
Synchronizing Credentials by Using Account Association

Apr 13, 2011

In companies that maintain multiple Windows domains, users might also have more than one Windows account. Single Sign-on includes a service known as Credential Synchronization to enable Account Association.

Account Association allows a user to log on to any application from one or more Windows accounts. Because Single Sign-on typically binds user credentials to a single account, the credential information is not automatically synchronized among multiple accounts that a user owns. However, administrators can configure Account Association to synchronize user credentials. Users with Account Association configured have access to all applications from any of their accounts in their Single Sign-on environment. When user credentials are changed, added, or removed from one account, the credentials are synchronized automatically with each of the user’s associated accounts.

Without Account Association, an individual with multiple Windows accounts must change their logon information separately in each Windows account.

To configure Account Association, the enterprise Windows domain administrators must perform the following steps in order:

  1. Choose a domain in which to install and run the Credential Synchronization Module, which is part of the Single Sign-on Service.
  2. Deploy the trusted root certificate to all computers in the enterprise that will use Account Association.
  3. Manually synchronize application definitions among domains.
  4. Configure the Account Association user settings in other domains to connect to the Credential Synchronization Module.
  5. Make the Account Association tool available to users as a published application.

Each user must enable Account Association in the Single Sign-on Plug-in.

Choosing and Configuring a Domain to Host the Credential Synchronization Module

Choose the domain that contains the accounts for all users in your enterprise who will use Account Association. The Credential Synchronization Module acts as the hub for all user credential information in the enterprise. Install this module in this domain as you would any other Single Sign-on Service.

Important: Contact your network administrator to determine if any firewall changes are necessary and if the changes are compliant with your company’s policies.

After you install the Credential Synchronization Module, create or edit user configurations from the Citrix AppCenter to authorize individual user accounts to use the Credential Synchronization Module, as follows.

To configure the credential synchronization features in the host domain

Open the console from the domain that is hosting the Credential Synchronization Module. Some domains can access multiple central stores. Ensure that the console you are using is configured to connect to the same central store as the Credential Synchronization Module service.

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. Select an existing user configuration or create a new one.
    • If you are creating a new user configuration, the following options are available from the Advanced Settings button on the Configure plug-in Interaction page of the User Configuration Wizard.
    • If you are editing an existing user configuration, the following options are available from the Edit User Configuration properties page.
  4. Click Synchronization and select Allow user credentials to be accessed through the Credential Synchronization Module.
  5. Click OK and repeat Steps 3 and 4 for each existing and new user configuration.

To manually synchronize application definitions among domains

Accounts can also synchronize across different user configuration associations. That is, a user configuration can be associated with an Active Directory hierarchy (OU or user) in one domain and associated with an Active Directory group in another domain. As long as the application definition names are the same in each user configuration, the Account Association feature will synchronize credentials.

User credentials are shared only for applications defined by the Single Sign-on administrator. Administrators must ensure that each application definition on each domain has the same name in each central store.

For example, if the application definition for SAP is named SAP Logon on one domain, SAP on another, and SAP Launch Pad on another, user credentials for these applications will not be synchronized across accounts for these domains.

A best practice when creating a new application definition across domains is to use the Export application definitions and Import administrative data tasks in the console. Use these tasks to export newly created application definitions and import them into each central store. Existing, previously defined applications must be renamed manually.
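Because Account Association only synchronizes credentials for application definitions whose names are spelled identically in every central store, an administrator will want to verify name parity before enabling the feature. The following script is an added example, not part of Citrix Single Sign-on; the per-domain name sets are constructed sample data standing in for the output of each domain's Export application definitions task, and the case/whitespace duplicate heuristic is an assumption added here, not a rule from the documentation.

```python
"""Check that application definition names match across the central stores of
several domains, the precondition for Account Association to synchronize
credentials. Added example; the domain name sets below are constructed."""
from collections import defaultdict

# Constructed sample: the SAP definition is named differently in each domain
# (the mismatch the documentation warns about), Oracle EBS is missing from one
# domain, and Outlook Web Access differs only by case in one domain.
DEFINITIONS_BY_DOMAIN = {
    "corp.example": {"SAP Logon", "Outlook Web Access", "Oracle EBS"},
    "emea.example": {"SAP", "Outlook Web Access", "Oracle EBS"},
    "apac.example": {"SAP Launch Pad", "outlook web access"},
}


def find_unsynchronized(defs_by_domain):
    """Return {definition name: sorted domains where it is missing} for every
    name that does not exist, spelled identically, in every central store.
    Credentials for these definitions will not synchronize across accounts."""
    domains = sorted(defs_by_domain)
    all_names = set().union(*defs_by_domain.values())
    missing = {}
    for name in sorted(all_names):
        absent = [d for d in domains if name not in defs_by_domain[d]]
        if absent:
            missing[name] = absent
    return missing


def probable_duplicates(defs_by_domain):
    """Group names that differ only by case or surrounding whitespace. These
    are likely the same application and are candidates for renaming to one
    spelling. Heuristic assumed here, not a product rule."""
    groups = defaultdict(set)
    for names in defs_by_domain.values():
        for name in names:
            groups[name.strip().casefold()].add(name)
    return {key: sorted(variants) for key, variants in groups.items()
            if len(variants) > 1}


if __name__ == "__main__":
    for name, absent in find_unsynchronized(DEFINITIONS_BY_DOMAIN).items():
        print(f"{name!r} will not synchronize; missing in: {', '.join(absent)}")
    for variants in probable_duplicates(DEFINITIONS_BY_DOMAIN).values():
        print("rename to a single spelling:", variants)
```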

To configure Account Association user settings in other domains

Install and open the console from a workstation in each domain that is not hosting the Credential Synchronization Module. Some domains have multiple central stores; therefore, ensure that you configure each central store.

All domain administrators must allow the domain users to associate their accounts with their host domain account. Edit the Account Association section of the appropriate user configurations in the console.

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. Select an existing user configuration or create a new one.
    • If you are creating a new user configuration, the following options are available from the Advanced Settings button on the Configure plug-in interaction page of the User Configuration Wizard.
    • If you are editing an existing user configuration, the following options are available from the Edit User Configuration properties page.
  4. Click Account Association.
  5. Select Allow users to associate accounts.

    The following options are not required but help provide a seamless user experience.

  6. Select Provide default service address and type the Single Sign-on Service address and port for the domain hosting the Credential Synchronization Module.
  7. Clear Allow users to edit service address.
  8. Select Provide default domain and type the name for the domain hosting the Credential Synchronization Module. If you do not provide the domain, users might be confused as to which domain account user credentials they should provide.
  9. Clear Allow users to edit domain.
  10. Depending on your company’s security policies, select Allow users to remember password.
  11. Click OK and repeat for each user configuration.

Publishing the Account Association Tool

Because this version of the Single Sign-on Plug-in does not provide a menu option that allows users to enable Account Association, you provide users with a tool for enabling Account Association as a published application:

  1. Install the Single Sign-on Plug-in on a XenApp server.
  2. Locate the AccAssoc.exe file on the XenApp server.
  3. Publish the AccAssoc.exe file and make it available to users.
  4. Inform users how to access and use the Account Association tool.

Note: Users running Single Sign-on Plug-in Versions 4.8 and earlier can use a plug-in menu option to enable Account Association. These users do not require access to the Account Association tool as a published application.