Product Documentation

Data Protection Methods

May 11, 2015

These settings are used to select the primary data protection methods to use to protect the credentials of your users. In some environments, users can use more than one method.

Start > All Programs > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Data Protection Methods

Do you need to regulate account administrator access to user data?

Select Yes to disallow administrator access to user credentials. Selecting this option disables the Microsoft Data Protection API options (including the DPAPI with profile selection in the Smart Card key source drop-down menu) and the Do not prompt users; restore primary data protection automatically over the network option in the Secondary Data Protection settings. With this configuration, the account administrator or any other administrator does not have access to user passwords or data. This setting helps prevent an administrator from impersonating a user: with the default setting, the administrator cannot log on as the user and thereby gain access to data in the user’s local credential store.

Select No to allow use of all the authentication features on this page and of the secondary data protection methods in the Secondary Data Protection settings.

Default setting: Yes

For improved user experience upon logon events, please select all data protection methods that apply

Choose this selection to use the primary authentication features that are made available in the settings described in the following table.

Default setting: selected

Use data protection as in Password Manager 4.1 and previous versions

Users authentication data

A user secret is used to access and protect user data. The authentication secret can be a user password or a PIN-based device used in your environment.

Default setting: selected

To further protect the user data, you can also select the following:

Allow Smart Card PINs

Select to allow the smart card PIN to be used as the user secret for protection. Use this only if your enterprise or environment has a “strong PIN” policy.

Default setting: not selected

Allow protection using blank passwords

Select this option only if your domain has low security requirements and allows users to have blank domain passwords. If you select this option and the plug-in software detects that the user has a blank password, a user secret is derived from the user ID.

If you do not select this option, the plug-in software does not derive a user secret or otherwise perform any data protection with the blank password.

If you select Users authentication data and do not select Allow Smart Card PINs or Allow protection using blank passwords, and a user with a blank password logs on for first-time enrollment and registration, an error message appears and the plug-in software is disabled.

Default setting: not selected

Microsoft Data Protection API

Select this option if you are using roaming profiles implementing a Kerberos network authentication protocol for users. This option works only if roaming profiles are available.

For example, select Users authentication data and this option if users are using passwords to access their computers and a Kerberos network authentication protocol to access a farm of computers running Citrix XenApp. This method also allows the use of user credentials and smart cards to log on.

Default setting: not selected

Smart Card Certificate

Select to allow users to use cryptographic cards that enable encryption and decryption of authentication data. Citrix recommends that, if possible, you select this option if you are using Hot Desktop in your environment.

Default setting: not selected

Select this option and select a method from the Smart Card key source drop-down menu to permit users to use a single primary authentication method and/or if you are using Password Manager Versions 4.0 or 4.1 plug-in software. If you upgraded your central store from Version 4.1 to Version 5.0, this option is selected automatically.

This option is available only when the Triple DES encryption method is used.

The Smart Card key source choices are:

  • PIN as password
  • Smart Card Data Protect
  • DPAPI with profile (not available if No is selected for Do you need to regulate account administrator access to user data?)

Default setting: not selected

Secondary Data Protection

These options allow you to specify secondary credential data protection features to use before unlocking user credentials when users change their primary authentication (for example, when a domain password is changed, or a smart card is replaced). Alternatively, it also enables you to specify that credentials are restored automatically when implementing the Key Management Module.

Start > All Programs > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Secondary Data Protection

Prompt users to verify identity

Default setting: selected

Choose this button to select one of the following user reauthentication methods:

Prompt user to enter the previous password

If you select this option, note that users who forget their previous password will be locked out and must reenroll their secondary credentials. Do not select this option if your users employ smart cards for their primary authentication.

Default setting: selected

Prompt user to select the method: previous password or security questions

If you select this option, users are prompted according to their choice of verification method. This option includes the following suboption:

Use identity verification as in previous versions of Password Manager

Select this option if you upgraded from Password Manager Version 4.0 or 4.1 and you enabled question-based authentication or identity verification questions. Versions 4.0 and 4.1 of the plug-in software do not need access to the service in this case.

Default setting: not selected

Do not prompt users; restore primary data protection automatically over the network

Select this option when implementing the Key Management Service Module to bypass identity verification and automatically unlock user credentials. This method is less secure than the other data protection methods but increases ease of use for your users by retrieving credentials automatically.

Default setting: not selected

Self-Service Features

The options available in this section require installation of the Key Management service module. This module inserts a button on the Windows logon dialog box that is used to allow users to reset their passwords.

Start > All Programs > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Self-Service Features

Allow users to reset their primary domain password

Select this setting to allow users to reset their primary domain password without administrative intervention.

Default setting: not selected

Allow users to unlock their domain account

Select this setting to allow users to unlock their domain account.

Default setting: not selected

Key Management Module

These controls identify the service location and port for the Key Management Module.

Start > All Programs > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Key Management Module

Service location (Key Management Module)

This setting is used to identify the service address and port for the Key Management Module. Use the Validate button to ensure the settings are valid.

Default setting: [blank]

Service port: 443

Provisioning Module

The Provisioning Module allows the credentials associated with users in this user configuration to be imported, modified, and removed. This page requires you to specify the location and service port of the Provisioning Module.

Start > All Programs > Management Consoles > Citrix AppCenter > Single Sign-on > User Configurations > [configuration] > Edit user configuration > Provisioning Module

Use provisioning

Select this setting to use provisioning.

Default setting: not selected

Service location (Provisioning Module)

This setting is used to identify the service address and port for the Provisioning Module. Use the Validate button to ensure the settings are valid.

Default setting: [blank]

Service port: 443