• No results found

Citrix Password Manager Administrator s Guide. Citrix Password Manager Citrix Password Manager 4.5 Citrix Access Suite

N/A
N/A
Protected

Academic year: 2021

Share "Citrix Password Manager Administrator s Guide. Citrix Password Manager Citrix Password Manager 4.5 Citrix Access Suite"

Copied!
370
0
0

Loading.... (view fulltext now)

Full text

(1)
(2)

copy of the End User License Agreement is included on your product CD-ROM.

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

Citrix Password Manager replaces specific end users’ encryption keys each time their primary authentication method changes, such as a domain password change or issuance of a new smart card. Password Manager can be configured to perform this operation automatically by using the optional Key Management Module. Password Manager can also be configured to use the Microsoft Data Protection API (DPAPI). When using the optional Key Management Module and/or DPAPI, be advised that an administrator may be able to access user business or personal credentials stored in Password Manager if the administrator logs on as this end user. For additional security, end users can be asked to verify the user’s identity with unique user-provided information. This provides an additional layer of protection for the user’s secondary credentials.

Regional government user computing regulations may require that you notify your end users about the possible security and privacy implications of deploying the Key Management Module and DPAPI security configurations. Review your company policies and determine what kind of notification, if any, is required for your end users.

© 2003-2006 Citrix Systems, Inc. All rights reserved. v-GO code © 1998-2003 Passlogix, Inc. All rights reserved.

Citrix, ICA (Independent Computing Architecture), MetaFrame, MetaFrame XP, NFuse, and Program Neighborhood are registered trademarks, and SpeedScreen is a trademark of Citrix Systems, Inc. in the United States and other countries. RSA Encryption © 1996-1997 RSA Security Inc., All Rights Reserved.

This product includes software developed by The Apache Software Foundation (http://www.apache.org/) This product includes software developed by Salamander Software Ltd. © 2002 Salamander Software Ltd. Parts © 2003 Citrix Systems, Inc. All rights reserved.

Licensing: Portions of this documentation that relate to Globetrotter, Macrovision, and FLEXlm are copyright © 2003-2006 Macrovision Corporation and/or Macrovision Europe Ltd.. All rights reserved.

Trademark Acknowledgements

Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc has not tested or approved this product. Portions of this software are based in part on the work of the Independent JPEG Group.

Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved.

Macromedia and Flash are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries. Microsoft, MS-DOS, Windows, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell Client is a trademark of Novell, Inc.

RealOne is a trademark of RealNetworks, Inc.

Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners.

(3)

Contents

Chapter 1

Welcome

Password Manager Components . . . .16

The Central Store. . . .16

Password Manager Console . . . .16

Password Manager Agent Software . . . .17

The Password Manager Service . . . .19

Password Manager Product Line . . . .20

Password Manager Advanced Edition . . . .20

Password Manager Enterprise Edition . . . .20

Password Manager Advanced versus Enterprise Editions . . . .21

New Features in the Advanced Edition . . . .22

Application Definition Extensions . . . .22

Internet Explorer 7 (32-bit and 64-bit) Support . . . .22

Enhanced SAPGUI Support . . . .22

Simplified Password Change Wizard . . . .23

Administration by Active Directory Groups. . . .23

New Features in the Enterprise Edition . . . .23

User Self-Service Integration with Presentation Server Web Interface . . . .23

Kerberos and Federated Environment Support . . . .23

Account Association . . . .23

Enhanced Support for Users Switching between Strong Authentication Methods . . . .24

About this Document . . . .24

Audience and Assumptions. . . .24

Providing Feedback about this Document . . . .24

Document Conventions. . . .25

Getting More Information and Help. . . .25

Product Documentation. . . .25

Pre-Installation Update Bulletin . . . .26

Readme file . . . .26

(4)

Citrix Password Manager Administrator’s Guide . . . .26

Installation Checklist . . . .26

Online Help for Administrators and Users . . . .27

Citrix Password Manager Evaluator’s Guide . . . .27

Getting Service and Support . . . .27

Subscription Advantage . . . .28

Education and Training . . . .28

Chapter 2

Planning Your Password Manager Environment

Planning Workflow Diagram . . . .30

Getting Started . . . .31

Which Central Store Type Should I Choose? . . . .33

Choosing an Active Directory Central Store . . . .35

Advantages. . . .35

Considerations . . . .36

Choosing an NTFS Network Share. . . .37

Advantages. . . .37

Considerations . . . .38

Choosing a Novell Shared Folder . . . .38

Advantages. . . .38

Considerations . . . .38

Using Account Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise . . . .40

Advantages. . . .40

Considerations . . . .41

What about Password Policies for Application Access? . . . .42

Default Password Policy . . . .42

Domain Password Policy . . . .42

Custom Password Policies . . . .43

Considerations . . . .43

Default Settings for the Default and Domain Password Policies. . . .45

Which Type of SSO-Enabled Applications Are Used in My Enterprise?. . . .48

What Do I Need to Know about Each Application? . . . .49

What Type of Smart Cards Are Used in My Enterprise? . . . .50

Smart Card Support . . . .50

Smart Card Software Requirements . . . .50

Do I Need to Use Identity Verification?. . . .51

Verifying User Identity by Using Security Questions (Question-based Authentication) . . . .52

(5)

Planning Your User Configurations . . . .54

Considerations . . . .55

Default User Configuration Properties . . . .56

Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop) . . . .59

Controlling Applications . . . .60

The Hot Desktop User Experience . . . .60

Selecting Optional Password Manager Service Features. . . .61

Account Self-Service. . . .62

Data Integrity. . . .63

Key Management. . . .64

Provisioning. . . .65

Credential Synchronization (Account Association) . . . .66

Password Manager Agent Deployment Scenarios. . . .67

Presentation Server Considerations. . . .67

Access Gateway Considerations . . . .68

Guidelines for Multiple Primary Authentication and User Credential Protection Choices . . . .70

Data Protection Methods Page . . . .71

Secondary Data Protection Page . . . .71

Security Versus Usability . . . .71

User Impersonation . . . .72

User Name and Password . . . .73

Smart Cards with Certificates and User Authentication Data . . . .74

Smart Cards with PINs . . . .75

Roaming Profiles (Microsoft DPAPI) . . . .76

Blank Passwords . . . .77

Chapter 3

Installing Password Manager

Summary of Installation Steps . . . .80

Hardware and Software Requirements. . . .81

Supporting System Software Requirements . . . .81

Password Manager Console and Agent Requirements. . . .82

Password Manager Service Requirements . . . .83

ASP.NET Requirements . . . .83

Security and Account Requirements for Password Manager Service . . . .84

Server Authentication Certificate Requirement . . . .84

Accounts Required for Service Modules . . . .86

Service Account Requirements . . . .86

(6)

