copy of the End User License Agreement is included on your product CD-ROM.
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.
Citrix Password Manager replaces specific end users’ encryption keys each time their primary authentication method changes, such as a domain password change or issuance of a new smart card. Password Manager can be configured to perform this operation automatically by using the optional Key Management Module. Password Manager can also be configured to use the Microsoft Data Protection API (DPAPI). When using the optional Key Management Module and/or DPAPI, be advised that an administrator may be able to access user business or personal credentials stored in Password Manager if the administrator logs on as this end user. For additional security, end users can be asked to verify the user’s identity with unique user-provided information. This provides an additional layer of protection for the user’s secondary credentials.
Regional government user computing regulations may require that you notify your end users about the possible security and privacy implications of deploying the Key Management Module and DPAPI security configurations. Review your company policies and determine what kind of notification, if any, is required for your end users.
© 2003-2006 Citrix Systems, Inc. All rights reserved. v-GO code © 1998-2003 Passlogix, Inc. All rights reserved.
Citrix, ICA (Independent Computing Architecture), MetaFrame, MetaFrame XP, NFuse, and Program Neighborhood are registered trademarks, and SpeedScreen is a trademark of Citrix Systems, Inc. in the United States and other countries. RSA Encryption © 1996-1997 RSA Security Inc., All Rights Reserved.
This product includes software developed by The Apache Software Foundation (http://www.apache.org/) This product includes software developed by Salamander Software Ltd. © 2002 Salamander Software Ltd. Parts © 2003 Citrix Systems, Inc. All rights reserved.
Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright © 2003-2006 Macrovision Corporation and/or Macrovision Europe Ltd.. All rights reserved.
Trademark Acknowledgements
Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.
Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product. Portions of this software are based in part on the work of the Independent JPEG Group.
Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved.
Macromedia and Flash are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries. Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell Client is a trademark of Novell, Inc.
RealOne is a trademark of RealNetworks, Inc.
Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners.
Contents
Chapter 1
Welcome
Password Manager Components . . . .16
The Central Store. . . .16
Password Manager Console . . . .16
Password Manager Agent Software . . . .17
The Password Manager Service . . . .19
Password Manager Product Line . . . .20
Password Manager Advanced Edition . . . .20
Password Manager Enterprise Edition . . . .20
Password Manager Advanced versus Enterprise Editions . . . .21
New Features in the Advanced Edition . . . .22
Application Definition Extensions . . . .22
Internet Explorer 7 (32-bit and 64-bit) Support . . . .22
Enhanced SAPGUI Support . . . .22
Simplified Password Change Wizard . . . .23
Administration by Active Directory Groups. . . .23
New Features in the Enterprise Edition . . . .23
User Self-Service Integration with Presentation Server Web Interface . . . .23
Kerberos and Federated Environment Support . . . .23
Account Association . . . .23
Enhanced Support for Users Switching between Strong Authentication Methods . . . .24
About this Document . . . .24
Audience and Assumptions. . . .24
Providing Feedback about this Document . . . .24
Document Conventions. . . .25
Getting More Information and Help. . . .25
Product Documentation. . . .25
Pre-Installation Update Bulletin . . . .26
Readme file . . . .26
Citrix Password Manager Administrator’s Guide . . . .26
Installation Checklist . . . .26
Online Help for Administrators and Users . . . .27
Citrix Password Manager Evaluator’s Guide . . . .27
Getting Service and Support . . . .27
Subscription Advantage . . . .28
Education and Training . . . .28
Chapter 2
Planning Your Password Manager Environment
Planning Workflow Diagram . . . .30Getting Started . . . .31
Which Central Store Type Should I Choose? . . . .33
Choosing an Active Directory Central Store . . . .35
Advantages. . . .35
Considerations . . . .36
Choosing an NTFS Network Share. . . .37
Advantages. . . .37
Considerations . . . .38
Choosing a Novell Shared Folder . . . .38
Advantages. . . .38
Considerations . . . .38
Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise . . . .40
Advantages. . . .40
Considerations . . . .41
What about Password Policies for Application Access? . . . .42
Default Password Policy . . . .42
Domain Password Policy . . . .42
Custom Password Policies . . . .43
Considerations . . . .43
Default Settings for the Default and Domain Password Policies. . . .45
Which Type of SSO-Enabled Applications Are Used in My Enterprise?. . . .48
What Do I Need to Know about Each Application? . . . .49
What Type of Smart Cards Are Used in My Enterprise? . . . .50
Smart Card Support . . . .50
Smart Card Software Requirements . . . .50
Do I Need to Use Identity Verification?. . . .51
Verifying User Identity by Using Security Questions (Question-based Authentication) . . . .52
Planning Your User Configurations . . . .54
Considerations . . . .55
Default User Configuration Properties . . . .56
Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop) . . . .59
Controlling Applications . . . .60
The Hot Desktop User Experience . . . .60
Selecting Optional Password Manager Service Features. . . .61
Account Self-Service. . . .62
Data Integrity. . . .63
Key Management. . . .64
Provisioning. . . .65
Credential Synchronization (Account Association) . . . .66
Password Manager Agent Deployment Scenarios. . . .67
Presentation Server Considerations. . . .67
Access Gateway Considerations . . . .68
Guidelines for Multiple Primary Authentication and User Credential Protection Choices . . . .70
Data Protection Methods Page . . . .71
Secondary Data Protection Page . . . .71
Security Versus Usability . . . .71
User Impersonation . . . .72
User Name and Password . . . .73
Smart Cards with Certificates and User Authentication Data . . . .74
Smart Cards with PINs . . . .75
Roaming Profiles (Microsoft DPAPI) . . . .76
Blank Passwords . . . .77
Chapter 3
Installing Password Manager
Summary of Installation Steps . . . .80Hardware and Software Requirements. . . .81
Supporting System Software Requirements . . . .81
Password Manager Console and Agent Requirements. . . .82
Password Manager Service Requirements . . . .83
ASP.NET Requirements . . . .83
Security and Account Requirements for Password Manager Service . . . .84
Server Authentication Certificate Requirement . . . .84
Accounts Required for Service Modules . . . .86
Service Account Requirements . . . .86
Self-Service Requirements. . . .87
Account Requirements to Install and Use Password Manager . . . .88
Installing and Using Password Manager Service . . . .88
Installing and Using Password Manager Console and Application Definition Tool . . . .88
