Citrix Password Manager Administrator s Guide. Citrix Password Manager 4.6 Citrix Presentation Server 4.5 with Feature Pack 1, Platinum Edition

(1)

Citrix Password Manager™ 4.6

(2)

Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Citrix Systems, Inc.

Citrix Password Manager replaces specific end users’ encryption keys each time their primary authentication method changes, such as a domain password change or issuance of a new smart card. Password Manager can be configured to perform this operation automatically by using the optional Key Management Module. Password Manager can also be configured to use the Microsoft Data Protection API (DPAPI). When using the optional Key Management Module and/or DPAPI, be advised that an administrator may be able to access user business or personal credentials stored in Password Manager if the administrator logs on as this end user. For additional security, end users can be asked to verify the user’s identity with unique user-provided information. This provides an additional layer of protection for the user’s secondary credentials.

Regional government user computing regulations may require that you notify your end users about the possible security and privacy implications of deploying the Key Management Module and DPAPI security configurations. Review your company policies and determine what kind of notification, if any, is required for your end users.

Citrix, ICA (Independent Computing Architecture), and Program Neighborhood are registered trademarks, and Citrix Presentation Server, Citrix Password Manager, and SpeedScreen are trademarks of Citrix Systems, Inc. in the United States and other countries.

This product includes software developed by The Apache Software Foundation (http://www.apache.org/)

Trademark Acknowledgements

Adobe, Acrobat, and PostScript are trademarks or registered trademarks of Adobe Systems Incorporated in the U.S. and/or other countries.

Java, Sun, and SunOS are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. Solaris is a registered trademark of Sun Microsystems, Inc. Sun Microsystems, Inc. has not tested or approved this product.

Portions of this software are based in part on the work of the Independent JPEG Group.

Portions of this software contain imaging code owned and copyrighted by Pegasus Imaging Corporation, Tampa, FL. All rights reserved. Macromedia and Flash are trademarks or registered trademarks of Macromedia, Inc. in the United States and/or other countries. Microsoft, MS-DOS, Windows, Windows Vista, Windows Media, Windows Server, Windows NT, Win32, Outlook, ActiveX, Active Directory, and DirectShow are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

Netscape and Netscape Navigator are registered trademarks of Netscape Communications Corp. in the U.S. and other countries. Novell Directory Services, NDS, and NetWare are registered trademarks of Novell, Inc. in the United States and other countries. Novell Client is a trademark of Novell, Inc.

RealOne is a trademark of RealNetworks, Inc.

Licensing: Globetrotter, Macrovision, and FLEXlm are trademarks and/or registered trademarks of Macrovision Corporation. All other trademarks and registered trademarks are the property of their respective owners.

(3)

Welcome

Citrix Password Manager provides password security and single sign-on access to Windows, Web, and host-based applications running in the Citrix environment as well as local applications running on the desktop. Users authenticate once and Password Manager does the rest, automatically logging on to password-protected information systems, enforcing password policies, monitoring all password-related events, and even automating user tasks, including password changes. This chapter describes the following:

• “Password Manager Components” on page 11 • “Password Manager Product Line” on page 15 • “About this Document” on page 18

• “Getting More Information and Help” on page 20

Password Manager Components

The following sections briefly describe Password Manager’s components you need to install to start using Password Manager. For detailed information, see “Planning Your Password Manager Environment” in the Citrix Passwordd

Manager Installation Guide.

The main components of Password Manager are: • The Central Store

(12)

The Central Store

The central store is a centralized repository used by Password Manager to store and manage user and administrative data. User data includes user credentials, security question answers, and other user-focused data. Administrative data includes password policies, application definitions, security questions, and other wider-ranging data. When a user signs on, Password Manager compares that user’s credentials to those stored in the central store. As the user opens password-protected applications or Web pages, the appropriate credentials are drawn from the central store.

Password Manager Console

The Password Manager Console is the command center of Password Manager. From the console, you manage the users’ Password Manager experience. Here, you configure how Password Manager will work, which features will be deployed, which security measures will be used, and other important password-related settings.

The console has four main items, or nodes, in the left pane. By selecting a node, tasks specific to that node appear. These nodes are:

• User Configurations

These configurations allow you to tailor particular settings for your users based on their geographic locations or business roles. The settings of the other three nodes are used to create user configurations.

• Application Definitions

These definitions provide the information necessary for the Agent software to supply user credentials to applications, and to detect error conditions if they occur. You can use the application definition templates supplied with Password Manager to speed this process, or create your own customized definitions for applications that cannot use these templates. Additional templates are located at:

http://www.citrix.com/passwordmanager/gettingstarted

• Password Policies

(13)

• Identity Verification

The security questions you create provide an added layer of security to your agent software by protecting against user impersonation, unauthorized password changes, and unauthorized account unlocking. Users who enroll and answer your security questions can then verify their identity by providing the same answers when challenged. Once verified, the users can perform self-service tasks to their account, such as resetting their primary password or unlocking their user account. The security questions can also be used for key recovery.