Self-Service Requirements. . . .87

Account Requirements to Install and Use Password Manager . . . .88

Installing and Using Password Manager Service . . . .88

Installing and Using Password Manager Console and Application Definition Tool . . . .88

Installing and Using Password Manager Agent . . . .88

Installing the Microsoft .NET 2.0 Framework. . . .89

Installing .NET 2.0 Side By Side with .NET 1.1 . . . .89

Installing the Java Runtime Environment . . . .90

If You Install or Upgrade the JRE after Installing the Console, Application Definition Tool, or Agent Software . . . .91

Troubleshooting a Java-Related Error Message During Agent Software Installation or Uninstallation. . . .91

Licensing Requirements . . . .93

Disconnected Mode. . . .93

Managing a Mixed License Type Environment . . . .94

Before You Install Password Manager. . . .95

Installation Order. . . .95

Where Can I Install Each Password Manager Component?. . . .96

Creating a Central Store . . . .98

Optional—Creating a Central Store from a Command-Line. . . .101

Creating an Active Directory Central Store . . . .102

Step 1—Extend the Active Directory Schema . . . .102

Step 2—Update Domain Root Permissions . . . .102

Creating an NTFS Network Share Central Store . . . .104

Creating a Novell Shared Folder Central Store . . . .106

Considerations . . . .106

Installing and Configuring the Password Manager Service. . . .108

Password Manager Service Port Number . . . .111

Installing and Configuring the Password Manager Console . . . .112

Installing and Configuring the Password Manager Agent. . . .114

Installation Scenarios. . . .115

Considerations . . . .116

Preserving the GINA Chain When Installing the Agent . . . .116

Silent Installation of Password Manager Agent . . . .120

Chapter 4

Upgrading Password Manager

Supported Upgrade Paths . . . .123

Summary of Upgrade Steps . . . .124

(7)

Using Autorun . . . .126

Upgrade Order . . . .126

If You Used the CtxMoveKeyRecoveryData Tool to Back Up Service Data.127 Back Up the process.xml File (Hot Desktop Environments Only) . . . .127

Back Up Your Existing Central Store. . . .127

Upgraded Policies, Application Definitions, Questions/Questionnaires, and User Configurations . . . .128

Microsoft Web Services Enhancements . . . .128

Microsoft .NET Versions 1.1 and 2.0 . . . .128

Step 1—Upgrading the Password Manager Service . . . .130

Step 2—Upgrading the Password Manager Console. . . .131

Step 3—Upgrading the Password Manager Agent . . . .133

Chapter 5

Using Password Policies to Enforce Password Requirements

Overview of Password Policies . . . .136

Password Sharing Groups . . . .136

Domain Password Sharing Groups . . . .137

Creating Password Policies: the Password Policy Wizard . . . .138

To Start the Password Policy Wizard . . . .138

Set Basic Password Rules . . . .139

Set Alphabetic Character Rules. . . .139

Set Numeric Character Rules . . . .140

Set Special Character Rules . . . .140

Set Exclusion Rules (Excluding Specific Characters) . . . .141

Set Password History and Expiration . . . .142

Test Password Policy. . . .143

Establish Logon Preferences . . . .144

Customize Password Change Wizard . . . .144

Helping to Increase Password Strength and Security In Your Environment . . . .146

Chapter 6

Managing How Password Manager Works with Applications

Overview of Application Templates . . . .149

Managing Application Definitions Using Templates. . . .149

Obtaining Application Templates from the Web . . . .150

Importing Application Templates from a Network Share . . . .150

Adding an Application Definition Using a Template . . . .150

Creating Application Templates . . . .152

(8)

How the Password Manager Agent Identifies Applications and User Credential

Management Events . . . .152

Identifying the Parts of the Application’s User Interface. . . .153

Application Definition Wizard Overview . . . .154

Identify Application. . . .155

Manage Forms . . . .155

Name Custom Fields . . . .155

Specify icon . . . .156

Configure advanced detection. . . .156

Credential submission loops . . . .156

Credential change loops. . . .157

Configure password expiration . . . .157

Confirm settings . . . .157

Form Definition Wizard Overview . . . .157

Windows Type Application Definitions. . . .159

Gathering the Information Required for Windows Application Definitions . .160 Form Definition Process . . . .160

Name form . . . .160

Identify form . . . .161

Define form actions . . . .163

Configure other settings. . . .165

Confirm settings. . . .165

Using Advanced Matching to Identify Windows Forms . . . .166

Class Information. . . .166

Control Matching . . . .167

SAP Session Information. . . .169

Window Identifier . . . .170

Identification Extensions . . . .170

Using the Action Editor to Define the Action Sequence for Forms. . . .171

Action Sequence Definition Process . . . .172

Action Descriptions . . . .173

Considerations for Windows Type Definitions . . . .174

Web Type Application Definitions . . . .176

Gathering the Information Required for Web Application Definitions . . . .177

Form Definition Process . . . .177

Name form . . . .177

Identify form . . . .179

Configure other settings. . . .179

Confirm settings. . . .180

(9)

Redirect to Windows Application Configuration. . . .180

Advanced Settings Dialog Box for Web Applications. . . .181

Host/Mainframe Type Application Definitions . . . .183

Gathering the Information Required for Host Application Definitions . . . .183

Form Definition Process . . . .184

Name form . . . .184

Identify form . . . .185

Set field description rules. . . .186

Configure other settings. . . .187

Confirm settings. . . .188

Advanced Settings for Host Applications. . . .188

Host Form Additional Settings . . . .188

Ignore Match . . . .189

Considerations for Host Type Definitions . . . .189

Terminal Emulation Support. . . .189

Mfrmlist.ini Field Definitions . . . .191

Chapter 7

Creating User Configurations

What Is a User Configuration? . . . .194

Default User Configuration Properties . . . .195

Before You Begin . . . .198

Specifying Domain Controllers for User Configurations. . . .198

Creating a User Configuration: the User Configuration Wizard . . . .200

Name User Configuration . . . .201

Select Product Edition . . . .201

Choose Applications . . . .201

Configure Agent Interaction . . . .204

Advanced Settings . . . .206

Configure Licensing . . . .210

Select Data Protection Methods . . . .212

Select Secondary Data Protection . . . .215

Enable Self-Service Features . . . .216

Locate Service Modules . . . .216

Completing the User Configuration Wizard. . . .216

Synchronizing Credentials by Using Account Association. . . .217

Account Association Configuration Task Workflow . . . .217

Choosing and Configuring a Domain to Host the Credential Synchronization Module. . . .218

