You can configure the self-service features of Single Sign-on to allow
your users to reset their primary password or unlock their Windows domain
accounts without intervention by administrative or help desk staff. Depending
on your needs, you can implement the self-service password reset and account
unlock features securely in your Single Sign-on environment.
Note: To implement Account Self-Service with Citrix Web Interface, see
The Self-Service Module features are protected by question-based
authentication, which ensures that your users are authorized to reset their
passwords or unlock their accounts. During the first-time use of the Single
Sign-on Plug-in software or first-time use after the Account Self-Service
function is configured, users must register answers to security questions you
create and select during Single Sign-on setup.
These security questions are then presented to users when they need to
reset their password or unlock their account. When the questions are answered
correctly, users are allowed to reset their password or unlock their account,
avoiding the need to call the help desk or administrator.
Important: The self-service password reset and account unlock
features require that you implement question-based authentication. Users must
register answers to security questions to use these features. If you choose not
to use question-based authentication in your Single Sign-on environment, the
self-service password reset and account unlock features are not available to
Factors to consider:
- You can implement the features of the Self-Service Module to allow your
users to reset their primary (domain account) password or unlock their Windows
domain accounts in an Active Directory environment only.
- When users change their application password by using the Single Sign-on
Plug-in software or primary password by using the CTRL+ALT+DEL key combination
on a device in which the plug-in software is installed, Single Sign-on
automatically captures the
- To prevent user lockout, do not combine the self-service password reset with
the "Prompt user to enter the previous password" option as the only method for
confirming users’ identities. When the previous password is the only method
available to your users, users who forget their previous primary password are
locked out of the system. Their user data must be reset or deleted from the
central store and from all user devices on which it is stored, and they must
reenter their credentials for all of their applications.