Using Windows profiles with Password Manager and single sign-on
This article does not contain any information specific to Profile Management. It tells you how to configure certain Windows options so that Citrix Single Sign-on operates optimally with local profiles, roaming profiles, mandatory profiles, or hybrid profiles. This topic applies to Citrix Single Sign-on 4.8 or 5.0.
Local profiles
Local profiles are stored on the local server to which the user has logged on. Password Manager and single sign-on save registry information in the HKEY_CURRENT_USER\SOFTWARE\Citrix\MetaFrame Password Manager
hive of the User Registry at:
%SystemDrive%\Documents and Settings\%username%\NTUSER.DAT.
Files are also saved in:
%SystemDrive%\Documents and Settings\%username%\Application Data\Citrix\MetaFrame Password Manager.
On Windows 7, single sign-on uses:
%APPDATA%\Roaming\Citrix\MetaFrame Password Manager
Important: It is critical that single sign-on has Full Control Access to the following files:
File Name | Description |
---|---|
%username%.mmf | User’s credential information file with pointers to aelist.ini. |
entlist.ini | Application definition file created at enterprise level in the synchronization point or Active Directory. |
aelist.ini | Application definition file created by merging user’s local application definition file (applist.ini) and the enterprise application definitions (entlist.ini). |
Roaming profiles
Roaming profiles are saved on a network share and synchronized to a local server copy each time the user logs on. Characteristics of a successful roaming profile deployment include high-speed network connectivity such as a SAN (System Area Network) or NAS (Network Area Storage). Other common deployments include clustering solutions where the profiles are stored on high-availability servers.
Two issues affect roaming and mandatory profile deployments:
- A single roaming profile can only be used with one file synchronization point. When multiple synchronization points are used, data in the Memory Mapped File (MMF) might become corrupted.
- When roaming profiles are used with multiple concurrent sessions, they share the back-end MMF. All active sessions share some common session data such as retry lock counters, last used data counters, and event log entries.
Mandatory or hybrid profiles
Mandatory profiles are by definition user read-only profiles. Single sign-on needs write permission to the profile folder under Application Data. With mandatory profiles, a user might make changes but the changes are not saved back to the profile at logoff. For single sign-on to work correctly with mandatory profiles, the Application Data Folder must be redirected.
The registry changes are written each time the user logs on. Credential information is synchronized with the synchronization point but the changes are not saved back to the profile.
Beginning with Windows 2000, Microsoft provides a mechanism for redirecting the Application Data folder. However, using Windows NT4 domains requires logon scripts capable of modifying the location of the Application Data folder. You can achieve this using tools such as Kix
or VBScript
to define a writeable location for the Application Data folder.
The following example uses Kix
to redirect the Application Data folder during user logon:
Important: This sample script is for informational purposes only. Do not use it in your environment before first testing it.
``` pre codeblock
$LogonServer = “%LOGONSERVER%” $HKCU = “HKEY_CURRENT_USER” $ShellFolders_Key = “$HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders” $UserShellFolders_Key = “$HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders” $UserProfFolder = “$LogonServer\profiles\@userID” $UserAppData = “$LogonServer\profiles\@userID\Application Data” $UserDesktop = “$LogonServer\profiles\@userID\Desktop” $UserFavorites = “$LogonServer\profiles\@userID\Favorites” $UserPersonal = “X:\My Documents” $UserRecent = “$LogonServer\profiles\@userID\Recent” if (exist(“$UserAppData”) = 0) shell ‘%ComSpec% /c md “$UserAppData”’ endif if (exist(“$UserDesktop”) = 0) shell ‘%ComSpec% /c md “$UserDesktop”’ endif if (exist(“$UserRecent”) = 0) shell ‘%ComSpec% /c md “$UserRecent”’ endif if (exist(“$UserFavorites”) = 0) shell ‘%ComSpec% /c md “$UserFavorites”’ endif ```
The hybrid profile is another solution for the mandatory profile issue. When the user logs on, the mandatory profile loads and a custom application loads and unloads user registry hives based on applications available to the user. As with mandatory profiles, the user can modify those parts of the registry during a session. The difference compared with mandatory profiles is that changes are saved when the user logs off and are reloaded when they log on again.
If a hybrid profile is used, the HKEY_CURRENT_USER\SOFTWARE\Citrix\MetaFrame Password
registry keys must be imported and exported as part of the logon and logoff process.
Folder redirection
Folder redirection is implemented using Group Policy Objects and Active Directory. It uses Group Policies to define a location for folders that are part of the user profile.
Four folders can be redirected:
- My Documents
- Application Data
- Desktop
- Start menu
Two modes of redirection can be configured using Group Policies: basic redirection and advanced redirection. Both are supported by single sign-on. In Windows 2000, you must reference the share that stores application data using the %username%
variable (for example \\servername\sharename\%username%).
Folder redirection is global for the user and it affects all of their applications. All applications that use the Application Data folder must support it.
Read the following Microsoft articles to learn more about folder redirection:
HOW TO: Dynamically Create Secure Redirected Folders By Using Folder Redirections
Folder Redirection Feature in Windows
Enabling the Administrator to Have Access to Redirected Folders
Best practices
- Redirect the Application Data folders where possible. This approach improves network performance, eliminating the need to copy the data in those folders each time users log on.
- When troubleshooting Password Manager Agent, always verify that the logged-on user has Full Control permission on their Application Data folder.