Configuring Account Association in the Agent Software . . . .222

(10)

Reset User Data . . . .223

Delete User Data From Central Store . . . .225

Prompting Users to Reregister Answers to Security Questions . . . .226

Assigning Priority to User Configurations. . . .227

Assigning a User Configuration to Different Users. . . .227

Upgrading Existing User Configurations. . . .229

Chapter 8

User Authentication and Identity Verification

Overview of Password Manager Authentication . . . .232

When Must Users Confirm Their Identities? . . . .233

Overview of Identity Verification Methods . . . .234

Previous Password. . . .234

Security Questions. . . .235

Bypassing Identity Verification . . . .235

If Users Switch Among Multiple Authentication Methods. . . .236

Chapter 9

Managing Question-Based Authentication

Confirming User Identity Using Question-Based Authentication. . . .238

Considerations . . . .239

Question-Based Authentication Workflow . . . .240

Designing Security Questions: Security Versus Usability. . . .241

Considerations for Security Questions . . . .242

Managing Your Questions . . . .242

Setting a Default Language. . . .243

Creating New Security Questions . . . .243

Adding or Editing Text for Existing Questions (Including Translated Text) .245 Creating Security Question Groups . . . .247

Creating and Implementing Your Questionnaire . . . .249

Before You Begin . . . .249

Selecting Questions for Key Recovery . . . .251

Backward Compatibility with Previous Versions of Password Manager . . . .252

Allowing Users to Reregister Answers to Their Security Questions . . . .253

Chapter 10

Allowing Users to Manage Their Primary Credentials with Account

Self-Service

Overview of Self-Service . . . .256

Considerations . . . .256

Using Automatic Key Management with Self-Service . . . .257

(11)

When Users Forget Their Security Questions . . . .257

User Experience . . . .259

Chapter 11

Using Provisioning to Automate Credential Entry

Summary of Provisioning Tasks . . . .262

Generating a Credential Provisioning Template . . . .263

Editing the Provisioning Template. . . .264

The <cpm-provision> Tag. . . .264

Example Output. . . .265

The <user> Tag . . . .266

The <add> Command . . . .267

The <modify> Command . . . .268

The <delete> Command . . . .269

The <remove> Command . . . .270

The <reset> Command . . . .271

The <list-credentials> Command . . . .271

Provisioning Credentials. . . .272

Tuning Credential Provisioning Processing. . . .273

The Credential Provisioning SDK . . . .273

Chapter 12

Hot Desktop: A Shared Desktop Environment for Users

Summary of Hot Desktop Tasks. . . .277

Hot Desktop Start Up and Shut Down Process Flow . . . .278

Hot Desktop Startup and Shutdown Events . . . .278

Troubleshooting Hot Desktop User Startup . . . .279

Creating a Hot Desktop Shared Account . . . .280

Guidelines for the Hot Desktop Shared Account . . . .280

Organizing Hot Desktop Users . . . .281

Restricting User Rights . . . .281

Hot Desktop, Smart Cards, and Key Recovery . . . .281

Requirements for Applications Used with Hot Desktop . . . .282

Controlling How Applications Behave for Hot Desktop Users. . . .283

Before You Begin . . . .284

The session.xml File . . . .285

Launching Applications Using session.xml . . . .285

session.xml Tags . . . .286

<startup_scripts> . . . .286

<shutdown_scripts> . . . .287

(12)

Example: Cleaning Up a Session with a Script . . . .288

The process.xml File . . . .289

process.xml Tags . . . .289

<persistent_processes> . . . .290

<transient_processes> . . . .291

<shellexecute_processes> . . . .292

User Configuration Settings for Hot Desktop . . . .293

Locating Hot Desktop Settings in a User Configuration . . . .293

Setting the Location of the session.xml File. . . .293

Specifying Hot Desktop Session Time-Out Options . . . .294

Enabling the Hot Desktop Session Indicator . . . .294

Specifying a Custom Bitmap Graphic as a Session Indicator . . . .295

Using the Hot Desktop Screen Saver . . . .295

Installing Hot Desktop . . . .296

Disabling Terminal Services for a Hot Desktop Administrative or Silent Install . 296 Uninstalling Hot Desktop . . . .298

Restoring Terminal Services after Uninstalling Hot Desktop . . . .299

Enabling Multiple Sessions after Uninstalling Hot Desktop . . . .299

Interacting with Citrix Presentation Server Clients . . . .301

Program Neighborhood Agent . . . .301

Citrix Web Interface . . . .301

Viewing Hot Desktop User Profiles. . . .302

Shutting Down a Hot Desktop Workstation. . . .302

Working without AutoAdminLogon Support . . . .302

Changing the Hot Desktop Shared Account Password . . . .304

Hot Desktop Information on the Web . . . .304

Chapter 13

Operations

Logging Password Manager Events. . . .306

Enabling Event Logging . . . .307

Password Manager Agent Does not Submit Credentials . . . .308

All Formats (Windows, Web, Terminal Emulators) . . . .308

Windows-Based Applications. . . .309

Web-Based Applications. . . .310

Terminal Emulator-Based Applications . . . .311

Supporting Terminal Emulators . . . .312

Configuring HLLAPI Support for Tested Emulators. . . .313

Application Recognition Initialization (.ini) Files . . . .314

(13)

Software Upgrades and the GINA Chain . . . .315

Retrieving and Submitting Credentials . . . .316

Creating a New Signing Certificate . . . .316

Signing, Unsigning, Resigning, and Verifying Data . . . .317

Signing Data (-s) . . . .318

Resigning Data (-r) . . . .318

Unsigning Data (-u). . . .319

Verifying Data (-v) . . . .319

Enabling and Disabling the Data Integrity Service on Password Manager Agent Software . . . .320

Removing Deleted Objects from Your Central Store . . . .321

Moving Data to a Different Central Store . . . .321

Migrating Data to a New Central Store . . . .322

Backing Up Important Files . . . .323

Backing Up Password Manager Service Files . . . .324

Appendix A

Password Manager Settings List

Appendix B

Password Manager 4.5 Settings Reference

User Configurations. . . .331

Basic Agent Interaction . . . .331

Agent User Interface . . . .333

Client Side Interaction . . . .334

Synchronization . . . .335

Account Association . . . .336

Application Support . . . .337

Hot Desktop . . . .339

Licensing . . . .340

Data Protection Methods . . . .341

Secondary Data Protection. . . .343

Self Service Features . . . .344

Key Management Module . . . .345

Provisioning Module . . . .345

Application Definitions . . . .346

Edit Application Forms . . . .346

Application Icon. . . .347

Advanced Detection. . . .347

Password Expiration . . . .347

Password Policies . . . .348

(14)