Installing and Using Password Manager Agent . . . .88
Installing the Microsoft .NET 2.0 Framework. . . .89
Installing .NET 2.0 Side By Side with .NET 1.1 . . . .89
Installing the Java Runtime Environment . . . .90
If You Install or Upgrade the JRE after Installing the Console, Application Definition Tool, or Agent Software . . . .91
Troubleshooting a Java-Related Error Message During Agent Software Installation or Uninstallation. . . .91
Licensing Requirements . . . .93
Disconnected Mode. . . .93
Managing a Mixed License Type Environment . . . .94
Before You Install Password Manager. . . .95
Installation Order. . . .95
Where Can I Install Each Password Manager Component?. . . .96
Creating a Central Store . . . .98
Optional—Creating a Central Store from a Command-Line. . . .101
Creating an Active Directory Central Store . . . .102
Step 1—Extend the Active Directory Schema . . . .102
Step 2—Update Domain Root Permissions . . . .102
Creating an NTFS Network Share Central Store . . . .104
Creating a Novell Shared Folder Central Store . . . .106
Considerations . . . .106
Installing and Configuring the Password Manager Service. . . .108
Password Manager Service Port Number . . . .111
Installing and Configuring the Password Manager Console . . . .112
Installing and Configuring the Password Manager Agent. . . .114
Installation Scenarios. . . .115
Considerations . . . .116
Preserving the GINA Chain When Installing the Agent . . . .116
Silent Installation of Password Manager Agent . . . .120
Chapter 4
Upgrading Password Manager
Supported Upgrade Paths . . . .123Summary of Upgrade Steps . . . .124
Using Autorun . . . .126
Upgrade Order . . . .126
If You Used the CtxMoveKeyRecoveryData Tool to Back Up Service Data.127 Back Up the process.xml File (Hot Desktop Environments Only) . . . .127
Back Up Your Existing Central Store. . . .127
Upgraded Policies, Application Definitions, Questions/Questionnaires, and User Configurations . . . .128
Microsoft Web Services Enhancements . . . .128
Microsoft .NET Versions 1.1 and 2.0 . . . .128
Step 1—Upgrading the Password Manager Service . . . .130
Step 2—Upgrading the Password Manager Console. . . .131
Step 3—Upgrading the Password Manager Agent . . . .133
Chapter 5
Using Password Policies to Enforce Password Requirements
Overview of Password Policies . . . .136Password Sharing Groups . . . .136
Domain Password Sharing Groups . . . .137
Creating Password Policies: the Password Policy Wizard . . . .138
To Start the Password Policy Wizard . . . .138
Set Basic Password Rules . . . .139
Set Alphabetic Character Rules. . . .139
Set Numeric Character Rules . . . .140
Set Special Character Rules . . . .140
Set Exclusion Rules (Excluding Specific Characters) . . . .141
Set Password History and Expiration . . . .142
Test Password Policy. . . .143
Establish Logon Preferences . . . .144
Customize Password Change Wizard . . . .144
Helping to Increase Password Strength and Security In Your Environment . . . .146
Chapter 6
Managing How Password Manager Works with Applications
Overview of Application Templates . . . .149Managing Application Definitions Using Templates. . . .149
Obtaining Application Templates from the Web . . . .150
Importing Application Templates from a Network Share . . . .150
Adding an Application Definition Using a Template . . . .150
Creating Application Templates . . . .152
How the Password Manager Agent Identifies Applications and User Credential
Management Events . . . .152
Identifying the Parts of the Application’s User Interface. . . .153
Application Definition Wizard Overview . . . .154
Identify Application. . . .155
Manage Forms . . . .155
Name Custom Fields . . . .155
Specify icon . . . .156
Configure advanced detection. . . .156
Credential submission loops . . . .156
Credential change loops. . . .157
Configure password expiration . . . .157
Confirm settings . . . .157
Form Definition Wizard Overview . . . .157
Windows Type Application Definitions. . . .159
Gathering the Information Required for Windows Application Definitions . .160 Form Definition Process . . . .160
Name form . . . .160
Identify form . . . .161
Define form actions . . . .163
Configure other settings. . . .165
Confirm settings. . . .165
Using Advanced Matching to Identify Windows Forms . . . .166
Class Information. . . .166
Control Matching . . . .167
SAP Session Information. . . .169
Window Identifier . . . .170
Identification Extensions . . . .170
Using the Action Editor to Define the Action Sequence for Forms. . . .171
Action Sequence Definition Process . . . .172
Action Descriptions . . . .173
Considerations for Windows Type Definitions . . . .174
Web Type Application Definitions . . . .176
Gathering the Information Required for Web Application Definitions . . . .177
Form Definition Process . . . .177
Name form . . . .177
Identify form . . . .179
Configure other settings. . . .179
Confirm settings. . . .180
Redirect to Windows Application Configuration. . . .180
Advanced Settings Dialog Box for Web Applications. . . .181
Host/Mainframe Type Application Definitions . . . .183
Gathering the Information Required for Host Application Definitions . . . .183
Form Definition Process . . . .184
Name form . . . .184
Identify form . . . .185
Set field description rules. . . .186
Configure other settings. . . .187
Confirm settings. . . .188
Advanced Settings for Host Applications. . . .188
Host Form Additional Settings . . . .188
Ignore Match . . . .189
Considerations for Host Type Definitions . . . .189
Terminal Emulation Support. . . .189
Mfrmlist.ini Field Definitions . . . .191
Chapter 7
Creating User Configurations
What Is a User Configuration? . . . .194Default User Configuration Properties . . . .195
Before You Begin . . . .198
Specifying Domain Controllers for User Configurations. . . .198
Creating a User Configuration: the User Configuration Wizard . . . .200
Name User Configuration . . . .201
Select Product Edition . . . .201
Choose Applications . . . .201
Configure Agent Interaction . . . .204
Advanced Settings . . . .206
Configure Licensing . . . .210
Select Data Protection Methods . . . .212
Select Secondary Data Protection . . . .215
Enable Self-Service Features . . . .216
Locate Service Modules . . . .216
Completing the User Configuration Wizard. . . .216
Synchronizing Credentials by Using Account Association. . . .217
Account Association Configuration Task Workflow . . . .217
Choosing and Configuring a Domain to Host the Credential Synchronization Module. . . .218
Configuring Account Association in the Agent Software . . . .222
Reset User Data . . . .223
Delete User Data From Central Store . . . .225
Prompting Users to Reregister Answers to Security Questions . . . .226
Assigning Priority to User Configurations. . . .227
Assigning a User Configuration to Different Users. . . .227
Upgrading Existing User Configurations. . . .229
Chapter 8
User Authentication and Identity Verification
Overview of Password Manager Authentication . . . .232When Must Users Confirm Their Identities? . . . .233
Overview of Identity Verification Methods . . . .234
Previous Password. . . .234
Security Questions. . . .235
Bypassing Identity Verification . . . .235
If Users Switch Among Multiple Authentication Methods. . . .236
