Password policies are rules that control how passwords are created, submitted, and managed. The Single Sign-on installation includes two standard password policies, named Default and Domain, which cannot be deleted. You can copy these policies and modify the copies to suit your enterprise policies and regulations.
Single Sign-on applies the Default policy to password-enabled applications used in your enterprise (except those that require user domain credentials). This policy is applied to any application that is not defined by an administrator (using the application definition feature in the console) or that is not part of an application group.
When a user adds credentials to the Manage Passwords window (formerly known as Logon Manager) for an application that does not have a corresponding application definition, Single Sign-on applies the Default policy to manage that application.
The administrator creates an application group and selects the Domain policy to be applied to the applications in that group. Single Sign-on then applies the Domain policy to those applications that require the user's domain credentials for access. The Domain policy can be modified or copied to reflect your enterprise's Active Directory or NT domain policies for user accounts.
If you want an application group to be treated as a domain password sharing group, you must apply the Domain policy to that application group. An application group is a collection of defined applications associated with one or more user configurations, including the policy that manages the applications.
You can create password policies as needed: you can apply one policy to your domain sharing group, create individual policies for individual groups of applications to secure them further, and so on.
When creating a custom password policy or modifying existing policies, ensure that your enterprise requirements and application requirements match. For example, if you create a policy that does not at least match an application's requirements, Single Sign-on may store or generate passwords that the application rejects, and your users might not be able to authenticate to that application.
In general, password policies can specify restrictions such as the following:
- A minimum and maximum number of characters for a password
- Alphabetical and numerical
- Number of times a character can be repeated
- Excluding or requiring which characters or special characters can be used
- Whether or not users can view their stored passwords
- How many times users can try entering their password correctly
- Password expiration
- Password history and password
Consider the following before establishing password policies:
- Consider your security requirements in the context of ease of use for your users. Overly restrictive passwords might be hard for users to create, enter, or recall.
- Because Single Sign-on is secure by design, the Default password policy defines the minimum level of password security recommended by Citrix for securing most Single Sign-on enabled applications. You can modify these settings according to your enterprise policies and regulations.
- Because Single Sign-on applies the Default password policy to user-added applications, ensure that you configure the Default policy to be as broad as needed to accept passwords for those applications for which you allow passwords to be stored.
- When users change their passwords, Single Sign-on can be configured through a user configuration setting to check the old password against the new password. This helps prevent users from reusing the same password for an application twice in a row.
- Users might have a single password that is used for multiple applications (in a suite of products, for example). This scheme is known as password sharing, where the same authentication authority is used for the applications. While the other credentials for those applications (such as user name and custom fields) might differ, the user's password is the same. In this case, create an application group that is a password sharing group to ensure that the plug-in software manages the password for all applications in the group as a single entity. When the password is changed in one of the applications, the plug-in software ensures that the change is reflected in the stored credentials for all applications in the group.
- Domain password sharing groups differ from other password sharing groups because the user's domain password is used as the master password for the application group. When the user changes the domain password, the plug-in software ensures that the change is reflected in the credentials for all other applications in the group. Only the domain password can be changed; users cannot initiate password changes on any of the other applications in the group unless the administrator removes the application from the domain password sharing group.