Alphabetic Character Rules . . . .349

Numeric Character Rules. . . .350

Special Character Rules . . . .351

Exclusion Rules . . . .352

Password History and Expiration . . . .353

Test Password Policy . . . .354

Logon Preferences . . . .355

Password Change Wizard . . . .356

Appendix C

Application Definition Extensions

Agent Software Operation . . . .359

Identification Extensions. . . .360

Defining Identification Extensions . . . .361

Action Extensions . . . .363

Defining Action Extensions. . . .363

Implementer Requirements . . . .365

Enabling Logging . . . .366

Appendix D

Virtual Key Codes for Host and Windows Applications

Codes for VTabKeyN (Windows) . . . .367

Codes for VirtualKeyCode (Windows) and VKEY (Windows) . . . .368

(15)

Welcome

Citrix Password Manager provides password security and single sign-on access to Windows, Web, and host-based applications running in the Citrix environment as well as local applications on the desktop. Users authenticate once and Password Manager does the rest, automatically logging on to password-protected

information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks, including password changes. Designed to work seamlessly with all products in the Citrix Access Suite, Password Manager adds value to each of the component products in the Access Suite:

• Citrix Presentation Server

Password Manager provides single sign-on access to any number of password-protected applications published on servers running Presentation Server.

• Citrix Access Gateway with Advanced Access Control

Users authenticate once and Password Manager passes their credentials through to any information and application resource available in the secure, personalized computing environment that is delivered from access centers. This chapter provides:

• An overview of the capabilities and components of Password Manager • A list of new features in this release

• Information about this document

(16)

Password Manager Components

The following sections briefly describe the components you need to install to start using Password Manager. For detailed information, see “Planning Your Password Manager Environment” on page 29.

The main components of Password Manager are: • The central store

• The Password Manager Console • Password Manager Agent software • Password Manager Service (optional)

The Central Store

The central store is a centralized repository used by Password Manager to store and manage user and administrative data. User data includes user credentials, security question answers, and other user-focused data. Administrative data includes password policies, application definitions, security questions, and other wider-ranging data. When a user signs on, Password Manager compares that user’s credentials to those stored in the central store. As the user opens password-protected applications or Web pages, the appropriate credentials are drawn from the central store.

Password Manager Console

The Password Manager Console is the command center of Password Manager. From the console, you manage the users’ Password Manager experience. Here, you configure how Password Manager will work, which features will be deployed, which security measures will be used, and other important password-related settings.

The console has four main items, or nodes, in the left pane. By selecting a node, tasks specific to that node appear. These nodes are:

• User Configurations

These configurations allow you to tailor particular settings for your users based on their geographic locations or business roles. The settings of the other three nodes are used to create user configurations.

• Application Definitions

(17)

Password Manager to speed this process, or create your own customized definitions for applications that cannot use these templates. Additional templates are located at http://www.citrix.com/passwordmanager/ gettingstarted.

• Password Policies

Password policies control password length and the type and variety of characters used in both user-defined and automatically-generated passwords. Password policies also allow you to identify characters to exclude from use in passwords and whether or not previous passwords can be reused. Creating password policies consistent with your company’s security policies ensures that password security is appropriately managed by Password Manager.

• Identity Verification

The security questions you create provide an added layer of security to your agent software by protecting against user impersonation, unauthorized password changes, and unauthorized account unlocking. Users who enroll and answer your security questions can answer those questions to verify their identity and perform self-service tasks to their account, such as resetting their primary password or unlocking their user account.

Password Manager Agent Software

The Password Manager Agent is the software users need on their client devices to act as an intermediary between users and their applications. The Password Manager Agent acts as an intermediary between users and applications that require authentication.

When a user tries to access an application that requires authentication, the agent software intercepts the application’s request for authentication, finds the correct credentials, and submits them to the application.

In addition, the Password Manager Agent can provide users with a wide array of features. Which features the users actually receive is determined by the

administrative settings you make in their user configurations. See “Password Manager 4.5 Settings Reference” on page 331 for the specific settings available to you.

Password Manager Agent features include: • Notification area icon

(18)

• Logon Manager

The Logon Manager provides a user interface where credentials can be created, viewed, edited, and deleted. Users can also conduct security question registration and access online Help from the Logon Manager. The File menu provides the user with much of the available access: • The New Logon command allows users to add new Windows-,

Web-, or host-based application credentials to Password Manager. • The Properties command gives the user access to properties

associated with the credentials for the specified application. From there, the user can change the password, user ID, and other logon information.

• The Delete command, when invoked, removes users’ credentials for the selected application from Logon Manager.

• The Copy command provides a duplicate set of the selected credentials that the user can then edit to create multiple sets of credentials for single applications.

Other commands you can give users access to include:

• The Reveal Passwords command, from the View menu, allows the user to display the passwords of the applications listed in Logon Manager

Note: Password policy settings for revealing passwords override

this command. If you do not want users to reveal the password for an application, be sure to set the password policy to prevent this. • The Security Question Registration command, from the Tools menu,

gives the user the option to restart the Security Question Registration wizard and provide new answers to the security questions.

• The Account Association command, from the Tools menu, allows the user to create an association between accounts on different domains. By using this feature, the user’s credentials are synchronized, with password changes carried across domains.

• Automated new logon setup

(19)

stored in Password Manager, the New Logon wizard automatically appears, offering to store them.

• User mobility

The Password Manager Agent supports remote and mobile users. By obtaining a license before disconnecting, remote users can access their credentials when they are disconnected from the corporate network. Mobile users can move from one computer to another and multiple users can securely share one workstation.

The Password Manager Service

The Password Manager Service runs on a Web server that provides the foundation for optional features included in this release. Install the Password Manager Service if you plan to implement at least one of the following modules:

• Account Self-Service Module, which allows users to reset their Windows passwords and unlock their Windows accounts

• Data Integrity Module, which protects data from being compromised while in transit from the central store to the agent

• Key Management Module, which allows users to log on to the network and have immediate access to applications managed by Password Manager • Provisioning Module, which allows you to use the console to add, remove,

or update credential information for your users

• Credential Synchronization Module, which synchronizes user credentials using a Web service

(20)

Password Manager Product Line

Password Manager is now available in two editions: Advanced and Enterprise.