Chapter 9
Managing Question-Based Authentication
Confirming User Identity Using Question-Based Authentication. . . .238Considerations . . . .239
Question-Based Authentication Workflow . . . .240
Designing Security Questions: Security Versus Usability. . . .241
Considerations for Security Questions . . . .242
Managing Your Questions . . . .242
Setting a Default Language. . . .243
Creating New Security Questions . . . .243
Adding or Editing Text for Existing Questions (Including Translated Text) .245 Creating Security Question Groups . . . .247
Creating and Implementing Your Questionnaire . . . .249
Before You Begin . . . .249
Selecting Questions for Key Recovery . . . .251
Backward Compatibility with Previous Versions of Password Manager . . . .252
Allowing Users to Reregister Answers to Their Security Questions . . . .253
Chapter 10
Allowing Users to Manage Their Primary Credentials with Account
Self-Service
Overview of Self-Service . . . .256Considerations . . . .256
Using Automatic Key Management with Self-Service . . . .257
When Users Forget Their Security Questions . . . .257
User Experience . . . .259
Chapter 11
Using Provisioning to Automate Credential Entry
Summary of Provisioning Tasks . . . .262Generating a Credential Provisioning Template . . . .263
Editing the Provisioning Template. . . .264
The <cpm-provision> Tag. . . .264
Example Output. . . .265
The <user> Tag . . . .266
The <add> Command . . . .267
The <modify> Command . . . .268
The <delete> Command . . . .269
The <remove> Command . . . .270
The <reset> Command . . . .271
The <list-credentials> Command . . . .271
Provisioning Credentials. . . .272
Tuning Credential Provisioning Processing. . . .273
The Credential Provisioning SDK . . . .273
Chapter 12
Hot Desktop: A Shared Desktop Environment for Users
Summary of Hot Desktop Tasks. . . .277Hot Desktop Start Up and Shut Down Process Flow . . . .278
Hot Desktop Startup and Shutdown Events . . . .278
Troubleshooting Hot Desktop User Startup . . . .279
Creating a Hot Desktop Shared Account . . . .280
Guidelines for the Hot Desktop Shared Account . . . .280
Organizing Hot Desktop Users . . . .281
Restricting User Rights . . . .281
Hot Desktop, Smart Cards, and Key Recovery . . . .281
Requirements for Applications Used with Hot Desktop . . . .282
Controlling How Applications Behave for Hot Desktop Users. . . .283
Before You Begin . . . .284
The session.xml File . . . .285
Launching Applications Using session.xml . . . .285
session.xml Tags . . . .286
<startup_scripts> . . . .286
<shutdown_scripts> . . . .287
Example: Cleaning Up a Session with a Script . . . .288
The process.xml File . . . .289
process.xml Tags . . . .289
<persistent_processes> . . . .290
<transient_processes> . . . .291
<shellexecute_processes> . . . .292
User Configuration Settings for Hot Desktop . . . .293
Locating Hot Desktop Settings in a User Configuration . . . .293
Setting the Location of the session.xml File. . . .293
Specifying Hot Desktop Session Time-Out Options . . . .294
Enabling the Hot Desktop Session Indicator . . . .294
Specifying a Custom Bitmap Graphic as a Session Indicator . . . .295
Using the Hot Desktop Screen Saver . . . .295
Installing Hot Desktop . . . .296
Disabling Terminal Services for a Hot Desktop Administrative or Silent Install . 296 Uninstalling Hot Desktop . . . .298
Restoring Terminal Services after Uninstalling Hot Desktop . . . .299
Enabling Multiple Sessions after Uninstalling Hot Desktop . . . .299
Interacting with Citrix Presentation Server Clients . . . .301
Program Neighborhood Agent . . . .301
Citrix Web Interface . . . .301
Viewing Hot Desktop User Profiles. . . .302
Shutting Down a Hot Desktop Workstation. . . .302
Working without AutoAdminLogon Support . . . .302
Changing the Hot Desktop Shared Account Password . . . .304
Hot Desktop Information on the Web . . . .304
Chapter 13
Operations
Logging Password Manager Events. . . .306Enabling Event Logging . . . .307
Password Manager Agent Does not Submit Credentials . . . .308
All Formats (Windows, Web, Terminal Emulators) . . . .308
Windows-Based Applications. . . .309
Web-Based Applications. . . .310
Terminal Emulator-Based Applications . . . .311
Supporting Terminal Emulators . . . .312
Configuring HLLAPI Support for Tested Emulators. . . .313
Application Recognition Initialization (.ini) Files . . . .314
Software Upgrades and the GINA Chain . . . .315
Retrieving and Submitting Credentials . . . .316
Creating a New Signing Certificate . . . .316
Signing, Unsigning, Resigning, and Verifying Data . . . .317
Signing Data (-s) . . . .318
Resigning Data (-r) . . . .318
Unsigning Data (-u). . . .319
Verifying Data (-v) . . . .319
Enabling and Disabling the Data Integrity Service on Password Manager Agent Software . . . .320
Removing Deleted Objects from Your Central Store . . . .321
Moving Data to a Different Central Store . . . .321
Migrating Data to a New Central Store . . . .322
Backing Up Important Files . . . .323
Backing Up Password Manager Service Files . . . .324
Appendix A
Password Manager Settings List
Appendix B
Password Manager 4.5 Settings Reference
User Configurations. . . .331Basic Agent Interaction . . . .331
Agent User Interface . . . .333
Client Side Interaction . . . .334
Synchronization . . . .335
Account Association . . . .336
Application Support . . . .337
Hot Desktop . . . .339
Licensing . . . .340
Data Protection Methods . . . .341
Secondary Data Protection. . . .343
Self Service Features . . . .344
Key Management Module . . . .345
Provisioning Module . . . .345
Application Definitions . . . .346
Edit Application Forms . . . .346
Application Icon. . . .347
Advanced Detection. . . .347
Password Expiration . . . .347
Password Policies . . . .348
Alphabetic Character Rules . . . .349
Numeric Character Rules. . . .350
Special Character Rules . . . .351
Exclusion Rules . . . .352
Password History and Expiration . . . .353
Test Password Policy . . . .354
Logon Preferences . . . .355
Password Change Wizard . . . .356
Appendix C
Application Definition Extensions
Agent Software Operation . . . .359Identification Extensions. . . .360
Defining Identification Extensions . . . .361
Action Extensions . . . .363
Defining Action Extensions. . . .363
Implementer Requirements . . . .365
Enabling Logging . . . .366
Appendix D
Virtual Key Codes for Host and Windows Applications
Codes for VTabKeyN (Windows) . . . .367Codes for VirtualKeyCode (Windows) and VKEY (Windows) . . . .368
Welcome
Citrix Password Manager provides password security and single sign-on access to Windows, Web, and host-based applications running in the Citrix environment as well as local applications on the desktop. Users authenticate once and Password Manager does the rest, automatically logging on to password-protected
information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks, including password changes. Designed to work seamlessly with all products in the Citrix Access Suite, Password Manager adds value to each of the component products in the Access Suite:
• Citrix Presentation Server
Password Manager provides single sign-on access to any number of password-protected applications published on servers running Presentation Server.
