Citrix Password Manager Evaluator s Guide. Citrix Password Manager 4.6 with Service Pack 1 Citrix XenApp 5.0, Platinum Edition

Transcription

1 Citrix Password Manager Evaluator s Guide Citrix Password Manager 4.6 with Service Pack 1 Citrix XenApp 5.0, Platinum Edition

2 2 Citrix Password Manager Evaluator's Guide Copyright and Trademark Notice Copyright and Trademark Notice Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included on your installation media. Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc. Citrix Password Manager replaces specific end users encryption keys each time their primary authentication method changes, such as a domain password change or issuance of a new smart card. Password Manager can be configured to perform this operation automatically by using the optional Key Management Module. Password Manager can also be configured to use the Microsoft Data Protection API (DPAPI). When using the optional Key Management Module and/ or DPAPI, be advised that an administrator may be able to access user business or personal credentials stored in Password Manager if the administrator logs on as this end user. For additional security, end users can be asked to verify their identity with unique user-provided information. This provides an additional layer of protection for the user s secondary credentials. Regional government user computing regulations may require that you notify your end users about the possible security and privacy implications of deploying the Key Management Module and DPAPI security configurations. Review your company policies and determine what kind of notification, if any, is required for your end users Citrix Systems, Inc. All rights reserved. v-go code Passlogix, Inc. All rights reserved. Citrix and ICA (Independent Computing Architecture) are registered trademarks, and Citrix XenApp, Citrix Password Manager, and Citrix Access Gateway are trademarks of Citrix Systems, Inc. in the United States and other countries. RSA Encryption RSA Security Inc. All rights reserved. FLEXnet Operations and FLEXnet Publisher are trademarks and/or registered trademarks of Acresso Software Inc. and/ or InstallShield Co. Inc. Trademark Acknowledgements Java, Sun, SunOS, Solaris, JavaServer Pages, and Sun Java System Application Server are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Microsoft, MS, Windows, Windows Server, Win32, Outlook, ActiveX, Visual J#, ClearType, Excel, SQL Server, Microsoft Access, Windows Vista,.NET, Media Player, and Active Directory are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Novell, Novell Directory Services, NDS, NetWare, Novell Client, and edirectory are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. This product includes software developed by The Apache Software Foundation ( This product includes software developed by Salamander Software Ltd Salamander Software Ltd. Parts 2003 Citrix Systems, Inc. All rights reserved. Portions of this software are based in part on the work of the Independent JPEG Group. Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved. All other trademarks and registered trademarks are the property of their respective owners.

3 Citrix Password Manager Evaluator's Guide Contents 3 Contents Chapter 1: Welcome...7 Overview...8 Password Manager Components...8 The Central Store...8 Password Manager Console...8 Password Manager Plugin...9 The Password Manager Service...10 About This Guide...10 Documentation Conventions...10 Chapter 2: Preparing to Evaluate Citrix Password Manager...11 Planning for the Evaluation Environment Scenario...12 User Requirements Scenario...12 System Requirements...12 Obtaining a Server Authentication Certificate...14 Preparing Your Evaluation Environment...14 Join a Domain...14 Add a User...15 Installing and Configuring Test Applications...15 Chapter 3: Creating the Central Store and Installing the Citrix License Management Console...17 Creating the Central Store...18 To create the Citrix Password Manager central store...18 Licensing Citrix Password Manager...18 To install the Citrix License Management Console...18 Chapter 4: Installing the Password Manager Service...21 To install Password Manager Service modules...22 To configure Password Manager Service modules...22 Chapter 5: Installing the Citrix Password Manager Console...23 To install the Citrix Password Manager Console...24 Chapter 6: Setting Up and Administering Your User Environment...25 Opening the Console...26 To open the Password Manager Console...26

4 4 Citrix Password Manager Evaluator's Guide Contents Console Orientation...26 Creating Administrative Data...27 Overview of Password Policies...27 Creating Password Policies...28 Overview of Application Definitions...28 Creating Application Definitions...29 Adding a Windows Application Definition...29 Adding a Web Application Definition...32 Adding a Terminal Emulator-Based Application Definition...34 Setting Question-Based Authentication...35 Chapter 7: Configuring Settings and Applying Them to Users...37 Adding a New User Configuration...38 To add a user configuration for the evaluation environment Phase 1: Identifying the configuration, data location, and product edition...38 To add a user configuration for the evaluation environment Phase 2: Creating application groups...39 To add a user configuration for the evaluation environment Phase 3: Configuring Password Manager Plugin interaction...39 Chapter 8: Installing the Citrix Password Manager Plugin...41 Deploying Password Manager Plugin to Your Users...42 To create the Password Manager Plugin installation package...42 Installing Password Manager Plugin...42 Chapter 9: Using Password Manager Plugin...45 Using Password Manager Plugin for the First Time...46 To register security question answers and passwords...46 Logging On Using Password Manager...46 To start the demonstration Windows application...47 To initiate a password change in a Windows application...47 To start the demonstration Web application...47 To start the demonstration terminal emulator-based application...47 Using the Account Self-Service Features...47 To reset a password with account self-service on a Windows Vista or Windows Server 2008 computer...47 To unlock an account with account self-service on a Windows Vista or Windows Server 2008 computer...48 Chapter 10: Further Information and Resources...49 Moving from Evaluation to Implementation...50 Additional Features and Components...50 The User Experience: Password Manager Plugin...50

5 Citrix Password Manager Evaluator's Guide Contents 5 The Administrator Experience: Password Manager Console...52 Application Definition Tool...52 Credential Provisioning...52 Securing Your Environment...53 Enhancing the User Experience...53 Finding More Information About Password Manager...53

6 6 Citrix Password Manager Evaluator's Guide Contents

7 Chapter 1 Welcome Topics: Overview Password Manager Components About This Guide Citrix Password Manager is an enterprise-class single sign-on product that provides secure and managed access to Windows, Web, and terminal emulatorbased applications running in the Citrix environment as well as locally on the desktop. Users authenticate once and Password Manager does the rest, automatically logging on to password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks, including password changes. Designed to work seamlessly with Citrix delivery options, Password Manager adds value to each of the following products: Citrix XenApp Citrix Access Gateway Password Manager provides single sign-on access to any number of password-protected applications published on servers running XenApp. Users authenticate once and Password Manager passes their credentials through to any information and application resource available in the secure, personalized computing environment.

8 8 Citrix Password Manager Evaluator's Guide Welcome Overview Password Manager provides a broad range of solutions: Centralized password management that can enforce a verifiable security policy for current and legacy applications Account self-service that allows users to reset their Windows password and unlock their Windows account Time-saving hot desktop feature that allows users to quickly access their own environment on a shared system Multidomain service support for users with accounts in multiple domains, enabling credential synchronization across the domains You will discover that Password Manager is not just a single sign-on tool, but a full-fledged IT security management solution. Addressing all these features is well beyond the scope of this evaluation guide. Instead this guide leads the evaluator through a simple but effective configuration that provides an overview of the basic tools that Password Manager administrators use to: Create password policies Recognize when Windows, Web, and terminal emulator-based applications are started Manage user configurations Provide a view of the user experience through the use of Citrix Password Manager Plugin Password Manager Components The main components of Password Manager are: The central store The Password Manager Console Password Manager Plugin The Password Manager Service The Central Store The central store is the centralized repository Password Manager uses to store and manage user and administrative data. User data includes user credentials, answers to security questions, and other user-focused data. Administrative data includes password policies, application definitions, security questions, and other wider-ranging data. When a user signs on, Password Manager compares that user s credentials to those stored in the central store. As the user opens password-protected applications or Web pages, the appropriate credentials are submitted to the application. Password Manager Console The Password Manager Console is the command center of Password Manager. From the console, you manage the users Password Manager experience. Here, you configure how Password Manager will work, which features will be deployed, which security measures will be used, and other important password-related settings. Password Manager has four main items, or nodes, in the left pane. Selecting a node reveals the associated tasks.

9 Citrix Password Manager Evaluator's Guide Welcome 9 Figure 1: This picture shows the left pane of the Password Manager Console with its four nodes. By selecting a node, tasks specific to that node appear. These nodes are: User Configurations Application Definitions These configurations allow you to tailor particular settings for your users based on their geographic locations or business roles. The settings of the other three nodes are used to create items that are used for user configurations. These definitions provide the information necessary for the agent software to supply user credentials to applications, and to detect error conditions if they occur. You can use the application definition templates supplied with Password Manager to speed this process, or create your own customized definitions for applications that cannot use these templates. Additional templates are on the Citrix Web site at gettingstarted. Password Policies Password policies control password length and the type and variety of characters used in both user-defined and automatically-generated passwords. Password policies also allow you to identify characters to exclude from use in passwords and whether or not previous passwords can be reused. Creating password policies consistent with your company s security policies ensures password security is appropriately managed by Password Manager. Identity Verification Password Manager Plugin The security questions you create provide an added layer of security to your agent software by protecting against user impersonation, unauthorized password changes, and unauthorized account unlocking. Users who enroll and answer your security questions can answer those questions to verify their identity and perform self-service tasks to their account, such as resetting their primary password or unlocking their user account. Password Manager Plugin submits the appropriate credentials to the applications running on the user s client device, enforces password policies, provides self-service functionality, and enables users to manage their credentials with the Logon Manager. Note: Password Manager Plugin is the new name for the Password Manager agent software. When a user tries to access an application that requires authentication, Password Manager Plugin intercepts the application s request for authentication, finds the correct credentials, and submits them to the application. Password Manager Plugin provides users with a wide array of features. Which features the users actually receive is determined by the administrative settings you make in their user configurations.