Password Manager Advanced Edition

The Advanced Edition of Password Manager increases your organization’s security with:

• Strong password policy options • Automated password generation

• Automatically started Password Change Wizard option

• Password encryption while in memory, storage, and transmission • Password expiration options for applications lacking that capability The Advanced Edition also interacts well with other programs, easing the user’s logon information storage process as well as your maintenance of that process and information.

Password Manager Enterprise Edition

The Enterprise Edition of Password Manager is designed for the most demanding and complex enterprise environments. The Enterprise Edition:

• Provides additional security, user self-service, and on-site user mobility features and performance.

• Reduces calls to the help desk through user self-service features that enable users to change their own Windows password and unlock their account. • Allows on-site mobile workers to quickly access information with Hot

Desktop, which facilitates fast user switching at shared workstations. • Includes enterprise security features such as integration with smart cards,

(21)

Password Manager Advanced versus Enterprise

Editions

User Features Advanced Edition Enterprise Edition

Single sign-on to Windows applications X X Single sign-on to Web applications X X Single sign-on to host-based terminal emulator applications X X Citrix Access Client X X Localized user interface X X Support for SAPGUI, Internet Explorer 7 (32-bit, 64-bit) X X Self-service password reset X Self-service account unlock X Self-service feature integration with Web Interface X Hot Desktop fast user switching X Hot Desktop/SmoothRoaming integration X

Account association X

Security Features Advanced Edition Enterprise Edition

Automated password change X X Transparent password change X X Encrypted passwords in memory, storage, during transmission X X Password policy enforcement—automatic password changes X X Password policy enforcement—manual password changes X X Password expiration X X Password token and biometric support X X Basic support for smart cards X X

Smart card support X

(22)

New Features in the Advanced Edition

The Advanced Edition includes the following new features:

Application Definition Extensions

The Application Definition Extensions enable greater extensibility through scripting support and the ability to invoke an executable for both application detection and password-related actions. This enhances the ability to configure an application for single sign-on use. See “Application Definition Extensions” on page 359 for details.

Internet Explorer 7 (32-bit and 64-bit) Support

Support for both the 32-bit and 64-bit versions of Internet Explorer 7 has been added. For example, if a user switches to an Internet Explorer tab containing a new application, Password Manager Agent prompts the user for credential storage.

Enhanced SAPGUI Support

SAPGUI scripting for the SAP Logon Pad has been added, giving Password Manager a fifth SAP integration option.

Administrator Features Advanced Edition Enterprise Edition Batch credential provisioning X X Integration with user provisioning products X X Windows NT file share support X X Microsoft Active Directory support X X Novell NetWare network share support X X LDAP directory support X X Administration by Active Directory groups X X Citrix Streaming Server support X X Citrix Access Management Console X X Suite-integrated licensing X X Windows Server 2003 64-bit compatibility X X Named user licensing X X Concurrent user licensing [Citrix Password Manager for

(23)

Simplified Password Change Wizard

This Password Change Wizard starts when Password Manager detects that an application requested a password change or the user started the password change process within the application. The wizard includes the administrative option to automatically determine whether or not the password change is successful.

Administration by Active Directory Groups

Password Manager now enables user settings to be deployed to Active Directory groups in environments with Active Directory or NTFS file shares using Active Directory authentication. Administrators also have the ability to prioritize the group membership list and retain the ability to administer by domain level, organizational unit, or the individual user level.

New Features in the Enterprise Edition

The Enterprise Edition includes all the new features of the Advanced Edition, plus the following:

User Self-Service Integration with Presentation Server

Web Interface

Users can now reset their primary network password or unlock their account from the Citrix Web Interface as well as the Windows logon screen.

Kerberos and Federated Environment Support

Password Manager now supports single sign-on to rich-client applications across Web domains. After users authenticate to their organization’s primary domain, their credentials are automatically supplied to the applications of a trusted partner company. Standard Federation solutions provide single sign-on to Web

applications only, but through the use of Password Manager with Presentation Server, Federation with single sign-on can be employed for all application types.

Account Association

(24)

Enhanced Support for Users Switching between Strong

Authentication Methods

Users are no longer required to answer security questions when switching between strong authentication methods even if automatic key management is not configured (previously, users were not required to authenticate again if automatic key management was configured). For example, users can access their accounts locally with a smart card and then remotely with a one-time password token and not be prompted to verify their identity.

About this Document

The overall objectives of this guide are:

• To provide you with a good understanding of the features and functionality of Password Manager

• To provide you with an understanding of the prerequisites and procedures necessary to successfully install Password Manager

• To provide you with guidelines for planning and implementing the deployment of Password Manager in your organization

• To provide you with instructions and tips to help you create and maintain the optimum password management environment for your users

Audience and Assumptions

This document is intended for use by system and security administrators who are implementing Password Manager. It is assumed that you, the reader, have a basic understanding of Windows Server administration. You must have working knowledge of Novell NetWare if this is the platform you are using to install or maintain Password Manager.

Providing Feedback about this Document

To provide feedback about the documentation, go to www.citrix.com and click

Support > Knowledge Center > Product Documentation. To access the

(25)

Document Conventions

Citrix product documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:

Getting More Information and Help

This section discusses the documentation for this release. It also describes how to get more information about Password Manager.

Product Documentation

Password Manager contains a robust library of documentation. With the exception of the Pre-Installation Update Bulletin, the following documents are available in the Documentation directory on the product CD. The bulletin is available at http://support.citrix.com/article/CTX110783.

Convention Meaning

Boldface Commands, names of interface items such as text boxes, option buttons, and user input.

Italics Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics are also used for new terms and the titles of books.

%SystemRoot% The Windows system directory, which can be WTSRV, WINNT, WINDOWS, or any other name you specify when you install Windows.

Monospace Text displayed in a text file.

{ braces } A series of items, one of which is required in command statements. For example, { yes | no } means you must type yes or no. Do not type the braces themselves. [ brackets ] Optional items in command statements. For example,

[/ping] means that you can type /ping with the command. Do not type the brackets themselves. | (vertical bar) A separator between items in braces or brackets in

command statements. For example, { /hold | /release | / delete } means you type /hold or /release or /delete. … (ellipsis) You can repeat the previous item or items in command

(26)

Pre-Installation Update Bulletin

The Pre-Installation Update Bulletin contains installation-related information developed after the Readme file was completed.

Readme file

The Readme file provides information about Password Manager functionality, known issues, changes, and other important information developed after the

Citrix Password Manager Administrator’s Guide was completed. Be sure to read

this before installing Password Manager.

