the actions required for a specific page, click Next to proceed through the wizard. The Back button is generally available on each page to return to previously configured options. However, changing some previously configured options may require you to alter subsequent settings.

Name Form

When creating application definitions for Web type applications, the Name form page of the Form Definition wizard is used to:

- Assign a user-defined name to the form being created
- Identify the type of form being created
- Identify any special actions

Consider that the name assigned to the form appears on the Manage forms page of the Application Definition wizard. Assign a name that is meaningful to the type of form being defined. Several types of standard user credential processing forms can be defined using the Form Definition wizard, including:
- Logon form: used to identify the logon interface to an application, and to manage the user credential actions required to gain access to the associated application.
- Password change form: used to identify the password change interface to an application, and to manage the user credential actions required to change the user password to the associated application.
- Successful password change form: used to identify the password change interface to an application, and to manage the user credential actions required to acknowledge the successful change to a password for the associated application.
- Failed password change form: used to identify the unsuccessful password change interface to an application, and to define the actions to take when a credential change operation is unsuccessful.

Password Manager Agent Versions 4.0 and 4.1 do not support successful or failed change credentials forms and do not respond to application definitions containing these forms.

Use the Special actions area to identify any special form treatments for the form being defined:

- No special action: select this option for normal Web form processing.
- Redirect to Windows application: select this option when no form is recognized for the Web application in the Web Form wizard (see Identify Form). This occurs when the Web application uses ActiveX controls, Flash-based controls, some types of Ajax controls, or other non-HTML based controls to manage user credential management events. See Redirect to Windows Application Configuration on page 67 for additional configuration information.
- Ignore this form when it is detected by the agent software: select this option to have the agent software ignore the form.

Identify Form

When creating application definitions for Web type applications, the Identify form page is used to provide the information required to have the Password Manager Agent software uniquely recognize the form being defined.
Web applications are identified using the URL address associated with the user credential management form being defined. Click Select to open the Web Form wizard that is used to identify the URL address and define the user credential management actions for the form being defined (see Web Form Wizard on page 67). After completing the Web Form wizard, you are returned to this page. Two check boxes are available to manage how identified URLs are interpreted:

- Strict URL matching: select this check box to recognize only user credential management events from Web applications that are started using the specified URL(s). Some URLs contain dynamic data such as session management identifiers, application parameters, or other identifiers that can change for each instance. In these circumstances, strict matching results in the URL not being recognized.
- Case-sensitive URL: select this check box to use exact case matching for the URL(s).

Configure Other Settings

For Web definitions, this page is used to specify whether the submit button is pressed automatically by the agent software or the user is required to press the button manually. Select the Agent submits this form automatically check box to submit the form without user intervention.

Some Web applications use dynamic URLs. If this condition is encountered, click Advanced to access the Advanced Settings dialog box that is used to specify additional form definition criteria to match the Web form (see Advanced Settings Dialog Box for Web Applications on page 68 for additional information).

Confirm Settings

The Confirm settings page is the last page of the Form Definition wizard. It is used to review the configuration options and settings associated with the form. It allows the administrator to review the configuration before finishing the form and returning to the Application Definition wizard to define additional forms or to complete an application definition editing task.
Web Form Wizard

The Web Form wizard is used to identify which fields in the selected Web application are to receive user credentials and which control is used to submit the form. The identified form appears in the top half of the page while the identified form fields appear in the bottom half of the page.

If no form fields are identified, the form definition must be redirected to a Windows type application to use send key options to manage the form interface. In this case, ensure that Redirect to Windows application is selected on the Identify form page and see Redirect to Windows Application Configuration on page 67 for additional configuration information.

Otherwise, right-click entries in the bottom half of the page to visibly highlight the corresponding form field in the top half of the page. Using the visual indication, assign the user credential that should populate the associated field. Repeat for all the credentials associated with the user credential management form being defined.

Sometimes field names are dynamically populated. In this case, select the Use ordinals as field names check box to identify the fields using ordinal numbers. Ordinal numbers are independently numbered and not dependent on information provided by the application.

After all the credentials are assigned and the control used to submit the form has been identified, click OK to return to Identify Form on page 48.

Redirect to Windows Application Configuration

When no form is recognized for the Web application in the Web Form wizard (see Web Form Wizard on page 67), the form definition must be redirected to use a form definition defined for a Windows application. Forms may not be recognized when the Web application uses ActiveX controls, Flash-based controls, some types of Ajax controls, or other non-HTML-based controls to manage user credential management events. In these cases, ensure that the Redirect to Windows application check box is selected on the Identify form page (see Identify Form on page 48). Click Next to progress through each of the remaining Form Definition wizard pages, and click Finish on the Confirm settings page. The form recognition characteristics and credential actions must then be defined using Windows type definitions and send key actions (see Windows Type Application Definitions on page 46 for additional information).
Advanced Settings Dialog Box for Web Applications

Some Web applications use dynamic URLs. When this condition is encountered, additional form definition criteria (referred to as detection matching entries) must be used to uniquely identify a specific user credential management form. These detection matching entries are defined using the Match Detail dialog box and appear on the Advanced Settings dialog box. To access the Match Detail dialog box, click Advanced on the Configure other settings page to access the Advanced Settings dialog box, then click Add.

Use the Match Detail dialog box options and controls to define the criteria used to uniquely identify a specific user credential management form. It works by looking for specific values in the tagged content of the HTML form presented to manage a specific user credential management action. You need to define only enough match conditions to uniquely identify the user credential management form being defined.

To create a detection match entry, ensure that you have a source view of the specific HTML user credential management form open so that you can identify the tags and matching criteria that will be used to create detection matching entries.

1. From the Configure other settings page of the Form Definition wizard, click Advanced. This action opens the Advanced Settings dialog box.

2. From the Advanced Settings dialog box, click Add. This action opens the Match Detail dialog box. Use this dialog box to create a detection matching entry used to uniquely identify the form being defined. This dialog box is divided as follows:

   Tag
   This field is used to search for the identified HTML tag. If the specific instance of the tag is known, select the Match tag instance check box and identify which instance in the document to use. If no specific instance is identified, all instances in the document are evaluated. Only the tag needs to be specified, not the delimiters (for example, p rather than <p>). As a guideline, select the tag nearest to the content you are matching.

   Note: Because the match tag instance option can vary from browser to browser, use this feature only when necessary and test your configuration well.

   Matching criteria
   This area is used to define the criteria to match. Select one of the following criteria:
   - Text: any text found in the HTML code.
   - HTML: any specific code found within the specified tag.
   - Attribute: any attribute of the HTML code (such as the name attribute of a form tag).

   Value to match
   This field is used to enter the value to match. Select the Match whole value check box to enforce strict matching of the value (any unspecified text that is found in the tag element causes the match to fail). Include all delimiters and quotes that could be encountered.

   Note: The Match whole value check box should be selected only when there are multiple instances of similar matching criteria.

   Operator
   This area is used to define the relationship of this match entry to the others defined for this form. The options include:
   - AND: select this option when this match entry is one of multiple matches that must succeed to identify the form. By selecting this option, the current match outcome is compared with the next match outcome. If both are true, the match succeeds.
   - OR: select this option when this match alone can successfully identify the form. By selecting this option, the current match outcome is compared with the next match outcome. If either is true, the match succeeds. This option is used for single match definitions.
   - NOT: select this option to apply negative logic to the operator. This operator is used to define match criteria that must not appear on the page for the match to succeed.

3. After creating the detection matching entry, click OK. This action displays the newly created detection matching entry in the Advanced Settings dialog box.

4. Repeat Steps 2 and 3 for each detection matching entry required to uniquely identify the user credential management event form being defined.
5. If more than one detection matching entry appears in the Advanced Settings dialog box, use the up and down buttons to arrange the entries in the correct processing order. The detection entries are evaluated from top to bottom, and the evaluation sequence can be very important to confirm a proper match.

Host/Mainframe Type Application Definitions

Host/Mainframe type application definitions are used to identify host-based applications including mainframe, AS/400, OS/390, UNIX, or other host-based sessions. Password Manager provides single sign-on functionality to host-based applications through terminal emulators that implement a High-Level Language Application Programming Interface (HLLAPI), or that have a built-in scripting language that can display a dialog box.

Gathering the Information Required for Host Application Definitions

Usually the best (and simplest) way to gather the information required for Host application definitions is to launch the application. Host-based application definitions are created using the Form Definition wizard. The wizard is used to identify one or more text strings that must be present (or not present) on the host application screens for a specific user credential management form (user logon, change password, successful password change, or failed password change). As you navigate to the user credential management form being defined, record all the user actions required to access the form. These actions must be provided in the form definition for each form while running the Form Definition wizard from the console or from the Application Definition Tool. After identifying the correct user credential management form, the coordinates of the data entry fields used for submitting the appropriate user credential information to the application are defined. These are defined by specifying the sequence of actions or keystrokes required to move between fields or screens and enter text.
The Form Definition wizard is started when:

- Using the Application Definition wizard to create a new application definition
- Editing a form in an existing application definition
- Adding a form to an existing application definition
The type of application being defined is identified when a new application definition is initiated. See Application Definition Wizard Overview on page 42 and Form Definition Wizard Overview on page 45 for additional information.

Form Definition Process

The form definition process consists of collecting the form-specific identification information and action information using the following pages in the Form Definition wizard for Host applications:

- Name form
- Identify form
- Set field detection rules
- Configure other settings
- Confirm settings

After completing the actions required for a specific page, click Next to proceed through the wizard. The Back button is generally available on each page to return to previously configured options. However, changing some previously configured options may require you to alter subsequent settings.

Name Form

When creating application definitions for Host type applications, the Name form page of the Form Definition wizard is used to:

- Assign a user-defined name to the form being created
- Identify the type of form being created

Consider that the name assigned to the form appears on the Manage forms page of the Application Definition wizard. Assign a name that is meaningful to the type of form being defined. Several types of standard user credential processing forms can be defined using the Form Definition wizard, including:

- Logon form: used to identify the logon interface to an application, and to manage the user credential actions required to gain access to the associated application.
- Password change form: used to identify the password change interface to an application, and to manage the user credential actions required to change the user password to the associated application.
- Successful password change form: used to identify the password change interface to an application, and to manage the user credential actions required to acknowledge the successful change to a password for the associated application.
- Failed password change form: used to identify the unsuccessful password change interface to an application, and to define the actions to take when a credential change operation is unsuccessful.

Password Manager Agent Versions 4.0 and 4.1 do not support successful or failed change credentials forms and do not respond to application definitions containing these forms.

If the emulator you are using displays more than one logon or password change page, you must create a form for each page.

Identify Form

When creating application definitions for Host type applications, the Identify form page is used to provide the information required to have the Password Manager Agent software uniquely recognize the form being defined. Host applications are identified by locating text strings that appear at specified row and column locations on the host application page. Only enough text string matches to uniquely identify the host need to be defined.

To add a text-match qualification entry, perform the following procedure:

1. Ensure that the Host application is started and that you have already determined the text strings that will be used to uniquely identify the target application.

2. Click Add to add a new text match entry to the list of text match entries used to qualify the application. This action opens the Text to Match dialog box.

3. Complete the following fields on the Text to Match dialog box:

   Text string
   Enter the exact text that will be used to identify the application.

   Row
   Enter the exact row number for the string.
   Column
   Enter the exact column number for the string.

   Note: When the agent software scans a host application, the agent examines the screen for the exact text string to appear at the defined row and column location. If the text at the defined coordinates does not match the specified text, the screen is ignored.

4. After entering the string value to compare and the coordinates where the string appears, click OK. The defined Text to Match entry appears on the Identify form page.

5. Often, more than one text string must be defined to exactly identify the correct start of the target Host application. If more Text to Match strings are required, repeat Steps 2 through 4 for each string.

6. After all Text to Match entries are defined, click Next to continue.

Set Field Detection Rules

The Set field detection rules page is used to identify the location and key actions required to manage the user credential form being defined. The objective is to create field entries that indicate the user credential to process, the location on the screen where the user credential is to be inserted (row and column coordinates), and the keystrokes required to advance the cursor to the next credential or submit action.

To add a field entry, perform the following procedure:

1. Click Add to open the Define Field dialog box.

2. Complete the following fields on the Define Field dialog box:

   Field function
   Select the user credential to be submitted from among the choices that appear in the drop-down list box.

   Row
   Enter the exact row number for the field.

   Column
   Enter the exact column number for the field.

   Keys after
   Enter the key codes required to advance to the next credential field, or to perform the submit action.
74 74 Citrix Password Manager Administrator s Guide Note: Select the Virtual key codes hyperlink to access help information about the valid key codes. 3. After entering all the data required for the field entry, click OK. This action displays the defined field entry on the Set field detection rules page. 4. Repeat Steps 1 through 3 for each user credential required by the form being defined. 5. The field entries displayed on the Set field detection rules page are processed from top to bottom as they appear on the page. Use the Up and Down arrow keys to arrange the entries in the sequence required by the user credential form being processed. 6. After all field entries are defined and sequenced, click Next to continue. Configure Other Settings The Configure other settings page is used to access advanced settings options for the form being defined. Advanced settings include: Defining an initial form processing delay Defining the keystrokes required to access the user credential management form being defined Defining whether or not to use ENTER instead of TAB to move between fields on the form Defining text string matching criteria that tells the agent software to ignore processing If any additional advanced configuration is required for the user credential management form being defined, click Advanced to open the Advanced Settings dialog box and continue with Advanced Settings for Host Applications on page 74, otherwise click Next to continue. Confirm Settings The Confirm settings page is the last page of the Forms Definition wizard. It is used to review the configuration options and settings associated with the form. It allows the administrator to review the configuration before finishing the form and returning to the Application Definition wizard to define additional forms or to complete an application definition editing task. 
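The following Python script models how the Identify form, Set field detection rules and Configure other settings pages described above fit together: every Text to Match entry must appear exactly at its row and column before anything is typed, an Ignore Match string stops submission, and the field entries are processed top to bottom with their Keys after codes. It is an added example written to illustrate this guide, not Citrix code and not a description of the agent's internals; the data classes, the {TAB}/{ENTER} key notation, the 1-based coordinates, the rule that any single Ignore Match entry stops submission, and the PAYROLL SYSTEM SIGNON screens are all assumptions constructed for illustration.

```python
"""Host form identification and field submission, modelled on the Identify form,
Set field detection rules and Configure other settings pages described above.
Added example, not Citrix code: the data classes, the {TAB}/{ENTER} key notation
and the sample screens are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class TextMatch:
    """One Text to Match entry: exact text at a 1-based row/column (assumed origin)."""
    text: str
    row: int
    column: int

@dataclass
class FieldRule:
    """One Define Field entry: which credential goes where, and the keys sent after it."""
    function: str         # "Username" or "Password" in this example
    row: int
    column: int
    keys_after: str = ""  # virtual key codes; empty means "use the form's move key" (assumption)

@dataclass
class HostForm:
    identify: List[TextMatch]
    fields: List[FieldRule]
    ignore: List[TextMatch] = field(default_factory=list)  # Ignore Match entries
    keys_before: str = ""                                  # Advanced: keys to reach the form
    enter_instead_of_tab: bool = False                     # Advanced: move key

def text_at(screen: List[str], row: int, column: int, length: int) -> Optional[str]:
    """Return the text at the coordinates, or None if they fall outside the screen."""
    if not 1 <= row <= len(screen):
        return None
    line = screen[row - 1]
    start = column - 1
    if start < 0 or start + length > len(line):
        return None
    return line[start:start + length]

def screen_matches(screen: List[str], entries: List[TextMatch]) -> bool:
    """All Text to Match entries must appear exactly at their coordinates."""
    return all(text_at(screen, e.row, e.column, len(e.text)) == e.text for e in entries)

def plan_submission(form: HostForm, screen: List[str],
                    credentials: Dict[str, str]) -> Optional[List[Tuple]]:
    """Return the ordered actions the agent would take on this screen, or None when
    the screen is not the form or an Ignore Match entry is present (assumption:
    any single matching Ignore Match entry stops submission)."""
    if not screen_matches(screen, form.identify):
        return None                     # not our form: the screen is ignored
    if any(screen_matches(screen, [e]) for e in form.ignore):
        return None                     # Ignore Match hit: no credentials are sent
    move_key = "{ENTER}" if form.enter_instead_of_tab else "{TAB}"
    actions: List[Tuple] = []
    if form.keys_before:
        actions.append(("keys", form.keys_before))
    for rule in form.fields:            # processed top to bottom, as listed on the page
        if rule.function not in credentials:
            raise KeyError(f"no stored credential for field '{rule.function}'")
        actions.append(("type", rule.row, rule.column, credentials[rule.function]))
        actions.append(("keys", rule.keys_after or move_key))
    return actions

# --- constructed 24x80 sample screens (not captured from a real host) ----------------
def blank_screen(rows: int = 24, cols: int = 80) -> List[str]:
    return [" " * cols for _ in range(rows)]

def put(screen: List[str], row: int, column: int, text: str) -> None:
    line = screen[row - 1]
    screen[row - 1] = line[:column - 1] + text + line[column - 1 + len(text):]

def sample_logon_screen(expired: bool = False, shifted: bool = False) -> List[str]:
    s = blank_screen()
    put(s, 1, 31 if shifted else 30, "PAYROLL SYSTEM SIGNON")  # look-alike is one column off
    put(s, 5, 10, "Userid  . . . . :")
    put(s, 7, 10, "Password  . . . :")
    if expired:
        put(s, 3, 30, "PASSWORD EXPIRED")
    return s

PAYROLL_LOGON = HostForm(
    identify=[TextMatch("PAYROLL SYSTEM SIGNON", 1, 30), TextMatch("Userid", 5, 10)],
    fields=[FieldRule("Username", 5, 28), FieldRule("Password", 7, 28, "{ENTER}")],
    ignore=[TextMatch("PASSWORD EXPIRED", 3, 30)],
)

if __name__ == "__main__":
    creds = {"Username": "jdoe", "Password": "s3cret"}
    print(plan_submission(PAYROLL_LOGON, sample_logon_screen(), creds))
    print(plan_submission(PAYROLL_LOGON, sample_logon_screen(shifted=True), creds))  # None
    print(plan_submission(PAYROLL_LOGON, sample_logon_screen(expired=True), creds))  # None
```

Running the script prints the action list for the genuine screen and None for both the shifted look-alike and the PASSWORD EXPIRED screen, which is the property you want from a host form definition: nothing is typed until the screen is positively identified. If a definition of your own still produces actions on a screen it should not, add Text to Match entries until that screen returns None as well.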
Advanced Settings for Host Applications

Some Host applications require additional configuration to ensure that the correct user credential management form is identified. That might include:
- Waiting a defined amount of time for the host application to start before attempting to identify it
- Sending a series of keystrokes to navigate to the initial logon page or change password page
- Ignoring a page when specific text appears on it

When advanced configuration settings are required for the form being defined, click Advanced on the Configure other settings page (see Configure Other Settings on page 74) to open the Advanced Settings dialog box. The dialog box has two configuration pages, selected from the panel on the left:
- Host Form Additional Settings
- Ignore Match

Host Form Additional Settings

Highlight Host Form Additional Settings in the left panel to access the following options:
Delay field entries: Enter the number of milliseconds to delay processing the form while waiting for the application to finish loading.
Keys before: Enter the virtual key codes that must be sent to reach the first field of the form. Select the Virtual key codes hyperlink to access the help for the valid virtual key codes.
Use ENTER instead of TAB to move between fields on this form: Select this check box if the application expects ENTER rather than TAB between fields.

Ignore Match

Highlight Ignore Match in the left panel to access the Text match to stop credential submission option. Use it to specify text strings that appear on screens for which the agent must not submit credentials. Its configuration options are identical to those described in Identify Form on page 72.

Considerations for Host Type Definitions

When defining Host type application definitions, consider the following:
- Terminal emulation support must be enabled for each user configuration that uses host applications.
- Verify that your terminal emulator program is HLLAPI compliant.
- Verify that your terminal emulator program is defined in the agent software Mfrmlist.ini file (see Terminal Emulation Support on page 76).
- Save time by using a terminal emulator that shows the row and column coordinates of the cursor position. This makes it easier to determine the location of the text and fields used to identify the host application and its logon forms.
- For HLLAPI detection, the terminal emulator must set a short name for each session. The agent software cannot detect a host-based application without the terminal emulator's session short name.
- The documentation for your host-based application may include unique identifiers, such as screen numbers, for the screens used to submit user logon information. In this case, use the screen number as the unique identifier that ensures the agent software identifies and submits credentials to the correct form.

Terminal Emulation Support

The supported terminal emulators are listed in the Mfrmlist.ini file. This file represents all the terminal emulators tested by Citrix. It is possible to add emulators to this list, but any added definition should be tested and verified before it is introduced into your production environment. A sample section of this file follows:

[Emulators]
Ver=
EMU1=Rumba6
EMU2=Attachmate myextra!
EMU3=Attachmate Extra! 6.3
EMU4=Attachmate Extra! 6.4
EMU5=Attachmate Extra! 6.5
EMU6=Attachmate Extra! 2000
EMU7=Attachmate Extra! 7.1
EMU8=Reflection7
EMU9=Reflection8
EMU10=Reflection9
EMU11=Reflection10
EMU12=PCOM
EMU13=HostOnDemand 4.1
EMU14=GLink
EMU15=Aviva
EMU16=ViewNow
EMU17=ZephyrPC
EMU18=ZephyrWeb
;EMU19=BOSaNOVA
;EMU20=HostExplorer6
;EMU21=HostExplorer8

[Rumba6]
DisplayName=Rumba
RegistryLoc=WALLDATA\Install
ValueName=
DLLFile=SYSTEM\EHLAPI32.DLL
UpdateNotificationHandling=0.FirstLogin
Process=shared
ConvertPosType=long
QuerySessionsType=long
QuerySessionStatusType=long
QueryHostUpdateType=long
StartNotificationType=long
IntSize=16
WindowClass=WdPageFrame
WindowTitle=RUMBA

The emulator entries in the [Emulators] section of the Mfrmlist.ini file must be in numeric sequence, from EMU1 up to and including EMU99. Any break in the sequence causes the Ssomho.exe process to stop reading the list before it reaches the remaining entries, so the emulators after the gap are silently unsupported. Removing or commenting out unused emulators can speed up startup, because Ssomho.exe then does not spend time scanning for the location of unnecessary HLLAPI DLLs. To comment out an entry, move it to the bottom of the list, place a semicolon before it, then renumber the remaining EMU entries so that no number is skipped.
Password Manager cannot update the Mfrmlist.ini file globally; you must overwrite the file manually on each client after installing the agent. For large deployments, Citrix recommends distributing it with batch files or scripts run through Systems Management Server (SMS), CA-Unicenter, or Active Directory software installation. Because Ssomho.exe loads whichever HLLAPI DLL this file names, keep Mfrmlist.ini and the DLL locations it points to writable only by administrators.

Mfrmlist.ini Field Definitions

Emulators added to the Mfrmlist.ini file function only if they follow the HLLAPI standard. If you must add an emulator definition, check with the emulator's manufacturer whether the emulator supports HLLAPI and obtain the correct field values. To determine whether an emulator works with Password Manager, test it outside your production environment. The fields are defined as follows:

[EmulatorName]: The value for EmulatorName must match the value used on the EMUnn=EmulatorName line in the [Emulators] section.
GroupName: Internal use only.
DisplayName: The display name of the emulator, which is one of the two parameters used when spawning a new process to handle the session. Must be unique within the Mfrmlist.ini file.
RegistryLoc: The registry key under HKEY_LOCAL_MACHINE\SOFTWARE that points to the path where the HLLAPI DLL is stored. If the program does not store this information under HKEY_LOCAL_MACHINE\SOFTWARE, use the ExplicitPath setting instead. If both RegistryLoc and ExplicitPath are defined, ExplicitPath takes precedence.
ExplicitPath: The explicit path of the HLLAPI DLL file used by this emulator. Use this setting in place of RegistryLoc when the emulator program does not store the HLLAPI DLL location in the system registry. If both RegistryLoc and ExplicitPath are defined, ExplicitPath takes precedence.
ValueName: The name of the value in the RegistryLoc key that contains the actual path.
DLLFile: The name of the HLLAPI DLL file.
StripFileName: Indicates that the value stored in ValueName contains a backslash (\) that must be stripped when the HLLAPI DLL path is assembled from the ValueName and DLLFile entries.
IntSize: The integer size supported by the emulator, 16-bit or 32-bit.
WindowClass: The window class name for the emulator. Obtained by using the Password Manager Console or the Application Definition Tool.
WindowTitle: A portion of the window title that Password Manager uses to ensure the window is associated with the emulator. Must contain at least one word that is always present in the window title. Wildcards are assumed on either side of the text.
UseSendKeys: Instructs Password Manager to use SendKeys to communicate with the emulator. This option is not the same as the one used for Windows applications.

Additional information about terminal emulators is found in Operations on page 179:
- Supporting Terminal Emulators on page 184
- Terminal Emulator-Based Applications on page 183
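The Python below, an added example and not part of the Citrix agent, automates the two Mfrmlist.ini rules above that are easy to get wrong by hand: it checks that the active EMU entries run from EMU1 without a gap, stay at or below EMU99 and each name an existing section; it comments an emulator out the documented way (moved to the bottom, semicolon, remaining entries renumbered); and it resolves each emulator's HLLAPI DLL path following the ExplicitPath-over-RegistryLoc precedence and StripFileName rules from the field definitions. The [Emulators] and [Rumba6] text is abridged from the sample above; the other three sections, the dictionary standing in for HKEY_LOCAL_MACHINE\SOFTWARE, the reading that an empty ValueName selects the key's default value, and the reading that StripFileName drops everything after the last backslash are assumptions made for illustration.

```python
"""Mfrmlist.ini checks: the EMU1..EMU99 sequence rule from Terminal Emulation
Support and the RegistryLoc / ExplicitPath / StripFileName rules from the field
definitions. Added example, not Citrix code. [Emulators] and [Rumba6] are abridged
from the page; the other sections and the registry stand-in are assumptions."""
import configparser
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_INI = """\
[Emulators]
Ver=
EMU1=Rumba6
EMU2=Attachmate Extra! 6.3
EMU3=Reflection7
EMU4=PCOM
;EMU5=BOSaNOVA
[Rumba6]
DisplayName=Rumba
RegistryLoc=WALLDATA\\Install
ValueName=
DLLFile=SYSTEM\\EHLAPI32.DLL
[Attachmate Extra! 6.3]
ExplicitPath=C:\\Extra\\EHLAPI32.DLL
RegistryLoc=Attachmate\\Extra
DLLFile=EHLAPI32.DLL
[Reflection7]
RegistryLoc=WRQ\\Reflection
ValueName=ExePath
StripFileName=1
DLLFile=HLLAPI32.DLL
[PCOM]
RegistryLoc=IBM\\PCOMM
ValueName=Path
DLLFile=PCSHLL32.DLL
"""

# Constructed stand-in for HKEY_LOCAL_MACHINE\SOFTWARE: key -> {value name: data};
# "" is the key's default value, which an empty ValueName= selects (assumption).
FAKE_HKLM_SOFTWARE: Dict[str, Dict[str, str]] = {
    "WALLDATA\\Install": {"": "C:\\Program Files\\WallData"},
    "WRQ\\Reflection": {"ExePath": "C:\\Reflection\\r2win.exe"},
    "IBM\\PCOMM": {"Path": "C:\\PCOMM\\"},
}
EMU_KEY = re.compile(r"^EMU(\d+)$")

def load(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cfg.optionxform = str  # keep EMU1, DLLFile etc. exactly as written
    cfg.read_string(text)
    return cfg

def emulator_sequence(cfg: configparser.ConfigParser) -> List[Tuple[int, str]]:
    """(number, name) for every active EMUn= line, sorted numerically."""
    found = []
    for key, name in cfg["Emulators"].items():
        m = EMU_KEY.match(key)
        if m:
            found.append((int(m.group(1)), name))
    return sorted(found)

def check_sequence(cfg: configparser.ConfigParser) -> List[str]:
    """Problems Ssomho.exe would stop on: a gap, a number above 99, a missing section."""
    problems = []
    for expected, (n, name) in enumerate(emulator_sequence(cfg), start=1):
        if n != expected:
            problems.append(f"EMU{expected} missing: entries after it are never read")
            break
        if n > 99:
            problems.append(f"EMU{n} exceeds EMU99")
        if not cfg.has_section(name):
            problems.append(f"EMU{n}={name} has no [{name}] section")
    return problems

def disable_emulator(text: str, name: str) -> str:
    """Comment out one emulator the documented way: move it to the bottom of
    [Emulators] behind a semicolon and renumber the rest so no number is skipped."""
    lines = text.splitlines()
    start = lines.index("[Emulators]")
    end = next((i for i in range(start + 1, len(lines)) if lines[i].startswith("[")), len(lines))
    active, disabled, other = [], [], []
    for line in lines[start + 1:end]:
        key, _, value = line.partition("=")
        if EMU_KEY.match(key):
            (disabled if value == name else active).append(value)
        elif key.startswith(";"):
            disabled.append(value)          # already-commented entries stay at the bottom
        elif line.strip():
            other.append(line)              # e.g. Ver=
    rebuilt = other + [f"EMU{i}={n}" for i, n in enumerate(active, 1)]
    rebuilt += [f";EMU{len(active) + i}={n}" for i, n in enumerate(disabled, 1)]
    return "\n".join(lines[:start + 1] + rebuilt + lines[end:])

def hllapi_dll_path(cfg: configparser.ConfigParser, name: str,
                    registry: Dict[str, Dict[str, str]]) -> Optional[str]:
    """ExplicitPath wins; otherwise join the ValueName data under HKLM\\SOFTWARE\\<RegistryLoc>
    with DLLFile, dropping a file name first if StripFileName=1. None: not locatable."""
    sec = cfg[name]
    if sec.get("ExplicitPath"):
        return sec["ExplicitPath"]
    base = registry.get(sec.get("RegistryLoc") or "", {}).get(sec.get("ValueName") or "")
    if not base:
        return None
    if sec.get("StripFileName") == "1":
        base = base.rsplit("\\", 1)[0]
    return base.rstrip("\\") + "\\" + sec["DLLFile"]
```

Run check_sequence over the file you intend to deploy before pushing it out with SMS or a script; a non-empty list means Ssomho.exe would stop reading at that point. The paths hllapi_dll_path returns are also the files whose write permissions you should review, since the agent process loads whatever these entries name.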
4 Creating User Configurations

Note: If you are using a Novell shared folder as your central store, you can create only one user configuration. Citrix Password Manager does not support hierarchical or user-level configurations in this case.

A user configuration enables you to control the behavior and appearance of the agent software for users. Creating one or more user configurations is the final step before distributing the Citrix Password Manager Agent to users in your environment. You can add new user configurations or edit existing ones at any time.

This section describes the following topics:
- What Is a User Configuration? on page 82
- Before You Begin on page 86
- Creating a User Configuration: the User Configuration Wizard on page 87
- Synchronizing Credentials by Using Account Association on page 101
- Resetting and Deleting User Data on page 106
- Prompting Users to Reregister Answers to Security Questions on page 108
- Assigning Priority to User Configurations on page 109
- Assigning a User Configuration to Different Users on page 110
- Upgrading Existing User Configurations on page 111

Note: Read Planning Your Password Manager Environment in the Citrix Password Manager Installation Guide.
What Is a User Configuration?

A user configuration is a unique collection of settings, password policies, and applications that you apply to users associated with an Active Directory hierarchy (organizational unit [OU] or an individual user) or an Active Directory group. A user configuration consists of the following:
- Users associated with an Active Directory domain hierarchy (OU or individual user) or Active Directory group. Note: Distribution groups and Domain Local groups in Active Directory mixed mode are not supported.
- License type and related settings associated with the users (concurrent or named user license model)
- Data protection methods (see Do I Need to Use Identity Verification? and Planning Your User Configurations in the Citrix Password Manager Installation Guide)
- Application definitions that you created, which you can combine into an application group when you create a user configuration
- Password policies associated with any application groups
- Self-service features (account unlock and password reset) and key management options (use of previous passwords, security questions, and automatic key management)
- Settings for options such as credential provisioning and application support

Default User Configuration Properties

The following table lists the properties associated with a user configuration and their default settings; use it to record your own settings. A default shown as (blank) means the property has no value until you supply one.

Account Association
  Account association default domain: Not provided
  Account association default service address: Not provided
  Allow users to associate accounts: No
  Allow users to edit domain: No
  Allow users to edit service address: No
  Allow users to remember password: No

Agent User Interface
  Display computer name in notification icon ToolTip: No
  Set the default columns and column order shown in Logon Manager: Application Name, Description, Group, Last Used, Modified, Password, URL/module, Username ID
  Show notification icon: Yes
  Specify the length of time the agent delays credential submission: 0 seconds

Application Support
  Detection of client-side application definitions: All applications
  Enable support for terminal emulators: No
  Number of domain name levels to match: 99
  Time interval in which the agent checks the terminal emulator for changes: 3000 milliseconds

Basic Agent Interaction
  Allow users to pause agent: Yes
  Allow users to reveal all passwords in Logon Manager: No
  Automatically detect applications and prompt user to store credentials: Yes
  Automatically process defined forms when the agent detects them: Yes
  Force re-authentication before revealing user passwords: Yes
  Notify user when agent synchronization fails: Yes
  Time between agent re-authentication requests: 8 hours

Client-side Interaction
  Delete user's data folder and registry keys when the agent is shut down: No
  Enable users to cancel credential storage when a new application is detected: Yes
  Enforce password matching during initial credential setup: Yes
  Limit the number of days to keep track of deleted credentials: 180 days
  Log Citrix Password Manager events using Windows event logging: No

Data Protection Methods
  Allow protection using blank passwords: No
  Allow Smart Card PINs: No
  Microsoft Data Protection API: No
  Regulate account administrator access to data: Yes
  Smart Card Certificate: No
  Smart Card key source: Smart Card Data Protect
  Users authentication data: Yes

Hot Desktop
  Enable graphic: No
  Enable session indicator: Yes
  Graphic path: (blank)
  Lock time-out: 10 minutes
  Session settings script path: (blank)
  Session time-out: 5 minutes

Key Management Module
  Service location: (blank)

Licensing
  Allow license to be consumed for offline use: No
  Concurrent user disconnected mode period: 1 hour 30 minutes
  Continue without validating licensing information: No
  License server name and port number: server:port
  Named user disconnected mode period: 21 days

Product Edition
  Product edition: Select Product edition

Provisioning module
  Use provisioning: No
  Provisioning service location: (blank)

Secondary Data Protection
  Identity verification method: Previous Password

Self-Service Features
  Reset domain password: No
  Unlock domain account: No

Synchronization
  Allow agent to operate when unable to reconnect to central store: Yes
  Allow users to update agent settings: Yes
  Allow user credentials to be accessed through the Credential Synchronization Module: No
  Synchronize every time users launch recognized application or Logon Manager: No
  Time between automatic synchronization requests: 0 minutes
Before You Begin

Note: See Account Requirements to Install and Use Password Manager in the Citrix Password Manager Installation Guide.

Before you create your user configurations, ensure that you have already created or defined the following:
- Central store
- Application definitions
- Password policies
- Security questions

You must create user configurations before you deploy the Password Manager Agent to users. Among other settings, a user configuration contains the license server and licensing information the agent software needs in order to operate.

The following section describes topics to consider before creating your user configuration.

Specifying Domain Controllers for User Configurations

In environments where you use an Active Directory-based central store and have more than one domain controller, you can select the domain controller that user configurations bind to when writing to the central store. This binding reduces synchronization delays caused by Active Directory replication, which can occur when users access Password Manager from several Active Directory sites at the same time.

During the discovery process available through the console, Password Manager can discover every domain controller in your domain. You can then bind the user configurations you create to a specific domain controller by selecting that controller when you create a user configuration. For example, you can require users to be bound to a domain controller within their local network. After you specify a domain controller, users are bound to it the next time they log on to Password Manager.
By default, users bind to any writeable domain controller until you select one they must bind to. You can change the domain controller setting at any time by updating the user configuration, without losing user data integrity.

Note: When choosing a domain controller for binding, verify that it has the resources to handle the traffic users generate when they connect to it during peak operating times.

If the specified domain controller is unavailable or offline, the agent software uses the local store's user data (that is, the user data located on the user's PC). If the domain controller stays offline for what you consider a long period, select the Edit User Configuration task in the console and choose another domain controller or the Any writeable domain controller option.

To specify a domain controller for an existing user configuration
1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and User Configurations.
3. Select a user configuration.
4. In the Common Tasks area, select Edit user configuration.
5. The Edit User Configuration wizard appears. Select Synchronization Server from the options on the left side of the wizard page.
6. Select an available domain controller or select Any writeable domain controller.
7. Click OK to save your changes.

Depending on the setting you select, the next time users in this user configuration log on to Password Manager, they bind to the newly designated domain controller or to any writeable domain controller.

Creating a User Configuration: the User Configuration Wizard

The User Configuration wizard enables you to control how the agent software interacts with the Password Manager software and which features to use in your environment. The wizard consists of the following pages:
- Name User Configuration on page 88
- Select Product Edition on page 89
- Choose Applications on page 89
- Configure Agent Interaction on page 91
- Configure Licensing on page 96
- Select Data Protection Methods on page 97
- Select Secondary Data Protection on page 100
- Enable Self-Service Features on page 101
- Locate Service Modules on page 101
- Completing the User Configuration Wizard on page 101

To create a user configuration
1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Click Add new user configuration in the Common Tasks area.

Name User Configuration

Name your user configuration. Consider naming the user configuration according to how you plan to group your users and associate them with specific applications; for example, Marketing Users, Software Development Users, or North American Users.

Specify how you associate the user configuration. You have two choices: associate users according to Active Directory hierarchy (OU or individual user) or Active Directory group. If necessary, you can associate the user configuration with a different hierarchy or group later by clicking Move user configuration in the Common Tasks area.

Note: How you organize your Active Directory environment can affect how user configurations operate. If you use both an Active Directory hierarchy and a group, and a user is located in both containers, the user configuration associated with the hierarchy takes precedence and is the one used. This scheme is considered a mixed environment.
Also, if a user belongs to two Active Directory groups and each group is associated with a user configuration, the user configuration with the highest priority takes precedence and is the one used. Associating user configurations with groups is supported only in Active Directory domains that use Active Directory authentication.

Select Product Edition

Select the Password Manager product edition to associate with this user configuration: Presentation Server Platinum, Password Manager Enterprise, or Password Manager Advanced.

Note: The functionality and maintenance of the Presentation Server Platinum and Password Manager Enterprise editions are identical. If you are using Citrix Presentation Server 4.5 with Feature Pack 1, Platinum Edition, select Presentation Server Platinum from the list.

Specify your Synchronization Server. If you are using Active Directory, select an available domain controller or select Any writeable domain controller. See Specifying Domain Controllers for User Configurations on page 86 for more information.

Choose Applications

Add the applications for the user configuration. When you click Add, a window shows the application definitions you previously created. You can now add them to create an application group.

Name your application group. Consider naming the application group according to how you plan to group your applications; for example, Web Applications or Citrix Software. A group can also consist of a single application.

Select password policy. Select the Default, Domain, or a custom password policy to apply to all applications in the group.

Make this application group a password sharing group. You can create a password sharing group to automate and simplify the password change process. If the password for an application definition that is part of a password sharing group changes, the agent software ensures that the password change is reflected in the stored credentials for all applications in the group.

Password sharing groups enable the agent software to manage multiple credentials for applications that use the same authentication authority. For example, if you have two applications that authenticate against the same Oracle database, such as a financial application and a human resources application, you can place these two applications in the same password sharing group. When your users change their password for either application, the other application's credentials are updated automatically.

Important: For best results, ensure that all passwords in a password sharing group are managed by a common authentication authority. You would implement a password sharing group when the applications in it share a common back-end authentication authority, such as a database, to which the user submits the same credentials through each application. You would not group unrelated applications such as an e-mail program, a Web application, and a custom SSO-enabled program on your intranet where a user could submit three different sets of credentials and uses the same credentials for all three only by coincidence. In that case, if a user changed the credentials for one application in the password sharing group, it does not follow that those credentials would be valid for the other two, and the agent would replace working stored credentials with ones the other applications do not accept.

Check to enable initial credential setup. Select this option to allow users to add credentials for the application during first-time use of the Password Manager Agent (that is, during the enrollment and registration process). This feature saves users time and effort by letting them configure credentials for all applications at once.

Do not select this option if you want to require users to supply the credentials for each application when that application actually starts.

Note: If you add applications to this user configuration later and this option is selected, users are prompted to store credentials the next time the agent starts on their workstation or client device.
Configure Agent Interaction

This page determines the user experience for all agent software users in your environment. Advanced Settings on page 92 describes the advanced agent settings.

Allow users to reveal all passwords in Logon Manager. Select this option to allow users to see the passwords associated with the applications in the user configuration.

Note: To allow users to see their application passwords, you must also enable the reveal password option in the password policy you selected on the Choose applications page.

Force re-authentication before revealing user passwords. Select this option to force users to enter their Windows credentials before they can see their passwords. It is enabled by default and can be enabled or disabled only if you enabled Allow users to reveal all passwords in Logon Manager. Keep it enabled where workstations may be left unlocked, because the reveal function otherwise shows every stored password to whoever is at the console.

Allow users to pause agent. Select this option to let users prevent the agent software from submitting credentials to applications. While paused, the agent does not detect or respond to applications and users must submit their credentials manually. The agent is paused, not shut down.

Notify user when agent synchronization fails. Select this option to notify users when agent synchronization fails. Depending on how Allow agent to operate when unable to reconnect to central store on the Advanced Settings Synchronization page is set, users may be able to continue working after a synchronization failure.

Automatically detect applications and prompt user to store credentials. Select this option to prompt users to submit their credentials to Password Manager for applications the agent software newly detects. Clear this option to disable the Password Manager Agent's ability to detect any applications that are not associated with this user configuration; users must then submit credentials to those applications manually. Use this setting to prevent users from adding applications that are not part of their assigned user configuration to their set of SSO-enabled applications.
92 92 Citrix Password Manager Administrator s Guide If cleared, this option overrides the Enable users to cancel credential storage when a new application is detected option available on the Advanced Settings Client-Side Interaction page. Also, if you plan to use provisioning, clearing this option prevents users from being prompted to enter their credentials. Using Provisioning to Automate Credential Entry on page 141 describes the Provisioning service module. Automatically process defined forms when the agent detects them Select this option to enable the agent software to submit stored credentials automatically without user intervention. Credential fields in the application will automatically populate if you enabled the corresponding setting Agent submits this form automatically in the application definition associated with this user configuration. Time between agent re-authentication requests Specify the time between agent reauthentication requests. When the time expires, the user s PC is locked and users must reauthenticate by typing their Windows credentials. Minimum allowed value is one minute. Advanced Settings Click the Advanced Settings button on the Configure Agent Interaction page to access these settings. Agent User Interface Display computer name in notification icon ToolTip Show notification icon Specify the length of time the agent delays credential submission Controls whether the computer name appears in the notification icon ToolTip (in the notification area of the user s toolbar). If enabled, the computer name is appended to the notification icon ToolTip. This option is helpful in Citrix Presentation Server environments or mixed environments (published and local applications) to help the user identify which agent is running. Enabled by default. Controls whether to show the Citrix Password Manager notification icon when the agent is active. 
When the icon is disabled, users cannot start or stop the agent software or access other user-controlled options. Specifies the length of time in seconds that the agent software delays credential submission after detecting an allowed application. Use this setting to ensure that the application is ready to receive the credentials. During this time, the agent software will show a progress indicator, indicating that the agent is working.
93 4 Creating User Configurations 93 Set the default columns and column order shown in Logon Manager Client Side Interaction Enforce password matching during initial credential setup Log Citrix Password Manager events using Windows event logging Delete user s data folder and registry keys when the agent is shut down Enable users to cancel credential storage when a new application is detected Limit the number of days to keep track of deleted credentials Synchronization Allow users to update agent settings Synchronize every time users launch recognized applications or Logon Manager Controls which columns are shown in the Logon Manager s Details view and the order in which they are presented. This setting does not affect the List or Icon views in the Logon Manager. Enabled by default. Controls whether users must enter passwords twice for confirmation during initial credential setup. Controls whether agent error and warning events will be tracked in the local workstation Windows Event Log. Controls whether the user s registry keys and data folder (including encrypted credentials) are deleted when the agent is shut down. Enabled by default. Controls whether users are prompted to store credentials every time the agent recognizes an application for which no credentials are stored. If enabled, users can choose to store their credentials in the Logon Manager now, later, or never. Note: If the setting Automatically detect applications and prompt users to store credentials is disabled, the agent software does not prompt users to store credentials. See the description of this setting under Configure Agent Interaction on page 91. Enabled by default as 180 days. Specifies how long in days that the central store tracks credentials deleted from Logon Manager. When user credentials are stored on multiple client devices, the agent deletes the credentials when it synchronizes with the central store during this time period. 
If the credentials are still stored on the client device when the time has elapsed, they are restored when the agent synchronizes with the central store. Enabled by default. Controls whether users are allowed to refresh agent settings in Logon Manager. When the setting is disabled, the Logon Manager Refresh button is unavailable. Controls whether the agent synchronizes user configuration information whenever a user launches a recognized application or Logon Manager. Note: Frequent synchronization can degrade performance on both the client and server, as well as increase network traffic.s
Allow agent to operate when unable to reconnect to central store
    Enabled by default. Controls whether Citrix Password Manager operates when unable to connect to the central store for synchronization. When enabled, a licensed instance of the agent software continues to operate even if the connection fails. If the setting is unavailable, the agent operates only when connected to the central store.

Time between automatic synchronization requests
    Specifies the time in minutes between automatic synchronization attempts. Automatic synchronization is independent of user activity and takes place in addition to events that trigger synchronization.

Allow user credentials to be accessed through the Credential Synchronization Module
    Controls whether or not remote clients can access user credentials through this service module. This option is used with the Account Association feature, which allows an agent user to log on to any application from one or more Windows accounts. See Synchronizing Credentials by Using Account Association on page 101 for configuring this feature. See also Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise in the Citrix Password Manager Installation Guide.

Account Association
    The Account Association settings are described in To configure Account Association user settings in other domains on page 104.

Application Support

Detect client-side application definitions
    Enabled by default. Allows the agent software to detect client-side application definitions by selecting one of the following options:
    All applications: detects and responds to applications defined by an administrator or a user (in Logon Manager) and defined in the default settings at installation.
    Only applications that are included with Password Manager Agent: detects and responds to applications defined by an administrator and defined in the default settings at installation. Users cannot create their own application definitions from Logon Manager.
    Only applications that are defined by users in Logon Manager: detects and responds to applications defined by an administrator and a user in Logon Manager. The agent software will not recognize or respond to applications defined in the default settings at installation.
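The retention window behind the Synchronization setting Limit the number of days to keep track of deleted credentials (described above) has a failure mode worth seeing end to end: a client that stays offline past the window brings a deleted credential back into the central store. The Python simulation below is an added example, not Citrix code; the CentralStore and Agent classes, the application names and the dates are constructed here, and the real store formats are not reproduced.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class CentralStore:
    """Minimal model of the central store: live credentials plus markers for
    deleted ones (the markers are what the retention setting governs)."""
    retention_days: int = 180                        # documented default
    credentials: dict = field(default_factory=dict)  # app name -> secret
    deleted_at: dict = field(default_factory=dict)   # app name -> when deleted

    def delete(self, app: str, now: datetime) -> None:
        """A user removes a credential in Logon Manager on one device."""
        self.credentials.pop(app, None)
        self.deleted_at[app] = now

    def still_tracked(self, app: str, now: datetime) -> bool:
        """True while the deletion marker is inside the retention window."""
        when = self.deleted_at.get(app)
        if when is None:
            return False
        return now - when <= timedelta(days=self.retention_days)


@dataclass
class Agent:
    """A second client device with its own local credential store."""
    local: dict = field(default_factory=dict)

    def synchronize(self, store: CentralStore, now: datetime) -> list:
        """One synchronization pass; returns (app, action) pairs in app order."""
        actions = []
        for app in sorted(set(self.local) | set(store.credentials)):
            if app in store.credentials:
                # Central copy is authoritative: pull it down
                self.local[app] = store.credentials[app]
                actions.append((app, "pulled"))
            elif store.still_tracked(app, now):
                # Deletion is still tracked: drop the stale local copy
                del self.local[app]
                actions.append((app, "deleted"))
            else:
                # Marker expired (or the app was never known centrally): the
                # local copy is pushed back up, which resurrects the credential
                store.credentials[app] = self.local[app]
                store.deleted_at.pop(app, None)
                actions.append((app, "restored"))
        return actions


def run_scenario(days_until_sync: int, retention_days: int = 180) -> list:
    """Device A deletes the 'payroll' credential on day 0 while device B holds
    a copy; device B next synchronizes days_until_sync days later."""
    day0 = datetime(2024, 1, 1)                                   # constructed
    store = CentralStore(retention_days=retention_days,
                         credentials={"mail": "pw-1", "payroll": "pw-2"})
    device_b = Agent(local=dict(store.credentials))  # synced before deletion
    store.delete("payroll", day0)
    return device_b.synchronize(store, day0 + timedelta(days=days_until_sync))


if __name__ == "__main__":
    print("sync after 30 days :", run_scenario(30))    # payroll deleted
    print("sync after 200 days:", run_scenario(200))   # payroll restored
```

Lengthening the window, or making sure long-offline devices synchronize before it lapses, is what keeps the "restored" case from occurring.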
Enable support for terminal emulators
    Controls support for terminal emulation programs. The agent software requires support for terminal emulators to detect Host or Mainframe applications. When enabled, the agent software runs a process that detects terminal emulators. You can optionally select, in milliseconds, the Time interval in which the agent checks the terminal emulator for changes. This option specifies how much time must pass before the agent software checks the host emulator for screen changes. Lower values can use more CPU time on the client and increase network traffic. If not selected, the agent software uses 3000 milliseconds as the default value.

Web application settings
    Specifies the minimum number of domain name levels to match for allowed Web applications. For example, a value of two or less would match *.domain1.topleveldomain; a value of three would match *.domain2.domain1.topleveldomain. Domain name levels beyond the specified number are treated as wild cards. To strictly control URL matching for Web applications, you might prefer to set strict URL matching in your application definitions.

Hot Desktop (see also User Configuration Settings for Hot Desktop on page 167)

Session settings script path
    Specifies the path of the session settings file that defines the scripts to be executed at the start and end of a Hot Desktop session. The start script can be used to start applications. The shutdown script can be used to perform cleanup tasks such as file removal. The file used must be accessible to all users.

Lock time-out
    Specifies the length of time in minutes that a Hot Desktop session will remain active when the workstation is idle. If this interval is exceeded, the desktop is locked. The default is 10 minutes.

Session time-out
    Specifies the length of time that a Hot Desktop session will run while the desktop is locked. If this time is exceeded, the session is terminated and a new session is started when the desktop is unlocked. The default is five minutes.

Enable session indicator
    Enabled by default. Controls whether a window identifying the Hot Desktop session is enabled. When enabled, a transparent moveable window is shown on the desktop during Hot Desktop sessions. This window indicates the user's name and the elapsed time of the active session.
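The Web application settings rule above (a minimum number of domain name levels to match, with levels beyond that treated as wild cards) decides which hosts the agent treats as the same Web application, so a low value can let stored credentials be offered to any host that merely shares the top levels of the company domain. The Python below is an added example, not Citrix code: host_matches and matched_hosts are one reading of the documented behaviour, the application URL and host names are constructed, and the rule that an application host with fewer labels than the setting must match in full is an assumption of this example.

```python
from urllib.parse import urlsplit


def _labels(host: str) -> list:
    """Lower-cased DNS labels of a host, ignoring a port and a trailing dot."""
    host = host.lower().rstrip(".")
    if ":" in host:
        host = host.split(":", 1)[0]
    return [label for label in host.split(".") if label]


def host_matches(app_host: str, candidate_host: str, min_levels: int) -> bool:
    """Apply the minimum-domain-levels rule.

    The rightmost min_levels labels (top-level domain first) must be equal;
    labels further left are wild cards. Assumption: an application host with
    fewer labels than min_levels must match in full.
    """
    app = _labels(app_host)
    cand = _labels(candidate_host)
    required = min(min_levels, len(app))
    if required <= 0 or len(cand) < required:
        return False
    return app[-required:] == cand[-required:]


def matched_hosts(app_url: str, seen_hosts: list, min_levels: int) -> list:
    """Audit helper: which of the hosts seen on clients the agent would treat
    as the application defined at app_url under a given setting value."""
    app_host = urlsplit(app_url).hostname or ""
    return [h for h in seen_hosts if host_matches(app_host, h, min_levels)]


# Constructed application definition and a constructed set of hosts observed
# on clients; corp.example stands in for a company's domain.
APP_URL = "https://sso.payroll.corp.example/login"
SEEN_HOSTS = [
    "sso.payroll.corp.example",                 # the defined host itself
    "test.payroll.corp.example",                # a sibling in the same subtree
    "wiki.corp.example",                        # elsewhere in the company domain
    "corp.example",                             # the bare company domain
    "sso.payroll.corp.example.lookalike.test",  # defined name reused as a prefix
]


if __name__ == "__main__":
    for levels in (2, 3, 5):
        print(f"min levels = {levels}:", matched_hosts(APP_URL, SEEN_HOSTS, levels))
```

Compare the lists for values 2 and 3 with the page's own advice: where a company domain hosts many unrelated Web applications, strict URL matching in the application definition keeps the match to the intended host.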
Session indicator graphic
    Specifies the path of the graphic file displayed in the Hot Desktop session indicator. The file used must be in a location accessible to all users and in Windows bitmap (.bmp) file format.

Configure Licensing

Select a license server and licensing model at this page. For more information about licensing, see the Getting Started with Citrix Licensing Guide, available with other Citrix licensing information in the Citrix Knowledge Center.

Important: If you edit the user configuration later and change product editions, your license model will change. For example, changing the product edition from Password Manager Enterprise to Password Manager Advanced will change your licensing model from Concurrent User to Named User.

License server name
    Type the license server fully qualified domain name in this field.

Port number
    You can select the default port number by enabling the Use default value check box.

Named User Licensing
    This option is enabled if you purchased this license type and selected Password Manager Advanced as the product edition. You can also choose this option if you select the Presentation Server Platinum or Password Manager Enterprise product editions. With this license type, Password Manager can be used only by specific, named users.

Disconnected mode period
    Specify the time period that the license is assigned to the named user before the license expires and the agent reconnects to the license server. The license is consumed for the specified time period even if the user PC shuts down. The default time period is 21 days. See also the Synchronization setting Allow agent to operate when unable to reconnect to central store described in Advanced Settings on page 92.

Concurrent User Licensing (Enterprise and Platinum Edition only)
    This option is enabled if you select the Presentation Server Platinum or Password Manager Enterprise product edition. It is disabled if you select the Password Manager Advanced product edition.
    Note: This license model is enabled if you upgraded from Password Manager Version 4.1. Citrix Systems considers this previous version as equivalent to Password Manager 4.6 Enterprise Edition for licensing purposes when you upgrade.
    With this license type, a single Password Manager license can be shared by different users (although not at the same time; this license type is sometimes also known as a floating license).

Allow license to be consumed for offline use
    Select this option to specify the amount of time that the user can be disconnected (offline) before the license expires and returns to the pool of available licenses. If enabled, the license is consumed for the specified time period even if the user PC shuts down. The default time period is 21 days; it can range from 2 to 365 days. If this option is not selected, the license expires and returns to the pool after 1 hour and 30 minutes. This time is not adjustable. See also the Synchronization setting Allow agent to operate when unable to reconnect to central store described in Advanced Settings on page 92.

Select Data Protection Methods

This page enables you to select the data protection methods that protect user credentials, based on the authentication methods your users are authorized to use. In some environments, users can use more than one method. See Do I Need to Use Identity Verification? and Planning Your User Configurations in the Citrix Password Manager Installation Guide, and If Users Switch among Multiple Primary Authentication Methods on page 117.

Note: If you upgraded your Password Manager central store from Version 4.1 to Version 4.6, the Use data protection as in Password Manager 4.1 and previous versions option is automatically selected.

Important: To use smart cards in a Windows Vista environment, you must enable Microsoft Data Protection API (DPAPI) in your user configurations.
Do you need to regulate account administrator access to user data?
    Select Yes if you want to disallow administrator access to user credentials. Yes is the default setting for this page. With this configuration, the account or other administrator does not have access to user passwords or user data. This setting helps prevent an administrator from impersonating a user. With the default setting, the administrator cannot log on to the agent software as the user and possibly access data located in the user's local credential store.
    If you select Yes, the Microsoft Data Protection API options (including the DPAPI with profile selection in the Smart Card key source drop-down menu) on this page and the Do not prompt users; restore primary data protection automatically over the network option on the following Select secondary data protection page are disabled.
    Select No if you want to allow use of all the multiple authentication features available from this page and the secondary data protection methods on the following page in the wizard (described in Select Secondary Data Protection on page 100).

For improved user experience upon logon events, please select all data protection methods that apply
    This selection enables you to use the multiple primary authentication features in this version of Password Manager and control the agent software behavior. The options include the following:

    Users' authentication data
        A user secret is used to access and protect user data. The authentication secret can be a user password or a PIN-based device used in your environment. To further protect the user data, you can also select the following:
        Allow Smart Card PINs: Select to allow the smart card PIN to be used as the user secret for protection. Use this only if your enterprise or environment has a strong PIN policy.
        Allow protection using blank passwords: Select this option only if your domain has low security requirements and allows users to have blank domain passwords. If you select this option and the agent software detects that the user has a blank password, a user secret is derived from the user ID. If you do not select this option, the agent software does not derive a user secret or otherwise perform any data protection with the blank password.
        If you select Users' authentication data and do not select Allow Smart Card PINs and Allow protection using blank passwords, after the user logs on for the first-time enrollment and registration process with a blank password, an error message appears and the agent software is disabled.

    Microsoft Data Protection API
        Select this option if you are using roaming profiles implementing a Kerberos network authentication protocol for users. This option works only if roaming profiles are available. For example, select Users' authentication data and this option if users are using passwords to access their PCs and a Kerberos network authentication protocol to access a farm of computers running Citrix Presentation Server. This method also allows the use of user credentials and smart cards to log on.

    Smart Card Certificate
        Select to allow users to use cryptographic cards that enable encryption and decryption of authentication data. Citrix recommends that, if possible, you select this option if you are using Hot Desktop in your environment.

Use data protection as in Password Manager 4.1 and previous versions
    Select this option and choose one of the following methods from the Smart Card key source drop-down menu if you want to permit users to use a single primary authentication method and/or you might be using Versions 4.0 or 4.1 of the agent software. Also, if you upgraded your Password Manager central store from Version 4.1 to Version 4.6, this option is automatically selected:
    PIN as password
    Smart Card Data Protect
    DPAPI with profile (not available if No is selected for Do you need to regulate account administrator access to user data?)

Select Secondary Data Protection

When users change their primary authentication (for example, a domain password change or a replaced smart card), this page enables you to specify secondary credential data protection options to use before unlocking user credentials. It also enables you to require that users verify their identity for added security. Alternatively, it enables you to specify that credentials are restored automatically by implementing the Key Management Module.

Prompt users to verify identity
    Choose this button to select one of the following user reauthentication methods:
    Prompt user to enter the previous password: If you select this option, note that users who forget their previous password will be locked out and must reenroll their secondary credentials. Do not select this option if your users employ smart cards for their primary authentication.
    Prompt user to select the method: previous password or security questions: If you select this option, users are prompted according to their choice of verification method. This option includes this suboption:
    Use identity verification as in previous versions of Password Manager: Select this option if you upgraded from Password Manager Versions 4.0 or 4.1 and you enabled question-based authentication or identity verification questions. The 4.0 and 4.1 versions of the agent software do not need access to the service in this case.

Do not prompt users; restore primary data protection automatically over the network
    Choose this option if you are implementing the Key Management Module to bypass identity verification and automatically unlock user credentials. This method is less secure than other data protection methods but increases ease of use for your users by retrieving credentials automatically.
Enable Self-Service Features

The options available on this page require the installation of the Key Management Module. This feature inserts an Account Self-Service button on the Windows logon and Unlock Computer dialog boxes and can help reduce costs associated with administrator intervention or help desk support in your enterprise. These options enable users who might have forgotten their password to reset their primary domain password and unlock their domain account without needing to call your help desk. The options are as follows:
    Allow users to reset their primary domain password
    Allow users to unlock their domain account

Locate Service Modules

These pages require you to specify the URL and service port of any installed service modules. See Selecting Optional Password Manager Service Features and Installing and Configuring the Password Manager Service in the Citrix Password Manager Installation Guide.
1. Select the options associated with each service module.
2. Specify the fully qualified domain name of the computer hosting the service and the port number (the default port number is 443). See also Password Manager Service Port Number in the Citrix Password Manager Installation Guide.

Completing the User Configuration Wizard
1. Review the settings on the Confirm settings page. You can click Back to change any setting.
2. Click Finish on the Confirm Settings page to create the user configuration.

Synchronizing Credentials by Using Account Association

As described in Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise in the Citrix Password Manager Installation Guide, companies that maintain multiple Windows domains may have users with more than one Windows account. Password Manager includes a service known as Credential Synchronization to enable Account Association.
Account Association allows an agent user to log on to any application from one or more Windows accounts. Because Password Manager typically binds user credentials to a single account, the credential information is not automatically synchronized among multiple accounts that a user owns. However, administrators can configure Account Association to synchronize user credentials. Users with Account Association configured have access to all applications from any of their accounts in their Password Manager environment. When user credentials are changed, added, or removed from one account, the credentials are synchronized automatically with each of the user's associated accounts. Without Account Association, an individual with multiple Windows accounts is forced to change their logon information manually and separately from each Windows account.

Account Association Configuration Task Workflow

To configure Account Association, the enterprise Windows domain administrators must perform the following steps in order:

Task 1. Choose a domain in which to install and run the Credential Synchronization Module, which is part of the Password Manager Service.
    See: Choosing and Configuring a Domain to Host the Credential Synchronization Module on page 102; To configure the credential synchronization features in the host domain on page 103.

Task 2. Deploy the trusted root certificate to all computers in the enterprise that will use Account Association.
    See: Server Authentication Certificate Requirement in the Citrix Password Manager Installation Guide.

Task 3. Manually synchronize application definitions among domains.
    See: To Manually Synchronize Application Definitions among Domains on page 104.

Task 4. Configure the Account Association user settings in other domains to connect to the Credential Synchronization Module.
    See: To configure Account Association user settings in other domains on page 104.

Task 5. Each user must enable Account Association in the agent software.
    See: Configuring Account Association in the Agent Software on page 105; To configure Account Association in the agent software on page 105.

Choosing and Configuring a Domain to Host the Credential Synchronization Module

Choose the domain that contains the accounts for all users in your enterprise who will use Account Association. The Credential Synchronization Module acts as the hub for all user credential information in the enterprise. Install this module in this domain as you would any other Password Manager Service. See Installing and Configuring the Password Manager Service in the Citrix Password Manager Installation Guide.
Important: Contact your network administrator to determine if any firewall changes are necessary and if the changes are compliant with your company's policies.

After you install the Credential Synchronization Module, create or edit user configurations from the Password Manager Console to authorize individual user accounts to use the Credential Synchronization Module, as follows.

To configure the credential synchronization features in the host domain

Note: Open the console from the domain that is hosting the Credential Synchronization Module. Some domains can access multiple central stores. Ensure that the console you are using is configured to connect to the same central store as the Credential Synchronization Module service.
1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Select an existing user configuration or create a new one. If you are creating a new user configuration, the following options are available from the Advanced Settings button on the Configure Agent Interaction page. If you are editing an existing user configuration, the following options are available from the Edit User Configuration properties page.
4. Click Synchronization and select the Allow user credentials to be accessed through the Credential Synchronization Module check box.
5. Click OK and repeat these steps for each existing and new user configuration.
To Manually Synchronize Application Definitions among Domains

Note: Accounts can also synchronize across different user configuration associations. That is, a user configuration can be associated with an Active Directory hierarchy (OU or user) in one domain and associated with an Active Directory group in another domain. As long as the application definition names are the same in each user configuration, the Account Association feature will synchronize credentials.

User credentials are shared only for applications defined by the Password Manager administrator. Administrators must ensure that each application definition on each domain has the same name in each central store. For example, if the application definition for SAP is named SAP Logon on one domain, SAP on another, and SAP Launch Pad on another, user credentials for these applications will not be synchronized across accounts for these domains.

A best practice when creating a new application definition across domains is to use the Export administrative data and Import administrative data tasks in the console. Use these tasks to export newly created application definitions and import them into each central store. Existing, previously defined applications must be manually renamed.

To configure Account Association user settings in other domains

Note: Install and open the console from a workstation in each domain that is not hosting the Credential Synchronization Module. Some domains have multiple central stores; therefore, ensure that you configure each central store.

All domain administrators must allow the domain users to associate their accounts with their host domain account. Edit the Account Association section of the appropriate user configurations in the console.
1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Select an existing user configuration or create a new one. If you are creating a new user configuration, the following options are available from the Advanced Settings button on the Configure Agent Interaction page. If you are editing an existing user configuration, the following options are available from the Edit User Configuration properties page.
4. Click Account Association.
5. Select Allow users to associate accounts. The following options are not required but help provide a seamless user experience.
6. Select Provide the default service address and type the Password Manager Service address and port for the domain hosting the Credential Synchronization Module.
7. Clear Allow users to edit service address.
8. Select Provide default domain and type the name for the domain hosting the Credential Synchronization Module.
    Note: If you do not provide the domain, users might be confused as to which domain account user credentials they should provide.
9. Clear Allow users to edit domain.
10. Depending on your company's security policies, select Allow users to remember password.
11. Click OK and repeat for each user configuration.

Once you complete the steps described here, users can associate their Windows accounts.

Configuring Account Association in the Agent Software

When logging on to the domain hosting the Credential Synchronization Module, users do not need to perform any action to enable Account Association. These accounts act as a central repository for each user's credential information. When logging on to other domains, users will now see an option under the Tools menu in the agent software named Account Association. Users must choose this option to configure Account Association.

To configure Account Association in the agent software
1. Do one of the following:
    From the Password Manager Agent notification area icon, select Tools > Account Association.
    From the Logon Manager, select Tools > Account Association.
    The Account Association dialog box appears.
2. Select Enable Account Association.
    Note: If you did not provide the service address of the computer hosting the Credential Synchronization Module, users must type it in the text field. If the field is unavailable, you already provided this service address and users cannot type in this field. See To configure Account Association user settings in other domains on page 104.
3. Click OK. The Authenticate for Account Association dialog box appears.
4. Type your username and password for your associated Windows account. If the domain where the Credential Synchronization Module is installed is not shown, type it in the Domain field.
    Note: If you provided the domain name, users cannot type text in this field. See To configure Account Association user settings in other domains on page 104.
5. Click OK. Account Association is now configured. The user's credentials are synchronized whenever agent synchronization occurs.

Resetting and Deleting User Data

Password Manager provides two user configuration tasks to help you manage changes in your environment and enterprise:
    Reset User Data on page 106
    Delete User Data From Central Store on page 108

Reset User Data

Note: The Reset user data task requires that you install and configure the Provisioning Module.
Reset user data enables you to reset user information in your central store, which returns the selected user to an initial state. In Active Directory central stores, the user data (credentials, security questions and answers, and so on) is deleted and the user is flagged as having had their data reset. In NTFS network share and Novell shared folder central stores, the user folders are retained, all user data is deleted, and the user is flagged as having had their data reset.

You can use Reset user data if users forget the answers to their security questions, or to reset their credential data if the user's data somehow is corrupted. When the user later uses the agent software to contact your central store, the user's local credential store is cleared of all data, and the user must reenroll, similar to initial credential setup. This task is also useful when a user cannot log on to the agent.

Important: Password history is retained on a per-user basis. If you reset the data for a user, the password history is removed and password history cannot be enforced for the deleted passwords.

To reset user data
1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Click Reset user data in the Other Tasks area. The Select User dialog box appears.
4. Type a user name in the text field and click Check Names.
5. If the user is found, click OK.
6. Select a user in your central store and click Reset.
7. Click OK. A warning message appears.
8. Verify that any users who might be running Password Manager as an application hosted by Citrix Presentation Server are logged off and click Continue to flag the user's data for reset. If users are not logged off, click Cancel, reset their ICA session, and return to this procedure.
9. Click OK in the Reset User data dialog box when the user information is verified and reset. The user's data is reset the next time the user logs on to Password Manager using the agent software.

Delete User Data From Central Store

The Delete user data from central store task deletes all user data and information from the central store. You can use Delete user data from central store when a user leaves your enterprise permanently. The local credential store on the user PC remains intact until it is explicitly deleted by an administrator or operator.

Note: If the agent software is run by the now-deleted user, the agent software synchronizes its local credential store with the central store unless the local credential store is explicitly deleted by an administrator or operator. To prevent this, delete this user from your enterprise (for example, disable or delete the user from Active Directory).

To delete user data
1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Click Delete user data from central store in the Other Tasks area. The Select user dialog box appears.
4. Type a user name in the text field and click Check Names.
5. If the user is found, click OK. Click Yes to confirm. A confirmation message appears.
6. Click OK. The user is now deleted from the central store.

Prompting Users to Reregister Answers to Security Questions

You can prompt one user or all users to reregister answers to their security questions. You would use these features for security purposes or when user data becomes corrupted:
Revoke security question registration for a user
    Select this option to delete a user's security question data. Any question-based authentication is unavailable until the user reregisters.

Prompt all users to reregister security questions
    Select this option to prompt all users to reregister their security questions and answers when they launch the agent software. Security question data is retained and any feature requiring question-based authentication is still available with the current answers. Users are prompted until they reregister.

Note: If users choose not to reregister their answers by cancelling the Citrix Password Manager Registration dialog box when prompted, they will not be able to use features that use question-based authentication, such as Account Self-Service, until they choose to reregister their answers.

To prompt users to reregister
1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Click one of the following:
    Revoke security question registration for a user: The Select User dialog box appears. Type or select a user. Confirm that you want to revoke that user's security question registration.
    Prompt all users to reregister security questions: Click Yes to prompt all users, then click OK.

Assigning Priority to User Configurations

When you create or edit a user configuration, you can associate users located in Active Directory groups with user configurations. A user in a group can be associated with more than one user configuration. In this case, you can set the priority of the user configurations.
Important: How you organize your Password Manager user environment might affect how user configurations operate. That is, you associate user configurations in your Password Manager environment with an Active Directory hierarchy (OU or users) or an Active Directory group. If you use both (hierarchy and group) and a user is located in both containers, the user configuration associated with the hierarchy takes precedence and is the one used. This scheme is considered a mixed environment.

To set a user configuration priority

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Click Set user configuration priority. The Set User Configuration Priority dialog box appears.
4. Select a user configuration and click Move Up or Move Down, according to your preference.
5. Click OK.

Assigning a User Configuration to Different Users

When you edit an existing user configuration, note that you cannot edit the user configuration location. You can perform one of the following procedures:
- Apply a user configuration to an additional set of users by duplicating it
- Apply a user configuration to a different set of users by moving it

To duplicate a user configuration

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Select the user configuration.
4. Click Duplicate user configuration.
5. Type a name for the duplicated configuration.
6. Specify the OU, user, or group that contains the users to which the user configuration will apply.
7. Click OK.

To move a user configuration to different users

Note: You cannot move a user configuration that is associated with an Active Directory group. To associate the user configuration with an Active Directory hierarchy (OU or user), duplicate the user configuration and specify the desired association. See To duplicate a user configuration.

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Select the user configuration.
4. Click Move user configuration.
5. Specify the OU, user, or group that contains the users to which the user configuration will apply.
6. Click OK.

Upgrading Existing User Configurations

In Citrix Password Manager Versions 4.0 and 4.1, you associated users with a user configuration by an Active Directory hierarchy (OU or user). In Version 4.5, you can choose to associate users by an Active Directory group. Consider the following if you want to upgrade existing user configurations whose users are organized by OU or user:

If you use an existing user configuration organized by hierarchy, now create user configurations organized by group, and a user is located in both containers, the user configuration associated with the hierarchy takes precedence and is the one used. This scheme is considered a mixed environment. In this case, your users might experience unintended agent software behavior. That is, they will have access to resources associated with the hierarchy-based user configuration instead of resources associated with the group-based user configuration.

If you wish to preserve the settings in your existing hierarchy-based user configurations but change their association, move the user configuration according to the procedure described in To move a user configuration to different users on page 111. This procedure is applicable for Version 4.1, Version 4.5, and Version 4.6 hierarchy-based user configurations.

Note: If you upgrade the Password Manager Service and console but do not upgrade the agent software, the agent still provides basic functionality to users whose user configurations are associated with Active Directory hierarchies (organizational units or users). However, your users will not have access to the latest Password Manager features. Citrix recommends upgrading the agent software whenever possible to match the service and console versions.
5 User Authentication and Identity Verification

Password Manager provides you with several authentication methods for verifying your users' identities. This section describes the strategies to consider when deciding which authentication method to use. This chapter contains information about the following topics:
- Overview of Password Manager Authentication on page 113
- When Must Users Confirm Their Identities? on page 114
- Overview of Identity Verification Methods on page 115
- If Users Switch among Multiple Primary Authentication Methods on page 117

Overview of Password Manager Authentication

Two types of authentication exist in Password Manager:
- Primary authentication, which occurs when users type their primary user names, passwords, and, optionally, domain name in the Windows logon dialog box to access their corporate or enterprise network. The existing Windows security subsystem is responsible for managing network authentication.
- Secondary authentication, which occurs when you configure Password Manager to submit credentials that allow users to access protected single sign-on enabled resources. These resources can include an enterprise application, a Web application, a protected field in an application, an IP address, a URL, and so on.
After a successful network authentication, Password Manager obtains the primary password from the Windows logon and, along with other variables, uses this information to create the encryption key that protects user credentials. The agent software uses this key to retrieve and decrypt the credentials as applications or resources request them.

Important: If a user's password is compromised, reset the user's password twice, rather than once, to ensure that the compromised password is removed from the previous password feature. Users need to log on with each of the new passwords so that the agent software can capture the changes.

When Must Users Confirm Their Identities?

Each time users log on to your environment, they confirm their identity by typing their user name and password or by using a smart card or other authentication device that uniquely identifies who they are. However, several events require a second layer of authentication to verify that the user initiating the change is the user authorized to do so:

Event: Bypassing Password Manager
Description: If users change their primary password on a device that has Password Manager installed without using Ctrl+Alt+Del, Password Manager cannot confirm that the authorized user initiated the password change.

Event: An administrator changes a user's primary password
Description: When administrators change users' primary passwords, users are then further prompted to confirm their identities to ensure the authorized user is logged on.

Event: Users reset their primary password using Account Self-Service
Description: When users reset their primary password using Self-Service Password Reset, they are prompted to further confirm their identity. Do not use the Previous Password authentication option with Self-Service Password Reset exclusively.

Event: Users unlock their domain account using Account Self-Service
Description: When users unlock their account using Account Unlock, they are prompted to further confirm their identity.

Event: Users change their authentication types
Description: For example, when users switch from smart card authentication to password-based authentication, they are prompted to further confirm their identity.

Event: Password change on a client device not running Password Manager
Description: Users who change their primary password on a client device not running the agent software are prompted to confirm their identity the next time they log on to a client device running the agent software.

Your users can confirm their identity using one or more of the options you can specify to meet your organization's requirements, as described in Overview of Identity Verification Methods on page 115.

Overview of Identity Verification Methods

According to the events described in When Must Users Confirm Their Identities? on page 114, Password Manager includes two identity verification methods to help ensure that the user is authorized to use Password Manager:
- Previous Password on page 115
- Security Questions on page 116

You can also choose to bypass identity verification by using the automatic key management feature. See Bypassing Identity Verification on page 116.

Select Secondary Data Protection on page 100 describes the user configuration options associated with authentication and identity verification.

Note: You can allow users to choose the identity verification method (previous passwords or security questions) they prefer to use when authenticating. This option is available as part of the Secondary Data Protection property in the user configuration.

Previous Password

With this method, users verify their identities by typing their previous primary password.

Caution: When previous password is the only method available to your users, users who forget their previous primary password are locked out of the system. Their user data must be deleted from the central store and from all client devices on which it is stored, and they must reenter their credentials for all of their applications. See Resetting and Deleting User Data on page 106.
Security Questions

Note: See Managing Question-Based Authentication on page 119 for information about creating security questions.

When users change their primary passwords, you can confirm your users' identities by prompting them to answer security questions in the form of a questionnaire you create. This questionnaire appears the first time your users launch the agent software. Users answer the required number of security questions and are prompted to reenter this information at specific password change events. The questions in your questionnaire should be of a nature that ensures the person answering the question is the only person who knows or could easily provide the answer. You can use the default questions Password Manager provides or create your own. See Designing Security Questions: Security Versus Usability on page 122.

Bypassing Identity Verification

Important: Automatic key management is not as secure as other key recovery mechanisms such as security questions and previous password.

If you want Password Manager to bypass identity verification and retrieve user encryption keys automatically, you can specify the Secondary Data Protection option Do not prompt users, restore primary data protection automatically over the network. This method, known as automatic key management, is available when you install the Key Management Module and you create a user configuration with this option selected. See Select Secondary Data Protection on page 100.

With this method, users log on to the network and have immediate access to applications managed by Password Manager. There are no questions to answer. When users change their primary passwords, the agent detects these password changes and recovers the users' encryption keys using the Password Manager Service.
Automatic key management provides users with the easiest and fastest access to their applications. However, it does not protect against access by an unauthorized user because there is no user secret to protect the user's network password. To help prevent this potential problem, implement automatic key management in combination with the Self-Service Module. This module requires question-based authentication to allow your users to confirm their identity when resetting their primary passwords or unlocking their domain accounts.

If Users Switch among Multiple Primary Authentication Methods

In Citrix Password Manager, users can switch among multiple primary authentication methods. Password Manager protects user passwords with a unique copy of the security key as a reauthentication method to efficiently unlock the user's data each time the user switches between authentication methods, without the user having to verify identity. The option to select multiple primary authentication methods is available as part of the Data Protection Method page in the user configuration. See Planning Your User Configurations in the Citrix Password Manager Installation Guide and Select Data Protection Methods on page 97.

Consider the following user scenario: A call center supervisor logs on to a PC using primary credentials (Windows user name and password). Password Manager Agent is installed on the PC and allows the supervisor to use single sign-on (SSO) enabled applications. The supervisor occasionally uses a smart card with PIN to log on to a shared PC on the call center floor and launch another published application through Presentation Server. This PC uses Hot Desktop to enable fast user switching among different accounts. In Password Manager Versions 4.0 and 4.1, the call center supervisor is required to verify identity before using the SSO-enabled applications when changing primary authentication methods.

In this use case, the supervisor used two primary authentication methods: first a user name and password, then a smart card with PIN. Password Manager Versions 4.0 and 4.1 treat the change of authentication method as requiring security key recovery and possibly require the supervisor to verify identity.

Note: Users are required to register or enroll each new authentication method the first time they use or switch to the method. However, later switches do not require a registration or enrollment (that is, a key recovery is not subsequently required).
6 Managing Question-Based Authentication

Important: If you plan to use the password reset or domain account unlock self-service features available from the Password Manager Key Management Module, you must use the question-based authentication method to allow your users to confirm their identity when resetting their primary passwords or unlocking their domain accounts.

Question-based authentication allows you to provide secure authentication to users who change their primary password under specific circumstances, change their method of authentication, or have their accounts locked. The use of security questions and question-based authentication can help protect against access by unauthorized users by requesting information known only to your individual users. The questions you create must request non-public information that would be difficult for anyone other than the authorized users to provide or find (for example, difficult for brute force guessing, dictionary-based attacks, and so on).

This section describes the following topics:
- Confirming User Identity Using Question-Based Authentication on page 120
- Question-Based Authentication Workflow on page 121
- Designing Security Questions: Security Versus Usability on page 122
- Managing Your Questions on page 124
- Backward Compatibility with Password Manager Versions 4.0 and 4.1 on page 133
- Allowing Users to Reregister Answers to Their Security Questions on page 134
Confirming User Identity Using Question-Based Authentication

If you are implementing the password reset or domain account unlock self-service features available from the Password Manager Key Management Module, use question-based authentication for user identity verification. You can also choose question-based authentication as a form of secondary data protection if a user's primary authentication changes. See Select Secondary Data Protection on page 100.

Depending on the user configuration settings in the console, users might be required to verify their identities when the following events occur:
- Users change their authentication types; for example, a user might switch between smart card and password authentication.
- An administrator changes a user's primary password.
- Users reset their primary password using Account Self-Service.
- Users unlock their domain account using Account Self-Service.
- Users change their primary password on a device that does not have the agent software installed and then log on to a device where the agent software is installed.

Note: You can also create a user configuration that does not require subsequent verification when switching among authentication types; see If Users Switch among Multiple Primary Authentication Methods on page 117.

If configured, the Password Manager Agent prompts users to answer the security questions during the first-time use of the Password Manager Agent. When one of the events that require users to verify their identity occurs, the agent launches the questionnaire you created for them. A questionnaire is a preconfigured list of questions you create. Each question in the questionnaire appears on a separate page. For example, if five questions are in your questionnaire, users see five separate pages, one for each question. Users must answer every question correctly. Depending on administrator settings, answers must be an exact match, including case, to the answers users gave when Password Manager was launched for the first time. The correct combination of questions and answers confirms the user's identity. After a user is confirmed, the agent software encrypts the keys again using the new primary password and stores the user's secondary credentials.

Considerations

Note: Depending on administrator settings, alphabet case usage, punctuation, and spaces are included in the user's answer and must match exactly when the user is asked to answer the selected security questions at a later date.

- If you choose not to configure answers to security questions as required for your users, users are prompted for their previous primary password when they change their primary password and attempt to log on with their new password.
- You can allow users to choose the identity verification method they prefer to use when authenticating. This option is available as part of the Secondary Data Protection property in the user configuration. See Select Secondary Data Protection on page 100.
- To prevent user lockout, do not combine Self-Service Password Reset with the Previous Password option exclusively. Users who reset their password are unlikely to recall their previous primary password and cannot retrieve their secondary credentials.
- Multiple questions provide the best data protection. For more information about creating secure questions, see Designing Security Questions: Security Versus Usability on page 122.
- By default, Question-Based Authentication is populated with four security questions. While you can use these four questions exclusively, Citrix recommends you add your own security questions and question groups. For more information, see Managing Your Questions on page 124.

Question-Based Authentication Workflow

Important: Create and make available your security questions before deploying the agent software. After a user selects a question, that question must always be available. If you change or remove a question that is in use, those users cannot use the security questions to recover their secondary credentials until and unless you force them to reenroll. See Prompting Users to Reregister Answers to Security Questions.

1. Create your security questions, defining the minimum length and case sensitivity. These questions can be made available in the languages Password Manager supports.
2. Optionally, group these questions in security question groups. You can create a number of questions for your users to choose from, giving them flexibility to choose a question to which they are more likely to recall an answer. This scheme allows you to define the number of questions from each group users are required to answer.
3. Add your questions, or questions and question groups, to your questionnaire.
4. Select one or two questions to be used for key recovery. These questions are used to encrypt the data for key recovery; your users will still be required to provide answers for questions they answered at enrollment.
5. Optionally, enable Security questions answer masking. This feature provides you the option to mask user answers to question-based authentication security questions. If enabled, users' answers are protected during answer registration and identity verification.

Important: Enabling Security question masking for existing users with input method editors, or IMEs, may prevent these users from being able to provide answers during registration and identity verification. Eastern Asian languages, such as Chinese, Japanese, and Korean, require the use of an IME to enter characters into the Password Manager interface. Enabling the masking feature automatically disables the IME during registration and identity verification for those users who are upgraded to Password Manager 4.6. There is no impact on users new to Password Manager with Version 4.6.

Note: Security question answer masking is available on console and agent software running Password Manager 4.6 only.

Designing Security Questions: Security Versus Usability

Password Manager provides four default questions that you can use to manage user registration. These questions are available in all supported languages (English, French, German, Japanese, and Spanish). Citrix recommends you create your own security questions and make them available in each of the languages your environment must support.
Someone trying to gain access to a user password needs to know the answers to all the questions the user originally answered. Consider, however, that requiring users to answer too many questions might make it too difficult for your users to confirm their identity.

Security questions should request non-public information that would be difficult for anyone other than the valid user to provide (for example, difficult for brute force guessing or dictionary-based attacks). The key factor in determining the security of questions is the degree of difficulty involved when someone attempts to guess the answer. A good question is one that has high entropy; that is, a question for which:
- The number of unique answers possible is very high
- The probability of guessing any one specific answer is very low

For usability purposes, the question should be easy for a user to remember but difficult for an adversary to determine. For example:
- What is the name of your favorite college professor or high school teacher?
- Where would you go for your ultimate dream vacation? (city, country)
- What is the title of your favorite song and who is the artist?
- What is the title of your favorite book and who is its author?
- What is the name of your favorite work of art, who is the artist, and where did you see it?

However, in these examples, cultural bias could make it more likely for users in the same population to have identical answers to these questions, even if they do not deliberately share the answers. This bias potentially increases the risk of an insider attack.

Avoid creating questions that:
- Return simple answers, such as What is your favorite color?
- Request information likely to be known, or to change, such as What is your address?

Considerations for Security Questions

If you edit the existing default questions after users register their answers, consider the meaning of the edited questions. Editing a question does not force a user reenrollment; but if you change the meaning of a question, users who answered that question originally might not be able to provide the correct answer.
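The entropy criteria described above (many possible answers, each unlikely) can be checked numerically before a question goes into a questionnaire. The following Python script is an added example written for this guide's discussion; it is not Citrix code and not part of Password Manager. The two answer populations in it are constructed samples, not survey data. It scores a question by Shannon entropy, by min-entropy (the single most likely answer, which is what a guesser tries first), and by the chance that someone allowed k guesses per question and required to answer every question correctly gets through the whole questionnaire, which is how the guide says identity verification works.

```python
"""Added example: scoring security questions by answer entropy.

Not Citrix code. The answer populations below are constructed samples used
to illustrate the guide's point that a low-entropy question such as
"favorite color" gives a guesser a large head start.
"""
import math
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample: 100 answers to "What is your favorite color?"
FAVORITE_COLOR: List[str] = (["blue"] * 35 + ["green"] * 20 + ["red"] * 15
                             + ["purple"] * 10 + ["black"] * 8 + ["yellow"] * 5
                             + ["orange"] * 4 + ["pink"] * 3)

# Constructed sample: 100 answers to "favorite song and artist", where almost
# everyone answers differently and one popular answer is shared by 5 users.
FAVORITE_SONG: List[str] = ([f"song {i} / artist {i}" for i in range(95)]
                            + ["Imagine / John Lennon"] * 5)


def distribution(answers: Iterable[str]) -> Dict[str, float]:
    """Map each distinct answer to its empirical probability."""
    counts = Counter(answers)
    total = sum(counts.values())
    return {answer: n / total for answer, n in counts.items()}


def shannon_entropy_bits(dist: Dict[str, float]) -> float:
    """Average information per answer in bits (the guide's 'entropy')."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def min_entropy_bits(dist: Dict[str, float]) -> float:
    """Worst-case measure: -log2 of the most likely answer. This is the
    figure that matters against a guesser who tries the best answer first."""
    return -math.log2(max(dist.values()))


def guess_success_probability(dist: Dict[str, float], guesses: int) -> float:
    """Probability that `guesses` attempts succeed when the most common
    answers are tried first (the optimal guessing order)."""
    return sum(sorted(dist.values(), reverse=True)[:guesses])


def questionnaire_guess_probability(dists: List[Dict[str, float]],
                                    guesses_per_question: int) -> float:
    """Every question must be answered correctly, so the per-question
    probabilities multiply. This assumes independent answers; correlated
    answers (the guide's 'cultural bias') make the real chance higher."""
    p = 1.0
    for d in dists:
        p *= guess_success_probability(d, guesses_per_question)
    return p


if __name__ == "__main__":
    for name, sample in (("favorite color", FAVORITE_COLOR),
                         ("favorite song and artist", FAVORITE_SONG)):
        d = distribution(sample)
        print(f"{name}: shannon={shannon_entropy_bits(d):.2f} bits, "
              f"min-entropy={min_entropy_bits(d):.2f} bits, "
              f"p(3 guesses)={guess_success_probability(d, 3):.2f}")
```

Run on the constructed samples, the color question yields about 2.6 bits of Shannon entropy and roughly 1.5 bits of min-entropy, so three guesses cover 70% of users; the compound song question yields about 6.5 bits, and three guesses cover 7%. Because the questionnaire requires every answer to be right, replacing even one low-entropy question with a high-entropy one shrinks the guesser's overall chance by roughly an order of magnitude, which is the quantitative form of the guide's advice to avoid simple-answer questions.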
Adding, deleting, and replacing security questions after users are enrolled means that all users who were previously enrolled using an older set of questions cannot authenticate and reset their password until they reenroll. Users must answer the new set of questions when they open the agent software.

Individual security questions can belong to multiple security question groups. When you create your security question groups, all questions you create are available for use with any security question group.

Managing Your Questions

The Question-Based Authentication node in the Password Manager Console provides you with a central location for managing all security questions associated with identity verification, self-service password reset, and account unlock. You can add your own security questions to the list of default questions and create question groups and target them to specific users. This section describes the following:
- Setting a Default Language on page 124
- Creating New Security Questions on page 125
- Adding or Editing Text for Existing Questions (Including Translated Text) on page 126
- Creating Security Question Groups on page 128
- Creating and Implementing Your Questionnaire on page 129
- Selecting Questions for Key Recovery on page 131
- Enabling Security Answer Masking on page 132

See also:
- Backward Compatibility with Password Manager Versions 4.0 and 4.1 on page 133
- Allowing Users to Reregister Answers to Their Security Questions on page 134

Setting a Default Language

In most instances, users see security questions displayed in the language associated with their current user profile. If the language is not available, Password Manager displays the questions in the default language that you specify.
To set a default language

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager and Identity Verification nodes and select Question-Based Authentication on your Password Manager Console.
3. Click Manage Questions from the Common Tasks area. The Manage Questions dialog box appears.
4. Select Question-Based Authentication.
5. Select the default language from the Language drop-down box.
6. Click OK.

Note: The Perform backward compatibility check selection in this dialog box ensures that agents associated with Password Manager Versions 4.0 and 4.1 can continue to display identity verification questions. See Backward Compatibility with Password Manager Versions 4.0 and 4.1 on page 133 for more information.

Creating New Security Questions

You can create many different questions and designate a language for each question. You can also provide multiple translations of a single question. The agent software presents the user with the questionnaire in the language that corresponds to the language settings of the user's profile. If the language is not available, Password Manager displays the questions in the default language.

To create new security questions

Note: The default display language is English. When you specify a language for a security question, the question appears to users whose operating system settings are configured for that designated language. If the operating system settings do not match any of the questions available, users are shown your selected default language.

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node, expand Identity Verification, and select the Question-Based Authentication node.
3. Click Manage Questions in the Common Tasks area.
The Manage Questions dialog box appears with five available tasks:
- Question-Based Authentication
- Security Questions
- Questionnaire
- Key Recovery
- Security Answer Masking

4. Select Security Questions.
5. Select a language from the Language drop-down box and click Add Question. The Security Question editor appears.
6. In the editor:
   A. Type a new question in the Security Question text field.
   B. Choose the minimum length of the required answer.
   C. Select Answer is case sensitive to require an exact case match for the answer. Clear this check box if you do not require an exact case match for the answer.
7. Click OK to save your question and settings.
8. Click OK to close the Manage Questions dialog box.

Important: You must use the Edit command to include the translated text of existing questions. If you select Add, you are creating a new question that is not associated with the original.

Adding or Editing Text for Existing Questions (Including Translated Text)

Important: Adding, deleting, and replacing security questions after users are enrolled means that all users who were previously enrolled using an older set of questions cannot authenticate and reset their password until they reenroll. Users must answer the new set of questions when they open the agent software. Editing a question does not force a user reenrollment; but if you change the meaning of a question, users who answered that question originally may not be able to provide the correct answer.
To add or edit text for existing questions

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node, expand Identity Verification, and select the Question-Based Authentication node.
3. Click Manage Questions in the Common Tasks area. The Manage Questions dialog box appears with five available tasks:
   - Question-Based Authentication
   - Security Questions
   - Questionnaire
   - Key Recovery
   - Security Answer Masking
4. Select Security Questions.
5. Select a language from the Language drop-down box.
6. Select the question and click Edit. The Security Question editor appears.

Important: If you are editing an existing question, a warning appears saying that changing the meaning of a question might cause a mismatch in user answers during reauthentication. That is, a user might provide a different answer that does not match the stored answer.

7. In the editor:
   A. Type or edit the question in the Security Question text field.
   B. Choose the minimum length of the required answer.
   C. Select Answer is case sensitive to require an exact case match for the answer. Clear this check box if you do not require an exact case match for the answer.
8. Click OK to save your question and settings.
9. Repeat Steps 5 through 8 as required for each question and language.
10. Click OK to close the Manage Questions dialog box.
Creating Security Question Groups

You can create a number of security questions that your users answer to confirm their identities. Each question you add to the questionnaire must be answered by your users. However, you can also group these questions together in a security question group. For example, putting your questions in a group enables you to add a group of six questions to your questionnaire and allows your users to choose from that group of questions, answering, for example, three of the six. This scheme gives your users flexibility in selecting questions and providing answers to be used for identity verification.

To create a security question group

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node, expand Identity Verification, and select the Question-Based Authentication node.
3. Click Manage Questions in the Common Tasks area. The Manage Questions dialog box appears with five available tasks:
   - Question-Based Authentication
   - Security Questions
   - Questionnaire
   - Key Recovery
   - Security Answer Masking
4. Select Security Questions.
5. Click Add Group. The Security Question Group dialog box appears, with a list of security questions available to be added to the group.
6. In the dialog box:
   A. Type a name for your security question group. You can implement a naming scheme to identify your groups, such as adding a description of the questions to the word group, as in movie-group or hobby-group.
   B. Select the check box next to each question you want to add to the group.
   C. Select the number of questions from this group that a user must answer.
7. Click OK to save your group and settings.
8. Repeat Steps 5 through 7 to create additional groups.
9. Click OK to close the Manage Questions dialog box.

To edit a security question group

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node, expand Identity Verification, and select the Question-Based Authentication node.
3. Click Manage Questions in the Common Tasks area. The Manage Questions dialog box appears with five available tasks:
   - Question-Based Authentication
   - Security Questions
   - Questionnaire
   - Key Recovery
   - Security Answer Masking
4. Select Security Questions.
5. Select the security question group you want to edit and click Edit. The Security Question Group dialog box appears, with a list of security questions available to be part of the group. The questions currently in the group are indicated by a check mark. Here you can edit the name of the group, add questions to the group, and select the number of questions from this group a user must answer.
6. Click OK to save your group and settings.
7. Click OK to close the Manage Questions dialog box.

Creating and Implementing Your Questionnaire

Your users view and answer the security questions you select in the form of a questionnaire. The questionnaire draws on a pool of questions and question groups you create and make available to your users.
A questionnaire consists of a list of one or more questions and/or one or more question groups. You cannot repeat a question in the questionnaire. For example, you cannot create a question group that includes a question that is already in the questionnaire.

Before You Begin

Individual security questions can belong to multiple security question groups. When you create your security question groups, all questions you create are available for inclusion in any security question group.

If you are upgrading from a previous release of Password Manager, you might need to add questions and question groups with specific settings for backward compatibility with older versions of the Password Manager Agent.

To add, remove, or change the order of the security questions in the questionnaire

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node, expand Identity Verification, and select the Question-Based Authentication node.
3. Click Manage Questions in the Common Tasks area. The Manage Questions dialog box appears with five available tasks:
   Question-Based Authentication
   Security Questions
   Questionnaire
   Key Recovery
   Security Answer Masking
4. Select Questionnaire and click Add.
5. Select the security questions or security question groups you want to add to the questionnaire. If the question group you add contains more questions than you require users to answer (for example, three of six), users select and answer questions from a drop-down list until the required number of questions is answered.
6. Optionally, click Move Up or Move Down to change the order in which the questions or question groups are presented to your users.
7. Optionally, select a question and click Remove to remove it from the questionnaire.
   Note: When you remove a question from the questionnaire, the question is no longer included in the list of questions displayed to new users, but it still appears for existing users.
8. Click OK to save your questionnaire. A message might appear asking if you want to force users to reenroll answers. Click Yes to force reenrollment.

Selecting Questions for Key Recovery

You must select one or two of the questions your users answer to encrypt the data for key recovery. Your users need to provide answers for all of the questions they originally answered when enrolling, but the questions you select are used to provide data to include as part of the encryption and key recovery process.

To select one or more questions for key recovery

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node, expand Identity Verification, and select the Question-Based Authentication node.
3. Click Manage Questions in the Common Tasks area. The Manage Questions dialog box appears with five available tasks:
   Question-Based Authentication
   Security Questions
   Questionnaire
   Key Recovery
   Security Answer Masking
4. Select Key Recovery.
5. Select the check box next to each question or question group to use for key recovery during identity verification.
6. Click OK to save your questions and settings. A message might appear asking if you want to force users to reenroll answers. Click Yes to force reenrollment.
Enabling Security Answer Masking

Note: Security answer masking is available with Password Manager 4.6 only.

Important: Enabling security answer masking for existing users with input method editors (IMEs) may prevent these users from being able to provide answers during registration and identity verification. East Asian languages, such as Chinese, Japanese, and Korean, require the use of an IME to enter characters into the Password Manager interface. Enabling the masking feature automatically disables the IME during registration and identity verification for those users who are upgraded to Password Manager 4.6. There is no impact on users new to Password Manager with Version 4.6.

Security answer masking provides an added level of security for your users when they register their security question answers or provide their answers during identity verification. When this feature is enabled, the answers of users running Password Manager 4.6 are hidden. During the answer registration process, these users are asked to type their answers twice to avoid typing and spelling errors. Users need to type their answers only once during identity validation because they are prompted to retry if there is an error.

Note: Security question answers registered with Password Manager 4.5 agent software can be masked when your software is upgraded to Version 4.6. Security question answers for users with agent software for Password Manager 4.5, 4.1, or 4.0 remain visible regardless of the console setting.

To enable security answer masking

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node, expand Identity Verification, and select the Question-Based Authentication node.
3. Click Manage Questions in the Common Tasks area. The Manage Questions dialog box appears with five available tasks:
   Question-Based Authentication
   Security Questions
   Questionnaire
   Key Recovery
   Security Answer Masking
4. Select Security Answer Masking.
5. Select Mask answers for security questions.
6. Click OK to save your setting.

Backward Compatibility with Password Manager Versions 4.0 and 4.1

Backward compatibility mode enables the agent software to continue prompting users with the identity verification questions you used for Password Manager Versions 4.0 and 4.1. Backward compatibility mode also allows you to continue using the default question, "What is your identity verification phrase?" If you are upgrading from Password Manager 4.1, the identity verification questions and the questions you used for self-service password reset appear as a questionnaire in the Manage Questions editor.

Important: When creating and editing user configurations, do not enable backward compatibility if you have a new installation of Password Manager, because that limits agent software functionality to Versions 4.0 and 4.1 of the product. Conversely, do not disable backward compatibility mode if agents from Version 4.0 or 4.1 of Password Manager are running, because that prevents them from performing key recovery and self-service password reset registrations.

If you are using automatic key management, do not enable backward compatibility. Automatic key recovery does not require users to answer identity verification questions.

To make your questionnaire backward compatible

For Password Manager 4.0 and 4.1 backward compatibility, the questionnaire must include at least one security question associated with the self-service password reset feature. Each security question must include the following settings:
   Case sensitivity disabled
   Minimum answer length set to one
   Questions cannot be enabled for key recovery
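The questionnaire rules in this chapter (a question may not appear twice, a group requires some number of its questions to be answered, and each question needs the three settings above before 4.0/4.1 agents can use it) can be modelled and checked outside the console. The following Python script is an added example, not Citrix code or part of this guide; the class names, field names and sample questions are constructed for illustration, and the console's own "Perform backward compatibility check" remains the authoritative test.

```python
"""Model of a Password Manager questionnaire and the checks described in this
chapter. Added example: the classes, field names and sample questions are
constructed for illustration and are not Password Manager APIs."""
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class SecurityQuestion:
    text: str
    case_sensitive: bool = False      # "Case sensitivity disabled" for 4.0/4.1 agents
    min_answer_length: int = 1        # "Minimum answer length set to one" for 4.0/4.1 agents
    key_recovery: bool = False        # selected on the Key Recovery task
    self_service: bool = False        # associated with self-service password reset


@dataclass(frozen=True)
class SecurityQuestionGroup:
    name: str                         # e.g. movie-group
    questions: tuple                  # questions in the group
    required_answers: int             # how many of them a user must answer


Item = Union[SecurityQuestion, SecurityQuestionGroup]


def _questions_of(item: Item) -> tuple:
    return item.questions if isinstance(item, SecurityQuestionGroup) else (item,)


def validate_questionnaire(items: List[Item]) -> List[str]:
    """Problems the console would not let you save; an empty list means OK."""
    problems, seen = [], set()
    for item in items:
        if isinstance(item, SecurityQuestionGroup) and not (
            1 <= item.required_answers <= len(item.questions)
        ):
            problems.append(
                f"group {item.name!r}: users must answer between 1 and "
                f"{len(item.questions)} questions, not {item.required_answers}"
            )
        for q in _questions_of(item):
            if q.text in seen:
                problems.append(f"question {q.text!r} appears more than once")
            seen.add(q.text)
    return problems


def required_answer_count(items: List[Item]) -> int:
    """Number of answers a user must give when enrolling against this questionnaire."""
    return sum(
        item.required_answers if isinstance(item, SecurityQuestionGroup) else 1
        for item in items
    )


def backward_compatibility_errors(items: List[Item]) -> List[str]:
    """Settings that break 4.0/4.1 agents, mirroring the three requirements
    listed under 'To make your questionnaire backward compatible'."""
    questions = [q for item in items for q in _questions_of(item)]
    errors = []
    if not any(q.self_service for q in questions):
        errors.append("no question is associated with self-service password reset")
    for q in questions:
        if q.case_sensitive:
            errors.append(f"{q.text!r}: case sensitivity must be disabled")
        if q.min_answer_length != 1:
            errors.append(f"{q.text!r}: minimum answer length must be one")
        if q.key_recovery:
            errors.append(f"{q.text!r}: must not be enabled for key recovery")
    return errors


# Constructed sample questionnaire: a six-question group of which three must
# be answered, plus the default question named in this chapter.
MOVIE_GROUP = SecurityQuestionGroup(
    "movie-group",
    tuple(SecurityQuestion(t, self_service=True) for t in (
        "What is your favorite movie?",
        "Who is your favorite actor?",
        "What was the first movie you saw in a theater?",
        "Which movie have you watched the most times?",
        "What is your favorite movie quote?",
        "Who directed your favorite movie?",
    )),
    required_answers=3,
)
DEFAULT_PHRASE = SecurityQuestion("What is your identity verification phrase?", self_service=True)
QUESTIONNAIRE = [MOVIE_GROUP, DEFAULT_PHRASE]

if __name__ == "__main__":
    print(validate_questionnaire(QUESTIONNAIRE))          # []
    print(required_answer_count(QUESTIONNAIRE))          # 4
    print(backward_compatibility_errors(QUESTIONNAIRE))  # []
```

The duplicate check treats a question inside a group and the same question added directly as the same question, which is the case the chapter calls out; the count function shows why a "three of six" group plus one standalone question means four answers at enrollment.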
To check for backward compatibility

You can check for backward compatibility if you are upgrading from a previous version of Password Manager:

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node, expand Identity Verification, and select the Question-Based Authentication node.
3. Click Manage Questions in the Common Tasks area. The Manage Questions dialog box appears with five available tasks:
   Question-Based Authentication
   Security Questions
   Questionnaire
   Key Recovery
   Security Answer Masking
4. Select Question-Based Authentication.
5. Select Perform backward compatibility check and click OK. Password Manager performs the backward compatibility check and displays any errors in a dialog box.

Allowing Users to Reregister Answers to Their Security Questions

Password Manager allows your users to reregister answers to their security questions at any time without the intervention of an administrator. If your environment includes security questions or account self-service features, users who registered security questions and answers can use the agent software to provide new answers to their available security questions.

Users can select Security Questions Registration from the Tools menu in Logon Manager or from the shortcut menu associated with the notification icon for the agent software. Selecting this option starts the Security Questions Registration wizard, where users can reregister answers to their security questions. After users successfully provide their answers and receive confirmation that the new answers are saved to the central store, their old answers are no longer valid.

This feature is available only to users who connect to Password Manager with the current version of the agent software and who previously registered answers to their security questions.
7 Allowing Users to Manage Their Primary Credentials with Account Self-Service

You can configure the self-service features of Password Manager to allow your users to reset their primary password or unlock their Windows domain accounts without intervention by administrative or help desk staff. Depending on your needs, you can implement one or both of the self-service password reset and account unlock features securely in your Password Manager environment.

This section describes the following topics:
   Overview of Self-Service on page 137
   Summary of Self-Service Implementation Tasks on page 139
   When Users Forget Their Security Questions on page 139
   User Experience on page 140

Note: To implement Account Self-Service with Citrix Web Interface, see the Web Interface Administrator's Guide, available from the Citrix support Web site at

Overview of Self-Service

The Self-service Module features are protected by question-based authentication, which ensures that your users are authorized to reset their passwords or unlock their accounts. During the first-time use of the Password Manager Agent, or the first use after Self-service is configured, users must register answers to security questions you create and select during Password Manager setup.
These security questions are then presented to users when they need to reset their password or unlock their account. When the questions are answered correctly, users are allowed to reset their password or unlock their account, avoiding the need to call the help desk or administrator. Managing Question-Based Authentication on page 119 describes question-based authentication.

Important: The self-service password reset and account unlock features require that you implement question-based authentication. Users must register answers to security questions to use these features. If you choose not to use question-based authentication in your Password Manager environment, the self-service password reset and account unlock features are not available to your users.

Considerations

You can implement the features of the Self-service Module to allow your users to reset their primary (domain account) password or unlock their Windows domain accounts in an Active Directory environment only.

When users change their application password by using the Password Manager Agent, or their primary password by using the Ctrl+Alt+Del key combination on a device on which the agent software is installed, Password Manager automatically captures the password change.

To prevent user lockout, do not combine the self-service password reset with the previous password method of confirming users' identities exclusively. When previous password is the only method available to your users, users who forget their previous primary password are locked out of the system. Their user data must be reset or deleted from the central store and from all client devices on which it is stored, and they must reenter their credentials for all of their applications. See Resetting and Deleting User Data on page 106.

Using Automatic Key Management with Self-Service

Combining automatic key management with self-service provides greater ease of use to users needing access to password-protected applications handled by the Password Manager Agent. For example, if users reset their primary passwords, they do not need to answer security questions after successfully resetting their passwords. (However, they do need to answer security questions during the self-service password reset process.)
With automatic key management, users do not have to verify their identities after unlocking their accounts or resetting their domain passwords. See User Experience on page 140 for more information.

Summary of Self-Service Implementation Tasks

To use self-service, perform the following steps:

   Task: Install the Password Manager Self-Service module.
   Task: Install the Key Management Module.
   See: Installing and Configuring the Password Manager Service in the Citrix Password Manager Installation Guide

   Task: Configure your question-based authentication.
   See: Managing Question-Based Authentication on page 119

   Task: Create a user configuration with one or both of the self-service password reset or account unlock features enabled.
   See: Enable Self-Service Features on page 101

   Task: Install and configure the agent software.
   See: Installing and Configuring the Password Manager Agent in the Citrix Password Manager Installation Guide

When Users Forget Their Security Questions

If users forget the answers to their security questions, you must use the Password Manager Console to reset self-service registration for those users. After you reset a user or users, the Self-Service Registration wizard appears the next time the users open the agent software. Your users can then register answers to their security questions.

To reset self-service user registration

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node, expand the Identity Verification node, and select Question Based Authentication.
3. In the Other Tasks area, click Revoke security question registration for a user.
4. In the Select User dialog box, type the user or user group name and click OK.
5. Confirm the reset request for the selected user.
User Experience

After the service and agent software are installed and configured, the Self-Service Module modifies the user's Windows logon dialog box and the Unlock Computer dialog box, or the Welcome screen for Windows Vista users (available when users lock their computers with the CTRL-ALT-DELETE key combination), by adding an Account Self-Service button.

Before users can access the self-service features, they must log on to their primary domain account and register answers to security questions. After successfully enrolling, they can use the self-service password reset and account unlock features.

As described in Using Automatic Key Management with Self-Service on page 138, with automatic key management, users do not have to verify their identities after unlocking their accounts or resetting their domain passwords. The following table shows the user experience when using these features.

Without Automatic Key Management
   1. User clicks the Account Self-Service button.
   2. User selects Unlock my account or Reset my Password.
   3. User answers security questions successfully.
   4. User types and confirms new password, clicks Finish, and is logged off.
   5. User logs on with new password and the agent software synchronizes with the central store.
   6. Depending on user configuration settings, the user provides a previous password or answers to security questions to verify identity after the password change. With a correct response, the user has access to SSO-enabled applications configured in Password Manager. See Considerations on page 138 to help prevent user lockout.

With Automatic Key Management
   1. User clicks the Account Self-Service button.
   2. User selects Unlock my account or Reset my Password.
   3. User answers security questions successfully.
   4. User types and confirms new password, clicks Finish, and is logged off.
   5. User logs on with new password and the agent software synchronizes with the central store.
   6. No identity verification is required. The user has access to SSO-enabled applications configured in Password Manager.
8 Using Provisioning to Automate Credential Entry

Note: You can use the Provisioning service to reset user credential information and to delete users and their application credentials from Password Manager for multiple users. See Resetting and Deleting User Data on page 106 for information on how to accomplish this for a single user. The agent software processes each reset command when the agent is started or restarted (if it is currently running on the user's PC). Otherwise, the agent software processes any other provisioning command when the agent is started or restarted, when the user clicks Refresh in the agent's Logon Manager, or when the user clicks Refresh in the agent icon's context menu. If a reset command is in the queue when the user clicks Refresh, a message appears stating that the user data has been reset and directing the user to restart the Password Manager Agent.

This section describes how to use the Provisioning Module (also known as credential provisioning) to manipulate user credentials associated with applications defined in a user configuration. Provisioning enables you to automate these procedures and apply them to multiple users. For example, you can use credential provisioning to eliminate the need for first-time agent software users to perform initial credential setup. If you plan to deploy new software to your users, create an application definition for the application and use credential provisioning to add the credentials for all users who will use the application.

This section describes the following topics:
   Summary of Provisioning Tasks on page 142
   Generating a Credential Provisioning Template on page 143
   Editing the Provisioning Template on page 144
   Provisioning Credentials on page 151
   Tuning Credential Provisioning Processing on page 152
   The Credential Provisioning SDK on page 152

Summary of Provisioning Tasks

To manipulate credential information in your central store for SSO-enabled applications contained in user configurations, you must perform the following tasks:

1. Install the Provisioning Module of the Password Manager Service. See Installing and Configuring the Password Manager Service in the Citrix Password Manager Installation Guide.
2. Create a user configuration that uses the provisioning service. See Creating User Configurations on page 81.
3. Generate a credential provisioning template. See Generating a Credential Provisioning Template on page 143.
4. Populate the template with user credential data and select a command to run. See Editing the Provisioning Template on page 144.
5. Process your provisioning data. See Provisioning Credentials on page 151.

Important: The XML file you use to provision credentials contains highly sensitive user-related information. Citrix recommends that you delete the file or move it to a secure location when credential provisioning is completed.

After the credentials are added, removed, or modified in the central store, the credentials are ready for use in your environment. When users start the agent software, the credentials are recognized by SSO-enabled applications and made available to your users. First-time users of the agent software do not need to perform initial credential setup if you added all credential information to the central store by the process of credential provisioning.

If you need to manipulate the credentials of many users, consider using the Credential Provisioning Software Development Kit (SDK) located in the \Support\Provisioning folder on your product CD. See The Credential Provisioning SDK on page 152.

Note: Adding, changing, or removing credentials from the central store can consume a large amount of system resources. Citrix recommends that you perform credential provisioning during off-peak hours.
Generating a Credential Provisioning Template

Note: The following procedure assumes that you created a user configuration consisting of at least one of the following: an application definition, an application group, or a password policy (perhaps including an optional password sharing group), and that provisioning is enabled in the user configuration.

A provisioning template is an XML document that contains information about the applications included in your selected user configuration:
   Application group
   Application definition name and globally unique identifier (GUID)
   User information such as user name and password
It also includes the add, remove, and modify commands that you use when you import the edited template into Password Manager.

To generate a credential provisioning template

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select User Configurations.
3. Select a user configuration.
4. In the Common Tasks area, click Generate Provisioning Template.
5. In the Generate Provisioning Template dialog box, type a name for the template and click Save.
6. Click OK to confirm that a template in XML file format was created.

The resulting template includes example command information and specific information about the selected user configuration. See Editing the Provisioning Template on page 144.
Editing the Provisioning Template

Note: Use a text editor or XML file editor to edit the generated template. The provisioning template uses SPML (Service Provisioning Markup Language), an XML-based standard for data interchange. As with XML, ensure that each SPML tag or element (for example, the <add> tag) is well-formed and conforms to XML syntax rules. For example, when removing comment characters such as <!-- and -->, ensure that you remove any extraneous angle bracket characters (< or >), or errors might result during processing of the provisioning template. For detailed information about XML, see the W3C Web site at

Ensure that you remove comment characters (<!-- and -->) where applicable.

The provisioning template XML file enables you to use the following tags and commands:
   The <cpm-provision> Tag on page 144
   The <user> Tag on page 146
   The <add> Command on page 146
   The <modify> Command on page 147
   The <delete> Command on page 148
   The <remove> Command on page 149
   The <reset> Command on page 150
   The <list-credentials> Command on page 150

The <cpm-provision> Tag

Note that you must include your desired tags and commands within the <cpm-provision> provisioning tag (located around line 70 in the generated XML file):

   <cpm-provision version="1.0" xmlns=" Provision/Import">
      insert <user> tag and commands here
   </cpm-provision>

Example Output

The generated template includes the following:
   <user> information about the user who generated the template
   <add> command for the application name in the user configuration
   <modify> command with the application definition name

Near the bottom of the XML file is the specific information about the selected user configuration that you can copy and use in your template. For example:

   <user fqdn="domain\fred-admin">
   <!--Application Group: PNA-->
   <!--Application Definition: Citrix GoToMeeting-->
   <!--<add>
      <application name="Citrix GoToMeeting">0998ac2c-baa a-b2daeea047f3</application>
      <name>Citrix GoToMeeting</name>
      <description>Citrix GoToMeeting Login</description>
      <hidden-description>Citrix GoToMeeting hidden Description</hidden-description>
      <userid>userid</userid>
      <password>password</password>
   </add>-->
   <!--<modify>
      <credential-id></credential-id>
      <name>Citrix GoToMeeting</name>
      <description>Citrix GoToMeeting Login</description>
      <hidden-description>Citrix GoToMeeting hidden Description</hidden-description>
      <userid>userid</userid>
      <password>password</password>
   </modify>-->
   </user>

For example, you can copy the user information between the <user> and </user> tags, uncomment it, and edit it for each user whose credentials you wish to add.
Note: In the example above, <user fqdn="domain\fred-admin"> is the domain and user name of the user who generated the template. You can comment out this information or delete it if you do not want to store it in the template.

The <user> Tag

Use the <user> tag to add domain and user name information for each user whose application credentials you wish to provision. You must provide one <user> tag for each user to be provisioned. Each <user> tag also contains the commands to execute on this user account. The syntax for this command is as follows.

   <user fqdn="yourdomain\userid">
      <command>
   </user>

where:
   yourdomain   Indicates the domain name of the user to be added
   userid       Indicates the user name of the user to be added
   command      Indicates one or more commands that you can execute on this user: <add>, <modify>, <delete>, <remove>, <reset>, <list-credentials>

The <add> Command

The <add> command enables you to add a user name and password required for the applications included in the user configuration. The syntax for this command is as follows.

   <add>
      <application name="%APPNAME%">%APPGUID%</application>
      <name>%CREDENTIALNAME%</name>
      <description>longdescription</description>
      <hidden-description>%APPNAME% hidden description</hidden-description>
      <userid>userid</userid>
      <password>password</password>
      <custom-field index="1" label="%LABELTEXT%">custom-field1</custom-field>
      <custom-field index="2" label="%LABELTEXT%">custom-field2</custom-field>
   </add>

where:
   <application>          Required. The <application> element and its attributes are typically generated automatically when you generate a template. The name= attribute is optional. %APPNAME% is the name of the application definition in the selected user configuration. %APPGUID% is the GUID of the application and must match
   <name>                 Required. The <name> element and its attributes are typically generated automatically. %CREDENTIALNAME% is the name of the application in the application definition.
   <description>          Optional. Type text that describes the user configuration.
   <hidden-description>   Optional. Type any text here.
   <userid>               Required. userid is the user name of the user to be added.
   <password>             Required. password is the password for the user to be added.
   <custom-field>         Required if another field is required for authentication (for example, a field where the user must enter the domain). Use as many custom fields as required by the application.

The <modify> Command

The <modify> command enables you to modify a user name and password required for the applications included in the user configuration.

Important: This command requires the user's credentials. You can retrieve user credentials by using the <list-credentials> command before using the <modify> command. See The <list-credentials> Command on page 150.

Include only those elements you want to modify:
   To leave a value unchanged, delete the line. For example, delete the <name> element to leave the application name as is.
   To change a value, specify the value in the template. For example, include the <name> element to specify a new application name.
   A value is cleared by including the element without a value. For example, use <description></description> to delete the current description.

The syntax for this command is as follows.

   <modify>
      <credential-id>%CREDENTIAL-ID%</credential-id>
      <name>%CREDENTIALNAME%</name>
      <description>longdescription</description>
      <hidden-description>%APPNAME% hidden description</hidden-description>
      <userid>userid</userid>
      <password>password</password>
      <custom-field index="1" label="%LABELTEXT%">custom-field1</custom-field>
      <custom-field index="2" label="%LABELTEXT%">custom-field2</custom-field>
   </modify>

where:
   <credential-id>        Required. The credential GUID value %CREDENTIAL-ID% of the user must match the value returned by a <list-credentials> command. See The <list-credentials> Command on page 150.
   <name>                 Optional. The <name> element and its attributes are typically generated automatically. %CREDENTIALNAME% is the name of the application in the application definition.
   <description>          Optional. Type text that describes the user configuration.
   <hidden-description>   Optional. Type any text here.
   <userid>               Required. userid is the user name of the user to be modified.
   <password>             Required. password is the password for the user to be modified.
   <custom-field>         Required if another field is required for authentication (for example, a field where the user must enter the domain). Use as many custom fields as required by the application.

The <delete> Command

The <delete> command enables you to delete a user's credentials for a specific SSO-enabled application.

Important: This command requires the user's credentials. You can retrieve user credentials by using the <list-credentials> command before using the <delete> command. See The <list-credentials> Command on page 150.

The syntax for this command is as follows.

   <user fqdn="yourdomain\userid">
      <delete>
         <credential-id>%CREDENTIAL-ID%</credential-id>
      </delete>
   </user>

where:
   yourdomain        Indicates the domain name of the user.
   userid            Indicates the user name of the user.
   <credential-id>   Required. The credential GUID value %CREDENTIAL-ID% of the user must match the value returned by a <list-credentials> command. See The <list-credentials> Command on page 150.

The <remove> Command

Note: This command is similar to the Password Manager Console Delete user data from central store task. See Delete User Data From Central Store on page 108.

The <remove> command enables you to remove user data and information from the central store. Use this command when a user leaves your enterprise permanently. The local credential store on the user's PC remains intact until it is explicitly deleted by an administrator or operator. The syntax for this command is as follows.

   <user fqdn="yourdomain\userid">
      <remove />
   </user>

where:
   yourdomain   Indicates the domain name of the user.
   userid       Indicates the user name of the user.
The <reset> Command

Note: This command is similar to the Password Manager Console Reset user data task. See Reset User Data on page 106.

The <reset> command enables you to reset user information in your central store, which results in the selected user being returned to an initial state. In the case of non-Active Directory central stores, the user folders are retained, but all user data (credentials, enrollment questions and answers, and so on) is deleted. In Active Directory central stores, the user data is deleted and the user is flagged as having had data reset. The syntax for this command is as follows.

   <user fqdn="yourdomain\userid">
      <reset />
   </user>

where:
   yourdomain   Indicates the domain name of the user.
   userid       Indicates the user name of the user.

The <list-credentials> Command

The <list-credentials> command enables you to retrieve a specific user's credentials for each application in the associated user configuration. The <modify> and <delete> commands require that you use the retrieved credential GUID as the value for the %CREDENTIAL-ID% parameter. (See The <modify> Command on page 147 and The <delete> Command on page 148.) The identification number that this command retrieves is a credential GUID; for example, 634EE015-10C2-4ed2-80F5-75CCA9AA5C11. The syntax for this command is as follows.

   <user fqdn="yourdomain\userid">
      <list-credentials />
   </user>

where:
   yourdomain   Indicates the domain name of the user whose credentials are listed.
   userid       Indicates the user name of the user whose credentials are listed.

Provisioning Credentials

Use the console to perform the provisioning tasks specified in your XML file. Password Manager validates the syntax of each command, executes the commands, and adds or modifies the data in the central store.

To process your provisioning template

Caution: Do not close the provisioning process screen until provisioning has fully stopped or fully completed. Closing this screen does not halt the provisioning process. If the screen is closed while the provisioning process is running, there is no way to capture any information or halt the process until it completes.

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and expand User Configurations.
3. Select a user configuration or an application group of a user configuration.
4. In the Common Tasks area, click Run Provisioning. The Provisioning Wizard appears.
5. Click Next.
6. Type the name of your provisioning XML file or click Browse to locate it, then click Next. Password Manager validates the XML file. If no syntax errors are found, a summary of the changes that can be made is shown. You can save the summary. If syntax or other errors are found, an error log appears. You can save the error log, then click Cancel to close the wizard.
7. If no errors were found, click Next to execute the commands in the file.
152 152 Citrix Password Manager Administrator s Guide As the information is changed in the central store, any errors that occur as a result of provisioning appear. To stop provisioning while it is in process, click Abort. When Password Manager reaches the end of the current section of data in process (by default, data is processed in groups of 50 lines of code), provisioning terminates. 8. Click Finish to close the wizard. You can also click Save to file to store the provisioning results. Tuning Credential Provisioning Processing Caution: This information describes manually editing registry settings. Always back up your registry before manually editing it. By default, if you use Password Manager for credential provisioning, your information is processed in batches of 50 commands with a time-out of 100,000 milliseconds. The following registry keys can be edited to change these default values: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Console\Provisioning\BatchSize Type: DWORD Default value if left blank: 50 HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Console\Provisioning\ServiceTimeout Type: DWORD Default value in milliseconds if left blank: The Credential Provisioning SDK Located in the \Support\Provisioning folder on your product CD, the Credential Provisioning Software Development Kit (SDK) provides a description of the APIs made available when you install the Provisioning Module of the Password Manager Service. Use this SDK and included sample code to create your own provisioning client for use with Password Manager.
9 Hot Desktop: A Shared Desktop Environment for Users

Note: Hot Desktop is supported only on Microsoft Windows 2000 Professional, Microsoft Windows XP Embedded, and Microsoft Windows XP Professional, Service Pack 2 32-bit. It is not supported on 64-bit operating systems or any server operating systems.

The Citrix Password Manager Hot Desktop feature allows users to share workstations efficiently and securely. Hot Desktop extends the standard Windows environment by allowing a user to:

- Quickly authenticate to Windows using the standard GINA interactive logon dialog box
- Run SSO-enabled applications in the interactive user shell by using the user's Citrix Password Manager credentials
- Log off from the Hot Desktop workstation so that other users can run applications

Hot Desktop combines the convenience of fast user switching with the security of single sign-on capability through Password Manager.

Hot Desktop functionality is not installed by default; you can select it during the initial agent installation process. You can also upgrade existing agent deployments to use Hot Desktop. Before you can implement Hot Desktop, however, you must configure Hot Desktop according to requirements in your environment and enterprise.

This section describes the following topics:

- Summary of Hot Desktop Tasks on page 154
- Hot Desktop Start Up and Shut Down Process Flow on page 155
- Creating a Hot Desktop Shared Account on page 157
- Requirements for Applications Used with Hot Desktop on page 159
- Controlling How Applications Behave for Hot Desktop Users on page 160
- User Configuration Settings for Hot Desktop on page 167
- Installing Hot Desktop on page 170
- Uninstalling Hot Desktop on page 171
- Interacting with Citrix Presentation Server Clients on page 174
- Viewing Hot Desktop User Profiles on page 174
- Shutting Down a Hot Desktop Workstation on page 175
- Working without AutoAdminLogon Support on page 175
- Changing the Hot Desktop Shared Account Password on page 176
- Hot Desktop Information on the Web on page 176

Summary of Hot Desktop Tasks

Before you can implement Hot Desktop, however, you must:

- Create a Hot Desktop shared account
- Create user configurations with specific Hot Desktop-related settings to control the Hot Desktop user experience
- Define Hot Desktop startup and shutdown behavior, including:
  - Deciding which applications are launched at startup, and which applications use Hot Desktop User or Hot Desktop shared account credentials and permissions
  - Deciding which applications are persistent and run even when users log off (for fast user switching) and which applications terminate when users log off, including your optional cleanup scripts or applications to delete user information from session to session

Perform the following tasks to configure and enable Hot Desktop:

1. Create a Hot Desktop shared account that is available for each workstation or client device running Hot Desktop.
   See this section: Creating a Hot Desktop Shared Account on page 157

2. Decide which of your SSO-enabled applications should run in the Hot Desktop environment.
   See this section: Requirements for Applications Used with Hot Desktop on page 159

3. Decide how applications run in Hot Desktop and configure the Hot Desktop user environment.
   See this section: Controlling How Applications Behave for Hot Desktop Users on page 160; The Session.xml File on page 162; The process.xml File on page 165

4. Create or modify a user configuration to select Hot Desktop options.
   See this section: User Configuration Settings for Hot Desktop on page 167; Configure Agent Interaction on page 91; Advanced Settings on page 92

5. Install the agent software with the Hot Desktop feature selected.
   See this section: Installing Hot Desktop on page 170

6. Uninstall Hot Desktop if necessary.
   See this section: Uninstalling Hot Desktop on page 171

Hot Desktop Start Up and Shut Down Process Flow

This section describes the following topics:

- Hot Desktop Startup and Shutdown Events on page 155
- Troubleshooting Hot Desktop User Startup on page 156

Hot Desktop Startup and Shutdown Events

This process flow describes the events associated with Hot Desktop startup and shutdown. When the workstation or client device starts, it is logged on automatically to the shared account, allowing the device to run in shared desktop mode.

Note: The Hot Desktop shared account remains active at all times. Users do not have the permissions to terminate the shared account.

1. A Hot Desktop user logs on to the workstation and enters a user name and password or uses a strong authenticator such as a smart card.
2. When the user is authenticated, the Hot Desktop session starts.
3. Password Manager launches. The agent synchronizes its data with the central store. This ensures that the user has the most current application definitions, password policies, and other agent-related settings.
4. The session.xml file is read and any applications that you specified to run under the shared account or Hot Desktop User account launch. See The Session.xml File on page 162. These applications can be local applications or remote applications that are published by Presentation Server. The user accesses the applications to perform job-related tasks.
5. The Hot Desktop user logs off.

   Note: When users leave a workstation idle, Hot Desktop initiates a session time-out period. Using the Password Manager Console, you specify how long a workstation can remain inactive. When the interval is exceeded, Hot Desktop locks the workstation. If additional time passes and the user does not return, Hot Desktop terminates the session. See Specifying Hot Desktop Session Time-Out Options on page 168.

6. Hot Desktop leaves applications running or terminates them according to settings in process.xml. See The process.xml File on page 165.
7. Password Manager exits.
8. Any shutdown scripts specified in session.xml run.
9. The Hot Desktop session terminates.

Troubleshooting Hot Desktop User Startup

When a user logs on to a computer running Password Manager Agent configured for Hot Desktop, it is possible that the startup scripts specified in the session.xml file might run before Password Manager Agent has fully launched. During its startup, Hot Desktop waits 30 seconds for the agent software to start before it begins running the startup scripts. After 30 seconds, these startup scripts run, even if Password Manager Agent is not yet fully launched.

This situation is most likely to occur during the user's initial logon (also known as first-time user), where the Password Manager administrator identified a list of applications requiring logon credential registration or required answers for security questions. The sequence in this case is:

1. The user logs on to the computer or client device running the agent software and a prompt appears for the user to register logon credentials for the listed applications or register answers to security questions.
2. While performing these tasks, the 30 seconds pass and Hot Desktop startup scripts run.
   A series of windows might open and close, depending on the applications specified in the session.xml startup scripts.

3. User frustration might result as the computer keeps moving focus to the startup script windows.
When the startup scripts are completed, an error message appears. The error is similar to "One or more errors occurred. Please consult the Event log for more information."

While this behavior might cause user frustration, it does not damage the user's data, work environment, or Password Manager. Citrix recommends that you advise users not to register their logon credentials and security question answers until the error message appears. Users can then close the error message and complete the enrollment and registration process.

Following the error message and registration, if any application specified in session.xml does not open, advise the user to log off and then log back on to the account. This restarts any Hot Desktop startup scripts, which run uninterrupted because registration is complete and no longer delays the process.

For more information about startup and shutdown scripts, see Controlling How Applications Behave for Hot Desktop Users on page 160.

Creating a Hot Desktop Shared Account

You must create a Hot Desktop shared account for the client devices or workstations on which Hot Desktop will run. This shared account can be a domain account or a local account on the device. When you install Hot Desktop on the client device, you provide credentials for the shared account.

When the device or workstation starts, it is logged on automatically to the shared account, allowing it to run in the Hot Desktop shared workstation mode. User sessions run on top of the shared account Windows session (users cannot make changes to the shared account unless you allow them to). Users start a Hot Desktop session by typing their Windows domain credentials. In a Hot Desktop environment, a user's Windows account is referred to as the Hot Desktop User.
Guidelines for the Hot Desktop Shared Account

Follow these guidelines to create a shared account:

- Ensure that the account does not belong to the local or domain Administrators group. The shared account can be a local or domain account. Any privileges available to the shared account are available to the Hot Desktop User only for those applications you specify. That is, you can specify those applications that launch with Hot Desktop shared account credentials and those that launch with the user's Windows domain credentials.
- The Hot Desktop installation process verifies the logon name and domain of the shared account. When you create this account, ensure that you select the Password never expires option. Do not use expired credentials.
- Ensure that the account has limited privileges. Limit permissions to Hot Desktop use only.
- Specify the domain name to which the workstation belongs using the domain's NetBIOS name and not the fully qualified domain name (FQDN). If you are using a local account, specify the host name of the device.
- As a best practice, name the shared account Hot Desktop. This ensures that users see the message "Logoff Hot Desktop" when they log off from a Windows 2000 environment. If you give the shared account a cryptic name, users see the name as they log off and might get confused. If you have more than one group of Hot Desktop Users, you can name each shared account accordingly; for example, Hot Desktop Marketing, Hot Desktop Accounting, and so on.

Organizing Hot Desktop Users

If you plan to deploy Hot Desktop, you might want to set up your user environment first. For example, you might group Hot Desktop users under one or more Active Directory organizational units or groups. Also, you can organize users who are Hot Desktop users and also use their own workstations into multiple groups (and prioritize these groups). This scheme enables you to apply Hot Desktop settings, application definitions, password policies, and other user configuration information to multiple Hot Desktop users in those organizational units.

Restricting User Rights

Because the Hot Desktop device is shared by all Hot Desktop users, it may be necessary to restrict permissions and set them to the minimum required to use their assigned applications. For example, Hot Desktop users should not have the right to shut down the device. Restrict this right to members of the Administrators group.
Hot Desktop, Smart Cards, and Key Recovery

Note: Select the Smart Card Certificate user configuration Data Protection option if users use smart cards in the Hot Desktop environment.
If you deploy Hot Desktop in an environment where users log on with smart cards, do not select Prompt user to enter the previous password as the only key recovery and data protection method for those users. Users in such an environment cannot enter the correct previous password and, consequently, are locked out of the system. To avoid this problem, select the key recovery option for automatic key management or make question-based authentication available as an option.

For more information, see:

- Guidelines for Multiple Primary Authentication and User Credential Protection Choices in the Citrix Password Manager Installation Guide
- Creating User Configurations on page 81
- User Authentication and Identity Verification on page 113
- Managing Question-Based Authentication on page 119

Requirements for Applications Used with Hot Desktop

Applications that you use in a Hot Desktop environment must meet the following requirements:

- Applications that require user credentials must be defined for use with Password Manager in application definitions and user configurations.
- Applications that are launched by the shared account must be able to run in the Windows interactive environment. In this scenario, the applications (and the Hot Desktop users) must have access to the user profiles, network shares, and other resources associated with the shared account.
- Applications must shut down cleanly when sent the request to do so. Hot Desktop terminates applications using procedures similar to a log off from a Windows interactive session. Graceful application termination is particularly important in a Hot Desktop environment because the application might be used many times before the workstation or client device is shut down.
- Any application that must save sensitive data in the user's profile or needs access to the user's profile for settings should run as the Hot Desktop User account.
- Applications that can share community configuration information can run as a shared account. Administrators can use a session shutdown script specified in the session.xml file to ensure that user-specific files are removed at the end of each session. See Controlling How Applications Behave for Hot Desktop Users on page 160.
Important: If you want Password Manager to submit credentials in a Hot Desktop environment for terminal emulators that store information in the HKEY_CURRENT_USER registry hive, you must run these applications as the Hot Desktop User account. Specify terminal emulators to run as the Hot Desktop User account in the ShellExecute section of the process.xml file. To run a terminal emulator at session start up, specify it in the start script section of the session.xml file. Terminal emulators must run as the Hot Desktop User account in the start script. See Controlling How Applications Behave for Hot Desktop Users on page 160.

Controlling How Applications Behave for Hot Desktop Users

Password Manager makes two files available to control the behavior of applications in a Hot Desktop environment: session.xml and process.xml.

This section describes the following topics:

- Before You Begin on page 160
- The Session.xml File on page 162
- Launching Applications Using Session.xml on page 162
- Session.xml Tags on page 162
- Example: Launching Internet Explorer on page 164
- Example: Cleaning Up a Session with a Script on page 164
- The process.xml File on page 165

Note: See also Hot Desktop Start Up and Shut Down Process Flow on page 155.

Before You Begin

Important: You cannot specify that a process runs as the Hot Desktop shared account in the session.xml file and then specify it to run as the Hot Desktop User in the process.xml file. Entries in the session.xml file override any entries you make under the <shellexecute_processes> element in the process.xml file.
- To log on to the PC, workstation, or client device for administrative purposes (for example, to edit the process.xml file), hold down the Shift key during the Windows startup process. For more information about bypassing the Windows autologon process, visit the Microsoft Web site.
- When running Hot Desktop session.xml, password expiration scripts, or any other scripts, executable files, or batch files from within a Hot Desktop User session, the following environment variables are not supported: APPDATA, HOMEDRIVE, HOMEPATH, HOMESHARE, and LOGONSERVER. If any of the unsupported variables are used, the script, application, or executable file might fail to run. To avoid this problem, applications should not access unsupported environment variables while running in a Hot Desktop User session.
- You must instruct users to shut down applications that are specified as persistent processes. For example, if a user launches a persistent process, creates a file, and leaves the file open when exiting the Hot Desktop session, the next user who logs on can see the contents of the file.

  Important: Instruct users to always shut down sensitive applications that are defined as persistent before they end their Hot Desktop sessions.

- When you define an application as persistent in process.xml and specify it in a start script in session.xml, the number of application instances might increase if users do not terminate new application instances during a Hot Desktop session. To prevent this from occurring, limit the number of instances by creating a script or wrapper application that launches the application. You can also modify the application itself to ensure that only one instance is running at any given time.
- Applications launched from a command prompt run as the Hot Desktop shared account even if they are specified as the Hot Desktop User account.
  To launch applications from a command prompt as the Hot Desktop User, you must specify the command prompt in the <shellexecute_processes> section of the process.xml file. Also, if the command prompt is running as the shared account and the file type association (such as *.txt) is defined in the <shellexecute_processes> section of the process.xml file, then when the user runs a file with a .txt extension, the application launches as the Hot Desktop User.
- Persistent applications that use the 8.3 file format must use the 8.3 format in the path of the executable when specified in process.xml.
- While the XML tags and formatting in the process.xml file are case-sensitive, the paths and executable names are not.
- If your users are running SAP Logon for Windows (saplogon.exe), it must run as the Hot Desktop User. In the process.xml file, specify saplogon.exe under the <shellexecute_processes> tag. See <shellexecute_processes> on page 167.

The Session.xml File

Note: A sample session.xml file is located in the \Support folder of the Password Manager CD.

Use the session.xml file to specify the applications that launch when a Hot Desktop session starts (start script) and to remove files or other information left behind by a user session (shutdown script). After you edit this file as needed, put it on a network share or other central location for your Hot Desktop workstations to access. You specify the location of the session.xml file in the user configuration; see User Configuration Settings for Hot Desktop on page 167 and Advanced Settings on page 92.

Launching Applications Using Session.xml

Consider the following:

- The applications you specify in the session.xml file must already be installed on the workstation.
- Because Hot Desktop is part of the Password Manager agent, the agent starts up automatically and does not need to be specified in this file.
- Other applications specified in session.xml can launch under the Hot Desktop shared account shell, which can prompt users for credentials. The agent software then performs according to settings in the user configurations.

Important: Save the session.xml file in UTF-8 format. ANSI encoding is acceptable if all characters are in the 0 to 127 (standard English character set) range. If your session.xml file contains special or foreign characters such as Asian language characters, you must save it in UTF-8 format.

Session.xml Tags

Note that you must include your desired tags within the <session_settings> and </session_settings> tags in the file.
<startup_scripts>

This section of the file is used to specify any applications to launch under the Hot Desktop shared account and the Windows account associated with the Hot Desktop User.

    <startup_scripts>
      <script>
        <account>account</account>
        <working_directory>wd</working_directory>
        <path>path_options</path>
      </script>
    </startup_scripts>

where:

account        Indicates the account under which to run the application. Choices are HDU or the Hot Desktop shared account user name.
wd             Indicates the working directory of the application.
path_options   Indicates the fully qualified folder path to the application executable file or script on the local PC and any options to run with the application. For example: c:\program files\internet Explorer\iexplore.exe

<shutdown_scripts>

Edit the session.xml shutdown applications to remove all unused data from the previous user session. Typically, these applications should remove configuration files that might prevent the next user from working, sensitive files such as logs, and documents stored on the system. These applications should ensure that the Hot Desktop environment is clean for the next user session. This part of the file is especially useful for data security.

Note: If necessary, you can initiate administrator programs or scripts to clean up the user environment at logoff. For example, you can write a Visual Basic script using a third-party application to delete user-specific .ini files.

    <shutdown_scripts>
      <script>
        <account>account</account>
        <working_directory>wd</working_directory>
        <path>path_options</path>
      </script>
    </shutdown_scripts>

where:

account        Indicates the account under which to run the shutdown application. Choices are HDU and the Hot Desktop shared account user name.
wd             Indicates the working directory of the application.
path_options   Indicates the fully qualified folder path to the application executable file or script on the local PC and any options to run with the application. For example: c:\cleanup.vbs

Example: Launching Internet Explorer

Launch Internet Explorer with the URL of your mycompany.com intranet. In this case, Internet Explorer runs as a process associated with the Hot Desktop User. Note that you would enclose your desired tags within the <session_settings> and </session_settings> tags in the file.

    <startup_scripts>
      <script>
        <account>hdu</account>
        <working_directory>c:\program files\Internet Explorer</working_directory>
        <path>c:\program files\Internet Explorer\iexplore.exe</path>
      </script>
    </startup_scripts>

Example: Cleaning Up a Session with a Script

Use a shutdown Visual Basic script to clean up any user data left behind at the end of a session. The session_cleanup.vbs script launches as the shared account (named HDSA) and is located in C:\.

    <shutdown_scripts>
      <script>
        <account>hdsa</account>
        <working_directory>c:\</working_directory>
        <path>c:\session_cleanup.vbs</path>
      </script>
    </shutdown_scripts>
The process.xml File

Note: The process.xml file is created on each workstation or device where Hot Desktop is installed in the C:\Program Files\Citrix\MetaFrame Password Manager\HotDesktop folder. A sample process.xml file is also located in the \Support folder of the Password Manager CD. Therefore, any changes you want to make to this file must be performed on a device-by-device basis. However, refer to the Citrix Support article to learn how to replace each user process.xml file through a Machine Group Policy in Active Directory.

Use the process.xml file to specify which applications continue to run after a Hot Desktop User logs off. These applications are known as persistent applications or persistent processes. You can also use the process.xml file to specify applications that terminate after a Hot Desktop User logs off. These applications are known as transient applications or transient processes.

Important: Save the process.xml file in UTF-8 format. ANSI encoding is acceptable if all characters are in the 0 to 127 (standard English character set) range. If your process.xml file contains special or foreign characters such as Asian language characters, you must save it in UTF-8 format.

process.xml Tags

Note that you must include your desired tags within the <configuration> and </configuration> tags in the file.

<persistent_processes>

This section of the file is used to specify any applications that continue to run after the Hot Desktop User logs off. Specified applications are not terminated on shutdown (logoff) of Hot Desktop sessions, even if they were started during a session. Specify the full path of the persistent process to ensure that only the correct processes remain running after each session.

    <persistent_processes>
      <process>
        <name>path_options</name>
      </process>
    </persistent_processes>

where:

path_options   Indicates the fully qualified folder path to the application executable file or script on the local PC and any options to run with the application. For example: c:\program files\internet Explorer\iexplore.exe

Note: After installation, the agent software automatically creates an entry for a persistent application named activator.exe in the process.xml file. The activator.exe application provides users with their Hot Desktop session indicator. The session indicator is a transparent moveable window users see when they are logged on; it contains information about users and their sessions as defined by the administrator. By default, activator.exe is specified as a persistent process so that it is not restarted when each Hot Desktop User logs on or off.

<transient_processes>

Note: After installation, the agent software automatically specifies a transient application named shellexecute.exe in the process.xml file. By default, it is specified as a transient process so that it is terminated when each Hot Desktop User logs off.

This section of the file is used to specify any applications that will terminate after the Hot Desktop User logs off.

    <transient_processes>
      <process>
        <name>appname</name>
      </process>
    </transient_processes>

where:

appname   Indicates the application name only of the process or application to be terminated. The full path is not required. For example: pnagent.exe.
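The rules in Before You Begin (session.xml entries override <shellexecute_processes>; the APPDATA, HOMEDRIVE, HOMEPATH, HOMESHARE and LOGONSERVER variables are unsupported; a persistent process must be given by full path) and the tag reference for session.xml and process.xml are easy to break when the two files are edited on different machines. The following script is an added example, not Citrix code: it parses a session.xml and process.xml pair and reports each rule that is violated, so the files can be checked before they are placed on the network share or pushed by Group Policy. The sample files embedded in it are constructed for the example; the shared account name HDSA follows the guide's cleanup example, the application paths are placeholders, and the executable-name extraction is a heuristic of this script, not a Hot Desktop behaviour.

```python
# Added example (not Citrix code): audit a Hot Desktop session.xml and
# process.xml pair against the rules stated in this chapter.
import re
import xml.etree.ElementTree as ET

# Environment variables the guide lists as unsupported inside a Hot Desktop User session.
UNSUPPORTED_ENV = {"APPDATA", "HOMEDRIVE", "HOMEPATH", "HOMESHARE", "LOGONSERVER"}
ENV_RE = re.compile(r"%([A-Za-z_]+)%")
# Heuristic (this script's own): first file name with an executable or script
# extension inside a path_options value; file names containing spaces are truncated.
EXE_RE = re.compile(r"([^\\/\s]+?\.(?:exe|vbs|bat|cmd))\b", re.IGNORECASE)


def exe_name(path_options):
    m = EXE_RE.search(path_options)
    return m.group(1).lower() if m else ""


def process_names(root, section):
    """All <name> values under one section of process.xml, stripped."""
    sec = root.find(section)
    if sec is None:
        return []
    return [(p.findtext("name") or "").strip() for p in sec.findall("process")]


def audit(session_xml, process_xml, shared_account):
    """Return a list of findings; an empty list means no rule was broken."""
    findings = []
    session = ET.fromstring(session_xml)
    process = ET.fromstring(process_xml)
    if session.tag != "session_settings":
        findings.append("session.xml: tags must be enclosed in <session_settings>")
    if process.tag != "configuration":
        findings.append("process.xml: tags must be enclosed in <configuration>")
    shellexec = {n.lower() for n in process_names(process, "shellexecute_processes")}

    for section in ("startup_scripts", "shutdown_scripts"):
        sec = session.find(section)
        for script in ([] if sec is None else sec.findall("script")):
            account = (script.findtext("account") or "").strip()
            wd = (script.findtext("working_directory") or "").strip()
            path = (script.findtext("path") or "").strip()
            # <account> must be HDU or the shared account name (case-insensitive).
            if account.upper() not in ("HDU", shared_account.upper()):
                findings.append(f"session.xml {section}: account {account!r} is neither HDU nor the shared account")
            # An unsupported variable makes the script or application fail to run.
            for var in ENV_RE.findall(wd + " " + path):
                if var.upper() in UNSUPPORTED_ENV:
                    findings.append(f"session.xml {section}: %{var}% is not supported in a Hot Desktop User session")
            # session.xml wins over <shellexecute_processes>: a startup script run as the
            # shared account stops that application from running as the Hot Desktop User.
            exe = exe_name(path)
            if section == "startup_scripts" and account.upper() != "HDU" and exe in shellexec:
                findings.append(f"session.xml starts {exe} as {account}, which overrides its <shellexecute_processes> entry")

    # A persistent process needs its full path so only the intended process survives logoff.
    for name in process_names(process, "persistent_processes"):
        if not re.match(r"^[A-Za-z]:\\", name):
            findings.append(f"process.xml persistent_processes: {name!r} should be a full path")
    # Transient and shellexecute entries are application names or wildcards, not paths.
    for section in ("transient_processes", "shellexecute_processes"):
        for name in process_names(process, section):
            if "\\" in name:
                findings.append(f"process.xml {section}: {name!r} should be an application name only")
    return findings


# Constructed sample files for this example. Paths other than those shown in
# the guide (for example the activator.exe location) are placeholders.
SESSION_XML_OK = r"""<session_settings>
  <startup_scripts>
    <script><account>hdu</account><working_directory>c:\program files\Internet Explorer</working_directory>
      <path>c:\program files\Internet Explorer\iexplore.exe http://intranet.mycompany.com</path></script>
  </startup_scripts>
  <shutdown_scripts>
    <script><account>HDSA</account><working_directory>c:\</working_directory>
      <path>c:\session_cleanup.vbs</path></script>
  </shutdown_scripts>
</session_settings>"""
PROCESS_XML_OK = r"""<configuration>
  <persistent_processes>
    <process><name>c:\program files\citrix\metaframe password manager\hotdesktop\activator.exe</name></process>
  </persistent_processes>
  <transient_processes><process><name>shellexecute.exe</name></process></transient_processes>
  <shellexecute_processes>
    <process><name>ssoshell.exe</name></process>
    <process><name>pnagent.exe</name></process>
    <process><name>*.txt</name></process>
  </shellexecute_processes>
</configuration>"""
# Same files with one violation of each rule added.
SESSION_XML_BAD = SESSION_XML_OK.replace("</startup_scripts>", r"""
    <script><account>HDSA</account><working_directory>c:\</working_directory>
      <path>c:\program files\citrix\ica client\pnagent.exe</path></script>
    <script><account>Administrator</account><working_directory>c:\temp</working_directory>
      <path>%APPDATA%\tool.exe</path></script>
  </startup_scripts>""")
PROCESS_XML_BAD = PROCESS_XML_OK.replace(
    "</persistent_processes>", "<process><name>notepad.exe</name></process></persistent_processes>").replace(
    "</shellexecute_processes>", r"<process><name>c:\windows\notepad.exe</name></process></shellexecute_processes>")

if __name__ == "__main__":
    for finding in audit(SESSION_XML_BAD, PROCESS_XML_BAD, "HDSA"):
        print("FINDING:", finding)
```

The override check is the one worth keeping even if the rest is dropped: pnagent.exe listed under <shellexecute_processes> looks like it will run as the Hot Desktop User, but the startup script that launches it as the shared account wins, and the application then runs with the shared account's privileges for every user of that workstation.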
<shellexecute_processes>

Note: After installation, the agent software automatically specifies a shell executable application named ssoshell.exe (the Password Manager Agent) in the process.xml file. By default, it is specified as a process to be run as the Hot Desktop User.

This section of the file is used to specify any applications or file types to be run as the Hot Desktop User. This setting helps ensure the security of those applications to be run using the credentials of the currently logged on users. For example, you could specify the Program Neighborhood Agent; when started, it runs under that user's credentials.

While the start script in the session.xml file specifies the applications that launch when a Hot Desktop session first starts up, <shellexecute_processes> lists those applications that users can launch in the context of their Hot Desktop session.

    <shellexecute_processes>
      <process>
        <name>appname</name>
      </process>
    </shellexecute_processes>

where:

appname   Indicates the application name only of the process or application to be run. The full path is not required. For example: pnagent.exe.

Note: process.xml allows the use of a wildcard (*) in addition to static file names such as Notepad.exe. Wildcards can be used alone or in combination with file names. For example, *.txt, pnagent.exe, and *.doc are all valid appnames.

User Configuration Settings for Hot Desktop

You can further control the Hot Desktop user experience through the following user configuration settings:

Setting                        See this section
Session settings script path   To set the location of the session.xml file on page 168
Lock time-out                  Specifying Hot Desktop Session Time-Out Options on page 168
Session time-out               Specifying Hot Desktop Session Time-Out Options on page 168
Enable session indicator       Enabling the Hot Desktop Session Indicator on page 169
Session indicator graphic      Specifying a Custom Bitmap Graphic as a Session Indicator on page 169

Locating Hot Desktop Settings in a User Configuration

- When you create a new user configuration, these settings are available from the Advanced Settings of the Configure Agent Interaction dialog box.
- When you modify an existing user configuration, these settings are available from the Hot Desktop panel of the Edit User Configuration dialog box.

See also Creating User Configurations on page 81.

To set the location of the session.xml file

1. In the Session settings script path text field, type the location of the session.xml file. The location can be a network shared folder. For example, if you place your session.xml file on a network share such as \\Citrix\MPM\Share\, type that path here.
2. Restart the Hot Desktop workstation after you save the user configuration and install the session.xml file.

Specifying Hot Desktop Session Time-Out Options

Time-out options allow you to define how long Hot Desktop sessions can remain inactive before the workstation is locked or the session is terminated.

Session time-out   Specifies how long in minutes a Hot Desktop session can run while the workstation is locked. If this time is exceeded, the session is terminated and a new session is started when the desktop is unlocked. The default is five minutes.
Lock time-out    Specifies the length of time in minutes that a Hot Desktop session will remain active when the workstation is idle. If this time is exceeded, the desktop is locked. The default is 10 minutes.

Note: If your Password Manager environment combines the automatic key recovery feature with Hot Desktop, password changes performed by the administrator are not communicated to the agent software of affected users with active Hot Desktop sessions. If those users lock and then attempt to unlock their active sessions, they might be prompted unexpectedly to provide their previous passwords. Users should close the previous password dialog box, then terminate and restart the Hot Desktop session by logging off to continue using the agent software. See also Hot Desktop, Smart Cards, and Key Recovery on page 158.

Enabling the Hot Desktop Session Indicator

To help users quickly identify a workstation that is running Hot Desktop, select the Enable session indicator option. (It is selected by default.) The session indicator is a transparent moveable window users see when they are logged on. The session indicator displays the Hot Desktop user name, domain name, user description, and time the user logged on. An optional bitmap that contains company branding can also be displayed.

Specifying a Custom Bitmap Graphic as a Session Indicator

If you plan to use a custom bitmap as a session indicator, you can copy the bitmap to each Hot Desktop workstation and use the appropriate local graphic path or place it on a network share accessible to all Hot Desktop workstations and use a UNC path. A default bitmap named Citrix.bmp is available from the %ProgramFiles%\Citrix\MetaFrame Password Manager\Hot Desktop folder on each Hot Desktop workstation.
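Returning to the <shellexecute_processes> section of process.xml described earlier in this chapter, the following added example (written for this guide's readers, not code from Citrix's product) shows how a reviewer can check which executables such a list would cause to run under the logged-on user's credentials, wildcards included. The sample process.xml, its root element name, and the case-insensitive file-mask style matching are assumptions of this example, not details given by the guide.

```python
import fnmatch
import ntpath
import xml.etree.ElementTree as ET

# Constructed sample process.xml (not a file shipped with the product). The
# root element name is a placeholder; only <shellexecute_processes> matters.
SAMPLE_PROCESS_XML = """<?xml version="1.0" encoding="utf-8"?>
<process_settings>
  <shellexecute_processes>
    <process><name>ssoshell.exe</name></process>
    <process><name>pnagent.exe</name></process>
    <process><name>*.txt</name></process>
  </shellexecute_processes>
</process_settings>
"""


def load_shellexecute_names(xml_text):
    """Return the appname entries listed under <shellexecute_processes>."""
    root = ET.fromstring(xml_text)
    names = []
    for section in root.iter("shellexecute_processes"):
        for proc in section.findall("process"):
            name_el = proc.find("name")
            if name_el is not None and name_el.text and name_el.text.strip():
                names.append(name_el.text.strip())
    return names


def matching_entry(target, names):
    """Return the entry that makes `target` run as the Hot Desktop User, or
    None if no entry applies.

    Entries are names only (the guide says the full path is not required),
    so only the last path component of `target` is compared. Windows file
    names are case-insensitive, and a '*' entry is matched like a Windows
    file mask (assumption: fnmatch semantics are close enough here).
    """
    base = ntpath.basename(target).lower()
    for pattern in names:
        if fnmatch.fnmatchcase(base, pattern.lower()):
            return pattern
    return None


def wildcard_entries(names):
    """Entries that contain '*'. Each one lets a whole class of files run
    under the logged-on user's credentials rather than one named program,
    so a reviewer should confirm every one of them is intended."""
    return [n for n in names if "*" in n]


if __name__ == "__main__":
    entries = load_shellexecute_names(SAMPLE_PROCESS_XML)
    for candidate in (r"C:\Program Files\Citrix\ICA Client\PNAgent.exe",
                      r"\\fileserver\docs\Notes.TXT", "notepad.exe"):
        print(candidate, "->", matching_entry(candidate, entries))
    print("wildcard entries to review:", wildcard_entries(entries))
```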
Using the Hot Desktop Screen Saver

To make it easier for users to identify which workstations are running Hot Desktop, a custom screen saver is included in a Hot Desktop installation. The screen saver does not launch until the workstation is idle for 10 minutes.
Note: A locked session is considered active. The screen saver does not launch until 10 minutes of idle time passes and after all users are logged off from the workstation.

Installing Hot Desktop

Caution: Any software packages that modify the GINA chain, such as software that supports authentication devices, must be installed before Hot Desktop. For more information, see Preserving the GINA Chain When Installing the Agent in the Citrix Password Manager Installation Guide.

Hot Desktop is an optional feature of the agent software installation. See Installing and Configuring the Password Manager Agent in the Citrix Password Manager Installation Guide. This section describes the following topics:

- To install Hot Desktop, new agent installation on page 171
- To install Hot Desktop, existing agent installation on page 171
- Disabling Terminal Services for a Hot Desktop Administrative or Silent Install on page 170

Note: Hot Desktop is supported only on Microsoft Windows 2000 Professional, Microsoft Windows XP Embedded, and Microsoft Windows XP Professional, Service Pack 2 32-bit. It is not supported on 64-bit operating systems or any server operating systems.

Disabling Terminal Services for a Hot Desktop Administrative or Silent Install

Terminal Services must be disabled for Hot Desktop to be installed correctly. If you are creating a Microsoft Windows Installer package (.msi) for a Hot Desktop administrative or silent install, you must set the DISABLE_TERMINAL_SERVICE property to 1 before installing Hot Desktop on your workstations. See Installing and Configuring the Password Manager Agent in the Citrix Password Manager Installation Guide. You can also create a transform that sets the property value for packages that are deployed automatically through the Active Directory Group Policy.
To install Hot Desktop, new agent installation

See Installing and Configuring the Password Manager Agent in the Citrix Password Manager Installation Guide.

To install Hot Desktop, existing agent installation

1. Log on to the workstation as a local administrator.
2. From the Control Panel, select Add or Remove Programs.
3. Select Citrix Password Manager Agent and click Change.
4. Select Modify and click Next.
5. Select Hot Desktop and click Next.
6. Click Yes to the confirmation message to disable Terminal Services and Remote Desktop.
7. Specify the location of the central store and click Next.
8. Specify the service server address and click Next.
9. Type the user credentials for the Hot Desktop shared account and click Next. Specify the domain name to which the workstation belongs using the domain's NetBIOS name, not the fully qualified domain name (FQDN).
10. Click Install. You can click Back if you decide to change any settings or selections.
11. Insert the product CD in the CD-ROM drive so that the install process can find the agent setup.msi file.
12. Click Finish to complete the installation.
13. Click Yes to restart the client device.

Uninstalling Hot Desktop

If you need to remove the Hot Desktop feature from a workstation, perform the procedures described in To uninstall Hot Desktop on page 172. You might also need to perform these procedures after uninstalling the Hot Desktop feature:

- Restoring Terminal Services after Uninstalling Hot Desktop on page 173
- Enabling Multiple Sessions after Uninstalling Hot Desktop on page 173
Caution: This procedure requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Always back up a copy of your system registry before continuing.

To uninstall Hot Desktop

1. To log on to the shared workstation or client device to perform administrator tasks, hold down the Shift key during the Windows startup process. This prevents the Hot Desktop shared account from logging on and starting the Hot Desktop environment. For more information about bypassing the Windows autologon process, visit the Microsoft Web site. Log on as the administrator.
2. Open the Control Panel and select Add or Remove Programs.
3. Select Citrix Password Manager Agent.
4. Click Change to remove the Hot Desktop feature only.
5. On the Application Maintenance page, select Modify.
6. On the Feature Selection page, select Hot Desktop and make the feature unavailable.
7. Follow the prompts to select your central store type and to confirm the agent software changes.
8. Restart the workstation. Hot Desktop is not removed completely until the workstation is restarted.

Important: When uninstalling software that may have disrupted the GINA chain, it is important to uninstall the software in the reverse order in which it was installed on the client device. Failure to uninstall in the reverse order in which GINA-altering software was installed can leave the computer in an invalid state. Do not edit the registry. For more information see Preserving the GINA Chain When Installing the Agent in Citrix Password Manager Installation Guide.
Restoring Terminal Services after Uninstalling Hot Desktop

Caution: This procedure requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Always back up a copy of your system registry before continuing.

The Hot Desktop installation process disables Terminal Services. Perform the following to enable Terminal Services.

To enable terminal services after you uninstall Hot Desktop

1. Log on to the workstation as an administrator.
2. Click Start > Run and type regedit.
3. Change the value of the registry key to 1 as follows:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
    TSEnabled=dword:00000001

Enabling Multiple Sessions after Uninstalling Hot Desktop

Caution: This procedure requires you to edit the registry. Using Registry Editor incorrectly can cause serious problems that might require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Always back up a copy of your system registry before continuing.

During a Hot Desktop installation, the installer resets this registry key value to zero. Perform the following procedure to enable multiple sessions.

To enable multiple sessions

1. Log on to the workstation as an administrator.
2. Click Start > Run and type regedit.
3. Change the value of the registry key to 1 as follows:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    AllowMultipleSessions=dword:00000001
Interacting with Citrix Presentation Server Clients

Password Manager supports the use of Citrix Presentation Server Client packages with Hot Desktop. This section describes general guidelines to consider if you plan to use Hot Desktop with Presentation Server Clients such as the Program Neighborhood Agent and Web Interface:

- Edit the process.xml file to ensure the Presentation Server Clients are transient processes (in case the client is set to be launched by the Windows startup program, and is running after the first Hot Desktop session starts).
- If you are using the Security Service Provider Interface, you must run the client as the Hot Desktop User. You may also run the client as the Hot Desktop User if you are concerned about security; the ICA files are stored in the profile.
- Edit the <shellexecute_processes> section of the process.xml file to ensure clients run as the Hot Desktop User when launched from the Windows shell.
- Edit the session.xml file to specify a start script or executable to launch the client when the first Hot Desktop session starts.

Program Neighborhood Agent

You can configure Program Neighborhood Agent to use the Security Service Provider Interface. Security Service Provider Interface allows the Program Neighborhood Agent to authenticate to the computer running Presentation Server using the Hot Desktop User credentials. You must ensure that Presentation Server trusts the Windows security authority used to authenticate the Hot Desktop User. For more information about configuring the Security Service Provider Interface for the Program Neighborhood Agent, see the Citrix Presentation Server Administrator's Guide.

Citrix Web Interface

The Hot Desktop agent can submit credentials through the Web Interface Client to a Presentation Server. For more information about configuring the Web Interface, see the Web Interface Administrator's Guide.
Viewing Hot Desktop User Profiles

In a Hot Desktop environment, the shell (explorer.exe) runs as the Hot Desktop shared account. Consequently, the shell does not have the access rights to navigate to the Hot Desktop User profile folder.
To view Hot Desktop profiles

1. In the process.xml file, under the <shellexecute_processes> section, include Internet Explorer (iexplore.exe) so that it runs as the Hot Desktop User.
2. Log on as the Hot Desktop User and launch Internet Explorer.
3. To view the profiles, in the address bar, type the full path to the Hot Desktop User profile directory. For example: C:\Documents and Settings\All Users\Application Data\Citrix\MetaFrame Password Manager

Shutting Down a Hot Desktop Workstation

Because only administrators are allowed to shut down Hot Desktop workstations, the Shut Down option is not available from the Start menu of a Hot Desktop workstation. To shut down a Hot Desktop workstation for administrative use, press CTRL+ALT+DEL. When the Windows Security dialog box appears, click Shut Down.

Working without AutoAdminLogon Support

Some third-party authenticators might not work if the AutoAdminLogon feature is enabled. Some third-party applications disable or remove the AutoAdminLogon value during installation. If this is the case, you must perform the following steps to disable Hot Desktop AutoAdminLogon:

1. Restart the shared workstation or client device, while holding down the Shift key during the Windows start process. This prevents the Hot Desktop shared account from logging on and starting the Hot Desktop environment. For more information about bypassing the Windows autologon process, visit the Microsoft Web site.
2. Log on as an administrator.
3. Edit the registry and set the following values under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\HotDesktop

    Value Name        Type      Value
    AutoAdminLogon    REG_SZ    0 to disable
4. After the value is set, restart the workstation and log on manually using the shared account. The Hot Desktop logon page appears, allowing users to use the third-party authenticator.

Changing the Hot Desktop Shared Account Password

It might become necessary to change the Hot Desktop shared account password. You first entered the account credentials during the agent installation. To change the password, perform the following procedure.

To change the Hot Desktop shared account password

1. Log on to a workstation where Hot Desktop is installed.

Important: Do not use an administrator account or the Hot Desktop shared account credentials for Step 1.

2. Press the Ctrl+Alt+Delete key combination to display the Windows Security dialog.
3. Click Change Password.
4. Type or select the following:
   - Hot Desktop shared account user name
   - Domain name or local computer name
   - Old password
   - New password
5. Click OK.
6. Click Shutdown, then Restart in the Windows Security dialog to restart the PC.

Hot Desktop Information on the Web

For more information about Hot Desktop, see the following Citrix Knowledge Center articles:

- Hot Desktop FAQ
- Hot Desktop Shared Account Update Tool
Replacing Users' Process.xml File in Hot Desktop Through a Machine Group Policy
10 Operations

Use this chapter as a reference if you are having problems with your installation of Password Manager or need additional information about specific features. For best results, refer to the other sections of this guide for procedures for configuring Password Manager. This chapter contains information about the following topics:

- Logging Password Manager Events on page 179
- Password Manager Agent Does not Submit Credentials on page 182
- Supporting Terminal Emulators on page 184
- Mfrmlist.ini File on page 181
- Password Manager Agent Does not Start on page 185
- Signing, Unsigning, Resigning, and Verifying Data on page 187
- Enabling and Disabling the Data Integrity Service on Password Manager Agent Software on page 192
- Removing Deleted Objects from Your Central Store on page 192
- Moving Data to a Different Central Store on page 192
- Backing Up Important Files on page 195
- Backing Up Password Manager Service Files on page 195

Logging Password Manager Events

The Password Manager Agent can log agent or user-generated events in the host computer's Windows event application log. Events are classified as information, warnings, or errors.
The event log captures and verifies security-related events that you may need to track for regulatory compliance, such as for the Federal Information Processing Standard (FIPS) or for the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Password Manager's event log capabilities also help increase your IT security.

If you are using Password Manager in a Presentation Server environment, the event log identifies both user and session information. All logon attempt failures are captured.

Standard logging is disabled by default but you can enable the event log on the console after you create your user configuration. Hot Desktop event logging is always on.

Password Manager logs events for features such as:

- Hot Desktop (enabled by default)
- Smart cards
- Licensing
- Password Manager Service

The following table contains some of the standard events that Password Manager logs:

Standard Event Types

Logon attempt failure (agent authentication): Logged during unsuccessful user authentication to Password Manager Agent. Failure to open the credential store.
Logon attempt success (agent authentication): Logged during successful user authentication and success opening the central store.
Logon attempt (submitting credentials): Logged during attempts to submit credentials to an external application.
Operations with credentials: Logged during operations involving passwords, such as change, reveal, and identity verification.
Synchronization failures (communication): Logged during failure to synchronize with the central store due to communication issues.
Synchronization failures (permissions): Logged during failure to synchronize with the central store due to incorrect user credentials.
Smart card DataProtect encrypt/decrypt failure: Logged during general failure associated with encrypting or decrypting smart card data.
Smart card DataProtect encrypt/decrypt failure (missing card): Logged when smart card is not available.
Agent start up and shut down: Logged when smart card is not available.
Missing or corrupted .dll files: Logged when a .dll cannot be loaded correctly.

The following table contains some of the Hot Desktop events that Password Manager logs.

Hot Desktop Event Types

Hot Desktop session logon failure: Logged only when there is a fatal error at session start up.
Hot Desktop session logon success: Logged when Hot Desktop starts a session due to successful user authentication.
Hot Desktop session logoff failure: Logged only when there is a fatal error during session termination.
Hot Desktop logoff success: Logged when a session terminates successfully due to user input or session time-out.

Enabling event logging

To enable event logging, follow these instructions:

1. In the console, find your user configuration and select Edit user configuration.
2. In the properties of the user configuration, select Client-Side Interaction.
3. Click Log Citrix Password Manager events using Windows event logging.

Mfrmlist.ini File

The Mfrmlist.ini file contains a list of the terminal emulators and locations to the HLLAPI dll that Password Manager Agent software monitors. The file is located at: %ProgramFiles%\Citrix\MetaFrame Password Manager\Helper\MFEmu
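The event tables above give a security team something to alert on; the following added example (not Citrix code) runs simple triage logic over a constructed set of records that use those event type names. The record layout (time, type, user, session), the thresholds, and the sample users are assumptions, since the guide gives neither event IDs nor message formats.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Event type names taken from the tables above.
AGENT_LOGON_FAILURE = "Logon attempt failure (agent authentication)"
SYNC_PERMISSION_FAILURE = "Synchronization failures (permissions)"

# Constructed sample records (not real log output). Each one is a simplified
# view of a logged event: when it happened, its type, and the user and
# session the event identifies in a Presentation Server environment.
SAMPLE_EVENTS = [
    {"time": "2008-03-01 08:00:05", "type": AGENT_LOGON_FAILURE, "user": "CORP\\jsmith", "session": "3"},
    {"time": "2008-03-01 08:01:10", "type": AGENT_LOGON_FAILURE, "user": "CORP\\jsmith", "session": "3"},
    {"time": "2008-03-01 08:03:40", "type": AGENT_LOGON_FAILURE, "user": "CORP\\jsmith", "session": "3"},
    {"time": "2008-03-01 08:04:02", "type": "Logon attempt success (agent authentication)", "user": "CORP\\jsmith", "session": "3"},
    {"time": "2008-03-01 08:10:00", "type": AGENT_LOGON_FAILURE, "user": "CORP\\bjones", "session": "5"},
    {"time": "2008-03-01 08:10:30", "type": SYNC_PERMISSION_FAILURE, "user": "CORP\\bjones", "session": "5"},
    {"time": "2008-03-01 09:30:00", "type": AGENT_LOGON_FAILURE, "user": "CORP\\bjones", "session": "7"},
    {"time": "2008-03-01 09:31:00", "type": "Hot Desktop session logon success", "user": "CORP\\bjones", "session": "7"},
]


def _when(record):
    return datetime.strptime(record["time"], "%Y-%m-%d %H:%M:%S")


def repeated_agent_logon_failures(events, threshold=3, window=timedelta(minutes=10)):
    """Users with at least `threshold` agent-authentication failures inside
    any sliding `window`, mapped to the highest count seen in one window.
    A burst like this is the pattern worth a look; one failure at 08:10 and
    another at 09:30 is not."""
    per_user = defaultdict(list)
    for rec in events:
        if rec["type"] == AGENT_LOGON_FAILURE:
            per_user[rec["user"]].append(_when(rec))
    hits = {}
    for user, times in per_user.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[user] = best
    return hits


def sync_permission_failures(events):
    """Users whose synchronization with the central store failed because of
    incorrect credentials. The guide logs these separately from
    communication failures, so they can be reviewed on their own."""
    return sorted({rec["user"] for rec in events if rec["type"] == SYNC_PERMISSION_FAILURE})


def triage(events, threshold=3, window=timedelta(minutes=10)):
    """Review lines combining both checks, one per finding."""
    minutes = int(window.total_seconds() // 60)
    lines = []
    for user, count in sorted(repeated_agent_logon_failures(events, threshold, window).items()):
        lines.append(f"{user}: {count} agent logon failures within {minutes} minutes")
    for user in sync_permission_failures(events):
        lines.append(f"{user}: central store synchronization rejected the user's credentials")
    return lines


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```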
Password Manager Agent Does not Submit Credentials

Occasionally the Password Manager Agent does not submit a user's credentials to a configured application. This problem is typically caused by an error in the application definition. This section contains troubleshooting tips for resolving application detection issues.

Do the following initial activities to determine the cause of the submission failure:

- Check all settings for potential conflicts
- Verify that Password Manager Agent is configured to detect applications
- Compare Password Manager Agent and Password Manager Console definitions

Note: Password Manager contains a wide variety of settings available to you as you build application definitions, password policies, user configurations, and identification verification methods. It is possible to create contradictory settings where, among other things, credentials are not submitted to an application. See Password Manager Settings List on page 199 for specific settings.

If the Password Manager Agent still fails to submit the user's credentials, try the following troubleshooting techniques for Web-based and terminal emulator-based applications.

Web-Based Applications

Create Web application definitions using the Application Definition Wizard and Form Definition Wizard. The Form Definition wizard ensures that Password Manager configures a Web page using the exact URL (redirected, case-sensitive, and so on); it also prevents the occurrence of typographical errors.

To verify that StrictURL is used correctly

The StrictURL setting is found in a Web application's form edit page within the console.

1. In the console, select the application you want to view.
2. From the Action menu, click Edit application definition.
3. Click Application Forms, select an application form and then click Edit.
4. Click Form Identity. From here, you can enable Strict URL matching as well as URL case-sensitivity.
Make sure that pages use HTML-compliant field types

Web application definitions require HTML-compliant field types. Undefined and user-defined field types are not detected.

Terminal Emulator-Based Applications

Create terminal emulator-based application definitions using the Application Definition Wizard and Form Definition Wizard. When adding the application definition to a user configuration, be sure to enable support for terminal emulators.

Verify that the emulator is configured in the Mfrmlist.ini file

The Ssomho.exe process that controls Password Manager Agent's interaction with terminal emulators recognizes only emulators defined in the Mfrmlist.ini file. If the HLLAPI-compliant emulator is not defined in this file, the Ssomho.exe process does not attempt to communicate with the emulator.

Verify that an HLLAPI session short name is specified

The Ssomho.exe process uses the session short name to communicate with the HLLAPI dll. Without a session short name, Ssomho.exe loads, but cannot monitor the screen activity. Configure the session short name on the emulator on your client device. For more information about configuring HLLAPI-supported emulators, see Configuring HLLAPI Support for Tested Emulators on page 184.

Verify that the Ssomho.exe process is running

Follow these instructions to make sure Ssomho.exe is running:

A. On the computer running Password Manager Agent, open Task Manager and select the Processes tab.
B. Click the Image Name heading to sort the processes by image name.
C. Verify that Ssomho.exe is listed.

If the Ssomho.exe process is not listed, the process could be failing to locate any HLLAPI dlls, or it could be terminating prematurely because of third-party HLLAPI-related issues.

Note: Even if the Ssomho.exe process is listed, it may not be communicating with the HLLAPI dll successfully. Verify the session short name is correct before pursuing further troubleshooting alternatives.

Test each emulator individually
If you installed multiple supported emulators on the same system, Ssomho.exe attempts to communicate with all of them. Occasionally, one of the HLLAPI dll implementations may cause Ssomho.exe to be unstable. Test each host emulator individually by removing the other host emulators or by commenting out and resequencing the entries in the Mfrmlist.ini file. This step works well to verify that the ssomho process is not inadvertently connecting to an emulator other than the one you are attempting to troubleshoot.

Supporting Terminal Emulators

This section describes how to configure Password Manager and its components for use with terminal emulators. Password Manager supports HLLAPI-compliant terminal emulators. To enable HLLAPI support for any terminal emulator in Password Manager, you must enable support for terminal emulators in the console.

When host/mainframe emulator support is enabled, SSOShell starts the Ssomho.exe process. This process first reads the Mfrmlist.ini file located at %Program Files%\Citrix\MetaFrame Password Manager\Helper\MFEmu, then looks for all configured emulators and attempts to load the HLLAPI-compliant .dll assigned in the file. The Mfrmlist.ini file can be extended to accommodate additional HLLAPI-compliant emulators.

The Ssomho.exe process looks in the HKEY_LOCAL_MACHINE\SOFTWARE registry hive for the location of the HLLAPI-compliant .dll unless otherwise specified in the Mfrmlist.ini file. Some emulators place the location in the HKEY_CURRENT_USER hive. For those emulators, manually specify the location of the DLL file using the explicit path setting in the mfrmlist.ini file.
Configuring HLLAPI Support for Tested Emulators

Configuring Password Manager to work with the tested emulator programs is a multistep process that requires installing the emulator software, creating an emulator session to be used with Password Manager, and configuring Password Manager with a host application definition that uses text matching so it can recognize a particular emulator session.

To configure emulator support

1. Install the emulator software and restart the computer.
2. Start the emulator software and create a new session, defining the display and the connection.
3. Set the session short name.
4. Enable HLLAPI API support.

Note: A separate host application definition is required for each unique session that will be used with Password Manager. The agent software detects sessions by matching text on the host application screen with text in a specified row and column provided in the application definition. Password Manager Agent submits the credentials based on row and column information provided in the application definition. Therefore, each unique session requires its own host application definition.

5. Save and close your session.
6. Exit the emulator.
7. Create an application definition for the host application.
8. Open the console and verify that host and mainframe support is enabled in the appropriate user configurations.
9. Run the emulator and open the session.
10. Start or refresh Password Manager Agent. The agent software recognizes the connection screen and displays a form for credentials to be entered and saved.

Password Manager Agent Does not Start

The Password Manager Agent software should be the last GINA-altering software installed on your non-Windows Vista client devices. If the Password Manager Agent is installed but does not start as expected, one possible cause is a broken GINA chain, caused when software installed or upgraded after the Password Manager Agent alters the Windows GINA chain. Software packages that support smart card authentication, Novell clients, Symantec, and Presentation Server are all known to alter the Windows GINA chain.
Software Upgrades and the GINA Chain

If Password Manager is already installed and you plan to install or upgrade software that alters the Windows GINA chain, Citrix recommends that you first uninstall the Password Manager Agent. When the Password Manager Agent is uninstalled, install the new software (or upgrade), then reinstall the Password Manager Agent. This ensures that the correct .dll file is installed and registered for use with Password Manager.

Recommended Reinstallation Steps

1. Uninstall any third-party software that alters the GINA chain.
2. Uninstall the agent software.
3. Install the third-party software.
4. Install the agent software.

If you recently upgraded or installed third-party software and you suspect that it may have altered the Windows GINA chain, check the Windows registry entry and the client device to verify the presence and the location of the GINA chain .dll files appropriate to your installation. If the files are not located on the computer, uninstall and reinstall the Password Manager Agent.

Important: When uninstalling software that may have disrupted the GINA chain, it is important to uninstall the software in the reverse order in which it was installed on the client device. Failure to uninstall in the reverse order in which GINA-altering software was installed can leave the computer in an invalid state. Do not edit the registry.

Creating a New Signing Certificate

The Password Manager Service generates event log alerts just prior to and upon signing certificate expiration. Create a new certificate to stop event log alerts. Use CtxCreateSigningCert.exe to create a new certificate. Use the Data Signing Tool, CtxSignData.exe, to sign the data (using keys supplied by the new certificate) in your central store. See Signing, Unsigning, Resigning, and Verifying Data on page 187.
You do not need to create a new signing certificate after you first configure the Password Manager Service unless one of the following statements is true:

- Your signing certificate is about to expire or has expired
- You believe your signing certificate is compromised
To create a new certificate, you must run CtxCreateSigningCert.exe, available from the %ProgramFiles%\Citrix\MetaFrame Password Manager\Service folder. At a command prompt of the computer running the Password Manager Service, type CtxCreateSigningCert.exe. Enter the public key file name, the private key file name, and the time, in months, before the signing certificate expires. The new certificate is created.

CtxCreateSigningCert Usage:

    CtxCreateSigningCert <name_of_public_cert> <name_of_private_cert> <expiration_period_in_months>

Where:

    <name_of_public_cert> = File name to use for the public certificate
    <name_of_private_cert> = File name to use for the private certificate
    <expiration_period_in_months> = Number of months before the certificate expires

Example:

    ctxcreatesigningcert C:\PublicKeyCert.cert C:\PrivateKeyCert.cert 12

Signing, Unsigning, Resigning, and Verifying Data

The Data Signing Tool, CtxSignData.exe, allows you to sign, resign, unsign, and verify data in your central store. It is a command-line driven tool available from the product CD under \Service. CtxSignData.exe is also installed on the server hosting the service at %ProgramFiles%\Citrix\MetaFrame PasswordManager\Service\SigningTool\CtxSignData.exe.

Note: The Data Signing Tool is installed with the Data Integrity Module of Password Manager Service. This module can be installed at a later time if it was not part of the initial Password Manager installation.

The following parameters are used with CtxSignData.exe:

- Signing Data (-s) on page 188
- Resigning Data (-r) on page 189
- Unsigning Data (-u) on page 190
- Verifying Data (-v) on page 191
To start the Data Signing Tool

At a command prompt of the computer running Password Manager Service, type CtxSignData.exe and use the appropriate command line parameter (-s, -r, -u, -v).

Signing Data (-s)

Use the sign command-line parameter to enable data integrity in an environment with existing unsigned data.

Note: If you have a Password Manager environment that is running without data integrity implemented and you later decide to use data integrity, you must use the Data Signing Tool to sign data in the existing central store.

You must supply the signing certificate file name, the Password Manager Service Uniform Resource Identifier (URI), the location of the central store, and central store type (NTFS network share, Active Directory, or Novell shared folder). All data is read and signed using the new signing certificate.

The syntax for the CtxSignData command with the -s parameter is:

    CtxSignData [-s service_path certificate_file centralstore_location NTFS|NNFS|AD]

where:

-s                       Signs data files in the central store
service_path             Indicates the Password Manager Service path in URI format
certificate_file         Indicates the filename of the certificate to use for signing or resigning data
centralstore_location    Indicates the Universal Naming Convention (UNC) path to the location of the file share or Domain Name System (DNS) of the Active Directory domain controller
NTFS|NNFS|AD             Central store network directory service type, where NTFS = Microsoft NTFS file share, NNFS = Novell file share, AD = Microsoft Active Directory

The following are examples of the CtxSignData command with the -s parameter:

    ctxsigndata -s mpmserver.mycompany.com/mpmservice "C:\priv12mos.cert" \\MPMCentralServer\citrixsync$ NTFS
    ctxsigndata -s mpmserver.mycompany.com/mpmservice "C:\priv12mos.cert" \\NVLServer1\SYS\citrixsync NNFS
ctxsigndata -s mpmserver.mycompany.com/mpmservice "C:\priv12mos.cert" DC1.mycompany.com AD

Resigning Data (-r)

Use the resign command-line parameter when the existing signing certificate is nearing expiration, has expired, or is compromised. You must supply the new signing certificate file name, the Password Manager Service URI, the location of the central store, and the central store type (NTFS network share, Active Directory, or Novell shared folder). All data is read and verified and then signed using the new certificate. No setting changes are necessary in the console or agent because they already have data integrity enabled.

To resign corrupt data

1. Open the Password Manager Console and locate the user configuration that is affected.
2. Open the user configuration to verify that the data can be read from the central store.
3. Close the user configuration to save new, corruption-free data in the central store.
4. Use the signing tool (ctxsigndata) to resign the data in the central store.

Note: If the corruption appears to be caused by a security breach, Citrix recommends performing the procedure described above for all user configurations before resigning the data, to avoid inadvertently signing unsecured data.

The syntax for the CtxSignData command with the -r parameter is:

CtxSignData [-r service_path certificate_file centralstore_location NTFS | NNFS | AD]

where:
-r = Resigns data files in the central store (includes -v)
service_path = Indicates the Password Manager Service path in URI format
certificate_file = Indicates the filename of the certificate to use for signing or resigning data
centralstore_location = Indicates the Universal Naming Convention (UNC) path to the location of the file share or the Domain Name System (DNS) name of the Active Directory domain controller
NTFS | NNFS | AD = Central store network directory service type, where
    NTFS = Microsoft NTFS file share
    NNFS = Novell file share
    AD = Microsoft Active Directory

The following are examples of the CtxSignData command with the -r parameter:

ctxsigndata -r mpmserver.mycompany.com/mpmservice "C:\priv12mos.cert" \\MPMCentralServer\citrixsync$ NTFS
ctxsigndata -r mpmserver.mycompany.com/mpmservice "C:\priv12mos.cert" \\NVLServer1\SYS\citrixsync NNFS
ctxsigndata -r mpmserver.mycompany.com/mpmservice "C:\priv3mos.cert" DC1.mycompany.com AD

Unsigning Data (-u)

Use the unsign command-line parameter when you disable data integrity. You must supply the signing certificate file name, the Password Manager Service URI, the location of the central store, and the central store type (NTFS network share, Active Directory, or Novell shared folder). All data is read without verification and the signatures are removed.

The syntax for the CtxSignData command with the -u parameter is:

CtxSignData [-u centralstore_location NTFS | NNFS | AD]

where:
-u = Unsigns all the data files in the central store
centralstore_location = Indicates the Universal Naming Convention (UNC) path to the location of the file share or the Domain Name System (DNS) name of the Active Directory domain controller
NTFS | NNFS | AD = Central store network directory service type, where
    NTFS = Microsoft NTFS file share
    NNFS = Novell file share
    AD = Microsoft Active Directory

The following are examples of the CtxSignData command with the -u parameter:

ctxsigndata -u \\MPMCentralServer\citrixsync$ NTFS
ctxsigndata -u \\NVLServer1\SYS\citrixsync NNFS
ctxsigndata -u DC1.mycompany.com AD
Verifying Data (-v)

Use the verify command-line parameter to check that all data in the central store is signed and verified. You must supply the signing certificate file name, the Password Manager Service URI, the location of the central store, and the central store type (NTFS network share, Active Directory, or Novell shared folder). All data is read with verification and signed.

The syntax for the CtxSignData command with the -v parameter is:

CtxSignData [-v service_path centralstore_location NTFS | NNFS | AD]

Where:
-v = Verifies signatures on the data files in the central store
service_path = Indicates the Password Manager Service path in URI format
centralstore_location = Indicates the Universal Naming Convention (UNC) path to the location of the file share or the Domain Name System (DNS) name of the Active Directory domain controller
NTFS | NNFS | AD = Central store network directory service type, where
    NTFS = Microsoft NTFS file share
    NNFS = Novell file share
    AD = Microsoft Active Directory

The following are examples of the CtxSignData command with the -v parameter:

ctxsigndata -v mpmserver.mycompany.com/mpmservice \\MPMCentralServer\citrixsync$ NTFS
ctxsigndata -v mpmserver.mycompany.com/mpmservice \\NVLServer1\SYS\citrixsync NNFS
ctxsigndata -v mpmserver.mycompany.com/mpmservice DC1.mycompany.com AD

Displaying Help (-h)

Use the help command-line parameter to display help for the CtxSignData command. The syntax for the CtxSignData command with the -h parameter is:

CtxSignData [-h]

Where:
-h = Displays the help

The following is an example of the CtxSignData command with the -h parameter:
ctxsigndata -h

Enabling and Disabling the Data Integrity Service on Password Manager Agent Software

The following registry key can be edited to enable or disable Data Integrity for Password Manager Agent software.

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Extensions\SyncManager\PerformIntegrityCheck
Type: DWORD
Values:
0 = Data Integrity Validation Disabled
1 = Data Integrity Validation Enabled

Removing Deleted Objects from Your Central Store

CtxFileSyncClean.exe removes any objects in your central store that point to objects that were deleted. This ensures that your environment contains the most up-to-date information. Run CtxFileSyncClean.exe from the \Tools directory of your product CD-ROM.

Moving Data to a Different Central Store

Note: When importing administrative data into the Password Manager Console, only new administrator-created password policies are overwritten. The Default and Domain policies are not imported and, as a result, retain any changes made to them previously.

There are several reasons why you may need to migrate password policies, application templates, application definitions, security questions, and other types of Password Manager administrative data. These reasons include:

The user moves to a new domain
A new server is added to the Password Manager environment
A new domain is added so users can use Password Manager's Account Association feature
Users begin using Account Association across existing domains
Password Manager is moved from a test environment to a production environment

The steps associated with migrating administrative data are the same regardless of the circumstances that require the migration. In all cases, you first export the administrative data from its existing environment and then import it into your new environment. In most instances, you must also redirect users to the new central store. You perform these tasks using the Password Manager Console commands.

The following table lists the data that does and does not migrate when you use the Export command:

Migrates:
Password policies (except for the Default and Domain policies)
Application templates
Application definitions
Security questions and security question groups used as part of question-based authentication

Does not migrate:
User configurations
People folders
Application groups
User credentials
Questionnaires

User configurations do not migrate from one central store to another automatically. Instead, you must recreate user configurations and redirect users to the new central store. When Password Manager Agent synchronizes its data with data in the original central store, it recognizes that the values changed; Password Manager Agent then copies the credentials to the new central store.

Important: Using the Service Configuration Tool, point the Password Manager Service to the new central store.

Migrating Data to a New Central Store

Use the Password Manager Console to export your administrative data. When you export the data from the original central store, Password Manager creates an .xml file that contains your administrative data. You must then import the information in the file into your new central store.

To export administrative data

1. In the original console, click the Password Manager node and then click Export administrative data.
The Export Admin Data Wizard appears.
2. On the Welcome page, click Next.
3. On the Select Data page, select the types of data to export and click Next.
4. On the Specify file page, save the data as an .xml file to a location you will be able to access from the new console's computer and click Next.
5. On the Export data page, click Finish. The Export Admin Data Wizard closes.

To import administrative data

1. Install and start Password Manager on the new location, completing the Configure and Run Discovery process.
2. In the new console, click the Password Manager node and then click Import administrative data. The Import Admin Data Wizard appears.
3. On the Welcome page, click Next.
4. On the Specify file page, select the exported .xml data file and click Next. You will be prompted if the contents of the data file and the target central store share names or IDs. In such cases, use the Yes, Yes to All, and No buttons to overwrite or avoid overwriting the existing contents of the central store.
5. On the Import data page, click Finish. The Import Admin Data Wizard closes.

To redirect users to the new central store

1. In the new console, after migrating your data to the new central store, create new user configurations.
Important: If the Password Manager Service is also being migrated to a new computer, you must include the new service address in the user configurations.
2. In the original console, select the user configuration to be redirected to the new central store and click Redirect users.
3. In the Redirect Users dialog box, identify the type and location of the new central store and click OK. The dialog box closes and the user configuration now points to the new central store.
Note: The Redirect Users command disables the Delete user's data folder and registry keys when agent is shut down setting. This ensures that agents keep all the data in the user's local store, including credentials, settings, and the information that redirects them to the new central store. This setting must remain disabled in the new environment until the registry is changed on the Password Manager Agent device to point to the new central store location.

In some environments, user profiles are deleted automatically at logoff by the operating system. In this instance, you can either disable the deletion of user profiles so that agents are redirected to the new central store, or you can perform a redirect and have users refresh Password Manager Agent to force synchronization. The forced synchronization copies the user credentials to the new central store.

Note: During a redirect, all users who are being redirected must be logged on. Password Manager Agent refresh occurs as soon as Password Manager Agent provides credentials.

Backing Up Important Files

Be sure to include the central store and its contents, certificates, and personal and private keys in your company's regular backup procedures.

Important: You must modify the permissions for these files in Windows if your central store is in an NTFS network share or Novell shared folder for them to be accessible to your backup program.

Backing Up Password Manager Service Files

These steps describe how to back up and restore the Citrix Password Manager Service.

Note: See also If You Used the CtxMoveKeyRecoveryData Tool to Back Up Service Data in the Citrix Password Manager Installation Guide.

To back up the service

1. Take note of the settings you make when running the Service Configuration Tool to set up your service.
2. Export the service data to a secure share or disk using CtxMoveServiceData.exe:
A. From a command prompt, go to C:\Program Files\Citrix\Metaframe Password Manager\Service\Tools.
B. Type CtxMoveServiceData.exe export \\server\share\backupfile.
Note: Do not use environment variables in your path.
C. When asked, type a password of your choice. Make note of the password.
Important: The service data you save to your backup file will be encrypted using this password. Do not lose your password.
D. When asked to confirm your password, type it again.
E. Verify that your backup file was created.

To restore the service

1. Install the service from the installation media.
2. Configure the service with the proper settings, using the notes you made prior to backup.
Note: If you are using data integrity, make sure you configure the data integrity server location properly, whether the data integrity server location has changed or stayed the same.
3. Finish the configuration and allow the service to start. After the service starts, you can immediately stop the service if you choose.
4. Import the service data from a secure share or disk, using CtxMoveServiceData.exe:
A. From a command prompt, go to C:\Program Files\Citrix\Metaframe Password Manager\Service\tools.
B. Type CtxMoveServiceData.exe import <\\server\share\backupfile>.
C. Enter the correct password when prompted.
D. When asked if you want to overwrite AKR.DAT, select Yes.
5. Restart the service. The service is now ready for use.
11 Password Manager Settings List

allow agent to operate when unable to reconnect to central store
allow agent to operate when unable to reconnect to central store
allow lowercase characters
allow numeric characters
allow protection using blank passwords
allow smart card PINs
allow special characters
allow uppercase characters
allow user credentials to be accessed through the Credential Synchronization Module
allow user to pause agent
allow user to reveal password for applications
allow users to associate accounts
allow users to choose a system-generated password or create their own password
allow users to edit domain
allow users to edit service address
allow users to remember password
allow users to reset their primary domain password
allow users to reveal all passwords in Logon Manager
allow users to unlock their domain account
allow users to update agent settings
allowed special characters list
application icon
automatically detect applications and prompt user to store credentials
concurrent user licensing (Enterprise Edition only)
delete user's data folder and registry keys when the agent is shut down
detect client-side application definitions
display computer name in notification icon ToolTip
do not allow application user name in password
do not allow application user name in password
do not allow portions of application user name in password
do not allow portions of application user name in password
do not prompt users; restore primary data protection automatically over the network
do you need to regulate account administrator access to user data?
enable graphic
enable session indicator
enable support for terminal emulators
enable users to cancel credential storage when a new application is detected
enforce password matching during initial credential setup
exclude the following list of characters or character groups from passwords
for improved user experience upon logon events, please select all data protection methods that apply. (page 214)
force re-authentication before revealing passwords
force user to reauthenticate before submitting application credentials
generate a password and submit it without displaying the Password Change Wizard
generate a random policy-compliant password
generate and test a number of unique policy-compliant passwords
license server address
limit the number of days to keep track of deleted credentials
lock time-out
log Citrix Password Manager events using Windows event logging
maximum number of numeric characters allowed
maximum number of numeric characters required
maximum number of times a character can occur sequentially
maximum number of times a character can occur
maximum password length
Microsoft Data Protection API
minimum number of lowercase characters required
minimum number of numeric characters required
minimum number of special characters required
minimum number of uppercase characters required
minimum password length
named user licensing
new password must not be the same as previous password
notify user when agent synchronization fails
number of characters in portions
number of characters in portions
number of days to warn user before password expires
number of days until password expires
number of domain name levels to check
number of logon retries
number of previous passwords remembered
only allow users to choose a system-generated password
only allow users to create their own password
password can begin with a lowercase character
password can begin with a numeric character
password can begin with a special character
password can begin with an uppercase character
password can end with a lowercase character
password can end with a numeric character
password can end with a special character
password can end with an uppercase character
password expiration
process only the first logon for this application
process only the first password change for this application
prompt user to enter the previous password
prompt user to select the method: previous password or security questions
prompt users to verify identity
provide default domain
provide default service address
run script when password expires
service location (Key Management Module)
service location (Provisioning Module)
session settings script path
session time-out
set the default columns and column order in Logon Manager
show notification icon
Smart Card Certificate
specify the length of time the agent delays credential submission
synchronize every time users launch recognized applications or Logon Manager
test the compliance of a manually created password
time between agent re-authentication requests
time interval in which the agent checks the terminal emulator for changes
time limit for number of retries
use Citrix Password expiration warning
use default value (for license server port number)
use provisioning
users authentication data
12 Password Manager 4.6 Settings Reference

This reference describes the settings and setting default conditions available in the Password Manager node of the Access Management Console, grouped by their locations in the console. To quickly find a specific setting name, click the specific setting name in Password Manager Settings List and a hyperlink takes you directly to the setting's definition and default configuration.

User Configurations

This section describes the user configuration settings and controls. All navigation hints provided in this section are made to an existing user configuration when performing an edit function. To access the Edit User Configuration dialog box, navigate as follows:

Management Consoles > Access Management Console > Password Manager > User Configurations > [configuration] > Edit user configuration

Synchronization Server

This setting specifies the domain controller to bind users to when synchronizing with the central store.
... User Configurations > [configuration] > Edit user configuration > Synchronization Server

Basic Agent Interaction

These controls customize how the agent works for this user configuration. The agent user interface and synchronization preferences are set here.
... User Configurations > [configuration] > Edit user configuration > Basic Agent Interaction
allow users to reveal all passwords in Logon Manager
This setting controls whether users can reveal passwords in the Logon Manager. When the setting is not selected, the Logon Manager Reveal button is disabled. To restrict the ability to reveal a password to specific applications, select this setting and then use the corresponding password policy setting to control whether or not users can reveal passwords for applications managed by that policy.
default setting: not selected

force re-authentication before revealing user passwords
This setting controls whether users must re-authenticate to Citrix Password Manager before a reveal password request is honored.
default setting: selected

allow users to pause agent
This setting controls whether users have the option to temporarily pause the Citrix Password Manager agent. If selected, users are allowed to pause the agent without shutting it down. When the agent is paused, Citrix Password Manager does not recognize applications that require authentication, and users must enter and submit their own credentials.
default setting: selected

notify user when agent synchronization fails
Select this setting to notify users when agent synchronization fails.
default setting: selected

automatically detect applications and prompt user to store credentials
This setting controls whether the agent software prompts the user to add credentials for new applications. Disable this setting to force users to enter all credentials manually in Logon Manager. When this setting is not selected, it overrides the enable users to cancel credential storage when a new application is detected setting in the client-side interaction settings.
default setting: selected

automatically process defined forms when the agent detects them
Select this option to permit the agent software to submit stored credentials automatically without user intervention.
Credential fields in the application automatically populate if the corresponding setting, Agent submits this form automatically, is selected in the application definition associated with this user configuration.
default setting: selected

time between agent re-authentication requests
This setting specifies the time between agent re-authentication requests. When the specified time expires, the workstation is locked and users must reauthenticate by entering their primary credentials. This is a way to verify that the user who initiated the session remains present at the workstation. The minimum allowed value for this setting is 1 minute.
default setting: 8 hours

Agent User Interface

These controls are used to set the content of the icon ToolTip, show or hide the Citrix Password Manager icon, and set the credential submission delay.
... User Configurations > [configuration] > Edit user configuration > Agent User Interface

display computer name in notification icon ToolTip
Select this setting to display the computer name in the notification icon ToolTip.
default setting: not selected

show notification icon
Select this control to display the Citrix Password Manager notification icon when the agent is active. When the icon is not selected, users cannot start or stop the agent software or access other user-controlled options.
default setting: selected

specify the length of time the agent delays credential submission
Select this setting to specify the length of time the agent software delays credential submission after detecting an allowed application. If selected, specify the length of time (in seconds) to delay credential submission. Use this setting to ensure that the application is ready to receive the credentials. If selected, the agent software shows a progress indicator, indicating that the agent is working during the delay period.
default setting: not selected

set the default columns and column order in Logon Manager
This setting controls which columns are shown in the Logon Manager's Details view and the order in which they are presented. This setting does not affect the List or Icon views in the Logon Manager.
default setting:
Application Name
Description
Group
Last Used
Modified
Password
URL/Module
Username ID

Client Side Interaction

These settings are used to configure password matching, agent event logging, registry key retention on shutdown, and credential storage on newly detected applications.
... User Configurations > [configuration] > Edit user configuration > Client Side Interaction

enforce password matching during initial credential setup
Select this control to require users to enter passwords twice for confirmation during initial credential setup.
default setting: selected

log Citrix Password Manager events using Windows event logging
Select this control to track agent error and warning events in the Windows Event Log.
default setting: not selected

delete user's data folder and registry keys when the agent is shut down
Select this control to delete the user's registry keys and data folder (including encrypted credentials) when the agent is shut down.
default setting: not selected
enable users to cancel credential storage when a new application is detected
This setting is used to control whether or not users are prompted to store credentials every time the agent recognizes an application for which no credentials are stored. If selected, users can choose to store their credentials in the Logon Manager now, later, or never. If the setting Automatically detect applications and prompt users to store credentials is not selected, the agent software does not prompt users to store credentials.
default setting: selected

limit the number of days to keep track of deleted credentials
Use these controls to specify how long the central store tracks credentials deleted from Logon Manager. When user credentials are stored on multiple client devices, the agent deletes the credentials when it synchronizes with the central store during this time period. If the credentials are still stored on a client device when the time elapses, they are restored when the agent synchronizes with the central store.
default setting: selected / 180 days

Synchronization

These controls are used to allow users to refresh agent settings, synchronize user configuration information, allow the agent software to continue to operate if it cannot connect to the central store, and specify automatic synchronization intervals.
... User Configurations > [configuration] > Edit user configuration > Synchronization

allow users to update agent settings
Select this setting to allow users to refresh agent settings in Logon Manager. When the setting is not selected, the Logon Manager Refresh button is disabled.
default setting: selected

synchronize every time users launch recognized applications or Logon Manager
Select this setting to have the agent synchronize user configuration information whenever a user launches a recognized application or Logon Manager.
Frequent synchronization can degrade performance on both the client and server, as well as increase network traffic.
default setting: not selected
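The behaviour described under limit the number of days to keep track of deleted credentials above has a failure mode worth seeing concretely: a device that misses the tracking window brings a deleted credential back to every other device. The following is an added example, not Citrix code; the store, device and sync routine are a simplified model built only from the setting's description, and the class names, the day-count arithmetic and the sample credential are assumptions.

```python
"""Model of how a deletion propagates between devices while the central store
tracks it, and what happens once tracking lapses.

Added example, not Citrix code.  The classes and the sync steps are a
simplified reconstruction of the behaviour described for the
'limit the number of days to keep track of deleted credentials' setting;
days are plain integers and the credential name is constructed.
"""
from dataclasses import dataclass, field

TRACK_DAYS_DEFAULT = 180  # the guide's default for the setting


@dataclass
class CentralStore:
    creds: dict[str, str] = field(default_factory=dict)       # name -> secret
    deleted_on: dict[str, int] = field(default_factory=dict)  # name -> day the deletion was recorded


@dataclass
class Device:
    creds: dict[str, str] = field(default_factory=dict)


def delete_credential(device: Device, store: CentralStore, name: str, today: int) -> None:
    """User deletes a credential in Logon Manager on this device: it leaves the
    device and the store, and the store starts tracking the deletion."""
    device.creds.pop(name, None)
    store.creds.pop(name, None)
    store.deleted_on[name] = today


def synchronize(device: Device, store: CentralStore, today: int,
                track_days: int = TRACK_DAYS_DEFAULT) -> list[str]:
    """One agent synchronization.  Returns the names of credentials that this
    device put back into the store because the deletion was no longer tracked."""
    lapsed = []
    for name, day in list(store.deleted_on.items()):
        if today - day <= track_days:
            device.creds.pop(name, None)   # deletion still tracked: apply it locally
        else:
            del store.deleted_on[name]     # tracking expired: the store forgets the deletion
            lapsed.append(name)
    resurrected = [n for n in lapsed if n in device.creds]
    # Two-way merge: device-only credentials go up, store credentials come down.
    for name, secret in device.creds.items():
        store.creds.setdefault(name, secret)
    device.creds.update(store.creds)
    return resurrected


def scenario(days_offline: int, track_days: int = TRACK_DAYS_DEFAULT) -> tuple[list[str], bool]:
    """Two devices share one credential; it is deleted on the laptop on day 1 and
    the desktop next syncs `days_offline` days later.  Returns what the desktop
    resurrected and whether the credential is back in the store."""
    store, laptop, desktop = CentralStore(), Device(), Device()
    laptop.creds["hr-portal"] = "constructed-secret"   # constructed sample credential
    synchronize(laptop, store, today=0, track_days=track_days)
    synchronize(desktop, store, today=0, track_days=track_days)  # desktop gets its copy
    delete_credential(laptop, store, "hr-portal", today=1)
    back = synchronize(desktop, store, today=1 + days_offline, track_days=track_days)
    return back, "hr-portal" in store.creds


if __name__ == "__main__":
    for offline in (30, 180, 181):
        print(offline, scenario(offline))
```

With the default of 180 days, a desktop that syncs 30 or even 180 days after the deletion has its copy removed; one that first syncs on day 181 pushes the credential back into the store, from where every other device picks it up again. Devices that have been offline longer than the tracked period, and any decision to shorten that period, therefore deserve a look whenever a credential was deleted for a reason.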
allow agent to operate when unable to reconnect to central store
This setting controls whether or not Citrix Password Manager operates when unable to connect to the central store for synchronization. When selected, a licensed instance of the agent software continues to operate even if the connection fails. If not selected, the agent operates only when connected to the central store.
default setting: selected

time between automatic synchronization requests
This control is used to specify the time between automatic synchronization attempts. Automatic synchronization is independent of user activity and takes place in addition to other events that trigger synchronization.
default setting: not selected / 0 minutes

allow user credentials to be accessed through the Credential Synchronization Module
Select this setting to allow remote clients to access user credentials through the service module. This option is used with the Account Association feature, which allows an agent user to log on to any application from one or more Windows accounts.
default setting: not selected

Account Association

Because companies can maintain multiple Windows domains, users can also have more than one Windows account. The Account Association options allow an agent user to log on to any application from one or more Windows accounts. These controls allow users to associate logon information among multiple Windows accounts.
... User Configurations > [configuration] > Edit user configuration > Account Association

allow users to associate accounts
Select this setting to allow users to associate multiple Windows accounts, and provide the URL and port where the Credential Synchronization Module is installed. This option cannot be set when initially configuring a user configuration. It can be defined only when editing an existing configuration.
default setting: not selected
provide default service address
Select this setting to allow the default service address and service port of the Credential Synchronization Module to be defined. After defining the settings, you can select the Validate option to validate the address path and service port.
default setting: <AddressOfYourServer>/MPMService/ service port: 443

allow users to edit service address
If a service address is defined, select this setting to allow the user to edit the settings through the agent interface. Select this option if credential synchronization is run in multiple places and users need to be able to switch.
default setting: not selected

provide default domain
Select this setting to specify the default domain used for authentication when the agent synchronizes with the associated Windows account. If this setting is selected, enter the default domain name in the space provided. If you do not provide the domain, users might be confused as to which user credentials they should provide.
default setting: not selected

allow users to edit domain
Select this setting to allow users to edit the default domain used for authentication when the agent synchronizes with the associated Windows account.
default setting: not selected

allow users to remember password
Select this setting to allow users to save their associated Windows account password in the agent.
default setting: not selected

Application Support

These controls allow the agent software to detect client-side application definitions, enable support for terminal emulators, and specify the minimum number of domain name levels to match for Web applications.
... User Configurations > [configuration] > Edit user configuration > Application Support
detect client-side application definitions
Select this setting to allow Password Manager to detect applications defined in one of the following ways, in addition to applications defined by administrators. Selected by default. When selected, one of the following options must be selected:

All applications: Detects and responds to applications defined by an administrator or a user (in Logon Manager) and defined in the default settings at installation.
Only applications that are included with Password Manager Agent: Detects and responds to applications defined by an administrator and defined in the default settings at installation. Users cannot create their own application definitions from Logon Manager.
Only applications that are defined by users in Logon Manager: Detects and responds to applications defined by an administrator and a user in Logon Manager. The agent software will not recognize or respond to applications defined in the default settings at installation.

default setting: All applications

enable support for terminal emulators
This setting controls support for terminal emulation programs. The agent software requires support for terminal emulators to detect Host/Mainframe applications. When selected, the agent software runs a process that detects terminal emulators.
default setting: not selected

time interval in which the agent checks the terminal emulator for changes
This setting is used to specify how much time must pass before the agent software checks the host emulator for screen changes. Lower values can use more CPU time on the client and increase network traffic. If not selected, the agent software uses 3000 milliseconds as the default value. If selected, enter the time in milliseconds.
default setting: not selected
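The number of domain name levels to match setting that follows decides how much of a Web application's host name must agree before the agent treats a page as the defined application. The added example below is written for this guide's description and is not Citrix code; the function names, the sample URLs and the rule that a value of 1 still compares two labels are assumptions drawn from the setting's wording. It models the comparison so you can see which hosts a given value lets one application definition cover, and why a low value widens the set of hosts to which stored credentials would be offered.

```python
"""Model of the 'number of domain name levels to match' setting.

Added example, not Citrix code.  Rule reconstructed from the setting's
description: a value of 2 or less matches *.domain1.tld, a value of 3
matches *.domain2.domain1.tld, and labels beyond the chosen count are
treated as wildcards.  Everything else here (names, sample URLs) is assumed.
"""
from urllib.parse import urlsplit

MIN_LEVELS = 2  # assumption: values below 2 behave like 2 (the guide says "2 or less")


def host_of(url: str) -> str:
    """Lower-cased host name of a URL, without port, userinfo or trailing dot."""
    host = urlsplit(url).hostname  # .hostname is already lower-cased
    if not host:
        raise ValueError(f"no host name in {url!r}")
    return host.rstrip(".")


def match_suffix(host: str, levels: int) -> tuple[str, ...]:
    """The labels that must agree: the rightmost `levels` labels, or the whole
    host when it has fewer labels than that (so the default of 99 amounts to
    an exact host-name match)."""
    labels = tuple(host.split("."))
    return labels[-max(MIN_LEVELS, levels):]


def hosts_match(defined_url: str, observed_url: str, levels: int) -> bool:
    """True when the observed page's host is covered by the application's
    defined host at the configured number of domain name levels."""
    return match_suffix(host_of(defined_url), levels) == match_suffix(host_of(observed_url), levels)


def covered_hosts(defined_url: str, observed_urls, levels: int) -> list[str]:
    """Hosts in observed_urls that the definition would apply to."""
    return [host_of(u) for u in observed_urls if hosts_match(defined_url, u, levels)]


# Constructed sample: one defined application and a handful of hosts the agent
# might see.  None of these names come from the guide.
DEFINED = "https://hr.intranet.example.com/login"
SEEN = [
    "https://hr.intranet.example.com/login",
    "https://HR.intranet.example.com:8443/",     # same host, different port and case
    "https://test.hr.intranet.example.com/",     # one label deeper
    "https://payroll.intranet.example.com/",     # sibling under intranet
    "https://wiki.example.com/",                 # sibling under example.com
    "https://example.com.lookalike.test/",       # unrelated domain that merely contains the name
]

if __name__ == "__main__":
    for levels in (99, 3, 2):
        print(levels, covered_hosts(DEFINED, SEEN, levels))
```

Running it shows how many of the constructed hosts each value admits: 99 (the default) keeps the definition to the exact host, 3 extends it to everything under intranet.example.com, and 2 to everything under example.com, while the look-alike whose name merely contains example.com is never matched because only the rightmost labels are compared. That widening is why the guide points to strict URL matching in application definitions when the set of hosts receiving credentials must be controlled.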
number of domain name levels to match
This setting is used to specify the minimum number of domain name levels to match for allowed Web applications. A value of 2 or less would match *.domain1.topleveldomain; a value of 3 would match *.domain2.domain1.topleveldomain. Domain name levels beyond the specified number are treated as wild cards. To strictly control URL matching for Web applications, set strict URL matching in your application definitions.
default setting: 99

Hot Desktop
These controls specify:
- The path of the session settings file that defines the scripts to be executed at the start and end of a Hot Desktop session
- The length of time in minutes that a Hot Desktop session will remain active when the workstation is idle
- The length of time that a Hot Desktop session will run while the desktop is locked
- Whether or not a window identifying the Hot Desktop session is displayed
- The graphic file to be displayed in the Hot Desktop session indicator
... User Configurations > [configuration] > Edit user configuration > Hot Desktop

session settings script path
This control specifies the path of the session settings file that defines the scripts to be executed at the start and end of a Hot Desktop session. The start script can be used to start applications. The stop script can be used to perform cleanup tasks such as file removal. The file used must be accessible to all users.
default setting: [blank]

lock time-out
This control is used to specify the length of time in minutes that a Hot Desktop session will remain active when the workstation is idle. If this interval is exceeded, the desktop is locked.
default setting: 10 minutes
session time-out
This control is used to specify the length of time in minutes that a Hot Desktop session will run while the desktop is locked. If this time is exceeded, the session is terminated and a new session is started when the desktop is unlocked.
default setting: 5 minutes

enable session indicator
This setting controls whether or not a window identifying the Hot Desktop session is displayed. When selected, a transparent moveable window appears on the desktop during Hot Desktop sessions. This window displays the user's name and the elapsed time of the active session.
default setting: selected

enable graphic
This control is used to specify the path of the graphic file displayed in the Hot Desktop session indicator. The specified file must be in a location accessible to all users and must be in Windows bitmap (.bmp) file format.
default setting: [none]

Licensing
These controls are used to identify the license server name and access port, select the licensing model, and continue configuration without validating license information.
... User Configurations > [configuration] > Edit user configuration > Licensing

license server name
The fully qualified name (hostname.domain.tld) and access port associated with the license server must be identified. The default port number is 27000.
default setting: [blank]

default port: use default value (for license server port number)
Select this setting to use the default access port on the license server. If the license server is listening on a port other than its default port, disable this setting and enter the access port in the provided field.
default setting: selected
default port: 27000
named user licensing (Enterprise and Advanced Editions only)
This option is selected if you choose Password Manager Advanced as the product edition. You can also choose this option if you select Password Manager Enterprise as the product edition. With this license type, Password Manager can be used only by specific, named users. If this option is selected, you must specify the time period (in days, hours, and minutes) that the license is assigned to the named user before the license expires and the agent reconnects to the license server. The user maintains control of the license for the specified time period even if the user PC shuts down.
default setting: selected if Password Manager Advanced Edition; not available if Presentation Server Platinum Edition
default disconnect setting: 21 days

concurrent user licensing (Enterprise and Platinum Editions only)
This option is selected automatically if you select the product edition as Password Manager Enterprise or Presentation Server Platinum. It is not available if you select Advanced Edition as the product edition.
default setting: selected if Password Manager Enterprise or Presentation Server Platinum Edition; not available if Password Manager Advanced Edition
default disconnect setting: 1 hour, 30 minutes if Allow license to be consumed for offline use is not selected; 21 days if Allow license to be consumed for offline use is selected

allow license to be consumed for offline use
This option is available only if Concurrent User Licensing is selected. Select this setting to specify the amount of time that the user can be disconnected (offline) before the license expires and is returned to the pool of available licenses. If specified, the user maintains control of the license for the specified time period even if the user PC shuts down. The default time period is 1 hour 30 minutes; the recommended value is between 2 and 365 days.
default setting: not selected

continue without validating licensing information
This setting allows the editing process to continue without requiring a valid license server name and access port.
default setting: not selected

Data Protection Methods
These settings are used to select the primary data protection methods used to protect the credentials of your users.
... User Configurations > [configuration] > Edit user configuration > Data Protection Methods

do you need to regulate account administrator access to user data?
Select Yes to disallow administrator access to user credentials. Selecting this option disables the Microsoft Data Protection API options (including the DPAPI with profile selection in the smart card key source drop-down menu) and the Do not prompt users; restore primary data protection automatically over the network option on the secondary data protection settings. With this configuration, the account administrator or any other administrator does not have access to user passwords or data. This setting helps prevent an administrator from impersonating a user: with the default setting, the administrator cannot log on as the user and thereby access data located in the user's local credential store. Select No to allow use of all of the authentication features listed here and of the secondary data protection methods on the Secondary Data Protection settings.
default setting: Yes

for improved user experience upon logon events, please select all data protection methods that apply
Choose this selection to use the primary authentication features that are made available in the subsequent settings.
default setting: selected

users authentication data
This setting is available only when the for improved user experience upon logon events, please select all data protection methods that apply setting is selected. Select this setting to use an authentication secret to access and protect user data. The authentication secret can be a user password or a PIN-based device used in your environment.
default setting: not selected

allow smart card PINs
Select this option to allow the smart card PIN to be used as the user secret for protection. Select this option only if your enterprise or environment has a strong PIN policy.
default setting: not selected
allow protection using blank passwords
Select this option only if your domain has low security requirements and you allow users to have blank domain passwords. If you select this option and the agent software detects that the user has a blank password, a user secret is derived from the user ID. If not selected, the agent software does not derive a user secret or otherwise perform any data protection with the blank password. If you select Users authentication data and do not select Allow smart card PINs or Allow protection using blank passwords, then when the user attempts to log on with a blank password, an error message appears and the agent software is disabled.
default setting: not selected

Microsoft Data Protection API
Select this option if you are using roaming profiles implementing a Kerberos network authentication protocol for users. This option works only if roaming profiles are available. For example, select Users authentication data and this option if users are using passwords to access their PCs and a Kerberos network authentication protocol to access a Citrix Presentation Server farm. This method also allows the use of user credentials and smart cards to log on.
default setting: not selected

Smart Card Certificate
Select this option to allow users to use cryptographic cards that enable encryption and decryption of authentication data. Citrix recommends that, if possible, you select this option if you are using Hot Desktop with smart cards in your environment.
default setting: not selected

Use data protection as in Password Manager 4.1 and previous versions
Select this option and select a method from the Smart Card key source drop-down menu to permit users to use a single primary authentication method and/or if you are using Version 4.0 or 4.1 of the agent software. If you upgraded your Password Manager central store from Version 4.1 to Version 4.6, this option is selected automatically.
default setting: not selected
Secondary Data Protection
These options allow you to specify the secondary credential data protection features to use before unlocking user credentials when users change their primary authentication (for example, when a domain password is changed or a smart card is replaced). Alternatively, they allow you to specify that credentials are restored automatically when implementing the Key Management Module.
... User Configurations > [configuration] > Edit user configuration > Secondary Data Protection

prompt users to verify identity
Use this option to identify which of the following user reauthentication methods is used:
- Prompt user to enter the previous password
- Prompt user to select the method: previous password or security questions
default setting: selected

prompt user to enter the previous password
Choose this option to force users who forget their previous password to be locked out and require them to reenroll their secondary credentials. To prevent user lockout, do not combine self-service password reset with the previous-password method as the exclusive way of confirming users' identities. When previous password is the only method available to your users, users who forget their previous primary password are locked out of the system. Their user data must be reset or deleted from the central store and from all client devices on which it is stored, and they must reenter their credentials for all of their applications.
default setting: selected

prompt user to select the method: previous password or security questions
Select this option to prompt users according to their choice of verification method. Enabling this option enables the Use identity verification as in previous versions of Password Manager option.
default setting: not selected

Use data protection as in Password Manager 4.1 and previous versions
Select this option if upgrading from Password Manager Version 4.1 and question-based authentication or identity verification questions are selected.
default setting: not selected

do not prompt users; restore primary data protection automatically over the network
Select this option when implementing the Key Management Service Module to bypass identity verification and automatically unlock user credentials. This method is less secure than other data protection methods but increases ease-of-use for your users by retrieving credentials automatically.
default setting: not selected

Self Service Features
The options available in this section require installation of the Key Management service module. This module inserts a button on the Windows logon dialog box that is used to allow users to reset their passwords.
... User Configurations > [configuration] > Edit user configuration > Self Service Features

allow users to reset their primary domain password
Select this setting to allow users to reset their primary domain password without administrative intervention.
default setting: not selected

allow users to unlock their domain account
Select this setting to allow users to unlock their domain account.
default setting: not selected

Key Management Module
These controls identify the service location and port for the Key Management Module.
... User Configurations > [configuration] > Edit user configuration > Key Management Module

service location (Key Management Module)
This setting is used to identify the service address and port for the Key Management Module. Use the Validate button to ensure the settings are valid.
default setting: [blank]
service port: 443
Provisioning Module
The Provisioning Module allows the credentials associated with users in this user configuration to be imported, modified, and removed. These pages require you to specify the location and service port of the Provisioning Module.
... User Configurations > [configuration] > Edit user configuration > Provisioning Module

use provisioning
Select this setting to use provisioning.
default setting: not selected

service location (Provisioning Module)
This setting is used to identify the service address and port for the Provisioning Module. Use the Validate button to ensure the settings are valid.
default setting: [blank]
service port: 443

Application Definitions
This section describes the application definition settings and controls. All navigation hints provided in this section refer to an existing application definition when performing an edit function. To access the Edit Application Definition dialog box, navigate as follows:
Management Consoles > Access Management Console > Password Manager > Application Definitions > [definition] > Edit application definition

Edit Application Forms
These controls set the rules that govern password length and character repetition.
... Application Definitions > [definition] > Edit application definition > Application Forms > [defined form] > Edit > Other Settings

agent submits this form automatically
This setting is used to specify whether the submit button is pressed automatically by the agent software or the user is required to press it manually. Select the Agent submits this form automatically check box to submit the form automatically without user intervention.
default setting: selected
Application Icon
This control is used to identify the icon that is displayed next to the application in the Logon Manager.
... Application Definitions > [definition] > Edit application definition > Application Icon

application icon
This setting controls the application icon that appears next to the application name in the Logon Manager. Two options are available:
- Use default icon
- Use custom icon (enter icon path below)
If a custom icon is to be used, use the browse feature to identify the path to the icon file. Any standard Windows icon file can be identified. Microsoft Windows environment variables are supported.
default setting: use default icon

Advanced Detection
These controls are used to force the agent software to ignore subsequent logon or password change forms during an application session when a logon or password change was already processed.
... Application Definitions > [definition] > Edit application definition > Application Detection

process only the first logon for this application
Select this control to process only the first logon for this application and to ignore subsequent logon requests.
default setting: not selected

process only the first password change for this application
Select this control to process only the first password change request for this application and to ignore subsequent password change requests.
default setting: not selected

Password Expiration
These controls are used to specify the settings for this application when the password expires. The Citrix Password Manager expiration policy is enforced only if it is selected in the password policy associated with this application.
... Application Definitions > [definition] > Edit application definition > Password Expiration

run script when password expires
Select this setting and identify the script and its path to run a specific script file when the password expires. See Configure Password Expiration on page 44 for additional information.
default setting: not selected

use Citrix Password Manager expiration warning
Select this setting to use the Citrix Password Manager expiration warning when the password expires. See Configure Password Expiration on page 44 for additional information.
default setting: not selected

Password Policies
This section describes the password policy settings and controls. All navigation hints provided in this section refer to an existing password policy when performing an edit function. To access the Edit Password Policy dialog box, navigate as follows:
Management Consoles > Access Management Console > Password Manager > Password Policies > [policy] > Edit password policy

Basic Password Rules
These controls set the rules that govern password length and character repetition.
... Password Policies > [policy] > Edit password policy > Basic Password Rules

minimum password length
Specifies the minimum number of characters required in the password. Minimum allowed value = 0. Maximum allowed value = 128.
default setting: 8

maximum password length
Specifies the maximum number of characters allowed in the password. Minimum allowed value = 1. Maximum allowed value = 128.
default setting: 20
maximum number of times a character can occur
Specifies the maximum number of times a character can occur in a password. Minimum allowed value = 1. Maximum allowed value = 128.
default setting: 6

maximum number of times the same character can occur sequentially
Specifies the maximum number of times the same character can occur sequentially. Minimum allowed value = 1. Maximum allowed value = 128.
default setting: 4

Alphabetic Character Rules
These controls set the rules that govern alphabetic character use in passwords.
... Password Policies > [policy] > Edit password policy > Alphabetic Character Rules

allow lowercase characters
Controls whether or not lowercase alphabetic characters can be used in passwords.
default setting: allow lowercase characters

password can begin with a lowercase character
Controls whether or not passwords can begin with a lowercase character.
default setting: allow passwords to begin with a lowercase character

password can end with a lowercase character
Controls whether or not passwords can end with a lowercase character.
default setting: allow passwords to end with a lowercase character

minimum number of lowercase characters required
Specifies the minimum number of lowercase alphabetic characters required in a password. Minimum allowed value = 0. Maximum allowed value = 128.
default setting: 0

allow uppercase characters
Controls whether or not uppercase alphabetic characters can be used in passwords.
default setting: allow uppercase characters
password can begin with an uppercase character
Controls whether or not passwords can begin with an uppercase character.
default setting: allow passwords to begin with an uppercase character

password can end with an uppercase character
Controls whether or not passwords can end with an uppercase character.
default setting: allow passwords to end with an uppercase character

minimum number of uppercase characters required
Specifies the minimum number of uppercase alphabetic characters required in a password. Minimum allowed value = 0. Maximum allowed value = 128.
default setting: 0

Numeric Character Rules
These controls set the rules that govern numeric character (0-9) use in passwords.
... Password Policies > [policy] > Edit password policy > Numeric Character Rules

allow numeric characters
Controls whether or not numeric characters can be used in passwords.
default setting: allow numeric characters

password can begin with a numeric character
Controls whether or not passwords can begin with a numeric character.
default setting: allow passwords to begin with a numeric character

password can end with a numeric character
Controls whether or not passwords can end with a numeric character.
default setting: allow passwords to end with a numeric character

minimum number of numeric characters required
Specifies the minimum number of numeric characters required in a password. Minimum allowed value = 0. Maximum allowed value = 128.
default setting: 0

maximum number of numeric characters allowed
Specifies the maximum number of numeric characters allowed in a password. Minimum allowed value = 1. Maximum allowed value = 128.
default setting: 20

Special Character Rules
These controls set the rules that govern special (non-alphabetic and non-numeric) character use in passwords.
... Password Policies > [policy] > Edit password policy > Special Character Rules

allow special characters
Controls whether or not special (non-alphabetic and non-numeric) characters can be used in passwords.
default setting: allow special characters

password can begin with a special character
Controls whether or not passwords can begin with a special character.
default setting: allow passwords to begin with a special character

password can end with a special character
Controls whether or not passwords can end with a special character.
default setting: allow passwords to end with a special character

minimum number of special characters required
Specifies the minimum number of special characters required in a password. Minimum allowed value = 0. Maximum allowed value = 128.
default setting: 0

maximum number of special characters allowed
Specifies the maximum number of special characters allowed in a password. Minimum allowed value = 0. Maximum allowed value = 128.
default setting: 20

allowed special characters list
Specifies the special characters allowed in a password.
default setting: !@#$^&*()_-+=[]\,?

Exclusion Rules
These controls specify the characters and character strings that are not allowed in passwords.
... Password Policies > [policy] > Edit password policy > Exclusion Rules

exclude the following list of characters or character groups from passwords
Select the Edit List option to open the Edit Exclusion List dialog box, which is used to specify up to 256 individual characters or groups of characters that are not allowed in passwords. Enter one character or group of characters per line. Each group can contain up to 32 characters. Individual characters or groups of characters are not case-sensitive.
default setting: [blank]

do not allow application user name in password
Controls whether or not the application user name is allowed in the password. If not selected, the application user name is allowed in the password.
default setting: not selected

do not allow portions of application user name in password
Controls whether or not portions of the application user name are allowed in a password. This includes all possible character groups that can be taken from the user name. This setting is closely coupled to the number of characters in portions setting. For example, when this setting is selected and the number of characters in portions setting is set to four, a password that includes the character groups citr, itri, or trix would not be allowed for a user with a user name of citrix.
default setting: not selected

number of characters in portions
Defines the number of characters that comprise a portion of the password that must be examined to determine if the supplied password contains a portion of the application user name. For example, when the do not allow portions of application user name in password option is selected and this setting is set to four, a password that includes the character groups citr, itri, or trix would not be allowed for a user with a user name of citrix.
default setting: 3

do not allow Windows user name in password
Controls whether or not the Windows user name is allowed in the password. If not selected, the Windows user name is allowed in the password.
default setting: not selected
do not allow portions of Windows user name in password
Controls whether or not portions of the user's Windows user name are allowed in the password. This includes all possible character groups that can be taken from the user name. This setting is closely coupled to the number of characters in portions setting. For example, when this setting is selected and the number of characters in portions setting is set to four, a password that includes the character groups citr, itri, or trix would not be allowed for a user with a user name of citrix.
default setting: portions of passwords allowed (check box not selected)

number of characters in portions
Defines the number of characters that comprise a portion of the password that must be examined to determine if the supplied password contains a portion of the application user name. For example, when the do not allow portions of application user name in password option is selected and this setting is set to four, a password that includes the character groups citr, itri, or trix would not be allowed for a user with a user name of citrix.
default setting: 3

Password History and Expiration
These controls specify whether or not a new password can be a repeat of a previous password, and the password expiration setting.
... Password Policies > [policy] > Edit password policy > Password History and Expiration

new password must not be the same as previous password
Controls whether or not the new password can be the same as a previous password. Previous passwords are kept in a password history.
default setting: new password can be the same as previous password (check box not selected)

number of previous passwords remembered
Specifies the number of previous passwords that are kept in the password history. Minimum allowed value is 1. Maximum allowed value is 24.
default setting: 1
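The Basic, Alphabetic, Numeric, Special Character, Exclusion and Password History rules above together describe the compliance check that the Test Password Policy controls perform. The following Python checker is an added example, not Citrix code: the class and field names are mine, character occurrences are counted case-sensitively, and any character that is not a letter or digit is treated as special (the page does not say how Password Manager classifies characters).

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence
import re

SPECIALS_DEFAULT = r"!@#$^&*()_-+=[]\,?"   # page default for the allowed special characters list


@dataclass
class ClassRule:
    """Per-character-class rule: the allow / begin / end / minimum / maximum settings."""
    allowed: bool = True
    can_begin: bool = True
    can_end: bool = True
    minimum: int = 0
    maximum: Optional[int] = None   # the page only caps numeric and special (default 20)


@dataclass
class PasswordPolicy:
    min_length: int = 8                 # Basic Password Rules, page defaults
    max_length: int = 20
    max_char_occurrences: int = 6       # counted case-sensitively (assumption)
    max_sequential_same: int = 4
    classes: Dict[str, ClassRule] = field(default_factory=lambda: {
        "lower": ClassRule(), "upper": ClassRule(),
        "numeric": ClassRule(maximum=20), "special": ClassRule(maximum=20)})
    allowed_specials: str = SPECIALS_DEFAULT
    excluded_strings: List[str] = field(default_factory=list)   # matched case-insensitively
    forbid_app_user_name: bool = False
    forbid_app_user_name_portions: bool = False
    forbid_win_user_name: bool = False
    forbid_win_user_name_portions: bool = False
    portion_length: int = 3
    forbid_previous_password: bool = False
    history_size: int = 1               # number of previous passwords remembered


def _char_class(ch: str) -> str:
    """Anything that is not a letter or digit counts as special (assumption)."""
    return "lower" if ch.islower() else "upper" if ch.isupper() else "numeric" if ch.isdigit() else "special"


def portions(name: str, n: int) -> set:
    """All runs of n consecutive characters: portions('citrix', 4) -> {'citr', 'itri', 'trix'}."""
    return {name[i:i + n] for i in range(len(name) - n + 1)} if n > 0 else set()


def check_password(pw: str, policy: PasswordPolicy, app_user: str = "",
                   win_user: str = "", history: Sequence[str] = ()) -> List[str]:
    """Return the rules the password violates; an empty list means it is compliant."""
    p, v = policy, []
    if not p.min_length <= len(pw) <= p.max_length:
        v.append("length")
    if pw and max(Counter(pw).values()) > p.max_char_occurrences:
        v.append("char occurrences")
    if re.search(r"(.)\1{%d,}" % p.max_sequential_same, pw):   # a run longer than the maximum
        v.append("sequential repeat")
    classes = [_char_class(c) for c in pw]
    tally = Counter(classes)
    for cls, r in p.classes.items():
        n = tally[cls]
        if n and not r.allowed:
            v.append(f"{cls} not allowed")
        if n < r.minimum:
            v.append(f"too few {cls}")
        if r.maximum is not None and n > r.maximum:
            v.append(f"too many {cls}")
        if pw and classes[0] == cls and not r.can_begin:
            v.append(f"cannot begin with {cls}")
        if pw and classes[-1] == cls and not r.can_end:
            v.append(f"cannot end with {cls}")
    if any(k == "special" and c not in p.allowed_specials for c, k in zip(pw, classes)):
        v.append("special char not in allowed list")
    low = pw.lower()
    v += [f"excluded string {s!r}" for s in p.excluded_strings if s.lower() in low]
    for label, name, whole, parts in (
        ("application", app_user, p.forbid_app_user_name, p.forbid_app_user_name_portions),
        ("Windows", win_user, p.forbid_win_user_name, p.forbid_win_user_name_portions),
    ):
        if name and whole and name.lower() in low:
            v.append(f"contains {label} user name")
        if name and parts and any(s in low for s in portions(name.lower(), p.portion_length)):
            v.append(f"contains portion of {label} user name")
    if p.forbid_previous_password and pw in list(history)[-p.history_size:]:
        v.append("matches previous password")   # only the remembered history counts
    return v
```

All sample passwords and user names in the tests are constructed for the example.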
password expiration
When selected, the settings specified here (Number of days until password expires and Number of days to warn user before password expires) are applied to application definitions associated with this policy. The Citrix Password Manager policy operates independently of any existing password expiration policy built into the application.
default setting: password expiration not specified (check box not selected)

number of days until password expires
Specifies the maximum number of days that a password can remain unchanged. Minimum allowed value is 1. Maximum allowed value is
default setting: 42

number of days to warn user before password expires
Specifies the number of days before a password expires that a user starts to receive pending password expiration warnings. Minimum allowed value is 0. Maximum allowed value is
default setting: 14

Test Password Policy
These controls are used to test a manually generated password to verify compliance with the defined policy, automatically generate a compliant password, and verify that the defined constraints do not restrict the ability to generate enough passwords for your organization.
... Password Policies > [policy] > Edit password policy > Test Password Policy

test the compliance of a manually created password
This field is used to test the compliance of a manually created password. Enter the manually created password and press Test. The entered password is tested against all the defined criteria.
default setting: none

generate a random policy-compliant password
This control is used to generate a password that complies with the currently defined password criteria. Press Generate to generate a compliant password that can be copied from the field (Ctrl-C).
default setting: none
generate and test a number of unique policy-compliant passwords
It is possible to define a set of password constraints that supports only a limited number of total password possibilities. This control is used to generate a user-defined number of compliant passwords to determine if the defined policy is flexible enough to meet the password needs of the organization. Press Generate multiple passwords to open a dialog box that allows you to generate a user-defined number of passwords.
default setting: none

Logon Preferences
These controls are used to define whether the Reveal option is available for application definitions that use this policy, mandate that the user reauthenticate before submitting application credentials, set the number of logon retries, and set the amount of time the user has to successfully authenticate after a failed authentication attempt.
... Password Policies > [policy] > Edit password policy > Logon Preferences

allow user to reveal password for applications
This control is used to determine whether or not the Reveal button in the Logon Manager is available for applications managed by this policy. When users select the Reveal button in Logon Manager they can see their password in clear text. If this setting is not selected, users cannot reveal their passwords.
default setting: Reveal button not displayed (check box not selected)

force user to re-authenticate before submitting application credentials
This control is used to determine whether users must enter their primary logon credentials before the agent submits credentials to the application. When this setting is selected, the agent immediately locks the workstation when it recognizes an application that is managed by this setting. Users must enter their primary credentials to unlock the workstation. When the workstation is unlocked with the proper credentials, the agent submits the user credentials to the application. This setting is useful for applications that access confidential or sensitive information because it forces users to verify their identities before the agent submits the credentials to the application.
default setting: User not forced to reauthenticate (check box not selected)
number of logon retries
This control is used to set the number of additional times the agent can submit user credentials to the same application within the specified time limit. When set to the minimum value of 0, users get an error message immediately upon a second attempt to submit credentials to the application.
default setting: 1

time limit for number of retries
This control is used to specify the amount of time (in seconds) the user is allowed to submit user credentials to the same application after the initial credential submission failed.
default setting: 30 seconds

Password Change Wizard
This control is used to determine how the Password Change Wizard responds to Password Change Forms. One of four possible options must be configured:
- Allow users to choose a system-generated password or create their own password
- Only allow users to create their own password
- Only allow users to choose a system-generated password
- Generate a password and submit it to the application without displaying the Password Change Wizard
... Password Policies > [policy] > Edit password policy > Password Change Wizard

allow users to choose a system-generated password or create their own password
Select this option to have the Password Control Wizard allow users to choose a system-generated password or create their own.
default setting: selected

only allow users to create their own password
Select this option to have the Password Control Wizard not allow users to choose a system-generated password, and require users to enter their own password.
default setting: not selected
229 12 Password Manager 4.6 Settings Reference 229 only allow users to choose a system-generated password Select this option to have the Password Control Wizard automatically use a system-generated password without allowing users to create their own password. default setting: not selected generate a password and submit it to the application without displaying the Password Change Wizard Select this option to have the agent software automatically submit a systemgenerated password without displaying the Password Change Wizard to the user. The user can see the fields on the password change screen being filled in and the resulting feedback from the application indicating whether or not the password was changed successfully. default setting: not selected
13 Application Definition Extensions

Although Password Manager administrators can generally create application definitions using the Password Manager Console and the Application Definition Tool, some applications have special considerations or requirements that need an external process to determine whether an application started or to submit user credentials through the agent software. To support such applications, third-party implementers who create processes that satisfy these external processing requirements can use Application Definition Extensions in the Password Manager Console and the Application Definition Tool to configure when and how those processes are started.

This appendix describes how these extensions are configured. It does not describe how to define or create the external processes that determine whether an application started or that submit user credentials through the agent software.

Agent Software Operation

There are two different types of application definition extensions:

Identification Extensions: use external processes to determine whether the target application is a form that requires user credential management actions. These external processes can be used instead of, or in conjunction with, the other window detection algorithms defined in the form definition.

Action Extensions: use external processes to perform the required user credential management actions. These external processes can be used instead of, or in conjunction with, the other window action algorithms defined in the form definition.

A single form definition can be configured to use application definition extensions for either or both of these operations.
Identification Extensions

The agent software uses listener hooks to detect events on the desktop such as application instantiation, URL loading, HTML page document-complete notices, and similar events. As these events occur, the agent software determines whether the target application requires any user credential management action (such as ignore, logon, change password, and so on). The determination is made by comparing the characteristics exposed by the application against the defined characteristics that uniquely identify a form. These characteristics include the window title and the executable file name (at a minimum) and, if required, other advanced matching characteristics, which can include using an external process to identify the form (an identification extension).

If an external identification process is required, the process or processes are identified in the form definition. The form definition includes information about the identification extension and any associated parameters; these map directly to a registry setting on the agent computer. After the agent software successfully processes the minimum matching and advanced matching algorithms, identification extensions that use an external process are evaluated. When multiple identification extensions are defined for a form, they are executed in the order in which they appear on the Identification Extensions page (top to bottom). For each identification extension, the agent software waits the amount of time specified in the registry setting for the external process to exit, and then analyzes the process exit code.

If the minimum matching, advanced matching, and external matching processes all complete with a zero return code, the target application is considered a match. If any matching process exits with any other value, evaluation stops and the application is considered not a match. A negative exit value is logged as an error to the Windows event log (visible in Event Viewer); positive values are written to the agent log file, if logging is enabled (see Enabling Logging on page 238). Because every extension in the list must run and return zero before the form matches, a slow or hung extension delays the match for up to its configured Timeout; keep identification extensions fast and set a finite Timeout rather than 0.

After a match, the user credential management action can be performed by using any combination of standard Windows form actions, action sequences, or action extensions (see Action Extensions on page 235). See Define Form Actions on page 51 or Using the Action Editor to Define the Action Sequence for Forms on page 59 for additional information.
Defining Identification Extensions

Identification extensions are configured using the Form Definition wizard during the application definition development process (see Application Definition Wizard Overview on page 42 and Form Definition Wizard Overview on page 45 for additional information).

To define an identification extension

1. Start the Form Definition wizard (see Form Definition Wizard Overview on page 45).
2. Advance through the definition process until the Identify form page appears (see Identify Form on page 65).
3. On the Identify form page, click Advanced Matching. This opens the Advanced Matching dialog box (see Using Advanced Matching to Identify Windows Forms on page 53).
4. In the Advanced Matching dialog box, select the Identification Extensions option. The Identification Extensions page is displayed. This page is used to view, edit, or add identification extension entries.
5. To add an identification extension, click Add. This opens the Add Identification Extension dialog box, which is used to define the following:

Extension ID   The extension ID identifies the ExtensionName to look for in the registry settings.
Description    A user-defined description of the identification extension being defined.
Parameters     Any name/value pairs (parameter name/parameter value) used to pass implementer-defined parameters to the external process launched by this extension.

The ExtensionName identifies a registry key name. This key name and its associated values define the external identification process executable and its operating characteristics. The registry key and its values are located at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Extension\{ExtensionName}]

where ExtensionName is the value entered as the Extension ID in the Add Identification Extension dialog box.

On 64-bit platforms the registry key and its values are located at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\MetaFrame Password Manager\Extension\{ExtensionName}]

The following table defines the values under the key.

Key                Type                                         Value
Type               REG_SZ                                       Must be EXECUTABLE.
Timeout            REG_DWORD                                    0 waits forever for the process to complete. Any other value is the time to wait, in milliseconds.
TerminateProcess   BOOL implemented as a REG_DWORD (optional)   Whether to terminate the process on time-out. TRUE (default): terminate the process. FALSE (0): do not terminate the process.
Executable         REG_EXPAND_SZ                                The executable process and its fully qualified path.
Arguments          REG_SZ                                       Parameters for the executable.

The Executable value is the full path to the executable file. Environment variables are allowed. If the extension is implemented as a script, the script interpreter must be the Executable, with the script name passed as part of the Arguments. External processes can be developed using any editor, language, or IDE of your choosing. Because the agent starts whatever Executable names, keep the extension binary in a location that only administrators can write to, and prefer a path that does not depend on environment variables a standard user can set.

The Arguments value supports parameters that the agent software replaces at run time with internal values or with the parameter name/value pairs specified in the Add Identification Extension dialog box. Each parameter that needs substitution must be prefixed and suffixed with a dollar sign ($). For example, with the implementer parameters SAPSERVER = Houston, TX and SAPTYPE = 43, the following Arguments value:

/h $_HANDLE$ /s $SAPSERVER$ /t $SAPTYPE$

appears to the executable as (with the numeric window handle substituted after /h):

/h /s "Houston, TX" /t 43

The Microsoft Windows handle of the application window is a supported internal parameter, $_HANDLE$. All internal parameters use the $_ prefix to avoid naming conflicts; implementer parameters are therefore not allowed to use underscores in key names.

Substitution precedence is defined so that a parameter value, once written, is preserved. The precedence is internal parameters (such as $_HANDLE$), followed by implementer parameters, followed by environment variables.
Implementer parameter key names may use uppercase and lowercase letters and digits. Key names are case-insensitive. If the identification executable requires its parameters in a specific sequence, the Arguments value must supply that sequence; the order in which the name/value pairs are entered in the Add Identification Extension dialog box does not matter.

Action Extensions

Action extensions use an external process to perform user credential management actions. The extension definition can pass the user's credentials to the external application. After a user credential management form is successfully identified (see Identification Extensions on page 232), the subsequent action can be performed using any combination of standard Windows form actions, action sequences, or action extensions.

The agent software supports the same features described in Identification Extensions on page 232. It executes the external process, waits the specified time for the process to exit (if WaitForCompletion is set to TRUE), and then analyzes the process exit code. If the process exits with a zero return value, the extension executed successfully. Any non-zero return indicates an error: a negative value is logged to the Windows event log (visible in Event Viewer), and positive values are written to the agent log file, if logging is enabled (see Enabling Logging on page 238). When WaitForCompletion is FALSE the agent never sees the exit code, so a failed logon inside the external process goes unreported unless the process reports it itself.

Defining Action Extensions

Action extensions are configured using the Form Definition wizard during the application definition development process (see Application Definition Wizard Overview on page 42 and Form Definition Wizard Overview on page 45 for additional information).

To define an action extension

1. Start the Form Definition wizard (see Form Definition Wizard Overview on page 45).
2. Advance through the definition process until the Define form actions page appears (see Define Form Actions on page 51).
3. On the Define form actions page, click Action Editor. This opens the Action Editor dialog box (see Using the Action Editor to Define the Action Sequence for Forms on page 59).
4. In the Action Editor dialog box, select the Launch action extension option. The Action configuration panel appears. This panel is used to view, edit, or add Launch action extension entries to the action sequence.
5. To add an action extension to the action sequence, provide the following information and click Insert:

Extension ID   The extension ID identifies the ExtensionName to look for in the registry settings.
Description    A user-defined description of the action extension being defined.
Parameters     Any name/value pairs (parameter name/parameter value) used to pass implementer-defined parameters to the external process launched by this extension.

As with identification extensions, the ExtensionName identifies a registry key name. This key name and its associated values define the action processing executable and its operating characteristics. The registry key and its values are located at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Extension\{ExtensionName}]

where ExtensionName is the value entered as the ID in the Action configuration panel.

On 64-bit platforms the registry key and its values are located at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\MetaFrame Password Manager\Extension\{ExtensionName}]

The following table defines the values under the key.

Key                 Type                                         Value
Type                REG_SZ                                       Must be EXECUTABLE.
Timeout             REG_DWORD                                    0 waits forever for the process to complete. Any other value is the time to wait, in milliseconds.
TerminateProcess    BOOL implemented as a REG_DWORD (optional)   Whether to terminate the process on time-out. TRUE (default): terminate the process. FALSE (0): do not terminate the process.
WaitForCompletion   BOOL implemented as a REG_DWORD (optional)   Whether the agent waits for the process to exit. TRUE (default): wait. FALSE (0): do not wait.
Executable          REG_EXPAND_SZ                                The executable process and its fully qualified path.
Arguments           REG_SZ                                       Parameters for the executable.

The Executable value follows the same conventions as for identification extensions. The Arguments value supports parameters that the agent software replaces at run time with internal values or with the parameter name/value pairs specified in the Launch action extension view of the Action Editor. Each parameter that needs substitution must be prefixed and suffixed with a dollar sign ($). For example, with the implementer parameters SAPSERVER = Houston, TX and SAPTYPE = 43, the following Arguments value:

/h $_HANDLE$ /s $SAPSERVER$ /t $SAPTYPE$

appears to the executable as (with the numeric window handle substituted after /h):

/h /s "Houston, TX" /t 43

The Microsoft Windows handle of the application window is a supported internal parameter, $_HANDLE$. All internal parameters use the $_ prefix to avoid naming conflicts; implementer parameters are therefore not allowed to use underscores in key names. In addition to the window handle, the following internal parameters are supported for managing user credentials:

Username ($_USERNAME$)
Password ($_PASSWORD$)
Old Password ($_OLDPASSWORD$)
Custom1 ($_CUSTOM1$)
Custom2 ($_CUSTOM2$)

These values are placed on the external process's command line. On Windows a process's command line can be read by other processes in the same session (for example through the WMI Win32_Process class) and is recorded in Security event 4688 when command-line auditing is enabled, so an action extension that takes $_PASSWORD$ as an argument exposes the secondary credential to anything on the endpoint that can enumerate processes. Keep such extensions short-lived, and review any endpoint auditing or monitoring that captures command lines before deploying them.

Substitution precedence is defined so that a parameter value, once written, is preserved. The precedence is internal parameters, followed by implementer parameters, followed by environment variables. Implementer parameter key names may use uppercase and lowercase letters and digits. Key names are case-insensitive.
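The substitution and exit-code rules above apply to both identification extensions and action extensions. The following Python script is an added example, not part of this guide and not Password Manager code: it models how the agent expands an Arguments string with the documented precedence, launches the extension under the Timeout, TerminateProcess and WaitForCompletion values, and maps the exit code to match, event-log error or log-file error. A short python -c script stands in for the compiled extension so that it runs offline; the window handle 131738, the double-quoting of values that contain whitespace, case-insensitive token matching and the signed reading of Windows exit codes are assumptions not stated on the page.

```python
# Added example (not Citrix code): models how the agent expands an
# extension's Arguments string and interprets the external process, per the
# rules in this chapter.  Assumptions not stated on the page: $NAME$ tokens
# match case-insensitively, substituted values containing whitespace are
# wrapped in double quotes (as the "Houston, TX" example suggests), unknown
# tokens are left as-is, and Windows' unsigned 32-bit exit codes are read as
# signed so that -1 (0xFFFFFFFF) counts as negative.
import os
import re
import shlex
import subprocess
import sys

TOKEN = re.compile(r"\$([A-Za-z0-9_]+)\$")      # $_HANDLE$, $SAPSERVER$ ...
IMPLEMENTER_KEY = re.compile(r"[A-Za-z0-9]+")   # letters and digits only

def valid_implementer_key(name):
    """Implementer keys may not contain underscores: the $_ prefix is
    reserved for internal parameters such as $_HANDLE$ and $_PASSWORD$."""
    return IMPLEMENTER_KEY.fullmatch(name) is not None

def quote(value):
    """Present a substituted value to the executable as a single argument."""
    value = str(value).replace('"', '\\"')
    return f'"{value}"' if any(c.isspace() for c in value) else value

def substitute(arguments, internal, implementer, environ=None):
    """Expand $NAME$ tokens with the documented precedence: internal
    parameters, then implementer parameters, then environment variables."""
    for name in implementer:
        if not valid_implementer_key(name):
            raise ValueError(f"illegal implementer parameter name: {name!r}")
    environ = os.environ if environ is None else environ
    tables = [{k.upper(): v for k, v in t.items()}
              for t in (internal, implementer, environ)]

    def repl(match):
        name = match.group(1).upper()
        for table in tables:
            if name in table:
                return quote(table[name])
        return match.group(0)

    return TOKEN.sub(repl, arguments)

def to_signed(code):
    """Windows reports exit codes as unsigned DWORDs; -1 arrives as 0xFFFFFFFF."""
    return code - 2**32 if code >= 2**31 else code

def classify_exit(code):
    """0: form matched / action succeeded.  Negative: error, Windows event
    log.  Positive: error, agent log file (when logging is enabled)."""
    code = to_signed(code)
    if code == 0:
        return "match"
    return "error:eventlog" if code < 0 else "error:logfile"

def run_extension(executable, arguments, timeout_ms=0,
                  terminate_process=True, wait_for_completion=True):
    """Launch the extension as the registry values describe it: Timeout 0
    waits forever, TerminateProcess governs a time-out, and WaitForCompletion
    FALSE (action extensions only) returns before the exit code is known,
    so failures are never reported."""
    proc = subprocess.Popen([executable] + shlex.split(arguments))
    if not wait_for_completion:
        return {"status": "launched", "exit_code": None}
    try:
        code = proc.wait(timeout=timeout_ms / 1000 if timeout_ms else None)
    except subprocess.TimeoutExpired:
        if terminate_process:
            proc.kill()
            proc.wait()
        return {"status": "timeout", "exit_code": None}
    return {"status": classify_exit(code), "exit_code": to_signed(code)}

# Stand-ins for a compiled extension so the script runs offline: the first
# exits with the value that follows /rc, the second never returns in time.
FAKE_EXTENSION = "import sys; sys.exit(int(sys.argv[sys.argv.index('/rc') + 1]))"
FAKE_SLOW_EXTENSION = "import time; time.sleep(30)"

def demo(rc):
    """Expand the chapter's SAP example (handle 131738 is made up) and run
    the stand-in extension, asking it to exit with rc."""
    args = substitute("/h $_HANDLE$ /s $SAPSERVER$ /t $SAPTYPE$ /rc $RC$",
                      {"_HANDLE": 131738},
                      {"SAPSERVER": "Houston, TX", "SAPTYPE": 43, "RC": rc},
                      environ={})
    return run_extension(sys.executable, f'-c "{FAKE_EXTENSION}" {args}',
                         timeout_ms=10000)

def demo_timeout():
    """A 300 ms Timeout with TerminateProcess TRUE kills the slow stand-in."""
    return run_extension(sys.executable, f'-c "{FAKE_SLOW_EXTENSION}"',
                         timeout_ms=300)

if __name__ == "__main__":
    print(substitute("/h $_HANDLE$ /s $SAPSERVER$ /t $SAPTYPE$",
                     {"_HANDLE": 131738},
                     {"SAPSERVER": "Houston, TX", "SAPTYPE": 43}, environ={}))
    print(demo(0), demo(7), demo_timeout())
```

Running the script prints the expanded SAP example, a successful run, a run that exits with 7 (a positive code, so it would go to the agent log file rather than the event log) and a timed-out run. Passing the argument list to Popen rather than a single string is what keeps "Houston, TX" as one argument on both Windows and POSIX.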
If the action executable requires its parameters in a specific sequence, the Arguments value must supply that sequence; the order in which the name/value pairs are entered in the Action configuration panel does not matter.

Implementer Requirements

The external process that performs advanced matching or credential management actions can be any process or application that can be started from a command line. Any required or optional arguments for identification extensions or action extensions must also be specifiable inline on that command line. For action extensions, the implementer must support the same features described above for the Windows detection implementation. The Username, Password, Custom1, Custom2, and Old Password credentials can be passed to the executable.

For identification extensions and action extensions, the implementer is responsible for:

Deploying all executables, support modules, and files needed by the extension to the agent computer
Maintaining all deployed modules
Adding all the specified registry entries on the agent computer
Maintaining extension name uniqueness in their domains

The recommended extension naming scheme is a reverse domain naming scheme (for example, com.citrix.cpm.ext4).

Enabling Logging

To activate debug tracing for the agent software, a registry modification must be made. The registry key and its values are located at:

[HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Log]

The following table defines the values under the key.

Key              Type        Value
Enabled          REG_DWORD   Default value is 0. 0: disabled. 1: enabled.
Filter           REG_DWORD   Bitmask that dictates what is logged. The Windows application flag logs identification extension errors; the Windows password filling flag logs action extension errors.
MaxSizeInBytes   REG_DWORD   Maximum size of the log file in bytes. The maximum theoretical value is 4 GB (2^32).

Log file data is recorded in an sso_<username>.log file in:

C:\Documents and Settings\<username>\Application Data\Citrix\MetaFrame Password Manager

Debug tracing is a troubleshooting aid: leave Enabled at 0 in production and delete the log file when you have finished.
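The implementer has to create these registry entries on every agent computer. The following Python script is an added example, not Citrix code: it writes a .reg file (importable with reg import or distributable through Group Policy) that registers one identification extension and one action extension with the value types this chapter specifies, plus the Log key. The extension names com.example.cpm.ext1 and ext2, the executable paths and the Arguments strings are placeholders; the choice of the Wow6432Node path for a 64-bit agent follows the chapter's 64-bit note. The hex(2) encoding used for Executable is how regedit represents REG_EXPAND_SZ, which a plain "Executable"="..." line would silently turn into REG_SZ.

```python
# Added example (not Citrix code): write a .reg file that registers an
# identification extension, an action extension and the Log key with the
# value types this chapter specifies.  Extension names, paths and arguments
# are placeholders; the Wow6432Node path is used for 64-bit agents as the
# chapter's 64-bit note states.
import re

BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager"
BASE_WOW64 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\MetaFrame Password Manager"
EXT_NAME = re.compile(r"[a-z0-9]+(\.[a-z0-9]+)+")   # reverse-domain names only

def valid_extension_name(name):
    """The recommended reverse domain scheme, e.g. com.citrix.cpm.ext4."""
    return EXT_NAME.fullmatch(name) is not None

def reg_sz(name, value):
    """REG_SZ line; .reg files escape backslash and double quote."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{name}"="{escaped}"'

def reg_dword(name, value):
    """REG_DWORD line; regedit expects eight hex digits."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{name}: {value} does not fit in a DWORD")
    return f'"{name}"=dword:{value:08x}'

def reg_expand_sz(name, value):
    """REG_EXPAND_SZ line; regedit stores it as hex(2): UTF-16LE bytes with
    a terminating NUL, which is why Executable cannot use the "..." form."""
    data = value.encode("utf-16-le") + b"\x00\x00"
    return f'"{name}"=hex(2):' + ",".join(f"{b:02x}" for b in data)

def decode_hex2(line):
    """Inverse of reg_expand_sz, used to check that the encoding round-trips."""
    data = line.split("=hex(2):", 1)[1]
    raw = bytes(int(h, 16) for h in data.split(","))
    return raw.decode("utf-16-le").rstrip("\x00")

def extension_key(name, executable, arguments, timeout_ms=0,
                  terminate_process=True, wait_for_completion=None, wow64=False):
    """Lines for one Extension\\{ExtensionName} key.  wait_for_completion is
    only meaningful, and only emitted, for action extensions."""
    if not valid_extension_name(name):
        raise ValueError("use a reverse-domain extension name such as com.example.cpm.ext1")
    base = BASE_WOW64 if wow64 else BASE
    lines = [f"[{base}\\Extension\\{name}]",
             reg_sz("Type", "EXECUTABLE"),
             reg_dword("Timeout", timeout_ms),
             reg_dword("TerminateProcess", int(terminate_process))]
    if wait_for_completion is not None:
        lines.append(reg_dword("WaitForCompletion", int(wait_for_completion)))
    lines += [reg_expand_sz("Executable", executable), reg_sz("Arguments", arguments)]
    return lines

def log_key(enabled, max_size_bytes):
    """Lines for the Log key.  Filter is not set here: its bit values are
    product-specific and are not given on this page."""
    return [f"[{BASE}\\Log]",
            reg_dword("Enabled", int(enabled)),
            reg_dword("MaxSizeInBytes", max_size_bytes)]

def reg_file(*keys):
    """Assemble keys into regedit's file format (version header, CRLF)."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for key in keys:
        out.extend(key)
        out.append("")
    return "\r\n".join(out)

def example_reg():
    """A finite-timeout identifier and a logon action extension that the
    agent waits for, both on a 64-bit agent, with logging left off."""
    ident = extension_key("com.example.cpm.ext1",
                          r"%ProgramFiles%\Example\IdentifyForm.exe",
                          "/h $_HANDLE$ /s $SAPSERVER$ /t $SAPTYPE$",
                          timeout_ms=5000, wow64=True)
    action = extension_key("com.example.cpm.ext2",
                           r"C:\Program Files\Example\SubmitLogon.exe",
                           "/h $_HANDLE$ /u $_USERNAME$ /p $_PASSWORD$",
                           timeout_ms=15000, wait_for_completion=True, wow64=True)
    return reg_file(ident, action, log_key(False, 10 * 1024 * 1024))

if __name__ == "__main__":
    print(example_reg())
```

Redirect the output to a file and import it with reg import on the agent computer; because the keys live under HKEY_LOCAL_MACHINE, the import must run with administrative rights, which is also what keeps a standard user from pointing Executable at a binary of their own.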
14 Virtual Key Codes for Host and Windows Applications

This appendix is a key code reference for Windows and host applications. It covers:

Codes for VTabKeyN (Windows)
Codes for VirtualKeyCode (Windows) and VKEY (Windows)
Virtual Key Codes for HLLAPI-Compliant Terminal Emulators

Codes for VTabKeyN (Windows)

Use the following identifiers to create a key code sequence for Windows. Text outside the backtick-delimited identifiers is sent literally.

Code        Description
`DELAY=N`   N is the number of milliseconds to delay.
`VKEY=N`    N is the virtual key code to send.

For example, to send a Tab, End, Space, a 1.5 second delay, the text "Logon username", Space, the username/ID, Home, a 0.35 second delay, Tab, and then the password, use the following:

VTabKey1=`VKEY=9``VKEY=35` `DELAY=1500`Logon username`VKEY=32`
VTabKey2=`VKEY=36``DELAY=350``VKEY=9`

VTabKey1 is sent before the username and VTabKey2 between the username and the password; the space between `VKEY=35` and `DELAY=1500` is the literal Space character.

Codes for VirtualKeyCode (Windows) and VKEY (Windows)

These codes are used to send specific keystrokes to logon or password change form fields when configuring host application logons. They are the standard Windows virtual-key codes (the VK_* constants in winuser.h). The values for Break, Backspace, Tab, Clear, Enter, NumPad 4 through 9, F10 through F24, Num Lock, Scroll Lock, Left Shift, Right Shift and Left Ctrl did not survive the transcription of this page and are restored here from those standard assignments; the Tab value also appears in the VTabKey1 example above as VKEY=9.

Control and navigation keys
Break 3          Backspace 8      Tab 9            Clear 12         Enter 13
Shift 16         Ctrl 17          Alt 18           Caps Lock 20     Esc 27
Spacebar 32      Page Up 33       Page Down 34     End 35           Home 36
Left 37          Up 38            Right 39         Down 40          Print Screen 44
Help 47

Letters
A 65   B 66   C 67   D 68   E 69   F 70   G 71   H 72   I 73   J 74   K 75   L 76   M 77
N 78   O 79   P 80   Q 81   R 82   S 83   T 84   U 85   V 86   W 87   X 88   Y 89   Z 90

Windows keys
Left (window) 91   Right (window) 92

Numeric keypad
NumPad 0 96    NumPad 1 97    NumPad 2 98    NumPad 3 99    NumPad 4 100
NumPad 5 101   NumPad 6 102   NumPad 7 103   NumPad 8 104   NumPad 9 105
Asterisk (*) 106   Plus (+) 107   Minus (-) 109   Period (.) 110   Slash (/) 111

Function keys
F1 112    F2 113    F3 114    F4 115    F5 116    F6 117    F7 118    F8 119
F9 120    F10 121   F11 122   F12 123   F13 124   F14 125   F15 126   F16 127
F17 128   F18 129   F19 130   F20 131   F21 132   F22 133   F23 134   F24 135

Lock and modifier keys
Num Lock 144   Scroll Lock 145   Left Shift 160   Right Shift 161   Left Ctrl 162   Right Ctrl 163
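A VTabKeyN string is easy to get subtly wrong (an unterminated backtick, a delay in seconds instead of milliseconds, a key code that is not in the table above), and the mistake only shows up as a logon that types the password into the wrong field. The following Python script is an added example, not Citrix code: a parser for the VTabKeyN format that splits a sequence into key, delay and literal-text tokens, validates every VKEY against the table above, and prints a readable rendering for review. It assumes that `VKEY=N` and `DELAY=N` are matched case-insensitively (the page's own example writes `vkey=32`) and that any text outside backticks is sent literally.

```python
# Added example (not Citrix code): a parser for the VTabKeyN sequence format
# described above.  Assumptions: `VKEY=N` and `DELAY=N` match
# case-insensitively (the original example writes `vkey=32`), text outside
# backticks is sent literally, and VKEY values are validated against the
# Windows virtual-key codes tabulated above (standard VK_* values).
import re

VKEY_NAMES = {
    3: "Break", 8: "Backspace", 9: "Tab", 12: "Clear", 13: "Enter",
    16: "Shift", 17: "Ctrl", 18: "Alt", 20: "Caps Lock", 27: "Esc",
    32: "Spacebar", 33: "Page Up", 34: "Page Down", 35: "End", 36: "Home",
    37: "Left", 38: "Up", 39: "Right", 40: "Down", 44: "Print Screen",
    47: "Help", 91: "Left (window)", 92: "Right (window)",
    106: "Asterisk (*)", 107: "Plus (+)", 109: "Minus (-)",
    110: "Period (.)", 111: "Slash (/)", 144: "Num Lock", 145: "Scroll Lock",
    160: "Left Shift", 161: "Right Shift", 162: "Left Ctrl", 163: "Right Ctrl",
}
VKEY_NAMES.update({65 + i: chr(65 + i) for i in range(26)})   # A-Z
VKEY_NAMES.update({96 + i: f"NumPad {i}" for i in range(10)})  # NumPad 0-9
VKEY_NAMES.update({112 + i: f"F{i + 1}" for i in range(24)})  # F1-F24

COMMAND = re.compile(r"`(VKEY|DELAY)=(\d+)`", re.IGNORECASE)

def parse_vtabkey(sequence):
    """Split a VTabKeyN string into ("vkey", code), ("delay", ms) and
    ("text", literal) tokens in send order.  Unknown key codes and stray
    backticks (an unterminated command) are rejected."""
    tokens, pos = [], 0
    for m in COMMAND.finditer(sequence):
        if m.start() > pos:
            tokens.append(("text", sequence[pos:m.start()]))
        kind, value = m.group(1).lower(), int(m.group(2))
        if kind == "vkey" and value not in VKEY_NAMES:
            raise ValueError(f"unknown virtual key code {value}")
        tokens.append((kind, value))
        pos = m.end()
    if pos < len(sequence):
        tokens.append(("text", sequence[pos:]))
    for kind, value in tokens:
        if kind == "text" and "`" in value:
            raise ValueError(f"malformed command near {value!r}")
    return tokens

def describe(sequence):
    """Human-readable form of the sequence, for reviewing a definition."""
    out = []
    for kind, value in parse_vtabkey(sequence):
        if kind == "vkey":
            out.append(VKEY_NAMES[value])
        elif kind == "delay":
            out.append(f"delay {value} ms")
        else:
            out.append(f"text {value!r}")
    return out

def total_delay_ms(sequence):
    """How long the agent pauses in total while sending the sequence."""
    return sum(v for k, v in parse_vtabkey(sequence) if k == "delay")

def is_valid(sequence):
    """True when the sequence parses and every VKEY is a known code."""
    try:
        parse_vtabkey(sequence)
        return True
    except ValueError:
        return False

# The example from the text: VTabKey1 runs before the username is typed,
# VTabKey2 between the username and the password.
VTABKEY1 = "`VKEY=9``VKEY=35` `DELAY=1500`Logon username`VKEY=32`"
VTABKEY2 = "`VKEY=36``DELAY=350``VKEY=9`"

if __name__ == "__main__":
    for name, seq in (("VTabKey1", VTABKEY1), ("VTabKey2", VTABKEY2)):
        print(name, "->", ", ".join(describe(seq)),
              f"({total_delay_ms(seq)} ms of delay)")
```

Run it to see the two example sequences rendered as key names; feeding it a sequence from your own application definition before deploying catches an unterminated command or an out-of-range key code without having to watch the agent type into the target application.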
Virtual Key Codes for HLLAPI-Compliant Terminal Emulators

Char/Cmd   Code
Alt Local x Field - Field + Field y Tab Cursor Alt Cursor Erase Input Sys Request Insert Toggle Cursor Select Attention Print Screen Hexadecimal Cmd/Func Key Cursor Cursor Page Page Back/Left Erase New
LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every
Adobe Acrobat 9 Deployment on Microsoft Windows Group Policy and the Active Directory service
Adobe Acrobat 9 Deployment on Microsoft Windows Group Policy and the Active Directory service white paper TABLE OF CONTENTS 1. Document overview......... 1 2. References............. 1 3. Product overview..........
MetaFrame Presentation Server Administrator s Guide For other guides in this document set, go to the Document Center
MetaFrame Presentation Server Administrator s Guide For other guides in this document set, go to the Document Center Citrix MetaFrame Presentation Server 3.0 for Windows Citrix MetaFrame Access Suite Copyright
Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise. Citrix EasyCall Gateway 2.1
Citrix EasyCall Gateway Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise Citrix EasyCall Gateway 2.1 Copyright and Trademark Notice Use of the product documented in this guide is subject
Microsoft Dynamics GP. Workflow Installation Guide Release 10.0
Microsoft Dynamics GP Workflow Installation Guide Release 10.0 Copyright Copyright 2008 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of
ControlPoint. Advanced Installation Guide. Publication Date: January 12, 2016. Metalogix International GmbH., 2008-2016 All Rights Reserved.
ControlPoint Publication Date: January 12, 2016 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this software,
ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference. May 2016
ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference May 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government
Host Access Management and Security Server
Host Access Management and Security Server Evaluation Guide Host Access Management and Security Server Evaluation Guide 12.2 Copyrights and Notices Copyright 2015 Attachmate Corporation. All rights reserved.
2X ApplicationServer & LoadBalancer Manual
2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: [email protected] Information in this document is subject to change without notice. Companies,
Windows BitLocker Drive Encryption Step-by-Step Guide
Windows BitLocker Drive Encryption Step-by-Step Guide Microsoft Corporation Published: September 2006 Abstract Microsoft Windows BitLocker Drive Encryption is a new hardware-enhanced feature in the Microsoft
Administration Guide ActivClient for Windows 6.2
Administration Guide ActivClient for Windows 6.2 ActivClient for Windows Administration Guide P 2 Table of Contents Chapter 1: Introduction....................................................................12
Symantec Backup Exec 12.5 for Windows Servers. Quick Installation Guide
Symantec Backup Exec 12.5 for Windows Servers Quick Installation Guide 13897290 Installing Backup Exec This document includes the following topics: System requirements Before you install About the Backup
GFI LANguard 9.0 ReportPack. Manual. By GFI Software Ltd.
GFI LANguard 9.0 ReportPack Manual By GFI Software Ltd. http://www.gfi.com E-mail: [email protected] Information in this document is subject to change without notice. Companies, names, and data used in examples
Administrator s Guide
Administrator s Guide Citrix ICA Macintosh Client Version 6.30 Citrix Systems, Inc. Information in this document is subject to change without notice. Companies, names, and data used in examples herein
HP ProtectTools Embedded Security Guide
HP ProtectTools Embedded Security Guide Document Part Number: 364876-001 May 2004 This guide provides instructions for using the software that allows you to configure settings for the HP ProtectTools Embedded
http://docs.trendmicro.com
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,
Administrators Help Manual
Administrators Help Manual Lepide Active Directory Self Service Lepide Software Private Limited Page 1 Administrators Help Manual for Active Directory Self-Service Lepide Active Directory Self Service
Installation Guide. SyBooks 3.4. [ Windows, Linux ]
Installation Guide SyBooks 3.4 [ Windows, Linux ] DOCUMENT ID: DC00123-01-0340-01 LAST REVISED: October 2008 Copyright 2008 by Sybase, Inc. All rights reserved. This publication pertains to Sybase software
092413 2013 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or
7.93 Update Guide 092413 2013 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical, including photocopying,
CTERA Agent for Windows
User Guide CTERA Agent for Windows May 2012 Version 3.1 Copyright 2009-2012 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written
Remote Access: Internet Explorer
Introduction: Welcome to the MSVU Remote Access service. The following documentation is intended to assist first time or active users with connecting, authenticating and properly logging out of Remote
Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015
Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this
Getting Started with Vision 6
Getting Started with Vision 6 Version 6.9 Notice Copyright 1981-2009 Netop Business Solutions A/S. All Rights Reserved. Portions used under license from third parties. Please send any comments to: Netop
AD Self-Service Suite for Active Directory
The Dot Net Factory AD Self-Service Suite for Active Directory Version 3.6 The Dot Net Factory, LLC. 2005-2011. All rights reserved. This guide contains proprietary information, which is protected by copyright.
Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7
Sophos SafeGuard Native Device Encryption for Mac Administrator help Product version: 7 Document date: December 2014 Contents 1 About SafeGuard Native Device Encryption for Mac...3 1.1 About this document...3
NetWrix Password Manager. Quick Start Guide
NetWrix Password Manager Quick Start Guide Contents Overview... 3 Setup... 3 Deploying the Core Components... 3 System Requirements... 3 Installation... 4 Windows Server 2008 Notes... 4 Upgrade Path...
CTERA Agent for Windows
User Guide CTERA Agent for Windows September 2013 Version 4.0 Copyright 2009-2013 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without
Enterprise Vault Installing and Configuring
Enterprise Vault Installing and Configuring Enterprise Vault 6.0 Legal Notice Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, VERITAS, the VERITAS Logo, and Enterprise
Full Disk Encryption Pre-Boot Authentication Reference
www.novell.com/documentation Full Disk Encryption Pre-Boot Authentication Reference ZENworks 11 Support Pack 4 Beta April 2015 Legal Notices Novell, Inc., makes no representations or warranties with respect
Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise. Citrix EasyCall Gateway 2.1Q
Citrix EasyCall Gateway Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise Citrix EasyCall Gateway 2.1Q Copyright and Trademark Notice Use of the product documented in this guide is subject
EMC NetWorker Module for Microsoft Exchange Server Release 5.1
EMC NetWorker Module for Microsoft Exchange Server Release 5.1 Installation Guide P/N 300-004-750 REV A02 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright
Entrust Certificate Services for Adobe CDS
Entrust Certificate Services Entrust Certificate Services for Adobe CDS Getting Started Guide Entrust SafeNet Authentication Client: 8.3 Date of issue: July 2015 Document issue: 3.0 Revisions Issue and
User Guide. CTERA Agent. August 2011 Version 3.0
User Guide CTERA Agent August 2011 Version 3.0 Copyright 2009-2011 CTERA Networks Ltd. All rights reserved. No part of this document may be reproduced in any form or by any means without written permission
How To Install Caarcserve Backup Patch Manager 27.3.2.2 (Carcserver) On A Pc Or Mac Or Mac (Or Mac)
CA ARCserve Backup Patch Manager for Windows User Guide r16 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
System Administration Training Guide. S100 Installation and Site Management
System Administration Training Guide S100 Installation and Site Management Table of contents System Requirements for Acumatica ERP 4.2... 5 Learning Objects:... 5 Web Browser... 5 Server Software... 5
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice.
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Web Interface Administrator s Guide. Citrix Web Interface 5.1
Web Interface Administrator s Guide Citrix Web Interface 5.1 Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement.
Core Protection for Virtual Machines 1
Core Protection for Virtual Machines 1 Comprehensive Threat Protection for Virtual Environments. Installation Guide e Endpoint Security Trend Micro Incorporated reserves the right to make changes to this
Citrix XenApp Installation Guide
Citrix XenApp Installation Guide Citrix XenApp 5.0 for Microsoft Windows Server 2008 Copyright and Trademark Notice Information in this document is subject to change without notice. Companies, names, and
Microsoft Dynamics GP Release
Microsoft Dynamics GP Release Workflow Installation and Upgrade Guide February 17, 2011 Copyright Copyright 2011 Microsoft. All rights reserved. Limitation of liability This document is provided as-is.
Secure Gateway for Windows Administrator s Guide. Secure Gateway 3.1 for Windows
Secure Gateway for Windows Administrator s Guide Secure Gateway 3.1 for Windows Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance of the End
Password Manager Windows Desktop Client
Password Manager Windows Desktop Client EmpowerID provides an extension that allows organizations to plug into Password Manager to customize the Windows logon experience beyond that supplied by the standard
2X ApplicationServer & LoadBalancer & VirtualDesktopServer Manual
2X ApplicationServer & LoadBalancer & VirtualDesktopServer Manual 2X VirtualDesktopServer Contents 1 2X VirtualDesktopServer Contents 2 URL: www.2x.com E-mail: [email protected] Information in this document
Upgrading to Document Manager 2.7
Upgrading to Document Manager 2.7 22 July 2013 Trademarks Document Manager and Document Manager Administration are trademarks of Document Logistix Ltd. TokOpen, TokAdmin, TokImport and TokExRef are registered
Out n About! for Outlook Electronic In/Out Status Board. Administrators Guide. Version 3.x
Out n About! for Outlook Electronic In/Out Status Board Administrators Guide Version 3.x Contents Introduction... 1 Welcome... 1 Administration... 1 System Design... 1 Installation... 3 System Requirements...
HELP DOCUMENTATION E-SSOM CONFIGURATION GUIDE
HELP DOCUMENTATION E-SSOM CONFIGURATION GUIDE Copyright 1998-2013 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form or by any
SELF SERVICE RESET PASSWORD MANAGEMENT GPO DISTRIBUTION GUIDE
SELF SERVICE RESET PASSWORD MANAGEMENT GPO DISTRIBUTION GUIDE Copyright 1998-2015 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any