10 10 Citrix Password Manager Evaluator's Guide Welcome The Password Manager Service The Password Manager Service runs on a Web server that provides the foundation for optional features included in this release. Install the Password Manager Service only if you plan to implement at least one of the following modules: Self-Service, which allows users to reset their Windows passwords and unlock their Windows accounts Data Integrity, which protects data from being compromised while in transit from the central store to Password Manager Plugin Key Management, which provides users with the capability to recover their secondary credentials when their primary password changes, either with automatic key recovery or after answering security questions with questionbased authentication Provisioning, which allows you to use the console to add, remove, or update Password Manager user data and credential information Credential Synchronization, which synchronizes user credentials among domains using a Web service About This Guide To help you evaluate Password Manager, this guide leads you through a basic deployment. It provides procedures to install, configure, and test a small-scale deployment of the product so you can experience how it is used. To help you evaluate Password Manager, scenarios involving Windows-based, Web-based, and terminal emulatorbased applications are provided. If your company does not use terminal emulator-based applications, skip the steps relating to that scenario. Important: The instructions in this guide are intended for rapid deployment only and should not be used in production environments. For complete deployment information, including capacity sizing and configuration issues, see the Citrix Password Manager Installation Guide. Documentation Conventions For consistency, Windows Vista and Windows Server 2008 terminology is used throughout the documentation set; for example, Documents rather than My Documents and Computer rather than My Computer are used. Password Manager documentation uses the following typographic conventions. Convention Boldface Italics Monospace Meaning Commands, names of interface items such as text boxes, option buttons, and user input. Placeholders for information you provide. For example, filename means you type the actual name of a file. Italics are also used for new terms and titles of books. Text displayed in a text file. {braces} In a command, a series of items, one of which is required. For example, {yes no } means you must type yes or no. Do not type the braces themselves. [ brackets ] In a command, optional items. For example, [/ping] means you can type /ping with the command. Do not type the brackets themselves. (vertical bar) In a command, a separator between items in braces or brackets. For example, { /hold / release /delete } means you must type /hold or /release or /delete.... (ellipsis) The previous item(s) in the command can be repeated. For example, /route:devicename[, ] means you can type additional devicenames separated by commas.

11 Chapter 2 Preparing to Evaluate Citrix Password Manager Topics: Planning for the Evaluation Environment Scenario Preparing Your Evaluation Environment This guide is organized by the tasks the evaluator must perform. Preparing to evaluate Citrix Password Manager Installing the Password Manager Service Configuring the Password Manager Service Installing the administration environment Setting up and administering your user environment Configuring settings and applying them to users Installing the Citrix Password Manager Plugin Using the Citrix Password Manager Plugin It concludes with how to move from the evaluation to an implementation, a discussion of additional features and components, and where to find additional information.

12 12 Citrix Password Manager Evaluator's Guide Preparing to Evaluate Citrix Password Manager Planning for the Evaluation Environment Scenario The evaluation environment scenario is provided to give you an idea of the flexibility and customization available when Citrix Password Manager is deployed to end users. Allow four to six hours to complete the tasks. This environment, while small, demonstrates how the administrator controls the user experience as driven by user needs and company policy. User Requirements Scenario Our evaluation environment is for a single-user deployment. A user s needs and requirements are based on companyspecific information such as the resources required to perform the job and the applications required. Global User Requirements The user requirements for this evaluation scenario are: Users need access to a Windows application. Users need access to a Web application. Users need access to a terminal emulator-based application that runs on the client workstation through a high-level language API-compliant (HLLAPI) terminal emulator. Users can have the option of revealing their passwords on request, with certain special exceptions noted. Users should have the option of entering their passwords for all administrator-defined applications at once, the first time they use the agent software. Users can access the Account Self-Service features. User passwords should include a combination of uppercase and lowercase letters, numbers, or special characters. However, for this scenario, the terminal emulator does not accept special characters in passwords. Note: These requirements are for the purposes of this evaluation scenario only and should not be taken as recommendations to meet your organization's specific needs. Application-Specific Policy Requirements The application-specific requirements for this evaluation scenario are: Because the terminal emulator application provides access to financial software and sensitive company information, we want to apply a stricter password policy to the emulator. Internal policies for our demonstration company also dictate that the users be unable to reveal application passwords for the terminal emulator application. Users must also enter their Windows domain password every time they want to access the host application. System Requirements Ensure that the computers used in this evaluation are running supported operating systems. Password Manager Component Supported Environment or Microsoft Windows Operating System Hardware Requirements Password Manager Console Microsoft Windows Vista (Business Edition, Ultimate Edition, Enterprise Edition) 32-bit and 64-bit Microsoft Windows XP Professional, Service Pack bit Microsoft Windows XP Professional x64 Edition 64-bit Microsoft Windows 2000 Professional, Service Pack 4 64MB RAM 60MB disk space

13 Citrix Password Manager Evaluator's Guide Preparing to Evaluate Citrix Password Manager 13 Password Manager Component Supported Environment or Microsoft Windows Operating System Microsoft Windows Server 2008 (Standard Edition, Enterprise Edition, Datacenter Edition ) 32-bit and 64-bit Microsoft Windows Server 2003 R2 (Standard Edition, Enterprise Edition, Datacenter Edition ) 32-bit and 64-bit Microsoft Windows 2003 Server with Service Pack 2 (Standard Edition, Enterprise Edition, Datacenter Edition ) 32-bit and 64-bit Microsoft Windows 2000 Server, Service Pack 4 (Windows 2000 Server, Advanced Server, Datacenter Server) 32-bit Hardware Requirements Password Manager Plugin Windows Vista (Business Edition, Ultimate Edition, Enterprise Edition) 32-bit and 64-bit Microsoft Windows XP Professional, Service Pack bit Microsoft Windows XP Professional x64 Edition 64-bit Microsoft Windows XP Embedded Microsoft Windows 2000 Professional, Service Pack 4 Microsoft Windows Fundamentals for Legacy PCs Windows Server 2008 (Standard Edition, Enterprise Edition, Datacenter Edition ) 32-bit and 64-bit Microsoft Windows Server 2003 R2 (Standard Edition, Enterprise Edition, Datacenter Edition ) 32-bit and 64-bit Microsoft Windows 2003 Server with Service Pack 2 (Standard Edition, Enterprise Edition, Datacenter Edition ) 32-bit and 64-bit Microsoft Windows 2000 Server, Service Pack 4 (Windows 2000 Server, Advanced Server, Datacenter Server) 32-bit Password Manager Service Microsoft Windows Server 2008 (Standard Edition, Enterprise Edition, Datacenter Edition ) 32-bit Microsoft Windows Server 2003 R2 (Standard Edition, Enterprise Edition, Datacenter Edition ) 32-bit Microsoft Windows Server 2003 with Service Pack 2 (Standard Edition, Enterprise Edition, Datacenter Edition ) 32-bit ASP.NET (Application Server components available) 10MB RAM 25MB disk space (if optional features are not installed) 35MB disk space (if optional features are installed) 128MB RAM 30MB disk space The required hardware is the minimum needed to run the required operating systems. The following are also required for this evaluation: Software Component Required by Available from... Microsoft Windows Installer 3.0 or later Password Manager Service Password Manager Console Password Manager Plugin Support folder on the Password Manager product media

14 14 Citrix Password Manager Evaluator's Guide Preparing to Evaluate Citrix Password Manager Software Component Required by Available from... Microsoft.NET Framework 2.0 Password Manager Service Password Manager Console Support folder on the Password Manager product media Java Standard Edition Runtime Environment (JRE) Versions 1.4.x, 5, and 6 If you require Java application support: Password Manager Console Password Manager Plugin For this evaluation, Internet Information Services (IIS) must be installed and running on your Windows server because that is where Password Manager Service will be installed. Important: To successfully install the evaluation environment, your test environment must allow access to the Internet and software downloads. Citrix Password Manager supports Web browsing using Microsoft Internet Explorer 6.0 or 7.0 (non-protected mode). Obtaining a Server Authentication Certificate Before you install the service, obtain a server authentication certificate from a certificate authority for Secure Sockets Layer (SSL) communication. Alternatively, if you have an existing public key infrastructure, download your own certificate to the server running the service. An SSL certificate is necessary to ensure secure communication between the service and Password Manager Plugin, and to guarantee Password Manager Plugin and the console are communicating with the correct service server. Preparing Your Evaluation Environment To follow the procedures in this guide, prepare your computers as described in this section. For this demonstration, your evaluation computers run the: Citrix License Management Console Citrix Access Management Console, which contains the Password Manager Console Citrix Password Manager Service Citrix Password Manager Plugin This evaluation is planned for two computers. At least one of those computers must run Windows Server 2003 or Windows Server Install Password Manager Service and the console on the computer running the server operating system. Any supported operating system can be installed on the second computer, which will run Password Manager Plugin. Important: Install Password Manager Service on a 32-bit system. It is not supported on 64-bit systems. To simplify identification during this evaluation, the computer running the Password Manager Service and the console is referred to as the administrator's computer. The computer running Password Manager Plugin is called the user's computer. Join a Domain Assign the evaluation computers to a domain to which you have administrator privileges, preferably a testing domain. To work with the Citrix License Management Console or the Citrix Access Management Console for this evaluation, you must be logged on as the domain administrator. You must also be a member of the local administrators group on all computers used in this evaluation.

