Password Policies

May 11, 2015

This section describes the password policy settings and controls. The navigation paths in this section assume that you are editing an existing password policy. To access the Edit Password Policy dialog box, navigate as follows:

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy

Basic Password Rules

These controls set the rules that govern password length and character repetition.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy > Basic Password Rules

minimum password length

Specifies the minimum number of characters required in the password. Minimum allowed value = 0. Maximum allowed value = 128.

default setting: 8

maximum password length

Specifies the maximum number of characters allowed in the password. Minimum allowed value = 1. Maximum allowed value = 128.

default setting: 20

maximum number of times a character can occur

Specifies the maximum number of times a character can occur in a password. Minimum allowed value = 1. Maximum allowed value = 128.

default setting: 6

maximum number of times the same character can occur sequentially

Specifies the maximum number of times the same character can occur sequentially. Minimum allowed value = 1. Maximum allowed value = 128.

default setting: 4

Alphabetic Character Rules

These controls set the rules that govern alphabetic character use in passwords.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy > Alphabetic Character Rules

allow lowercase characters

Controls whether or not lowercase alphabetic characters can be used in passwords.

default setting: allow lowercase characters

password can begin with a lowercase character

Controls whether or not passwords can begin with a lowercase character.

default setting: allow passwords to begin with a lowercase character

password can end with a lowercase character

Controls whether or not passwords can end with a lowercase character.

default setting: allow passwords to end with a lowercase character

minimum number of lowercase characters required

Specifies the minimum number of lowercase alphabetic characters required in a password. Minimum allowed value = 0. Maximum allowed value = 128.

default setting: 0

allow uppercase characters

Controls whether or not uppercase alphabetic characters can be used in passwords.

default setting: allow uppercase characters

password can begin with an uppercase character

Controls whether or not passwords can begin with an uppercase character.

default setting: allow passwords to begin with an uppercase character

password can end with an uppercase character

Controls whether or not passwords can end with an uppercase character.

default setting: allow passwords to end with an uppercase character

minimum number of uppercase characters required

Specifies the minimum number of uppercase alphabetic characters required in a password. Minimum allowed value = 0. Maximum allowed value = 128.

default setting: 0

Numeric Character Rules

These controls set the rules that govern numeric character (0-9) use in passwords.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy > Numeric Character Rules

allow numeric characters

Controls whether or not numeric characters can be used in passwords.

default setting: allow numeric characters

password can begin with a numeric character

Controls whether or not passwords can begin with a numeric character.

default setting: allow passwords to begin with a numeric character

password can end with a numeric character

Controls whether or not passwords can end with a numeric character.

default setting: allow passwords to end with a numeric character

minimum number of numeric characters required

Specifies the minimum number of numeric characters required in a password. Minimum allowed value = 0. Maximum allowed value = 128.

default setting: 0

maximum number of numeric characters allowed

Specifies the maximum number of numeric characters allowed in a password. Minimum allowed value = 1. Maximum allowed value = 128.

default setting: 20

Special Character Rules

These controls set the rules that govern special (non-alphabetic and non-numeric) character use in passwords.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy > Special Character Rules

allow special characters

Controls whether or not special (non-alphabetic and non-numeric) characters can be used in passwords.

default setting: allow numeric characters

password can begin with a special character

Controls whether or not passwords can begin with a special character.

default setting: allow passwords to begin with a special character

password can end with a special character

Controls whether or not passwords can end with a special character.

default setting: allow passwords to end with a special character

minimum number of special characters required

Specifies the minimum number of special characters required in a password. Minimum allowed value = 0. Maximum allowed value = 128.

default setting: 0

maximum number of special characters allowed

Specifies the maximum number of special characters allowed in a password. Minimum allowed value = 0. Maximum allowed value = 128.

default setting: 20

allowed special characters list

Specifies the special characters allowed in a password.

default setting: !@#$^&*()_-+=[]\|,?
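The Basic, Alphabetic, Numeric and Special Character Rules above can be modelled as one compliance check. The following is an added example, not Citrix code: the names ClassRule, Policy and violations are illustrative, the field defaults are the defaults documented on this page, and it assumes ASCII character sets and case-sensitive occurrence counting, which the page does not specify.

```python
from collections import Counter
from dataclasses import dataclass, field
from itertools import groupby
import string

@dataclass
class ClassRule:
    chars: str
    allowed: bool = True     # "allow ... characters"
    can_begin: bool = True   # "password can begin with ..."
    can_end: bool = True     # "password can end with ..."
    min_count: int = 0
    max_count: int = 128

@dataclass
class Policy:
    min_length: int = 8        # all defaults here are the page's documented defaults
    max_length: int = 20
    max_occurrences: int = 6   # same character anywhere in the password
    max_sequential: int = 4    # same character in one unbroken run
    classes: dict = field(default_factory=lambda: {
        "lowercase": ClassRule(string.ascii_lowercase),
        "uppercase": ClassRule(string.ascii_uppercase),
        "numeric": ClassRule(string.digits, max_count=20),
        "special": ClassRule("!@#$^&*()_-+=[]\\|,?", max_count=20),
    })

def violations(pw: str, policy: Policy) -> list:
    """Return the rules a candidate breaks; an empty list means compliant."""
    out = []
    if not policy.min_length <= len(pw) <= policy.max_length:
        out.append("length")
    # Assumption: occurrence counting is case-sensitive ('a' and 'A' differ).
    if pw and max(Counter(pw).values()) > policy.max_occurrences:
        out.append("max occurrences")
    if any(len(list(run)) > policy.max_sequential for _, run in groupby(pw)):
        out.append("max sequential")
    alphabet = "".join(r.chars for r in policy.classes.values() if r.allowed)
    if any(c not in alphabet for c in pw):
        out.append("character not allowed")
    for name, rule in policy.classes.items():
        n = sum(c in rule.chars for c in pw)
        if not rule.min_count <= n <= rule.max_count:
            out.append(f"{name} count")
        bad_start = pw[:1] in rule.chars and not rule.can_begin
        bad_end = pw[-1:] in rule.chars and not rule.can_end
        if pw and (bad_start or bad_end):
            out.append(f"{name} at start or end")
    return out
```

The "max occurrences" and "max sequential" checks are independent: a password that alternates two characters never trips the sequential limit but can still exceed the occurrence limit.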

Exclusion Rules

These controls specify the characters and character strings that are not allowed in passwords.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy > Exclusion Rules

exclude the following list of characters or character groups from passwords

Select the Edit List option to open the Edit Exclusion List dialog box that is used to specify up to 256 individual characters or groups of characters that are not allowed in passwords. Enter one character or group of characters per line. Each group can contain up to 32 characters. Individual characters or groups of characters are not case-sensitive.

default setting: [blank]

do not allow application user name in password

Controls whether or not the application user name is allowed in the password. Select this check box if the application user name is allowed in the password.

default setting: not selected

do not allow portions of application user name in password

Controls whether or not portions of the application user name are allowed in a password. This includes all possible character groups that can be taken from the user name. This setting is closely coupled to the Number of characters in portions setting. For example, when this setting is selected and the Number of characters in portions setting is set to four, a password that includes character groups of “citr,” “itri,” or “trix” would not be allowed for a user with a user name of “citrix.”

default setting: not selected

do not allow Windows user name in password

Controls whether or not the Windows user name is allowed in the password. If not selected, the Windows user name is allowed in the password. This setting is closely coupled to the Number of characters in portions setting. For example, when this setting is selected and the Number of characters in portions setting is set to four, a password that includes character groups of “citr,” “itri,” or “trix” would not be allowed for a user with a Windows user name of “citrix.”

default setting: not selected
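The exclusion rules above, including the "portions" behavior from the "citrix" example, can be expressed as a sliding window over the user name. The following is an added example, not Citrix code: the function and parameter names are illustrative, and it assumes that user name matching is case-insensitive like the exclusion list, which the page states only for the list.

```python
def portions(user_name: str, size: int) -> list:
    """Every contiguous group of `size` characters in the user name, in order."""
    if size < 1:
        raise ValueError("portion size must be at least 1")
    name = user_name.lower()
    # A name shorter than `size` yields no portions (empty range).
    return [name[i:i + size] for i in range(len(name) - size + 1)]

def validate_exclusion_list(entries: list) -> list:
    """Apply the documented limits: up to 256 entries of up to 32 characters."""
    entries = [e for e in entries if e]  # ignore blank lines
    if len(entries) > 256:
        raise ValueError("exclusion list holds at most 256 entries")
    too_long = [e for e in entries if len(e) > 32]
    if too_long:
        raise ValueError(f"entries longer than 32 characters: {too_long}")
    return [e.lower() for e in entries]  # entries are not case-sensitive

def exclusion_hits(password, user_name, portion_size, exclusion_list=(),
                   block_full_name=True, block_portions=True) -> list:
    """Return every forbidden string found in the password (empty = compliant)."""
    pw = password.lower()  # assumption: user name matching ignores case
    forbidden = validate_exclusion_list(list(exclusion_list))
    if block_full_name and user_name:
        forbidden.append(user_name.lower())
    if block_portions:
        forbidden.extend(portions(user_name, portion_size))
    seen, hits = set(), []
    for item in forbidden:
        if item in pw and item not in seen:
            seen.add(item)
            hits.append(item)
    return hits
```

A small portion size rejects far more passwords than a large one, because every short fragment of the user name becomes a forbidden substring.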

Password History and Expiration

These controls specify whether or not a new password can be a repeat of a previous password, and the password expiration setting.

Password history is retained on a per-user basis. If you reset the user data for a user, the password history is removed and password history cannot be enforced for the deleted passwords.

The password expiration option only notifies users that a password will expire or has expired. Users can still use expired credentials, but are shown password change reminders or password change requests until the password is changed in the Manage Passwords window (formerly known as Logon Manager).

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy > Password History and Expiration

new password must not be the same as previous password

Controls whether or not the new password can be the same as a previous password. Previous passwords are kept in a password history.

default setting: new password can be the same as previous password (check box not selected)

number of previous passwords remembered

Specifies the number of previous passwords that are kept in the password history. Minimum allowed value is 1. Maximum allowed value is 24.

default setting: 1

use the password expiration settings associated with the application definitions

When selected, the settings (Number of days until password expires and Number of days to warn user before password expires) specified here are applied to application definitions associated with this policy. Single Sign-on policy operates independently of any existing password expiration policy built into the application.

default setting: password expiration not specified (check box not selected)

number of days until password expires

Specifies the maximum number of days that a password can remain unchanged. Minimum allowed value is 1. Maximum allowed value is 99999.

default setting: 42

number of days to warn user before password expires

Specifies the number of days before a password expires that a user starts to receive pending password expiration warnings. Minimum allowed value is 0. Maximum allowed value is 99998.

default setting: 14

Test Password Policy

These controls are used to test a manually generated password to verify compliance with the defined policy, automatically generate a compliant password, and verify that the defined constraints do not restrict the ability to generate enough passwords for your organization.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy > Test Password Policy

test the compliance of a manually created password

This field is used to test the compliance of a manually created password. Enter the manually created password and click Test. The entered password is tested against all the defined criteria.

default setting: none

generate a random policy-compliant password

This control is used to generate a password that complies with the currently defined password criteria. Click Generate to generate a compliant password that can be copied from the field (Ctrl-C).

default setting: none

generate and test a number of unique policy-compliant passwords

It is possible to define a set of password constraints that support a limited number of total password possibilities. This control is used to generate a user-defined number of compliant passwords to determine if the defined policy is flexible enough to meet the password needs of the organization. Click Generate multiple passwords to open a dialog box that allows you to generate a user-defined number of passwords.

default setting: none
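The point that a set of constraints can support only a limited number of passwords can also be checked by counting. The following is an added example, not Citrix code: policy_space and bits are illustrative names, and the count covers only the length and per-class minimum and maximum settings. It ignores the begin/end, repetition and exclusion rules, which can only remove candidates, so the result is an upper bound.

```python
from itertools import product
from math import factorial, log2

def policy_space(min_len: int, max_len: int, classes: list) -> int:
    """Count strings allowed by the length and per-class count limits.

    classes: list of (alphabet_size, min_count, max_count), one per class.
    """
    *head, (last_size, last_min, last_max) = classes
    total = 0
    for n in range(min_len, max_len + 1):
        ranges = [range(lo, min(hi, n) + 1) for _, lo, hi in head]
        for counts in product(*ranges):
            last = n - sum(counts)  # the final class fills the remaining positions
            if not last_min <= last <= last_max:
                continue
            # Multinomial coefficient (which positions each class occupies)
            # times the number of character choices for each position.
            ways = factorial(n) // factorial(last) * last_size ** last
            for (size, _, _), k in zip(head, counts):
                ways = ways // factorial(k) * size ** k
            total += ways
    return total

def bits(count: int) -> float:
    """Size of the space expressed in bits (log2 of the count)."""
    return log2(count) if count else 0.0

# Alphabet sizes: 26 lowercase, 26 uppercase, 10 digits, and the 19 characters
# in the default allowed special characters list; limits are the page defaults.
DEFAULT_CLASSES = [(26, 0, 128), (26, 0, 128), (10, 0, 20), (19, 0, 20)]

if __name__ == "__main__":
    default = policy_space(8, 20, DEFAULT_CLASSES)
    # Constructed over-restrictive policy: exactly 8 characters, at least
    # 7 digits and at least 1 uppercase letter, nothing else permitted.
    strict = policy_space(8, 8, [(26, 1, 8), (10, 7, 8)])
    print(f"default: {bits(default):.1f} bits, strict: {bits(strict):.1f} bits")
```

Comparing the bit counts before and after a policy change shows whether added "minimum required" settings have narrowed the space more than intended.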

Logon Preferences

These controls are used to define if the Reveal option is available for application definitions that use this policy, mandate that the user reauthenticate before submitting application credentials, set the number of logon retries, and set the amount of time the user has to successfully authenticate after a failed authentication attempt.

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy > Logon Preferences

allow user to reveal password for applications

This control is used to determine whether or not the Reveal button in the Manage Passwords window (formerly known as Logon Manager) is available for applications managed by this policy. When users select the Reveal button in the Manage Passwords window, they can see their password in clear text. If this setting is not selected, users cannot reveal their passwords.

default setting: Reveal button not displayed (check box not selected)

force user to re-authenticate before submitting application credentials

This control is used to determine if users must enter their primary logon credentials before the plug-in submits credentials to the application. When this setting is selected, the Single Sign-on Plug-in immediately locks the workstation when it recognizes an application that is managed by this setting. Users must enter their primary credentials to unlock the workstation. When the workstation is unlocked with the proper credentials, the plug-in submits the user credentials to the application. This setting is useful for applications that access confidential or sensitive information because it forces users to verify their identities before the plug-in submits the credentials to the application.

default setting: User not forced to reauthenticate (check box not selected)

number of logon retries

This control is used to set the number of additional times the plug-in can submit user credentials to the same application within the specified time limit. When set to the minimum value of 0, users get an error message immediately upon a second attempt to submit credentials to the application.

default setting: 0

time limit for number of retries

This control is used to specify the amount of time (in seconds) the user is allowed to submit user credentials to the same application after the initial credential submission failed.

default setting: 30 seconds

Password Change Wizard

This control is used to determine how the Password Change Wizard responds to Password Change Forms. One of four possible options must be configured:

  • Allow users to choose a system-generated password or create their own password
  • Only allow users to create their own password
  • Only allow users to choose a system-generated password
  • Generate a password and submit it to the application without displaying the Password Change Wizard

Start > All Programs > Citrix > Management Consoles > Citrix AppCenter > Single Sign-on > Password Policies > [policy] > Edit password policy > Password Change Wizard

allow users to choose a system-generated password or create their own password

Select this option to have the Password Change Wizard allow users to choose a system-generated password or create their own.

default setting: selected

only allow users to create their own password

Select this option to have the Password Change Wizard not allow users to choose a system-generated password, and require users to enter their own password.

default setting: not selected

only allow users to choose a system-generated password

Select this option to have the Password Change Wizard automatically use a system-generated password without allowing users to create their own password.

default setting: not selected

generate a password and submit it to the application without displaying the Password Change Wizard

Select this option to have the Single Sign-on Plug-in automatically submit a system-generated password without displaying the Password Change Wizard to the user. The user can see the fields on the password change screen being filled in and the resulting feedback from the application indicating whether or not the password was changed successfully.

default setting: not selected