Product Documentation

Account Self-Service

May 09, 2015

Single Sign-on customers have the option of deploying the Account Self-Service features—Self-Service Password Reset and Account Unlock—with no other Single Sign-on features available to users.

The Account Self-Service features of Single Sign-on help reduce calls to your computer help desk by allowing your employees to perform the following tasks on their own:

  • Change their Microsoft Windows domain password
  • Unlock their Windows domain account

The Account Self-Service features allow you to establish a set of security questions for identity verification. After the question-based authentication is enabled and the Account Self-Service features are made available to them, your users enroll, or register, with the service by answering the series of security questions. Once registered, your users can click Account Self-Service, found on the Log On to Windows dialog box, or for Microsoft Windows Vista users, on the Welcome screen.

Administrators can require users to re-register by:
  • Revoking a single user's question data
  • Prompting all users to re-register
  • Changing the existing questionnaire

Enrolled users can also start the re-registration process whenever they want to change their answers to the security questions.

This document describes how to install and configure Single Sign-on to provide users with only the Account Self-Service features.

Note: Account Self-Service does not support user principal name (UPN) logons, such as username@domain.com.

Using Licenses

A Single Sign-on license is consumed during the re-enrollment process when users submit new responses for question-based authentication. Using concurrent user licenses ensures maximum license availability within your organization. A concurrent user license is returned to the license pool after the user completes the re-enrollment process. A named user license in the same situation remains with the user, even though it is not in use, for a minimum of two days.

Ratios are used to provide a greater number of Account Self-Service only licenses per Single Sign-on license. Concurrent user licenses use a 10:1 ratio, where 100 concurrent user licenses translate to 1,000 Account Self-Service licenses. Named user licenses use a 5:1 ratio, with 100 licenses translating to 500 Account Self-Service licenses.

To allow concurrent user licenses to be used offline

  1. Create a user configuration.
  2. On the Configure Licensing page of the User Configuration Wizard, select Concurrent User Licensing (Enterprise and Platinum Edition Only).
  3. Select Allow license to be consumed for offline use and set the amount of time the license can be checked out from the license server.
  4. Finish setting the user configuration.

For users associated with this user configuration, the license model is the same as a named user license—it can be consumed by users who might occasionally work remotely and be offline for periods of time. Concurrent user licenses are then consumed on a per-user basis.

Important: Locally installed instances of the Single Sign-on Plug-in do not require a separate license for users who have access to hosted applications in a Citrix XenApp, Platinum Edition environment.

To create an Account Self-Service-Only user configuration

Use the following steps to create a user configuration that allows Account Self-Service functionality without enabling Single Sign-on capability.

Note: Application definitions are not included in this user configuration because the feature does not include Single Sign-on functionality. If users need full Single Sign-on functionality, place them in a user configuration that does not include the Account Self-Service-Only modifications.
  1. Click Start > All Programs > Citrix > Management Consoles and select the Citrix AppCenter.
  2. To start the wizard, expand the Single Sign-on node and click User Configurations. In the Actions area, click Add new user configuration to open the User Configuration Wizard.
  3. On the Name user configuration page:
    1. In the Name field, type the user configuration name.
    2. In the User configuration association area, choose how the user configuration is associated to the users by identifying the Active Directory hierarchy (organizational unit or user) or Active Directory group.
  4. On the Select product edition page, select Single Sign-on Enterprise.
  5. On the Choose applications page, click Next.
  6. On the Configure plug-in interaction page, clear the following check boxes:
    • Automatically detect applications and prompt user to store credentials
    • Automatically process defined forms when Single Sign-on Plug-in detects them

    Click Advanced Settings.

  7. In Advanced Single Sign-on Plug-in Settings:
    • Select Application Support and clear the Detect client-side application definitions check box.
    Click OK to close Advanced Settings, and click Next.
  8. On the Configure licensing page, in the License server address area, type the name of your license server and its port number.

    In the Licensing Model area, select Named User Licensing or Concurrent User Licensing.

    Note: Using concurrent user licenses ensures maximum license availability within your organization. A concurrent user license is returned to the license pool when the user completes the re-enrollment process. A named user license in the same situation remains with the user, even though it is not in use, for a minimum of two days.
  9. On the Select data protection methods page, provide information as needed.
  10. On the Select secondary data protection page, select Prompt user to select the method: previous password or security questions.
  11. On the Enable self-service features page, select one or both of the following options:
    • Allow users to reset their primary domain password
    • Allow users to unlock their domain account
  12. On the Locate service modules > Key Management Module page, provide the service address.
  13. Finish the wizard without additional changes.

Preparing the Computer Running the Plug-in Software

Note: Consider automating the following procedures by using scripts to help increase efficiency and improve accuracy.

After the Single Sign-on Plug-in software is installed on the users’ computers, you must modify the ssoShell.exe shortcut and the Start menu to provide user access to only the Account Self-Service features.

During the basic installation of the Single Sign-on Plug-in software, the ssoShell.exe shortcut contains the following command-line switch:

/background

Change this switch to:

/qbaenroll /noforceqbaenroll

Making this change causes the Single Sign-on Plug-in software on the user's computer, upon user logon, to synchronize with the central store and determine the status of the user's question-based authentication registration. If the registration process is complete and current, the user is not prompted to register. The user is prompted to register if one of the following conditions is discovered during synchronization:

  • The user did not complete the question-based authentication registration process
  • The administrator reset the user's question-based authentication questions
  • The administrator modified the question-based authentication questionnaire

After completing the synchronization and, if necessary, starting the registration process, ssoShell exits automatically.

To update the Single Sign-on ssoShell.exe shortcut

For a desktop installation:

  1. Windows Vista computers: Using Windows Explorer, navigate to %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup.

    Non-Windows Vista computers: Using Windows Explorer, navigate to %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup.

  2. From the Startup folder, select Single Sign-on Background Process and select File > Properties.
  3. In the Single Sign-on Background Process Properties dialog box, click in the Target field, scroll to the end of the text in that field, and delete /background.
  4. In the Target field, following the remaining text, type /qbaenroll /noforceqbaenroll.
For a server installation:

Caution: Editing the Registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.

  1. Open the registry and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup.
  2. In this subkey, double-click the default entry to open the Edit String dialog box.
  3. In the Value Data field:

    change: %SystemDrive%\Citrix\Metaframe Password Manager\WTS\SSOlauncher.exe /no ssoshutdown

    to: %SystemDrive%\Citrix\Metaframe Password Manager\ssoshell.exe /qbaenroll /noforceqbaenroll

The ssoShell.exe shortcut (or, on a server, the AppSetup entry) now starts the plug-in for Account Self-Service functionality only.

To add a self-service registration shortcut to the Start menu

Add a shortcut to the Start menu to allow users to start the enrollment process on their own. This helps eliminate service calls if users do not provide answers during their initial logon or want to change answers they provided earlier.
  1. Windows Vista computers: Using Windows Explorer, navigate to %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\.

    Non-Windows Vista computers: Using Windows Explorer, navigate to %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Citrix\.

  2. From the File menu, select New > Shortcut. The Create Shortcut wizard appears.
  3. Click Browse.
  4. Navigate to %InstallationDirectory%\Program Files\Citrix\Metaframe Password Manager\, select ssoShell.exe, and click OK. The Browse for Folder dialog box closes and the path to ssoShell.exe appears in the Type the location of the item field.
  5. In the Type the location of the item field, place the insertion point after ssoShell.exe and type a space followed by /qbaenroll.

  6. Click Next.
  7. Type Citrix Account Self-Service Registration and click Finish.
The shortcut appears in Start > All Programs > Citrix.
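The two desktop-installation procedures above (updating the Startup shortcut and adding the registration shortcut) as one PowerShell script. This is an added example, not a Citrix-supplied script; it assumes the Startup shortcut file is named Single Sign-on Background Process.lnk, that ssoShell.exe is installed under %ProgramFiles%\Citrix\Metaframe Password Manager\, and that it runs with administrative rights, and it uses the WScript.Shell COM object to edit .lnk files.

```powershell
# Added example, not a Citrix-supplied script: edits the Startup shortcut and
# adds the Account Self-Service registration shortcut. Run with admin rights.
$ErrorActionPreference = 'Stop'
$wsh = New-Object -ComObject WScript.Shell

# All Users Start menu folders exactly as the page lists them:
# Windows Vista (NT 6.x) versus earlier Windows versions.
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $programs = "$env:SystemDrive\ProgramData\Microsoft\Windows\Start Menu\Programs"
} else {
    $programs = "$env:SystemDrive\Documents and Settings\All Users\Start Menu\Programs"
}
# Assumed install location of ssoShell.exe; adjust to your installation directory.
$ssoShell = Join-Path $env:ProgramFiles 'Citrix\Metaframe Password Manager\ssoShell.exe'

function Update-BackgroundShortcut {
    # Replaces /background with /qbaenroll /noforceqbaenroll (shortcut name assumed).
    $lnkPath = Join-Path $programs 'Startup\Single Sign-on Background Process.lnk'
    if (-not (Test-Path -LiteralPath $lnkPath)) { throw "Not found: $lnkPath" }
    $lnk     = $wsh.CreateShortcut($lnkPath)
    $current = $lnk.Arguments
    if ($current -match '/qbaenroll') {
        Write-Host "Already updated: $lnkPath"
        return
    }
    if ($current -notmatch '/background') {
        # Refuse to touch a shortcut that does not look like the stock install.
        throw "Unexpected arguments '$current' in $lnkPath; leaving it unchanged."
    }
    $new = ($current -replace '/background', '') + ' /qbaenroll /noforceqbaenroll'
    $lnk.Arguments = ($new -replace '\s+', ' ').Trim()
    $lnk.Save()
    Write-Host "Updated target: $($lnk.TargetPath) $($lnk.Arguments)"
}

function Add-RegistrationShortcut {
    # Creates Start > All Programs > Citrix > Citrix Account Self-Service Registration.
    $citrixMenu = Join-Path $programs 'Citrix'
    New-Item -ItemType Directory -Path $citrixMenu -Force | Out-Null
    $lnk = $wsh.CreateShortcut((Join-Path $citrixMenu 'Citrix Account Self-Service Registration.lnk'))
    $lnk.TargetPath       = $ssoShell
    $lnk.Arguments        = '/qbaenroll'
    $lnk.WorkingDirectory = Split-Path -Parent $ssoShell
    $lnk.Description      = 'Register or change your Account Self-Service security questions'
    $lnk.Save()
    Write-Host "Created: $($lnk.FullName)"
}

Update-BackgroundShortcut
Add-RegistrationShortcut
```

After running, open the shortcut's Properties dialog to confirm the Target field ends with /qbaenroll /noforceqbaenroll, as the manual procedure describes.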

To remove the Single Sign-on shortcut

During installation of the Single Sign-on Plug-in software, a shortcut is placed in the Start menu. If a user configured to use only the Account Self-Service features selects this command, ssoShell.exe launches and, unless there are changes to the user's Question-Based Authentication, exits. This may result in confusion to the user and cause support calls. To avoid this, remove the shortcut from the Start menu.
  1. Windows Vista computers: Using Windows Explorer, navigate to %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\.

    Non-Windows Vista computers: Using Windows Explorer, navigate to %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Citrix\.

  2. Delete the Single Sign-on shortcut.
The Single Sign-on shortcut is removed from the Start menu.

To remove the Single Sign-on Plug-in shortcut from the Startup folder

Remove the Single Sign-on Plug-in shortcut on the user device to prevent the plug-in software from starting each time the user logs on to the computer. This task prevents the user from unnecessarily consuming a license.
  1. Using Windows Explorer, navigate to %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup.
  2. From the Startup folder, delete Single Sign-on Plug-in Background Process.
    Note: If the plug-in software is installed on Citrix Presentation Server or in a terminal server environment, the AppSetup registry subkey, located in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup, must be edited to remove the reference to Password Manager or Single Sign-on.
The Single Sign-on Plug-in shortcut no longer starts automatically upon user logon.