
Using Windows profiles with Password Manager and Single Sign-on

Dec 07, 2016

This topic does not contain any information specific to Profile management. It tells you how to configure certain Windows options so that Citrix Single Sign-on operates optimally with local profiles, roaming profiles, mandatory profiles, or hybrid profiles. This topic applies to Citrix Single Sign-on 4.8 or 5.0.

Local profiles

Local profiles are stored on the local server to which the user has logged on. Password Manager and Single Sign-on save registry information under the HKCU\Software\Citrix\MetaFrame Password Manager key of the user's registry hive, which is located at:

%SystemDrive%\Documents and Settings\%username%\NTUSER.DAT.

Files are also saved in:

%SystemDrive%\Documents and Settings\%username%\Application Data\Citrix\MetaFrame Password Manager.

On Windows 7, Single Sign-on uses:

%APPDATA%\Roaming\Citrix\MetaFrame Password Manager

Important: It is critical that Single Sign-on has Full Control access to the following files:

File name         Description
%username%.mmf    User's credential information file, with pointers to aelist.ini.
entlist.ini       Application definition file created at enterprise level in the synchronization point or Active Directory.
aelist.ini        Application definition file created by merging the user's local application definition file (applist.ini) with the enterprise application definitions (entlist.ini).

Roaming profiles

Roaming profiles are saved on a network share and synchronized to a local server copy each time the user logs on. Characteristics of a successful roaming profile deployment include high-speed network connectivity such as a SAN (Storage Area Network) or NAS (Network Attached Storage). Other common deployments include clustering solutions where the profiles are stored on high-availability servers.

Two issues affect roaming and mandatory profile deployments:
  • A single roaming profile can only be used with one file synchronization point. When multiple synchronization points are used, data in the Memory Mapped File (MMF) may become corrupted.
  • When roaming profiles are used with multiple concurrent sessions, they share the same backend MMF. This means that all active sessions share some common session data such as retry lock counters, last used data counters, and event log entries.

Mandatory or hybrid profiles

Mandatory profiles are by definition user read-only profiles. Single Sign-on needs write permission to the profile folder under Application Data. With mandatory profiles, a user may make changes but the changes are not saved back to the profile at logoff. For Single Sign-on to work correctly with mandatory profiles, the Application Data Folder must be redirected.

The registry changes are written each time the user logs on. Credential information is synchronized with the synchronization point but the changes are not saved back to the profile.

Beginning with Windows 2000, Microsoft provides a mechanism for redirecting the Application Data folder. However, using Windows NT4 domains requires logon scripts capable of modifying the location of the Application Data folder. You can achieve this using tools such as Kix or VBScript to define a writeable location for the Application Data folder.

The following example uses Kix to redirect the Application Data folder during user logon:

Important: This sample script is for informational purposes only and should not be used in your environment without first testing it.
 
; Build per-user folder paths under the profiles share on the logon server.
$LogonServer = "%LOGONSERVER%"
$HKCU = "HKEY_CURRENT_USER"
$ShellFolders_Key = "$HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
$UserShellFolders_Key = "$HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
$UserProfFolder = "$LogonServer\profiles\@userID"
$UserAppData = "$LogonServer\profiles\@userID\Application Data"
$UserDesktop = "$LogonServer\profiles\@userID\Desktop"
$UserFavorites = "$LogonServer\profiles\@userID\Favorites"
$UserPersonal = "X:\My Documents"
$UserRecent = "$LogonServer\profiles\@userID\Recent"

; Create each writeable folder if it does not exist yet (exist() returns 0 when the path is absent).
if (exist("$UserAppData") = 0)
    shell '%ComSpec% /c md "$UserAppData"'
endif
if (exist("$UserDesktop") = 0)
    shell '%ComSpec% /c md "$UserDesktop"'
endif
if (exist("$UserRecent") = 0)
    shell '%ComSpec% /c md "$UserRecent"'
endif
if (exist("$UserFavorites") = 0)
    shell '%ComSpec% /c md "$UserFavorites"'
endif

The hybrid profile is another solution for the mandatory profile issue. When the user logs on, the mandatory profile loads and a custom application loads and unloads user registry hives based on applications available to the user. As with mandatory profiles, the user can modify those parts of the registry during a session. The difference compared with mandatory profiles is that changes are saved when the user logs off and are reloaded when they log on again.

If a hybrid profile is used, the HKEY_CURRENT_USER\Software\Citrix\MetaFrame Password Manager registry keys must be exported and imported as part of the logoff and logon process.
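The export and import of those keys, as an added PowerShell example that is not part of the Citrix documentation; the state-file location under the user's redirected Application Data folder is an assumption, as is the use of reg.exe rather than the hybrid-profile tool's own hive handling:

```powershell
# Added example (not from the Citrix topic). Export-SsoKeys runs at logoff,
# Import-SsoKeys at logon, so a hybrid profile does not lose the Single
# Sign-on keys. The state-file path is an assumed per-user location.
$SsoKey    = 'HKCU\Software\Citrix\MetaFrame Password Manager'
$StateFile = Join-Path $env:APPDATA 'Citrix\MetaFrame Password Manager\sso-keys.reg'

function Export-SsoKeys {
    # Nothing to save on a first logon where the agent has not created the key yet.
    if (-not (Test-Path 'HKCU:\Software\Citrix\MetaFrame Password Manager')) { return $false }
    New-Item -ItemType Directory -Path (Split-Path $StateFile) -Force | Out-Null
    & reg.exe export $SsoKey $StateFile /y | Out-Null   # /y overwrites silently
    return ($LASTEXITCODE -eq 0 -and (Test-Path $StateFile))
}

function Import-SsoKeys {
    # Restore before the agent starts; skip when no previous session saved state.
    if (-not (Test-Path $StateFile)) { return $false }
    & reg.exe import $StateFile | Out-Null
    return ($LASTEXITCODE -eq 0)
}
```

Both functions return $true only when reg.exe succeeded, so a logon or logoff script can log the result rather than fail silently.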

Folder redirection

Folder redirection is implemented using Group Policy Objects and Active Directory. It uses Group Policies to define a location for folders that are part of the user profile.

Four folders can be redirected:
  • My Documents
  • Application Data
  • Desktop
  • Start Menu

Two modes of redirection can be configured using Group Policies: basic redirection and advanced redirection. Both are supported by Single Sign-on. In Windows 2000, you must reference the share that stores application data using the username variable (for example, \\servername\sharename\%username%).

Folder redirection is global for the user and it affects all of their applications. This means all applications that use the Application Data folder must support it.

Read the following Microsoft articles to learn more about folder redirection:
  • HOW TO: Dynamically Create Secure Redirected Folders By Using Folder Redirections
  • Folder Redirection Feature in Windows
  • Enabling the Administrator to Have Access to Redirected Folders

Best practices

  • Redirect the Application Data folders where possible. This improves network performance, eliminating the need to copy the data in those folders each time users log on.
  • When troubleshooting Password Manager Agent, always verify that the logged-on user has Full Control permission on their Application Data folder.
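A troubleshooting check for the two points above, as an added PowerShell example that is not part of the Citrix documentation: it resolves where Application Data currently points for the logged-on user, confirms the Single Sign-on folder is writeable (the failure mode of an unredirected mandatory profile), and tests whether the three files from the table grant that user Full Control. The folder and file names follow this topic; the ACL evaluation is a simplification that ignores Deny entries.

```powershell
# Added example, not from the Citrix topic: verifies for the logged-on user
# that Application Data resolves to a writeable folder and that the three
# Single Sign-on files listed in this topic grant that user Full Control.
$fc = [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-AppDataRoot {
    # Redirection rewrites the AppData value under User Shell Folders, so
    # read it from there and fall back to %APPDATA% when it is absent.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
    $raw = (Get-ItemProperty -Path $key -Name AppData -ErrorAction SilentlyContinue).AppData
    if (-not $raw) { $raw = $env:APPDATA }
    [Environment]::ExpandEnvironmentVariables($raw)
}

function Test-FullControl([string]$Path) {
    # True when an Allow ACE for the current user or one of its groups
    # carries every FullControl bit. Deny ACEs are not evaluated here.
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $fc) -ne $fc) { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }   # unresolvable (orphaned) account in the ACL
        if ($sids -contains $sid) { return $true }
    }
    return $false
}

function Test-SsoProfile {
    $ssoDir = Join-Path (Get-AppDataRoot) 'Citrix\MetaFrame Password Manager'
    $report = [ordered]@{ SsoFolder = $ssoDir; FolderExists = (Test-Path $ssoDir) }
    # A mandatory profile whose Application Data is not redirected fails here.
    $probe = Join-Path $ssoDir ('probe_{0}.tmp' -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Remove-Item -Path $probe -Force
        $report.Writeable = $true
    } catch { $report.Writeable = $false }
    # The three files the topic says must grant Full Control.
    foreach ($name in @("$env:USERNAME.mmf", 'entlist.ini', 'aelist.ini')) {
        $path = Join-Path $ssoDir $name
        $report[$name] = if (Test-Path $path) { Test-FullControl $path } else { 'missing' }
    }
    [pscustomobject]$report
}

Test-SsoProfile | Format-List
```

ACEs that grant generic rights (shown by Get-Acl as raw integers such as 268435456) are not matched by the bitwise test, so a False result on such a file warrants a manual look with icacls before changing permissions.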