Product Documentation

Password Policies

May 09, 2015

Password policies are rules that control how passwords are created, submitted, and managed. The Single Sign-on installation includes two standard password policies named Default and Domain, which cannot be deleted. You can copy these policies and make modifications to suit your enterprise policies and regulations.

Default Password Policy

Single Sign-on applies the Default policy to password-enabled applications used in your enterprise (except for those that require user domain credentials). This policy is applied to any application that is not defined by an administrator (by using the application definition feature in the console) or any application that is not part of an application group.

When a user adds credentials to the Manage Passwords window (formerly known as Logon Manager) for an application that does not have a corresponding application definition, Single Sign-on applies the Default policy to manage that application.

Domain Password Policy

Typically, an administrator creates an application group and selects the Domain policy to be applied to the applications in that group. Single Sign-on then applies the Domain policy to those applications that require the user’s domain credentials for access. The Domain policy can be modified or copied to reflect your enterprise’s Active Directory or NT domain policies for user accounts.

If you want an application group to be treated as a domain password sharing group, you must apply the Domain policy to that application group. An application group is a collection of defined applications associated with one or more user configurations, including the policy to manage the applications.

Custom Password Policies

You can create password policies as needed: you can apply one policy for your domain sharing group, create individual policies to apply to individual groups of applications to secure them further, and so on.

When creating a custom password policy or modifying an existing one, ensure that your enterprise requirements and the application's own password requirements match. A policy that does not at least match an application's requirements can accept passwords the application rejects, or forbid characters the application requires; either way, your users might not be able to authenticate to that application.

In general, password policies can specify restrictions such as the following:
  • A minimum and maximum number of characters for a password
  • Required use of alphabetic and numeric characters
  • The number of times a character can be repeated
  • Which characters or special characters are excluded or required
  • Whether or not users can view their stored passwords
  • How many attempts users have to enter their password correctly
  • Password expiration parameters
  • Password history and password exceptions
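The following is an added example, not code from Citrix or from the Single Sign-on product: it models the restriction types listed above as plain fields, checks a candidate password against a policy, and then checks a policy against an application's own rules to surface the mismatch described earlier (a policy that does not at least match what the application accepts). The class, field and function names are assumptions for illustration; the real policies are configured in the console, and the sample policies below are constructed, not Citrix defaults.

```python
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    """The restriction types listed above, as plain fields (names are assumptions)."""
    name: str
    min_length: int
    max_length: int
    min_alpha: int = 0        # minimum number of alphabetic characters
    min_digits: int = 0       # minimum number of numeric characters
    max_repeat: int = 0       # longest allowed run of one repeated character; 0 = unlimited
    required_chars: str = ""  # if non-empty, at least one of these must appear
    excluded_chars: str = ""  # none of these may appear


def longest_run(s: str) -> int:
    """Length of the longest run of consecutive identical characters in s."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def violations(policy: PasswordPolicy, password: str) -> list[str]:
    """Every rule of `policy` that `password` breaks; an empty list means compliant."""
    problems = []
    n = len(password)
    if n < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if n > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if sum(c.isalpha() for c in password) < policy.min_alpha:
        problems.append(f"fewer than {policy.min_alpha} letters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append(f"fewer than {policy.min_digits} digits")
    if policy.max_repeat and longest_run(password) > policy.max_repeat:
        problems.append(f"a character repeated more than {policy.max_repeat} times in a row")
    if policy.required_chars and not any(c in policy.required_chars for c in password):
        problems.append(f"none of the required characters {policy.required_chars!r}")
    found = sorted(set(password) & set(policy.excluded_chars))
    if found:
        problems.append(f"excluded characters {''.join(found)!r}")
    return problems


def conflicts(policy: PasswordPolicy, app: PasswordPolicy) -> list[str]:
    """Ways in which `policy` fails to at least match an application's own rules.

    'unsatisfiable' entries mean no password can pass both sets of rules, so every
    password change would fail. 'too loose' entries mean the policy accepts
    passwords the application rejects, so some users will be locked out.
    """
    found = []
    if policy.min_length > app.max_length or app.min_length > policy.max_length:
        found.append("unsatisfiable: the two length ranges do not overlap")
    if app.required_chars and set(app.required_chars) <= set(policy.excluded_chars):
        found.append("unsatisfiable: policy excludes every character the application requires")
    if policy.min_length < app.min_length:
        found.append("too loose: policy allows passwords shorter than the application's minimum")
    if policy.max_length > app.max_length:
        found.append("too loose: policy allows passwords longer than the application's maximum")
    if policy.min_alpha < app.min_alpha or policy.min_digits < app.min_digits:
        found.append("too loose: policy requires fewer letters or digits than the application")
    if app.max_repeat and (not policy.max_repeat or policy.max_repeat > app.max_repeat):
        found.append("too loose: policy allows longer character repeats than the application")
    if set(app.excluded_chars) - set(policy.excluded_chars):
        found.append("too loose: policy permits characters the application rejects")
    return found


# Constructed sample policies for the demo below; not real Citrix defaults.
DEFAULT = PasswordPolicy("Default", 8, 20, min_alpha=1, min_digits=1, max_repeat=2,
                         excluded_chars=" ")
HR_PORTAL = PasswordPolicy("hr-portal", 12, 16, min_digits=2, required_chars="!@#$",
                           excluded_chars=" '\"")
STRICT = PasswordPolicy("Strict", 8, 10, excluded_chars="!@#$%")

if __name__ == "__main__":
    print(violations(DEFAULT, "Summer2015"))    # compliant with Default
    print(violations(HR_PORTAL, "Summer2015"))  # but rejected by the application
    for problem in conflicts(DEFAULT, HR_PORTAL):
        print("Default vs hr-portal:", problem)
    for problem in conflicts(STRICT, HR_PORTAL):
        print("Strict vs hr-portal:", problem)
```

Run the checks for each application you assign to a policy: a "too loose" result is the situation the Default policy tends to produce for user-added applications, and an "unsatisfiable" result means the policy must be loosened before anyone can change that application's password through Single Sign-on.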

Password Policy Considerations

Consider the following before establishing password policies:

  • Consider your security requirements in the context of ease of use for your users. Overly restrictive policies produce passwords that users find hard to create or recall.
  • The Default password policy defines the minimum level of password security that Citrix recommends for most Single Sign-on enabled applications. You can modify these settings according to your enterprise policies and regulations.
  • Because Single Sign-on applies the Default password policy to user-added applications, ensure that you configure the Default policy to be as broad as needed to accept passwords for those applications for which you allow passwords to be stored.
  • When users change their passwords, Single Sign-on can be configured (through a user configuration setting) to compare the new password with the old one. This prevents users from reusing the password they just had for the same application.
  • Users might have a single password that is used for multiple applications (in a suite of products, for example). This scheme is known as password sharing, where the same authentication authority is used for the applications.

    While the other credentials for those applications (such as user name and custom fields) might be different, the user’s password is the same. In this case, create an application group that is a password sharing group to ensure that the plug-in software manages the password for all applications in the group as a single entity. When the password is changed in one of the applications, the plug-in software ensures that the password change is reflected in the stored credentials for all applications in the group.

  • Domain password sharing groups differ from other password sharing groups because the user’s domain password is used as the master password for the application group. When the user changes the domain password, the plug-in software ensures that the change is reflected in the credentials for all other applications in the group. Only the domain password can be changed; users cannot initiate password changes on any of the other applications in the group unless the administrator removes the application from the domain password sharing group.
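The following is an added example, not Citrix code, that models the two kinds of password sharing group described above: in an ordinary sharing group a change initiated from any member is propagated to the stored credentials of every member, while in a domain password sharing group only a change of the domain password is accepted and propagated, until an application is removed from the group. The class and method names are assumptions for illustration, and the applications and passwords in the demo are constructed.

```python
from typing import Optional


class CredentialStore:
    """Stored credentials plus the password sharing group rules described above."""

    def __init__(self) -> None:
        self.passwords: dict[str, str] = {}      # application -> stored password
        self.groups: dict[str, set[str]] = {}    # group name -> member applications
        self.domain_login: dict[str, str] = {}   # group name -> its domain-credential application

    def add_application(self, app: str, password: str, group: Optional[str] = None) -> None:
        self.passwords[app] = password
        if group is not None:
            self.groups.setdefault(group, set()).add(app)

    def set_domain_group(self, group: str, domain_app: str) -> None:
        """Mark `group` as a domain password sharing group whose master is `domain_app`."""
        if domain_app not in self.groups.get(group, set()):
            raise ValueError(f"{domain_app} is not a member of {group}")
        self.domain_login[group] = domain_app

    def group_of(self, app: str) -> Optional[str]:
        for name, members in self.groups.items():
            if app in members:
                return name
        return None

    def remove_from_group(self, app: str) -> None:
        """What the administrator does to let an application change its own password again."""
        group = self.group_of(app)
        if group is not None:
            self.groups[group].discard(app)

    def can_change_password(self, app: str) -> bool:
        """False only for a non-domain member of a domain password sharing group."""
        group = self.group_of(app)
        master = self.domain_login.get(group) if group is not None else None
        return master is None or app == master

    def change_password(self, app: str, new_password: str) -> list[str]:
        """Simulate a password change initiated from `app`; return the applications updated."""
        if not self.can_change_password(app):
            raise PermissionError(
                f"{app} is in a domain sharing group; only the domain password can be changed")
        group = self.group_of(app)
        if group is None:
            self.passwords[app] = new_password
            return [app]
        for member in self.groups[group]:       # one password for the whole group
            self.passwords[member] = new_password
        return sorted(self.groups[group])


def demo() -> CredentialStore:
    """Constructed sample data: one ordinary sharing group and one domain sharing group."""
    store = CredentialStore()
    store.add_application("erp-web", "Spring2015!", group="erp-suite")
    store.add_application("erp-client", "Spring2015!", group="erp-suite")
    store.add_application("ad-logon", "Winter2014!", group="domain")
    store.add_application("intranet", "Winter2014!", group="domain")
    store.set_domain_group("domain", "ad-logon")
    store.add_application("standalone-app", "abc12345")
    return store


if __name__ == "__main__":
    store = demo()
    print(store.change_password("erp-client", "Summer2015!"))   # both erp apps updated
    print(store.can_change_password("intranet"))               # False: domain group member
    print(store.change_password("ad-logon", "Autumn2015!"))    # ad-logon and intranet updated
    store.remove_from_group("intranet")
    print(store.change_password("intranet", "Own1234!"))       # now only intranet
```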