15 Citrix Password Manager Evaluator's Guide Preparing to Evaluate Citrix Password Manager 15 Add a User Add a new user to the domain users group. Make sure that the user is not required to change the password at the next logon. Installing and Configuring Test Applications To demonstrate the compatibility of Password Manager with Windows applications and terminal emulator-based applications, you must install and configure a Windows application and a terminal emulator. To demonstrate the compatibility of Citrix Password Manager with Web applications, you must have access to the Internet. To install the Citrix Windows test application Use the following procedure to install a Windows application (provided by Citrix for testing purposes only). 1. On the administrator's computer, create a folder called WinApp on the desktop. 2. On the user's computer, create a folder called WinApp in %SystemDrive%\Users\Public\Public Desktop or %SystemDrive%\Documents and Settings\All Users\Desktop, depending on which version of Windows is installed. 3. From the \Tools directory of your Password Manager installation media, copy the LogonTester.exe file and the \en folder to the WinApp folder to both the adminstrator's and the user's computers. Install a Terminal Emulator Terminal emulator-based applications are accessed using a high level language API-compliant (HLLAPI) terminal emulator. For demonstration purposes, install a terminal emulator on both the administrator's and user's computers. Important: When you deploy terminal emulator applications to your Password Manager users, a session short name is required for the application definition to work. You must create a session short name to explore how Password Manager works with terminal emulator-based applications in this scenario.

16

17 Chapter 3 Creating the Central Store and Installing the Citrix License Management Console Topics: Creating the Central Store Licensing Citrix Password Manager After the prerequisites are installed on the administrator's and user's computers, begin the Password Manager installation process by creating the central store and installing the Citrix License Management Console.

18 18 Citrix Password Manager Evaluator's Guide Creating the Central Store and Installing the Citrix License Management Console Creating the Central Store For the purposes of this evaluation, you must use an NTFS shared folder as your central store. The central store is the location where Citrix Password Manager stores data used for your entire environment. Your user settings called user configurations are also part of your central store. To create the Citrix Password Manager central store 1. From your Password Manager installation media, start the installation program (%installation media%\autorun.exe). 2. From the Citrix Password Manager installation main menu, click Step 2: Create your central store. 3. Click Create your central store in an NTFS network share. 4. When asked Would you like to continue creating the default NTFS network share?, click Yes. 5. When prompted, press any key to continue. This procedure creates a shared folder with the name CITRIXSYNC in the root directory of your computer. By default, the folder is a hidden share so a dollar sign ($) is required at the end (CITRIXSYNC$). Licensing Citrix Password Manager Before you can evaluate Password Manager, install and configure the Citrix License Management Console. Using Citrix software requires that you follow the terms of Citrix license agreements. Note: For more information about licensing, see the Getting Started with Citrix Licensing Guide, available with other Citrix licensing information in the Citrix Knowledge Center ( To install the Citrix License Management Console Important: The installation process verifies that the J2SE Runtime Environment (JRE) required to support the Citrix License Management Console is installed. If not, you are prompted to install it. You must then restart the installation process. 1. From your Password Manager installation media, start the installation program (%installation media%\autorun.exe). 2. From the main menu, click Step 3: Install administrative components. 3. Click Step 1: Install Citrix Licensing. 4. Follow the instructions presented on the screen. Use the following table when the wizard requests input. Installation Wizard Page License Agreement Select Features License Files Location Entry Accept Console and Server %Program Files%\Citrix\Licensing\MyFiles\ Server and Vendor Daemon Ports License Server ; Vendor Daemon Web Server Restart Microsoft IIS Server Microsoft Internet Information Services (IIS) OK to restart 5. When the Citrix Licensing has been successfully installed page appears, click Finish to complete the installation.

19 Citrix Password Manager Evaluator's Guide Creating the Central Store and Installing the Citrix License Management Console 19 After the License Management Console is installed, you have to install a license file. Specific instructions for obtaining and managing your evaluation license is included with your evaluation letter. If not, contact Citrix Customer Care for additional information.

20

21 Chapter 4 Installing the Password Manager Service Topics: To install Password Manager Service modules To configure Password Manager Service modules After the evaluation applications are installed, it is time to install and configure the Citrix Password Manager Service. The service allows you to meet the account self-service requirements stated in the scenario. For more details about this Password Manager component, see The Password Manager Service on page 10. This chapter has instructions for: Installing the Password Manager Service modules Configuring the modules

22 22 Citrix Password Manager Evaluator's Guide Installing the Password Manager Service To install Password Manager Service modules For this evaluation task, log on to the domain admininistrator account. The Password Manager installation window should be open. If it does not start automatically, navigate through the Password Manager installation media and doubleclick Autorun.exe. Install the Self-Service module to meet the requirements of this evaluation scenario. Important: Install all prerequisites prior to installing the Password Manager Service. 1. In the Password Manager installation window, click Step 3. Install administrative components. The administrative components installation options appear. 2. Click Step 2: Install Password Manager Service (if applicable). 3. Follow the instructions presented on the screen. Use the following table when the wwizard requests input. Installation Wizard Page License Agreement Select Modules Entry Accept Self-Service The Citrix Password Manager Service Configuration Wizard appears. To configure Password Manager Service modules The Citrix Password Manager Service Configuration Wizard starts automatically once the Service is installed. 1. Accept the defaults and click Next on the following pages: Welcome Configure service Signing certificate 2. On the Configure data proxy page, select NTFS network share and type the UNC path to the central store. 3. On the Configure domain page: a) Ensure the check box next to the domain to be used for this evaluation is selected. b) Select the domain and click Properties. c) In the Edit Configuration dialog box, click Data Proxy Account and type the user name, password, and domain of the data proxy account used to communicate with the central store. d) Click Self-Service Features Account, type the credentials for this feature, and click OK. The Edit Configuration dialog box closes. 4. Click Finish to commit the service configuration information and Yes to confirm that you want to save the settings. Click Finish again to close the Applying Settings window. The Password Manager Service is configured.

23 Chapter 5 Installing the Citrix Password Manager Console Topics: To install the Citrix Password Manager Console The Citrix Password Manager Console is integrated with the Citrix Access Management Console, which in turn is integrated with the Microsoft Management Console (MMC). The Password Manager Console must be installed and configured before Password Manager Plugin can be used. Without administrator-defined console settings which includes licensing information the plugin will not run.

24 24 Citrix Password Manager Evaluator's Guide Installing the Citrix Password Manager Console To install the Citrix Password Manager Console For this evaluation task, log on to the domain administrator account. The Password Manager installation window should be open. If it does not start automatically, navigate through the Password Manager installation media and doubleclick Autorun.exe. Important: Install all prerequisites prior to installing the Password Manager Console. 1. In the Password Manager installation window, click Step 3. Install administrative components. The administrative components installation options appear. 2. Click Step 3: Install Password Manager Console. 3. On the Welcome page of the Citrix Password Manager Console Setup wizard, click Next. 4. Review and accept the license agreement and click Next. 5. Click Next to install the default components to the default location. 6. Click Next to install. The installation procedure starts. This action can take a few minutes while the software is installed and the system is updated. 7. When the Citrix Password Manager Console Setup has completed successfully message appears, click Finish.