• Citrix Access Gateway with Advanced Access Control
Users authenticate once and Password Manager passes their credentials through to any information and application resource available in the secure, personalized computing environment that is delivered from access centers. This chapter provides:
• An overview of the capabilities and components of Password Manager • A list of new features in this release
• Information about this document
Password Manager Components
The following sections briefly describe the components you need to install to start using Password Manager. For detailed information, see “Planning Your Password Manager Environment” on page 29.
The main components of Password Manager are: • The central store
• The Password Manager Console • Password Manager Agent software • Password Manager Service (optional)
The Central Store
The central store is a centralized repository used by Password Manager to store and manage user and administrative data. User data includes user credentials, security question answers, and other user-focused data. Administrative data includes password policies, application definitions, security questions, and other wider-ranging data. When a user signs on, Password Manager compares that user’s credentials to those stored in the central store. As the user opens password-protected applications or Web pages, the appropriate credentials are drawn from the central store.
Password Manager Console
The Password Manager Console is the command center of Password Manager. From the console, you manage the users’ Password Manager experience. Here, you configure how Password Manager will work, which features will be deployed, which security measures will be used, and other important password-related settings.
The console has four main items, or nodes, in the left pane. By selecting a node, tasks specific to that node appear. These nodes are:
• User Configurations
These configurations allow you to tailor particular settings for your users based on their geographic locations or business roles. The settings of the other three nodes are used to create user configurations.
• Application Definitions
Password Manager to speed this process, or create your own customized definitions for applications that cannot use these templates. Additional templates are located at http://www.citrix.com/passwordmanager/ gettingstarted.
• Password Policies
Password policies control password length and the type and variety of characters used in both user-defined and automatically-generated passwords. Password policies also allow you to identify characters to exclude from use in passwords and whether or not previous passwords can be reused. Creating password policies consistent with your company’s security policies ensures that password security is appropriately managed by Password Manager.
• Identity Verification
The security questions you create provide an added layer of security to your agent software by protecting against user impersonation, unauthorized password changes, and unauthorized account unlocking. Users who enroll and answer your security questions can answer those questions to verify their identity and perform self-service tasks to their account, such as resetting their primary password or unlocking their user account.
Password Manager Agent Software
The Password Manager Agent is the software users need on their client devices to act as an intermediary between users and their applications. The Password Manager Agent acts as an intermediary between users and applications that require authentication.
When a user tries to access an application that requires authentication, the agent software intercepts the application’s request for authentication, finds the correct credentials, and submits them to the application.
In addition, the Password Manager Agent can provide users with a wide array of features. Which features the users actually receive is determined by the
administrative settings you make in their user configurations. See “Password Manager 4.5 Settings Reference” on page 331 for the specific settings available to you.
Password Manager Agent features include: • Notification area icon
• Logon Manager
The Logon Manager provides a user interface where credentials can be created, viewed, edited, and deleted. Users can also conduct security question registration and access online Help from the Logon Manager. The File menu provides the user with much of the available access: • The New Logon command allows users to add new Windows-,
Web-, or host-based application credentials to Password Manager. • The Properties command gives the user access to properties
associated with the credentials for the specified application. From there, the user can change the password, user ID, and other logon information.
• The Delete command, when invoked, removes users’ credentials for the selected application from Logon Manager.
• The Copy command provides a duplicate set of the selected credentials that the user can then edit to create multiple sets of credentials for single applications.
Other commands you can give users access to include:
• The Reveal Passwords command, from the View menu, allows the user to display the passwords of the applications listed in Logon Manager
Note: Password policy settings for revealing passwords override
this command. If you do not want users to reveal the password for an application, be sure to set the password policy to prevent this. • The Security Question Registration command, from the Tools menu,
gives the user the option to restart the Security Question Registration wizard and provide new answers to the security questions.
• The Account Association command, from the Tools menu, allows the user to create an association between accounts on different domains. By using this feature, the user’s credentials are synchronized, with password changes carried across domains.
• Automated new logon setup
stored in Password Manager, the New Logon wizard automatically appears, offering to store them.
• User mobility
The Password Manager Agent supports remote and mobile users. By obtaining a license before disconnecting, remote users can access their credentials when they are disconnected from the corporate network. Mobile users can move from one computer to another and multiple users can securely share one workstation.
