Citrix Password Manager Administrator's Guide
Citrix Password Manager 4.5
Citrix Access Suite


Copyright and Trademark Notice

Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included on your product CD-ROM.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

Citrix Password Manager replaces specific end users' encryption keys each time their primary authentication method changes, such as a domain password change or issuance of a new smart card. Password Manager can be configured to perform this operation automatically by using the optional Key Management Module. Password Manager can also be configured to use the Microsoft Data Protection API (DPAPI). When using the optional Key Management Module and/or DPAPI, be advised that an administrator may be able to access user business or personal credentials stored in Password Manager if the administrator logs on as this end user. For additional security, end users can be asked to verify the user's identity with unique user-provided information. This provides an additional layer of protection for the user's secondary credentials. Regional government user computing regulations may require that you notify your end users about the possible security and privacy implications of deploying the Key Management Module and DPAPI security configurations. Review your company policies and determine what kind of notification, if any, is required for your end users.

Citrix Systems, Inc. All rights reserved. v-go code Passlogix, Inc. All rights reserved.

Citrix, ICA (Independent Computing Architecture), MetaFrame, MetaFrame XP, NFuse, and Program Neighborhood are registered trademarks, and SpeedScreen is a trademark of Citrix Systems, Inc. in the United States and other countries. RSA Encryption RSA Security Inc., All Rights Reserved. This product includes software developed by The Apache Software Foundation. This product includes software developed by Salamander Software Ltd. Parts 2003 Citrix Systems, Inc. All rights reserved.

Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright Macrovision Corporation and/or Macrovision Europe Ltd. All rights reserved.

Trademark Acknowledgements

Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries. Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc. has not tested or approved this product. Portions of this software are based in part on the work of the Independent JPEG Group. Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved. Macromedia and Flash are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries. Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell Client is a trademark of Novell, Inc. RealOne is a trademark of RealNetworks, Inc.

Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners.

Document Code: November 1, 2006 (bc)

CONTENTS

Chapter 1 Welcome
Password Manager Components; The Central Store; Password Manager Console; Password Manager Agent Software; The Password Manager Service; Password Manager Product Line; Password Manager Advanced Edition; Password Manager Enterprise Edition; Password Manager Advanced versus Enterprise Editions; New Features in the Advanced Edition; Application Definition Extensions; Internet Explorer 7 (32-bit and 64-bit) Support; Enhanced SAPGUI Support; Simplified Password Change Wizard; Administration by Active Directory Groups; New Features in the Enterprise Edition; User Self-Service Integration with Presentation Server Web Interface; Kerberos and Federated Environment Support; Account Association; Enhanced Support for Users Switching between Strong Authentication Methods; About this Document; Audience and Assumptions; Providing Feedback about this Document; Document Conventions; Getting More Information and Help; Product Documentation; Pre-Installation Update Bulletin; Readme file; Getting Started with Citrix Licensing Guide; Installation Checklist; Online Help for Administrators and Users; Citrix Password Manager Evaluator's Guide; Getting Service and Support; Subscription Advantage; Education and Training

Chapter 2 Planning Your Password Manager Environment
Planning Workflow Diagram; Getting Started; Which Central Store Type Should I Choose?; Choosing an Active Directory Central Store; Advantages; Considerations; Choosing an NTFS Network Share; Advantages; Considerations; Choosing a Novell Shared Folder; Advantages; Considerations; Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise; Advantages; Considerations; What about Password Policies for Application Access?; Default Password Policy; Domain Password Policy; Custom Password Policies; Considerations; Default Settings for the Default and Domain Password Policies; Which Type of SSO-Enabled Applications Are Used in My Enterprise?; What Do I Need to Know about Each Application?; What Type of Smart Cards Are Used in My Enterprise?; Smart Card Support; Smart Card Software Requirements; Do I Need to Use Identity Verification?; Verifying User Identity by Using Security Questions (Question-based Authentication); Recovering or Unlocking User Credentials Automatically; Planning Your User Configurations; Considerations; Default User Configuration Properties; Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop); Controlling Applications; The Hot Desktop User Experience; Selecting Optional Password Manager Service Features; Account Self-Service; Data Integrity; Key Management; Provisioning; Credential Synchronization (Account Association); Password Manager Agent Deployment Scenarios; Presentation Server Considerations; Access Gateway Considerations; Guidelines for Multiple Primary Authentication and User Credential Protection Choices; Data Protection Methods Page; Secondary Data Protection Page; Security Versus Usability; User Impersonation; User Name and Password; Smart Cards with Certificates and User Authentication Data; Smart Cards with PINs; Roaming Profiles (Microsoft DPAPI); Blank Passwords

Chapter 3 Installing Password Manager
Summary of Installation Steps; Hardware and Software Requirements; Supporting System Software Requirements; Password Manager Console and Agent Requirements; Password Manager Service Requirements; ASP.NET Requirements; Security and Account Requirements for Password Manager Service; Server Authentication Certificate Requirement; Accounts Required for Service Modules; Service Account Requirements; Data Proxy Account Requirements; Self-Service Requirements; Account Requirements to Install and Use Password Manager; Installing and Using Password Manager Service; Installing and Using Password Manager Console and Application Definition Tool; Installing and Using Password Manager Agent; Installing the Microsoft .NET 2.0 Framework; Installing .NET 2.0 Side By Side with .NET; Installing the Java Runtime Environment; If You Install or Upgrade the JRE after Installing the Console, Application Definition Tool, or Agent Software; Troubleshooting a Java-Related Error Message During Agent Software Installation or Uninstallation; Licensing Requirements; Disconnected Mode; Managing a Mixed License Type Environment; Before You Install Password Manager; Installation Order; Where Can I Install Each Password Manager Component?; Creating a Central Store; Optional: Creating a Central Store from a Command-Line; Creating an Active Directory Central Store; Step 1: Extend the Active Directory Schema; Step 2: Update Domain Root Permissions; Creating an NTFS Network Share Central Store; Creating a Novell Shared Folder Central Store; Considerations; Installing and Configuring the Password Manager Service; Password Manager Service Port Number; Installing and Configuring the Password Manager Console; Installing and Configuring the Password Manager Agent; Installation Scenarios; Considerations; Preserving the GINA Chain When Installing the Agent; Silent Installation of Password Manager Agent

Chapter 4 Upgrading Password Manager
Supported Upgrade Paths; Summary of Upgrade Steps; Before You Upgrade Password Manager; Using Autorun; Upgrade Order; If You Used the CtxMoveKeyRecoveryData Tool to Back Up Service Data (page 127); Back Up the process.xml File (Hot Desktop Environments Only); Back Up Your Existing Central Store; Upgraded Policies, Application Definitions, Questions/Questionnaires, and User Configurations; Microsoft Web Services Enhancements; Microsoft .NET Versions 1.1 and; Step 1: Upgrading the Password Manager Service; Step 2: Upgrading the Password Manager Console; Step 3: Upgrading the Password Manager Agent

Chapter 5 Using Password Policies to Enforce Password Requirements
Overview of Password Policies; Password Sharing Groups; Domain Password Sharing Groups; Creating Password Policies: the Password Policy Wizard; To Start the Password Policy Wizard; Set Basic Password Rules; Set Alphabetic Character Rules; Set Numeric Character Rules; Set Special Character Rules; Set Exclusion Rules (Excluding Specific Characters); Set Password History and Expiration; Test Password Policy; Establish Logon Preferences; Customize Password Change Wizard; Helping to Increase Password Strength and Security In Your Environment

Chapter 6 Managing How Password Manager Works with Applications
Overview of Application Templates; Managing Application Definitions Using Templates; Obtaining Application Templates from the Web; Importing Application Templates from a Network Share; Adding an Application Definition Using a Template; Creating Application Templates; Exporting Application Templates; How the Password Manager Agent Identifies Applications and User Credential Management Events; Identifying the Parts of the Application's User Interface; Application Definition Wizard Overview; Identify Application; Manage Forms; Name Custom Fields; Specify icon; Configure advanced detection; Credential submission loops; Credential change loops; Configure password expiration; Confirm settings; Form Definition Wizard Overview; Windows Type Application Definitions; Gathering the Information Required for Windows Application Definitions (page 160); Form Definition Process; Name form; Identify form; Define form actions; Configure other settings; Confirm settings; Using Advanced Matching to Identify Windows Forms; Class Information; Control Matching; SAP Session Information; Window Identifier; Identification Extensions; Using the Action Editor to Define the Action Sequence for Forms; Action Sequence Definition Process; Action Descriptions; Considerations for Windows Type Definitions; Web Type Application Definitions; Gathering the Information Required for Web Application Definitions; Form Definition Process; Name form; Identify form; Configure other settings; Confirm settings; Web Form Wizard; Redirect to Windows Application Configuration; Advanced Settings Dialog Box for Web Applications; Host/Mainframe Type Application Definitions; Gathering the Information Required for Host Application Definitions; Form Definition Process; Name form; Identify form; Set field description rules; Configure other settings; Confirm settings; Advanced Settings for Host Applications; Host Form Additional Settings; Ignore Match; Considerations for Host Type Definitions; Terminal Emulation Support; Mfrmlist.ini Field Definitions

Chapter 7 Creating User Configurations
What Is a User Configuration?; Default User Configuration Properties; Before You Begin; Specifying Domain Controllers for User Configurations; Creating a User Configuration: the User Configuration Wizard; Name User Configuration; Select Product Edition; Choose Applications; Configure Agent Interaction; Advanced Settings; Configure Licensing; Select Data Protection Methods; Select Secondary Data Protection; Enable Self-Service Features; Locate Service Modules; Completing the User Configuration Wizard; Synchronizing Credentials by Using Account Association; Account Association Configuration Task Workflow; Choosing and Configuring a Domain to Host the Credential Synchronization Module; Configuring Account Association in the Agent Software; Resetting and Deleting User Data; Reset User Data; Delete User Data From Central Store; Prompting Users to Reregister Answers to Security Questions; Assigning Priority to User Configurations; Assigning a User Configuration to Different Users; Upgrading Existing User Configurations

Chapter 8 User Authentication and Identity Verification
Overview of Password Manager Authentication; When Must Users Confirm Their Identities?; Overview of Identity Verification Methods; Previous Password; Security Questions; Bypassing Identity Verification If Users Switch Among Multiple Authentication Methods

Chapter 9 Managing Question-Based Authentication
Confirming User Identity Using Question-Based Authentication; Considerations; Question-Based Authentication Workflow; Designing Security Questions: Security Versus Usability; Considerations for Security Questions; Managing Your Questions; Setting a Default Language; Creating New Security Questions; Adding or Editing Text for Existing Questions (Including Translated Text) (page 245); Creating Security Question Groups; Creating and Implementing Your Questionnaire; Before You Begin; Selecting Questions for Key Recovery; Backward Compatibility with Previous Versions of Password Manager; Allowing Users to Reregister Answers to Their Security Questions

Chapter 10 Allowing Users to Manage Their Primary Credentials with Account Self-Service
Overview of Self-Service; Considerations; Using Automatic Key Management with Self-Service; Summary of Self-Service Implementation Tasks; When Users Forget Their Security Questions; User Experience

Chapter 11 Using Provisioning to Automate Credential Entry
Summary of Provisioning Tasks; Generating a Credential Provisioning Template; Editing the Provisioning Template; The <cpm-provision> Tag; Example Output; The <user> Tag; The <add> Command; The <modify> Command; The <delete> Command; The <remove> Command; The <reset> Command; The <list-credentials> Command; Provisioning Credentials; Tuning Credential Provisioning Processing; The Credential Provisioning SDK

Chapter 12 Hot Desktop: A Shared Desktop Environment for Users
Summary of Hot Desktop Tasks; Hot Desktop Start Up and Shut Down Process Flow; Hot Desktop Startup and Shutdown Events; Troubleshooting Hot Desktop User Startup; Creating a Hot Desktop Shared Account; Guidelines for the Hot Desktop Shared Account; Organizing Hot Desktop Users; Restricting User Rights; Hot Desktop, Smart Cards, and Key Recovery; Requirements for Applications Used with Hot Desktop; Controlling How Applications Behave for Hot Desktop Users; Before You Begin; The session.xml File; Launching Applications Using session.xml; session.xml Tags; <startup_scripts>; <shutdown_scripts>; Example: Launching Internet Explorer; Example: Cleaning Up a Session with a Script; The process.xml File; process.xml Tags; <persistent_processes>; <transient_processes>; <shellexecute_processes>; User Configuration Settings for Hot Desktop; Locating Hot Desktop Settings in a User Configuration; Setting the Location of the session.xml File; Specifying Hot Desktop Session Time-Out Options; Enabling the Hot Desktop Session Indicator; Specifying a Custom Bitmap Graphic as a Session Indicator; Using the Hot Desktop Screen Saver; Installing Hot Desktop; Disabling Terminal Services for a Hot Desktop Administrative or Silent Install (page 296); Uninstalling Hot Desktop; Restoring Terminal Services after Uninstalling Hot Desktop; Enabling Multiple Sessions after Uninstalling Hot Desktop; Interacting with Citrix Presentation Server Clients; Program Neighborhood Agent; Citrix Web Interface; Viewing Hot Desktop User Profiles; Shutting Down a Hot Desktop Workstation; Working without AutoAdminLogon Support; Changing the Hot Desktop Shared Account Password; Hot Desktop Information on the Web

Chapter 13 Operations
Logging Password Manager Events; Enabling Event Logging; Password Manager Agent Does not Submit Credentials; All Formats (Windows, Web, Terminal Emulators); Windows-Based Applications; Web-Based Applications; Terminal Emulator-Based Applications; Supporting Terminal Emulators; Configuring HLLAPI Support for Tested Emulators; Application Recognition Initialization (.ini) Files; Password Manager Agent Does not Start; Software Upgrades and the GINA Chain; Retrieving and Submitting Credentials; Creating a New Signing Certificate; Signing, Unsigning, Resigning, and Verifying Data; Signing Data (-s); Resigning Data (-r); Unsigning Data (-u); Verifying Data (-v); Enabling and Disabling the Data Integrity Service on Password Manager Agent Software; Removing Deleted Objects from Your Central Store; Moving Data to a Different Central Store; Migrating Data to a New Central Store; Backing Up Important Files; Backing Up Password Manager Service Files

Appendix A Password Manager Settings List

Appendix B Password Manager 4.5 Settings Reference
User Configurations; Basic; Agent Interaction; Agent User Interface; Client Side Interaction; Synchronization; Account Association; Application Support; Hot Desktop; Licensing; Data Protection Methods; Secondary Data Protection; Self Service Features; Key Management Module; Provisioning Module; Application Definitions; Edit Application; Forms; Application Icon; Advanced Detection; Password Expiration; Password Policies; Basic Password Rules; Alphabetic Character Rules; Numeric Character Rules; Special Character Rules; Exclusion Rules; Password History and Expiration; Test Password Policy; Logon Preferences; Password Change Wizard

Appendix C Application Definition Extensions
Agent Software Operation; Identification Extensions; Defining Identification Extensions; Action Extensions; Defining Action Extensions; Implementer Requirements; Enabling Logging

Appendix D Virtual Key Codes for Host and Windows Applications
Codes for VTabKeyN (Windows); Codes for VirtualKeyCode (Windows) and VKEY (Windows); Virtual Key Codes for HLLAPI-Compliant Terminal Emulators

CHAPTER 1 Welcome

Citrix Password Manager provides password security and single sign-on access to Windows, Web, and host-based applications running in the Citrix environment as well as local applications on the desktop. Users authenticate once and Password Manager does the rest, automatically logging on to password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks, including password changes.

Designed to work seamlessly with all products in the Citrix Access Suite, Password Manager adds value to each of the component products in the Access Suite:

- Citrix Presentation Server: Password Manager provides single sign-on access to any number of password-protected applications published on servers running Presentation Server.
- Citrix Access Gateway with Advanced Access Control: Users authenticate once and Password Manager passes their credentials through to any information and application resource available in the secure, personalized computing environment that is delivered from access centers.

This chapter provides:

- An overview of the capabilities and components of Password Manager
- A list of new features in this release
- Information about this document
- A list of all Password Manager documentation included on the product CD
- A comprehensive list of online resources for Password Manager and Citrix

Password Manager Components

The following sections briefly describe the components you need to install to start using Password Manager. For detailed information, see Planning Your Password Manager Environment on page 29. The main components of Password Manager are:

- The central store
- The Password Manager Console
- Password Manager Agent software
- Password Manager Service (optional)

The Central Store

The central store is a centralized repository used by Password Manager to store and manage user and administrative data. User data includes user credentials, security question answers, and other user-focused data. Administrative data includes password policies, application definitions, security questions, and other wider-ranging data. When a user signs on, Password Manager compares that user's credentials to those stored in the central store. As the user opens password-protected applications or Web pages, the appropriate credentials are drawn from the central store.

Password Manager Console

The Password Manager Console is the command center of Password Manager. From the console, you manage the users' Password Manager experience. Here, you configure how Password Manager will work, which features will be deployed, which security measures will be used, and other important password-related settings. The console has four main items, or nodes, in the left pane. By selecting a node, tasks specific to that node appear. These nodes are:

- User Configurations: These configurations allow you to tailor particular settings for your users based on their geographic locations or business roles. The settings of the other three nodes are used to create user configurations.
- Application Definitions: These definitions provide the information necessary for the Agent software to supply user credentials to applications, and to detect error conditions if they occur. You can use the application definition templates supplied with Password Manager to speed this process, or create your own customized definitions for applications that cannot use these templates. Additional templates are located at gettingstarted.
- Password Policies: Password policies control password length and the type and variety of characters used in both user-defined and automatically generated passwords. Password policies also allow you to identify characters to exclude from use in passwords and whether or not previous passwords can be reused. Creating password policies consistent with your company's security policies ensures that password security is appropriately managed by Password Manager.
- Identity Verification: The security questions you create provide an added layer of security to your agent software by protecting against user impersonation, unauthorized password changes, and unauthorized account unlocking. Users who enroll and answer your security questions can answer those questions to verify their identity and perform self-service tasks on their account, such as resetting their primary password or unlocking their user account.

Password Manager Agent Software

The Password Manager Agent is the software users need on their client devices to act as an intermediary between users and the applications that require authentication. When a user tries to access an application that requires authentication, the agent software intercepts the application's request for authentication, finds the correct credentials, and submits them to the application. In addition, the Password Manager Agent can provide users with a wide array of features. Which features the users actually receive is determined by the administrative settings you make in their user configurations. See Password Manager 4.5 Settings Reference on page 331 for the specific settings available to you.

Password Manager Agent features include:

- Notification area icon: The Password Manager Agent's notification area icon provides access to the Logon Manager and other Password Manager functionality, such as security question registration, pausing, and online Help.

- Logon Manager: The Logon Manager provides a user interface where credentials can be created, viewed, edited, and deleted. Users can also conduct security question registration and access online Help from the Logon Manager. The File menu provides the user with much of the available access:
  - The New Logon command allows users to add new Windows-, Web-, or host-based application credentials to Password Manager.
  - The Properties command gives the user access to properties associated with the credentials for the specified application. From there, the user can change the password, user ID, and other logon information.
  - The Delete command, when invoked, removes the user's credentials for the selected application from Logon Manager.
  - The Copy command provides a duplicate set of the selected credentials that the user can then edit to create multiple sets of credentials for single applications.
  Other commands you can give users access to include:
  - The Reveal Passwords command, from the View menu, allows the user to display the passwords of the applications listed in Logon Manager. Note: Password policy settings for revealing passwords override this command. If you do not want users to reveal the password for an application, be sure to set the password policy to prevent this.
  - The Security Question Registration command, from the Tools menu, gives the user the option to restart the Security Question Registration wizard and provide new answers to the security questions.
  - The Account Association command, from the Tools menu, allows the user to create an association between accounts on different domains. By using this feature, the user's credentials are synchronized, with password changes carried across domains.
- Automated new logon setup: Users can set up new logon credentials quickly using the New Logon wizard. The Password Manager Agent detects when an application or Web site requests logon information. If the user's credentials are not already stored in Password Manager, the New Logon wizard automatically appears, offering to store them.
- User mobility: The Password Manager Agent supports remote and mobile users. By obtaining a license before disconnecting, remote users can access their credentials when they are disconnected from the corporate network. Mobile users can move from one computer to another, and multiple users can securely share one workstation.

The Password Manager Service

The Password Manager Service runs on a Web server that provides the foundation for optional features included in this release. Install the Password Manager Service if you plan to implement at least one of the following modules:

- Account Self-Service Module, which allows users to reset their Windows passwords and unlock their Windows accounts
- Data Integrity Module, which protects data from being compromised while in transit from the central store to the agent
- Key Management Module, which allows users to log on to the network and have immediate access to applications managed by Password Manager
- Provisioning Module, which allows you to use the console to add, remove, or update credential information for your users
- Credential Synchronization Module, which synchronizes user credentials using a Web service

If you are not implementing the modules mentioned above, do not install the Password Manager Service. For more information about the Password Manager Service, see Installing and Configuring the Password Manager Service on page 108.

Password Manager Product Line

Password Manager is now available in two editions: Advanced and Enterprise.

Password Manager Advanced Edition

The Advanced Edition of Password Manager increases your organization's security with:

- Strong password policy options
- Automated password generation
- Automatically started Password Change Wizard option
- Password encryption while in memory, storage, and transmission
- Password expiration options for applications lacking that capability

The Advanced Edition also interacts well with other programs, easing the user's logon information storage process as well as your maintenance of that process and information.

Password Manager Enterprise Edition

The Enterprise Edition of Password Manager is designed for the most demanding and complex enterprise environments. The Enterprise Edition:

- Provides additional security, user self-service, and on-site user mobility features and performance.
- Reduces calls to the help desk through user self-service features that enable users to change their own Windows password and unlock their account.
- Allows on-site mobile workers to quickly access information with Hot Desktop, which facilitates fast user switching at shared workstations.
- Includes enterprise security features such as integration with smart cards, Kerberos, and Federated Environment Support (ADFS and SAML).
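The Password Policies console node and the Advanced Edition's automated password generation both rest on the same idea: a policy is a set of rules (basic length rules, alphabetic, numeric and special character minimums, excluded characters, password history) that every user-typed or generated password is checked against. The following Python is an added example written for this page; it is not Citrix code and does not reproduce the Password Manager policy engine. The rule categories follow the Password Policy Wizard pages named in the table of contents, but the class and function names, the default thresholds, the violation messages and the use of a SHA-256 fingerprint for the history check are assumptions made here.

```python
import hashlib
import secrets
import string


# Added example, not Citrix code: a policy checker and generator modelled on
# the rule categories the guide names (basic, alphabetic, numeric, special,
# exclusion, history). Field names and default thresholds are assumptions.
class PasswordPolicy:
    def __init__(self, min_length=8, max_length=20, min_alpha=1, min_numeric=1,
                 min_special=1, excluded_chars="", history_depth=5):
        self.min_length = min_length          # basic password rules
        self.max_length = max_length
        self.min_alpha = min_alpha            # alphabetic character rule
        self.min_numeric = min_numeric        # numeric character rule
        self.min_special = min_special        # special character rule
        self.excluded_chars = excluded_chars  # exclusion rule
        self.history_depth = history_depth    # previous passwords that may not be reused


def fingerprint(password):
    """Digest kept in the history instead of the plaintext password.

    Demonstration only: a bare SHA-256 is enough to compare against history
    here; a production store would use a salted, slow hash (e.g. PBKDF2).
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy, candidate, history=()):
    """Return the rules the candidate violates; an empty list means compliant.

    `history` is the ordered sequence of fingerprints of the user's previous
    passwords, oldest first; only the last `history_depth` entries count.
    """
    violations = []
    length = len(candidate)
    if length < policy.min_length:
        violations.append("shorter than %d characters" % policy.min_length)
    if length > policy.max_length:
        violations.append("longer than %d characters" % policy.max_length)

    alpha = sum(1 for c in candidate if c.isalpha())
    numeric = sum(1 for c in candidate if c.isdigit())
    special = sum(1 for c in candidate if c in string.punctuation)
    if alpha < policy.min_alpha:
        violations.append("fewer than %d alphabetic characters" % policy.min_alpha)
    if numeric < policy.min_numeric:
        violations.append("fewer than %d numeric characters" % policy.min_numeric)
    if special < policy.min_special:
        violations.append("fewer than %d special characters" % policy.min_special)

    excluded = sorted({c for c in candidate if c in policy.excluded_chars})
    if excluded:
        violations.append("uses excluded characters: " + "".join(excluded))

    if policy.history_depth > 0:
        recent = list(history)[-policy.history_depth:]
        if fingerprint(candidate) in recent:
            violations.append("reuses one of the last %d passwords" % policy.history_depth)
    return violations


def generate_password(policy, length=None):
    """Generate a random password that satisfies `policy`.

    Uses the `secrets` CSPRNG with rejection sampling: draw uniformly from
    the characters the policy allows and keep the first candidate that passes
    every rule, so the result is not biased toward a fixed character layout.
    """
    if length is None:
        length = policy.min_length
    alphabet = [c for c in string.ascii_letters + string.digits + string.punctuation
                if c not in policy.excluded_chars]
    for _ in range(10000):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(policy, candidate):
            return candidate
    raise ValueError("policy cannot be satisfied with length %d" % length)


if __name__ == "__main__":
    # Constructed sample: "@" and space are excluded, and the user has a
    # history of three previous passwords.
    policy = PasswordPolicy(min_length=8, max_length=16, min_alpha=2,
                            min_numeric=1, min_special=1, excluded_chars="@ ",
                            history_depth=3)
    history = [fingerprint(p) for p in ("Old#Pass1", "Old#Pass2", "Old#Pass3")]
    for pw in ("Tr0ub4dor!", "short", "Passw0rd@1", "Old#Pass3"):
        print(pw, "->", check_password(policy, pw, history) or "compliant")
    print("generated:", generate_password(policy, 12))
```

The history check is the rule most often implemented carelessly: comparing against fingerprints rather than stored plaintext keeps old passwords out of the policy store, and slicing to the last `history_depth` entries is what makes "previous passwords cannot be reused" a bounded window rather than a lifetime ban.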

Password Manager Advanced versus Enterprise Editions

User Features                                                 Advanced  Enterprise
Single sign-on to Windows applications                        X         X
Single sign-on to Web applications                            X         X
Single sign-on to host-based terminal emulator applications   X         X
Citrix Access Client                                          X         X
Localized user interface                                      X         X
Support for SAPGUI, Internet Explorer 7 (32-bit, 64-bit)      X         X
Self-service password reset                                             X
Self-service account unlock                                             X
Self-service feature integration with Web Interface                     X
Hot Desktop fast user switching                                         X
Hot Desktop/SmoothRoaming integration                                   X
Account association                                                     X

Security Features                                             Advanced  Enterprise
Automated password change                                     X         X
Transparent password change                                   X         X
Encrypted passwords in memory, storage, during transmission   X         X
Password policy enforcement, automatic password changes       X         X
Password policy enforcement, manual password changes          X         X
Password expiration                                           X         X
Password token and biometric support                          X         X
Basic support for smart cards                                 X         X
Smart card support                                                      X
Cryptographic data integrity assurance                        X         X
Kerberos and Federated Environment Support (ADFS, SAML)       X         X

Administrator Features                                        Advanced  Enterprise
Batch credential provisioning                                 X         X
Integration with user provisioning products                   X         X
Windows NT file share support                                 X         X
Microsoft Active Directory support                            X         X
Novell NetWare network share support                          X         X
LDAP directory support                                        X         X
Administration by Active Directory groups                     X         X
Citrix Streaming Server support                               X         X
Citrix Access Management Console                              X         X
Suite-integrated licensing                                    X         X
Windows Server bit compatibility                              X         X
Named user licensing                                          X         X
Concurrent user licensing (1)                                 X

(1) Citrix Password Manager for Presentation Server only.

New Features in the Advanced Edition

The Advanced Edition includes the following new features:

Application Definition Extensions

The Application Definition Extensions enable greater extensibility through scripting support and the ability to invoke an executable for both application detection and password-related actions. This enhances the ability to configure an application for single sign-on use. See Application Definition Extensions on page 359 for details.

Internet Explorer 7 (32-bit and 64-bit) Support

Support for both the 32-bit and 64-bit versions of Internet Explorer 7 has been added. For example, if a user switches to an Internet Explorer tab containing a new application, Password Manager Agent prompts the user for credential storage.

Enhanced SAPGUI Support

SAPGUI scripting for the SAP Logon Pad has been added, giving Password Manager a fifth SAP integration option.

Simplified Password Change Wizard
This Password Change Wizard starts when Password Manager detects that an application requested a password change or that the user started the password change process within the application. The wizard includes an administrative option to determine automatically whether or not the password change succeeded.

Administration by Active Directory Groups
Password Manager now enables user settings to be deployed to Active Directory groups in environments with Active Directory or NTFS file shares that use Active Directory authentication. Administrators can also prioritize the group membership list and retain the ability to administer at the domain, organizational unit, or individual user level.

New Features in the Enterprise Edition

The Enterprise Edition includes all the new features of the Advanced Edition, plus the following:

User Self-Service Integration with Presentation Server Web Interface
Users can now reset their primary network password or unlock their account from the Citrix Web Interface as well as from the Windows logon screen.

Kerberos and Federated Environment Support
Password Manager now supports single sign-on to rich-client applications across Web domains. After users authenticate to their organization's primary domain, their credentials are automatically supplied to the applications of a trusted partner company. Standard federation solutions provide single sign-on to Web applications only, but by using Password Manager with Presentation Server, federation with single sign-on can be employed for all application types.

Account Association
Account Association allows a user's Windows logon credentials to be shared across multiple Windows accounts in multiple domains. Password Manager stores the user's credentials in one location accessible from all of the associated accounts.

Enhanced Support for Users Switching between Strong Authentication Methods
Users are no longer required to answer security questions when switching between strong authentication methods, even if automatic key management is not configured (previously, users were exempt from authenticating again only if automatic key management was configured). For example, users can access their accounts locally with a smart card and then remotely with a one-time password token without being prompted to verify their identity.

About this Document

The overall objectives of this guide are:
- To provide you with a good understanding of the features and functionality of Password Manager
- To provide you with an understanding of the prerequisites and procedures necessary to install Password Manager successfully
- To provide you with guidelines for planning and implementing the deployment of Password Manager in your organization
- To provide you with instructions and tips to help you create and maintain the optimum password management environment for your users

Audience and Assumptions
This document is intended for system and security administrators who are implementing Password Manager. It is assumed that you, the reader, have a basic understanding of Windows Server administration. You must have a working knowledge of Novell NetWare if that is the platform on which you install or maintain Password Manager.

Providing Feedback about this Document
To provide feedback about the documentation, go to the Citrix Web site and click Support > Knowledge Center > Product Documentation. To access the feedback form, click the Submit Documentation Feedback link.

Document Conventions
Citrix product documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:

- Boldface: Commands, names of interface items such as text boxes, option buttons, and user input.
- Italics: Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics are also used for new terms and the titles of books.
- %SystemRoot%: The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.
- Monospace: Text displayed in a text file.
- { braces }: A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves.
- [ brackets ]: Optional items in command statements. For example, [/ping] means that you can type /ping with the command. Do not type the brackets themselves.
- | (vertical bar): A separator between items in braces or brackets in command statements. For example, { /hold | /release | /delete } means you type /hold or /release or /delete.
- ... (ellipsis): You can repeat the previous item or items in command statements. For example, /route:devicename[,...] means you can type additional devicenames separated by commas.

Getting More Information and Help
This section discusses the documentation for this release. It also describes how to get more information about Password Manager.

Product Documentation
Password Manager contains a robust library of documentation. With the exception of the Pre-Installation Update Bulletin, the following documents are available in the Documentation directory on the product CD. The bulletin is available on the Citrix Web site.

Pre-Installation Update Bulletin
The Pre-Installation Update Bulletin contains installation-related information developed after the Readme file was completed.

Readme file
The Readme file provides information about Password Manager functionality, known issues, changes, and other important information developed after the Citrix Password Manager Administrator's Guide was completed. Be sure to read it before installing Password Manager.

Getting Started with Citrix Licensing Guide
The licensing process for Password Manager has changed since the release of Password Manager 4.1. See the Getting Started with Citrix Licensing Guide, included on your product CD, for instructions on licensing Password Manager.

Note: Guides are provided as Adobe Portable Document Format (PDF) files. To view, search, and print PDF documents, you need Adobe Acrobat Reader with Search, or Adobe Reader 6.0 through 7.0. You can download these products for free from the Adobe Systems Web site.

Citrix Password Manager Administrator's Guide
The manual you are currently reading provides conceptual information, procedures for deployment, and implementation instructions for system administrators who install, configure, and test the components of Password Manager.

Installation Checklist
This document provides a quick, concise prompt for administrators experienced at installing Password Manager. It approaches the installation process from a broad perspective and is not meant as a substitute for Planning Your Password Manager Environment on page 29 and Installing Password Manager on page 79 of this Administrator's Guide.

Online Help for Administrators and Users
Administrators now have a robust set of Help topics based on this guide. Administrators can view information about common tasks, workflow, and settings on screen. Users can get information about common tasks, including adding logon information for applications, using the Logon Manager, and setting Password Manager automatic features. Users can access Help through Help menus or Help buttons.

Citrix Password Manager Evaluator's Guide
This guide delivers a practical overview of Password Manager features and functionality by providing instructions for setting up and running a small-scale deployment of the product.

Getting Service and Support
Citrix provides technical support primarily through the Citrix Solutions Advisors Program. Contact your supplier for first-line support or check for your nearest Solutions Advisor on the Citrix Web site. In addition to the Citrix Solutions Advisors Program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center on the Citrix Web site. Knowledge Center features include:
- A knowledge base containing thousands of technical solutions to support your Citrix environment.
- A Web-based product documentation library.
- Interactive support forums for every Citrix product.
- Access to the latest hotfixes and service packs.
- Security bulletins.
- Web-based problem reporting and tracking (for users with valid support contracts).
- Citrix Live Remote Assistance. Using Citrix's remote assistance product, GoToAssist, a member of the support team can view your desktop and share control of your mouse and keyboard to get you on your way to a solution.

Another source of support, Citrix Preferred Support Services, provides a range of options that allow you to customize the level and type of support for your organization's Citrix products.

Subscription Advantage
Subscription Advantage gives you an easy way to stay current with the latest server-based software functionality and information. During your subscription period, you get automatic delivery of:
- Feature releases
- Software upgrades
- Enhancements
- Maintenance releases
- Priority access to important Citrix technology information

You can find more information about subscribing on the Citrix Web site (click Subscription Advantage). You can also contact your Citrix sales representative or a member of the Citrix Solutions Advisors Program for more information.

Education and Training
Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site. Information about programs and courseware for Citrix training and certification is available on the Citrix Web site.

Chapter 2 Planning Your Password Manager Environment

This section contains information to help you plan your Password Manager environment and decide how to implement Password Manager. The following topics are described in this section:
- Planning Workflow Diagram on page 30
- Getting Started on page 31
- Which Central Store Type Should I Choose? on page 33
- What about Password Policies for Application Access? on page 42
- Which Type of SSO-Enabled Applications Are Used in My Enterprise? on page 48
- What Type of Smart Cards Are Used in My Enterprise? on page 50
- Do I Need to Use Identity Verification? on page 51
- Planning Your User Configurations on page 54
- Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop) on page 59
- Selecting Optional Password Manager Service Features on page 61
- Password Manager Agent Deployment Scenarios on page 67
- Guidelines for Multiple Primary Authentication and User Credential Protection Choices on page 70

Planning Workflow Diagram

Getting Started
A Password Manager environment can include the following:
- Shared network folders or Active Directory containing the central store
- One or more PCs running the Password Manager Console
- User PCs running the Password Manager Agent
- A dedicated server hosting the Password Manager Service with one or more feature modules installed on it
- A Citrix Presentation Server environment hosting the Password Manager Agent
- Authentication devices such as smart cards
- Password Manager features such as Hot Desktop and key management

After you have a basic or complete Password Manager plan, you can start implementing it in your environment. The following table shows what you need to do to get started using Password Manager.

| Task | See this section |
|---|---|
| 1. Research features that you might implement in your environment. | Planning Your Password Manager Environment on page 29 (that is, this section); User Authentication and Identity Verification on page 231; Managing Question-Based Authentication on page 237; Allowing Users to Manage Their Primary Credentials with Account Self-Service on page 255; Using Provisioning to Automate Credential Entry on page 261; Hot Desktop: A Shared Desktop Environment for Users |
| 2. Create a central store and install the Password Manager components with optional features. Upgrade an existing deployment of Password Manager. | Which Central Store Type Should I Choose? on page 33; Installing Password Manager on page 79; Upgrading Password Manager on page 123 |
| 3. Create, edit, or review your password policies. | What about Password Policies for Application Access? on page 42; Using Password Policies to Enforce Password Requirements |
| 4. Create or edit your application definitions. | Which Type of SSO-Enabled Applications Are Used in My Enterprise? on page 48; Managing How Password Manager Works with Applications |
| 5. Create user configurations based on your enterprise requirements. | Planning Your User Configurations on page 54; Creating User Configurations on page 193 |
| 6. Install the agent software on user desktops or a computer running Presentation Server. | Password Manager Agent Deployment Scenarios on page 67; Installing and Configuring the Password Manager Agent on page 114 |
| 7. Notify your users that Password Manager can help securely store their application credentials. | Your enterprise's standard operating procedures or IT policy manual. |

Which Central Store Type Should I Choose?

Note: You can create a central store automatically as part of the Password Manager installation process or manually by using the central store setup utilities. See Creating a Central Store on page 98 and Optional Creating a Central Store from a Command-Line on page 101.

Password Manager uses a repository known as the central store to store and retrieve information about your users and your environment. Password Manager relies on the data in the central store to perform all default and configured single sign-on functions. The central store contains user data and administrative data:
- User data in the central store includes user secondary credentials, security questions and answers, service-related data (for example, provisioned data, question-based authentication data, key recovery enrollment, and so on), and user Windows registry data associated with Password Manager
- Administrative data in the central store includes application definitions, password policies, security questions, and other settings made through the console for Password Manager features and components

The central store enables the agent software running on a user PC or on a computer running Citrix Presentation Server to communicate with the central store and services, and to provide user credentials to the applications to which the user has been granted access. The agent maintains a local store on the user PC. The local store contains only the user's secondary credentials, key recovery information, and security questions and answers (if applicable). It synchronizes with the central store so that users can roam throughout the enterprise and always have access to their saved credentials.

The central store can be one of the following:
- Active Directory: The central store uses the Active Directory environment and objects to store and update Password Manager data. See Choosing an Active Directory Central Store on page 35.
- NTFS network share: The central store uses a Windows network file share to store the Password Manager data. See Choosing an NTFS Network Share on page 37.

- Novell shared folder: The central store uses a Novell NetWare shared folder to store the Password Manager data. See Choosing a Novell Shared Folder on page 38.

Note: Citrix Password Manager allows you to migrate users from one central store type to another if you later decide that a different type is more suitable than the one currently used in your environment. See Moving Data to a Different Central Store on page 321.

Note: If your enterprise forest contains multiple domains, see Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise on page 40. Also see Specifying Domain Controllers for User Configurations on page 198 for information about user configurations in environments with multiple domain controllers.

Choosing an Active Directory Central Store
Choosing Active Directory as your central store lets you leverage the convenience of your existing Active Directory user authentication and object administration. For example, you can apply user-specific settings at any level in a domain: domain, organizational unit, group, or user.

Two new classes and two attributes are added to the Active Directory schema when you create an Active Directory central store:

| Class | Description |
|---|---|
| citrix-ssoconfig | Describes the object containing data for the agent settings, synchronization state, and the ENTLIST.INI application definition file and the FTULIST.INI first-time agent use behavior file. This class includes the following attributes: citrix-ssoconfigdata (contains the actual data) and citrix-ssoconfigtype (specifies the data type). |
| citrix-ssosecret | Describes the secret data object used to authenticate a Password Manager user. This class includes the following attribute: citrix-ssosecretdata (contains encrypted credential data for an application and Self-Service Password Reset data). |

Note: See the CitrixMPMSchema.xml file in the \Tools folder of the Password Manager product CD for more information about these classes and attributes.

In general, choose Active Directory as your central store if you:
- Can successfully extend your Active Directory schema without affecting your enterprise
- Already implement Active Directory backup and restore best practices as recommended by Microsoft (although this is not a requirement)
- Prefer the high availability that is built in to Active Directory to be extended to the central store data

Advantages
- Active Directory includes built-in failover and redundancy, so additional measures for disaster recovery are not needed
- Active Directory replication helps to distribute central store administrative and user data across your enterprise

- No additional hardware is needed when using an Active Directory central store

Considerations
- You must extend your schema when using an Active Directory central store, which requires careful planning and implementation. Extending the schema affects the entire forest. You might want to extend the schema and create your Active Directory central store during non-peak usage hours.
- Your Active Directory replication cycle latency affects how quickly these changes are copied to all domain controllers in the forest. Inter-site replication of central store data across large enterprises using WANs requires you to configure replication correctly to reduce latency. (Intra-site replication typically introduces less latency.)

Choosing an NTFS Network Share

Important: Citrix recommends that you use a hidden share for the central store in this case. Creating a central store as described in Creating a Central Store on page 98 or Optional Creating a Central Store from a Command-Line on page 101 automatically creates a hidden share.

Choosing an NTFS network share as your central store lets you leverage the convenience of your existing Active Directory user authentication and tree structure without having to extend the Active Directory schema. For example, you can apply user-specific settings at any level in a domain: domain, organizational unit, group, or user.

Password Manager creates a shared folder named CITRIXSYNC$ with two subfolders named People and CentralStoreRoot. The People folder contains a subfolder for each user and includes the appropriate read and write permissions for that user. The CentralStoreRoot folder contains administrative data.

Advantages
- You can emulate the look and feel of an Active Directory central store without having to extend your Active Directory schema, yet you can still take advantage of your existing Active Directory hierarchy or groups. Note: Associating user configurations with groups is supported only in Active Directory domains that use Active Directory authentication.
- User data is always up to date, because it is stored in a central location and avoids any data replication latency associated with Active Directory.
- You can load balance your shares among multiple computers that each host an NTFS network share, for higher availability.
- Helps reduce the authentication workload on your Active Directory environment.
- If you decide later to implement an Active Directory central store, Password Manager enables you to migrate your NTFS shared folder central store to an Active Directory central store.

Considerations
- You might need additional hardware to host the central store.
- You need to back up central store files and folders (including their related permissions) regularly. Ensure that you also maintain and implement disaster recovery plans in which you replicate files and folders for site recovery.
- Your enterprise network topology might require users (and the Password Manager agent) to transfer user data across one or more WAN links. In this case, consider implementing the Distributed File System technology included as part of Microsoft Windows Server 2000 or later. The Microsoft Web site describes the Distributed File System technology in more detail.

Choosing a Novell Shared Folder

Important: Password Manager services are not supported in Password Manager environments using Novell NetWare shared folders.

Choosing a Novell NetWare shared folder as your central store lets you leverage the convenience of your existing Novell NetWare directory services. Using this central store type is similar to using an NTFS network share. Configure a secured network folder in eDirectory to store all data associated with your Password Manager environment. Applications and settings can be defined and assigned at the domain level.

Advantages
- You are already implementing Novell NetWare directory services
- You can choose to use an existing secure shared folder as the central store

Considerations
- This central store type does not support associating user configurations with Active Directory groups.
- If you use a Novell NetWare shared folder, your users' Novell password must be identical to their Windows password. This requirement includes environments running Novell ZENworks for Desktops with Windows Dynamic Local User support configured on your Novell Directory Server and with Novell Workstation Manager on each computer that runs the Password Manager agent software.

- Because the agent uses a Windows password, the use of Novell NetWare file synchronization requires that users' Novell passwords be identical to their Windows passwords.
- The central store must be located in the same tree as the computers on which the agents are installed.
- Users must log on to the Novell tree where the shared folder is located. Users must also have accounts with read access permissions to the Novell NetWare shared folder you designate as the central store.
- Password Manager services are not supported in Password Manager environments using Novell NetWare shared folders.

Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise

Note: See Synchronizing Credentials by Using Account Association on page 217 to configure Account Association.

Administrators can create multiple central stores in enterprises that contain multiple domains. In fact, you can use more than one central store type in these environments. For example, you can associate user configurations with an NTFS network share central store in one domain and an Active Directory central store in another domain.

Because companies might maintain multiple Windows domains, users might also have more than one Windows account. Password Manager includes a feature known as Account Association that allows a user to log on to any application from one or more Windows accounts. Because Password Manager typically binds user credentials to a single account, the credential information is not automatically synchronized among the multiple accounts that a user owns. However, administrators can configure Account Association to synchronize user credentials by using the Credential Synchronization Module.

Users with Account Association configured have access to all applications from any of their accounts in their Password Manager environment. When user credentials are changed, added, or removed from one account, the credentials are automatically synchronized with each of the user's associated accounts. Without Account Association, users with multiple Windows accounts are forced to change their logon information manually and separately from each Windows account.

Advantages
- Account Association can help increase productivity and reduce support calls by synchronizing user credentials, which helps reduce logon maintenance and logon failures.
- Accounts can be synchronized across different central store types. That is, a user account configured to use Active Directory as the central store can synchronize with an associated user account that is configured to use an NTFS network share.
- Accounts can also be synchronized across different user configuration associations. For example, a user configuration can be associated with an

Active Directory hierarchy (OU or user) in one domain and with an Active Directory group in another domain. Accounts can also be synchronized across different user configuration associations in the same domain and within the same central store.
- Trust relationships between domain controllers are not necessary to use Account Association.

Considerations
Consider the following before configuring Account Association:
- Account Association is not compatible with smart cards when smart cards are used as the primary authentication mechanism to log on to Windows.
- Note: The user configuration in each domain might have different password policies that might block access to a resource, but Account Association synchronizes user credentials only, not user configuration policies. Consider how you compose password policies in your enterprise.
- Each associated domain account must use Citrix Password Manager.
- Application definition names must be the same in each user configuration for the Account Association feature to synchronize credentials.
- User credentials are shared only for applications specified in application definitions created by the Password Manager administrator.
- As part of the Password Manager Service, the Credential Synchronization Module is a Web service available through a secure HTTP connection, so this module must be accessible from all computers in your enterprise that use Account Association.

What about Password Policies for Application Access?
Password policies are rules that control how passwords are created, submitted, and managed. The Password Manager installation includes two standard password policies named Default and Domain, which cannot be deleted. You can copy and modify these policies to suit your enterprise policies and regulations. Default Settings for the Default and Domain Password Policies on page 45 lists the installed default settings for the Default and Domain password policies. You can use that table to help modify them or create your own policies.

Default Password Policy
Password Manager applies the Default policy to password-enabled applications used in your enterprise (except for those that require user domain credentials; see Domain Password Policy on page 42). This policy is applied to any application that is not defined by an administrator (by using the application definition feature in the console) or that is not part of an application group. When a user adds credentials to the agent's Logon Manager for an application that does not have a corresponding application definition, Password Manager applies the Default policy to manage that application.

Domain Password Policy
Typically, an administrator creates an application group and selects the Domain policy to be applied to the applications in that group. Password Manager then applies the Domain policy to those applications that require the user's domain credentials for access. The Domain policy can be modified or copied to reflect your enterprise's Active Directory or NT domain policies for user accounts. If you want an application group to be treated as a domain password sharing group, you must apply the Domain policy to that application group.

Note: An application group is a collection of defined applications associated with one or more user configurations, including the policy used to manage the applications.

Custom Password Policies

Important: When creating a custom password policy or modifying existing policies, ensure that your enterprise requirements and application requirements match. For example, if you create a policy that does not at least match an application's requirements, your users might not be able to authenticate to that application.

You can create password policies as needed: you can apply one policy to your domain sharing group, create individual policies to apply to individual groups of applications to secure them further, and so on. In general, password policies can specify restrictions such as the following:
- A minimum and maximum number of characters for a password
- Alphabetic and numeric character usage
- The number of times a character can be repeated
- Which characters or special characters are excluded or required
- Whether or not users can view their stored passwords
- How many times users can try entering their password correctly
- Password expiration parameters
- Password history and password exceptions

Considerations
- Consider your security requirements in the context of ease of use for your users. Overly restrictive passwords might be hard for users to create, implement, or recall.
- Because Password Manager is secure by design, the Default password policy defines the minimum level of password security recommended by Citrix Systems, Inc. for securing most single sign-on enabled applications. You can modify these settings according to your enterprise policies and regulations.
- Because Password Manager applies the Default password policy to user-added applications, ensure that you configure the Default policy to be as broad as needed to accept passwords for those applications for which you allow passwords to be stored.

- When users change their passwords, Password Manager can be configured through a user configuration setting to check the old password against the new password. This helps prevent users from reusing a password for the same application twice in a row.
- Users might have a single password that is used for multiple applications (in a suite of products, for example). This scheme is known as password sharing, where the same authentication authority is used for the applications. While the other credentials for those applications (such as user name and custom fields) might differ, the user's password is the same. In this case, create an application group that is a password sharing group to ensure that the agent software manages the password for all applications in the group as a single entity. When the password is changed in one of the applications, the agent software ensures that the change is reflected in the stored credentials for all applications in the group.
- Domain password sharing groups differ from other password sharing groups because the user's domain password is used as the master password for the application group. When the user changes the domain password, the agent software ensures that the change is reflected in the credentials for all other applications in the group. Only the domain password can be changed; users cannot initiate password changes for any of the other applications in the group unless the administrator removes the application from the domain password sharing group.

Default Settings for the Default and Domain Password Policies

The following table describes the settings, as installed, for the Default and Domain password policies. The default setting follows each option; the Your Custom Setting column of the original table is left blank for you to record your own values.

Agent Password Wizard: User prompted for action

Alphabetic Character Rules
  Alphabet case usage: Allow uppercase and lowercase
  Minimum number of lowercase alphabetic characters required: 0
  Minimum number of uppercase alphabetic characters required: 0
  Password can begin with lowercase alphabetic character: Yes
  Password can begin with uppercase alphabetic character: Yes
  Password can end with lowercase alphabetic character: Yes
  Password can end with uppercase alphabetic character: Yes

Basic Password Rules
  Maximum number of times a character can occur: 6
  Maximum number of times a character can occur sequentially: 4
  Maximum password length: 20
  Minimum password length: 8

Logon Preferences
  Allow user to reveal password for applications: No
  Force user to re-authenticate before submitting application credentials: No
  Number of logon retries: 3
  Time limit for number of retries: 120 seconds

Numeric Character Rules
  Allow numeric characters in password: Yes
  Maximum number of numeric characters allowed: 20
  Minimum number of numeric characters allowed: 0
  Password can begin with a numeric character: Yes
  Password can end with a numeric character: Yes

Password Exclusion Rules
  Characters and character groups excluded from a password: Optional setting
  Do not allow application user name in password: No
  Do not allow portions of application user name in password: No
  Do not allow portions of Windows user name in password: No
  Do not allow Windows user name in password: No
  Number of characters in the character groups that can be taken from the application user name: 0
  Number of characters in the character groups that can be taken from the Windows user name: 0

Password Expiration
  Enable password expiration: No
  Number of days to warn the user before the application password expires: 14
  Number of days until the user's application password expires: 42

Password History
  Enable password history: No
  Number of previous passwords that are kept in the password history: 1

Special Character Rules
  Allow special characters in password: No
  Allow special characters list: !@#$%^&*()_+=[]\,?
  Maximum number of special characters allowed: 20
  Minimum number of special characters required: 0
  Password can begin with a special character: Yes
  Password can end with a special character: Yes
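As an added illustration of how the rule categories above combine, the following Go program (not Citrix code, and not how the agent implements its checks) evaluates a candidate password against a policy seeded with the installed defaults from the table. The Policy fields, violation messages and the HistorySize convention (0 means history is not enforced) are this example's own; alphabet-case, begin/end and expiration rules are left out for brevity.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy models the rule categories of the Default password policy table above.
// A zero maximum means "no limit"; a zero minimum means "not required".
type Policy struct {
	MinLength, MaxLength   int
	MaxOccurrences         int // times any one character may occur in the password
	MaxSequential          int // times a character may repeat consecutively
	AllowNumeric           bool
	MinNumeric, MaxNumeric int
	AllowSpecial           bool
	SpecialChars           string // the "allow special characters list"
	MinSpecial, MaxSpecial int
	ExcludeAppUserName     bool // "do not allow application user name in password"
	HistorySize            int  // previous passwords that may not be reused; 0 disables history
}

// DefaultPolicy returns the installed defaults transcribed from the table above
// (password history is not enabled by default, so HistorySize stays 0).
func DefaultPolicy() Policy {
	return Policy{
		MinLength: 8, MaxLength: 20, MaxOccurrences: 6, MaxSequential: 4,
		AllowNumeric: true, MaxNumeric: 20,
		AllowSpecial: false, SpecialChars: `!@#$%^&*()_+=[]\,?`, MaxSpecial: 20,
	}
}

// Validate returns every rule the candidate password breaks; an empty result means
// the password is acceptable. appUser is the application user name; history lists
// the user's previous passwords for this application, most recent first.
func (p Policy) Validate(pw, appUser string, history []string) []string {
	var errs []string
	fail := func(format string, a ...interface{}) { errs = append(errs, fmt.Sprintf(format, a...)) }
	runes := []rune(pw)
	if n := len(runes); n < p.MinLength || (p.MaxLength > 0 && n > p.MaxLength) {
		fail("length %d is outside the allowed range %d-%d", n, p.MinLength, p.MaxLength)
	}
	occ := map[rune]int{}
	var digits, special, run int
	for i, r := range runes {
		occ[r]++
		if i > 0 && runes[i-1] == r {
			run++
		} else {
			run = 1
		}
		if p.MaxSequential > 0 && run == p.MaxSequential+1 {
			fail("character %q repeats more than %d times in a row", r, p.MaxSequential)
		}
		switch {
		case unicode.IsLetter(r):
		case unicode.IsDigit(r):
			digits++
		case strings.ContainsRune(p.SpecialChars, r):
			special++
		default:
			fail("character %q is not in the allowed special character list", r)
		}
	}
	for r, c := range occ {
		if p.MaxOccurrences > 0 && c > p.MaxOccurrences {
			fail("character %q occurs %d times, more than the maximum of %d", r, c, p.MaxOccurrences)
		}
	}
	if (!p.AllowNumeric && digits > 0) || digits < p.MinNumeric || (p.MaxNumeric > 0 && digits > p.MaxNumeric) {
		fail("%d numeric characters violates the numeric character rules", digits)
	}
	if (!p.AllowSpecial && special > 0) || special < p.MinSpecial || (p.MaxSpecial > 0 && special > p.MaxSpecial) {
		fail("%d special characters violates the special character rules", special)
	}
	if p.ExcludeAppUserName && appUser != "" && strings.Contains(strings.ToLower(pw), strings.ToLower(appUser)) {
		fail("contains the application user name")
	}
	for i, old := range history {
		if i >= p.HistorySize {
			break
		}
		if old == pw {
			fail("matches one of the last %d passwords", p.HistorySize)
			break
		}
	}
	return errs
}

func main() {
	policy := DefaultPolicy()
	// Constructed sample passwords exercising the installed defaults.
	for _, pw := range []string{"Correct7Horse", "aaaaab12", "Short1", "Pass!word9"} {
		fmt.Printf("%-14s -> %v\n", pw, policy.Validate(pw, "jsmith", nil))
	}
}
```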

Which Type of SSO-Enabled Applications Are Used in My Enterprise?

Note: Password Manager supports the 64-bit version of Internet Explorer. It does not support 64-bit terminal emulator software.

You, as the Password Manager administrator, can create an application definition or modify an application definition template for each application that you want Password Manager to manage for your users. You create application definitions by using the console or the stand-alone Application Definition Tool, which can be installed on non-console workstations. You can also allow users to add their credentials to Password Manager for any of their client-side applications that it detects, according to settings in user configurations. See Creating a User Configuration: the User Configuration Wizard on page 200 and Configure Agent Interaction on page 204.

The agent software can detect and respond to logon changes for most applications, including the following application types:

- Windows: 32-bit Windows applications (including Java applications) such as Microsoft Outlook, Lotus Notes, SAP, or any password-enabled Windows application
- Web: Web applications (including Java applets and SAP) accessed through Microsoft Internet Explorer
- Host/mainframe: Host-based applications that you access through an HLLAPI-compliant terminal emulator

The agent software responds according to application definitions that you can create from scratch or copy from existing templates. An application definition:

- Enables the agent software to recognize and respond to applications and the forms used by the applications to process user credentials
- Consists of a set of identifiers that establish parameters to accomplish this recognition and response

Within each definition, you create the logon and password-related forms required by the application to enable access. The application definition wizards can help you create a definition if you open the application; the wizards can detect the forms and fields of most applications by using Password Manager's window-matching capabilities.

Note: Password Manager includes default application definition templates for a variety of Citrix applications or application features. Click Application Definitions in the console tree and click Manage templates in the Common Tasks area to view them. (These functions are also available in the Application Definition Tool.) Additional templates are available by searching the Citrix Support Web site at

What Do I Need to Know about Each Application?

Before you create a definition, collect the following information about each single sign-on (SSO) enabled application in your enterprise. You can also start the application to allow the Application Definition wizard or tool to detect some of this information.

- Application executable name and, optionally, its path. You can supply a path for the application for added security, ensuring the user is running the specific application qualified for your enterprise.
- Individual user credential fields required for each application, such as user name, password, and other fields (for example, domain name or secondary password).
- Other credential-related fields in the form, including these password change fields: Logon, Change Password, Change Password Success (optional), Change Password Failure (optional).
- Password sharing application requirements. You might also need to know which applications share the same authentication authority and might be part of a password sharing group. Password sharing groups enable the agent software to manage multiple credentials for applications that use the same method of authentication. Also, you can apply the same password policy to application groups. See Creating a User Configuration: the User Configuration Wizard on page 200 for more information.
- Information associated with terminal emulation applications. Information such as terminal emulator session short names is required by High-Level Language Application Programming Interface (HLLAPI) compliant terminal emulators.

What Type of Smart Cards Are Used in My Enterprise?

You must consider the type of authentication used in your enterprise. After you determine your authentication types and choose a data protection method in your user configuration, you can implement user identity verification to further secure credentials. See Do I Need to Use Identity Verification? on page 51. Guidelines for Multiple Primary Authentication and User Credential Protection Choices on page 70 describes data protection methods when multiple primary authentication is allowed in your enterprise.

Smart Card Support

Citrix has tested smart cards that meet Standard 7816 of the International Organization for Standardization (ISO) for cards with electrical contacts (known as contact cards) that interface with a computer system through a device called a smart card reader. The reader can be connected to the host computer by the serial, USB, or PC Card (PCMCIA) port.

Citrix supports the use of PC/SC-based cryptographic smart cards. These cards include support for cryptographic operations such as digital signatures and encryption. Cryptographic cards are designed to allow secure storage of private keys such as those used in Public Key Infrastructure (PKI) security systems. These cards perform the actual cryptographic functions on the smart card itself, meaning the private keys never leave the card.

In addition, smart cards provide two-factor authentication for increased security: the card and the user's PIN. When these items are used together, the cardholder can be proven to be the rightful owner of the smart card.

Smart Card Software Requirements

Consult your smart card vendor or integrator to determine detailed configuration requirements for your specific smart card implementation. The following components are required on the server or client:

- PC/SC software
- Cryptographic Service Provider (CSP) software
- Smart card reader software drivers

Your Windows server and client operating systems might already include PC/SC, CSP, or smart card reader drivers. See your smart card vendor for information about whether these software components are supported or must be replaced with vendor-specific software.

Do I Need to Use Identity Verification?

Note: You can choose to bypass user identity verification for further ease of use. See Recovering or Unlocking User Credentials Automatically on page 53.

Depending on user configuration settings, you might require users to verify their identities when the following events occur:

- Users change their authentication types; for example, a user might switch between smart card and password authentication (you can create a user configuration that requires initial verification only when switching between authentication types; see If Users Switch Among Multiple Authentication Methods on page 236)
- An administrator changes a user's primary password
- Users reset their primary password using Account Self-Service
- Users unlock their domain account using Account Self-Service
- Users change their primary password on a device that does not have the agent software installed and then log on to a device where the agent software is installed

Password Manager can be configured to verify the user's identity to ensure that the user is authorized to use Password Manager. You can select one of two identity verification methods:

- Previous Password: Users verify their identities by entering their previous primary password.
- Security questions (also known as question-based authentication): You create a questionnaire that contains as many questions and question groups as you want available to users. You can use the default questions Password Manager provides or create your own. See Designing Security Questions: Security Versus Usability on page 241.

Caution: When previous password is the only identity verification method available to your users, users who forget their previous primary password are locked out. An administrator must then use the Password Manager Console task Reset User Data to enable the users to reenroll. An administrator might also need to reset the passwords in the user's applications.

Verifying User Identity by Using Security Questions (Question-based Authentication)

Note: Managing Question-Based Authentication on page 237 provides more detailed information.

If you choose not to set up security questions, users are prompted for their previous primary password when they first log on and when they change their primary password. You can also allow users to choose the method they prefer to use when authenticating (previous password or security questions).

Password Manager enables you to use question-based authentication to verify user identity. Password Manager includes four questions (in English, French, German, Japanese, and Spanish) that you can use for this purpose. You can use question-based authentication:

- As part of a user's Security Question Registration during the first-time agent software enrollment
- After enrollment, if you configured Account Self-Service to allow users to change their primary credentials or unlock their accounts

When users change their primary passwords, you can confirm your users' identities by prompting them to answer security questions in the form of a questionnaire you create. This questionnaire appears the first time your users launch the agent software. Users answer the required number of security questions and can be prompted to reenter this information at specific password change events.

Recovering or Unlocking User Credentials Automatically

Important: Automatic key management is not as secure as other key recovery mechanisms such as security questions and previous password.

You can configure Password Manager to bypass identity verification and retrieve user credentials (that is, the encryption keys associated with the user data) automatically by installing the Password Manager Service and using the Key Management Module. The basic workflow to use automatic key management is as follows:

1. Install the Citrix Password Manager Service with the Key Management Module.
2. Create or edit user configurations and select the key recovery method that allows automatic key management without identity verification. This option is available as part of the Secondary Data Protection property in the user configuration.

See also:
- Key Management on page 64
- Select Secondary Data Protection on page 215
- Enable Self-Service Features on page 216

Planning Your User Configurations

Important: You must create user configurations before you deploy the Password Manager Agent to users. A user configuration contains the license server and licensing information required by the agent for operation.

Note: Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.

A user configuration is a unique collection of settings, password policies, and applications that you apply to users associated with an Active Directory hierarchy (organizational unit or an individual user) or Active Directory group (except for distribution groups and Domain Local groups in Active Directory mixed mode, which are not supported). A user configuration enables you to control the behavior and appearance of the agent software for users. See Default User Configuration Properties on page 56.

User configurations set your user information, application definitions, password policies, and identity verification methods. You must also specify license information (license server and license type) in each user configuration. Therefore, your users cannot use the agent software until you establish their user configuration settings.

Before you create your user configurations, ensure that you already created or defined the following:

- Your central store
- Optional service modules
- Application definitions
- Password policies
- Security questions (optional)

User configurations consist of the following:

- Users associated with an Active Directory domain hierarchy (organizational unit or individual user) or group.
- Data protection methods (see What Type of Smart Cards Are Used in My Enterprise? on page 50 and Do I Need to Use Identity Verification? on page 51).

- Application definitions you created, which you can combine into an application group when you create a user configuration.
- Password policies associated with any application groups. (While creating a user configuration, you can create one or more application groups to associate with a user configuration. You can also add an application group to a user configuration after you create the user configuration.)
- Self-service features (account unlock and password reset) and key management options (use of previous passwords, security questions you create for your users, and automatic key management).
- Settings for options such as Hot Desktop, credential provisioning, and application support.

Considerations

If you need to apply the same user configuration settings to a different group of users, duplicate the user configuration in the console and modify the settings accordingly.

How you organize your Password Manager user environment might affect how user configurations operate. That is, you associate user configurations in your Password Manager environment with an Active Directory hierarchy (OU or users) or an Active Directory group. If you use both (hierarchy and group) and a user is located in both containers, the user configuration associated with the hierarchy takes precedence and is the one used. This scheme is considered a mixed environment.

The user configuration information maintained in the central store takes precedence over information stored in the local store (that is, user data stored on a user's PC). The local store user data is mostly used when the central store is not available or offline.

Default User Configuration Properties

The following table shows the properties associated with a user configuration. The default setting follows each property; where the original table shows no default, the value is marked (blank). The Your Custom Setting column of the original table is left blank for you to record your own values.

Agent User Interface
  Display computer name in notification icon tooltip: No
  Set the default columns and column order shown in Logon Manager: Application Name, Description, Group, Last Used, Modified, Password, URL/module, Username ID
  Show notification icon: Yes
  Specify the length of time the agent delays credential submission: 0

Application Support
  Detection of client-side application definitions: All applications
  Enable support for terminal emulators: No
  Number of domain name levels to match: 99
  Time interval in which the agent checks the terminal emulator for changes: 3000 milliseconds

Basic Agent Interaction
  Allow users to pause agent: Yes
  Allow users to reveal passwords in Logon Manager: No
  Automatically detect applications and prompt user to store credentials: Yes
  Force re-authentication before revealing user passwords: Yes
  Submit application credentials automatically: Yes
  Time between agent re-authentication requests: 8 hours

Client-side Interaction
  Delete user's data folder and registry keys when the agent is shut down: No
  Enable users to cancel credential storage when a new application is detected: Yes
  Enforce password matching during initial credential setup: Yes
  Limit the number of days to keep track of deleted credentials: 180 days
  Log Citrix Password Manager events using Windows event logging: No
  Redirect users to this location: (blank)

Data Protection Methods
  Allow Blank Passwords: No
  Allow Smart Card PINs: No
  Microsoft Data Protection API: No
  Regulate account administrator access to data: Yes
  Smart Card Certificate: No
  Smart Card key source: Smart Card Data Protect
  Users authentication data: Yes

Hot Desktop
  Enable session indicator: Yes
  Lock time-out: 10 minutes
  Session indicator graphic path: (blank)
  Session settings script path: (blank)
  Session time-out: 5 minutes

Key Management Module
  Service location: (blank)

Licensing
  Concurrent user disconnected mode period: 1 hours 30 minutes
  Enable concurrent user disconnected mode period: No
  License model: Concurrent user
  License server name and port number: server:
  Named user disconnected mode period: days

Provisioning module
  Enable provisioning service: No
  Provisioning service location: (blank)

Secondary Data Protection
  Identity verification method: Previous Password

Self-Service Features
  Reset password: No
  Unlock account: No

Synchronization
  Allow agent to operate when unable to reconnect to central store: Yes
  Allow users to update agent settings: Yes
  Notify user when agent synchronization fails: Yes
  Synchronization server: (blank)
  Synchronize every time users launch recognized application or Logon Manager: No
  Time between automatic synchronization requests: 0 minutes

Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop)

Note: Hot Desktop: A Shared Desktop Environment for Users on page 275 describes how to configure Hot Desktop.

The Hot Desktop feature allows users to share workstations efficiently and securely. With Hot Desktop, you get the convenience of fast user switching in addition to single sign-on capability through Password Manager. Before you can implement Hot Desktop, however, you must:

- Create Hot Desktop-related user configurations
- Configure a Hot Desktop shared account
- Edit the scripts that define which applications run on Hot Desktop devices and their startup and shutdown behavior

Hot Desktop functionality is not installed by default; you can select it during the initial agent installation process. You can also upgrade existing agent deployments to use Hot Desktop.

Note: If you deploy Hot Desktop in an environment where users log on with smart cards and your selected smart card key source is DPAPI with Profile, do not select Prompt user to enter the previous password as the only key recovery method for those users. Users in such an environment cannot enter the correct previous password and, consequently, are irretrievably locked out of the system. To avoid this problem, select the automatic key management option or make question-based authentication available as an option.

This section describes the following topics:
- Controlling Applications on page 60
- The Hot Desktop User Experience on page 60

Controlling Applications

With Hot Desktop, users can authenticate quickly using their Windows account credentials or a smart card strong authenticator. As the administrator, you can configure Hot Desktop to launch applications in the Hot Desktop environment so your users do not have to search for and wait for their applications to launch. You can also configure Hot Desktop to help ensure that all applications terminate properly, leaving behind a clean environment for the next user session. See Controlling How Applications Behave for Hot Desktop Users on page 283.

The Hot Desktop User Experience

When the shared account logs on, it places the device into fast user switch mode, which causes a standard Windows authentication prompt to appear on the screen. The shared account remains logged on regardless of Hot Desktop user activity. When users authenticate, they do not log on to Hot Desktop in the traditional sense. Instead, Hot Desktop uses their Windows credentials to start a Hot Desktop session. Because users are not truly logging on but simply authenticating, time-consuming events normally associated with logging on, such as applying group policy, initializing printers, and so on, do not occur. This creates the fast user-switching experience when running Hot Desktop. A user can start a session, perform any job-related tasks, and end the session so the next user can enter the system and do the same. The switch from user to user occurs quickly and efficiently.

The Password Manager Agent launches when the Hot Desktop session starts. After the session is established, Hot Desktop accesses the user's Windows account credentials to launch applications using the standard shell interface. Typically, these lightweight client applications prompt users for their credentials, which can be supplied by the agent using settings associated with their Windows account. See Hot Desktop Start Up and Shut Down Process Flow on page 278.

Selecting Optional Password Manager Service Features

The Password Manager Service is a Web service that uses Secure Sockets Layer (SSL) to encrypt the data shared by the Password Manager Service, the console, and the agent. It uses a dedicated Web server to host the optional features included in Password Manager. Install the Password Manager Service if you plan to implement one or more of the following modules:

- Self-Service, which allows users to reset their Active Directory passwords and unlock their accounts from the Account Self-Service button in the Windows Logon dialog box
- Data Integrity, which digitally signs data before it is transmitted from the central store to the agent software
- Key Management, which allows users to log on to the network and have immediate access to applications managed by Password Manager without needing to verify their identities through question-based authentication
- Provisioning, which allows you to use the console to add, remove, or update credential information for your users
- Credential Synchronization, which allows users to synchronize their credentials among different accounts (also known as Account Association)

Important: The server that hosts the Password Manager Service contains highly sensitive user-related information. Citrix recommends that you use a dedicated server and that you place the server in a physically secure location.

Account Self-Service

Note: You can use the Account Self-Service feature only in an Active Directory environment to allow your users to reset their primary password or unlock their Windows domain accounts.

You can configure the self-service features of Password Manager to allow your users to reset their primary password or unlock their Windows domain accounts without intervention by administrative or help desk staff. Depending on your needs, you can implement one or both of the self-service password reset and account unlock features securely in your Password Manager environment.

- Self-Service Password Reset allows users who forgot their primary password to reset their password and unlock their own accounts.
- Account Unlock allows your users to unlock their domain accounts when a lockout event occurs.

These account features are protected by Question-Based Authentication to help ensure that your users are authorized to reset their passwords or unlock their accounts. See Do I Need to Use Identity Verification? on page 51.

With Account Self-Service enabled, users must enroll, a process that requires them to answer the security questions you create and select. These security questions are then presented to users when they need to reset their password or unlock their account. When the questions are answered correctly, users are allowed to reset their password or unlock their account.

You can also use Account Self-Service with Web Interface. Web Interface is a component of Citrix Presentation Server that allows users to access their published applications by clicking links on a Web page.

Data Integrity

Note: If you already implement a security framework that protects data in transit, such as IPsec (Internet Protocol Security) or SMB (Server Message Block) signing, you do not need to install the Data Integrity Module.

Install the Data Integrity Module if you want to ensure that data transmitted among the Password Manager components is provided by a trusted and authorized source. This module is optional and is designed for users who have non-trusted networks.

The Data Integrity Module contains the public and private key files used for signing the data. It uses RSA public key cryptography to ensure that the agent software obtains configuration data provided by an authorized source only.

Important: The Data Integrity Module never distributes its private key.

After the console signs the data, the console sends both the data and the signature to the central store. The agent receives the data and signature from the central store during synchronization. The agent then contacts the Password Manager Service to obtain a copy of the public key it needs to verify the signature it received from the central store.

If the agent is configured to use the Data Integrity Module, it never accepts configuration data that failed the data integrity check. If a check fails, the agent logs the event and displays an error message telling users to contact their administrator directly. The agent software then defaults to previous configurations or returns to an offline state.
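The sign-then-verify flow just described, as an added Go example that is not Citrix's code: an IntegrityService stands in for the Data Integrity Module and the Password Manager Service (it holds the key pair, signs on behalf of the console and hands out only the public key), and an Agent applies a configuration only when the signature verifies, keeping its previous configuration otherwise. The RSA key size, SHA-256 digest, PKCS#1 v1.5 signature scheme and the sample configuration text are assumptions; the module's actual formats are not described on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedConfig is what the agent fetches from the central store during synchronization:
// the configuration data together with the console's signature over it.
type SignedConfig struct {
	Data      []byte
	Signature []byte
}

// IntegrityService stands in for the Data Integrity Module: it holds the RSA key pair,
// signs data on behalf of the console, and distributes nothing but the public key.
type IntegrityService struct {
	key *rsa.PrivateKey
}

// NewIntegrityService generates a fresh key pair (the 2048-bit size is this example's choice).
func NewIntegrityService() (*IntegrityService, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &IntegrityService{key: key}, nil
}

// Sign is the console-side step: hash the configuration data and sign the digest.
// The private key never leaves the service.
func (s *IntegrityService) Sign(data []byte) (SignedConfig, error) {
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, s.key, crypto.SHA256, digest[:])
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Data: append([]byte(nil), data...), Signature: sig}, nil
}

// PublicKey is the only key material the service hands out; the agent requests it
// when it needs to verify a signature it received from the central store.
func (s *IntegrityService) PublicKey() *rsa.PublicKey {
	return &s.key.PublicKey
}

// ErrIntegrity is returned when the check fails; the agent would log the event, tell
// the user to contact the administrator, and keep its previous configuration.
var ErrIntegrity = errors.New("data integrity check failed: contact your administrator")

// Agent keeps the configuration it last accepted so it can fall back to it.
type Agent struct {
	Current []byte
}

// Synchronize applies a configuration only if its signature verifies under the
// public key obtained from the service; rejected data is never applied.
func (a *Agent) Synchronize(pub *rsa.PublicKey, cfg SignedConfig) error {
	digest := sha256.Sum256(cfg.Data)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], cfg.Signature); err != nil {
		return ErrIntegrity
	}
	a.Current = append([]byte(nil), cfg.Data...)
	return nil
}

func main() {
	svc, err := NewIntegrityService()
	if err != nil {
		panic(err)
	}
	// Constructed sample configuration data; real agent settings are not modelled here.
	cfg, err := svc.Sign([]byte("SubmitCredentialsAutomatically=Yes"))
	if err != nil {
		panic(err)
	}
	agent := &Agent{}
	fmt.Println("genuine data:", agent.Synchronize(svc.PublicKey(), cfg))

	// Data altered in the central store no longer matches the signature.
	tampered := cfg
	tampered.Data = []byte("SubmitCredentialsAutomatically=No")
	fmt.Println("tampered data:", agent.Synchronize(svc.PublicKey(), tampered))
	fmt.Printf("agent still uses: %s\n", agent.Current)
}
```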

Key Management

With Key Management, users log on to the network and have immediate access to applications managed by Password Manager without using question-based authentication (this scheme is also known as automatic key management). When users change their primary passwords, the agent detects these password changes and recovers the users' encryption keys using the Password Manager Service.

This automatic key management provides users with the easiest and fastest access to their applications. However, automatic key management does not protect against access by an unauthorized user or an administrator impersonating a user, because there is no user secret to protect the user's network password. To help prevent this potential problem, implement automatic key management in combination with the Account Self-Service Module and question-based authentication. Automatic key management uses key splitting (the process of dividing a private key into two parts) to help reduce security threats.

Important: Depending on the security policy your organization implements, system administrators might be able to access passwords for applications managed by Password Manager. Check your organization's security policy before allowing Password Manager to handle passwords that users want to keep completely private. Clearing automatic key management features in the Data Protection Methods setting in the user configuration can also help prevent this unauthorized access. See User Impersonation on page 72, Select Data Protection Methods on page 212, and Select Secondary Data Protection on page 215 for more information.

Provisioning

Note: Using Provisioning to Automate Credential Entry on page 261 describes the provisioning process.

Provisioning (also known as credential provisioning) adds to the flexibility and functionality of Password Manager within your organization's environment by allowing you to automate a number of time-consuming processes. Whether you are rolling out a new installation of Password Manager, adding several hundred new users and new applications, or simply clearing out unneeded information, credential provisioning gives you the ability to complete these tasks quickly.

For example, you can use credential provisioning to add all user names and passwords for all of your applications to the central store. Doing so eliminates the need for first-time users of the agent software to go through the process of Initial Credential Setup. Additionally, if you plan to roll out new software to your users, you simply create an application definition for the application and use credential provisioning to add the credentials for all users who will use the application.

Using credential provisioning, you can:

- Add, modify, and delete credentials in the central store
- Reset user credential information
- Remove users and their application credentials from Password Manager

Credential provisioning is achieved by using information about your environment to create a template that you can use to add, remove, or change credential information in your central store. Credential provisioning is processed as part of the Password Manager Service.

Credential Synchronization (Account Association)

See Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise on page 40 and Synchronizing Credentials by Using Account Association on page 217.

Account Association allows a user agent to log on to any application from one or more Windows accounts. Because Password Manager typically binds user credentials to a single account, the credential information is not automatically synchronized among multiple accounts that a user owns. However, administrators can configure Account Association to synchronize user credentials. Users with Account Association configured have access to all applications from any of their accounts in their Password Manager environment. When user credentials are changed, added, or removed from one account, the credentials are automatically synchronized with each of the user's associated accounts.

Password Manager Agent Deployment Scenarios

How you decide to implement Password Manager depends on how users access applications in your enterprise. For example, if you are running a Presentation Server environment, you can publish the Password Manager agent on each server in your farm that is currently hosting applications requiring authentication. Users access these applications through their Citrix connections.

If users run applications locally on their workstations, laptops, handheld computers, or other client devices, the agent is installed on these devices. The agent software in this case provides credentials and access to applications running locally on the client device.

You can also implement the agent in a mixed environment, with local applications and applications published on computers running Presentation Server. The locally installed agent provides credentials to the applications installed on the client device and the Presentation Server-based agent provides credentials to the published applications. If you are also running Access Gateway Advanced Edition, applications are available from Presentation Server through a Web browser.

Password Manager can be used with the following:
- Access Gateway Advanced Edition
- Citrix Presentation Server features such as:
  - Web Interface
  - 32-bit Windows Citrix Presentation Server clients

Presentation Server Considerations

When you use Password Manager in a Presentation Server environment, you must install the agent software on each server that publishes applications that require authentication. The agent software provides credentials for published applications only.

Install the console on a desktop or server that is not a member of the server farm. This desktop or server should run the same operating system as each server on which the applications are published or the same operating system as each server where the agent software will be installed. Use this console to create user configurations to control the agent behavior.

Users access the published applications in the server farm through ICA connections using a client. When a user tries to connect to a published application that requires credentials, the agent recognizes the request for authentication sent by the server running Presentation Server. The agent determines the application type (Windows, Web, or host-based) and retrieves the appropriate credentials from the local credential store stored in the user's profile.

Access Gateway Considerations

Note: For more information about Access Gateway, see the Access Gateway Advanced Edition Administrator's Guide.

In an enterprise that includes Access Gateway Advanced Edition, users can access applications hosted on the server farm running Presentation Server by using one of the following:
- Program Neighborhood CDA
- Embedded Application CDA
- Website Viewer CDA
- Add/Launch menus
- Content redirection

If users need to access applications on servers running Presentation Server and content (CDAs) in the access server farm, the agent must be installed on each client device. This implementation allows the agent software on the server running Presentation Server to detect and submit logon and password change events for published applications, while the local agent handles applications from the access server farm and locally installed applications. The central store location is kept in the local registry of the client device. When the agent launches, it accesses the central store and connects to it using the user's current credentials.

Consider the following when using Password Manager with Access Gateway:
- Each CDA instance that requires authentication must be defined as an individual Web application definition in the Password Manager Console.
- Users can move CDAs around on a page and Password Manager recognizes them with no adverse effects. However, CDAs that are added to a page, copied, or moved from one page to another (or one folder to another) require the creation of a new Web application definition.
- If you export an access center to another server, the CDAs are recognized as the same CDAs as those in the original access center.

- If you want Password Manager to handle authentication to a CDA, you need to disable the auto-logon feature in that CDA's Advanced Configuration wizard.
- When generating application definitions for Access Gateway, define the Submit button.
- Modified CDAs redeployed using Access Gateway require the creation of new Web application definitions.
- If you are using Secure Access Manager 2.0 and you define a Web application definition for the Login CDA, synchronize the setting to the agents. Users are automatically logged back on to Secure Access Manager when they attempt to log off. To end this loop, users must close their browsers when they log off. To prevent this authentication loop, make sure you are using at least Secure Access Manager 2.0 Service Pack 1 or alter the CDA to include a logoff tag.

Guidelines for Multiple Primary Authentication and User Credential Protection Choices

When you create a user configuration, you can select user credential protection methods depending on the authentication schemes you use in your enterprise. The following user configuration property pages enable you to tune the Password Manager Agent behavior and the credential data protection method used when users implement one or more primary authentication methods.

Note: Creating a User Configuration: the User Configuration Wizard on page 200 describes how to create a user configuration. Select Data Protection Methods on page 212 and Select Secondary Data Protection on page 215 provide more information about these choices.

- Data Protection Methods Page on page 71
- Secondary Data Protection Page on page 71
- Security Versus Usability on page 71
- User Name and Password on page 73
- Smart Cards with Certificates and User Authentication Data on page 74
- Smart Cards with PINs on page 75
- Roaming Profiles (Microsoft DPAPI) on page 76
- Blank Passwords on page 77

Data Protection Methods Page

The user configuration Data Protection Methods properties page enables you to select single or multiple primary authentication data protection methods. Additionally, you can regulate administrator access to user credential data to help prevent administrators from impersonating a user and gaining unauthorized access to user information.

Secondary Data Protection Page

For added security when users change their primary authentication (for example, a domain password is changed or a smart card is replaced), the user configuration Secondary Data Protection properties page enables you to require users to reauthenticate and verify their identities before unlocking their application credentials.

Security Versus Usability

Two key questions to ask when deciding which options to choose on these two user configuration property pages are:
- Which authentication types are used in my environment for the users I am administering in this user configuration?
- How can I balance security requirements for the enterprise and usability for all users?

Consider also that the following choices are not mutually exclusive and that you can use a mix of them in your enterprise (that is, multiple primary authentication). Your decision is ultimately based on your need for security versus ease of use for your enterprise users.

User Impersonation

If you want to disallow administrator access to user credentials, select Yes for the following option. Credentials are protected against administrators seeking to impersonate a user and gain access to user information.

Do you need to regulate account administrator access to user data?

Yes is the default setting for the Data Protection Methods page. With this configuration, the account or other administrator does not have access to user passwords or user data. This setting helps prevent an administrator from impersonating a user. The administrator cannot log on as the user with this default setting and possibly access data located in the user's local credential store. The Yes setting disables the use of the Microsoft Data Protection API option on this page and the Do not prompt users; restore primary data protection automatically option on the following Secondary Data Protection page. Smart cards and roaming profiles are not allowed in this case, and credentials are not restored automatically upon a password change without authentication or verification.

Select No if you want to allow use of all the multiple authentication features available from this page and the Secondary Data Protection page (including the ability to restore credentials automatically without reauthentication or identity verification).

User Name and Password

The simplest implementation is the default setting for the Data Protection Methods page: a password-only environment. The default setting lets your users simply employ their user name and password while protecting their credentials against unauthorized access by administrators.

Important: The security of this setting choice depends on the relative strength of your domain password policy. The stronger (or more complex) the password requirement, the more secure this choice is.

Option: Do you need to regulate account administrator access to user data?
Description: See User Impersonation on page 72.

Option: Users authentication data
Description: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a password. Password security can be derived from the user's typed domain password or a one-time password from token, proximity, or biometric devices.

Smart Cards with Certificates and User Authentication Data

Important: This option is not supported by Versions 4.0 and 4.1 of the Password Manager Agent. Select Use data protection as in previous versions of Password Manager and Smart Card Data Protect if you plan to use these legacy agents. See Select Data Protection Methods on page 212.

Use this option if you combine smart cards with embedded certificates or digital signatures and user authentication data in your enterprise. Combining smart cards with a user name and password for authentication is the most secure choice for protecting user authentication data. If you are also storing roaming profiles on workstations, see Roaming Profiles (Microsoft DPAPI) on page 76 for the required option selection.

Note: Select the Smart Card Certificate option if you use smart cards with Hot Desktop.

Option: Do you need to regulate account administrator access to user data?
Description: See User Impersonation on page 72.

Option: Users authentication data
Description: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a password.

Option: Smart Card Certificate
Description: Selected. In this case, the user secret is protected by the encryption and decryption provided by the card's security certificate.

Smart Cards with PINs

Note: If you plan to use legacy agents (Versions 4.0 and 4.1 of the Password Manager Agent), this option is supported when you select Use data protection as in previous versions of Password Manager and PIN as Password.

If you use smart cards that do not support security certificates as the primary authenticator in a Windows domain, or you do not use roaming profiles, use the Allow Smart Card PINs option. When you select this option, the encryption keys used to protect secondary credentials are derived from the smart card PIN.

Consider enforcing the use of a strong PIN. In some enterprises, smart card PINs are four-digit numbers that do not provide as strong a level of protection as, for example, an eight-character password and might be more vulnerable to attack. Citrix recommends that you use the PIN as password option only if your organization enforces a smart card PIN policy that requires a mixture of letters and numbers, and requires a minimum length of eight characters.

Option: Do you need to regulate account administrator access to user data?
Description: See User Impersonation on page 72.

Option: Users authentication data
Description: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a personal identification number (PIN).

Option: Allow Smart Card PINs
Description: Selected. Allow the Smart Card PIN to be used as the user secret for protection. Use this only if your enterprise or environment has a strong PIN policy.

Roaming Profiles (Microsoft DPAPI)

Note: This method is supported by Versions 4.0 and 4.1 of the Password Manager Agent and is supported on Windows XP, Windows 2000, and Windows 2003 Server platforms. Select Use data protection as in previous versions of Password Manager and DPAPI with Profile if you plan to use legacy agents.

Select No in response to Do you need to regulate account administrator access to user data? to enable the use of roaming profiles and the Microsoft Data Protection API in your environment. This option is the next-most secure option after Smart Cards with Certificates and User Authentication Data on page 74.

Select this option if you are using roaming profiles implementing a Kerberos network authentication protocol for users. This option works only if roaming profiles are available. If you are storing roaming profiles on workstations, you must select this option.

Password Manager derives the encryption keys that protect secondary credentials from the user's primary password. However, if a user uses a smart card for primary authentication, a primary password does not exist and cannot be used. In this case, the best agent option is Microsoft Data Protection API. This option uses the Microsoft DPAPI to derive encryption keys and protect secondary credentials. This encryption mechanism uses the user's Windows or domain credentials to derive the encryption keys.

If users employ passwords to access their PCs and a Kerberos network authentication protocol to access servers running Citrix Presentation Server, select:
- No in response to Do you need to regulate account administrator access to user data?
- Users authentication data
- Microsoft Data Protection API

This method also allows the use of user credentials and smart cards to log on. See Smart Cards with Certificates and User Authentication Data on page 74.

Blank Passwords

Important: If you do not select this option and a blank password is allowed in your environment, the agent software does not derive a user secret or otherwise perform any data protection with the blank password.

Allowing the use of a blank password should be considered a special case and should only be used in low security environments that require extreme ease of use. One scenario is when a common PC or workstation is placed on a factory floor and is accessed by many users. You can still use Password Manager to control access to applications but the user credentials to access the workstation include a blank password.

Option: Do you need to regulate account administrator access to user data?
Description: See User Impersonation on page 72.

Option: Users authentication data
Description: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a password.

Option: Allow protection using blank passwords
Description: Selected. When you select this option and the agent software detects that the user has a blank password, a user secret for data protection is derived from the user ID.


CHAPTER 3 Installing Password Manager

This section describes the pre-installation, installation, and configuration tasks required to successfully install Citrix Password Manager:
- Summary of Installation Steps on page 80
- Hardware and Software Requirements on page 81
- Security and Account Requirements for Password Manager Service on page 84
- Account Requirements to Install and Use Password Manager on page 88
- Installing the Microsoft .NET 2.0 Framework on page 89
- Installing the Java Runtime Environment on page 90
- Licensing Requirements on page 93
- Before You Install Password Manager on page 95
- Creating a Central Store on page 98
- Optional: Creating a Central Store from a Command-Line on page 101
- Installing and Configuring the Password Manager Service on page 108
- Installing and Configuring the Password Manager Console on page 112
- Installing and Configuring the Password Manager Agent on page 114
- Silent Installation of Password Manager Agent on page 120

Summary of Installation Steps

Pre-Installation

Task: Choose the computers in your environment where you will install the software.
See: Planning Your Password Manager Environment on page 29; Hardware and Software Requirements on page 81

Task: Prepare the computers for installation.
See: ASP.NET Requirements on page 83; Security and Account Requirements for Password Manager Service on page 84; Installing the Microsoft .NET 2.0 Framework on page 89; Installing the Java Runtime Environment on page 90

Task: Install the license server and add licenses for Password Manager.
See: Licensing Requirements on page 93; Citrix Access Suite Licensing Guide, available in the Documentation folder on the product CD

Installation

Task: Review the Autorun menu.
See: Before You Install Password Manager on page 95

Task: Create a central store.
See: Which Central Store Type Should I Choose? on page 33; Creating a Central Store on page 98

Task: Install the Password Manager Service.
See: Installing and Configuring the Password Manager Service on page 108

Task: Install the Password Manager Console.
See: Installing and Configuring the Password Manager Console on page 112

Task: Install the Password Manager Agent.
See: Installing and Configuring the Password Manager Agent on page 114

Hardware and Software Requirements

Important: Do not install Password Manager on a domain controller. Installation of any Password Manager component (agent, service, console, or central store) on a domain controller is not supported.

This section describes the hardware and software requirements for your Password Manager environment. This section assumes that each computer meets the minimum hardware requirements for the installed operating system.

Supporting System Software Requirements

Computers in your Password Manager environment might require the following supporting system software.

Software Component: Microsoft Windows Installer 3.0 or later
Required By: All
Available From: Support folder on the Password Manager CD

Software Component: Microsoft .NET Framework 2.0
Required By: Password Manager Service; Password Manager Console; Application Definition Tool
Available From: Support folder on the Password Manager CD

Software Component: Java 2 Standard Edition (J2SE) runtime environment version 5.0
Required By: If you require Java application support: Password Manager Console; Application Definition Tool; Password Manager Agent
Available From: Support folder on the Password Manager CD

Software Component: Microsoft Internet Explorer Version 6.0 or 7.0 (nonprotected mode)
Required By: Users accessing SSO-enabled Web applications

Password Manager Console and Agent Requirements

This table shows the software and hardware requirements for the Password Manager Console and Agent.

Note: You can install the Password Manager Application Definition Tool on any computer in your environment without having to install the full console.

Component: Password Manager Central Store
Supported Environment or Microsoft Windows Operating System with the Latest Service Pack: Active Directory; NTFS File Share; Novell Shared Folder
Additional Hardware Requirements: 30KB disk space per user

Component: Password Manager Console
Supported Environment or Microsoft Windows Operating System with the Latest Service Pack: Microsoft Windows 2000 Professional; Microsoft Windows XP Professional (32-bit); Microsoft Windows 2000 Advanced Server with Service Pack 4; Microsoft Windows 2003 Server Enterprise Edition (32-bit) with Service Pack 1
Additional Hardware Requirements: 64MB RAM; 60MB disk space

Component: Password Manager Agent
Supported Environment or Microsoft Windows Operating System with the Latest Service Pack: Microsoft Windows 2000 Professional; Microsoft Windows XP Professional (32-bit and 64-bit); Microsoft Windows XP Embedded; Microsoft Windows 2000 Advanced Server with Service Pack 4; Microsoft Windows 2003 Server Enterprise Edition (32-bit and 64-bit) with Service Pack 1
Additional Hardware Requirements: 10MB RAM; 25MB disk space (if optional features such as Hot Desktop and so on are not installed); 35MB disk space (if optional features such as Hot Desktop and so on are installed)

Component: Password Manager Application Definition Tool
Supported Environment or Microsoft Windows Operating System with the Latest Service Pack: Same as Password Manager Agent
Additional Hardware Requirements: Same as Password Manager Agent

Note: Hot Desktop is not supported on 64-bit Microsoft Windows operating systems.

Password Manager Service Requirements

This table shows the hardware and software requirements for the Password Manager Service.

Important: The server that hosts the Password Manager Service contains highly sensitive user-related information. Citrix recommends that you use a dedicated server and that you place the server in a physically secure location. The Password Manager Service software modules also have special account and security requirements. See Security and Account Requirements for Password Manager Service on page 84.

Component: Password Manager Service
Supported Environment or Microsoft Windows Operating System with the Latest Service Pack: Microsoft Windows 2003 Enterprise Edition Server (32-bit) with Service Pack 1
Additional Hardware Requirements: 128MB RAM; 30MB disk space; ASP.NET (Application Server components available)

ASP.NET Requirements

Make sure the ASP.NET Windows component is installed on your Windows 2003 Server computer.
1. Open the Control Panel and click Add or Remove Programs.
2. Click Add/Remove Windows Components and select Application Server.
3. Click Details to verify if ASP.NET is installed. If the ASP.NET checkbox is selected, it is installed. If the ASP.NET checkbox is not selected, it is not installed.
4. If ASP.NET is not installed, select it and click Next. Click Finish when the installation is complete.

Security and Account Requirements for Password Manager Service

Before you install the Password Manager Service, ensure that the appropriate accounts and components are available to support the service. Also, because the service uses secure HTTP (HTTPS), the service requires a server authentication certificate for Secure Sockets Layer (SSL) communication with the console and agent software.

Server Authentication Certificate Requirement

Note: When you install the Password Manager Service, Password Manager creates signing and validation certificates to authenticate the information in the central store. These certificates are not related to the required SSL certificate.

Before you install the service, obtain a server authentication certificate for SSL communication from a Certificate Authority (CA) or, if you have an existing Public Key Infrastructure (PKI), download your own certificate to the service server. An SSL certificate is necessary to ensure secure communication from the service to the console and agent software, and to guarantee that the agent and console are communicating with the correct service server. Because this certificate is used for SSL communication, the certificate common name must match the service server's fully qualified domain name (FQDN). Specify a minimum key size of

You must install the certificate in your local computer certificate store and establish the appropriate trust relationships for the console and the agent. You must install this certificate on the service, console, and agent workstations.

In a load balancing or clustered service environment, you can use one certificate for multiple service servers if the common name of the SSL certificate uses a wildcard (typically an asterisk character) in it. For example, you can use an SSL certificate with a common name of server*.mycompany.com for an environment with servers named server1.mycompany.com, server2.mycompany.com, and server3.mycompany.com. You could also use an SSL certificate with a common name of *.mycompany.com in this case, where the common name does not match the server FQDN. See To Configure the Password Manager Service(s) on page 109 for information describing how to configure this scenario.
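One way to confirm, before rolling the certificate out to the service, console, and agent workstations, that every service server's FQDN is actually covered by the certificate common name under the rules above (added example, not Citrix code; the server names are the guide's sample names and cn_matches_fqdn/check_farm are assumed helper names):

```python
"""Check Password Manager service server FQDNs against an SSL certificate
common name (CN), including the wildcard forms the guide describes.

Added example, not Citrix code. Assumes the CN has already been read out of
the certificate as a string; the sample farm below is constructed.
"""
import re


def cn_matches_fqdn(common_name: str, fqdn: str) -> bool:
    """Return True if `fqdn` is covered by `common_name`.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * with no wildcard, the CN must equal the FQDN exactly;
      * a single '*' is honoured only in the leftmost label, where it stands
        for one or more characters of that one label, so
        'server*.mycompany.com' covers 'server1.mycompany.com' and
        '*.mycompany.com' covers 'server1.mycompany.com', but neither covers
        'a.b.mycompany.com' or the bare 'mycompany.com';
      * a wildcard anywhere else in the name is rejected.
    """
    cn = common_name.strip().lower().rstrip(".")
    host = fqdn.strip().lower().rstrip(".")
    if not cn or not host:
        return False
    if "*" not in cn:
        return cn == host

    cn_labels = cn.split(".")
    host_labels = host.split(".")
    # Wildcard permitted only in the leftmost label, and only once there.
    if any("*" in label for label in cn_labels[1:]):
        return False
    if cn_labels[0].count("*") != 1:
        return False
    # The wildcard never spans a dot, so label counts and all labels to the
    # right of the wildcard must agree exactly.
    if len(cn_labels) != len(host_labels):
        return False
    if cn_labels[1:] != host_labels[1:]:
        return False
    # Turn e.g. 'server*' into the anchored regex ^server.+$ for label 0.
    prefix, suffix = cn_labels[0].split("*")
    pattern = "^" + re.escape(prefix) + ".+" + re.escape(suffix) + "$"
    return re.match(pattern, host_labels[0]) is not None


def check_farm(common_name: str, servers) -> dict:
    """Map each server FQDN to whether the CN covers it.

    A False entry is the 'certificate does not match the server name' case,
    worth ruling out before suspecting a missing root CA in the trust store
    when agents or consoles report SSL failures.
    """
    return {server: cn_matches_fqdn(common_name, server) for server in servers}


if __name__ == "__main__":
    # Constructed sample farm using the guide's example server names plus a
    # console workstation that a 'server*' certificate should not cover.
    farm = [
        "server1.mycompany.com",
        "server2.mycompany.com",
        "server3.mycompany.com",
        "console.mycompany.com",
    ]
    for cn in ("server*.mycompany.com", "*.mycompany.com", "server1.mycompany.com"):
        print(cn, check_farm(cn, farm))
```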

Important: If you obtain your certificate from an authority that is not trusted by default (such as a certificate authority installed in your company), you need to install the root authority certificate to your local computer's trusted root certificate store to establish the trust relationship. If users are experiencing SSL failures, it is most likely because the server certificate is not trusted. Refer to the Microsoft Web site for instructions about extracting and deploying CA root certificates.

Accounts Required for Service Modules

The Password Manager Service can require up to three system account types to read and write data as it operates in your environment:
- Service account (required for all services except Credential Synchronization)
- Data proxy account
- Self-service account

The number and type of accounts required depend on the service modules you choose to use. The table shows the accounts required by each module of the service. In cases where different modules require the same type of account, you can use the same account for multiple modules or you can specify different customized accounts for each module.

Module                       Service   Data Proxy   Self-Service
Data Integrity               Yes       No           No
Key Management               Yes       Yes          No
Provisioning                 Yes       Yes          No
Self-Service                 Yes       Yes          Yes
Credential Synchronization   Yes       No           No

Service Account Requirements

On the server running the Password Manager Service, use the following accounts to run the service.

Operating System: Windows 2003 Server
Account Specification: Use the existing Network Service or Local Service accounts.

Note: If you choose to create a domain account as the service account, you must register a service principal name for this domain account and the service computer in Active Directory by using the setspn.exe utility. See the Microsoft Web site for more information about service principal names. You cannot specify a local user account as the service account in this version of Password Manager. You can specify the built-in Local Service account.

Data Proxy Account Requirements

On the server running the Password Manager Service, create an account with the following settings, to be used for data proxy communication with the service. The account requires read and write access to the central store. The account requirements depend on the central store type you are implementing.

Central Store Type: NTFS Network Share
Account Description: The account:
- Requires read and write access to the central store.
- Is a member of the domain.
- Is a member of the service server's local Administrators group.
- Is a member of the central store server's local Administrators group.
After you create the central store:
- Grant the account Full Control sharing permissions to the CITRIXSYNC$ share.
- Grant the account Full Control permissions to the CITRIXSYNC folder and its subfolders: the CentralStoreRoot folder and the People folder.
- Ensure that the Authenticated Users group has the right to create folders inside the People folder.

Central Store Type: Active Directory
Account Description: The account:
- Requires read and write access to the central store.
- Is a member of the domain administrator group.
- Is a member of the service computer's local Administrators group.

Note: You cannot use the Password Manager Service if your central store type is a Novell Shared Folder.

Self-Service Requirements

If you are using the Self-Service Password Reset or Self-Service Account Unlock features of the Account Self-Service Module, use an account that is a member of the domain administrators group.

Account Requirements to Install and Use Password Manager

The following section describes the account requirements for those users installing and using Password Manager components.

Installing and Using Password Manager Service

The user installing the service and running the Service Configuration wizard must be a member of the domain (a Domain User) and a member of the local Administrators group on the service computer (add a domain user account to the local Administrators group). The domain user account does not need to be a domain administrator.

Installing and Using Password Manager Console and Application Definition Tool

The user installing the console, performing a console discovery and configuration operation, and using the console must be a domain administrator and a member of the local Administrators group on the console workstation. This user account must have read and write access to the central store. A non-administrator user account can be assigned the right to manage the console and its related functions through Active Directory delegation or constrained delegation.

Installing and Using Password Manager Agent

The user installing the agent software must be a member of the domain (a Domain User) and a member of the local Administrators group on the agent computer. The domain user account does not need to be a domain administrator. The user running the agent software must be a member of the domain (a domain user).

Installing the Microsoft .NET 2.0 Framework

This section describes how to install the Microsoft .NET 2.0 framework from the Password Manager CD. You must install this framework on any computer in your environment where you plan to install the following:
- Console
- Service
- Application Definition Tool

Important: Citrix has included the .NET 2.0 framework version required for Password Manager installation on the Password Manager CD. Use this version and do not install any subsequent versions of the .NET framework (if available). Always read the readme.htm file located in the Documentation folder on the CD and check the Citrix Web site ( for updates and late-breaking information. If you inadvertently install a subsequent version, attempts to start the Password Manager Console might fail.

Installing .NET 2.0 Side By Side with .NET 1.1

You can install .NET 2.0 on a workstation or server that also includes .NET 1.1. This installation is known as a side by side installation of the framework. You do not need to uninstall the .NET 1.1 framework from any computer where you plan to install the following Password Manager features:
- Console
- Service
- Application Definition Tool

Note: If you are upgrading the console software, see Microsoft .NET Versions 1.1 and 2.0 on page 128.

To Install Microsoft .NET

1. Insert the CD into the CD-ROM drive on the computer where you plan to install the Console, Service, or Application Definition Tool.
2. Perform one of the following steps:
   - If autorun is enabled, the Citrix Password Manager installation screen appears. Click Browse This CD to open Windows Explorer.
   - If autorun is disabled, open Windows Explorer and navigate to the CD-ROM drive.
3. Open the Support folder and then open the DotNet20 folder.
4. Perform one of the following:
   - For 32-bit systems, open the x86 folder, open the appropriate language folder (for example, open the en folder to install the English version of the framework), and then click the dotnetfx.exe file.
   - For 64-bit systems, open the x64 folder, open the appropriate language folder (for example, open the en folder to install the English version of the framework), and then click the dotnet.exe file.
5. Click Run in the Security Warning window.
6. Click through the installation dialog windows to install the .NET 2.0 framework.
7. Click Finish to complete the installation.

Installing the Java Runtime Environment

Password Manager supports the Java Runtime Environment (JRE), Version 5.0 update 9 (also known as JRE Version 1.5, update 9). This version is located on the product CD in the Support\JRE15009 subfolder and is also available from the Sun Microsystems Web site. You can install it on computers where you install the following:
- Console
- Application Definition Tool
- Agent software

If You Install or Upgrade the JRE after Installing the Console, Application Definition Tool, or Agent Software

If you install or upgrade the JRE after installing the console, Application Definition Tool, or agent software, use the Control Panel to update the Password Manager software installed on that computer. This procedure associates the current JRE with these Password Manager components. See also Troubleshooting a Java-Related Error Message During Agent Software Installation or Uninstallation on page 91.

To Associate the JRE with Password Manager

1. Click Start > Settings > Control Panel.
2. Click Add or Remove Programs.
3. Select one of the following and click Change:
   - Citrix Password Manager Console
   - Citrix Password Manager Agent
   - Citrix Password Manager Application Definition Tool
4. In the setup dialog, select Repair and click Next twice.
5. Click Finish when the console is successfully repaired.

Troubleshooting a Java-Related Error Message During Agent Software Installation or Uninstallation

You might see the following error message when you attempt to install or uninstall the agent software:

    Citrix Password Manager has detected that one or more Java software programs or files are currently in use. Please close all programs and stop all Java-related services before continuing.

Typically, this error occurs if you are installing the agent software on a computer that is also running a Web server service such as Apache Tomcat, Apache HTTP Server, or others. This error might also appear if you are installing the agent software on a computer running Citrix Presentation Server with the License Management Console installed. In this case, perform the following steps:

1. Stop the service.

2. Install or uninstall the agent software.
3. Restart the service.

Licensing Requirements

Citrix recommends that you install the license server and add licenses before installing Password Manager. For details about licensing requirements, terms, and installation, see the Getting Started with Citrix Licensing Guide, available in the Documentation folder of your product CD.

Disconnected Mode

Note: This mode is set as part of a user configuration. See Configure Licensing on page 210.

If you have users who will be disconnected from the license server for extended periods of time, such as mobile users with laptops, you must specify a disconnected mode period for these users. The disconnected mode period is specified as part of the licensing settings in an agent's user configuration. The disconnected mode period specifies two important aspects of licensing behavior:

- The amount of time the user can be disconnected from the license server without entering the licensing grace period. When the disconnected mode period expires, the users employing the associated user configuration lapse into the licensing grace period, which is 30 days.
- The amount of time until a checked-out license that is being used in disconnected mode is returned to the pool of available Password Manager licenses on the license server, regardless of whether the product reconnects to the license server. If a license is checked out and the disconnected mode period associated with that license expires before the license is checked in, the license server automatically checks the license back in so that the license is available again. For example, if a laptop running Password Manager is lost and never reconnects with your organization's network, the license server automatically checks the license back in at the end of the disconnected mode period. When you set the disconnected mode period, you are actually specifying how long you want to wait until the license is returned to the pool of available licenses.
Citrix recommends that you set long disconnected mode periods for users who do not connect to your organization's network regularly, such as sales personnel who work remotely. Set the period to be the longest amount of time you anticipate users in this configuration could be away from your network. However, keep in mind that you cannot retrieve any checked-out licenses, even from lost or broken equipment, for the duration of this period.

Managing a Mixed License Type Environment

Depending on your Password Manager environment and enterprise needs, you might have purchased both named user and concurrent user Password Manager licenses. For example, you might create user configurations based on the named user license model for mobile users who use the agent software through a desktop computer and a laptop computer. You might also create user configurations based on the concurrent license model for Hot Desktop users, for example. In some cases, all of your named user licenses might be in use, making Password Manager unavailable for some users. If so, you can use any available concurrent user licenses in your user configuration to be consumed offline.

To Employ Available Concurrent Licenses to be Used Offline

1. Create a user configuration as described in Creating a User Configuration: the User Configuration Wizard.
2. On the Configure Licensing page, select Concurrent User License (Enterprise Edition Only).
3. Select Enable Disconnected Mode Period and set the amount of time the license can be checked out from the license server. See Disconnected Mode on page 93.
4. Finish setting the user configuration.

For users associated with this user configuration, the license model behaves the same as a named user license: it can be consumed by users who might occasionally work remotely and be offline for periods of time. Concurrent user licenses are then consumed on a per-user basis.

Before You Install Password Manager

Note: See Account Requirements to Install and Use Password Manager on page 88.

Use autorun to perform Password Manager tasks such as creating a central store or installing Password Manager components. After you insert the product CD into your CD-ROM drive, the autorun installation options screen appears. If it does not automatically appear:

1. Open Windows Explorer and select the CD-ROM drive.
2. Click Autorun.exe.

Installation Order

The suggested installation order of Password Manager is as follows:

- License Password Manager (see Licensing Requirements on page 93).
- Create your central store.
- Install the Password Manager Service if you want to use one or more of the following modules:
  - Key management
  - Self-service
  - Provisioning
  - Credential synchronization
  - Data integrity

  Note: If you decide to install the Data Integrity Module at a later date or after installing the console and agent, you must digitally sign your existing central store data by using the data signing tool CtxSignData.exe. (This tool is available after you install the Data Integrity Module.) Conversely, if you uninstall the Data Integrity Module, you must unsign your central store data. See Enabling and Disabling the Data Integrity Service on Password Manager Agent Software for information about signing data.

- Install the Password Manager Console on one or more computers in your environment.

- Install the Application Definition Tool on one or more computers in your environment when you need to create application definitions only.
- After configuring Password Manager features in the console, install the Password Manager agent on each user computer in your environment. You can also deploy the agent software as a published application in a Citrix Presentation Server environment.

Where Can I Install Each Password Manager Component?

Important: Do not install the service and agent on the same computer. Do not install Password Manager on a domain controller. Installation of any Password Manager component (agent, service, console, or central store) on a domain controller is not supported. Also, see Account Requirements to Install and Use Password Manager on page 88.

You can install the service, console, and agent software in any of the following allowed combinations or scenarios:

- You can install the service and console on the same computer.
- You can install the console and agent on the same computer.
- You can install the agent on any computer or client device in your environment for access to locally installed SSO-enabled applications.
- You can install the console and Application Definition Tool on any computer in your environment.
- For testing purposes, you can install the console and the agent on the same computer so that you can verify that changes you make at the console are reflected on the agent.
- You can deploy the agent software in a Citrix Presentation Server environment. In this case, the agent submits or provides credentials for Presentation Server published applications only (not applications installed locally on the user workstation or client device).

Important: The server that hosts the Password Manager Service and central store contains highly sensitive user-related information. Citrix recommends that you use a dedicated server and that you place the server in a physically secure location.

Creating a Central Store

The following procedures assume that the Password Manager CD is loaded on the computer that you chose to host the central store and that the autorun screen appears. Before you create a central store, make sure that you read the following topics:

- Planning Your Password Manager Environment, Which Central Store Type Should I Choose? on page 33
- Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise on page 40
- Before You Install Password Manager on page 95

Note: If you want to specify custom parameters for your central store, you can choose to create the central store from a command line. See Optional: Creating a Central Store from a Command Line on page 101.

To Create an NTFS Network Share Central Store

1. Click Step 2: Create your central store.
2. Click Create your central store in an NTFS network share.
3. Click Yes in the confirmation dialog window. A command window appears.
4. After the central store is created successfully, press any key to close the command window.

An NTFS network share folder is now created as C:\CITRIXSYNC$.

Note: If you have users who are not administrators on the file servers but need to manage Password Manager folders, you can add them to the root shared folder and allow them full control. You must also add those users to the People folder and the CentralStoreRoot folder, because those folders do not inherit access rights from the root shared folder. Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.

To Create a Novell Shared Folder Central Store

Note: Ensure that you are creating this central store from a computer where the Novell client is installed. Also, agent software running on 64-bit computers cannot connect to Novell shared folder central stores.

1. Click Step 2: Create your central store.
2. Click Create your central store in a Novell shared folder.
3. Click Yes in the confirmation dialog window. A command window appears.
4. At the PATH: prompt, type a UNC path to the NetWare server, volume, and folder(s) you want to create. For example: \\NW5SRV\DATA\CITRIXSYNC.
5. After the central store is created successfully, press any key to close the Windows command window.

A Novell shared folder is now created.

To Create an Active Directory Central Store

Note: Ensure that the current server is part of the Active Directory domain and that the current user is a member of the Schema Administrators group and the Domain Administrators group. Ensure that the Active Directory Schema Master is configured to allow updates.

1. Click Step 2: Create your central store.
2. Click Create your central store in your Active Directory domain.
3. Click Step 1: Extend your Active Directory schema for the new directory objects.
4. Click Yes in the confirmation dialog window. A command window appears.
5. After the schema is extended successfully, press any key to close the command window.

   Note: Before you complete the next step, ensure that the schema extension propagated to all domain controllers throughout your Active Directory environment.

6. Click Step 2: Create your central store in the extended schema.
7. Click Yes in the confirmation dialog window. A command window appears.
8. After the schema is extended successfully, press any key to close the command window.

The Active Directory central store is now created. Also see Choosing an Active Directory Central Store on page 35.

Optional: Creating a Central Store from a Command Line

The Password Manager installation process enables you to create a central store from a command prompt by using the command line. Creating a central store from the command line enables you to use custom parameters instead of the default parameters available from the Password Manager installation screen. The following table shows the central store types and the associated utilities. These utilities are located in the Tools folder on the Password Manager CD.

Utility: Active Directory Schema Extension Utility
File name: CtxSchemaPrep.exe
Use and description: Use to create an Active Directory central store. Extends your Active Directory schema for use with Password Manager.
See: Creating an Active Directory Central Store on page 102

Utility: Active Directory Domain Preparation Utility
File name: CtxDomainPrep.exe
Use and description: Use to create an Active Directory central store. Updates the permissions of the Active Directory domain root to allow users to create Password Manager objects under their User object.
See: Creating an Active Directory Central Store on page 102

Utility: File Synchronization Setup Utility
File name: CtxFileSyncPrep.exe
Use and description: Use to create an NTFS network share central store.
See: Creating an NTFS Network Share Central Store on page 104

Utility: File Synchronization Setup Utility for Novell NetWare
File name: CtxNWFileSyncPrep.exe
Use and description: Use to create a Novell publicly accessible shared folder central store.
See: Creating a Novell Shared Folder Central Store on page 106

Creating an Active Directory Central Store

Creating an Active Directory central store is a two-step process:

1. Extend your Active Directory schema for use with Password Manager.
2. Update the permissions of the Active Directory domain root to allow users to create Password Manager objects under their User object.

Note: Ensure that the Active Directory Schema Master is configured to allow updates.

To Create the Central Store Automatically from a Command Line

Step 1: Extend the Active Directory Schema

1. Using an account with Schema Admins group credentials, log on to a server in the Active Directory domain.
2. Verify that the computer that has the Schema Master role is configured to allow schema updates.
3. From a command prompt, access the /Tools directory on the product CD.
4. Type CtxSchemaPrep.exe.
5. Ensure that schema changes are completely propagated to all domain controllers in the enterprise before continuing.

Step 2: Update Domain Root Permissions

1. Before continuing, ensure that the schema changes made in Step 1 are completely propagated to all domain controllers in the enterprise.
2. Using an account with Domain Admins group credentials, log on to a computer that resides in the domain that you want to configure.
3. From a command prompt, access the /Tools directory on the product CD.
4. Type CtxDomainPrep.exe [distinguished name]

   where:

   distinguished name
   Relative distinguished name (DN) of the organizational unit (OU) on which to set the permissions. This DN is appended to the DN of the domain root. By using this option, you can specify an OU to set permissions at the OU level rather than the domain root level. This technique limits Password Manager use to the OU specified. For example:

       CtxDomainPrep.exe OU=Employees

   sets the permissions on OU=Employees,DC=your domain,DC=com.

5. Follow the instructions on-screen to finish creating the central store.

Creating an NTFS Network Share Central Store

The NTFS File Synchronization setup utility CtxFileSyncPrep.exe automatically creates the folders you need for your central store. It creates the shared folder, the CentralStoreRoot folder, and the People folder with the correct sharing and security permissions. Ensure the following:

- The central store must belong to the same domain as the workstations or computers running Presentation Server where the agent software is installed.
- Run CtxFileSyncPrep.exe on the server that hosts the NTFS network share.

Note: If you have users who are not administrators on the file servers but need to manage Password Manager folders, you can add them to the root shared folder and allow them full control. You must also add those users to the People folder and the CentralStoreRoot folder, because those folders do not inherit access rights from the root shared folder. Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.

To Create an NTFS Network Share Central Store Automatically from a Command Line

1. From a command prompt on the server that will host the NTFS network share, access the /Tools directory on the product CD.
2. Type CtxFileSyncPrep [/path:pathname] [/share:sharename]

   where:

   /path:pathname
   Specifies the pathname for the NTFS network share on the local server. If you use this parameter, the pathname must be located on the local server. If you do not specify /path:pathname, this command creates the central store in %SystemDrive%\CITRIXSYNC.

   /share:sharename
   Specifies the share name for the NTFS network share on the local server. If you do not specify /share:sharename, this command creates the central store share as CITRIXSYNC$.

The CentralStoreRoot folder and the People folder are created with appropriate sharing and security permissions. Your shared folder is now ready to be used for synchronization.
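The notes above warn that the People and CentralStoreRoot folders do not inherit access rights from the root shared folder. The following PowerShell check is an added example, not a Citrix tool: it reports whether a given group holds Full Control on all three folders and whether that grant is explicit or only inherited. It assumes the CtxFileSyncPrep defaults (%SystemDrive%\CITRIXSYNC shared as CITRIXSYNC$); the group name is a placeholder.

```powershell
# Added verification script (not part of Citrix Password Manager).
# Reports, for the root share folder, CentralStoreRoot, and People, whether
# $Principal has an Allow/FullControl ACE and whether that ACE is explicit.
# Assumptions: default path and share name from CtxFileSyncPrep; the group
# name below is a placeholder to replace with your own group.
param(
    [string]$StorePath = (Join-Path $env:SystemDrive 'CITRIXSYNC'),
    [string]$ShareName = 'CITRIXSYNC$',
    [string]$Principal = 'CONTOSO\PM-Folder-Admins'   # placeholder group
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

$folders = @(
    $StorePath,
    (Join-Path $StorePath 'CentralStoreRoot'),
    (Join-Path $StorePath 'People')
)

# 1. The share itself must be published. 'net share' lists one share per
#    line starting with the share name, on every Windows version in scope.
$shareListed = (net share) -match ('^' + [regex]::Escape($ShareName) + '\s')
if (-not $shareListed) {
    Write-Warning "Share $ShareName is not listed by 'net share'."
}

# 2. Inspect the NTFS ACL of each folder. Because People and CentralStoreRoot
#    do not inherit from the root folder, an ACE that is only inherited on the
#    root is not enough: each folder needs its own explicit grant.
$results = foreach ($folder in $folders) {
    if (-not (Test-Path -Path $folder)) {
        [pscustomobject]@{ Folder = $folder; Exists = $false; FullControl = $false; ExplicitGrant = $false }
        continue
    }
    $acl = Get-Acl -Path $folder
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $fullControl) -eq $fullControl)
    })
    $explicit = @($aces | Where-Object { -not $_.IsInherited })
    [pscustomobject]@{
        Folder        = $folder
        Exists        = $true
        FullControl   = ($aces.Count -gt 0)
        ExplicitGrant = ($explicit.Count -gt 0)
    }
}

$results | Format-Table -AutoSize

$problems = $results | Where-Object { -not $_.Exists -or -not $_.FullControl }
if ($problems) {
    Write-Warning ("$Principal lacks Full Control on: " + ($problems.Folder -join ', '))
} else {
    Write-Host "$Principal has Full Control on the root share folder, CentralStoreRoot, and People."
}
```

Run the script on the file server itself with an account that can read the folder ACLs; a FullControl of True with ExplicitGrant of False on People or CentralStoreRoot indicates the grant was inherited from elsewhere rather than set on the folder as the note requires.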

Creating a Novell Shared Folder Central Store

The Novell Shared Folder setup utility CtxNWFileSyncPrep.exe automatically creates the folders you need for your central store. It also creates the shared folder, the CentralStoreRoot folder, and the People folder with the correct sharing and security permissions.

Considerations

- Because the agent uses a Windows password, the use of Novell NetWare file synchronization requires that users' Novell password be identical to their Windows password.
- The central store must be located in the same tree as the computers where the agents are installed.
- Users must log on to a Novell tree where the shared folder is located. Users must also have accounts with read access permissions to the Novell NetWare shared folder you designate as the central store.
- Any users without supervisor rights who need to manage Password Manager folders can be added to the root synchronization folder as a Trustee with all rights. This addition grants them the required access to all other folders and files under the root synchronization folder.

Important: Citrix recommends that you do not use the system volume to host the shared folder. The system volume typically has a limited amount of space available. As data is written to the central store, the system volume could possibly reach capacity, causing your Password Manager environment (and possibly your Novell NetWare server) to stop functioning.

To Create a Novell Shared Folder Central Store Automatically from a Command Line

1. From a command prompt on the server that will host the Novell shared folder, access the /Tools directory on the product CD.
2. Type CtxNWFileSyncPrep /path:\\netware server\volume\folder [allowsysvol]

   where:

   /path:\\netware server\volume\folder
   Required parameter that specifies the UNC path to the NetWare server, volume, and central store folder to be created. Do not use an existing folder, because this utility creates the folder. For example: /path:\\nw5srv\data\citrixsync

The CentralStoreRoot folder and the People folder are now created with appropriate sharing and security permissions. Your shared folder is ready to be used for synchronization.

Installing and Configuring the Password Manager Service

Selecting Optional Password Manager Service Features on page 61 describes each Password Manager Service module that you can install. After you install the service, the Service Configuration wizard runs so that you can configure and enable the service. The installation and configuration workflow is as follows:

1. Acquire and install an SSL certificate on the service, console, and agent computers. See Security and Account Requirements for Password Manager Service on page 84.
2. Create the account type required by the service(s) you are going to install. See Accounts Required for Service Modules.
3. Install the service(s). See Before You Install Password Manager on page 95.
4. Complete the Service Configuration wizard.

The following procedures assume that the Password Manager CD is loaded on the computer that you have chosen to host the service and that the autorun screen appears.

To Install the Service Modules

1. Click Step 3: Install administrative components.
2. Click Step 2: Install Password Manager Service (if applicable).
3. Click Next, accept the license agreement, and click Next again.
4. In the Select Modules window, select the modules you want to install:
   - Key Management
   - Data Integrity
   - Provisioning
   - Self-service
   - Credential Synchronization
5. Click Next. You can click Back if you want to change your choice of modules.
6. Click Install.
7. Click Finish.

The Service Configuration wizard is now launched.

To Configure the Password Manager Service(s)

Note: The Service Configuration wizard is launched after you successfully install one or more service modules. After initial configuration, you can run the wizard at any time by clicking Start > Programs > Citrix > Password Manager > Service Configuration. The Welcome screen lists any service modules detected as installed.

1. Click Next in the Service Configuration Welcome screen.
2. In the Configure Service screen, specify the following:

   Connection Setting
   Specify the port number for the service connection. The default port is 443. See Password Manager Service Port Number on page 111.

   SSL Certificate
   Select the SSL certificate installed on the service computer to use for communication with client devices. Select the Display Long Name check box to show the LDAP information contained in the certificate.

   Virtual host name
   Use default value is selected by default if the SSL certificate name and virtual host name match. The virtual host name must match the SSL certificate name. The virtual host name is the machine name that was visible to users when the certificate was created and might not be the actual machine name. For example, the certificate name might include a wildcard (asterisk character), or an upper- or lowercase domain name whose case does not match the certificate's domain name. This setting is useful in a load-balanced or clustered service environment. See Security and Account Requirements for Password Manager Service on page 84.

   Account Credentials
   Select the local computer account to use for the service. Typically, you can select the Network Service account. See Service Account Requirements.

3. Click Next. The Create signing certificate screen appears.

4. Perform one of the following:
   - If the wizard detects a signing certificate, click Next.
   - If the signing certificate does not exist, specify a signing certificate expiration time, in months. The default expiration time is 12 months. Click Next.
5. Select the central store that you created in Creating a Central Store on page 98 and click Next.

   Note: If you created an NTFS network share or Novell shared folder central store, type the UNC path to the share.

6. Type the user name, password, and domain of the data proxy account used to communicate with the central store and click Next. See Data Proxy Account Requirements.
7. Select one of the following options and click Next:

   I do not plan to use the Data Integrity module in this environment
   Select this option if you do not require your central store data to be digitally signed and written securely. Select this option also if you did not install the Data Integrity Module.

   I plan to use the Data Integrity module in this environment
   Select this option if you do require your central store data to be digitally signed and written securely and you selected this service module to be installed. Type the name of the computer hosting the Data Integrity Module. Select a port for the service. The default port number is 443. See Password Manager Service Port Number on page 111.

   Note: If you decide to install the Data Integrity Module at a later date or after installing the console and agent, you must digitally sign your existing central store data by using the data signing tool CtxSignData.exe. This tool is available after you install the Data Integrity Module. Conversely, if you uninstall the Data Integrity Module, you must unsign your central store data. See Enabling and Disabling the Data Integrity Service on Password Manager Agent Software for information about signing data.

8. Perform one of the following:
   - If you installed the Self-Service module, the account credentials screen appears. Type the credentials for this feature and click Next. See Self-Service Requirements on page 87.
   - If you did not install the Self-Service module, click Next.

   The Service Configuration wizard displays the properties sheet for your service module configuration. Click Back to correct or change any information.

9. Click Finish to commit the service configuration information. Click Finish again to close the Applying Settings dialog windows.

Password Manager Service Port Number

The default Password Manager Service port number is 443. When you configure the Password Manager Service as described in To Configure the Password Manager Service(s) on page 109, you can use any other available port on the service server if port 443 is already in use. This port number is used by Password Manager to access each service module you install. If you install one or more service modules later, make sure that you use the port number that you specified when you first installed the service. The service cannot run on multiple ports; if you specify the wrong port, Password Manager might later display error messages of the form "cannot communicate or connect with the Password Manager Service". Also remember to specify the correct service port number when using the Data Integrity Signing Tool on the command line.
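The virtual host name rule in step 2 above (the name must match the SSL certificate name, which may contain a wildcard or differ in case) can be checked before the wizard is run. The following PowerShell script is an added example and is not part of the Citrix Service Configuration wizard; the thumbprint and host name are placeholders, and the assumption that a wildcard covers exactly one DNS label is the script's own, not a statement from the guide.

```powershell
# Added pre-check (not part of Citrix Password Manager): does a proposed
# virtual host name match the subject CN or a DNS Subject Alternative Name
# of the service computer's SSL certificate? Comparison is case-insensitive
# and a leading "*." wildcard is honoured for one label (an assumption).
# Placeholders: replace the thumbprint and host name with your own values.
param(
    [string]$VirtualHostName = 'pmservice.contoso.example',   # placeholder
    [string]$Thumbprint      = 'THUMBPRINT-PLACEHOLDER'       # placeholder
)

function Test-HostNameMatchesCertName {
    param([string]$CertName, [string]$HostName)
    $c = $CertName.Trim().ToLowerInvariant()
    $h = $HostName.Trim().ToLowerInvariant()
    if ($c -eq $h) { return $true }
    if ($c.StartsWith('*.')) {
        # "*.contoso.example" matches "pmservice.contoso.example" but not
        # "a.b.contoso.example": same number of labels, same suffix.
        $suffix = $c.Substring(1)
        return ($h.EndsWith($suffix) -and ($h.Split('.').Count -eq $c.Split('.').Count))
    }
    return $false
}

function Get-CertificateHostNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject common name (the "certificate name" the wizard compares against)
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # DNS entries of the Subject Alternative Name extension (OID 2.5.29.17),
    # taken from Windows' single-line text rendering "DNS Name=a, DNS Name=b".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($part in ($san.Format($false) -split ',')) {
            if ($part -match 'DNS Name=(.+)$') { $names += $matches[1].Trim() }
        }
    }
    return ($names | Select-Object -Unique)
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

$certNames = Get-CertificateHostNames -Cert $cert
$matched   = $certNames | Where-Object { Test-HostNameMatchesCertName -CertName $_ -HostName $VirtualHostName }

"Certificate names : $($certNames -join ', ')"
"Virtual host name : $VirtualHostName"
if ($matched) {
    "OK: the virtual host name matches certificate name '$($matched | Select-Object -First 1)'."
} else {
    Write-Warning "The virtual host name matches no name in the certificate; the wizard requires a match."
}
```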

Installing and Configuring the Password Manager Console

You can install the console on any computer in your environment. If you want to use Password Manager in a multiple domain environment with multiple central stores, you can install the console on any computer in the domain. Install the Application Definition Tool on any computer in your environment if you want to create application definitions in standalone mode, without needing to install the console.

The following procedures assume that the Password Manager CD is loaded on the computer that you have chosen to host the console and that the autorun screen appears.

To Install the Password Manager Console

1. Click Step 3: Install administrative components.
2. Click Step 3: Install Password Manager Console.
3. Click Next, accept the license agreement, and click Next again. The Install Type screen appears.
4. Select one or more of the following components to install and click Next:

   Console
   Select this option to install the console, required to create and manage policies, application definitions, user configurations, and so on.

   Application Definition Tool
   Select this option to install the tool that enables you to create application definitions without needing to start or use the full console. You can install this tool in standalone mode, on computers where the console is not or cannot be installed.

   Citrix Access Suite Console - Licensing
   Select this option to help manage your licensing from the console. This option enables you to add a shortcut to the license server.

   Citrix Access Suite Console - Diagnostics
   Select this option to help Citrix Support troubleshoot console issues.

5. Click Next and click Finish when the installation is complete.

You can now configure the console.

To Configure the Password Manager Console

Note: The first time you open the console after installation, it performs a discovery operation and enables you to configure the console settings. After this initial step is completed, you can perform a discovery operation and change the configuration settings at any time by clicking Start > Programs > Citrix > Management Consoles > Access Management Console and clicking Configure and run discovery in the Common Tasks area.

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console. The Configure and run discovery screen appears.
2. Click Next. The Select Products or Components screen appears.
3. Click Citrix Resources to select Configuration Tools and Password Manager and click Next.
4. Select the central store type that you previously created and click Next.

   Note: If you created an NTFS network share or Novell shared folder central store, type the UNC path to the share. If you are running discovery as part of an upgrade to Version 4.5 and your central store type is an NTFS network share, you will be prompted to upgrade the central store. Click OK to upgrade or Cancel to exit. If you do not upgrade your central store at this time, you can use only previous versions (4.0 and 4.1) of the console to work with the central store.

5. Perform one of the following:
   - If you installed the Data Integrity Module and enabled it during the service configuration, select the check box, type the server name and port number in the text fields, and click Next.
   - If you installed the Data Integrity Module and do not want to enable it, leave the check box cleared and click Next. Make sure that you first disabled it through the Service Configuration wizard on the service computer. See To Configure the Password Manager Service(s) on page 109.

   The Preview Discovery screen with the configuration summary appears.

6. Click Next to start discovery.

7. When discovery is successfully completed, click Finish.

The console is now configured for use. You can now use the console to set up your Password Manager environment and ultimately distribute the agent software to users.

Installing and Configuring the Password Manager Agent

Note: For testing purposes, you can install the console and the agent on the same computer so that you can verify that changes you make at the console are reflected on the agent.

Important: Ensure that you create user configurations before installing the agent software on user desktops. If you install the agent software without performing the tasks listed in Getting Started on page 31, users might see an error message when the agent software launches. Also, agent software running on 64-bit computers cannot connect to Novell shared folder central stores.

The Password Manager Agent is designed to run on client devices: desktop and laptop computers, handheld computers, and other devices. The agent software in this case provides credentials and access to applications running locally on the client device. You can also publish the agent software on a computer running Citrix Presentation Server. The agent software in this case provides credentials and access to published applications.

Users can use the agent software to access local applications even when they are not connected to a network. User credentials are synchronized when users reconnect to your enterprise network.

When you install the agent software using the Autorun option provided on the Password Manager CD, the installation software detects your operating system (32- or 64-bit) and installs the appropriate agent.

This section describes the following topics:

- Installation Scenarios on page 115
- Considerations on page 116
- Preserving the GINA Chain When Installing the Agent on page 116
- To Install the Password Manager Agent on a Local Client on page 117

115

- To Create an Agent Software Image for Network Installation on page 119
- Silent Installation of Password Manager Agent on page 120

Installation Scenarios

The following table shows some environments and schemes for installation:

Presentation Server and Access Gateway: Presentation Server and Access Gateway provide applications that users access through their Web browsers. Publish Password Manager Agent software on each server running Presentation Server.

Mixed Environment: Users access published applications as well as other local applications. Publish Password Manager Agent software on each server running Presentation Server and on each desktop. You can also use Installation Manager for Presentation Server to install the agent software.

Local Installation: Install Password Manager Agent software on a local client device. See To Install the Password Manager Agent on a Local Client on page 117.

Software Image for Network Installation: Create an installation image to be made available on your network. See To Create an Agent Software Image for Network Installation on page 119.

Silent Agent Installation: Use the Windows Installer options to install the agent. See Silent Installation of Password Manager Agent on page 120.

Access Client Package: You can use the Access Client Package to install the agent software. See the most recent Citrix Knowledge Base article for more information.

On client devices, the agent software notification icon indicates how it is being deployed:
- Agent software installed on a client device displays a notification icon of a key on a blue background.
- Agent software published on a computer running Presentation Server displays a notification icon of a key and computer on a blue background.

116

Considerations

- If you are performing a fresh installation of the Citrix Access Suite that includes Password Manager, install Password Manager Agent last.
- When you configure or change the location of the license server or any other parameter related to licensing, the changes are not applied to any agent software that is in use within your environment. You must shut down and restart the agent software to apply the changes.
- If you plan to use Hot Desktop in your environment as part of your agent installation, see The Hot Desktop User Experience on page 60.
- You must restart the device after you install the agent software so that the GINA DLL can be installed. See Preserving the GINA Chain When Installing the Agent on page 116 for more information about the GINA. The agent software will not run until the workstation is restarted. However, if you prefer that the workstation not be restarted immediately, you can suppress the restart action. To suppress the restart action, use the optional /norestart parameter with the Microsoft installer package msiexec command. To run the installer package with the suppress option, use the command:

  msiexec /norestart /i <path to msi file including the filename>

  For the complete list of Windows Installer options, from a command prompt on a workstation where the Windows Installer is installed, type:

  msiexec /?

Preserving the GINA Chain When Installing the Agent

Important: If you are performing a fresh installation of the Citrix Access Suite that includes Password Manager, install the Password Manager agent last. Software that uses a custom GINA might disrupt the GINA chain if it is installed after you install the Password Manager agent. This installation might prevent your users from logging on to the agent or accessing the workstation.

117

Graphical Identification and Authentication (GINA) is the Windows component that controls the dialog box that users see when they press the key combination CTRL+ALT+DEL. The dialog box collects the data needed to perform authentication. Presentation Server, Password Manager, and the Novell NetWare client all interact with or require the replacement of the Microsoft GINA dynamic link library (DLL). If you install any software that uses a custom GINA DLL, make sure that you do not disrupt the GINA chain. You might be required to install or uninstall software in a specific order to preserve proper GINA chaining. By installing the Password Manager Agent last, you ensure that the Password Manager GINA is called first by the Winlogon process.

To Install the Password Manager Agent on a Local Client

Note: If you plan to use Hot Desktop in your environment as part of your agent installation, see The Hot Desktop User Experience on page 60.

The following procedures assume that the Password Manager CD is loaded on the computer where you chose to install the agent software and that the autorun screen appears.

1. Click Step 4: Install the Password Manager agent software.
2. Click Install Password Manager agent. The Password Manager Agent Installation Wizard screen appears.
3. Click Next, accept the license agreement, and click Next again. The optional features screen appears.
4. Select one or more of the optional features to install and click Next:
   - Data integrity (if you installed this service).
   - Self-service.
   - Hot Desktop (this option requires an existing account to use as the Hot Desktop shared account. See Hot Desktop: A Shared Desktop Environment for Users on page 275).
   - Java support (this option installs the Password Manager support for the Java Runtime Environment already installed on the client).
   The Central Store Configuration screen appears.
5. Select the central store type, type its location, and click Next.

118

   The Specify Server Address screen appears.
6. Type the address and port number of the computer hosting the service and click Next. In the address text field, use the fully-qualified domain name of the service computer. The default port number is 443. See also Password Manager Service Port Number on page 111.
   If you selected Hot Desktop, the Hot Desktop Shared Account Configuration screen appears.
   Note: You cannot have Remote Desktop or Terminal Services running if you are using Hot Desktop. During a Hot Desktop installation, the installer resets the AllowMultipleSessions registry key value to
7. Type the user credentials for the Hot Desktop shared account and click Next. Specify the domain name to which the workstation belongs using the domain's NetBIOS name, not the fully qualified domain name (FQDN).
8. Click Install. You can click Back if you decide to change any settings or selections.
9. Click Finish to complete the installation.
10. Click Yes to restart the client device. You must restart the client device. See Considerations on page 116 and Preserving the GINA Chain When Installing the Agent on page 116.

119

To Create an Agent Software Image for Network Installation

Important: If you create an image from a 32-bit computer, this image can be installed on 32-bit computers. If you create an image from a 64-bit computer, this image can be installed on 64-bit computers.

You can install an image of the agent software on a network share using a utility available on the product CD. The utility creates an installation image of the Password Manager Agent that contains your custom parameters.

The following procedures assume that the Password Manager CD is loaded on the computer where you chose to install the agent software and that the autorun screen appears.

1. Click Step 4: Install the Password Manager agent software.
2. Click Create Password Manager agent installation image. The Password Manager Agent Installation Wizard screen appears.
3. Click Next.
4. In the Administrative Installation Package Creation screen, type the network share location for the image and click Next.
5. Select one or more of the optional features to install and click Next:
   - Data integrity (if you installed this service).
   - Self-service.
   - Hot Desktop (this option requires an existing account to use as the Hot Desktop shared account. See Hot Desktop: A Shared Desktop Environment for Users on page 275).
   - Java support (this option installs the Password Manager support for the Java Runtime Environment already installed on the client).
   The Central Store Configuration screen appears.
6. Select the central store type, type its location, and click Next. The Specify Server Address screen appears.
7. Type the address and port number of the computer hosting the service and click Next. In the address text field, use the fully-qualified domain name of the service computer. The default port number is 443. See also Password Manager Service Port Number on page 111.

120

   If you selected Hot Desktop, the Hot Desktop Shared Account Configuration screen appears.
   Note: You cannot have Remote Desktop or Terminal Services running if you are using Hot Desktop. During a Hot Desktop installation, the installer resets the AllowMultipleSessions registry key value to
8. Type the user credentials for the Hot Desktop shared account and click Next. Specify the domain name to which the workstation belongs using the domain's NetBIOS name, not the fully qualified domain name (FQDN).
9. Click Install. You can click Back if you decide to change any settings or selections.
10. Click Finish to complete the installation.

The setup.msi and supporting files are now installed in the network share location you specified.

Silent Installation of Password Manager Agent

You can install the Password Manager Agent silently from a command line by using the Windows Installer quiet mode option /quiet. Navigate to the product CD Agent folder to locate the Windows Installer setup.msi file to use.

For the complete list of Windows Installer options, from a command prompt on a workstation where the Windows Installer is installed, type:

  msiexec /?

The following table lists the Password Manager-specific options to use when installing Password Manager from a command line. Each option requires an equals sign (=) to set the value (for example, SSPR_SELECT=1 enables the Self-Service features).

121

Option: Description

SYNCPOINTTYPE
  Specifies the central store type. Specify FileSyncPath to use an NTFS network share central store. Specify ADSyncPath to use an Active Directory central store. Specify NovellSyncPath to use a Novell shared folder central store.

SYNCPOINTLOC
  Specifies the UNC path for the NTFS network share central store. Specify \\servername\foldername$ where servername is the name of the computer hosting the central store and foldername is the name of the shared folder. This option is not required for an Active Directory central store.

DI_SELECT
  Specify 1 to enable the Data Integrity feature.

SSPR_SELECT
  Specify 1 to enable the Self-Service feature.

SERVICEURL
  Specifies the URL of the service computer. Specify \\FQDN\MPMService, where FQDN is the fully qualified domain name of the service computer.

SERVICEURLPORT
  Specifies the port of the service server. The default port is 443. See also Password Manager Service Port Number on page 111.

/forcerestart
  Specify /forcerestart to shut down and restart the workstation after installation. A restart is required for agent software installation. Type msiexec /? for more options.

Hot Desktop-Specific Options
  See also Guidelines for the Hot Desktop Shared Account on page 280.

HD_SELECT
  Specify 1 to install Hot Desktop.

HD_USERNAME
  Specifies the Hot Desktop shared account user name.

HD_PASSWORD
  Specifies the Hot Desktop shared account password.

HD_DOMAIN
  Specifies the Hot Desktop shared account domain.

DISABLE_TERMINAL_SERVICE
  Specify 1 to disable Terminal Services, required for Hot Desktop operation.
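The options above are easy to get wrong in a deployment script, and a failed silent install leaves a workstation without a working agent. The following Python script is an added example (not Citrix code, and not part of this guide) that assembles the msiexec command line from the Password Manager-specific options in the table and checks, before anything is run, the combinations the guide says will not work: a missing or non-UNC SYNCPOINTLOC for a file share or Novell store, a 64-bit client with a Novell shared folder store, Hot Desktop without all three shared account values, an FQDN instead of a NetBIOS name in HD_DOMAIN, and Data Integrity without a service address. The dictionary keys (store_type, store_location, hot_desktop, and so on), the sample paths and the host names are this example's own choices, not installer properties.

```python
"""Assemble and check a silent Password Manager Agent install command line.

Added example, not Citrix code. It only uses the msiexec properties listed
in the guide's options table and the /quiet, /norestart and /forcerestart
Windows Installer switches the guide mentions.
"""
from __future__ import annotations

import subprocess

# Values the guide lists for SYNCPOINTTYPE.
CENTRAL_STORE_TYPES = ("FileSyncPath", "ADSyncPath", "NovellSyncPath")


def check_agent_install_options(opts: dict) -> list[str]:
    """Return the problems found in an option set (an empty list means OK).

    Keys used (this example's own names, not installer properties): msi,
    store_type, store_location, service_fqdn, service_port, data_integrity,
    self_service, hot_desktop (dict with user, password, domain), restart
    ('norestart' or 'forcerestart') and client_64bit.
    """
    problems: list[str] = []
    store_type = opts.get("store_type")
    if store_type not in CENTRAL_STORE_TYPES:
        problems.append("SYNCPOINTTYPE must be one of " + ", ".join(CENTRAL_STORE_TYPES))
    # Guide: 64-bit agent software cannot connect to Novell shared folder stores.
    if store_type == "NovellSyncPath" and opts.get("client_64bit"):
        problems.append("64-bit agent software cannot use a Novell shared folder central store")
    # SYNCPOINTLOC is a UNC path and is not required for an Active Directory store.
    if store_type in ("FileSyncPath", "NovellSyncPath"):
        if not (opts.get("store_location") or "").startswith("\\\\"):
            problems.append("SYNCPOINTLOC must be a UNC path such as \\\\servername\\foldername$")
    # The Data Integrity feature is served by the service computer, so the
    # agent needs its address (assumption based on the console configuration step).
    if opts.get("data_integrity") and not opts.get("service_fqdn"):
        problems.append("DI_SELECT=1 requires the service address (SERVICEURL)")
    if opts.get("restart", "norestart") not in ("norestart", "forcerestart"):
        problems.append("restart must be 'norestart' or 'forcerestart'")
    hd = opts.get("hot_desktop")
    if hd:
        for key in ("user", "password", "domain"):
            if not hd.get(key):
                problems.append(f"Hot Desktop shared account needs a {key}")
        # Guide: specify the domain's NetBIOS name, not the FQDN.
        if "." in (hd.get("domain") or ""):
            problems.append("HD_DOMAIN must be the NetBIOS domain name, not an FQDN")
    return problems


def build_agent_install_command(opts: dict) -> list[str]:
    """Return the msiexec argument list, or raise ValueError listing the problems."""
    problems = check_agent_install_options(opts)
    if problems:
        raise ValueError("; ".join(problems))
    restart = opts.get("restart", "norestart")  # a restart is still required later
    args = ["msiexec", "/quiet", f"/{restart}", "/i", opts["msi"],
            f"SYNCPOINTTYPE={opts['store_type']}"]
    if opts["store_type"] != "ADSyncPath":
        args.append(f"SYNCPOINTLOC={opts['store_location']}")
    if opts.get("data_integrity"):
        args.append("DI_SELECT=1")
    if opts.get("self_service"):
        args.append("SSPR_SELECT=1")
    if opts.get("service_fqdn"):
        # Format as given in the options table: \\FQDN\MPMService.
        args.append(f"SERVICEURL=\\\\{opts['service_fqdn']}\\MPMService")
        args.append(f"SERVICEURLPORT={opts.get('service_port', 443)}")
    hd = opts.get("hot_desktop")
    if hd:
        args += ["HD_SELECT=1", f"HD_USERNAME={hd['user']}",
                 f"HD_PASSWORD={hd['password']}", f"HD_DOMAIN={hd['domain']}",
                 "DISABLE_TERMINAL_SERVICE=1"]
    return args


def render_command(args: list[str]) -> str:
    """Quote the arguments the way the Windows command line expects."""
    return subprocess.list2cmdline(args)


if __name__ == "__main__":
    # Constructed sample values for an NTFS network share central store.
    sample = {
        "msi": r"\\deploy\pmagent\setup.msi",
        "store_type": "FileSyncPath",
        "store_location": r"\\fileserver\pmstore$",
        "service_fqdn": "pmservice.example.local",
        "data_integrity": True,
        "self_service": True,
    }
    print(render_command(build_agent_install_command(sample)))
```

The Hot Desktop password is passed in as data rather than written into the script so that the script itself can be kept in version control; the rendered command is what you paste into your deployment tooling.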

122

123 CHAPTER 4 Upgrading Password Manager

Important: Do not install Password Manager on a domain controller. Installation of any Password Manager component (agent, service, console, or central store) on a domain controller is not supported.

This section describes the tasks required to successfully upgrade Citrix Password Manager from previous versions to the current Version 4.5:
- Supported Upgrade Paths on page 123
- Summary of Upgrade Steps on page 124
- Before You Upgrade Password Manager on page 125
- Step 1 Upgrading the Password Manager Service on page 130
- Step 2 Upgrading the Password Manager Console on page 131
- Step 3 Upgrading the Password Manager Agent on page 133

Supported Upgrade Paths

You can upgrade Password Manager to version 4.5 from these versions:
- Password Manager 4.0
- Password Manager 4.1 (including any service packs or hotfixes)

Important: You can upgrade to Password Manager 4.5 from Versions 4.0 and 4.1 only. Version 2.5 is not supported as part of the upgrade path.

Citrix considers the previous Versions 4.0 and 4.1 as equivalent to Password Manager 4.5 Enterprise Edition for licensing purposes when you upgrade.

124

Summary of Upgrade Steps

Task: See This Section or Document

Before Upgrading
- Choose the computers in your environment where you will upgrade the software: Planning Your Password Manager Environment on page 29; Hardware and Software Requirements on page 81
- Prepare the computers for upgrade and export any administrative data; back up your central store; back up the process.xml file on each Hot Desktop workstation: Before You Upgrade Password Manager on page 125
- Install the license server and add licenses for Password Manager: Licensing Requirements on page 93; Citrix Access Suite Licensing Guide, available in the Documentation folder on the product CD-ROM

Upgrade
- Review the Autorun menu: Before You Install Password Manager on page 95
- Upgrade your central store: Which Central Store Type Should I Choose? on page 33; Step 2 Upgrading the Password Manager Console on page 131
- Upgrade the Password Manager Service: Step 1 Upgrading the Password Manager Service on page 130
- Upgrade the Password Manager Console: Step 2 Upgrading the Password Manager Console on page 131
- Upgrade the Password Manager Agent: Step 3 Upgrading the Password Manager Agent on page 133; Installing and Configuring the Password Manager Agent on page 114

125

Before You Upgrade Password Manager

Consider the following before you begin to upgrade your Password Manager environment.
- Upgrading Existing User Configurations on page 229
- Account Requirements to Install and Use Password Manager on page 88
- Using Autorun on page 126
- Upgrade Order on page 126
- If You Used the CtxMoveKeyRecoveryData Tool to Back Up Service Data
- Back Up the process.xml File (Hot Desktop Environments Only) on page 127
- Back Up Your Existing Central Store on page 127
- Upgraded Policies, Application Definitions, Questions/Questionnaires, and User Configurations on page 128
- Microsoft Web Services Enhancements on page 128
- Microsoft .NET Versions 1.1 and 2.0 on page 128

126

Using Autorun

Use autorun to perform Password Manager tasks such as creating a central store or upgrading Password Manager components. After you insert the product CD-ROM into your CD-ROM drive, the autorun options screen appears. If it does not display automatically:
1. Open Windows Explorer and select the CD-ROM drive.
2. Click Autorun.exe.

Upgrade Order

The suggested upgrade order of Password Manager is as follows:
- Install your licenses (see Licensing Requirements on page 93).
- Upgrade the Password Manager Service if you are using one or more of the following modules:
  - Key management
  - Self-service
  - Provisioning
  - Credential synchronization
  - Data integrity
  Note: You can also install additional modules at this time. Make sure you read Security and Account Requirements for Password Manager Service on page 84 before installing them. If you decide to install the Data Integrity Module at a later date or after installing the console and agent, you must digitally sign your existing central store data by using the data signing tool CtxSignData.exe. (This tool is available after you install the Data Integrity Module.) Conversely, if you uninstall the Data Integrity Module, you must unsign your central store data. See Enabling and Disabling the Data Integrity Service on Password Manager Agent Software for information about signing data.
- Upgrade the Password Manager Console on one or more computers in your environment.
- Upgrade or install the Application Definition Tool on one or more computers in your environment when you need to create application definitions only.

127

- After configuring Password Manager features in the console, upgrade or install the Password Manager Agent on each user computer in your environment.

If You Used the CtxMoveKeyRecoveryData Tool to Back Up Service Data

If you used the ctxmovekeyrecoverydata.exe tool to back up your service data, you must use this tool to restore or import the service data to the service computer. This tool was available in Password Manager Versions 4.0 and 4.1.

Important: You cannot use the Version 4.5 CtxMoveServiceData.exe tool to import any service data that was exported (backed up) by using the ctxmovekeyrecoverydata.exe tool. Service data corruption will occur if you attempt this. See Backing Up Password Manager Service Files on page 324.

Back Up the process.xml File (Hot Desktop Environments Only)

If you previously used the Hot Desktop feature, ensure that you back up the process.xml file, located in the C:\Program Files\Citrix\Metaframe Password Manager\HotDesktop folder on each Hot Desktop workstation. After you upgrade Password Manager, you can restore this file to each Hot Desktop workstation.

Back Up Your Existing Central Store

Citrix recommends that you back up your existing central store. Even though you cannot use a Version 4.0 or 4.1 central store with Password Manager 4.5, back up the central store in case you have to revert to your previously-installed version of Password Manager. You also cannot use a Version 4.5 central store with Password Manager Version 4.0 or 4.1.

Note: Password Manager Agent 4.0 and 4.1 can work with a Password Manager 4.5 central store. However, new features introduced in Version 4.5 are not available to those agent versions. Citrix recommends upgrading the agent software whenever possible to match the service and console versions. An upgrade helps ensure that users have access to the latest features and security enhancements.

128

Upgraded Policies, Application Definitions, Questions/Questionnaires, and User Configurations

Note: See Upgrading Existing User Configurations on page 229.

The first time you configure and run discovery in the upgraded console for Password Manager 4.5, you have the option to upgrade your central store (and the data in it). Existing policies, questions, questionnaires, application definitions, and user configurations are preserved. Citrix recommends that you upgrade all agent software to the latest version to provide users with access to updated features and enhanced security. Citrix also recommends that you consider modifying your policies, application definitions, and user configurations for the same reason.

Microsoft Web Services Enhancements

Password Manager 4.0 and 4.1 environments required that you install the Microsoft Web Services Enhancements (WSE) to support Microsoft .NET 1.1 and use the Password Manager Console. Password Manager 4.5 does not require WSE to be installed because it uses the Microsoft .NET 2.0 framework. However, your enterprise might include programs that require WSE to be installed, so you do not have to uninstall WSE to use Password Manager 4.5.

Microsoft .NET Versions 1.1 and 2.0

You can install .NET 2.0 on a workstation or server that also includes .NET 1.1. This installation is known as a side-by-side installation of the framework. You do not need to uninstall the .NET 1.1 framework from any computer in your environment. See Installing the Microsoft .NET 2.0 Framework on page 89.

Important: Previous releases of the Access Management Console required Version 1.1 of Microsoft's .NET Framework. Where later versions of the .NET Framework were also present, Citrix provided a workaround in the form of a file named mmc.exe.config that ensured Version 1.1 was loaded. See the Citrix Knowledge Base article at
This workaround is no longer required and must be removed. If you do not remove the workaround, the console does not start and displays an error message such as Snap-in failed to initialize. To prevent this issue, remove the file \Windows\system32\mmc.exe.config (if it is present).

129

These operations prevent previous releases of the console from working (because they rely on Version 1.1 of the .NET Framework). If you have earlier releases and do not want to upgrade them, contact Citrix Technical Support for an alternative workaround.

130

Step 1 Upgrading the Password Manager Service

If your environment uses the Password Manager Service, you must upgrade all modules of the service in use at the same time. The Password Manager 4.0 service is uninstalled by the upgrade process. You must provide service configuration information, such as settings, service account user name and password, and the location of your central store as part of the upgrade process. See To Configure the Password Manager Service(s) on page 109.

Important: You cannot specify a local user account as the service account in this version of Password Manager. See Service Account Requirements on page 86. If you installed the service and the console on the same computer, you must upgrade both.

Note: If you are not using the Password Manager Service in your Password Manager 4.0 or 4.1 environment, you need to upgrade only the console, central store, and agent software.

The following procedures assume that the Password Manager CD-ROM is loaded on the computer that you chose to host the service and that the autorun screen appears.

To Upgrade the Password Manager Service

1. Click Step 3: Install administrative components.
2. Click Step 2: Install Password Manager Service (if applicable).
3. Click Yes in the confirmation popup to remove the previous version of the service and proceed with the installation.
4. Click Next, accept the license agreement, and click Next again.

131

5. In the Select Modules window, select the modules you want to install:
   - Key Management
   - Data Integrity
   - Provisioning
   - Account Self-Service
   - Credential Synchronization
6. Click Next. You can click Back if you change your selection.
7. Click Install.
8. Click Finish. When the installation wizard is finished, the Service Configuration wizard opens. Provide the information needed to configure the service, such as connection settings, certificate name, service user account name and password, and the location of your central store. For more information, see To Configure the Password Manager Service(s) on page 109.

Step 2 Upgrading the Password Manager Console

The console you use to manage your Password Manager 4.0 or 4.1 environment is removed when you install the console for Password Manager 4.5. For best results, upgrade all installed consoles and the Application Definition Tool.

The following procedures assume that the Password Manager CD-ROM is loaded on the computer that you chose to host the console and that the autorun screen appears.

Important: The first time you configure and run discovery on the console for Password Manager 4.5, your central store (and the data in it) is upgraded. Upgraded central stores are not compatible with older versions of the console. See Back Up Your Existing Central Store on page 127. If you installed the service and the console on the same computer, you must upgrade both. Also see Microsoft .NET Versions 1.1 and 2.0 on page 128.

To Upgrade the Password Manager Console

1. Click Step 3: Install administrative components.

132

2. Click Step 3: Install Password Manager Console.
3. Click Yes in the confirmation popup to remove the previous version of the service and proceed with the installation.
4. Click Next, accept the license agreement, and click Next again. The Install Type screen appears.
5. Select one or more of the following components to install and click Next:
   - Console: Select this option to install the console, required to create and manage policies, application definitions, user configurations, and so on.
   - Application Definition Tool: Select this option to install the tool that enables you to create application definitions without needing to start or use the full console. You can install this tool in standalone mode, on computers where the console is not or cannot be installed.
   - Citrix Access Suite Console - Licensing: Select this option to help manage your licensing from the console. This option enables you to add a shortcut to the license server.
   - Citrix Access Suite Console - Diagnostics: Select this option to help Citrix Support troubleshoot console issues.
6. Click Next and click Finish when the installation is complete.
7. Start the console to configure it. When you start the console, you are asked if you want to upgrade the Access Suite Console.
8. Click Upgrade.
   Note: If you click Don't Upgrade, you must configure and run discovery from the console each time until you upgrade (that is, exit and restart the console and click Upgrade). You cannot save any settings or results of the discovery in the console that appears if you click Don't Upgrade.
9. Configure the console according to the procedures described in To Configure the Password Manager Console on page 113.

133

Note: If you subsequently configure and run discovery from the Version 4.5 console as part of the upgrade process and your central store type is an NTFS network share, you will be prompted to upgrade the central store. Click OK to upgrade or Cancel to exit. If you do not upgrade your central store at this time, you can only use previous Versions (4.0 and 4.1) of the console to work with the central store.

Step 3 Upgrading the Password Manager Agent

Note: If you upgrade the Password Manager Service and console but do not upgrade the agent software, the agent will still provide basic functionality to users whose user configurations are associated with Active Directory hierarchies (organizational units or users). However, your users will not have access to the latest Password Manager features. Citrix recommends upgrading the agent software whenever possible to match the service and console versions.

The procedures for this step are the same as if you are installing or deploying the agent for the first time. See Installing and Configuring the Password Manager Agent on page 114.

134

135 CHAPTER 5 Using Password Policies to Enforce Password Requirements

Citrix Password Manager enables you to define rules to control the characteristics of the passwords stored by your users and required by single sign-on (SSO) enabled applications. These rules comprise password policies that you can apply to all users or to specific groups of applications as determined by your organization's needs.

This section describes how to create password policies within your Password Manager environment. See also What about Password Policies for Application Access? on page 42.
- Overview of Password Policies on page 136
- Creating Password Policies: the Password Policy Wizard on page 138
- Helping to Increase Password Strength and Security In Your Environment on page 146

Note: Presentation Server provides policy rules that allow you to configure and control which users can access Password Manager when they connect to servers and published applications in the server farm. See the Presentation Server Administrator's Guide for more information.

136

Overview of Password Policies

Password Manager includes two standard password policies named Default and Domain, which cannot be deleted. These policies can be used as is, copied, or modified to suit your enterprise policies and regulations. When a user adds credentials to Logon Manager for an application not defined by an administrator, Password Manager uses the Default policy to manage that application. If you want an application group to be treated as a domain password sharing group, you must apply the Domain policy to that application group.

Note: Because Password Manager applies the Default password policy to user-added applications, ensure that you configure the Default policy to be as broad as needed to accept passwords for those applications for which you allow passwords to be stored.

You can create as many policies as you need in your enterprise. For example, you can apply one policy for your domain sharing group, and create individual policies to apply to individual groups of applications to define the requirements further.

A password policy allows you to:
- Automate password changes for applications
- Implement security schemes that include complex passwords and application-specific passwords not visible to the users
- Define password expiration for applications, even if the application does not have a password expiration feature

Note: When users change their passwords, Password Manager can check the old password against the new password. This option helps prevent users from reusing passwords for the same application twice in a row. See Set Password History and Expiration on page 142.

Password Sharing Groups

Users might have a single password that is used for multiple applications (in a suite of products, for example). This scheme is known as password sharing, where the same authentication authority is used for the applications.

137

While the other credentials for those applications (such as user name and custom fields) might be different, the user's password is the same. In this case, create an application group that is a password sharing group to ensure that the agent software manages the password for all applications in the group as a single entity. When the password is changed in one of the applications, the agent software ensures that the password change is reflected in the stored credentials for all applications in the group.

Domain Password Sharing Groups

Domain password sharing groups differ from other password sharing groups because the user's domain password is used as the master password for the application group. When the user changes the domain password, the agent software ensures that the change is reflected in the credentials for all other applications in the group. Only the domain password can be changed; users cannot initiate password changes on any of the other applications in the group unless the administrator removes the application from the domain password sharing group.

138

Creating Password Policies: the Password Policy Wizard

Important: When creating a custom password policy or modifying existing policies, ensure that your enterprise requirements and application requirements match. For example, if you create a policy that does not at least match an application's requirements, your users might not be able to authenticate to that application.

Default Settings for the Default and Domain Password Policies describes the default settings for these policies. When you create a new password policy in the wizard described here, Password Manager uses the default settings for the Default policy. You can then change your settings as needed and apply the newly created policy to your desired application group.

The wizard consists of the following pages:
- Set Basic Password Rules on page 139
- Set Alphabetic Character Rules on page 139
- Set Numeric Character Rules on page 140
- Set Special Character Rules on page 140
- Set Exclusion Rules (Excluding Specific Characters) on page 141
- Set Password History and Expiration on page 142
- Test Password Policy on page 143
- Establish Logon Preferences on page 144
- Customize Password Change Wizard on page 144

To Start the Password Policy Wizard

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.
2. Expand the Password Manager node and select Password Policies.
3. In the Common Tasks area, click Create new password policy. The Password Policy wizard appears.
4. Type a name and description for the password policy and click Next.

Set Basic Password Rules

This page enables you to set the basic rules for configuring password length and allowable repeating characters in the password.

Password length
Specify the minimum number of characters required. The minimum allowed value is 0. The maximum allowed value is 128. Ensure that the values you set here match the SSO-enabled application requirements for password length.

Character occurrence in passwords
- Maximum number of times a character can occur: this setting can be a value between one and 128 (default value is six).
- Maximum number of times the same character can occur sequentially: this setting can be a value between one and 128 (default value is four). For example, with the default value of four, abc1xxxxbb is a legal password, where xxxx occurs four times in a row.

Set Alphabetic Character Rules

This page enables you to define the use of uppercase and lowercase alphabetic characters for user passwords. You can control the following settings:
- Allow lowercase characters
- Password can begin with a lowercase character
- Password can end with a lowercase character
- Minimum number of lowercase characters required (default is zero, maximum value is 128)
- Allow uppercase characters
- Password can begin with an uppercase character
- Password can end with an uppercase character
- Minimum number of uppercase characters required (default is zero, maximum value is 128)

Set Numeric Character Rules

This page enables you to define the use of numeric characters for user passwords. You can control the following settings:
- Allow numeric characters
- Password can begin with a numeric character
- Password can end with a numeric character
- Minimum number of numeric characters required (default is zero, maximum value is 128)
- Maximum number of numeric characters required (default is 20, maximum value is 128)

Set Special Character Rules

This page enables you to define the use of special (non-alphabetic and non-numeric) characters for user passwords. You can control the following settings:
- Allow special characters
- Password can begin with a special character
- Password can end with a special character
- Minimum number of special characters required (default is zero, maximum value is 128)
- Maximum number of special characters required (default is 20, maximum value is 128)

The allowed special characters list includes the following: # $ % ^ & * ( ) _ + = [ ] \?

Set Exclusion Rules (Excluding Specific Characters)

This page enables you to prevent specific characters or groups of characters from being used in passwords, such as common words or easily guessed sequential groups of characters like abc123 or asdfjkl. You can also prevent the use of passwords that include all or part of Windows and individual application user names.
- You can specify up to 256 different groups of characters to be excluded
- Each group of characters can be from one to 32 characters long
- The characters within the groups are not case-sensitive; an exclusion list that includes abcdefg also prevents the use of AbCDefG in a password
- Additionally, an exclusion list that includes a group of characters such as defg also prevents the group of characters abcdefg from use

To Create an Exclusion List
1. Click Edit List. The Edit Exclusion List window appears.
2. Type the characters or groups of characters you want to exclude from passwords.
   - You can copy and paste text from a text editor into the text field in the window
   - You can type one character or group of characters per line (press Enter after each line to separate each entry)
   - Each group can contain up to 32 characters
   - Characters are not case sensitive
3. Click OK to save your changes and close the window.

To further restrict the password, select one or both of the following:

Do not allow application user name in password
Select this option to prevent the entire application user name from being used in the password. Select Do not allow portions of application user name in password to disallow parts of the application user name from being used in the password. Number of characters in portion enables you to specify the number of characters from the user name that would prevent the password from being used. For example, if set to four, a user password could not be formed that included the characters citr, trix, or itri with a user name of citrix.

Do not allow Windows user name in password
Select this option to prevent the entire Windows user name from being used in the password. Select Do not allow portions of Windows user name in password to disallow parts of the Windows user name from being used in the password. Number of characters in portion enables you to specify the number of characters from the user name that would prevent the password from being used. For example, if set to four, a user password could not be formed that included the characters citr, trix, or itri with a user name of citrix.

Set Password History and Expiration

This page enables you to enforce the use of new passwords when older passwords expire. The password history is maintained for each application managed by Password Manager. After this option is applied to an application or application group, any password changes made after the policy is active are retained in the user's password history. Password changes made before the policy is active are not retained or used to prevent password reuse.

Important: Password history is retained on a per-user basis. If you reset the user data for a user, the password history is removed and password history cannot be enforced for the deleted passwords.

Password history
New password must not be the same as previous passwords
Select this option to require a new password when a user's password expires. You can optionally prevent users from reusing up to 24 passwords previously used within your Password Manager environment.

Password expiration

Note: The password expiration option notifies users only that a password will expire or has expired. Your users can use expired credentials, but are shown password change reminders or password change requests until the password is changed in Logon Manager. Application definitions also enable you to run a script when passwords expire. You can also use the built-in Password Manager password expiration warning. Password expiration settings in Password Manager are independent of any password expiration settings built into software applications.

Use the password expiration settings associated with the application definitions
Select this option to specify password expiration settings. These settings are associated with the application definition to which this password policy applies. You can select the number of days until the current password expires and the number of days to warn the user before the password expires.

Test Password Policy

This page enables you to test your policies before implementing them in your environment. It helps ensure that they work as intended and that a reasonable pool of passwords is available to your users. Using the Test Password Policy page, you can:
- Click Test to manually test a password
- Click Generate to have Password Manager create a single password policy-compliant password
- Click Generate multiple passwords to have Password Manager create a list of passwords that meet the settings you defined for this password policy
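The rule pages above (basic, alphabetic, numeric, special and exclusion rules) describe a policy as a set of independent checks, and the Test page lets you run a candidate password against them. The following checker is an added example written for this guide, not Citrix code; it models those checks with the wizard's default values where the text states them (six occurrences, four in a row, 20 numeric and special characters). The SPECIAL_CHARS set and the case-insensitive user-name matching are assumptions, since the page does not fully specify either.

```python
from dataclasses import dataclass, field

# Constructed assumption: the guide's allowed-special-character list is only
# partly legible in this copy, so this set is illustrative rather than Citrix's.
SPECIAL_CHARS = set("!@#$%^&*()_-+=[]{}\\|;:,.?/")


def portions(user_name, k):
    """All k-character portions of a user name; for ("citrix", 4): citr, itri, trix."""
    return [user_name[i:i + k] for i in range(len(user_name) - k + 1)]


@dataclass
class PasswordPolicy:
    """One password policy, using the wizard's default values where the text gives them."""
    min_length: int = 0
    max_length: int = 128
    max_char_occurrence: int = 6      # maximum number of times a character can occur
    max_sequential_repeat: int = 4    # maximum times the same character can occur in a row
    min_lowercase: int = 0
    min_uppercase: int = 0
    min_numeric: int = 0
    max_numeric: int = 20
    min_special: int = 0
    max_special: int = 20
    exclusions: list = field(default_factory=list)  # up to 256 entries of 1 to 32 characters
    forbid_user_name: bool = False    # "Do not allow ... user name in password"
    user_name_portion: int = 0        # "Number of characters in portion"; 0 = whole name only

    def violations(self, password, user_names=()):
        """Return the rules the password breaks; an empty list means it is compliant."""
        found = []
        n = len(password)
        if n < self.min_length:
            found.append(f"fewer than {self.min_length} characters")
        if n > self.max_length:
            found.append(f"more than {self.max_length} characters")

        # Character occurrence rules. Matching is case-sensitive, as in the guide's
        # example abc1xxxxbb, where xxxx (four in a row) is still legal.
        for ch in sorted(set(password)):
            if password.count(ch) > self.max_char_occurrence:
                found.append(f"{ch!r} occurs more than {self.max_char_occurrence} times")
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if cur == prev else 1
            if run > self.max_sequential_repeat:
                found.append(f"{cur!r} repeats more than {self.max_sequential_repeat} times in a row")
                break

        # Character class rules from the Alphabetic, Numeric and Special pages.
        lower = sum(c.islower() for c in password)
        upper = sum(c.isupper() for c in password)
        digits = sum(c.isdigit() for c in password)
        special = sum(c in SPECIAL_CHARS for c in password)
        if lower < self.min_lowercase:
            found.append(f"fewer than {self.min_lowercase} lowercase characters")
        if upper < self.min_uppercase:
            found.append(f"fewer than {self.min_uppercase} uppercase characters")
        if digits < self.min_numeric:
            found.append(f"fewer than {self.min_numeric} numeric characters")
        if digits > self.max_numeric:
            found.append(f"more than {self.max_numeric} numeric characters")
        if special < self.min_special:
            found.append(f"fewer than {self.min_special} special characters")
        if special > self.max_special:
            found.append(f"more than {self.max_special} special characters")

        # Exclusion rules: entries are not case-sensitive, and an entry such as
        # "defg" also blocks a password containing "abcdefg" (substring match).
        lowered = password.lower()
        for entry in self.exclusions:
            if entry and entry.lower() in lowered:
                found.append(f"contains excluded characters {entry!r}")

        # User-name rules: the whole name, and optionally every portion of
        # user_name_portion characters. Case-insensitive matching is an assumption.
        for name in user_names:
            if self.forbid_user_name and name.lower() in lowered:
                found.append(f"contains the user name {name!r}")
            if self.user_name_portion > 0:
                for part in portions(name.lower(), self.user_name_portion):
                    if part in lowered:
                        found.append(f"contains {part!r}, a portion of the user name {name!r}")
                        break
        return found


if __name__ == "__main__":
    # Constructed sample: a policy stricter than the defaults, run against three candidates.
    policy = PasswordPolicy(min_length=8, min_uppercase=1, min_numeric=1,
                            exclusions=["abc123", "asdfjkl", "defg"],
                            forbid_user_name=True, user_name_portion=4)
    for candidate in ["abc1xxxxbb", "Tr0ub4dor-trix", "Secure!Pa55"]:
        print(candidate, "->", policy.violations(candidate, ["citrix"]) or "compliant")
```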

Establish Logon Preferences

This page enables you to control agent settings related to credential submission and logon errors.

Allow users to reveal passwords for applications
Select this option to allow users to see the password associated with the applications in the user configuration. This option controls whether the Reveal button in Logon Manager is available.

Note: To allow users to see their application passwords, you must also enable the Allow users to reveal all passwords in Logon Manager option in the user configuration associated with this password policy. See Configure Agent Interaction on page 204.

Force user to re-authenticate before submitting application credentials
Select this option to force users to type their primary logon credentials before the Password Manager Agent submits their credentials to an application. This setting is useful for applications that access confidential or sensitive information because it forces users to verify their identities.

Customize Password Change Wizard

This page enables you to customize the behavior of the Password Change Wizard, which is launched when users need to change their password. The Password Change Wizard responds to Password Change forms and can guide users through the password change process. You can select one of the following options:

Allow users to choose a system-generated password or create their own password

Only allow users to create their own password
When selected, the Password Change Wizard requires users to type a new password.

Only allow users to choose a system-generated password
When selected, the Password Change Wizard does not allow users to type a new password but automatically uses a system-generated password.

Generate a password and submit it to the application without displaying the Password Change Wizard
When selected, the wizard automatically submits a system-generated password. Users might see password change form fields being automatically filled in and any response from the application indicating if the password change succeeded or failed.

Helping to Increase Password Strength and Security in Your Environment

As the Password Manager administrator, you can help increase the strength of user passwords by controlling them with intelligently created password policies. As usual, only you can balance having stronger passwords with ease of use for all users in your enterprise. Consider the following:
- Use the Provisioning Module to preset user passwords. Users do not need to know their passwords in this case, which prevents them from accidentally revealing them. This technique requires coordination between the user configuration and the password policy that is associated with it.
- Require users to change their passwords at regular intervals.
- Do not allow blank passwords.
- Do not allow users to reveal passwords.
- Make sure that passwords are not reused or repeated.
- Do not allow user or application names to be part of the password.
- Force users who have regular access to confidential or sensitive information to have stronger or more complex passwords. Further group these users into user configurations containing these applications.

CHAPTER 6 Managing How Password Manager Works with Applications

The Citrix Password Manager Agent recognizes and responds to applications based on the settings identified in application definitions. The application definitions contain forms that allow the agent software to analyze each application as it is started, recognize certain identifying features, and determine if the starting application requires the agent software to perform some specific action such as:
- Submit user credentials at a logon prompt
- Negotiate a credential changing interface
- Process a credential confirmation interface

Application definitions consist of sets of specific user credential form recognition and action characteristics referred to as form definitions, and the set of configuration options that apply to all the forms in the configuration. The form definition settings are defined to recognize when an application requests a specific user credential action, and further define the actions that must be performed to process those credentials. An application definition is a collection of all the user credential management forms associated with a single application. Although most applications and their corresponding application definitions use only two forms for managing user credentials, as many forms as an application requires for managing user credentials can be defined and contained in a single application definition.

Password Manager provides support for a variety of applications including Windows, Web, and host-based applications. It works with Java applications, SAP solutions, and applications hosted on a mainframe, AS/400 system, or UNIX server.

To simplify the application definition process, a variety of predefined application definition templates can be imported into Password Manager from the Citrix Web site. This site provides an interactive exchange where Citrix Consultants, Sales Engineers, System Integrators, and Password Manager administrators share application definitions. By sharing application definitions, single sign-on enabling application definitions can be implemented with less effort and more confidence. Using predefined application definition templates should always be the first choice for administrators as they define application definitions for their environment.

To create application definitions for applications that do not have predefined application templates, the application definition support interface has an Application Definition wizard used to configure the characteristics associated with all the forms included in the definition, and a Form Definition wizard that leads administrators through a step-by-step procedure to define support for Windows, Web, and host-based applications.

Password Manager also provides the ability to perform external application discovery and action processing support. This feature allows third-party implementers to extend the application detection and credential submission tasks associated with a form by providing access to external processes during the application detection and action submission processing phases in the Password Manager Agent.

All these features combine to provide Password Manager administrators a flexible and adaptable application definition development environment to support their user community with secure and flexible single sign-on access to critical applications.

Topics described in this chapter include the following:
- Overview of Application Templates on page 149
- How the Password Manager Agent Identifies Applications and User Credential Management Events on page 152
- Windows Type Application Definitions on page 159
- Web Type Application Definitions on page 176
- Host/Mainframe Type Application Definitions on page 183

Overview of Application Templates

Application templates are XML files that are used to share application definitions between different Citrix Password Manager environments. Application templates save time and effort because they are converted to application definitions with minimal administrator intervention or configuration. Templates require the administrator to supply some information to complete the application definition, but the information required is usually limited to a URL or executable file name, password expiration, and any advanced detection settings.

Application templates are installed using the Password Manager Console or the Application Definition Tool. Both of these tools include application templates for commonly used Windows and Web applications. Additional templates are located on the Citrix Web site ( passwordmanager/gettingstarted). You can also create application templates and share them with other Citrix administrators by uploading them to the Web site.

When an application template cannot be found for an application, an application definition can be created using the Password Manager Console or the Application Definition Tool (see How the Password Manager Agent Identifies Applications and User Credential Management Events on page 152 for additional information).

Managing Application Definitions Using Templates

To add an application definition with a template, you must first make sure the template is available in your Password Manager environment. As previously stated, administrators can obtain application templates from the Web or, if you've created your own application templates and saved them to a network share, you can import them from the network share. After an application template is imported to your environment, use it to create an application definition.

Templates can also be created from application definitions. These templates can be used to archive application definitions, or share application definitions with other Password Manager administrators.

Use the following procedures to manage application definitions using templates:
- Obtaining Application Templates from the Web on page 150
- Importing Application Templates from a Network Share on page 150
- Adding an Application Definition Using a Template on page 150
- Creating Application Templates on page 152
- Exporting Application Templates on page 152

Obtaining Application Templates from the Web

Use the following procedure to download application templates from the Citrix Web site:
1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.
2. Select the Application templates on the web hyperlink to open the Password Manager Applications Definitions Web page.
3. Select the application template to import.
4. Save the template XML file to a location that is accessible from your Password Manager Console.
5. Click Close when the download is complete.
6. Follow the steps in Importing Application Templates from a Network Share on page 150.

Importing Application Templates from a Network Share

Use this procedure to import an application template from a network share:
1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.
2. Click Import Template.
3. Locate the template XML file and click Open. The template you just imported now appears on the list in the Manage Templates dialog box.
4. Follow the steps in Adding an Application Definition Using a Template.

Adding an Application Definition Using a Template

Use this procedure to add an application definition using a template:
1. Launch the application you want to define.
2. Open the console or the Application Definition Tool on the device where the application you want to define is running.
3. From the Action menu of the console or File menu of the Application Definition Tool, select Create Application Definition.
4. Select the application type for the type of application definition to create (Windows, Web, or Host/Mainframe).

5. Designate the Starting format by selecting Create from application template.
6. Choose the template from the drop-down list. The drop-down list displays templates for the selected application type.
7. Click Start Wizard.
8. Provide the information required to complete the application definition (see Application Definition Wizard Overview on page 154 for additional information).
9. Verify that the new application definition is listed in the Application Definitions node of the console.

Alternatively, you can start an application definition from the Manage Templates dialog box using the following procedure.

Creating an Application Definition From an Imported Template
1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.
2. Highlight an application template name and click Create Application Definition. This action starts the Application Definition wizard for the application type associated with the template.
3. Provide the information required to complete the application definition (see Application Definition Wizard Overview on page 154 for additional information).
4. Verify that the new application definition is listed in the Application Definitions node of the console.

If you are running an application that does not have a template, use the Password Manager Console or the Application Definition Tool to create application definitions for that application (see How the Password Manager Agent Identifies Applications and User Credential Management Events for additional information). After creating an application definition, create a template that can be exported for archival purposes or for use by other Password Manager administrators by uploading it to the Citrix Web site ( passwordmanager/gettingstarted).

Creating Application Templates

Use this procedure to create a template from an existing application definition:
1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select the application definition to use for the template being created.
2. Select the Save application definition as template option to open the Save as Template dialog box.
3. To archive the template or share it with other Password Manager administrators, export the template into an XML format. Follow the steps described in Exporting Application Templates.

Exporting Application Templates

Use this procedure to export a template from an existing application definition:
1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.
2. Highlight the template in the list of available templates and click Export.
3. Define the name and the location to store the exported template definition and click OK. The exported template is saved in the designated location. This template can be archived to preserve the data and/or made available to other Password Manager administrators ( passwordmanager/gettingstarted).

How the Password Manager Agent Identifies Applications and User Credential Management Events

Application definitions are created using the Password Manager Console or the Application Definition Tool. A single application definition supports all user credential management events associated with a single application including:
- Authenticating the user
- Changing user credentials
- Confirming credential changes

When creating an application definition, the type of application is identified after the Application Definition wizard starts. The selected application type determines the information that is collected.

Application definitions are categorized into three main types:
- Windows applications (including Java applications and the SAP LogonPad)
- Web applications (including Java applets)
- Host applications (accessed using an HLLAPI-compliant terminal emulator)

An application definition consists of:
- Application characteristics that apply to all forms included in the definition. These are defined using the Application Definition wizard.
- Form-specific data used to recognize each different credential management event associated with the application. These are defined using the Form Definition wizard that is started during the Application Definition wizard operation.

The application characteristics for all types of applications contain similar configuration information. However, the form-specific data contained in the application definition varies greatly based on the type of application being defined.

To create an application definition, the application must be accessible to the administrator from the computer where the application definition is created. Because some application signatures can vary depending on the underlying operating system, administrators must be careful to test application definitions in all the operating system environments that occur in their organization. Any changes or upgrades to an application after an application definition is developed and deployed should be tested to ensure that there are no changes to the application signatures that would require a change to the application definition.

Identifying the Parts of the Application's User Interface

The user interface to an application includes different forms that are used to manage user credential management events associated with the application. For example, one form can be used to enter the logon credentials, another form can be used to change an application password, and yet another form can be used to confirm or acknowledge a successful change to user credentials.

Here is an example of an application credential submission form (figure not reproduced in this copy).

Depending on the type of application being defined (Windows, Web, or Host), Password Manager uses a variety of different kinds of identifiers to uniquely identify and respond to the forms. These include but are not limited to the application type, window title (Log on in this example), and the executable file name. When the agent software identifies the application and form, it then prompts users to provide or store their credentials, submits stored credentials, or prompts users to update their credential information, depending on the defined settings.

Application Definition Wizard Overview

All application definitions are initially created using the Application Definition wizard and the integrated Form Definition wizard. The Application Definition wizard is started by selecting the Application Definitions node in the Citrix Access Management Console, and selecting the Create application definition task from the Common Tasks area. The following information is collected for each type of application (Windows, Web, and Host) using the Application Definition wizard.

Data Collected                  Windows   Web   Host
Identify application            X         X     X
Manage forms                    X         X     X
Name custom fields              X         X     X
Specify icon                    X (one application type only; column not legible in this copy)
Configure advanced detection    X         X     X
Configure password expiration   X         X     X
Confirm settings                X         X     X


More information

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

More information

Telephony System Integrator s Guide for ShoreTel. Citrix EasyCall Gateway 3.0

Telephony System Integrator s Guide for ShoreTel. Citrix EasyCall Gateway 3.0 Citrix EasyCall Gateway Telephony System Integrator s Guide for ShoreTel Citrix EasyCall Gateway 3.0 Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior

More information

Sage 100 ERP. Installation and System Administrator s Guide

Sage 100 ERP. Installation and System Administrator s Guide Sage 100 ERP Installation and System Administrator s Guide This is a publication of Sage Software, Inc. Version 2014 Copyright 2013 Sage Software, Inc. All rights reserved. Sage, the Sage logos, and the

More information

Administrator s Guide

Administrator s Guide Administrator s Guide Citrix Network Manager for MetaFrame XPe Version 1.0 Citrix Systems, Inc. Information in this document is subject to change without notice. Companies, names, and data used in examples

More information

IBM Client Security Solutions. Client Security User's Guide

IBM Client Security Solutions. Client Security User's Guide IBM Client Security Solutions Client Security User's Guide December 1999 1 Before using this information and the product it supports, be sure to read Appendix B - Notices and Trademarks, on page 22. First

More information

Citrix Access Gateway Plug-in for Windows User Guide

Citrix Access Gateway Plug-in for Windows User Guide Citrix Access Gateway Plug-in for Windows User Guide Access Gateway 9.2, Enterprise Edition Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance

More information

LifeSize Control Installation Guide

LifeSize Control Installation Guide LifeSize Control Installation Guide April 2005 Part Number 132-00001-001, Version 1.0 Copyright Notice Copyright 2005 LifeSize Communications. All rights reserved. LifeSize Communications has made every

More information

Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release 11.1.1.2.0 E15720-02

Oracle Enterprise Single Sign-on Logon Manager. Installation and Setup Guide Release 11.1.1.2.0 E15720-02 Oracle Enterprise Single Sign-on Logon Manager Installation and Setup Guide Release 11.1.1.2.0 E15720-02 November 2010 Oracle Enterprise Single Sign-on Logon Manager, Installation and Setup Guide, Release

More information

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015

Metalogix SharePoint Backup. Advanced Installation Guide. Publication Date: August 24, 2015 Metalogix SharePoint Backup Publication Date: August 24, 2015 All Rights Reserved. This software is protected by copyright law and international treaties. Unauthorized reproduction or distribution of this

More information

Administration Guide ActivClient for Windows 6.2

Administration Guide ActivClient for Windows 6.2 Administration Guide ActivClient for Windows 6.2 ActivClient for Windows Administration Guide P 2 Table of Contents Chapter 1: Introduction....................................................................12

More information

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide

WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide WebSpy Vantage Ultimate 2.2 Web Module Administrators Guide This document is intended to help you get started using WebSpy Vantage Ultimate and the Web Module. For more detailed information, please see

More information

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide

VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide N109548 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software Corporation makes

More information

ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference. May 2016

ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference. May 2016 ZENworks 11 Support Pack 4 Full Disk Encryption Agent Reference May 2016 Legal Notice For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government

More information

Citrix EdgeSight for Load Testing User s Guide. Citrx EdgeSight for Load Testing 2.7

Citrix EdgeSight for Load Testing User s Guide. Citrx EdgeSight for Load Testing 2.7 Citrix EdgeSight for Load Testing User s Guide Citrx EdgeSight for Load Testing 2.7 Copyright Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement.

More information

Citrix EdgeSight for Load Testing User s Guide. Citrix EdgeSight for Load Testing 3.8

Citrix EdgeSight for Load Testing User s Guide. Citrix EdgeSight for Load Testing 3.8 Citrix EdgeSight for Load Testing User s Guide Citrix EdgeSight for Load Testing 3.8 Copyright Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement.

More information

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0 Microsoft Dynamics GP Workflow Installation Guide Release 10.0 Copyright Copyright 2008 Microsoft Corporation. All rights reserved. Complying with all applicable copyright laws is the responsibility of

More information

Enterprise Server. Application Sentinel for SQL Server Installation and Configuration Guide. Application Sentinel 2.0 and Higher

Enterprise Server. Application Sentinel for SQL Server Installation and Configuration Guide. Application Sentinel 2.0 and Higher Enterprise Server Application Sentinel for SQL Server Installation and Configuration Guide Application Sentinel 2.0 and Higher August 2004 Printed in USA 3832 1097 000 . Enterprise Server Application Sentinel

More information

StreamServe Persuasion SP5 Control Center

StreamServe Persuasion SP5 Control Center StreamServe Persuasion SP5 Control Center User Guide Rev C StreamServe Persuasion SP5 Control Center User Guide Rev C OPEN TEXT CORPORATION ALL RIGHTS RESERVED United States and other international patents

More information

Load Manager Administrator s Guide For other guides in this document set, go to the Document Center

Load Manager Administrator s Guide For other guides in this document set, go to the Document Center Load Manager Administrator s Guide For other guides in this document set, go to the Document Center Load Manager for Citrix Presentation Server Citrix Presentation Server 4.5 for Windows Citrix Access

More information

PUBLIC Password Manager for SAP Single Sign-On Implementation Guide

PUBLIC Password Manager for SAP Single Sign-On Implementation Guide SAP Single Sign-On 2.0 SP1 Document Version: 1.0 2015-10-02 PUBLIC Password Manager for SAP Single Sign-On Implementation Guide Content 1 Password Manager....4 2 Password Manager Installation Guide....5

More information

INSTALL AND CONFIGURATION GUIDE. Atlas 5.1 for Microsoft Dynamics AX

INSTALL AND CONFIGURATION GUIDE. Atlas 5.1 for Microsoft Dynamics AX INSTALL AND CONFIGURATION GUIDE Atlas 5.1 for Microsoft Dynamics AX COPYRIGHT NOTICE Copyright 2012, Globe Software Pty Ltd, All rights reserved. Trademarks Dynamics AX, IntelliMorph, and X++ have been

More information

Citrix XenApp Administrator s Guide

Citrix XenApp Administrator s Guide Citrix XenApp Administrator s Guide Citrix XenApp 5.0 for Microsoft Windows Server 2008 Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance of

More information

Citrix XenDesktop Administrator s Guide. Citrix XenDesktop 3.0 Citrix XenDesktop

Citrix XenDesktop Administrator s Guide. Citrix XenDesktop 3.0 Citrix XenDesktop Citrix XenDesktop Administrator s Guide Citrix XenDesktop 3.0 Citrix XenDesktop Copyright and Trademark Notice Information in this document is subject to change without notice. Companies, names, and data

More information

Administration Guide. SecureLogin 8.0. October, 2013

Administration Guide. SecureLogin 8.0. October, 2013 Administration Guide SecureLogin 8.0 October, 2013 Legal Notice NetIQ Product Name is protected by United States Patent No(s): nnnnnnnn, nnnnnnnn, nnnnnnnn. THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN

More information

NetWrix Password Manager. Quick Start Guide

NetWrix Password Manager. Quick Start Guide NetWrix Password Manager Quick Start Guide Contents Overview... 3 Setup... 3 Deploying the Core Components... 3 System Requirements... 3 Installation... 4 Windows Server 2008 Notes... 4 Upgrade Path...

More information

Shakambaree Technologies Pvt. Ltd.

Shakambaree Technologies Pvt. Ltd. Welcome to Support Express by Shakambaree Technologies Pvt. Ltd. Introduction: This document is our sincere effort to put in some regular issues faced by a Digital Signature and USB Token user doing on

More information

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009

Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009 Oracle Enterprise Single Sign-on Technical Guide An Oracle White Paper June 2009 EXECUTIVE OVERVIEW Enterprises these days generally have Microsoft Windows desktop users accessing diverse enterprise applications

More information

HP ProtectTools User Guide

HP ProtectTools User Guide HP ProtectTools User Guide Copyright 2007 Hewlett-Packard Development Company, L.P. Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation. Intel is a trademark or registered trademark

More information

MetaFrame Presentation Server Administrator s Guide For other guides in this document set, go to the Document Center

MetaFrame Presentation Server Administrator s Guide For other guides in this document set, go to the Document Center MetaFrame Presentation Server Administrator s Guide For other guides in this document set, go to the Document Center Citrix MetaFrame Presentation Server 3.0 for Windows Citrix MetaFrame Access Suite Copyright

More information

Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise. Citrix EasyCall Gateway 2.1

Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise. Citrix EasyCall Gateway 2.1 Citrix EasyCall Gateway Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise Citrix EasyCall Gateway 2.1 Copyright and Trademark Notice Use of the product documented in this guide is subject

More information

Citrix Access Gateway Enterprise Edition Citrix Access Gateway Plugin for Windows User Guide. Citrix Access Gateway 8.1, Enterprise Edition

Citrix Access Gateway Enterprise Edition Citrix Access Gateway Plugin for Windows User Guide. Citrix Access Gateway 8.1, Enterprise Edition Citrix Access Gateway Enterprise Edition Citrix Access Gateway Plugin for Windows User Guide Citrix Access Gateway 8.1, Enterprise Edition Copyright and Trademark Notice Use of the product documented in

More information

Sage ERP MAS 90 Sage ERP MAS 200 Sage ERP MAS 200 SQL. Installation and System Administrator's Guide 4MASIN450-08

Sage ERP MAS 90 Sage ERP MAS 200 Sage ERP MAS 200 SQL. Installation and System Administrator's Guide 4MASIN450-08 Sage ERP MAS 90 Sage ERP MAS 200 Sage ERP MAS 200 SQL Installation and System Administrator's Guide 4MASIN450-08 2011 Sage Software, Inc. All rights reserved. Sage, the Sage logos and the Sage product

More information

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual

TIBCO Spotfire Web Player 6.0. Installation and Configuration Manual TIBCO Spotfire Web Player 6.0 Installation and Configuration Manual Revision date: 12 November 2013 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED

More information

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment

Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment Lesson Plans Microsoft s Managing and Maintaining a Microsoft Windows Server 2003 Environment (Exam 70-290) Table of Contents Table of Contents... 1 Course Overview... 2 Section 0-1: Introduction... 4

More information

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started Getting started Corporate Edition Copyright 2005 Corporation. All rights reserved. Printed in the U.S.A. 03/05 PN: 10362873 and the logo are U.S. registered trademarks of Corporation. is a trademark of

More information

2X ApplicationServer & LoadBalancer Manual

2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Manual 2X ApplicationServer & LoadBalancer Contents 1 URL: www.2x.com E-mail: info@2x.com Information in this document is subject to change without notice. Companies,

More information

Reflection X Advantage Help. Date

Reflection X Advantage Help. Date Reflection X Advantage Help Date Copyrights and Notices Attachmate Reflection 2015 Copyright 2015 Attachmate Corporation. All rights reserved. No part of the documentation materials accompanying this Attachmate

More information

Desktop Broker Administrator s Guide. Desktop Broker for CitrixPresentation Server Citrix Presentation Server 4.0

Desktop Broker Administrator s Guide. Desktop Broker for CitrixPresentation Server Citrix Presentation Server 4.0 Desktop Broker Administrator s Guide Desktop Broker for CitrixPresentation Server Citrix Presentation Server 4.0 Use of the product documented in this guide is subject to your prior acceptance of the End

More information

McAfee Encrypted USB Manager 3.1 Deployment and Administration Guide

McAfee Encrypted USB Manager 3.1 Deployment and Administration Guide McAfee Encrypted USB Manager 3.1 Deployment COPYRIGHT Copyright 2008 McAfee, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system,

More information

Networking Best Practices Guide. Version 6.5

Networking Best Practices Guide. Version 6.5 Networking Best Practices Guide Version 6.5 Summer 2010 Copyright: 2010, CCH, a Wolters Kluwer business. All rights reserved. Material in this publication may not be reproduced or transmitted in any form

More information

Telephony System Integrator s Guide for Bandwidth.com. Citrix EasyCall Gateway 2.2.1

Telephony System Integrator s Guide for Bandwidth.com. Citrix EasyCall Gateway 2.2.1 Citrix EasyCall Gateway Telephony System Integrator s Guide for Bandwidth.com Citrix EasyCall Gateway 2.2.1 Copyright and Trademark Notice Use of the product documented in this guide is subject to your

More information

Entrust Managed Services PKI

Entrust Managed Services PKI Entrust Managed Services PKI Entrust Managed Services PKI Windows Smart Card Logon Configuration Guide Using Web-based applications Document issue: 1.0 Date of Issue: June 2009 Copyright 2009 Entrust.

More information

Copyright 2012 Trend Micro Incorporated. All rights reserved.

Copyright 2012 Trend Micro Incorporated. All rights reserved. Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

bbc Installing Your Development Environment Adobe LiveCycle ES July 2007 Version 8.0

bbc Installing Your Development Environment Adobe LiveCycle ES July 2007 Version 8.0 bbc Installing Your Development Environment Adobe LiveCycle ES July 2007 Version 8.0 2007 Adobe Systems Incorporated. All rights reserved. Adobe LiveCycle ES 8.0 Installing Your Development Environment

More information

DigitalPersona Pro. Password Manager. Version 5.x. Application Guide

DigitalPersona Pro. Password Manager. Version 5.x. Application Guide DigitalPersona Pro Password Manager Version 5.x Application Guide 1996-2012 DigitalPersona, Inc. All Rights Reserved. All intellectual property rights in the DigitalPersona software, firmware, hardware

More information

Active Directory Adapter with 64-bit Support Installation and Configuration Guide

Active Directory Adapter with 64-bit Support Installation and Configuration Guide IBM Security Identity Manager Version 6.0 Active Directory Adapter with 64-bit Support Installation and Configuration Guide SC27-4384-02 IBM Security Identity Manager Version 6.0 Active Directory Adapter

More information

AD Self-Service Suite for Active Directory

AD Self-Service Suite for Active Directory The Dot Net Factory AD Self-Service Suite for Active Directory Version 3.6 The Dot Net Factory, LLC. 2005-2011. All rights reserved. This guide contains proprietary information, which is protected by copyright.

More information

HELP DOCUMENTATION E-SSOM CONFIGURATION GUIDE

HELP DOCUMENTATION E-SSOM CONFIGURATION GUIDE HELP DOCUMENTATION E-SSOM CONFIGURATION GUIDE Copyright 1998-2013 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form or by any

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Host Access Management and Security Server

Host Access Management and Security Server Host Access Management and Security Server Evaluation Guide Host Access Management and Security Server Evaluation Guide 12.2 Copyrights and Notices Copyright 2015 Attachmate Corporation. All rights reserved.

More information

http://docs.trendmicro.com

http://docs.trendmicro.com Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the product, please review the readme files,

More information

Full Disk Encryption Agent Reference

Full Disk Encryption Agent Reference www.novell.com/documentation Full Disk Encryption Agent Reference ZENworks 11 Support Pack 3 May 2014 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or

More information

XyLoc Security Server w/ AD Integration (XSS-AD 5.x.x) Administrator's Guide

XyLoc Security Server w/ AD Integration (XSS-AD 5.x.x) Administrator's Guide XyLoc Security Server w/ AD Integration (XSS-AD 5.x.x) Administrator's Guide Contacting Ensure Technologies Email: support@ensuretech.com Phone: (734) 547-1600 Home Office: Ensure Technologies 135 S Prospect

More information

Installing Management Applications on VNX for File

Installing Management Applications on VNX for File EMC VNX Series Release 8.1 Installing Management Applications on VNX for File P/N 300-015-111 Rev 01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright

More information

Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise. Citrix EasyCall Gateway 2.1Q

Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise. Citrix EasyCall Gateway 2.1Q Citrix EasyCall Gateway Telephony System Integrator s Guide for Alcatel OmniPCX Enterprise Citrix EasyCall Gateway 2.1Q Copyright and Trademark Notice Use of the product documented in this guide is subject

More information

BroadWorks Receptionist

BroadWorks Receptionist BroadWorks Receptionist Administration Guide Release 14.sp2 Document Version 1 220 Perry Parkway Gaithersburg, MD USA 20877 Tel +1 301.977.9440 Fax +1 301.977.8846 WWW.BROADSOFT.COM BroadWorks Guide Copyright

More information

Administrator s Guide

Administrator s Guide Administrator s Guide Citrix ICA Macintosh Client Version 6.20 Citrix Systems, Inc. Information in this document is subject to change without notice. Companies, names, and data used in examples herein

More information

Telephony System Integrator s Guide for Avaya S8300/S87xx-Series. Citrix EasyCall Gateway 2.2.1

Telephony System Integrator s Guide for Avaya S8300/S87xx-Series. Citrix EasyCall Gateway 2.2.1 Citrix EasyCall Gateway Telephony System Integrator s Guide for Avaya S8300/S87xx-Series Citrix EasyCall Gateway 2.2.1 Copyright and Trademark Notice Use of the product documented in this guide is subject

More information

Citrix MetaFrame Password Manager 2.5

Citrix MetaFrame Password Manager 2.5 F E A T U R E S O V E R V I E W Citrix MetaFrame Password Manager 2.5 Citrix access infrastructure provides on-demand access to information, and Citrix MetaFrame Password Manager makes that information

More information

CMB 207 1I Citrix XenApp and XenDesktop Fast Track

CMB 207 1I Citrix XenApp and XenDesktop Fast Track CMB 207 1I Citrix XenApp and XenDesktop Fast Track This fast paced course provides the foundation necessary for students to effectively centralize and manage desktops and applications in the datacenter

More information

NSi Mobile Installation Guide. Version 6.2

NSi Mobile Installation Guide. Version 6.2 NSi Mobile Installation Guide Version 6.2 Revision History Version Date 1.0 October 2, 2012 2.0 September 18, 2013 2 CONTENTS TABLE OF CONTENTS PREFACE... 5 Purpose of this Document... 5 Version Compatibility...

More information

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0

Administration Guide. BlackBerry Enterprise Service 12. Version 12.0 Administration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2015-01-16 SWD-20150116150104141 Contents Introduction... 9 About this guide...10 What is BES12?...11 Key features of BES12...

More information

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE

HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE HELP DOCUMENTATION E-SSOM INSTALLATION GUIDE Copyright 1998-2013 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any form or by any means

More information

User Management Tool 1.5

User Management Tool 1.5 User Management Tool 1.5 2014-12-08 23:32:23 UTC 2014 Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement Contents User Management Tool 1.5... 3 ShareFile User Management

More information

High Availability Setup Guide

High Availability Setup Guide High Availability Setup Guide Version: 9.0 Released: March 2015 Companion Guides: The UniPrint Infinity Administrator s Guide, Cluster Guide and Mobile Setup Guide can be found online for your convenience

More information

Question: 2 When configuring a web application that has more than two logon fields, which three criteria can be specified? (Choose three.

Question: 2 When configuring a web application that has more than two logon fields, which three criteria can be specified? (Choose three. Question: 1 Which type of object can have password policies assigned to it? A. Users B. Groups C. Servers D. Applications Question: 2 When configuring a web application that has more than two logon fields,

More information

safend a w a v e s y s t e m s c o m p a n y

safend a w a v e s y s t e m s c o m p a n y safend a w a v e s y s t e m s c o m p a n y SAFEND Data Protection Suite Installation Guide Version 3.4.5 Important Notice This guide is delivered subject to the following conditions and restrictions:

More information

Citrix Password Manager 4.5 Partner and Sales FAQ

Citrix Password Manager 4.5 Partner and Sales FAQ Citrix Password Manager 4.5 Partner and Sales FAQ I. Messaging and Positioning... 2 What is Password Manager?... 2 What is Citrix announcing with the availability of Password Manager 4.5?... 3 Why is Password

More information

5 Day Imprivata Certification Course Agenda

5 Day Imprivata Certification Course Agenda Class time consists of a break in the morning and afternoon as well as an allotted time for lunch. Lengths of breaks are at the discretion of the instructor based on the time to cover material. 5 Day Imprivata

More information

Integrated Virtual Debugger for Visual Studio Developer s Guide VMware Workstation 8.0

Integrated Virtual Debugger for Visual Studio Developer s Guide VMware Workstation 8.0 Integrated Virtual Debugger for Visual Studio Developer s Guide VMware Workstation 8.0 This document supports the version of each product listed and supports all subsequent versions until the document

More information

Avalanche Site Edition

Avalanche Site Edition Avalanche Site Edition Version 4.8 avse ug 48 20090325 Revised 03/20/2009 ii Copyright 2008 by Wavelink Corporation All rights reserved. Wavelink Corporation 6985 South Union Park Avenue, Suite 335 Midvale,

More information

CA Nimsoft Service Desk

CA Nimsoft Service Desk CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Cluster Guide. Version: 9.0 Released: March 2015. Companion Guides:

Cluster Guide. Version: 9.0 Released: March 2015. Companion Guides: Cluster Guide Version: 9.0 Released: March 2015 Companion Guides: UniPrint Infinity Companion Guides can be found online for your convenience and are intended to assist Administrators with the operation

More information

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7

Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7 Sophos SafeGuard Native Device Encryption for Mac Administrator help Product version: 7 Document date: December 2014 Contents 1 About SafeGuard Native Device Encryption for Mac...3 1.1 About this document...3

More information

Xcalibur Global Version 1.2 Installation Guide Document Version 3.0

Xcalibur Global Version 1.2 Installation Guide Document Version 3.0 Xcalibur Global Version 1.2 Installation Guide Document Version 3.0 December 2010 COPYRIGHT NOTICE TRADEMARKS 2010 Chip PC Inc., Chip PC (Israel) Ltd., Chip PC (UK) Ltd., Chip PC GmbH All rights reserved.

More information

Entrust Managed Services PKI Administrator Guide

Entrust Managed Services PKI Administrator Guide Entrust Managed Services PKI Entrust Managed Services PKI Administrator Guide Document issue: 3.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered

More information

Installing Windows XP Professional

Installing Windows XP Professional CHAPTER 3 Installing Windows XP Professional After completing this chapter, you will be able to: Plan for an installation of Windows XP Professional. Use a CD to perform an attended installation of Windows

More information

RSA Authentication Manager 7.1 Basic Exercises

RSA Authentication Manager 7.1 Basic Exercises RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo

More information

Windows Server Update Services 3.0 SP2 Step By Step Guide

Windows Server Update Services 3.0 SP2 Step By Step Guide Windows Server Update Services 3.0 SP2 Step By Step Guide Microsoft Corporation Author: Anita Taylor Editor: Theresa Haynie Abstract This guide provides detailed instructions for installing Windows Server

More information

STATISTICA VERSION 10 STATISTICA ENTERPRISE SERVER INSTALLATION INSTRUCTIONS

STATISTICA VERSION 10 STATISTICA ENTERPRISE SERVER INSTALLATION INSTRUCTIONS Notes: STATISTICA VERSION 10 STATISTICA ENTERPRISE SERVER INSTALLATION INSTRUCTIONS 1. The installation of the STATISTICA Enterprise Server entails two parts: a) a server installation, and b) workstation

More information