Password Manager Agent Software

The Password Manager Agent is the software users need on their client devices to act as an intermediary between users and their applications.

When a user tries to access an application that requires authentication, the agent software intercepts the application’s request for authentication, finds the correct credentials, and submits them to the application.

In addition, the Password Manager Agent can provide users with a wide array of features. Which features the users actually receive is determined by the

administrative settings you make in their user configurations. See “Password Manager Settings List” on page 199 for the specific settings available to you. Password Manager Agent features include:

• Notification area icon

The Password Manager Agent’s notification area icon provides access to the Logon Manager and other Password Manager functionality, such as security question registration, pausing, and online Help.

• Logon Manager

The Logon Manager provides a user interface where credentials can be created, viewed, edited, and deleted. Users can also conduct security question registration and access online Help from the Logon Manager. The File menu provides the user with much of the available access: • The New Logon command allows users to add new Windows-,

Web-, or host-based application credentials to Password Manager. • The Properties command gives the user access to properties

associated with the credentials for the specified application. From there, the user can change the password, user ID, and other logon information.

(14)

• The Copy command provides a duplicate set of the selected credentials that the user can then edit to create multiple sets of credentials for single applications.

Other commands you can give users access to include:

• The Reveal Passwords command, from the View menu, allows the user to display the passwords of the applications listed in Logon Manager

Note: Password policy settings for revealing passwords override this command. If you do not want users to reveal the password for an application, be sure to set the password policy to prevent this.

• The Security Question Registration command, from the Tools menu, gives the user the option to restart the Security Question Registration wizard and provide new answers to the security questions.

• The Account Association command, from the Tools menu, allows the user to create an association between accounts on different domains. By using this feature, the user’s credentials are synchronized, with password changes carried across domains.

• Automated new logon setup

Users can set up new logon credentials quickly using the New Logon wizard. The Password Manager Agent detects when an application or Web site requests logon information. If the user’s credentials are not already stored in Password Manager, the New Logon wizard automatically appears, offering to store them.

• User mobility

The Password Manager Agent supports remote and mobile users. By obtaining a license before disconnecting, remote users can access their credentials when they are disconnected from the corporate network. Mobile users can move from one computer to another and multiple users can securely share one workstation.

The Password Manager Service

The Password Manager Service runs on a Web server that provides the foundation for optional features included in this release. Install the Password Manager Service if you plan to implement at least one of the following modules: • Self-Service, which allows users to reset their Windows passwords and

(15)

• Data Integrity, which protects data from being compromised while in transit from the central store to the agent

• Key Management, which provides users with the capability to recover their secondary credentials when their primary password changes, either with automatic key recovery or after answering security questions with question-based authentication.

• Provisioning, which allows you to use the console to add, remove, or update Password Manager user data and credential information

• Credential Synchronization, which synchronizes user credentials among domains using a Web service

If you are not implementing the modules mentioned above, do not install the Password Manager Service. For more information about the Password Manager Service, see “Installing and Configuring the Password Manager Service” in the

Citrix Password Manager Installation Guide.

Password Manager Product Line

Password Manager is now available in two editions: • Password Manager Advanced Edition

• Password Manager Enterprise Edition

In addition, Citrix Presentation Server 4.5 with Feature Pack 1, Platinum Edition, includes a feature comparable to Password Manager Enterprise Edition called Single Sign-on Powered by Password Manager.

Password Manager Advanced Edition

The Advanced Edition of Password Manager increases your organization’s security with:

• Strong password policy options • Automated password generation

• Automatically started Password Change Wizard option

(16)

Password Manager Enterprise Edition

The Enterprise Edition of Password Manager is designed for the most demanding and complex enterprise environments. The Enterprise Edition:

• Provides additional security, user self-service, and on-site user mobility features and performance.

• Reduces calls to the help desk through user self-service features that enable users to change their own Windows password and unlock their account. • Allows on-site mobile workers to quickly access information with Hot

Desktop, which facilitates fast user switching at shared workstations. • Includes enterprise security features such as integration with smart cards,

Kerberos, and Federated Environment Support (ADFS and SAML).