The Password Manager Service
The Password Manager Service runs on a Web server that provides the foundation for optional features included in this release. Install the Password Manager Service if you plan to implement at least one of the following modules:
• Account Self-Service Module, which allows users to reset their Windows passwords and unlock their Windows accounts
• Data Integrity Module, which protects data from being compromised while in transit from the central store to the agent
• Key Management Module, which allows users to log on to the network and have immediate access to applications managed by Password Manager • Provisioning Module, which allows you to use the console to add, remove,
or update credential information for your users
• Credential Synchronization Module, which synchronizes user credentials using a Web service
Password Manager Product Line
Password Manager is now available in two editions: Advanced and Enterprise.
Password Manager Advanced Edition
The Advanced Edition of Password Manager increases your organization’s security with:
• Strong password policy options • Automated password generation
• Automatically started Password Change Wizard option
• Password encryption while in memory, storage, and transmission • Password expiration options for applications lacking that capability The Advanced Edition also interacts well with other programs, easing the user’s logon information storage process as well as your maintenance of that process and information.
Password Manager Enterprise Edition
The Enterprise Edition of Password Manager is designed for the most demanding and complex enterprise environments. The Enterprise Edition:
• Provides additional security, user self-service, and on-site user mobility features and performance.
• Reduces calls to the help desk through user self-service features that enable users to change their own Windows password and unlock their account. • Allows on-site mobile workers to quickly access information with Hot
Desktop, which facilitates fast user switching at shared workstations. • Includes enterprise security features such as integration with smart cards,
Password Manager Advanced versus Enterprise
Editions
User Features Advanced Edition Enterprise Edition
Single sign-on to Windows applications X X Single sign-on to Web applications X X Single sign-on to host-based terminal emulator applications X X Citrix Access Client X X Localized user interface X X Support for SAPGUI, Internet Explorer 7 (32-bit, 64-bit) X X Self-service password reset X Self-service account unlock X Self-service feature integration with Web Interface X Hot Desktop fast user switching X Hot Desktop/SmoothRoaming integration X
Account association X
Security Features Advanced Edition Enterprise Edition
Automated password change X X Transparent password change X X Encrypted passwords in memory, storage, during transmission X X Password policy enforcement—automatic password changes X X Password policy enforcement—manual password changes X X Password expiration X X Password token and biometric support X X Basic support for smart cards X X
Smart card support X
New Features in the Advanced Edition
The Advanced Edition includes the following new features:
Application Definition Extensions
The Application Definition Extensions enable greater extensibility through scripting support and the ability to invoke an executable for both application detection and password-related actions. This enhances the ability to configure an application for single sign-on use. See “Application Definition Extensions” on page 359 for details.
Internet Explorer 7 (32-bit and 64-bit) Support
Support for both the 32-bit and 64-bit versions of Internet Explorer 7 has been added. For example, if a user switches to an Internet Explorer tab containing a new application, Password Manager Agent prompts the user for credential storage.
Enhanced SAPGUI Support
SAPGUI scripting for the SAP Logon Pad has been added, giving Password Manager a fifth SAP integration option.
Administrator Features Advanced Edition Enterprise Edition Batch credential provisioning X X Integration with user provisioning products X X Windows NT file share support X X Microsoft Active Directory support X X Novell NetWare network share support X X LDAP directory support X X Administration by Active Directory groups X X Citrix Streaming Server support X X Citrix Access Management Console X X Suite-integrated licensing X X Windows Server 2003 64-bit compatibility X X Named user licensing X X Concurrent user licensing [Citrix Password Manager for
Simplified Password Change Wizard
This Password Change Wizard starts when Password Manager detects that an application requested a password change or the user started the password change process within the application. The wizard includes the administrative option to automatically determine whether or not the password change is successful.
Administration by Active Directory Groups
Password Manager now enables user settings to be deployed to Active Directory groups in environments with Active Directory or NTFS file shares using Active Directory authentication. Administrators also have the ability to prioritize the group membership list and retain the ability to administer by domain level, organizational unit, or the individual user level.
New Features in the Enterprise Edition
The Enterprise Edition includes all the new features of the Advanced Edition, plus the following:
User Self-Service Integration with Presentation Server
Web Interface
Users can now reset their primary network password or unlock their account from the Citrix Web Interface as well as the Windows logon screen.
Kerberos and Federated Environment Support
Password Manager now supports single sign-on to rich-client applications across Web domains. After users authenticate to their organization’s primary domain, their credentials are automatically supplied to the applications of a trusted partner company. Standard Federation solutions provide single sign-on to Web
applications only, but through the use of Password Manager with Presentation Server, Federation with single sign-on can be employed for all application types.
Account Association
Enhanced Support for Users Switching between Strong
Authentication Methods
Users are no longer required to answer security questions when switching between strong authentication methods even if automatic key management is not configured (previously, users were not required to authenticate again if automatic key management was configured). For example, users can access their accounts locally with a smart card and then remotely with a one-time password token and not be prompted to verify their identity.
About this Document
The overall objectives of this guide are:
• To provide you with a good understanding of the features and functionality of Password Manager
• To provide you with an understanding of the prerequisites and procedures necessary to successfully install Password Manager
• To provide you with guidelines for planning and implementing the deployment of Password Manager in your organization
• To provide you with instructions and tips to help you create and maintain the optimum password management environment for your users
Audience and Assumptions
This document is intended for use by system and security administrators who are implementing Password Manager. It is assumed that you, the reader, have a basic understanding of Windows Server administration. You must have working knowledge of Novell NetWare if this is the platform you are using to install or maintain Password Manager.
Providing Feedback about this Document
To provide feedback about the documentation, go to www.citrix.com and click
Support > Knowledge Center > Product Documentation. To access the
Document Conventions
Citrix product documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:
Getting More Information and Help
This section discusses the documentation for this release. It also describes how to get more information about Password Manager.
Product Documentation
Password Manager contains a robust library of documentation. With the exception of the Pre-Installation Update Bulletin, the following documents are available in the Documentation directory on the product CD. The bulletin is available at http://support.citrix.com/article/CTX110783.
Convention Meaning
Boldface Commands, names of interface items such as text boxes, option buttons, and user input.
Italics Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics are also used for new terms and the titles of books.
%SystemRoot% The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.
Monospace Text displayed in a text file.
