Citrix® Password Manager Installation Guide

Citrix Password Manager™ 4.6 with Service Pack 1


Citrix XenApp™ 5.0, Platinum Edition
Copyright and Trademark Notice
Use of the product documented in this guide is subject to your prior acceptance of the End User License Agreement. A printable copy of
the End User License Agreement is included with the installation media.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious
unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or
mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.
Citrix Password Manager replaces specific end users’ encryption keys each time their primary authentication method changes, such as a
domain password change or issuance of a new smart card. Password Manager can be configured to perform this operation automatically
by using the optional Key Management Module. Password Manager can also be configured to use the Microsoft Data Protection API
(DPAPI). When using the optional Key Management Module and/or DPAPI, be advised that an administrator may be able to access user
business or personal credentials stored in Password Manager if the administrator logs on as this end user. For additional security, end users
can be asked to verify the user’s identity with unique user-provided information. This provides an additional layer of protection for the
user’s secondary credentials.
Regional government user computing regulations may require that you notify your end users about the possible security and privacy
implications of deploying the Key Management Module and DPAPI security configurations. Review your company policies and
determine what kind of notification, if any, is required for your end users.
© 2003-2008 Citrix Systems, Inc. All rights reserved.
v-GO code © 1998-2003 Passlogix, Inc. All rights reserved.
Citrix, ICA (Independent Computing Architecture), and Program Neighborhood are registered trademarks, and XenApp and SpeedScreen
are trademarks of Citrix Systems, Inc. in the United States and other countries.
RSA Encryption © 1996-1997 RSA Security Inc., All Rights Reserved.
This product includes software developed by The Apache Software Foundation (http://www.apache.org/)
This product includes software developed by Salamander Software Ltd. © 2002 Salamander Software Ltd. Parts © 2003 Citrix Systems,
Inc. All rights reserved.
Trademark Acknowledgements
Adobe, Acrobat, Flash, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other
countries.
Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a
registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product.
Portions of this software are based in part on the work of the Independent JPEG Group.
Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved.
Macromedia is a trademark or registered trademarks of Macromedia, Inc. in the United States and/or other countries.
Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and
DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries.
Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell
Client is a trademark of Novell, Inc.
RealOne is a trademark of RealNetworks, Inc.
Licensing: FLEXnet Operations and FLEXnet Publisher are trademarks and/or registered trademarks of Acresso Software Inc. and/or
InstallShield Co. Inc.
All other trademarks and registered trademarks are the property of their respective owners.
Document Code: August 22, 2008 (nwa)
Contents

1 Welcome. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Password Manager Product Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Password Manager Advanced Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7
Password Manager Enterprise Edition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Finding Documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Documentation Conventions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8
Getting Support and Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9

2 Planning Your Password Manager Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11


Password Manager Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Planning Workflow Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .13
Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14
Which Central Store Type Should I Choose?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15
Choosing an Active Directory Central Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .17
Choosing an NTFS Network Share. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18
Choosing a Novell Shared Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19
Using Account Association with Multiple Central Stores
and User Account Credentials in a Multiple Domain Enterprise . . . . . . . . . . . . . . . . . . .20
What about Password Policies for Application Access? . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Default Password Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Domain Password Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Custom Password Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Password Policy Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
Default Settings for the Default and Domain Password Policies . . . . . . . . . . . . . . . . . . .24
Which Type of SSO-Enabled Applications Are Used in My Enterprise?. . . . . . . . . . . . . . .26
What Do I Need to Know about Each Application?. . . . . . . . . . . . . . . . . . . . . . . . . . . . .28
What Type of Smart Cards Are Used in My Enterprise?. . . . . . . . . . . . . . . . . . . . . . . . . . . .28
Smart Card Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
Smart Card Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29
4 Citrix Password Manager Installation Guide

Do I Need to Use Identity Verification?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .29


Verifying User Identity by Using Security Questions
(Question-Based Authentication) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Recovering or Unlocking User Credentials Automatically . . . . . . . . . . . . . . . . . . . . . . .31
Planning Your User Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32
Planning Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Do I Share the Same Resources or a Workstation
Among Many Users? (Hot Desktop) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Controlling Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
The Hot Desktop User Experience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Licensing Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Disconnected Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
Managing a Mixed License Type Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
To employ available concurrent user licenses to be used offline . . . . . . . . . . . . . . . . . . .37
Selecting Optional Password Manager Service Features. . . . . . . . . . . . . . . . . . . . . . . . . . . .37
Account Self-Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .38
Data Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Key Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39
Provisioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
Credential Synchronization (Account Association) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41
Password Manager Agent Software Deployment Scenarios . . . . . . . . . . . . . . . . . . . . . . . . .41
XenApp Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Guidelines for Multiple Primary Authentication and
User Credential Protection Choices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Data Protection Methods Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
Secondary Data Protection Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Security Versus Usability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
User Impersonation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
User Name and Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .44
Smart Cards with Certificates and User Authentication Data . . . . . . . . . . . . . . . . . . . . .44
Smart Cards with PINs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
Roaming Profiles (Microsoft DPAPI). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
Blank Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47

3 Installing Password Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49


Summary of Installation Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49
Hardware and Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Supporting System Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Password Manager Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
ASP.NET Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Security and Account Requirements for Password Manager Service . . . . . . . . . . . . . . . . . . . . . . .53
Server Authentication Certificate Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Accounts Required for Service Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Account Requirements to Install and Use Password Manager . . . . . . . . . . . . . . . . . . . . . . .56
Installing and Using Password Manager Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Installing and Using Password Manager Console and
Application Definition Tool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56
Installing and Using the Password Manager Agent Software . . . . . . . . . . . . . . . . . . . . .57
Installing the Microsoft .NET 2.0 Framework . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Installing .NET 2.0 Side By Side with .NET 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
To install Microsoft .NET 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
Installing the Java Runtime Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
If You Install or Upgrade the JRE after Installing the
Console, Application Definition Tool, or Agent Software. . . . . . . . . . . . . . . . . . . . . . . .59
To associate the JRE with Password Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Troubleshooting a Java-Related Error Message When
Installing or Uninstalling the Agent Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Licensing Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Before You Install Password Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Installation Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
Where Can I Install Each Password Manager Component?. . . . . . . . . . . . . . . . . . . . . . .61
Creating a Central Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
To create an NTFS network share central store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62
To create a Novell shared folder central store. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
To create an Active Directory central store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
Optional - Creating a Central Store from a Command Prompt . . . . . . . . . . . . . . . . . . . . . . .65
Creating an Active Directory Central Store from a
Command Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Creating an NTFS Network Share Central Store from a
Command Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
Creating a Novell Shared Folder Central Store from a
Command Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
Installing and Configuring the Password Manager Service. . . . . . . . . . . . . . . . . . . . . . . . . .69
To install the service modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70
To configure the Password Manager Service(s) with the
Service Configuration wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Password Manager Service Port Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .73
Installing and Configuring the Password Manager Console . . . . . . . . . . . . . . . . . . . . . . . . .74
To install the Password Manager Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .74
To configure the Password Manager Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Installing and Configuring the Password Manager Agent Software . . . . . . . . . . . . . . . . . . .76
Installation Scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77
Configuring and Using the Multi-Domain Service Feature. . . . . . . . . . . . . . . . . . . . . . . . . .84
Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .84
Task Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
To configure the service for multidomain use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85

4 Upgrading Password Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87


Supported Upgrade Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Summary of Upgrade Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .87
Before You Upgrade Password Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Using Autorun . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Upgrade Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .89
Backing Up Service Data Prior to Upgrading. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Backing Up the Process.xml File (Hot Desktop Environments Only). . . . . . . . . . . . . . .90
Backing Up Your Existing Central Store . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Upgraded Policies, Application Definitions,
Questions/Questionnaires, and User Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Microsoft .NET Versions 1.1 and 2.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Step 1 - Upgrading the Password Manager Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
To upgrade the Password Manager Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .92
Step 2 - Upgrading the Password Manager Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93
To upgrade the Password Manager Console. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .94
Step 3 - Upgrading the Password Manager Agent Software . . . . . . . . . . . . . . . . . . . . . . . . .95
To upgrade the Password Manager Agent Software on a local device . . . . . . . . . . . . . .96
1

Welcome

Citrix Password Manager provides password security and single sign-on access to
Windows, Web, and terminal emulator applications running in the Citrix
environment as well as applications running on the desktop. Users authenticate
once and Password Manager does the rest, automatically logging on to password-
protected information systems, enforcing password policies, monitoring all
password-related events, and even automating user tasks, including password
changes.
This document, the Citrix Password Manager Installation Guide, presents the
information you need to plan and carry out the installation of Password Manager
4.6 with Service Pack 1 or the upgrade of your existing version of Password
Manager to Password Manager 4.6 with Service Pack 1.

Password Manager Product Line


Password Manager is available in two editions:
• Password Manager Advanced Edition
• Password Manager Enterprise Edition
In addition, Citrix XenApp 5.0, Platinum Edition, includes a feature comparable
to Password Manager Enterprise Edition called Single Sign-on Powered by
Password Manager.

Password Manager Advanced Edition


The Advanced Edition of Password Manager increases your organization’s
security with:
• Strong password policy options
• Automated password generation
• Automatically started Password Change Wizard option
• Password encryption while in memory, storage, and transmission
• Password expiration options for applications lacking that capability

The Advanced Edition also interacts well with other programs, easing the user’s
logon information storage process as well as your maintenance of that process
and information.

Password Manager Enterprise Edition


The Enterprise Edition of Password Manager is designed for the most demanding
and complex enterprise environments. The Enterprise Edition:
• Provides additional security, user self-service, and on-site user mobility
features and performance
• Reduces calls to the help desk through user self-service features that enable
users to change their own Windows password and unlock their account
• Allows on-site mobile workers to quickly access information with Hot
Desktop, which facilitates fast user switching at shared workstations
• Includes enterprise security features such as integration with smart cards,
Kerberos, and Federated Environment Support (ADFS and SAML)

Finding Documentation
Welcome to Citrix Password Manager, sometimes referred to as
Password_Manager_Read_Me_First.html, is included on the installation media
and contains links to documents that help get you started. It also contains links to
the most up-to-date product documentation, plus related technologies. You can
access this document by clicking, from Autorun, Step 1: View installation
checklist and other documentation.
The Citrix Knowledge Center Web site, http://support.citrix.com, contains links
to all product documentation, organized by product. Select the product you want
to access and then click the Documentation tab from the product information
page.
Known issues information is included in the product readme.
To provide feedback about the documentation, click the Article Feedback link
located on the right side of the product documentation page.

Documentation Conventions
For consistency, Windows Vista and Windows Server 2008 terminology is used
throughout the documentation set; for example, “Documents” rather than “My
Documents” and “Computer” rather than “My Computer” are used.

Password Manager documentation uses the following typographic conventions.

Convention Meaning
Boldface: Commands, names of interface items such as text boxes, option buttons, and user input.
Italics: Placeholders for information you provide. For example, filename means you type the actual name of a file. Italics are also used for new terms and titles of books.
Monospace: Text displayed in a text file.
{braces}: In a command, a series of items, one of which is required. For example, {yes | no} means you must type yes or no. Do not type the braces themselves.
[ brackets ]: In a command, optional items. For example, [/ping] means you can type /ping with the command. Do not type the brackets themselves.
| (vertical bar): In a command, a separator between items in braces or brackets. For example, { /hold | /release | /delete } means you must type /hold or /release or /delete.
... (ellipsis): The previous item(s) in the command can be repeated. For example, /route:devicename[,…] means you can type additional devicenames separated by commas.

Getting Support and Training


The Citrix Knowledge Center (http://support.citrix.com) offers a variety of
technical support services, tools, and developer resources.
Information about Citrix training is available at http://www.citrix.com/edu/.
2

Planning Your Password Manager Environment

This section contains information to help you plan your Password Manager
environment and help you decide how to implement Password Manager.

Password Manager Components


The following sections briefly describe the main components of Password
Manager.
• The central store. The central store is a centralized repository used by
Password Manager to store and manage user and administrative data. User
data includes user credentials, security question answers, and other user-
focused data. Administrative data includes password policies, application
definitions, security questions, and other wider-ranging data. When a user
signs on, Password Manager compares the user’s credentials to those stored
in the central store. As the user opens password-protected applications or
Web pages, the most up-to-date credentials are drawn from the central
store.
• Password Manager Console. The Password Manager Console is the
command center of Password Manager. From the console, you manage the
users’ Password Manager experience. Here, you configure how Password
Manager works, which features you deploy, which security measures you
use, and other important password-related settings.
The console has four main items, or nodes, in the left pane. When you select a
node, the tasks specific to that node appear. These nodes are:
• User Configurations, which allow you to tailor particular settings for
your users based on their geographic locations or business roles. The
settings of the other three nodes are used to create user
configurations.
• Application Definitions, which provide the information necessary to
supply user credentials to applications, and to detect error conditions
if they occur. You can use the application definition templates
supplied with Password Manager to speed this process, or create your
own customized definitions for applications that cannot use these
templates. Additional templates are located at http://www.citrix.com/
passwordmanager/gettingstarted.
• Password Policies, which control password length and the type and
variety of characters used in both user-defined and automatically-
generated passwords. Password policies also allow you to identify
characters to exclude from use in passwords and whether or not
previous passwords can be reused. Creating password policies
consistent with your company’s security policies ensures that
password security is appropriately managed by Password Manager.
• Identity Verification, which uses the security questions you create to
provide an added layer of security by protecting against user
impersonation, unauthorized password changes, and unauthorized
account unlocking. Users who enroll and answer your security
questions can then verify their identity by providing the same
answers when challenged. Once verified, the users can perform self-
service tasks to their account, such as resetting their primary
password or unlocking their user account. The security questions can
also be used for key recovery.
A limited version of the console, the Application Definition Tool, is also
provided with Password Manager. Install this tool to enable others to create
application definitions without needing access to the full console and the
more sensitive features available there, such as password policies and
security questions.
• Password Manager agent software. The Password Manager agent
software submits the appropriate credentials to the applications running on
the user’s client device, enforces password policies, provides self-service
functionality, and enables users to manage their credentials with the Logon
Manager.
• The Password Manager Service. The Password Manager Service runs on
a Web server that provides the foundation for optional features included in
this release. Install the Password Manager Service if you plan to implement
at least one of the following modules:
• Self-Service, which allows users to reset their Windows passwords
and unlock their Windows accounts
• Data Integrity, which protects data from being compromised while in
transit from the central store to the agent software
• Key Management, which provides users with the capability to
recover their secondary credentials when their primary password
changes, either with automatic key recovery or after answering
security questions with question-based authentication
• Provisioning, which allows you to use the console to add, remove, or
update Password Manager user data and credential information
• Credential Synchronization, which synchronizes user credentials
among domains using a Web service
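The policy controls described for the Password Policies node above (password length, the type and variety of characters, characters to exclude, and whether previous passwords may be reused), together with the automated password generation listed for the Advanced Edition, modelled as an added Python illustration. This is not Citrix code; the policy field names, `check_password` and `generate_password` are assumptions made here.

```python
from __future__ import annotations

import hashlib
import secrets
import string
from dataclasses import dataclass

# Added illustration of a password policy as the guide describes it.
# Not Citrix code; the field names below are assumptions.


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 20
    min_lowercase: int = 1
    min_uppercase: int = 1
    min_digits: int = 1
    min_symbols: int = 0
    excluded_chars: str = ""   # characters the target application rejects
    history_size: int = 0      # 0 means previous passwords may be reused


def fingerprint(password: str) -> str:
    """Password history is kept as digests, never as plaintext.
    (A production store would use a salted, slow password hash.)"""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(policy: PasswordPolicy, candidate: str,
                   history: tuple[str, ...] = ()) -> list[str]:
    """Return every policy violation found; an empty list means compliant."""
    problems: list[str] = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(candidate) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    classes = {
        "lowercase": (string.ascii_lowercase, policy.min_lowercase),
        "uppercase": (string.ascii_uppercase, policy.min_uppercase),
        "digit": (string.digits, policy.min_digits),
        "symbol": (string.punctuation, policy.min_symbols),
    }
    for name, (alphabet, needed) in classes.items():
        have = sum(1 for c in candidate if c in alphabet)
        if have < needed:
            problems.append(f"needs at least {needed} {name} character(s)")
    banned = sorted(set(candidate) & set(policy.excluded_chars))
    if banned:
        problems.append("contains excluded character(s): " + "".join(banned))
    # Only the most recent history_size entries count; 0 disables the check.
    recent = history[-policy.history_size:] if policy.history_size else ()
    if fingerprint(candidate) in recent:
        problems.append(f"reuses one of the last {policy.history_size} passwords")
    return problems


def generate_password(policy: PasswordPolicy, history: tuple[str, ...] = (),
                      rng: secrets.SystemRandom | None = None) -> str:
    """Produce a random password that satisfies the policy (automated
    password generation), retrying if it collides with the history."""
    rng = rng or secrets.SystemRandom()
    required = [
        (string.ascii_lowercase, policy.min_lowercase),
        (string.ascii_uppercase, policy.min_uppercase),
        (string.digits, policy.min_digits),
        (string.punctuation, policy.min_symbols),
    ]
    # Drop excluded characters from every alphabet before drawing from it.
    usable = [("".join(c for c in a if c not in policy.excluded_chars), n)
              for a, n in required]
    pool = "".join(a for a, _ in usable)
    if not pool or any(n > 0 and not a for a, n in usable):
        raise ValueError("policy excludes every character of a required class")
    length = max(policy.min_length, sum(n for _, n in usable))
    if length > policy.max_length:
        raise ValueError("required character classes do not fit in max_length")
    while True:
        # Guarantee each class minimum, fill the rest from the whole pool,
        # then shuffle so required characters are not in a fixed position.
        chars = [rng.choice(a) for a, n in usable for _ in range(n)]
        chars += [rng.choice(pool) for _ in range(length - len(chars))]
        rng.shuffle(chars)
        candidate = "".join(chars)
        if not check_password(policy, candidate, history):
            return candidate
```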

Related topics:
“Planning Your Password Manager Environment” on page 11
“Installing Password Manager” on page 49

Planning Workflow Diagram


Getting Started
A Password Manager environment can include the following:
• Shared network folders or Active Directory containing the central store
• One or more computers running the Password Manager Console
• User computers running the Password Manager agent software
• A dedicated server hosting the Password Manager Service with one or more
feature modules installed on it
• Citrix XenApp environment hosting the Password Manager agent software
• Authentication devices such as smart cards
• Password Manager features such as Hot Desktop and key management
After you have your Password Manager plan, you can start implementing it in
your environment. The following table shows what you need to do to get started
using Password Manager.

Task See this section

1. Research features that you might implement in your environment.
   • Citrix Password Manager Administrator’s Guide
   • “User Authentication and Identity Verification” in the Citrix Password Manager Administrator’s Guide
   • “Managing Question-Based Authentication” in the Citrix Password Manager Administrator’s Guide
   • “Allowing Users to Manage Their Primary Credentials with Account Self-Service” in the Citrix Password Manager Administrator’s Guide
   • “Using Provisioning to Automate Credential Entry” in the Citrix Password Manager Administrator’s Guide
   • “Hot Desktop: A Shared Desktop Environment for Users” in the Citrix Password Manager Administrator’s Guide
2. Create a central store and install the Password Manager components with optional features, or upgrade an existing deployment of Password Manager.
   • “Which Central Store Type Should I Choose?” on page 15
   • “Installing Password Manager” on page 49
   • “Upgrading Password Manager” on page 87
3. Create, edit, or review your password policies.
   • “What about Password Policies for Application Access?” on page 22
   • Citrix Password Manager Administrator’s Guide
4. Create or edit your application definitions.
   • “Which Type of SSO-Enabled Applications Are Used in My Enterprise?” on page 26
   • “Using Password Policies to Enforce Password Requirements” in the Citrix Password Manager Administrator’s Guide
5. Create user configurations based on your enterprise requirements.
   • “Planning Your User Configurations” on page 32
   • “Creating User Configurations” in the Citrix Password Manager Administrator’s Guide
6. Install the agent software on user desktops or a XenApp server.
   • “Password Manager Agent Software Deployment Scenarios” on page 41
   • “Installing and Configuring the Password Manager Agent Software” on page 76
7. Notify your users that Password Manager can help securely store their application credentials.
   • Your enterprise’s standard operating procedures or IT policy manual.

Which Central Store Type Should I Choose?


Note: You can create a central store automatically as part of the Password
Manager installation process or manually by using the central store setup utilities.
See “Creating a Central Store” on page 62 and “Optional - Creating a Central
Store from a Command Prompt” on page 65.

Password Manager uses a repository known as the central store to store and
retrieve information about your users and your environment. Password Manager
relies on the data in the central store to perform all default and configured single
sign-on functions.
The central store contains user data and administrative data:
• User data in the central store includes user secondary credentials, security
questions and answers, service-related data (for example, provisioned data,
question-based authentication data, key recovery enrollment, and so on),
and user Windows registry data associated with Password Manager
• Administrative data in the central store includes application definitions, password policies, security questions, and other settings made through the console for Password Manager features and components
In short, the central store enables the agent software running on a user computer or on a computer running Citrix XenApp to exchange data with the central store and the Password Manager services, and to provide user credentials to the applications to which the user is granted access.
The agent software maintains a local store on the user computer. The local store
contains only the user’s secondary credentials, key recovery information, and
security questions and answers (if applicable). It synchronizes with the central
store to allow users to roam throughout the enterprise and always have access to
saved user credentials.
The central store can be one of the following types:
• Active Directory
The central store uses the Active Directory environment and objects to
store and update Password Manager data.
See “Choosing an Active Directory Central Store” on page 17.
• NTFS network share
The central store uses a Windows network file share to store the Password
Manager data. See “Choosing an NTFS Network Share” on page 18.
• Novell shared folder
The central store uses a Novell NetWare shared folder to store the Password
Manager data.
See “Choosing a Novell Shared Folder” on page 19.

Note: Citrix Password Manager allows you to migrate users from one central
store type to another if you later decide that one type is more suitable than the
current one used in your environment. See “Moving Data to a Different Central
Store” in the Citrix Password Manager Administrator’s Guide.

Note: If your enterprise forest contains multiple domains, see “Using Account
Association with Multiple Central Stores and User Account Credentials in a
Multiple Domain Enterprise” on page 20.
Also see “Specifying Domain Controllers for User Configurations” in the Citrix
Password Manager Administrator’s Guide for information about user
configurations in multiple domain controller environments.

Choosing an Active Directory Central Store


Choosing to use Active Directory as your central store enables you to leverage
the convenience of your existing Active Directory user authentication and object
administration. For example, you can apply user-specific settings to any level in a
domain—domain, organizational unit, group, or user.
Two new classes and two attributes are added to the Active Directory schema
when you create an Active Directory central store:

Class: citrix-SSOConfig
Describes the object containing data for the agent software settings, synchronization state, the application definitions, and the first-time agent software use behavior. This class includes the following attributes:
   citrix-SSOConfigData - contains the actual data
   citrix-SSOConfigType - specifies the data type

Class: citrix-SSOSecret
Describes the secret data object used to authenticate a Password Manager user. This class includes the following attribute:
   citrix-SSOSecretData - contains encrypted credential data for an application and Account Self-Service password reset data

Note: See the CitrixMPMSchema.xml file in the \Tools folder on the Password
Manager installation media for more information about these classes and
attributes.

In general, choose Active Directory as your central store if you:


• Can successfully extend your Active Directory schema without affecting
your enterprise
• Already implement best practices for Active Directory backup and restore
as recommended by Microsoft (although this is not a requirement)
• Prefer the high availability that is built in to Active Directory to be
extended to the central store data

Advantages of an Active Directory Central Store


• Active Directory includes built-in failover and redundancy, so additional
measures for disaster recovery are not needed
• Active Directory replication helps to distribute central store administrative
and user data across your enterprise
• No additional hardware is needed when using an Active Directory central store

Active Directory Central Store Considerations


• You must extend your schema when using an Active Directory central
store, which requires careful planning and implementation. Extending the
schema affects the entire forest.
• You might want to extend the schema and create your Active Directory
central store during non-peak usage hours. Your Active Directory
replication cycle latency affects how quickly these changes are copied to all
domain controllers in the forest.
• Inter-site replication of central store data across large enterprises using
WANs requires you to configure replication correctly to reduce latency.
(However, intra-site replication typically introduces less latency.)

Choosing an NTFS Network Share


Important: Use a hidden share for the central store in this case.

Choosing to use an NTFS network share as your central store enables you to
leverage the convenience of your existing Active Directory user authentication
and tree structure without having to extend the Active Directory schema. For
example, you can apply user-specific settings to any level in a domain—domain,
organizational unit, group, or user.
Password Manager creates a shared folder named CITRIXSYNC with two
subfolders named People and CentralStoreRoot.
The People folder contains a subfolder for each user and includes the appropriate
read and write permission properties for the user. The CentralStoreRoot folder
contains administrative data.

Advantages of an NTFS Network Share


• You can emulate the look and feel of an Active Directory central store
without having to extend your Active Directory schema. Yet you can take
advantage of your existing Active Directory hierarchy or groups.

Note: Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.

• User data is always up-to-date, because it is stored in a central location and avoids any data replication latency associated with Active Directory.
• You can load balance your shares among multiple computers that can each
host an NTFS network share for higher availability.
• An NTFS network share helps reduce the authentication workload on your Active Directory environment.
• Password Manager enables you to migrate your NTFS shared folder central
store to an Active Directory central store if you decide later to implement
an Active Directory central store.

NTFS Network Share Considerations


• You might need additional hardware to host the central store.
• You need to back up central store files and folders (including their related
permissions) regularly. Ensure that you also maintain and implement
disaster recovery plans where you replicate files and folders for site
recovery.
• Your enterprise network topology might require users (and the Password
Manager agent software) to transfer user data across one or more WAN
links. In this case, consider implementing the Distributed File System
technology included as part of Microsoft Windows Server 2000, 2003, and
2008. The Microsoft Web site http://support.microsoft.com describes the
Distributed File System technology in more detail.

Choosing a Novell Shared Folder


Important: Password Manager services are not supported in Password
Manager environments using Novell NetWare shared folders.

Choosing to use a Novell NetWare shared folder as your central store enables you
to leverage the convenience of your existing Novell NetWare directory services.
Using this central store type is similar to using an NTFS network share.
Configure a secured network folder in eDirectory to store all data associated with
your Password Manager environment. Applications and settings can be defined
and assigned at the domain level.

Advantages of a Novell Shared Folder


• You are already implementing Novell NetWare directory services
• You can choose to use an existing secure shared folder as the central store

Novell Shared Folder Considerations


• This central store type does not support associating user configurations
with Active Directory groups.
• If you use a Novell NetWare shared folder, your users’ Novell password
must be identical to their Windows password. This requirement includes
environments running Novell ZENworks for Desktops with Windows
Dynamic Local User support configured on your Novell Directory Server
and with Novell Workstation Manager on each computer that runs the
Password Manager agent software.
• Because the agent uses a Windows password, the use of Novell NetWare
file synchronization requires that users’ Novell password be identical to
their Windows passwords.
• The central store must be located in the same tree as the computers on
which the agent software is installed. Users must log on to a Novell tree
where the shared folder is located. Users must also have accounts with read
access permissions to the Novell NetWare shared folder you designate as
the central store.
• Password Manager services are not supported in Password Manager
environments using Novell NetWare shared folders.

Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise

Note: See “Synchronizing Credentials by Using Account Association” in the Citrix Password Manager Administrator’s Guide to configure Account Association.

Administrators can create multiple central stores in enterprises that contain multiple domains. In fact, you can use more than one type of central store in these environments. For example, you can associate user configurations with an NTFS network share central store in one domain and an Active Directory central store in another domain.
Because companies might maintain multiple Windows domains, users might also
have more than one Windows account. Password Manager includes a feature
known as Account Association to allow a user to log on to any application from
one or more Windows accounts. Because Password Manager typically binds user
credentials to a single account, the credential information is not synchronized
automatically among multiple accounts that a user owns.
However, administrators can configure Account Association to synchronize user credentials by using the Credential Synchronization Module. Users with Account
Association configured have access to all applications from any of their accounts
in their Password Manager environment. When user credentials are changed,
added, or removed from one account, the credentials are synchronized
automatically with each of the user’s associated accounts.
Without Account Association, users with multiple Windows accounts are forced
to manually change their logon information separately from each Windows
account.

Advantages of Using Account Association


• Account Association can help increase productivity and reduce support
calls by synchronizing user credentials to help reduce logon maintenance or
failures.
• Accounts can be synchronized across different central store types. That is, a
user account configured to use Active Directory as the central store can
synchronize with an associated user account that is configured to use an
NTFS network share.
• Accounts can also be synchronized across different user configuration
associations. For example, a user configuration can be associated with an
Active Directory hierarchy (OU or user) in one domain and associated with
an Active Directory group in another domain.
• Accounts can also be synchronized across different user configuration
associations in the same domain and within the same central store.
• Trust relationships between domain controllers are not necessary to use
Account Association.

Account Association Considerations


Consider the following before configuring Account Association:
• Account Association is not compatible with smart cards when smart cards
are used as the primary authentication mechanism to log on to Windows.

Note: The user configuration in each domain might have different password policies that might block access to a resource, but Account Association synchronizes user credentials only, not user configuration policies. Consider how you compose password policies in your enterprise.

• Each associated domain account must use Citrix Password Manager.
• Application definition names must be the same in each user configuration for the Account Association feature to synchronize credentials.
• User credentials are shared only for applications specified in application
definitions created by the Password Manager administrator.
• As part of the Password Manager Service, the Credential Synchronization
Module is a Web service available through a secure HTTP connection, so
this module must be accessible from all computers in your enterprise using
Account Association.

What about Password Policies for Application Access?


Password policies are rules that control how passwords are created, submitted,
and managed. The Password Manager installation includes two standard
password policies named Default and Domain, which cannot be deleted. You can
copy these policies and make modifications to suit your enterprise policies and
regulations.

Related topics:
“Default Settings for the Default and Domain Password Policies” on page 24

Default Password Policy


Password Manager applies the Default policy to password-enabled applications
used in your enterprise (except for those that require user domain credentials).
This policy is applied to any application that is not defined by an administrator
(by using the application definition feature in the console) or any application that
is not part of an application group.
When a user adds credentials to the Logon Manager for an application that does
not have a corresponding application definition, Password Manager applies the
Default policy to manage that application.

Domain Password Policy


Typically, an administrator creates an application group and selects the Domain
policy to be applied to the applications in that group. Password Manager then
applies the Domain policy to those applications that require the user’s domain
credentials for access. The Domain policy can be modified or copied to reflect
your enterprise’s Active Directory or NT domain policies for user accounts.
If you want an application group to be treated as a domain password sharing
group, you must apply the Domain policy to that application group.

Note: An application group is a collection of defined applications associated with one or more user configurations, including the policy to manage the applications.

Custom Password Policies


Important: When creating a custom password policy or modifying existing
policies, ensure that your enterprise requirements and application requirements
match. For example, if you create a policy that does not at least match an
application’s requirements, your users might not be able to authenticate to that
application.

You can create password policies as needed: you can apply one policy for your
domain sharing group, create individual policies to apply to individual groups of
applications to secure them further, and so on.
In general, password policies can specify restrictions such as the following:
• A minimum and maximum number of characters for a password
• Alphabetical and numerical character usage
• Number of times a character can be repeated
• Excluding or requiring which characters or special characters can be used
• Whether or not users can view their stored passwords
• How many times users can try entering their password correctly
• Password expiration parameters
• Password history and password exceptions

Password Policy Considerations


• Consider your security requirements in the context of ease-of-use for your
users. Overly restrictive passwords might be hard for users to create,
implement, or recall.
• Because Password Manager is secure by design, the Default password
policy defines the minimum level of password security recommended by
Citrix for securing most single sign-on enabled applications. You can
modify these settings according to your enterprise policies and regulations.
• Because Password Manager applies the Default password policy to user-added applications, ensure that you configure the Default policy to be as broad as needed to accept passwords for those applications for which you allow passwords to be stored.
• When users change their passwords, Password Manager can be configured
through a user configuration setting to check the old password against the
new password. This helps prevent users from reusing passwords for the
same application twice in a row.
• Users might have a single password that is used for multiple applications
(in a suite of products, for example). This scheme is known as password
sharing, where the same authentication authority is used for the
applications.
While the other credentials for those applications (such as user name and
custom fields) might be different, the user’s password is the same. In this
case, create an application group that is a password sharing group to ensure
that the agent software manages the password for all applications in the
group as a single entity. When the password is changed in one of the
applications, the agent software ensures that the password change is
reflected in the stored credentials for all applications in the group.
• Domain password sharing groups differ from other password sharing
groups because the user’s domain password is used as the master password
for the application group. When the user changes the domain password, the
agent software ensures that the change is reflected in the credentials for all
other applications in the group. Only the domain password can be changed;
users cannot initiate password changes on any of the other applications in
the group unless the administrator removes the application from the domain
password sharing group.
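The password sharing group rules above, as an added model that is not the agent software's own code: a change made in any member of an ordinary sharing group is applied to every member, a domain password sharing group accepts changes only through the domain credential, and an application the administrator removes from the group is managed on its own again. The application names (erp, crm, windows, mail) are constructed sample values.

```python
"""Model of the password sharing group behaviour described above. Constructed
example, not the agent software's code: it shows which stored credentials a
single password change touches under each kind of group."""


class SharingGroupStore:
    """Stored passwords plus the sharing group, if any, each application is in."""

    def __init__(self):
        self.passwords = {}      # application name -> stored password
        self.groups = {}         # group name -> set of member application names
        self.domain_app = {}     # group name -> member holding the domain credential

    def store(self, app, password):
        self.passwords[app] = password

    def create_group(self, name, apps, domain_app=None):
        """A group with `domain_app` set is a domain password sharing group."""
        self.groups[name] = set(apps)
        if domain_app is not None:
            self.domain_app[name] = domain_app

    def remove_from_group(self, name, app):
        """Administrator action: afterwards the application is managed on its own."""
        self.groups[name].discard(app)

    def group_of(self, app):
        return next((g for g, members in self.groups.items() if app in members), None)

    def change_password(self, app, new_password):
        """Apply a change initiated in `app`; return the applications updated."""
        group = self.group_of(app)
        if group is None:
            self.passwords[app] = new_password
            return {app}
        if group in self.domain_app and app != self.domain_app[group]:
            # In a domain sharing group only the domain password may change
            raise PermissionError(f"{app}: change the domain password instead")
        updated = set(self.groups[group])
        for member in updated:   # the group is managed as a single entity
            self.passwords[member] = new_password
        return updated


def demo():
    """Walk through the three cases the guide describes (constructed names)."""
    store = SharingGroupStore()
    for app in ("erp", "crm", "windows", "mail"):
        store.store(app, "Initial1")
    store.create_group("suite", ["erp", "crm"])
    store.create_group("corp", ["windows", "mail"], domain_app="windows")
    results = {
        "suite": store.change_password("erp", "Suite2"),
        "domain": store.change_password("windows", "Domain2"),
    }
    try:
        store.change_password("mail", "Mail3")
        results["mail_blocked"] = False
    except PermissionError:
        results["mail_blocked"] = True
    store.remove_from_group("corp", "mail")
    results["mail_alone"] = store.change_password("mail", "Mail3")
    results["passwords"] = dict(store.passwords)
    return results
```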

Default Settings for the Default and Domain Password Policies
The following table describes the settings, as installed, for the Default and
Domain password policies.

Each option is listed with its Default Setting. (The Your Custom Setting column of the original table is blank, for recording the values you choose.)

Basic Password Rules
  Minimum password length: 8
  Maximum password length: 20
  Maximum number of times a character can occur: 6
  Maximum number of times the same character can occur sequentially: 4

Alphabetic Character Rules
  Allow lowercase characters: Yes
  Password can begin with a lowercase alphabetic character: Yes
  Password can end with a lowercase alphabetic character: Yes
  Minimum number of lowercase alphabetic characters required: 0
  Allow uppercase characters: Yes
  Password can begin with an uppercase alphabetic character: Yes
  Password can end with an uppercase alphabetic character: Yes
  Minimum number of uppercase alphabetic characters required: 0

Numeric Character Rules
  Allow numeric characters: Yes
  Password can begin with a numeric character: Yes
  Password can end with a numeric character: Yes
  Minimum number of numeric characters required: 0
  Maximum number of numeric characters allowed: 20

Special Character Rules
  Allow special characters: No
  Password can begin with a special character: Yes
  Password can end with a special character: Yes
  Minimum number of special characters required: 0
  Maximum number of special characters allowed: 20
  Allow special characters list: ! @ # $ ^ & * ( ) _ + = [ ] \ | , ?

Exclusion Rules
  Exclude the following list of characters or character groups from passwords: Optional setting
  Do not allow application user name in password: No
  Do not allow portions of application user name in password: No
  Number of characters in portions (the character groups that can be taken from the application user name): 3
  Do not allow Windows user name in password: No
  Do not allow portions of Windows user name in password: No
  Number of characters in portions (the character groups that can be taken from the Windows user name): 3

Password History and Expiration
  New password must not be the same as previous password: No
  Number of previous passwords remembered: 1
  Use the password expiration settings associated with the application definitions: No
  Number of days until password expires: 42
  Number of days to warn user before password expires: 14

Logon Preferences
  Allow user to reveal password for applications: No
  Force user to re-authenticate before submitting application credentials: No
  Number of logon retries: 3
  Time limit for number of retries (in seconds): 120 seconds

Password Change Wizard
  Allow users to choose a system-generated password or create their own password: Yes
  Only allow users to create their own password: No
  Only allow users to choose a system-generated password: No
  Generate a password and submit it to the application without displaying the Password Change Wizard: No
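To see how the rules in this table combine when a password is evaluated, here is a checker that uses the documented Default/Domain values as its defaults. It is an added, constructed example, not Citrix code; the rule names it returns (length, special, history, and so on) are labels chosen here, and STRICT_POLICY stands in for a "Your Custom Setting" policy made by copying the default and tightening a few options, as the guide suggests.

```python
"""Checker for the password policy options tabulated above, using the
documented Default/Domain values as defaults. Constructed example; the agent
software applies its policies internally and this is not its code."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PasswordPolicy:
    # Basic Password Rules
    min_length: int = 8
    max_length: int = 20
    max_char_occurrences: int = 6       # any one character, anywhere in the password
    max_sequential_repeat: int = 4      # the same character directly in a row
    # Alphabetic, Numeric and Special Character Rules
    allow_lowercase: bool = True
    min_lowercase: int = 0
    allow_uppercase: bool = True
    min_uppercase: int = 0
    allow_numeric: bool = True
    min_numeric: int = 0
    max_numeric: int = 20
    allow_special: bool = False
    min_special: int = 0
    max_special: int = 20
    special_chars: str = "!@#$^&*()_+=[]\\|,?"   # "Allow special characters list"
    # Exclusion Rules
    disallow_app_username: bool = False
    disallow_app_username_portions: bool = False
    app_portion_length: int = 3
    disallow_windows_username: bool = False
    disallow_windows_username_portions: bool = False
    windows_portion_length: int = 3
    # Password History
    no_reuse_previous: bool = False
    history_size: int = 1               # "Number of previous passwords remembered"


DEFAULT_POLICY = PasswordPolicy()

# A "Your Custom Setting" variant: copy the default and tighten a few options.
STRICT_POLICY = replace(DEFAULT_POLICY, min_numeric=1,
                        disallow_app_username_portions=True,
                        no_reuse_previous=True)


def _portions(name, size):
    """Every run of `size` consecutive characters of `name`, case-folded."""
    name = name.lower()
    return {name[i:i + size] for i in range(len(name) - size + 1)}


def _longest_run(password):
    """Length of the longest run of one character repeated sequentially."""
    longest = run = 0
    for i, ch in enumerate(password):
        run = run + 1 if i and password[i - 1] == ch else 1
        longest = max(longest, run)
    return longest


def check_password(password, policy=DEFAULT_POLICY, app_username="",
                   windows_username="", previous=()):
    """Return the names of the rules the password breaks (empty = accepted)."""
    broken = []
    if not policy.min_length <= len(password) <= policy.max_length:
        broken.append("length")
    if any(password.count(c) > policy.max_char_occurrences for c in set(password)):
        broken.append("max_char_occurrences")
    if _longest_run(password) > policy.max_sequential_repeat:
        broken.append("max_sequential_repeat")

    lower = sum(c.islower() for c in password)
    upper = sum(c.isupper() for c in password)
    digits = sum(c.isdigit() for c in password)
    others = [c for c in password if not c.isalnum()]   # counted as special
    if (lower and not policy.allow_lowercase) or lower < policy.min_lowercase:
        broken.append("lowercase")
    if (upper and not policy.allow_uppercase) or upper < policy.min_uppercase:
        broken.append("uppercase")
    if (digits and not policy.allow_numeric) or not (
            policy.min_numeric <= digits <= policy.max_numeric):
        broken.append("numeric")
    if others and (not policy.allow_special
                   or any(c not in policy.special_chars for c in others)):
        broken.append("special")
    elif not policy.min_special <= len(others) <= policy.max_special:
        broken.append("special_count")

    folded = password.lower()
    for label, name, whole, parts, size in (
        ("app", app_username, policy.disallow_app_username,
         policy.disallow_app_username_portions, policy.app_portion_length),
        ("windows", windows_username, policy.disallow_windows_username,
         policy.disallow_windows_username_portions, policy.windows_portion_length),
    ):
        if name and whole and name.lower() in folded:
            broken.append(f"{label}_username")
        if name and parts and any(p in folded for p in _portions(name, size)):
            broken.append(f"{label}_username_portion")

    # Only the remembered previous passwords count for the reuse check
    if policy.no_reuse_previous and password in list(previous)[:policy.history_size]:
        broken.append("history")
    return broken
```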

Which Type of SSO-Enabled Applications Are Used in My Enterprise?
Note: Password Manager supports the 64-bit version of Internet Explorer. It
does not support 64-bit terminal emulator software.

As the Password Manager administrator, you can create an application definition or modify an application definition template for each application that you want
Password Manager to manage for your users. You create application definitions
by using the console or the stand-alone Application Definition Tool that can be
installed on non-console workstations.
You can also allow users to add their credentials to Password Manager for any of
their client-side applications that it detects, according to settings in user
configurations. The agent software can detect and respond to logon changes for
most applications, including the following application types:

Application Type: Windows
   32-bit Windows applications (including Java applications) such as Microsoft Outlook, Lotus Notes, SAP, or any password-enabled Windows application
Application Type: Web
   Web applications (including Java applets and SAP) accessed through Microsoft Internet Explorer
Application Type: Terminal Emulator
   Applications that you access through an HLLAPI-compliant terminal emulator

The agent software responds according to application definitions that you create
from scratch or copy from existing templates. An application definition:
• Enables the agent software to recognize and respond to applications and the
forms used by the applications to process user credentials
• Consists of a set of identifiers that establish parameters to accomplish this
recognition and response
Within each definition, you create logon and password-related forms required by
the application to enable access. The application definition wizards can help you
create a definition if you open the application; the wizards can detect the forms
and fields of most applications by using Password Manager’s window-matching
capabilities.

Note: Password Manager includes default application definition templates for a variety of Citrix applications or application features. Click Application Definitions in the console tree and click Manage templates in the Common Tasks area to view them. These templates are also available in the Application Definition Tool. Additional templates are available by searching the Citrix Support Web site at http://www.citrix.com/passwordmanager/gettingstarted.

What Do I Need to Know about Each Application?


Before you create a definition, collect the following information about each
single sign-on (SSO) enabled application in your enterprise. You can also start the
application to allow the Application Definition wizard or tool to detect some of
this information.
• Application executable name and, optionally, its path.
You can supply a path for the application for added security, ensuring the
user is running the specific application qualified for your enterprise.
• Individual user credential fields required for each application, such as user
name, password, and other fields (for example, domain name or secondary
password).
• Other credential-related fields in the form, including these password change
fields: Logon, Change Password, Change Password Success (optional),
Change Password Failure (optional).
• Password sharing application requirements.
You might also need to know which applications share the same
authentication authority and might be part of a password sharing group.
Password sharing groups enable Password Manager to manage multiple
credentials for applications that use the same method of authentication.
Also, you can apply the same password policy to application groups.
• Information associated with terminal emulation applications.
Information such as terminal emulator session short names is required by
High-Level Language Application Programming Interface (HLLAPI)
compliant terminal emulators.

What Type of Smart Cards Are Used in My Enterprise?


You must consider the type of authentication used in your enterprise.
After you determine your authentication types and choose a data protection
method in your user configuration, you can implement user identity verification
to further secure credentials.

Related topics:
“Do I Need to Use Identity Verification?” on page 29
“Guidelines for Multiple Primary Authentication and User Credential Protection
Choices” on page 42

Smart Card Support


Citrix has tested smart cards that meet Standard 7816 of the International
Organization for Standardization (ISO) for cards with electrical contacts (known
as a contact card) that interface with a computer system through a device called a
smart card reader. The reader can be connected to the host computer by the serial,
USB, or PC Card (PCMCIA) port.
Citrix supports the use of PC/SC-based cryptographic smart cards. These cards
include support for cryptographic operations such as digital signatures and
encryption. Cryptographic cards are designed to allow secure storage of private
keys such as those used in Public Key Infrastructure (PKI) security systems.
These cards perform the actual cryptographic functions on the smart card itself,
meaning the private keys never leave the card. In addition, smart cards provide
two-factor authentication for increased security: the card and the user’s PIN. When these items are used together, the cardholder can be proven to be the rightful owner of the smart card.

Smart Card Software Requirements


Consult your smart card vendor or integrator to determine detailed configuration
requirements for your specific smart card implementation. The following
components are required on the server or client:
• PC/SC software
• Cryptographic Service Provider (CSP) software
• Smart card reader software drivers
Your Windows server and client operating systems might already include PC/SC,
CSP, or smart card reader drivers. See your smart card vendor for information
about whether these software components are supported or must be replaced with
vendor-specific software.

Important: To use smart cards in a Windows Server 2008 or Windows Vista environment, your central store must be created with or updated by a Password Manager 4.5 or later console and Microsoft Data Protection API (requires roaming profiles) must be selected in your user configurations.

Do I Need to Use Identity Verification?


Depending on user configuration settings, you might require users to verify their
identities when the following events occur:
• Users change their authentication types; for example, a user might switch between smart card and password authentication (you can create a user configuration that requires initial verification only when switching between authentication types)
• An administrator changes a user’s primary password
• Users reset their primary password using Account Self-Service
• Users unlock their domain account using Account Self-Service
• Users change their primary password on a device that does not have the
agent software installed and then log on to a device where the agent
software is installed
Password Manager can be configured to verify the user's identity to ensure that
the user is authorized to use Password Manager. You can select one of two
identity verification methods:

Method: Previous Password
   Users verify their identities by entering their previous primary password.
Method: Security questions (also known as question-based authentication)
   You create a questionnaire that contains as many questions and question groups as you want to make available to users. You can use the default questions Password Manager provides or create your own.

Caution: When previous password is the only identity verification method available to your users, users who forget their previous primary password are locked out. An administrator must then use the Password Manager Console task Reset User Data to enable the users to reenroll. An administrator might also need to reset the passwords in the user’s applications.

Related topics:
“Recovering or Unlocking User Credentials Automatically” on page 31

Verifying User Identity by Using Security Questions (Question-Based Authentication)
Note: If you choose not to set up security questions, users are prompted for
their previous primary password when they first log on and when they change
their primary password. You can also allow users to choose the method they
prefer to use when authenticating (previous passwords or security questions).

Password Manager enables you to use question-based authentication to verify user identity. Password Manager includes four questions (in English, French, German, Japanese, and Spanish) that you can use for this purpose.
You can use question-based authentication:
• As part of a user’s Security Question Registration during the first-time
agent software enrollment
• After enrollment, if you configured Account Self-Service to allow users to
change their primary credentials or unlock their accounts
When users change their primary passwords, you can confirm your users’
identities by prompting them to answer security questions in the form of a
questionnaire you create. This questionnaire appears the first time your users
launch the agent software. Users answer the required number of security
questions and can be prompted to reenter this information at specific password
change events.

Recovering or Unlocking User Credentials Automatically
Important: Automatic key management is not as secure as other key recovery
mechanisms such as security questions and previous password.

You can configure Password Manager to bypass identity verification and retrieve
user credentials (that is, encryption keys associated with the user data)
automatically by installing the Password Manager Service and using the Key
Management Module.
The basic workflow to use automatic key management is as follows:
1. Install the Citrix Password Manager Service with the Key Management
Module.
2. Create or edit user configurations and select the key recovery method that
allows automatic key management without identity verification. This
option is available as part of the Secondary Data Protection property in the
user configuration.

Planning Your User Configurations


Important: You must create user configurations before you deploy the
Password Manager agent software to users. A user configuration contains the
license server and licensing information required by the agent software for
operation.

Note: Associating user configurations to groups is supported only in Active
Directory domains that use Active Directory authentication.

A user configuration is a unique collection of settings, password policies, and
applications that you apply to users associated with an Active Directory hierarchy
(organizational unit or an individual user) or Active Directory group (except for
distribution groups and Domain Local groups in Active Directory mixed mode,
which are not supported). A user configuration enables you to control the
behavior and appearance of the agent software for users.
User configurations set your user information, application definitions, password
policies, and identity verification methods. You must also specify license
information (license server and license type) in each user configuration.
Therefore, your users cannot use the agent software until you establish their user
configuration settings.
Before you create your user configurations, ensure that you already created or
defined the following:
• Your central store
• Optional service modules
• Application definitions
• Password policies
• Security questions (optional)
User configurations consist of the following:
• Users associated with an Active Directory domain hierarchy
(organizational unit or individual user) or group.
• Data protection methods.
• Application definitions you created, which you can combine into an
application group when you create a user configuration.
• Password policies associated with any application groups. (While creating a
user configuration, you can create one or more application groups to
associate with a user configuration. You can also add an application group
to a user configuration after you create the user configuration.)
• Self-service features (account unlock and password reset) and key
management options (use of previous passwords, security questions you
create for your users, and automatic key management).
• Settings for options such as Hot Desktop, credential provisioning, and
application support.

Related topics:
“What Type of Smart Cards Are Used in My Enterprise?” on page 28
“Do I Need to Use Identity Verification?” on page 29

Planning Considerations
• If you need to apply the same user configuration settings to a different
group of users, duplicate the user configuration in the console and modify
the settings accordingly.
• How you organize your Password Manager user environment might affect
how user configurations operate. That is, you associate user configurations
in your Password Manager environment with an Active Directory hierarchy
(OU or users) or an Active Directory group. If you use both (hierarchy and
group) and a user is located in both containers, the user configuration
associated with the hierarchy takes precedence and is the one used. This
scheme is considered a mixed environment.
• The user configuration information maintained in the central store takes
precedence over information stored in the local store (that is, user data
stored on a user’s computer). The local store user data is mostly used when
the central store is not available or offline.

Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop)
Note: “Hot Desktop: A Shared Desktop Environment for Users” in the Citrix
Password Manager Administrator’s Guide describes how to configure Hot
Desktop.

The Hot Desktop feature allows users to share workstations efficiently and
securely. With Hot Desktop, you get the convenience of fast user switching in
addition to single sign-on capability through Password Manager.
Before you can implement Hot Desktop, however, you must:
• Create Hot Desktop-related user configurations
• Configure a Hot Desktop shared account
• Edit the scripts that define what applications run on Hot Desktop devices
and their startup and shutdown behavior
Hot Desktop functionality is not installed by default; you can select it during the
initial installation of the agent software. You can also upgrade existing
deployments to use Hot Desktop.

Note: If you deploy Hot Desktop in an environment where users log on with
smart cards and your selected smart card key source is DPAPI with Profile, do not
select Prompt user to enter the previous password as the only key recovery
method for those users. Users in such an environment cannot enter the correct
previous password and, consequently, are irretrievably locked out of the system.
To avoid this problem, select the automatic key management option or make
question-based authentication available as an option.

Controlling Applications
With Hot Desktop, users can authenticate quickly using their Windows account
credentials or smart card strong authenticator. As the administrator, you can
configure Hot Desktop to launch applications in the Hot Desktop environment so
your users do not have to search for and wait for their applications to launch.
You can also configure Hot Desktop to help ensure that all applications terminate
properly, leaving behind a clean environment for the next user session.

The Hot Desktop User Experience
When the shared account logs on, it places the device into “fast user switch”
mode, which causes a standard Windows authentication prompt to appear on the
screen. The shared account remains logged on regardless of Hot Desktop user
activity.
When users authenticate, they do not log on to Hot Desktop in the traditional
sense. Instead, Hot Desktop uses their Windows credentials to start a Hot Desktop
session. Because users are not truly logging on but rather authenticating, time-
consuming events normally associated with logging on, such as applying group
policy, initializing printers, and so on, do not occur. This creates the “fast-switch”
user experience when running Hot Desktop. A user can start a session, perform
any job-related tasks, and end the session so the next user can enter the system
and do the same. The switch from user to user occurs quickly and efficiently.
The Password Manager agent software launches when the Hot Desktop session
starts. After the session is established, Hot Desktop accesses the user’s Windows
account credentials to launch applications using the standard shell interface.
Typically, these lightweight client applications prompt users for their credentials,
which can be supplied by the agent software using settings associated with their
Windows account.

Licensing Requirements
Install the license server and add licenses before installing Password Manager.

Important: To run this release, you must have the license server (Version 11.5)
that is available from the Licensing folder in the installation media. If you are
running an earlier version of the license server, you must upgrade your license
server to Version 11.5.

For details about licensing requirements, terms, and installation, see the Getting
Started with Citrix Licensing Guide, available at
http://support.citrix.com/pages/licensing/ under the “Top Licensing Resources”
title on the page.

Disconnected Mode
Note: This mode is set as part of a user configuration. See “Configure
Licensing” in the Citrix Password Manager Administrator’s Guide.

If you have users who will be disconnected from the license server for extended
periods of time, such as mobile users with laptops, you must specify a
disconnected mode period for these users. The disconnected mode period is
specified as part of the licensing settings in the user configuration. The
disconnected mode period specifies two important aspects of licensing behavior:
• The amount of time the user can be disconnected from the license server
without entering the licensing grace period. When the disconnected mode
period expires, the users employing the associated user configuration lapse
into the licensing grace period, which is 30 days.
• The amount of time until a checked out license, which is being used in
disconnected mode, is returned to the pool of available licenses on the
license server regardless of whether or not the product reconnects to the
license server. If a license is checked out and the disconnected mode
associated with that license expires before the license is checked in, the
license server automatically checks the license back in so the license is
available again. For example, if a laptop running Password Manager is lost
and never reconnects with your organization’s network, the license server
automatically checks the license back in at the end of the disconnected
mode period.
When you set the disconnected mode, you are actually specifying how long you
want to wait until the license is returned to the pool of available licenses.
Consider setting long disconnected mode periods for users who do not connect to
your organization’s network regularly, such as Sales personnel who work
remotely. Set the period to be the longest amount of time you anticipate users in
this configuration could be away from your network. However, keep in mind you
cannot retrieve any checked out licenses, even from lost or broken equipment, for
the duration of this period.

Managing a Mixed License Type Environment
might have purchased named user and concurrent user Password Manager
licenses. For example, you might create user configurations based on the named
user license model for mobile users who use the agent software through a desktop
computer and laptop computer. You might also create user configurations based
on the concurrent user license model for Hot Desktop users, for example.
In some cases, all of your named user licenses might be in use, making Password
Manager unavailable for some users. If so, you can use any available concurrent
user licenses in your user configuration to be consumed offline.

To employ available concurrent user licenses to be used offline
1. Create a user configuration as described in “Creating a User Configuration:
the User Configuration Wizard” in the Citrix Password Manager
Administrator’s Guide.
2. On the Configure Licensing page, select Concurrent User License
(Enterprise and Platinum Edition Only).
3. Select Allow license to be consumed for offline use and set the amount of
time the license can be checked out from the license server.
4. Finish setting the user configuration.
For users associated with this user configuration, the license model is the same as
a named user license—it can be consumed by users who might occasionally work
remotely and be offline for periods of time. Concurrent user licenses are then
consumed on a per-user basis.

Selecting Optional Password Manager Service Features
The Password Manager Service is a Web service that uses Secure Sockets Layer
(SSL) to encrypt the data shared by the Password Manager Service, the console,
and the agent software. It uses a dedicated Web server to host the optional
features included in Password Manager.
Install the Password Manager Service if you plan to implement one or more of the
following modules:
• Key Management, which allows users to log on to the network and have
immediate access to applications managed by Password Manager without
needing to verify their identities through question-based authentication
• Data Integrity, which digitally signs data before it is transmitted from the
central store to the agent software
• Provisioning, which allows you to use the console to add, remove, or
update credential information for your users
• Self-Service, which allows users to reset their Active Directory passwords
and unlock their accounts
• Credential Synchronization, which allows users to synchronize their
credentials among different accounts (also known as Account Association)

Important: The server that hosts the Password Manager Service contains
highly sensitive user-related information. Citrix recommends that you use a
dedicated server and that you place the server in a physically secure location.

Account Self-Service
Note: You can use the Account Self-Service feature only in an Active Directory
environment to allow your users to reset their primary password or unlock their
Windows domain accounts.

You can configure the self-service features of Password Manager to allow your
users to reset their primary password or unlock their Windows domain accounts
without intervention by administrative or help desk staff. Depending on your
needs, you can implement one or both of the self-service password reset and
account unlock features securely in your Password Manager environment.
Self-Service Password Reset allows users who forgot their primary password to
reset their password and unlock their own accounts. Account Unlock allows your
users to unlock their domain accounts when a lockout event occurs.
These account features are protected by Question-Based Authentication to help
ensure that your users are authorized to reset their passwords or unlock their
accounts.
With Account Self-Service enabled, users must enroll, a process that requires
them to answer the security questions you create and select. These security
questions are then presented to users when they need to reset their password or
unlock their account. When the questions are answered correctly, users are
allowed to reset their password or unlock their account.
You can also use Account Self-Service with Web Interface. Web Interface is a
component of Citrix XenApp that allows users to access their published
applications by clicking links on a Web page.

Note: Account Self-Service does not support user principal name (UPN)
logons, such as username@domain.com.

Data Integrity
Note: If you already implement a security framework that protects data in
transit, such as IPsec (Internet Protocol Security) or SMB (Server Message
Block) signing, you do not need to install the Data Integrity Module.

Install the Data Integrity Module if you want to ensure that data transmitted
among the Password Manager components is provided by a trusted and
authorized source. This module is optional and is designed for deployments
whose networks are not trusted.
The Data Integrity Module contains the public and private key files used for
signing the data. It utilizes RSA public key cryptography to ensure that the agent
software obtains configuration data provided by an authorized source only.

Important: The Data Integrity Module never distributes its private key.

After the console signs the data, the console sends both the data and the signature
to the central store. The agent software receives the data and signature from the
central store during synchronization. The agent software then contacts the
Password Manager Service to obtain a copy of the public key it needs to verify
the signature it received from the central store.
If the agent software is configured to use the Data Integrity Module, it never
accepts configuration data that failed the data integrity check. If a check fails, the
agent software logs the event and displays an error message telling users to
contact their administrator directly. The agent software then defaults to previous
configurations or returns to an offline state.
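The signing and verification flow described above, as an added Go example that is not Citrix code: the console signs, the central store carries data plus signature, and the agent fetches the public key from the service, refuses data that fails the check, and keeps its previous configuration. The 2048-bit RSA key, PKCS#1 v1.5 over SHA-256, the in-memory service and the constructed configuration strings are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrIntegrity is returned when configuration data fails the signature check.
var ErrIntegrity = errors.New("data integrity check failed")

// SignedConfig is a constructed model of what the console writes to the central
// store: the configuration bytes and the signature over them.
type SignedConfig struct {
	Data      []byte
	Signature []byte
}

// Console holds the Data Integrity private key; it signs and never hands the key out.
type Console struct{ priv *rsa.PrivateKey }

// Service models the Password Manager Service endpoint the agent queries; it
// exposes only the public half of the key pair.
type Service struct{ pub *rsa.PublicKey }

// NewConsole generates the signing key pair (2048-bit RSA is an assumption).
func NewConsole() (*Console, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Console{priv: priv}, nil
}

// Service returns the public-key endpoint paired with this console's key.
func (c *Console) Service() *Service { return &Service{pub: &c.priv.PublicKey} }

// Publish signs the configuration (PKCS#1 v1.5 over SHA-256 is an assumption)
// and returns what the console sends to the central store.
func (c *Console) Publish(data []byte) (SignedConfig, error) {
	digest := sha256.Sum256(data)
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Data: data, Signature: sig}, nil
}

// PublicKey is what the agent fetches from the service during synchronization.
func (s *Service) PublicKey() *rsa.PublicKey { return s.pub }

// Agent keeps the last configuration that passed the check, to fall back to,
// and a log of failed checks.
type Agent struct {
	current []byte
	log     []string
}

// Synchronize is the agent-side step: data and signature arrive from the central
// store, the public key comes from the service, and the signature is verified. On
// failure the agent logs, tells the user to contact the administrator, and keeps
// its previous configuration; unverified data is never applied.
func (a *Agent) Synchronize(svc *Service, sc SignedConfig) ([]byte, error) {
	digest := sha256.Sum256(sc.Data)
	err := rsa.VerifyPKCS1v15(svc.PublicKey(), crypto.SHA256, digest[:], sc.Signature)
	if err != nil {
		a.log = append(a.log, "integrity check failed: contact your administrator")
		return a.current, ErrIntegrity
	}
	a.current = sc.Data
	return a.current, nil
}

// Log returns the agent's recorded integrity failures.
func (a *Agent) Log() []string { return a.log }

func main() {
	console, err := NewConsole()
	if err != nil {
		panic(err)
	}
	svc := console.Service()
	cfg, _ := console.Publish([]byte("appdef=SAP;policy=strong")) // constructed config
	agent := &Agent{}
	if _, err := agent.Synchronize(svc, cfg); err == nil {
		fmt.Println("signed configuration accepted")
	}
	// A change to the stored data invalidates the signature.
	cfg.Data = []byte("appdef=SAP;policy=none")
	if _, err := agent.Synchronize(svc, cfg); err != nil {
		fmt.Println("modified configuration rejected:", err)
	}
}
```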

Key Management
With Key Management, users log on to the network and have immediate access to
applications managed by Password Manager without using question-based
authentication (this scheme is also known as automatic key management). When
users change their primary passwords, the agent software detects these changes
and recovers the users’ encryption keys using the Password Manager Service.
This automatic key management provides users with the easiest and fastest access
to their applications. However, automatic key management does not protect
against access by an unauthorized user or administrator impersonating a user
because there is no “user secret” to protect the user’s network password. To help
prevent this potential problem, implement automatic key management in
combination with the Account Self-Service Module and question-based
authentication.

Automatic key management uses key splitting (the process of dividing a private
key into two parts) to help reduce security threats.

Important: Depending on the security policy your organization implements,
system administrators might be able to access passwords for applications
managed by Password Manager. Check your organization’s security policy before
allowing Password Manager to handle passwords that users want to keep
completely private. Clearing automatic key management features in the Data
Protection Methods setting in the user configuration can also help prevent this
unauthorized access.

Provisioning
Provisioning (also known as credential provisioning) adds to the flexibility and
functionality of Password Manager within your organization’s environment by
allowing you to automate a number of time-consuming processes. Whether you
are rolling out a new installation of Password Manager, adding several hundred
new users and new applications, or clearing out unneeded information, credential
provisioning gives you the ability to complete these tasks quickly.
For example, you can use credential provisioning to add all the user names and
passwords for all of your applications to the central store. Doing so eliminates the
need for first-time users of the agent software to go through the process of Initial
Credential Setup. Additionally, if you plan to roll out new software to your users,
create an application definition for the application and use credential provisioning
to add the credentials for all users who will use the application.
Using credential provisioning, you can:
• Add, modify, and delete credentials in the central store
• Reset user credential information
• Remove users and their application credentials from Password Manager
Credential provisioning is achieved by using information about your environment
to create a template that you can use to add, remove, or change credential
information in your central store. Credential provisioning is processed as part of
the Password Manager Service.

Credential Synchronization (Account Association)
Account Association allows a user to log on to any application from one or more
Windows accounts. Because Password Manager typically binds user credentials
to a single account, the credential information is not automatically synchronized
among multiple accounts that a user owns. However, administrators can
configure Account Association to synchronize user credentials. Users with
Account Association configured have access to all applications from any of their
accounts in their Password Manager environment. When user credentials are
changed, added, or removed from one account, the credentials are automatically
synchronized with each of the user’s associated accounts.

Password Manager Agent Software Deployment Scenarios
How you decide to implement Password Manager depends on how users access
applications in your enterprise. For example, if you are running a XenApp
environment, you can publish the Password Manager agent software on each
server in your farm that is currently hosting applications requiring authentication.
Users access these applications through their Citrix connections.
If users run applications locally on their workstations, laptops, handheld
computers, or other client devices, the agent software is installed on these
devices. The agent software in this case provides credentials and access to
applications running locally on the client device.
You can also implement the agent software in a mixed environment, with local
applications and applications published on computers running XenApp. The
locally-installed agent software provides credentials to the applications installed
on the client device and the XenApp-based agent software provides credentials to
the published applications.
If you are also running Access Gateway Advanced Edition, applications are
available from XenApp through a Web browser.
Password Manager can be used with the following:
• Access Gateway Advanced Edition
• Citrix XenApp features such as:
• Citrix XenApp Plugin for Hosted Apps
• Citrix XenApp Plugin for Streamed Apps
• Web Interface

XenApp Considerations
• When you use Password Manager in a XenApp environment, you must
install the agent software on each server that publishes applications that
require authentication. The agent software provides credentials for
published applications only.
• Install the console on a desktop or server that is not a member of the server
farm. This desktop or server should run the same operating system as each
server on which the applications are published or the same operating
system of each server where the agent software will be installed. Use this
console to create user configurations to control the agent software behavior.
• Users access the published applications in the server farm through ICA
connections using a client. When a user tries to connect to a published
application that requires credentials, the agent software recognizes the
request for authentication sent by the XenApp server. The agent software
determines the application type (Windows, Web, or terminal emulator) and
retrieves the appropriate credentials from the local credential store in the
user’s profile.

Guidelines for Multiple Primary Authentication and User Credential Protection Choices
When you create a user configuration, you can select user credential protection
methods depending on the authentication schemes you use in your enterprise.
The following user configuration property pages enable you to tune the Password
Manager agent software behavior and credential data protection method used
when users implement one or more primary authentication methods.

Data Protection Methods Page
The user configuration Data Protection Methods properties page enables you to
select single or multiple primary authentication data protection methods.
Additionally, you can also regulate administrator access to user credential data to
help prevent administrators from impersonating a user and gaining unauthorized
access to user information.

Secondary Data Protection Page
For added security when users change their primary authentication (for example,
a domain password is changed or smart card is replaced), the user configuration
Secondary Data Protection properties page enables you to require users to
reauthenticate and verify their identities before unlocking their application
credentials.

Security Versus Usability
Two key questions to ask when deciding which options to choose on these two
user configuration property pages are:
• Which authentication types are used in my environment for the users I am
administering in this user configuration?
• How can I balance security requirements for the enterprise and usability for
all users?
Consider also that the following choices are not mutually exclusive and that you
can use a mix of them in your enterprise (that is, multiple primary authentication).
Your decision is ultimately based on your need for security versus ease-of-use for
your enterprise users.

User Impersonation
If you want to disallow administrator access to user credentials, select Yes for the
following option. Credentials are protected against administrators seeking to
impersonate a user and to gain access to user information.

Do you need to regulate account administrator access to user data?

Yes is the default setting for the Data Protection Methods page. With this
configuration, the account or other administrator does not have access to user
passwords or user data. This setting helps prevent an administrator from
impersonating a user. The administrator cannot log on as the user with this default
setting and possibly access data located in the user local credential store.
The Yes setting disables the use of the Microsoft Data Protection API option on
this page and the Do not prompt users; restore primary data protection
automatically option on the following Secondary Data Protection page. Smart
cards and roaming profiles are not allowed in this case, and credentials are not
restored automatically upon a password change without authentication or
verification.

Select No if you want to allow use of all the multiple authentication features
available from this page and the Secondary Data Protection page (including the
ability to restore credentials automatically without reauthentication or identity
verification).

User Name and Password
The simplest implementation is the default setting for the Data Protection
Methods page: a password-only environment. The default setting lets your users
employ their user name and password while protecting their credentials against
unauthorized access by administrators.

Important: The security of this setting choice depends on the relative strength
of your domain password policy. The stronger (or more complex) the password
requirement, the more secure this choice is.

Option                                    Description
Do you need to regulate account           See “User Impersonation” on page 43.
administrator access to user data?
Users authentication data                 Selected. A user secret is used to access and
                                          help protect user data. In this case, the user
                                          secret is a password. Password security can be
                                          derived from the user’s typed domain password
                                          or a one-time password from token, proximity,
                                          or biometric devices.

Smart Cards with Certificates and User Authentication Data
Important: This option is not supported by Version 4.1 of the Password
Manager Agent. Select Use data protection as in Password Manager 4.1 and
previous versions and Smart Card Data Protect if you plan to use these legacy
agents. See “Select Data Protection Methods” in the Citrix Password Manager
Administrator’s Guide.

Important: To use smart cards in a Windows Server 2008 or Windows Vista
environment, your central store must be created with or updated by a Password
Manager 4.5 or later console and Microsoft Data Protection API (requires
roaming profiles) must be selected in your user configurations.

Use this option if you combine smart cards with embedded certificates or digital
signatures and user authentication data in your enterprise. Combining smart cards
with a user name and password for authentication is the most secure choice for
protecting user authentication data.

Note: Select the Smart Card Certificate option if you use smart cards with
Hot Desktop.

Option                                    Description
Do you need to regulate account           See “User Impersonation” on page 43.
administrator access to user data?
Users authentication data                 Selected. A user secret is used to access and
                                          help protect user data. In this case, the user
                                          secret is a password. Password security can be
                                          derived from the user’s typed domain password
                                          or a one-time password from token, proximity,
                                          or biometric devices.
Smart Card Certificate                    Selected. In this case, the user secret is
                                          protected by the encryption and decryption
                                          provided by the card’s security certificate.

Smart Cards with PINs
Note: If you plan to use legacy agents, this option is supported by Version 4.1
of the Password Manager Agent when you select Use data protection as in
Password Manager 4.1 and previous versions and PIN as password.

If you use smart cards that do not support security certificates as the primary
authenticator in a Windows domain or you do not use roaming profiles, use the
Allow Smart Card PINs option. When you select this option, the encryption
keys used to protect secondary credentials are derived from the smart card PIN.

Consider enforcing the use of a strong PIN. In some enterprises, smart card PINs
are four-digit numbers that do not provide as strong a level of protection as, for
example, an eight-character password and might be more vulnerable to attack.
Use the PIN as password option only if your organization enforces a smart card
PIN policy that requires a mixture of letters and numbers, and requires a
minimum length of eight characters.

Option                                    Description
Do you need to regulate account           See “User Impersonation” on page 43.
administrator access to user data?
Users authentication data                 Selected. A user secret is used to access and
                                          help protect user data. In this case, the user
                                          secret is a personal identification number (PIN).
Allow Smart Card PINs                     Selected. Allow the Smart Card PIN to be used as
                                          the user secret for protection. Use this only if
                                          your enterprise or environment has a “strong PIN”
                                          policy.

Roaming Profiles (Microsoft DPAPI)


Important: To use smart cards in a Windows Server 2008 or Windows Vista
environment, your central store must be created with or updated by a Password
Manager 4.5 or later console and Microsoft Data Protection API (requires
roaming profiles) must be selected in your user configurations.

Note: This method is supported by Version 4.1 of the Password Manager Agent
and is supported on Windows XP, Windows 2000, and Windows 2003 Server
platforms. Select Use data protection as in Password Manager 4.1 and
previous versions and DPAPI with Profile if you plan to use legacy agents.

Select No in response to Do you need to regulate account administrator access
to user data? to enable the use of the roaming profiles and Microsoft Data
Protection API in your environment. This option is the next-most secure option
after smart cards with certificates and user authentication data.
Select this option if you are using roaming profiles implementing a Kerberos
network authentication protocol for users. This option works only if roaming
profiles are available. If you are storing roaming profiles on workstations, you
must select this option.

Password Manager derives the encryption keys that protect secondary credentials
from the user’s primary password. However, if a user uses a smart card for
primary authentication, a primary password does not exist and cannot be used. In
this case, the best agent option is Microsoft Data Protection API. This option uses
the Microsoft DPAPI to derive encryption keys and protect secondary credentials.
This encryption mechanism uses the user’s Windows or domain credentials to
derive the encryption keys.
If users employ passwords to access their computers and a Kerberos network
authentication protocol to access XenApp servers, select:
• No in response to Do you need to regulate account administrator access
to user data?
• Users authentication data
• Microsoft Data Protection API
This method also allows the use of user credentials and smart cards to log on.

Related topics:
“Smart Cards with Certificates and User Authentication Data” on page 44
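The key derivation the paragraph above describes (encryption keys for secondary credentials derived from the primary password) together with the previous-password recovery path from “Verifying User Identity by Using Security Questions”, as an added Go example that is not Password Manager code. The AES-GCM key wrapping, the iterated-SHA-256 stand-in KDF, the salt length and the store layout are assumptions; the sealed credentials themselves are left out and only the data key that protects them is modeled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

var ErrWrongSecret = errors.New("user secret does not unlock the data key")

// ProtectedStore is a constructed model of one user's key material in the central
// store: the data key that seals the secondary credentials, itself wrapped under a
// key derived from the user secret (the primary password). Sealed credentials elided.
type ProtectedStore struct {
	Salt       []byte
	WrappedKey []byte // data key sealed under deriveKey(secret, Salt)
}

// deriveKey is a dependency-free stand-in KDF (iterated SHA-256; a real deployment
// would use PBKDF2 or an equivalent). It yields a 32-byte AES-256 key.
func deriveKey(secret, salt []byte) []byte {
	buf := append(append([]byte{}, salt...), secret...)
	for i := 0; i < 50000; i++ {
		sum := sha256.Sum256(buf)
		buf = sum[:]
	}
	return buf
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAESGCM returns nonce||ciphertext||tag; the tag makes a wrong key detectable.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, plaintext, nil)...), nil
}

// openAESGCM reports any authentication failure as ErrWrongSecret.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, ErrWrongSecret
	}
	n := gcm.NonceSize()
	pt, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return nil, ErrWrongSecret
	}
	return pt, nil
}

// Enroll is first-time setup: a fresh random data key is wrapped under the user secret.
func Enroll(secret []byte) (*ProtectedStore, error) {
	material := make([]byte, 48) // 16-byte salt followed by the 32-byte data key
	if _, err := io.ReadFull(rand.Reader, material); err != nil {
		return nil, err
	}
	salt, dataKey := material[:16], material[16:]
	wrapped, err := sealAESGCM(deriveKey(secret, salt), dataKey)
	if err != nil {
		return nil, err
	}
	return &ProtectedStore{Salt: salt, WrappedKey: wrapped}, nil
}

// Unlock recovers the data key, and so the credentials, with the current user secret.
func (s *ProtectedStore) Unlock(secret []byte) ([]byte, error) {
	return openAESGCM(deriveKey(secret, s.Salt), s.WrappedKey)
}

// Rekey is the "previous password" recovery path after a primary password change:
// the old secret must unwrap the data key before it is rewrapped under the new one.
// A wrong previous secret leaves the store untouched (the lockout the text describes).
func (s *ProtectedStore) Rekey(oldSecret, newSecret []byte) error {
	dataKey, err := s.Unlock(oldSecret)
	if err != nil {
		return err
	}
	wrapped, err := sealAESGCM(deriveKey(newSecret, s.Salt), dataKey)
	if err != nil {
		return err
	}
	s.WrappedKey = wrapped
	return nil
}
```

Under automatic key management the service supplies the data key without any user secret, which is why the text notes that an administrator logging on as the user can then reach the credentials.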

Blank Passwords
Important: If you do not select this option and a blank password is allowed in
your environment, the agent software does not derive a user secret or otherwise
perform any data protection with the blank password.

Allowing the use of a blank password should be considered a special case and
should only be used in low security environments that require extreme ease of
use. One scenario is when a common workstation is placed on a factory floor and
is accessed by many users. You can still use Password Manager to control access
to applications but the user credentials to access the workstation include a blank
password.

Option: Do you need to regulate account administrator access to user data?
Description: See “User Impersonation” on page 43.

Option: Users authentication data
Description: Selected. A user secret is used to access and help protect user
data. In this case, the user secret is a password.

Option: Allow protection using blank passwords
Description: Selected. When you select this option and the agent software
detects that the user has a blank password, a user secret for data protection is
derived from the user ID.
3 Installing Password Manager

This section describes the pre-installation, installation, and configuration tasks
required to successfully install Citrix Password Manager.

Summary of Installation Steps

Pre-Installation
• Choose the computers in your environment where you will install the
software. See “Planning Your Password Manager Environment” on page 11 and
“Hardware and Software Requirements” on page 50.
• Prepare the computers for installation. See “ASP.NET Requirements” on
page 53, “Security and Account Requirements for Password Manager Service”
on page 53, “Installing the Microsoft .NET 2.0 Framework” on page 57, and
“Installing the Java Runtime Environment” on page 58.
• Install the license server and add licenses for Password Manager. See
“Licensing Requirements” on page 60 and the Getting Started with Citrix
Licensing Guide, available at http://support.citrix.com/pages/licensing/ under
the “Top Licensing Resources” title on the page.

Installation
• Review the Autorun menu. See “Before You Install Password Manager” on
page 60.
• Create a central store. See “Which Central Store Type Should I Choose?” on
page 15 and “Creating a Central Store” on page 62.
• Install the Password Manager Service. See “Installing and Configuring the
Password Manager Service” on page 69.
• Install the Password Manager Console. See “Installing and Configuring the
Password Manager Console” on page 74.
• Install the Password Manager Plugin/agent software. See “Installing and
Configuring the Password Manager Agent Software” on page 76.

Hardware and Software Requirements


Important: Do not install Password Manager on a domain controller.
Installation of Password Manager agent software, service, console, or NTFS
network share central store on a domain controller is not supported.

This section describes the hardware and software requirements for your
environment. This section assumes that each computer meets the minimum
hardware requirements for the installed operating system.

Supporting System Software Requirements

Computers in your Password Manager environment might require the following
supporting system software.

• Microsoft Windows Installer 3.0 or later. Required by: all components.
Available from: the Support folder on the Password Manager installation media,
or http://www.microsoft.com.
• Microsoft .NET Framework 2.0. Required by: Password Manager Service,
Password Manager Console, Application Definition Tool. Available from: the
Support folder on the Password Manager installation media.
• Java Standard Edition Runtime Environment (JRE) Versions 1.4.x, 5, and 6.
Required by: Password Manager Console, Application Definition Tool, Password
Manager agent software. Available from: http://www.java.com.
• Microsoft Internet Explorer Version 6.0 or 7.0 (non-protected mode).
Required by: users accessing SSO-enabled Web applications. Available from:
http://www.microsoft.com.

Password Manager Software Requirements

This table shows the software and hardware requirements for Password Manager.

Important: The server that hosts the Password Manager Service contains
highly sensitive user-related information. Citrix recommends that you use a
dedicated server and that you place the server in a physically secure location.

Central store
Supported environment:
• Active Directory
• NTFS File Share
• Novell Shared Folder
Hardware requirements: 30KB disk space per user

Console
Supported Microsoft Windows operating systems:
• Microsoft Windows Vista (Business Edition, Ultimate Edition, Enterprise
Edition)—32-bit and 64-bit
• Microsoft Windows XP Professional, Service Pack 2—32-bit
• Microsoft Windows XP Professional x64 Edition—64-bit
• Microsoft Windows 2000 Professional, Service Pack 4
• Microsoft Windows Server 2008 (Standard Edition, Enterprise Edition,
Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows Server 2003 R2 (Standard Edition, Enterprise Edition,
Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows Server 2003 with Service Pack 2 (Standard Edition,
Enterprise Edition, Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows 2000 Server, Service Pack 4 (Windows 2000 Server,
Advanced Server, Datacenter Server)—32-bit
Hardware requirements:
• 64MB RAM
• 60MB disk space

Agent software
Supported Microsoft Windows operating systems:
• Microsoft Windows Vista (Business Edition, Ultimate Edition, Enterprise
Edition)—32-bit and 64-bit
• Microsoft Windows XP Professional, Service Pack 2—32-bit
• Microsoft Windows XP Professional x64 Edition—64-bit
• Microsoft Windows XP Embedded
• Microsoft Windows 2000 Professional, Service Pack 4
• Microsoft Windows Fundamentals for Legacy PCs
• Microsoft Windows Server 2008 (Standard Edition, Enterprise Edition,
Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows Server 2003 R2 (Standard Edition, Enterprise Edition,
Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows Server 2003 with Service Pack 2 (Standard Edition,
Enterprise Edition, Datacenter Edition)—32-bit and 64-bit
• Microsoft Windows 2000 Server, Service Pack 4 (Windows 2000 Server,
Advanced Server, Datacenter Server)—32-bit
Hardware requirements:
• 10MB RAM
• 25MB disk space (if optional features are not installed)
• 35MB disk space (if optional features are installed)

Service
Supported Microsoft Windows operating systems:
• Microsoft Windows Server 2008 (Standard Edition, Enterprise Edition,
Datacenter Edition)—32-bit
• Microsoft Windows Server 2003 R2 (Standard Edition, Enterprise Edition,
Datacenter Edition)—32-bit
• Microsoft Windows Server 2003 with Service Pack 2 (Standard Edition,
Enterprise Edition, Datacenter Edition)—32-bit
• ASP.NET (Application Server components available)
Hardware requirements:
• 128MB RAM
• 30MB disk space

Application Definition Tool
Supported environment: same as agent software
Hardware requirements: same as agent software

Note: Password Manager is not supported on Microsoft Windows XP Home
Edition.
Hot Desktop is supported only on Microsoft Windows 2000 Professional,
Microsoft Windows XP Embedded, and Microsoft Windows XP Professional,
Service Pack 2—32-bit. It is not supported on 64-bit operating systems or any
server operating systems.

ASP.NET Requirements
Make sure the ASP.NET Windows component is installed on the computer
running the Password Manager Service.

Security and Account Requirements for Password Manager Service
Before you install the Password Manager Service, ensure that the appropriate
accounts and components are available to support the service. Also, because the
service uses secure HTTP (HTTPS), the service requires a server authentication
certificate for Secure Sockets Layer (SSL) communication with the console and
agent software.

Server Authentication Certificate Requirement


Note: When you install the Password Manager Service, Password Manager
creates signing and validation certificates to authenticate the information in the
central store. These certificates are not related to the required SSL certificate.

Before you install the service, obtain a server authentication certificate for SSL
communication from a certificate authority (CA) or, if you have an existing
public key infrastructure (PKI), download your own certificate to the server
running the service.
An SSL certificate is necessary to ensure secure communication from the service
to the console and agent software, and to guarantee that the agent software and
console are communicating with the correct service server.
• Because this certificate is used for SSL communication, the certificate
common name must match the service server’s fully qualified domain name
(FQDN). Specify a minimum key size of 1024.
• You must install the certificate in your local computer certificate store and
establish the appropriate trust relationships for the console and the agent
software.
• You must install this certificate on the computers running the service,
console, and agent software.
• In a load balancing or clustered service environment, you can use one
certificate for multiple service servers if the common name of the SSL
certificate uses a wildcard (typically an asterisk character) in it. For
example, you can use an SSL certificate with a common name of
server*.mycompany.com for an environment with servers named
server1.mycompany.com, server2.mycompany.com, and
server3.mycompany.com. You could also use an SSL certificate with a
common name of *.mycompany.com in this case, where the common name
does not match the server FQDN.

Important: If you obtain your certificate from an authority that is not trusted
by default (such as a certificate authority installed in your company), you need to
install the root authority certificate to your local computer’s trusted root
certificate store to establish the trust relationship.

If users are experiencing SSL failures, it is most likely because the server
certificate is not trusted. Refer to the Microsoft Web site
http://www.microsoft.com for instructions about extracting and deploying CA
root certificates.
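Because an untrusted or mismatched server certificate is the usual cause of the SSL failures described above, the following added PowerShell script (not part of the Citrix guide) checks the local computer certificate store for a certificate that meets the requirements listed in this section: a subject name that matches the service FQDN (with the wildcard forms the guide allows, the asterisk limited to one DNS label), a server authentication key usage, a key of at least the stated minimum size, a private key present, and a chain that builds to a trusted root. The service FQDN and store path are placeholders. The guide's minimum key size of 1024 bits is kept as the default; current practice is 2048 bits or more, so pass a larger value for new deployments.

```powershell
# Added example (not from the Citrix guide): inspects the local computer
# certificate store for a server authentication certificate that satisfies the
# requirements above. The service FQDN and the store path are assumed values.
function Test-PmServiceCertificate {
    param(
        [Parameter(Mandatory)] [string] $ServiceFqdn,   # placeholder, e.g. pmservice.mycompany.com
        [string] $StorePath = 'Cert:\LocalMachine\My',
        [int]    $MinimumKeySize = 1024                  # the guide's minimum; 2048 is current practice
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'                 # id-kp-serverAuth

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # DNS name the certificate was issued to (CN, or the first SAN dNSName).
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        # Wildcard handling: "server*.mycompany.com" and "*.mycompany.com" both
        # cover server1.mycompany.com. The '*' is limited to a single DNS label.
        $pattern = '^' + ([regex]::Escape($dnsName) -replace '\\\*', '[^.]+') + '$'
        $nameOk  = $ServiceFqdn -match $pattern          # -match is case-insensitive

        # Enhanced Key Usage: either absent (any purpose) or containing serverAuth.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekuOk = (-not $eku) -or
                 (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid)

        try { $keySize = $cert.PublicKey.Key.KeySize } catch { $keySize = 0 }
        $keyOk   = $keySize -ge $MinimumKeySize
        $trusted = $cert.Verify()                        # false when the issuing CA is not in Trusted Root

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            DnsName       = $dnsName
            NameMatches   = $nameOk
            ServerAuthEku = [bool]$ekuOk
            KeySizeOk     = $keyOk
            HasPrivateKey = $cert.HasPrivateKey
            ChainTrusted  = $trusted
            Usable        = $nameOk -and $ekuOk -and $keyOk -and $cert.HasPrivateKey -and $trusted
        }
    }
}

# Usage (placeholder FQDN): run on the service server, the console, and an
# agent computer; ChainTrusted must be true on all of them.
Test-PmServiceCertificate -ServiceFqdn 'pmservice.mycompany.com' |
    Format-Table Thumbprint, DnsName, NameMatches, KeySizeOk, HasPrivateKey, ChainTrusted, Usable -AutoSize
```

A row with NameMatches true but ChainTrusted false is the case the Important note above describes: the certificate was issued by a CA that is not trusted by default, and the CA's root certificate must be installed in the Trusted Root Certification Authorities store of the local computer.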

Related topics:
“To configure the Password Manager Service(s) with the Service Configuration
wizard” on page 71

Accounts Required for Service Modules


The Password Manager Service can require up to three system account types to
read and write data as it operates in your environment:
• Service account
• Data proxy account
• Self-service account
The number and type of accounts required depend on the service modules you
choose to use. The table shows the accounts required by each module of the
service. In cases where different modules require the same type of account, you
can use the same account for multiple modules or you can specify different
customized accounts for each module.

Accounts required by each module:
• Data Integrity: service account
• Key Management: service account, data proxy account
• Provisioning: service account, data proxy account
• Self-Service: service account, data proxy account, self-service account
• Credential Synchronization: service account

Service Account Requirements


On the server running the Password Manager Service, use the following accounts
to run the service.

Windows Server 2003 and Windows Server 2008: use the existing Network
Service or Local Service accounts.

Note: If you choose to create a domain account as the service account, you
must register a service principal name for this domain account and the service
computer in Active Directory by using the setspn.exe utility. See the Microsoft
Web site for more information about service principal names.
You cannot specify a local user account as the service account in this version of
Password Manager. You can specify the built-in Local Service account.
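The following added PowerShell snippet (not part of the Citrix guide) registers and then verifies the service principal name for a domain account used as the service account, as the note above requires. The domain, account name and service FQDN are placeholders, and the HTTP service class is an assumption based on the service being an ASP.NET application reached over HTTPS; the guide itself does not state which class to use. It must be run by an account allowed to write the servicePrincipalName attribute of the service account (a domain administrator by default).

```powershell
# Added example (not from the Citrix guide): registers and verifies the SPN
# for a domain account used as the Password Manager service account.
# Placeholders: $domain, $serviceUser, $serviceFqdn. The HTTP service class
# is an assumption (the guide does not state it).
$domain      = 'MYDOMAIN'
$serviceUser = 'svc-pmservice'
$serviceFqdn = 'pmservice.mycompany.com'
$spns = @("HTTP/$serviceFqdn", "HTTP/$($serviceFqdn.Split('.')[0])")   # FQDN and short host name

foreach ($spn in $spns) {
    # -Q searches the forest for an existing registration. The same SPN on two
    # accounts breaks Kerberos authentication for both, so check before adding.
    $query = setspn -Q $spn
    if ($query -match 'Existing SPN found') {
        Write-Warning "$spn is already registered:`n$($query -join "`n")"
        continue
    }
    # -S adds the SPN only if it is not a duplicate anywhere in the forest
    # (Windows Server 2008 and later; Windows Server 2003 only has -A, which
    # performs no duplicate check, hence the -Q query above).
    setspn -S $spn "$domain\$serviceUser"
}

# Confirm what is now registered on the account.
setspn -L "$domain\$serviceUser"
```

If the Password Manager Service is later moved to another host or placed behind a load-balanced name, the SPN must be updated to the name that clients actually connect to, otherwise Kerberos negotiation falls back or fails.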

Data Proxy Account Requirements


On the server running the Password Manager Service, create an account with the
following settings, to be used for data proxy communication with the service.
The account requires read and write access to the central store. The account
requirements depend on the central store type you are implementing.

NTFS Network Share
The account:
• Requires read and write access to the central store.
• Is a member of the domain.
After you create the central store:
• Grant the account Full Control sharing permissions to the CITRIXSYNC$
share.
• Grant the account Full Control permissions to the CITRIXSYNC folder and
its subfolders: CentralStoreRoot folder and People folder.
• Grant the account Full Control permissions to all file objects within the
CITRIXSYNC folder and its subfolders.
• Ensure that the Authenticated Users group has the right to create folders
inside the People folder.

Active Directory
The account:
• Requires read and write access to the central store.
• Is a member of the domain administrator group.

Note: You cannot use the Password Manager Service if your central store type
is a Novell Shared Folder.
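The following added PowerShell script (not part of the Citrix guide) applies the NTFS network share permissions listed above for the data proxy account and then verifies them. The verification step checks the People and CentralStoreRoot folders separately, because, as noted later in this chapter, those folders do not inherit access rights from the shared root folder. The domain and account name are placeholders; the store path and share name are the defaults this guide says CtxFileSyncPrep.exe creates. Grant-SmbShareAccess requires Windows Server 2012 or later; on the server versions this guide lists, set the share permission through Computer Management instead.

```powershell
# Added example (not from the Citrix guide): grants and verifies the data proxy
# account's permissions on an NTFS network share central store.
# Placeholders: $proxyAccount. Defaults from the guide: $storeRoot, $shareName.
$proxyAccount = 'MYDOMAIN\svc-pmproxy'
$storeRoot    = "$env:SystemDrive\CITRIXSYNC"    # default path created by CtxFileSyncPrep.exe
$shareName    = 'CITRIXSYNC$'

# 1. Share-level Full Control (Windows Server 2012 or later).
Grant-SmbShareAccess -Name $shareName -AccountName $proxyAccount -AccessRight Full -Force | Out-Null

# 2. NTFS Full Control on the folder tree: (OI)(CI) propagate to files and
#    subfolders, /T re-applies the ACE to objects that already exist.
icacls $storeRoot /grant "${proxyAccount}:(OI)(CI)F" /T | Out-Null

# 3. Authenticated Users (well-known SID S-1-5-11) must be able to create
#    folders under People; AD = add subdirectory, CI = inherit to subfolders.
icacls (Join-Path $storeRoot 'People') /grant '*S-1-5-11:(CI)(AD)' | Out-Null

# 4. Verify: is there an Allow ACE for the identity that covers the rights?
function Test-CentralStoreAcl {
    param(
        [string] $Path,
        [string] $Identity,
        [System.Security.AccessControl.FileSystemRights] $Rights
    )
    $acl  = Get-Acl -Path $Path
    $rule = $acl.Access | Where-Object {
        $_.IdentityReference.Value -ieq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $Rights) -eq $Rights
    }
    [pscustomobject]@{ Path = $Path; Identity = $Identity; Rights = $Rights; Granted = [bool]$rule }
}

foreach ($folder in @($storeRoot, "$storeRoot\CentralStoreRoot", "$storeRoot\People")) {
    Test-CentralStoreAcl -Path $folder -Identity $proxyAccount -Rights FullControl
}
Test-CentralStoreAcl -Path "$storeRoot\People" -Identity 'NT AUTHORITY\Authenticated Users' -Rights CreateDirectories
```

Any row with Granted false after running this points at a folder whose ACL was replaced or had inheritance disabled; re-run the icacls step for that folder rather than broadening permissions on the share.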

Self-Service Requirements
If you are using the Self-Service Password Reset or Self-Service Account Unlock
features of the Account Self-Service Module, use an account that is a member of
the domain administrators group.

Account Requirements to Install and Use Password Manager
The following section describes the account requirements for those users
installing and using Password Manager components.

Installing and Using Password Manager Service


The user installing the service and running the Service Configuration wizard must
be a member of the domain (a Domain User) and a member of the local
Administrators group on the service computer (add a domain user account to the
local Administrators group). The domain user account does not need to be a
domain administrator.

Installing and Using Password Manager Console and Application Definition Tool
The user installing the console, performing a console discovery and configuration
operation, and using the console must be a domain administrator and a member of
the local Administrators group on the console workstation. This user account
must have read and write access to the central store. A non-administrator user
account can be assigned the right to manage the console and its related functions
through Active Directory delegation or constrained delegation.

Installing and Using the Password Manager Agent Software
The user installing the agent software must be a member of the domain (a domain
user) and a member of the local Administrators group on the service computer.
The domain user account does not need to be a domain administrator.
The user running the agent software must be a member of the domain (a domain
user).

Installing the Microsoft .NET 2.0 Framework


This section describes how to install the Microsoft .NET 2.0 framework from the
Password Manager installation media. You must install this framework on any
computer in your environment where you plan to install the following:
• Console
• Service
• Application Definition Tool.

Important: Citrix has included the .NET 2.0 framework version required for
Password Manager installation on the Password Manager installation media. Use
this version or .NET 3.0.
Always read the readme.htm file located on the Citrix Web site
(http://www.citrix.com) for updates and late-breaking information. (You can find
the readme and all other Password Manager documentation by opening
Password_Manager_Read_Me_First.html in the Documentation folder on the
installation media.)

Installing .NET 2.0 Side By Side with .NET 1.1


You can install .NET 2.0 on a workstation or server that also includes .NET 1.1.
This installation is known as a side by side installation of the framework. You do
not need to uninstall the .NET 1.1 framework from any computer where you plan
to install the following Password Manager features:
• Console
• Service
• Application Definition Tool

Related topics:
“Microsoft .NET Versions 1.1 and 2.0” on page 91

To install Microsoft .NET 2.0


1. Access the installation media from the computer where you plan to install
the console, service, or Application Definition Tool.
2. If Autorun is enabled: When the Citrix Password Manager installation
screen appears, click Browse CD to open Windows Explorer.
If Autorun is disabled: Open Windows Explorer and navigate to the
product files.
3. Open the Support folder and then open the DotNet20 folder.
4. For 32-bit systems: open the x86 folder and then click the dotnetfx.exe
file.
For 64-bit systems: open the x64 folder and then click the dotnet.exe file.
5. In the Security Warning window, click Run.
6. Click through the installation dialog windows to install the .NET 2.0
framework.
7. Click Finish to complete the installation.

Note: For non-English operating systems, set up .NET Framework language
support by installing the Microsoft .NET Framework Version 2.0 language pack.
This is available from the Microsoft Web site (http://www.microsoft.com).

Installing the Java Runtime Environment


Password Manager supports the Java Runtime Environment (JRE), Versions
1.4.x, 5 (1.5.x), and 6 (1.6.x). Download the current supported version from the
Sun Microsystems Web site (http://java.sun.com).
You can install it on computers where you install the following:
• Console
• Application Definition Tool
• Agent software

If You Install or Upgrade the JRE after Installing the Console, Application
Definition Tool, or Agent Software
If you install or upgrade the JRE after installing the console, Application
Definition Tool, or agent software, use the Control Panel to update the Password
Manager software installed on that computer. This procedure associates the
current JRE with these Password Manager components.

To associate the JRE with Password Manager


1. In the Control Panel, go to the Programs area, select one of the following
and click Change.
• Citrix Password Manager Console 4.6 with Service Pack 1
• Citrix Password Manager Service 4.6 with Service Pack 1
• Citrix Password Manager 4.6 with Service Pack 1
2. In the setup dialog, select Repair and click Next twice.
3. Click Finish when the console is successfully repaired.

Troubleshooting a Java-Related Error Message When Installing or Uninstalling
the Agent Software
You might see the following error message when you attempt to install or
uninstall the agent software:
Citrix Password Manager has detected that one or more Java software
programs or files are currently in use. Please close all programs
and stop all Java-related services before continuing.

Typically, this error occurs if you are installing the agent software on a computer
also running a Web server service such as Apache Tomcat, Apache HTTP server,
or others. Also, this error might be seen if you are installing the agent software on
a computer running Citrix XenApp with License Management Console installed.
In this case, perform the following steps:
1. Stop the service.
2. Install or uninstall the agent software.
3. Restart the service.

Licensing Requirements
Install the license server and add licenses before installing Password Manager.

Important: To run this release, you must have the license server (Version 11.5)
that is available from the Licensing folder in the installation media. If you are
running an earlier version of the license server, you must upgrade your license
server to Version 11.5.

For details about licensing requirements, terms, and installation, see the Getting
Started with Citrix Licensing Guide, available at http://support.citrix.com/pages/
licensing/ under the “Top Licensing Resources” title on the page. Information
about using named and concurrent user licenses with Password Manager is in the
Citrix Password Manager Administrator’s Guide.

Note: You can find Getting Started with Citrix Licensing Guide, Citrix
Password Manager Administrator’s Guide, and all other Password Manager
documentation by opening Password_Manager_Read_Me_First.html in the
Documentation folder on the installation media. You can find additional licensing
resources at http://support.citrix.com/pages/licensing/ under the “Top Licensing
Resources” title on the page.

Before You Install Password Manager


Use Autorun to perform Password Manager tasks such as creating a central store
or installing Password Manager components. After you access the installation
media, the Autorun installation options screen appears.
If it does not automatically appear:
1. Open Windows Explorer and navigate to the installation files.
2. Click Autorun.exe.

Installation Order
The suggested installation order of Password Manager is as follows:
• License Password Manager.
• Create your central store.
• Install the Password Manager Service if you want to use one or more of the
following modules:

• Key management
• Self-service
• Provisioning
• Credential synchronization
• Data integrity

Note: If you decide to install the Data Integrity Module at a later date or
after installing the console and agent software, you must digitally sign your
existing central store data by using the data signing tool CtxSignData.exe.
(This tool is available after you install the Data Integrity Module.)
Conversely, if you uninstall the Data Integrity Module, you must unsign your
central store data.

• Install the Password Manager Console on one or more computers in your
environment.
• Install the Application Definition Tool on one or more computers in your
environment when you need to create application definitions only.
• After configuring Password Manager features in the console, install the
Password Manager agent software on each user computer in your
environment. You can also deploy the agent software as a published
application in a Citrix XenApp environment.

Where Can I Install Each Password Manager Component?
Important: Do not install the service and agent software on the same computer.
Do not install Password Manager on a domain controller. Installation of Password
Manager agent software, service, console, or NTFS network share central store
on a domain controller is not supported.

You can install the service, console, and agent software in any of the following
allowed combinations or scenarios:
• You can install the service and console on the same computer.
• You can install the console and agent software on the same computer.

• You can install the agent software on any computer or client device in your
environment for access to locally-installed SSO-enabled applications.
• You can install the console and Application Definition Tool on any
computer in your environment.
• For testing purposes, you can install the console and the agent software on
the same computer so that you can verify that changes you make at the
console are reflected on the agent software.
• You can deploy the agent software in a XenApp environment. In this case,
the agent software submits or provides credentials for XenApp-published
applications only (not applications installed locally on the user workstation
or client device).

Important: The server that hosts the Password Manager Service and central
store contains highly sensitive user-related information. Use a dedicated server
and place that server in a physically secure location.

Creating a Central Store


The following procedures assume that the Password Manager installation media
is loaded on the computer that you chose to host the central store and that the
Autorun screen appears.

Related topics:
“Which Central Store Type Should I Choose?” on page 15
“Using Account Association with Multiple Central Stores and User Account
Credentials in a Multiple Domain Enterprise” on page 20
“Before You Install Password Manager” on page 60
“Optional - Creating a Central Store from a Command Prompt” on page 65

To create an NTFS network share central store


1. Click Step 2: Create your central store.
2. Click Create your central store in an NTFS network share.
3. Click Yes in the confirmation dialog window.
A command window appears.
4. After the central store is created successfully, press any key to close the
command window.
An NTFS Network Share folder is now created as
%SystemDrive%\CITRIXSYNC.

Note: If you have users who are not administrators on the file servers but need
to manage Password Manager folders, you can add them to the root shared folder
and allow them full control. You must also add those users to the People folder
and the CentralStoreRoot folder because those folders do not inherit access rights
from the root shared folder.
Associating user configurations to groups is supported only in Active Directory
domains that use Active Directory authentication.

To create a Novell shared folder central store


Note: Ensure that you are creating this central store from a computer where the
Novell client is installed.
Also, agent software running on 64-bit computers cannot connect to Novell
shared folder central stores.

1. Click Step 2: Create your central store.
2. Click Create your central store in a Novell shared folder.
3. Click Yes in the confirmation dialog window.
A command window appears.
4. At the PATH: prompt, type a UNC path to the NetWare server, volume, and
folder(s) you want to create.
For example: \\NW5SRV\DATA\CITRIXSYNC$.
5. After the central store is created successfully, press any key to close the
Windows command window.
A Novell shared folder is now created.

To create an Active Directory central store


Note: Ensure the current server is part of the Active Directory domain and that
the current user is a member of the Schema Administrators group and Domain
Administrators group. Ensure that the Active Directory Schema Master is
configured to allow updates.

Important: If the server you are extending the Active Directory schema from
is not the domain controller, ensure the Microsoft Windows utility Ldifde.exe is
installed on it before beginning this step. The utility can be found on the
Windows installation media or at the Microsoft Web site (http://
www.microsoft.com). You will not be able to complete this process if Ldifde.exe
is not installed.

1. Click Step 2: Create your central store.
2. Click Create your central store in your Active Directory domain.
3. Click Step 1: Extend your Active Directory schema for the new
directory objects.
4. Click Yes in the confirmation dialog window.
A command window appears.
5. After the schema is extended successfully, press any key to close the
command window.

Note: Before you complete the next step, ensure that the schema
extension propagated to all domain controllers throughout your Active
Directory environment.

6. Click Step 2: Create your central store in the extended schema.
7. Click Yes in the confirmation dialog window.
A command window appears.
8. After the schema is extended successfully, press any key to close the
command window.
The Active Directory central store is now created.

Related topics:
“Choosing an Active Directory Central Store” on page 17

Optional - Creating a Central Store from a Command Prompt
The Password Manager installation process enables you to create a central store
from a command prompt. Creating a central store from a command prompt
enables you to use custom parameters instead of the default parameters available
from the Password Manager installation screen.
This table shows the central store types and the associated utilities. These utilities
are located in the Tools folder on the Password Manager installation media.

• Active Directory Schema Extension Utility (CtxSchemaPrep.exe): use to
create an Active Directory central store. Extends your Active Directory schema
for use with Password Manager.
• Active Directory Domain Preparation Utility (CtxDomainPrep.exe): use to
create an Active Directory central store. Updates the permissions of the Active
Directory domain root to allow users to create Password Manager objects under
their User object.
• File Synchronization Setup Utility (CtxFileSyncPrep.exe): use to create an
NTFS network share central store.
• File Synchronization Setup Utility for Novell NetWare
(CtxNWFileSyncPrep.exe): use to create a Novell publicly-accessible shared
folder central store.

Creating an Active Directory Central Store from a Command Prompt
Creating an Active Directory central store from a command prompt is a two-step
process:
• Extend your Active Directory schema for use with Password Manager.
• Update the permissions of the Active Directory domain root to allow users
to create Password Manager objects under their User object.

Note: Ensure that the Active Directory Schema Master is configured to allow
updates.

To create the Active Directory central store from a command
prompt—Step 1: Extending the Active Directory schema
Important: If the server you are extending the Active Directory schema from
is not the domain controller, ensure the Microsoft Windows utility Ldifde.exe is
installed on it before beginning this step. The utility can be found on the
Windows installation media or at the Microsoft Web site (http://
www.microsoft.com). You will not be able to complete this process if Ldifde.exe
is not installed.

1. Using an account with Schema Admins group credentials, log on to a server
in the Active Directory domain.
2. Verify that the computer that has the Schema Master role is configured to
allow schema updates.
3. From a command prompt, access the Tools folder from the installation
media.
4. Type CtxSchemaPrep.exe.
5. Ensure that schema changes are completely propagated to all domain
controllers in the enterprise before continuing to Step 2: Update domain
root permissions.

To create the Active Directory central store from a command
prompt—Step 2: Updating domain root permissions
1. Before continuing, ensure that the schema changes made in Step 1: Extend
the Active Directory Schema are completely propagated to all domain
controllers in the enterprise.
2. Using an account with Domain Admin group credentials, log on to a
computer that resides in the domain that you want to configure.
3. From a command prompt, access the Tools folder from the installation
media.
4. Type CtxDomainPrep.exe [distinguished name].
where:

distinguished name
    Relative distinguished name (DN) of the organizational unit (OU) on
    which to set the permissions. This DN is appended to the DN of the
    domain root.
    By using this option, you can specify an OU to set permissions at the
    OU level, rather than the domain root level. This technique limits
    Password Manager use to the OU specified.
    For example:
    CtxDomainPrep.exe OU=Employees
    sets the permissions on OU=Employees, DC=yourdomain, DC=com.

5. Follow the instructions on-screen to finish creating the central store.
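Both command-prompt steps above insist that the schema changes from CtxSchemaPrep.exe have replicated to every domain controller before CtxDomainPrep.exe runs. The following added PowerShell script (not part of the Citrix guide) performs that check by querying each domain controller in the forest directly for a schema object. The guide does not list the names of the classes or attributes CtxSchemaPrep.exe adds, so the object name is an obvious placeholder to be replaced with one of them; the script also assumes the Active Directory module (RSAT) is installed on the computer it runs on.

```powershell
# Added example (not from the Citrix guide): reports which domain controllers
# already hold a given schema object, so that CtxDomainPrep.exe is run only
# after the schema extension has replicated everywhere.
# Placeholder: the schema object CN. Assumed: RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-SchemaPropagation {
    param([Parameter(Mandatory)] [string] $SchemaObjectCn)   # e.g. 'CN=PLACEHOLDER-PM-SCHEMA-OBJECT'
    $forest   = Get-ADForest
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $dn       = "$SchemaObjectCn,$schemaNc"
    Write-Host "Schema master: $($forest.SchemaMaster)"

    # The schema partition is forest-wide, so walk the DCs of every domain.
    foreach ($domainName in $forest.Domains) {
        foreach ($dc in Get-ADDomainController -Filter * -Server $domainName) {
            $status = 'Present'
            try {
                # -Server forces the read from this specific DC instead of any DC.
                $null = Get-ADObject -Identity $dn -Server $dc.HostName -ErrorAction Stop
            } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                $status = 'Missing'            # not replicated to this DC yet
            } catch {
                $status = "Error: $($_.Exception.GetType().Name)"   # DC unreachable, access denied, ...
            }
            [pscustomobject]@{ Domain = $domainName; DomainController = $dc.HostName; SchemaObject = $status }
        }
    }
}

$report = Test-SchemaPropagation -SchemaObjectCn 'CN=PLACEHOLDER-PM-SCHEMA-OBJECT'
$report | Format-Table -AutoSize
if ($report.SchemaObject -contains 'Missing') {
    Write-Warning 'The schema extension has not reached every domain controller; wait before running CtxDomainPrep.exe.'
}
```

Rows reporting an error rather than Missing deserve attention before proceeding as well: a domain controller that cannot be reached for this query is one whose replication state you have not actually confirmed.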

Creating an NTFS Network Share Central Store from a Command Prompt
The NTFS file synchronization setup utility CtxFileSyncPrep.exe automatically
creates the folders you need for your central store. It also creates the shared
folder, the CentralStoreRoot folder, and the People folder with the correct sharing
and security permissions.
Ensure the following:
• The central store must belong to the same domain as the workstations or
computers running XenApp where the agent software is installed
• Run CtxFileSyncPrep.exe on the server that hosts the NTFS network share

Note: If you have users who are not administrators on the file servers but need
to manage Password Manager folders, you can add them to the root shared folder
and allow them full control. You must also add those users to the People folder
and the CentralStoreRoot folder because those folders do not inherit access rights
from the root shared folder. Give these users full share permissions and full
permissions on the files and subfolders inside the People folder and the
CentralStoreRoot folder.
Associating user configurations to groups is supported only in Active Directory
domains that use Active Directory authentication.

To create an NTFS network share central store from a command prompt
1. From a command prompt on the server that will host the NTFS network
share, access the Tools folder on the product media.
2. Type CtxFileSyncPrep [/path:pathname] [/share:sharename]
[/Admin:[+|-]accountname]
where:

/path:pathname             Specifies the pathname for the NTFS network share on
                           the local server. If you use this parameter, the
                           pathname must be located on the local server.
                           If you do not specify /path:pathname, this command
                           creates the central store in
                           %SystemDrive%\CITRIXSYNC.
/share:sharename           Specifies the sharename for the NTFS network share on
                           the local server.
                           If you do not specify /share:sharename, this command
                           creates the share with the name CITRIXSYNC$.
/Admin:[+|-]accountname    Adds or removes an account name to enable that
                           account to administer the shared folder. If the plus
                           or minus sign is not specified, the plus sign is the
                           default operation and the account is added.
                           Use the plus sign (+) to add an account, where
                           accountname is in the form domain\username or
                           username@domain.
                           Use the minus sign (-) to remove the account, that
                           is, to remove its administration rights.

The CentralStoreRoot folder and the People folder are created with appropriate
sharing and security permissions. Your shared folder is now ready to be used for
synchronization.

Creating a Novell Shared Folder Central Store from a Command Prompt
The Novell Shared Folder setup utility CtxNWFileSyncPrep.exe automatically
creates the folders you need for your central store. It also creates the shared
folder, the CentralStoreRoot folder, and the People folder with the correct sharing
and security permissions.

Considerations
• Because the agent software uses a Windows password, the use of Novell
NetWare file synchronization requires that users’ Novell password be
identical to their Windows password.
• The central store must be located in the same tree as the computers where
the agent software is installed.
• Users must log on to a Novell tree where the shared folder is located.
• Users must also have accounts with read access permissions to the Novell
NetWare shared folder you designate as the central store.
• Any users without supervisor rights who need to manage Password
Manager folders can be added to the root synchronization folder as a
Trustee with all rights. This addition grants them the required access to all
other folders and files under the root synchronization folder.

Important: Do not use the system volume to host the shared folder. The system
volume typically has a limited amount of space available. As data is written to the
central store, the system volume could possibly reach capacity, causing your
Password Manager environment (and possibly your Novell NetWare server) to
stop functioning.

To create a Novell shared folder central store from a command prompt


1. From a command prompt on the server that will host the Novell shared
folder, access the Tools directory from the installation media.
2. Type CtxNWFileSyncPrep /path:\\NetWare server\volume\folder
where:

/path:\\NetWare server\volume\folder    Required parameter that specifies the
                                        UNC path to the NetWare server, volume,
                                        and central store folder to be created.
                                        Do not use an existing folder because
                                        this utility creates the folder.
                                        For example:
                                        /path:\\NW5SRV\DATA\CITRIXSYNC

The CentralStoreRoot folder and the People folder are now created with
appropriate sharing and security permissions. Your shared folder is ready to be
used for synchronization.

Installing and Configuring the Password Manager Service
After you install the service, the Service Configuration wizard runs so that you
can configure and enable the service.
The installation and configuration workflow is as follows:
• Acquire and install an SSL certificate on the computers running the service,
console, and agent software
• Create the account type required by the service(s) you are going to install
• Install the service(s)
• Complete the Service Configuration wizard

Related topics:
“Selecting Optional Password Manager Service Features” on page 37
“Security and Account Requirements for Password Manager Service” on page 53
“Accounts Required for Service Modules” on page 54
“Before You Install Password Manager” on page 60

To install the service modules


The following procedure assumes that the Password Manager installation media
is loaded on the computer that you chose to host the central store and that the
Autorun screen appears.
1. Click Step 3: Install administrative components.
2. Click Step 2: Install Password Manager Service (if applicable).
3. Click Next, accept the license agreement, and click Next again.
4. In the Destination Folder window, accept the default destination folder or
identify a different one, and then click Next.
5. In the Select Modules window, select the modules you want to install:
• Key Management
• Data Integrity
• Provisioning
• Self-Service
• Credential Synchronization
6. Click Next.
You can click Back if you want to change your choice of modules.
7. Click Install.
8. Click Finish.
The Service Configuration wizard is launched.

To configure the Password Manager Service(s) with the Service Configuration
wizard
Note: The Service Configuration wizard is launched after successfully
installing one or more service modules. After initial configuration, you can run
the wizard at any time by clicking Start > All Programs > Citrix > Password
Manager > Service Configuration.

The Welcome page lists any service modules detected as installed.


1. On the Welcome page, click Next.
2. On the Configure service page, specify the following:

Connection Setting     Specify the port number for the service connection. The
                       default port is 443.
SSL Certificate        Select the SSL certificate installed on the service
                       computer to use for communication with client devices.
                       Select the Display Long Name check box to show the
                       LDAP information contained in the certificate.
Virtual host name      Use default value is selected by default if the SSL
                       certificate name and virtual host name match. The
                       virtual host name must match the SSL certificate name.
                       The virtual host is the machine name visible to users
                       when the certificate was created and might not be the
                       actual machine name. For example, the certificate name
                       might include a wildcard (asterisk character) or an
                       upper- or lowercase domain name that does not match the
                       certificate domain name case.
                       This setting is useful in a load-balanced or clustered
                       service environment.
Account Credentials    Select the local computer account to use for the service.
                       Typically, you can select the Network Service account.

3. Click Next.
The Create signing certificate page appears.
4. If the wizard detects a signing certificate: Click Next.
If the signing certificate does not exist: Specify a signing certificate
expiration time, in months. The default expiration time is 12 months. Click
Next.
5. On the Configure data proxy page:
• If you created an Active Directory central store, select Active
Directory and click Next
• If you created an NTFS network share central store, select NTFS
network share, type the UNC path to the central store you created,
and click Next
6. If the Data Integrity Module is installed, select one of the following and
click Next.

I do not plan to use the Data       Select this option if you do not require your
Integrity module in this            central store data to be digitally signed and
environment                         written securely.
I plan to use the Data Integrity    Select this option if you do require your
module in this environment          central store data to be digitally signed and
                                    written securely and you selected this service
                                    module to be installed.
                                    • Type the name of the computer hosting the
                                      Data Integrity Module.
                                    • Select a port for the service. The default
                                      port number is 443.

Note: If you decide to install the Data Integrity Module after installing
the console and agent software, you must digitally sign your existing
central store data by using the data signing tool CtxSignData.exe. This tool
is available after you install the Data Integrity Module.
If you uninstall the Data Integrity Module, you must unsign your central
store data.

The Configure domains page appears, displaying a list of domains capable
of supporting Password Manager Service.
7. On the Configure domains page:
A. Select the check box next to each domain to which you want to
enable service support.
B. Select one or more domains and click Properties to open the Edit
Configuration dialog box.
C. If you created an Active Directory central store, click Domain
Controller and select the correct domain controller from the list.
D. Click Data Proxy Account and type the user name, password, and
domain of the data proxy account used to communicate with the
central store.
E. If you installed the Self Service module, click Self-Service Features
Account and type the credentials for this feature.
F. Click OK to close the Edit Configuration dialog box.
G. Click Next.

Important: If the service is running in a Windows Server 2008
environment with an NTFS central store, you must use
CtxFileSyncPrep.exe to add the data proxy account as an
administrator to the central store. Type:
CtxFileSyncPrep [/Admin:accountname]
If the service is running in a Windows Server 2008 environment with
an Active Directory central store, you also must add the data proxy
account as an administrator to the central store. Suggestions about
how to do this are on the Citrix Web site
(http://support.citrix.com/article/ctx107690).

The Confirm Settings page appears, showing the properties sheet for your
service module configuration. Click Back to correct or change any
information.
8. Click Finish to commit the service configuration information and Yes to
confirm that you want to save the settings. Click Finish again to close the
Applying Settings window.

Related topics:
“Security and Account Requirements for Password Manager Service” on page 53
“Service Account Requirements” on page 55
“Self-Service Requirements” on page 56

Password Manager Service Port Number


The default Password Manager Service port number is 443. When you configure
the Password Manager Service, you can use any other available port on the server
running the service if port 443 is already in use.
This port number is used by Password Manager to access each service module
you install.
• If you install one or more service modules later, make sure that you use the
port number that you specified when you first installed the service.
• The service cannot run on multiple ports; if you specify the wrong port,
Password Manager might later display “cannot communicate or connect
with the Password Manager Service” type error messages.
• Also remember to specify the correct service port number when using the
Data Integrity Signing Tool at the command prompt.
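The wizard page above requires the virtual host name to match the SSL certificate name, and this section requires every module to use the one service port. The following PowerShell script, added here as an example and not part of the Citrix guide, connects to the service port, completes the TLS handshake and reports whether the presented certificate name matches the host name (tolerating the wildcard and case differences the wizard text mentions); $ServiceHost is a placeholder for your own service FQDN.

```powershell
# Added example, not from the Citrix guide: check that the Password Manager
# Service answers on the configured port and that the certificate it presents
# matches the virtual host name the agents and console will use.
# $ServiceHost is a placeholder; the port defaults to 443 as in the guide.
param(
    [string]$ServiceHost = "pmservice.example.local",   # placeholder FQDN / virtual host name
    [int]$Port = 443
)

# Compare a certificate name against the host name clients connect to.
# Case differences and a leading wildcard label are tolerated, which are the
# two mismatches the Service Configuration wizard text calls out.
function Test-CertNameMatch {
    param([string]$CertName, [string]$HostName)
    $cn = $CertName.Trim().ToLowerInvariant()
    $hn = $HostName.Trim().ToLowerInvariant()
    if ($cn -eq $hn) { return $true }
    if ($cn.StartsWith('*.')) {
        $suffix = $cn.Substring(1)                     # '*.example.local' -> '.example.local'
        if ($hn.Length -gt $suffix.Length -and $hn.EndsWith($suffix)) {
            $leftmost = $hn.Substring(0, $hn.Length - $suffix.Length)
            return ($leftmost -notmatch '\.')          # the wildcard covers exactly one label
        }
    }
    return $false
}

function Test-PasswordManagerServiceEndpoint {
    param([string]$HostName, [int]$PortNumber)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($HostName, $PortNumber) }
    catch { return @{ Reachable = $false; Error = $_.Exception.Message } }

    # Accept the certificate at the transport level so it can be inspected; the
    # name and expiry checks are made explicitly below, not left to the callback.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($src, $c, $chain, $policyErrors) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        return @{
            Reachable   = $true
            Subject     = $cert.Subject
            CommonName  = $cn
            NameMatches = (Test-CertNameMatch -CertName $cn -HostName $HostName)
            NotAfter    = $cert.NotAfter
            Expired     = ($cert.NotAfter -lt (Get-Date))
        }
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

$result = Test-PasswordManagerServiceEndpoint -HostName $ServiceHost -PortNumber $Port
$result.GetEnumerator() | Sort-Object Name | ForEach-Object { '{0,-12} {1}' -f $_.Name, $_.Value }
```

A NameMatches value of False, or an unreachable port, is the condition behind the "cannot communicate or connect with the Password Manager Service" messages described above.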

Installing and Configuring the Password Manager Console
You can install the console on any computer in your environment. If you want to
use Password Manager in a multiple domain environment with multiple central
stores, you can install the console on any computer in the domain.
Install the Application Definition Tool on any computer in your environment if
you want to create application definitions in standalone mode without needing to
install the console.

To install the Password Manager Console


The following procedure assumes that the Password Manager installation media
is loaded on the computer that you chose to host the central store and that the
Autorun screen appears.
1. Click Step 3: Install administrative components.
2. Click Step 3: Install Password Manager Console.
3. Click Next, accept the license agreement, and click Next again.
4. On the Install Type page, select one or more of the following components
to install and click Next:

Console                         Select this option to install the console, required
                                to create and manage policies, application
                                definitions, user configurations, and so on.
Application Definition Tool     Select this option to install the tool that enables
                                you to create application definitions without
                                needing to start or use the full console. You can
                                install this tool in standalone mode, on computers
                                where the console is not or cannot be installed.
License Server Administration   Select this option to help manage your licensing
                                from the console. This option enables you to add a
                                shortcut to the license server.
Access Management Console -     Select this option to help Citrix Support
Diagnostics                     troubleshoot console issues.

5. Click Next and then Finish when the installation is complete.


You can now configure the console.

To configure the Password Manager Console


Note: The first time you open the console after installation, it performs a
discovery operation and enables you to configure the console settings. After this
initial step is completed, you can perform a discovery operation and change the
configuration settings at any time by clicking Start > Programs > Citrix >
Management Consoles > Access Management Console and clicking
Configure and run discovery in the Common Tasks area of the Task pane.

1. Click Start > All Programs > Citrix > Management Consoles > Access
Management Console.
The Configure and run discovery wizard appears.
2. On the Welcome page, click Next.
The Select Products or Components page appears.
3. Click Citrix Resources to select Configuration Tools and Password
Manager and then click Next.
4. On the Identify Central Store page, select the central store type that you
previously created.
• If you created an Active Directory central store, from the list, select
the domain controller you want Password Manager to bind to when
writing to the central store or select Any writeable domain
controller. Click Next.
• If you created an NTFS network share or Novell shared folder central
store, type the UNC path to the share. Click Next.
5. On the Configure Data Integrity Options page:
• If you installed the Data Integrity Module and enabled it during the
service configuration, select the Enable Data Integrity check box,
type the server name and port number in the text fields, and click
Next.
• If you installed the Data Integrity Module and do not want to enable
it, leave the check box cleared and click Next. Make sure that you
first disabled it through the Service Configuration wizard on the
service computer.
• If you did not install the Data Integrity Module, click Next.
The Preview Discovery page with the configuration summary appears.


6. Click Next to start discovery.
7. When discovery is successfully completed, click Finish.
The console is now configured for use. You can now use the console to set up
your Password Manager environment.

Installing and Configuring the Password Manager Agent Software
Note: For testing purposes, you can install the console and agent software on
the same computer so that you can verify that changes you make at the console
are reflected on the agent software.

Important: Ensure that you create user configurations before installing the
agent software on user desktops. If you install the agent software without
corresponding user configurations, users might see an error message when the
agent software launches.
Also, agent software running on 64-bit computers cannot connect to Novell
shared folder central stores.

The Password Manager agent software is designed to run on client devices:
desktop and laptop computers, handheld computers, and other devices. The agent
software in this case provides credentials and access to applications running
locally on the client device.
You can also install the agent software on a computer running Citrix XenApp.
The agent software in this case provides credentials and access to published
applications.
Users can use the agent software to access local applications even when they are
not connected to a network. User credentials are synchronized when users
reconnect to your enterprise network.
When you install the agent software using the Autorun option provided on the
Password Manager installation media, the installation software detects your
operating system and installs the appropriate agent software.

Important: Password Manager Plugin is the new name for the Password
Manager agent software.
Installation Scenarios
The following table shows some environments and schemes for installation:

Environment                          Scheme
Citrix XenApp and Citrix Access      XenApp and Access Gateway provide applications
Gateway                              that users access through their Web browsers.
                                     Install Password Manager agent software on each
                                     server running XenApp.
Mixed Environment                    Users access published applications as well as
                                     other local applications.
                                     Install Password Manager agent software on each
                                     server running XenApp and on each desktop.
Local Installation                   Users access applications installed on their
                                     local devices.
                                     Install Password Manager agent software on a
                                     local client device.
Software Image for Network           Create an installation image to be made
Installation                         available on your network.
Silent Agent Software Installation   Use the Windows Installer options to install the
                                     agent software.

On client devices, the notification area icon indicates how the agent software is
deployed:
• An icon of a key on a blue background indicates the software is installed on
a client device
• An icon of a key and computer on a blue background indicates the software
is published on a computer running XenApp

Considerations
• If you are performing a fresh installation of multiple Citrix products that
includes Password Manager, install the agent software last.
• When you configure or change the location of the license server or any
other parameter related to licensing, the changes are not applied to any
agent software that is in use within your environment. You must shut down
and restart the agent software to apply the changes.
• This does not apply to computers using Windows Vista or Windows
Server 2008: You must restart the device after you install the agent
software so that the GINA DLL can be installed.
The agent software will not run until the workstation is restarted. However,
if you prefer that the workstation not be restarted immediately, you can
suppress the restart action by using the optional /norestart parameter with
the Windows Installer msiexec command. To run the installer package with the
suppress option, use the command:
msiexec /norestart /i path to msi file including the filename
For the complete list of Windows Installer options, from a command
prompt on a workstation where the Windows Installer is installed, type:
msiexec /?

Related topics:
“Preserving the GINA Chain When Installing the Agent Software” on page 83

To install the Password Manager agent software on a local device
The following procedures assume that the Password Manager product media is
loaded on the computer where you chose to install the agent software and that the
Autorun screen appears.
1. Click Step 4: Install Password Manager Plugin.
2. Click Install Password Manager Plugin.
The Citrix Password Manager Plugin Installation wizard appears.
3. Click Next, accept the license agreement, and click Next again.
4. On the Feature Selection page, select one or more of the optional features
to install and click Next:
• Data integrity (if you installed this service)
• Self-service (if you installed this service)
• Hot Desktop (this option requires an existing account to use as the
Hot Desktop shared account)

Note: Hot Desktop is not supported on Windows Vista, any server
operating system, any platform running terminal services, or any 64-bit
operating system.

• Java support (this option installs the Password Manager support for
the Java Runtime Environment already installed on the client)
5. On the Central Store Configuration page:
A. Select the central store type.
B. If you selected NTFS Network Share or Novell Shared Folder,
type the central store’s location.
C. Click Next.
6. On the Specify Server Address page, type the address and port number of
the computer hosting the service and click Next.
In the address text field, use the fully-qualified domain name of the service
computer. The default port number is 443.
If you selected Hot Desktop, the Hot Desktop Shared Account
Configuration page appears.

Note: You cannot have Remote Desktop or Terminal Services running if
you are using Hot Desktop. During a Hot Desktop installation, the installer
resets the AllowMultipleSessions registry key value to 0.

7. Type the user credentials for the Hot Desktop shared account and click
Next.
Specify the domain name to which the workstation belongs using the
domain’s NetBIOS name, not the fully qualified domain name.
8. Click Install.
9. Click Finish to complete the installation.
10. Windows Vista or Windows Server 2008: Log off and then log back on to
your Windows account. You do not need to restart the client device.
A supported operating system other than Windows Vista or Windows
Server 2008: Click Yes to restart the client device.
To create an agent software image for network installation


Important: If you create an image from a 32-bit computer, this image can be
installed on 32-bit computers only. If you create an image from a 64-bit computer,
this image can be installed on 64-bit computers only.

You can install an image of the agent software on a network share using a utility
available from the installation media. The utility creates an installation image of
the Password Manager agent software that contains your custom parameters. The
following procedures assume that the Password Manager installation media is
loaded on the computer where you chose to install the agent software and that the
Autorun screen appears.
1. Click Step 4: Install the Password Manager Plugin.
2. Click Create Password Manager Plugin installation image.
The Password Manager Plugin Installation Wizard page appears.
3. Click Next.
4. In the Administrative Installation Package Creation page, type the
network share location in which you want to save the installation package
and click Next.
5. Select one or more of the optional features to install and click Next:
• Data integrity (if you installed this service)
• Self-service (if you installed this service)
• Hot Desktop (this option requires an existing account to use as the
Hot Desktop shared account)

Note: Hot Desktop is not supported on Windows Vista, any
platform running terminal services, any server operating system, or
any 64-bit operating system.

• Java support (this option installs the Password Manager support for
the Java Runtime Environment already installed on the client)
The Central Store Configuration page appears.
6. In the Central Store Configuration page:
A. Select the central store type.
B. If you selected NTFS Network Share or Novell Shared Folder,
type the central store’s location.
C. Click Next.
The Specify Server Address screen appears.
7. Type the address and port number of the computer hosting the service and
click Next.
In the address text field, use the fully-qualified domain name of the service
computer. The default port number is 443.
If you selected Hot Desktop, the Hot Desktop Shared Account
Configuration screen appears.

Note: You cannot have Remote Desktop or Terminal Services running if
you are using Hot Desktop. During a Hot Desktop installation, the installer
resets the AllowMultipleSessions registry key value to 0.

8. Type the user credentials for the Hot Desktop shared account and click
Next. Specify the domain name to which the workstation belongs using the
domain’s NetBIOS name, not the fully qualified domain name.
9. A warning message appears reminding you that before installing the image
being created onto a computer running Windows Vista or Windows Server
2008, you must first install the C Run-Time Libraries. These files are
provided with the installation software. See “Silent Installation of the
Password Manager Agent Software” on page 81. Click OK.
10. On the Admin Installation Verify Ready screen, click Next.
11. Click Finish to complete the installation.
The setup.msi and supporting files are now saved in the network share location
you specified.

Important: Before installing the Password Manager agent software from a
command prompt onto a Windows Vista computer, you must first install the
updated C Run-Time Libraries available from the installation media. The
installation will fail without the updated C Run-Time Libraries. See “Silent
Installation of the Password Manager Agent Software” on page 81 for details.

Silent Installation of the Password Manager Agent Software


You can install the Password Manager agent software silently from a command
prompt by using the Windows Installer quiet mode option /quiet.
To install the Password Manager agent software silently from a command prompt

Important: Before installing the Password Manager agent software from a
command prompt onto a Windows Vista computer, you must first install the
updated C Run-Time Libraries available from the installation media. The
installation will fail without the updated C Run-Time Libraries.

1. For Windows Vista computers only, install the C Run-Time Library:
• For 32-bit computers: From the installation media, run
Support\vcredist\vcredist_x86.exe
• For 64-bit computers: From the installation media, run
Support\vcredist\vcredist_x86.exe and
Support\vcredist\vcredist_x64.exe
2. From a command prompt, navigate to the network share in which the
Password Manager image (Citrix Password Manager Plugin.msi) is saved.
3. Type msiexec /i "Citrix Password Manager Plugin.msi" /quiet
Other commands are available. For the complete list of Windows Installer
options, from a command prompt on a workstation where the Windows Installer
is installed, type:
msiexec /?
The following table lists the Password Manager-specific options to use when
installing Password Manager from a command prompt. Each option requires an
equals sign (=) to set the value (for example, SSPR_SELECT=1 enables the Self-
Service features).

Option                      Description
SYNCPOINTTYPE               Specifies the central store type.
                            Specify FileSyncPath to use an NTFS network share
                            central store.
                            Specify ADSyncPath to use an Active Directory
                            central store.
                            Specify NovellSyncPath to use a Novell shared folder
                            central store.
SYNCPOINTLOC                Specifies the UNC path for the NTFS network share
                            central store.
                            Specify \\servername\foldername$ where servername
                            is the name of the computer hosting the central
                            store and foldername is the name of the shared
                            folder.
                            This option is not required for an Active Directory
                            central store.
DI_SELECT                   Specify 1 to enable the Data Integrity feature.
SSPR_SELECT                 Specify 1 to enable the Self-Service feature.
SERVICEURL                  Specifies the URL of the service computer. Specify
                            \\FQDN\MPMService, where FQDN is the fully
                            qualified domain name of the service computer.
                            This option is required if DI_SELECT and/or
                            SSPR_SELECT are specified.
SERVICEURLPORT              Specifies the port of the server running the
                            service. The default port is 443.
                            This option is required if DI_SELECT and/or
                            SSPR_SELECT are specified.
/forcerestart               Specify /forcerestart to shut down and restart the
                            workstation after installation. A restart is
                            required for agent software installation. Type
                            msiexec /? for more options.
                            Alternatively, REBOOT="" can be used.
Hot Desktop-Specific        See also “Hot Desktop: A Shared Desktop Environment
Options                     for Users” in the Citrix Password Manager
                            Administrator’s Guide.
HD_SELECT                   Specify 1 to install Hot Desktop.
HD_USERNAME                 Specifies the Hot Desktop shared account user name.
HD_PASSWORD                 Specifies the Hot Desktop shared account password.
HD_DOMAIN                   Specifies the Hot Desktop shared account domain.
DISABLE_TERMINAL_SERVICE    Specify 1 to disable Terminal Services, required
                            for Hot Desktop operation.
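The silent procedure and the options table above are combined in the following PowerShell script, added here as an example and not part of the Citrix guide or product. It installs the C Run-Time packages on NT 6.0 systems first, builds the msiexec property list and refuses to run when a dependency the table states is missing (SYNCPOINTLOC for an NTFS store, SERVICEURL and SERVICEURLPORT whenever DI_SELECT or SSPR_SELECT is set); the share, media root, central store path and service FQDN are placeholders.

```powershell
# Added example, not part of the Citrix guide: compose and run the silent
# msiexec command line for the Password Manager Plugin from the options in the
# table above, checking the dependencies the table states before installing.
# The share path, media root, central store path and service FQDN are placeholders.
param(
    [string]$ImageShare    = "\\fileserver\pmimage",       # placeholder: share holding the .msi
    [string]$MediaRoot     = "D:\",                        # placeholder: installation media root
    [ValidateSet("FileSyncPath", "ADSyncPath", "NovellSyncPath")]
    [string]$SyncPointType = "FileSyncPath",
    [string]$SyncPointLoc  = "\\fileserver\CITRIXSYNC$",   # placeholder UNC path (not used for AD)
    [switch]$DataIntegrity,                                # sets DI_SELECT=1
    [switch]$SelfService,                                  # sets SSPR_SELECT=1
    [string]$ServiceFqdn   = "pmservice.example.local",    # placeholder FQDN of the service computer
    [int]$ServicePort      = 443,
    [switch]$ForceRestart                                  # /forcerestart instead of /norestart
)

# Build the msiexec argument list. Returns an array of strings, or throws when
# a dependency described in the options table is not satisfied.
function New-PluginInstallArguments {
    param(
        [string]$MsiPath, [string]$Type, [string]$Location,
        [bool]$DI, [bool]$SSPR, [string]$Fqdn, [int]$Port, [bool]$Restart
    )
    $arguments = @('/i', ('"{0}"' -f $MsiPath), '/quiet', "SYNCPOINTTYPE=$Type")
    if ($Type -eq 'FileSyncPath' -and -not $Location) {
        throw 'SYNCPOINTLOC is required for an NTFS network share central store.'
    }
    if ($Type -ne 'ADSyncPath' -and $Location) {
        $arguments += ('SYNCPOINTLOC="{0}"' -f $Location)   # not required for Active Directory
    }
    if ($DI)   { $arguments += 'DI_SELECT=1' }
    if ($SSPR) { $arguments += 'SSPR_SELECT=1' }
    if ($DI -or $SSPR) {
        # SERVICEURL and SERVICEURLPORT are required once either feature is selected
        if (-not $Fqdn) { throw 'SERVICEURL is required when DI_SELECT or SSPR_SELECT is specified.' }
        $arguments += ('SERVICEURL="\\{0}\MPMService"' -f $Fqdn)
        $arguments += "SERVICEURLPORT=$Port"
    }
    if ($Restart) { $arguments += '/forcerestart' } else { $arguments += '/norestart' }
    return $arguments
}

# Step 1 of the procedure: on NT 6.0 (Windows Vista / Server 2008) install the
# C Run-Time Libraries from the media first; 64-bit computers need both packages.
function Install-CRuntimeIfNeeded {
    param([string]$Media)
    $os = [Environment]::OSVersion.Version
    if ($os.Major -ne 6 -or $os.Minor -ne 0) { return $false }
    $packages = @('Support\vcredist\vcredist_x86.exe')
    if ([IntPtr]::Size -eq 8) { $packages += 'Support\vcredist\vcredist_x64.exe' }
    foreach ($p in $packages) {
        $exe = Join-Path $Media $p
        if (-not (Test-Path $exe)) { throw "C Run-Time package not found: $exe" }
        # The guide documents no quiet switch for these packages, so they run as shipped.
        $proc = Start-Process -FilePath $exe -Wait -PassThru
        if ($proc.ExitCode -ne 0) { throw "$exe exited with code $($proc.ExitCode)" }
    }
    return $true
}

$msi = Join-Path $ImageShare 'Citrix Password Manager Plugin.msi'
Install-CRuntimeIfNeeded -Media $MediaRoot | Out-Null
$arguments = New-PluginInstallArguments -MsiPath $msi -Type $SyncPointType -Location $SyncPointLoc `
    -DI $DataIntegrity.IsPresent -SSPR $SelfService.IsPresent -Fqdn $ServiceFqdn `
    -Port $ServicePort -Restart $ForceRestart.IsPresent
Write-Host ('msiexec ' + ($arguments -join ' '))

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
# Windows Installer exit codes: 0 success, 3010 restart required, 1641 restart initiated
switch ($proc.ExitCode) {
    0       { 'Installed.' }
    3010    { 'Installed; a restart is still required for the agent software to run.' }
    1641    { 'Installed; the restart has been initiated.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode)" }
}
```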

Preserving the GINA Chain When Installing the Agent Software


Important: If you create a Password Manager agent software installation
image (.msi) from a 32-bit computer, this image can be installed on 32-bit
computers only. If you create an image from a 64-bit computer, this image can be
installed on 64-bit computers only.
Note: Windows Vista and Windows Server 2008 do not use GINA
functionality. This section is not applicable to computers using these operating
systems.

Graphical Identification and Authentication (GINA) is the Windows component
that controls the dialog box that users see when they press the key combination
CTRL+ALT+DEL. The dialog box collects the data needed to perform
authentication. XenApp, Password Manager, and the Novell NetWare client all
interact with or require the replacement of the Microsoft GINA dynamic link
library (DLL).
If you install any software that uses a custom GINA DLL, make sure that you do
not disrupt the GINA chain. You might be required to install or uninstall software
in a specific order to preserve proper GINA chaining. By installing the Password
Manager agent software last, you ensure that the Password Manager GINA is
called first by the Winlogon process.
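A way to see whether the head of the GINA chain changed across an installation, added here as an example and not part of the Citrix guide: Winlogon loads the DLL named by the GinaDLL value under its registry key (msgina.dll when the value is absent), so a snapshot taken before the agent install can be compared with the value after the restart. Only that top-level value is inspected; the DLLs further down the chain are recorded by each product in its own keys, which this script does not read. The snapshot path is a placeholder.

```powershell
# Added example, not part of the Citrix guide: record the GINA DLL that Winlogon
# loads before and after an install so a change at the head of the GINA chain is
# visible. Only the top-level GinaDLL value is inspected.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-GinaDll {
    # GINA is not used on Windows Vista / Server 2008 (NT 6.x); report that instead.
    if ([Environment]::OSVersion.Version.Major -ge 6) { return 'n/a (no GINA on this OS)' }
    $props = Get-ItemProperty -Path $WinlogonKey
    if ($props.PSObject.Properties['GinaDLL']) { return [string]$props.GinaDLL }
    return 'msgina.dll (default; GinaDLL value not set)'
}

# Write the current value to a file so it can be compared later.
function Save-GinaSnapshot {
    param([string]$Path)
    Get-GinaDll | Set-Content -Path $Path
}

# Compare the saved value with the current one; Changed is $true when the head
# of the chain was replaced, which is expected once the agent software is installed.
function Compare-GinaSnapshot {
    param([string]$Path)
    $before = Get-Content -Path $Path | Select-Object -First 1
    $after  = Get-GinaDll
    New-Object PSObject -Property @{ Before = $before; After = $after; Changed = ($before -ne $after) }
}

# Usage with a placeholder path: run the first call before installing the agent
# software and the second after the post-install restart.
Save-GinaSnapshot -Path 'C:\Temp\gina-before.txt'
# Compare-GinaSnapshot -Path 'C:\Temp\gina-before.txt'
```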

Configuring and Using the Multi-Domain Service Feature


Password Manager Service can process service requests among users in different
trusted domains. An administrator can install the Password Manager Console on
computers in different domains and create one or more user configurations in
each domain.
For example, with the Password Manager Service computer located in DomainA,
users associated with a user configuration in DomainA can use the Account Self-
Service features to unlock their accounts. Users associated with a user
configuration in DomainB can also use this feature, as provided by the DomainA
service computer. In this case, multiple user configurations exist in multiple
domains and are using a single service computer for this feature.

Requirements
Before you implement the multi-domain service feature, ensure that you meet the
following requirements:

Component Requirement
Domains Each domain sharing the service must be part of the same
domain forest.
The domains within the forest must have a two-way
transitive trust agreement.
3 Installing Password Manager 85

Central store
This feature is available for implementations using Active Directory or NTFS network share central stores. It is not available to Novell shared folder central stores. All users sharing the same service computer must be implemented using the same central store type: Active Directory or NTFS shared folder. Multiple central store types are not supported. One NTFS shared folder central store per domain is not supported in this case. However, you can use one NTFS shared folder central store per forest.

Data Integrity feature
The Data Integrity feature must be used consistently across domains. That is, it is either enabled or disabled in the service and agent software configurations for all domains. For example, you cannot enable this feature in the service configuration and disable it when installing the agent software.

Password Manager Console
Each console can view one central store only, not multiple central stores. The Password Manager administrator should install one console in each domain, using a user account with administrative rights in that domain. Alternatively, the administrator can install a console with the ability to access other domains and, as needed, switch to one of those domains by logging on with credentials for that specific domain.

Data Proxy and Self-Service accounts
You can configure a single data proxy account and a single self-service features account, shared by all domains, that have read and write access to the central store and sufficient privileges to reset user passwords and unlock user accounts. Optionally, you can specify these accounts for each domain in the Service Configuration tool.
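As an added example (not part of this guide or of the Citrix product), the following PowerShell script checks the domain requirements above from the computer that hosts the Password Manager Service. It uses the .NET System.DirectoryServices.ActiveDirectory classes, so it runs on any domain-joined Windows computer with PowerShell and needs no add-on modules. The names in $userConfigDomains are assumed values; replace them with the DNS names of the domains in which you created user configurations.

```powershell
# Added example, not from the Citrix guide: verify the multi-domain service
# requirements (same forest, two-way transitive trust) from the computer
# that hosts the Password Manager Service.
# $userConfigDomains is an assumed list; replace it with the DNS names of
# the domains that will host user configurations.
$userConfigDomains = @('domainb.example.com', 'domainc.example.com')

$forest        = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$serviceDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()

Write-Host ("Service computer domain : {0}" -f $serviceDomain.Name)
Write-Host ("Forest                  : {0}" -f $forest.Name)

# DNS names of every domain in the local forest. Parent-child and tree-root
# trusts inside one forest are two-way and transitive by construction, so
# forest membership is the decisive requirement.
$forestDomains = @($forest.Domains | ForEach-Object { $_.Name.ToLower() })

# Direct trusts of the service domain, keyed by the partner domain name.
$directTrusts = @{}
foreach ($t in $serviceDomain.GetAllTrustRelationships()) {
    $directTrusts[$t.TargetName.ToLower()] = $t
}

$failed = 0
foreach ($name in $userConfigDomains) {
    $d = $name.ToLower()
    if ($d -eq $serviceDomain.Name.ToLower()) {
        Write-Host ("{0,-28} OK   service domain itself" -f $d)
        continue
    }
    if ($forestDomains -notcontains $d) {
        Write-Host ("{0,-28} FAIL not a member of forest {1}" -f $d, $forest.Name)
        $failed++
        continue
    }
    $t = $directTrusts[$d]
    if ($t -eq $null) {
        # Same forest but no direct trust object (for example, two child
        # domains under one root): the trust path is transitive through the
        # forest root. Confirm it with: nltest /domain_trusts /all_trusts
        Write-Host ("{0,-28} OK   in forest, trusted transitively via the forest root" -f $d)
        continue
    }
    if ($t.TrustDirection -ne [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional) {
        Write-Host ("{0,-28} FAIL trust is {1}; a two-way trust is required" -f $d, $t.TrustDirection)
        $failed++
        continue
    }
    Write-Host ("{0,-28} OK   {1} trust, {2}" -f $d, $t.TrustType, $t.TrustDirection)
}

if ($failed -gt 0) { Write-Host "$failed domain(s) do not meet the multi-domain requirements." }
else               { Write-Host "All listed domains meet the multi-domain requirements." }
```

A FAIL on the forest test cannot be fixed by adding an external or forest trust: the feature requires the domains to be in the same forest, and only intra-forest trusts are both two-way and transitive by design. The direct-trust branch confirms direction only for domains that hold their own trust object with the service domain; sibling child domains normally have none and rely on the root.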

Task Summary
Perform the following tasks to implement the multi-domain service feature.

Install an instance of the console in each domain that will be using this feature and create user configurations.
    See “Installing and Using Password Manager Console and Application Definition Tool” on page 56.

Configure the service.
    See “To configure the service for multidomain use” on page 85.

To configure the service for multidomain use


1. Log on as an administrator to the computer where the service is installed.
86 Citrix Password Manager Installation Guide

2. Start the Service Configuration tool by clicking Start > All Programs >
Citrix > Password Manager > Service Configuration.
3. When the Service Configuration tool appears, click Domain
Configurations in the left pane.
A list of domains appears.
4. Select the check box next to each domain to enable service support on that
domain.
5. Select one or more domains and click Properties to open the Edit
Configuration dialog box.
6. In the Edit Configuration dialog box:
A. If you created an Active Directory central store, click Domain
Controllers and, from the list, select the domain controller you want
Password Manager to bind to when writing to the central store or
select Any writeable domain controller.
B. Click Data Proxy Account and type the user name, password, and
domain of the data proxy account used to communicate with the
central store.
C. If you installed the Self Service module, click Self-Service Features
Account and type the credentials for this feature. See “Self-Service
Requirements” on page 56.
7. Click OK to close the Edit Configuration dialog box.
8. Click OK and then Yes to save the configuration.
4 Upgrading Password Manager

Important: Do not install Password Manager on a domain controller.


Installation of Password Manager agent software, service, console, or NTFS
network share central store on a domain controller is not supported.

This section describes the tasks required to successfully upgrade Citrix Password
Manager from previous versions to Version 4.6 with Service Pack 1.

Supported Upgrade Paths


You can upgrade Password Manager to Version 4.6 with Service Pack 1 from
these versions:
• Password Manager 4.1 (including any service packs or hotfixes)
• Password Manager 4.5 (including any hotfixes)
• Password Manager 4.6

Important: Direct upgrades from Versions 2.5 and 4.0 are not supported.

Summary of Upgrade Steps


Before Upgrading

Choose the computers in your environment where you will upgrade the software.
    See “Planning Your Password Manager Environment” on page 11 and “Installing Password Manager” on page 49.

Prepare the computers for upgrade and export any administrative data.
    See “Before You Upgrade Password Manager” on page 88, and “Moving Data to a Different Central Store” and “Backing Up Password Manager Service Files” in the Citrix Password Manager Administrator’s Guide.

Back up your central store.
    See “Before You Upgrade Password Manager” on page 88.

Back up the process.xml file on each Hot Desktop workstation.
    See “Before You Upgrade Password Manager” on page 88.

Install the license server and add licenses for Password Manager.
    See “Licensing Requirements” on page 60 and the Getting Started with Citrix Licensing Guide, available on the Citrix Web site (http://support.citrix.com/pages/licensing/).

Upgrading

Review the Autorun menu.
    See “Before You Install Password Manager” on page 60.

Upgrade the license server if necessary and add licenses for Password Manager.
    See “Licensing Requirements” on page 35 and the Getting Started with Citrix Licensing Guide, available on the Citrix Web site (http://support.citrix.com/pages/licensing/).

Upgrade the Password Manager Service.
    See “Step 1 - Upgrading the Password Manager Service” on page 92.

Upgrade the Password Manager Console.
    See “Step 2 - Upgrading the Password Manager Console” on page 93.

Upgrade your central store.
    See “Which Central Store Type Should I Choose?” on page 15 and “Step 2 - Upgrading the Password Manager Console” on page 93.

Upgrade the Password Manager agent software.
    See “Step 3 - Upgrading the Password Manager Agent Software” on page 95 and “Installing and Configuring the Password Manager Agent Software” on page 76.

Before You Upgrade Password Manager


Consider the following before you begin to upgrade your Password Manager
environment.
• “Upgrading Existing User Configurations” in the Citrix Password Manager Administrator’s Guide
• “Backing Up Important Files” in the Citrix Password Manager Administrator’s Guide
• “Backing Up Password Manager Service Files” in the Citrix Password Manager Administrator’s Guide

Using Autorun
Use Autorun to perform Password Manager tasks such as creating a central store
or upgrading Password Manager components. After you access the installation
media, the Autorun screen appears.

Important: Password Manager Plugin is the new name for the Password
Manager agent software.

If it does not start automatically:


1. Open Windows Explorer and navigate to the installation files.
2. Click Autorun.exe.

Upgrade Order
The suggested upgrade order of Password Manager is as follows:
• Install your licenses

Important: To run this release, you must have the license server (Version
11.5) that is available from the Licensing folder in the installation media. If
you are running an earlier version of the license server, you must upgrade
your license server to Version 11.5.

• Upgrade the Password Manager Service if you are using one or more of the
following modules. You can also install additional modules at this time.
• Key management
• Self-service
• Provisioning
• Credential synchronization
• Data integrity

Note: If you decide to install the Data Integrity Module at a later date or
after installing the console and agent software, you must digitally sign your
existing central store data by using the data signing tool CtxSignData.exe.
(This tool is available after you install the Data Integrity Module.)
Conversely, if you uninstall the Data Integrity Module, you must unsign
your central store data.

• Upgrade the Password Manager Console on one or more computers in your environment.
• Upgrade or install the Application Definition Tool on one or more
computers in your environment when you need to create application
definitions only.
• After configuring Password Manager features in the console, upgrade or
install the Password Manager agent software on each user computer in your
environment.

Backing Up Service Data Prior to Upgrading


Use the CtxMoveServiceData.exe tool to back up your service data before
upgrading.

Important: Password Manager 4.1 contains the ctxmovekeyrecoverydata.exe tool. If you use this tool to back up your service data, you must use the same tool to import the data into Version 4.6 with Service Pack 1. If you use one tool to back up your service data and the other to import it, data corruption will occur. See “Backing Up Password Manager Service Files” in the Citrix Password Manager Administrator’s Guide.

Backing Up the Process.xml File (Hot Desktop Environments Only)
If you previously used the Hot Desktop feature, ensure that you back up the
process.xml file, located in the %SystemDrive%\Citrix\Metaframe Password
Manager\HotDesktop folder on each Hot Desktop workstation.
The existing process.xml file is retained during the upgrade, but it is a best
practice to protect this information.

Backing Up Your Existing Central Store


As a best practice, always back up your existing central store before upgrading.

Note: The agent software for Password Manager 4.1 and 4.5 can work with a
Password Manager 4.6 central store. However, new features introduced in
Version 4.6 are not available to those earlier versions. Upgrade the agent software
whenever possible to match the service and console versions. An upgrade helps
ensure that users have access to the latest features and security enhancements.

Upgraded Policies, Application Definitions, Questions/Questionnaires, and User Configurations
The first time you configure and run discovery in the upgraded console for
Password Manager, you have the option to upgrade your central store (and the
data in it). Existing policies, questions, questionnaires, application definitions,
and user configurations are preserved.
Upgrade all agent software to the latest version to provide users with access to
updated features and enhanced security. Also consider modifying your policies,
application definitions, and user configurations for the same reason.

Microsoft .NET Versions 1.1 and 2.0


You can install .NET 2.0 on a workstation or server that also includes .NET 1.1.
This installation is known as a side-by-side installation of the framework. You do
not need to uninstall the .NET 1.1 framework from any computer in your
environment.

Important: Previous releases of the Access Management Console required Version 1.1 of Microsoft’s .NET Framework. Where later versions of the .NET Framework were also present, Citrix provided a workaround in the form of a file named mmc.exe.config that ensured Version 1.1 was loaded.
This workaround is no longer required and must be removed. If you do not remove it, the console does not start and displays an error message such as Snap-in failed to initialize. To prevent this issue, remove the file \Windows\system32\mmc.exe.config (if it is present).
Removing this file prevents previous releases of the console from working (because they rely on Version 1.1 of the .NET Framework). If you have earlier releases and do not want to upgrade them, contact Citrix Technical Support for an alternative workaround.
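Added example (not from this guide): a PowerShell readiness script for a computer that will receive the upgraded service or console. It checks the three conditions called out in this chapter, that the computer is not a domain controller, that .NET Framework 2.0 is installed (with 1.1 allowed to remain side by side), and that the mmc.exe.config workaround is gone. Run it from an elevated prompt. The -RemoveMmcConfig switch and the .pre46sp1.bak backup name are this example's own conventions; the registry keys and file path are the standard Windows locations.

```powershell
# Added example, not from the Citrix guide: pre-upgrade readiness check for
# a computer that will host the 4.6 SP1 service or console.
# -RemoveMmcConfig moves the mmc.exe.config workaround aside (backup name
# is this example's convention) instead of only reporting it.
param([switch]$RemoveMmcConfig)

$problems = @()

# 1. Not a domain controller. Win32_ComputerSystem.DomainRole is
#    4 (backup domain controller) or 5 (primary domain controller) on a DC.
$cs = Get-WmiObject -Class Win32_ComputerSystem
if ($cs.DomainRole -ge 4) {
    $problems += 'This computer is a domain controller; Password Manager components are not supported here.'
}

# 2. .NET Framework versions, read from the NDP registry keys. The Install
#    value is 1 when that version is installed. .NET 1.1 is 32-bit only, so
#    on a 64-bit OS its key lives under Wow6432Node.
function Test-NdpInstalled([string[]]$keyPaths) {
    foreach ($k in $keyPaths) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p -and $p.Install -eq 1) { return $true }
    }
    return $false
}
$net20 = Test-NdpInstalled @('HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727')
$net11 = Test-NdpInstalled @(
    'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v1.1.4322',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\NET Framework Setup\NDP\v1.1.4322')
if (-not $net20) { $problems += '.NET Framework 2.0 is not installed; the 4.6 SP1 console requires it.' }
if ($net11)      { Write-Host 'Info: .NET 1.1 is also present. Side by side is supported; do not uninstall it.' }

# 3. The mmc.exe.config workaround pins MMC to .NET 1.1 and makes the new
#    console fail with "Snap-in failed to initialize".
$cfg = Join-Path $env:SystemRoot 'system32\mmc.exe.config'
if (Test-Path $cfg) {
    if ($RemoveMmcConfig) {
        $backup = "${cfg}.pre46sp1.bak"
        Move-Item -Path $cfg -Destination $backup -Force
        Write-Host "Moved $cfg to $backup"
    } else {
        $problems += "$cfg is present; remove it (or rerun with -RemoveMmcConfig) before starting the console."
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'Readiness check passed.'
} else {
    Write-Host 'Readiness check found problems:'
    $problems | ForEach-Object { Write-Host " - $_" }
}
```

Moving the file out of system32 rather than deleting it keeps the workaround available if you still need to start an earlier console on the same computer; restore it only after confirming with Citrix Technical Support, as the guide advises, because the 4.6 SP1 console will not start while it is in place.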

Related topics:
“Installing the Microsoft .NET 2.0 Framework” on page 57

Step 1 - Upgrading the Password Manager Service


If your environment uses the Password Manager Service, you must upgrade all
modules of the service in use at the same time. Your existing service modules are
removed during the upgrade process and replaced by those of Password Manager
4.6 with Service Pack 1.

Note: If you are not using the Password Manager Service in your existing
Password Manager environment, you need to upgrade only the console, central
store, and agent software.

You must provide service configuration information, such as settings, service account user name and password, and the location of your central store as part of the upgrade process.
If you are upgrading from Password Manager 4.1 and installed the service and the
console on the same computer, you must upgrade both.

Important: You cannot specify a local user account as the service account in this version of Password Manager. See “Service Account Requirements” on page 55.

The following procedures assume that the Password Manager installation media is loaded on the computer where the service is installed and that the Autorun screen appears.

Related topics:
“Service Account Requirements” on page 55
“To configure the Password Manager Service(s) with the Service Configuration
wizard” on page 71

To upgrade the Password Manager Service


1. Click Step 3: Install administrative components.
2. Click Step 2: Install Password Manager Service (if applicable).
3. Click Yes in the confirmation dialog box to remove the previous version of
the service and proceed with the installation.

4. For upgrading from Version 4.1 only: Click Yes in the confirmation
dialog box stating you must upgrade the Password Manager Console after
upgrading the service.
5. Click Next, accept the license agreement, and click Next again.
6. On the Destination Folder page, click Next.
7. In the Select Modules page, select the modules you want to install:
• Key Management
• Data Integrity
• Provisioning
• Self-Service
• Credential Synchronization
8. Click Next.
9. Click Install.
10. Click Finish.
When the installation wizard is finished, the Service Configuration wizard opens.
Provide the information needed to configure the service, such as connection
settings, certificate name, service user account name and password, and the
location of your central store.

Related topics:
“To configure the Password Manager Service(s) with the Service Configuration
wizard” on page 71

Step 2 - Upgrading the Password Manager Console


The console you use to manage your existing Password Manager environment is removed when you install the console for Password Manager 4.6 with Service Pack 1. For best results, upgrade all installed consoles and the Application Definition Tool.

Important: The first time you configure and run discovery on the console after
upgrading from Password Manager 4.1 or 4.5, you are asked to upgrade your
central store and the data it contains. Upgraded central stores are not compatible
with older versions of the console.

Related topics:
“Backing Up Your Existing Central Store” on page 90
“Installing .NET 2.0 Side By Side with .NET 1.1” on page 57

To upgrade the Password Manager Console


1. Click Step 3: Install administrative components.
2. Click Step 3: Install Password Manager Console.
3. Click Next, accept the license agreement, and click Next again.
The Upgrade Citrix Password Manager Console page appears.
4. Click Next to confirm the removal of the existing version of the console
and the continuation of the installation.
The Install Type page appears.
5. Select one or more of the following components to install and click Next:

Console
    Select this option to install the console, required to create and manage policies, application definitions, user configurations, and so on.

Application Definition Tool
    Select this option to install the tool that enables you to create application definitions without needing to start or use the full console. You can install this tool in standalone mode, on computers where the console is not or cannot be installed.

License Server Administration
    Select this option to help manage your licensing from the console. This option enables you to add a shortcut to the license server.

Access Management Console - Diagnostics
    Select this option to help Citrix Support troubleshoot console issues.

6. Click Next and click Finish when the installation is complete.


7. Click Start > All Programs > Citrix > Management Consoles > Access
Management Console.
8. For upgrades from Version 4.1 or 4.5 only: When asked if you want to
upgrade the central store at this time, click Yes.
9. For upgrading from Version 4.1 only: Click Upgrade.

Note: If you click Don’t Upgrade, you must configure and run discovery
from the console each time until you upgrade (that is, exit and restart the
console and click Upgrade). You cannot save any settings or results of the
discovery in the console that appears if you click Don’t Upgrade.

10. Configure the console.

Note: For upgrading from Version 4.1 or 4.5 only: If you subsequently
configure and run discovery from the Version 4.6 with Service Pack 1 console as
part of the upgrade process and your central store type is an NTFS network share,
you will be prompted to upgrade the central store. Click OK to upgrade or
Cancel to exit. If you do not upgrade your central store at this time, you can use
only previous versions (4.1 and 4.5) of the console to work with the central store.

Related topics:
“To configure the Password Manager Console” on page 75

Step 3 - Upgrading the Password Manager Agent Software
Note: If you upgrade the Password Manager Service and console but do not
upgrade the agent software, Password Manager will still provide basic
functionality to users whose user configurations are associated with Active
Directory hierarchies (organizational units or users). However, your users will not
have access to the latest Password Manager features. Consider upgrading the
agent software whenever possible to match the service and console versions.

The existing agent software is removed when you install the agent software for
Password Manager 4.6 with Service Pack 1.

Important: Password Manager Plugin is the new name for the Password
Manager agent software.

To upgrade the Password Manager Agent Software on a local device
Note: If you plan to use Hot Desktop in your environment as part of your agent
software installation, see “The Hot Desktop User Experience” on page 35.

The following procedures assume that the Password Manager installation media
is loaded on the computer where you chose to install the agent software and that
the Autorun screen appears.
1. Click Step 4: Install Password Manager Plugin.
2. Click Install Password Manager Plugin.
The Upgrade Detection dialog box appears.
3. Click Yes in the confirmation dialog box to remove the previous version of
the agent software and proceed with the installation.
The Citrix Password Manager Plugin Installation wizard appears.
4. Click Next, accept the license agreement, and click Next again.
The Feature Selection page appears.
5. Select one or more of the optional features to install and click Next:
• Data Integrity (if you installed this service)
• Self-Service (if you installed this service)
• Hot Desktop (this option requires an existing account to use as the Hot Desktop shared account)

Note: Hot Desktop is not supported on Windows Vista, any platform running terminal services, any server operating system, or any 64-bit operating system.

Note: You cannot have Remote Desktop, Terminal Services, or Windows XP Fast User Switching enabled if you are using Hot Desktop. If these are enabled, you will be prompted to disable them when you select Hot Desktop.

• Java support (this option installs the Password Manager support for
the Java Runtime Environment already installed on the client)

6. On the Central Store Configuration page, do the following:


A. Select the central store type.
B. If you selected NTFS Network Share or Novell Shared Folder,
verify the central store’s location.
C. Click Next.
The Specify Server Address page appears.
7. Verify the address and port number of the computer hosting the service and
click Next.
In the address text field, use the fully-qualified domain name of the service
computer. The default port number is 443.
If you selected Hot Desktop, the Hot Desktop Shared Account
Configuration screen appears.
8. Type the user credentials for the Hot Desktop shared account and click
Next.
Specify the domain name to which the workstation belongs using the
domain’s NetBIOS name, not the fully qualified domain name.
9. Click Install.
10. Click Finish to complete the installation.
11. Perform one of the following:
• If you are using a supported operating system other than Windows
Vista or Windows Server 2008, click Yes to restart the client device.
You must restart the client device.
• If you are using Windows Vista or Server 2008, log off and then log
back on to your Windows Vista account. You do not need to restart
the client device.
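Added example (not from this guide) that ties together the process.xml backup recommended under “Backing Up the Process.xml File (Hot Desktop Environments Only)” and the Hot Desktop restrictions noted in step 5 above: a PowerShell script to run on each Hot Desktop workstation before upgrading the agent software. The process.xml path is the one given in this guide; $BackupRoot, the backup file naming, and the use of a SHA-256 fingerprint to confirm the file was retained unchanged after the upgrade are this example's own choices.

```powershell
# Added example, not from the Citrix guide: run on a Hot Desktop workstation
# before upgrading the agent software. Backs up process.xml with a SHA-256
# fingerprint and checks the Hot Desktop platform restrictions.
# $BackupRoot is an assumed location; change it to suit your environment.
param([string]$BackupRoot = 'C:\PMBackup')

# SHA-256 of a file as an uppercase hex string (uses .NET, works on PS 2.0).
function Get-Sha256Hex([string]$path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = [System.IO.File]::ReadAllBytes($path)
        return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '')
    } finally { $sha.Clear() }
}

# --- 1. Back up process.xml (path as documented in the guide) ------------
$processXml = Join-Path $env:SystemDrive 'Citrix\Metaframe Password Manager\HotDesktop\process.xml'
if (Test-Path $processXml) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $dest  = Join-Path $BackupRoot "process-${env:COMPUTERNAME}-$stamp.xml"
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    Copy-Item -Path $processXml -Destination $dest
    $hash = Get-Sha256Hex $processXml
    if ($hash -ne (Get-Sha256Hex $dest)) { throw "Backup of $processXml does not match the source." }
    # Record the fingerprint so the retained file can be compared after upgrade.
    "$hash  $processXml" | Out-File -FilePath "$dest.sha256" -Encoding ASCII
    Write-Host "Backed up $processXml to $dest (SHA-256 $hash)"
} else {
    Write-Host "No process.xml found at $processXml; this workstation may not use Hot Desktop."
}

# --- 2. Hot Desktop platform restrictions ---------------------------------
$issues = @()
$os  = Get-WmiObject -Class Win32_OperatingSystem
$cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1

# ProductType: 1 = workstation, 2 = domain controller, 3 = server.
if ($os.ProductType -ne 1)     { $issues += "Server operating system ($($os.Caption))" }
# Windows Vista reports kernel version 6.0.
if ($os.Version -like '6.0.*') { $issues += "Windows Vista ($($os.Caption))" }
# AddressWidth reports the running OS's address width: 64 on a 64-bit OS.
if ($cpu.AddressWidth -eq 64)  { $issues += '64-bit operating system' }

# SuiteMask bit 0x10 (Terminal Services) set without bit 0x100 (single-user
# remote administration) means the computer runs as a Terminal Server.
if (($os.SuiteMask -band 0x10) -and -not ($os.SuiteMask -band 0x100)) {
    $issues += 'Terminal Services (application server mode) is running'
}

# Remote Desktop: fDenyTSConnections = 1 means connections are disabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -ne 1) { $issues += 'Remote Desktop is enabled' }

# Windows XP Fast User Switching: AllowMultipleTSSessions = 1 means enabled.
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
if ($wl.AllowMultipleTSSessions -eq 1) { $issues += 'Fast User Switching is enabled' }

if ($issues.Count -eq 0) {
    Write-Host 'Hot Desktop prerequisites satisfied.'
} else {
    Write-Host 'Hot Desktop cannot be selected until these are resolved:'
    $issues | ForEach-Object { Write-Host " - $_" }
}
```

After the upgrade, rerun Get-Sha256Hex against the live process.xml and compare it with the recorded .sha256 file; a match confirms the installer retained the file unchanged, and a mismatch tells you to review the backup before users log on.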