Password Manager Advanced versus Enterprise

Editions

User Features Advanced Edition Enterprise Edition

Single sign-on to Windows applications X X

Single sign-on to Web applications X X

Single sign-on to host-based terminal emulator applications X X

Citrix Access Client X X

Localized user interface X X

Support for SAPGUI, Internet Explorer 7 (32-bit, 64-bit) X X

Self-service password reset X

Self-service account unlock X

Self-service feature integration with Web Interface X

Hot Desktop fast user switching X

Hot Desktop/SmoothRoaming integration X

Account association X Security Features Advanced Edition Enterprise Edition

Automated password change X X

(17)

New Features in Citrix Password Manager 4.6

Citrix Password Manager 4.6 includes the following:

Encrypted passwords in memory, storage, during transmission X X

Password policy enforcement—automatic password changes X X

Password policy enforcement—manual password changes X X

Password expiration X X

Password token and biometric support X X

Smart card support X

Cryptographic data integrity assurance X X

Kerberos and Federated Environment Support (ADFS, SAML) X

Administrator Features

Advanced Edition

Enterprise Edition

Batch credential provisioning X X

Integration with user provisioning products X X

Windows NT file share support X X

Microsoft Active Directory support X X

Novell NetWare network share support X X

LDAP directory support X X

Administration by Active Directory groups X X

Citrix Streaming Server support X X

Citrix Access Management Console X X

Platinum-integrated licensing X X

Windows Server 2003 64-bit compatibility X X

Named user licensing X X

Concurrent user licensing [Citrix Password Manager for Presentation Server only]

(18)

Windows Vista Support for Password Manager Agent

Password Manager Agent now offers its full range of features in the Windows Vista environment. For the full list of environments supported by Password Manager, see “Password Manager Console and Agent Requirements” and “Password Manager Service Requirements” in the Citrix Password Manager

Installation Guide.

Improved Credential Provisioning

Application credentials can now be provisioned to users any time their Password Manager Agent is running. Previously, provisioning could be carried out only during the agent software startup process.

Multiple Domain Service Support

Password Manager now enables you to share the Password Manager Service among users in different domains. You can install the Password Manager Console on computers in different domains and then create one or more user

configurations in each domain.

Masked Security Answers for Question-Based Authentication

Password Manager now provides you the option to mask user answers to question-based authentication security questions. If enabled, users’ answers are protected during answer registration and when provided for identity verification.

Account Self-Service Available When the Computer is Locked

The Account Self-Service button, which has been available on the Windows logon dialog box, is now also available on the Unlock Computer dialog box. This feature enables users to reset their network password or unlock their Windows domain accounts.

Note: Account Self-Service is available with the Enterprise Edition only.

About this Document

The overall objectives of this guide are to provide you with:

• An understanding of the features and functionality of Password Manager • Instructions and tips to help you create and maintain the optimum password

(19)

Audience and Assumptions

This document is intended for use by system and security administrators who are implementing Password Manager. It is assumed that you, the reader, have a basic understanding of Windows Server administration. You must have a working knowledge of Novell NetWare if this is the platform you are using to install or maintain Password Manager.

Providing Feedback about this Document

To provide feedback about the documentation, go to http://www.citrix.com and click Support > Knowledge Center > Product Documentation. To access the feedback form, click the Submit Documentation Feedback link.

Document Conventions

Citrix product documentation uses the following typographic conventions for menus, commands, keyboard keys, and items in the program interface:

Convention Meaning

Boldface Commands, names of interface items such as text boxes, option buttons, and user input.

Italics Placeholders for information or parameters that you provide. For example, filename in a procedure means you type the actual name of a file. Italics are also used for new terms and the titles of books.

%SystemRoot% The Windows system directory, which can be WTSRV,

WINNT, WINDOWS, or any other name you specify when you install Windows.

Monospace _{Text displayed in a text file.}

{ braces } A series of items, one of which is required in command

statements. For example, { yes | no } means you must type

yes or no. Do not type the braces themselves.

[ brackets ] Optional items in command statements. For example,

[/ping] means that you can type /ping with the command.

Do not type the brackets themselves.

| (vertical bar) A separator between items in braces or brackets in command statements. For example, { /hold | /release | /

delete } means you type /hold or /release or /delete.

… (ellipsis) You can repeat the previous item or items in command

(20)

Getting More Information and Help

This section discusses the documentation for this release. It also describes how to get more information about Password Manager.

The following topics are explored: • Product Documentation • Getting Service and Support • Subscription Advantage • Education and Training

Product Documentation

Password Manager contains a robust library of documentation. Much of this documentation can be found on the Citrix Web site (http://www.Citrix.com). Direct links to the documentation are in the

Password_Manager_Read_Me_First.html file in the Documentation folder on the product CD.

Pre-Installation Update Bulletin

The Pre-Installation Update Bulletin contains installation-related information developed after the Readme file was completed. The bulletin is available at

http://support.citrix.com/article/CTX110783.

Password_Manager_Read_Me_First

Also known as Welcome to Citrix Password Manager, the

Password_Manager_Read_Me_First.html document is located in the

Documentation folder of the product CD. The document contains direct links to the library of Password Manager documentation on the Citrix Web site.

Readme file

The Readme file provides information about Password Manager functionality, known issues, changes, and other important information developed after the

Citrix Password Manager Administrator’s Guide was completed. Be sure to read

this before installing Password Manager. It is located on the Citrix Web site and can be accessed directly through Password_Manager_Read_Me_First.html.

