Profile Management

Enable credential-based access to user stores

By default, Citrix Profile Management impersonates the current user to access user stores, so the current user must have permission to access the user stores directly. Enable this feature if you do not want Profile Management to impersonate the current user when accessing user stores. With the feature enabled, you can put user stores in storage repositories (for example, Azure Files) that the current user has no permission to access.

The Enable credential-based access to user stores policy in the Local Group Policy Editor

To ensure that Profile Management can access user stores, save the profile storage server’s credentials in Workspace Environment Management (WEM) or Windows Credential Manager. We recommend that you use Workspace Environment Management, which eliminates the need to configure the same credentials on each machine where Profile Management runs. If you use Windows Credential Manager, use the Local System account to securely save the credentials.

Note:

To ensure that NTFS permissions are retained, you must put the entire profile in a profile container.

  • To save your profile storage server’s credentials in WEM, complete the following steps:

    1. In the administration console, navigate to Policies and Profiles > Citrix Profile Management Settings > User Store Credentials.

    2. On the User Store Credentials tab, select the Enable credential-based access to user store check box.

      Selecting the Enable credential-based access to user store check box in WEM

    3. Click Add. The New Credential dialog box appears.

      The New Credential dialog box in WEM

    4. Type the FQDN or IP address of your profile storage server and its credentials.
    5. Click OK to save your settings.
  • To save your profile storage server’s credentials in Windows Credential Manager, complete the following steps on each machine where Profile Management runs:

    1. Download PsExec from the Sysinternals website and unzip the files to C:\PSTools.
    2. Locate Command Prompt from the Start menu. Right-click the Command Prompt option and choose Run as administrator. A command shell starts.

      Run Command Prompt as an administrator

    3. Run the C:\PSTools\PsExec -s -i cmd command. Another command shell starts.

      New command shell after you run the C:\PSTools\PsExec -s -i cmd command

    4. In the new command shell, run the rundll32.exe keymgr.dll, KRShowKeyMgr command. The Stored User Names and Passwords dialog box appears.

      Run the rundll32.exe keymgr.dll, KRShowKeyMgr command

    5. In the Stored User Names and Passwords dialog box, click Add.

      The Stored User Names and Passwords dialog box

    6. Type the FQDN or IP address of your profile storage server and its credentials. Use the default credential type. Click OK.

      Type the FQDN or IP address of your profile storage server
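
A check that can be run after step 6, as an added example that is not part of the Citrix documentation: it confirms that the credential was saved in the Local System vault rather than in the administrator's own vault, which is what happens if step 3 is skipped. It assumes PsExec is at C:\PSTools as in step 1; `profiles.example.com` is a placeholder server name and `Test-StoredCredential` is a hypothetical helper.

```powershell
# Added example, not Citrix code. Run from an elevated PowerShell session.
param(
    [string]$Target = 'profiles.example.com',    # placeholder: FQDN or IP typed in step 6
    [string]$PsExec = 'C:\PSTools\PsExec.exe'    # location from step 1
)

function Test-StoredCredential {
    # Hypothetical helper: $true when "cmdkey /list" output contains an entry
    # whose target name ends in "target=<Target>" (match is case-insensitive).
    param($CmdkeyOutput, [string]$Target)
    $pattern = 'target=' + [regex]::Escape($Target) + '\s*$'
    return [bool](@($CmdkeyOutput) | Where-Object { $_ -match $pattern })
}

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated session; PsExec -s needs administrator rights.'
}
if (-not (Test-Path -LiteralPath $PsExec)) { throw "PsExec not found at $PsExec" }

# Vault of the account running this script (the administrator).
$adminVault = & cmdkey.exe /list

# Vault of Local System, read through PsExec -s, the same switch step 3 uses.
# PsExec writes its own status lines to stderr, so they are discarded here.
$systemVault = & $PsExec -accepteula -nobanner -s cmdkey.exe /list 2>$null

$inSystem = Test-StoredCredential -CmdkeyOutput $systemVault -Target $Target
$inAdmin  = Test-StoredCredential -CmdkeyOutput $adminVault  -Target $Target

if ($inSystem) {
    "OK: Local System has a stored credential for $Target."
} else {
    "MISSING: no credential for $Target under Local System. Repeat steps 3 to 6."
}
if ($inAdmin) {
    "WARNING: a credential for $Target is also stored under $($identity.Name). " +
    "If it was added by mistake outside the PsExec -s shell, remove it with: cmdkey /delete:$Target"
}
```

The script only lists stored entries; it never reads or prints the saved password.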