Getting Started with Citrix Licensing Guide

The licensing process for Password Manager changed since the release of Password Manager 4.1. See Getting Started with the Citrix Licensing Guide, included on your product CD, for instructions to license Password Manager.

Note: Guides are provided as Adobe Portable Document Format (PDF) files.

To view, search, and print PDF documents, you need to have Adobe Acrobat Reader 5.0.5 with Search, or Adobe Reader 6.0 through 7.0. You can download these products for free from Adobe Systems’ Web site at http://www.adobe.com/.

Citrix Password Manager Administrator’s Guide

The manual you are currently reading provides conceptual information, procedures for deployment, and implementation instructions for system administrators who install, configure, and test the components of Password Manager.

Installation Checklist

(27)

Online Help for Administrators and Users

Administrators now have a robust set of Help topics based on this guide. Adminstrators can now view information about common tasks, workflow, and settings on the screen.

Users can get information about common tasks, including adding logon information for applications, using the Logon Manager, and setting Password Manager automatic features. Users can access Help through Help menus or Help buttons.

Citrix Password Manager Evaluator’s Guide

This guide delivers a practical overview of Password Manager features and functionality by providing instructions for setting up and running a small-scale deployment of the product.

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Advisors Program. Contact your supplier for first-line support or check for your nearest Solutions Advisor at http://www.citrix.com/site/partners.

In addition to the Citrix Solutions Advisors Program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at http://support.citrix.com/. Knowledge Center features include:

• A knowledge base containing thousands of technical solutions to support your Citrix environment.

• A Web-based product documentation library. • Interactive support forums for every Citrix product. • Access to the latest hotfixes and service packs. • Security bulletins.

• Web-based problem reporting and tracking (for users with valid support contracts).

• Citrix Live Remote Assistance. Using Citrix's remote assistance product, GoToAssist, a member of our support team can view your desktop and share control of your mouse and keyboard to get you on your way to a solution.

(28)

Subscription Advantage

Subscription Advantage gives you an easy way to stay current with the latest server-based software functionality and information. During your subscription period, you get automatic delivery of:

• Feature releases • Software upgrades • Enhancements • Maintenance releases

• Priority access to important Citrix technology information.

You can find more information about subscribing on the Citrix Web site at http://www.citrix.com/services/ (click Subscription Advantage). You can also contact your Citrix sales representative or a member of the Citrix Solutions Advisors Program for more information.

Education and Training

Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.

(29)

Planning Your Password Manager

Environment

This section contains information to help you plan your Password Manager environment and to help you decide how to implement Password Manager. The following topics are described in this section:

• “Planning Workflow Diagram” on page 30 • “Getting Started” on page 31

• “Which Central Store Type Should I Choose?” on page 33

• “What about Password Policies for Application Access?” on page 42 • “Which Type of SSO-Enabled Applications Are Used in My Enterprise?”

on page 48

• “What Type of Smart Cards Are Used in My Enterprise?” on page 50 • “Do I Need to Use Identity Verification?” on page 51

• “Planning Your User Configurations” on page 54

• “Do I Share the Same Resources or a Workstation Among Many Users? (Hot Desktop)” on page 59

• “Selecting Optional Password Manager Service Features” on page 61 • “Password Manager Agent Deployment Scenarios” on page 67 • “Guidelines for Multiple Primary Authentication and User Credential

(30)
(31)

Getting Started

A Password Manager environment can include the following:

• Shared network folders or Active Directory containing the central store • One or more PCs running the Password Manager Console

• User PCs running the Password Manager Agent

• A dedicated server hosting the Password Manager Service with one or more feature modules installed on it

• Citrix Presentation Server environment hosting the Password Manager Agent

• Authentication devices such as smart cards

(32)

Task See this section 1. Research features that you might

implement in your environment. “Planning Your Password Manager Environment” on page 29 (that is, this section) “User Authentication and Identity Verification” on page 231

“Managing Question-Based Authentication” on page 237

“Allowing Users to Manage Their Primary Credentials with Account Self-Service” on page 255

“Using Provisioning to Automate Credential Entry” on page 261

“Hot Desktop: A Shared Desktop Environment for Users” on page 275

2. Create a central store and install the Password Manager components with optional features.

Upgrade an existing deployment of Password Manager.

“Which Central Store Type Should I Choose?” on page 33

“Installing Password Manager” on page 79 “Upgrading Password Manager” on page 123 3. Create, edit, or review your

password policies. “What about Password Policies for Application Access?” on page 42 “Using Password Policies to Enforce Password Requirements” on page 135

4. Create or edit your application

definitions. “Which Type of SSO-Enabled Applications Are Used in My Enterprise?” on page 48 “Managing How Password Manager Works with Applications” on page 147

5. Create user configurations based on

your enterprise requirements. “Planning Your User Configurations” on page 54 “Creating User Configurations” on page 193 6. Install the agent software on user

desktops or a computer running Presentation Server.

“Password Manager Agent Deployment Scenarios” on page 67

“Installing and Configuring the Password Manager Agent” on page 114

7. Notify your users that Password Manager can help securely store their application credentials.

(33)

Which Central Store Type Should I Choose?

Note: You can create a central store automatically as part of the Password

Manager installation process or manually by using the central store setup utilities. See “Creating a Central Store” on page 98 and “Optional—Creating a Central Store from a Command-Line” on page 101.

Password Manager uses a repository known as the central store to store and retrieve information about your users and your environment. Password Manager relies on the data in the central store to perform all default and configured single sign-on functions.

The central store contains user data and administrative data:

User data in the central store includes user secondary credentials, security

questions and answers, service-related data (for example, provisioned data, question-based authentication data, key recovery enrollment, and so on), and user Windows registry data associated with Password Manager • Administrative data in the central store includes application definitions,

password policies, security questions, and other settings made through the console for Password Manager features and components

The central store basically enables the agent software running on a user PC or computer running Citrix Presentation Server to communicate with the central store and services, and to provide user credentials to applications to which the user has been granted access.

The agent maintains a local store on the user PC. The local store contains only the user’s secondary credentials, key recovery information, and security questions and answers (if applicable). It synchronizes with the central store to allow users to roam throughout the enterprise and always have access to saved user credentials. The central store can be one of the following:

• Active Directory

The central store uses the Active Directory environment and objects to store and update Password Manager data.

See “Choosing an Active Directory Central Store” on page 35. • NTFS network share

(34)

• Novell shared folder

The central store uses a Novell NetWare shared folder to store the Password Manager data.

See “Choosing a Novell Shared Folder” on page 38.