Getting Started with Citrix Licensing Guide

The licensing process for Password Manager changed since the release of Password Manager 4.1. See Getting Started with the Citrix Licensing Guide, available from the Citrix Web site and accessible through

(21)

Note: Guides are provided as Adobe Portable Document Format (PDF) files. To view, search, and print PDF documents, you need to have Adobe Acrobat Reader 5.0.5 with Search, or Adobe Reader 6.0 or later. You can download these products for free from Adobe Systems’ Web site at http://www.adobe.com/.

Citrix Password Manager Installation Guide

The Citrix Password Manager Installation Guide provides procedures for the installation and upgrade of Password Manager. It is located on the Citrix Web site and can be accessed directly through Password_Manager_Read_Me_First.html.

Citrix Password Manager Administrator’s Guide

The Administrator’s Guide, the document you are currently reading, provides conceptual information and instructions for system administrators who maintain, configure, and test the components of Password Manager. It is located on the Citrix Web site and can be accessed directly through

Password_Manager_Read_Me_First.html.

Installation Checklist

This document provides a quick, concise prompt for administrators experienced at installing Password Manager. It approaches the installation process from a broad perspective and is not meant as a substitute for this Installation Guide. It is located on the Citrix Web site and can be accessed directly through

Read_Me_First.html.

Online Help for Administrators and Users

Administrators now have a robust set of Help topics based on the Installation Guide and Administrator’s Guide. Administrators can now view information about common tasks, workflow, and settings on the screen.

Users can get information about common tasks, including adding logon information for applications, using the Logon Manager, and setting Password Manager automatic features. Users can access Help through Help menus or Help buttons.

Citrix Password Manager Evaluator’s Guide

(22)

Getting Service and Support

Citrix provides technical support primarily through the Citrix Solutions Advisors Program. Contact your supplier for first-line support or check for your nearest Solutions Advisor at http://www.citrix.com.

In addition to the Citrix Solutions Advisors Program, Citrix offers a variety of self-service, Web-based technical support tools from its Knowledge Center at

http://support.citrix.com/. Knowledge Center features include:

• A knowledge base containing thousands of technical solutions to support your Citrix environment.

• A Web-based product documentation library. • Interactive support forums for every Citrix product. • Access to the latest hotfixes and service packs. • Security bulletins.

• Web-based problem reporting and tracking (for users with valid support contracts).

• Citrix Live Remote Assistance. Using Citrix’s remote assistance product, GoToAssist, a member of our support team can view your desktop and share control of your mouse and keyboard to get you on your way to a solution.

Another source of support, Citrix Preferred Support Services, provides a range of options that allows you to customize the level and type of support for your organization’s Citrix products.

Subscription Advantage

Subscription Advantage gives you an easy way to stay current with the latest server-based software functionality and information. During your subscription period, you get automatic delivery of:

• Feature releases • Software upgrades • Enhancements • Maintenance releases

(23)

You can find more information about subscribing on the Citrix Web site at

http://www.citrix.com/services/ (click Subscription Advantage). You can also contact your Citrix sales representative or a member of the Citrix Solutions Advisors Program for more information.

Education and Training

Citrix offers a variety of instructor-led training and Web-based training solutions. Instructor-led courses are offered through Citrix Authorized Learning Centers (CALCs). CALCs provide high-quality classroom learning using professional courseware developed by Citrix. Many of these courses lead to certification. Web-based training courses are available through CALCs, resellers, and from the Citrix Web site.

(24)

(25)

Using Password Policies to Enforce

Password Requirements

Citrix Password Manager enables you to define rules to control the characteristics of the passwords stored by your users and required by single sign-on (SSO) enabled applications. These rules comprise password policies that you can apply to all users or to specific groups of applications as determined by your

organization’s needs.

This section describes how to create password policies within your Password Manager environment. See also “What about Password Policies for Application Access?” in the Citrix Password Manager Installation Guide.

• “Overview of Password Policies” on page 25

• “Creating Password Policies: the Password Policy Wizard” on page 27 • “Helping to Increase Password Strength and Security In Your

Environment” on page 34

Note: Citrix Presentation Server provides policy rules that allow you to configure and control which users can access Password Manager when they connect to servers and published applications in the server farm. See the

Presentation Server Administrator’s Guide for more information.

Overview of Password Policies

Password Manager includes two standard password policies named Default and Domain, which cannot be deleted. These policies can be used as is, copied, or modified to suit your enterprise policies and regulations.

(26)

Note: Because Password Manager applies the Default password policy to user-added applications, ensure that you configure the Default policy to be as broad as needed to accept passwords for those applications for which you allow passwords to be stored.

