May 11, 2015

If you are using XenApp 6.5 for Windows Server 2008 R2 to publish applications and want to use Single Sign-on 5.0 to provide password security and single sign-on access to them, this topic helps you deploy Single Sign-on quickly. The Single Sign-on deployment described here can be used to evaluate Single Sign-on or as a pilot deployment that can be expanded to include more users and applications.

Note: To simplify the deployment process, the deployment described here excludes some components, features, and options that are available when using Single Sign-on 5.0 with XenApp 6.5.

The deployment described here includes these components of Single Sign-on:

  • Central store. The central store is a centralized repository used by Single Sign-on to store and manage user and administrative data. User data includes user credentials, security question answers, and other user-focused data. Administrative data includes password policies, application definitions, security questions, and other wider-ranging data. When a user signs on, Single Sign-on compares that user’s credentials to those stored in the central store. As the user opens password-protected applications or Web pages, the appropriate credentials are drawn from the central store.
  • Single Sign-on component of the Citrix AppCenter. For this deployment, you can use the Single Sign-on component of the Citrix AppCenter to define password policies, configure Single Sign-on to recognize applications, and create user configurations.
  • Application Definition Tool. The Application Definition Tool has the same features as the portion of the Single Sign-on component of the Citrix AppCenter that configures Single Sign-on to recognize applications.
  • Single Sign-on Plug-in. The Single Sign-on Plug-in is the component of Single Sign-on the users interact with. It submits the appropriate credentials to the applications running on the user’s client device, enforces password policies, and enables users to manage their credentials with the Manage Passwords window. For this deployment, it is installed on each user device.
This deployment does not include the Single Sign-on Service or any of these optional features it supports:
  • Self-Service, which allows users to reset their Windows passwords and unlock their Windows accounts.
  • Data Integrity, which protects data from being compromised while in transit from the central store to the Single Sign-on Plug-in.
  • Key Management, which provides users with the capability to recover their secondary credentials when their primary password changes, either with automatic key recovery or after answering security questions with question-based authentication.
  • Provisioning, which allows you to use the Single Sign-on component of the Citrix AppCenter to add, remove, or update Single Sign-on user data and credential information.
  • Credential Synchronization, which synchronizes user credentials among domains using a Web service.

Perform the tasks in this topic in the order the sections appear here.

Plan Your Deployment

  • Review the system requirements for the central store, the Single Sign-on component of the AppCenter, the Application Definition Tool, and the plug-in: System Requirements.
  • Review the licensing requirements for Single Sign-on and install and upgrade licenses if needed: System Requirements.
  • Identify the applications you want to include. For this deployment, choose only Windows and web applications published with XenApp:
    • For Windows applications, use 32-bit Windows applications (including Java applications) such as Microsoft Outlook, Lotus Notes, SAP, or any password-enabled Windows application. Single Sign-on categorizes any application launched by a file with an .exe extension as a Windows application.
    • For Web applications, use Web applications (including Java applets and SAP) accessed through Microsoft Internet Explorer. Typically, Single Sign-on categorizes any application that runs in a browser as a Web application. Single Sign-on supports Web applications running on Internet Explorer Versions 6.0, 7.0, 8.0, and 9.0.
  • Identify the users you want to include. Ensure that their user devices support the Single Sign-on Plug-in.
  • Decide where to install the central store. The central store for this deployment is an NTFS network share.
  • Decide where to install the Single Sign-on component of the Citrix AppCenter. You can use an AppCenter that is already installed or install a new AppCenter.
  • Decide whether you will install the Application Definition Tool and where to install it. If the Citrix AppCenter is not installed on the computer running an application you want to include in your deployment, install the Application Definition Tool on that computer. When you configure Single Sign-on to recognize applications, you run the applications and allow wizards within the tool to capture information about the applications.
  • Plan your password policies. Password policies are rules that control how passwords are created, submitted, and managed; you apply password policies to all users or to specific groups of applications. Single Sign-on includes two standard password policies named Default and Domain. If the default values for these standard policies meet your needs for this deployment, you can use them without modification. Otherwise, you can create new policies based on them and modify these values.
    • For an overview of password policies, see Password Policies.
    • For guidelines on making your password policies secure and usable, see Password Policies.
    • To understand how Single Sign-on enforces password policies, see Enforcing Password Requirements.
    • To determine whether the default values of the password policy rules are appropriate for your applications and users, review the default values for each setting in the Password Policies reference topic and all its subtopics. The standard password policies (Default and Domain) have these default values.
  • Plan your user configurations. A user configuration is a unique collection of settings, password policies, and applications that you apply to users associated with an Active Directory hierarchy (OU or individual user) or Active Directory group. A user configuration enables you to control the behavior and appearance of the plug-in software for users.
    • For an overview of user configurations and to review user configuration settings used in this deployment and their default values, see Single Sign-on 5.0 Settings Reference. Keep in mind that some options and features discussed in that topic are not used in this deployment. The overview includes the following information:
      • Basic Plug-in Interaction
      • Plug-in User Interface
      • Synchronization
        Note: Do not select Allow user credentials to be accessed through the Credential Synchronization Module. This deployment does not include the Credential Synchronization module.
      • Application Support
      • Licensing
    • To protect your users' credentials, see Data Protection Methods.
      Note: Use the default values for the secondary data protection settings. Other values require the Key Management module, which is not included in this deployment.

      For this deployment, you can use the default user configuration settings (except for licensing settings) initially in most environments. If your requirements change once the deployment is in use, you can edit the user configuration values.

      Settings for features not used in this deployment are disabled by default.

Create the Central Store

The Single Sign-on central store can be one of two types: Active Directory or NTFS network share. For this deployment, you create an NTFS network share because it requires fewer permissions to create than an Active Directory central store. For advantages and considerations of an NTFS network share central store, see Choosing an NTFS Network Share.

If necessary, you can migrate users to an Active Directory central store later.

To create the NTFS network central store:

  1. Load the XenApp media.
  2. From the Autorun menu, select Manually install components > Server Components > Additional Features > Single Sign-on.
  3. Select Central Store.
  4. Select NTFS network share.
The central store is created as %SystemDrive%\CITRIXSYNC$.

Install the Single Sign-on Component of the AppCenter

The AppCenter includes the Single Sign-on component by default when installed.

To use an existing AppCenter with Single Sign-on, configure and run discovery after the central store is created.

To install a new AppCenter for use with Single Sign-on, ensure that the required Microsoft Visual C++ Redistributable Packages and Microsoft Primary Interoperability Assemblies are installed, as described in System Requirements.

To install the AppCenter:

  1. Load the XenApp media on the computer.
  2. From the Autorun menu, select Manually install components > Common Components > Management Console. Follow the instructions.
  3. Select Configure and run discovery and follow the instructions.
After configuration, the Single Sign-on component of the AppCenter is connected to the central store and you can use it to define password policies, configure Single Sign-on to recognize applications, and create user configurations.

Install the Application Definition Tool

If the Citrix AppCenter is not installed on the computer running an application you want to include in your deployment, install the Application Definition Tool to create application definitions for the application.

  1. Load the XenApp media on the computer.
  2. Locate the ASC_PasswordManager file in the Administration folder and run it.
  3. Select Application Definition Tool. Follow the instructions.

Define Password Policies

If you determined that the default values for the standard password policies meet your needs for this deployment, you do not have to define any additional policies. Otherwise, create new policies based on the standard policies.

To create a new password policy:

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-On node and select Password Policies.
  3. From the Action menu, click Create new password policy.
  4. Follow the instructions in the Password Policy Wizard.

Configure Single Sign-on to Recognize Applications

Single Sign-on recognizes and responds to applications based on the settings identified in application definitions. Application definitions provide the information necessary for the Single Sign-on Plug-in to supply user credentials to applications, and detect error conditions if they occur.

Application definitions consist of form definitions. Form definitions allow the Single Sign-on Plug-in to analyze each application as it is started, recognize certain identifying features, and determine if the starting application requires the plug-in to perform some specific action, such as:
  • Submit user credentials at a logon prompt
  • Negotiate a credential changing interface
  • Process a credential confirmation interface

Although most applications and their corresponding application definitions use only two forms for managing user credentials, you can define as many forms as necessary in a single application definition.

You can create these types of user credential management forms:
  • Logon form

    Identifies the logon interface to an application and manages the actions required to gain access to the associated application.

  • Password change form

    Identifies the password change interface to an application and manages the actions required to change the user password to the associated application.

  • Successful password change form

    Identifies the password change interface to an application and manages the actions required to acknowledge the successful password change for the associated application.

  • Failed password change form

    Identifies the unsuccessful password change interface to an application and defines the actions to take when a credential change operation is unsuccessful.

You create application definitions by using the wizards available from the AppCenter or the Application Definition Tool. When the application you want to define is running or available in a browser window, these wizards help capture the information you need for the application definition. To create an application definition, you must be able to access the application from the computer where the application definition is created.

Because application signatures can vary depending on the underlying operating system, test application definitions on all operating systems on which they will run.

Application templates are available for some applications. These templates simplify the process of adding application definitions to your Single Sign-on deployment by supplying most of the information needed to create an application definition. For more information about application templates, see Application Templates.

To create a Windows application definition

To create application definitions for a Windows application, run the application on a computer on which you launch the Application Definition Wizard from the Citrix AppCenter or the Application Definition Tool. While running the wizard, you navigate to the form within the application that requires a user credential management event (user logon, change password, successful password change, or failed password change).

For an overview of considerations for Windows application definitions, see Windows Type Application Definitions.

  1. Start the application.
  2. Prepare to start the Application Definition Wizard:
    • From the AppCenter: Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter. Expand the Single Sign-On node and select Application Definitions.
    • From the Application Definition Tool: Click Start > All Programs > Citrix > Single Sign-On > Application Definition Tool.
  3. Select Create application definition.
  4. Ensure that Windows and Create new are selected and click Start Wizard.
  5. Enter the name of the application as you want it to appear in the central store. Optionally, enter a description. Click Next.
  6. Click Add Form. This launches the Form Definition Wizard.
  7. If you haven't already done so, navigate to the application's user logon, change password, successful password change, or failed password change form.
  8. From the Identify Form page of the Form Definition Wizard, click Select.
  9. In the Window selector that appears, select the application you are creating the definition for. A flashing border appears around the application's prompt.
  10. In the Name form page, enter a name for the form and select the form type. Click Next.
  11. In the Window selector, click OK.
  12. In the Identify form page, click Next.
  13. In the Define forms actions page, configure the credential fields and buttons that you want to appear in the form:
    1. Click the Set/Change hyperlink associated with a specific user credential. This action opens the Configure Control Text dialog box used to identify the control to receive the selected credential.
    2. Select the control type candidate to receive the credential. As the different candidates are selected, the associated control type is highlighted on the application with a flashing border.
    3. Repeat this action for all the user credentials required by the form and for the button required to submit the form.

      Some forms require domains or other user-configurable credentials that must be successfully submitted to process the form. To accommodate these requirements, two custom fields are available. Assign special-requirement credentials to these fields. The names associated with these fields are defined on the Name custom fields page of the Application Definition Wizard after the form is defined.

      Note: Not all the credentials identified in the top of the Define form actions page must be configured.
  14. If your application requires additional forms, use the wizards to create them.

To create a Web application definition

To create application definitions for a Web application, run the application on a computer on which you launch the Application Definition Wizard from the Citrix AppCenter or the Application Definition Tool. While running the wizard, you navigate to the form within the application that requires a user credential management event (user logon, change password, successful password change, or failed password change).

  1. Start the application.
  2. Prepare to start the Application Definition Wizard:
    • From the AppCenter: Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter. Expand the Single Sign-On node and select Application Definitions.
    • From the Application Definition Tool: Click Start > All Programs > Citrix > Single Sign-On > Application Definition Tool.
  3. Select Create application definition.
  4. Ensure that Web and Create new are selected and click Start Wizard.
  5. In the Identify application page that appears, enter the name of the application as you want it to appear in the central store. Optionally, enter a description. Click Next.
  6. Click Add Form. This launches the Form Definition Wizard.
  7. In the Name form page:
    1. Enter a name for the form.
    2. Select the form type.
    3. Ensure that No special action is selected.
    4. Click Next.
  8. If you haven't already done so, navigate to the application's user logon, change password, successful password change, or failed password change form.
  9. From the Identify form page, click Select. This launches the Web Form Wizard.
  10. In the Web page selector that appears, select the application you are creating the definition for. Click OK. A flashing border appears around the web page displaying the application's credential form.
  11. Enter a name for the form and select the form type. Click Next.
  12. In the Identify form page, two check boxes are available to manage how to interpret identified URLs. Select the appropriate check boxes and click Next.
    • Strict URL matching

      Select this check box to recognize only user credential management events from Web applications that are started using the specified URL(s). Some URLs may contain dynamic data such as session management identifiers, application parameters, or other identifiers that can change for each instance. In these circumstances, using strict matching results in the URL not being recognized.

    • Case-sensitive URL

      Select this check box to use exact case matching URL(s).

  13. In the Define forms actions page, configure the credential fields and buttons that you want to appear in the form:
    1. Click the Set/Change hyperlink associated with a specific user credential. This action opens the Configure Field Text dialog box used to identify the field to receive the selected credential. If the form is already open, this dialog box displays all the possible candidates for the field type associated with the selected user credential or submit option.
    2. If the application credential form is not currently open, start the application and navigate to the correct user credential form. Then select Refresh. After the application form is selected, this dialog box is populated with field type candidates that are appropriate for the selected user credential.
    3. Select the field type candidate to receive the credential. As the different candidates are selected, the associated field type is visibly highlighted on the application to make it easier to identify the field type that is to receive the identified user credential or submit button.
    4. Repeat this action for all the user credentials required by the form and for the button required to submit the form.

      Some forms require domains or other user-configurable credentials that must be successfully submitted to process the form. To accommodate these requirements, two custom fields are available. Assign special-requirement credentials to these fields. The names associated with these fields are defined on the Name custom fields page of the Application Definition Wizard after the form is defined.

      Note: Not all the credentials identified in the top of the Define form actions page must be configured.
  14. If your application requires additional forms, use the wizards to create them.
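The effect of the Strict URL matching and Case-sensitive URL check boxes in step 12, as an added example (Python, not Citrix code). The page does not define the lenient rule, so this model assumes that without strict matching the scheme, host and path prefix must agree and the query string is ignored, while strict matching requires the whole URL to be identical; the host names and launch URLs are constructed.

```python
"""
Added example (not Citrix code): models the Strict URL matching and
Case-sensitive URL check boxes on the Identify form page so you can see which
captured URLs a Web form definition would recognize.
Assumptions (the page does not define the lenient rule): without strict
matching, the scheme, host and path prefix must agree and the query string is
ignored; with strict matching the whole URL must be identical.
"""
from urllib.parse import urlsplit


def url_recognized(defined_url, observed_url, strict=False, case_sensitive=False):
    """Return True if the observed URL is recognized by the form's defined URL."""
    a, b = defined_url, observed_url
    if not case_sensitive:
        a, b = a.lower(), b.lower()
    if strict:
        return a == b                      # exact match only
    pa, pb = urlsplit(a), urlsplit(b)
    # Assumed lenient rule: same scheme and host, observed path extends the
    # defined path; anything after '?' (e.g. a session identifier) is ignored.
    return (pa.scheme, pa.netloc) == (pb.scheme, pb.netloc) and pb.path.startswith(pa.path)


def form_recognized(defined_urls, observed_url, strict=False, case_sensitive=False):
    """A form definition may list several URLs; any one of them may match."""
    return any(url_recognized(u, observed_url, strict, case_sensitive) for u in defined_urls)


# Constructed sample: a logon form recorded at a fixed URL, then four launches.
DEFINED = ["https://hr.example.com/Logon.aspx"]
LAUNCHES = {
    "same":        "https://hr.example.com/Logon.aspx",
    "session_id":  "https://hr.example.com/Logon.aspx?sid=7f3a9c",  # dynamic data
    "other_host":  "https://hr.example.net/Logon.aspx",
    "lower_case":  "https://hr.example.com/logon.aspx",
}


def evaluate(strict, case_sensitive):
    """Map each constructed launch to whether the form would be recognized."""
    return {k: form_recognized(DEFINED, v, strict, case_sensitive) for k, v in LAUNCHES.items()}


if __name__ == "__main__":
    for strict in (False, True):
        for cs in (False, True):
            print(f"strict={strict} case_sensitive={cs}: {evaluate(strict, cs)}")
```

The session_id launch shows the trade-off the page describes: strict matching rejects a URL that carries a session identifier, while lenient matching also accepts it.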

To add an application definition for an application with an available template

The Application Definition Wizard helps you locate application templates and add them to your deployment.

  1. Prepare to start the Application Definition Wizard:
    • From the AppCenter: Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter. Expand the Single Sign-On node and select Application Definitions.
    • From the Application Definition Tool: Click Start > All Programs > Citrix > Single Sign-On > Application Definition Tool.
  2. Select Manage templates.
  3. View the list of templates to see if the application you want appears. You can also click the link to download more applications from the web and import them to the list.
  4. Select the application template you want to add and click Create Application Definition.
  5. Use the wizard to edit the forms for the application or accept the default values.

Create User Configurations

  1. Click Start > All Programs > Citrix > Management Consoles > Citrix AppCenter.
  2. Expand the Single Sign-on node and select User Configurations.
  3. Click Add new user configuration.
  4. Enter the name of the user configuration as you want it to appear in the central store. Optionally, enter a description.
  5. Specify how you will associate this user configuration to users.

    You have two choices: associate users according to Active Directory hierarchy (OU or individual user) or Active Directory Group. If necessary, you can associate the user configuration with a different hierarchy or group later, by clicking Move user configuration in the Action menu.

    Important: How you organize your Active Directory environment might affect how user configurations operate. If you use both (Active Directory hierarchy and group) and a user is located in both containers, the user configuration associated with the hierarchy takes precedence and is the one used. This scheme is considered a mixed environment.

    Also, if a user belongs to two Active Directory groups and each group is associated with a user configuration, the user configuration with the highest priority takes precedence and is the one used.

    Associating user configurations to groups is supported only in Active Directory domains that use Active Directory authentication.

  6. From the Choose applications page, add the applications for the user configuration. When you click the Add button, a dialog box showing the application definitions you created previously appears.
  7. Use the Configure Single Sign-on Plug-in interaction page to determine the user experience for all plug-in software users in your environment.
  8. Select a license server and licensing model at the Configure licensing page.
  9. Use the Select data protection methods page to select the data protection methods to protect user credentials based on the various authentication methods your users are authorized to use.
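The precedence rules from step 5 (hierarchy beats group in a mixed environment; among groups the highest priority wins), as an added example (Python, not Citrix code). Assumptions the page does not state: when several bound OUs contain the user, the deepest one wins; priority is an integer where a larger value means higher priority; distinguished names compare case-insensitively. The configuration names, OUs and groups are constructed.

```python
"""
Added example (not Citrix code): resolves which user configuration applies to a
user under the precedence rules in step 5: a hierarchy binding (OU or user)
beats a group binding, and among matching group bindings the highest priority
wins. Assumptions not stated on the page: when several bound OUs contain the
user, the most specific (deepest) one wins; priority is an integer where a
larger value means higher priority; distinguished names compare case-insensitively.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserConfiguration:
    name: str
    binding: str        # "hierarchy" (an OU or user DN) or "group"
    target: str         # the DN for a hierarchy binding, the group name otherwise
    priority: int = 0   # consulted only for group bindings (assumption: higher wins)


def _rdns(dn):
    """Split a DN into normalized RDN components, e.g. 'cn=alice', 'ou=sales', ..."""
    return [part.strip().lower() for part in dn.split(",")]


def in_hierarchy(user_dn, container_dn):
    """True if the user DN equals the container DN or sits anywhere beneath it."""
    user, container = _rdns(user_dn), _rdns(container_dn)
    return len(user) >= len(container) and user[-len(container):] == container


def resolve(user_dn, group_names, configs):
    """Return the effective UserConfiguration for a user, or None if none applies."""
    hierarchy_hits = [c for c in configs
                      if c.binding == "hierarchy" and in_hierarchy(user_dn, c.target)]
    if hierarchy_hits:
        # Mixed environment: a hierarchy match wins over any group match.
        # Assumption: the deepest (most specific) container takes precedence.
        return max(hierarchy_hits, key=lambda c: len(_rdns(c.target)))
    members = {g.lower() for g in group_names}
    group_hits = [c for c in configs
                  if c.binding == "group" and c.target.lower() in members]
    if group_hits:
        return max(group_hits, key=lambda c: c.priority)
    return None


# Constructed sample bindings (no real organization).
CONFIGS = [
    UserConfiguration("Corp-Users", "hierarchy", "OU=Corp,DC=example,DC=com"),
    UserConfiguration("Sales-Users", "hierarchy", "OU=Sales,OU=Corp,DC=example,DC=com"),
    UserConfiguration("Finance-Apps", "group", "Finance", priority=5),
    UserConfiguration("VPN-Users", "group", "VPN", priority=9),
]


def effective_name(user_dn, group_names, configs=CONFIGS):
    """Name of the user configuration that would be applied, or None."""
    cfg = resolve(user_dn, group_names, configs)
    return cfg.name if cfg else None


if __name__ == "__main__":
    print(effective_name("CN=alice,OU=Sales,OU=Corp,DC=example,DC=com", ["Finance", "VPN"]))
    print(effective_name("CN=bob,OU=Eng,DC=example,DC=com", ["Finance", "VPN"]))
```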

Install the Single Sign-on Plug-in

The Single Sign-on Plug-in runs on the XenApp server and provides credentials and access to published applications. The plug-in also runs on each user device, submitting credentials to applications and enabling users to manage their credentials.

Installation considerations:
  • After installing the plug-in on a supported operating system that uses the Microsoft Graphical Identification and Authentication (GINA) Windows component, you must restart the device. This includes Windows XP, Microsoft Windows XP Embedded, Microsoft Windows Fundamentals for Legacy PCs, Microsoft Windows Server 2003 R2, and Microsoft Windows Server 2003 with Service Pack 2.

    Winlogon uses the GINA controls for the dialog box that users see when they press the key combination CTRL+ALT+DEL. The dialog box collects the data needed to perform authentication. XenApp, the Single Sign-on Plug-in, and the Novell NetWare client interact with or require the replacement of the GINA dynamic link library (DLL). You might be required to install or uninstall software in a specific order to preserve proper GINA chaining. By installing the Single Sign-on Plug-in last, you ensure that the Single Sign-on GINA is called first by the Winlogon process.

  • After the installation completes (and the device restarts, if needed), the Citrix Receiver icon appears in the system tray.
  • After installing the plug-in, if you configure or change Citrix licensing information, restart the plug-in to apply the changes.

To install the Single Sign-on Plug-in on a user device or on a server with XenApp installed:

  1. Load the XenApp media on the computer or server.
  2. From the Autorun menu, select Manually install components > Server Components > Additional Features > Single Sign-on > Single Sign-on Plug-in.
  3. Follow the instructions.

Get Users Started Using Single Sign-on

Before end users begin using Single Sign-on, review the end user help available through the Single Sign-on interface. Inform your users how Single Sign-on works and which features are available to them in this deployment.