Creating User Configurations

May 09, 2015

A user configuration enables you to control the behavior and appearance of the plug-in software for users. Creating one or more user configurations is the final step you take before distributing Single Sign-on Plug-in software to users in your environment. Note that you can add new or edit existing user configurations at any time.

A user configuration is a unique collection of settings, password policies, and applications that you apply to users associated with an Active Directory hierarchy (organizational unit [OU] or an individual user) or Active Directory group.

A user configuration consists of the following:

  • Users associated with an Active Directory domain hierarchy (OU or individual user) or Active Directory group
    Important: Distribution groups and Domain Local groups in Active Directory mixed mode are not supported.
  • License type and related settings associated with the users (concurrent or named user license model)
  • Data protection methods
  • Application definitions that you created, which you can combine into an application group when you create a user configuration
  • Password policies associated with any application groups
  • Self-service features (account unlock and password reset) and key management options (use of previous passwords, security questions, and automatic key management)
  • Settings for options such as credential provisioning and application support

Before you create your user configurations, ensure that you have already created or defined the following:

  • Central store
  • Application definitions
  • Password policies
  • Security questions

You must create user configurations before you deploy the Single Sign-on Plug-in software to users. Among other settings, a user configuration contains the license server and licensing information required by the plug-in software for operation.

For user configuration setting defaults and details, see the topics under Single Sign-on Settings Reference > User Configurations.

To specify a domain controller for an existing user configuration

In environments where you use an Active Directory-based central store and have more than one domain controller, you can select the domain controller to bind user configurations to when writing to the central store.

This binding scheme helps to reduce synchronization delays caused by Active Directory replication. Such delays might occur in environments where users access Single Sign-on in multiple Active Directory sites simultaneously.

During the discovery process available through the console, Single Sign-on can discover every domain controller in your domain. You can then bind user configurations that you created to a specific domain controller by selecting that controller when you create a user configuration.

For example, you can require users to be bound to a domain controller within their local network. After you specify a domain controller, users are bound to that domain controller the next time they log on to Single Sign-on.

By default, users bind to any writeable domain controller until you select a domain controller they must bind to. You can change the domain controller setting at any time by updating the user configuration as needed without losing user data integrity.

Note: When choosing a domain controller for binding, verify that the resources available on the domain controller can accept the communication traffic users generate when connecting to the domain controller during peak operational times.

If the specified domain controller is unavailable or offline, the plug-in software uses the local store’s user data (that is, the user data located on the user’s computer). If the domain controller is offline for a long period of time (as defined by you), you can select the Edit User Configuration task from the console and choose another domain controller or the Any writeable domain controller option.

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and User Configurations.
  3. Select a user configuration.
  4. From the Action menu, select Edit user configuration.
  5. Select Domain Controller from the options on the left side of the Edit User Configuration wizard page.
  6. Select an available domain controller or select Any writeable domain controller.

To create a user configuration

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix Delivery Services Console.
  2. Expand the Single Sign-on node and select User Configurations.
  3. From the Action menu, click Add new user configuration.

Naming Your User Configuration

The Name User Configuration page of the User Configuration Wizard allows you to name your user configuration and to choose how to associate the user configuration with users.

  • Name

    Consider naming the user configuration according to how you plan to group your users and associate them with specific applications. For example, Marketing Users, Software Development Users, North American Users, and so on.

  • User configuration association

    You have two choices: associate users according to Active Directory hierarchy (OU or individual user) or Active Directory Group. If necessary, you can associate the user configuration with a different hierarchy or group later, by clicking Move user configuration in the Action menu.

    Important: How you organize your Active Directory environment might affect how user configurations operate. If you use both (Active Directory hierarchy and group) and a user is located in both containers, the user configuration associated with the hierarchy takes precedence and is the one used. This scheme is considered a mixed environment.

    Also, if a user belongs to two Active Directory groups and each group is associated with a user configuration, the user configuration with the highest priority takes precedence and is the one used.

    Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.
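
The precedence rules above decide which password policies and self-service settings a user actually receives, so it helps to model them when planning a mixed environment. The following is an added example, not Citrix code: it resolves the effective user configuration for a user. The numeric priority (1 is highest), the rule that the nearest OU wins among hierarchy matches, and all names and DNs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UserConfig:
    name: str
    kind: str          # "hierarchy" (OU or individual user DN) or "group"
    target: str        # DN of the OU/user, or the group name
    priority: int = 0  # groups only; assumption: 1 is the highest priority

def in_hierarchy(user_dn: str, target_dn: str) -> bool:
    """True if the user is the target itself or sits beneath the target OU."""
    u, t = user_dn.lower(), target_dn.lower()
    return u == t or u.endswith("," + t)

def effective_config(user_dn, groups, configs):
    """Return the user configuration that applies, or None if none matches."""
    hier = [c for c in configs
            if c.kind == "hierarchy" and in_hierarchy(user_dn, c.target)]
    if hier:
        # A hierarchy association takes precedence over any group association.
        # Assumption: among hierarchy matches, the most specific DN wins.
        return max(hier, key=lambda c: c.target.count(","))
    member = {g.lower() for g in groups}
    by_group = [c for c in configs
                if c.kind == "group" and c.target.lower() in member]
    # User in several configured groups: the highest-priority one is used.
    return min(by_group, key=lambda c: c.priority, default=None)

# Constructed sample data (not taken from any real directory).
CONFIGS = [
    UserConfig("Marketing Users", "hierarchy", "OU=Marketing,DC=example,DC=com"),
    UserConfig("North American Users", "group", "NA-Users", priority=2),
    UserConfig("Software Development Users", "group", "Dev-Users", priority=1),
]

def demo():
    users = {
        "alice": ("CN=Alice,OU=Marketing,DC=example,DC=com", ["Dev-Users"]),
        "bob": ("CN=Bob,OU=Sales,DC=example,DC=com", ["NA-Users", "Dev-Users"]),
        "carol": ("CN=Carol,OU=Sales,DC=example,DC=com", []),
    }
    return {u: getattr(effective_config(dn, g, CONFIGS), "name", None)
            for u, (dn, g) in users.items()}

if __name__ == "__main__":
    print(demo())
```

A user for whom the function returns None matches no user configuration at all, which is worth flagging before deployment.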

Specifying a Domain Controller

If you are using an Active Directory central store, the Specify Domain Controller page of the User Configuration Wizard enables you to select an available domain controller or select Any writeable domain controller.