{ braces } A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves. [ brackets ] Optional items in command statements. For example,
[/ping] means that you can type /ping with the command. Do not type the brackets themselves. | (vertical bar) A separator between items in braces or brackets in
command statements. For example, { /hold | /release | / delete } means you type /hold or /release or /delete. … (ellipsis) You can repeat the previous item or items in command
Pre-Installation Update Bulletin
The Pre-Installation Update Bulletin contains installation-related information developed after the Readme file was completed.
Readme file
The Readme file provides information about Password Manager functionality, known issues, changes, and other important information developed after the
Citrix Password Manager Administrator’s Guide was completed. Be sure to read
this before installing Password Manager.
Getting Started with Citrix Licensing Guide
The licensing process for Password Manager changed since the release of Password Manager 4.1. See Getting Started with the Citrix Licensing Guide, included on your product CD, for instructions to license Password Manager.
Note: Guides are provided as Adobe Portable Document Format (PDF) files.
To view, search, and print PDF documents, you need to have Adobe Acrobat Reader 5.0.5 with Search, or Adobe Reader 6.0 through 7.0. You can download these products for free from Adobe Systems’ Web site at http://www.adobe.com/.
Citrix Password Manager Administrator’s Guide
The manual you are currently reading provides conceptual information, procedures for deployment, and implementation instructions for system administrators who install, configure, and test the components of Password Manager.
Installation Checklist
Online Help for Administrators and Users
Administrators now have a robust set of Help topics based on this guide. Adminstrators can now view information about common tasks, workflow, and settings on the screen.
Users can get information about common tasks, including adding logon information for applications, using the Logon Manager, and setting Password Manager automatic features. Users can access Help through Help menus or Help buttons.
Citrix Password Manager Evaluator’s Guide
This guide delivers a practical overview of Password Manager features and functionality by providing instructions for setting up and running a small-scale deployment of the product.
Getting Service and Support
Citrix provides technical support primarily through the Citrix Solutions Advisors Program. Contact your supplier for first-line support or check for your nearest Solutions Advisor at http://www.citrix.com/site/partners.
In addition to the Citrix Solutions Advisors Program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at http://support.citrix.com/. Knowledge Center features include:
• A knowledge base containing thousands of technical solutions to support your Citrix environment.
• A Web-based product documentation library. • Interactive support forums for every Citrix product. • Access to the latest hotfixes and service packs. • Security bulletins.
• Web-based problem reporting and tracking (for users with valid support contracts).
• Citrix Live Remote Assistance. Using Citrix's remote assistance product, GoToAssist, a member of our support team can view your desktop and share control of your mouse and keyboard to get you on your way to a solution.
Subscription Advantage
Subscription Advantage gives you an easy way to stay current with the latest server-based software functionality and information. During your subscription period, you get automatic delivery of:
• Feature releases • Software upgrades • Enhancements • Maintenance releases
• Priority access to important Citrix technology information.
You can find more information about subscribing on the Citrix Web site at http://www.citrix.com/services/ (click Subscription Advantage). You can also contact your Citrix sales representative or a member of the Citrix Solutions Advisors Program for more information.
Education and Training
Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.
Planning Your Password Manager
Environment
This section contains information to help you plan your Password Manager environment and to help you decide how to implement Password Manager. The following topics are described in this section:
• “Planning Workflow Diagram” on page 30 • “Getting Started” on page 31
• “Which Central Store Type Should I Choose?” on page 33
• “What about Password Policies for Application Access?” on page 42 • “Which Type of SSO-Enabled Applications Are Used in My Enterprise?”
on page 48
• “What Type of Smart Cards Are Used in My Enterprise?” on page 50 • “Do I Need to Use Identity Verification?” on page 51
• “Planning Your User Configurations” on page 54
• “Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop)” on page 59
• “Selecting Optional Password Manager Service Features” on page 61 • “Password Manager Agent Deployment Scenarios” on page 67 • “Guidelines for Multiple Primary Authentication and User Credential
Getting Started
A Password Manager environment can include the following:
• Shared network folders or Active Directory containing the central store • One or more PCs running the Password Manager Console
• User PCs running the Password Manager Agent
• A dedicated server hosting the Password Manager Service with one or more feature modules installed on it
• Citrix Presentation Server environment hosting the Password Manager Agent
• Authentication devices such as smart cards
Task See this section 1. Research features that you might
implement in your environment. “Planning Your Password Manager Environment” on page 29 (that is, this section) “User Authentication and Identity Verification” on page 231
“Managing Question-Based Authentication” on page 237
“Allowing Users to Manage Their Primary Credentials with Account Self-Service” on page 255
“Using Provisioning to Automate Credential Entry” on page 261
“Hot Desktop: A Shared Desktop Environment for Users” on page 275
2. Create a central store and install the Password Manager components with optional features.
Upgrade an existing deployment of Password Manager.
“Which Central Store Type Should I Choose?” on page 33
“Installing Password Manager” on page 79 “Upgrading Password Manager” on page 123 3. Create, edit, or review your
password policies. “What about Password Policies for Application Access?” on page 42 “Using Password Policies to Enforce Password Requirements” on page 135
4. Create or edit your application
definitions. “Which Type of SSO-Enabled Applications Are Used in My Enterprise?” on page 48 “Managing How Password Manager Works with Applications” on page 147
5. Create user configurations based on
your enterprise requirements. “Planning Your User Configurations” on page 54 “Creating User Configurations” on page 193 6. Install the agent software on user
desktops or a computer running Presentation Server.
“Password Manager Agent Deployment Scenarios” on page 67
“Installing and Configuring the Password Manager Agent” on page 114
7. Notify your users that Password Manager can help securely store their application credentials.
Which Central Store Type Should I Choose?
Note: You can create a central store automatically as part of the Password
Manager installation process or manually by using the central store setup utilities. See “Creating a Central Store” on page 98 and “Optional—Creating a Central Store from a Command-Line” on page 101.
Password Manager uses a repository known as the central store to store and retrieve information about your users and your environment. Password Manager relies on the data in the central store to perform all default and configured single sign-on functions.
The central store contains user data and administrative data:
• User data in the central store includes user secondary credentials, security
questions and answers, service-related data (for example, provisioned data, question-based authentication data, key recovery enrollment, and so on), and user Windows registry data associated with Password Manager • Administrative data in the central store includes application definitions,
password policies, security questions, and other settings made through the console for Password Manager features and components
The central store basically enables the agent software running on a user PC or computer running Citrix Presentation Server to communicate with the central store and services, and to provide user credentials to applications to which the user has been granted access.