25 Chapter 6 Setting Up and Administering Your User Environment Topics: Opening the Console Creating Administrative Data You are now ready to use the console to create global password policies and application definitions. After the global settings are configured, you will configure user settings user configurations to customize Password Manager Plugin experience for each group of users. Every time a user starts Password Manager Plugin, all settings configured by the administrator for that user are updated immediately, allowing users to access their applications on the terms specified by the administrator. This chapter guides you through the following: Opening the console Creating a password policy Creating an application definition Setting up question-based authentication

26 26 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment Opening the Console The first time you open the Password Manager Console, you must configure and run discovery. Discovery is the process used to enumerate all of the Citrix products and components. For Password Manager environments, the discovery process connects to your central store and the Citrix Password Manager Service, if applicable, and identifies any administrative data that exists in your central store. To open the Password Manager Console 1. From the Start menu, select All Programs > Citrix > Management Consoles > Access Management Console. The console opens and the Configure and run discovery wizard appears. 2. On both the Welcome and Select Products or Components pages, click Next. 3. On the Identify Central Store page, choose NTFS network share and type the UNC path in the text field: \ \computer name\citrixsync$. Note that drive letters such as c: or d: are not used in UNC names. Click Next. 4. On both the Configure Data Integrity Options and Preview Discovery pages, click Next. The discovery process begins. 5. When Discovery completes, click Finish. You are ready to begin tailoring the environment to your requirements. Console Orientation The Citrix Password Manager Console uses configuration wizards to create password policies, create application definitions, set up identity verification, and manage users credentials and agent settings. Different user configurations can be configured to customize the user experience for different user groups. The Citrix Password Manager Console (referred to as a snap-in) displays nodes (items) in the left pane (A) that are used to manage: User Configurations Application Definitions Password Policies Identity Verification When a node is selected, the associated tasks appear in the task pane (B). The details pane (C) shows specific properties or contents for the selected node.

27 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment 27 Figure 2: This picture shows the Citrix Password Manager Console, a snap-in of the Citrix Access Management Console, and identifies the three main areas of the console: the left pane, the task pane, and the details pane. With the Citrix Password Manager Console, you can: Create password policies Configure applications for single sign-on support Create questionnaires for question-based authentication for identity verification Manage users Password Manager Plugin settings Control all aspects of application password management Create application definitions used by Password Manager Plugin and enforce password policies for your organization s password-protected applications Control how much or how little interaction your users have with the Citrix Password Manager Plugin and whether or not users are authorized to access their stored credentials Creating Administrative Data The administrative data you create includes definitions and settings that are used throughout your Citrix Password Manager environment. These definitions and settings include: Password Policies Application Definitions Identity Verification Overview of Password Policies Password policies are used to quantify the password requirements for your environment. These policies must take into consideration the password requirements for the applications and general security policies used in your organization. For example, some applications already have a strict set of rules that govern the form a valid password can take. Your organization can also use password policies to place those same requirements on other applications with less restrictive password rules.

28 28 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment Creating Password Policies Create as many password policies as necessary to manage your applications. When you install Citrix Password Manager, two policies are created automatically: Default policy Domain policy These policies cannot be deleted. When a user adds credentials to Logon Manager for an application that was not defined by an administrator, Citrix Password Manager uses the default policy to manage that application. For this evaluation scenario, you will create a password policy. To create a password policy The scenario requirements specify that the password policy for terminal emulator-based applications be more restrictive than the policies for Windows and Web-based applications. Follow these steps to create a password policy that meets these scenario requirements. 1. In the left pane of the console, select Password Policies. 2. From the Action menu, choose Create new password policy. 3. Use the Password Policy Wizard to create your password policy. Accept the default settings on each page of the wizard except as detailed in the following table: Wizard Page Control Setting Requirement Name password policy Name Accounting Terminal Emulator Application Stricter password policy included in the applicationspecific policy requirements. Set special character rules Allow special characters Clear Special characters are prohibited for terminal emulator-based application passwords in the global user requirements. Establish logon preferences Allow user to reveal password for application Clear While the global requirements grant users the ability to reveal their passwords, the more restrictive application-specific requirements rescind this privilege for terminal emulator-based application users. Force user to reauthenticate before submitting application credentials Select This extra security precaution is also included in the application-specific policy requirements. This completes the new password policy definition process. This policy is used later in the evaluation process to manage an application group. Overview of Application Definitions Each application managed by Password Manager has one or more user credential management events and each credential management event requires its own form definition: Logon form

29 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment 29 Password change form Successful password change form Failed password change form The form definitions contain the information to recognize when the specific form is started, and the actions performed to provide the form-specific user credentials. By convention, application definitions contain all the form definitions required by a single application. The definition process begins by starting the Application Definition Wizard. The integrated Form Definition Wizard starts during the operation of the Application Definition Wizard. The Form Definition Wizard reruns for each credential management form required by the application. After definitions are created for all the forms, the Application Definition Wizard continues until the definition process is complete. Most applications and corresponding application definitions use only two forms for managing user credentials. However, you can create as many forms as an application requires to manage user credentials and contain them in a single application definition. Password Manager provides support for a variety of applications including Windows, Web, and terminal emulatorbased applications. It works with Java applications, SAP solutions, and applications hosted on a mainframe, AS/400 system, or UNIX server. Application Templates Citrix Password Manager provides templates for many application definitions. Application templates are XML files that allow you to share application definitions among different Citrix Password Manager environments. Application templates save time and effort because they can be converted to application definitions with minimal administrator intervention. Citrix Password Manager administrators can find and download application templates created by Citrix and other Citrix Password Manager administrators at: You can also create your own application templates and share them with other Citrix Password Manager administrators at the same Web site. Creating Application Definitions Citrix Password Manager provides two interfaces for creating application definitions: The Password Manager Console provides full access to manage your entire Citrix Password Manager environment, including application definitions The Application Definition Tool is a stand-alone tool that provides access to manage application definitions only The procedure used to create application definitions is identical for both interfaces. In the next few pages you will use the Password Manager Console to create the following application definitions: Windows application definition for the test application you installed while preparing for this evaluation scenario Web application definition for the MyCitrix Web site Terminal emulator-based application definition for an emulator of your choice Adding a Windows Application Definition The Windows application definition for this demonstration is created in several phases: Phase 1: Identifying the application definition. Phase 2: Creating a definition for the application s logon form. Phase 3: Creating a definition for the application s password change form. Phase 4: Specifying custom values, if any, for the application definition.

30 30 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment For this scenario, use the LogonTester test application you copied to the desktop of the administrator's computer when setting up the evaluation environment. To create a Windows application definition for the Logon Tester Phase 1: Identifying the Logon Tester application definition The first phase in creating an application definition is to assign a name used to identify the application definition. This procedure also takes you through the steps required to identify the application type and the format used to create the application definition. Tip: To make it easier to create an application definition, it is best practice to start the application and leave it open on your desktop during the definition process. 1. On the administrator's computer, start LogonTester.exe. 2. Open the Password Manager Console and select the Application Definitions node. 3. From the Action menu, click Create application definition. The Create Application Definition dialog box appears. 4. Click Windows, Create New, and Start Wizard. The Application Definition Wizard starts. 5. On the Identify Application page, in the Enter the application name field, type Logon Tester and click Next. The Manage forms page appears. Continue with Phase 2 where the Form Definition Wizard will be started from the Manage forms page. To create a Windows application definition for the Logon Tester Phase 2: Creating a definition for the Logon Tester logon form Password Manager Plugin monitors user computers for application logon forms. In this phase, the characteristics of an application s logon form are specified so Password Manager Plugin recognizes the form and submits the credentials and other data required for application logon. You must complete To create a Windows application definition for the Logon Tester Phase 1: Identifying the Logon Tester application definition on page 30 before starting this task. 1. On the Manage form page, click Add Form. The Form Definition Wizard starts. 2. On the Name form page, in the Enter form name field, type User logon form, ensure Logon form is selected from the Select form type list, and click Next. 3. On the Identify form page, click Select. The Select a Program Window dialog box appears, showing a list of active programs and windows. Most Windows applications can be identified by extracting the window title and executable file name from the program while it is running on your desktop. Although these are the most common elements used to identify a window application, this page provides access to many other advanced matching tools that are beyond the scope of this evaluation scenario. 4. If necessary, rearrange the windows on your desktop so you can see both the wizard and the Logon Tester. 5. From the Select a Program Window dialog box, select Logon Tester. A flashing border appears around the Logon Tester window. 6. Click OK to close the Select a Program Window dialog box and then, on the Identify form page, click Next. All of the possible user credential management fields available for a Logon form appear in the Credential fields and button status area of the Define form actions page. The Define form actions page is used to define which of the available credential fields and buttons are associated with specific fields on the selected application. 7. If necessary, rearrange the windows on your desktop so you can see both the wizard and the Logon Tester window.

