Product Documentation

Moving Data to a Different Central Store

May 11, 2015

There are several reasons why you may need to migrate password policies, application templates, application definitions, security questions, and other types of Single Sign-on administrative data:

  • The user moves to a new domain
  • A new server is added to the Single Sign-on environment
  • A new domain is added so users can use Single Sign-on’s Account Association feature
  • Users begin using Account Association across existing domains
  • Single Sign-on is moved from a test environment to a production environment

Migration is a two-step process performed through the Single Sign-on component of the Citrix AppCenter:

  1. Export the existing administrative data.
  2. Import the administrative data into the new environment.

In most instances, you must also redirect users to the new central store.

The following lists show which data does and does not migrate when you use the Export command.

Migrates:
  • Password policies (except for the Default and Domain policies)
  • Application templates
  • Application definitions
  • Security questions and security question groups used as part of question-based authentication

Does not migrate:
  • User configurations
  • People folders
  • Application groups
  • User credentials
  • Questionnaires
  • Single Sign-on Service data

Single Sign-on Service data does not migrate from one central store to another. If you are using the service, install Single Sign-on Service in the new location and keep both the existing and the new service available temporarily after the migration, until all users have synchronized with the new central store.

Caution: Additional steps are required to ensure successful migration if the Self Service or Data Integrity service modules are installed or if Delete user's data folder and registry keys when Single Sign-on Plug-in is shut down is enabled in a user configuration.

User configurations do not migrate from one central store to another automatically. Instead, you must recreate the user configurations in the new central store and redirect users to it. When Single Sign-on Plug-in next synchronizes with the original central store, it recognizes that the redirect values have changed and copies the user's credentials to the new central store.

Migrating Data to a New Central Store

The Export Admin Data Wizard allows you to export all application definitions, application templates, password policies, and security questions and groups in the central store. You can choose to export or leave entire types of data, but this wizard does not allow you to act on a subset of data: for example, you must export all password policies or leave them in the old central store.

Unlike the other types of administrative data, you can choose which application definitions to export by using the Export application definition command.

Caution: Manual steps are required to ensure successful migration if the Self Service or Data Integrity service modules are installed or if Delete user's data folder and registry keys when Single Sign-on Plug-in is shut down is enabled in a user configuration.

To export administrative data

  1. In the Citrix AppCenter, while connected to the original central store, click the Single Sign-on node and, from the Action menu, click Export administrative data.
  2. Follow the on-screen directions for the Export Admin Data Wizard.

To import administrative data

  1. On the new machine, install and start the Single Sign-on console component, completing the Configure and Run Discovery process.
    Note: The Configure and Run Discovery process allows you to identify the central store to which you want to connect.
  2. In the Citrix AppCenter, while connected to the new central store, click the Single Sign-on node and, from the Action menu, click Import administrative data.
  3. Follow the on-screen directions for the Import Admin Data Wizard.
  4. Create new user configurations.
  5. In the Citrix AppCenter, while connected to the original central store, select a user configuration whose users are to be redirected, from the Action menu, select Redirect users, and then identify the location of the new central store. Repeat for each user configuration.
  6. Ensure all users log on to Single Sign-on at least once after being redirected, so that the plug-in copies their credentials to the new central store. Only then is it safe to shut down the original central store and service.

To migrate to a new central store if Delete user's data folder and registry keys when Single Sign-on Plug-in is shut down is enabled

If your enterprise enables Delete user's data folder and registry keys when Single Sign-on Plug-in is shut down in user configurations, complete the following steps to migrate your users to a new central store. If you do not, the migrated users must re-enroll, through question-based authentication or automatic key recovery, each time they log on to their computer, because their local Single Sign-on data is deleted each time they log off or exit Single Sign-on Plug-in.

  1. Migrate the administrative data to the new central store.
  2. On the Citrix AppCenter, while connected to the new central store, create new user configurations. Do not enable Delete user's data folder and registry keys when Single Sign-on Plug-in is shut down.
  3. In the Citrix AppCenter, while connected to the original central store, select a user configuration whose users are to be redirected, from the Action menu, select Redirect users, and then identify the location of the new central store. Repeat for each user configuration.
  4. Ensure all users log on to Single Sign-on at least once.
  5. Write and run a script to update the type and location of the central store in the registry of users' computers. The following settings apply, depending on the old and new central store types. All values are under HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Extensions\SyncManager\Syncs\DefaultSync (registry paths are not case-sensitive).
    NTFS to NTFS
      Old settings:
        SSOSyncType = FileSyncPath
        Servers\Server1 = <OLD UNC path>
      New settings:
        SSOSyncType = FileSyncPath
        Servers\Server1 = <NEW UNC path>
    NTFS to Active Directory
      Old settings:
        SSOSyncType = FileSyncPath
        Servers\Server1 = <OLD UNC path>
      New settings:
        SSOSyncType = ADSyncPath
    Active Directory to NTFS
      Old settings:
        SSOSyncType = ADSyncPath
      New settings:
        SSOSyncType = FileSyncPath
        Servers\Server1 = <NEW UNC path>

    Caution: Editing the registry incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. Be sure to back up the registry before you edit it.
  6. On the Citrix AppCenter, while connected to the new central store, select the new user configurations and enable Delete user's data folder and registry keys when Single Sign-on Plug-in is shut down. It is now safe to shut down the original central store and service.
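The following PowerShell script is an added example of the step 5 script; it is not a Citrix script and is not part of the original documentation. It rewrites the DefaultSync values listed above for any of the three store-type combinations, backs up the key first (as the caution requires), refuses a malformed or unreachable UNC path, and reads the values back to verify the change. Assumptions that are not from the page: it runs elevated on each user's computer (for example as a computer startup script), the values are REG_SZ when they do not already exist, the sample share name is a placeholder, and for an Active Directory target only SSOSyncType is changed, exactly as the settings above show.

```powershell
<#
  Added example (not a Citrix script): point a user's computer at a new
  Single Sign-on central store by rewriting the DefaultSync registry values.
  Assumptions not taken from the page: run elevated; new values are REG_SZ;
  the share name below is a placeholder.
#>
param(
    [Parameter(Mandatory)]
    [ValidateSet('NTFS', 'ActiveDirectory')]
    [string]$NewStoreType,

    # Required for an NTFS target, e.g. \\fileserver\CITRIXSYNC$ (hypothetical share)
    [string]$NewUncPath,

    # Where the pre-change .reg backup of the key is written
    [string]$BackupDir = "$env:ProgramData\SSOMigration"
)

$ErrorActionPreference = 'Stop'
$syncKeyReg = 'HKLM\SOFTWARE\Citrix\MetaFrame Password Manager\Extensions\SyncManager\Syncs\DefaultSync'
$syncKey    = 'HKLM:\SOFTWARE\Citrix\MetaFrame Password Manager\Extensions\SyncManager\Syncs\DefaultSync'
$serverKey  = Join-Path $syncKey 'Servers'

function Set-RegStringPreservingKind {
    # Write $Value to $Name under $Key, keeping the value's existing registry type
    # so an existing REG_EXPAND_SZ is not silently turned into a REG_SZ.
    param([string]$Key, [string]$Name, [string]$Value)
    $item = Get-Item -LiteralPath $Key
    $kind = if ($item.GetValueNames() -contains $Name) { $item.GetValueKind($Name) } else { 'String' }
    Set-ItemProperty -LiteralPath $Key -Name $Name -Value $Value -Type $kind
}

if (-not (Test-Path -LiteralPath $syncKey)) {
    throw "Single Sign-on sync key not found (is Single Sign-on Plug-in installed?): $syncKey"
}

# 1. Back up the key before changing anything.
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$backupFile = Join-Path $BackupDir ("DefaultSync-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $syncKeyReg $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $backupFile)) { throw 'Registry backup failed' }

# 2. Record the current settings so the change is auditable.
$beforeType   = (Get-ItemProperty -LiteralPath $syncKey).SSOSyncType
$beforeServer = if (Test-Path -LiteralPath $serverKey) { (Get-ItemProperty -LiteralPath $serverKey).Server1 } else { $null }
Write-Host "Before: SSOSyncType=$beforeType Server1=$beforeServer"

# 3. Apply the new settings for the target store type.
switch ($NewStoreType) {
    'NTFS' {
        # Accept only a \\server\share[\path] UNC path, and only one that is reachable,
        # so a typo cannot send every plug-in's credential sync to a wrong or missing location.
        if ($NewUncPath -notmatch '^\\\\[^\\\s]+\\[^\\\s]+') { throw "NewUncPath must be a UNC path: '$NewUncPath'" }
        if (-not (Test-Path -LiteralPath $NewUncPath)) { throw "New central store is not reachable: $NewUncPath" }
        Set-RegStringPreservingKind -Key $syncKey -Name 'SSOSyncType' -Value 'FileSyncPath'
        if (-not (Test-Path -LiteralPath $serverKey)) { New-Item -Path $serverKey | Out-Null }
        Set-RegStringPreservingKind -Key $serverKey -Name 'Server1' -Value $NewUncPath
    }
    'ActiveDirectory' {
        # Only SSOSyncType changes for an Active Directory target; Servers\Server1 is left as it is.
        Set-RegStringPreservingKind -Key $syncKey -Name 'SSOSyncType' -Value 'ADSyncPath'
    }
}

# 4. Read the values back and verify them before reporting success.
$expected  = if ($NewStoreType -eq 'NTFS') { 'FileSyncPath' } else { 'ADSyncPath' }
$afterType = (Get-ItemProperty -LiteralPath $syncKey).SSOSyncType
if ($afterType -ne $expected) { throw "Verification failed: SSOSyncType is '$afterType', expected '$expected'" }
if ($NewStoreType -eq 'NTFS' -and (Get-ItemProperty -LiteralPath $serverKey).Server1 -ne $NewUncPath) {
    throw 'Verification failed: Servers\Server1 was not updated'
}
Write-Host "After: SSOSyncType=$afterType (backup saved to $backupFile)"
```

Run it once per computer, after every user has logged on following the redirect (step 4), for example `.\Set-SsoCentralStore.ps1 -NewStoreType NTFS -NewUncPath '\\fileserver\CITRIXSYNC$'` (script and share names are placeholders). The .reg backup in $BackupDir is what you import with reg.exe if the plug-in fails to start afterwards.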

Exporting Application Definitions

You can export single application definitions or any number of application definitions to an .xml file.

To export a single application definition

  1. In the Citrix AppCenter, while connected to the original central store, expand the Single Sign-on node and then expand Application Definitions.
  2. Select the application definition to be exported and, from the Action menu, click Export application definition.
  3. In the Export application definition dialog box, save the application definition to a location you can access from the new console’s computer.

To export multiple application definitions

  1. In the Citrix AppCenter, while connected to the original central store, expand the Single Sign-on node and then click Application Definitions.
  2. From the Action menu, click Export application definitions.
  3. Follow the on-screen directions for the Export Application Definitions Wizard.

To back up the service

When you back up important files, be sure to include the central store and its contents, certificates, and personal and private keys in your company’s regular backup procedures.

Important: If your central store is an NTFS network share, you must adjust the Windows permissions on these files so that the account your backup program runs under can read them. Grant that account read access only; do not widen access for other users.
  1. Take note of the settings you make when running the Service Configuration Tool to set up your service.
  2. Export the service data to a secure share or disk using CtxMoveServiceData.exe:
    1. From a command prompt, go to %ProgramFiles%\Citrix\Metaframe Password Manager\Service\Tools.
    2. Type CtxMoveServiceData.exe -export \\server\share\backupfile.
      Note: Do not use environment variables in your path.
    3. When asked, type a password of your choice. Make note of the password.
      Important: The service data you save to your backup file will be encrypted using this password. Do not lose your password.
    4. When asked to confirm your password, type it again.
    5. Verify your backup file was created.
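The following PowerShell script is an added example that wraps the export procedure above; it is not a Citrix script and is not part of the original documentation. It runs CtxMoveServiceData.exe -export exactly as the steps describe, then performs the checks an operator wants afterwards: that the backup file exists and is not empty, a SHA-256 record for later integrity checking, and a restrictive ACL on the file. Assumptions not taken from the page: the tool prompts for the password itself (so the script never handles it), a non-zero exit code means the export failed, and the share and group names are placeholders.

```powershell
<#
  Added example (not a Citrix script): export Single Sign-on Service data with
  CtxMoveServiceData.exe and verify and protect the resulting backup file.
  Assumptions not taken from the page: the tool prompts for the password on the
  console; a non-zero exit code means failure; share and group names are placeholders.
#>
param(
    [Parameter(Mandatory)]
    [string]$BackupShare,                                    # e.g. \\backupserver\ssobackup$ (hypothetical)
    [string]$ReadersGroup = 'CONTOSO\SSO-Backup-Operators'   # hypothetical group allowed to read backups
)

$ErrorActionPreference = 'Stop'
$tool = Join-Path $env:ProgramFiles 'Citrix\MetaFrame Password Manager\Service\Tools\CtxMoveServiceData.exe'
if (-not (Test-Path -LiteralPath $tool))        { throw "CtxMoveServiceData.exe not found at $tool" }
if (-not (Test-Path -LiteralPath $BackupShare)) { throw "Backup share is not reachable: $BackupShare" }

# The page says not to use environment variables in the export path, so the path
# handed to the tool is a fully expanded UNC path with a per-server timestamped name.
$backupFile = Join-Path $BackupShare ("ssoservice-{0}-{1:yyyyMMdd-HHmmss}.bak" -f $env:COMPUTERNAME, (Get-Date))

# Run the export. The tool asks for the password and its confirmation on the console;
# record that password in your secrets store, because the file is unusable without it.
& $tool -export $backupFile
if ($LASTEXITCODE -ne 0) { throw "CtxMoveServiceData.exe -export returned exit code $LASTEXITCODE" }

# Verify the backup was created and is not empty, then record its hash so a later
# restore can prove the file on the share was not altered in the meantime.
$info = Get-Item -LiteralPath $backupFile
if ($info.Length -eq 0) { throw "Backup file is empty: $backupFile" }
$hash = (Get-FileHash -LiteralPath $backupFile -Algorithm SHA256).Hash
Add-Content -LiteralPath (Join-Path $BackupShare 'manifest.txt') `
    -Value "$($info.Name) SHA256=$hash created=$(Get-Date -Format o)"

# The file is encrypted with the password you typed, but still limit who can read it:
# stop inheriting the share's ACEs and allow only SYSTEM, Administrators and the operators group.
$acl = Get-Acl -LiteralPath $backupFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\SYSTEM';     Rights = 'FullControl' },
        @{ Id = 'BUILTIN\Administrators';  Rights = 'FullControl' },
        @{ Id = $ReadersGroup;             Rights = 'Read' })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($entry.Id, $entry.Rights, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $backupFile -AclObject $acl

Write-Host "Backup written: $backupFile"
Write-Host "SHA256: $hash"
```

Before a restore, compare `(Get-FileHash -LiteralPath $backupFile -Algorithm SHA256).Hash` against the manifest entry; a mismatch means the file should not be imported.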

To restore the service

  1. Install the service from the installation media.
  2. Configure the service with the proper settings, using the notes you made prior to back up.
    Note: If you are using data integrity, make sure you configure the data integrity server location properly, whether the data integrity server location has changed or stayed the same.
  3. Finish the configuration and allow the service to start. After the service starts, you can immediately stop the service if you choose.
  4. Import the service data from a secure share or disk, using CtxMoveServiceData.exe:
    1. At a command prompt, go to %ProgramFiles%\Citrix\Metaframe Password Manager\Service\Tools.
    2. Type CtxMoveServiceData.exe -import \\server\share\backupfile.
    3. Enter the correct password when prompted.
    4. When asked if you want to overwrite AKR.DAT, select Yes.
  5. Restart the service. The service is now ready for use.

Removing Deleted Objects from Your Central Store

Use the CtxFileSyncClean tool to delete orphaned configuration data files from NTFS Share central stores. These files became orphaned when the objects they pointed to were deleted. The CtxFileSyncClean tool does not delete user data files, even if that user was deleted. Run CtxFileSyncClean.exe from the \Tools directory of your installation media.