You can create as many policies as you need in your enterprise. For example, you can apply one policy for your domain sharing group, and create individual policies to apply to individual groups of applications to define the requirements further. A password policy allows you to:

• Automate password changes for applications

• Implement security schemes that include complex passwords and application-specific passwords not visible to the users

• Define password expiration for applications, even if the application does not have a password expiration feature

Note: When users change their passwords, Password Manager can check the old password against the new password. This option helps prevent users from reusing passwords for the same application twice in a row. See “Set Password History and Expiration” on page 31. Also see “Password Policies Enforcement” on page 27.

Password Sharing Groups

Users might have a single password that is used for multiple applications (in a suite of products, for example). This scheme is known as password sharing, where the same authentication authority is used for the applications.

(27)

Domain Password Sharing Groups

Domain password sharing groups differ from other password sharing groups because the user's domain password is used as the master password for the application group. When the user changes the domain password, the agent software ensures that the change is reflected in the credentials for all other applications in the group. Only the domain password can be changed; users cannot initiate password changes on any of the other applications in the group unless the administrator removes the application from the domain password sharing group.

Password Policies Enforcement

Password Manager enforces password policies upon password change events, regardless of whether the password is user-defined or automatically generated by Password Manager.

A password policy is not enforced when:

• A user registers with Password Manager (during first-time use) • A user edits a password from the agent software Logon Manager • An administrator creates an application definition

Password Manager also does not enforce a password policy on existing

passwords (that is, those created before Password Manager is implemented in the enterprise) because users might be denied access to applications or resources that they are already using.

Creating Password Policies: the Password Policy Wizard

Important: When creating a custom password policy or modifying existing policies, ensure that your enterprise requirements and application requirements match. For example, if you create a policy that does not at least match an application’s requirements, your users might not be able to authenticate to that application.

“Default Settings for the Default and Domain Password Policies” in the Citrix

Password Installation Guide describes the default settings for these policies.

When you create a new password policy in the wizard described here, Password Manager uses the default settings for the Default policy. You can then change your settings as needed and apply the newly created policy to your desired application group.

(28)

• “Set Basic Password Rules” on page 28 • “Set Alphabetic Character Rules” on page 29 • “Set Numeric Character Rules” on page 29 • “Set Special Character Rules” on page 29

• “Set Exclusion Rules (Excluding Specific Characters)” on page 30 • “Set Password History and Expiration” on page 31

• “Test Password Policy” on page 32 • “Establish Logon Preferences” on page 33

• “Customize Password Change Wizard” on page 33

To start the Password Policy Wizard

1. Click Start > Programs > Citrix > Management Consoles > Access Management Console.

2. Expand the Password Manager node and select Password Policies. 3. In the Common Tasks area, click Create new password policy.

The Password Policy wizard appears.

4. Type a name and description for the password policy and click Next.

Set Basic Password Rules

This page enables you to set the basic rules for configuring minimum and maximum password length and allowable repeating characters in the password.

Password length

Specify the minimum number of characters required. The minimum allowed value is 0. The maximum allowed value is 128. Ensure that the values you set here match the SSO-enabled application requirements for password length.

Character occurrence in passwords

• Maximum number of times a character can occur

This setting can be a value between one and 128 (default value is six). • Maximum number of times the same character can occur sequentially

(29)

Set Alphabetic Character Rules

This page enables you to define the use of uppercase and lowercase alphabetic characters for user passwords. You can control the following settings:

• Allow lowercase characters

• Password can begin with a lowercase character • Password can end with a lowercase character

• Minimum number of lowercase characters required (default is zero, maximum value is 128)

• Allow uppercase characters

• Password can begin with an uppercase character • Password can end with an uppercase character

• Minimum number of uppercase characters required (default is zero, maximum value is 128)

Set Numeric Character Rules

This page enables you to define the use of numeric characters for user passwords. You can control the following settings:

• Allow numeric characters

• Password can begin with a numeric character • Password can end with a numeric character

• Minimum number of numeric characters required (default is zero, maximum value is 128)

• Maximum number of numeric characters allowed (default is 20, maximum value is 128)

Set Special Character Rules

This page enables you to define the use of special (alphabetic and non-numeric) characters for user passwords. You can control the following settings: • Allow special characters

(30)

• Minimum number of special characters required (default is zero, maximum value is 128)

• Maximum number of special characters allowed (default is 20, maximum value is 128)

• The allowed special characters list includes the following: ! @ # $ ^ & * ( ) _ - + = [ ] \ | ? ,

Set Exclusion Rules (Excluding Specific

Characters)

This page enables you to prevent specific characters or groups of characters from being used in passwords, such as common words or easily-guessed sequential groups of characters like abc123 or asdfjkl. You can also prevent the use of passwords that include all or part of Windows and individual application user names.

