Contents
1 Welcome (page 7)
Password Manager Product Line (page 7)
Password Manager Advanced Edition (page 7)
Password Manager Enterprise Edition (page 8)
Finding Documentation (page 8)
Documentation Conventions (page 8)
Getting Support and Training (page 9)
Welcome
Citrix Password Manager provides password security and single sign-on access to
Windows, Web, and terminal emulator applications running in the Citrix
environment as well as applications running on the desktop. Users authenticate
once and Password Manager does the rest, automatically logging on to
password-protected information systems, enforcing password policies, monitoring all
password-related events, and even automating user tasks, including password
changes.
This document, the Citrix Password Manager Installation Guide, presents the
information you need to plan and carry out the installation of Password Manager
4.6 with Service Pack 1 or the upgrade of your existing version of Password
Manager to Password Manager 4.6 with Service Pack 1.
Finding Documentation
The document Welcome to Citrix Password Manager, also referred to by its file name
Password_Manager_Read_Me_First.html, is included on the installation media
and contains links to documents that help get you started. It also contains links to
the most up-to-date product documentation and to related technologies. You can
open this document from Autorun by clicking Step 1: View installation
checklist and other documentation.
The Citrix Knowledge Center Web site, http://support.citrix.com, contains links
to all product documentation, organized by product. Select the product you want
to access and then click the Documentation tab from the product information
page.
Known issues information is included in the product readme.
To provide feedback about the documentation, click the Article Feedback link
located on the right side of the product documentation page.
Documentation Conventions
For consistency, Windows Vista and Windows Server 2008 terminology is used
throughout the documentation set; for example, “Documents” rather than “My
Documents” and “Computer” rather than “My Computer” are used.
1 Welcome 9
Convention: Meaning
Boldface: Commands, names of interface items such as text boxes, option buttons, and user input.
Italics: Placeholders for information you provide. For example, filename means you type the actual name of a file. Italics are also used for new terms and titles of books.
Monospace: Text displayed in a text file.
{braces}: In a command, a series of items, one of which is required. For example, {yes | no} means you must type yes or no. Do not type the braces themselves.
[brackets]: In a command, optional items. For example, [/ping] means you can type /ping with the command. Do not type the brackets themselves.
| (vertical bar): In a command, a separator between items in braces or brackets. For example, { /hold | /release | /delete } means you must type /hold or /release or /delete.
... (ellipsis): The previous item(s) in the command can be repeated. For example, /route:devicename[,…] means you can type additional devicenames separated by commas.
This section contains information to help you plan your Password Manager
environment and help you decide how to implement Password Manager.
Related topics:
“Planning Your Password Manager Environment” on page 11
“Installing Password Manager” on page 49
Getting Started
A Password Manager environment can include the following:
• Shared network folders or Active Directory containing the central store
• One or more computers running the Password Manager Console
• User computers running the Password Manager agent software
• A dedicated server hosting the Password Manager Service with one or more
feature modules installed on it
• Citrix XenApp environment hosting the Password Manager agent software
• Authentication devices such as smart cards
• Password Manager features such as Hot Desktop and key management
After you have your Password Manager plan, you can start implementing it in
your environment. The following table shows what you need to do to get started
using Password Manager.
Password Manager uses a repository known as the central store to store and
retrieve information about your users and your environment. Password Manager
relies on the data in the central store to perform all default and configured single
sign-on functions.
The central store contains user data and administrative data:
• User data in the central store includes user secondary credentials, security
questions and answers, service-related data (for example, provisioned data,
question-based authentication data, key recovery enrollment, and so on),
and user Windows registry data associated with Password Manager
Note: Citrix Password Manager allows you to migrate users from one central
store type to another if you later decide that one type is more suitable than the
current one used in your environment. See “Moving Data to a Different Central
Store” in the Citrix Password Manager Administrator’s Guide.
Note: If your enterprise forest contains multiple domains, see “Using Account
Association with Multiple Central Stores and User Account Credentials in a
Multiple Domain Enterprise” on page 20.
Also see “Specifying Domain Controllers for User Configurations” in the Citrix
Password Manager Administrator’s Guide for information about user
configurations in multiple domain controller environments.
Class: Description
citrix-SSOConfig: Describes the object containing data for the agent software settings, synchronization state, the application definitions, and the first-time agent software use behavior. This class includes the following attributes: citrix-SSOConfigData (contains the actual data) and citrix-SSOConfigType (specifies the data type).
citrix-SSOSecret: Describes the secret data object used to authenticate a Password Manager user. This class includes the following attribute: citrix-SSOSecretData (contains encrypted credential data for an application and Account Self-Service password reset data).
Note: See the CitrixMPMSchema.xml file in the \Tools folder on the Password
Manager installation media for more information about these classes and
attributes.
Choosing to use an NTFS network share as your central store enables you to
leverage the convenience of your existing Active Directory user authentication
and tree structure without having to extend the Active Directory schema. For
example, you can apply user-specific settings to any level in a domain—domain,
organizational unit, group, or user.
Password Manager creates a shared folder named CITRIXSYNC with two
subfolders named People and CentralStoreRoot.
The People folder contains a subfolder for each user and includes the appropriate
read and write permission properties for the user. The CentralStoreRoot folder
contains administrative data.
Choosing to use a Novell NetWare shared folder as your central store enables you
to leverage the convenience of your existing Novell NetWare directory services.
Using this central store type is similar to using an NTFS network share.
Configure a secured network folder in eDirectory to store all data associated with
your Password Manager environment. Applications and settings can be defined
and assigned at the domain level.
Related topics:
“Default Settings for the Default and Domain Password Policies” on page 24
You can create password policies as needed: you can apply one policy for your
domain sharing group, create individual policies to apply to individual groups of
applications to secure them further, and so on.
In general, password policies can specify restrictions such as the following:
• A minimum and maximum number of characters for a password
• Alphabetical and numerical character usage
• Number of times a character can be repeated
• Excluding or requiring which characters or special characters can be used
• Whether or not users can view their stored passwords
• How many times users can try entering their password correctly
• Password expiration parameters
• Password history and password exceptions
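As an added illustration, not code from this guide or from the product, the following Go program evaluates a candidate password against a policy built from the kinds of restrictions listed above (length bounds, letter and digit usage, repeat limit, required and excluded characters, and password history). The Policy fields, the sample policy values and the sample history are constructed for this example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Policy models the restriction types a password policy can express. The field
// names are this example's own; they are not Password Manager console settings.
type Policy struct {
	MinLength     int    // minimum number of characters
	MaxLength     int    // maximum number of characters (0 = no maximum)
	RequireAlpha  bool   // at least one alphabetical character
	RequireDigit  bool   // at least one numerical character
	MaxRepeat     int    // how many times any one character may appear (0 = unlimited)
	RequiredChars string // at least one of these special characters must appear ("" = none)
	ExcludedChars string // none of these characters may appear
	HistoryDepth  int    // how many previous passwords a new one may not match
}

// Check returns every rule the candidate violates, given the user's previous
// passwords (most recent first). An empty result means the candidate passes.
func (p Policy) Check(candidate string, history []string) []string {
	var problems []string
	runes := []rune(candidate)

	if len(runes) < p.MinLength {
		problems = append(problems, fmt.Sprintf("fewer than %d characters", p.MinLength))
	}
	if p.MaxLength > 0 && len(runes) > p.MaxLength {
		problems = append(problems, fmt.Sprintf("more than %d characters", p.MaxLength))
	}

	// Character-class usage and per-character repeat counts in one pass.
	hasAlpha, hasDigit := false, false
	counts := map[rune]int{}
	for _, r := range runes {
		counts[r]++
		hasAlpha = hasAlpha || unicode.IsLetter(r)
		hasDigit = hasDigit || unicode.IsDigit(r)
	}
	if p.RequireAlpha && !hasAlpha {
		problems = append(problems, "no alphabetical character")
	}
	if p.RequireDigit && !hasDigit {
		problems = append(problems, "no numerical character")
	}
	if p.MaxRepeat > 0 {
		reported := map[rune]bool{}
		for _, r := range runes { // walk in input order so the report is deterministic
			if counts[r] > p.MaxRepeat && !reported[r] {
				reported[r] = true
				problems = append(problems, fmt.Sprintf("%q appears %d times (limit %d)", r, counts[r], p.MaxRepeat))
			}
		}
	}

	if p.RequiredChars != "" && !strings.ContainsAny(candidate, p.RequiredChars) {
		problems = append(problems, fmt.Sprintf("none of the required characters %q present", p.RequiredChars))
	}
	if p.ExcludedChars != "" && strings.ContainsAny(candidate, p.ExcludedChars) {
		problems = append(problems, fmt.Sprintf("contains an excluded character from %q", p.ExcludedChars))
	}

	// Password history: the new password may not repeat any of the last HistoryDepth.
	for i, old := range history {
		if i >= p.HistoryDepth {
			break
		}
		if old == candidate {
			problems = append(problems, fmt.Sprintf("matches one of the last %d passwords", p.HistoryDepth))
			break
		}
	}
	return problems
}

// AppPolicy is a constructed example policy for a group of applications.
var AppPolicy = Policy{
	MinLength: 8, MaxLength: 32,
	RequireAlpha: true, RequireDigit: true,
	MaxRepeat:     2,
	RequiredChars: "!@#$%",
	ExcludedChars: " ",
	HistoryDepth:  3,
}

func main() {
	history := []string{"Autumn2023!", "Summer2023!", "Spring2023!"} // constructed sample history
	for _, pw := range []string{"Winter2024!", "aaaa", "Summer2023!", "Winter 2024!"} {
		fmt.Printf("%-15q -> %v\n", pw, AppPolicy.Check(pw, history))
	}
}
```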
The agent software responds according to application definitions that you create
from scratch or copy from existing templates. An application definition:
• Enables the agent software to recognize and respond to applications and the
forms used by the applications to process user credentials
• Consists of a set of identifiers that establish parameters to accomplish this
recognition and response
Within each definition, you create logon and password-related forms required by
the application to enable access. The application definition wizards can help you
create a definition if you open the application; the wizards can detect the forms
and fields of most applications by using Password Manager’s window-matching
capabilities.
Related topics:
“Do I Need to Use Identity Verification?” on page 29
“Guidelines for Multiple Primary Authentication and User Credential Protection
Choices” on page 42
• Users change their authentication types; for example, a user might switch
between smart card and password authentication (you can create a user
configuration that requires initial verification only when switching between
authentication types)
• An administrator changes a user’s primary password
• Users reset their primary password using Account Self-Service
• Users unlock their domain account using Account Self-Service
• Users change their primary password on a device that does not have the
agent software installed and then log on to a device where the agent
software is installed
Password Manager can be configured to verify the user's identity to ensure that
the user is authorized to use Password Manager. You can select one of two
identity verification methods:
Method: Description
Previous Password: In this case, users verify their identities by entering their previous primary password.
Security questions (also known as question-based authentication): In this case, you create a questionnaire that contains as many questions and question groups as you want to make available to users. You can use the default questions Password Manager provides or create your own.
Related topics:
“Recovering or Unlocking User Credentials Automatically” on page 31
You can configure Password Manager to bypass identity verification and retrieve
user credentials (that is, encryption keys associated with the user data)
automatically by installing the Password Manager Service and using the Key
Management Module.
The basic workflow to use automatic key management is as follows:
1. Install the Citrix Password Manager Service with the Key Management
Module.
2. Create or edit user configurations and select the key recovery method that
allows automatic key management without identity verification. This
Related topics:
“What Type of Smart Cards Are Used in My Enterprise?” on page 28
“Do I Need to Use Identity Verification?” on page 29
Planning Considerations
• If you need to apply the same user configuration settings to a different
group of users, duplicate the user configuration in the console and modify
the settings accordingly.
• How you organize your Password Manager user environment might affect
how user configurations operate. That is, you associate user configurations
in your Password Manager environment with an Active Directory hierarchy
(OU or users) or an Active Directory group. If you use both (hierarchy and
group) and a user is located in both containers, the user configuration
associated with the hierarchy takes precedence and is the one used. This
scheme is considered a mixed environment.
• The user configuration information maintained in the central store takes
precedence over information stored in the local store (that is, user data
stored on a user’s computer). The local store user data is mostly used when
the central store is not available or offline.
The Hot Desktop feature allows users to share workstations efficiently and
securely. With Hot Desktop, you get the convenience of fast user switching in
addition to single sign-on capability through Password Manager.
Before you can implement Hot Desktop, however, you must:
• Create Hot Desktop-related user configurations
• Configure a Hot Desktop shared account
• Edit the scripts that define what applications run on Hot Desktop devices
and their startup and shutdown behavior
Hot Desktop functionality is not installed by default; you can select it during the
initial installation of the agent software. You can also upgrade existing
deployments to use Hot Desktop.
Note: If you deploy Hot Desktop in an environment where users log on with
smart cards and your selected smart card key source is DPAPI with Profile, do not
select Prompt user to enter the previous password as the only key recovery
method for those users. Users in such an environment cannot enter the correct
previous password and, consequently, are irretrievably locked out of the system.
To avoid this problem, select the automatic key management option or make
question-based authentication available as an option.
Controlling Applications
With Hot Desktop, users can authenticate quickly using their Windows account
credentials or smart card strong authenticator. As the administrator, you can
configure Hot Desktop to launch applications in the Hot Desktop environment so
your users do not have to search for and wait for their applications to launch.
You can also configure Hot Desktop to help ensure that all applications terminate
properly, leaving behind a clean environment for the next user session.
Licensing Requirements
Install the license server and add licenses before installing Password Manager.
Important: To run this release, you must have the license server (Version 11.5)
that is available from the Licensing folder in the installation media. If you are
running an earlier version of the license server, you must upgrade your license
server to Version 11.5.
For details about licensing requirements, terms, and installation, see the Getting
Started with Citrix Licensing Guide, available at
http://support.citrix.com/pages/licensing/ under the “Top Licensing Resources” title on the page.
Disconnected Mode
Note: This mode is set as part of a user configuration. See “Configure
Licensing” in the Citrix Password Manager Administrator’s Guide.
If you have users who will be disconnected from the license server for extended
periods of time, such as mobile users with laptops, you must specify a
disconnected mode period for these users. The disconnected mode period is
specified as part of the licensing settings in the user configuration. The
disconnected mode period specifies two important aspects of licensing behavior:
• The amount of time the user can be disconnected from the license server
without entering the licensing grace period. When the disconnected mode
period expires, the users employing the associated user configuration lapse
into the licensing grace period, which is 30 days.
• The amount of time until a checked out license, which is being used in
disconnected mode, is returned to the pool of available licenses on the
license server regardless of whether or not the product reconnects to the
license server. If a license is checked out and the disconnected mode
associated with that license expires before the license is checked in, the
license server automatically checks the license back in so the license is
available again. For example, if a laptop running Password Manager is lost
and never reconnects with your organization’s network, the license server
automatically checks the license back in at the end of the disconnected
mode period.
When you set the disconnected mode, you are actually specifying how long you
want to wait until the license is returned to the pool of available licenses.
Consider setting long disconnected mode periods for users who do not connect to
your organization’s network regularly, such as Sales personnel who work
remotely. Set the period to be the longest amount of time you anticipate users in
this configuration could be away from your network. However, keep in mind you
cannot retrieve any checked out licenses, even from lost or broken equipment, for
the duration of this period.
Important: The server that hosts the Password Manager Service contains
highly sensitive user-related information. Citrix recommends that you use a
dedicated server and that you place the server in a physically secure location.
Account Self-Service
Note: You can use the Account Self-Service feature only in an Active Directory
environment to allow your users to reset their primary password or unlock their
Windows domain accounts.
You can configure the self-service features of Password Manager to allow your
users to reset their primary password or unlock their Windows domain accounts
without intervention by administrative or help desk staff. Depending on your
needs, you can implement one or both of the self-service password reset and
account unlock features securely in your Password Manager environment.
Self-Service Password Reset allows users who forgot their primary password to
reset their password and unlock their own accounts. Account Unlock allows your
users to unlock their domain accounts when a lockout event occurs.
These account features are protected by Question-Based Authentication to help
ensure that your users are authorized to reset their passwords or unlock their
accounts.
With Account Self-Service enabled, users must enroll, a process that requires
them to answer the security questions you create and select. These security
questions are then presented to users when they need to reset their password or
unlock their account. When the questions are answered correctly, users are
allowed to reset their password or unlock their account.
You can also use Account Self-Service with Web Interface. Web Interface is a
component of Citrix XenApp that allows users to access their published
applications by clicking links on a Web page.
Note: Account Self-Service does not support user principal name (UPN)
logons, such as username@domain.com.
Data Integrity
Note: If you already implement a security framework that protects data in
transit, such as IPsec (Internet Protocol Security) or SMB (Server Message
Block) signing, you do not need to install the Data Integrity Module.
Install the Data Integrity Module if you want to ensure that data transmitted
among the Password Manager components is provided by a trusted and
authorized source. This module is optional and is designed for users who have
non-trusted networks.
The Data Integrity Module contains the public and private key files used for
signing the data. It utilizes RSA public key cryptography to ensure that the agent
software obtains configuration data provided by an authorized source only.
Important: The Data Integrity Module never distributes its private key.
After the console signs the data, the console sends both the data and the signature
to the central store. The agent software receives the data and signature from the
central store during synchronization. The agent software then contacts the
Password Manager Service to obtain a copy of the public key it needs to verify
the signature it received from the central store.
If the agent software is configured to use the Data Integrity Module, it never
accepts configuration data that failed the data integrity check. If a check fails, the
agent software logs the event and displays an error message telling users to
contact their administrator directly. The agent software then defaults to previous
configurations or returns to an offline state.
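An added example, not code from Citrix or from this guide, that models the flow just described: the console signs configuration data with an RSA private key that it never hands out, the agent software verifies the data with the public key it obtained from the service, and anything that fails the check is rejected while the previously verified configuration stays in force. The type and function names, the sample configuration string and the 2048-bit key size are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// SignedConfig is what the console places in the central store: the
// configuration bytes plus a detached RSA signature over their SHA-256 digest.
type SignedConfig struct {
	Data      []byte
	Signature []byte
}

// Console holds the signing key. As the guide states, the private key is never
// distributed; only the public half reaches the agent software, via the service.
type Console struct{ priv *rsa.PrivateKey }

func NewConsole() (*Console, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // key size is an assumption
	if err != nil {
		return nil, err
	}
	return &Console{priv: priv}, nil
}

// PublicKey models what the Password Manager Service hands to an agent.
func (c *Console) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// Publish signs configuration data before it is written to the central store.
func (c *Console) Publish(data []byte) (SignedConfig, error) {
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Data: append([]byte(nil), data...), Signature: sig}, nil
}

// ErrIntegrity is returned when data from the central store fails verification.
var ErrIntegrity = errors.New("configuration failed the data integrity check")

// Agent keeps the configuration it last verified. Anything that fails the
// check is discarded and the previous configuration stays in force.
type Agent struct {
	pub    *rsa.PublicKey // obtained from the service, never from the central store
	Active []byte         // configuration currently in use
}

func NewAgent(pub *rsa.PublicKey, previous []byte) *Agent {
	return &Agent{pub: pub, Active: append([]byte(nil), previous...)}
}

// Synchronize verifies a SignedConfig received from the central store. On a bad
// signature it logs the event, keeps the previous configuration and returns
// ErrIntegrity: the fail-closed behaviour described above.
func (a *Agent) Synchronize(sc SignedConfig) error {
	digest := sha256.Sum256(sc.Data)
	if err := rsa.VerifyPKCS1v15(a.pub, crypto.SHA256, digest[:], sc.Signature); err != nil {
		log.Printf("data integrity check failed (%v); keeping previous configuration", err)
		return ErrIntegrity
	}
	a.Active = append([]byte(nil), sc.Data...)
	return nil
}

func main() {
	console, err := NewConsole()
	if err != nil {
		log.Fatal(err)
	}
	agent := NewAgent(console.PublicKey(), []byte("previous-config"))

	signed, _ := console.Publish([]byte("app=SampleApp;form=logon")) // constructed sample data
	fmt.Println("genuine update accepted:", agent.Synchronize(signed) == nil, "active:", string(agent.Active))

	// Data altered in the central store by someone who does not hold the private key.
	signed.Data[0] ^= 0x01
	fmt.Println("tampered update accepted:", agent.Synchronize(signed) == nil, "active:", string(agent.Active))
}
```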
Key Management
With Key Management, users log on to the network and have immediate access to
applications managed by Password Manager without using question-based
authentication (this scheme is also known as automatic key management). When
users change their primary passwords, the agent software detects these changes
and recovers the users’ encryption keys using the Password Manager Service.
This automatic key management provides users with the easiest and fastest access
to their applications. However, automatic key management does not protect
against access by an unauthorized user or administrator impersonating a user
because there is no “user secret” to protect the user’s network password. To help
prevent this potential problem, implement automatic key management in
combination with the Account Self-Service Module and question-based
authentication.
Automatic key management uses key splitting (the process of dividing a private
key into two parts) to help reduce security threats.
Provisioning
Provisioning (also known as credential provisioning) adds to the flexibility and
functionality of Password Manager within your organization’s environment by
allowing you to automate a number of time-consuming processes. Whether you
are rolling out a new installation of Password Manager, adding several hundred
new users and new applications, or clearing out unneeded information, credential
provisioning gives you the ability to complete these tasks quickly.
For example, you can use credential provisioning to add all the user names and
passwords for all of your applications to the central store. Doing so eliminates the
need for first-time users of the agent software to go through the process of Initial
Credential Setup. Additionally, if you plan to roll out new software to your users,
create an application definition for the application and use credential provisioning
to add the credentials for all users who will use the application.
Using credential provisioning, you can:
• Add, modify, and delete credentials in the central store
• Reset user credential information
• Remove users and their application credentials from Password Manager
Credential provisioning is achieved by using information about your environment
to create a template that you can use to add, remove, or change credential
information in your central store. Credential provisioning is processed as part of
the Password Manager Service.
XenApp Considerations
• When you use Password Manager in a XenApp environment, you must
install the agent software on each server that publishes applications that
require authentication. The agent software provides credentials for
published applications only.
• Install the console on a desktop or server that is not a member of the server
farm. This desktop or server should run the same operating system as each
server on which the applications are published or the same operating
system of each server where the agent software will be installed. Use this
console to create user configurations to control the agent software behavior.
• Users access the published applications in the server farm through ICA
connections using a client. When a user tries to connect to a published
application that requires credentials, the agent software recognizes the
request for authentication sent by the XenApp server. The agent software
determines the application type (Windows, Web, or terminal emulator) and
retrieves the appropriate credentials from the local credential store in the
user’s profile.
User Impersonation
If you want to disallow administrator access to user credentials, select Yes for the
following option. Credentials are protected against administrators seeking to
impersonate a user and to gain access to user information.
Yes is the default setting for the Data Protection Methods page. With this
configuration, the account or other administrator does not have access to user
passwords or user data. This setting helps prevent an administrator from
impersonating a user. The administrator cannot log on as the user with this default
setting and possibly access data located in the user local credential store.
The Yes setting disables the use of the Microsoft Data Protection API option on
this page and the Do not prompt users; restore primary data protection
automatically option on the following Secondary Data Protection page. Smart
cards and roaming profiles are not allowed in this case, and credentials are not
restored automatically upon a password change without authentication or
verification.
Select No if you want to allow use of all the multiple authentication features
available from this page and the Secondary Data Protection page (including the
ability to restore credentials automatically without reauthentication or identity
verification).
Important: The security of this setting choice depends on the relative strength
of your domain password policy. The stronger (or more complex) the password
requirement, the more secure this choice is.
Option: Description
Do you need to regulate account administrator access to user data?: See “User Impersonation” on page 43.
Users authentication data: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a password. Password security can be derived from the user’s typed domain password or a one-time password from token, proximity, or biometric devices.
Manager 4.5 or later console and Microsoft Data Protection API (requires
roaming profiles) must be selected in your user configurations.
Use this option if you combine smart cards with embedded certificates or digital
signatures and user authentication data in your enterprise. Combining smart cards
with a user name and password for authentication is the most secure choice for
protecting user authentication data.
Note: Select the Smart Card Certificate option if you use smart cards with
Hot Desktop.
Option: Description
Do you need to regulate account administrator access to user data?: See “User Impersonation” on page 43.
Users authentication data: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a password. Password security can be derived from the user’s typed domain password or a one-time password from token, proximity, or biometric devices.
Smart Card Certificate: Selected. In this case, the user secret is protected by the encryption and decryption provided by the card’s security certificate.
If you use smart cards that do not support security certificates as the primary
authenticator in a Windows domain or you do not use roaming profiles, use the
Allow Smart Card PINs option. When you select this option, the encryption
keys used to protect secondary credentials are derived from the smart card PIN.
Consider enforcing the use of a strong PIN. In some enterprises, smart card PINs
are four-digit numbers that do not provide as strong a level of protection as, for
example, an eight-character password and might be more vulnerable to attack.
Use the PIN as password option only if your organization enforces a smart card
PIN policy that requires a mixture of letters and numbers, and requires a
minimum length of eight characters.
Option: Description
Do you need to regulate account administrator access to user data?: See “User Impersonation” on page 43.
Users authentication data: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a personal identification number (PIN).
Allow Smart Card PINs: Selected. Allow the Smart Card PIN to be used as the user secret for protection. Use this only if your enterprise or environment has a “strong PIN” policy.
Note: This method is supported by Version 4.1 of the Password Manager Agent
and is supported on Windows XP, Windows 2000, and Windows 2003 Server
platforms. Select Use data protection as in Password Manager 4.1 and
previous versions and DPAPI with Profile if you plan to use legacy agents.
Password Manager derives the encryption keys that protect secondary credentials
from the user’s primary password. However, if a user uses a smart card for
primary authentication, a primary password does not exist and cannot be used. In
this case, the best agent option is Microsoft Data Protection API. This option uses
the Microsoft DPAPI to derive encryption keys and protect secondary credentials.
This encryption mechanism uses the user’s Windows or domain credentials to
derive the encryption keys.
If users employ passwords to access their computers and a Kerberos network
authentication protocol to access XenApp servers, select:
• No in response to Do you need to regulate account administrator access
to user data?
• Users authentication data
• Microsoft Data Protection API
This method also allows the use of user credentials and smart cards to log on.
Related topics:
“Smart Cards with Certificates and User Authentication Data” on page 44
Blank Passwords
Important: If you do not select this option and a blank password is allowed in
your environment, the agent software does not derive a user secret or otherwise
perform any data protection with the blank password.
Allowing the use of a blank password should be considered a special case and
should only be used in low security environments that require extreme ease of
use. One scenario is when a common workstation is placed on a factory floor and
is accessed by many users. You can still use Password Manager to control access
to applications but the user credentials to access the workstation include a blank
password.
Option: Description
Do you need to regulate account administrator access to user data?: See “User Impersonation” on page 43.
Users authentication data: Selected. A user secret is used to access and help protect user data. In this case, the user secret is a password.
Allow protection using blank passwords: Selected. When you select this option and the agent software detects that the user has a blank password, a user secret for data protection is derived from the user ID.
This section describes the hardware and software requirements for your
environment. This section assumes that each computer meets the minimum
hardware requirements for the installed operating system.
Important: The server that hosts the Password Manager Service contains
highly sensitive user-related information. Citrix recommends that you use a
dedicated server and that you place the server in a physically secure location.
ASP.NET Requirements
Make sure the ASP.NET Windows component is installed on the computer
running the Password Manager Service.
Before you install the service, obtain a server authentication certificate for SSL
communication from a certificate authority (CA) or, if you have an existing
public key infrastructure (PKI), download your own certificate to the server
running the service.
An SSL certificate is necessary to ensure secure communication from the service
to the console and agent software, and to guarantee that the agent software and
console are communicating with the correct service server.
• Because this certificate is used for SSL communication, the certificate
common name must match the service server’s fully qualified domain name
(FQDN). Specify a minimum key size of 1024 bits.
• You must install the certificate in your local computer certificate store and
establish the appropriate trust relationships for the console and the agent
software.
• You must install this certificate on the computers running the service,
console, and agent software.
• In a load balancing or clustered service environment, you can use one
certificate for multiple service servers if the common name of the SSL
certificate uses a wildcard (typically an asterisk character) in it. For
example, you can use an SSL certificate with a common name of
Important: If you obtain your certificate from an authority that is not trusted
by default (such as a certificate authority installed in your company), you need to
install the root authority certificate to your local computer’s trusted root
certificate store to establish the trust relationship.
If users are experiencing SSL failures, it is most likely because the server
certificate is not trusted. Refer to the Microsoft Web site
http://www.microsoft.com for instructions about extracting and deploying CA
root certificates.
Related topics:
“To configure the Password Manager Service(s) with the Service Configuration
wizard” on page 71
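As an added example (not code from the Citrix guide), the following Python check encodes the two certificate rules above: the common name must match the service server's FQDN, and in a load-balanced or clustered environment one wildcard common name may cover several service servers. Names are compared case-insensitively; restricting the wildcard to the whole leftmost label, covering exactly one label, is the usual X.509 convention and an assumption here, as are all function names.

```python
"""Checks for the Password Manager Service SSL certificate name.

Added example, not code from the Citrix guide. It encodes the rules stated
above: the certificate common name must match the service server's fully
qualified domain name, and in a load-balanced or clustered environment one
wildcard (asterisk) common name may cover several service servers. Names are
compared case-insensitively. Restricting the wildcard to the whole leftmost
label, matching exactly one label, is the usual X.509 convention and an
assumption here, as are all function names.
"""

MIN_KEY_BITS = 1024  # minimum key size the guide asks for


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def cn_matches_host(common_name: str, host_fqdn: str) -> bool:
    """True if the certificate common name covers host_fqdn."""
    cn = normalize(common_name)
    host = normalize(host_fqdn)
    if not cn or not host or "*" in host:
        return False
    if "*" not in cn:
        return cn == host  # plain name: exact, case-insensitive match
    cn_labels = cn.split(".")
    host_labels = host.split(".")
    # Wildcard rules (assumption): '*' must be the entire leftmost label, the
    # remaining labels must be literal, and the wildcard covers one label only,
    # so *.example.com covers pm1.example.com but not pm1.sub.example.com or
    # example.com itself.
    if cn_labels[0] != "*" or len(cn_labels) < 3:
        return False
    if any("*" in label for label in cn_labels[1:]):
        return False
    if len(cn_labels) != len(host_labels):
        return False
    return cn_labels[1:] == host_labels[1:]


def key_size_ok(key_bits: int) -> bool:
    """True if the certificate key meets the guide's minimum size."""
    return key_bits >= MIN_KEY_BITS


def check_service_certificate(common_name: str, host_fqdn: str, key_bits: int) -> list:
    """Return the list of problems found; an empty list means the certificate
    satisfies the name and key-size requirements for this service server."""
    problems = []
    if not cn_matches_host(common_name, host_fqdn):
        problems.append(
            f"common name {common_name!r} does not match service FQDN {host_fqdn!r}; "
            "agents and the console will report SSL failures"
        )
    if not key_size_ok(key_bits):
        problems.append(f"key size {key_bits} is below the minimum of {MIN_KEY_BITS}")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from the guide.
    for cn, host, bits in [
        ("pmservice.example.com", "PMSERVICE.example.com", 2048),
        ("*.example.com", "pm2.example.com", 2048),
        ("*.example.com", "pm2.branch.example.com", 1024),
        ("pmservice.example.com", "pm1.example.com", 512),
    ]:
        print(cn, host, bits, check_service_certificate(cn, host, bits) or "OK")
```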
Note: If you choose to create a domain account as the service account, you
must register a service principal name for this domain account and the service
computer in Active Directory by using the setspn.exe utility. See the Microsoft
Web site for more information about service principal names.
You cannot specify a local user account as the service account in this version of
Password Manager. You can specify the built-in Local Service account.
Note: You cannot use the Password Manager Service if your central store type
is a Novell Shared Folder.
Self-Service Requirements
If you are using the Self-Service Password Reset or Self-Service Account Unlock
features of the Account Self-Service Module, use an account that is a member of
the domain administrators group.
Important: Citrix has included the .NET 2.0 framework version required for
Password Manager installation on the Password Manager installation media. Use
this version or .NET 3.0.
Always read the readme.htm file located on the Citrix Web site
(http://www.citrix.com) for updates and late-breaking information. (You can find
the readme and all other Password Manager documentation by opening
Password_Manager_Read_Me_First.html in the Documentation folder on the
installation media.)
Related topics:
“Microsoft .NET Versions 1.1 and 2.0” on page 91
Typically, this error occurs if you are installing the agent software on a computer
also running a Web server service such as Apache Tomcat, Apache HTTP server,
or others. Also, this error might be seen if you are installing the agent software on
a computer running Citrix XenApp with License Management Console installed.
In this case, perform the following steps:
1. Stop the service.
2. Install or uninstall the agent software.
3. Restart the service.
Licensing Requirements
Install the license server and add licenses before installing Password Manager.
Important: To run this release, you must have the license server (Version 11.5)
that is available from the Licensing folder in the installation media. If you are
running an earlier version of the license server, you must upgrade your license
server to Version 11.5.
For details about licensing requirements, terms, and installation, see the Getting
Started with Citrix Licensing Guide, available at http://support.citrix.com/pages/
licensing/ under the “Top Licensing Resources” title on the page. Information
about using named and concurrent user licenses with Password Manager is in the
Citrix Password Manager Administrator’s Guide.
Note: You can find Getting Started with Citrix Licensing Guide, Citrix
Password Manager Administrator’s Guide, and all other Password Manager
documentation by opening Password_Manager_Read_Me_First.html in the
Documentation folder on the installation media. You can find additional licensing
resources at http://support.citrix.com/pages/licensing/ under the “Top Licensing
Resources” title on the page.
Installation Order
The suggested installation order of Password Manager is as follows:
• License Password Manager.
• Create your central store.
• Install the Password Manager Service if you want to use one or more of the
following modules:
    • Key management
    • Self-service
    • Provisioning
    • Credential synchronization
    • Data integrity
You can install the service, console, and agent software in any of the following
allowed combinations or scenarios:
• You can install the service and console on the same computer.
• You can install the console and agent software on the same computer.
• You can install the agent software on any computer or client device in your
environment for access to locally-installed SSO-enabled applications.
• You can install the console and Application Definition Tool on any
computer in your environment.
• For testing purposes, you can install the console and the agent software on
the same computer so that you can verify that changes you make at the
console are reflected on the agent software.
• You can deploy the agent software in a XenApp environment. In this case,
the agent software submits or provides credentials for XenApp-published
applications only (not applications installed locally on the user workstation
or client device).
Important: The server that hosts the Password Manager Service and central
store contains highly sensitive user-related information. Use a dedicated server
and place that server in a physically secure location.
Related topics:
“Which Central Store Type Should I Choose?” on page 15
“Using Account Association with Multiple Central Stores and User Account
Credentials in a Multiple Domain Enterprise” on page 20
“Before You Install Password Manager” on page 60
“Optional - Creating a Central Store from a Command Prompt” on page 65
Note: If you have users who are not administrators on the file servers but need
to manage Password Manager folders, you can add them to the root shared folder
and allow them full control. You must also add those users to the People folder
and the CentralStoreRoot folder because those folders do not inherit access rights
from the root shared folder.
Associating user configurations to groups is supported only in Active Directory
domains that use Active Directory authentication.
Important: If the server you are extending the Active Directory schema from
is not the domain controller, ensure the Microsoft Windows utility Ldifde.exe is
installed on it before beginning this step. The utility can be found on the
Windows installation media or at the Microsoft Web site (http://
www.microsoft.com). You will not be able to complete this process if Ldifde.exe
is not installed.
Note: Before you complete the next step, ensure that the schema
extension propagated to all domain controllers throughout your Active
Directory environment.
Related topics:
“Choosing an Active Directory Central Store” on page 17
Note: Ensure that the Active Directory Schema Master is configured to allow
updates.
Note: If you have users who are not administrators on the file servers but need
to manage Password Manager folders, you can add them to the root shared folder
and allow them full control. You must also add those users to the People folder
and the CentralStoreRoot folder because those folders do not inherit access rights
from the root shared folder. Give these users full permission to share permissions,
files, and subfolders inside the People folder and the CentralStoreRoot folder.
Associating user configurations to groups is supported only in Active Directory
domains that use Active Directory authentication.
The CentralStoreRoot folder and the People folder are created with appropriate
sharing and security permissions. Your shared folder is now ready to be used for
synchronization.
Considerations
• Because the agent software uses a Windows password, the use of Novell
NetWare file synchronization requires that users’ Novell password be
identical to their Windows password.
• The central store must be located in the same tree as the computers where
the agent software is installed.
• Users must log on to a Novell tree where the shared folder is located.
• Users must also have accounts with read access permissions to the Novell
NetWare shared folder you designate as the central store.
• Any users without supervisor rights who need to manage Password
Manager folders can be added to the root synchronization folder as a
Trustee with all rights. This addition grants them the required access to all
other folders and files under the root synchronization folder.
Important: Do not use the system volume to host the shared folder. The system
volume typically has a limited amount of space available. As data is written to the
central store, the system volume could possibly reach capacity, causing your
Password Manager environment (and possibly your Novell NetWare server) to
stop functioning.
The CentralStoreRoot folder and the People folder are now created with
appropriate sharing and security permissions. Your shared folder is ready to be
used for synchronization.
• Create the account type required by the service(s) you are going to install
• Install the service(s)
• Complete the Service Configuration wizard
Related topics:
“Selecting Optional Password Manager Service Features” on page 37
“Security and Account Requirements for Password Manager Service” on page 53
“Accounts Required for Service Modules” on page 54
“Before You Install Password Manager” on page 60
Connection Setting
    Specify the port number for the service connection. The default port is
    443.
SSL Certificate
    Select the SSL certificate installed on the service computer to use for
    communication with client devices. Select the Display Long Name check box
    to show the LDAP information contained in the certificate.
Virtual host name
    Use default value is selected by default if the SSL certificate name and
    virtual host name match. The virtual host name must match the SSL
    certificate name. The virtual host is the machine name visible to users
    when the certificate was created and might not be the actual machine name.
    For example, the certificate name might include a wildcard (asterisk
    character) or upper- or lowercase domain name that does not match the
    certificate domain name case. This setting is useful in a load-balanced or
    clustered service environment.
Account Credentials
    Select the local computer account to use for the service. Typically, you
    can select the Network Service account.
3. Click Next.
The Create signing certificate page appears.
4. If the wizard detects a signing certificate: Click Next.
If the signing certificate does not exist: Specify a signing certificate
expiration time, in months. The default expiration time is 12 months. Click
Next.
5. On the Configure data proxy page:
    I do not plan to use the Data Integrity module in this environment
        Select this option if you do not require your central store data to
        be digitally signed and written securely.
    I plan to use the Data Integrity module in this environment
        Select this option if you do require your central store data to be
        digitally signed and written securely and you select this service
        module to be installed.
        • Type the name of the computer hosting the Data Integrity Module.
        • Select a port for the service. The default port number is 443.
Note: If you decide to install the Data Integrity Module after installing
the console and agent software, you must digitally sign your existing
central store data by using the data signing tool CtxSignData.exe. This tool
is available after you install the Data Integrity Module.
If you uninstall the Data Integrity Module, you must unsign your central
store data.
The Confirm Settings page appears, showing the properties sheet for your
service module configuration. Click Back to correct or change any
information.
8. Click Finish to commit the service configuration information and Yes to
confirm that you want to save the settings. Click Finish again to close the
Applying Settings window.
Related topics:
“Security and Account Requirements for Password Manager Service” on page 53
“Service Account Requirements” on page 55
“Self-Service Requirements” on page 56
• The service cannot run on multiple ports; if you specify the wrong port,
Password Manager might later display “cannot communicate or connect
with the Password Manager Service” type error messages.
• Also remember to specify the correct service port number when using the
Data Integrity Signing Tool at the command prompt.
Console
    Select this option to install the console, required to create and manage
    policies, application definitions, user configurations, and so on.
Application Definition Tool
    Select this option to install the tool that enables you to create
    application definitions without needing to start or use the full console.
    You can install this tool in standalone mode, on computers where the
    console is not or cannot be installed.
License Server Administration
    Select this option to help manage your licensing from the console. This
    option enables you to add a shortcut to the license server.
Access Management Console - Diagnostics
    Select this option to help Citrix Support troubleshoot console issues.
1. Click Start > All Programs > Citrix > Management Consoles > Access
Management Console.
The Configure and run discovery wizard appears.
2. On the Welcome page, click Next.
The Select Products or Components page appears.
3. Click Citrix Resources to select Configuration Tools and Password
Manager and then click Next.
4. On the Identify Central Store page, select the central store type that you
previously created.
• If you created an Active Directory central store, from the list, select
the domain controller you want Password Manager to bind to when
writing to the central store or select Any writeable domain
controller. Click Next.
• If you created an NTFS network share or Novell shared folder central
store, type the UNC path to the share. Click Next.
5. On the Configure Data Integrity Options page:
• If you installed the Data Integrity Module and enabled it during the
service configuration, select the Enable Data Integrity check box,
type the server name and port number in the text fields, and click
Next.
• If you installed the Data Integrity Module and do not want to enable
it, leave the check box cleared and click Next. Make sure that you
first disabled it through the Service Configuration wizard on the
service computer.
• If you did not install the Data Integrity Module, click Next.
Important: Ensure that you create user configurations before installing the
agent software on user desktops. If you install the agent software without
corresponding user configurations, users might see an error message when the
agent software launches.
Also, agent software running on 64-bit computers cannot connect to Novell
shared folder central stores.
Important: Password Manager Plugin is the new name for the Password
Manager agent software.
Installation Scenarios
The following table shows some environments and schemes for installation:
Citrix XenApp and Citrix Access Gateway
    XenApp and Access Gateway provide applications that users access through
    their Web browsers. Install Password Manager agent software on each server
    running XenApp.
Mixed Environment
    Users access published applications as well as other local applications.
    Install Password Manager agent software on each server running XenApp and
    on each desktop.
Local Installation
    Users access applications installed on their local devices. Install
    Password Manager agent software on a local client device.
Software Image for Network Installation
    Create an installation image to be made available on your network.
Silent Agent Software Installation
    Use the Windows Installer options to install the agent software.
On client devices, the notification area icon indicates how the agent software is
deployed:
• An icon of a key on a blue background indicates the software is installed on
a client device
• An icon of a key and computer on a blue background indicates the software
is published on a computer running XenApp
Considerations
• If you are performing a fresh installation of multiple Citrix products that
includes Password Manager, install the agent software last.
• When you configure or change the location of the license server or any
other parameter related to licensing, the changes are not applied to any
agent software that is in use within your environment. You must shut down
and restart the agent software to apply the changes.
• This does not apply to computers using Windows Vista or Windows
Server 2008: You must restart the device after you install the agent
software so that the GINA DLL can be installed.
The agent software will not run until the workstation is restarted. However,
if you prefer that the workstation not be restarted immediately, you can
suppress the restart action. To suppress the restart action, use the optional
parameter with the Microsoft installer package msiexec command. To
run the installer package with the suppress option, use the command:
msiexec /norestart /i path to msi file including the filename
For the complete list of Windows Installer options, from a command
prompt on a workstation where the Windows Installer is installed, type:
msiexec /?
Related topics:
“Preserving the GINA Chain When Installing the Agent Software” on page 83
• Java support (this option installs the Password Manager support for
the Java Runtime Environment already installed on the client)
5. On the Central Store Configuration page:
A. Select the central store type.
B. If you selected NTFS Network Share or Novell Shared Folder,
type the central store’s location.
C. Click Next.
6. On the Specify Server Address page, type the address and port number of
the computer hosting the service and click Next.
In the address text field, use the fully-qualified domain name of the service
computer. The default port number is 443.
If you selected Hot Desktop, the Hot Desktop Shared Account
Configuration page appears.
7. Type the user credentials for the Hot Desktop shared account and click
Next.
Specify the domain name to which the workstation belongs using the
domain’s NetBIOS name, not the fully qualified domain name.
8. Click Install.
9. Click Finish to complete the installation.
10. Windows Vista or Windows Server 2008: Log off and then log back on to
your Windows account. You do not need to restart the client device.
A supported operating system other than Windows Vista or Windows
Server 2008: Click Yes to restart the client device.
You can install an image of the agent software on a network share using a utility
available from the installation media. The utility creates an installation image of
the Password Manager agent software that contains your custom parameters. The
following procedures assume that the Password Manager installation media is
loaded on the computer where you chose to install the agent software and that the
Autorun screen appears.
1. Click Step 4: Install the Password Manager Plugin.
2. Click Create Password Manager Plugin installation image.
The Password Manager Plugin Installation Wizard page appears.
3. Click Next.
4. In the Administrative Installation Package Creation page, type the
network share location in which you want to save the installation package
and click Next.
5. Select one or more of the optional features to install and click Next:
• Data integrity (if you installed this service)
• Self-service (if you installed this service)
• Hot Desktop (this option requires an existing account to use as the
Hot Desktop shared account)
• Java support (this option installs the Password Manager support for
the Java Runtime Environment already installed on the client)
The Central Store Configuration page appears.
6. In the Central Store Configuration page:
A. Select the central store type.
B. If you selected NTFS Network Share or Novell Shared Folder,
type the central store’s location.
C. Click Next.
The Specify Server Address screen appears.
7. Type the address and port number of the computer hosting the service and
click Next.
In the address text field, use the fully-qualified domain name of the service
computer. The default port number is 443.
If you selected Hot Desktop, the Hot Desktop Shared Account
Configuration screen appears.
8. Type the user credentials for the Hot Desktop shared account and click
Next. Specify the domain name to which the workstation belongs using the
domain’s NetBIOS name, not the fully qualified domain name.
9. A warning message appears reminding you that before installing the image
being created onto a computer running Windows Vista or Windows Server
2008, you must first install the C Run-Time Libraries. These files are
provided with the installation software. See “Silent Installation of the
Password Manager Agent Software” on page 81. Click OK.
10. On the Admin Installation Verify Ready screen, click Next.
11. Click Finish to complete the installation.
The setup.msi and supporting files are now saved in the network share location
you specified.
To install the Password Manager agent software silently from a command prompt
SYNCPOINTTYPE
    Specifies the central store type. Specify FileSyncPath to use an NTFS
    network share central store. Specify ADSyncPath to use an Active Directory
    central store. Specify NovellSyncPath to use a Novell shared folder central
    store.
SYNCPOINTLOC
    Specifies the UNC path for the NTFS network share central store. Specify
    \\servername\foldername$ where servername is the name of the computer
    hosting the central store and foldername is the name of the shared folder.
    This option is not required for an Active Directory central store.
DI_SELECT
    Specify 1 to enable the Data Integrity feature.
SSPR_SELECT
    Specify 1 to enable the Self-Service feature.
SERVICEURL
    Specifies the URL of the service computer. Specify \\FQDN\MPMService,
    where FQDN is the fully qualified domain name of the service computer.
    This option is required if DI_SELECT and/or SSPR_SELECT are specified.
SERVICEURLPORT
    Specifies the port of the server running the service. The default port is
    443. This option is required if DI_SELECT and/or SSPR_SELECT are
    specified.
/forcerestart
    Specify /forcerestart to shut down and restart the workstation after
    installation. A restart is required for agent software installation. Type
    msiexec /? for more options. Alternatively, REBOOT="" can be used.

Hot Desktop-Specific Options
    See also “Hot Desktop: A Shared Desktop Environment for Users” in the
    Citrix Password Manager Administrator’s Guide.
HD_SELECT
    Specify 1 to install Hot Desktop.
HD_USERNAME
    Specifies the Hot Desktop shared account user name.
HD_PASSWORD
    Specifies the Hot Desktop shared account password.
HD_DOMAIN
    Specifies the Hot Desktop shared account domain.
DISABLE_TERMINAL_SERVICE
    Specify 1 to disable Terminal Services, required for Hot Desktop
    operation.
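As an added example (not a Citrix tool), the following Python helper assembles the silent msiexec command line from the options above and checks the dependencies the table states before anything is run: SYNCPOINTLOC must be a UNC path for an NTFS share, SERVICEURL and SERVICEURLPORT are required when DI_SELECT or SSPR_SELECT is 1, and DISABLE_TERMINAL_SERVICE=1 is required for Hot Desktop. Treating HD_USERNAME, HD_PASSWORD and HD_DOMAIN as mandatory when HD_SELECT=1 is an assumption, /qn is msiexec's own quiet switch, and all sample values are constructed.

```python
"""Build and validate an msiexec command line for a silent Password Manager
agent (Plugin) installation using the options in the table above.

Added example, not a Citrix tool. The property names and these dependency
rules come from the table: SYNCPOINTLOC is a UNC path needed for an NTFS
share, SERVICEURL and SERVICEURLPORT are needed when DI_SELECT or SSPR_SELECT
is 1, and DISABLE_TERMINAL_SERVICE=1 is required for Hot Desktop. Treating
HD_USERNAME, HD_PASSWORD and HD_DOMAIN as mandatory when HD_SELECT=1 is an
assumption. /qn is msiexec's own quiet switch; /norestart is from the
"Considerations" above. All sample values are constructed.
"""
from typing import Dict, List

SYNC_TYPES = ("FileSyncPath", "ADSyncPath", "NovellSyncPath")
RESTART_SWITCHES = ("/forcerestart", "/norestart")
SECRET_PROPERTIES = ("HD_PASSWORD",)


def validate(props: Dict[str, str]) -> List[str]:
    """Return the list of inconsistencies; an empty list means the property set
    is complete according to the option table."""
    errors: List[str] = []
    sync = props.get("SYNCPOINTTYPE")
    if sync not in SYNC_TYPES:
        errors.append("SYNCPOINTTYPE must be one of " + ", ".join(SYNC_TYPES))
    # The table states the UNC-path requirement for NTFS shares only.
    if sync == "FileSyncPath" and not props.get("SYNCPOINTLOC", "").startswith("\\\\"):
        errors.append("SYNCPOINTLOC must be a UNC path (\\\\servername\\foldername$) "
                      "for an NTFS network share central store")
    if props.get("DI_SELECT") == "1" or props.get("SSPR_SELECT") == "1":
        for name in ("SERVICEURL", "SERVICEURLPORT"):
            if not props.get(name):
                errors.append(f"{name} is required when DI_SELECT or SSPR_SELECT is 1")
        port = props.get("SERVICEURLPORT", "")
        if port and not port.isdigit():
            errors.append("SERVICEURLPORT must be numeric (default 443)")
    if props.get("HD_SELECT") == "1":
        for name in ("HD_USERNAME", "HD_PASSWORD", "HD_DOMAIN"):
            if not props.get(name):  # assumption: the shared account is mandatory
                errors.append(f"{name} is required when HD_SELECT is 1")
        if props.get("DISABLE_TERMINAL_SERVICE") != "1":
            errors.append("DISABLE_TERMINAL_SERVICE=1 is required for Hot Desktop operation")
    return errors


def quote(value: str) -> str:
    """Quote a value for the Windows command line only when it contains spaces."""
    return f'"{value}"' if " " in value else value


def build_command(msi_path: str, props: Dict[str, str],
                  restart: str = "/forcerestart") -> List[str]:
    """Return the msiexec argument list, or raise ValueError listing every problem."""
    errors = validate(props)
    if restart not in RESTART_SWITCHES:
        errors.append("restart switch must be /forcerestart or /norestart")
    if errors:
        raise ValueError("; ".join(errors))
    argv = ["msiexec", "/qn", "/i", quote(msi_path)]
    argv += [f"{name}={quote(value)}" for name, value in props.items()]
    argv.append(restart)
    return argv


def redacted(argv: List[str]) -> List[str]:
    """Copy of argv safe for logging: the Hot Desktop password is masked because
    the real command line is visible to anyone who can list processes."""
    out = []
    for arg in argv:
        name = arg.split("=", 1)[0]
        out.append(f"{name}=***" if name in SECRET_PROPERTIES else arg)
    return out


if __name__ == "__main__":
    # Constructed values: an NTFS share central store with Data Integrity on.
    sample = {
        "SYNCPOINTTYPE": "FileSyncPath",
        "SYNCPOINTLOC": r"\\pmstore\CitrixSync$",
        "DI_SELECT": "1",
        "SERVICEURL": r"\\pmservice.example.com\MPMService",
        "SERVICEURLPORT": "443",
    }
    print(" ".join(build_command(r"\\pmstore\PMAgent$\setup.msi", sample, "/norestart")))
```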
Note: Windows Vista and Windows Server 2008 do not use GINA
functionality. This section is not applicable to computers using these operating
systems.
Requirements
Before you implement the multi-domain service feature, ensure that you meet the
following requirements:
Domains
    Each domain sharing the service must be part of the same domain forest.
    The domains within the forest must have a two-way transitive trust
    agreement.
Central store
    This feature is available for implementations using Active Directory or
    NTFS network share central stores. It is not available to Novell shared
    folder central stores.
    All users sharing the same service computer must be implemented using the
    same central store type: Active Directory or NTFS shared folder. Multiple
    central store types are not supported.
    One NTFS shared folder central store per domain is not supported in this
    case. However, you can use one NTFS shared folder central store per
    forest.
Data Integrity feature
    The Data Integrity feature must be used consistently across domains. That
    is, it is either enabled or disabled in the service and agent software
    configurations for all domains. For example, you cannot enable this
    feature in the service configuration and disable it when installing the
    agent software.
Password Manager Console
    Each console can view one central store only, not multiple central stores.
    The Password Manager administrator should install one console in each
    domain and install it by using a user account with administrative rights
    in that domain. Alternatively, the administrator can install a console
    with the ability to access other domains and, as needed, switch to one of
    those domains by logging on with credentials for that specific domain.
Data Proxy and Self Service accounts
    You can configure one data proxy and self service account that has read
    and write access to the central store and sufficient privileges to reset
    user passwords and unlock user accounts. Optionally, you can specify these
    accounts for each domain in the Service Configuration tool.
Task Summary
Perform the following tasks to implement the multi-domain service feature.
2. Start the Service Configuration tool by clicking Start > All Programs >
Citrix > Password Manager > Service Configuration.
3. When the Service Configuration tool appears, click Domain
Configurations in the left pane.
A list of domains appears.
4. Select the check box next to each domain to enable service support on that
domain.
5. Select one or more domains and click Properties to open the Edit
Configuration dialog box.
6. In the Edit Configuration dialog box:
A. If you created an Active Directory central store, click Domain
Controllers and, from the list, select the domain controller you want
Password Manager to bind to when writing to the central store or
select Any writeable domain controller.
B. Click Data Proxy Account and type the user name, password, and
domain of the data proxy account used to communicate with the
central store.
C. If you installed the Self Service module, click Self-Service Features
Account and type the credentials for this feature. See “Self-Service
Requirements” on page 56.
7. Click OK to close the Edit Configuration dialog box.
8. Click OK and then Yes to save the configuration.
4 Upgrading Password Manager
This section describes the tasks required to successfully upgrade Citrix Password
Manager from previous versions to Version 4.6 with Service Pack 1.
Important: Direct upgrades from Versions 2.5 and 4.0 are not supported.
Using Autorun
Use Autorun to perform Password Manager tasks such as creating a central store
or upgrading Password Manager components. After you access the installation
media, the Autorun screen appears.
Important: Password Manager Plugin is the new name for the Password
Manager agent software.
Upgrade Order
The suggested upgrade order of Password Manager is as follows:
• Install your licenses
Important: To run this release, you must have the license server (Version
11.5) that is available from the Licensing folder in the installation media. If
you are running an earlier version of the license server, you must upgrade
your license server to Version 11.5.
• Upgrade the Password Manager Service if you are using one or more of the
following modules. You can also install additional modules at this time.
    • Key management
    • Self-service
    • Provisioning
    • Credential synchronization
    • Data integrity
Note: If you decide to install the Data Integrity Module at a later date or
after installing the console and agent software, you must digitally sign your
existing central store data by using the data signing tool CtxSignData.exe.
(This tool is available after you install the Data Integrity Module.)
Conversely, if you uninstall the Data Integrity Module, you must unsign
your central store data.
Note: The agent software for Password Manager 4.1 and 4.5 can work with a
Password Manager 4.6 central store. However, new features introduced in
Version 4.6 are not available to those earlier versions. Upgrade the agent software
whenever possible to match the service and console versions. An upgrade helps
ensure that users have access to the latest features and security enhancements.
Related topics:
“Installing the Microsoft .NET 2.0 Framework” on page 57
Note: If you are not using the Password Manager Service in your existing
Password Manager environment, you need to upgrade only the console, central
store, and agent software.
Important: You cannot specify a local user account as the service account in
this version of Password Manager. See “Service Account Requirements” on page
55.
The following procedures assume that the Password Manager installation media
is loaded on the computer that you chose to host the central store and that the
Autorun screen appears.
Related topics:
“Service Account Requirements” on page 55
“To configure the Password Manager Service(s) with the Service Configuration
wizard” on page 71
4. For upgrading from Version 4.1 only: Click Yes in the confirmation
dialog box stating you must upgrade the Password Manager Console after
upgrading the service.
5. Click Next, accept the license agreement, and click Next again.
6. On the Destination Folder page, click Next.
7. In the Select Modules page, select the modules you want to install:
• Key Management
• Data Integrity
• Provisioning
• Self-Service
• Credential Synchronization
8. Click Next.
9. Click Install.
10. Click Finish.
When the installation wizard is finished, the Service Configuration wizard opens.
Provide the information needed to configure the service, such as connection
settings, certificate name, service user account name and password, and the
location of your central store.
Related topics:
“To configure the Password Manager Service(s) with the Service Configuration
wizard” on page 71
Important: The first time you configure and run discovery on the console after
upgrading from Password Manager 4.1 or 4.5, you are asked to upgrade your
central store and the data it contains. Upgraded central stores are not compatible
with older versions of the console.
Related topics:
“Backing Up Your Existing Central Store” on page 90
“Installing .NET 2.0 Side By Side with .NET 1.1” on page 57
Note: If you click Don’t Upgrade, you must configure and run discovery
from the console each time until you upgrade (that is, exit and restart the
console and click Upgrade). You cannot save any settings or results of the
discovery in the console that appears if you click Don’t Upgrade.
Note: For upgrading from Version 4.1 or 4.5 only: If you subsequently
configure and run discovery from the Version 4.6 with Service Pack 1 console as
part of the upgrade process and your central store type is an NTFS network share,
you will be prompted to upgrade the central store. Click OK to upgrade or
Cancel to exit. If you do not upgrade your central store at this time, you can use
only previous versions (4.1 and 4.5) of the console to work with the central store.
Related topics:
“To configure the Password Manager Console” on page 75
The existing agent software is removed when you install the agent software for
Password Manager 4.6 with Service Pack 1.
Important: Password Manager Plugin is the new name for the Password
Manager agent software.
The following procedures assume that the Password Manager installation media
is loaded on the computer where you chose to install the agent software and that
the Autorun screen appears.
1. Click Step 4: Install Password Manager Plugin.
2. Click Install Password Manager Plugin.
The Upgrade Detection dialog box appears.
3. Click Yes in the confirmation dialog box to remove the previous version of
the agent software and proceed with the installation.
The Citrix Password Manager Plugin Installation wizard appears.
4. Click Next, accept the license agreement, and click Next again.
The Feature Selection page appears.
5. Select one or more of the optional features to install and click Next:
• Data Integrity (if you installed this service)
• Self-Service (if you installed this service)
• Hot Desktop (this option requires an existing account to use as the
Hot Desktop shared account)
• Java support (this option installs the Password Manager support for
the Java Runtime Environment already installed on the client)