The agent maintains a local store on the user PC. The local store contains only the user’s secondary credentials, key recovery information, and security questions and answers (if applicable). It synchronizes with the central store to allow users to roam throughout the enterprise and always have access to saved user credentials. The central store can be one of the following:
• Active Directory
The central store uses the Active Directory environment and objects to store and update Password Manager data.
See “Choosing an Active Directory Central Store” on page 35. • NTFS network share
• Novell shared folder
The central store uses a Novell NetWare shared folder to store the Password Manager data.
See “Choosing a Novell Shared Folder” on page 38.
Note: Citrix Password Manager allows you to migrate users from one central
store type to another if you later decide that one type is more suitable than the current one used in your environment. See “Moving Data to a Different Central Store” on page 321.
Note: If your enterprise forest contains multiple domains, see “Using Account
Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise” on page 40.
Also see “Specifying Domain Controllers for User Configurations” on page 198 for information about user configurations in multiple domain controller
Choosing an Active Directory Central Store
Choosing to use Active Directory as your central store enables you to leverage the convenience of your existing Active Directory user authentication and object administration. For example, you can apply user-specific settings to any level in a domain—domain, organizational unit, group, or user.
Two new classes and two attributes are added to the Active Directory schema when you create an Active Directory central store:
Note: See the CitrixMPMSchema.xml file in the \Tools folder of the Password
Manager product CD for more information about these classes and attributes. In general, choose Active Directory as your central store if you:
• Can successfully extend your Active Directory schema without affecting your enterprise
• Already implement Active Directory backup and restore best practices as recommended by Microsoft (although this is not a requirement)
• Prefer the high availability that is built in to Active Directory to be extended to the central store data
Advantages
• Active Directory includes built-in failover and redundancy, so additional measures for disaster recovery are not needed
• Active Directory replication helps to distribute central store administrative and user data across your enterprise
Class Description
citrix-SSOConfig Describes the object containing data for the agent settings, synchronization state, and the ENTLIST.INI application definition file and the FTULIST.INI first-time agent use behavior file. This class includes the following attributes:
• citrix-SSOConfigData - contains the actual data • citrix-SSOConfigType - specifies the data type
citrix-SSOSecret Describes the secret data object used to authenticate a Password Manager user. This class includes the following attribute: • citrix-SSOSecretData - contains encrypted credential data for
• No additional hardware is needed when using an Active Directory central store
Considerations
• You must extend your schema when using an Active Directory central store, which requires careful planning and implementation. Extending the schema affects the entire forest.
• You might want to extend the schema and create your Active Directory central store during non-peak usage hours. Your Active Directory
replication cycle latency affects how quickly these changes are copied to all domain controllers in the forest.
Choosing an NTFS Network Share
Important: Citrix recommends that you use a hidden share for the central store
in this case. Creating a central store as described in “Creating a Central Store” on page 98 or “Optional—Creating a Central Store from a Command-Line” on page 101 automatically creates a hidden share.
Choosing to use an NTFS network share as your central store enables you to leverage the convenience of your existing Active Directory user authentication and tree structure without having to extend the Active Directory schema. For example, you can apply user-specific settings to any level in a domain—domain, organizational unit, group, or user.
Password Manager creates a shared folder named CITRIXSYNC$ with two subfolders named People and CentralStoreRoot.
The People folder contains a subfolder for each user and includes the appropriate read and write permission properties for the user. The CentralStoreRoot folder contains administrative data.
Advantages
• You can emulate the look and feel of an Active Directory central store without having to extend your Active Directory schema. Yet you can take advantage of your existing Active Directory hierarchy or groups.
Note: Associating user configurations to groups is supported only in Active
Directory domains that use Active Directory authentication.
• User data is always up-to-date, because it is stored in a central location and avoids any data replication latency associated with Active Directory. • You can load balance your shares among multiple computers that can each
host an NTFS network share for higher availability.
• Helps reduce the authentication task workload from your Active Directory environment.
• If you decide later to implement an Active Directory central store,
Considerations
• You might need additional hardware to host the central store.
• You need to back up central store files and folders (including their related permissions) regularly. Ensure that you also maintain and implement disaster recovery plans where you replicate files and folders for site recovery.
• Your enterprise network topology might require users (and the Password Manager agent) to transfer user data across one or more WAN links. In this case, consider implementing implement the Distributed File System technology included as part of Microsoft Windows Server 2000 or 2003. The Microsoft Web site http://support.microsoft.com describes the Distributed File System technology in more detail.
Choosing a Novell Shared Folder
Important: Password Manager services are not supported in Password
Manager environments using Novell NetWare shared folders.
Choosing to use a Novell NetWare shared folder as your central store enables you to leverage the convenience of your existing Novell NetWare directory services. Using this central store type is similar to using an NTFS network share.
Configure a secured network folder in eDirectory to store all data associated with your Password Manager environment. Applications and settings can be defined and assigned at the domain level.
Advantages
• You are already implementing Novell NetWare directory services
• You can choose to use an existing secure shared folder as the central store
Considerations
• This central store type does not support associating user configurations with Active Directory groups.
• Because the agent uses a Windows password, the use of Novell NetWare file synchronization requires that users’ Novell password be identical to their Windows passwords.
• The central store must be located in the same tree as the computers on which the agents are installed. Users must log on to a Novell tree where the shared folder is located. Users must also have accounts with read access permissions to the Novell NetWare shared folder you designate as the central store.
Using Account Association with Multiple Central
Stores and User Account Credentials in a Multiple
Domain Enterprise
Note: See “Synchronizing Credentials by Using Account Association” on page
217 to configure Account Association.
Administrators can create multiple central stores in enterprises that contain multiple domains. In fact, you can use more than one central store type in these environments. For example, you can associate user configurations with an NTFS network share central store in one domain and an Active Directory central store in another domain.
As companies might maintain multiple Windows domains, users might also have more than one Windows account. Password Manager includes a feature known as Account Association to allow a user agent to log on to any application from one or more Windows accounts. Because Password Manager typically binds user credentials to a single account, the credential information is not automatically synchronized among multiple accounts that a user owns.