31 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment 31 An examination of the Logon Tester form reveals that credential information must be provided for three fields and the user must clickok to submit the form. 8. To identify which form field to associate with the Username/ID credential, select its associated Set/Change option. 9. In the Configure Control Text dialog box, select a control type (D). The associated field or control is highlighted in Logon Tester (E). Figure 3: This picture shows the relationship between the selected control type in the Configure Control Text dialog box and the User Name field in the Logon Test window. 10. When the correct field is highlighted for the Username/ID credential, click OK to make the assignment. After the assignment is made, it appears in the Action sequence area of the Define form actions page and the status of the Username/ID credential changes from Not Configured to Configured. 11. Repeat Steps 7 11 for the Password, Third field, and OK button assignments. When complete, the Action sequence appears as follows: Actions Target Value Set Control Text Control ID: 1000 {Username/ID} Set Control Text Control ID: 1001 {Password} Set Control Text Control ID: 1002 {Custom Field 1} Click Button Control ID: 1 {OK} 12. After all the assignments are made on the Define form actions page, click Next. 13. In the Configure other settings page, ensure that the Agent submits this form automatically option is selected, then click Next. 14. Verify your settings and then click Finish. The Form Definition Wizard closes. The Manage Forms page of the Application Definition Wizard appears. Do not click Next or close this page. This completes the definition for the Logon Tester application logon form. In Phase 3, a form definition for the Logon Tester password change form is created. To create a Windows application definition for the Logon Tester Phase 3: Creating a definition for the Logon Tester change password form Password Manager Plugin monitors user computers for the defined application forms. In this phase, identify the characteristics of an application s change password form so Password Manager Plugin recognizes the form and takes the action defined by the administrator to change the application password. You must complete To create a Windows application definition for the Logon Tester Phase 2: Creating a definition for the Logon Tester logon form on page 30 before starting this task.

32 32 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment 1. On the Logon Tester window, click Change. A Dialog window appears. 2. Move the Dialog window so you can see the wizard, the Logon Tester window, and the Dialog window. 3. Using the steps from Phase 2, create a change password form. Use the following information in place of what is provided for Phase 2. Wizard Page Control Setting Name form Enter form name Change Logon Tester Password Select form type Password change form Select a Program Window Program window Dialog When complete, the Action sequence appears as follows: Actions Target Value Set Control Text Control ID: 1003 {Old password} Set Control Text Control ID: 1004 {New password} Set Control Text Control ID: 1005 {Confirm new password} Click Button Control ID: 1 {OK} You will complete the application definition for the Logon Tester application in Phase 4. To create a Windows application definition for the Logon Tester Phase 4: Specifying custom values for the application definition As you can see, different forms require different types of user credentials. Some credential management forms require information beyond the user name and password. To support these types of forms, Password Manager allows the definition of up to two additional custom fields. When an application requires custom field entries for a user logon form, the content of the text labels can be customized. This ensures that Password Manager presents the field to the user with the same field name (or label) that the user recognizes from the application. Password Manager also allows you to define a specific icon to identify the application in the Logon Manager application list. Logon Tester has a custom field labeled Third. You configured that field in Phase 2. Use the following procedure to define the content of this custom field and to finish creating your application definition. You must complete To create a Windows application definition for the Logon Tester Phase 3: Creating a definition for the Logon Tester change password form on page 31 before starting this task. 1. From the Manage forms page, click Next. 2. In the Name custome fields page, type Third as the label for Enter label to use for custom field 1 and click Next. 3. If it is not already selected, select Use default icon and click Next. 4. Accept the default settings for the remaining pages of the wizard, clicking Finish on the Confirm settings page. The Logon Tester application definition is now listed in the left pane under Application Definitions. Note: You can now close the Dialog and Logon Tester windows. They are no longer required. Adding a Web Application Definition

33 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment 33 Use the Application Definition Wizard to define user credential management forms for Web applications. The next procedures guide you through setting up a Web application definition for the MyCitrix Web site. The Web application definition for this demonstration is created in several phases: Phase 1: Identifying the application definition. Phase 2: Creating a definition for the application s logon form. Phase 3: Specifying custom values, if any, for the application definition. To add an application definition for MyCitrix Phase 1: Identifying the application definition 1. In the Access Management Console, select the Application Definitions node. 2. From the Action menu, choose Create application definition. 3. In the Create Application Definition dialog box, click Web, Create New, and Start Wizard. The Application Definition Wizard starts. 4. On the Identify Application page, in the Enter the application name field, type MyCitrix.com and click Next. The Manage forms page appears. Continue with Phase 2 where the Form Definition Wizard will be started from the Manage forms page. To add an application definition for MyCitrix Phase 2: Creating a definition for the application s logon form You must complete To add an application definition for MyCitrix Phase 1: Identifying the application definition on page 33 before starting this task. 1. On the Manage forms page, click Add Form. The Form Definition Wizard starts. 2. On the Name form page, in the Enter form name field, type User logon form, ensure Logon form is selected from the Select form type list, ensure No Special Action is selected, and click Next. 3. On the Identify form page, click Select. The Web Form Wizard starts. This wizard is used to identify the user credential management controls for a Web site. 4. Maximize the wizard window to fill your screen. The Web Form Wizard acts as a Web browser so you can see the Web application form and its fields as you create the form definition. Tip: If you do not know the exact URL of the Web application form, use the Web Form Wizard as a browser to navigate to the form. 5. In the Web form URL field, type and click Go. The Web form you are defining (the My Citrix logon form) is shown in the upper frame of the Web Form Wizard. The lower frame shows a list of the fields on the form and their properties. 6. In the lower frame, right-click the following field names and assign these field types from the menu: Field Name userid password Field Type Username/ID Password Submit After the fields are assigned, an icon appears to indicate the type of credential that was defined. 7. Click OK to close the Web Form Wizard. 8. Verify your settings and then click Next. The Configure other settings page appears.

34 34 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment This completes Phase 2. Continue with Phase 3, where you will complete the Web application definition. To add an application definition for MyCitrix Phase 3: Specifying custom values, if any, for the application definition You must complete To add an application definition for MyCitrix Phase 2: Creating a definition for the application s logon form on page 33 before starting this task. 1. On the Configure other settings page, ensure that Agent submits this form automatically is selected and click Next. 2. Verify your settings and then click Finish. This action closes the Form Definition Wizard and the Manage forms page of the Application Definition Wizard appears. 3. Accept the default settings for the remaining pages of the wizard, clicking Finish on the Confirm settings page. The MyCitrix.com application definition is now listed in the left pane under Application Definitions. Adding a Terminal Emulator-Based Application Definition A terminal emulator allows a user to connect to a mainframe, AS/400, OS/390, UNIX, or other terminal-based session from a Windows workstation. Citrix Password Manager provides single sign-on functionality to terminal emulatorbased applications when high-level language API (HLLAPI)-compliant terminal emulators are installed and used on the local Windows computer. This exercise uses your previously installed terminal emulator. The terminal emulator-based application definition for this demonstration is created in two phases: Phase 1: Identifying the application definition. Phase 2: Creating a definition for the application s logon form. To add an application definition for a terminal emulator-based client Phase 1: Identifying the application definition 1. Open the Access Management Console and select the Application Definitions node. 2. From the Action menu, choose Create application definition. The Create Application Definition dialog box appears. 3. Click Terminal emulator (HLLAPI), Create New, and Start Wizard. The Application Definition Wizard starts. 4. On the Identify Application page, in the Enter the application name field, type your application s name and click Next. The Manage forms page appears. Continue with Phase 2 where the Form Definition Wizard will be started from the Manage forms page. To add an application definition for a terminal emulator-based client Phase 2: Creating a definition for the application s logon form You must complete To add an application definition for a terminal emulator-based client Phase 1: Identifying the application definition on page 34before starting this task. 1. On the Manage form page, click Add Form. The Form Definition Wizard starts. 2. On the Name form page, in the Enter form name field, type User logon form, ensure Logon form is selected from the Select form type list, and click Next. 3. On the Identify form page, click Add. 4. In the Text to Match dialog box, type the text string to be used to identify the user logon form as well as its location (row and column numbers) and then click OK.

35 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment 35 Note: Password Manager Plugin scans the terminal emulator application screen. If the text at the specified coordinates matches, the plugin continues processing this screen. If the text at those coordinates does not match, the screen is ignored. Tip: You can define multiple text string matches. Sometimes multiple text string matches are required to uniquely identify a logon screen. 5. On the Identify form page, click Next. 6. On the Set field detection rules page, click Add. The Define Field dialog box appears. 7. Type the following information for each field function. Click OK after completing each function and then click Add to reopen the Define Field dialog box. Field Function Row, Column Keys After Key After Reason Username/ID Type the row and column numbers indicating the location of the Username/ ID field Tip: If your terminal emulator can display row and column numbers, enable that feature if it is not already Indicates that the plugin should submit a TAB key after the user name is entered in the field. Password Type the row and column numbers indicating the location of the Password Indicates that the agent should submit an ENTER key after the password is entered in the field. 8. On the Set field detection rules page, click Next. Accept the default settings for the remaining pages of the Form Definition Wizard, clicking Finish on the Confirm settings page. The Form Definition Wizard closes and the Manage forms page of the Application Definition Wizard appears. 9. Accept the default settings for the remaining pages of the Application Definition Wizard, clicking Finish on the Confirm settings page. The terminal emulator-based application definition is now listed in the left pane under Application Definitions. Setting Question-Based Authentication Question-based authentication allows you to provide secure authentication to users who change their primary password under specific circumstances, change their method of authentication, or have their accounts locked. The use of security questions and question-based authentication can help protect against access by unauthorized users by requesting information known only to your individual users. The questions you create must request nonpublic information that would be difficult for anyone other than the authorized users to provide or find (for example, difficult for brute force guessing or dictionary based attacks). For this scenario, setting up question-based authentication will take place over three phases: Phase 1: Preparing to manage questions. Phase 2: Creating and editing questions. Phase 3: Adding a question to a questionnaire. To set question-based authentication Phase 1: Preparing to manage questions Citrix Password Manager contains a number of prepared questions. This scenario will use those as well as allow you to create additional questions.

