
Allowing Users to Manage Their Primary Credentials with Account Self-Service

May 09, 2015
You can configure the self-service features of Single Sign-on to allow your users to reset their primary password or unlock their Windows domain accounts without intervention by administrative or help desk staff. Depending on your needs, you can implement the self-service password reset and account unlock features securely in your Single Sign-on environment.
Note: To implement Account Self-Service with Citrix Web Interface, see Web Interface.

The Self-Service Module features are protected by question-based authentication, which ensures that your users are authorized to reset their passwords or unlock their accounts. During the first-time use of the Single Sign-on Plug-in software or first-time use after the Account Self-Service function is configured, users must register answers to security questions you create and select during Single Sign-on setup.

These security questions are then presented to users when they need to reset their password or unlock their account. When the questions are answered correctly, users are allowed to reset their password or unlock their account, avoiding the need to call the help desk or administrator.

Important: The self-service password reset and account unlock features require that you implement question-based authentication. Users must register answers to security questions to use these features. If you choose not to use question-based authentication in your Single Sign-on environment, the self-service password reset and account unlock features are not available to your users.

Factors to consider:

  • You can implement the features of the Self-Service Module to allow your users to reset their primary (domain account) password or unlock their Windows domain accounts in an Active Directory environment only.
  • When users change an application password through the Single Sign-on Plug-in software, or change their primary password with the CTRL+ALT+DEL key combination on a device where the plug-in software is installed, Single Sign-on automatically captures the password change.
  • To prevent user lockout, do not make the Prompt user to enter the previous password option the only method of confirming users’ identities when self-service password reset is enabled. If entering the previous password is the only method available, users who forget their previous primary password are locked out of the system. Their user data must then be reset or deleted from the central store and from every user device on which it is stored, and they must reenter their credentials for all of their applications.

Summary of Self-Service Implementation Tasks

To use Account Self-Service functionality, perform the following steps:
  1. Install the Self-Service Module and the Key Management Module.
  2. Configure your question-based authentication.
  3. Create a user configuration with one or both of the self-service password reset or account unlock features enabled.
  4. Install and configure the plug-in software.

Using Automatic Key Management with Self-Service

Combining automatic key management with self-service provides greater ease-of-use to users needing access to password-protected applications handled by the Single Sign-on Plug-in software. For example, if users reset their primary passwords, they do not need to answer security questions after successfully resetting their passwords. (However, they do need to answer security questions during the self-service password reset process.)

With automatic key management, users do not have to verify their identities after unlocking their accounts or resetting their domain passwords.

To reset self-service user registration

If users are locked out of their Windows account and cannot remember the answers to their security questions, you must use the Single Sign-on component of the Citrix AppCenter to reset their self-service registration. After you reset a user's registration, the Self-Service Registration wizard appears the next time that user opens the plug-in software, and the user can register new answers to the security questions.

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node, expand the Identity Verification node and select Question Based Authentication.
  3. In the Action menu, click Other Tasks > Revoke security question registration for a user.
  4. In the Select User dialog box, type the user or user group name.

User Experience

After the service and plug-in software are installed and configured, the Self-Service Module adds an Account Self-Service button to the user’s Windows logon dialog box and to the Unlock Computer dialog box (shown when users lock their computers with the CTRL+ALT+DEL key combination). For Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 users, the button is added to the Welcome screen instead.

Before users can access the self-service features, they must log on to their primary domain account and register answers to the security questions. After successfully enrolling, they can use the self-service password reset and account unlock features.