Note: Citrix Password Manager allows you to migrate users from one central

store type to another if you later decide that one type is more suitable than the current one used in your environment. See “Moving Data to a Different Central Store” on page 321.

Note: If your enterprise forest contains multiple domains, see “Using Account

Association with Multiple Central Stores and User Account Credentials in a Multiple Domain Enterprise” on page 40.

Also see “Specifying Domain Controllers for User Configurations” on page 198 for information about user configurations in multiple domain controller

(35)

Choosing an Active Directory Central Store

Choosing to use Active Directory as your central store enables you to leverage the convenience of your existing Active Directory user authentication and object administration. For example, you can apply user-specific settings to any level in a domain—domain, organizational unit, group, or user.

Two new classes and two attributes are added to the Active Directory schema when you create an Active Directory central store:

Note: See the CitrixMPMSchema.xml file in the \Tools folder of the Password

Manager product CD for more information about these classes and attributes. In general, choose Active Directory as your central store if you:

• Can successfully extend your Active Directory schema without affecting your enterprise

• Already implement Active Directory backup and restore best practices as recommended by Microsoft (although this is not a requirement)

• Prefer the high availability that is built in to Active Directory to be extended to the central store data

Advantages

• Active Directory includes built-in failover and redundancy, so additional measures for disaster recovery are not needed

• Active Directory replication helps to distribute central store administrative and user data across your enterprise

Class Description

citrix-SSOConfig Describes the object containing data for the agent settings, synchronization state, and the ENTLIST.INI application definition file and the FTULIST.INI first-time agent use behavior file. This class includes the following attributes:

• citrix-SSOConfigData - contains the actual data • citrix-SSOConfigType - specifies the data type

citrix-SSOSecret Describes the secret data object used to authenticate a Password Manager user. This class includes the following attribute: • citrix-SSOSecretData - contains encrypted credential data for

(36)

• No additional hardware is needed when using an Active Directory central store

Considerations

• You must extend your schema when using an Active Directory central store, which requires careful planning and implementation. Extending the schema affects the entire forest.

• You might want to extend the schema and create your Active Directory central store during non-peak usage hours. Your Active Directory

replication cycle latency affects how quickly these changes are copied to all domain controllers in the forest.

(37)

Choosing an NTFS Network Share

Important: Citrix recommends that you use a hidden share for the central store

in this case. Creating a central store as described in “Creating a Central Store” on page 98 or “Optional—Creating a Central Store from a Command-Line” on page 101 automatically creates a hidden share.

Choosing to use an NTFS network share as your central store enables you to leverage the convenience of your existing Active Directory user authentication and tree structure without having to extend the Active Directory schema. For example, you can apply user-specific settings to any level in a domain—domain, organizational unit, group, or user.

Password Manager creates a shared folder named CITRIXSYNC$ with two subfolders named People and CentralStoreRoot.

The People folder contains a subfolder for each user and includes the appropriate read and write permission properties for the user. The CentralStoreRoot folder contains administrative data.

Advantages

• You can emulate the look and feel of an Active Directory central store without having to extend your Active Directory schema. Yet you can take advantage of your existing Active Directory hierarchy or groups.

Note: Associating user configurations to groups is supported only in Active

Directory domains that use Active Directory authentication.

• User data is always up-to-date, because it is stored in a central location and avoids any data replication latency associated with Active Directory. • You can load balance your shares among multiple computers that can each

host an NTFS network share for higher availability.

• Helps reduce the authentication task workload from your Active Directory environment.

• If you decide later to implement an Active Directory central store,

(38)

Considerations

• You might need additional hardware to host the central store.

• You need to back up central store files and folders (including their related permissions) regularly. Ensure that you also maintain and implement disaster recovery plans where you replicate files and folders for site recovery.

• Your enterprise network topology might require users (and the Password Manager agent) to transfer user data across one or more WAN links. In this case, consider implementing implement the Distributed File System technology included as part of Microsoft Windows Server 2000 or 2003. The Microsoft Web site http://support.microsoft.com describes the Distributed File System technology in more detail.

Choosing a Novell Shared Folder

Important: Password Manager services are not supported in Password

Manager environments using Novell NetWare shared folders.

Choosing to use a Novell NetWare shared folder as your central store enables you to leverage the convenience of your existing Novell NetWare directory services. Using this central store type is similar to using an NTFS network share.

Configure a secured network folder in eDirectory to store all data associated with your Password Manager environment. Applications and settings can be defined and assigned at the domain level.

Advantages

• You are already implementing Novell NetWare directory services

• You can choose to use an existing secure shared folder as the central store

Considerations

• This central store type does not support associating user configurations with Active Directory groups.

(39)

• Because the agent uses a Windows password, the use of Novell NetWare file synchronization requires that users’ Novell password be identical to their Windows passwords.

• The central store must be located in the same tree as the computers on which the agents are installed. Users must log on to a Novell tree where the shared folder is located. Users must also have accounts with read access permissions to the Novell NetWare shared folder you designate as the central store.

(40)

Using Account Association with Multiple Central

Stores and User Account Credentials in a Multiple

Domain Enterprise

Note: See “Synchronizing Credentials by Using Account Association” on page

217 to configure Account Association.

Administrators can create multiple central stores in enterprises that contain multiple domains. In fact, you can use more than one central store type in these environments. For example, you can associate user configurations with an NTFS network share central store in one domain and an Active Directory central store in another domain.

As companies might maintain multiple Windows domains, users might also have more than one Windows account. Password Manager includes a feature known as Account Association to allow a user agent to log on to any application from one or more Windows accounts. Because Password Manager typically binds user credentials to a single account, the credential information is not automatically synchronized among multiple accounts that a user owns.

However, administrators can configure Account Association to synchronize user credentials by using the Credential Synchronization Module. Users with Account Association configured have access to all applications from any of their accounts in their Password Manager environment. When user credentials are changed, added, or removed from one account, the credentials are automatically synchronized with each of the user's associated accounts.

Without Account Association, users with multiple Windows accounts are forced to manually change their logon information separately from each Windows account.

Advantages

• Account Association can help increase productivity and reduce support calls by synchronizing user credentials to help reduce logon maintenance or failures.

• Accounts can be synchronized across different central store types. That is, a user account configured to use Active Directory as the central store can synchronize with an associated user account that is configured to use an NTFS network share.

(41)

Active Directory hierarchy (OU or user) in one domain and associated with an Active Directory group in another domain.

• Accounts can also be synchronized across different user configuration associations in the same domain and within the same central store. • Trust relationships between domain controllers are not necessary to use

Account Association.