• You can specify up to 256 different groups of characters to be excluded • Each group of characters can be from one to 32 characters long

• The characters within the groups are not case-sensitive; an exclusion list that includes abcdefg also prevents the use of AbCDefG in a password • Additionally, an exclusion list that includes a group of characters such as

defg also prevents the group of characters abcdefg from use

To create an exclusion list

1. Click Edit List.

The Edit Exclusion List window appears.

2. Type the characters or groups of characters you want to exclude from passwords.

• You can copy and paste text from a text editor into the text field in the window

• You can type one character or group of characters per line (press Enter after each line to separate each entry)

• Each group can contain up to 32 characters • Characters are not case sensitive

(31)

• Do not allow application user name in password

Select this option to prevent the entire application user name from being used in the password.

Select Do not allow portions of application user name in password to disallow parts of the application user name from being used in the password. Number of characters in portion enables you to specify the number of characters from the user name that would prevent the password from being used.

For example, if set to four, a user password could not be formed that included the characters citr, trix, or itri with a user name of citrix.4 • Do not allow Windows user name in password

Select this option to prevent the entire Windows user name from being used in the password.

Select Do not allow portions of Windows user name in password to disallow parts of the Windows user name from being used in the password. Number of characters in portion enables you to specify the number of characters from the user name that would prevent the password from being used.

For example, if set to four, a user password could not be formed that included the characters citr, trix, or itri with a user name of citrix.4

Set Password History and Expiration

This page enables you to enforce the use of new passwords when older passwords expire. The password history is maintained for each application managed by Password Manager.

After this option is applied to an application or application group, any password changes made after the policy is active are retained in the user’s password history. Password changes made before the policy is active are not retained or used to prevent password reuse.

(32)

Password History

• New password must not be the same as previous passwords Select this option to require a new password when a user’s password expires. You can optionally prevent users from reusing up to 24 passwords previously used within your Password Manager environment.

Password Expiration

Note: The password expiration option notifies users only that a password will or has expired. Your users can use expired credentials, but are shown password change reminders or password change requests until the password is changed in Logon Manager.

Application definitions also enable you to run a script when passwords expire. You can also use the built-in Password Manager password expiration warning. Password expiration settings in Password Manager are independent of any password expiration settings built into software applications.

• Use the password expiration settings associated with the application definitions

Select this option to specify password expiration settings. These settings are associated with the application definition to which this password policy applies. You can select the number of days until the current password expires and the number of days to warn the user before the password expires.

Test Password Policy

This page enables you to test your policies before implementing them in your environment. It helps ensure that they work as intended and that a reasonable pool of passwords is available to your users.

Using the Test Password Policy page, you can: • Click Test to manually test a password

• Click Generate to have Password Manager create a single password policy-compliant password

(33)

Establish Logon Preferences

This page enables you to control agent settings related to credential submission and logon errors.

• Allow users to reveal passwords for applications

Select this option to allow users to see the password associated with the applications in the user configuration. This option controls whether the Reveal button in Logon Manager is available.

Note: To allow users to see their application passwords, you must also enable the Allow users to reveal all passwords in Logon Manager option in the the user configuration associated with this password policy. See “Configure Agent Interaction” on page 91.

• Force user to re-authenticate before submitting application credentials Select this option to force users to type their primary logon credentials before the Password Manager Agent submits their credentials to an application. This setting is useful for applications that access confidential or sensitive information because it forces users to verify their identities. • Number of logon retries

This setting enables you to limit the number of additional times the agent software can submit credentials to an application or resource. If you set the value to 0, an error message appears upon the second attempt to submit credentials.

• Time limit for number of retries

Specify the amount of time (in seconds) during which the agent software is allowed to continue to submit credentials after the initial submission to the application or resource. The Number of logon retries setting determines how many logon retries are allowed during this time period.

Customize Password Change Wizard

This page enables you to customize the behavior of the Password Change Wizard, which is launched when users need to change their password. The Password Change Wizard responds to Password Change forms and can guide users through the password change process.

You can select one of the following options:

(34)

• Only allow users to create their own password

When selected, the Password Change Wizard requires users to type a new password.

• Only allow users to choose a system-generated password

When selected, the Password Change wizard does not allow users to type a new password but automatically uses a system-generated password. • Generate a password and submit it to the application without

displaying the Password Change Wizard

When selected, the wizard automatically submits a system-generated password. Users might see password change form fields being

automatically filled in and any response from the application indicating if the password change succeeded or failed.

Helping to Increase Password Strength and Security In

Your Environment

As the Password Manager administrator, you can help increase the strength of user passwords by controlling them with intelligently-created password policies. As usual, only you can balance having stronger passwords with ease-of-use for all users in your enterprise.

Consider the following.

• Use the Provisioning Module to preset user passwords. Users do not need to know passwords in this case, and prevents them from accidentally revealing them. This technique requires coordination between the user configuration and the password policy that is associated with it.

• Require users to change their passwords at regular intervals. • Do not allow blank passwords.

• Do not allow users to reveal passwords.

