PASSWORD MANAGER OVERVIEW

Citrix Password Manager provides password security and single sign-on access to Windows, Web, proprietary, and host-based applications running in the Citrix environment as well as local applications on the desktop. Users authenticate once and Password Manager does the rest, automatically logging on to password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks, including password changes.

The primary components of Password Manager are:

  • The Central Store

  • The Password Manager Console

  • Password Manager agent software

  • The Password Manager Service

Password Manager Central Store

An organization's network directory service determines how and where Password Manager stores information. This information is kept in the central store; it includes credentials, application policies, user data, and more. The central store can be a network share on a Windows server, a container in your Active Directory schema, or a shared folder in your Novell NetWare directory.

The central store is also the synchronization location that allows the agent software and the console to communicate with each other. The agent synchronizes data in its local store with the data in the central store.

Creating a Central Store in an NTFS Network Share

To use an NTFS network share, start by creating a shared folder for the Password Manager Central Store. The root-shared folder must be created, as well as a folder named People under that shared folder. Access permissions must be set appropriately to allow the agent and console to access Password Manager information securely.

The setup of the folder can be done manually by referencing the Citrix Password Manager Administrator's guide or by using the File Synchronization Setup utility. The File Synchronization Setup utility ensures that the shared folder and the folder named People are created and shared with correct sharing and security permissions. Therefore, as Password Manager is used with file synchronization, all of the data in this folder is appropriately secured and manageable.

Note

The computer you use to host the shared folder is called the Central Store (synchronization location). The Central Store must belong to the same domain as the machines on which the agent software is installed.

To Use File Synchronization Setup

From the Autorun screen of your product CD, under Prerequisites: Create Your Central Store, select NTFS network share. The central store is created using default parameters of %SystemDrive%\CITRIXSYNC for the path and CITRIXSYNC$ for the share.

Alternatively, at a command prompt, change to the /Tools directory on the product CD and type CtxFileSyncPrep /path:pathname /share:sharename. The central store share should always be a hidden share.

Note

Run CtxFileSyncPrep on the server that is hosting the NTFS network share. The pathname parameter must be local to the server.

When the program is finished, the shared folder and the People folder are created with appropriate sharing and security permissions set. The shared folder is now ready to be used for synchronization.

Note

Any group of users who are not administrators on the file servers but need to manage Password Manager folders can be added to the root shared folder with full control. The group also needs to be added to the People folder because the People folder does not inherit access rights from the root shared folder. Adding the group to the People folder grants group members the required access to all other folders and files in the share.
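The following PowerShell script is an added example for checking a central store prepared as described above; it is not part of the book and is not Citrix's CtxFileSyncPrep utility. It assumes the book's defaults (C:\CITRIXSYNC shared as CITRIXSYNC$) and a hypothetical administrative group CORP\PM-Admins that must hold Full Control on the root share and, because People does not inherit, as an explicit entry on the People folder. It also flags broad write access on either folder, since that would let any domain user alter the credential data stored there.

```powershell
# Added example, not from the book or from Citrix's CtxFileSyncPrep utility.
# Verifies an NTFS central store on the file server that hosts it.
# Assumptions: root C:\CITRIXSYNC shared as CITRIXSYNC$ (the book's defaults)
# and a hypothetical group CORP\PM-Admins that needs Full Control.
param(
    [string]$Root       = 'C:\CITRIXSYNC',
    [string]$ShareName  = 'CITRIXSYNC$',
    [string]$AdminGroup = 'CORP\PM-Admins'
)

$full     = [System.Security.AccessControl.FileSystemRights]::FullControl
$write    = [System.Security.AccessControl.FileSystemRights]::Write
$findings = @()

# 1. The central store share must be hidden, i.e. its name ends in '$'.
if (-not $ShareName.EndsWith('$')) {
    $findings += "Share '$ShareName' is not a hidden share"
}

# 2. The share must exist on this server and point at the root folder.
$shareText = (net share $ShareName 2>$null) -join "`n"
if (-not $shareText) {
    $findings += "Share '$ShareName' does not exist on this server"
} elseif ($shareText -notmatch [regex]::Escape($Root)) {
    $findings += "Share '$ShareName' does not point at $Root"
}

# 3. The People folder must exist directly under the root.
$people = Join-Path $Root 'People'
if (-not (Test-Path $people)) {
    $findings += "Folder $people is missing"
}

# 4. The admin group needs Full Control on both folders. People does not
#    inherit from the root, so its entry must be a non-inherited ACE.
foreach ($folder in @($Root, $people)) {
    if (-not (Test-Path $folder)) { continue }
    $acl = Get-Acl -Path $folder
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $AdminGroup -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    })
    if ($aces.Count -eq 0) {
        $findings += "$AdminGroup has no Full Control entry on $folder"
    } elseif ($folder -eq $people) {
        $explicit = @($aces | Where-Object { -not $_.IsInherited })
        if ($explicit.Count -eq 0) {
            $findings += "$AdminGroup is only inherited on $people; grant it explicitly"
        }
    }
    # Broad write access would let any domain user tamper with credential data.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    foreach ($ace in $acl.Access) {
        if ($broad -contains $ace.IdentityReference.Value -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $write) -ne 0)) {
            $findings += "$($ace.IdentityReference) has write access on $folder"
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Central store $Root ($ShareName) looks correctly prepared."
} else {
    foreach ($f in $findings) { Write-Output "FINDING: $f" }
    exit 1
}
```

Run it on the file server after CtxFileSyncPrep (or the manual setup) and again after any change to the share's membership; a non-zero exit makes it easy to wire into a scheduled configuration check.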

Installing the Password Manager Console

To install the Password Manager Console, open Autorun.exe from the product CD, select Installation Menu > Install Password Manager Console, and follow the wizard prompts.

Note

Microsoft .NET Framework 1.1, Service Pack 1 or Microsoft .NET Framework 2.0 must be installed before installing the Password Manager Console. Microsoft .NET Framework Version 1.1 is available on the product CD at \Support\dotNet11\dotnetfix.exe. Download Service Pack 1 from the Microsoft Windows Update Web site at http://www.windowsupdate.microsoft.com/. Console installation requires Windows Installer 3.0. The installer is available from the product CD at \Support\MSI30\WindowsInstaller-KB884016-v2-x86.exe. Running the console on Windows NT 4.0 is not supported.

Password Manager supports the use of Versions 1.4 and 1.5 of the Java Runtime Environment (JRE). Before installing the console, application definition tool, or agent software, install either version of the JRE. If the JRE is installed or upgraded after installing the console, application definition tool, or agent software, Password Manager software installation must be repaired using the Control Panel. This allows the software to recognize the installed or upgraded JRE.

Installing the Application Definition Tool

The Application Definition Tool is a wizard-based tool for creating and editing application definitions. Install the Application Definition Tool on desktop machines or servers on which the full console is not installed, or if application definitions need to be created or edited for the network environment. The Application Definition Tool must be installed on the same device on which the password-protected applications are running.

Note

The Application Definition Tool can be installed directly from the Password Manager Console, or it can be run as a stand-alone module. The stand-alone mode of the Application Definition Tool can be run without having to install a console; however, the Application Definition Tool is installed automatically with the Password Manager Console.

Installing the Agent Software

To access local applications, users must run the agent software on their client devices. Mobile users can also install the agent on their laptops so that they can use the agent features even when they are not connected to the network. Synchronization of user credentials occurs when mobile users reconnect to the network.

When the agent software is installed using the Autorun.exe option provided on the Password Manager CD, the agent software appropriate to the local operating system (32- or 64-bit) is installed. If the agent software is installed manually, the appropriate agent software MSI file for the machine operating system should be used. The 32-bit agent software is on the Password Manager CD in the Agent folder. The 64-bit agent software is in the x64 folder within the Agent folder.

Note

Before the agent software is installed, a central store, a console installation, and user configurations must already exist.

For testing purposes, both the console and the agent can be installed on the same machine. This provides an efficient way to verify that changes made at the console are reflected on the agent.

Note

Agent software installed on a client device displays a notification icon of a key on a yellow background. Agent software installed on a server running Presentation Server displays a notification icon of a key and globe on a yellow background.

An image of the agent software can be installed on a network share using a utility available on the product CD. Go to Autorun > Main Menu > Advanced Installation Tasks > Create Password Manager Agent Installation Image and follow the wizard prompts. The utility creates an installation image of the Password Manager agent that contains custom parameters.

Note

A device must be restarted after the installation of the agent software so that the Graphical Identification and Authentication dynamic link library (GINA) can be installed.

Installing, Configuring, and Enabling the Account Self-Service Features

To implement the Account Self-Service feature, do the following:

  1. Complete the Password Manager Service Installation Prerequisites.

  2. Install the Password Manager service.

  3. Configure the Password Manager service.

  4. Enable Account Self-Service for user configurations.

  5. Enable deployment of the agent software to users with Account Self-Service.

Password Manager Service Installation Prerequisites

The server that hosts the Password Manager Service contains highly sensitive user-related information. We highly recommend dedicating a server to this task and placing it in a physically secure location.

The following steps must be carried out before installation of the Password Manager service:

  1. Obtain a server authentication certificate from a Certificate Authority (CA) or, using an existing internal Public Key Infrastructure (PKI), download your own certificate to the server.

  2. Install the Microsoft .NET Framework Version 1.1, Service Pack 1 or Version 2.0.

  3. Install the Web Services Enhancements Runtime 2.0 Service Pack 3, available on the product CD under Support\WSE20.

  4. On the server running the Password Manager service, create or use an existing account to run the service. This account needs the Log on as a service privilege.

  5. Create an account to be used for data proxy communication. If the central store is an NTFS network share, create an account that

    • Is a member of the domain.

    • Is a local administrator for the server hosting the central store.

    • Is a local administrator for the server hosting the Password Manager service.

  6. Designate an account to be used to reset passwords and unlock the accounts of users. Create a separate domain account for account self-service with the following permissions or assign these permissions to the data proxy account:

    • Reset Password

    • Read lockoutTime

    • Write lockoutTime

    • Read pwdLastSet

    • Write pwdLastSet
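The following is an added example, not from the book, of delegating exactly the five permissions listed in step 6 to a dedicated self-service account with dsacls.exe, scoped to user objects under one OU, and then reviewing the result. The OU and account names are hypothetical; dsacls.exe is assumed to be available (it ships in the Windows Support Tools on Windows Server 2003 and is built in on later releases).

```powershell
# Added example, not from the book. Delegates the five account self-service
# permissions from step 6 to a dedicated domain account and reviews the result.
# Assumptions: hypothetical OU and account names; dsacls.exe is available.
$usersOu = 'OU=Users,DC=corp,DC=example'   # hypothetical OU holding user objects
$account = 'CORP\svc-pm-selfservice'       # hypothetical dedicated self-service account

# /I:S applies each entry to child objects only, and the trailing ';user'
# limits it to user objects, so the account cannot touch computers, groups,
# or the OU itself.
# CA   = control access right (here the 'Reset Password' extended right)
# RPWP = read property + write property on the named attribute
dsacls $usersOu /I:S /G "${account}:CA;Reset Password;user"
dsacls $usersOu /I:S /G "${account}:RPWP;lockoutTime;user"
dsacls $usersOu /I:S /G "${account}:RPWP;pwdLastSet;user"

# Review: the only entries mentioning the account should be the three above.
# Anything broader (for example Full Control, or rights on other object types)
# means the account was over-delegated and should be corrected.
dsacls $usersOu | Select-String -SimpleMatch $account
```

Keeping these rights on a separate account rather than the data proxy account (the alternative the step allows) limits what is exposed if the proxy credentials are compromised, and the final dsacls listing is the check to repeat after any later permission change.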

Installing the Password Manager Service

Follow these steps to install the Password Manager Service and the Account Self-Service module:

  1. From the Autorun.exe page of the product CD, under Advanced Installation Tasks, select Install Password Manager Service.

  2. Read and accept the license agreement.

  3. Select Account Self-Service as the module to install.

  4. Specify the location to install the Password Manager Service and the Account Self-Service module.

  5. Click Install to start the installation.

Configuring the Password Manager Service

After installing the Password Manager Service, the Configuration Wizard appears. The wizard guides you through a set of questions. Enter answers according to the following:

  1. Enter the port number associated with the server hosting the Password Manager Service (the default port number is 443).

  2. Select an SSL certificate previously created for the Password Manager Service.

  3. Enter the time, in months, before the signing certificate expires.

  4. Select and enter credentials for the service account that was created to run the Password Manager Service.

  5. Configure the data proxy by selecting your central store type and providing credentials for the account that the data proxy uses to access data on the central store.

  6. Indicate whether or not you are using Data Integrity.

  7. Enter the credentials associated with the account that allows users to reset their network password.

  8. Confirm your settings.

Enabling Account Self-Service for User Configurations

Account Self-Service features can be enabled when a user configuration is created or edited. In the Password Manager Console, go to the User Configuration item and either select a user configuration to edit or click Add New User Configuration. Follow the wizard steps to enable the Account Self-Service options desired in the environment. By default, Account Self-Service is enabled.

Enabling the Account Self-Service Features on the Agent Software

Run the Agent Software Installation Wizard to enable Account Self-Service. When the Account Self-Service features are enabled, the URL associated with the Password Manager Service must be specified.

When Users Forget Their Security Questions

If users forget answers to their security questions, the Password Manager Console must be used to reset Account Self-Service registration for users. After a user or users are reset, the Account Self-Service Registration Wizard appears the next time the users open the agent software. Users can then register answers to their security questions.

To reset Account Self-Service user registration, do the following:

  1. In the Password Manager Console, expand the Identity Verification node and select the Question-Based Authentication node.

  2. In the task pane, under Other Tasks, select Reset Security Questions For A User.

  3. Confirm the reset request for the selected user.



Citrix Access Suite 4 for Windows Server 2003: The Official Guide, Third Edition
ISBN: 0072262893
Year: 2004
Pages: 137
