Citrix MetaFrame Password Manager 2.5
Codename – “Andros”

Citrix MetaFrame Password Manager 2.5 - Release Theme
• Theme: “Broadening Support”
• Goals:
  – Increase the addressable market
    • Novell customers
    • German/French/Spanish/Japanese languages
    • Certificate-based smart cards
  – Maintain market momentum
    • Timely release after MetaFrame Password Manager 2.0
New Features – Novell Support
• MPM 2.5 can be used with Novell’s GINA
  – Primary authentication against Novell eDirectory
  – eDirectory is not supported as a credential store
• NetWare file share support
  – Allows use of a NetWare file share for the central credential store
  – New CtxNWFilePrep.exe utility
• Most Citrix/Novell customers use ZENworks’ Dynamic Local User (DLU) feature
  – The Windows username and password must match the Novell username and password.
  – Enable Volatile User to remove the user credential upon exit.
  – Synchronizes the user’s Novell and local NT user passwords,
New Features – Multi-factor Authenticators
• Enhanced support for smart cards, tokens, biometrics, and proximity devices:
  – Support for user certificate-based (X.509 PKI) network authentication
  – Re-authentication via workstation lock (secure attention
• Product testing with an ever-growing list of vendors (14 announced on March 23)
  – Smart cards: ActivCard, Axalto (Schlumberger), GemPlus, LOGICO, Netmaker
  – Biometrics: BioNet Systems, EKey, Identix, SAFLINK, Integrated Biometrics
  – Tokens: RSA, Secure Computing, VASCO, CRYPTOCard, Aladdin, PassGo
  – Proximity: Ensure
New Features – Extended Application Support
• Java and ActiveX based applications
  – MPM 2.5 introduces support for ActiveX controls, Java scripts and Java applets
  – Depending on the difficulty level, this may require services from Citrix Consulting
    • Must create both a Web app definition and a Windows app definition
    • Must export the INI file, edit it to add the new settings, and re-import it
• Drop-down menus
  – Previously (MPM 2.0), drop-down menus could be handled only via SendKeys or manual selection
    • Send arrow keys or the first letter of the menu item
  – MPM 2.5 provides automated drop-down menu selection
• Improved terminal emulation support
  – New configuration setting for terminal emulators that don’t write the location of their HLLAPI DLL in the registry
    • e.g. BOSaNOVA
• Support for long URLs
  – Previously (in MPM 2.0), URLs in excess of 256 characters could only be handled by substring matching
• Difficult applications
  – MPM 2.5 supports several unusual window characteristics
    • No window title
    • Dynamic (variable) window title
    • Dynamic class name
  – Examples:
    • Cerner medical apps (no window title or variable title)
    • McKesson PCView32 (dynamic class name)
New Features – Logging Tool
• Can be enabled when required to collect data on application detection and credential insertion
  – Intended to help troubleshoot difficult applications
  – For use by Technical Support or Citrix Consulting
• Enabled by creating a “Log” registry entry
  – HKLM\Software\Citrix\Metaframe Password Manager\Log
  – Provides agent logging
New Features – Improved End User Interface
• Confirmation of agent detection
  – End users are now asked to confirm whether the agent properly recognized the login fields and submit button
  – Prevents users from incorrectly configuring the agent
  – Directs them to their administrator for more complex
• Improved identity verification
  – MPM 2.0
    • Default question: Enter generic answer.
    • Likely to cause user confusion
  – MPM 2.5
    • Default question: What is your identity verification phrase?
    • Minimum length of the response to the default question increased from 8 to 12 characters for improved security
• Identity verification UI
  – Better end user description
  – New default verification question.
New Features – Policy Enforcement
• Enforcement of password policies is now extended to manual password change
  – MPM 2.0 only allowed this for auto-generated passwords

New Features - New Agent Settings
• Forced credential storage
  – Disables the end user’s ability to opt out of submitting credentials to Password Manager for applications with existing definitions
    • The Yes/No/Never dialog box is skipped, taking the user directly to the credentials entry screen
• Show tray icon
  – Enable/disable the agent icon that appears in the taskbar
  – Example usage:
Integration with MetaFrame Presentation Server 3.0
• Location of the central store can be specified per user
  – Note: can also be specified in HKCU (for customers not using MPS 3.0)
  – Different groups of users can have different settings by using multiple file shares
  – Large organizations can distribute users across multiple file shares
• MPM can be enabled/disabled per user
  – Allows for a staged roll-out without having to publish each
Performance Improvements
Measurement                               MPM 2.0   MPM 2.5
Insertion impact (AD), Windows 2000       7.5%      2.6%
Insertion impact (FS), Windows 2000       7.5%      5.0%
Agent response – Win32 app (AD)           1.00s     0.11s
Agent response – Win32 app (FS)           0.64s     0.51s
Network bandwidth utilization (AD)        130 KB    96 KB
Network bandwidth utilization (FS)        50 KB     32 KB
Preliminary figures (March 2004), taken on a Presentation Server at 65%
Troubleshooting - General
• Check that the agent is deployed and configured correctly.
• Check whether the agent is synchronizing properly.
  – Check the synchronization point.
  – Hit Refresh in the agent and check the time stamp of the INI files to see if they changed.
• The agent’s sync point may have been changed using the console.
  – Check whether you have an adminoverride.
    • If you do, you will have to delete the mmffile and the INI files.
    • The agent will then read the sync point from the registry again.
• Go to the sync point and check the permissions and settings.
• Check for network problems that may be causing the agent
Troubleshooting – Windows Applications
• Check whether the application is being detected.
• Make sure you add multiple window titles and class IDs for transient windows.
• Check whether the Password Manager agent is detecting the controls on the window.
• Other things to look for:
  – Check for dynamic control IDs by running the app repeatedly.
  – Check for null control IDs.
Troubleshooting – Web Applications
• Need to use forms
  – Look for the <FORM> tag in the source of the web page
  – Change the web page, or you will have to use SendKeys
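To make the “need to use forms” check above repeatable, here is an added example (not Citrix code and not part of these slides) that scans a login page’s HTML and reports whether a password field and a submit control sit inside a <FORM>; the two sample pages are constructed.

```python
# Added example, not Citrix code: checks whether a login page's credential inputs
# sit inside a <FORM> that also has a submit control, which the troubleshooting
# note above says the agent needs. The two sample pages below are constructed.
from html.parser import HTMLParser


class LoginFormScanner(HTMLParser):
    """Records, per <form>, its credential inputs and whether it has a submit control."""

    def __init__(self):
        super().__init__()
        self.forms = []   # one dict per <form> seen
        self.loose = []   # credential inputs found outside any <form>
        self._cur = None  # the <form> currently open, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"name": a.get("name") or a.get("id") or "(unnamed)",
                         "fields": [], "submit": False}
            self.forms.append(self._cur)
            return
        kind = (a.get("type") or "text").lower()
        if tag == "input" and kind in ("text", "password", "email"):
            entry = (a.get("name") or a.get("id") or "?", kind)
            (self._cur["fields"] if self._cur else self.loose).append(entry)
        elif self._cur and (tag == "button" or (tag == "input" and kind in ("submit", "image"))):
            self._cur["submit"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._cur = None


def check_login_page(html):
    """Return (usable, detail); usable means some <form> holds a password field plus a submit control."""
    s = LoginFormScanner()
    s.feed(html)
    for f in s.forms:
        if f["submit"] and any(k == "password" for _, k in f["fields"]):
            return True, f"form '{f['name']}' has {len(f['fields'])} credential field(s) and a submit control"
    if s.loose:
        return False, f"{len(s.loose)} credential field(s) outside any <FORM>; SendKeys needed"
    return False, "no <FORM> with a password field and a submit control; SendKeys needed"


# Constructed samples: a conventional login form, and a page whose inputs are
# outside any <FORM> and are submitted by script (the SendKeys case).
GOOD_PAGE = ('<form name="login" action="/auth"><input type="text" name="user">'
             '<input type="password" name="pw"><input type="submit" value="Go"></form>')
BAD_PAGE = ('<div id="login"><input type="text" id="user"><input type="password" id="pw">'
            '<a href="#" onclick="doLogin()">Log in</a></div>')
```

Run check_login_page over the saved page source; a False result means the page must be changed or the application definition falls back to SendKeys.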
Troubleshooting – Host Applications
• Check whether SSOMHO is running
  – SSOMHO runs when it detects the configured terminal emulator
• The following must be done in order for SSOMHO to run:
  – Mfrmlist.ini on the agent must have an entry for the emulator
  – The agent setting for host apps must be enabled
  – The HLLAPI short name must be defined for the emulator
Competitors
• Passlogix
• Protocom
• Sentillion

On the Horizon…
• Next release
  – Codename: “Abaco”
  – Release timeframe: “Turnberry” suite release - 1H ‘05
• Release focus
  – Hot Desktop (password and smart card authentication)
  – Self-service password reset
  – License server
  – Administration console