36 36 Citrix Password Manager Evaluator's Guide Setting Up and Administering Your User Environment 1. In the Password Manager Console, expand the Identity Verification node and select Question-Based Authentication. 2. From the Action menu, choose Manage questions. The Manage Questions dialog box appears. Navigate through the Manage Questions dialog box by selecting page names in the left pane of the dialog box. 3. On the Question-Based Authentication page, ensure the default language is English. Continue with Phase 2 where you will find existing questions and add a new one. To set question-based authentication Phase 2: Creating and editing questions In this task, you will create and then edit a security question. You must complete To set question-based authentication Phase 1: Preparing to manage questions on page 35 before starting this task. 1. On the Security Questions page, click Add Question. 2. In the Security Question dialog box: a) Type the following: What is the name of your favorite television program? b) Set the value in the Minimum number of characters in user answer to 4. c) Click OK. The question is added to the list of questions on the Security Questions page. While each of the earlier questions show Yes in the In Use column, the new question shows No. 3. Select the new question and click Edit. Click OK to acknowledge the warning not to change the meaning of the question. The Security Question dialog box, containing the new question, appears. 4. In the Security Question dialog box, change "program" to "show" and click OK. The revised question appears on the list of questions on the Security Questions page. Continue to Phase 3 where you will work with a questionnaire. To set question-based authentication Phase 3: Adding a question to a questionnaire In this task you will add the new question to the existing questionnaire. You must complete To set question-based authentication Phase 2: Creating and editing questions on page 36 before starting this task. 1. On the Questionnaire page, click Add. The Add Questions and Question Groups dialog box appears. 2. Click the check box for What is the name of your favorite television show? and click OK. The question is added to the bottom of the list on the Questionnaire page where it will be the last one presented to users. 3. Select your new question and click Move Up four times. Your new question is now at the top of the questionnaire and is the first one seen by users. You added all of the administrative data needed to continue building your evaluation environment. In the next chapter, you will create user configurations to deploy your required settings to the users in your environment.

37 Chapter 7 Configuring Settings and Applying Them to Users Topics: Adding a New User Configuration In this portion of the evaluation, you create a user configuration and use it to apply the required settings and policies to the user account defined for your evaluation environment. User configurations define the settings that control how Password Manager Plugin works in your environment. Each user configuration is assigned to specific users, groups, organizational units, or domains. A user configuration contains information about the applications, password policies, licensing, and the plugin behavior for the user environment.

38 38 Citrix Password Manager Evaluator's Guide Configuring Settings and Applying Them to Users Adding a New User Configuration The following table contains a summary of the user requirements first presented when you were preparing for the evaluation environment. As you create the user configuration, refer to this table to ensure that the settings you select comply with these requirements. Requirement 1 Strict password policy for host-based application 2 Terminal emulator-based application does not allow special characters in passwords 3 Force user to reauthenticate before submitting application credentials (host application only) 4 Do not allow user to reveal password (host application only) 5 Host application access 6 Windows application access 7 Web application access 8 Users set up credentials for all applications the first time they use Password Manager Plugin 9 Users can reveal passwords 10 Users must reauthenticate before their password is revealed The user configuration definition used for this scenario is created in three phases: Phase 1: Identifying the configuration, data location, and product edition. Phase 2: Creating application groups. Phase 3: Configuring Password Manager Plugin interaction. To add a user configuration for the evaluation environment Phase 1: Identifying the configuration, data location, and product edition For this evaluation task, log on to the administrator's computer with the domain administrator account. The Password Manager Console should be open. 1. In the Password Manager Console left pane, select User Configurations. 2. From the Action menu, click Add new user configuration. 3. Use the User Configuration Wizard to create your user configuration. Accept the default settings on the first two pages of the wizard except as detailed in the following table: Wizard Page Control Setting Name user configuration Name Evaluation User configuration association > Active Directory Hierarchy (OU or User) Click Browse to navigate to the user you set up earlier. Select product edition Product edition XenApp Platinum or Password Manager Enterprise After completing the first two pages of the wizard, proceed to Phase 2 to create application groups.

39 Citrix Password Manager Evaluator's Guide Configuring Settings and Applying Them to Users 39 To add a user configuration for the evaluation environment Phase 2: Creating application groups Application groups are used to assign applications to user configurations. As you will see in this scenario task, application groups can consist of only one password policy. All applications in an application group follow the constraints of a password policy. If you don't specify a password policy, the default password policy is used. Because this scenario requires a stricter password policy for terminal emulator-based applications, you must create two application groups: one for the terminal emulator-based application, the other for the remaining applications. You must complete To add a user configuration for the evaluation environment Phase 1: Identifying the configuration, data location, and product edition on page 38 before starting this task. 1. Create an application group for the terminal emulator-based application. a) On the page, click Add. The New Application Group dialog box appears. b) In the application group name field, type Accounting Terminal Emulator Application. c) From the Select password policy list, select the Accounting Terminal Emulator Application password policy you created in To create a password policy on page 28. d) From the Available Applications list, select the terminal emulator-based application and click the right arrow to move it into the Selected applications list. e) Click Check All to place a check mark in the box next to terminal emulator-based application. The application is enabled for initial credential setup, which means users are prompted to store their credentials the first time they use Password Manager Plugin. f) Click OK to close the New Application Group dialog box. A message appears asking if you want to enable support for terminal emulators in Password Manager Plugin. g) Click Yes. This action returns you to the Choose applications page. 2. Create an application group for the remaining applications. a) Click Add to add a second application group. b) Create a new application group named General Use Applications. c) Select Default Policy for the password policy. d) On the Available Applications list, select Logon Tester and MyCitrix.com and click the right arrow to move the applications to the Selected Applications list. e) Click Check All to enable initial credential setup for Logon Tester and MyCitrix.com. f) Click OK to close the New Application Group window. The two application groups you created are shown in the list on the Choose applications page. This completes Phase 2. Continue with Phase 3. To add a user configuration for the evaluation environment Phase 3: Configuring Password Manager Plugin interaction After you create the application groups, you configure how Password Manager Plugin interacts with the user configuration. You must complete To add a user configuration for the evaluation environment Phase 2: Creating application groups on page 39 before starting this task. 1. From the Choose applications page, click Next. The Configure agent interaction page appears. 2. Enable Allow users to reveal all passwords in Logon Manager to satisfy our evaluation scenario requirement that users be able to reveal passwords for applications. This setting is overridden when the terminal emulator-based application is used because the Accounting Terminal Emulator Application password policy does not allow users to reveal their passwords.

40 40 Citrix Password Manager Evaluator's Guide Configuring Settings and Applying Them to Users 3. Verify that Force re-authentication before revealing user passwords is enabled. 4. Click Advanced Settings and in the Advanced Agent Settings dialog box: a) In the left pane, select Application Support. b) Verify that the Enable support for terminal emulators check box is selected. c) Click OK. The Advanced Agent Settings dialog box closes and the Configure agent interaction page appears. 5. Click Next. 6. On the Configure licensing page, in the License server name field, type the administrator's computer name, where the License Management Console is installed for this scenario, and click Next. 7. Proceed through the remaining pages of the wizard. Ensure the settings in the following table are enabled. Otherwise, accept the default settings. Click Finish on the Confirm settings page. Wizard Page Control Setting Select data protection methods Users' authentication data Selected Select secondary data protection method Enable self-service features Prompt user to enter the previous password or security questions Allow users to reset their primary domain password Allow users to unlock their domain account Selected Selected Selected Key Management Module URL Type the fully qualified domain name for the computer running Password Manager service (for this scenario, the administrator's computer) The user configuration, Evaluation, is added to the left pane under User Configurations. 8. Close the console. Your user configuration settings are now complete. You are ready to deploy Citrix Password Manager Plugin.

41 Chapter 8 Installing the Citrix Password Manager Plugin Topics: Deploying Password Manager Plugin to Your Users In the previous chapter, you created the user configuration that provides the settings to our evaluation user. You will now create an installation package for Password Manager Plugin and use it to deploy the plugin to your user's computer.