• Make sure that passwords are not reused or repeated.

• Do not allow user or application names to be part of the password. • Force users who have regular access to confidential or sensitive

(35)

Using and Managing Application

Definitions

The Citrix Password Manager Agent recognizes and responds to applications based on the settings identified in application definitions.

The application definitions contain forms that allow the agent software to analyze each application as it is started, recognize certain identifying features, and determine if the starting application requires the agent software to perform some specific action such as:

• Submit user credentials at a logon prompt • Negotiate a credential changing interface • Process a credential confirmation interface

Application definitions consist of sets of specific user credential form recognition and action characteristics referred to as form definitions, and the set of

configuration options that apply to all the forms in the configuration. The form definition settings are defined to recognize when an application requests a specific user credential action, and further defines the actions that must be performed to process those credentials.

An application definition is a collection of all the user credential management forms associated with a single application.

Although most applications and their corresponding application definitions use only two forms for managing user credentials, as many forms as an application requires for managing user credentials can be defined and contained in a single application definition.

(36)

To simplify the application definition process, a variety of predefined application definition templates can be imported into the Password Manager from the Citrix Web site (http://www.citrix.com/passwordmanager/gettingstarted). This site provides an interactive exchange where Citrix Consultants, Sales Engineers, System Integrators, and Password Manager administrators share application definitions.

By sharing application definitions, single sign-on enabling application definitions can be implemented with less effort and more confidence. Using predefined application definition templates should always be the first choice for administrators as they define application definitions for their environment. To create application definitions for applications that do not have predefined application templates, the application definition support interface has an Application Definition wizard used to configure the characteristics associated with all the forms included in the definition, and a Form Definition wizard that leads administrators through a step-by-step procedure to define support for Windows, Web, and host-based applications.

Password Manager also provides the ability to perform external application discovery and action processing support. This feature allows third-party

implementers to extend the application detection and credential submission tasks associated with a form by providing access to external processes during the application detection and action submission processing phases in the Password Manager Agent.

All these features combine to provide Password Manager administrators a flexible and adaptable application definition development environment to support their user community with secure and flexible single sign-on access to critical applications.

Topics described in this chapter include the following: • “Overview of Application Templates” on page 37

• “How the Password Manager Agent Identifies Applications and User Credential Management Events” on page 40

• “Windows Type Application Definitions” on page 46 • “Web Type Application Definitions” on page 63

(37)

Overview of Application Templates

Application templates are XML files that are used to share application definitions between different Citrix Password Manager environments. Application templates save time and effort because they are converted to application definitions with minimal administrator intervention or configuration. Templates require the administrator to supply some information to complete the application definition, but the information required is usually limited to a URL or executable file name, password expiration, and any advanced detection settings.

Application templates are installed using the Password Manager Console or the Application Definition Tool. Both of these tools include application templates for commonly-used Windows and Web applications.

Additional templates are located on the Citrix Web site

(http://www.citrix.com/passwordmanager/gettingstarted). You can also create application templates and share them with other Citrix administrators by uploading them to the Web site.

When an application template cannot be found for an application, an application definition can be created using the Password Manager Console or the Application Definition Tool (see “How the Password Manager Agent Identifies Applications and User Credential Management Events” on page 40 for additional information).

Managing Application Definitions Using

Templates

To add an application definition with a template, you must first make sure the template is available in your Password Manager environment. As previously stated, administrators can obtain application templates from the Web or, if you’ve created your own application templates and saved them to a network share, you can import them from the network share.

After an application template is imported to your environment, use it to create an application definition. Templates can also be created from application definitions. These templates can be used to archive application definitions, or share

application definitions with other Password Manager administrators.

Use the following procedures to manage application definitions using templates: • “Obtaining Application Templates from the Web” on page 38

• “Importing Application Templates from a Network Share” on page 38 • “Adding an Application Definition Using a Template” on page 38 • “Creating Application Templates” on page 39

(38)

Obtaining Application Templates from the Web

Use the following procedure to download application templates from the Citrix Web site (http://www.citrix.com/passwordmanager/gettingstarted):

1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.

2. Select the Application templates on the web hyperlink to open the Password Manager Applications Definitions Web page.

3. Select the application template to import.

4. Save the template XML file to a location that is accessible from your Password Manager Console.

5. Click Close when the download is complete.

6. Follow the steps in “Importing Application Templates from a Network Share” on page 38

Importing Application Templates from a Network Share

Use this procedure to import an application template from a network share: 1. With the Application Definition node highlighted in the left panel of the

Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.

2. Click Import Template.

3. Locate the template XML file and click Open. The template you just imported now appears on the list in the Manage Templates dialog box. 4. Follow the steps in “Adding an Application Definition Using a Template”

on page 38.

Adding an Application Definition Using a Template

Use this procedure to add an application definition using a template: 1. Launch the application you want to define.

