Citrix Password Manager Quick Deployment Guide
Install and Use Password Manager on Presentation Server in Under Two Hours
Citrix Systems, Inc.
Notice

The information in this publication is subject to change without notice. THIS PUBLICATION IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. CITRIX SYSTEMS, INC. ("CITRIX"), SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN, NOR FOR DIRECT, INCIDENTAL, CONSEQUENTIAL OR ANY OTHER DAMAGES RESULTING FROM THE FURNISHING, PERFORMANCE, OR USE OF THIS PUBLICATION, EVEN IF CITRIX HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES IN ADVANCE.

This publication contains information protected by copyright. Except for internal distribution, no part of this publication may be photocopied or reproduced in any form without prior written consent from Citrix.

The exclusive warranty for Citrix products, if any, is stated in the product documentation accompanying such products. Citrix does not warrant products other than its own.

Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

Copyright 2006 Citrix Systems, Inc., 851 West Cypress Creek Road, Ft. Lauderdale, Florida 33309-2009 U.S.A. All rights reserved.

Version History
Citrix Consulting, Version 1.0 Final, 08/23/06

Citrix Password Manager Quick Deployment Guide i
Table of Contents

Document Overview ... 1
  Objective ... 1
  Terminology Guide ... 1
Quick Deployment Summary ... 2
  Getting Started ... 2
  Key Decision Matrix ... 2
Citrix Password Manager Deployment Process ... 4
  1. Configure Citrix Access Suite License Server (10 minutes) ... 4
  2. Configure Central Store (10 minutes) ... 7
  3. Install Citrix Access Suite Console (10 minutes) ... 9
  4. Configure Applications for Single Sign-On (30 minutes) ... 16
  5. Configure Applications for Automated Password Change (15 minutes) ... 30
  6. Assign Citrix Password Manager to Users/Groups (15 minutes) ... 41
  7. Install and Test Citrix Password Manager Agent (20 minutes) ... 52
  8. Deploy Agent to All Target Computers Running Citrix Presentation Server (10 minutes) ... 66
Appendix ... 74
  Appendix A: Additional Resources ... 74
  Appendix B: Obtaining Support ... 74
  Appendix C: Installing the Citrix Access Suite License Server ... 74
  Appendix D: Creating an NTFS File Share Central Store in a Specific Location ... 78
  Appendix E: Integrating the Citrix Password Manager and Citrix Presentation Server Access Suite Consoles ... 79
  Appendix F: Utilizing Pre-Built Templates for Configuring Application Single Sign-On ... 84
  Appendix G: Installing the Citrix Password Manager Service and Configuring Question-Based Authentication ... 90
Document Overview

Objective

The purpose of this document is to provide step-by-step instructions on installing and configuring Citrix Password Manager within a Citrix Presentation Server environment. Administrators will be provided simple choices to identify the most efficient and streamlined deployment. For most decisions, a Citrix recommendation will be provided. This includes decisions on component installation and configuration, applications to enable for single sign-on, password change management, security settings, and which end users to provide with single sign-on capabilities.

By using this document, the administrator will be able to:
- Quickly implement a basic Citrix Password Manager deployment for use within a Citrix Presentation Server environment
- Enable single sign-on and automated password change for three to five key Windows and Web applications used within Citrix Presentation Server
- Provide a Phase I rollout of Citrix Password Manager to 10 to 20 individuals within your organization. This deployment can be expanded to more users, more applications, and more features in future phases, as the base Citrix Password Manager infrastructure will already be in place

Terminology Guide

The following terminology will be used throughout this document to describe the Citrix Password Manager components and features:

Citrix Password Manager Agent: client component that is installed on Citrix Presentation Server to provide single sign-on and automated password changes to published applications.
Citrix Access Suite License Server: server that centrally stores all Citrix Access Suite licenses.
Citrix Access Suite Console: administrative console used for configuring a Citrix Access Suite product. Both Citrix Password Manager and Citrix Presentation Server provide an Access Suite Console MMC Snap-In for administering the respective products.
Citrix Presentation Server Console: administrative console used for configuring the Citrix Presentation Server environment.
Citrix Password Manager Service: optional component used to implement advanced features such as Account Self Service, Password Provisioning, Automatic Key Recovery, Data Integrity, and Multiple Question Authentication.
Central Store: central repository for storing Citrix Password Manager configurations and user credentials. The central store allows users to roam from agent machine to agent machine and still receive single sign-on to their applications without having to re-enter credentials on each machine. This document will leverage an NTFS file share as the central store.
Application Definition: group of settings that define how the Citrix Password Manager Agent should recognize an application logon screen and supply credentials to the appropriate fields.
Password Policy: set of rules used by the Citrix Password Manager Agent to auto-generate a new password for an application.
User Configuration: set of application definitions and agent settings assigned to a particular user or group. User configurations allow an administrator to assign different sets of application definitions and settings to different groups within an organization.
Quick Deployment Summary

The high level steps for deploying a basic implementation of Citrix Password Manager are as follows. The time estimate for each step is also listed to help you with planning your deployment.
1. Configure Citrix Access Suite License Server: 10 minutes
2. Configure Central Store: 10 minutes
3. Install Citrix Access Suite Console: 10 minutes
4. Configure Applications for Single Sign-On: 30 minutes
5. Configure Applications for Automated Password Change: 15 minutes
6. Assign Citrix Password Manager to Users/Groups: 15 minutes
7. Install and Test Citrix Password Manager Agent: 20 minutes
8. Deploy Agent to All Target Computers Running Citrix Presentation Server: 10 minutes

Getting Started

Before beginning this deployment guide, ensure that you have the following:
- Citrix Password Manager 4.1 CD-ROM
- Citrix Password Manager 4.1 software license key
- Citrix Password Manager 4.1 Service Pack 1, downloaded from the Citrix website (http://support.citrix.com/article/ctx109000)

Key Decision Matrix

The following matrix will be used as a basic blueprint or design for the Password Manager deployment. Fields will be filled in as you progress through this guide. Upon completion, save this matrix as a reference for your Citrix Password Manager deployment. Each row lists the decision point, the decision to record, and a sample justification.

Citrix Password Manager Components Installation

Decision point: Citrix Access Suite License Server
Decision: License server name
Sample justification: Existing license server for the Citrix Presentation Server farm.

Decision point: Central Store
Decision: Central store server name and UNC path
Sample justification: Using the license server to host the file share central store provides a centralized location that is accessible by all computers running Citrix Presentation Server where the Agent is installed. The hard drives have adequate space and are mirrored for redundancy.

Decision point: Citrix Access Suite Console
Decision: Server name(s) where the Access Suite Console is installed
Sample justification: The Citrix Password Manager Access Suite Console plug-in was installed on SERVERNAME since that is where the Access Suite Console was installed for Citrix Presentation Server administration.

Decision: Server name(s) where the Application Definition Tool (ADT) is installed
Sample justification: The Application Definition Tool was installed on SERVERNAME since that is the location where the applications requiring single sign-on are installed.
Decision point: Citrix Password Manager Service
Decision: Not installed
Sample justification: For the Phase I deployment, service-based features will not be utilized.

Decision point: Agents
Decision: Server names of Citrix Presentation Server computers where the agent is installed
Sample justification: These are the servers hosting applications enabled for single sign-on.

Application Configuration

Decision point: Applications Configured for Single Sign-On
Decision: List applications to be single sign-on enabled
Sample justification: These applications are only accessed in the Citrix Presentation Server environment and are heavily used.

Decision point: Applications Configured for Automated Password Change
Decision: List applications configured for automated password change
Sample justification: These applications are only accessed in the Citrix Presentation Server environment and require password changes every X days.

Password Change Management

Decision point: Password Policies
Decision: List the password policies that will be used, including which applications they will be associated with. One password policy should be created for each account authentication authority.
Sample justification: These applications require users to change their password every X days.

Decision point: Password Change Behavior
Decision: Specify how a user will interact with the system when a password change event is encountered
Sample justification: The default option, User Prompted for Action, will be used as this allows users to choose whether they want to specify their own new password or let the Citrix Password Manager Agent auto-generate a new password for the application.

Security Configuration

Decision point: Identity Verification
Decision: Specify what option will be used for identity verification when a user's AD password changes outside of Presentation Server
Sample justification: Previous Password will be used as the key recovery mechanism for all users since this method does not require the Citrix Password Manager Service.

User Configuration

Decision point: Users or Groups that will be configured for Single Sign-On
Decision: List the users or groups that will be configured for single sign-on
Sample justification: These users requested to be in the Phase I rollout of Citrix Password Manager to evaluate the product and determine future single sign-on plans.
Citrix Password Manager Deployment Process

This section describes the Citrix Password Manager deployment process.

1. Configure Citrix Access Suite License Server (10 Minutes)

Description

The Citrix Access Suite license server is a required component that centrally stores licenses for all products of the Citrix Access Suite, including:
- Citrix Presentation Server 3.0 and 4.0
- Citrix Password Manager 4.0 and 4.1
- Citrix Access Gateway Advanced Edition 4.0 and 4.2

The Citrix Password Manager Agent checks out licenses from the license server upon startup and retains the license for a specified lease period. When the lease period expires, the Citrix Password Manager Agent needs to acquire a new license from the license server before functioning again.

The Citrix Access Suite license server is administered using the License Management Console. The License Management Console is a web-based utility that allows new licenses to be imported, license usage to be monitored, and license administrators to be managed.

Key Decisions and Citrix Recommendations

The key decisions and recommendations for the Citrix Access Suite license server component are listed below.

Key Decisions

License Server Version Number: Citrix Password Manager needs to integrate with a Citrix Access Suite license server at the 4.0 level.
- If you currently have a MetaFrame XP server farm, a license server must be installed from the autorun menu on the Citrix Password Manager product CD.
- If you currently have a Citrix Presentation Server 3.0 server farm, the current license server must be upgraded to the 4.0 level from the autorun menu on the Citrix Password Manager product CD.
- If you currently have a Citrix Presentation Server 4.0 server farm, the license server is already at the correct version.

Citrix Recommendations

License Server Placement:
- If you currently have a MetaFrame XP server farm, install the Citrix Access Suite license server on any IIS Web Server within your organization.
- If you currently have a Citrix Presentation Server 3.0 server farm, upgrade this license server to the 4.0 release using the Citrix Password Manager 4.1 media.
- If you currently have a Citrix Presentation Server 4.0 server farm, no license server installation or upgrade needs to be performed.
The license file for Citrix Password Manager needs to be uploaded into the license server.
Step-by-Step Guide

If you do not have a Citrix Access Suite license server in your environment, or you would like to use a separate Citrix Access Suite license server for the Citrix Password Manager deployment, Appendix C contains instructions on how to install the Citrix Access Suite license server. Citrix Password Manager requires at least the 4.0 version of the Citrix Access Suite license server, so perform the necessary installation or upgrade as needed.

The Citrix Password Manager 4.1 media contains a license key to allow you to use the product. Using the MyCitrix website (http://www.mycitrix.com), the license key needs to be imported and a license file for your license server needs to be downloaded. Once the license file is retrieved, it needs to be imported into the license server. The steps for retrieving and installing the license file within the license server are listed below.

License File Installation

1. Open a browser and navigate to http://www.mycitrix.com. Log into MyCitrix using your account.
2. Within the MyCitrix website, import the Citrix Password Manager license key from the CD-ROM to generate a license file for the Citrix Access Suite license server. Download the license file and save it to an accessible place on the server hosting your Citrix Access Suite license server.
3. On the server hosting the Citrix Access Suite license server, open the License Management Console by navigating to Start > Programs > Citrix > Management Consoles > License Management Console. Click Configure License Server on this page.
4. On the Configuration tab, click Copy license file to this license server.
5. Browse to the license file downloaded from the MyCitrix website and click Upload.
6. Once the license file is uploaded, the Current Usage tab displays your new Citrix Password Manager license.

2. Configure Central Store (10 Minutes)

Description

The central store is a central repository for Citrix Password Manager configurations and user credentials. All Citrix Password Manager Agents connect to the central store upon startup to retrieve configurations and stored credentials for the user. By using a central store, users can connect to different agent machines and have their Citrix Password Manager settings and user credentials follow them.

Each Citrix Password Manager Agent computer also hosts a local store that holds a local copy of the configurations and logon information (the local store is unique to each user and resides within their user profile). When the Citrix Password Manager Agent is loaded, the agent attempts to synchronize the local store on the agent computer with the central store by comparing the date/time stamps of the data in both locations. The agent pulls new configurations and credentials down, and pushes user credentials up to the central store. This allows a user to roam from agent to agent and still retain their credentials and configurations no matter which location they are accessing applications from.

Citrix Password Manager supports three different types of central stores: Active Directory, Windows NTFS file share, and Novell NetWare file share. For basic or entry level deployments, the Windows NTFS file share central store is recommended, and its configuration steps are detailed below. For configuring an Active Directory central store or Novell NetWare file share central store, please refer to the Admin Guide on the Citrix Password Manager product CD. The Windows NTFS file share central store and Active Directory central store support all product features; however, the Novell NetWare file share central store does not support the advanced features provided by the Citrix Password Manager Service.
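The synchronization rule just described (compare date/time stamps, pull configurations and credentials down, push credentials up) can be modelled in a few lines. The following Python is an added example written for this guide, not Citrix code and not the agent's real implementation; the store layout, the timestamps and the WebMail application name are constructed, and the plain string values stand in for what the real store holds as protected credential data.

```python
"""Illustrative model of local/central store synchronization (added example,
not Citrix code): configurations flow down only, credentials flow both ways,
and whichever copy carries the newer timestamp wins."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Entry:
    """One stored item plus the modification timestamp used for comparison.
    The timestamp is a constructed integer; the value is a placeholder
    standing in for an application definition or a credential blob."""
    value: str
    modified: int


@dataclass
class Store:
    configs: Dict[str, Entry] = field(default_factory=dict)      # admin-authored
    credentials: Dict[str, Entry] = field(default_factory=dict)  # user-owned


def synchronize(local: Store, central: Store) -> Dict[str, List[str]]:
    """Reconcile a user's local store with the central store in place and
    report which items moved in which direction."""
    actions = {"config_pulled": [], "cred_pulled": [], "cred_pushed": []}

    # Configurations are written only by the console, so the agent never
    # pushes them: a missing or older local copy is replaced by the central one.
    for name, remote in central.configs.items():
        mine = local.configs.get(name)
        if mine is None or remote.modified > mine.modified:
            local.configs[name] = remote
            actions["config_pulled"].append(name)

    # Credentials are created on whichever agent machine the user logged on
    # to, so they move in both directions and the newer timestamp wins.
    for app in sorted(set(local.credentials) | set(central.credentials)):
        mine = local.credentials.get(app)
        remote = central.credentials.get(app)
        if mine is None or (remote is not None and remote.modified > mine.modified):
            local.credentials[app] = remote
            actions["cred_pulled"].append(app)
        elif remote is None or mine.modified > remote.modified:
            central.credentials[app] = mine
            actions["cred_pushed"].append(app)
        # equal timestamps: both copies already match, nothing to do
    return actions


def make_sample_stores():
    """Constructed scenario: the user roams to a second agent machine whose
    local store holds a stale LogonTester definition and a newer MyCitrix
    credential, while the central store has a WebMail credential (constructed
    application name) saved from another machine."""
    central = Store(
        configs={"LogonTester": Entry("definition v2", 200),
                 "MyCitrix": Entry("definition v1", 100)},
        credentials={"MyCitrix": Entry("user/old-secret", 150),
                     "WebMail": Entry("user/mail-secret", 120)},
    )
    local = Store(
        configs={"LogonTester": Entry("definition v1", 100)},
        credentials={"MyCitrix": Entry("user/new-secret", 300),
                     "LogonTester": Entry("user/tester-secret", 250)},
    )
    return local, central


def demo() -> Dict[str, List[str]]:
    local, central = make_sample_stores()
    return synchronize(local, central)


if __name__ == "__main__":
    print(demo())
```

Running the block reconciles the constructed stores once; a second call returns empty action lists, which is the property an agent relies on when it synchronizes at every startup. In this model the merge is last-writer-wins on timestamps, so two agent machines with skewed clocks could overwrite each other's credential for the same application; keeping the clocks of the Presentation Server computers synchronized therefore matters for the central store as much as it does for domain authentication.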
All central store types are equally scalable and secure.

Key Decisions and Citrix Recommendations

The key decisions and recommendations for the central store component are listed below.

Key Decisions and Notes

Central Store Type: Both the Windows NTFS file share and Active Directory central store types allow unique configurations to be applied to different users. The Active Directory central store requires a schema extension to be performed and has built-in replication among the domain controllers. The NTFS file share store is simpler to set up and maintain and is a viable solution in many organizations.
Central Store Location: The central store must be reachable by all Citrix Password Manager Agents. If an NTFS file share central store is utilized, this file share must be accessible by all computers running Citrix Presentation Server no matter their location. The key factors that influence a decision on where to place an NTFS file share central store are as follows:
- Network proximity/latency from the Citrix Presentation Server computers to the server hosting the central store
- Hard drive space and redundancy
- Server backup frequency

Central Store Capacity Requirements: The amount of disk space required for supporting a central store can be estimated as follows:

Disk Space Required = (#users) * (5 KB + (#apps * 0.6 KB))

Example: 1000 users with 5 single sign-on applications each would be calculated as follows:

Disk Space = (1000) * (5 KB + (5 * 0.6 KB)) = 8000 KB = 8 MB of storage space

Citrix Recommendations

Central Store Type: Citrix recommends utilizing an NTFS file share central store for ease of configuration and administration.

Central Store Location: Citrix recommends placing the NTFS file share central store on the Citrix Access Suite license server machine, or on a file server accessible by all computers running Citrix Presentation Server (such as the file server hosting user profiles or the home directory).

Step-by-Step Guide

The steps for creating an NTFS file share central store are listed below. These steps place the file share central store within the default location on the server (C:\CITRIXSYNC) with the default share name (CITRIXSYNC$). The UNC path to this file share is \\<SERVER_NAME>\CITRIXSYNC$. If you would like to place the NTFS file share store in another location on the server, please see Appendix D for these instructions.

NTFS File Share Central Store Configuration

1. Insert the Citrix Password Manager CD-ROM. Within the AutoRun wizard, select Prerequisite > Create your Central Store.
2. Select NTFS network share.
3. Click Yes on the dialog to create the file share.
4. The file share has been created at C:\CITRIXSYNC.

3. Install Citrix Access Suite Console (10 Minutes)

Description

The Access Suite Console is an administrative utility that is used to centrally manage all products of the Citrix Access Suite. Each Citrix Access Suite product provides an MMC snap-in for administering that particular product. If the Access Suite Console for each product is installed on the same administrative server, the MMC snap-ins for each product can be combined into the same MMC interface to provide centralized administration of all Citrix products. The products that provide an Access Suite Console MMC snap-in are as follows:
- Citrix Presentation Server 3.0 and 4.0
- Citrix Password Manager 4.0 and 4.1
- Citrix Access Gateway Advanced Edition 4.0 and 4.2

The Access Suite Console for Citrix Password Manager is used to configure applications for single sign-on and automated password changes, create password policies, configure identity verification questions, and create user configurations. The Access Suite Console provides built-in wizards for configuring single sign-on to Windows, Web, and host-based applications.

If there are applications that need to be configured for single sign-on that are not hosted or accessible on the Access Suite Console machine, the Citrix Password Manager Application Definition Tool can be utilized to configure these applications for Citrix Password Manager. The Application Definition Tool is installed where these applications are hosted and can be used to create, delete, and modify the application definitions. Both the Access Suite Console and the Application Definition Tool need access to the central store to push configurations and settings to the central store for the Citrix Password Manager Agent to pick up during the synchronization process.

Key Decisions and Citrix Recommendations

The key decisions and recommendations for the Citrix Access Suite Console component are listed below.

Key Decisions

Access Suite Console Installation Location: The Access Suite Console for Citrix Password Manager can be installed on any administrative server for management of single sign-on applications, password policies, and other configurations.

Application Definition Tool Installation Location: The Application Definition Tool is used to configure single sign-on for applications that are not hosted on the same server as the Access Suite Console for Citrix Password Manager.

Citrix Recommendations

Access Suite Console Installation Location: Install the Access Suite Console for Citrix Password Manager on the server hosting the Access Suite Console for Citrix Presentation Server. After this installation has been performed, the MMC snap-ins for both Access Suite Consoles can be combined into the same MMC utility to administer all Citrix products from the same location.

Application Definition Tool Installation Location: If a Windows application needs to be configured for single sign-on and it does not reside on the server hosting the Access Suite Console for Citrix Password Manager, install the Application Definition Tool on the Citrix Presentation Server hosting this Windows application. This tool will be used to configure single sign-on for this application and will deploy this configuration to the central store, where the Access Suite Console and Citrix Password Manager Agents can utilize it.

Step-by-Step Guide

The steps for installing the Citrix Access Suite Console for Citrix Password Manager are listed below. These steps should be performed on the server hosting the Access Suite Console for Citrix Presentation Server within your environment. If desired, the Access Suite Console for Citrix Password Manager can be integrated with the Access Suite Console for Citrix Presentation Server. These integration steps can be found in Appendix E.

Note: Before beginning these instructions, ensure you have downloaded Citrix Password Manager 4.1 Service Pack 1 from the Citrix website (http://support.citrix.com/article/ctx109000).

Citrix Access Suite Console Installation and Setup
1. Insert the Citrix Password Manager CD-ROM. Within the AutoRun wizard, select Installation Menu.
2. Select Install Citrix Password Manager Console.
3. Click Next on the welcome screen.
4. Select I accept the license agreement and click Next.
5. Keep all default options and click Next.
6. Click Next.
7. Click Finish.
8. After the Access Suite Console has been installed, install the Citrix Password Manager 4.1 Service Pack 1 downloaded from the Citrix website (http://support.citrix.com/article/ctx109000). Click Next.
9. Click Finish.
10. After the Access Suite Console for Citrix Password Manager is installed, navigate to Start > All Programs > Citrix > Management Consoles > Access Suite Console.
11. Configure and run discovery to connect the Password Manager console to the central store. Click Next on the welcome screen.
12. Keep the default components selected and click Next.
13. Select NTFS network share. Type the UNC path to the NTFS file share central store (\\servername\sharename) and click Next.
14. Click Next.
15. Click Next on the summary screen.
16. Click Finish once the discovery process has been completed.

4. Configure Applications for Single Sign-On (30 Minutes)

Description

The Citrix Password Manager Agent is designed to detect, recognize, and handle password logon events. To configure the agent to perform single sign-on for an application, the administrator needs to create an application definition for that application within the Access Suite Console. Application definitions are a series of settings specific to an application that define how the Citrix Password Manager Agent will detect the application, fill in credentials, and submit the credentials.

Multiple identifier sets can be created for each application by creating separate forms within each application definition. Being able to create multiple forms is essential because programs often display one page for logging on and another for changing passwords. One application definition can contain the two forms for logon and password changes. Multiple forms can also be created to allow users to access new versions of the product without having to re-enter their credentials.

The Access Suite Console includes application definition templates for Citrix applications such as the Web Interface. Additional templates can be downloaded from http://citrix.thinkbuilddeploy.com and imported into the Console. New application definitions can be created for applications that do not have a preconfigured application definition template.

Key Decisions and Citrix Recommendations

The key decisions and recommendations for the single sign-on configuration of applications are listed below.
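To make the structure of an application definition concrete, the following Python models one definition with several forms, each recognised by window title, executable name and the control IDs it expects, and maps stored credential parts onto those controls. This is an added example for this guide, not Citrix code and not the agent's actual matching logic; the control IDs, the second-version window title and the sample credential are constructed. The first form mirrors the LogonTester walkthrough that follows (window title Logon Tester, executable LogonTester.exe, username, password, third field and OK button).

```python
"""Illustrative model of an application definition (added example, not Citrix
code): a definition holds one or more forms; a form is identified by window
title, executable name and expected control IDs; each control ID is assigned
a role (username, password, third field, OK button)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Form:
    name: str                              # e.g. "Logon" or "Change Password"
    form_type: str                         # "Submit Credentials" or "Change Password"
    window_title: str
    executable: str
    controls: Tuple[Tuple[int, str], ...]  # (control ID, role) pairs, constructed IDs


@dataclass
class ApplicationDefinition:
    name: str
    forms: List[Form]
    process_only_first_logon: bool = True


@dataclass(frozen=True)
class OpenWindow:
    """What the agent can observe about a window on the desktop (constructed)."""
    title: str
    executable: str
    control_ids: FrozenSet[int]


def match_form(definition: ApplicationDefinition, window: OpenWindow) -> Optional[Form]:
    """Return the first form whose identifiers all match the window. A window
    that shares the title but not the executable, or that lacks one of the
    expected controls, is not treated as the application, so no credentials
    are offered to it."""
    for form in definition.forms:
        expected_ids = {cid for cid, _ in form.controls}
        if (form.window_title == window.title
                and form.executable.lower() == window.executable.lower()
                and expected_ids <= window.control_ids):
            return form
    return None


def fill_plan(form: Form, credential: Dict[str, str]) -> List[Tuple[int, str]]:
    """Map a stored credential onto the form's controls, in control order.
    Returns (control ID, value or action) pairs; the OK button becomes a click."""
    plan = []
    for cid, role in form.controls:
        if role == "Username/ID":
            plan.append((cid, credential["username"]))
        elif role == "Password":
            plan.append((cid, credential["password"]))
        elif role == "Third field":
            plan.append((cid, credential.get("third", "")))
        elif role == "OK button":
            plan.append((cid, "<click>"))
    return plan


# A definition like the one the LogonTester walkthrough produces: one Submit
# Credentials form with four assigned controls, plus a second logon form for a
# hypothetical newer version (constructed title "Logon Tester 2") to show why a
# definition can carry several forms.
LOGON_TESTER = ApplicationDefinition(
    name="LogonTester",
    forms=[
        Form("Logon", "Submit Credentials", "Logon Tester", "LogonTester.exe",
             ((1001, "Username/ID"), (1002, "Password"),
              (1003, "Third field"), (1004, "OK button"))),
        Form("Logon (v2)", "Submit Credentials", "Logon Tester 2", "LogonTester.exe",
             ((2001, "Username/ID"), (2002, "Password"), (2004, "OK button"))),
    ],
)

# Constructed credential; a real store holds protected credential data.
SAMPLE_CREDENTIAL = {"username": "jdoe", "password": "s3cret", "third": "DOMAIN1"}


def demo() -> Dict[str, object]:
    real = OpenWindow("Logon Tester", "LogonTester.exe", frozenset({1001, 1002, 1003, 1004}))
    newer = OpenWindow("Logon Tester 2", "logontester.exe", frozenset({2001, 2002, 2004}))
    lookalike = OpenWindow("Logon Tester", "Other.exe", frozenset({1001, 1002, 1003, 1004}))
    return {
        "real": match_form(LOGON_TESTER, real).name,
        "newer": match_form(LOGON_TESTER, newer).name,
        "lookalike": match_form(LOGON_TESTER, lookalike),
        "plan": fill_plan(LOGON_TESTER.forms[0], SAMPLE_CREDENTIAL),
    }


if __name__ == "__main__":
    print(demo())
```

The lookalike case is the one to keep in mind when you fill in identifiers: a form that matched on window title alone would offer the user's credentials to any window carrying that title, so this model requires title, executable and control IDs to agree before it returns a form, which is also why the walkthrough below prefers Control ID detection over Send Keys.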
Single Sign-On Key Decisions and Recommendations

Key Decisions

Single Sign-On Applications: For a basic or Phase I rollout, it is suggested that a limited set of Windows and Web applications be selected for single sign-on enablement with the following criteria:
- Applications that are only accessed via Citrix Presentation Server
- Applications that are frequently used
- Applications that have a pre-defined template on http://citrix.thinkbuilddeploy.com

Citrix Recommendations

Single Sign-On Applications: Citrix recommends that you select 3 to 5 applications for the Phase I deployment, made up of Windows and/or Web applications. These applications should already be hosted on Citrix Presentation Server. Try to leverage the pre-built templates on http://citrix.thinkbuilddeploy.com whenever possible to simplify the deployment.

Step-by-Step Guide

The steps below describe how to create an application definition for a sample Windows application. This Windows application, called LogonTester.exe, is located on the Citrix Password Manager CD-ROM within the Tools directory. These steps can be used as a guide for creating new application definitions for Windows applications within your environment.

Note: Before creating new application definitions, it is recommended to check for a pre-defined template on http://citrix.thinkbuilddeploy.com, as this can simplify and speed up the deployment process. Appendix F contains information on how to download and leverage the templates from this website.

Windows Application Logon Form Configuration

1. For the purposes of this walkthrough, the LogonTester.exe application located on the Citrix Password Manager CD-ROM will be configured for single sign-on. The LogonTester.exe application and the accompanying Resources folder from the CD-ROM (located within the Tools directory) need to be copied to the server hosting the Citrix Access Suite Console.
2. In this walkthrough, the LogonTester.exe application and the Resources folder were copied to the C:\Citrix directory of the server hosting the Citrix Access Suite Console.
3. In order to configure a Windows application for single sign-on, the Windows application needs to be launched prior to configuring the logon form within the Access Suite Console. Launch the LogonTester.exe application located within the C:\Citrix folder. This application has three logon fields (username, password, and third). Be sure the logon dialog remains open before proceeding.
Windows Application Logon Form Configuration 4 Within the Access Suite Console, select the Application Definitions node and click Create application definition. 5 Select Windows for the application type and click Start Wizard. Note: If a template was available for this application and the template had been previously imported into the Application Definition Tool, you would select Create from application template and choose the desired template. See Appendix F for more information. 6 Type a name for the application definition (LogonTester in this example). Click Next. Citrix Password Manager Quick Deployment Guide 18
Windows Application Logon Form Configuration 7 The application definition will consist of a series of forms that the Citrix Password Manager Agent will use to recognize and supply credentials to the application. For those applications that just require single sign-on, only the logon form needs to be created. For those applications that also provide a change password dialog, a second form for the change password dialog will need to be created (see the next section for more information). Click Add Form to begin the wizard for configuring the logon form. 8 Type the name for the form (Logon in this example). Select Submit Credentials as the form type. Click the Next button. 9 Click Select. Citrix Password Manager Quick Deployment Guide 19
Windows Application Logon Form Configuration 10 The Select Window dialog displays a list of all open windows on the desktop. Search for the application logon dialog in the list (LogonTester.exe in this example). You will know if you have the right window selected as the application logon dialog will be highlighted in orange (see bottom screen shot) Once the correct application window is selected, click OK on the Select Window dialog. Note: If you do not see your application within this list, be sure the application is still open on the desktop. Re-launch the application, and click Refresh on this screen to locate the dialog. If your application still does not appear within this list, try clicking the Show hidden windows option and clicking Refresh. 11 After the correct application window is selected, the Window Title (Logon Tester) and Executable File Name (LogonTester.exe) will be filled in automatically. Click Next. 12 Select Control ID as the field detection method. Click Select. Note: Control ID is the preferred field detection method. If you click Select and no Control IDs are visible, then Send Keys will need to be used as the field detection method. Citrix Password Manager Quick Deployment Guide 20
13. The Select Control dialog is used to inform Citrix Password Manager which controls on the logon dialog function as the username field, password field, etc. To determine the function of each control, select the control in the list. The selected control will be highlighted in orange within the application itself (see bottom screen shot). Once the username control is selected in the list, right-click and select Username/ID. Repeat this process for all other fields on the logon dialog (password field, third field, and OK button).
14. When all logon fields have been assigned, click the OK button on this dialog. In this example, the LogonTester application has four assigned controls (username field, password field, third field, and OK button).
15. Verify the Control IDs and assignments are listed within this dialog and click Next.
16. Click Next.
17. Click Finish on the summary screen to complete the configuration of the logon form.
18. The Logon form is now completed. Click Next.
19. If the logon dialog has a third or fourth field, labels can be assigned to tell Citrix Password Manager how it should present these fields within the agent. Click Next.
20. Click Next.
21. Select Process only the first logon for this application. Select Process only the first password change for this application. Click Next.
22. Click Next.
23. Click Finish to complete the configuration of the application definition.
24. The Access Suite Console now lists the application definition.

The steps in the table below describe how to create an application definition for a sample Web application. This Web application is the MyCitrix website (http://www.mycitrix.com) that all customers utilize for accessing their Citrix licensing information and product downloads. These steps can be used as a guide for creating new application definitions for Web applications within your environment.

Web Application Logon Form Configuration
1. For the purposes of this walkthrough, the MyCitrix web application (http://www.mycitrix.com) will be configured for single sign-on. Within the Access Suite Console, select the Application Definitions node and click Create application definition.
2. Select Web for the application type and click Start Wizard.
Note: If a template was available for this application, you would select Create from application template and choose the desired template.
3. Type a name for the application definition (MyCitrix in this example). Click Next.
4. The application definition will consist of a series of forms that the Citrix Password Manager Agent will use to recognize and supply credentials to the application. For those applications that just require single sign-on, only the logon form needs to be created. For those applications that also provide a change password page, a second form for the change password page will need to be created (see the next section for more information). Click Add Form to begin the wizard for configuring the logon form.
5. Type the name for the form (Logon in this example). Select Submit Credentials as the form type. Click the Next button.
6. Click the Select button.
7. The Web Form Wizard is used to inform Citrix Password Manager which fields on the logon page function as the username field, password field, etc. This wizard provides a web browser to connect to the web application to assign these fields. Within the Web Form URL section, type the URL of the logon page of the web application and click Go. In this example, http://www.mycitrix.com was typed in. The MyCitrix website then performed an internal redirect to the URL shown here. When the logon page is displayed, the fields on the logon page are listed at the bottom of the dialog. If you select a field, the field is highlighted within the web browser at the top. Continue selecting fields until you come across the username field. Once the username field is selected in the list, right-click and select Username/ID. Repeat this process for all other fields on the logon page and the OK button.
8. When all logon fields have been assigned, click the OK button on this dialog. In this example, the MyCitrix web application has three assigned fields (username field, password field, and OK button).
9. Verify the URL and fields are populated within this dialog. Select Case-Insensitive URL and click Next.
10. Click Next.
11. Click Finish to complete the configuration of the logon form.
12. Click Next.
13. If the logon page has a third or fourth field, labels can be assigned to tell Citrix Password Manager how it should present these fields within the agent. In this example, the MyCitrix logon page did not have a third or fourth field, so no information can be specified here. Click Next.
14. Select Process only the first logon for this application. Select Process only the first password change for this application. Click Next.
15. Click Next.
16. Click Finish to complete the configuration of the application definition.
17. The Access Suite Console now lists the application definition.

5. Configure Applications for Automated Password Change (15 Minutes)

Description
The Citrix Password Manager Agent is designed to detect, recognize, and handle password change events. To configure the agent to perform an automated password change for an application, the administrator needs to configure the change password form within the application definition and then create a password policy to use with this application definition.
Password policies define password properties such as password length, character repetition, and alphanumeric requirements. Utilizing password policies allows the automation of password changes for applications. It also provides the capability to implement sophisticated security schemes including complex passwords, frequent password changes, and application specific passwords not visible to the users.
Password policies are assigned to application definitions during the creation of user configurations within the Access Suite Console. Password Policies are mapped to an application group. Password Change behavior is a part of the policy that dictates whether a user manually supplies new passwords during a change password event or if the Citrix Password Manager Agent will automatically generate and submit a new password on behalf of the end user.
Key Decisions and Citrix Recommendations
The key decisions and recommendations for the configuration of automated password changes are listed below.

Automated Password Change Key Decisions and Recommendations

Key Decisions
Password Change Applications: Determine if any applications configured for single sign-on also require a password change and/or password expiration. If yes, the password change forms must be configured within the Application Definitions. If no, then this section can be bypassed. Go to the next section.
Password Policy Complexity: If Citrix Password Manager is configured to automate password changes for applications, make sure the password policies are at least as strict as those set within the application itself to prevent new passwords from being rejected by the application.
Password Change Wizard Behavior: If the Citrix Password Manager Agent is configured to interact with application password changes, decisions need to be made about how the user interacts with the system during a password change event. The Administrator can specify several options for how the Password Change Wizard is utilized, such as allowing a user to specify a new password or having the agent auto-generate a new password according to the password policy rules. If the single sign-on enabled applications are accessed inside and outside of Citrix Presentation Server, it is highly recommended that the user manually perform the password change so they know the password outside of the Citrix Presentation Server environment. If the single sign-on enabled applications are only accessed inside of the Citrix Presentation Server environment, then automated password generation can be used for maximum usability and security.

Citrix Recommendations
Password Change Applications: Review the targeted applications for the Phase I rollout and determine if any of these applications also require a password change. If an application with a password change is part of the Phase I scope, continue with this section.
Password Policy Complexity: Consult with the application owners to determine the password complexity rules on the application(s) in question. If the application requires a password of a certain length, character set, complexity, etc., duplicate these rules within the password policy configured within the Access Suite Console.
Password Change Wizard Behavior: Leverage the default Change Password Wizard behavior, Allow user to choose. This provides the flexibility of giving the user a choice of specifying their own new password for the application or having the Citrix Password Manager Agent perform an automated password change.

Step-by-Step Guide
The steps in the table below describe how to configure a change password form for a sample Windows application. This Windows application, called LogonTester.exe, is located on the Citrix Password Manager media within the Tools directory. In the previous section, the logon form for the LogonTester application was configured. These steps can be used as a guide for configuring change password forms for other applications within your environment.
Note: These steps only need to be performed if the applications that you configured for single sign-on also provide password change capabilities and you desire the Citrix Password Manager Agent to provide automated password changes to these applications. If this functionality is not needed or desired at this time, this section can be bypassed.
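The Password Policy Complexity recommendation above (make the policy at least as strict as the application's own rules so that generated passwords are never rejected) can be checked mechanically rather than by eye. The Python script below is an added example, not Citrix code and not anything shipped with Password Manager: it models a policy in the shape of the Basic, Numeric Character and Special Character Rules screens, reports where a policy is looser than the rules the application itself enforces, and generates a password that satisfies a policy. The sample policy matches the one built in the Password Policy Configuration steps later in this section (length exactly 8, exactly one digit, no special characters); the LogonTester application rules, the looser comparison policy and the special-character set are constructed for illustration.

```python
"""Added example (not Citrix code): model a password policy and check it
against an application's own rules before enabling automated changes."""
import random
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Characters this example counts as "special"; constructed, not a Citrix value.
SPECIAL_CHARS = "!@#$%^&*()-_=+[]{};:,.<>?/"


@dataclass(frozen=True)
class PasswordPolicy:
    """Mirrors the Basic / Numeric / Special Character Rules screens."""
    min_length: int
    max_length: int
    allow_numeric: bool = True
    min_numeric: int = 0
    max_numeric: Optional[int] = None   # None = no upper limit
    allow_special: bool = True
    min_special: int = 0
    max_special: Optional[int] = None


def validate(policy: PasswordPolicy, password: str) -> List[str]:
    """Return every rule the password violates (empty list = accepted)."""
    problems = []
    digits = sum(c.isdigit() for c in password)
    specials = sum(c in SPECIAL_CHARS for c in password)
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if not policy.allow_numeric and digits:
        problems.append("numeric characters are not allowed")
    if digits < policy.min_numeric:
        problems.append(f"fewer than {policy.min_numeric} numeric characters")
    if policy.max_numeric is not None and digits > policy.max_numeric:
        problems.append(f"more than {policy.max_numeric} numeric characters")
    if not policy.allow_special and specials:
        problems.append("special characters are not allowed")
    if specials < policy.min_special:
        problems.append(f"fewer than {policy.min_special} special characters")
    if policy.max_special is not None and specials > policy.max_special:
        problems.append(f"more than {policy.max_special} special characters")
    return problems


def _count_range(allowed: bool, lo: int, hi: Optional[int]) -> Tuple[float, float]:
    """Permitted count of one character class as (low, high); high may be infinite."""
    if not allowed:
        return 0, 0
    return lo, (float("inf") if hi is None else hi)


def strictness_gaps(policy: PasswordPolicy, app_rules: PasswordPolicy) -> List[str]:
    """Reasons the policy is NOT at least as strict as the application's rules.
    An empty list means every password the policy can produce is also accepted
    by the application, so an automated change cannot be rejected on these rules."""
    gaps = []
    if policy.min_length < app_rules.min_length:
        gaps.append("policy minimum length is below the application minimum")
    if policy.max_length > app_rules.max_length:
        gaps.append("policy maximum length is above the application maximum")
    classes = (
        ("numeric",
         _count_range(policy.allow_numeric, policy.min_numeric, policy.max_numeric),
         _count_range(app_rules.allow_numeric, app_rules.min_numeric, app_rules.max_numeric)),
        ("special",
         _count_range(policy.allow_special, policy.min_special, policy.max_special),
         _count_range(app_rules.allow_special, app_rules.min_special, app_rules.max_special)),
    )
    for name, (p_lo, p_hi), (a_lo, a_hi) in classes:
        if p_lo < a_lo:
            gaps.append(f"policy may generate fewer {name} characters than the application requires")
        if p_hi > a_hi:
            gaps.append(f"policy may generate more {name} characters than the application accepts")
    return gaps


def generate(policy: PasswordPolicy, rng: Optional[random.Random] = None) -> str:
    """Generate a password satisfying the policy (simplified auto-generate:
    uses the minimum count of digits and specials, letters for the rest)."""
    rng = rng or random.SystemRandom()            # OS CSPRNG unless a test injects one
    length = rng.randint(policy.min_length, policy.max_length)
    n_digits = policy.min_numeric if policy.allow_numeric else 0
    n_special = policy.min_special if policy.allow_special else 0
    n_letters = length - n_digits - n_special
    if n_letters < 0:
        raise ValueError("policy requires more digits/specials than its length allows")
    chars = ([rng.choice(string.digits) for _ in range(n_digits)]
             + [rng.choice(SPECIAL_CHARS) for _ in range(n_special)]
             + [rng.choice(string.ascii_letters) for _ in range(n_letters)])
    rng.shuffle(chars)                            # hide which positions hold the digits
    return "".join(chars)


# The sample policy from the Password Policy Configuration steps in this section.
LOGONTESTER_POLICY = PasswordPolicy(min_length=8, max_length=8, allow_numeric=True,
                                    min_numeric=1, max_numeric=1, allow_special=False)
# Constructed stand-in for what the application itself enforces (hypothetical).
LOGONTESTER_APP_RULES = PasswordPolicy(min_length=6, max_length=16, min_numeric=1)
# Constructed, deliberately looser policy whose output the application could reject.
TOO_LOOSE_POLICY = PasswordPolicy(min_length=4, max_length=20)

if __name__ == "__main__":
    print(strictness_gaps(LOGONTESTER_POLICY, LOGONTESTER_APP_RULES))   # []
    print(strictness_gaps(TOO_LOOSE_POLICY, LOGONTESTER_APP_RULES))     # three gaps
    print(generate(LOGONTESTER_POLICY))
```

Each entry returned by strictness_gaps names a case in which an auto-generated password could fall outside what the application accepts, which is exactly the rejection the recommendation warns about; run the check whenever either the policy or the application's rules change.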
Windows Application Change Password Form Configuration
1. For the purposes of this walkthrough, the LogonTester.exe application will be configured for automated password change. In the previous section, the LogonTester.exe application was copied from the Citrix Password Manager CD-ROM to the C:\Citrix directory of the server hosting the Citrix Access Suite Console. To configure this application for automated password change, the LogonTester.exe application needs to be launched prior to configuring the password change form within the Access Suite Console. Launch the LogonTester.exe application and navigate to the Change Password dialog. Be sure the Change Password dialog is visible before proceeding.
2. Within the Access Suite Console, select the application definition and click Edit the application definition.
3. Select Application Forms in the left pane. Click Add Form to begin the wizard for configuring the password change form.
4. Type the name for the form (ChangePassword in this example). Select Change Credentials as the form type. Click Next.
5. Click Select.
6. The Select Window dialog displays a list of all open windows on the desktop. Search for the application change password dialog in the list (LogonTester.exe in this example, with a Window Title of "Dialog"). You will know you have the right window selected because the application change password dialog will be highlighted in orange (see bottom screen shot). Once the correct application window is selected, click OK on the Select Window dialog.
Note: If you do not see your application within this list, be sure the application is still open on the desktop. Re-launch the application, and click Refresh on this screen to locate the dialog. If your application still does not appear within this list, try clicking the Show hidden windows option and clicking Refresh.
7. After the correct application window is selected, the Window Title (Dialog) and Executable File Name (LogonTester.exe) will be filled in automatically. Click Next.
8. Select Control ID as the field detection method and click Select.
Note: Control ID is the preferred field detection method. If you click Select and no Control IDs are displayed within this dialog, the Send Keys field detection option must be chosen.
9. The Select Control dialog is used to inform Citrix Password Manager which controls on the change password dialog function as the old password field, new password field, etc. To determine the function of each control, select the control in the list. The selected control will be highlighted in orange within the application itself (see bottom screen shot). Once the old password control is selected in the list, right-click and select Old Password. Repeat this process for all other fields on the change password dialog (new password field, confirm new password field, and OK button).
10. When all change password fields have been assigned, click the OK button on this dialog. In this example, the LogonTester application has four assigned controls (old password field, new password field, confirm new password field, and OK button).
11. Verify the Control IDs and assignments are listed within this dialog and click Next.
12. Click Next.
13. Click Finish on the summary screen to complete the configuration of the change password form.
14. Click OK to close the application definition.

Once the change password form has been configured within the application definition, a password policy needs to be created to use with the change password form. The steps in the table below describe how to configure a password policy for an application. Consult with the application owner to determine the password complexity rules for the application, such as minimum/maximum password length, numeric character requirements, special character requirements, etc. These same rules will need to be applied within the password policy within the Access Suite Console.

Password Policy Configuration
1. For the purposes of this walkthrough, a sample password policy will be created for the LogonTester.exe Windows application located on the Citrix Password Manager CD-ROM. For this password policy, we will specify that the minimum and maximum password length is 8 characters, that exactly 1 number must be contained within the password, and that no special characters will be contained within the password. To begin, select the Password Policies node within the Access Suite Console and select Create new password policy.
2. Type a name for the password policy (LogonTester Password Policy in this example). Click Next.
3. Within the Basic Password Rules screen, set the following:
  Minimum password length = 8
  Maximum password length = 8
  Click Next.
4. Click Next.
5. Within the Numeric Character Rules screen, set the following:
  Enable Allow numeric characters
  Minimum number of numeric characters required = 1
  Maximum number of numeric characters required = 1
  Click Next.
6. Within the Special Character Rules screen, set the following:
  Disable Allow special characters in password
  Click Next.
7. Click Next.
8. Click Next.
9. Click Next.
10. Within the Logon Preferences screen, set the following:
  Enable Allow users to reveal password for application
  Click Next.
11. The Define Password Wizard screen is used to define the behavior of the Change Password Wizard. This wizard is used by the Citrix Password Manager Agent to auto-generate new passwords for applications upon a password change event. This wizard is displayed when the Citrix Password Manager Agent encounters a change password dialog within the application (the application definition for this application needs to have the change password form configured in order for the agent to recognize the change password dialog). Keep the default setting of User Prompted for action. This setting configures the Change Password Wizard to give the user a choice of whether they want to manually set their own new password for the application or let the Citrix Password Manager Agent auto-generate a new password for the application according to the password policy. Click Next.
12. Click Finish on the summary screen.
13. The new password policy is listed within the Access Suite Console.

6. Assign Citrix Password Manager to Users/Groups (15 Minutes)

Description
A user configuration is a set of application definitions and agent settings assigned to a particular user or group. User configurations allow an administrator to assign different sets of application definitions and settings to different groups within an organization. For example, an HR user configuration can be created for Human Resource users that contains HR application definitions and special agent settings for the HR group. An IT user configuration can be created for IT users that contains IT application definitions and special agent settings for the IT group.
User configurations are assigned to users and groups based on the location in which they are placed within the central store. User configurations can be stored at the root of the central store, at the container level, and at the user level. Placing a user configuration at the root level provides a default set of application definitions and agent settings to apply to users. Placing a user configuration at the container level allows the user configuration to apply to all users within the container. Placing a user configuration at the user level allows a particular user to receive special application definitions and agent settings that only apply to that user account. Further restrictions can be applied via a Citrix Presentation Server 3.0/4.0 policy to control which Active Directory users or groups are single sign-on enabled.
When a user logs onto the agent, the agent first attempts to locate a user configuration at the user level. If a user configuration is not found at the user level, the parent container is checked for a user configuration. This process proceeds up to the root container until a user configuration is found. The first user configuration found is synchronized with the agent.
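The lookup order just described (user object first, then each parent container, up to the domain root and finally the file share root) determines which settings a user actually receives when several user configurations exist, so it is worth being able to predict it. The Python script below is an added example, not Citrix code: it models the central store as a map from Active Directory distinguished name to the user configuration stored there, walks the hierarchy the way the description says the agent does, and applies the Presentation Server policy gate as a simple set of blocked users. The store contents, user names and the empty-string marker for the file share root are constructed for illustration, and the DN handling assumes no escaped commas.

```python
"""Added example (not Citrix code): resolve which user configuration applies
to a user by walking up the central store hierarchy, most specific first."""
from typing import Dict, FrozenSet, List, Optional, Tuple

FILE_SHARE_ROOT = ""   # constructed marker for the top-most object in the Browse Location tree


def lookup_path(user_dn: str) -> List[str]:
    """Locations the agent checks in order: the user object, each parent
    container, the domain root (all DC= components), then the file share root.
    Assumes DNs contain no escaped commas (constructed simplification)."""
    parts = [p.strip() for p in user_dn.split(",") if p.strip()]
    path = []
    while parts:
        path.append(",".join(parts))
        if all(p.upper().startswith("DC=") for p in parts):
            break                      # reached the domain root
        parts = parts[1:]              # move up one container
    path.append(FILE_SHARE_ROOT)
    return path


def resolve(store: Dict[str, str], user_dn: str,
            denied_by_policy: FrozenSet[str] = frozenset()) -> Optional[Tuple[str, str]]:
    """Return (location, configuration name) of the first user configuration
    found walking up from the user, or None when the Presentation Server
    policy blocks the user or no configuration exists at any level."""
    if user_dn in denied_by_policy:
        return None                    # "Do not use MetaFrame Password Manager" applies
    for location in lookup_path(user_dn):
        if location in store:
            return location, store[location]
    return None


# Constructed central store: a default at the domain root, an HR override,
# and a per-user configuration for one account.
CENTRAL_STORE = {
    "DC=corp,DC=example": "Domain Root",
    "OU=HR,DC=corp,DC=example": "HR",
    "CN=alice,OU=Payroll,OU=HR,DC=corp,DC=example": "Alice Special",
}

if __name__ == "__main__":
    for dn in ("CN=alice,OU=Payroll,OU=HR,DC=corp,DC=example",
               "CN=bob,OU=Payroll,OU=HR,DC=corp,DC=example",
               "CN=carol,OU=IT,DC=corp,DC=example"):
        print(dn, "->", resolve(CENTRAL_STORE, dn))
```

In the constructed store, bob has no configuration of his own and none at OU=Payroll, so he inherits HR; carol falls through to the domain root; only a configuration stored at the file share root would reach a user whose domain has none.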
Each user configuration consists of one or more application groups. An application group is a set of application definitions that utilize the same password policy. An application group can be set up as a password sharing group if all applications within the group utilize the same password for authentication. Password sharing groups can automate and simplify the password change process. If an application is in a password sharing group and a password change occurs, the change propagates to all the other applications within the password sharing group.
All application definitions within an application group have the same password policy assigned to them. If two application definitions need to be included within a user configuration and both application definitions need to have a unique password policy, then two application groups need to be created within the user configuration. Two special password policies, Default and Domain, can be assigned to an application group in certain circumstances. If the application definitions within the application group do not have a password change screen, the Default password policy can be assigned to the application group. If all application definitions within the application group share the same credential as the Windows logon, then the Domain password policy can be assigned to the application group.
Each user configuration also consists of a series of agent settings that define the behavior and functionality of the agent. Agent settings include synchronization settings, Logon Manager functionality, support for password revealing, support for host emulators, etc. Including agent settings within the user configuration allows different sets of users to receive different agent settings. This can be beneficial since different user groups may require different agent features or different levels of security on the agent.
The Citrix Password Manager Agent protects the stored user credentials by utilizing a randomly generated key and protects that key in part with the user's primary domain, username, and password. When the user's primary password is changed from a machine without the agent running (such as when an administrator changes the user's primary Active Directory password), the agent needs to verify the identity of the user before allowing the user to re-launch the agent. The agent provides the following three identity verification options to recover the key after a primary password change:
Previous Password option: The Citrix Password Manager Agent will prompt the user to provide their previous password after a primary password change. If they do not know their previous password, they will be locked out and need to have their Citrix Password Manager account and all unknown credentials reset. This option does not require the Password Manager Service. This option should not be used in smart card deployments since users do not know their previous password.
Previous Password or Security Questions option: The Citrix Password Manager Agent will prompt the user to provide their previous password or answer a series of security questions if their primary password changed from a machine that was not running the Citrix Password Manager Agent. If using the security questions, there are two options:
  o Question Based Authentication. The user answers a series of questions to unlock the agent after a primary password change. This option requires the Citrix Password Manager Service. This option first became available in the Citrix Password Manager 4.0 release and is preferred in environments where users are required to verify their identities.
  o Identity Verification Question. The user answers a single identity verification question to unlock the agent after a primary password change. This option does not require the Citrix Password Manager Service and is intended to be used only for backwards compatibility with previous versions of the product. This option is not recommended for product releases after MetaFrame Password Manager 2.5.
No Identity Verification option: The Citrix Password Manager Agent will recover the key automatically after a primary password change. This is the highest usability option but requires the installation of the Citrix Password Manager Service.

Key Decisions and Citrix Recommendations
The key decisions and recommendations for the creation of User Configurations are listed below.

User Configurations Key Decisions and Recommendations

Key Decisions
Users/Groups to Single Sign-on Enable: A user configuration can be deployed to a single user, a group of users, or all users within the Active Directory domain structure. The key decisions are to determine which users and groups should be the focus of the Phase I deployment of Citrix Password Manager to ensure a successful project and gain the most traction within the organization.
Agent Settings: Each user configuration provides a series of agent settings that control the functionality and behavior of the Citrix Password Manager Agent. The agent settings range from how often synchronization with the central store is performed, to whether to allow the revealing of passwords, to whether to allow users to add their own single sign-on applications for two-field websites.
Identity Verification Method after Primary Password Change: There are three methods by which the Citrix Password Manager Agent can verify the identity of a user after their primary password is changed. Previous Password does not require the Citrix Password Manager Service, but may result in a lockout situation should the user forget their previous password. Previous Password or Security Questions requires the installation and configuration of the Citrix Password Manager Service to use the multiple question based authentication method. No Identity Verification requires the installation and configuration of the Citrix Password Manager Service.

Citrix Recommendations
Users/Groups to Single Sign-on Enable: Limit the Phase I users for Citrix Password Manager to users that meet the following criteria:
  Users who frequently (or, even better, exclusively) access their applications via Citrix Presentation Server
  Users who adapt to technology changes
  Users who experience the most password management pain
  Visible users in the organization that can commend you for making their life easier
Agent Settings: Use all default agent settings. If a host emulator application definition has been configured, the host emulator support option will need to be enabled. The allow password reveal option can also be enabled to allow users to reveal their passwords within the Citrix Password Manager Agent; this can be especially helpful if the agent is configured to auto-generate new passwords for users and these applications are accessible both within Citrix Presentation Server and on the local workstation.
Identity Verification Method after Primary Password Change: Utilize the Previous Password method for identity verification as this option does not require extra configuration.

Step-by-Step Guide
The steps in the table below describe how to create a user configuration and assign it to a set of users.
Before starting these steps, be sure that you are logged onto the server hosting the Access Suite Console with a domain account (not a local machine account). This is needed to allow the Access Suite Console to enumerate your domain structure so that you can apply the user configuration to a domain object.

User Configuration Creation Process
1. Within the Access Suite Console, select the User Configurations node and click Add new user configuration.
2. Type a name for the user configuration. In general, this name refers to the users, groups, or Active Directory container that the user configuration will be applied to. In this example, the name of the user configuration is Domain Root, as this user configuration will be applied to the root of the Active Directory domain so that all users within Active Directory can leverage it. (Once the user configuration is completed, a Citrix Presentation Server Policy will be used to further restrict access to Citrix Password Manager.) Click the Browse button.
3. The Browse Location dialog displays the Active Directory domain structure for the user account logged on to the server. This dialog is used to specify which users/groups the user configuration will be applied to. The user configuration can be applied to one of the following items in the tree:
  User Account (used to give a particular user account special Citrix Password Manager settings. To apply to an individual user account, navigate to the organizational unit containing the user account within the Active Directory structure and click the Show Users checkbox at the bottom)
  Active Directory Organizational Unit (used to apply Citrix Password Manager settings to the group of users contained within the organizational unit)
  Active Directory Domain Root (used to apply default Citrix Password Manager settings to all domain users. The domain root is the second object in the tree)
  File Share Root (used to apply default Citrix Password Manager settings to all domain and non-domain users that connect to the file share central store. The file share root is the top-most object in the tree)
Within this walkthrough, the user configuration will be applied to the domain root. A Citrix Presentation Server policy will be used to further restrict access to Citrix Password Manager. In your environment, if all of your Citrix Password Manager Phase I users reside within a specific organizational unit, it is recommended to apply the user configuration to that specific organizational unit. Once the preferred object is selected, click OK.
4. Verify the User configuration data location field contains an LDAP string pointing to the desired location. Click Next.
5. The Choose Policies and Applications screen is used to define which application definitions are assigned to the user configuration. To configure this screen, one or more application groups need to be defined. If all application definitions that need to be assigned to the user configuration have a unique password policy (i.e. they have a different authentication backend), then an application group needs to be created for each application definition. If some application definitions can share the same password policy, then these application definitions can be added to the same application group. In our walkthrough, we want to assign two application definitions (LogonTester and MyCitrix) to this user configuration. These application definitions have a different authentication backend and different password policies, so we will create two application groups (one for each application definition). Click Add to add a new application group.
6. Specify a name for the application group. If only a single application definition will be assigned to this group, give the application group the same name as the application definition. In this example, the application group is called LogonTester. The LogonTester Password Policy is assigned to this group. The LogonTester application definition is moved over to belong to this group. Click OK.
7. The LogonTester application group has now been added to the user configuration. Click Add to add an application group for the second application definition (MyCitrix).
8. Continue to add the application groups that are needed for your environment. In this example, a new application group is added called MyCitrix. The Default Policy is assigned to this group. The MyCitrix application definition is moved over to belong to this group. Click OK.
9. Once all application groups have been created, click Next.
10. The Configure Agent Interaction screen is displayed. This screen contains settings that control the basic behavior of the Citrix Password Manager Agent. Select Allow users to reveal all passwords in Logon Manager. Keep Force re-authentication before revealing user passwords enabled as a security measure. Click Next.
11. Specify the license server name and licensing model. Click Next.
12 The Configure Key Management screen is used to define how Citrix Password Manager will verify the identity of a user after their primary password has been changed. Click Next.
13 Keep the default setting of Prompt user to enter the previous password and click Next. When this setting is used, a user will have to enter their previous password into the agent to use Citrix Password Manager if their primary password is changed by the administrator or from a machine not running the agent. If one of the other two options is desired, the Citrix Password Manager Service needs to be installed and configured. Please see Appendix G for more information.
14 Click Next.
15 Click Next.
16 Click Finish to complete the creation of the user configuration.
17 The user configuration is now listed within the Access Suite Console. Additional user configurations can be created to assign Citrix Password Manager settings to different users/groups.
Citrix Presentation Server 3.0/4.0 includes a policy setting that can be used to provide a phased rollout of Citrix Password Manager. It is recommended to leverage this policy setting for your deployment to ensure that only those users designated for the Phase I rollout will be able to use Citrix Password Manager. The table below describes the steps for how to create a Citrix Presentation Server policy for providing a phased rollout of Citrix Password Manager.
Citrix Presentation Server Policy Configuration (to control the Citrix Password Manager Rollout to Users) Screen Shot Description
1 Open the Citrix Presentation Server Admin Console. Right-click on the Policies node and select Create Policy.
2 Specify a name for the policy (such as Citrix Password Manager). Click OK to create the policy.
3 Right-click the policy and select Properties.
4 Navigate to the following section: User Workspace > MetaFrame Password Manager. The setting Do not use MetaFrame Password Manager is used to control which users cannot use Citrix Password Manager for single sign-on and automated password change: every user the policy is applied to is blocked from using the agent. Enable this setting and click OK to close this dialog.
5 Right-click the policy and select Apply this policy to.
6 To specify which users can/cannot use Citrix Password Manager for published applications hosted on Citrix Presentation Server, it is recommended to configure this policy as follows: Add the Domain Users group with a setting of Allow. Because the policy setting is a prohibition, Allow here means the policy is applied to the group, so by default domain users will not be able to use Citrix Password Manager for published applications unless explicitly exempted. Add the user/group accounts for the Phase I rollout with a setting of Deny. The Deny entry takes precedence over the Allow entry that these users also match as members of Domain Users, so this Citrix Presentation Server policy is not applied to them and they are permitted to use Citrix Password Manager for published applications. Click OK to close this dialog.

7. Install and Test Citrix Password Manager Agent 20 Minutes
Description
The Citrix Password Manager Agent is the client component that performs single sign-on to Windows, Web, and Host-based applications. In a Citrix Presentation Server deployment, the agent is installed only on the Citrix Presentation Server computers in the farm that will utilize Citrix Password Manager. This makes Citrix Password Manager available to every application published on those Citrix Presentation Server computers. When the Citrix Password Manager Agent is installed on Citrix Presentation Server, the agent runs within the ICA session and launches prior to the launching of the published application in order to provide single sign-on with the application. The first time the Citrix Password Manager Agent is launched for a user within a published session, the user is required to run through the First Time Use (FTU) wizard. This wizard allows users to respond to a security questionnaire and pre-set their application credentials (if configured). Once the wizard is completed, the agent is launched and is ready to provide single sign-on to the published application.
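The Allow/Deny filter in step 6 of the rollout policy above works through a double negative: the policy setting prohibits the agent, an Allow entry means the policy reaches that group, and a Deny entry exempts a group even when its members are also covered by an Allow entry. The following Python model is an added example, not code from the Citrix guide; it makes that evaluation explicit so a filter can be sanity-checked before it is applied to Domain Users. The pilot group name CPM Phase I Users, and the rule that a Deny entry takes precedence over a matching Allow entry (which the recommended configuration relies on, since pilot users are also domain users), are assumptions.

```python
"""Model of the 'Apply this policy to' user filter on the rollout policy.

Added example; not code from the Citrix guide. Assumptions: the policy
setting 'Do not use MetaFrame Password Manager' blocks the agent for every
user the policy reaches; a user is reached when one of the user's groups is
listed with Allow; a Deny entry for any of the user's groups exempts the
user even if an Allow entry also matches (Deny takes precedence).
"""

ALLOW = "Allow"
DENY = "Deny"


def policy_applies(filter_entries, user_groups):
    """True when the policy reaches a user who belongs to user_groups.

    filter_entries: list of (group_name, ALLOW or DENY) as entered in the
    'Apply this policy to' dialog.
    """
    actions = {action for group, action in filter_entries if group in user_groups}
    if DENY in actions:
        return False          # an exemption wins over any matching Allow
    return ALLOW in actions


def can_use_password_manager(filter_entries, user_groups, setting_enabled=True):
    """The setting is a prohibition: users the policy reaches are blocked,
    everyone else keeps the agent."""
    if not setting_enabled:
        return True
    return not policy_applies(filter_entries, user_groups)


# Filter recommended by the guide for Phase I. The pilot group name is assumed.
PHASE1_FILTER = [
    ("Domain Users", ALLOW),        # the prohibition reaches all domain users...
    ("CPM Phase I Users", DENY),    # ...except the pilot users, who are exempted
]

# The same two entries with the actions swapped, a common mistake. Every pilot
# user is also a domain user, so the Deny exempts them, and nobody else is
# listed with Allow: the prohibition reaches no one and all users get the agent.
SWAPPED_FILTER = [
    ("Domain Users", DENY),
    ("CPM Phase I Users", ALLOW),
]


def rollout_report(filter_entries, users):
    """users: {account: set of group names} -> {account: True if the agent
    may be used under this filter}."""
    return {name: can_use_password_manager(filter_entries, groups)
            for name, groups in users.items()}


if __name__ == "__main__":
    sample_users = {                       # constructed sample accounts
        "pilot.user": {"Domain Users", "CPM Phase I Users"},
        "other.user": {"Domain Users"},
    }
    for label, entries in (("recommended", PHASE1_FILTER), ("swapped", SWAPPED_FILTER)):
        print(label, rollout_report(entries, sample_users))
```

Two consequences of the model are worth checking in a real farm: an account that is not a member of Domain Users (a local account, or one from another domain) is never reached by the filter and therefore keeps the agent, and swapping the two actions silently gives the agent to everyone rather than to nobody.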
When the agent encounters a change password screen within the published application, the change password wizard is displayed that allows a user to manually specify a new password or have the agent auto-generate a new password for the application (depending on how the change password wizard is configured). The Citrix Password Manager Agent needs to be tested for single sign-on and automated password change prior to rolling it out to all computers running Citrix Presentation Server and users. Typically, the Citrix Password Manager Agent is initially installed and tested on only one server (or a handful of servers) that host the published applications requiring single sign-on. If all applications requiring single sign-on reside on a single server, then the agent only needs to be installed and tested on this server prior to rolling it out to other servers.
Key Decisions and Citrix Recommendations
The key decisions and recommendations for the Citrix Password Manager Agent testing are listed below.
Citrix Password Manager Agent Testing Key Decisions and Recommendations
Key Decisions
Testing Strategy: The Citrix Password Manager Agent needs to be tested on Citrix Presentation Server to ensure that single sign-on and automated password change with published applications can be properly performed.
Citrix Recommendations
Testing Strategy: The Citrix Presentation Server(s) used for testing purposes need to be identified. If all applications requiring single sign-on reside on the same server, then this server can be utilized. Otherwise, the Citrix Password Manager Agent will need to be installed and tested on every server hosting such an application, to ensure that each application requiring single sign-on and automated password change is tested prior to rollout. Try to minimize the number of Citrix Presentation Server computers that are used for testing purposes. If all published applications requiring single sign-on reside on the same server, install the Citrix Password Manager Agent only on this server for testing. If the published applications requiring single sign-on are hosted on different servers, install the Citrix Password Manager Agent on the minimum number of required servers. The target servers used for testing purposes should have the least impact on the user community and environment.
Once the agent is installed on the computers running Citrix Presentation Server, two forms of testing should be conducted:
- Log onto the Citrix Presentation Server locally and test the Citrix Password Manager Agent (by launching the applications as local applications on this server).
- Log onto a client workstation and launch a Citrix Presentation Server published application using the current preferred access method (Citrix Web Interface, Citrix Advanced Access Control, Citrix Program Neighborhood, Citrix Program Neighborhood Agent, etc.) and test the Citrix Password Manager Agent.
Step-by-Step Guide
The steps in the table below describe how to manually install the Citrix Password Manager Agent on a Citrix Presentation Server.
Citrix Password Manager Agent Manual Installation Screen Shot Description
1 Insert the Citrix Password Manager CD-ROM. Within the AutoRun wizard, select Installation Menu.
2 Select Install Citrix Password Manager Agent.
3 Click Next on the welcome screen.
4 Scroll down to the bottom of the license agreement and select I accept the license agreement before clicking Next.
5 Accept the default components and click Next. Note: Ensure Data Integrity, Account Self-Service, and Hot Desktop are not selected.
6 Select NTFS Network Share and type the UNC path to the file share central store. Click Next.
7 Click Install.
8 Click Finish once the installation is completed.
9 Click Yes to reboot the server.
After the Citrix Password Manager Agent is installed, it needs to be tested with all applications requiring single sign-on and automated password changes. The steps in the table below describe how to test the Citrix Password Manager Agent for performing single sign-on with a Windows application. Single sign-on is first tested by logging onto Citrix Presentation Server locally, launching the Windows application, and ensuring single sign-on to the logon dialog is performed successfully. Once this has been tested and verified, the Citrix Password Manager Agent is tested with the published version of the application using your current published application access method (Citrix Web Interface, Citrix Advanced Access Control, Citrix Program Neighborhood, Citrix Program Neighborhood Agent, etc.). These steps should be repeated for each Windows application definition you have within your environment.
Citrix Password Manager Agent Testing Process (Single sign-on to Windows Applications) Screen Shot Description
1 Log into the Citrix Presentation Server using a domain account. This account should have been given rights to use Citrix Password Manager by ensuring that a Citrix Password Manager user configuration has been applied to it. If the user configuration has been applied to the domain root, then any domain account can be used here.
2 After logging in, the Citrix Password Manager Agent is loaded into the system tray (the yellow icon second from the left in the screen shot).
3 Launch the Windows application to test the single sign-on process. For the purposes of this walkthrough, the LogonTester.exe application will be launched.
4 When the logon dialog for the Windows application is displayed, verify that the Citrix Password Manager Agent displays a pop-up window for storing the application credentials. Click Yes.
5 The New Logon dialog is displayed and should contain the name of the application definition assigned to this application within the title (e.g. New Logon for LogonTester). Enter your credentials for this application and click Finish.
6 Verify that the Citrix Password Manager Agent supplies the credentials for the application.
7 If you double-click the Citrix Password Manager Agent icon in the system tray, the Logon Manager dialog is displayed. Verify that the Logon Manager displays all of your stored credentials.
8 Once you have verified that the Citrix Password Manager Agent provides single sign-on to the application correctly on the local Citrix Presentation Server machine, verify that single sign-on also functions correctly through your current published application access method (Citrix Web Interface, Citrix Advanced Access Control, Citrix Program Neighborhood, Citrix Program Neighborhood Agent, etc.). In the walkthrough shown here, Citrix Web Interface is utilized to launch the published application. Log into Web Interface using the same domain account used for testing single sign-on on the local Citrix Presentation Server machine.
9 Launch the published application. In this walkthrough, the LogonTester application has been published on Citrix Presentation Server. If you are following the walkthrough you will need to publish the LogonTester application and grant your domain account access to launch this application.
10 When the published application is displayed, verify the Citrix Password Manager Agent was also loaded within the system tray and provided single sign-on to the published application. If the Citrix Password Manager Agent was not loaded when launching the published application, check the following:
- The Citrix Presentation Server that is hosting the launched application has the Citrix Password Manager Agent installed.
- The user account used to authenticate to Web Interface belongs to a Citrix Password Manager user configuration.
- The Citrix Presentation Server policy used for controlling the rollout of the Citrix Password Manager Agent allows this user to use the Citrix Password Manager Agent.
The steps in the table below describe how to test the Citrix Password Manager Agent for performing single sign-on with a web application. Single sign-on is first tested by logging onto Citrix Presentation Server locally, launching an Internet Explorer browser, navigating to the web application logon page, and ensuring single sign-on to the logon page is performed successfully. Once this has been tested and verified, the Citrix Password Manager Agent is tested with the published version of the application using your current published application access method (Citrix Web Interface, Citrix Advanced Access Control, Citrix Program Neighborhood, Citrix Program Neighborhood Agent, etc.). These steps should be repeated for each Web application definition you have within your environment.
Citrix Password Manager Agent Testing Process (Single Sign-On to Web Applications) Screen Shot Description
1 Log into the Citrix Presentation Server using a domain account. This account should have been given rights to use Citrix Password Manager by ensuring that a Citrix Password Manager user configuration has been applied to it. If the user configuration has been applied to the domain root, then any domain account can be used here.
2 Open Internet Explorer and navigate to the web application that has been configured for single sign-on. For the purposes of this walkthrough, the MyCitrix website is leveraged (http://www.mycitrix.com). When the login page is displayed, verify that the Citrix Password Manager Agent displays a pop-up dialog for storing the application credentials. Click Yes.
3 The New Logon dialog is displayed and should contain the name of the application definition assigned to this application within the title (e.g. New Logon for MyCitrix). Enter your credentials for the application and click Finish.
4 Verify that the Citrix Password Manager Agent supplied your credentials to this application and that you were logged in successfully.
5 If you double-click the Citrix Password Manager Agent icon in the system tray, the Logon Manager dialog is displayed. Verify that the Logon Manager displays all of your stored credentials.
6 Once you have verified that the Citrix Password Manager Agent provides single sign-on to the application correctly on the local Citrix Presentation Server machine, verify that single sign-on also functions correctly through your current published application access method (Citrix Web Interface, Citrix Advanced Access Control, Citrix Program Neighborhood, Citrix Program Neighborhood Agent, etc.). In the walkthrough shown here, Citrix Web Interface is utilized to launch the published application. Log into Web Interface using the same domain account used for testing single sign-on on the local Citrix Presentation Server machine.
7 Launch the published application. In this walkthrough, the MyCitrix application has been published on Citrix Presentation Server. If you are following the walkthrough you will need to publish the MyCitrix application and grant your domain account access to launch this application.
8 When the published application is displayed, verify the Citrix Password Manager Agent was also loaded within the system tray and provided single sign-on to the published application.
The steps in the table below describe how to test the Citrix Password Manager Agent for performing automated password change with a Windows application. Automated password change is first tested by logging onto Citrix Presentation Server locally, launching the Windows application, and ensuring automated password change in the change password dialog is performed successfully. Once this has been tested and verified, the Citrix Password Manager Agent is tested with the published version of the application using your current published application access method (Citrix Web Interface, Citrix Advanced Access Control, Citrix Program Neighborhood, Citrix Program Neighborhood Agent, etc.). These steps only need to be performed if an application definition has a change password form configured.
Citrix Password Manager Agent Testing Process (Automated Password Change to Windows Applications) Screen Shot Description
1 Log into the Citrix Presentation Server using a domain account. This account should have been given rights to use Citrix Password Manager by ensuring that a Citrix Password Manager user configuration has been applied to it. If the user configuration has been applied to the domain root, then any domain account can be used here.
2 Launch the Windows application. For the purposes of this walkthrough, the LogonTester.exe application will be launched; the agent performs single sign-on to the logon dialog as tested above.
3 When the application is launched, navigate to the change password dialog.
4 When the change password dialog is displayed for the application, verify that the Citrix Password Manager Agent displays the Change Password Wizard. The default behavior for this wizard is to give the user the choice of either manually entering a new password or having the Citrix Password Manager Agent auto-generate a new password according to the password policy. Select Generate a new, random password based on the current application's password policy and click Next.
5 Click Next to continue with the wizard.
6 Click Finish to close the wizard.
7 Verify that the Citrix Password Manager Agent supplies the new password to the application and that the application accepts the new password.
8 To verify that the new auto-generated password adheres to the password policy assigned to this application, the new password can be revealed within the Citrix Password Manager Agent Logon Manager. Open the Logon Manager dialog from the system tray. Within the Logon Manager, select View > Reveal Passwords.
9 The Citrix Password Manager Agent may require you to re-authenticate to the operating system for security purposes (this is the Force re-authentication before revealing user passwords setting kept enabled in the user configuration). Click OK and re-authenticate to the server using the same credentials as the logged on account.
10 Verify that the new password that is generated adheres to the password policy applied to this application. For the LogonTester application, the new password should be exactly 8 characters long and have an appropriate number of numeric and special characters.
11 Once you have verified that the Citrix Password Manager Agent provides automated password change to the application correctly on the local Citrix Presentation Server machine, verify that automated password change also functions correctly through your current published application access method (Citrix Web Interface, Citrix Advanced Access Control, Citrix Program Neighborhood, Citrix Program Neighborhood Agent, etc.). In the walkthrough shown here, Citrix Web Interface is utilized to launch the published application. Log into Web Interface using the same domain account used for testing single sign-on on the local Citrix Presentation Server machine.
12 Launch the published application. In this walkthrough, the LogonTester application has been published on Citrix Presentation Server. If you are following the walkthrough you will need to publish the LogonTester application and grant your domain account access to launch this application.
13 When the published application is launched, navigate to the change password dialog.
14 When the change password dialog is displayed, verify that the Citrix Password Manager Agent displays the Change Password Wizard. Select Generate a new, random password based on the current application's password policy and click Next.
15 Run through the Change Password Wizard and verify that the Citrix Password Manager Agent auto-generates and supplies a new password for the application successfully.

8. Deploy Agent to all Target Computers Running Citrix Presentation Server 10 Minutes
Description
The Citrix Password Manager Agent can be deployed as part of a stand-alone MSI installation or as part of the Citrix Access Client MSI installation. During a stand-alone installation, the user/administrator specifies the location of the central store and chooses whether to install advanced features. Both the stand-alone agent package and the Citrix Access Client package are MSI packages, so they can easily be distributed to computers running Citrix Presentation Server using Installation Manager or installed manually.
Key Decisions and Citrix Recommendations
The key decisions and recommendations for deploying the Citrix Password Manager Agent to all target computers running Citrix Presentation Server are listed below.
Citrix Password Manager Agent Deployment Key Decisions and Recommendations
Key Decisions
Citrix Presentation Server computers for Agent Deployment: The Citrix Password Manager Agent needs to be installed on all computers running Citrix Presentation Server that host the applications requiring single sign-on.
Agent Deployment Method: The Citrix Password Manager Agent is an MSI package and can be installed manually, through Citrix Installation Manager, through Active Directory policies, and through other mechanisms. To use these utilities to deploy the Citrix Password Manager Agent, a Citrix Access Client MSI package needs to be created that contains the pre-configured settings for the Citrix Password Manager Agent.
Network Share Point: The Citrix Access Client MSI package needs to be placed within a network share point to allow it to be deployed through an MSI distribution utility such as Citrix Installation Manager.
Citrix Recommendations
Citrix Presentation Server computers for Agent Deployment: Install the Citrix Password Manager Agent on all computers running Citrix Presentation Server that require single sign-on.
Agent Deployment Method: If there are only a few computers running Citrix Presentation Server that require the Citrix Password Manager Agent, manual installation of the agent may be the simplest option. If you have several computers running Citrix Presentation Server that require the Citrix Password Manager Agent, using an automated deployment mechanism is the best approach. If you are using Citrix Presentation Server Enterprise Edition, then Installation Manager is the recommended choice for deployment. If you have another preferred MSI package deployment mechanism, then use the utility that you are most comfortable with.
Network Share Point: Place the Citrix Access Client MSI package within the same network share used for the other Citrix Installation Manager packages.
Step-by-Step Guide
The steps in the table below describe how to create a Citrix Access Client MSI package for the Citrix Password Manager Agent. This MSI package will contain pre-configured settings for the Citrix Password Manager Agent to allow it to be deployed using your preferred MSI deployment mechanism, such as Citrix Installation Manager, Active Directory Group Policy Objects (GPOs), etc.
Creating a Citrix Access Client MSI Package for the Citrix Password Manager Agent Screen Shot Description
1 Insert the Citrix Password Manager CD-ROM. Within the AutoRun wizard, select Advanced Installation Tasks.
2 Select Create Citrix Password Manager Agent Installation Image.
3 Click Next on the welcome screen.
4 Specify a network location where the Citrix Access Client package will be placed. This can just be a temporary location; the package can be moved later.
5 Specify the features of the Citrix Password Manager Agent. Keep all default settings and click Next.
6 Select NTFS Network Share and specify the UNC path to the NTFS file share central store. Click Next.
7 Click Next.
8 Click Finish.
9 Once the package is created, move the package to a network share point so it can be used by Citrix Installation Manager or another MSI deployment utility. With Citrix Installation Manager, all application packages are stored within a file share. In the screen shot to the left, the UNC path to this file share is \\<file-server>\impackages. The CPMAgent package is a sub-folder within this file share.
The steps in the table below describe how to deploy the Citrix Password Manager Agent using Installation Manager. Installation Manager is a feature of Citrix Presentation Server Enterprise Edition that allows for streamlined rollout of applications, MSI packages, and other files. A Citrix Access Client MSI package should be created before beginning these steps (see above).
Deploying the Citrix Password Manager Agent using Installation Manager Screen Shot Description
1 Open the Citrix Presentation Server Admin Console. Right-click on the Installation Manager node and select Properties.
2 Verify that the Network Account and Network Share for Installation Manager have been set. Click OK when done. Note: The Citrix Access Client MSI package for the Citrix Password Manager Agent needs to be contained within a sub-folder of this Network Share. If this package is not already located within the Network Share, move the Citrix Access Client MSI package and files to this location now.
3 Right-click on the Packages node and select Add Package.
4 Type a Name for the package (e.g. CPM Agent). Browse to the location of the Citrix Access Client MSI package (Setup.msi).
5 Click No.
6 Click OK.
7 A server group is a logical grouping of Citrix Presentation Server computers that are the targets for one or more Installation Manager packages. Since the Citrix Password Manager Agent needs to be deployed to multiple computers running Citrix Presentation Server, those servers that need the agent installed can be designated as a server group. To create a new server group, right-click the Server Groups node and select Create Server Group.
8 Specify a Name for the server group (e.g. CPS Servers with CPM Agent). Move over the computers running Citrix Presentation Server that will be the target of the Citrix Password Manager package installation. Click OK.
9 To initiate the installation of the Citrix Password Manager package, right-click on the package (CPM Agent) and select Install Package.
10 Specify the server group (or individual servers) to deploy the Citrix Password Manager Agent on. Click Next.
11 Specify a start time for the installation (now or at a specified date/time). Specify a reboot after installation. Click Finish.
12 Watch the progress of the installation. The status will change from Pending to Started.
13 Once the package is completed, Success or Failure will be displayed.
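Step 10 of the automated password change test in section 7 asks you to read the password revealed in Logon Manager and judge by eye whether it satisfies the LogonTester policy. The following Python checker is an added example, not code from the Citrix guide, that performs the comparison for any policy expressed as length limits and minimum character-class counts, so it can be reused for every application definition under test. The exact-8-character length for LogonTester comes from the guide; the minimum numeric and special-character counts, the policy field names, and the sample passwords are assumptions.

```python
"""Check a password revealed in Logon Manager against an application's
password policy. Added example; not from the Citrix guide. The policy
fields mirror the kind of limits a Password Manager password policy sets;
the LogonTester minimums for numeric and special characters are assumed."""

import string

SPECIAL_CHARACTERS = set(string.punctuation)

# Length rule from the guide (exactly 8); the other minimums are assumed values.
LOGONTESTER_POLICY = {
    "min_length": 8,
    "max_length": 8,
    "min_numeric": 1,
    "min_special": 1,
    "min_upper": 0,
    "min_lower": 0,
}


def count_classes(password):
    """Number of characters of each class present in the password."""
    return {
        "numeric": sum(c.isdigit() for c in password),
        "special": sum(c in SPECIAL_CHARACTERS for c in password),
        "upper": sum(c.isupper() for c in password),
        "lower": sum(c.islower() for c in password),
    }


def check_password(password, policy):
    """Return the list of policy rules the password breaks; empty when it complies."""
    violations = []
    length = len(password)
    if length < policy["min_length"]:
        violations.append(f"length {length} < minimum {policy['min_length']}")
    if length > policy["max_length"]:
        violations.append(f"length {length} > maximum {policy['max_length']}")
    for kind, count in count_classes(password).items():
        needed = policy[f"min_{kind}"]
        if count < needed:
            violations.append(f"{count} {kind} character(s), policy requires {needed}")
    return violations


def check_revealed_passwords(revealed, policies):
    """revealed: {application name: password as shown by View > Reveal Passwords}
    policies: {application name: policy dict}
    Returns only the applications whose generated password fails, with reasons."""
    failures = {}
    for app, password in revealed.items():
        problems = check_password(password, policies[app])
        if problems:
            failures[app] = problems
    return failures


if __name__ == "__main__":
    # Constructed sample values standing in for what Logon Manager reveals.
    revealed = {"LogonTester": "Ab3$ef7g", "LegacyApp": "abcdefgh"}
    policies = {"LogonTester": LOGONTESTER_POLICY, "LegacyApp": LOGONTESTER_POLICY}
    print(check_revealed_passwords(revealed, policies))
```

Run it with the revealed passwords copied from Logon Manager and the policy values taken from the Access Suite Console; an empty result means every generated password complies, and anything else names the rule the agent's generator or the policy assignment got wrong.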
Appendix
This appendix contains supplementary material relating to the deployment of Citrix Password Manager.
Appendix A Additional Resources
The following is a list of additional resources that can be used to help you with your Citrix Password Manager implementation.
- Application Template Online Library: the website (http://citrix.thinkbuilddeploy.com) contains an online library of application definitions submitted by IT professionals from many organizations that have worked with Citrix Password Manager. This website should be consulted prior to creating a new application definition to see if the application definition has been previously created.
- Citrix Password Manager Administrator's Guide: administrative guide located on the Citrix Password Manager CD-ROM that contains detailed information regarding the deployment of Citrix Password Manager.
- Citrix Password Manager Readme: web-based bulletin located on the Citrix Password Manager CD-ROM that provides the latest information on the product release.
Appendix B Obtaining Support
If you need support on particular issues you are having with your implementation or need assistance on configuring single sign-on to your applications, the following support links from the online Knowledge Center can be utilized:
- Online Technotes: this website, http://knowledgebase.citrix.com/kb/category.jspa?categoryid=931, contains a list of common issues and ways to troubleshoot and correct them.
- Online Support Forum: this website, http://knowledgebase.citrix.com/forums/forum.jspa?forumid=97, is an online support forum where you can post and respond to Citrix Password Manager inquiries.
- Hotfixes and Service Packs: this website, http://knowledgebase.citrix.com/hotfixes.jspa?categoryid=934&subcategoryid=934&splevels=&languages=English&productName=Password%20Manager%204.1, contains the latest hotfixes and service packs for Citrix Password Manager 4.1.
Appendix C Installing the Citrix Access Suite License Server
The Citrix Access Suite license server is used to centrally manage all Citrix Access Suite product licenses. The installation requirements for the license server are as follows:
- Microsoft Internet Information Server 5.0/6.0 web server or Apache web server
- Java Runtime Environment (JRE) 1.4.2_06
The steps for installing the Citrix Access Suite license server are listed within the table below.
License Server Installation Screen Shot Description
1 Insert the Citrix Password Manager CD-ROM. Within the AutoRun wizard, select Installation Menu.
2 Select Install Citrix Access Suite Licensing.
3 Click Next on the welcome screen.
4 Select I accept the license agreement and click Next.
5 Keep the default installation location and click Next.
6 Keep the default installed features and click Next.
7 Keep the default installation location and click Next.
8 Select the web server type and click Next.
9 Select OK to restart Microsoft IIS Server and click Next.
10. Click Next to perform the installation.

Appendix D Creating an NTFS File Share Central Store in a Specific Location

The Citrix Password Manager CD-ROM Auto-Run menu provides administrators with a quick and easy way of setting up an NTFS file share central store in a default location on the hard drive (C:\CITRIXSYNC). In many cases, administrators want more control over where the NTFS file share is stored. The Citrix Password Manager CD-ROM also contains a utility called CtxFileSyncPrep.exe (located within the Tools folder) that allows administrators to create an NTFS file share store in any desired location on the hard drive. The following steps describe how to use this utility to create the file share central store within a specific location on the server.

Creating an NTFS File Share Central Store in a Specific Location

1. Open the command prompt and navigate to D:\Tools (the Tools folder on the Citrix Password Manager CD-ROM). Execute the following command:

       CtxFileSyncPrep /path:<folder_path> /share:<share_name>

   Example usage:

       CtxFileSyncPrep /path:c:\citrix\centralstore /share:centralstore

   Note: The /path parameter contains the location of the central store. The /share parameter contains the name of the file share. In the example above, the folder C:\Citrix\CentralStore is used as the central store. The name of this shared folder is CentralStore.
2. Verify that the NTFS file share central store was created on the local machine in the specified location.

Appendix E Integrating the Citrix Password Manager and Citrix Presentation Server Access Suite Consoles

The Access Suite Console for Citrix Password Manager can be combined with the Access Suite Console for Citrix Presentation Server so that both Citrix products are administered from within the same admin utility. To combine the Access Suite Consoles, both consoles need to be installed on the same server. Once both consoles are installed on the same server, the steps within the table below can be used to integrate them.

Citrix Access Suite Console Integration

1. Within the Run window, type MMC to launch the MMC snap-in utility.
2. Once the MMC snap-in utility is displayed, select File > Add/Remove Snap-in.
3. Click Add to add a new snap-in.
4. Select MetaFrame Access Suite Console and click Add.
5. Repeat this process to add the second MMC snap-in (MetaFrame Presentation Server Administration). Click OK.
6. Both Access Suite Console snap-ins are displayed. The yellow Citrix Access Suite Console snap-in is used to administer Citrix Password Manager. Select this node to begin the discovery process.
7. Click Next on the Welcome screen.
8. Keep all default options selected and click Next.
9. Select NTFS network share. Type the UNC path to the NTFS file share central store (\\servername\sharename). Click Next.
10. Click Next.
11. Click Next on the summary screen.
12. Click Finish once the discovery process has been completed.
13. Citrix Password Manager can now be configured within this console.
Appendix F Utilizing Pre-Built Templates for Configuring Application Single Sign-On

Application templates contain pre-configured settings for how the Citrix Password Manager Agent recognizes and submits credentials to an application. All application definition templates have at least a pre-configured form for the logon dialog/page. The application definition template may also contain a pre-configured form for the change password dialog/page. Leveraging pre-built templates can simplify administration since the Citrix Password Manager administrator does not have to configure the logon and/or change password form themselves.

Application definition templates for Citrix Password Manager can be downloaded free of charge from the website http://citrix.thinkbuilddeploy.com. This website contains a collection of various Windows, Web, and Host-based application definitions uploaded by Citrix or by customers using Citrix Password Manager. Before creating a new application definition for an application within your environment, it is always recommended to check this website to see if an application definition template has already been created for the application. As this website is a living repository, it is beneficial to upload your new application definitions to this website to allow other customers and Citrix Password Manager administrators to leverage your templates.

To download an application definition template from http://citrix.thinkbuilddeploy.com, follow the steps below. Once the template is downloaded, it needs to be placed on the server hosting the Citrix Access Suite Console for Citrix Password Manager.

Downloading Application Definition Templates from the Internet

1. Open a browser and navigate to http://citrix.thinkbuilddeploy.com.
2. Browse or search for an application definition template that you need for your environment. Once you find a template, click the link to download the template.
3. Save the application definition template to the server hosting the Access Suite Console for Citrix Password Manager.

After the application definition template is downloaded and placed on the server hosting the Citrix Access Suite Console, the template can be imported into either the Citrix Access Suite Console or the Application Definition Tool so that it can be leveraged within the Citrix Password Manager environment. The Application Definition Tool is included as part of the Citrix Access Suite Console installation, so these steps can be performed on the server hosting the Citrix Access Suite Console. The steps for importing the application definition template are listed in the table below. These steps also describe how to create an application definition using the template.

Importing Application Definition Templates into the Access Suite Console

1. Within the Access Suite Console, select the Application Definitions node and click Manage Templates.
2. Click Import Template.
3. Browse to the application definition template that was downloaded from the http://citrix.thinkbuilddeploy.com website. Click Open.
4. The template should now appear in the list. Click Done.
5. Now that the template is imported, an application definition needs to be created from the template. Select the Application Definitions node and click Create application definition.
6. Select the application type (Windows, Web, Host) for the template that was imported. Within the Starting Format section, select Create from application template and choose the template from the list. Click Start Wizard.
7. Specify a Name for the application definition. A default name is already supplied. Click Next.
8. Click Next.
9. Click Next.
10. Click Finish.
11. The application definition is now listed under the Application Definitions node.

After an application definition has been created using the template, the application definition needs to be applied to Citrix Password Manager users. The steps in the table below describe how to leverage the application definition within the Citrix Access Suite Console and apply the application definition to users.

Leveraging Application Definition Templates within the Citrix Access Suite Console
1. Select the user configuration within the Access Suite Console that you want to assign this new application definition to. Select Create new application group.
2. Specify a name for the application group, choose a password policy, and move over the application definition. Click OK.
3. The new application definition has now been assigned to the users of the user configuration. This process can be repeated for additional user configurations if needed.
Appendix G Installing the Citrix Password Manager Service and Configuring Question-Based Authentication

The Citrix Password Manager Service is an optional component used to provide various advanced features for a Citrix Password Manager deployment. Implemented as a Windows service (Citrix XTE Service), the Citrix Password Manager Service is an SSL-based Apache web service that listens for requests from Citrix Password Manager Agents and responds with the appropriate action. The Citrix Password Manager Service cannot be installed on a Citrix Presentation Server since a Citrix Presentation Server also implements the Citrix XTE Service. Typically, the Citrix Password Manager Service is placed on a dedicated, locked-down machine due to the nature of the services that it provides. The Citrix Password Manager Service provides the following advanced features and services:

Account Self Service - Allows a user to reset or unlock their primary Active Directory password directly from the Microsoft Windows Logon GINA, helping to avoid unnecessary help desk calls for password management.

Password Provisioning - Allows administrators to pre-provision application credentials for users, so that users do not need to add their own credentials to the Citrix Password Manager Agent for performing single sign-on to applications.

Automatic Key Recovery - The Citrix Password Manager Agent protects the stored user credentials by utilizing a randomly generated key and protects that key in part with the user's primary domain, username, and password. When the user's primary password is changed from a machine without the agent running (such as when an administrator changes the user's primary Active Directory password), the agent needs to verify the identity of the user before allowing the user to re-launch the agent.
The automatic key recovery feature recovers the key for the user automatically behind the scenes so that the user is not prompted to enter their previous domain password or answer security questions to prove their identity to the agent.

Question-Based Authentication - Provides an extra layer of security to the Citrix Password Manager Agent after a primary password change. When the user's primary Active Directory password is changed outside the scope of the Citrix Password Manager Agent, the agent prompts the user to respond to a set of security questions that the user initially answered during the agent First-Time-Use wizard. After answering all questions successfully, the user is allowed to proceed using the agent. The multiple identity verification questions feature is also used in conjunction with the Account Self Service feature. To allow a user to reset or unlock their primary password from the Windows Logon GINA, the user is required to answer the multiple security questions to prove their identity before being allowed to reset or unlock their primary password.

Data Integrity - Adds an extra layer of security and protection to the Citrix Password Manager Agent synchronization process. Without data integrity, agent settings are stored within the central store and sent across the wire unencrypted. With data integrity, the agent settings in the central store are signed by a certificate and sent across the wire with the data signature. The Citrix Password Manager Agent then verifies the signature before accepting the settings. This extra layer of protection ensures the integrity of the configuration data sent during the agent synchronization process.

The following is a list of pre-requisites for installing and configuring the Citrix Password Manager Service:

- Identify a server to host the Citrix Password Manager Service (this cannot be a Citrix Presentation Server)
- Microsoft Windows Server 2000/2003 operating system. Windows Server 2003 is recommended.
- Microsoft Internet Information Services (IIS) 5.0/6.0 (with ASP.NET included). To allow the Citrix Password Manager Service to use SSL port 443, change the IIS SSL port to a different number (such as 444).
- Microsoft .NET Framework 1.1 SP2 (ensure that .NET Framework 2.0 is not installed)
- The server needs to be a member of the domain
- An SSL certificate needs to be installed within the Certificates MMC Snap-in (the common name of the certificate needs to map to the FQDN of the server hosting the Citrix Password Manager Service. Also, the
agent machines and the server hosting the Citrix Access Suite Console need to have the corresponding root certificate installed in order to allow these components to communicate with the Citrix Password Manager Service)
- Identify a domain account to use for the Data Proxy (this account needs to have read/write access to the central store and also needs to be a local administrator of the server hosting the Citrix Password Manager Service)
- Identify a domain account to use for Account Self Service (this account needs to have permissions within Active Directory to reset and unlock passwords)
- Install the Microsoft Web Services Enhancements (WSE) 2.0 SP3 Runtime (located on the Citrix Password Manager CD-ROM)
- Download Citrix Password Manager 4.1 Service Pack 1 from the Citrix website (http://support.citrix.com/article/ctx109000).

Important Note: For the purposes of this walkthrough, only the Key Management module of the Citrix Password Manager Service will be enabled to allow the Multiple Question-Based Authentication mechanism to be used as a key recovery option. When Multiple Question-Based Authentication is enabled, users will be required to run through a security questionnaire upon their first time use (or next use) of the agent. When the user's primary Active Directory password is changed from a machine not running the Password Manager agent, and they re-launch the agent (i.e. they launch a published application that uses the agent), the agent will require the user to supply their answers to prove their identity before allowing the agent to start. The Multiple Question-Based Authentication option for key recovery can be used as a replacement for the Previous Domain Password key recovery option that was configured and enabled earlier within this document.

The table below describes the steps for installing and configuring the Citrix Password Manager Service. Before beginning these steps, ensure that each pre-requisite listed above has been satisfied.
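To illustrate the Data Integrity feature described at the start of this appendix (which this walkthrough leaves de-selected in the service installation), here is an added Python model that is not Citrix code: a central-store side that signs a settings document, and an agent side that checks the signature before accepting the settings. HMAC-SHA256 under a shared key stands in for the certificate signature the product uses, and the setting names, values and signing key are constructed for the example.

```python
"""Model of the Data Integrity check on agent synchronization (added example, not Citrix code).

HMAC-SHA256 under a shared key stands in for the certificate-based signature the
product applies to settings in the central store; the settings below are constructed
sample values, not the agent's real configuration schema.
"""
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-demo-signing-key"  # constructed; a real deployment uses a certificate


def sign_settings(settings, signing_key=SIGNING_KEY):
    """Central store side: serialize the settings canonically and attach a signature."""
    payload = json.dumps(settings, sort_keys=True, separators=(",", ":"))
    signature = hmac.new(signing_key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": signature}


def agent_accept(message, data_integrity, verify_key=SIGNING_KEY):
    """Agent side: return (accepted, settings).

    With data_integrity=True the signature is checked before the settings are parsed,
    so any modification of the payload in the store or on the wire is rejected. With
    data_integrity=False the agent accepts whatever it receives, which is the exposure
    the appendix describes for deployments without the module.
    """
    payload = message.get("payload", "")
    if data_integrity:
        expected = hmac.new(verify_key, payload.encode("utf-8"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("signature", "")):
            return False, None
    return True, json.loads(payload)


def scenario():
    """Run the check against genuine, tampered and unsigned settings messages."""
    settings = {  # constructed sample settings
        "key_recovery": "previous_password_or_questions",
        "questionnaire_length": 4,
        "service_url": "https://pmservice.example.invalid:443",
    }
    genuine = sign_settings(settings)

    # Modification in the share or on the wire: shrink the questionnaire to zero questions.
    tampered = dict(genuine)
    tampered["payload"] = genuine["payload"].replace('"questionnaire_length":4', '"questionnaire_length":0')

    unsigned = {"payload": tampered["payload"]}  # no signature field at all

    return {
        "genuine_accepted": agent_accept(genuine, True)[0],
        "tampered_rejected": not agent_accept(tampered, True)[0],
        "unsigned_rejected": not agent_accept(unsigned, True)[0],
        "tampered_accepted_without_integrity": agent_accept(tampered, False)[1]["questionnaire_length"] == 0,
    }


if __name__ == "__main__":
    print(scenario())
```

The signature proves where the settings came from and that they were not modified; it does not hide their contents, so the permissions on the central store file share remain the confidentiality control for what is stored there.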
Installing and Configuring the Citrix Password Manager Service

1. Insert the Citrix Password Manager CD-ROM on the server that will host the Citrix Password Manager Service. (Note: this cannot be a server hosting Citrix Presentation Server.) Within the AutoRun wizard, select Advanced Installation Tasks.
2. Select Install Citrix Password Manager Service.
3. Click Next on the welcome screen.
4. Select I accept the license agreement and click Next.
5. Select the Key Management module and de-select the other modules (Data Integrity, Provisioning, and Account Self-Service). Click Next.
6. Click Install.
7. Click Finish.
8. The configuration wizard for the Citrix Password Manager Service pops up automatically after the installation has been completed. It is recommended to install the Citrix Password Manager 4.1 Service Pack 1 before configuring the Citrix Password Manager Service. Click Cancel to exit this wizard.
9. Install the Citrix Password Manager 4.1 Service Pack 1 downloaded from the Citrix website (http://support.citrix.com/article/ctx109000). Click Next.
10. Click Finish.
11. Launch the Citrix Password Manager Service Configuration Wizard by navigating to Start > Programs > Citrix Password Manager > Service Configuration.
12. The Welcome screen is displayed. Click Next.
13. Specify the SSL port number for the Citrix Password Manager Service (443 is the preferred port number; ensure that IIS is not using this port for SSL). Select the SSL certificate to use for the Citrix Password Manager Service. The common name of the certificate needs to match the FQDN of the server hosting the Citrix Password Manager Service. (Note: the certificates listed here are contained within the Certificates MMC Snap-in on this server.) Select NT Authority\Network Service for the system account if the server hosting the Citrix Password Manager Service is Windows Server 2003. Otherwise, select NT Authority\Local Service. Click Next.
14. Click Next.
15. Select NTFS Network Share and type the UNC path to the file share central store. Click Next.
16. The Data Proxy account is the account used by the Citrix Password Manager Service to contact the central store. Specify a domain account that has read/write access to the file share central store and that is also a local administrator of this machine. Click Next.
17. Click Next.
18. Click Finish.
19. The Applying Settings dialog is displayed. Ensure that the last line of this dialog is "Processing finished successfully". Click Finish.
20. Verify that the Citrix XTE Service has been started within the Services control panel. This is the Citrix Password Manager Service.

Once the Citrix Password Manager Service has been installed and configured, multiple question-based authentication can be configured and applied to users within the Citrix Access Suite Console. The table below describes how to configure multiple question authentication within the Access Suite Console.

Configuring Multiple Question Authentication within the Citrix Access Suite Console

1. Open the Citrix Access Suite Console for Citrix Password Manager. On the Question-Based Authentication node, select Manage Questions.
2. Within the Question-Based Authentication section, choose the default language in which the questions are presented to the user.
3. Within the Security Questions section, add or edit the list of security questions that are available for question-based authentication and key recovery. Four sample questions are provided by default. If these questions are satisfactory, the default questions can be used.
4. Within the Questionnaire section, specify the questions that will be presented to the user for question-based authentication. Four sample questions are used by default; however, this list can be modified and the number and order of the questions can be changed.

   Note: There is a balance to strike in how many questions are used for the questionnaire. Four questions is a typical amount; however, this number can be changed. Selecting fewer questions makes it easier for the user, since they do not have to answer and remember several questions. Selecting more questions increases the security of Citrix Password Manager; however, users have to remember their answers to more questions.

5. Within the Key Recovery section, specify which questions from the questionnaire will also be used for key recovery. Click OK when done.

This completes the configuration of which questions are used for question-based authentication. In order to use question-based authentication as a key recovery option (in place of Previous Domain Password), the user configuration now needs to be modified.
6. Select the user configuration and click Edit user configuration.
7. Within the Key Management section, select Prompt user to select the method: previous password or security questions. This changes the key recovery mechanism from just Previous Domain Password to the new multiple question-based key recovery mechanism.
8. Within the Key Management Module section, update the URL field to include the FQDN of the server hosting the Citrix Password Manager Service. Click Validate to ensure that this path is correct. Click OK to close the user configuration.
9. The Citrix Password Manager Agent now needs to be tested to ensure that the question-based key recovery mechanism will be utilized. To begin, if the Citrix Password Manager Agent on the local server is started, close the agent by right-clicking the agent within the system tray and selecting Exit. Click Yes when prompted about shutting down the Citrix Password Manager Agent.
10. Once the agent has been shut down, re-launch the agent by navigating to All Programs > Citrix Password Manager > Password Manager Agent within the Start Menu. The agent may prompt you to re-authenticate to the server before launching the agent. Click OK and re-authenticate to the server.
11. Once you have re-authenticated to the server, verify that the Citrix Password Manager Agent displays a Registration dialog. Click Register.
12. Click Next on the welcome screen.
13. Answer the security questions within the questionnaire. These are the same security questions specified within the Citrix Access Suite Console. Be sure to remember your answers, as you will need to supply these again to the agent if you need to reset your password, unlock your account, or prove your identity because your primary password changed outside of the Citrix Password Manager Agent.
14. Click Next.
15. Click Finish.
16. Click Finish to complete the registration process.
17. The Citrix Password Manager Agent should now be reloaded in the system tray. The next time that you change your primary Active Directory password from a machine not running the Citrix Password Manager Agent, the agent will require you to re-answer the security questions to prove your identity before the agent is re-launched (either when using the agent locally or through a published application). This change is also now applied to all users within the user configuration. The next time they launch a published application, the agent will require them to run through the security questionnaire as well.
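As an added illustration of the key protection and recovery behaviour described at the start of this appendix and exercised in steps 9 through 17 above (example code, not Citrix's implementation): the agent's random data-protection key is wrapped under a key derived from the user's domain, username and primary password, and during questionnaire registration a second copy is wrapped under the normalized answers. After a password reset performed outside the agent, the password wrapping no longer opens, so recovery has to go through the previous domain password or the security answers, after which the key is re-wrapped under the new password. The KDF (PBKDF2-SHA256), the pad-plus-HMAC wrapping, the iteration count, the answer normalization, and the sample user and answers are all assumptions made for this model; the page does not document the agent's actual cryptography.

```python
"""Model of the agent's credential-protected key and its recovery paths (added example, not Citrix code).

Assumptions for the model: PBKDF2-SHA256 as the KDF, a derived one-time pad plus an
HMAC tag as the key wrap, an iteration count of 100000, and case/whitespace
normalization of questionnaire answers. The sample user and answers are constructed.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption; the real agent's KDF parameters are not on the page
KEY_LEN = 32


def _derive(material, salt):
    """Derive a 32-byte pad and a 32-byte MAC key from a secret and a salt."""
    out = hashlib.pbkdf2_hmac("sha256", material, salt, PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]


def _wrap(key, material):
    """Protect the key under a secret: fresh salt, pad XOR, then an HMAC tag over salt and ciphertext."""
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(material, salt)
    ct = bytes(k ^ p for k, p in zip(key, pad))
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return {"salt": salt, "ct": ct, "tag": tag}


def _unwrap(blob, material):
    """Return the key if the secret matches the one used to wrap it, otherwise None."""
    pad, mac_key = _derive(material, blob["salt"])
    expected = hmac.new(mac_key, blob["salt"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(c ^ p for c, p in zip(blob["ct"], pad))


def _credential_material(domain, user, password):
    # The key is protected "in part with the user's primary domain, username, and password".
    return f"{domain}\\{user}".lower().encode("utf-8") + b"\x00" + password.encode("utf-8")


def _answer_material(answers):
    # Normalize answers so capitalization and stray spaces do not break recovery (assumption).
    return b"\x00".join(a.strip().lower().encode("utf-8") for a in answers)


class AgentKeyStore:
    """What the agent keeps for one user: the key wrapped under each accepted secret."""

    def __init__(self, domain, user, password):
        self.domain, self.user = domain, user
        key = secrets.token_bytes(KEY_LEN)  # random key that protects the stored application credentials
        self.by_password = _wrap(key, _credential_material(domain, user, password))
        self.by_answers = None

    def unlock(self, password):
        """Normal agent start: the current primary password opens the key."""
        return _unwrap(self.by_password, _credential_material(self.domain, self.user, password))

    def register_questions(self, password, answers):
        """First-Time-Use questionnaire (steps 11 to 16): wrap the same key under the answers."""
        key = self.unlock(password)
        if key is None:
            return False
        self.by_answers = _wrap(key, _answer_material(answers))
        return True

    def recover(self, new_password, previous_password=None, answers=None):
        """After a primary password change outside the agent, prove identity and re-wrap the key.

        The previous domain password is tried first, then the security answers, matching the
        "prompt user to select the method" setting chosen in step 7.
        """
        key = None
        if previous_password is not None:
            key = _unwrap(self.by_password, _credential_material(self.domain, self.user, previous_password))
        if key is None and answers is not None and self.by_answers is not None:
            key = _unwrap(self.by_answers, _answer_material(answers))
        if key is None:
            return False
        self.by_password = _wrap(key, _credential_material(self.domain, self.user, new_password))
        return True


def scenario():
    """Walk through enrollment, an administrator reset, and both recovery paths."""
    store = AgentKeyStore("CORP", "jdoe", "Winter2006!")  # constructed sample user
    answers = ["Smith", "Rover", "Chicago"]               # constructed sample answers
    store.register_questions("Winter2006!", answers)
    key = store.unlock("Winter2006!")
    results = {"normal_unlock": key is not None}

    # An administrator resets the password in Active Directory; the agent was not involved.
    results["unlock_after_reset"] = store.unlock("Reset#2006") is not None
    results["wrong_answers"] = store.recover("Reset#2006", answers=["Smith", "Fido", "Chicago"])
    results["recovered_by_answers"] = store.recover("Reset#2006", answers=[" smith", "ROVER", "Chicago "])
    results["same_key_after_answers"] = store.unlock("Reset#2006") == key

    # A second reset, this time recovered with the previous domain password.
    results["recovered_by_previous_password"] = store.recover("Reset#2007", previous_password="Reset#2006")
    results["same_key_after_previous_password"] = store.unlock("Reset#2007") == key
    return results


if __name__ == "__main__":
    print(scenario())
```

The model makes the operational point of steps 9 through 17 concrete: the stored credentials are only as recoverable as the secrets the key is wrapped under, so a user who has not completed the questionnaire and has forgotten the previous password has no path back to the key, and the answers themselves deserve the same handling as a password.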
851 West Cypress Creek Road
Fort Lauderdale, FL 33309
954-267-3000
http://www.citrix.com

Copyright 2005 Citrix Systems, Inc. All rights reserved. Citrix, the Citrix logo, Citrix ICA, Citrix MetaFrame, and other Citrix product names are trademarks of Citrix Systems, Inc. All other product names, company names, marks, logos, and symbols are trademarks of their respective owners.