42 42 Citrix Password Manager Evaluator's Guide Installing the Citrix Password Manager Plugin Deploying Password Manager Plugin to Your Users To access local applications, users must run Password Manager Plugin on their client devices. Mobile users can also install Password Manager Plugin on their laptop so they can use the plugin features even when they are not connected to the network. Synchronization of user credentials occurs when mobile users reconnect to the network. To create the Password Manager Plugin installation package This task creates a Password Manager Plugin installation package matching the requirements set for this scenario. Create the installation package with the administrator's computer and save it to a location accessible from the user's computer, such as a shared folder or a flash drive. 1. From your Password Manager installation media, start the installation program (%installation media%\autorun.exe). 2. From the Citrix Password Manager installation main menu, click Step 4: Install Password Manager Plugin. 3. Click Create Password Manager Plugin installation image. 4. In the Password Manager Plugin Installation Wizard welcome page, click Next. 5. On the Administrative Installation Package Creation page, navigate to the location in which you want to save the installation package file and then click Next. 6. On the Feature Selection page, select and enable the installation of Self-Service, then click Next. 7. On the Central Store Configuration page, select NTFS Network Share, type the central store location you created earlier: \\computer name\citrixsync$, and then click Next. 8. On the Specify Server Address page, type the address of the computer running Password Manager Service, which, in this scenario, is the administrator's computer. Click Next. 9. A warning appears stating that you must install the C Run-Time Libraries before installing the image from an installation package onto a computer using Windows Vista, Windows Server 2008, or Active Directory. The C Run- Time Libraries are on the Password Manager installation media. Click OK to continue. 10. On the Admin Installation Verify Ready page, click Next. The installation package, Citrix Password Manager Plugin.msi, with the settings you specified is created and saved in the directory you specified. 11. Click Finish to close the wizard and Exit to close the installation program. Installing Password Manager Plugin In To create the Password Manager Plugin installation package on page 42, you created an installation package called Citrix Password Manager Plugin.msi. You will now use that file to install the Password Manager Plugin on your user's computer. To install Password Manager Plugin You must complete To create the Password Manager Plugin installation package on page 42 before starting this task. Important: Before installing Password Manager Plugin from a command prompt onto a Windows Vista computer, you must first install the updated C Run-Time Libraries available from the installation media. The installation will fail without the updated C Run-Time Libraries. 1. If using Windows Vista or Windows Server 2008, install the C Run-Time Library: For 32-bit computers: From the installation media, run Support\vcredist\vcredist_x86.exe For 64-bit computers: From the installation media, run Support\vcredist\vcredist_x86.exe and Support\vcredist \vcredist_x64.exe 2. Copy Citrix Password Manager Plugin.msi to the user's computer.

43 Citrix Password Manager Evaluator's Guide Installing the Citrix Password Manager Plugin Launch Citrix Password Manager Plugin.msi. 4. On the Installation Wizard welcome page, click Next. 5. On the Destination Folder page, click Next to accept the default installation path. 6. On the Ready to install the application page, click Install. 7. When the installation is complete, click Finish to close the wizard. 8. If prompted to restart the computer, click Yes. The next chapter covers the user experience including starting Password Manager Plugin, registering to use Password Manager, and using the plugin to log on to applications and change passwords.

44

45 Chapter 9 Using Password Manager Plugin Topics: Using Password Manager Plugin for the First Time Logging On Using Password Manager Using the Account Self-Service Features Now that Password Manager Plugin is installed, this chapter describes how to use it. You will assume the role of the user and logon to Password Manager Plugin for the first time. As part of this initial logon, you will register to use Password Manager Plugin. That means you will provide credentials for the three applications you defined earlier as well as provide answers for the security questions. We begin by registering to use Citrix Password Manager. Then we continue through using Password Manager Plugin to log on to applications and to change passwords. Topics in this chapter include: Registering with Citrix Password Manager Storing passwords in the Logon Manager Logging on to applications using Password Manager Plugin Changing an application password Changing your domain password

46 46 Citrix Password Manager Evaluator's Guide Using Password Manager Plugin Using Password Manager Plugin for the First Time This section describes how to start Password Manager Plugin, and how to register to use Citrix Password Manager. When you created the user configuration, you indicated that you wanted Password Manager to have your users provide answers for the security questions when they log on for the first time. You also configured the application groups to request and store the users' credentials for the grouped applications. When users provide these answers and credentials, they are registering to use Password Manager. To register security question answers and passwords During this initial logon to Password Manager, you will be asked to answer the five security questions you established while setting up question-based authentication. Be sure to remember your answers because you will need them in upcoming tasks. During this task, you are also prompted to provide logon information for the three test applications. You enabled this prompt while creating the application group portion of the user configuration. Receiving this prompt meets one of the user requirements set at the beginning of this evaluation. 1. Log on to the user's computer using the user account you created when preparing for this scenario. 2. In the Citrix Password Manager Registration dialog box, click Register. The Security Questions Registration wizard appears. 3. Click Next. The question that you created and assigned to be first in the questionnaire appears. 4. Complete this wizard by answering this and the next four questions with responses you can recall in upcoming tasks. The Citrix Password Manager Registration dialog box appears 5. Click Store. The Setup Wizard - Application Logons dialog box appears. 6. From the Application list, select the terminal emulator-based client and then click Edit. 7. In the Setup Wizard - <host-based client> Logons page, provide your user name and password for the terminal emulator-based application you are using and click OK.. 8. From the Application list, select Logon Tester and then click Edit. 9. In the Setup Wizard - Logon Tester Logons page, do the following: a) In the Username/ID field, type Citrix. b) In the Password and Confirm fields, type Citrixdemo. c) In the Third (1) field, type reviewers. d) Click OK. 10. From the Application list, select MyCitrix.com and then click Edit. 11. In the Setup Wizard - MyCitrix.com Logons page, do the following: a) In the Username/ID field, type prodtest1. b) In the Password and Confirm fields, type genlogon123. c) Click OK. 12. Click OK. 13. Click Finish. Logging On Using Password Manager When Password Manager stores credentials, you do not have to enter them again when logging on to an application. Password Manager detects the logon forms for defined applications and automatically submits your credentials.

47 Citrix Password Manager Evaluator's Guide Using Password Manager Plugin 47 To start the demonstration Windows application 1. Locate the \WinApp folder where you saved the Logon Tester executable file (LogonTester.exe) and launch Logon Tester. Password Manger automatically fills in the User Name, Password, and Third fields with the information you provided in Using Password Manager Plugin for the First Time on page 46 and clicks Submit, logging you on to the application. 2. Click OK to close the message. To initiate a password change in a Windows application 1. In the Logon Tester dialog box, click Change. The Dialog form defined in Adding a Windows Application Definition on page 29 appears. Password Manager Plugin detects this and starts the Password Change Wizard. 2. Click Next to continue. 3. On the Choose how to create your new password page, click Create your own password and then click Next. 4. On the Create your own password page, in the New Password and Confirm new password field, type demo2 and click Next. An error message appears because the new password violates the default password policy that states the password must contain between 8 and 20 characters. 5. Click OK. The error message closes and the Create your own password page remains on your screen. 6. In the New Password and Confirm new password fields, type password and click Next twice. 7. Click Finish to close the Password Change Wizard. To start the demonstration Web application Open Internet Explorer and go to Password Manager automatically submits the logon information you provided in Creating Application Definitions on page 29. Indicators that you successfully logged on, such as "Welcome Reviewer," appear on the Welcome Web page. To start the demonstration terminal emulator-based application 1. Start your terminal emulator-based application. When the Sign On screen appears, the Citrix Password Manager Authentication dialog box appears. You are required to re-authenticate because you enabled Force user to re-authenticate before submitting application credentials in Creating Password Policies on page Click OK to close the dialog box and then press CTRL+ALT+DEL. 3. Log on using the same user name and password you used to log on to the computer. After you re-authenticate, Password Manager submits the logon information for the terminal emulator-based client. Using the Account Self-Service Features One of the requirements for this scenario was for the user to be able to use the account self-service features: password reset and account unlock. When you installed Password Manager Service, you specified that the Self-Service Module should be included. Additionally, when you created the user configuration, you enabled the self-service features. To reset a password with account self-service on a Windows Vista or Windows Server 2008 computer To prepare for this task, lock your computer by pressing CTRL+ALT+DELETE.

