MetaFrame Password Manager Administrator’s Guide

the \Documentation directory of the Citrix MetaFrame Password Manager CD-ROM.

Trademark Acknowledgements

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

Copyright © 2002-2004 Citrix Systems, Inc. All rights reserved.

Citrix, ICA (Independent Computing Architecture), MetaFrame, MetaFrame XP, and Program Neighborhood are registered trademarks, and Citrix Solutions Network, MetaFrame Presentation Server, Citrix Authorized Learning Centers, Citrix Certified Administrator (CCA), Citrix Certified Enterprise Administrator (CCEA), and Citrix Certified Integration Architect (CCIA) are trademarks of Citrix Systems, Inc. in the United States and other countries.


Contents

Chapter 1

Welcome

MetaFrame Password Manager Documentation. . . 7

Citrix Information, Support, and Resources Online . . . 8

Chapter 2

Introducing MetaFrame Password Manager

The Benefits of MetaFrame Password Manager. . . 12

MetaFrame Password Manager Components . . . 13

MetaFrame Password Manager Agent . . . 13

MetaFrame Password Manager Console . . . 14

The Central Credential Store. . . 15

New Features in this Release. . . 16

Getting More Information and Help . . . 17

Accessing Product Documentation. . . 17

Getting Service and Support. . . 17

Chapter 3

Planning Your Deployment

Implementation Overview . . . 20

Hardware and Software Requirements . . . 21

Collecting Application Information. . . 22

Licensing Requirements . . . 23

Preserving the GINA Chain. . . 24

The GINA and Authentication Methods . . . 25

Using Smart Cards with MetaFrame Password Manager. . . 25

Smart Card Software Requirements . . . 26

Configuring the Server . . . 26

Switching between Authenticators . . . 26

MetaFrame Password Manager Deployment Scenarios . . . 26

Where to Install the Agent and Console. . . 27

Integrating with MetaFrame Presentation Server . . . 29

Integrating with MetaFrame Secure Access Manager . . . 30

Planning for Synchronization . . . 33


Securing the File Synchronization Folder Manually . . . 36

Storing User Password Data . . . 38

Setting Share Permissions . . . 39

Planning for Synchronization Using a Novell NetWare Folder . . . 40

Securing the File Synchronization Folder for Novell Netware Manually . . . 41

Using Novell ZENworks . . . 43

Planning for Active Directory Synchronization. . . 44

Assigning Permissions for Active Directory Security . . . 47

Chapter 4

Using the MetaFrame Password Manager Console

Installing the Console . . . 51

Upgrading from MetaFrame Password Manager 2.0 . . . 52

Installation Order Precautions. . . 52

Saving Existing Custom User Questions . . . 53

Licensing MetaFrame Password Manager . . . 54

Configuring the License Repository. . . 54

Adding a MetaFrame Password Manager License. . . 56

Activating a MetaFrame Password Manager License . . . 56

Configuring MetaFrame Password Manager Synchronization. . . 57

Setting Up a Shared Folder for Synchronization . . . 57

Specifying the Location of the Central Credential Store . . . 58

Setting Up Active Directory for Synchronization . . . 59

Connecting to Active Directory . . . 59

Introducing Application Definitions . . . 61

Drop-Down Logon Menu Support . . . 65

Using Windows Matching . . . 66

Using Windows Matching for a Change Password Wizard . . . 68

Using Wildcards . . . 69

Using SendKeys . . . 70

Using SendKeys for Java Applications . . . 72

Configuring Java Applications for MetaFrame Password Manager . . . 72

Configuring Java Applets for MetaFrame Password Manager . . . 74

Adding Web Application Definitions. . . 77

Using Web Matching . . . 81

Adding Host-Based Application Definitions . . . 82

How HLLAPI Works . . . 82

How MetaFrame Password Manager works with Host Emulators . . . 83


Error Detection Settings . . . 87

Change Password Wizard Behavior Settings . . . 87

Miscellaneous Settings . . . 87

Creating a First-Time-Use List . . . 87

Defining User Questions . . . 88

Creating Password Policies . . . 89

Configuring Password Sharing Groups. . . 91

Specifying Agent Settings . . . 93

Setting AccessManager Values . . . 95

Setting Authenticator Values . . . 99

Setting EventManager Values. . . 102

Setting Shell Values . . . 103

Setting SyncManager Values . . . 105

Saving Information to the Synchronization Point . . . 107

Configuring a Shared Folder Synchronization Point . . . 107

Configuring an Active Directory Synchronization Point . . . 109

Delivering Information to Agents . . . 111

MetaFrame Presentation Server and Installation Management . . . 112

Active Directory Group Policy Objects . . . 113

Chapter 5

Maintaining MetaFrame Password Manager

Working with Console Files . . . 115

Importing and Exporting Settings . . . 117

Import and Export Options in the Console. . . 118

Changing Application Definitions. . . 119

Logging MetaFrame Password Manager Events . . . 120

Chapter 6

Troubleshooting MetaFrame Password Manager

MetaFrame Password Manager Agent Does not Submit Credentials . . . 122

Global Settings . . . 122

Windows Applications . . . 123

Web Applications . . . 124

Terminal Emulators. . . 125

Application Recognition Initialization (.ini) Files . . . 126

MetaFrame Password Manager Agent Does not Launch . . . 126

Software Upgrades and the GINA Chain . . . 127

Windows Registry GINA Chain Reference . . . 127


Supporting Terminal Emulators . . . 129

Configuring HLLAPI Support for Tested Emulators. . . 130

Telnet and MetaFrame Password Manager . . . 130

Creating Mfrmlist.ini Entries . . . 131

Mfrmlist.ini Field Definitions. . . 132

Troubleshooting Windows Applications. . . 134

Windows Applications with Changing Window Titles . . . 134

Windows Applications with Different Window Classes . . . 134

Migrating from Shared Folder to Active Directory Synchronization. . . 135

Specifying Multiple Synchronization Points. . . 136

Manual Setup for Multiple Synchronization Points. . . 137

Forgotten Passwords and Forgotten Identity Verification Phrases. . . 138

How the Agent Detects Windows Applications . . . 139

How the Agent Detects Web Applications . . . 140

How the Agent Detects Terminal Emulators . . . 141

Credential Retrieval and Submission . . . 142

Glossary . . . 143


Welcome

Citrix MetaFrame Password Manager provides password security and single sign-on access to Windows, Web, proprietary, and host-based applications. Password-related tasks that users normally perform, including logon, password selection, and password changes, can be automated and handled by MetaFrame Password Manager.

Users authenticate once with a single password and MetaFrame Password Manager authenticates the users to all other password-protected applications—providing one, easy-to-remember, secure way to log on everywhere.

This chapter provides:

• A list of all MetaFrame Password Manager documentation included on the product CD-ROM with brief descriptions of each document

• Instructions about how to provide feedback regarding the documentation

• A comprehensive list of online resources for MetaFrame Password Manager and Citrix

MetaFrame Password Manager Documentation

The MetaFrame Password Manager documentation includes electronic manuals and online application help. This documentation set is designed to help users, administrators, and information and technology professionals who install, configure, and use MetaFrame Password Manager.


The following documentation is included with MetaFrame Password Manager:

• The Readme file provides the latest information about MetaFrame Password Manager functionality, known issues, and documentation changes. Be sure to read this document for important information before you install MetaFrame Password Manager.

• This manual, the MetaFrame Password Manager Administrator’s Guide, provides conceptual information and procedures for a specific deployment implementation for system administrators who install, configure, and test the components of MetaFrame Password Manager.

• Online, context-sensitive help is available for administrators and users of MetaFrame Password Manager. Administrators can get help for all of the settings and tools MetaFrame Password Manager provides. Users can get information about common tasks, including creating logons for applications, using the Logon Manager, and setting MetaFrame Password Manager automatic features. View this help by clicking the help buttons provided.

Note If you are new to MetaFrame Password Manager, read the MetaFrame Password Manager Evaluator’s Guide for instructions about setting up and running a small-scale test deployment of the product. This guide provides you with a practical overview of MetaFrame Password Manager features and functionality.

Important To view, search, and print the PDF documentation, you need to have the Adobe Acrobat Reader 5.0.5 with Search or a later version with Search. You can download Adobe Acrobat Reader for free from Adobe Systems’ Web site at http://www.adobe.com/.

Citrix Information, Support, and Resources Online

The Citrix home page is at http://www.citrix.com/. You can find information and services for customers and users. You can access technical support services and locate more information to assist you with MetaFrame Password Manager, updated readme and hotfix information, along with other Citrix solutions.

The following are some of the resources available from the Citrix Web site:


Citrix Developer Network. The Citrix Developer Network (CDN) is an open-enrollment membership program that provides access to developer toolkits, technical information, and test programs for software and hardware vendors, system integrators, licensees, and corporate developers who incorporate Citrix computing solutions into their products. For more information, go to http://www.citrix.com/cdn/.

Citrix product documentation library. The library contains the latest documentation for all Citrix products. You can download updated editions of the documentation that ships with Citrix products, as well as supplemental documentation that is available only on the Web site.

Citrix Clients. You can download Citrix clients for all supported platforms from the Downloads page of the Citrix Web site.

Support options. Program information about Citrix Preferred Support Services options is available from the Support area of the Citrix site.

Software downloads. A Downloads page provides access to the latest service packs, hotfixes, utilities, and product literature for download.

Online Knowledge Base. The online Knowledge Base contains an extensive collection of application notes, technical articles, troubleshooting tips, and white papers.

Discussion forums. The interactive online Support Forums provide outlets for discussion of technical issues with other Citrix users.

Education. Citrix offers a variety of instructor-led training (ILT) and Web-based training (WBT) solutions. ILT courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. These certification programs include Citrix Certified Administrator (CCA), Citrix Certified Enterprise Administrator (CCEA), and the new Citrix Certified Integration Architect (CCIA). Citrix certifications demonstrate the highest level of product knowledge and competency. Citrix WBT courses are available through CALCs, resellers, and at http://www.citrix.com/edu/. For more information about Citrix Education solutions, visit http://www.citrix.com/edu/.


Introducing MetaFrame Password Manager

Designed to work seamlessly with Citrix MetaFrame Presentation Server, Citrix MetaFrame Secure Access Manager, and Citrix MetaFrame Conferencing Manager, Citrix MetaFrame Password Manager provides password security and single sign-on access to Windows, Web, proprietary, and host-based applications running in the MetaFrame environment as well as local applications on the desktop. Users authenticate once and MetaFrame Password Manager does the rest, automatically logging on to password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks, including password changes.

Specifically, MetaFrame Password Manager provides each of the component products in the MetaFrame Access Suite with added value:

MetaFrame Presentation Server. MetaFrame Password Manager provides single sign-on access to any number of password-protected applications published on servers running MetaFrame Presentation Server.

MetaFrame Secure Access Manager. Users authenticate once and MetaFrame Password Manager passes their credentials through to any information and application resource available in the secure, personalized computing environment that is delivered from access centers.

MetaFrame Conferencing Manager. With single sign-on access provided by MetaFrame Password Manager, users can collaborate using multiple password-protected applications through MetaFrame Conferencing Manager.

This chapter is an overview of the capabilities and components of MetaFrame Password Manager. It includes the following topics:


The Benefits of MetaFrame Password Manager

As security breaches become increasingly commonplace, companies are focusing on reducing their risk. Conducting business today presents enterprises with a security dilemma. On one hand, they must make access difficult to hackers, competitors, and others who may not have the enterprise’s best interests in mind. On the other hand, they must make access easy for their employees, customers, vendors, and partners.

Reducing network security or usability to match user requirements can introduce significant risks. Weak security allows unauthorized access. Excessive security drives customers, partners, and vendors away and diminishes employee productivity. Security breaches continue to cost companies millions of dollars and even when they are addressed, trust is difficult to restore and damaged perceptions can remain.

Security is especially susceptible to poor password protection. Although password policies are aimed at reducing this vulnerability (for example, not using a spouse’s or child’s name, not writing or recording passwords anywhere, not using easily obtainable information), user limitations such as the need for simplicity, poor memory, and carelessness can virtually eliminate the value of security technology in the system.

MetaFrame Password Manager allows you to implement good security strategy without the trade-off between security and usability. With single sign-on, users authenticate once to access their applications and other resources, while in the background MetaFrame Password Manager enforces strong password policies. MetaFrame Password Manager provides your enterprise with the right balance of security and usability for the following reasons:

Simple user experience. Users authenticate once, then MetaFrame Password Manager authenticates users to their other password-protected applications, giving them a single easy-to-remember and secure logon method. Users no longer need to remember multiple IDs and passwords to access network resources. Eliminating multiple passwords reduces one of the most widespread sources of security breaches — users recording and storing their passwords under mouse pads or keyboards.


Reduced help desk costs. Through centralized administration and management, routine password-related events, such as generating new passwords, can be automated and even become invisible to the user, eliminating the problem of forgotten passwords and help desk calls.

MetaFrame Password Manager is the only single sign-on solution that works with Windows, Web, and host-based applications in your environment without a lengthy and complex deployment. MetaFrame Password Manager eliminates the burden of integration so you can start reaping the benefits of single sign-on in days, not months.

Enterprise users can enjoy the benefits of single sign-on while connected to or disconnected from the corporate network, while roaming between computers, or while sharing a computer with other users.

MetaFrame Password Manager Components

The following sections briefly describe the components you need to install to start using MetaFrame Password Manager. For detailed deployment information, see “Planning Your Deployment” on page 19.

MetaFrame Password Manager consists of three primary components:

• MetaFrame Password Manager agent

• MetaFrame Password Manager console

• The central credential store

MetaFrame Password Manager Agent

The agent is the client-side component of MetaFrame Password Manager. The agent acts as an intermediary between users and applications that require authentication. Multiple sets of user credentials can be created for an agent and stored on a local machine. When a user tries to access an application that requires authentication, the agent intercepts the application’s request for authentication. The agent finds the correct credentials in the local credential store and submits them to the application.

Credentials are also saved in a central store. This central store can be in a shared folder or Microsoft Active Directory. The agent synchronizes the local store with the central store, allowing users to maintain their credentials from any workstation. In addition, the agent provides users with the following features:

System tray menu. The agent’s system tray menu provides easy access to


Logon Manager. The agent’s Logon Manager provides users with a central location to create, view, edit, and delete logons.

New logon setup. Users can set up new logons quickly using the New Logon wizard. The agent detects each logon request and stores information entered in the New Logon wizard for retrieval the next time the user launches the application.

User mobility. The agent supports remote and mobile users. Remote users can access their credentials whether they are connected or disconnected from the corporate network. Mobile users can easily move from one machine to another and multiple users can securely share one workstation.

MetaFrame Password Manager Console

The console is the administrator’s management tool used to control all aspects of application password management. It is used to configure password definitions utilized by the agents and to control the passwords that open your organization’s secure applications. The console also enhances the functionality of the agent by creating a central store where all the configuration and agent settings are saved for retrieval and use by the agents. The agent has limited functionality when installed without console configuration; several key features, such as those listed below, are unavailable.

With the console, you can use wizards to create password policies, configure applications for single sign-on support (application definitions), and manage users’ credentials and agent settings. The console has five nodes in the left pane. You select a node to display specific options in the right pane. In the right pane, specify the parameters for the selected node.

The console includes the following features:

Application definitions. These definitions provide the information the agent needs to identify logon and change-password events, to supply credentials to applications, and to detect error conditions if they occur. MetaFrame Password Manager offers a large selection of templates from which you can create application definitions, or you can create them yourself, usually in a few minutes.

Password policies. Password policies control password length and the type and variety of characters used in both user-defined and automatically-generated passwords. Creating password policies ensures that your company’s security policies are applied by MetaFrame Password Manager.


First-Time-Use or Bulk Add. This feature allows an administrator to create a list of applications in the console for which users can add credentials. When users launch the agent for the first time, they are prompted to add credentials for each application in the first-time-use list. This process is also referred to as bulk add because users add credentials in bulk.

The Central Credential Store

The credential store is a central repository for credentials and agent configurations. The local credential store is provided in a binary file located in the user’s profile. The central credential store can use either Microsoft Active Directory or a file share.

The agent synchronizes the local store with the central credential store, allowing users to keep up-to-date with new configurations and to maintain their credentials from different workstations. The central credential store is the synchronization point for credentials and agent configurations.

MetaFrame Password Manager supports using a Microsoft NTFS file share, Novell NetWare publicly accessible folder, or Microsoft Active Directory as a


New Features in this Release

MetaFrame Password Manager 2.5 includes the following new features:

Novell Authentication. MetaFrame Password Manager interoperates with Novell’s version of the Windows GINA (Graphical Identification and Authentication DLL) for primary authentication against Novell eDirectory (formerly NDS).

Support for Novell NetWare file shares. Credentials and user settings can be stored in a Novell NetWare file share.

Support for Certificate-based (PKI) smart cards. MetaFrame Password Manager supports an expanded list of smart cards and other multifactor authentication devices that are Microsoft certified.

Hot desktop through compatibility with Workspace Roaming. MetaFrame Password Manager allows users to log on and to log off from workstations that access published applications rapidly and securely. No primary authentication or logoff is required. This is available with MetaFrame Presentation Server 3.0 only.

Workstation lockout for reauthentication. MetaFrame Password Manager allows you to force reauthentication on a per-application basis. This locks the workstation, forcing the user to reauthenticate before accessing specific applications or after an inactivity time-out.

Localized agent. The MetaFrame Password Manager agent is now available in German, French, Spanish, and Japanese languages, in addition to English.

Drop-down logon menu support. This feature allows automated sign-on to Windows and Web applications that use drop-down controls on their logon or change-password dialog boxes.

Manual password change policy enforcement. Enforces network password policies for application-driven password change requests.

Support for ActiveX controls, Java scripts and Java applets. MetaFrame Password Manager supports Web sites and applications that use ActiveX controls, Java scripts, and Java applets for logons and password changes.


Faster agent response and improved scalability. MetaFrame Password Manager is optimized for fast response times and superior performance. Users benefit from faster sign-on to applications. Organizations using MetaFrame Presentation Server benefit from Password Manager’s scalability because more users can be supported on a single server.

Getting More Information and Help

This section describes how to get more information about MetaFrame Password Manager and how to contact Citrix.

Accessing Product Documentation

The documentation for MetaFrame Password Manager includes online documentation, known issues information, integrated on-screen assistance, and application help.

• Online documentation, such as this guide, is provided as Adobe Portable Document Format (PDF) files.

• Be sure to read the Readme.htm file in the appropriate language folder of the \Documentation directory of the MetaFrame Password Manager CD-ROM before you begin your installation or when troubleshooting. This file contains important information that includes last-minute documentation updates and corrections.

• In many places in the MetaFrame Password Manager user interface, integrated on-screen assistance is available to help you complete tasks. For example, in the console, help text is displayed for the agent configuration options.

• Online help is available in many components. You can access the online help from the Help menu or Help button.

Important To view, search, and print the PDF documentation, you need to have the Adobe Reader 5.0.5 with Search or a later version with Search. You can download Adobe Reader for free from Adobe Systems’ Web site at http://www.adobe.com/.

Getting Service and Support


In addition to the CSN channel program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at http://support.citrix.com/. Knowledge Center features include:

• A knowledge base containing thousands of technical solutions to support your Citrix environment

• An online product documentation library

• Interactive support forums for every Citrix product

• Access to the latest hotfixes and service packs

• Security bulletins

• Online problem reporting and tracking (for customers with valid support contracts)

Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization’s Citrix products.

Subscription Advantage

Subscription Advantage gives you an easy way to stay current with the latest server-based software functionality and information. Not only do you get automatic delivery of feature releases, software upgrades, enhancements, and maintenance releases that become available during the term of your subscription, you also get priority access to important Citrix technology information.

You can find more information on the Citrix Web site at


Planning Your Deployment

Before you install MetaFrame Password Manager, evaluate your enterprise environment and determine how users currently access applications. Depending on the scope of your deployment, consider the importance of running a test pilot. You can easily configure a small-scale pilot version of your deployment before rolling it out to users. Through ongoing maintenance, you can enhance the effectiveness of password management for your enterprise.

This chapter covers the following topics:

• Implementation overview, which includes the tasks you must complete to start using MetaFrame Password Manager

• Hardware and software requirements for the console and agent

• Licensing requirements for MetaFrame Password Manager

• Preserving the GINA chain

• Using smart cards with MetaFrame Password Manager

• A comparison of three deployment scenarios

• How to plan and prepare for MetaFrame Password Manager synchronization

• The application information required before deployment of MetaFrame


Implementation Overview


Hardware and Software Requirements

To install the MetaFrame Password Manager console, ensure that the system meets the hardware and software requirements as specified by the operating system. The console requires the following additional resources:

• Approximately 20MB RAM

• Approximately 20MB disk space

• Approximately 30KB disk space per user on the file share or Active Directory partition

The console also requires Microsoft .NET Framework Version 1.1 (available on the MetaFrame Password Manager CD-ROM) and Microsoft Windows Installer 2.0.

To install the MetaFrame Password Manager agent, ensure that the system meets the hardware and software requirements as specified by the operating system. The agent requires the following additional resources:

• Approximately 5MB RAM

• Approximately 10MB disk space

The console and agent can be installed on machines using the following Microsoft Windows operating systems:

Component                            Supported Windows Operating Systems
MetaFrame Password Manager Console   Windows 2000 Professional with Service Pack 4
                                     Windows 2000 Server with Service Pack 4
                                     Windows 2000 Advanced Server with Service Pack 4
                                     Windows Server 2003 (32-bit)
                                     Windows XP Professional (32-bit) with Service Pack 1
MetaFrame Password Manager Agent     Windows 2000 Professional with Service Pack 4
                                     Windows 2000 Server with Service Pack 4
                                     Windows 2000 Advanced Server with Service Pack 4
                                     Windows Server 2003 (32-bit)
                                     Windows XP Professional (32-bit) with Service Pack 1

MetaFrame Password Manager supports Microsoft Internet Explorer 5.5 with Service Pack 2 or later.


Supported MetaFrame Presentation Server Platforms:

• MetaFrame XP Presentation Server, Service Pack 3

• MetaFrame Presentation Server, 3.0

Supported .NET Framework Platforms: Microsoft .NET Framework Version 1.1

Collecting Application Information

The MetaFrame Password Manager agent can detect and respond to logon and password change events for a wide range of applications, including the following application types:

• 32-bit Windows applications

• Web applications accessed through Microsoft Internet Explorer

• Host-based applications accessed through an HLLAPI-compliant terminal emulator

For the agent to operate successfully, you must set up an application definition for each password-protected application. Application definitions specify identifiers including user name and password entry field locations, application executable names, URLs, and control IDs for credential fields. These identifiers enable MetaFrame Password Manager to monitor applications and supply password information automatically.

MetaFrame Password Manager includes many application templates that simplify the configuration process by enabling you to choose applications with preconfigured settings from a drop-down list. Minimize the number of other applications running during configuration. For more information about adding application definitions, see “Adding Windows Application Definitions” on page 63, “Adding Web Application Definitions” on page 77, and “Adding Host-Based Application Definitions” on page 82.

You can also configure options for each application definition, including settings for password changes and error detection. For more information, see “Configuring Application Definition Settings” on page 86.

Before deploying MetaFrame Password Manager:

1. Examine application access and usage in your enterprise environment.

2. Decide what password-protected applications are required by your users and


3. Identify a password policy and the scenarios that initiate a password change for each application.

4. Determine which applications can subscribe to the password policies you set up and if any applications share passwords.

Licensing Requirements

Using Citrix software requires that you follow the terms of Citrix license agreements. For details about licensing requirements and licensing terms for your Citrix product, see the End-User License Agreement that is provided in Acrobat PDF format in the appropriate language folder of the \Documentation directory of your product CD-ROM.

For MetaFrame Password Manager, Citrix uses two types of licenses: concurrent connected user licenses and named user licenses. You may choose to purchase a combination of both license types.

A concurrent connected user license is a shareable license. It is allocated to a user only while that user is being served by a MetaFrame Password Manager agent (or multiple agents). After the user disconnects or logs off, the license is returned to the license pool so that it can be reallocated to another user. Concurrent connected user licenses allow sign-on both to applications published on MetaFrame Presentation Server and to applications installed locally on the user’s computer. These licenses require a connection to an organization’s data network for access to the central credential store and license repository. Consequently, they cannot be used when disconnected from the network. The value of concurrent connected user licenses is that they can be shared among different users at different times. In many MetaFrame Presentation Server environments, the number of users who are concurrently connected even during peak periods is less than half of the total user population. In such environments, concurrent connected user licensing can result in a significant cost savings.

A named user license is, in effect, a permanent license for a specific user. Once a user has taken a named user license from the license pool, it remains allocated to that user even when there is no MetaFrame Password Manager agent running in the user’s behalf. Named user licenses allow sign-on both to applications published on MetaFrame Presentation Server and to applications installed locally on the user’s computer. Named user licenses can be used even when disconnected from an organization’s data network, for example to access Internet sites and applications or local password-protected documents.

(24)

Preserving the GINA Chain

Graphical Identification and Authentication (GINA) is the Windows component that controls the CTRL+ ALT+ DELETE dialog box that collects the data needed to perform authentication. MetaFrame Presentation Server, MetaFrame Password Manager, and the Novell NetWare client all interact with or require the replacement of the Microsoft GINA.

If you are performing a fresh installation of the MetaFrame Access Suite that includes MetaFrame Password Manager, install the MetaFrame Password Manager agent last.

If you install any software that uses a custom GINA, you need to make sure that you do not disrupt the GINA chain. This may mean installing or uninstalling software in a specific order to preserve proper GINA chaining. By installing the MetaFrame Password Manager agent last you ensure that the MetaFrame Password Manager GINA is called first by the Winlogon process. See “Upgrading from MetaFrame Password Manager 2.0” on page 52 for more information.

Important A broken GINA chain can prevent users from logging on or prevent the operating system from loading. If the GINA chain is broken, you must start in Windows Safe Mode, then repair the broken chain in the system registry. See “Editing the Registry to Repair a Broken GINA Chain” on page 129.

Citrix recommends that the MetaFrame Password Manager agent be the last GINA installed on the system. The agent’s ssoGINAL.dll does not implement all of the GINA functionality; if the agent is installed on a system before software that alters the Windows GINA chain, it will use the previously installed GINA to support all the mandatory functionality, such as network logons, logon user interface display, and the locked workstation user interface display.

MetaFrame Password Manager stores the name of the previous GINA in: HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Shell\OrigGINADLL
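The chain described above, as an added pre-reboot sanity check that is not part of the guide or of Citrix’s tooling: it reads Winlogon’s GinaDLL value (assumed here to be the standard Windows 2000/XP/2003 value, defaulting to msgina.dll when absent) together with the OrigGINADLL value named above, and reports chain links that do not resolve to a DLL on disk.

```powershell
# Added example, not Citrix's own tooling: a pre-reboot sanity check of the GINA chain.
# Winlogon loads the DLL named by its GinaDLL value (msgina.dll when the value is absent);
# the agent records the GINA it wraps in the OrigGINADLL value quoted above.
# Assumption: the Winlogon key and the msgina.dll default are standard Windows 2000/XP/2003
# behaviour; the checks are heuristics, not a Citrix-documented procedure.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$AgentKey    = 'HKLM:\SOFTWARE\Citrix\MetaFrame Password Manager\Shell'

function Resolve-GinaPath {
    # A GINA named without a path is loaded from System32. Returns the full path or $null.
    param([string]$Dll)
    if ([System.IO.Path]::IsPathRooted($Dll)) { $candidate = $Dll }
    else { $candidate = Join-Path $env:SystemRoot "System32\$Dll" }
    if (Test-Path -LiteralPath $candidate) { return $candidate }
    return $null
}

function Test-GinaChain {
    # Returns the findings; no output means every visible link in the chain resolves.
    $findings = @()
    $winlogon = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    $first = 'msgina.dll'
    if ($winlogon -and $winlogon.GinaDLL) { $first = $winlogon.GinaDLL }
    if (-not (Resolve-GinaPath $first)) {
        $findings += "Winlogon GinaDLL '$first' is missing from disk; logon will fail after reboot"
    }
    $agent = Get-ItemProperty -Path $AgentKey -ErrorAction SilentlyContinue
    if ($agent -and $agent.OrigGINADLL) {
        $orig = $agent.OrigGINADLL
        if (-not (Resolve-GinaPath $orig)) {
            $findings += "Agent OrigGINADLL '$orig' is missing from disk; the chain is broken"
        }
        # The agent GINA forwards to OrigGINADLL. If that is the DLL Winlogon loads first,
        # the agent is either out of the chain or would call itself instead of ending at msgina.dll.
        if ([System.IO.Path]::GetFileName($orig) -ieq [System.IO.Path]::GetFileName($first)) {
            $findings += "OrigGINADLL '$orig' is also Winlogon's first GINA; check the install order"
        }
    }
    return $findings
}

Test-GinaChain | ForEach-Object { Write-Warning $_ }
```

Run it after every install or uninstall of GINA-replacing software and before rebooting, since a broken chain is only discovered at the next logon.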


The GINA and Authentication Methods

MetaFrame Password Manager provides users with three primary authentication methods:

Primary Authentication using Windows User Name and Password. The user logs on the workstation or terminal server using the Ctrl-Alt-Delete key sequence and types a user name and password into the dialog box provided by the Microsoft GINA.

Primary Authentication using Novell User Name and Password. The user logs on the workstation or terminal server using the Novell logon dialog box provided by the Novell GINA replacement.

Primary Authentication using smart card. The user logs on the workstation or terminal server using a smart card recognized by the operating system (either natively or with the help of a GINA replacement and driver from the smart card manufacturer). The system then prompts the user to enter a PIN.

Using Smart Cards with MetaFrame Password Manager

You can use smart cards with MetaFrame Password Manager. Smart cards are small plastic cards with embedded computer chips. Smart cards can contain memory only, memory with security logic, or memory with CPU capabilities, depending on the intended application.

In a business computer network setting, smart cards are an effective implementation of public-key technology and are used to authenticate users to networks and computers and to secure channel communications over a network.

If you are using smart cards for secure network authentication, your users can authenticate to applications.

Citrix has tested smart cards that meet Standard 7816 of the International Organization for Standardization (ISO) for cards with electrical contacts (known as a contact card) that interface with a computer system through a device called a smart card reader. The reader can be connected to the host computer by the serial, USB, or PCMCIA port.

In addition, smart cards provide two-factor authentication for increased security: the card and the user’s PIN. These items, when used together, prove that the cardholder is the rightful owner of the smart card.

Smart Card Software Requirements

Consult your smart card vendor or integrator to determine detailed configuration requirements for your specific smart card implementation.

The following components are required on the server or client:

• PC/SC software

• Cryptographic Service Provider (CSP) software

• Smart card reader software drivers

Your Windows server and client operating systems may come with PC/SC, CSP, or smart card reader drivers already available. See your smart card vendor for information about whether these software components are supported or must be replaced with vendor-specific software.

Configuring the Server

A complete and secure smart card solution can be difficult to implement. Citrix recommends that you consult your smart card vendor or integrator for details. Configuration of smart card implementations and configuration of third-party security systems such as certificate authorities are beyond the scope of this documentation.

Smart cards are supported for authenticating users with MetaFrame Password Manager or for use with other applications that offer smart card functionality.

Switching between Authenticators

When users switch from one type of authentication method to another, or when they change their primary password, they are prompted for their identity verification phrase.

MetaFrame Password Manager Deployment Scenarios

MetaFrame Password Manager supports the following versions of MetaFrame Presentation Server:

• MetaFrame Presentation Server 3.0 for Windows

• MetaFrame XP with Feature Release 3 and Service Pack 3

• MetaFrame XP Server with Feature Release 2 and Service Pack 3

• MetaFrame XP Server with Feature Release 1 and Service Pack 3

If you are also running MetaFrame Secure Access Manager, applications are available from MetaFrame Presentation Server and from MetaFrame Secure Access Manager. Users can access the applications through a Web browser.

MetaFrame Password Manager can be used in conjunction with the following:

• MetaFrame Secure Access Manager, using the included CDAs or CDAs that you download.

• MetaFrame Presentation Server features, such as:

  • Web Interface for MetaFrame

  • Secure Gateway for MetaFrame

  • The Citrix Web console

  • All Citrix Win 32 Clients

Where to Install the Agent and Console

To access local applications, users can install the agent on their desktops. Mobile users can also install the agent on their laptops so they can use the agent features even when they are not connected to the network. Synchronization of user credentials occurs when mobile users reconnect to the network.

The following table illustrates where the agent (or agents) can be installed:

Environment: MetaFrame Presentation Server and MetaFrame Secure Access Manager
Implementation: MetaFrame Presentation Server and MetaFrame Secure Access Manager provide applications that users access through their Web browsers. Install MetaFrame Password Manager agent on each server running MetaFrame Presentation Server.

Environment: Mixed Environment
Implementation: Users access published applications as well as other secured applications. Install MetaFrame Password Manager agent on each server running MetaFrame Presentation Server and on each desktop.

Environment: Desktop-only implementation
Implementation: MetaFrame Password Manager agent is used on the user’s desktop with locally-installed applications.

Integrating with MetaFrame Presentation Server

With MetaFrame Presentation Server, the MetaFrame Password Manager agent is installed on each server that publishes applications that require authentication. Use the MetaFrame Password Manager agent to provide credentials for Citrix connections to the published applications only.

Install the console on a desktop or server that is not a member of the server farm. The operating system should match the operating system of the server (or servers) on which the applications are published, or the operating system of the server or servers where the agent will be installed.

To control the behavior and appearance of the agents running in the MetaFrame Presentation Server farm, you use the console to edit or create agent settings (see “Specifying Agent Settings” on page 93). These settings can be exported to the agent or distributed as part of a custom Windows Installer Package (.msi) using Installation Manager or other deployment method. See the MetaFrame Installation Manager Administrator’s Guide for information about Installation Manager. A custom Windows Installer package also can contain instructions about how synchronization between the console and agents occurs. This synchronization occurs between the agent and the central credential store, which can be a network file share, Active Directory, or Novell NetWare publicly accessible folder. See “Planning for Synchronization” on page 33 for more information.

Users access the published applications in the server farm through Citrix connections using a client. When a user tries to connect to a published application, the agent recognizes the request for authentication sent by the server running MetaFrame Presentation Server. The agent determines the application type (Windows, Web, or host-based) and retrieves the appropriate credentials from the user’s local credential store.

Note MetaFrame Presentation Server provides policy rules that allow you to configure and control which users can access MetaFrame Password Manager when they connect to servers and published applications in the server farm. See the MetaFrame Presentation Server Administrator’s Guide for more information.

Integrating with MetaFrame Secure Access Manager

In an enterprise deployment that includes MetaFrame Secure Access Manager, users can access applications hosted on the server farm running MetaFrame Presentation Server in the following ways:

• Using MetaFrame Secure Access Manager’s Program Neighborhood CDA

• Using the Embedded Application CDA

• Using the Website Viewer CDA

• Using the Add/Launch menus

• Using content redirection

For more information about MetaFrame Secure Access Manager, see the

If users need to access applications on servers running MetaFrame Presentation Server and content (CDAs) in the access server farm, the agent must be installed on each client desktop. This implementation allows the agent on the server running MetaFrame Presentation Server to detect and submit logon and password change events for published applications, while the local agent handles applications from the access server farm, as well as locally installed applications.

Synchronization point information is stored in the local registry of the client device. When the agent launches, it searches for the synchronization point and connects to it using the user’s current credentials.


Consider these points when using MetaFrame Password Manager with MetaFrame Secure Access Manager:

• Each CDA (on each MetaFrame Secure Access Manager page) that requires authentication must be defined as an individual Web application definition in the MetaFrame Password Manager console.

• Users can move CDAs around on a page and MetaFrame Password Manager recognizes them with no adverse effects. However, CDAs that are added to a page, copied, or moved from one page to another (or one folder to another) require the creation of a new Web application definition. If you export an access center to another server, the CDAs are recognized as the same CDAs in the original access center.

• If you want MetaFrame Password Manager to handle authentication to a CDA, you need to disable the auto-logon feature in that CDA’s Advanced Configuration wizard.

• When generating application definitions for MetaFrame Secure Access Manager, define the Submit button.

• CDAs modified by CDAPad and redeployed with MetaFrame Secure Access Manager require the creation of new Web application definitions. See “Adding Web Application Definitions” on page 77.

• If you are using MetaFrame Secure Access Manager 2.0 and you define a Web application definition for the Login CDA, synchronize the setting to the agents. Users automatically are logged back on MetaFrame Secure Access Manager when they attempt to log off. To end this loop, users must close their browsers when they log off.


Planning for Synchronization

MetaFrame Password Manager synchronizes logon credentials, agent settings, and application definitions between local and central credential stores. This synchronization ensures that credentials, agent settings, and application definitions remain up-to-date and secure. Synchronizing user credentials, for example, enables mobility, eases deployment, simplifies administration, and improves security. MetaFrame Password Manager provides local credential storage in an encrypted database and the agent settings are stored in the registry. You can set up MetaFrame Password Manager to synchronize with either a shared folder or Microsoft Active Directory.

Active Directory. Active Directory offers the benefits of using your company’s existing infrastructure (if it is already set up), providing faster, easier access to the synchronization point. Active Directory allows administrators to publish MetaFrame Password Manager applications and agent settings for each Organizational Unit (OU), container, or even down to per-user if necessary; it is easy to deploy enterprise-wide and does not require any additional Microsoft licensing for the file server.

If you choose Active Directory, you must extend the schema, which often requires lengthy organizational approvals. You can always start with a file share-based credential store and later migrate to Active Directory. See “Migrating from Shared Folder to Active Directory Synchronization” on page 135.

Note The schema extensions created by the CtxSchemaPrep.vbs tool adhere to Microsoft best practices. See “Planning for Active Directory Synchronization” on page 44.

With Active Directory synchronization, user password data is saved as a child of the User object in Active Directory. This ensures that users have their password data regardless of where they log on.


Shared Folder. Using a shared folder (either a Microsoft File Share or a Novell NetWare publicly accessible folder) for synchronization enables you to perform synchronization without having to extend the schema. File share is an excellent entry point for MetaFrame Password Manager implementations and you can migrate to Active Directory later. If you are using a shared folder, consider the following:

• Applications and agent settings may apply to all users, to select groups, or to individual users but require changes to the registry. See “Specifying Multiple Synchronization Points” on page 136 for more information.

• Access to the shared folder may require additional Microsoft connection licenses.

• Administrators must create and manage multiple file shares to deploy different settings for different users.

With file share synchronization, password data is saved in a folder under the People folder in your shared folder. This folder is secured so that users have access only to their data.

Configuration objects, such as applications and agent settings can be configured only at the root of the synchronization point. The settings at the root are shared by all users.

As you research these options, think about where you want to store MetaFrame Password Manager license information. Citrix recommends that if you use Active Directory for synchronization, also use Active Directory for the license repository. If you use a shared folder for synchronization, you can use the same shared folder for the license repository. No matter what method you select, be aware that both are equally scalable and secure.

Synchronization set up involves the following steps:

• Setting the correct security and sharing permissions for the shared folder or Active Directory

• Specifying shared folder or Active Directory as the synchronization type

• Adding the specific folder or Active Directory location as the synchronization point

• Saving your settings to the File Share or Active Directory to create the objects required by the agent for synchronization

• Configuring agent settings to point to the synchronization location

If you use Active Directory for MetaFrame Password Manager synchronization, you must extend the schema, and set the correct permissions in the domain for users who will be using MetaFrame Password Manager. These processes are described in “Planning for Active Directory Synchronization” on page 44.

For more information about choosing and configuring synchronization for MetaFrame Password Manager, see “Delivering Information to Agents” on page 111.

The central store can be specified for different users using the policy settings on farms running MetaFrame Presentation Server 3.0. See the MetaFrame Presentation Server Administrator’s Guide for more information.

Planning for Synchronization Using a Shared Folder

If you plan to use a shared folder for synchronization, you must create the shared folder and a People folder in the shared folder. Set access permissions on the folders to allow the agent and console to share and access MetaFrame Password Manager information securely.

You can create the required folders and set permissions automatically using the File Synchronization Setup for MetaFrame Password Manager utility. To set up a shared folder manually, see “Securing the File Synchronization Folder Manually” on page 36.

The File Synchronization Setup utility ensures that the shared folder and the People folder are created and shared with correct sharing and security permissions. Therefore, you are assured that as you use MetaFrame Password Manager with file synchronization, all of the data in this folder is appropriately secured and easy to manage.

The computer you use to host the shared folder and/or license repository is referred to as the synchronization point and must belong to the same domain as the machines on which the agents are installed.

Important If you configure a network share as your synchronization point and the server hosting the share point does not have sufficient disk space, a permission error appears when the agents attempt to synchronize their data. Citrix recommends 30KB per user or 2KB per application.

To use File Synchronization Setup for MetaFrame Password Manager

At a command prompt, access the /Tools directory on the MetaFrame Password Manager CD-ROM, and type:

If you choose not to include the path parameter, the default, %SystemDrive%\CITRIXSYNC, is used. If you choose not to include the share parameter, the default, CITRIXSYNC$, is used.

Important Citrix strongly recommends that you use a hidden share for the synchronization point.

When the program is finished, the shared folder and the People folder are created with appropriate sharing and security permissions set.

Your shared folder is now ready to be used for synchronization. For more information, see “Setting Up a Shared Folder for Synchronization” on page 57.

Note Any group of users who are not administrators on the file servers, but need to manage MetaFrame Password Manager folders, can be added to the root shared folder with full control. The group also needs to be added to the People folder, because the People folder does not inherit access rights from the root shared folder. Adding the group to the People folder grants group members the required access to all other folders and files in the share.

Securing the File Synchronization Folder Manually

If you have an existing file share, you may want to secure it manually using the same procedures that the CtxFileSyncPrep utility uses to assign sharing and security permissions to a shared folder.

To secure a shared folder manually

1. Select the shared folder in Windows Explorer.

2. From the File menu, select Properties.

3. Select the Security tab and click Advanced.

4. On the Permissions tab, disable the option that allows permissions to be inherited from the parent folder. This ensures that any volume-wide change to NTFS permissions does not affect the security of MetaFrame Password Manager components.

• For Windows 2000, disable “Allow inheritable permission from parent to propagate to this object.”

Next, add permissions for the operating system. The local SYSTEM account allows the operating system, anti-virus, and backup programs to interact with the folder.

1. Click Add and choose SYSTEM. Give this account “Full Control for This Folder, Subfolders, and Files.”

• For Windows 2000, click to Allow for all items listed

• For Windows 2003, click Full Control at the top of the list

2. Click OK.

Now, add permissions for local administrators. This allows the local administrators to delete credentials stored in the synchronization point, if needed.

1. Select the shared folder in Windows Explorer. From the File menu, select Properties. On the Security tab, click Advanced.

2. Click Add and choose <local machine>\Administrators. Give this account “Full Control for This Folder, Subfolders, and Files.”

• For Windows 2000, click to Allow for all items listed

• For Windows 2003, click Full Control at the top of the list

3. Click OK.

Now you must add permissions for Authenticated Users. Using this group rather than the Everyone group ensures that users who try to access synchronization data are authenticated by the domain.

1. Click Add and choose <local machine>\Authenticated Users. Give this account the following permissions for “This Folder Only, Subfolders, and Files:”

• Traverse Folder/Execute File

• List Folder/Read Data

• Read Attributes

• Read Extended Attributes

• Read Permissions

2. Click OK.

Finally, secure user access to data. This ensures that data created by a specific user is “owned” by that user. Keep in mind that the user is unable to modify file permissions.

1. Click Add and choose CREATOR OWNER. Give this account the following permissions for subfolders and files only:

• List Folder/Read Data

• Read Attributes

• Read Extended Attributes

• Create Files/Write Data

• Create Folders/Append Data

• Write Attributes

• Write Extended Attributes

• Delete

• Read Permissions

2. From the Apply onto list, select Subfolders and files only.

3. Click OK.

4. Close the Advanced Settings dialog box.

5. Close the Properties page.

Storing User Password Data

After you create and set security permissions for the file synchronization folder, create a new folder called “People” inside the file synchronization folder. The People folder is used to store the password data for all users.

To secure the user password data manually

1. Select the People folder in Windows Explorer.

2. From the File menu, select Properties.

3. Select the Security tab, then click Advanced.

4. On the Permissions tab, disable the option that allows permissions to be inherited from the parent folder. This ensures that any change to the shared folder does not cause its less-restrictive Authenticated Users settings to propagate into the user password data folder.

• For Windows 2000, disable “Allow inheritable permission from parent to propagate to this object.”

• For Windows 2003, disable “Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with entries explicitly defined here.”

Follow the steps in “To secure a shared folder manually” to add permissions to this folder for the SYSTEM account, local administrators, and the CREATOR OWNER account.

Finally, you must set special permissions for the Authenticated Users group:

1. Click Add and choose <local machine>\Authenticated Users. Give this account the following permissions for “This Folder, Subfolders, and Files:”

• Traverse Folder/Execute File

• List Folder/Read Data

• Read Attributes

• Read Extended Attributes

• Read Permissions

2. From the Apply onto list, select This folder only.

3. Click OK.

4. Close the Advanced Settings dialog box.

5. Close the Properties page.

Setting Share Permissions

Finally, the file synchronization folder must be shared so that MetaFrame Password Manager users and the Authenticated Users group are permitted to write data to the folders.

1. Select the shared folder in Windows Explorer. From the File menu, select Sharing.

2. Share the folder and assign a share name.

Note If you type a dollar sign ($) after the share name, the name does not appear in a list of available shares on the server.

3. Click Permissions and add Authenticated Users.
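The three procedures above (securing the root folder, securing the People folder, and sharing the folder) as one added PowerShell example; this is not the CtxFileSyncPrep utility or code from the guide. It assumes Windows PowerShell run elevated on Windows Server 2012 or later (for New-SmbShare), the guide’s default path C:\CITRIXSYNC and hidden share name CITRIXSYNC$ as placeholders, and a Change share permission for Authenticated Users, since the guide states only that they must be able to write.

```powershell
# Added example (not Citrix's own code): applies the NTFS and share permissions that the
# three manual procedures above describe to a synchronization folder and its People
# subfolder, then audits the result. Path and share name are placeholders (the guide's defaults).
# Assumes Windows PowerShell run elevated on the file server; New-SmbShare needs the
# SmbShare module (Windows Server 2012 or later), so on older servers share the folder by hand.

$SyncRoot  = 'C:\CITRIXSYNC'    # placeholder; the CtxFileSyncPrep default path
$ShareName = 'CITRIXSYNC$'      # hidden share, as the guide strongly recommends

# Rights exactly as the guide lists them for each principal. Synchronize is the implicit
# right the Security tab adds whenever a check box is selected, so it is included here.
$ReadRights  = 'ExecuteFile, ReadData, ReadAttributes, ReadExtendedAttributes, ' +
               'ReadPermissions, Synchronize'
$OwnerRights = 'ReadData, ReadAttributes, ReadExtendedAttributes, CreateFiles, ' +
               'CreateDirectories, WriteAttributes, WriteExtendedAttributes, Delete, ' +
               'ReadPermissions, Synchronize'

function New-AllowRule {
    # Builds one Allow ACE; $Scope mirrors the "Apply onto" choices in the dialog box.
    param([string]$Identity, [string]$Rights, [string]$Scope)
    switch ($Scope) {
        'ThisFolderSubfoldersAndFiles' { $inh = 'ContainerInherit, ObjectInherit'; $prop = 'None' }
        'SubfoldersAndFilesOnly'       { $inh = 'ContainerInherit, ObjectInherit'; $prop = 'InheritOnly' }
        'ThisFolderOnly'               { $inh = 'None';                            $prop = 'None' }
        default                        { throw "Unknown scope '$Scope'" }
    }
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $inh, $prop, 'Allow'
}

function Set-SyncFolderAcl {
    # Rebuilds the folder's DACL from the given rules only, so the result matches the guide.
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Rules)
    $acl = Get-Acl -Path $Path
    # Step 4 of the procedure: stop inheriting from the parent and discard inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    foreach ($rule in $Rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-SyncFolderAcl {
    # Audit: flags the mistakes that most often undo the procedure, inheritance switched
    # back on, a broad principal (Everyone, Users) granted anything, or Authenticated Users
    # given write rights at the folder level rather than through CREATOR OWNER.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) { $findings += "$Path inherits permissions from its parent" }
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, Delete, ChangePermissions'
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($who -in 'Everyone', 'BUILTIN\Users') {
            $findings += "$Path grants $($ace.FileSystemRights) to $who"
        } elseif ($who -eq 'NT AUTHORITY\Authenticated Users' -and
                  (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            $findings += "$Path lets all authenticated users write: $($ace.FileSystemRights)"
        }
    }
    return $findings
}

$peopleFolder = Join-Path $SyncRoot 'People'
New-Item -ItemType Directory -Path $SyncRoot, $peopleFolder -Force | Out-Null

# Root folder: SYSTEM and local Administrators get Full Control, Authenticated Users get
# read on the whole tree, and CREATOR OWNER gets the per-user rights on what they create.
$rootRules = @(
    (New-AllowRule 'NT AUTHORITY\SYSTEM'              'FullControl' 'ThisFolderSubfoldersAndFiles'),
    (New-AllowRule 'BUILTIN\Administrators'           'FullControl' 'ThisFolderSubfoldersAndFiles'),
    (New-AllowRule 'NT AUTHORITY\Authenticated Users' $ReadRights   'ThisFolderSubfoldersAndFiles'),
    (New-AllowRule 'CREATOR OWNER'                    $OwnerRights  'SubfoldersAndFilesOnly')
)
# People folder: the same, except Authenticated Users read "This folder only", so the
# read ACE never propagates into an individual user's data folder.
$peopleRules = @(
    (New-AllowRule 'NT AUTHORITY\SYSTEM'              'FullControl' 'ThisFolderSubfoldersAndFiles'),
    (New-AllowRule 'BUILTIN\Administrators'           'FullControl' 'ThisFolderSubfoldersAndFiles'),
    (New-AllowRule 'NT AUTHORITY\Authenticated Users' $ReadRights   'ThisFolderOnly'),
    (New-AllowRule 'CREATOR OWNER'                    $OwnerRights  'SubfoldersAndFilesOnly')
)
Set-SyncFolderAcl -Path $SyncRoot     -Rules $rootRules
Set-SyncFolderAcl -Path $peopleFolder -Rules $peopleRules

# Share level: the guide only says Authenticated Users must be able to write, so Change
# (not Full Control) is assumed here; the NTFS ACLs above remain the effective control.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SyncRoot `
                 -ChangeAccess 'NT AUTHORITY\Authenticated Users' | Out-Null
}

$issues = @(Test-SyncFolderAcl $SyncRoot) + @(Test-SyncFolderAcl $peopleFolder)
$issues | ForEach-Object { Write-Warning $_ }
```

Test-SyncFolderAcl can be rerun on its own against an existing synchronization point to confirm that a later volume-wide permission change has not re-enabled inheritance on either folder.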


Planning for Synchronization Using a Novell NetWare Folder

If you plan to use a Novell NetWare folder for synchronization, you must create, while logged on with Supervisor rights, the shared folder and a People folder in the shared folder. Set access permissions on the folders to allow the agent and console to share and access MetaFrame Password Manager information securely.

You can create the required folders and set permissions automatically using the File Synchronization Setup for MetaFrame Password Manager utility. To set up a shared folder manually, see “Securing the File Synchronization Folder for Novell Netware Manually” on page 41.

The File Synchronization Setup utility ensures that the publicly accessible folder and the People folder are created and shared with correct sharing and security permissions. Therefore, you are assured that as you use MetaFrame Password Manager with file synchronization, all of the data in this folder is appropriately secured and easy to manage.

The computer you use to host the shared folder and/or license repository is referred to as the synchronization point and must belong to the same domain as the machines on which the agents are installed. If you are not using Windows domain controllers, users must log on to a Novell tree where the publicly accessible synchronization folder is located. Users must have accounts with read access permissions to the Novell NetWare publicly accessible folder you designate as the synchronization point.

Important The use of Novell NetWare file synchronization requires that users’ Novell password be identical to their Windows NT password.

To use NetWare File Synchronization Setup for MetaFrame Password Manager

1. At a command prompt, access the /Tools directory on the MetaFrame Password Manager CD-ROM, and type:

CtxNWFileSyncPrep /path:<UNCpath>

You must include the path parameter, and it must be specified using the following format:

\\<NetWare server>\<volume>\folder


2. When the program is finished running, the root synchronization folder is made publicly accessible for Reading and File scanning. A People folder is created under the root folder with security permissions set to full public access. Your publicly accessible folder is now ready to be used for synchronization. Any users without Supervisor rights who need to manage MetaFrame Password Manager folders can be added to the root synchronization folder as a Trustee with all rights. This grants them the required access to all other folders and files under the root synchronization folder.

Securing the File Synchronization Folder for Novell Netware Manually

Follow the instructions below if you want to secure the file synchronization folder manually. You must be logged on to the NetWare server with an account that has supervisor rights to perform these tasks.

1. Create a folder and make it accessible to all NetWare users.

2. On the folder properties of the folder (in this example, the CITRIXSYNC folder) set the following permissions: Add the [Public] group as a trustee, with File Scan and Read permissions.


3. Create a folder named People inside the folder you just created.

4. On the People folder, add the [Public] group as a trustee and give all access rights.

This screenshot displays the permissions in the People folder.


Using Novell ZENworks

The use of Novell NetWare file synchronization requires that users’ Novell password be identical to their Windows NT password. One way to accomplish this is to use Novell ZENworks for Desktops with Windows Dynamic Local User (DLU) support configured on your NDS server. If you use ZENworks with Novell NetWare file synchronization, each machine that runs the MetaFrame Password Manager agent also needs to run the Novell Workstation Manager component. The following steps describe how to set up Novell ZENworks and MetaFrame Password Manager to work with a Novell NetWare file synchronization point.

To install ZENworks for desktops with Dynamic Local User enabled

1. Install Novell ZENworks for Desktops, Version 3.2 or higher.

2. Using the Novell ConsoleOne tool, create a new policy package using the following settings:

Under the WinNT-2000 selection of the Policies tab, enable the Dynamic Local User policy.

In the Properties of the Dynamic Local User policy:

• Click Enable Dynamic Local User.

• Click Manage existing NT account (if any)

• Click Use NetWare credentials

(Optional) You may choose to enable Volatile user (Remove NT user after log out), depending on the way that you want the Dynamic Local User feature to behave on your client devices. Refer to the Novell documentation for more information about Volatile users.

• Add the Windows Users account in the Members of: list box. You may also want to add additional Windows accounts, depending on the privileges you want users to have on the client devices that are using the Dynamic Local User feature.

Under the Associations tab of your new policy package, Add all of the NDS accounts that will use the Dynamic Local User feature and the MetaFrame Password Manager agent with Novell NetWare file synchronization.


To enable the Novell Workstation Manager component on each Novell client device

This component supports the Dynamic Local User policy that is set up on your NDS server.

1. During the Novell client installation, select Custom Installation.

2. Select the Novell Workstation Manager component for installation.

3. Specify the NDS tree to be used by the Workstation Manager.

To configure Agent Settings for Novell NetWare file synchronization

1. Run the console and load the configuration associated with your Novell NetWare deployment.

2. Select an agent setting in the Agent Settings node and click Shell.

3. Enable DeleteOnShutdown. This removes the user’s encrypted credential files from local Windows accounts that may not be secure.

4. Save your configuration and deploy it to the Novell Netware synchronization point.

Planning for Active Directory Synchronization

Active Directory is a tree-structured hierarchy designed to organize information in your enterprise. The Active Directory schema defines the objects and attributes that can be added to the Active Directory.

When you use Active Directory to synchronize data between the MetaFrame Password Manager console and agents, the following Citrix classes and attributes must be added to your schema:

citrix-SSOConfig class. Describes the object containing data for agent settings, synchronization state, and the entlist and ftulist files.

The entlist.ini file contains application definitions you create to allow the agent to automatically recognize and respond to logon and password-change requests from applications specific to your organization.

The ftulist.ini file determines the agent’s behavior when a user first uses the agent.

• citrix-SSOConfigData attribute: Contains the actual data

• citrix-SSOConfigType attribute: Specifies the type of data

citrix-SSOSecret class. Describes the secret data object used to authenticate a MetaFrame Password Manager user.


citrix-SSOLicense class. Describes the object that handles license information.

• citrix-SSOLicenseAttribute: Contains actual license data.

Important Because the process of extending your Active Directory schema is enterprise-wide and not reversible, Citrix recommends that your schema administrator give careful consideration and review to the classes and attributes listed above. Detailed information about the Citrix classes and attributes is available from the CitrixMPMSchema.xml file in the /Tools directory on the Citrix MetaFrame Password Manager CD-ROM.

After you decide to use Active Directory for MetaFrame Password Manager synchronization, the schema administrator must extend the schema, either from the command line with the LDIFDE utility or with the Schema Extension for MetaFrame Password Manager utility provided by Citrix.

Important Before you extend your schema, you must enable write access to the schema. For more information, refer to the Microsoft documentation for Active Directory or Microsoft Knowledge Base article 285172.

To use the schema extension for MetaFrame Password Manager

1. Log on to a server in the Active Directory with credentials that belong to the Schema Admins group.

2. Verify that the machine that has the Schema Master role is configured to allow schema updates.

Important Before you run CtxSchemaPrep.vbs, you must switch to the directory that contains the CtxSchemaPrep.vbs and CitrixMPMSchema.ldf files. MetaFrame Password Manager returns an error message if you run CtxSchemaPrep.vbs from a different directory.

3. At a command prompt, access the /Tools directory on the MetaFrame Password Manager CD-ROM and run:

cscript CtxSchemaPrep.vbs

The cscript command displays success or failure messages.


4. Use the Microsoft Active Directory Schema MMC Snap-In to investigate the schema and confirm that the Citrix attributes and object classes were added successfully.

5. Ensure that the automatic replication of the schema to all of the domain controllers in the enterprise is completely propagated before continuing.

Next, you must set the correct permissions in the domains that contain users who will use MetaFrame Password Manager. The permissions apply to a MetaFrame Password Manager agent so that it can create, modify, read from, and delete objects. These permissions are enabled under each user’s own Active Directory User object. The MetaFrame Password Manager agent must be able to work with the following objects that are instances of the classes described previously:

SecretObject - contains authentication credentials for applications used by people in the domain. Each user can have many SecretObjects.

SyncState - contains data regarding the most recent synchronization between the MetaFrame Password Manager and the agent. There is only one SyncState object for each user.

SSORegistry - contains agent settings. There is only one SSORegistry object for each user.

A domain administrator can use the Active Directory Setup for MetaFrame Password Manager utility to set the correct permissions for these objects. This tool is a utility, run from a command line, that sets the correct permissions for these objects on a domain level.

To use Active Directory Setup for MetaFrame Password Manager

1. Using credentials that belong to the Domain Admins group, log on to a computer that resides in the domain that you want to configure.

2. At the command prompt, access the /Tools directory on the MetaFrame Password Manager CD-ROM and run:

CtxDomainPrep

After the utility is complete, the permissions for the Citrix agent objects are set to read, write, and modify.

3. Verify the resulting security settings using the Active Directory Users and Computers utility.
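As an added example, not part of the Citrix guide or of the CtxSchemaPrep and CtxDomainPrep tools, the following PowerShell script performs two of the verification steps above from a command prompt instead of the MMC snap-ins: step 4 of the schema extension procedure (confirming that the Citrix classes and attributes are present in the schema) and step 3 above (inspecting the permissions granted to SELF on the domain root, OU, or CN). It uses only the System.DirectoryServices classes built into Windows, so no additional module is required. The container DN is an assumed placeholder; replace it with the container used in your own forest.

```powershell
param(
    # Assumed placeholder: DN of the domain root, OU, or CN whose permissions you want to check.
    [string]$ContainerDn = 'DC=example,DC=local'
)

$ErrorActionPreference = 'Stop'

# Locate the schema naming context of the forest this computer is joined to.
$rootDse = [ADSI]'LDAP://RootDSE'
$schema  = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"

function Find-SchemaObject {
    # Returns the classSchema or attributeSchema object with the given LDAP display name, or $null.
    param([string]$Category, [string]$Name)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($schema)
    $searcher.Filter = "(&(objectClass=$Category)(lDAPDisplayName=$Name))"
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    return $searcher.FindOne()
}

# --- Check 1: the Citrix classes and attributes listed in the guide exist in the schema. ---
$classNames     = 'citrix-SSOConfig', 'citrix-SSOSecret', 'citrix-SSOLicense'
$attributeNames = 'citrix-SSOConfigData', 'citrix-SSOConfigType', 'citrix-SSOLicenseAttribute'
$classGuids = @{}   # schemaIDGUID -> class name, used to interpret object-specific ACEs below

foreach ($name in $classNames) {
    $hit = Find-SchemaObject -Category 'classSchema' -Name $name
    if ($hit) {
        $guid = [guid]$hit.Properties['schemaidguid'][0]
        $classGuids[$guid] = $name
        Write-Host "class     $name : present"
    } else {
        Write-Warning "class     $name : MISSING (schema extension not applied or not yet replicated)"
    }
}
foreach ($name in $attributeNames) {
    if (Find-SchemaObject -Category 'attributeSchema' -Name $name) {
        Write-Host "attribute $name : present"
    } else {
        Write-Warning "attribute $name : MISSING"
    }
}

# --- Check 2: which rights SELF holds on the container, and which object classes they cover. ---
$container = [ADSI]"LDAP://$ContainerDn"
$rules = $container.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$rules | Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' } |
    ForEach-Object {
        # An empty ObjectType GUID means the ACE is not limited to a particular object class.
        $appliesTo = if ($classGuids.ContainsKey($_.ObjectType)) {
            $classGuids[$_.ObjectType]
        } elseif ($_.ObjectType -eq [guid]::Empty) {
            'all object classes'
        } else {
            "other object type $($_.ObjectType)"
        }
        [pscustomobject]@{
            Rights      = $_.ActiveDirectoryRights
            Type        = $_.AccessControlType
            Inheritance = $_.InheritanceType
            AppliesTo   = $appliesTo
        }
    } | Format-Table -AutoSize
```

Run the script on a domain-joined computer as a user who can read the schema and the container’s security descriptor; read access is enough, because it changes nothing. A warning in the first check indicates that the schema extension has not been applied or, as step 5 of the extension procedure notes, has not yet replicated to the domain controller you are talking to. In the second check, rows whose AppliesTo column reads "all object classes" grant SELF the listed rights on every child object type, which is broader than the three Citrix classes need; compare those rows against what CtxDomainPrep or your manual procedure was intended to set.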


Assigning Permissions for Active Directory Security

You can assign permissions manually if you do not want to use the ctxdomainprep utility. The utility follows the same procedure described below to assign permissions to a domain, organizational unit, or container.

To assign permissions at the OU, CN, or Domain Root level manually

1. Launch Active Directory Users and Computers.

2. Click View and select Advanced Features.

3. Right-click the Domain Root and select Properties. Alternatively, if you want to restrict some of the user objects for the domain from using MetaFrame Password Manager, choose an OU or CN.

4. On the Security tab, click Advanced.

5. Add the SELF account to the OU.

6. Select Al
