Citrix Password Manager™ 4.6 with Service Pack 1
Citrix XenApp™ 5.0, Platinum Edition

Citrix® Password Manager Installation Guide

Copyright and Trademark Notice

Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable copy of the End User License Agreement is included with the installation media.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

Citrix Password Manager replaces specific end users’ encryption keys each time their primary authentication method changes, such as a domain password change or issuance of a new smart card. Password Manager can be configured to perform this operation automatically by using the optional Key Management Module. Password Manager can also be configured to use the Microsoft Data Protection API (DPAPI). When using the optional Key Management Module and/or DPAPI, be advised that an administrator may be able to access user business or personal credentials stored in Password Manager if the administrator logs on as this end user. For additional security, end users can be asked to verify the user’s identity with unique user-provided information. This provides an additional layer of protection for the user’s secondary credentials.

Regional government user computing regulations may require that you notify your end users about the possible security and privacy implications of deploying the Key Management Module and DPAPI security configurations. Review your company policies and determine what kind of notification, if any, is required for your end users.

© 2003-2008 Citrix Systems, Inc. All rights reserved.

v-GO code © 1998-2003 Passlogix, Inc. All rights reserved.

Citrix, ICA (Independent Computing Architecture), and Program Neighborhood are registered trademarks, and XenApp and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States and other countries.

RSA Encryption © 1996-1997 RSA Security Inc., All Rights Reserved.

This product includes software developed by The Apache Software Foundation (http://www.apache.org/)

This product includes software developed by Salamander Software Ltd. © 2002 Salamander Software Ltd. Parts © 2003 Citrix Systems, Inc. All rights reserved.

Trademark Acknowledgements

Adobe, Acrobat, Flash, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product.

Portions of this software are based in part on the work of the Independent JPEG Group.

Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved.

Macromedia is a trademark or registered trademarks of Macromedia, Inc. in the United States and/or other countries.

Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries.

Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell Client is a trademark of Novell, Inc.

RealOne is a trademark of RealNetworks, Inc.

Licensing: FLEXnet Operations and FLEXnet Publisher are trademarks and/or registered trademarks of Acresso Software Inc. and/or InstallShield Co. Inc.

All other trademarks and registered trademarks are the property of their respective owners.

Document Code: August 22, 2008 (nwa)


Contents

1 Welcome . . . . . 7
  Password Manager Product Line . . . . . 7
    Password Manager Advanced Edition . . . . . 7
    Password Manager Enterprise Edition . . . . . 8
  Finding Documentation . . . . . 8
  Documentation Conventions . . . . . 8
  Getting Support and Training . . . . . 9

2 Planning Your Password Manager Environment . . . . . 11
  Password Manager Components . . . . . 11
  Planning Workflow Diagram . . . . . 13
  Getting Started . . . . . 14
  Which Central Store Type Should I Choose? . . . . . 15
    Choosing an Active Directory Central Store . . . . . 17
    Choosing an NTFS Network Share . . . . . 18
    Choosing a Novell Shared Folder . . . . . 19
    Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise . . . . . 20
  What about Password Policies for Application Access? . . . . . 22
    Default Password Policy . . . . . 22
    Domain Password Policy . . . . . 22
    Custom Password Policies . . . . . 23
    Password Policy Considerations . . . . . 23
    Default Settings for the Default and Domain Password Policies . . . . . 24
  Which Type of SSO-Enabled Applications Are Used in My Enterprise? . . . . . 26
    What Do I Need to Know about Each Application? . . . . . 28
  What Type of Smart Cards Are Used in My Enterprise? . . . . . 28
    Smart Card Support . . . . . 29
    Smart Card Software Requirements . . . . . 29
  Do I Need to Use Identity Verification? . . . . . 29
    Verifying User Identity by Using Security Questions (Question-Based Authentication) . . . . . 31
    Recovering or Unlocking User Credentials Automatically . . . . . 31
  Planning Your User Configurations . . . . . 32
    Planning Considerations . . . . . 33
  Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop) . . . . . 34
    Controlling Applications . . . . . 34
    The Hot Desktop User Experience . . . . . 35
  Licensing Requirements . . . . . 35
    Disconnected Mode . . . . . 35
    Managing a Mixed License Type Environment . . . . . 36
    To employ available concurrent user licenses to be used offline . . . . . 37
  Selecting Optional Password Manager Service Features . . . . . 37
    Account Self-Service . . . . . 38
    Data Integrity . . . . . 39
    Key Management . . . . . 39
    Provisioning . . . . . 40
    Credential Synchronization (Account Association) . . . . . 41
  Password Manager Agent Software Deployment Scenarios . . . . . 41
    XenApp Considerations . . . . . 42
  Guidelines for Multiple Primary Authentication and User Credential Protection Choices . . . . . 42
    Data Protection Methods Page . . . . . 42
    Secondary Data Protection Page . . . . . 43
    Security Versus Usability . . . . . 43
    User Impersonation . . . . . 43
    User Name and Password . . . . . 44
    Smart Cards with Certificates and User Authentication Data . . . . . 44
    Smart Cards with PINs . . . . . 45
    Roaming Profiles (Microsoft DPAPI) . . . . . 46
    Blank Passwords . . . . . 47

3 Installing Password Manager . . . . . 49
  Summary of Installation Steps . . . . . 49
  Hardware and Software Requirements . . . . . 50
    Supporting System Software Requirements . . . . . 50
    Password Manager Software Requirements . . . . . 50
    ASP.NET Requirements . . . . . 53
  Security and Account Requirements for Password Manager Service . . . . . 53
    Server Authentication Certificate Requirement . . . . . 53
    Accounts Required for Service Modules . . . . . 54
  Account Requirements to Install and Use Password Manager . . . . . 56
    Installing and Using Password Manager Service . . . . . 56
    Installing and Using Password Manager Console and Application Definition Tool . . . . . 56
    Installing and Using the Password Manager Agent Software . . . . . 57
  Installing the Microsoft .NET 2.0 Framework . . . . . 57
    Installing .NET 2.0 Side By Side with .NET 1.1 . . . . . 57
    To install Microsoft .NET 2.0 . . . . . 58
  Installing the Java Runtime Environment . . . . . 58
    If You Install or Upgrade the JRE after Installing the Console, Application Definition Tool, or Agent Software . . . . . 59
    To associate the JRE with Password Manager . . . . . 59
    Troubleshooting a Java-Related Error Message When Installing or Uninstalling the Agent Software . . . . . 59
  Licensing Requirements . . . . . 60
  Before You Install Password Manager . . . . . 60
    Installation Order . . . . . 60
    Where Can I Install Each Password Manager Component? . . . . . 61
  Creating a Central Store . . . . . 62
    To create an NTFS network share central store . . . . . 62
    To create a Novell shared folder central store . . . . . 63
    To create an Active Directory central store . . . . . 63
  Optional - Creating a Central Store from a Command Prompt . . . . . 65
    Creating an Active Directory Central Store from a Command Prompt . . . . . 65
    Creating an NTFS Network Share Central Store from a Command Prompt . . . . . 67
    Creating a Novell Shared Folder Central Store from a Command Prompt . . . . . 68
  Installing and Configuring the Password Manager Service . . . . . 69
    To install the service modules . . . . . 70
    To configure the Password Manager Service(s) with the Service Configuration wizard . . . . . 71
    Password Manager Service Port Number . . . . . 73
  Installing and Configuring the Password Manager Console . . . . . 74
    To install the Password Manager Console . . . . . 74
    To configure the Password Manager Console . . . . . 75
  Installing and Configuring the Password Manager Agent Software . . . . . 76
    Installation Scenarios . . . . . 77
  Configuring and Using the Multi-Domain Service Feature . . . . . 84
    Requirements . . . . . 84
    Task Summary . . . . . 85
    To configure the service for multidomain use . . . . . 85

4 Upgrading Password Manager . . . . . 87
  Supported Upgrade Paths . . . . . 87
  Summary of Upgrade Steps . . . . . 87
  Before You Upgrade Password Manager . . . . . 88
    Using Autorun . . . . . 89
    Upgrade Order . . . . . 89
    Backing Up Service Data Prior to Upgrading . . . . . 90
    Backing Up the Process.xml File (Hot Desktop Environments Only) . . . . . 90
    Backing Up Your Existing Central Store . . . . . 90
    Upgraded Policies, Application Definitions, Questions/Questionnaires, and User Configurations . . . . . 91
    Microsoft .NET Versions 1.1 and 2.0 . . . . . 91
  Step 1 - Upgrading the Password Manager Service . . . . . 92
    To upgrade the Password Manager Service . . . . . 92
  Step 2 - Upgrading the Password Manager Console . . . . . 93
    To upgrade the Password Manager Console . . . . . 94
  Step 3 - Upgrading the Password Manager Agent Software . . . . . 95
    To upgrade the Password Manager Agent Software on a local device . . . . . 96

1 Welcome

Citrix Password Manager provides password security and single sign-on access to Windows, Web, and terminal emulator applications running in the Citrix environment as well as applications running on the desktop. Users authenticate once and Password Manager does the rest, automatically logging on to password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks, including password changes.

This document, the Citrix Password Manager Installation Guide, presents the information you need to plan and carry out the installation of Password Manager 4.6 with Service Pack 1 or the upgrade of your existing version of Password Manager to Password Manager 4.6 with Service Pack 1.

Password Manager Product Line

Password Manager is available in two editions:

• Password Manager Advanced Edition

• Password Manager Enterprise Edition

In addition, Citrix XenApp 5.0, Platinum Edition, includes a feature comparable to Password Manager Enterprise Edition called Single Sign-on Powered by Password Manager.

Password Manager Advanced Edition

The Advanced Edition of Password Manager increases your organization’s security with:

• Strong password policy options

• Automated password generation

• Automatically started Password Change Wizard option

• Password encryption while in memory, storage, and transmission


• Password expiration options for applications lacking that capability

The Advanced Edition also works well with other programs, simplifying how users store their logon information and how you maintain that process and information.

Password Manager Enterprise Edition

The Enterprise Edition of Password Manager is designed for the most demanding and complex enterprise environments. The Enterprise Edition:

• Provides additional security, user self-service, and on-site user mobility features and performance

• Reduces calls to the help desk through user self-service features that enable users to change their own Windows password and unlock their account

• Allows on-site mobile workers to quickly access information with Hot Desktop, which facilitates fast user switching at shared workstations

• Includes enterprise security features such as integration with smart cards, Kerberos, and Federated Environment Support (ADFS and SAML)

Finding Documentation

Welcome to Citrix Password Manager, sometimes referred to as Password_Manager_Read_Me_First.html, is included on the installation media and contains links to documents that help get you started. It also contains links to the most up-to-date product documentation and to related technologies. You can access this document from Autorun by clicking Step 1: View installation checklist and other documentation.

The Citrix Knowledge Center Web site, http://support.citrix.com, contains links to all product documentation, organized by product. Select the product you want to access and then click the Documentation tab from the product information page.

Known issues information is included in the product readme.

To provide feedback about the documentation, click the Article Feedback link located on the right side of the product documentation page.

Documentation Conventions

For consistency, Windows Vista and Windows Server 2008 terminology is used throughout the documentation set; for example, “Documents” rather than “My Documents” and “Computer” rather than “My Computer” are used.


Password Manager documentation uses the following typographic conventions.

Convention          Meaning
Boldface            Commands, names of interface items such as text boxes, option buttons, and user input.
Italics             Placeholders for information you provide. For example, filename means you type the actual name of a file. Italics are also used for new terms and titles of books.
Monospace           Text displayed in a text file.
{braces}            In a command, a series of items, one of which is required. For example, {yes | no} means you must type yes or no. Do not type the braces themselves.
[ brackets ]        In a command, optional items. For example, [/ping] means you can type /ping with the command. Do not type the brackets themselves.
| (vertical bar)    In a command, a separator between items in braces or brackets. For example, { /hold | /release | /delete } means you must type /hold or /release or /delete.
... (ellipsis)      The previous item(s) in the command can be repeated. For example, /route:devicename[,…] means you can type additional devicenames separated by commas.

Getting Support and Training

The Citrix Knowledge Center (http://support.citrix.com) offers a variety of technical support services, tools, and developer resources.

Information about Citrix training is available at http://www.citrix.com/edu/.

2 Planning Your Password Manager Environment

This section contains information to help you plan your Password Manager environment and help you decide how to implement Password Manager.

Password Manager Components

The following sections briefly describe the main components of Password Manager.

• The central store. The central store is a centralized repository used by Password Manager to store and manage user and administrative data. User data includes user credentials, security question answers, and other user-focused data. Administrative data includes password policies, application definitions, security questions, and other wider-ranging data. When a user signs on, Password Manager compares the user’s credentials to those stored in the central store. As the user opens password-protected applications or Web pages, the most up-to-date credentials are drawn from the central store.

• Password Manager Console. The Password Manager Console is the command center of Password Manager. From the console, you manage the users’ Password Manager experience. Here, you configure how Password Manager works, which features you deploy, which security measures you use, and other important password-related settings.

The console has four main items, or nodes, in the left pane. When you select a node, the tasks specific to that node appear. These nodes are:

  • User Configurations, which allow you to tailor particular settings for your users based on their geographic locations or business roles. The settings of the other three nodes are used to create user configurations.

  • Application Definitions, which provide the information necessary to supply user credentials to applications, and to detect error conditions if they occur. You can use the application definition templates supplied with Password Manager to speed this process, or create your own customized definitions for applications that cannot use these templates. Additional templates are located at http://www.citrix.com/passwordmanager/gettingstarted.

  • Password Policies, which control password length and the type and variety of characters used in both user-defined and automatically generated passwords. Password policies also allow you to identify characters to exclude from use in passwords and whether or not previous passwords can be reused. Creating password policies consistent with your company’s security policies ensures that password security is appropriately managed by Password Manager.

  • Identity Verification, which uses the security questions you create to provide an added layer of security by protecting against user impersonation, unauthorized password changes, and unauthorized account unlocking. Users who enroll and answer your security questions can then verify their identity by providing the same answers when challenged. Once verified, the users can perform self-service tasks on their account, such as resetting their primary password or unlocking their user account. The security questions can also be used for key recovery.

A limited version of the console, the Application Definition Tool, is also provided with Password Manager. Install this tool to enable others to create application definitions without needing access to the full console and the more sensitive features available there, such as password policies and security questions.

• Password Manager agent software. The Password Manager agent software submits the appropriate credentials to the applications running on the user’s client device, enforces password policies, provides self-service functionality, and enables users to manage their credentials with the Logon Manager.

• The Password Manager Service. The Password Manager Service runs on a Web server that provides the foundation for optional features included in this release. Install the Password Manager Service if you plan to implement at least one of the following modules:

  • Self-Service, which allows users to reset their Windows passwords and unlock their Windows accounts

  • Data Integrity, which protects data from being compromised while in transit from the central store to the agent software

  • Key Management, which provides users with the capability to recover their secondary credentials when their primary password changes, either with automatic key recovery or after answering security questions with question-based authentication

  • Provisioning, which allows you to use the console to add, remove, or update Password Manager user data and credential information

  • Credential Synchronization, which synchronizes user credentials among domains using a Web service
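The copyright-page notice and the Key Management module above both describe the same idea: a user’s secondary credentials stay encrypted under a per-user key, that key is re-issued or recovered when the primary password changes, and question-based authentication is the recovery path that the service cannot walk on its own. The following is an added, constructed illustration of that key hierarchy; it is not Citrix code, and the record layout, class names and the HMAC-based stand-in cipher are this example’s own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed illustration of the key hierarchy the security notice and the
# Key Management summary describe. Not Citrix's code or storage format.
# Secondary credentials are encrypted once under a random per-user data key.
# The data key is wrapped under a key derived from the primary password and,
# if the user enrolled, under a key derived from security-question answers.
# A primary password change therefore re-wraps the data key only.
# seal/unseal use an HMAC-SHA256 keystream plus an HMAC tag as a stdlib
# stand-in for an authenticated cipher such as AES-GCM.


def derive_key(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from one wrapping key.
    return (hmac.new(key, b"enc", "sha256").digest(),
            hmac.new(key, b"mac", "sha256").digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key looks the same as tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def _normalize(answers: List[str]) -> str:
    # Trim and lower-case answers so "Boston " and "boston" both verify.
    return "\x1f".join(a.strip().lower() for a in answers)


class UserKeyRecord:
    """Per-user data a central store would hold (constructed layout)."""

    def __init__(self, primary_password: str, secondary_credentials: bytes,
                 security_answers: Optional[List[str]] = None) -> None:
        data_key = secrets.token_bytes(32)  # lives in memory only, never stored
        self.secrets_blob = seal(data_key, secondary_credentials)
        self.primary_salt = secrets.token_bytes(16)
        self.primary_wrap = seal(derive_key(primary_password, self.primary_salt), data_key)
        self.recovery_salt = secrets.token_bytes(16)
        # Question-based recovery: the store keeps the wrap but never the
        # answers, so nobody with store access alone can open it. An escrow
        # wrap the service itself can open (automatic recovery) is the case
        # the notice warns about, because access to the user's session or to
        # the service is then enough to reach the data key.
        self.recovery_wrap = (
            seal(derive_key(_normalize(security_answers), self.recovery_salt), data_key)
            if security_answers else None)

    def unlock(self, primary_password: str) -> bytes:
        data_key = unseal(derive_key(primary_password, self.primary_salt), self.primary_wrap)
        return unseal(data_key, self.secrets_blob)

    def change_primary_password(self, old_password: str, new_password: str) -> None:
        """Normal password change: unwrap with the old key, re-wrap with the new."""
        data_key = unseal(derive_key(old_password, self.primary_salt), self.primary_wrap)
        self._rewrap(data_key, new_password)

    def recover_after_reset(self, security_answers: List[str], new_password: str) -> None:
        """Primary password was reset elsewhere: recover the data key via answers."""
        if self.recovery_wrap is None:
            raise ValueError("user is not enrolled for question-based key recovery")
        key = derive_key(_normalize(security_answers), self.recovery_salt)
        self._rewrap(unseal(key, self.recovery_wrap), new_password)

    def _rewrap(self, data_key: bytes, new_password: str) -> None:
        # secrets_blob is untouched: only the wrapping of the data key changes.
        self.primary_salt = secrets.token_bytes(16)
        self.primary_wrap = seal(derive_key(new_password, self.primary_salt), data_key)
```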

Related topics:

“Planning Your Password Manager Environment” on page 11

“Installing Password Manager” on page 49
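The Password Policies node described above controls length, the type and variety of characters, characters to exclude, and whether previous passwords may be reused. As an added example (this example’s own code, not Citrix’s policy format), here is a checker and generator with exactly those knobs; the field names, the sample policy values and the history hashing are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import List, Tuple

# Constructed illustration of the controls the Password Policies node is
# described as exposing: length, number of characters of each type, characters
# an application cannot accept, and reuse of previous passwords. Field names
# and values are this example's own, not Citrix's policy format.


class PasswordHistory:
    """Previous passwords kept only as salted PBKDF2 hashes, newest first."""

    def __init__(self) -> None:
        self._entries: List[Tuple[bytes, bytes]] = []

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)

    def add(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.insert(0, (salt, self._digest(salt, password)))

    def contains(self, password: str, depth: int) -> bool:
        """True if the password matches any of the most recent `depth` entries."""
        return any(hmac.compare_digest(self._digest(salt, password), digest)
                   for salt, digest in self._entries[:depth])


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 20
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    excluded: str = ""       # characters the target application will not accept
    history_depth: int = 5   # how many previous passwords may not be reused

    def allowed(self, chars: str) -> str:
        """Remove excluded characters from a candidate character set."""
        return "".join(c for c in chars if c not in self.excluded)

    def class_requirements(self) -> List[Tuple[str, int]]:
        return [
            (self.allowed(string.ascii_lowercase), self.min_lower),
            (self.allowed(string.ascii_uppercase), self.min_upper),
            (self.allowed(string.digits), self.min_digits),
            (self.allowed(string.punctuation), self.min_symbols),
        ]

    def violations(self, password: str, history: PasswordHistory) -> List[str]:
        """Every rule the password breaks; an empty list means it complies."""
        problems = []
        n = len(password)
        if not self.min_length <= n <= self.max_length:
            problems.append(f"length {n} not in {self.min_length}..{self.max_length}")
        counts = {
            "lowercase": sum(c.islower() for c in password),
            "uppercase": sum(c.isupper() for c in password),
            "digit": sum(c.isdigit() for c in password),
            "symbol": sum(c in string.punctuation for c in password),
        }
        needed = {"lowercase": self.min_lower, "uppercase": self.min_upper,
                  "digit": self.min_digits, "symbol": self.min_symbols}
        for kind, need in needed.items():
            if counts[kind] < need:
                problems.append(f"needs at least {need} {kind} character(s)")
        bad = "".join(sorted({c for c in password if c in self.excluded}))
        if bad:
            problems.append(f"contains excluded character(s): {bad}")
        if history.contains(password, self.history_depth):
            problems.append(f"reuses one of the last {self.history_depth} passwords")
        return problems


def generate_password(policy: PasswordPolicy, history: PasswordHistory) -> str:
    """Automatically generate a password that satisfies the policy."""
    classes = policy.class_requirements()
    required = sum(need for _, need in classes)
    if required > policy.max_length:
        raise ValueError("per-class minimums exceed the maximum length")
    if any(need and not chars for chars, need in classes):
        raise ValueError("exclusions leave no characters for a required class")
    pool = "".join(chars for chars, _ in classes)
    if not pool:
        raise ValueError("exclusions leave no characters at all")
    rng = secrets.SystemRandom()  # OS-entropy backed; provides shuffle()
    for _ in range(100):  # retry only if the history check rejects a candidate
        chosen = [secrets.choice(chars) for chars, need in classes for _ in range(need)]
        target = rng.randint(max(policy.min_length, required), policy.max_length)
        chosen += [secrets.choice(pool) for _ in range(target - len(chosen))]
        rng.shuffle(chosen)
        candidate = "".join(chosen)
        if not policy.violations(candidate, history):
            return candidate
    raise RuntimeError("could not generate a compliant password")
```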

Planning Workflow Diagram

Getting Started

A Password Manager environment can include the following:

• Shared network folders or Active Directory containing the central store

• One or more computers running the Password Manager Console

• User computers running the Password Manager agent software

• A dedicated server hosting the Password Manager Service with one or more feature modules installed on it

• Citrix XenApp environment hosting the Password Manager agent software

• Authentication devices such as smart cards

• Password Manager features such as Hot Desktop and key management

After you have your Password Manager plan, you can start implementing it in your environment. The following table shows what you need to do to get started using Password Manager.

Task / See this section

1. Research features that you might implement in your environment.

• Citrix Password Manager Administrator’s Guide

• “User Authentication and Identity Verification” in the Citrix Password Manager Administrator’s Guide

• “Managing Question-Based Authentication” in the Citrix Password Manager Administrator’s Guide

• “Allowing Users to Manage Their Primary Credentials with Account Self-Service” in the Citrix Password Manager Administrator’s Guide

• “Using Provisioning to Automate Credential Entry” in the Citrix Password Manager Administrator’s Guide

• “Hot Desktop: A Shared Desktop Environment for Users” in the Citrix Password Manager Administrator’s Guide

2. Create a central store and install the Password Manager components with optional features, or upgrade an existing deployment of Password Manager.

• “Which Central Store Type Should I Choose?” on page 15

• “Installing Password Manager” on page 49

• “Upgrading Password Manager” on page 87

3. Create, edit, or review your password policies.

• “What about Password Policies for Application Access?” on page 22

• Citrix Password Manager Administrator’s Guide

4. Create or edit your application definitions.

• “Which Type of SSO-Enabled Applications Are Used in My Enterprise?” on page 26

• “Using Password Policies to Enforce Password Requirements” in the Citrix Password Manager Administrator’s Guide

5. Create user configurations based on your enterprise requirements.

• “Planning Your User Configurations” on page 32

• “Creating User Configurations” in the Citrix Password Manager Administrator’s Guide

6. Install the agent software on user desktops or a XenApp server.

• “Password Manager Agent Software Deployment Scenarios” on page 41

• “Installing and Configuring the Password Manager Agent Software” on page 76

7. Notify your users that Password Manager can help securely store their application credentials.

• Your enterprise’s standard operating procedures or IT policy manual.

Which Central Store Type Should I Choose?

Note: You can create a central store automatically as part of the Password Manager installation process or manually by using the central store setup utilities. See “Creating a Central Store” on page 62 and “Optional - Creating a Central Store from a Command Prompt” on page 65.

Password Manager uses a repository known as the central store to store and retrieve information about your users and your environment. Password Manager relies on the data in the central store to perform all default and configured single sign-on functions.

The central store contains user data and administrative data:

• User data in the central store includes user secondary credentials, security questions and answers, service-related data (for example, provisioned data, question-based authentication data, key recovery enrollment, and so on), and user Windows registry data associated with Password Manager

• Administrative data in the central store includes application definitions, password policies, security questions, and other settings made through the console for Password Manager features and components

The central store enables the agent software, running on a user computer or on a computer running Citrix XenApp, to communicate with the central store and services and to provide user credentials to the applications to which the user is granted access.

The agent software maintains a local store on the user computer. The local store contains only the user’s secondary credentials, key recovery information, and security questions and answers (if applicable). It synchronizes with the central store to allow users to roam throughout the enterprise and always have access to saved user credentials.

The central store can be one of the following types:

• Active Directory

The central store uses the Active Directory environment and objects to store and update Password Manager data.

See “Choosing an Active Directory Central Store” on page 17.

• NTFS network share

The central store uses a Windows network file share to store the Password Manager data. See “Choosing an NTFS Network Share” on page 18.

• Novell shared folder

The central store uses a Novell NetWare shared folder to store the Password Manager data.

See “Choosing a Novell Shared Folder” on page 19.

Note: Citrix Password Manager allows you to migrate users from one central store type to another if you later decide that one type is more suitable than the current one used in your environment. See “Moving Data to a Different Central Store” in the Citrix Password Manager Administrator’s Guide.

Note: If your enterprise forest contains multiple domains, see “Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise” on page 20.

Also see “Specifying Domain Controllers for User Configurations” in the Citrix Password Manager Administrator’s Guide for information about user configurations in multiple domain controller environments.


Choosing an Active Directory Central Store

Choosing to use Active Directory as your central store enables you to leverage the convenience of your existing Active Directory user authentication and object administration. For example, you can apply user-specific settings to any level in a domain—domain, organizational unit, group, or user.

Two new classes and two attributes are added to the Active Directory schema when you create an Active Directory central store:

Class / Description

citrix-SSOConfig: Describes the object containing data for the agent software settings, synchronization state, the application definitions, and the first-time agent software use behavior. This class includes the following attributes:

• citrix-SSOConfigData - contains the actual data

• citrix-SSOConfigType - specifies the data type

citrix-SSOSecret: Describes the secret data object used to authenticate a Password Manager user. This class includes the following attribute:

• citrix-SSOSecretData - contains encrypted credential data for an application and Account Self-Service password reset data

Note: See the CitrixMPMSchema.xml file in the \Tools folder on the Password Manager installation media for more information about these classes and attributes.

In general, choose Active Directory as your central store if you:

• Can successfully extend your Active Directory schema without affecting your enterprise

• Already implement best practices for Active Directory backup and restore as recommended by Microsoft (although this is not a requirement)

• Prefer the high availability that is built in to Active Directory to be extended to the central store data

Advantages of an Active Directory Central Store

• Active Directory includes built-in failover and redundancy, so additional measures for disaster recovery are not needed

• Active Directory replication helps to distribute central store administrative and user data across your enterprise

• No additional hardware is needed when using an Active Directory central store

Active Directory Central Store Considerations

• You must extend your schema when using an Active Directory central store, which requires careful planning and implementation. Extending the schema affects the entire forest.

• You might want to extend the schema and create your Active Directory central store during non-peak usage hours. Your Active Directory replication cycle latency affects how quickly these changes are copied to all domain controllers in the forest.

• Inter-site replication of central store data across large enterprises using WANs requires you to configure replication correctly to reduce latency. (However, intra-site replication typically introduces less latency.)

Choosing an NTFS Network Share

Important: Use a hidden share for the central store in this case.

Choosing to use an NTFS network share as your central store enables you to leverage the convenience of your existing Active Directory user authentication and tree structure without having to extend the Active Directory schema. For example, you can apply user-specific settings to any level in a domain—domain, organizational unit, group, or user.

Password Manager creates a shared folder named CITRIXSYNC with two subfolders named People and CentralStoreRoot.

The People folder contains a subfolder for each user and includes the appropriate read and write permission properties for the user. The CentralStoreRoot folder contains administrative data.

Advantages of an NTFS Network Share

• You can emulate the look and feel of an Active Directory central store without having to extend your Active Directory schema. Yet you can take advantage of your existing Active Directory hierarchy or groups.

Note: Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.


• User data is always up-to-date, because it is stored in a central location and avoids any data replication latency associated with Active Directory.

• You can load balance your shares among multiple computers that can each host an NTFS network share for higher availability.

• An NTFS network share helps reduce the authentication workload on your Active Directory environment.

• Password Manager enables you to migrate your NTFS shared folder central store to an Active Directory central store if you decide later to implement an Active Directory central store.

NTFS Network Share Considerations

• You might need additional hardware to host the central store.

• You need to back up central store files and folders (including their related permissions) regularly. Ensure that you also maintain and implement disaster recovery plans where you replicate files and folders for site recovery.

• Your enterprise network topology might require users (and the Password Manager agent software) to transfer user data across one or more WAN links. In this case, consider implementing the Distributed File System technology included as part of Microsoft Windows Server 2000, 2003, and 2008. The Microsoft Web site http://support.microsoft.com describes the Distributed File System technology in more detail.

Choosing a Novell Shared Folder

Important: Password Manager services are not supported in Password Manager environments using Novell NetWare shared folders.

Choosing to use a Novell NetWare shared folder as your central store enables you to leverage the convenience of your existing Novell NetWare directory services. Using this central store type is similar to using an NTFS network share.

Configure a secured network folder in eDirectory to store all data associated with your Password Manager environment. Applications and settings can be defined and assigned at the domain level.

Advantages of a Novell Shared Folder

• You are already implementing Novell NetWare directory services

• You can choose to use an existing secure shared folder as the central store


Novell Shared Folder Considerations

• This central store type does not support associating user configurations with Active Directory groups.

• If you use a Novell NetWare shared folder, your users’ Novell password must be identical to their Windows password. This requirement includes environments running Novell ZENworks for Desktops with Windows Dynamic Local User support configured on your Novell Directory Server and with Novell Workstation Manager on each computer that runs the Password Manager agent software.

• Because the agent uses a Windows password, the use of Novell NetWare file synchronization requires that users’ Novell password be identical to their Windows passwords.

• The central store must be located in the same tree as the computers on which the agent software is installed. Users must log on to a Novell tree where the shared folder is located. Users must also have accounts with read access permissions to the Novell NetWare shared folder you designate as the central store.

• Password Manager services are not supported in Password Manager environments using Novell NetWare shared folders.

Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise

Note: See “Synchronizing Credentials by Using Account Association” in the Citrix Password Manager Administrator’s Guide to configure Account Association.

Administrators can create multiple central stores in enterprises that contain multiple domains. In fact, you can use more than one type of central store in these environments. For example, you can associate user configurations with an NTFS network share central store in one domain and an Active Directory central store in another domain.

Because companies might maintain multiple Windows domains, users might also have more than one Windows account. Password Manager includes a feature known as Account Association to allow a user to log on to any application from one or more Windows accounts. Because Password Manager typically binds user credentials to a single account, the credential information is not synchronized automatically among multiple accounts that a user owns.


However, administrators can configure Account Association to synchronize user credentials by using the Credential Synchronization Module. Users with Account Association configured have access to all applications from any of their accounts in their Password Manager environment. When user credentials are changed, added, or removed from one account, the credentials are synchronized automatically with each of the user’s associated accounts.

Without Account Association, users with multiple Windows accounts are forced to manually change their logon information separately from each Windows account.

Advantages of Using Account Association

• Account Association can help increase productivity and reduce support calls by synchronizing user credentials to help reduce logon maintenance or failures.

• Accounts can be synchronized across different central store types. That is, a user account configured to use Active Directory as the central store can synchronize with an associated user account that is configured to use an NTFS network share.

• Accounts can also be synchronized across different user configuration associations. For example, a user configuration can be associated with an Active Directory hierarchy (OU or user) in one domain and associated with an Active Directory group in another domain.

• Accounts can also be synchronized across different user configuration associations in the same domain and within the same central store.

• Trust relationships between domain controllers are not necessary to use Account Association.

Account Association Considerations

Consider the following before configuring Account Association:

• Account Association is not compatible with smart cards when smart cards are used as the primary authentication mechanism to log on to Windows.

Note: The user configuration in each domain might have different password policies that might block access to a resource, but Account Association synchronizes user credentials only, not user configuration policies. Consider how you compose password policies in your enterprise.

• Each associated domain account must use Citrix Password Manager.


• Application definition names must be the same in each user configuration for the Account Association feature to synchronize credentials.

• User credentials are shared only for applications specified in application definitions created by the Password Manager administrator.

• As part of the Password Manager Service, the Credential Synchronization Module is a Web service available through a secure HTTP connection, so this module must be accessible from all computers in your enterprise using Account Association.

What about Password Policies for Application Access?

Password policies are rules that control how passwords are created, submitted, and managed. The Password Manager installation includes two standard password policies named Default and Domain, which cannot be deleted. You can copy these policies and make modifications to suit your enterprise policies and regulations.

Related topics:

“Default Settings for the Default and Domain Password Policies” on page 24

Default Password Policy

Password Manager applies the Default policy to password-enabled applications used in your enterprise (except for those that require user domain credentials). This policy is applied to any application that is not defined by an administrator (by using the application definition feature in the console) or any application that is not part of an application group.

When a user adds credentials to the Logon Manager for an application that does not have a corresponding application definition, Password Manager applies the Default policy to manage that application.

Domain Password Policy

Typically, an administrator creates an application group and selects the Domain policy to be applied to the applications in that group. Password Manager then applies the Domain policy to those applications that require the user’s domain credentials for access. The Domain policy can be modified or copied to reflect your enterprise’s Active Directory or NT domain policies for user accounts.

If you want an application group to be treated as a domain password sharing group, you must apply the Domain policy to that application group.


Note: An application group is a collection of defined applications associated with one or more user configurations, including the policy to manage the applications.

Custom Password Policies

Important: When creating a custom password policy or modifying existing policies, ensure that your enterprise requirements and application requirements match. For example, if you create a policy that does not at least match an application’s requirements, your users might not be able to authenticate to that application.

You can create password policies as needed: you can apply one policy for your domain sharing group, create individual policies to apply to individual groups of applications to secure them further, and so on.

In general, password policies can specify restrictions such as the following:

• A minimum and maximum number of characters for a password

• Alphabetical and numerical character usage

• Number of times a character can be repeated

• Which characters or special characters are excluded or required

• Whether or not users can view their stored passwords

• How many times users can try entering their password correctly

• Password expiration parameters

• Password history and password exceptions
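The restrictions just listed are easy to get wrong when you write a custom policy, so here is an added example, not Citrix code, of a checker that applies them. DEFAULT_POLICY carries the as-installed values from the table “Default Settings for the Default and Domain Password Policies” later in this chapter; STRICT_POLICY shows a custom policy made the way this chapter suggests, by copying the Default policy and tightening it. The names (PasswordPolicy, violations, classify, STRICT_POLICY) and the sample passwords are this example's own, and the “Password can begin/end with ...” rules, all Yes as installed, are left out.

```python
"""Password policy checker modelled on the Password Manager policy rules.

Added example, not Citrix code. DEFAULT_POLICY holds the as-installed values
from the "Default Settings for the Default and Domain Password Policies"
table; the "Password can begin/end with ..." rules (all Yes) are omitted.
"""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 20
    max_char_occurrences: int = 6          # same character anywhere in the password
    max_sequential_repeat: int = 4         # same character in a row
    # per character class: (allowed, minimum required, maximum allowed)
    class_rules: dict = field(default_factory=lambda: {
        "lowercase": (True, 0, 20), "uppercase": (True, 0, 20),
        "numeric": (True, 0, 20), "special": (False, 0, 20)})
    special_chars: str = "!@#$^&*()_+=[]\\|,?"   # "Allow special characters list"
    excluded_chars: str = ""               # "Exclude the following list ..." (optional)
    disallow_app_user_name: bool = False
    disallow_app_user_name_portions: bool = False
    disallow_windows_user_name: bool = False
    disallow_windows_user_name_portions: bool = False
    portion_length: int = 3                # "Number of characters in portions"
    disallow_previous_password: bool = False
    passwords_remembered: int = 1


DEFAULT_POLICY = PasswordPolicy()          # Default and Domain policies share these values

# A custom policy made the way the text suggests: copy the Default policy, then tighten it.
STRICT_POLICY = replace(
    DEFAULT_POLICY, min_length=12,
    class_rules={"lowercase": (True, 1, 20), "uppercase": (True, 1, 20),
                 "numeric": (True, 1, 20), "special": (True, 1, 20)},
    disallow_app_user_name_portions=True, disallow_windows_user_name=True,
    disallow_previous_password=True, passwords_remembered=5)


def classify(ch, policy):
    """Character class of ch under the policy; "other" is never allowed."""
    if ch.islower():
        return "lowercase"
    if ch.isupper():
        return "uppercase"
    if ch.isdigit():
        return "numeric"
    return "special" if ch in policy.special_chars else "other"


def _portions(name, n):
    """All n-character slices of a user name, lowercased for comparison."""
    name = name.lower()
    return {name[i:i + n] for i in range(len(name) - n + 1)}


def violations(password, policy=DEFAULT_POLICY, app_user_name="",
               windows_user_name="", previous_passwords=()):
    """List the rules the password breaks; an empty list means it is accepted."""
    found = []
    if len(password) < policy.min_length:
        found.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        found.append(f"longer than {policy.max_length} characters")
    if password and max(password.count(c) for c in set(password)) > policy.max_char_occurrences:
        found.append(f"a character occurs more than {policy.max_char_occurrences} times")
    run = longest = 1
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    if longest > policy.max_sequential_repeat:
        found.append(f"a character repeats more than {policy.max_sequential_repeat} times in a row")
    classes = [classify(c, policy) for c in password]
    if "other" in classes:
        found.append("contains characters outside the allowed character classes")
    for cls, (allowed, lo, hi) in policy.class_rules.items():
        count = classes.count(cls)
        if count and not allowed:
            found.append(f"{cls} characters are not allowed")
        elif count < lo:
            found.append(f"needs at least {lo} {cls} character(s)")
        elif count > hi:
            found.append(f"more than {hi} {cls} characters")
    excluded = sorted(set(password) & set(policy.excluded_chars))
    if excluded:
        found.append("contains excluded characters: " + "".join(excluded))
    lowered = password.lower()
    for label, name, whole, parts in (
            ("application", app_user_name, policy.disallow_app_user_name,
             policy.disallow_app_user_name_portions),
            ("Windows", windows_user_name, policy.disallow_windows_user_name,
             policy.disallow_windows_user_name_portions)):
        if name and whole and name.lower() in lowered:
            found.append(f"contains the {label} user name")
        elif name and parts and any(p in lowered for p in _portions(name, policy.portion_length)):
            found.append(f"contains part of the {label} user name")
    remembered = list(previous_passwords)[-policy.passwords_remembered:] if policy.passwords_remembered else []
    if policy.disallow_previous_password and password in remembered:
        found.append("matches a previously used password")
    return found
```

Every check contributes its own message instead of stopping at the first failure, which is what a help desk needs when a user asks why a password was refused. It also makes the Custom Password Policies warning concrete: under DEFAULT_POLICY a password with a special character is refused outright, so an application that requires one can never be enrolled until the policy is copied and changed, as STRICT_POLICY does.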

Password Policy Considerations

• Consider your security requirements in the context of ease-of-use for your users. Overly restrictive passwords might be hard for users to create, implement, or recall.

• Because Password Manager is secure by design, the Default password policy defines the minimum level of password security recommended by Citrix for securing most single sign-on enabled applications. You can modify these settings according to your enterprise policies and regulations.


• Because Password Manager applies the Default password policy to user-added applications, ensure that you configure the Default policy to be as broad as needed to accept passwords for those applications for which you allow passwords to be stored.

• When users change their passwords, Password Manager can be configured through a user configuration setting to check the old password against the new password. This helps prevent users from reusing passwords for the same application twice in a row.

• Users might have a single password that is used for multiple applications (in a suite of products, for example). This scheme is known as password sharing, where the same authentication authority is used for the applications.

While the other credentials for those applications (such as user name and custom fields) might be different, the user’s password is the same. In this case, create an application group that is a password sharing group to ensure that the agent software manages the password for all applications in the group as a single entity. When the password is changed in one of the applications, the agent software ensures that the password change is reflected in the stored credentials for all applications in the group.

• Domain password sharing groups differ from other password sharing groups because the user’s domain password is used as the master password for the application group. When the user changes the domain password, the agent software ensures that the change is reflected in the credentials for all other applications in the group. Only the domain password can be changed; users cannot initiate password changes on any of the other applications in the group unless the administrator removes the application from the domain password sharing group.
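As an added illustration of the two propagation rules just described, together with the Account Association rule earlier in this chapter that credentials synchronize only between application definitions with the same name, the following Python model is this example's own code, not Citrix's. The Account and SharingGroup classes, change_password, synchronize, the DOMAIN_LOGON name, and the CORP\jsmith and LAB\jsmith accounts with their applications are all constructed for the example.

```python
"""Model of password sharing groups and Account Association.

Added example, not Citrix code: all names and sample data are constructed.
"""
from dataclasses import dataclass, field

DOMAIN_LOGON = "Windows domain logon"   # constructed name for the user's domain credential


@dataclass
class SharingGroup:
    applications: frozenset                # application definition names in the group
    domain_password_group: bool = False    # Domain policy applied: domain password is the master


@dataclass
class Account:
    name: str                              # one Windows account, e.g. "CORP\\jsmith"
    app_definitions: frozenset             # definitions in this account's user configuration
    credentials: dict = field(default_factory=dict)   # application -> stored password


def change_password(account, groups, app, new_password):
    """Apply a password change the agent observed in `app`; return the applications
    whose stored password was updated.

    Ordinary sharing group: every member receives the new password.
    Domain password sharing group: only a change of the domain password propagates;
    a change attempted on any other member is refused, as the text describes."""
    group = next((g for g in groups if app in g.applications), None)
    if group is None:
        account.credentials[app] = new_password
        return [app]
    if group.domain_password_group and app != DOMAIN_LOGON:
        raise PermissionError(f"{app} uses the domain password; change the domain password instead")
    for member in group.applications:
        account.credentials[member] = new_password
    return sorted(group.applications)


def is_refused(account, groups, app, new_password):
    """True when the agent refuses the change (non-domain member of a domain group)."""
    try:
        change_password(account, groups, app, new_password)
        return False
    except PermissionError:
        return True


def synchronize(source, associated):
    """Account Association: copy source's credentials to each associated account,
    but only for application definitions that exist under the same name in the
    target's user configuration. Returns what was synchronized per account."""
    report = {}
    for target in associated:
        shared = sorted(set(source.credentials) & target.app_definitions)
        for app in shared:
            target.credentials[app] = source.credentials[app]
        report[target.name] = shared
    return report


def sample_environment():
    """Constructed sample: one user with two Windows accounts in different domains."""
    groups = [
        SharingGroup(frozenset({"SAP GUI", "SAP Portal"})),      # same authentication authority
        SharingGroup(frozenset({DOMAIN_LOGON, "Outlook", "Intranet"}), domain_password_group=True),
    ]
    corp = Account(
        "CORP\\jsmith",
        frozenset({DOMAIN_LOGON, "SAP GUI", "SAP Portal", "Outlook", "Intranet", "Lotus Notes"}),
        {"SAP GUI": "sap-old", "SAP Portal": "sap-old", DOMAIN_LOGON: "dom-old",
         "Outlook": "dom-old", "Intranet": "dom-old", "Lotus Notes": "notes-old"})
    lab = Account("LAB\\jsmith", frozenset({"SAP GUI", "Outlook"}))   # no Lotus Notes definition
    return corp, lab, groups


if __name__ == "__main__":
    corp, lab, groups = sample_environment()
    print(change_password(corp, groups, "SAP GUI", "sap-new"))      # both SAP applications
    print(change_password(corp, groups, DOMAIN_LOGON, "dom-new"))   # the whole domain group
    print(is_refused(corp, groups, "Outlook", "mail-new"))          # True: domain member
    print(synchronize(corp, [lab]))   # Lotus Notes is skipped: LAB has no such definition
```

The model makes the operational consequence visible: a Lotus Notes password changed in CORP\jsmith never reaches LAB\jsmith because that user configuration has no definition of that name, which is the first thing to check when a user reports that associated accounts drifted apart.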

Default Settings for the Default and Domain Password Policies

The following table describes the settings, as installed, for the Default and Domain password policies.

Default and Domain Password Policy Options (the value shown is the Default Setting; the printed table also provides a blank Your Custom Setting column for recording your own values)

Basic Password Rules
  Minimum password length: 8
  Maximum password length: 20
  Maximum number of times a character can occur: 6
  Maximum number of times the same character can occur sequentially: 4

Alphabetic Character Rules
  Allow lowercase characters: Yes
  Password can begin with a lowercase alphabetic character: Yes
  Password can end with a lowercase alphabetic character: Yes
  Minimum number of lowercase alphabetic characters required: 0
  Allow uppercase characters: Yes
  Password can begin with an uppercase alphabetic character: Yes
  Password can end with an uppercase alphabetic character: Yes
  Minimum number of uppercase alphabetic characters required: 0

Numeric Character Rules
  Allow numeric characters: Yes
  Password can begin with a numeric character: Yes
  Password can end with a numeric character: Yes
  Minimum number of numeric characters required: 0
  Maximum number of numeric characters allowed: 20

Special Character Rules
  Allow special characters: No
  Password can begin with a special character: Yes
  Password can end with a special character: Yes
  Minimum number of special characters required: 0
  Maximum number of special characters allowed: 20
  Allow special characters list: !@#$^&*()_+=[]\|,?

Exclusion Rules
  Exclude the following list of characters or character groups from passwords: Optional setting
  Do not allow application user name in password: No
  Do not allow portions of application user name in password: No
  Number of characters in portions (the character groups that can be taken from the application user name): 3
  Do not allow Windows user name in password: No
  Do not allow portions of Windows user name in password: No
  Number of characters in portions (the character groups that can be taken from the Windows user name): 3

Password History and Expiration
  New password must not be the same as previous password: No
  Number of previous passwords remembered: 1
  Use the password expiration settings associated with the application definitions: No
  Number of days until password expires: 42
  Number of days to warn user before password expires: 14

Logon Preferences
  Allow user to reveal password for applications: No
  Force user to re-authenticate before submitting application credentials: No
  Number of logon retries: 3
  Time limit for number of retries (in seconds): 120 seconds

Password Change Wizard
  Allow users to choose a system-generated password or create their own password: Yes
  Only allow users to create their own password: No
  Only allow users to choose a system-generated password: No
  Generate a password and submit it to the application without displaying the Password Change Wizard: No

Which Type of SSO-Enabled Applications Are Used in My Enterprise?

Note: Password Manager supports the 64-bit version of Internet Explorer. It does not support 64-bit terminal emulator software.

As the Password Manager administrator, you can create an application definition or modify an application definition template for each application that you want Password Manager to manage for your users. You create application definitions by using the console or the stand-alone Application Definition Tool that can be installed on non-console workstations.

You can also allow users to add their credentials to Password Manager for any of their client-side applications that it detects, according to settings in user configurations. The agent software can detect and respond to logon changes for most applications, including the following application types:

Application Types / Description

• Windows: 32-bit Windows applications (including Java applications) such as Microsoft Outlook, Lotus Notes, SAP, or any password-enabled Windows application

• Web: Web applications (including Java applets and SAP) accessed through Microsoft Internet Explorer

• Terminal Emulator: Applications that you access through a HLLAPI-compliant terminal emulator

The agent software responds according to application definitions that you create from scratch or copy from existing templates. An application definition:

• Enables the agent software to recognize and respond to applications and the forms used by the applications to process user credentials

• Consists of a set of identifiers that establish parameters to accomplish this recognition and response

Within each definition, you create logon and password-related forms required by the application to enable access. The application definition wizards can help you create a definition if you open the application; the wizards can detect the forms and fields of most applications by using Password Manager’s window-matching capabilities.

Note: Password Manager includes default application definition templates for a variety of Citrix applications or application features. Click Application Definitions in the console tree and click Manage templates in the Common Tasks area to view them. These templates are also available in the Application Definition Tool. Additional templates are available by searching the Citrix Support Web site at http://www.citrix.com/passwordmanager/gettingstarted.


What Do I Need to Know about Each Application?

Before you create a definition, collect the following information about each single sign-on (SSO) enabled application in your enterprise. You can also start the application to allow the Application Definition wizard or tool to detect some of this information.

• Application executable name and, optionally, its path.

You can supply a path for the application for added security, ensuring the user is running the specific application qualified for your enterprise.

• Individual user credential fields required for each application, such as user name, password, and other fields (for example, domain name or secondary password).

• Other credential-related fields in the form, including these password change fields: Logon, Change Password, Change Password Success (optional), Change Password Failure (optional).

• Password sharing application requirements.

You might also need to know which applications share the same authentication authority and might be part of a password sharing group. Password sharing groups enable Password Manager to manage multiple credentials for applications that use the same method of authentication. Also, you can apply the same password policy to application groups.

• Information associated with terminal emulation applications.

Information such as terminal emulator session short names is required by High-Level Language Application Programming Interface (HLLAPI) compliant terminal emulators.
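To show how the collected items fit together, and why supplying the executable's path adds security, here is an added example in Python, not Citrix code: ApplicationDefinition, matches, select_definition, missing_information and sample_definitions are this example's own names, and the sample definitions and process paths are constructed.

```python
"""Application definition checklist and process matching.

Added example, not Citrix code: all names, sample definitions and paths are
constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class ApplicationDefinition:
    name: str
    app_type: str                             # "Windows" or "Terminal Emulator" in this sample
    executable: str                           # e.g. "outlook.exe"
    path: Optional[str] = None                # optional full path that qualifies the exact program
    credential_fields: tuple = ("user name", "password")
    forms: tuple = ("Logon",)                 # Logon, Change Password, Change Password Success/Failure
    sharing_group: Optional[str] = None       # password sharing group, if any
    session_short_name: Optional[str] = None  # HLLAPI session short name (terminal emulators)


def matches(definition, process_path):
    """Does a detected process belong to this definition?

    With only an executable name, any program of that name is handled. With a
    path as well, only the copy installed at that location is handled, which is
    the added security the text describes: a same-named program elsewhere, for
    example in a user's download folder, receives no credentials."""
    process = PureWindowsPath(process_path)
    if process.name.lower() != definition.executable.lower():
        return False
    # PureWindowsPath compares case-insensitively, matching Windows path semantics
    return definition.path is None or PureWindowsPath(definition.path) == process


def select_definition(definitions, process_path):
    """First definition matching the process, or None when the application is undefined
    (credentials a user adds for it then fall under the Default password policy)."""
    return next((d for d in definitions if matches(d, process_path)), None)


def missing_information(definition):
    """Checklist items from the text that have not been collected for a definition."""
    missing = []
    if not definition.executable:
        missing.append("application executable name")
    if "password" not in definition.credential_fields:
        missing.append("password credential field")
    if "Logon" not in definition.forms:
        missing.append("Logon form")
    if definition.app_type == "Terminal Emulator" and not definition.session_short_name:
        missing.append("terminal emulator session short name")
    return missing


def sample_definitions():
    """Constructed sample definitions (not Citrix templates)."""
    outlook = ApplicationDefinition(
        "Microsoft Outlook", "Windows", "OUTLOOK.EXE",
        path=r"C:\Program Files\Microsoft Office\OUTLOOK.EXE", sharing_group="domain")
    sap = ApplicationDefinition(
        "SAP GUI", "Windows", "saplogon.exe",
        credential_fields=("user name", "password", "client"), forms=("Logon", "Change Password"))
    mainframe = ApplicationDefinition("Mainframe", "Terminal Emulator", "emulator.exe")
    return outlook, sap, mainframe
```

The Outlook definition carries a path, so a copy of outlook.exe started from a user's download folder is not matched and gets no credentials; the SAP definition matches by name only, which is more convenient but trusts every program called saplogon.exe.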

What Type of Smart Cards Are Used in My Enterprise?

You must consider the type of authentication used in your enterprise.

After you determine your authentication types and choose a data protection method in your user configuration, you can implement user identity verification to further secure credentials.

Related topics:

“Do I Need to Use Identity Verification?” on page 29

“Guidelines for Multiple Primary Authentication and User Credential Protection Choices” on page 42


Smart Card Support

Citrix has tested smart cards that meet Standard 7816 of the International Organization for Standardization (ISO) for cards with electrical contacts (known as a contact card) that interface with a computer system through a device called a smart card reader. The reader can be connected to the host computer by the serial, USB, or PC Card (PCMCIA) port.

Citrix supports the use of PC/SC-based cryptographic smart cards. These cards include support for cryptographic operations such as digital signatures and encryption. Cryptographic cards are designed to allow secure storage of private keys such as those used in Public Key Infrastructure (PKI) security systems.

These cards perform the actual cryptographic functions on the smart card itself, meaning the private keys never leave the card. In addition, smart cards provide two-factor authentication for increased security: the card and the user’s PIN. When these items are used together, the cardholder can be proven to be the rightful owner of the smart card.

Smart Card Software Requirements

Consult your smart card vendor or integrator to determine detailed configuration requirements for your specific smart card implementation. The following components are required on the server or client:

• PC/SC software

• Cryptographic Service Provider (CSP) software

• Smart card reader software drivers

Your Windows server and client operating systems might already include PC/SC, CSP, or smart card reader drivers. See your smart card vendor for information about whether these software components are supported or must be replaced with vendor-specific software.

Important: To use smart cards in a Windows Server 2008 or Windows Vista environment, your central store must be created with or updated by a Password Manager 4.5 or later console and Microsoft Data Protection API (requires roaming profiles) must be selected in your user configurations.

Do I Need to Use Identity Verification?

Depending on user configuration settings, you might require users to verify their identities when the following events occur:

• Users change their authentication types; for example, a user might switch between smart card and password authentication (you can create a user configuration that requires initial verification only when switching between authentication types)

• An administrator changes a user’s primary password

• Users reset their primary password using Account Self-Service

• Users unlock their domain account using Account Self-Service

• Users change their primary password on a device that does not have the agent software installed and then log on to a device where the agent software is installed

Password Manager can be configured to verify the user's identity to ensure that the user is authorized to use Password Manager. You can select one of two identity verification methods:

Method / Description

• Previous Password: In this case, users verify their identities by entering their previous primary password.

• Security questions (also known as question-based authentication): In this case, you create a questionnaire that contains as many questions and question groups as you want to make available to users. You can use the default questions Password Manager provides or create your own.

Caution: When previous password is the only identity verification method available to your users, users who forget their previous primary password are locked out. An administrator must then use the Password Manager Console task Reset User Data to enable the users to reenroll. An administrator might also need to reset the passwords in the user’s applications.

Related topics:

“Recovering or Unlocking User Credentials Automatically” on page 31


Verifying User Identity by Using Security Questions (Question-Based Authentication)

Note: If you choose not to set up security questions, users are prompted for their previous primary password when they first log on and when they change their primary password. You can also allow users to choose the method they prefer to use when authenticating (previous passwords or security questions).

Password Manager enables you to use question-based authentication to verify user identity. Password Manager includes four questions (in English, French, German, Japanese, and Spanish) that you can use for this purpose.

You can use question-based authentication:

• As part of a user’s Security Question Registration during the first-time agent software enrollment

• After enrollment, if you configured Account Self-Service to allow users to change their primary credentials or unlock their accounts

When users change their primary passwords, you can confirm your users’ identities by prompting them to answer security questions in the form of a questionnaire you create. This questionnaire appears the first time your users launch the agent software. Users answer the required number of security questions and can be prompted to reenter this information at specific password change events.

Recovering or Unlocking User Credentials Automatically

Important: Automatic key management is not as secure as other key recovery mechanisms such as security questions and previous password.

You can configure Password Manager to bypass identity verification and retrieve user credentials (that is, encryption keys associated with the user data) automatically by installing the Password Manager Service and using the Key Management Module.

The basic workflow to use automatic key management is as follows:

1. Install the Citrix Password Manager Service with the Key Management Module.

2. Create or edit user configurations and select the key recovery method that allows automatic key management without identity verification. This option is available as part of the Secondary Data Protection property in the user configuration.

Planning Your User Configurations

Important: You must create user configurations before you deploy the Password Manager agent software to users. A user configuration contains the license server and licensing information required by the agent software for operation.

Note: Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.

A user configuration is a unique collection of settings, password policies, and applications that you apply to users associated with an Active Directory hierarchy (organizational unit or an individual user) or Active Directory group (except for distribution groups and Domain Local groups in Active Directory mixed mode, which are not supported). A user configuration enables you to control the behavior and appearance of the agent software for users.

User configurations set your user information, application definitions, password policies, and identity verification methods. You must also specify license information (license server and license type) in each user configuration. Therefore, your users cannot use the agent software until you establish their user configuration settings.

Before you create your user configurations, ensure that you already created or defined the following:

• Your central store

• Optional service modules

• Application definitions

• Password policies

• Security questions (optional)

User configurations consist of the following:

• Users associated with an Active Directory domain hierarchy (organizational unit or individual user) or group.

• Data protection methods.


• Application definitions you created, which you can combine into an application group when you create a user configuration.

• Password policies associated with any application groups. (While creating a user configuration, you can create one or more application groups to associate with a user configuration. You can also add an application group to a user configuration after you create the user configuration.)

• Self-service features (account unlock and password reset) and key management options (use of previous passwords, security questions you create for your users, and automatic key management).

• Settings for options such as Hot Desktop, credential provisioning, and application support.

Related topics:

“What Type of Smart Cards Are Used in My Enterprise?” on page 28

“Do I Need to Use Identity Verification?” on page 29

Planning Considerations

• If you need to apply the same user configuration settings to a different group of users, duplicate the user configuration in the console and modify the settings accordingly.

• How you organize your Password Manager user environment might affect how user configurations operate. That is, you associate user configurations in your Password Manager environment with an Active Directory hierarchy (OU or users) or an Active Directory group. If you use both (hierarchy and group) and a user is located in both containers, the user configuration associated with the hierarchy takes precedence and is the one used. This scheme is considered a mixed environment.

• The user configuration information maintained in the central store takes precedence over information stored in the local store (that is, user data stored on a user’s computer). The local store user data is mostly used when the central store is not available or offline.


Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop)

Note: “Hot Desktop: A Shared Desktop Environment for Users” in the Citrix Password Manager Administrator’s Guide describes how to configure Hot Desktop.

The Hot Desktop feature allows users to share workstations efficiently and securely. With Hot Desktop, you get the convenience of fast user switching in addition to single sign-on capability through Password Manager.

Before you can implement Hot Desktop, however, you must:

• Create Hot Desktop-related user configurations

• Configure a Hot Desktop shared account

• Edit the scripts that define which applications run on Hot Desktop devices and their startup and shutdown behavior

Hot Desktop functionality is not installed by default; you can select it during the initial installation of the agent software. You can also upgrade existing deployments to use Hot Desktop.

Note: If you deploy Hot Desktop in an environment where users log on with smart cards and your selected smart card key source is DPAPI with Profile, do not select Prompt user to enter the previous password as the only key recovery method for those users. Users in such an environment cannot enter the correct previous password and, consequently, are irretrievably locked out of the system. To avoid this problem, select the automatic key management option or make question-based authentication available as an option.

Controlling Applications

With Hot Desktop, users can authenticate quickly using their Windows account credentials or smart card strong authenticator. As the administrator, you can configure Hot Desktop to launch applications in the Hot Desktop environment so your users do not have to search for and wait for their applications to launch.

You can also configure Hot Desktop to help ensure that all applications terminate properly, leaving behind a clean environment for the next user session.


The Hot Desktop User Experience

When the shared account logs on, it places the device into “fast user switch” mode, which causes a standard Windows authentication prompt to appear on the screen. The shared account remains logged on regardless of Hot Desktop user activity.

When users authenticate, they do not log on to Hot Desktop in the traditional sense. Instead, Hot Desktop uses their Windows credentials to start a Hot Desktop session. Because users are not truly logging on but rather authenticating, time-consuming events normally associated with logging on, such as applying group policy, initializing printers, and so on, do not occur. This creates the “fast-switch” user experience when running Hot Desktop. A user can start a session, perform any job-related tasks, and end the session so the next user can enter the system and do the same. The switch from user to user occurs quickly and efficiently.

The Password Manager agent software launches when the Hot Desktop session starts. After the session is established, Hot Desktop accesses the user’s Windows account credentials to launch applications using the standard shell interface. Typically, these lightweight client applications prompt users for their credentials, which can be supplied by the agent software using settings associated with their Windows account.

Licensing Requirements

Install the license server and add licenses before installing Password Manager.

Important: To run this release, you must have the license server (Version 11.5) that is available from the Licensing folder in the installation media. If you are running an earlier version of the license server, you must upgrade your license server to Version 11.5.

For details about licensing requirements, terms, and installation, see the Getting Started with Citrix Licensing Guide, available at http://support.citrix.com/pages/licensing/ under the “Top Licensing Resources” title on the page.

Disconnected Mode

Note: This mode is set as part of a user configuration. See “Configure Licensing” in the Citrix Password Manager Administrator’s Guide.


If you have users who will be disconnected from the license server for extended periods of time, such as mobile users with laptops, you must specify a disconnected mode period for these users. The disconnected mode period is specified as part of the licensing settings in the user configuration. The disconnected mode period specifies two important aspects of licensing behavior:

• The amount of time the user can be disconnected from the license server without entering the licensing grace period. When the disconnected mode period expires, the users employing the associated user configuration lapse into the licensing grace period, which is 30 days.

• The amount of time until a checked out license, which is being used in disconnected mode, is returned to the pool of available licenses on the license server regardless of whether or not the product reconnects to the license server. If a license is checked out and the disconnected mode associated with that license expires before the license is checked in, the license server automatically checks the license back in so the license is available again. For example, if a laptop running Password Manager is lost and never reconnects with your organization’s network, the license server automatically checks the license back in at the end of the disconnected mode period.

When you set the disconnected mode, you are actually specifying how long you want to wait until the license is returned to the pool of available licenses.

Consider setting long disconnected mode periods for users who do not connect to your organization’s network regularly, such as Sales personnel who work remotely. Set the period to be the longest amount of time you anticipate users in this configuration could be away from your network. However, keep in mind you cannot retrieve any checked out licenses, even from lost or broken equipment, for the duration of this period.

Managing a Mixed License Type Environment

Depending on your Password Manager environment and enterprise needs, you might have purchased named user and concurrent user Password Manager licenses. For example, you might create user configurations based on the named user license model for mobile users who use the agent software through a desktop computer and laptop computer. You might also create user configurations based on the concurrent user license model for Hot Desktop users, for example.

In some cases, all of your named user licenses might be in use, making Password Manager unavailable for some users. If so, you can use any available concurrent user licenses in your user configuration to be consumed offline.


To employ available concurrent user licenses to be used offline

1. Create a user configuration as described in “Creating a User Configuration: the User Configuration Wizard” in the Citrix Password Manager Administrator’s Guide.

2. On the Configure Licensing page, select Concurrent User License (Enterprise and Platinum Edition Only).

3. Select Allow license to be consumed for offline use and set the amount of time the license can be checked out from the license server.

4. Finish setting the user configuration.

For users associated with this user configuration, the license model is the same as a named user license—it can be consumed by users who might occasionally work remotely and be offline for periods of time. Concurrent user licenses are then consumed on a per-user basis.

Selecting Optional Password Manager Service Features

The Password Manager Service is a Web service that uses Secure Sockets Layer (SSL) to encrypt the data shared by the Password Manager Service, the console, and the agent software. It uses a dedicated Web server to host the optional features included in Password Manager.

Install the Password Manager Service if you plan to implement one or more of the following modules:

• Key Management, which allows users to log on to the network and have immediate access to applications managed by Password Manager without needing to verify their identities through question-based authentication

• Data Integrity, which digitally signs data before it is transmitted from the central store to the agent software

• Provisioning, which allows you to use the console to add, remove, or update credential information for your users

• Self-Service, which allows users to reset their Active Directory passwords and unlock their accounts

• Credential Synchronization, which allows users to synchronize their credentials among different accounts (also known as Account Association)


Important: The server that hosts the Password Manager Service contains highly sensitive user-related information. Citrix recommends that you use a dedicated server and that you place the server in a physically secure location.

Account Self-Service

Note: You can use the Account Self-Service feature only in an Active Directory environment to allow your users to reset their primary password or unlock their Windows domain accounts.

You can configure the self-service features of Password Manager to allow your users to reset their primary password or unlock their Windows domain accounts without intervention by administrative or help desk staff. Depending on your needs, you can implement one or both of the self-service password reset and account unlock features securely in your Password Manager environment.

Self-Service Password Reset allows users who forgot their primary password to reset their password and unlock their own accounts. Account Unlock allows your users to unlock their domain accounts when a lockout event occurs.

These account features are protected by Question-Based Authentication to help ensure that your users are authorized to reset their passwords or unlock their accounts.

With Account Self-Service enabled, users must enroll, a process that requires them to answer the security questions you create and select. These security questions are then presented to users when they need to reset their password or unlock their account. When the questions are answered correctly, users are allowed to reset their password or unlock their account.

You can also use Account Self-Service with Web Interface. Web Interface is a component of Citrix XenApp that allows users to access their published applications by clicking links on a Web page.

Note: Account Self-Service does not support user principal name (UPN) logons, such as [email protected].


Data Integrity

Note: If you already implement a security framework that protects data in transit, such as IPsec (Internet Protocol Security) or SMB (Server Message Block) signing, you do not need to install the Data Integrity Module.

Install the Data Integrity Module if you want to ensure that data transmitted among the Password Manager components is provided by a trusted and authorized source. This module is optional and is designed for deployments whose networks are not trusted.

The Data Integrity Module contains the public and private key files used for signing the data. It utilizes RSA public key cryptography to ensure that the agent software obtains configuration data provided by an authorized source only.

Important: The Data Integrity Module never distributes its private key.

After the console signs the data, the console sends both the data and the signature to the central store. The agent software receives the data and signature from the central store during synchronization. The agent software then contacts the Password Manager Service to obtain a copy of the public key it needs to verify the signature it received from the central store.

If the agent software is configured to use the Data Integrity Module, it never accepts configuration data that failed the data integrity check. If a check fails, the agent software logs the event and displays an error message telling users to contact their administrator directly. The agent software then defaults to previous configurations or returns to an offline state.
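The signing and verification flow described above, written out as an added Go example (not Citrix code): the console signs the configuration with a private key that stays on the console, the agent verifies with the public key it obtained from the service, and data that fails the check is rejected while the previous configuration is kept. The SHA-256 digest, RSA PKCS#1 v1.5 padding, 2048-bit key and the SignedConfig layout are assumptions; the product's real format is not documented on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedConfig is what the console writes to the central store: the
// configuration data and its detached signature. (Layout is an assumption
// for this example, not the product's real storage format.)
type SignedConfig struct {
	Data      []byte
	Signature []byte
}

// Console holds the Data Integrity Module's private key. The key is used
// only here; it is never distributed to the central store or the agent.
type Console struct{ priv *rsa.PrivateKey }

// Sign hashes the configuration data with SHA-256 and signs the digest with
// RSA PKCS#1 v1.5 (digest and padding are assumptions; the guide says only
// "RSA public key cryptography").
func (c *Console) Sign(data []byte) (SignedConfig, error) {
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Data: data, Signature: sig}, nil
}

// ErrIntegrity is returned when the signature does not match the data.
var ErrIntegrity = errors.New("data integrity check failed")

// Agent models the agent software. It keeps the last configuration that
// passed the check and holds the public key it fetched from the Password
// Manager Service (never from the central store, whose contents it is checking).
type Agent struct {
	pub     *rsa.PublicKey
	current []byte
}

// Synchronize is the agent's handling of data received from the central
// store: accept it only if the signature verifies; otherwise log, tell the
// user to contact the administrator, and keep the previous configuration.
func (a *Agent) Synchronize(sc SignedConfig) error {
	digest := sha256.Sum256(sc.Data)
	if err := rsa.VerifyPKCS1v15(a.pub, crypto.SHA256, digest[:], sc.Signature); err != nil {
		fmt.Println("agent: integrity check failed; contact your administrator")
		return ErrIntegrity
	}
	a.current = sc.Data
	return nil
}

// Current returns the configuration the agent is operating on.
func (a *Agent) Current() []byte { return a.current }

// NewPair creates a console and an agent that share one RSA key pair
// (the 2048-bit key size is an assumption).
func NewPair() (*Console, *Agent, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return &Console{priv: priv}, &Agent{pub: &priv.PublicKey}, nil
}

// Demo runs the whole flow on constructed sample data and reports whether
// the genuine configuration was accepted, the tampered one rejected, and
// the agent kept the previous configuration after the failed check.
func Demo() (accepted, tamperedRejected, keptPrevious bool, err error) {
	console, agent, err := NewPair()
	if err != nil {
		return false, false, false, err
	}
	genuine := []byte("app=Outlook;password-policy=strong") // constructed sample
	sc, err := console.Sign(genuine)
	if err != nil {
		return false, false, false, err
	}
	accepted = agent.Synchronize(sc) == nil

	// Simulate modification of the data in the central store: the old
	// signature is still attached but no longer matches the data.
	tampered := sc
	tampered.Data = []byte("app=Outlook;password-policy=none")
	tamperedRejected = errors.Is(agent.Synchronize(tampered), ErrIntegrity)
	keptPrevious = string(agent.Current()) == string(genuine)
	return accepted, tamperedRejected, keptPrevious, nil
}

func main() {
	accepted, rejected, kept, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v tampered rejected=%v previous kept=%v\n", accepted, rejected, kept)
}
```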

Key Management

With Key Management, users log on to the network and have immediate access to applications managed by Password Manager without using question-based authentication (this scheme is also known as automatic key management). When users change their primary passwords, the agent software detects these changes and recovers the users’ encryption keys using the Password Manager Service.

This automatic key management provides users with the easiest and fastest access to their applications. However, automatic key management does not protect against access by an unauthorized user or administrator impersonating a user because there is no “user secret” to protect the user’s network password. To help prevent this potential problem, implement automatic key management in combination with the Account Self-Service Module and question-based authentication.


Automatic key management uses key splitting (the process of dividing a private key into two parts) to help reduce security threats.

Important: Depending on the security policy your organization implements, system administrators might be able to access passwords for applications managed by Password Manager. Check your organization’s security policy before allowing Password Manager to handle passwords that users want to keep completely private. Clearing automatic key management features in the Data Protection Methods setting in the user configuration can also help prevent this unauthorized access.

Provisioning

Provisioning (also known as credential provisioning) adds to the flexibility and functionality of Password Manager within your organization’s environment by allowing you to automate a number of time-consuming processes. Whether you are rolling out a new installation of Password Manager, adding several hundred new users and new applications, or clearing out unneeded information, credential provisioning gives you the ability to complete these tasks quickly.

For example, you can use credential provisioning to add all the user names and passwords for all of your applications to the central store. Doing so eliminates the need for first-time users of the agent software to go through the process of Initial Credential Setup. Additionally, if you plan to roll out new software to your users, create an application definition for the application and use credential provisioning to add the credentials for all users who will use the application.

Using credential provisioning, you can:

• Add, modify, and delete credentials in the central store

• Reset user credential information

• Remove users and their application credentials from Password Manager

Credential provisioning is achieved by using information about your environment to create a template that you can use to add, remove, or change credential information in your central store. Credential provisioning is processed as part of the Password Manager Service.


Credential Synchronization (Account Association)

Account Association allows a user to log on to any application from one or more Windows accounts. Because Password Manager typically binds user credentials to a single account, the credential information is not automatically synchronized among multiple accounts that a user owns. However, administrators can configure Account Association to synchronize user credentials. Users with Account Association configured have access to all applications from any of their accounts in their Password Manager environment. When user credentials are changed, added, or removed from one account, the credentials are automatically synchronized with each of the user’s associated accounts.

Password Manager Agent Software Deployment Scenarios

How you decide to implement Password Manager depends on how users access applications in your enterprise. For example, if you are running a XenApp environment, you can publish the Password Manager agent software on each server in your farm that is currently hosting applications requiring authentication. Users access these applications through their Citrix connections.

If users run applications locally on their workstations, laptops, handheld computers, or other client devices, the agent software is installed on these devices. The agent software in this case provides credentials and access to applications running locally on the client device.

You can also implement the agent software in a mixed environment, with local applications and applications published on computers running XenApp. The locally-installed agent software provides credentials to the applications installed on the client device and the XenApp-based agent software provides credentials to the published applications.

If you are also running Access Gateway Advanced Edition, applications are available from XenApp through a Web browser.

Password Manager can be used with the following:

• Access Gateway Advanced Edition

• Citrix XenApp features such as:

  • Citrix XenApp Plugin for Hosted Apps

  • Citrix XenApp Plugin for Streamed Apps

  • Web Interface


XenApp Considerations

• When you use Password Manager in a XenApp environment, you must install the agent software on each server that publishes applications that require authentication. The agent software provides credentials for published applications only.

• Install the console on a desktop or server that is not a member of the server farm. This desktop or server should run the same operating system as each server on which the applications are published or the same operating system of each server where the agent software will be installed. Use this console to create user configurations to control the agent software behavior.

• Users access the published applications in the server farm through ICA connections using a client. When a user tries to connect to a published application that requires credentials, the agent software recognizes the request for authentication sent by the XenApp server. The agent software determines the application type (Windows, Web, or terminal emulator) and retrieves the appropriate credentials from the local credential store in the user’s profile.

Guidelines for Multiple Primary Authentication and User Credential Protection Choices

When you create a user configuration, you can select user credential protection methods depending on the authentication schemes you use in your enterprise.

The following user configuration property pages enable you to tune the Password Manager agent software behavior and credential data protection method used when users implement one or more primary authentication methods.

Data Protection Methods Page

The user configuration Data Protection Methods properties page enables you to select single or multiple primary authentication data protection methods. You can also regulate administrator access to user credential data to help prevent administrators from impersonating a user and gaining unauthorized access to user information.


Secondary Data Protection Page

For added security when users change their primary authentication (for example, a domain password is changed or smart card is replaced), the user configuration Secondary Data Protection properties page enables you to require users to reauthenticate and verify their identities before unlocking their application credentials.

Security Versus Usability

Two key questions to ask when deciding which options to choose on these two user configuration property pages are:

• Which authentication types are used in my environment for the users I am administering in this user configuration?

• How can I balance security requirements for the enterprise and usability for all users?

Consider also that the following choices are not mutually exclusive and that you can use a mix of them in your enterprise (that is, multiple primary authentication). Your decision is ultimately based on your need for security versus ease-of-use for your enterprise users.

User Impersonation

If you want to disallow administrator access to user credentials, select Yes for the following option. Credentials are protected against administrators seeking to impersonate a user and to gain access to user information.

Yes is the default setting for the Data Protection Methods page. With this configuration, the account or other administrator does not have access to user passwords or user data. This setting helps prevent an administrator from impersonating a user. The administrator cannot log on as the user with this default setting and possibly access data located in the user local credential store.

The Yes setting disables the use of the Microsoft Data Protection API option on this page and the Do not prompt users; restore primary data protection automatically option on the following Secondary Data Protection page. Smart cards and roaming profiles are not allowed in this case, and credentials are not restored automatically upon a password change without authentication or verification.

Do you need to regulate account administrator access to user data?


Select No if you want to allow use of all the multiple authentication features available from this page and the Secondary Data Protection page (including the ability to restore credentials automatically without reauthentication or identity verification).

User Name and Password

The simplest implementation is the default setting for the Data Protection Methods page: a password-only environment. The default setting lets your users employ their user name and password while protecting their credentials against unauthorized access by administrators.

Important: The security of this setting choice depends on the relative strength of your domain password policy. The stronger (or more complex) the password requirement, the more secure this choice is.

Option: Do you need to regulate account administrator access to user data?
Description: See “User Impersonation” on page 43.

Option: Users authentication data
Description: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a password. Password security can be derived from the user’s typed domain password or a one-time password from token, proximity, or biometric devices.

Smart Cards with Certificates and User Authentication Data

Important: This option is not supported by Version 4.1 of the Password Manager Agent. Select Use data protection as in Password Manager 4.1 and previous versions and Smart Card Data Protect if you plan to use these legacy agents. See “Select Data Protection Methods” in the Citrix Password Manager Administrator’s Guide.

Important: To use smart cards in a Windows Server 2008 or Windows Vista environment, your central store must be created with or updated by a Password Manager 4.5 or later console and Microsoft Data Protection API (requires roaming profiles) must be selected in your user configurations.

Use this option if you combine smart cards with embedded certificates or digital signatures and user authentication data in your enterprise. Combining smart cards with a user name and password for authentication is the most secure choice for protecting user authentication data.

Note: Select the Smart Card Certificate option if you use smart cards with Hot Desktop.

Option: Do you need to regulate account administrator access to user data?
Description: See “User Impersonation” on page 43.

Option: Users authentication data
Description: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a password. Password security can be derived from the user’s typed domain password or a one-time password from token, proximity, or biometric devices.

Option: Smart Card Certificate
Description: Selected. In this case, the user secret is protected by the encryption and decryption provided by the card’s security certificate.

Smart Cards with PINs

Note: This option is supported by Version 4.1 of the Password Manager Agent if you select Use data protection as in Password Manager 4.1 and previous versions and PIN as password, if you plan to use legacy agents.

If you use smart cards that do not support security certificates as the primary authenticator in a Windows domain or you do not use roaming profiles, use the Allow Smart Card PINs option. When you select this option, the encryption keys used to protect secondary credentials are derived from the smart card PIN.


Consider enforcing the use of a strong PIN. In some enterprises, smart card PINs are four-digit numbers that do not provide as strong a level of protection as, for example, an eight-character password and might be more vulnerable to attack. Use the PIN as password option only if your organization enforces a smart card PIN policy that requires a mixture of letters and numbers, and requires a minimum length of eight characters.

Roaming Profiles (Microsoft DPAPI)Important: To use smart cards in a Windows Server 2008 or Windows Vista environment, your central store must be created with or updated by a Password Manager 4.5 or later console and Microsoft Data Protection API (requires roaming profiles) must be selected in your user configurations.

Note: This method is supported by Version 4.1 of the Password Manager Agent and is supported on Windows XP, Windows 2000, and Windows 2003 Server platforms. Select Use data protection as in Password Manager 4.1 and previous versions and DPAPI with Profile if you plan to use legacy agents.

Select No in response to Do you need to regulate account administrator access to user data? to enable the use of the roaming profiles and Microsoft Data Protection API in your environment. This option is the next-most secure option after smart cards with certificates and user authentication data.

Select this option if you are using roaming profiles implementing a Kerberos network authentication protocol for users. This option works only if roaming profiles are available. If you are storing roaming profiles on workstations, you must select this option.

Option: Do you need to regulate account administrator access to user data?
Description: See “User Impersonation” on page 43.

Option: Users authentication data
Description: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a personal identification number (PIN).

Option: Allow Smart Card PINs
Description: Selected. Allow the Smart Card PIN to be used as the user secret for protection. Use this only if your enterprise or environment has a “strong PIN” policy.


Password Manager derives the encryption keys that protect secondary credentials from the user’s primary password. However, if a user uses a smart card for primary authentication, a primary password does not exist and cannot be used. In this case, the best agent option is Microsoft Data Protection API. This option uses the Microsoft DPAPI to derive encryption keys and protect secondary credentials. This encryption mechanism uses the user’s Windows or domain credentials to derive the encryption keys.

If users employ passwords to access their computers and a Kerberos network authentication protocol to access XenApp servers, select:

• No in response to Do you need to regulate account administrator access to user data?

• Users authentication data

• Microsoft Data Protection API

This method also allows the use of user credentials and smart cards to log on.

Related topics:

“Smart Cards with Certificates and User Authentication Data” on page 44

Blank Passwords

Important: If you do not select this option and a blank password is allowed in your environment, the agent software does not derive a user secret or otherwise perform any data protection with the blank password.

Allowing the use of a blank password should be considered a special case and should only be used in low security environments that require extreme ease of use. One scenario is when a common workstation is placed on a factory floor and is accessed by many users. You can still use Password Manager to control access to applications but the user credentials to access the workstation include a blank password.

Option: Do you need to regulate account administrator access to user data?
Description: See “User Impersonation” on page 43.

Option: Users authentication data
Description: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a password.

Option: Allow protection using blank passwords
Description: Selected. When you select this option and the agent software detects that the user has a blank password, a user secret for data protection is derived from the user ID.

3 Installing Password Manager

This section describes the pre-installation, installation, and configuration tasks required to successfully install Citrix Password Manager.

Summary of Installation Steps

Pre-Installation

Task: Choose the computers in your environment where you will install the software.
See this section or document:
• “Planning Your Password Manager Environment” on page 11
• “Hardware and Software Requirements” on page 50

Task: Prepare the computers for installation.
See this section or document:
• “ASP.NET Requirements” on page 53
• “Security and Account Requirements for Password Manager Service” on page 53
• “Installing the Microsoft .NET 2.0 Framework” on page 57
• “Installing the Java Runtime Environment” on page 58

Task: Install the license server and add licenses for Password Manager.
See this section or document:
• “Licensing Requirements” on page 60
• Getting Started with Citrix Licensing Guide, available at http://support.citrix.com/pages/licensing/ under the “Top Licensing Resources” title on the page

Installation

Task: Review the Autorun menu.
See this section or document: “Before You Install Password Manager” on page 60

Task: Create a central store.
See this section or document:
• “Which Central Store Type Should I Choose?” on page 15
• “Creating a Central Store” on page 62

Task: Install the Password Manager Service.
See this section or document: “Installing and Configuring the Password Manager Service” on page 69

Task: Install the Password Manager Console.
See this section or document: “Installing and Configuring the Password Manager Console” on page 74

Task: Install the Password Manager Plugin/agent software.
See this section or document: “Installing and Configuring the Password Manager Agent Software” on page 76

Hardware and Software Requirements

Important: Do not install Password Manager on a domain controller. Installation of Password Manager agent software, service, console, or NTFS network share central store on a domain controller is not supported.

This section describes the hardware and software requirements for your environment. This section assumes that each computer meets the minimum hardware requirements for the installed operating system.

Supporting System Software Requirements

Computers in your Password Manager environment might require the following supporting system software.

Software component: Microsoft Windows Installer 3.0 or later
Required by: All
Available from:
• Support folder on the Password Manager installation media
• http://www.microsoft.com

Software component: Microsoft .NET Framework 2.0
Required by:
• Password Manager Service
• Password Manager Console
• Application Definition Tool
Available from: Support folder on the Password Manager installation media

Software component: Java Standard Edition Runtime Environment (JRE) Versions 1.4.x, 5, and 6
Required by:
• Password Manager Console
• Application Definition Tool
• Password Manager agent software
Available from: http://www.java.com

Software component: Microsoft Internet Explorer Version 6.0 or 7.0 (non-protected mode)
Required by: Users accessing SSO-enabled Web applications
Available from: http://www.microsoft.com

Password Manager Software Requirements

This table shows the software and hardware requirements for Password Manager.


Important: The server that hosts the Password Manager Service contains highly sensitive user-related information. Citrix recommends that you use a dedicated server and that you place the server in a physically secure location.

Component: Central store
Supported environment or Microsoft Windows operating system:
• Active Directory
• NTFS File Share
• Novell Shared Folder
Hardware requirements: 30KB disk space per user

Component: Console
Supported environment or Microsoft Windows operating system:
• Microsoft Windows Vista (Business Edition, Ultimate Edition, Enterprise Edition)—32-bit and 64-bit
• Microsoft Windows XP Professional, Service Pack 2—32-bit
• Microsoft Windows XP Professional x64 Edition—64-bit
• Microsoft Windows 2000 Professional, Service Pack 4
• Microsoft Windows Server 2008 (Standard Edition, Enterprise Edition, Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows Server 2003 R2 (Standard Edition, Enterprise Edition, Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows Server 2003 with Service Pack 2 (Standard Edition, Enterprise Edition, Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows 2000 Server, Service Pack 4 (Windows 2000 Server, Advanced Server, Datacenter Server)—32-bit
Hardware requirements:
• 64MB RAM
• 60MB disk space

Component: Agent software
Supported environment or Microsoft Windows operating system:
• Microsoft Windows Vista (Business Edition, Ultimate Edition, Enterprise Edition)—32-bit and 64-bit
• Microsoft Windows XP Professional, Service Pack 2—32-bit
• Microsoft Windows XP Professional x64 Edition—64-bit
• Microsoft Windows XP Embedded
• Microsoft Windows 2000 Professional, Service Pack 4
• Microsoft Windows Fundamentals for Legacy PCs
• Microsoft Windows Server 2008 (Standard Edition, Enterprise Edition, Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows Server 2003 R2 (Standard Edition, Enterprise Edition, Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows Server 2003 with Service Pack 2 (Standard Edition, Enterprise Edition, Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows 2000 Server, Service Pack 4 (Windows 2000 Server, Advanced Server, Datacenter Server)—32-bit
Hardware requirements:
• 10MB RAM
• 25MB disk space (if optional features are not installed)
• 35MB disk space (if optional features are installed)

Component: Service
Supported environment or Microsoft Windows operating system:
• Microsoft Windows Server 2008 (Standard Edition, Enterprise Edition, Datacenter Edition)—32-bit
• Microsoft Windows Server 2003 R2 (Standard Edition, Enterprise Edition, Datacenter Edition)—32-bit
• Microsoft Windows Server 2003 with Service Pack 2 (Standard Edition, Enterprise Edition, Datacenter Edition)—32-bit
• ASP.NET (Application Server components available)
Hardware requirements:
• 128MB RAM
• 30MB disk space

Component: Application Definition Tool
Supported environment or Microsoft Windows operating system: Same as agent software
Hardware requirements: Same as agent software

Note: Password Manager is not supported on Microsoft Windows XP Home Edition.

Hot Desktop is supported only on Microsoft Windows 2000 Professional, Microsoft Windows XP Embedded, and Microsoft Windows XP Professional, Service Pack 2—32-bit. It is not supported on 64-bit operating systems or any server operating systems.


ASP.NET Requirements

Make sure the ASP.NET Windows component is installed on the computer running the Password Manager Service.

Security and Account Requirements for Password Manager Service

Before you install the Password Manager Service, ensure that the appropriate accounts and components are available to support the service. Also, because the service uses secure HTTP (HTTPS), the service requires a server authentication certificate for Secure Sockets Layer (SSL) communication with the console and agent software.

Server Authentication Certificate Requirement

Note: When you install the Password Manager Service, Password Manager creates signing and validation certificates to authenticate the information in the central store. These certificates are not related to the required SSL certificate.

Before you install the service, obtain a server authentication certificate for SSL communication from a certificate authority (CA) or, if you have an existing public key infrastructure (PKI), download your own certificate to the server running the service.

An SSL certificate is necessary to ensure secure communication from the service to the console and agent software, and to guarantee that the agent software and console are communicating with the correct service server.

• Because this certificate is used for SSL communication, the certificate common name must match the service server’s fully qualified domain name (FQDN). Specify a minimum key size of 1024.

• You must install the certificate in your local computer certificate store and establish the appropriate trust relationships for the console and the agent software.

• You must install this certificate on the computers running the service, console, and agent software.

• In a load balancing or clustered service environment, you can use one certificate for multiple service servers if the common name of the SSL certificate uses a wildcard (typically an asterisk character) in it. For example, you can use an SSL certificate with a common name of server*.mycompany.com for an environment with servers named server1.mycompany.com, server2.mycompany.com, and server3.mycompany.com. You could also use an SSL certificate with a common name of *.mycompany.com in this case, where the common name does not match the server FQDN.

Important: If you obtain your certificate from an authority that is not trusted by default (such as a certificate authority installed in your company), you need to install the root authority certificate to your local computer’s trusted root certificate store to establish the trust relationship.

If users are experiencing SSL failures, it is most likely because the server certificate is not trusted. Refer to the Microsoft Web site http://www.microsoft.com for instructions about extracting and deploying CA root certificates.
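The common-name rule above (exact match on the service FQDN, or a wildcard such as server*.mycompany.com covering several servers, with a key size of at least 1024 bits) written as a pre-deployment check. This is an added example, not code shipped with Password Manager; it assumes the wildcard is confined to the leftmost name label and never matches across a dot.

```python
"""Pre-deployment check for the Password Manager Service SSL certificate name.

Added example, not Citrix code. It applies the guide's rule that the
certificate common name must match the service server's FQDN, or use a
wildcard such as server*.mycompany.com to cover several servers, and that
the key size must be at least 1024 bits.
"""
from typing import Dict, List

MIN_KEY_BITS = 1024  # minimum key size stated in the guide


def _labels(name: str) -> List[str]:
    """Split a DNS name into labels; names are case-insensitive and may end in '.'."""
    return name.strip().rstrip(".").lower().split(".")


def common_name_matches(common_name: str, fqdn: str) -> bool:
    """Return True if the certificate common name is valid for the given FQDN.

    Assumption in this example: a wildcard ('*') is accepted only in the
    leftmost label, at most once, and never matches across a dot, so
    '*.mycompany.com' does not cover 'a.b.mycompany.com'.
    """
    cn_labels = _labels(common_name)
    host_labels = _labels(fqdn)
    # Both names need the same number of labels, at least two, none empty.
    if len(cn_labels) < 2 or len(cn_labels) != len(host_labels):
        return False
    if any(not label for label in cn_labels + host_labels):
        return False
    # Everything right of the leftmost label must match exactly, with no wildcard.
    if any("*" in label for label in cn_labels[1:]):
        return False
    if cn_labels[1:] != host_labels[1:]:
        return False
    first_cn, first_host = cn_labels[0], host_labels[0]
    if "*" not in first_cn:
        return first_cn == first_host
    if first_cn.count("*") != 1 or "*" in first_host:
        return False
    prefix, suffix = first_cn.split("*")
    # 'server*' requires the host label to start with 'server'; '*' alone matches any label.
    return (len(first_host) >= len(prefix) + len(suffix)
            and first_host.startswith(prefix)
            and first_host.endswith(suffix))


def certificate_problems(common_name: str, fqdn: str, key_bits: int) -> List[str]:
    """List what would make the service's SSL certificate unusable for `fqdn`."""
    problems = []
    if not common_name_matches(common_name, fqdn):
        problems.append(f"common name {common_name!r} does not match service FQDN {fqdn!r}")
    if key_bits < MIN_KEY_BITS:
        problems.append(f"key size {key_bits} bits is below the {MIN_KEY_BITS}-bit minimum")
    return problems


def servers_covered(common_name: str, fqdns: List[str]) -> Dict[str, bool]:
    """For a load-balanced service, report which server FQDNs one certificate covers."""
    return {fqdn: common_name_matches(common_name, fqdn) for fqdn in fqdns}


if __name__ == "__main__":
    # Server names taken from the guide's own load-balancing example.
    farm = ["server1.mycompany.com", "server2.mycompany.com", "server3.mycompany.com"]
    for cn in ("server*.mycompany.com", "*.mycompany.com", "server1.mycompany.com"):
        print(cn, servers_covered(cn, farm))
    print(certificate_problems("server9.mycompany.com", "server1.mycompany.com", 512))
```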

Related topics:

“To configure the Password Manager Service(s) with the Service Configuration wizard” on page 71

Accounts Required for Service Modules

The Password Manager Service can require up to three system account types to read and write data as it operates in your environment:

• Service account

• Data proxy account

• Self-service account

The number and type of accounts required depend on the service modules you choose to use. The table shows the accounts required by each module of the service. In cases where different modules require the same type of account, you can use the same account for multiple modules or you can specify different customized accounts for each module.

Accounts required by module:

Module                       Service   Data Proxy   Self-Service
Data Integrity               Yes       No           No
Key Management               Yes       Yes          No
Provisioning                 Yes       Yes          No
Self-Service                 Yes       Yes          Yes
Credential Synchronization   Yes       No           No

Service Account Requirements

On the server running the Password Manager Service, use the following accounts to run the service.

Operating system: Windows Server 2003, Windows Server 2008
Account specification: Use the existing Network Service or Local Service accounts.

Note: If you choose to create a domain account as the service account, you must register a service principal name for this domain account and the service computer in Active Directory by using the setspn.exe utility. See the Microsoft Web site for more information about service principal names.

You cannot specify a local user account as the service account in this version of Password Manager. You can specify the built-in Local Service account.

Data Proxy Account Requirements

On the server running the Password Manager Service, create an account with the following settings, to be used for data proxy communication with the service.

The account requires read and write access to the central store. The account requirements depend on the central store type you are implementing.

Central store type: NTFS Network Share
Account description: The account:
• Requires read and write access to the central store.
• Is a member of the domain.
After you create the central store:
• Grant the account Full Control sharing permissions to the CITRIXSYNC$ share.
• Grant the account Full Control permissions to the CITRIXSYNC folder and its subfolders: CentralStoreRoot folder and People folder.
• Grant the account Full Control permissions to all file objects within the CITRIXSYNC folder and its subfolders.
• Ensure that the Authenticated Users group has the right to create folders inside the People folder.

Central store type: Active Directory
Account description: The account:
• Requires read and write access to the central store.
• Is a member of the domain administrator group.

Note: You cannot use the Password Manager Service if your central store type is a Novell Shared Folder.

Self-Service Requirements

If you are using the Self-Service Password Reset or Self-Service Account Unlock features of the Account Self-Service Module, use an account that is a member of the domain administrators group.

Account Requirements to Install and Use Password Manager

The following section describes the account requirements for those users installing and using Password Manager components.

Installing and Using Password Manager Service

The user installing the service and running the Service Configuration wizard must be a member of the domain (a Domain User) and a member of the local Administrators group on the service computer (add a domain user account to the local Administrators group). The domain user account does not need to be a domain administrator.

Installing and Using Password Manager Console and Application Definition Tool

The user installing the console, performing a console discovery and configuration operation, and using the console must be a domain administrator and a member of the local Administrators group on the console workstation. This user account must have read and write access to the central store. A non-administrator user account can be assigned the right to manage the console and its related functions through Active Directory delegation or constrained delegation.


Installing and Using the Password Manager Agent Software

The user installing the agent software must be a member of the domain (a domain user) and a member of the local Administrators group on the service computer. The domain user account does not need to be a domain administrator.

The user running the agent software must be a member of the domain (a domain user).

Installing the Microsoft .NET 2.0 Framework

This section describes how to install the Microsoft .NET 2.0 framework from the Password Manager installation media. You must install this framework on any computer in your environment where you plan to install the following:

• Console

• Service

• Application Definition Tool

Important: Citrix has included the .NET 2.0 framework version required for Password Manager installation on the Password Manager installation media. Use this version or .NET 3.0.

Always read the readme.htm file located on the Citrix Web site (http://www.citrix.com) for updates and late-breaking information. (You can find the readme and all other Password Manager documentation by opening Password_Manager_Read_Me_First.html in the Documentation folder on the installation media.)

Installing .NET 2.0 Side By Side with .NET 1.1

You can install .NET 2.0 on a workstation or server that also includes .NET 1.1. This installation is known as a side by side installation of the framework. You do not need to uninstall the .NET 1.1 framework from any computer where you plan to install the following Password Manager features:

• Console

• Service

• Application Definition Tool


Related topics:

“Microsoft .NET Versions 1.1 and 2.0” on page 91

To install Microsoft .NET 2.0

1. Access the installation media from the computer where you plan to install the console, service, or Application Definition Tool.

2. If Autorun is enabled: When the Citrix Password Manager installation screen appears, click Browse CD to open Windows Explorer.

If Autorun is disabled: Open Windows Explorer and navigate to the product files.

3. Open the Support folder and then open the DotNet20 folder.

4. For 32-bit systems: open the x86 folder and then click the dotnetfx.exe file.

For 64-bit systems: open the x64 folder and then click the dotnet.exe file.

5. In the Security Warning window, click Run.

6. Click through the installation dialog windows to install the .NET 2.0 framework.

7. Click Finish to complete the installation.

Note: For non-English operating systems, set up .NET Framework language support by installing the Microsoft .NET Framework Version 2.0 language pack. This is available from the Microsoft Web site (http://www.microsoft.com).

Installing the Java Runtime Environment

Password Manager supports the Java Runtime Environment (JRE), Versions 1.4.x, 5 (1.5.x), and 6 (1.6.x). Download the current supported version from the Sun Microsystems Web site (http://java.sun.com).

You can install it on computers where you install the following:

• Console

• Application Definition Tool

• Agent software


If You Install or Upgrade the JRE after Installing the Console, Application Definition Tool, or Agent Software

If you install or upgrade the JRE after installing the console, Application Definition Tool, or agent software, use the Control Panel to update the Password Manager software installed on that computer. This procedure associates the current JRE with these Password Manager components.

To associate the JRE with Password Manager

1. In the Control Panel, go to the Programs area, select one of the following and click Change.

• Citrix Password Manager Console 4.6 with Service Pack 1

• Citrix Password Manager Service 4.6 with Service Pack 1

• Citrix Password Manager 4.6 with Service Pack 1

2. In the setup dialog, select Repair and click Next twice.

3. Click Finish when the console is successfully repaired.

Troubleshooting a Java-Related Error Message When Installing or Uninstalling the Agent Software

You might see the following error message when you attempt to install or uninstall the agent software:

Citrix Password Manager has detected that one or more Java software programs or files are currently in use. Please close all programs and stop all Java-related services before continuing.

Typically, this error occurs if you are installing the agent software on a computer also running a Web server service such as Apache Tomcat, Apache HTTP server, or others. Also, this error might be seen if you are installing the agent software on a computer running Citrix XenApp with License Management Console installed.

In this case, perform the following steps:

1. Stop the service.

2. Install or uninstall the agent software.

3. Restart the service.


Licensing Requirements

Install the license server and add licenses before installing Password Manager.

Important: To run this release, you must have the license server (Version 11.5) that is available from the Licensing folder in the installation media. If you are running an earlier version of the license server, you must upgrade your license server to Version 11.5.

For details about licensing requirements, terms, and installation, see the Getting Started with Citrix Licensing Guide, available at http://support.citrix.com/pages/licensing/ under the “Top Licensing Resources” title on the page. Information about using named and concurrent user licenses with Password Manager is in the Citrix Password Manager Administrator’s Guide.

Note: You can find Getting Started with Citrix Licensing Guide, Citrix Password Manager Administrator’s Guide, and all other Password Manager documentation by opening Password_Manager_Read_Me_First.html in the Documentation folder on the installation media. You can find additional licensing resources at http://support.citrix.com/pages/licensing/ under the “Top Licensing Resources” title on the page.

Before You Install Password Manager

Use Autorun to perform Password Manager tasks such as creating a central store or installing Password Manager components. After you access the installation media, the Autorun installation options screen appears.

If it does not automatically appear:

1. Open Windows Explorer and navigate to the installation files.

2. Click Autorun.exe.

Installation Order

The suggested installation order of Password Manager is as follows:

• License Password Manager.

• Create your central store.

• Install the Password Manager Service if you want to use one or more of the following modules:


• Key management

• Self-service

• Provisioning

• Credential synchronization

• Data integrity

Note: If you decide to install the Data Integrity Module at a later date or after installing the console and agent software, you must digitally sign your existing central store data by using the data signing tool CtxSignData.exe. (This tool is available after you install the Data Integrity Module.) Conversely, if you uninstall the Data Integrity Module, you must unsign your central store data.

• Install the Password Manager Console on one or more computers in your environment.

• Install the Application Definition Tool on one or more computers in your environment when you need to create application definitions only.

• After configuring Password Manager features in the console, install the Password Manager agent software on each user computer in your environment. You can also deploy the agent software as a published application in a Citrix XenApp environment.

Where Can I Install Each Password Manager Component?

Important: Do not install the service and agent software on the same computer.

Do not install Password Manager on a domain controller. Installation of Password Manager agent software, service, console, or NTFS network share central store on a domain controller is not supported.

You can install the service, console, and agent software in any of the following allowed combinations or scenarios:

• You can install the service and console on the same computer.

• You can install the console and agent software on the same computer.


• You can install the agent software on any computer or client device in your environment for access to locally-installed SSO-enabled applications.

• You can install the console and Application Definition Tool on any computer in your environment.

• For testing purposes, you can install the console and the agent software on the same computer so that you can verify that changes you make at the console are reflected on the agent software.

• You can deploy the agent software in a XenApp environment. In this case, the agent software submits or provides credentials for XenApp-published applications only (not applications installed locally on the user workstation or client device).

Important: The server that hosts the Password Manager Service and central store contains highly sensitive user-related information. Use a dedicated server and place that server in a physically secure location.

Creating a Central Store

The following procedures assume that the Password Manager installation media is loaded on the computer that you chose to host the central store and that the Autorun screen appears.

Related topics:

“Which Central Store Type Should I Choose?” on page 15

“Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise” on page 20

“Before You Install Password Manager” on page 60

“Optional - Creating a Central Store from a Command Prompt” on page 65

To create an NTFS network share central store

1. Click Step 2: Create your central store.

2. Click Create your central store in an NTFS network share.

3. Click Yes in the confirmation dialog window.

A command window appears.

4. After the central store is created successfully, press any key to close the command window.


An NTFS Network Share folder is now created as %SystemDrive%\CITRIXSYNC.

Note: If you have users who are not administrators on the file servers but need to manage Password Manager folders, you can add them to the root shared folder and allow them full control. You must also add those users to the People folder and the CentralStoreRoot folder because those folders do not inherit access rights from the root shared folder.

Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.

To create a Novell shared folder central store

Note: Ensure that you are creating this central store from a computer where the Novell client is installed.

Also, agent software running on 64-bit computers cannot connect to Novell shared folder central stores.

1. Click Step 2: Create your central store.

2. Click Create your central store in a Novell shared folder.

3. Click Yes in the confirmation dialog window.

A command window appears.

4. At the PATH: prompt, type a UNC path to the NetWare server, volume, and folder(s) you want to create.

For example: \\NW5SRV\DATA\CITRIXSYNC$.

5. After the central store is created successfully, press any key to close the Windows command window.

A Novell shared folder is now created.

To create an Active Directory central store

Note: Ensure the current server is part of the Active Directory domain and that the current user is a member of the Schema Administrators group and Domain Administrators group. Ensure that the Active Directory Schema Master is configured to allow updates.


Important: If the server you are extending the Active Directory schema from is not the domain controller, ensure the Microsoft Windows utility Ldifde.exe is installed on it before beginning this step. The utility can be found on the Windows installation media or at the Microsoft Web site (http://www.microsoft.com). You will not be able to complete this process if Ldifde.exe is not installed.

1. Click Step 2: Create your central store.

2. Click Create your central store in your Active Directory domain.

3. Click Step 1: Extend your Active Directory schema for the new directory objects.

4. Click Yes in the confirmation dialog window.

A command window appears.

5. After the schema is extended successfully, press any key to close the command window.

Note: Before you complete the next step, ensure that the schema extension propagated to all domain controllers throughout your Active Directory environment.

6. Click Step 2: Create your central store in the extended schema.

7. Click Yes in the confirmation dialog window.

A command window appears.

8. After the schema is extended successfully, press any key to close the command window.

The Active Directory central store is now created.

Related topics:

“Choosing an Active Directory Central Store” on page 17


Optional - Creating a Central Store from a Command Prompt

The Password Manager installation process enables you to create a central store from a command prompt. Creating a central store from a command prompt enables you to use custom parameters instead of the default parameters available from the Password Manager installation screen.

This table shows the central store types and the associated utilities. These utilities are located in the Tools folder on the Password Manager installation media.

Utility: Active Directory Schema Extension Utility
File name: CtxSchemaPrep.exe
Use and description: Use to create an Active Directory central store. Extends your Active Directory schema for use with Password Manager.

Utility: Active Directory Domain Preparation Utility
File name: CtxDomainPrep.exe
Use and description: Use to create an Active Directory central store. Updates the permissions of the Active Directory domain root to allow users to create Password Manager objects under their User object.

Utility: File Synchronization Setup Utility
File name: CtxFileSyncPrep.exe
Use and description: Use to create an NTFS network share central store.

Utility: File Synchronization Setup Utility for Novell NetWare
File name: CtxNWFileSyncPrep.exe
Use and description: Use to create a Novell publicly-accessible shared folder central store.

Creating an Active Directory Central Store from a Command Prompt

Creating an Active Directory central store from a command prompt is a two-step process:

• Extend your Active Directory schema for use with Password Manager.

• Update the permissions of the Active Directory domain root to allow users to create Password Manager objects under their User object.

Note: Ensure that the Active Directory Schema Master is configured to allow updates.

To create the Active Directory central store from a command prompt—Step 1: Extending the Active Directory schema

Important: If the server you are extending the Active Directory schema from is not the domain controller, ensure the Microsoft Windows utility Ldifde.exe is installed on it before beginning this step. The utility can be found on the Windows installation media or at the Microsoft Web site (http://www.microsoft.com). You will not be able to complete this process if Ldifde.exe is not installed.

1. Using an account with Schema Admins group credentials, log on to a server in the Active Directory domain.

2. Verify that the computer that has the Schema Master role is configured to allow schema updates.

3. From a command prompt, access the Tools folder from the installation media.

4. Type CtxSchemaPrep.exe.

5. Ensure that schema changes are completely propagated to all domain controllers in the enterprise before continuing to Step 2: Update domain root permissions.

To create the Active Directory central store from a command prompt—Step 2: Updating domain root permissions

1. Before continuing, ensure that the schema changes made in Step 1: Extend the Active Directory Schema are completely propagated to all domain controllers in the enterprise.

2. Using an account with Domain Admin group credentials, log on to a computer that resides in the domain that you want to configure.

3. From a command prompt, access the Tools folder from the installation media.

4. Type CtxDomainPrep.exe [distinguished name].

where:

distinguished name
Relative distinguished name (DN) of the organizational unit (OU) on which to set the permissions. This DN is appended to the DN of the domain root. By using this option, you can specify an OU to set permissions at the OU level, rather than the domain root level. This technique limits Password Manager use to the OU specified. For example:

CtxDomainPrep.exe OU=Employees

sets the permissions on OU=Employees, DC=your domain, DC=com.

5. Follow the instructions on-screen to finish creating the central store.

Creating an NTFS Network Share Central Store from a Command Prompt

The NTFS file synchronization setup utility CtxFileSyncPrep.exe automatically creates the folders you need for your central store. It also creates the shared folder, the CentralStoreRoot folder, and the People folder with the correct sharing and security permissions.

Ensure the following:

• The central store must belong to the same domain as the workstations or computers running XenApp where the agent software is installed

• Run CtxFileSyncPrep.exe on the server that hosts the NTFS network share

Note: If you have users who are not administrators on the file servers but need to manage Password Manager folders, you can add them to the root shared folder and allow them full control. You must also add those users to the People folder and the CentralStoreRoot folder because those folders do not inherit access rights from the root shared folder. Give these users full permissions on the share permissions, files, and subfolders inside the People folder and the CentralStoreRoot folder.

Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.

To create an NTFS network share central store from a command prompt

1. From a command prompt on the server that will host the NTFS network share, access the Tools folder on the product media.

2. Type CtxFileSyncPrep [/path:pathname] [/share:sharename] [/Admin:[+|-]accountname]

where:

/path:pathname
Specifies the pathname for the NTFS network share on the local server. If you use this parameter, the pathname must be located on the local server. If you do not specify /path:pathname, this command creates the central store in %SystemDrive%\CITRIXSYNC.

/share:sharename
Specifies the sharename for the NTFS network share on the local server. If you do not specify /share:sharename, this command creates the central store share as CITRIXSYNC$.

/Admin:[+ | -]accountname
Adds or removes an account name to enable that account to administer a shared folder. If the plus or minus sign is not specified, the plus sign is the default operation to add an account. Use the plus sign (+) to add an account, where accountname is in the form domain\username or username@domain. Use the minus sign (-) to remove the account, or disable the account administration rights.

The CentralStoreRoot folder and the People folder are created with appropriate sharing and security permissions. Your shared folder is now ready to be used for synchronization.

Creating a Novell Shared Folder Central Store from a Command Prompt

The Novell Shared Folder setup utility CtxNWFileSyncPrep.exe automatically creates the folders you need for your central store. It also creates the shared folder, the CentralStoreRoot folder, and the People folder with the correct sharing and security permissions.

Considerations

• Because the agent software uses a Windows password, the use of Novell NetWare file synchronization requires that users’ Novell password be identical to their Windows password.

• The central store must be located in the same tree as the computers where the agent software is installed.

• Users must log on to a Novell tree where the shared folder is located.

• Users must also have accounts with read access permissions to the Novell NetWare shared folder you designate as the central store.

• Any users without supervisor rights who need to manage Password Manager folders can be added to the root synchronization folder as a Trustee with all rights. This addition grants them the required access to all other folders and files under the root synchronization folder.

Important: Do not use the system volume to host the shared folder. The system volume typically has a limited amount of space available. As data is written to the central store, the system volume could possibly reach capacity, causing your Password Manager environment (and possibly your Novell NetWare server) to stop functioning.

To create a Novell shared folder central store from a command prompt

1. From a command prompt on the server that will host the Novell shared folder, access the Tools directory from the installation media.

2. Type CtxNWFileSyncPrep /path:\\NetWare server\volume\folder

where:

/path:\\NetWare server\volume\folder
Required parameter that specifies the UNC path to the NetWare server, volume, and central store folder to be created. Do not use an existing folder because this utility creates the folder. For example: /path:\\NW5SRV\DATA\CITRIXSYNC

The CentralStoreRoot folder and the People folder are now created with appropriate sharing and security permissions. Your shared folder is ready to be used for synchronization.

Installing and Configuring the Password Manager Service

After you install the service, the Service Configuration wizard runs so that you can configure and enable the service.

The installation and configuration workflow is as follows:

• Acquire and install an SSL certificate on the computers running the service, console, and agent software

• Create the account type required by the service(s) you are going to install

• Install the service(s)

• Complete the Service Configuration wizard

Related topics:

“Selecting Optional Password Manager Service Features” on page 37

“Security and Account Requirements for Password Manager Service” on page 53

“Accounts Required for Service Modules” on page 54

“Before You Install Password Manager” on page 60

To install the service modules

The following procedure assumes that the Password Manager installation media is loaded on the computer that you chose to host the central store and that the Autorun screen appears.

1. Click Step 3: Install administrative components.

2. Click Step 2: Install Password Manager Service (if applicable).

3. Click Next, accept the license agreement, and click Next again.

4. In the Destination Folder window, accept the default destination folder or identify a different one, and then click Next.

5. In the Select Modules window, select the modules you want to install:

• Key Management

• Data Integrity

• Provisioning

• Self-Service

• Credential Synchronization

6. Click Next.

You can click Back if you want to change your choice of modules.

7. Click Install.

8. Click Finish.

The Service Configuration wizard is launched.

To configure the Password Manager Service(s) with the Service Configuration wizard

Note: The Service Configuration wizard is launched after successfully installing one or more service modules. After initial configuration, you can run the wizard at any time by clicking Start > All Programs > Citrix > Password Manager > Service Configuration.

The Welcome page lists any service modules detected as installed.

1. On the Welcome page, click Next.

2. On the Configure service page, specify the following:

Connection Setting
Specify the port number for the service connection. The default port is 443.

SSL Certificate
Select the SSL certificate installed on the service computer to use for communication with client devices. Select the Display Long Name check box to show the LDAP information contained in the certificate.

Virtual host name
Use default value is selected by default if the SSL certificate name and virtual host name match. The virtual host name must match the SSL certificate name. The virtual host is the machine name visible to users when the certificate was created and might not be the actual machine name. For example, the certificate name might include a wildcard (asterisk character) or upper- or lowercase domain name that does not match the certificate domain name case. This setting is useful in a load-balanced or clustered service environment.

Account Credentials
Select the local computer account to use for the service. Typically, you can select the Network Service account.

3. Click Next.

The Create signing certificate page appears.

4. If the wizard detects a signing certificate: Click Next.

If the signing certificate does not exist: Specify a signing certificate expiration time, in months. The default expiration time is 12 months. Click Next.

5. On the Configure data proxy page:

• If you created an Active Directory central store, select Active Directory and click Next

• If you created an NTFS network share central store, select NTFS network share, type the UNC path to the central store you created, and click Next

6. If the Data Integrity Module is installed, select one of the following and click Next.

I do not plan to use the Data Integrity module in this environment
Select this option if you do not require your central store data to be digitally signed and written securely.

I plan to use the Data Integrity module in this environment
Select this option if you do require your central store data to be digitally signed and written securely and you select this service module to be installed.
• Type the name of the computer hosting the Data Integrity Module.
• Select a port for the service. The default port number is 443.

Note: If you decide to install the Data Integrity Module after installing the console and agent software, you must digitally sign your existing central store data by using the data signing tool CtxSignData.exe. This tool is available after you install the Data Integrity Module.

If you uninstall the Data Integrity Module, you must unsign your central store data.

The Configure domains page appears, displaying a list of domains capable of supporting Password Manager Service.

7. On the Configure domains page:

A. Select the check box next to each domain to which you want to enable service support.

B. Select one or more domains and click Properties to open the Edit Configuration dialog box.

C. If you created an Active Directory central store, click Domain Controller and select the correct domain controller from the list.

D. Click Data Proxy Account and type the user name, password, and domain of the data proxy account used to communicate with the central store.

E. If you installed the Self Service module, click Self-Service Features Account and type the credentials for this feature.

F. Click OK to close the Edit Configuration dialog box.

G. Click Next.

Important: If the service is running in a Windows Server 2008 environment with an NTFS central store, you must use CtxFileSyncPrep.exe to add the data proxy account as an administrator to the central store. Type:

CtxFileSyncPrep [/Admin:accountname]

If the service is running in a Windows Server 2008 environment with an Active Directory central store, you also must add the data proxy account as an administrator to the central store. Suggestions about how to do this are on the Citrix Web site (http://support.citrix.com/article/ctx107690).

The Confirm Settings page appears, showing the properties sheet for your service module configuration. Click Back to correct or change any information.

8. Click Finish to commit the service configuration information and Yes to confirm that you want to save the settings. Click Finish again to close the Applying Settings window.
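The Virtual host name setting in step 2 requires the name that users and agents connect to be covered by the SSL certificate, and the wizard's remarks about wildcards and letter case are the two ways that comparison usually goes wrong. The following Python check, an added example rather than code from the guide or from Citrix, shows how such a comparison behaves: DNS names compare case-insensitively, and a wildcard is honoured only as the whole leftmost label and covers exactly one label. That is the rule browsers apply; whether the Password Manager Service applies exactly the same rule is not stated in the guide and is an assumption here. All host and certificate names are constructed sample values.

```python
"""Check a Password Manager Service virtual host name against its SSL certificate name.

Added example; not code from the installation guide or from Citrix. The matching
rule used here (case-insensitive labels; a wildcard only as the whole leftmost
label, covering exactly one label) is the common TLS rule and is an assumption
about how the service compares the two names. All names are constructed.
"""
from typing import List, Tuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels.

    DNS names are case-insensitive, and a trailing dot only marks the root.
    """
    return name.strip().rstrip(".").lower().split(".")


def check_virtual_host(cert_name: str, virtual_host: str) -> Tuple[bool, str]:
    """Return (matches, reason) for whether virtual_host is covered by cert_name."""
    cert, host = _labels(cert_name), _labels(virtual_host)
    if "*" not in cert_name:
        if cert == host:
            if cert_name.strip().rstrip(".") == virtual_host.strip().rstrip("."):
                return True, "exact match"
            return True, "match after case-folding; only the letter case differs"
        return False, f"certificate is for {'.'.join(cert)}, not {'.'.join(host)}"
    # Wildcard certificate: honour '*' only as the entire leftmost label.
    if len(cert) < 2 or cert[0] != "*" or any("*" in lbl for lbl in cert[1:]):
        return False, "wildcard is only honoured as the entire leftmost label, for example *.example.com"
    parent = cert[1:]
    if host[-len(parent):] != parent:
        return False, f"{'.'.join(host)} is not under {'.'.join(parent)}"
    if len(host) != len(cert):
        # node1.pmsvc.example.com is not covered by *.example.com: one label too many.
        return False, (f"a wildcard covers exactly one label; {'.'.join(host)} has "
                       f"{len(host)} labels where {'.'.join(cert)} needs {len(cert)}")
    return True, f"covered by wildcard {'.'.join(cert)}"


def use_default_value(cert_name: str, service_fqdn: str) -> bool:
    """True when the wizard's 'Use default value' choice is consistent: the service
    computer's own fully qualified name is covered by the certificate name."""
    return check_virtual_host(cert_name, service_fqdn)[0]


if __name__ == "__main__":
    # Constructed sample pairs of (certificate name, intended virtual host name).
    for cert, host in [("pmsvc.example.com", "pmsvc.example.com"),
                       ("PMSVC.Example.COM", "pmsvc.example.com"),
                       ("*.example.com", "pmsvc.example.com"),
                       ("*.example.com", "node1.pmsvc.example.com"),
                       ("pmsvc.example.com", "pm.example.com")]:
        ok, why = check_virtual_host(cert, host)
        print(f"{cert:22} {host:28} {'OK ' if ok else 'BAD'} {why}")
```

Run the check against the name in the certificate and the name you intend to type into the Virtual host name field before completing the wizard. A False result means the two names do not match under the usual rule, so Use default value is not the right choice for that certificate and a name the certificate actually covers should be entered instead; in a load-balanced deployment that is typically the shared name users connect to, not the individual node name.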

Related topics:

“Security and Account Requirements for Password Manager Service” on page 53

“Service Account Requirements” on page 55

“Self-Service Requirements” on page 56

Password Manager Service Port Number

The default Password Manager Service port number is 443. When you configure the Password Manager Service, you can use any other available port on the server running the service if port 443 is already in use.

This port number is used by Password Manager to access each service module you install.

• If you install one or more service modules later, make sure that you use the port number that you specified when you first installed the service.

• The service cannot run on multiple ports; if you specify the wrong port, Password Manager might later display “cannot communicate or connect with the Password Manager Service” type error messages.

• Also remember to specify the correct service port number when using the Data Integrity Signing Tool at the command prompt.

Installing and Configuring the Password Manager Console

You can install the console on any computer in your environment. If you want to use Password Manager in a multiple domain environment with multiple central stores, you can install the console on any computer in the domain.

Install the Application Definition Tool on any computer in your environment if you want to create application definitions in standalone mode without needing to install the console.

To install the Password Manager Console

The following procedure assumes that the Password Manager installation media is loaded on the computer that you chose to host the central store and that the Autorun screen appears.

1. Click Step 3: Install administrative components.

2. Click Step 3: Install Password Manager Console.

3. Click Next, accept the license agreement, and click Next again.

4. On the Install Type page, select one or more of the following components to install and click Next:

Console
Select this option to install the console, required to create and manage policies, application definitions, user configurations, and so on.

Application Definition Tool
Select this option to install the tool that enables you to create application definitions without needing to start or use the full console. You can install this tool in standalone mode, on computers where the console is not or cannot be installed.

License Server Administration
Select this option to help manage your licensing from the console. This option enables you to add a shortcut to the license server.

Access Management Console - Diagnostics
Select this option to help Citrix Support troubleshoot console issues.

5. Click Next and then Finish when the installation is complete.

You can now configure the console.

To configure the Password Manager Console

Note: The first time you open the console after installation, it performs a discovery operation and enables you to configure the console settings. After this initial step is completed, you can perform a discovery operation and change the configuration settings at any time by clicking Start > Programs > Citrix > Management Consoles > Access Management Console and clicking Configure and run discovery in the Common Tasks area of the Task pane.

1. Click Start > All Programs > Citrix > Management Consoles > Access Management Console.

The Configure and run discovery wizard appears.

2. On the Welcome page, click Next.

The Select Products or Components page appears.

3. Click Citrix Resources to select Configuration Tools and Password Manager and then click Next.

4. On the Identify Central Store page, select the central store type that you previously created.

• If you created an Active Directory central store, from the list, select the domain controller you want Password Manager to bind to when writing to the central store or select Any writeable domain controller. Click Next.

• If you created an NTFS network share or Novell shared folder central store, type the UNC path to the share. Click Next.

5. On the Configure Data Integrity Options page:

• If you installed the Data Integrity Module and enabled it during the service configuration, select the Enable Data Integrity check box, type the server name and port number in the text fields, and click Next.

• If you installed the Data Integrity Module and do not want to enable it, leave the check box cleared and click Next. Make sure that you first disabled it through the Service Configuration wizard on the service computer.

• If you did not install the Data Integrity Module, click Next.

The Preview Discovery page with the configuration summary appears.

6. Click Next to start discovery.

7. When discovery is successfully completed, click Finish.

The console is now configured for use. You can now use the console to set up your Password Manager environment.

Installing and Configuring the Password Manager Agent Software

Note: For testing purposes, you can install the console and agent software on the same computer so that you can verify that changes you make at the console are reflected on the agent software.

Important: Ensure that you create user configurations before installing the agent software on user desktops. If you install the agent software without corresponding user configurations, users might see an error message when the agent software launches.

Also, agent software running on 64-bit computers cannot connect to Novell shared folder central stores.

The Password Manager agent software is designed to run on client devices: desktop and laptop computers, handheld computers, and other devices. The agent software in this case provides credentials and access to applications running locally on the client device.

You can also install the agent software on a computer running Citrix XenApp. The agent software in this case provides credentials and access to published applications.

Users can use the agent software to access local applications even when they are not connected to a network. User credentials are synchronized when users reconnect to your enterprise network.

When you install the agent software using the Autorun option provided on the Password Manager installation media, the installation software detects your operating system and installs the appropriate agent software.

Important: Password Manager Plugin is the new name for the Password Manager agent software.

Installation Scenarios

The following table shows some environments and schemes for installation:

Citrix XenApp and Citrix Access Gateway
XenApp and Access Gateway provide applications that users access through their Web browsers. Install Password Manager agent software on each server running XenApp.

Mixed Environment
Users access published applications as well as other local applications. Install Password Manager agent software on each server running XenApp and on each desktop.

Local Installation
Users access applications installed on their local devices. Install Password Manager agent software on a local client device.

Software Image for Network Installation
Create an installation image to be made available on your network.

Silent Agent Software Installation
Use the Windows Installer options to install the agent software.

On client devices, the notification area icon indicates how the agent software is deployed:

• An icon of a key on a blue background indicates the software is installed on a client device

• An icon of a key and computer on a blue background indicates the software is published on a computer running XenApp

Considerations

• If you are performing a fresh installation of multiple Citrix products that includes Password Manager, install the agent software last.

• When you configure or change the location of the license server or any other parameter related to licensing, the changes are not applied to any agent software that is in use within your environment. You must shut down and restart the agent software to apply the changes.

• This does not apply to computers using Windows Vista or Windows Server 2008: You must restart the device after you install the agent software so that the GINA DLL can be installed.

The agent software will not run until the workstation is restarted. However, if you prefer that the workstation not be restarted immediately, you can suppress the restart action. To suppress the restart action, use the optional /norestart parameter with the Microsoft installer package msiexec command. To run the installer package with the suppress option, use the command:

msiexec /norestart /i path to msi file including the filename

For the complete list of Windows Installer options, from a command prompt on a workstation where the Windows Installer is installed, type:

msiexec /?

Related topics:

“Preserving the GINA Chain When Installing the Agent Software” on page 83

To install the Password Manager agent software on a local device

The following procedures assume that the Password Manager product media is loaded on the computer where you chose to install the agent software and that the Autorun screen appears.

1. Click Step 4: Install Password Manager Plugin.

2. Click Install Password Manager Plugin.

The Citrix Password Manager Plugin Installation wizard appears.

3. Click Next, accept the license agreement, and click Next again.

4. On the Feature Selection page, select one or more of the optional features to install and click Next:

• Data integrity (if you installed this service)

• Self-service (if you installed this service)

• Hot Desktop (this option requires an existing account to use as the Hot Desktop shared account)

Note: Hot Desktop is not supported on Windows Vista, any server operating system, any platform running terminal services, or any 64-bit operating system

• Java support (this option installs the Password Manager support for the Java Runtime Environment already installed on the client)

5. On the Central Store Configuration page:

A. Select the central store type.

B. If you selected NTFS Network Share or Novell Shared Folder, type the central store’s location.

C. Click Next.

6. On the Specify Server Address page, type the address and port number of the computer hosting the service and click Next.

In the address text field, use the fully-qualified domain name of the service computer. The default port number is 443.

If you selected Hot Desktop, the Hot Desktop Shared Account Configuration page appears.

Note: You cannot have Remote Desktop or Terminal Services running if you are using Hot Desktop. During a Hot Desktop installation, the installer resets the AllowMultipleSessions registry key value to 0.

7. Type the user credentials for the Hot Desktop shared account and click Next.

Specify the domain name to which the workstation belongs using the domain’s NetBIOS name, not the fully qualified domain name.

8. Click Install.

9. Click Finish to complete the installation.

10. Windows Vista or Windows Server 2008: Log off and then log back on to your Windows account. You do not need to restart the client device.

A supported operating system other than Windows Vista or Windows Server 2008: Click Yes to restart the client device.

To create an agent software image for network installation

Important: If you create an image from a 32-bit computer, this image can be installed on 32-bit computers only. If you create an image from a 64-bit computer, this image can be installed on 64-bit computers only.

You can install an image of the agent software on a network share using a utility available from the installation media. The utility creates an installation image of the Password Manager agent software that contains your custom parameters. The following procedures assume that the Password Manager installation media is loaded on the computer where you chose to install the agent software and that the Autorun screen appears.

1. Click Step 4: Install the Password Manager Plugin.

2. Click Create Password Manager Plugin installation image.

The Password Manager Plugin Installation Wizard page appears.

3. Click Next.

4. In the Administrative Installation Package Creation page, type the network share location in which you want to save the installation package and click Next.

5. Select one or more of the optional features to install and click Next:

• Data integrity (if you installed this service)

• Self-service (if you installed this service)

• Hot Desktop (this option requires an existing account to use as the Hot Desktop shared account)

Note: Hot Desktop is not supported on Windows Vista, any platform running terminal services, any server operating system, or any 64-bit operating system

• Java support (this option installs the Password Manager support for the Java Runtime Environment already installed on the client)

The Central Store Configuration page appears.

6. In the Central Store Configuration page:

A. Select the central store type.

B. If you selected NTFS Network Share or Novell Shared Folder, type the central store’s location.

C. Click Next.

The Specify Server Address screen appears.

7. Type the address and port number of the computer hosting the service and click Next.

In the address text field, use the fully-qualified domain name of the service computer. The default port number is 443.

If you selected Hot Desktop, the Hot Desktop Shared Account Configuration screen appears.

Note: You cannot have Remote Desktop or Terminal Services running if you are using Hot Desktop. During a Hot Desktop installation, the installer resets the AllowMultipleSessions registry key value to 0.

8. Type the user credentials for the Hot Desktop shared account and click Next. Specify the domain name to which the workstation belongs using the domain’s NetBIOS name, not the fully qualified domain name.

9. A warning message appears reminding you that before installing the image being created onto a computer running Windows Vista or Windows Server 2008, you must first install the C Run-Time Libraries. These files are provided with the installation software. See “Silent Installation of the Password Manager Agent Software” on page 81. Click OK.

10. On the Admin Installation Verify Ready screen, click Next.

11. Click Finish to complete the installation.

The setup.msi and supporting files are now saved in the network share location you specified.

Important: Before installing the Password Manager agent software from a command prompt onto a Windows Vista computer, you must first install the updated C Run-Time Libraries available from the installation media. The installation will fail without the updated C Run-Time Libraries. See “Silent Installation of the Password Manager Agent Software” on page 81 for details.

Silent Installation of the Password Manager Agent Software

You can install the Password Manager agent software silently from a command prompt by using the Windows Installer quiet mode option /quiet.

To install the Password Manager agent software silently from a command prompt

Important: Before installing the Password Manager agent software from a command prompt onto a Windows Vista computer, you must first install the updated C Run-Time Libraries available from the installation media. The installation will fail without the updated C Run-Time Libraries.

1. For Windows Vista computers only, install the C Run-Time Library:

• For 32-bit computers: From the installation media, run Support\vcredist\vcredist_x86.exe

• For 64-bit computers: From the installation media, run Support\vcredist\vcredist_x86.exe and Support\vcredist\vcredist_x64.exe

2. From a command prompt, navigate to the network share in which the Password Manager image (Citrix Password Manager Plugin.msi) is saved.

3. Type msiexec /i "Citrix Password Manager Plugin.msi" /quiet.

Other commands are available. For the complete list of Windows Installer options, from a command prompt on a workstation where the Windows Installer is installed, type:

msiexec /?
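Step 3 above installs with default settings. The Password Manager-specific options documented in the table that follows select the central store, the service features, and Hot Desktop, and several of them are only valid in combination. The Python module below, an added example that is not part of the guide or of Citrix's tooling, composes the msiexec command line from a description of the target deployment and checks the combination rules the table states before producing it: SYNCPOINTLOC for non-Active Directory central stores, SERVICEURL and SERVICEURLPORT whenever DI_SELECT or SSPR_SELECT is set, and all three Hot Desktop account properties plus DISABLE_TERMINAL_SERVICE=1 whenever HD_SELECT=1. The msi path, share, server and account values are constructed sample values, and the render() function's masking of HD_PASSWORD is this example's own addition: the shared-account password otherwise sits in clear text in anything that records the command line.

```python
"""Compose and validate a silent Password Manager Plugin install command line.

Added example; not code from the installation guide or from Citrix. The property
names are the ones the guide's option table documents; the combination rules
below are the requirements stated in that table, and every sample value is
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CENTRAL_STORE_TYPES = ("FileSyncPath", "ADSyncPath", "NovellSyncPath")


@dataclass
class PluginInstall:
    msi_path: str                                  # path to "Citrix Password Manager Plugin.msi"
    central_store_type: str                        # SYNCPOINTTYPE
    central_store_path: Optional[str] = None       # SYNCPOINTLOC, a UNC path
    data_integrity: bool = False                   # DI_SELECT=1
    self_service: bool = False                     # SSPR_SELECT=1
    service_fqdn: Optional[str] = None             # used to build SERVICEURL
    service_port: int = 443                        # SERVICEURLPORT
    hot_desktop: Optional[Dict[str, str]] = None   # keys: username, password, domain
    restart: str = "norestart"                     # "norestart" or "forcerestart"

    def validate(self) -> List[str]:
        """Return the rule violations; an empty list means the install is consistent."""
        errors: List[str] = []
        if self.central_store_type not in CENTRAL_STORE_TYPES:
            errors.append(f"SYNCPOINTTYPE must be one of {', '.join(CENTRAL_STORE_TYPES)}")
        # SYNCPOINTLOC is only optional for an Active Directory central store.
        if self.central_store_type != "ADSyncPath" and not self.central_store_path:
            errors.append("SYNCPOINTLOC (UNC path) is required for NTFS and Novell central stores")
        if self.central_store_path and not self.central_store_path.startswith("\\\\"):
            errors.append("SYNCPOINTLOC must be a UNC path such as \\\\servername\\foldername$")
        # Both service-backed features need the service address and port.
        if (self.data_integrity or self.self_service) and not self.service_fqdn:
            errors.append("SERVICEURL and SERVICEURLPORT are required when DI_SELECT or SSPR_SELECT is set")
        if not 1 <= self.service_port <= 65535:
            errors.append("SERVICEURLPORT must be a valid TCP port")
        if self.hot_desktop is not None:
            for key in ("username", "password", "domain"):
                if not self.hot_desktop.get(key):
                    errors.append(f"Hot Desktop requires the shared account {key}")
            # The guide asks for the domain's NetBIOS name, not the fully qualified name.
            if "." in self.hot_desktop.get("domain", ""):
                errors.append("HD_DOMAIN must be the NetBIOS domain name, not the fully qualified name")
        if self.restart not in ("norestart", "forcerestart"):
            errors.append("restart must be 'norestart' or 'forcerestart'")
        return errors

    def argv(self) -> List[str]:
        """Build the msiexec argument list, refusing to emit an inconsistent one."""
        errors = self.validate()
        if errors:
            raise ValueError("; ".join(errors))
        args = ["msiexec", "/i", self.msi_path, "/quiet", f"/{self.restart}",
                f"SYNCPOINTTYPE={self.central_store_type}"]
        if self.central_store_path:
            args.append(f"SYNCPOINTLOC={self.central_store_path}")
        if self.data_integrity:
            args.append("DI_SELECT=1")
        if self.self_service:
            args.append("SSPR_SELECT=1")
        if self.data_integrity or self.self_service:
            args.append(f"SERVICEURL=\\\\{self.service_fqdn}\\MPMService")
            args.append(f"SERVICEURLPORT={self.service_port}")
        if self.hot_desktop:
            # DISABLE_TERMINAL_SERVICE=1 is required for Hot Desktop operation, so add it with HD_SELECT.
            args += ["HD_SELECT=1",
                     f"HD_USERNAME={self.hot_desktop['username']}",
                     f"HD_PASSWORD={self.hot_desktop['password']}",
                     f"HD_DOMAIN={self.hot_desktop['domain']}",
                     "DISABLE_TERMINAL_SERVICE=1"]
        return args


def render(args: List[str], redact_secrets: bool = False) -> str:
    """Join the argument list into one cmd.exe line, quoting values that contain spaces.

    With redact_secrets=True the HD_PASSWORD value is masked so the line can be
    logged or pasted into a change record without exposing the shared account.
    """
    parts = []
    for arg in args:
        if redact_secrets and arg.startswith("HD_PASSWORD="):
            arg = "HD_PASSWORD=***"
        if " " in arg:
            name, sep, value = arg.partition("=")
            # PROPERTY="value with spaces" for MSI properties; quote whole paths otherwise.
            arg = f'{name}="{value}"' if sep and not arg.startswith("/") else f'"{arg}"'
        parts.append(arg)
    return " ".join(parts)


if __name__ == "__main__":
    install = PluginInstall(                       # constructed sample deployment
        msi_path=r"\\deploy01\pmimage\Citrix Password Manager Plugin.msi",
        central_store_type="FileSyncPath",
        central_store_path=r"\\fs01\CITRIXSYNC$",
        data_integrity=True, self_service=True,
        service_fqdn="pmsvc.example.com",
    )
    print(render(install.argv()))
```

The argv list is what you would hand to a process launcher; render() exists only for display and review. Because HD_PASSWORD travels on the command line, keep the unredacted rendering out of deployment logs and out of scripts stored on the network share that holds the image, and use the redacted form in change records.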

The following table lists the Password Manager-specific options to use when installing Password Manager from a command prompt. Each option requires an equals sign (=) to set the value (for example, SSPR_SELECT=1 enables the Self-Service features).

Option: Description

SYNCPOINTTYPE
Specifies the central store type. Specify FileSyncPath to use an NTFS network share central store. Specify ADSyncPath to use an Active Directory central store. Specify NovellSyncPath to use a Novell shared folder central store.

SYNCPOINTLOC
Specifies the UNC path for the NTFS network share central store. Specify \\servername\foldername$ where servername is the name of the computer hosting the central store and foldername is the name of the shared folder. This option is not required for an Active Directory central store.

DI_SELECT
Specify 1 to enable the Data Integrity feature.

SSPR_SELECT
Specify 1 to enable the Self-Service feature.

SERVICEURL
Specifies the URL of the service computer. Specify \\FQDN\MPMService, where FQDN is the fully qualified domain name of the service computer. This option is required if DI_SELECT and/or SSPR_SELECT are specified.

SERVICEURLPORT
Specifies the port of the server running the service. The default port is 443. This option is required if DI_SELECT and/or SSPR_SELECT are specified.

/forcerestart
Specify /forcerestart to shut down and restart the workstation after installation. A restart is required for agent software installation. Type msiexec /? for more options. Alternatively, REBOOT="" can be used.

Hot Desktop-Specific Options
See also “Hot Desktop: A Shared Desktop Environment for Users” in the Citrix Password Manager Administrator’s Guide.

HD_SELECT
Specify 1 to install Hot Desktop.

HD_USERNAME
Specifies the Hot Desktop shared account user name.

HD_PASSWORD
Specifies the Hot Desktop shared account password.

HD_DOMAIN
Specifies the Hot Desktop shared account domain.

DISABLE_TERMINAL_SERVICE
Specify 1 to disable Terminal Services, required for Hot Desktop operation.

Important: If you create a Password Manager agent software installation image (.msi) from a 32-bit computer, this image can be installed on 32-bit computers only. If you create an image from a 64-bit computer, this image can be installed on 64-bit computers only.

Preserving the GINA Chain When Installing the Agent Software

Note: Windows Vista and Windows Server 2008 do not use GINA functionality. This section is not applicable to computers using these operating systems.

Graphical Identification and Authentication (GINA) is the Windows component that controls the dialog box that users see when they press the key combination CTRL+ALT+DEL. The dialog box collects the data needed to perform authentication. XenApp, Password Manager, and the Novell NetWare client all interact with or require the replacement of the Microsoft GINA dynamic link library (DLL).

If you install any software that uses a custom GINA DLL, make sure that you do not disrupt the GINA chain. You might be required to install or uninstall software in a specific order to preserve proper GINA chaining. By installing the Password Manager agent software last, you ensure that the Password Manager GINA is called first by the Winlogon process.
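The following PowerShell script is an added example, not part of the Citrix guide and not Citrix tooling. It carries out the command-prompt procedure above (C Run-Time Library on Windows Vista, then msiexec with the properties from the table) and, on systems that still use GINA, records the Winlogon GinaDLL value before and after the install so that you can confirm the Password Manager GINA is now the one Winlogon calls first. The media share, central store share, service FQDN and log directory are hypothetical values; the /q silent switch of the Visual C++ redistributable and the Winlogon\GinaDLL registry value are standard Windows behaviour, but confirm them against your media. It assumes PowerShell 2.0 and an elevated session.

```powershell
# Added example, not part of the Citrix guide: unattended Password Manager Plugin
# install that follows the command-prompt procedure above. Hypothetical values:
# media share \\deploy\PM46SP1, central store \\cstore\PMStore$, service host
# pmsvc.example.com. Run elevated; written for PowerShell 2.0.
param(
    [string]$Media       = '\\deploy\PM46SP1',
    [string]$StoreShare  = '\\cstore\PMStore$',
    [string]$ServiceFqdn = 'pmsvc.example.com',
    [string]$LogDir      = "$env:SystemDrive\Logs"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $LogDir | Out-Null
$log = "$LogDir\PMPlugin-install.log"

$os       = Get-WmiObject Win32_OperatingSystem
$isVista  = ($os.Version -like '6.0.*') -and ($os.ProductType -eq 1)   # 6.0 workstation = Vista
$usesGina = [int]$os.Version.Split('.')[0] -lt 6                       # Vista/2008 have no GINA

function Test-Is64BitOS {
    # True from a 32-bit PowerShell on a 64-bit OS as well (WOW64 sets PROCESSOR_ARCHITEW6432).
    ($env:PROCESSOR_ARCHITECTURE -eq 'AMD64') -or ($env:PROCESSOR_ARCHITEW6432 -eq 'AMD64')
}

function Get-GinaDll {
    # Winlogon loads the GINA named in this value; when it is absent the default msgina.dll is used.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).GinaDLL
    if ($v) { $v } else { 'msgina.dll (default)' }
}

function Install-Vcredist([string]$Exe) {
    # /q is the silent switch of the VC++ 2005/2008 redistributables (assumption: confirm
    # against the version shipped in Support\vcredist on your media).
    $p = Start-Process -FilePath $Exe -ArgumentList '/q' -Wait -PassThru
    if (@(0, 3010) -notcontains $p.ExitCode) { throw "$Exe failed with exit code $($p.ExitCode)" }
}

# 1. Updated C Run-Time Library, Vista only; 64-bit computers need both packages.
if ($isVista) {
    Install-Vcredist "$Media\Support\vcredist\vcredist_x86.exe"
    if (Test-Is64BitOS) { Install-Vcredist "$Media\Support\vcredist\vcredist_x64.exe" }
}

# 2. Record which GINA Winlogon calls first before the agent replaces it.
if ($usesGina) { $ginaBefore = Get-GinaDll }

# 3. msiexec with the Password Manager properties from the table above. /norestart instead
#    of /forcerestart so the reboot can be scheduled; exit code 3010 tells you it is pending.
$msiArgs = @(
    '/i', "`"$Media\Citrix Password Manager Plugin.msi`"",
    '/quiet', '/norestart', "/l*v `"$log`"",
    'SYNCPOINTTYPE=FileSyncPath',
    "SYNCPOINTLOC=$StoreShare",
    'SSPR_SELECT=1',
    "SERVICEURL=\\$ServiceFqdn\MPMService",
    'SERVICEURLPORT=443'
)
$msi = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($msi.ExitCode) {
    0       { Write-Host 'Password Manager Plugin installed.' }
    3010    { Write-Host 'Password Manager Plugin installed; restart pending (3010).' }
    default { throw "msiexec exit code $($msi.ExitCode); see $log" }
}

# 4. Confirm the chain: the value should now name the Password Manager GINA, not the old one.
if ($usesGina) {
    $ginaAfter = Get-GinaDll
    Write-Host "GinaDLL before install: $ginaBefore"
    Write-Host "GinaDLL after install:  $ginaAfter"
    if ($ginaAfter -eq $ginaBefore) {
        Write-Warning 'GinaDLL unchanged: Winlogon will not call the Password Manager GINA first.'
    }
    Write-Host 'Restart the workstation to complete the installation.'
} else {
    Write-Host 'Windows Vista/Server 2008: log off and back on; no restart is needed.'
}
```

Two cautions for anyone scripting this. Anything passed as an MSI property, including HD_PASSWORD for a Hot Desktop install, is visible in the msiexec command line to other local processes and is written into the verbose log produced by /l*v unless the package lists the property in MsiHiddenProperties, which you should not assume; restrict the log directory's ACL or drop verbose logging for Hot Desktop installs. The script also runs vcredist and the .msi straight from the network share, so that share must be writable only by the deployment owners: anyone who can replace those files there gets administrative code execution on every client you deploy to.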

Configuring and Using the Multi-Domain Service Feature

Password Manager Service can process service requests among users in different trusted domains. An administrator can install the Password Manager Console on computers in different domains and create one or more user configurations in each domain.

For example, with the Password Manager Service computer located in DomainA, users associated with a user configuration in DomainA can use the Account Self-Service features to unlock their accounts. Users associated with a user configuration in DomainB can also use this feature, as provided by the DomainA service computer. In this case, multiple user configurations exist in multiple domains and use a single service computer for this feature.

Requirements

Before you implement the multi-domain service feature, ensure that you meet the following requirements:

Component Requirement

Domains Each domain sharing the service must be part of the same domain forest. The domains within the forest must have a two-way transitive trust relationship.

Central store This feature is available for implementations using Active Directory or NTFS network share central stores. It is not available to Novell shared folder central stores. All users sharing the same service computer must use the same central store type: Active Directory or NTFS shared folder. Mixing central store types is not supported. One NTFS shared folder central store per domain is not supported in this case; however, you can use one NTFS shared folder central store per forest.

Data Integrity feature The Data Integrity feature must be used consistently across domains. That is, it is either enabled or disabled in the service and agent software configurations for all domains. For example, you cannot enable this feature in the service configuration and disable it when installing the agent software.

Password Manager Console Each console can view one central store only, not multiple central stores. The Password Manager administrator should install one console in each domain, using a user account with administrative rights in that domain. Alternatively, the administrator can install a console with the ability to access other domains and, as needed, switch to one of those domains by logging on with credentials for that specific domain.

Data Proxy and Self Service accounts You can configure one data proxy account and one self-service account that have read and write access to the central store and sufficient privileges to reset user passwords and unlock user accounts. Optionally, you can specify these accounts for each domain in the Service Configuration tool. A single forest-wide account with password-reset and unlock rights in every domain is a high-value target; specifying a separate account per domain limits what a compromise of one of them can reach.

Task Summary

Perform the following tasks to implement the multi-domain service feature.

Task See this section

Install an instance of the console in each domain that will be using this feature and create user configurations. “Installing and Using Password Manager Console and Application Definition Tool” on page 56

Configure the service. “To configure the service for multidomain use” on page 85

To configure the service for multidomain use

1. Log on as an administrator to the computer where the service is installed.

2. Start the Service Configuration tool by clicking Start > All Programs > Citrix > Password Manager > Service Configuration.

3. When the Service Configuration tool appears, click Domain Configurations in the left pane.

A list of domains appears.

4. Select the check box next to each domain to enable service support on that domain.

5. Select one or more domains and click Properties to open the Edit Configuration dialog box.

6. In the Edit Configuration dialog box:

A. If you created an Active Directory central store, click Domain Controllers and, from the list, select the domain controller you want Password Manager to bind to when writing to the central store, or select Any writeable domain controller.

B. Click Data Proxy Account and type the user name, password, and domain of the data proxy account used to communicate with the central store.

C. If you installed the Self Service module, click Self-Service Features Account and type the credentials for this feature. See “Self-Service Requirements” on page 56.

7. Click OK to close the Edit Configuration dialog box.

8. Click OK and then Yes to save the configuration.

4 Upgrading Password Manager

Important: Do not install Password Manager on a domain controller. Installation of Password Manager agent software, service, console, or NTFS network share central store on a domain controller is not supported.

This section describes the tasks required to successfully upgrade Citrix Password Manager from previous versions to Version 4.6 with Service Pack 1.

Supported Upgrade Paths

You can upgrade Password Manager to Version 4.6 with Service Pack 1 from these versions:

• Password Manager 4.1 (including any service packs or hotfixes)

• Password Manager 4.5 (including any hotfixes)

• Password Manager 4.6

Important: Direct upgrades from Versions 2.5 and 4.0 are not supported.

Summary of Upgrade Steps

Task See This Section or Document

Before Upgrading

Choose the computers in your environment where you will upgrade the software.

• “Planning Your Password Manager Environment” on page 11

• “Installing Password Manager” on page 49

• “Upgrading Existing User Configurations” in the Citrix Password Manager Administrator’s Guide

Prepare the computers for upgrade and export any administrative data.

• “Before You Upgrade Password Manager” on page 88

• “Moving Data to a Different Central Store” in the Citrix Password Manager Administrator’s Guide

• “Backing Up Password Manager Service Files” in the Citrix Password Manager Administrator’s Guide

Back up your central store. Back up the process.xml file on each Hot Desktop workstation.

• “Before You Upgrade Password Manager” on page 88

• “Backing Up Important Files” in the Citrix Password Manager Administrator’s Guide

• “Backing Up Password Manager Service Files” in the Citrix Password Manager Administrator’s Guide

Install the license server and add licenses for Password Manager.

• “Licensing Requirements” on page 60

• Getting Started with Citrix Licensing Guide, available on the Citrix Web site (http://support.citrix.com/pages/licensing/)

Upgrading

Review the Autorun menu. “Before You Install Password Manager” on page 60

Upgrade the license server if necessary and add licenses for Password Manager.

• “Licensing Requirements” on page 35

• Getting Started with Citrix Licensing Guide, available on the Citrix Web site (http://support.citrix.com/pages/licensing/)

Upgrade the Password Manager Service. “Step 1 - Upgrading the Password Manager Service” on page 92

Upgrade the Password Manager Console. “Step 2 - Upgrading the Password Manager Console” on page 93

Upgrade your central store.

• “Which Central Store Type Should I Choose?” on page 15

• “Step 2 - Upgrading the Password Manager Console” on page 93

Upgrade the Password Manager agent software.

• “Step 3 - Upgrading the Password Manager Agent Software” on page 95

• “Installing and Configuring the Password Manager Agent Software” on page 76

Before You Upgrade Password Manager

Consider the following before you begin to upgrade your Password Manager environment.

Using Autorun

Use Autorun to perform Password Manager tasks such as creating a central store or upgrading Password Manager components. After you access the installation media, the Autorun screen appears.

Important: Password Manager Plugin is the new name for the Password Manager agent software.

If it does not start automatically:

1. Open Windows Explorer and navigate to the installation files.

2. Click Autorun.exe.

Upgrade Order

The suggested upgrade order of Password Manager is as follows:

• Install your licenses

Important: To run this release, you must have the license server (Version 11.5) that is available from the Licensing folder in the installation media. If you are running an earlier version of the license server, you must upgrade your license server to Version 11.5.

• Upgrade the Password Manager Service if you are using one or more of the following modules. You can also install additional modules at this time.

• Key management

• Self-service

• Provisioning

• Credential synchronization

• Data integrity


Note: If you decide to install the Data Integrity Module at a later date or after installing the console and agent software, you must digitally sign your existing central store data by using the data signing tool CtxSignData.exe. (This tool is available after you install the Data Integrity Module.) Conversely, if you uninstall the Data Integrity Module, you must unsign your central store data.

• Upgrade the Password Manager Console on one or more computers in your environment.

• Upgrade or install the Application Definition Tool on one or more computers in your environment when you need to create application definitions only.

• After configuring Password Manager features in the console, upgrade or install the Password Manager agent software on each user computer in your environment.

Backing Up Service Data Prior to Upgrading

Use the CtxMoveServiceData.exe tool to back up your service data before upgrading.

Important: Password Manager 4.1 contains the ctxmovekeyrecoverydata.exe tool. If you use this tool to back up your service data, you must use the same tool to import the data into Version 4.6 with Service Pack 1. If you use one tool to back up your service data and the other to import it, data corruption will occur. See “Backing Up Password Manager Service Files” in the Citrix Password Manager Administrator’s Guide.

Backing Up the Process.xml File (Hot Desktop Environments Only)

If you previously used the Hot Desktop feature, ensure that you back up the process.xml file, located in the %SystemDrive%\Citrix\Metaframe Password Manager\HotDesktop folder on each Hot Desktop workstation.

The existing process.xml file is retained during the upgrade, but it is a best practice to protect this information.

Backing Up Your Existing Central Store

As a best practice, always back up your existing central store before upgrading.


Note: The agent software for Password Manager 4.1 and 4.5 can work with a Password Manager 4.6 central store. However, new features introduced in Version 4.6 are not available to those earlier versions. Upgrade the agent software whenever possible to match the service and console versions. An upgrade helps ensure that users have access to the latest features and security enhancements.

Upgraded Policies, Application Definitions, Questions/Questionnaires, and User Configurations

The first time you configure and run discovery in the upgraded console for Password Manager, you have the option to upgrade your central store (and the data in it). Existing policies, questions, questionnaires, application definitions, and user configurations are preserved.

Upgrade all agent software to the latest version to provide users with access to updated features and enhanced security. Also consider modifying your policies, application definitions, and user configurations for the same reason.

Microsoft .NET Versions 1.1 and 2.0

You can install .NET 2.0 on a workstation or server that also includes .NET 1.1. This installation is known as a side-by-side installation of the framework. You do not need to uninstall the .NET 1.1 framework from any computer in your environment.

Important: Previous releases of the Access Management Console required Version 1.1 of Microsoft’s .NET Framework. Where later versions of the .NET Framework were also present, Citrix provided a workaround in the form of a file named mmc.exe.config that ensured Version 1.1 was loaded.

This workaround is no longer required and must be removed. If you do not remove the workaround, the console does not start and displays an error message such as Snap-in failed to initialize. To prevent this issue, remove the file \Windows\system32\mmc.exe.config (if it is present).

These operations prevent previous releases of the console from working (because they rely on Version 1.1 of .NET Framework). If you have earlier releases and do not want to upgrade them, contact Citrix Technical Support for an alternative workaround.
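The following PowerShell script is an added example, not part of the Citrix guide and not Citrix tooling. It performs the pre-upgrade backups the preceding sections call for (process.xml on every Hot Desktop workstation and the NTFS network share central store) and retires the mmc.exe.config workaround just described on each console host, backing the file up before removing it. Host names, the backup share and the central store share are hypothetical; it assumes the remote hosts are reachable over the C$ administrative share with administrative rights, that %SystemDrive% is C: and %SystemRoot% is C:\Windows on them, and that robocopy.exe is available on the administrative workstation. Written for PowerShell 2.0, which lacks Get-FileHash, so the hashing is done with the .NET SHA-256 class directly.

```powershell
# Added example, not part of the Citrix guide: pre-upgrade backup of the items the guide
# says to protect, plus retirement of the .NET 1.1 mmc.exe.config workaround.
# Hypothetical names: host lists, backup root \\backup\PMUpgrade$, central store share.
# Remote paths assume %SystemDrive% = C: and %SystemRoot% = C:\Windows.
param(
    [string[]]$HotDesktopHosts = @('HD-WS01', 'HD-WS02'),
    [string[]]$ConsoleHosts    = @('PMCONSOLE01'),
    [string]$CentralStore      = '\\cstore\PMStore$',
    [string]$BackupRoot        = '\\backup\PMUpgrade$'
)
$ErrorActionPreference = 'Stop'
$run = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Force -Path $run | Out-Null
$manifest = Join-Path $run 'manifest.txt'

function Get-Sha256Hex([string]$Path) {
    # Get-FileHash needs PowerShell 4; this runs on the PowerShell 2 of the XP/Vista era.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { [BitConverter]::ToString($sha.ComputeHash($fs)).Replace('-', '') }
    finally { $fs.Close() }
}

function Backup-File([string]$Source, [string]$Label) {
    # Copies one file into the run folder, verifies the copy by hash, records it in the manifest.
    if (-not (Test-Path -LiteralPath $Source)) {
        Add-Content $manifest "MISSING`t$Label`t$Source"
        return $false
    }
    $dest = Join-Path $run $Label
    New-Item -ItemType Directory -Force -Path (Split-Path $dest) | Out-Null
    Copy-Item -LiteralPath $Source -Destination $dest
    $srcHash = Get-Sha256Hex $Source
    $dstHash = Get-Sha256Hex $dest
    if ($srcHash -ne $dstHash) { throw "Hash mismatch copying $Source" }
    Add-Content $manifest "OK`t$Label`t$Source`t$srcHash"
    return $true
}

# 1. process.xml from every Hot Desktop workstation (folder named in the guide, via C$).
foreach ($ws in $HotDesktopHosts) {
    $src = "\\$ws\C$\Citrix\Metaframe Password Manager\HotDesktop\process.xml"
    Backup-File $src "$ws\process.xml" | Out-Null
}

# 2. The NTFS network share central store. /COPY:DATSO keeps NTFS ACLs and owners, which the
#    store relies on. The copy holds users' encrypted secondary credentials, so the backup
#    share needs access restrictions at least as tight as the store itself.
$storeDest = Join-Path $run 'CentralStore'
& robocopy.exe $CentralStore $storeDest /E /COPY:DATSO /R:1 /W:1 /NP "/LOG+:$run\robocopy.log" | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE); see $run\robocopy.log" }
Add-Content $manifest "OK`tCentralStore`t$CentralStore`trobocopy exit $LASTEXITCODE"

# 3. Retire the .NET 1.1 workaround on each console host: back it up, then remove it so the
#    upgraded console starts instead of failing with "Snap-in failed to initialize".
#    Older consoles on that host, which rely on .NET 1.1, stop working once it is gone.
foreach ($ch in $ConsoleHosts) {
    $cfg = "\\$ch\C$\Windows\System32\mmc.exe.config"
    if (Backup-File $cfg "$ch\mmc.exe.config") {
        Remove-Item -LiteralPath $cfg
        Add-Content $manifest "REMOVED`t$ch\mmc.exe.config`t$cfg"
    }
}
Write-Host "Backup run complete: $run (see manifest.txt)"
```

The manifest records a SHA-256 for every file copied, so that before a restore you can check the backup has not been altered in the meantime; robocopy exit codes below 8 indicate success (possibly with extra or skipped files), 8 and above indicate copy failures. Run the script once per upgrade wave and keep the run folder until the upgraded central store has been verified with the new console.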


Related topics:

“Installing the Microsoft .NET 2.0 Framework” on page 57

Step 1 - Upgrading the Password Manager Service

If your environment uses the Password Manager Service, you must upgrade all modules of the service in use at the same time. Your existing service modules are removed during the upgrade process and replaced by those of Password Manager 4.6 with Service Pack 1.

Note: If you are not using the Password Manager Service in your existing Password Manager environment, you need to upgrade only the console, central store, and agent software.

You must provide service configuration information, such as settings, service account user name and password, and the location of your central store as part of the upgrade process.

If you are upgrading from Password Manager 4.1 and installed the service and the console on the same computer, you must upgrade both.

Important: You cannot specify a local user account as the service account in this version of Password Manager. See “Service Account Requirements” on page 55.

The following procedures assume that the Password Manager installation media is loaded on the computer that you chose to host the central store and that the Autorun screen appears.

Related topics:

“Service Account Requirements” on page 55

“To configure the Password Manager Service(s) with the Service Configuration wizard” on page 71

To upgrade the Password Manager Service

1. Click Step 3: Install administrative components.

2. Click Step 2: Install Password Manager Service (if applicable).

3. Click Yes in the confirmation dialog box to remove the previous version of the service and proceed with the installation.


4. For upgrading from Version 4.1 only: Click Yes in the confirmation dialog box stating you must upgrade the Password Manager Console after upgrading the service.

5. Click Next, accept the license agreement, and click Next again.

6. On the Destination Folder page, click Next.

7. In the Select Modules page, select the modules you want to install:

• Key Management

• Data Integrity

• Provisioning

• Self-Service

• Credential Synchronization

8. Click Next.

9. Click Install.

10. Click Finish.

When the installation wizard is finished, the Service Configuration wizard opens. Provide the information needed to configure the service, such as connection settings, certificate name, service user account name and password, and the location of your central store.

Related topics:

“To configure the Password Manager Service(s) with the Service Configuration wizard” on page 71

Step 2 - Upgrading the Password Manager Console

The console you use to manage your existing Password Manager environment is removed when you install the console for Password Manager 4.6 with Service Pack 1. For best results, upgrade all installed consoles and the Application Definition Tool.

Important: The first time you configure and run discovery on the console after upgrading from Password Manager 4.1 or 4.5, you are asked to upgrade your central store and the data it contains. Upgraded central stores are not compatible with older versions of the console.


Related topics:

“Backing Up Your Existing Central Store” on page 90

“Installing .NET 2.0 Side By Side with .NET 1.1” on page 57

To upgrade the Password Manager Console

1. Click Step 3: Install administrative components.

2. Click Step 3: Install Password Manager Console.

3. Click Next, accept the license agreement, and click Next again.

The Upgrade Citrix Password Manager Console page appears.

4. Click Next to confirm the removal of the existing version of the console and the continuation of the installation.

The Install Type page appears.

5. Select one or more of the following components to install and click Next:

Console Select this option to install the console, required to create and manage policies, application definitions, user configurations, and so on.

Application Definition Tool Select this option to install the tool that enables you to create application definitions without needing to start or use the full console. You can install this tool in standalone mode, on computers where the console is not or cannot be installed.

License Server Administration Select this option to help manage your licensing from the console. This option adds a shortcut to the license server.

Access Management Console - Diagnostics Select this option to help Citrix Support troubleshoot console issues.

6. Click Next and click Finish when the installation is complete.

7. Click Start > All Programs > Citrix > Management Consoles > Access Management Console.

8. For upgrades from Version 4.1 or 4.5 only: When asked if you want to upgrade the central store at this time, click Yes.

9. For upgrades from Version 4.1 only: Click Upgrade.

Note: If you click Don’t Upgrade, you must configure and run discovery from the console each time until you upgrade (that is, exit and restart the console and click Upgrade). You cannot save any settings or results of the discovery in the console that appears if you click Don’t Upgrade.

10. Configure the console.

Note: For upgrading from Version 4.1 or 4.5 only: If you subsequently configure and run discovery from the Version 4.6 with Service Pack 1 console as part of the upgrade process and your central store type is an NTFS network share, you will be prompted to upgrade the central store. Click OK to upgrade or Cancel to exit. If you do not upgrade your central store at this time, you can use only previous versions (4.1 and 4.5) of the console to work with the central store.

Related topics:

“To configure the Password Manager Console” on page 75

Step 3 - Upgrading the Password Manager Agent Software

Note: If you upgrade the Password Manager Service and console but do not upgrade the agent software, Password Manager will still provide basic functionality to users whose user configurations are associated with Active Directory hierarchies (organizational units or users). However, your users will not have access to the latest Password Manager features. Consider upgrading the agent software whenever possible to match the service and console versions.

The existing agent software is removed when you install the agent software for Password Manager 4.6 with Service Pack 1.

Important: Password Manager Plugin is the new name for the Password Manager agent software.


To upgrade the Password Manager Agent Software on a local device

Note: If you plan to use Hot Desktop in your environment as part of your agent software installation, see “The Hot Desktop User Experience” on page 35.

The following procedures assume that the Password Manager installation media is loaded on the computer where you chose to install the agent software and that the Autorun screen appears.

1. Click Step 4: Install Password Manager Plugin.

2. Click Install Password Manager Plugin.

The Upgrade Detection dialog box appears.

3. Click Yes in the confirmation dialog box to remove the previous version of the agent software and proceed with the installation.

The Citrix Password Manager Plugin Installation wizard appears.

4. Click Next, accept the license agreement, and click Next again.

The Feature Selection page appears.

5. Select one or more of the optional features to install and click Next:

• Data Integrity (if you installed this service)

• Self-Service (if you installed this service)

• Hot Desktop (this option requires an existing account to use as the Hot Desktop shared account)

Note: Hot Desktop is not supported on Windows Vista, any platform running terminal services, any server operating system, or any 64-bit operating system.

Note: You cannot have Remote Desktop, Terminal Services, or Windows XP Fast User Switching enabled if you are using Hot Desktop. If these are enabled, you will be prompted to disable them if you select Hot Desktop.

• Java support (this option installs the Password Manager support for the Java Runtime Environment already installed on the client)


6. On the Central Store Configuration page, do the following:

A. Select the central store type.

B. If you selected NTFS Network Share or Novell Shared Folder, verify the central store’s location.

C. Click Next.

The Specify Server Address page appears.

7. Verify the address and port number of the computer hosting the service and click Next.

In the address text field, use the fully-qualified domain name of the service computer. The default port number is 443.

If you selected Hot Desktop, the Hot Desktop Shared Account Configuration screen appears.

8. Type the user credentials for the Hot Desktop shared account and click Next.

Specify the domain name to which the workstation belongs using the domain’s NetBIOS name, not the fully qualified domain name.

9. Click Install.

10. Click Finish to complete the installation.

11. Perform one of the following:

• If you are using a supported operating system other than Windows Vista or Windows Server 2008, click Yes to restart the client device. The restart is required to complete the installation.

• If you are using Windows Vista or Windows Server 2008, log off and then log back on to your account. You do not need to restart the client device.