Considerations

Consider the following before configuring Account Association:

• Account Association is not compatible with smart cards when smart cards are used as the primary authentication mechanism to log on to Windows.

Note: The user configuration in each domain might have different

password policies that might block access to a resource, but Account Association synchronizes user credentials only, not user configuration policies. Consider how you compose password policies in your enterprise. • Each associated domain account must use Citrix Password Manager. • Application definition names must be the same in each user configuration

for the Account Association feature to synchronize credentials.

• User credentials are shared only for applications specified in application definitions created by the Password Manager administrator.

(42)

What about Password Policies for Application Access?

Password policies are rules that control how passwords are created, submitted, and managed. The Password Manager installation includes two standard password policies named Default and Domain, which cannot be deleted. You can copy and modify these policies to suit your enterprise policies and regulations.

“Default Settings for the Default and Domain Password Policies” on page 45 lists the installed default settings for the Default and Domain password policies. You can use this table to help modify them or create your own policies.

Default Password Policy

Password Manager applies the Default policy to password-enabled applications used in your enterprise (except for those that require user domain credentials; see “Domain Password Policy” on page 42). This policy is applied to any application that is not defined by an administrator (by using the application definition feature in the console) or any application that is not part of an application group.

When a user adds credentials to the agent’s Logon Manager for an application that does not have a corresponding application definition, Password Manager applies the Default policy to manage that application.

Domain Password Policy

Typically, an administrator creates an application group and selects the Domain policy to be applied to the applications in that group. Password Manager then applies the Domain policy to those applications that require the user’s domain credentials for access. The Domain policy can be modified or copied to reflect your enterprise’s Active Directory or NT domain policies for user accounts. If you want an application group to be treated as a domain password sharing group, you must apply the Domain policy to that application group.

Note: An application group is a collection of defined applications associated

(43)

Custom Password Policies

Important: When creating a custom password policy or modifying existing

policies, ensure that your enterprise requirements and application requirements match. For example, if you create a policy that does not at least match an application’s requirements, your users might not be able to authenticate to that application.

You can create password policies as needed: you can apply one policy for your domain sharing group, create individual policies to apply to individual groups of applications to secure them further, and so on.

In general, password policies can specify restrictions such as the following: • A minimum and maximum number of characters for a password • Alphabetical and numerical character usage

• Number of times a character can be repeated

• Excluding or requiring which characters or special characters can be used • Whether or not users can view their stored passwords

• How many times users can try entering their password correctly • Password expiration parameters

• Password history and password exceptions

Considerations

• Consider your security requirements in the context of ease-of-use for your users. Overly restrictive passwords might be hard for users to create, implement, or recall.

• As Password Manager is secure by design, the Default password policy defines the minimum level of password security recommended by Citrix Systems, Inc. for securing most single sign-on enabled applications. You can modify these settings according to your enterprise policies and regulations.

(44)

• When users change their passwords, Password Manager can be configured through a user configuration setting to check the old password against the new password. This helps prevent users from reusing passwords for the same application twice in a row.

• Users might have a single password that is used for multiple applications (in a suite of products, for example). This scheme is known as password sharing, where the same authentication authority is used for the

applications.

While the other credentials for those applications (such as user name and custom fields) might be different, the user’s password is the same. In this case, create an application group that is a password sharing group to ensure that the agent software manages the password for all applications in the group as a single entity. When the password is changed in one of the applications, the agent software ensures that the password change is reflected in the stored credentials for all applications in the group. • Domain password sharing groups differ from other password sharing

(45)

Default Settings for the Default and Domain

Password Policies

The following table describes the settings, as installed, for the Default and Domain password policies.

Default and Domain Password Policy Options Default

Setting Your Custom Setting

Agent Password Wizard User

prompted for action Alphabetic Character Rules

Alphabet case usage Allow uppercase and lowercase Minimum number of lowercase alphabetic characters

required 0

Minimum number of uppercase alphabetic characters

required 0

Password can begin with lowercase alphabetic character Yes Password can begin with uppercase alphabetic character Yes Password can end with lowercase alphabetic character Yes Password can end with uppercase alphabetic character Yes Basic Password Rules

Maximum number of times a character can occur 6 Maximum number of times a character can occur

sequentially 4

Maximum password length 20 Minimum password length 8 Logon Preferences

Allow user to reveal password for applications No Force user to re-authenticate before submitting application

credentials No

Number of logon retries 3

(46)

Allow numeric characters in password Yes Maximum numbers of numeric characters allowed 20 Minimum number of numeric characters allowed 0 Password can begin with a numeric character Yes Password can end with a numeric character Yes Password Exclusion Rules

Characters and character groups excluded from a password Optional setting Do not allow application user name in password. No Do not allow portions of application user name in password. No Do not allow portions of Windows user name in password. No Do not allow Windows user name in password. No Number of characters in the character groups that can be taken from the application user name. 0 Number of characters in the character groups that can be taken from the Windows user name. 0 Password Expiration

Enable password expiration No Number of days to warn the user before the application

password expires 14 Number of days until the user’s application password expires 42 Password History

Enable password history No Number of previous passwords that are kept in the password

history 1

Special Character Rules

Allow special characters in password No

Allow special characters list !@#$%^&*( )_+= [ ] \ | ,? Maximum number of special characters allowed 20 Default and Domain Password Policy Options Default

(47)

Minimum number of special characters required 0 Password can begin with a special character Yes Password can end with a special character Yes Default and Domain Password Policy Options Default

References

Related documents

The major Non Points racing program is the Entry Level which the regulations and criteria are uniform across Canada with their own set of rules and criteria for children ages

[r]

CRYPTOCard’s Citrix Access Suite (protecting Presentation Server, Web Interface, Access Gateway, MetaFrame Secure Access Manager, MetaFrame Password Manager) provides

This Certification Report states the outcome of the Common Criteria security evaluation of Citrix Password Manager, Enterprise Edition, Version 4.5, to the Sponsor, Citrix

6666 To map user accounts in Cloud Manager to Citrix ShareFile user accounts, select a Role (the ones in Cloud Manager) and a Destination group (the ones in Citrix ShareFile).

Notes on Citrix: Use SAML to avoid password prompt Notes on Citrix: Use SAML to avoid password prompt to start Notes to start Notes ID Files ID vault Active Directory

In the Mediterranean region, goat milk production is an important economic activity. In the present study, 4 casein genes were genotyped in 5 Sicilian goat breeds to 1)

8. On the Specify Server Address page, type the address of the computer running Password Manager Service, which, in this scenario, is the administrator's computer. A warning