Installing and Configuring the Service Modules

Jul 29, 2016
The installation and configuration workflow is:
  1. Acquire and install the SSL certificate on the computers running the Single Sign-on service, console, and plug-in.
  2. Create the account type required by the service modules you will install.
  3. Install the service modules.
  4. Configure the service modules.

The following procedures assume that the installation media is loaded on the computer that you chose to host the Single Sign-on Service modules and that the XenApp autorun screen appears.

To install the service modules

  1. Load the XenApp media.
  2. From the Autorun menu, select Manually install components > Server Components > Additional Features > Single Sign-on > Single Sign-on Service.
  3. Follow the instructions.

To configure the service modules

The Service Configuration wizard starts when the service module installation completes. You can start the wizard later by selecting Start > All Programs > Citrix > Password Manager > Service Configuration.

Follow the directions.
  • On the Configuration service page:

    Connection Setting

    Specify the port number for the service connection; the default is 443. You can use any other available port on the server running the service.

    If you install one or more service modules later, use the port number that you specified when you first installed the service.

    The service listens on a single port only. If you specify a different port for a module installed later, Single Sign-on might later display error messages of the form “cannot communicate or connect with the Single Sign-on service”.

    Specify the correct service port number when using the Data Integrity Signing Tool at the command prompt.

    SSL Certificate

    Select the SSL certificate installed on the service computer to use for communication with client devices.

    Select the Display Long Name check box to show the LDAP information contained in the certificate.

    Virtual host name

    Use default value is selected by default when the SSL certificate name and the virtual host name match. The virtual host name must match the name in the SSL certificate.

    The virtual host name is the host name that users see, as it was recorded when the certificate was created, and it might not be the actual machine name. For example, the certificate name might contain a wildcard (asterisk), or the domain name in the certificate might differ from the machine's domain name only in upper or lower case.

    This setting is useful in a load-balanced or clustered service environment, where the name users connect to is not the name of any single service computer.

    Account Credentials

    Select the local computer account to use for the service. Typically, you can select the Network Service account.

  • On the Configure domains page:
    1. Select the check box next to each domain to which you want to enable service support.
    2. Select one or more domains and click Properties to open the Edit Configuration dialog box.
    3. If you created an Active Directory central store, select Domain Controller and select the correct domain controller from the list.
    4. Select Data Proxy Account and type the user name, password, and domain of the data proxy account used to communicate with the central store.
    5. If you installed the Self Service module, select Self-Service Features Account and type the credentials for this feature. Select OK to close the Edit Configuration dialog box.
      Important: If the service is running in a Windows Server 2008 or Windows Server 2008 R2 environment with an NTFS central store, you must use CtxFileSyncPrep.exe to add the data proxy account as an administrator to the central store. Type:

      CtxFileSyncPrep [/Admin:accountname]

      If the service is running in a Windows Server 2008 or Windows Server 2008 R2 environment with an Active Directory central store, you also must add the data proxy account as an administrator to the central store.
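As an added example (not part of the Citrix documentation), the following PowerShell pre-flight check covers the SSL Certificate, Virtual host name and Connection Setting items described above for the Configuration service page. It lists the certificates in the Local Machine Personal store whose Subject CN or DNS SAN covers the intended virtual host name (case-insensitively, honouring a leading wildcard), that have a private key, are within their validity period and carry the Server Authentication EKU, and it reports any process already listening on the intended service port. The host name sso.example.com is a placeholder; Get-NetTCPConnection requires Windows Server 2012 or later.

```powershell
# Added example, not Citrix code. Placeholders: sso.example.com and port 443 (the documented default).
param(
    [string]$VirtualHostName = 'sso.example.com',
    [int]$ServicePort = 443
)

function Test-CertificateCoversName {
    # True if $Name matches the certificate's Subject CN or any DNS SAN entry.
    # Matching is case-insensitive; a leading "*." matches exactly one label,
    # so *.example.com covers sso.example.com but not a.sso.example.com.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Name
    )
    $names  = @($Cert.GetNameInfo('DnsName', $false))            # Subject CN (or first SAN)
    $names += @($Cert.DnsNameList | ForEach-Object { $_.Unicode }) # all DNS SAN entries
    foreach ($pattern in ($names | Where-Object { $_ })) {
        if ($pattern -ieq $Name) { return $true }
        if ($pattern.StartsWith('*.')) {
            $nameLabels = $Name.Split('.')
            $patLabels  = $pattern.Split('.')
            if ($nameLabels.Count -eq $patLabels.Count -and
                $Name.EndsWith($pattern.Substring(1), [System.StringComparison]::OrdinalIgnoreCase)) {
                return $true
            }
        }
    }
    return $false
}

$serverAuthEku = '1.3.6.1.5.5.7.3.1'
$now = Get-Date

# A certificate with no EKU extension is valid for any purpose, so only reject
# certificates that list EKUs but omit Server Authentication.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter -gt $now -and
    ((-not $_.EnhancedKeyUsageList) -or ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku)) -and
    (Test-CertificateCoversName -Cert $_ -Name $VirtualHostName)
}

if (-not $candidates) {
    Write-Warning "No usable certificate in Cert:\LocalMachine\My covers '$VirtualHostName'; the virtual host name entered in the wizard must match the certificate name."
} else {
    $candidates |
        Select-Object Thumbprint, Subject, NotAfter, @{ Name = 'DnsNames'; Expression = { ($_.DnsNameList.Unicode) -join ', ' } } |
        Format-Table -AutoSize
}

# The service binds to a single port; another listener already on that port
# is one cause of the "cannot communicate or connect with the Single Sign-on service" errors.
Get-NetTCPConnection -LocalPort $ServicePort -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $owner = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Warning ("Port {0} is already bound by PID {1} ({2})" -f $ServicePort, $_.OwningProcess, $owner.ProcessName)
    }
```

Run the script on the service computer before starting the Service Configuration wizard, passing the same virtual host name and port you intend to enter; a certificate that appears in the output is one the wizard can use without a name mismatch.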

Configuring the Service for Multidomain Use

Single Sign-on Service can process service requests among users in different trusted domains. An administrator can install the Citrix AppCenter with the Single Sign-on console component on computers in different domains and create one or more user configurations in each domain.

For example, with the Single Sign-on Service computer located in DomainA, users associated with a user configuration in DomainA can use the Account Self-Service features to unlock their accounts. Users associated with a user configuration in DomainB can also use this feature, as provided by the DomainA service computer. In this case, multiple user configurations exist in multiple domains and are using a single service computer for this feature.

Multi-Domain Service Feature Requirements

Before you implement the multi-domain service feature, ensure that you meet the following requirements:

Domains

    Each domain sharing the service must be part of the same domain forest.

    The domains within the forest must have a two-way transitive trust agreement.

Central store

    This feature is available for implementations using Active Directory or NTFS network share central stores.

    All users sharing the same service computer must be implemented using the same central store type: Active Directory or NTFS shared folder. Multiple central store types are not supported.

    One NTFS shared folder central store per domain is not supported in this case. However, you can use one NTFS shared folder central store per forest.

Data Integrity feature

    The Data Integrity feature must be used consistently across domains. That is, it is either enabled or disabled in the service and Single Sign-on Plug-in configurations for all domains. For example, you cannot enable this feature in the service configuration and disable it when installing the plug-in.

Single Sign-on console component of the Citrix AppCenter

    Each console can view one central store only, not multiple central stores.

    The Single Sign-on administrator should install one console in each domain and install it by using a user account with administrative rights in that domain.

    Alternatively, the administrator can install a console with the ability to access other domains and, as needed, switch to one of those domains by logging on with credentials for that specific domain.

Data Proxy and Self Service accounts

    You can configure one data proxy account and one self service account that have read and write access to the central store and sufficient privileges to reset user passwords and unlock user accounts.

    Optionally, you can specify these accounts for each domain in the Service Configuration tool.
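As an added example (not Citrix code), the following PowerShell function checks the Domains requirement above before you enable additional domains in the Service Configuration tool: it confirms that each domain to be served belongs to the forest of the service computer's domain (every trust inside a forest is two-way and transitive) and, where a direct trust object exists between the two domains, reports its direction and transitivity. It assumes the ActiveDirectory module from RSAT is installed; the domain names in the usage line are placeholders.

```powershell
# Added example, not Citrix code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Test-SharedServiceDomains {
    # Returns one object per client domain stating whether its user configurations
    # may share the Single Sign-on Service computer located in $ServiceDomain.
    param(
        [Parameter(Mandatory)][string]$ServiceDomain,    # domain of the service computer (placeholder values below)
        [Parameter(Mandatory)][string[]]$ClientDomains   # domains whose users will use that service computer
    )
    $forestName    = (Get-ADDomain -Identity $ServiceDomain).Forest
    $forestDomains = (Get-ADForest -Identity $forestName).Domains

    foreach ($domain in $ClientDomains) {
        # PowerShell string comparison is case-insensitive, so DomainB.example.com matches domainb.example.com.
        $sameForest = $forestDomains -contains $domain

        # A direct trust object exists only between adjacent domains (parent/child, tree root).
        # Other domain pairs in the same forest are trusted transitively through the forest,
        # so a missing direct object is not a failure when $sameForest is true.
        $trust = Get-ADTrust -Server $ServiceDomain -Filter "Target -eq '$domain'" -ErrorAction SilentlyContinue

        $twoWayTransitive = if ($trust) {
            ($trust.Direction -eq 'BiDirectional') -and (-not $trust.DisallowTransivity)
        } else {
            $sameForest
        }

        [pscustomobject]@{
            Domain           = $domain
            SameForest       = $sameForest
            DirectTrust      = [bool]$trust
            TrustDirection   = if ($trust) { $trust.Direction.ToString() } else { 'n/a (transitive via forest)' }
            TwoWayTransitive = [bool]$twoWayTransitive
            CanShareService  = $sameForest -and [bool]$twoWayTransitive
        }
    }
}

# Usage with placeholder domain names:
# Test-SharedServiceDomains -ServiceDomain 'domaina.example.com' -ClientDomains 'domainb.example.com', 'domainc.example.com' |
#     Format-Table -AutoSize
```

Any domain reported with CanShareService set to False must not be selected on the Configure domains page for this service computer; either install a separate service computer in that forest or establish the forest membership and trust first.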

To configure the service for multidomain use

  1. Log on as an administrator to the computer where the service is installed.
  2. Start the Service Configuration tool by clicking Start > All Programs > Citrix > Password Manager > Service Configuration.
  3. When the Service Configuration tool appears, click Domain Configurations in the left pane.
  4. Select the check box next to each domain to enable service support on that domain.
  5. Select one or more domains and click Properties to open the Edit Configuration dialog box.
  6. In the Edit Configuration dialog box:
    1. If you created an Active Directory central store, click Domain Controllers and, from the list, select the domain controller you want Single Sign-on to bind to when writing to the central store or select Any writeable domain controller.
    2. Click Data Proxy Account and type the user name, password, and domain of the data proxy account used to communicate with the central store.
    3. If you installed the Self Service module, click Self-Service Features Account and type the credentials for this feature.