2. Open the console or the Application Definition Tool on the device where the application you want to define is running.

3. From the Action menu of the console or File menu of the Application Definition Tool, select Create Application Definition.

(39)

5. Designate the Starting format by selecting Create from application template.

6. Choose the template from the drop-down list. The drop-down list displays templates for the selected application type.

7. Click Start Wizard.

8. Provide the information required to complete the application definition (see “Application Definition Wizard Overview” on page 42 for additional information).

9. Verify that the new application definition is listed in the Application Definitions node of the console.

Alternatively, you can start an application definition from the Manage Templates dialog box using the following procedure.

Creating an Application Definition From an Imported Template

1. With the Application Definition node highlighted in the left panel of the Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.

2. Highlight an application template name and click Create Application Definition. This action starts the Application Definition wizard for the application type associated with the template.

3. Provide the information required to complete the application definition (see “Application Definition Wizard Overview” on page 42 for additional information).

4. Verify that the new application definition is listed in the Application Definitions node of the console.

If you are running an application that does not have a template, use the Password Manager Console or the Application Definition Tool to create application definitions for that application (see “How the Password Manager Agent Identifies Applications and User Credential Management Events” on page 40 for additional information). After creating an application definition, create a template that can be exported for archival purposes or for use by other Password Manager administrators by uploading it to the Citrix Web site

(http://www.citrix.com/passwordmanager/gettingstarted).

Creating Application Templates

Use this procedure to create a template from an existing application definition: 1. With the Application Definition node expanded in the left panel of the

(40)

2. Select the Save as template option to open the Save as Template dialog box.

3. To archive the template or share it with other Password Manager

administrators, export the template into an XML format. Follow the steps described in “Exporting Application Templates” on page 40.

Exporting Application Templates

Use this procedure to export a template from an exiting application definition: 1. With the Application Definition node highlighted in the left panel of the

Application Definition Tool or the Password Manager Console, select Manage templates from the Common Tasks options to open the Manage Templates dialog box.

2. Highlight the template in the list of available templates and click Export. 3. Define the name and the location to store the exported template definition

and click OK. The exported template is saved in the designated location. This template can be archived to preserve the data and/or made available to other Password Manager administrators

(http://www.citrix.com/passwordmanager/gettingstarted).

How the Password Manager Agent Identifies

Applications and User Credential Management Events

Application definitions are created using the Password Manager Console or the Application Definition Tool.

A single application definition supports all user credential management events associated with a single application including:

• Authenticating the user • Changing user credentials • Confirming credential changes

When creating an application definition, the type of application is identified after the Application Definition wizard starts. The selected application type determines the information that is collected.

Application definitions are categorized into three main types:

• Windows applications (including Java applications and the SAP LogonPad) • Web applications (including Java applets)

(41)

An application definition consists of:

• Application characteristics that apply to all forms included in the definition. These are defined using the Application Definition wizard.

• Form-specific data used to recognize each different credential management event associated with the application. These are defined using the Form Definition wizard that is started during the Application Definition wizard operation.

The application characteristics for all types of applications contain similar configuration information. However form-specific data contained in the application definition varies greatly based on the type of application being defined.

To create an application definition, the application must be accessible to the administrator from the computer where the application definition is created. Because some application signatures can vary depending on the underlying operating system, administrators must be careful to test application definitions in all the operating system environments that occur in their organization.

Any changes or upgrades to an application after an application definition is developed and deployed should be tested to ensure that there are no changes to the application signatures that would require a change to the application definition.

Identifying the Parts of the Application’s User

Interface

The user interface to an application includes different forms that are used to manage user credential management events associated with the application. For example, one form can be used to enter the logon credentials, another form can be used to change an application password, and yet another form can be used to confirm or acknowledge a successful change to user credentials.

Depending on the type of application being defined (Windows, Web, or Host), Password Manager uses a variety of different kinds of identifiers to uniquely respond to and identify the forms. These include but are not limited to the application type, window title, and the executable file name.

(42)

Application Definition Wizard Overview

All application definitions are initially created using the Application Definition wizard and the integrated Form Definition wizard.

The Application Definition wizard is started by selecting the Application Definitions node in the Citrix Access Management Console, and selecting the Create application definition task from the Common Tasks area.

The following information is collected for each type of application (Windows, Web, and Host) using the Application Definition wizard.

Identify Application

This page is used to define the application definition name and provide a description to the application definition. Any name you prefer can be defined as the application name.

Consider that:

• The name can be used to distinguish among multiple versions of the same application

• This is the name to look for in your central store

• Your agent software users will see this name and this description in the Logon Manager

Manage Forms

Most applications have separate forms for logon and password changes. Some applications also have separate forms that notify users of a successful password change or a failed password change.

Data Collected Windows Web Host

Identify application X X X

Manage forms X X X

Name custom fields X X X