48 48 Citrix Password Manager Evaluator's Guide Using Password Manager Plugin 1. At the Welcome screen, press CTRL+ALT+DELETE. The Logon screen, indicating that the computer is locked, appears. 2. Click Other Credentials. 3. Click Account Self-Service. 4. On the Account Self Service screen, click the text Click here to reset your password or unlock your account. The Account Self-Service Wizard appears. 5. Click Reset my password and then Next. 6. On the Identify Your Account page, ensure that the correct user name and domain are shown and click Next. The Reset My Password page appears, informing you that you must confirm your identity by answering the security questions. Your answers must match those that you provided in To register security question answers and passwords on page Click Next. The first of your five security questions appears. 8. Answer the five security questions. 9. Provide your new password and click Next. To unlock an account with account self-service on a Windows Vista or Windows Server 2008 computer To prepare for this task, lock your computer by pressing CTRL+ALT+DELETE. 1. At the Welcome screen, press CTRL+ALT+DELETE. The Logon screen, indicating that the computer is locked, appears. 2. Click Other Credentials. 3. Click Account Self-Service. 4. On the Account Self Service screen, click the text Click here to reset your password or unlock your account. The Account Self-Service Wizard appears. 5. Click Reset my password and then Next. 6. On the Identify Your Account page, ensure that the correct user name and domain are shown and click Next. The Reset My Password page appears, informing you that you must confirm your identity by answering the security questions. Your answers must match those that you provided in To register security question answers and passwords on page Click Next. The first of your five security questions appears. 8. Answer the five security questions. The account is unlocked and you can log on as usual.

49 Chapter 10 Further Information and Resources Topics: Moving from Evaluation to Implementation Additional Features and Components Securing Your Environment Enhancing the User Experience Finding More Information About Password Manager Using this guide, you installed and licensed Citrix Password Manager and tested some basic features, such as creating administrative data and demonstrating how that data works with Password Manager Plugin in an example scenario. This chapter includes further information about Password Manager, as well as resources for finding more information about this product and integrating it into your network environment.

50 50 Citrix Password Manager Evaluator's Guide Further Information and Resources Moving from Evaluation to Implementation To implement Citrix Password Manager in a pilot or production environment: Plan your deployment, determining your hardware and environment needs Build your test environment and use it to validate your design and pilot Deploy Password Manager to your users In addition to the features and functionality shown during this evaluation, a number of other features and components of Password Manager are designed to improve the security and flexibility of your environment. You may want to include these additional features and components in your test environment and, ultimately, when you deploy Password Manager to your users. These other features and components are briefly described in this chapter. Note: The evaluation was designed to quickly show a number of basic features available for Password Manager. Full implementation of Password Manager should be done by domain-level administrators after careful research and planning. For more information, see the Citrix Password Manager Installation Guide and the Citrix Password Manager Administrator s Guide. Additional Features and Components A number of other features and components are designed to add to the security of your implementation, and improve both the user and administrative experience. Password Manager reduces help desk calls for password support, allows users to quickly move among client devices, allows users to log on to any application from one or more Windows accounts, and allows you flexibility in implementing and updating your environment. The User Experience: Password Manager Plugin Password Manager Plugin resides locally on a user s client device; alternatively, it can be run by a user on a computer running Citrix XenApp. Password Manager Plugin submits the appropriate credentials to the applications running on the user s client device, enforces password policies, provides self-service functionality, and enables users to manage their credentials with the Logon Manager. As administrator, you define the settings and application definitions that are kept in the central store.

51 Citrix Password Manager Evaluator's Guide Further Information and Resources 51 Figure 4: This picture shows that when a user tries to access an application that requires authentication, the agent software detects the application s request for authentication. The agent finds the correct credentials in the local or central credential store and submits them to the application. The local and centralized stores are synchronized. The diagram also shows how administrative data is created with Password Manager Console or the Application Definition Tool and passed to the user through the central store. Finally, if Password Manager Service is installed, it communicates with the other Password Manager components to provide the user with features defined by the administrator. Password Manager Plugin includes the following features, any or all of which can be centrally disabled by the administrator. Easy configuration from the notification area Logon Manager for individual user support New logon setup The Password Manager Plugin notification area icon provides direct access to user-specific configuration, allowing users to pause and restart the plugin, manage their credentials, and access online help. Users can launch their Logon Manager to view, edit, and delete credentials. Users can add credentials for additional applications using the New Logon Wizard. Password Manager Plugin stores information entered in the New Logon Wizard for retrieval the next time the user launches the application.

52 52 Citrix Password Manager Evaluator's Guide Further Information and Resources User mobility Rapid user switching Password sharing groups Custom levels of authentication Account association Password Manager Plugin supports remote and mobile users. Remote users can access their credentials whether they are connected to or disconnected from the corporate network. Mobile users can easily move from one computer to another and multiple users can securely share one workstation. The Hot Desktop feature is designed for environments where users share workstations and need quick access to their applications. When you use Hot Desktop, users can pick up their application sessions from where they left off at the last client device on which they worked. Users log on and log off in seconds, saving time. Because users log on with their own user name and password, security is not compromised and you can ensure that users have access only to the system resources they need. This feature requires additional configuration and installation steps. For more information about Hot Desktop, see the Citrix Password Manager Administrator s Guide. Password sharing groups allow Password Manager Plugin to manage multiple credentials for applications that use the same method of authentication. You can create a password sharing group to automate and simplify the password change process. If an application is in a password sharing group and a password change occurs, the change propagates to all the other application definitions within the password sharing group. Depending on your environment s needs, you can design Password Manager to accept varied groups of users who authenticate using different methods, such as passwords, smart cards, or RSA tags. Password Manager integrates smoothly with your existing environment with no need to adopt or change your existing authentication methods. The Account Association option allows users to log on to any application from one or more Windows accounts. These controls allow users to associate logon information among multiple Windows accounts. Users can create an association between accounts on different domains. By using this feature, users' credentials are synchronized, with password changes carried across domains. The Administrator Experience: Password Manager Console Using Citrix Password Manager Console as part of this evaluation, you created password policies, configured an application for single sign-on support, and managed your users Password Manager Plugin settings. Using the console in a pilot or production environment, you can also control all aspects of application password management: Configure application definitions used by Password Manager Plugin to communicate with password-protected applications Enforce password policies for your organization Control how much or how little interaction your users have with Password Manager Plugin and whether or not users are authorized to access their stored credentials Console wizards walk you through the steps required to create password policies and application definitions, and manage users credentials and settings. You can create different user configurations to customize the user experience for different user groups. Application Definition Tool Included with Citrix Password Manager is an Application Definition Tool that allows your administrators to create application definitions for use in your network environment. Built using the exact functionality and user interface provided with Password Manager Console, the tool can be installed or run on a variety of servers and workstations, allowing administrators to add application definitions to your central store without installing the console software. Credential Provisioning Credential provisioning is provided through Password Manager Service. Provisioning is used to manipulate user credentials associated with applications defined in a user configuration. Provisioning enables you to automate the credential management procedures and apply them to multiple users. For example, you can use credential provisioning to eliminate the need for first-time Password Manager Plugin users to perform initial credential setup. If

53 Citrix Password Manager Evaluator's Guide Further Information and Resources 53 you plan to deploy new software to your users, create a definition for the application and use credential provisioning to add the credentials automatically for all users who will use the application. Securing Your Environment Password Manager is the secure way to manage credentials within your organization. We also provide additional layers of security to allow you to meet higher standards set by Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, and European Union Data Protection Directive. This is provided in the form of the Citrix Password Manager Service, which includes Data Integrity for securing communication between the components of Password Manager and Self- Service Password Reset to allow users to reset their own passwords. Self-Service Password Reset Cryptographic data integrity assurance Self-Service Password Reset allows users in an Active Directory environment to reset their primary password from their desktops by responding to a series of life-related questions. This feature further reduces help desk costs associated with resetting user passwords. Data Integrity provides an additional layer of security control by using cryptographic signing to ensure the integrity of configuration settings and policies read by Password Manager Plugin. This feature also protects against man-in-the-middle attacks on the corporate network. Enhancing the User Experience Key features incorporated by Password Manager to enhance the user experience include: Automatic Key Recovery Password Sharing Groups Hot Desktop This is a Password Manager Service that seamlessly allows users to change their main password and access their stored credentials without answering further identity verification challenges. This process is completely transparent to your users. Password sharing groups allow your users to use the same password for a number of applications that use the same method of authentication. For example, if you have two applications that use the same Oracle database to authenticate, you can place these two applications in the same password sharing group. When your users change their password for either application, the other application s credentials are updated automatically. Hot Desktop provides improved user productivity and more seamless access to IT resources. Less time spent waiting for a computer to start and load a user s profile means productivity time and money saved. In environments with locally installed applications on shared workstations, such as health care, retail, and manufacturing, users can log on and log off in seconds, not minutes. Finding More Information About Password Manager Welcome to Citrix Password Manager (Password_Manager_Read_Me_First.html) contains links to documents that help get you started. It also contains links to the most up-to-date product documentation, plus related technologies. You can access this document from the Password Manager installation media Autorun, by clicking Step 1: View installation checklist and other documentation. Alternatively, you can find the Welcome to Citrix Password Manager in the Citrix Knowledge Center ( The Citrix Knowledge Center contains links to all product documentation, organized by product. Select the product you want to access and then click the Documentation tab from the product information page. Known issues information is included in the product readme. Information about Citrix training is available at

54