Enable credential-based access to user stores
By default, Citrix Profile Management impersonates the current user to access the user store. This behavior requires the current user to have permission to directly access the user store. By contrast, the Enable credential-based access to user stores policy lets Profile Management access the user store using the store’s own credentials.
This policy gives you more flexibility in deploying and accessing the user store. For example, this policy lets you deploy the user store on a file share that the current user doesn’t have permission to access, such as Azure Files. Or, you can enable this policy if you don’t want Profile Management to impersonate the current user when accessing user stores.
Profile Management provides two types of profile solutions, and the user store can serve as the storage location for both of them:
- File-based solution. User profiles are fetched from the remote user store to the local computer on logon and written back on logoff.
- Container-based solution. User profiles are stored in VHDX files (known as profile containers). Those VHDX files are attached on logon and detached on logoff.
This policy is available both for the file-based and container-based solutions. For Profile Management versions earlier than 2212, this policy is available only for the container-based solution.
For more information about creating secure user stores, see Create a file share for roaming user profiles on the Microsoft TechNet website.
To let Profile Management access the user store by using the store’s own credentials, you must perform both of the following actions:
- Enable the Enable credential-based access to user stores policy on each machine where Profile Management runs.
- Add the store’s credentials to those machines.
With the container-based solution enabled, NTFS permissions are retained for the user store.
Enable credential-based access using the WEM service
Using WEM eliminates the need to enter the same credentials for each machine where Profile Management runs. You enable the policy and enter the credentials for the user store only once in the WEM service console. The WEM service then applies these settings to each machine.
Detailed steps are as follows:
In the administration console, go to Policies and Profiles > Citrix Profile Management Settings > User Store Credentials.
On the User Store Credentials tab, select the Enable credential-based access to user store check box.
Click Add. The New Credential dialog box appears.
Type the FQDN or IP address of your profile storage server and its credentials.
Enable credential-based access using GPOs
When you choose to enable the policy using GPOs, you must manually add the credentials on each machine where Profile Management runs.
Detailed steps are as follows:
- Open the Group Policy Management Editor.
- Access Policies > Administrative Templates: Policy definitions (ADMX files) > Citrix Components > Profile Management > Advanced settings, and then double-click Enable credential-based access to user stores.
- Select Enabled.
- Click OK.
Profile Management uses the credentials saved on the machine to access the user store. Add the credentials for the user store to Windows Credential Manager on each machine where Profile Management runs. Detailed steps are as follows:
Download PsExec from the Sysinternals website and unzip files to
From the Start menu, right-click Command Prompt and select Run as administrator. A command shell starts.
C:\PSTools\PsExec -s -i cmdcommand. Another command shell starts.
-sparameter indicates you’re running the tool using the Local System account. As a result, the credentials can be securely saved.
In the new command shell, run the
rundll32.exe keymgr.dll, KRShowKeyMgrcommand. The Stored User Names and Passwords dialog box appears.
In the Stored User Names and Passwords dialog box, click Add.
Type the FQDN or IP address of your profile storage server and its credentials, leave the default credential type as is, and then click OK.