However, administrators can configure Account Association to synchronize user credentials by using the Credential Synchronization Module. Users with Account Association configured have access to all applications from any of their accounts in their Password Manager environment. When user credentials are changed, added, or removed from one account, the credentials are automatically synchronized with each of the user's associated accounts.
Without Account Association, users with multiple Windows accounts are forced to manually change their logon information separately from each Windows account.
Advantages
• Account Association can help increase productivity and reduce support calls by synchronizing user credentials to help reduce logon maintenance or failures.
• Accounts can be synchronized across different central store types. That is, a user account configured to use Active Directory as the central store can synchronize with an associated user account that is configured to use an NTFS network share.
Active Directory hierarchy (OU or user) in one domain and associated with an Active Directory group in another domain.
• Accounts can also be synchronized across different user configuration associations in the same domain and within the same central store. • Trust relationships between domain controllers are not necessary to use
Account Association.
Considerations
Consider the following before configuring Account Association:
• Account Association is not compatible with smart cards when smart cards are used as the primary authentication mechanism to log on to Windows.
Note: The user configuration in each domain might have different
password policies that might block access to a resource, but Account Association synchronizes user credentials only, not user configuration policies. Consider how you compose password policies in your enterprise. • Each associated domain account must use Citrix Password Manager. • Application definition names must be the same in each user configuration
for the Account Association feature to synchronize credentials.
• User credentials are shared only for applications specified in application definitions created by the Password Manager administrator.
What about Password Policies for Application Access?
Password policies are rules that control how passwords are created, submitted, and managed. The Password Manager installation includes two standard password policies named Default and Domain, which cannot be deleted. You can copy and modify these policies to suit your enterprise policies and regulations.
“Default Settings for the Default and Domain Password Policies” on page 45 lists the installed default settings for the Default and Domain password policies. You can use this table to help modify them or create your own policies.
Default Password Policy
Password Manager applies the Default policy to password-enabled applications used in your enterprise (except for those that require user domain credentials; see “Domain Password Policy” on page 42). This policy is applied to any application that is not defined by an administrator (by using the application definition feature in the console) or any application that is not part of an application group.
When a user adds credentials to the agent’s Logon Manager for an application that does not have a corresponding application definition, Password Manager applies the Default policy to manage that application.
Domain Password Policy
Typically, an administrator creates an application group and selects the Domain policy to be applied to the applications in that group. Password Manager then applies the Domain policy to those applications that require the user’s domain credentials for access. The Domain policy can be modified or copied to reflect your enterprise’s Active Directory or NT domain policies for user accounts. If you want an application group to be treated as a domain password sharing group, you must apply the Domain policy to that application group.
Note: An application group is a collection of defined applications associated
Custom Password Policies
Important: When creating a custom password policy or modifying existing
policies, ensure that your enterprise requirements and application requirements match. For example, if you create a policy that does not at least match an application’s requirements, your users might not be able to authenticate to that application.
You can create password policies as needed: you can apply one policy for your domain sharing group, create individual policies to apply to individual groups of applications to secure them further, and so on.
In general, password policies can specify restrictions such as the following: • A minimum and maximum number of characters for a password • Alphabetical and numerical character usage
• Number of times a character can be repeated
• Excluding or requiring which characters or special characters can be used • Whether or not users can view their stored passwords
• How many times users can try entering their password correctly • Password expiration parameters
• Password history and password exceptions
Considerations
• Consider your security requirements in the context of ease-of-use for your users. Overly restrictive passwords might be hard for users to create, implement, or recall.
• As Password Manager is secure by design, the Default password policy defines the minimum level of password security recommended by Citrix Systems, Inc. for securing most single sign-on enabled applications. You can modify these settings according to your enterprise policies and regulations.
• When users change their passwords, Password Manager can be configured through a user configuration setting to check the old password against the new password. This helps prevent users from reusing passwords for the same application twice in a row.
• Users might have a single password that is used for multiple applications (in a suite of products, for example). This scheme is known as password sharing, where the same authentication authority is used for the
applications.
While the other credentials for those applications (such as user name and custom fields) might be different, the user’s password is the same. In this case, create an application group that is a password sharing group to ensure that the agent software manages the password for all applications in the group as a single entity. When the password is changed in one of the applications, the agent software ensures that the password change is reflected in the stored credentials for all applications in the group. • Domain password sharing groups differ from other password sharing
Default Settings for the Default and Domain
Password Policies
The following table describes the settings, as installed, for the Default and Domain password policies.
Default and Domain Password Policy Options Default
Setting Your Custom Setting
Agent Password Wizard User
prompted for action Alphabetic Character Rules
Alphabet case usage Allow uppercase and lowercase Minimum number of lowercase alphabetic characters
required 0
Minimum number of uppercase alphabetic characters
required 0
Password can begin with lowercase alphabetic character Yes Password can begin with uppercase alphabetic character Yes Password can end with lowercase alphabetic character Yes Password can end with uppercase alphabetic character Yes Basic Password Rules
Maximum number of times a character can occur 6 Maximum number of times a character can occur
sequentially 4
Maximum password length 20 Minimum password length 8 Logon Preferences
Allow user to reveal password for applications No Force user to re-authenticate before submitting application
credentials No
Number of logon retries 3
Allow numeric characters in password Yes Maximum numbers of numeric characters allowed 20 Minimum number of numeric characters allowed 0 Password can begin with a numeric character Yes Password can end with a numeric character Yes Password Exclusion Rules
Characters and character groups excluded from a password Optional setting Do not allow application user name in password. No Do not allow portions of application user name in password. No Do not allow portions of Windows user name in password. No Do not allow Windows user name in password. No Number of characters in the character groups that can be taken from the application user name. 0 Number of characters in the character groups that can be taken from the Windows user name. 0 Password Expiration
Enable password expiration No Number of days to warn the user before the application
password expires 14 Number of days until the user’s application password expires 42 Password History
Enable password history No Number of previous passwords that are kept in the password
history 1
Special Character Rules
Allow special characters in password No
Allow special characters list !@#$%^&*( )_+= [ ] \ | ,? Maximum number of special characters allowed 20 Default and Domain Password Policy Options Default
Minimum number of special characters required 0 Password can begin with a special character Yes Password can end with a special character Yes Default and Domain Password Policy Options Default