This article contains these sections:
Installation and configuration checklist
Installation and configuration order
Install and configure Self-Service Password Reset
Before you start the installation, complete this checklist:
1. Choose the computers in your environment where you will install the software and prepare them for installation. See System requirements.
2. Install the TLS certificate and create the accounts required for the service. See Security and account requirements in System requirements.
3. Install the License Server. See License server documentation.
4. Create a central store. See Create a central store.
5. Install Self-Service Password Reset. See Install and configure Self-Service Password Reset.
6. Configure Self-Service Password Reset using the console. See Install and configure Self-Service Password Reset.
7. Configure Self-Service Password Reset on StoreFront. See Configure StoreFront.
8. Ensure your Self-Service Password Reset configuration is securely configured. See Secure configuration.
To install the service and run the Service Configuration wizard, your logon account must be a domain user that is also a member of the local Administrators group on the server.
We suggest installing Self-Service Password Reset in this order:
For security reasons, we recommend that you create the central store directly on the machine running the Self-Service Password Reset service. For deployments that need more than one Self-Service Password Reset server, you can host the central store on a remote network share, provided that both the Self-Service Password Reset server and the server hosting the share support SMB encryption.
SMB encryption is supported here only on Windows Server 2012 R2 and Windows Server 2016; a remote file share for the central store is therefore not supported on Windows Server 2008 R2.
Create Data Proxy Account
Create an ordinary domain user account to serve as the Data Proxy Account. Do not use a member of the Domain Admins group or of the local Administrators group as the Data Proxy Account: the account only needs access to the central store, and a compromise of the service should not yield administrative privileges.
Create a central store for Windows Server 2012 R2 or Windows Server 2016
When both the Self-Service Password Reset server and the central store run on Windows Server 2012 R2 or Windows Server 2016, you can use a remote network share if it is configured as described in this section. Ensure that Encrypt data access is selected when you create the share, and apply the guidance in Secure configuration.
8. To remove all users except CREATOR OWNER/Local Administrators/SYSTEM, on Customize permissions > Permissions, click Remove.
9. To modify CREATOR OWNER > Advanced permissions, click Edit and uncheck the following:
o Full Control
o Delete subfolders and files
o Change permissions
o Take ownership
10. Add a Data Proxy Account with Full Control.
11. Choose Confirmation in the left pane of the New Share wizard, review the currently selected settings for sharing, and click Create to begin the process of creating the new folder, and then Close.
12. Create two subfolders under the CITRIXSYNC$ share folder: CentralStoreRoot and People.
Important: Ensure the Data Proxy Account has Full Control for these two subfolders.
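The numbered steps above, carried out as a script. This is an added example, not Citrix's own tooling; it assumes a root folder D:\CITRIXSYNC, the share name CITRIXSYNC$ and a Data Proxy Account named CORP\svc-ssprdataproxy, all of which you should replace with your own values. It must run elevated on the server that will host the share.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator
# Added example, not Citrix's own script. Builds the CITRIXSYNC$ central store
# on Windows Server 2012 R2 / 2016 with the permissions from the steps above.
# Assumed values (replace them): root folder, share name, Data Proxy Account.
param(
    [string]$Root      = 'D:\CITRIXSYNC',
    [string]$ShareName = 'CITRIXSYNC$',
    [string]$DataProxy = 'CORP\svc-ssprdataproxy'
)
$ErrorActionPreference = 'Stop'

# Folder layout the service expects: the root plus CentralStoreRoot and People.
New-Item -ItemType Directory -Path $Root -Force | Out-Null
foreach ($sub in 'CentralStoreRoot', 'People') {
    New-Item -ItemType Directory -Path (Join-Path $Root $sub) -Force | Out-Null
}

# NTFS permissions on the root: break inheritance without copying the inherited
# entries (so Users / Authenticated Users disappear), then add only SYSTEM, the
# local Administrators group, a restricted CREATOR OWNER and the Data Proxy Account.
$acl = Get-Acl -Path $Root
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

$inheritBoth = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
function New-Ace([string]$Identity, [string]$Rights, [string]$Propagation) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inheritBoth, $Propagation, 'Allow')
}
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'None'))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'None'))
# Full Control minus "Delete subfolders and files", "Change permissions" and
# "Take ownership" is exactly the Modify right set. CREATOR OWNER keeps its
# default "subfolders and files only" scope (InheritOnly).
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'Modify' 'InheritOnly'))
$acl.AddAccessRule((New-Ace $DataProxy 'FullControl' 'None'))
Set-Acl -Path $Root -AclObject $acl

# Share: only the Data Proxy Account and local Administrators get share access,
# offline caching is off, and SMB encryption is required so that a client that
# cannot negotiate SMB 3 encryption is refused rather than served in cleartext.
New-SmbShare -Name $ShareName -Path $Root `
    -FullAccess $DataProxy, 'BUILTIN\Administrators' `
    -EncryptData $true -CachingMode None | Out-Null

# Show what was applied so it can be compared against the steps.
Get-SmbShare -Name $ShareName | Format-List Name, Path, EncryptData, CachingMode
Get-SmbShareAccess -Name $ShareName | Format-Table -AutoSize
(Get-Acl -Path $Root).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The subfolders inherit the root ACL, which is what gives the Data Proxy Account Full Control on CentralStoreRoot and People. Because the share is created with EncryptData, an SMB 2 client such as Windows Server 2008 R2 cannot map it at all; that is the intended behaviour given the requirement above that both ends support SMB encryption.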
Create a central store for Windows Server 2008 R2
Create the central store on the same server as the Self-Service Password Reset service, and then configure the Windows firewall so that the share cannot be reached remotely.
1. Create a local folder (CITRIXSYNC1) as the root of the file share, and then create two subfolders: CentralStoreRoot and People.
2. Set up a file share and grant sharing permissions:
a. Right click the CITRIXSYNC1 folder, select Properties > Sharing > Advanced Sharing.
b. Check the Share this folder box, and set the Share name to CITRIXSYNC1$.
c. To grant sharing permissions, click Permissions, remove all default users, and add the Data Proxy Account, the local Administrators group, and the Domain Admins group, each with Full Control.
d. Click Caching and check No files or programs from the shared folder are available offline.
3. To grant security permissions, right-click the CITRIXSYNC1 folder, and select Properties > Security.
4. To disable the inheritable permissions, click Advanced > Change Permissions, uncheck Include inheritable permissions from the object's parent, and then click Add in the warning window.
5. Click Edit to modify CREATOR OWNER permissions and uncheck the following:
o Full Control
o Delete subfolders and files
o Change permissions
o Take ownership
6. To remove the groups that are not required and add the Data Proxy Account, click Edit on the Properties screen, delete all entries except CREATOR OWNER, SYSTEM, and local Administrators, and add the Data Proxy Account with Full Control.
7. To enable SMB signing, click Start > Administrative Tools > Local Security Policy. In the left pane, choose Security Settings > Local Policies > Security Options.
8. Enable Microsoft network client: Digitally sign communications (if server agrees) and Microsoft network server: Digitally sign communications (if client agrees). These two settings make the server offer and accept signing but do not refuse unsigned sessions; if every client of this server supports signing, the corresponding (always) settings enforce it.
9. To prevent remote access to the local central store, finish the Windows firewall configuration. For more information, see Configure the firewall settings.
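A check a practitioner would want after either procedure: an audit script that re-reads the NTFS permissions, the SMB signing policy, the firewall and (where the SmbShare module exists) the share settings, and reports anything that drifted from the steps above. This is an added example, not Citrix's own tooling. It assumes a root folder C:\CITRIXSYNC1 and a Data Proxy Account named CORP\svc-ssprdataproxy; it also assumes that "prevent remote access" is implemented by having no enabled inbound allow rule for TCP 445, since the firewall article itself is not on this page. It is written for PowerShell 2.0 so it runs unchanged on Windows Server 2008 R2.

```powershell
# Added audit script, not Citrix's own. Re-checks a central store against the
# hardening steps above. PowerShell 2.0 compatible (Windows Server 2008 R2);
# the share-level checks run only where Get-SmbShare exists (2012 R2 and later).
# Assumed values (replace them): root folder and Data Proxy Account name.
param(
    [string]$Root      = 'C:\CITRIXSYNC1',
    [string]$DataProxy = 'CORP\svc-ssprdataproxy'
)
$findings = @()
function Add-Finding([string]$Message) { $script:findings += $Message }

# Principals that may appear on the folder ACL, and the rights the steps remove
# from CREATOR OWNER (Full Control implies all three, so it is caught as well).
$allowed        = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', $DataProxy
$ownerForbidden = [System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$fullControl    = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($path in @($Root, (Join-Path $Root 'CentralStoreRoot'), (Join-Path $Root 'People'))) {
    if (-not (Test-Path -Path $path)) { Add-Finding "$path does not exist"; continue }
    $acl = Get-Acl -Path $path
    if ($path -eq $Root -and -not $acl.AreAccessRulesProtected) {
        Add-Finding "$path still inherits permissions from its parent"
    }
    $proxyHasFull = $false
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($allowed -notcontains $id) {
            Add-Finding "$path grants '$($ace.FileSystemRights)' to unexpected principal $id"
        }
        if ($id -eq 'CREATOR OWNER' -and (($ace.FileSystemRights -band $ownerForbidden) -ne 0)) {
            Add-Finding "$path: CREATOR OWNER still holds $($ace.FileSystemRights -band $ownerForbidden)"
        }
        if ($id -eq $DataProxy -and $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $fullControl) -eq $fullControl)) { $proxyHasFull = $true }
    }
    if (-not $proxyHasFull) { Add-Finding "$path: $DataProxy does not have Full Control" }
}

# SMB signing as set through Local Security Policy: both "Digitally sign
# communications (if ... agrees)" settings are EnableSecuritySignature = 1.
$signing = @{
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' = 'Microsoft network client: Digitally sign communications (if server agrees)'
    'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'      = 'Microsoft network server: Digitally sign communications (if client agrees)'
}
foreach ($key in $signing.Keys) {
    $value = (Get-ItemProperty -Path $key -Name EnableSecuritySignature -ErrorAction SilentlyContinue).EnableSecuritySignature
    if ($value -ne 1) { Add-Finding "$($signing[$key]) is not enabled (EnableSecuritySignature = $value)" }
}

# Firewall (assumption, see the lead-in): no enabled inbound allow rule for TCP 445.
# The HNetCfg.FwPolicy2 COM object is locale independent, unlike netsh output.
$fw = New-Object -ComObject HNetCfg.FwPolicy2
$smbAllow = @($fw.Rules | Where-Object {
    $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 -and $_.Protocol -eq 6 -and $_.LocalPorts -eq '445'
})
foreach ($rule in $smbAllow) { Add-Finding "Enabled inbound allow rule for TCP 445: '$($rule.Name)'" }

# Share settings, only where the SmbShare module is available.
if (Get-Command Get-SmbShare -ErrorAction SilentlyContinue) {
    foreach ($share in @(Get-SmbShare | Where-Object { $_.Path -eq $Root })) {
        if ($share.CachingMode -ne 'None') {
            Add-Finding "Share $($share.Name) allows offline caching (CachingMode = $($share.CachingMode))"
        }
        foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
            if ($entry.AccountName -eq 'Everyone') { Add-Finding "Share $($share.Name) still grants access to Everyone" }
        }
    }
}

if ($findings.Count -eq 0) { 'Central store matches the hardening steps.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it elevated on the server that hosts the store. A clean result does not prove the Self-Service Password Reset service can reach the share; it only confirms that nobody other than the listed principals can, which is the property the steps above are meant to establish.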
The installation package is on the XenApp and XenDesktop installation media.
Before configuring the service, ensure you have created the central store, Data Proxy Account, and Self-Service account.
For more information about managing user configurations, see Manage user configurations.
For more information about managing identity verification questions, see Manage Identity Verification questions.
A user configuration controls the behavior and appearance of the interface when users log on to StoreFront. Creating a user configuration is the final step before you distribute Self-Service Password Reset to users in your environment. You can edit existing user configurations at any time.
A user configuration is a unique collection of settings that you apply to users associated with an Active Directory hierarchy (Organizational Unit [OU] or an individual user) or an Active Directory group.
A user configuration consists of the following:
Important: Distribution groups and Domain Local groups in Active Directory mixed mode are not supported.
Before you create your user configurations, ensure that you already created or defined the following:
To add users, OU, or Group
The Name User Configuration page of the User Configuration wizard allows you to associate the user configuration to the users.
User configuration association:
You have two choices: associate users according to Active Directory hierarchy (OU or individual user) or Active Directory Group. If necessary, you can associate the user configuration with a different hierarchy or group later, by clicking Edit user configuration in the Actions menu.
Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.
Select the OU, or Users, or Group on the Name User Configuration page (from Add New User Configuration or Edit User Configuration wizard).
Note: We recommend you not include any privileged accounts (for example, Local Administrators or Domain Administrators) in the group of users for whom the Self-Service Password Reset account can reset passwords. Use a new dedicated group.
To configure licensing
The Configure Licensing page of the User Configuration wizard allows you to specify the License Server used by the Self-Service Password Reset service.
Note: You can use the Unlock and Reset features only if you have XenApp or XenDesktop Platinum Edition.
Enter the License Server name and port number on the Configure Licensing page (from Add New User Configuration or Edit User Configuration wizard).
To enable Unlock or Reset features
Self-Service Password Reset allows users to reset their Windows password and unlock their domain accounts without administrator intervention. From the Enable Self-Service Password Reset page, you can select which feature to enable.
On the Enable Self-Service Password Reset page (from the Add New User Configuration or Edit User Configuration wizard), select which feature users can use: Unlock or Reset.
To configure a blacklist
IT administrators can add users and groups to the blacklist. Users and groups on the blacklist cannot use any Self-Service Password Reset feature, including enrollment, account unlock, and password reset. A blacklisted user also does not see the TASK button in Citrix Receiver after logging on.
To configure the blacklist
The Identity Verification page of the Citrix Self-Service Password Reset Configuration Console is the central place for managing all security questions used for identity verification, password reset, and account unlock. You can add your own security questions to the list of default questions and create question groups.
Use these steps to access the settings referenced in the following procedures:
To set the default language
In most instances, users see security questions displayed in the language associated with their current user profile. If the language is not available, Self-Service Password Reset displays the questions in the default language that you specify.
To enable security answer masking
Security answer masking provides an added level of security for your users when they register their security question answers or provide their answers during identity verification. When this feature is enabled, the users' answers are hidden. During the answer registration process, these users are asked to type their answers twice to avoid typing and spelling errors. Users type their answers only once during identity validation because they are prompted to retry if there is an error.
Select Mask answers for security questions on the Question-Based Authentication page.
To create new security questions
You can create many different questions and designate a language for each question. You can also provide multiple translations of a single question. Enrollment in Receiver presents the questionnaire in the language that corresponds to the language settings of the user's profile. If that language is not available, Self-Service Password Reset displays the questions in the default language.
Note: When you specify a language for a security question, the question appears to users whose operating system settings are configured for that designated language. If the selected operating system settings do not match any of the questions available, users are shown your selected default language.
Important: You must use the Edit button to include the translated text of existing questions. If you select Add Question, you are creating a new question that is not associated with the original.
To add or edit text for existing questions
Adding, deleting, or replacing security questions after users have enrolled means that all users who enrolled with the older set of questions cannot authenticate or reset their password until they re-enroll; they must answer the new set of questions when they open Tasks in Receiver. Editing a question does not force re-enrollment.
Important: If you are editing an existing question, be careful not to change the meaning of a question. This might cause a mismatch in user answers during reauthentication. That is, a user might provide a different answer that might not match the stored answer.
To create a security question group
You can create a number of security questions that your users answer to confirm their identities. Each question you add to the questionnaire must be answered by your users. However, you can also group these questions together in a security question group.
For example, putting your questions in a group enables you to add a group of six questions to your questionnaire, and allows your users to choose from that group of questions, answering, for example, three of the six. This gives your users flexibility in selecting questions and providing answers to be used for identity verification.
To edit a security question group
Select the security group you want to edit and click Edit on the Security Questions page. The Security Question Group dialog box appears, with a list of security questions available to be part of the group. The questions currently in the group are indicated by a check mark. Here you can edit the name of the group, add questions to the group, and select the number of questions from this group that a user must answer.
To add or remove the existing questionnaire
Add or remove security questions and question groups from the questionnaire, and move questions up and down to set the order in which they are presented to the user. If the questionnaire has changed, notify users that they must re-enroll through Tasks after logging on to StoreFront.
With Self-Service Password Reset you can:
To import or export the security questions
You can import or export the data of security questions and groups.