Profile Management

Enable credential-based access to user stores

By default, Citrix Profile Management impersonates the current user to access the user store. This behavior requires the current user to have permission to directly access the user store. By contrast, the Enable credential-based access to user stores policy lets Profile Management access the user store using the store’s own credentials.

This policy gives you more flexibility in deploying and accessing the user store. For example, this policy lets you deploy the user store on a file share that the current user doesn’t have permission to access, such as Azure Files. Or, you can enable this policy if you don’t want Profile Management to impersonate the current user when accessing user stores.

Note:

User stores come in two types in terms of how profiles are handled:

  • File-based. User profiles are fetched from the remote user store to the local computer on logon and written back on logoff.
  • VHDX-based. User profiles are stored in VHDX files (known as profile containers). Those VHDX files are attached on logon and detached on logoff.

This policy is available both for file-based and VHDX-based user stores. For Profile Management versions earlier than 2212, this policy is available only for VHDX-based user stores.

For more information about creating secure user stores, see Create a file share for roaming user profiles on the Microsoft TechNet website.

To let Profile Management access the user store by using the store’s own credentials, you must perform both of the following actions:

  • Enable the Enable credential-based access to user stores policy on each machine where Profile Management runs.
  • Add the store’s credentials to those machines.

You can use one of the following ways to achieve that goal: Workspace Environment Management (WEM) service and GPOs.

Note:

To ensure that NTFS permissions are retained for the VHDX-based user stores, you must put the entire profile in a profile container. For more information, see Enable the profile container for the entire user profile.

Enable credential-based access using the WEM service

Using WEM eliminates the need to enter the same credentials for each machine where Profile Management runs. You enable the policy and enter the credentials for the user store only once in the WEM service console. The WEM service then applies these settings to each machine.

Detailed steps are as follows:

  1. In the administration console, go to Policies and Profiles > Citrix Profile Management Settings > User Store Credentials.

  2. On the User Store Credentials tab, select the Enable credential-based access to user store check box.

    Selecting the Enable credential-based access to user stores check box in WEM

  3. Click Add. The New Credential dialog box appears.

    The New Credential dialog box in WEM

  4. Type the FQDN or IP address of your profile storage server and its credentials.

  5. Click OK.

Enable credential-based access using GPOs

When you choose to enable the policy using GPOs, you must manually add the credentials on each machine where Profile Management runs.

Enable the policy

Detailed steps are as follows:

  1. Open the Group Policy Management Editor.
  2. Access Policies > Administrative Templates: Policy definitions (ADMX files) > Citrix Components > Profile Management > Advanced settings, and then double-click Enable credential-based access to user stores.
  3. Select Enabled.
  4. Click OK.

Add the credentials to Windows Credential Manager

Profile Management uses the credentials saved on the machine to access the user store. Add the credentials for the user store to Windows Credential Manager on each machine where Profile Management runs. Detailed steps are as follows:

  1. Download PsExec from the Sysinternals website and unzip files to C:\PSTools.

  2. From the Start menu, right-click Command Prompt and select Run as administrator. A command shell starts.

  3. Run the C:\PSTools\PsExec -s -i cmd command. Another command shell starts.

    Note:

    The -s parameter indicates you’re running the tool using the Local System account. As a result, the credentials can be securely saved.

  4. In the new command shell, run the rundll32.exe keymgr.dll, KRShowKeyMgr command. The Stored User Names and Passwords dialog box appears.

  5. In the Stored User Names and Passwords dialog box, click Add.

  6. Type the FQDN or IP address of your profile storage server and its credentials, leave the default credential type as is, and then click OK.

Enable credential-based access to user stores