Managing User Configurations

May 09, 2015

Single Sign-on allows you to manage user configurations. You can:

  • Reset user data
  • Delete user data
  • Prompt users to register again
  • Set the user configuration priority
  • Assign the user configuration to different users
  • Upgrade the user configuration for existing users

To reset user data

The Reset user data task requires that you install and configure the Provisioning Module.

Reset user data enables you to reset user information in your central store, which results in the selected user being returned to an initial state.
  • In Active Directory central stores, the user data (credentials, security questions and answers, and so on) is deleted and the user is flagged as having had their data reset.
  • In NTFS network share central stores, the user folders are retained, all user data is deleted, and the user is flagged as having had their data reset.

You can use Reset user data if users forget the answers to their security questions, or to reset a user’s credential data if it becomes corrupted. When the user later uses the plug-in software to contact the central store, the user’s local credential store is cleared of all data, and the user must reenroll.

This task is also useful when a user cannot log on to the plug-in software.

Important: Password history is retained on a per-user basis. If you reset the data for a user, the password history is removed and cannot be enforced for the deleted passwords.

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. From the Action menu, click Other Tasks > Reset user data. The Select User dialog box appears.
  4. Type a user name in the text field and click Check Names.
  5. If the user is found, click OK.
  6. Select a user in your central store and click Reset.
  7. Click OK. A warning message appears.
  8. Verify that any users who might be running Single Sign-on as an application hosted by Citrix XenApp are logged off and click Continue to flag the user’s data for reset.
    Note: If users are not logged off, click Cancel, reset their ICA session, and return to this procedure.
  9. Click OK in the Reset User Data dialog box when the user information is verified and reset. The user’s data is reset the next time the user logs on to Single Sign-on using the plug-in software.

To delete user data

The Delete user data from central store task deletes all user data and information from the central store. You can use Delete user data from central store when a user leaves your enterprise permanently.

The local credential store on the user computer remains intact until it is explicitly deleted by an administrator or operator.

If the plug-in software is run by the now-deleted user, the plug-in software synchronizes its local credential store with the central store unless the local credential store is explicitly deleted by an administrator or operator. To prevent this, delete this user from your enterprise (for example, disable or delete the user from Active Directory).

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. From the Action menu, click Other Tasks > Delete user data from central store. The Select user dialog box appears.
  4. Type a user name in the text field and click Check Names.
  5. If the user is found, click OK. Click Yes to confirm. A confirmation message appears.
  6. Click OK. The user is now deleted from the central store.

To prompt users to reregister

You can prompt one user or all users to reregister answers to their security questions. You would use these features for security purposes or when user data becomes corrupted:

  • Revoke security question registration for a user

    Select this option to delete a user’s security question data. Any question-based authentication is unavailable until the user reregisters.

  • Prompt all users to reregister security questions

    Select this option to prompt all users to reregister their security questions and answers when they launch the plug-in software. Security question data is retained and any feature requiring question-based authentication is still available with the current answers. Users are prompted until they reregister.

If users cancel the Citrix Single Sign-on Registration dialog box when prompted, they cannot use features that rely on question-based authentication, such as Account Self-Service, until they reregister their answers.

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. From the Action menu, click Other Tasks and one of the following:
    • Revoke security question registration for a user

      The Select User dialog box appears. Type or select a user. Confirm that you want to revoke that user’s security question registration.

    • Prompt all users to reregister security questions

      Click Yes to prompt all users, then click OK.

To set a user configuration priority

When you create or edit a user configuration, you can associate users located in Active Directory groups with user configurations. A user in a group can be associated with more than one user configuration. In this case, you can set the priority of the user configuration.

Important: How you organize your Single Sign-on user environment might affect how user configurations operate. That is, you associate user configurations in your Single Sign-on environment with an Active Directory hierarchy (OU or users) or an Active Directory group. If you use both (hierarchy and group) and a user is located in both containers, the user configuration associated with the hierarchy takes precedence and is the one used. This scheme is considered a mixed environment.

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. From the Action menu, click Other Tasks > Set user configuration priority. The Set User Configuration Priority dialog box appears.
  4. Select a user configuration and click Move Up or Move Down, according to your preference.

Assigning a User Configuration to Different Users

When you edit an existing user configuration, note that you cannot edit the user configuration location. You can perform one of the following procedures:

  • Apply a user configuration to an additional set of users by duplicating it
  • Apply a user configuration to a different set of users by moving it

To duplicate a user configuration

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. Select the user configuration.
  4. From the Action menu, click Duplicate user configuration.
  5. Type a name for the duplicate configuration.
  6. Specify the OU, user, or group that contains the users to which the user configuration will apply.

To move a user configuration to different users

You cannot move a user configuration that is associated with an Active Directory group. To associate the user configuration with an Active Directory hierarchy (OU or user), duplicate the user configuration and specify the desired association.

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. Select the user configuration.
  4. From the Action menu, click Move user configuration.
  5. Specify the OU, user, or group that contains the users to which the user configuration will apply.

Upgrading Existing User Configurations

In Password Manager Versions 4.0 and 4.1, you associated users to a user configuration by an Active Directory hierarchy (OU or user). In Password Manager 4.5 and 4.6 and Single Sign-on 4.8 and 5.0, you can choose to associate users by an Active Directory group.

  • If you use an existing user configuration organized by hierarchy and now create user configurations organized by group and a user is located in both containers, the user configuration associated with the hierarchy takes precedence and is the one used. This scheme is considered a mixed environment. In this case, your users might experience unintended plug-in software behavior. That is, they will have access to resources associated with the hierarchy-based user configuration instead of resources associated with the group-based user configuration.
  • If you want to preserve the settings in your existing hierarchy-based user configurations but change their association, move the user configuration to a different user. This procedure is applicable for Versions 4.1, 4.5, 4.6, 4.8 and 5.0 hierarchy-based user configurations.
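
The precedence rule described here and under "To set a user configuration priority" can be checked offline before group-based user configurations are introduced. The following is an added example, not Citrix code: it models user configurations as constructed data and reports which users fall into a mixed environment, where a hierarchy-based configuration overrides their group-based one. All names and DNs are hypothetical, and it assumes the top entry in the priority list wins among group-based configurations.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class UserConfig:
    name: str
    kind: str          # "hierarchy" (OU or user) or "group"
    target: str        # DN of the OU/user, or the group name
    priority: int = 0  # list position for group configs; 1 = top (assumed)

def in_hierarchy(user_dn: str, target_dn: str) -> bool:
    # Simplified DN match: the user object itself or any object below the OU.
    u, t = user_dn.lower(), target_dn.lower()
    return u == t or u.endswith("," + t)

def resolve(user_dn, groups, configs):
    """Apply the page's rule: a hierarchy association beats a group association."""
    hier = [c.name for c in configs
            if c.kind == "hierarchy" and in_hierarchy(user_dn, c.target)]
    grp = [c.name for c in sorted(configs, key=lambda c: c.priority)
           if c.kind == "group" and c.target in groups]
    if hier:
        # The page does not order several hierarchy matches, so all are returned.
        return {"effective": hier, "mixed": bool(grp), "shadowed": grp}
    return {"effective": grp[:1], "mixed": False, "shadowed": grp[1:]}

def audit(users, configs):
    """Names of users whose group-based configuration is silently overridden."""
    return sorted(name for name, (dn, groups) in users.items()
                  if resolve(dn, groups, configs)["mixed"])

# Constructed sample data (not from any real directory).
CONFIGS = [
    UserConfig("Finance-OU", "hierarchy", "OU=Finance,DC=example,DC=test"),
    UserConfig("Contractors", "group", "SSO-Contractors", priority=1),
    UserConfig("AllStaff", "group", "SSO-AllStaff", priority=2),
]
USERS = {
    "alice": ("CN=alice,OU=Finance,DC=example,DC=test", {"SSO-Contractors"}),
    "bob": ("CN=bob,OU=Sales,DC=example,DC=test", {"SSO-AllStaff", "SSO-Contractors"}),
    "carol": ("CN=carol,OU=Sales,DC=example,DC=test", set()),
}

if __name__ == "__main__":
    for name, (dn, groups) in USERS.items():
        print(name, resolve(dn, groups, CONFIGS))
    print("mixed-environment users:", audit(USERS, CONFIGS))
```

Users reported by audit() are the ones who would receive resources from the hierarchy-based configuration rather than the group-based one an administrator may have intended.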

Consider the following if you want to upgrade existing user configurations whose users are organized by OU or user:

If you upgrade the Single Sign-on Service and console but do not upgrade the plug-in software, the plug-in software will still provide basic functionality to users whose user configurations are associated with Active Directory hierarchies (organizational units or users). However, your users will not have access to the latest Single Sign-on features. Consider upgrading the plug-in software whenever possible to match the service and console versions.