Product Documentation

Setting Security and Accounts Before Installing Single Sign-on

Mar 24, 2011

Before you install the Single Sign-on Service, ensure that the appropriate accounts and components are available to support the service. Because the service communicates over secure HTTP (HTTPS), it also requires a server authentication certificate for Secure Sockets Layer (SSL) communication with the console and plug-in.

Obtaining and Installing a Server Authentication Certificate

Obtain a server authentication certificate for SSL communication from a certificate authority (CA) or, if you have an existing public key infrastructure (PKI), issue one from your own CA and install it on the server running the service.

An SSL certificate is necessary to protect communication from the service to the console and plug-in, and to let the plug-in and console verify that they are communicating with the correct service server rather than an impostor.
  • Because this certificate is used for SSL communication, the certificate common name must match the service server’s fully qualified domain name (FQDN), exactly as the console and plug-in address the server. Specify a minimum key size of 1024 bits. (1024 bits is the smallest key the product accepts; 2048-bit RSA keys are the current minimum, and most CAs no longer sign anything shorter.)
  • Install the certificate in the local computer certificate store (not the current user’s store) and establish the appropriate trust relationships for the Single Sign-on component of the Citrix AppCenter and the plug-in.
  • Install this certificate on the computers running the Single Sign-on component of the Citrix AppCenter, the Single Sign-on Service, and the plug-in.
  • In a load balancing or clustered service environment, you can use one certificate for multiple service servers if the common name of the SSL certificate contains a wildcard (typically an asterisk). For example, an SSL certificate with a common name of server*.mycompanysname.com can serve servers named server1.mycompanysname.com, server2.mycompanysname.com, and server3.mycompanysname.com, provided the SSL implementation on the console and plug-in computers accepts a wildcard inside a name label. A certificate with a common name of *.mycompanysname.com, where the common name does not exactly match any one server FQDN, also covers these servers and is the form that every SSL implementation accepts. Note that a shared certificate’s private key must then be present on every server it covers, so protect each copy accordingly.
Important: If you obtain your certificate from an authority that is not trusted by default (such as a certificate authority installed in your company), install the root authority certificate in the trusted root certificate store of the local computer, on the service server and on every console and plug-in computer that connects to it, to establish the trust relationship.

If users experience SSL failures, the most likely cause is that the client does not trust the server certificate (the issuing CA’s root is missing from the client’s trusted root store); the next most likely is that the name in the certificate does not match the FQDN the client uses to reach the service. Refer to the Microsoft Web site for instructions about extracting and deploying CA root certificates.

The signing and validation certificates created during Single Sign-on installation are separate from the SSL certificate and do not replace it.
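The following script is an added example and is not part of the Citrix documentation or product. It checks every certificate with a private key in the local computer Personal store against the requirements listed above (name matches the service FQDN, key size, Server Authentication usage, trusted chain, not expired) before the service is installed. It assumes the certificate has already been imported into Cert:\LocalMachine\My, that the key is RSA, and that the server’s own DNS name is the FQDN the console and plug-in will use; the $MinKeyBits default of 2048 is the current practice rather than the 1024-bit product minimum.

```powershell
# Added example, not from the Citrix documentation: pre-flight check of the
# server authentication certificate on the computer that will run the
# Single Sign-on Service. Assumptions: the certificate (with private key) is
# already in Cert:\LocalMachine\My, the key is RSA, and $ServiceFqdn is the
# FQDN the console and plug-in will connect to.
param(
    [string]$ServiceFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$MinKeyBits = 2048   # the page allows 1024; 2048 is the current minimum
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication

function Test-CertNameMatch {
    # Exact match, or a wildcard as the whole leftmost label ("*.example.com").
    # A wildcard inside a label (the server*.example.com form) is reported as a
    # mismatch here so that you confirm it manually against your client stack.
    param([string]$CertName, [string]$Fqdn)
    if ($CertName -ieq $Fqdn) { return $true }
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)          # ".example.com"
        $dot = $Fqdn.IndexOf('.')
        return ($dot -gt 0) -and ($Fqdn.Substring($dot) -ieq $suffix)
    }
    return $false
}

$results = foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })) {
    # DnsName prefers a Subject Alternative Name entry and falls back to the CN.
    $name = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid }))
    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Name         = $name
        NameMatches  = Test-CertNameMatch -CertName $name -Fqdn $ServiceFqdn
        KeyBits      = $cert.PublicKey.Key.KeySize
        KeyOk        = $cert.PublicKey.Key.KeySize -ge $MinKeyBits
        ServerAuth   = $serverAuth
        ChainTrusted = $cert.Verify()    # chain must end at a CA in LocalMachine\Root; also checks revocation online
        Expired      = $cert.NotAfter -lt (Get-Date)
    }
}

$results | Format-Table -AutoSize

$usable = @($results | Where-Object {
    $_.NameMatches -and $_.KeyOk -and $_.ServerAuth -and $_.ChainTrusted -and -not $_.Expired })
if ($usable.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My satisfies the requirements for $ServiceFqdn. A false ChainTrusted usually means the issuing CA's root is not in LocalMachine\Root."
}
```

Run it elevated on the service server; a row whose ChainTrusted column is False on the server will fail the same way on every console and plug-in computer that lacks the CA root, which is the failure the Important note above describes.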

Accounts Required for Service Modules

The Single Sign-on Service can require up to three system account types to read and write data as it operates in your environment. The number and type of accounts required depend on the service modules you use. The table shows the accounts required by each module of the service. In cases where different modules require the same type of account, you can use the same account for multiple modules or you can specify different customized accounts for each module.

Accounts required, by module:

Module                      Service account   Data proxy account   Self-service account
Data Integrity              Yes               No                   No
Key Management              Yes               Yes                  No
Provisioning                Yes               Yes                  No
Self-Service                Yes               Yes                  Yes
Credential Synchronization  Yes               No                   No

Service Account Requirements

On the server running the Single Sign-on Service, use the built-in Network Service or Local Service account, or a domain user account created for the purpose.

You cannot specify a local user account as the service account in this version of Single Sign-on. You can specify the built-in Local Service account.

If you create a domain account as the service account, you must register a service principal name (SPN) for this domain account and the service computer in Active Directory by using the setspn.exe utility. The domain user account must also be granted the "Log on as a service" right on the service computer, and the computer running the service must be trusted for delegation.

See the Microsoft Web site for more information about service principal names.
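The following script is an added example and is not part of the Citrix documentation or product. It carries out the three steps above for a domain service account: registering the SPN with setspn.exe, granting the "Log on as a service" right through the local security policy, and checking that the service computer is trusted for delegation. The domain CORP, the account svc-sso, the server sso01.corp.example and the SPN service class HTTP (chosen because the service listens over HTTPS) are all assumptions; confirm the service class your deployment expects.

```powershell
# Added example, not from the Citrix documentation: prepare a domain service
# account for the Single Sign-on Service. Assumptions: the account is CORP\svc-sso,
# the service server is sso01 (sso01.corp.example), and the SPN service class is
# HTTP because the service listens over HTTPS; confirm the class your deployment
# expects. Run elevated, as a domain administrator, on the service server.
$Domain  = 'CORP'
$Account = 'svc-sso'
$Server  = 'sso01'
$Fqdn    = 'sso01.corp.example'
$Sam     = "$Domain\$Account"

# 1. Register SPNs for both the short name and the FQDN. setspn -S checks the
#    forest for a duplicate first; a duplicate SPN silently breaks Kerberos for
#    both accounts, so do not use -A here.
setspn -S "HTTP/$Fqdn"   $Sam
setspn -S "HTTP/$Server" $Sam
setspn -L $Sam            # list what is now registered on the account

# 2. "Log on as a service" right, granted through the local security policy.
#    secedit is present on every supported Windows version; its exported .inf
#    lists right holders as *SID, so resolve the account to its SID first.
$sid  = (New-Object System.Security.Principal.NTAccount($Sam)).Translate([System.Security.Principal.SecurityIdentifier]).Value
$work = Join-Path $env:TEMP 'sso-rights'
New-Item -ItemType Directory -Force -Path $work | Out-Null
secedit /export /cfg "$work\current.inf" /areas USER_RIGHTS | Out-Null
$line = Get-Content "$work\current.inf" | Where-Object { $_ -match '^SeServiceLogonRight' }
if ("$line" -notmatch [regex]::Escape($sid)) {
    # Keep the existing holders and append ours; secedit replaces the whole list.
    $holders = if ($line) { ($line -split '=', 2)[1].Trim() + ",*$sid" } else { "*$sid" }
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeServiceLogonRight = $holders
"@ | Set-Content "$work\grant.inf"
    secedit /configure /db "$work\grant.sdb" /cfg "$work\grant.inf" /areas USER_RIGHTS | Out-Null
}

# 3. The service computer must be trusted for delegation. Check the AD computer
#    object (ActiveDirectory module from RSAT). When you enable it, prefer
#    constrained delegation to the specific SPNs over unconstrained delegation,
#    which lets the computer impersonate users to any service.
Import-Module ActiveDirectory
$comp = Get-ADComputer -Identity $Server -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if (-not ($comp.TrustedForDelegation -or $comp.'msDS-AllowedToDelegateTo')) {
    Write-Warning "$Server is not trusted for delegation; enable it on the computer object's Delegation tab."
}
```

Step 2 modifies the local security database, so the right survives reboots but not a Group Policy that later overrides User Rights Assignment; if such a policy exists, add the account there instead.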

Data Proxy Account Requirements

On the server running the Single Sign-on Service, create a domain account with the following settings, to be used for data proxy communication with the service. The account must be a domain administrator only when the central store is Active Directory; for an NTFS network share, an ordinary domain account with the permissions listed below is sufficient.

The account requires read and write access to the central store. The account requirements depend on the central store type you are implementing.

Central Store Type    Account Description
NTFS Network Share    The account:
                        • Requires read and write access to the central store.
                        • Is a member of the domain.
                      After you create the central store:
                        • Grant the account Full Control sharing permissions to the CITRIXSYNC$ share.
                        • Grant the account Full Control permissions to the CITRIXSYNC folder and its subfolders, CentralStoreRoot and People.
                        • Grant the account Full Control permissions to all file objects within the CITRIXSYNC folder and its subfolders.
                        • Ensure that the Authenticated Users group has the right to create folders inside the People folder.
Active Directory      The account:
                        • Requires read and write access to the central store.
                        • Is a member of the Domain Admins group.
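The following script is an added example and is not part of the Citrix documentation or product. It creates the NTFS central store share and applies exactly the permissions from the table for the NTFS Network Share case, granting Authenticated Users only what they need to create a folder under People rather than Full Control. The store root D:\CITRIXSYNC, the account CORP\svc-sso-proxy, and the placement of CentralStoreRoot and People directly under the root are assumptions.

```powershell
# Added example, not from the Citrix documentation: create the NTFS central
# store share and apply the permissions from the table. Assumptions: the store
# root is D:\CITRIXSYNC on the file server, the data proxy account is
# CORP\svc-sso-proxy, and the subfolders CentralStoreRoot and People sit
# directly under that root. Run elevated on the file server.
$Root    = 'D:\CITRIXSYNC'
$Share   = 'CITRIXSYNC$'         # hidden share, as named in the documentation
$Account = 'CORP\svc-sso-proxy'

foreach ($dir in $Root, "$Root\CentralStoreRoot", "$Root\People") {
    New-Item -ItemType Directory -Force -Path $dir | Out-Null
}

# Share permissions: Full Control for the proxy account. /GRANT replaces the
# default "Everyone: Read" share ACE that net share would otherwise add.
if (-not (Get-WmiObject Win32_Share -Filter ("Name='{0}'" -f $Share))) {
    net share "$Share=$Root" "/GRANT:$Account,FULL" | Out-Null
}

# NTFS permissions: Full Control for the proxy account on the root, both
# subfolders and every file. (OI)(CI) inherits the ACE to new files and
# folders; /T applies it to everything that already exists.
icacls $Root /grant "${Account}:(OI)(CI)F" /T | Out-Null

# Authenticated Users need only to create a folder under People (the plug-in
# creates one per user): list folder (RD), add subdirectory (AD), traverse (X).
# Full Control here would let any domain user read or alter other users' data.
icacls "$Root\People" /grant "Authenticated Users:(RD,AD,X)" | Out-Null

# Verify the result; compare this output against the table.
net share $Share
icacls $Root
icacls "$Root\People"
```

If the drive root carries inherited ACEs for BUILTIN\Users, they are inherited by CITRIXSYNC as well; review the icacls output and remove entries the table does not call for.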

Self-Service Requirements

If you are using the Self-Service Password Reset or Self-Service Account Unlock features of the Account Self-Service Module, use an account that is a member of the Domain Admins group.

Accounts Required to Install and Use Single Sign-on

The user installing the Single Sign-on Service and running the Service Configuration wizard must be a member of the domain (a domain user) and a member of the local Administrators group on the service computer (add the domain user account to the local Administrators group).

The user installing the Single Sign-on console component, performing a discovery and configuration operation, and using the console component must be a domain administrator and a member of the local Administrators group on the console computer. This user account must have read and write access to the central store. A non-administrator user account can be assigned the right to manage the console component and its related functions through Active Directory delegation or constrained delegation.

The user installing the Single Sign-on Plug-in must be a member of the domain (a domain user) and a member of the local Administrators group on the user device. The user running the plug-in needs only to be a member of the domain (a domain user).