- Setting Security and Accounts Before Installing Single Sign-on
- Installing the Java Runtime Environment
- Creating a central store
- Installing the Console Component
- Installing and Configuring the Service Modules
- Installing the Single Sign-on Plug-in
The following procedures assume that the installation media is loaded on the computer that you chose to host the Single Sign-on Service modules and that the XenApp autorun screen appears.
The Service Configuration wizard starts when the service module installation completes. You can start the wizard later by selecting.
Specify the port number for the service connection; the default is 443. You can use any other available port on the server running the service.
If you install one or more service modules later, use the port number that you specified when you first installed the service.
The service listens on a single port; if you specify the wrong port, Single Sign-on might later display error messages such as “cannot communicate or connect with the Single Sign-on service.”
Specify the correct service port number when using the Data Integrity Signing Tool at the command prompt.
Select the SSL certificate installed on the service computer to use for communication with client devices.
Select the Display Long Name check box to show the LDAP information contained in the certificate.
Connection Setting
Virtual host name
Use default value is selected by default when the SSL certificate name and the virtual host name match; the virtual host name must match the name in the SSL certificate.
The virtual host name is the host name that was visible to users when the certificate was created, and it might not be the actual machine name. For example, the certificate name might contain a wildcard (asterisk), or its domain name might use uppercase or lowercase letters that do not match the case of the machine's domain name.
This setting is useful in a load-balanced or clustered service environment.
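A practical way to verify the port and virtual host name settings above before clients report "cannot communicate" errors is to connect to the service from a client machine and compare the presented certificate's names with the virtual host name. The following is an added example and is not Citrix code; it assumes that the service answers TLS on the port chosen in the wizard (443 by default), that clients connect by the virtual host name, and that names are matched case-insensitively with a single leftmost wildcard label covering exactly one label. The `sso.example.com` host and the certificate dictionary used in the offline test are placeholders constructed for illustration.

```python
# Added example, not part of the Citrix documentation or product: a client-side
# check that the certificate presented by the Single Sign-on service covers the
# virtual host name that plug-ins connect to, and that the service port answers.
# Assumptions (mine): the service speaks TLS on the wizard's port (443 by
# default) and clients connect by the virtual host name; name matching is
# case-insensitive and a single leftmost "*" label covers exactly one label.
import socket
import ssl
from typing import Iterable


def names_from_cert(cert: dict) -> list[str]:
    """Return the DNS subjectAltName entries followed by the subject CN,
    in the dictionary layout that ssl.SSLSocket.getpeercert() produces."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def name_matches(cert_name: str, host: str) -> bool:
    """Case-insensitive comparison; '*' is accepted only as the whole leftmost
    label and matches exactly one label, so *.example.com covers
    sso.example.com but neither example.com nor a.b.example.com."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == host
    first, _, rest = cert_name.partition(".")
    if first != "*":
        return False  # partial-label wildcards such as sso*.example.com are rejected
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest


def virtual_host_ok(cert_names: Iterable[str], virtual_host: str) -> bool:
    """True if any name in the certificate covers the virtual host name."""
    return any(name_matches(name, virtual_host) for name in cert_names)


def check_service(virtual_host: str, port: int = 443) -> tuple[bool, str]:
    """Connect to virtual_host:port over TLS and report whether the presented
    certificate covers the virtual host name. Needs network access; a refused
    connection is the symptom described when the wrong port is configured."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name check is done by virtual_host_ok with a clearer message
    try:
        with socket.create_connection((virtual_host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=virtual_host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate on {virtual_host}:{port} is not trusted by this client: {exc.verify_message}"
    except OSError as exc:
        return False, f"cannot connect to {virtual_host}:{port}: {exc}"
    names = names_from_cert(cert)
    if virtual_host_ok(names, virtual_host):
        return True, f"certificate names {names} cover virtual host {virtual_host}"
    return False, f"certificate names {names} do not cover virtual host {virtual_host}"


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "sso.example.com"  # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    ok, message = check_service(host, port)
    print(("OK: " if ok else "FAIL: ") + message)
    sys.exit(0 if ok else 1)
```

Run it from a machine on which the plug-in will be installed, passing the virtual host name and the service port you entered in the wizard. A "cannot connect" result points at the port or firewall, an "is not trusted" result at the certificate chain on the client, and a "do not cover" result at the mismatch between certificate name and virtual host name that this section warns about.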
Select the local computer account to use for the service. Typically, you can select the Network Service account.
If the service is running in a Windows Server 2008 or Windows Server 2008 R2 environment with an Active Directory central store, you also must add the data proxy account as an administrator to the central store.
Single Sign-on Service can process service requests among users in different trusted domains. An administrator can install the Citrix AppCenter with the Single Sign-on console component on computers in different domains and create one or more user configurations in each domain.
For example, with the Single Sign-on Service computer located in DomainA, users associated with a user configuration in DomainA can use the Account Self-Service features to unlock their accounts. Users associated with a user configuration in DomainB can also use this feature, as provided by the DomainA service computer. In this case, multiple user configurations exist in multiple domains and are using a single service computer for this feature.
Before you implement the multi-domain service feature, ensure that you meet the following requirements:
| Requirement | Details |
| --- | --- |
| Domains | Each domain sharing the service must be part of the same domain forest. The domains within the forest must have a two-way transitive trust agreement. |
| Central store | This feature is available for implementations using Active Directory or NTFS network share central stores. All users sharing the same service computer must be implemented using the same central store type: Active Directory or NTFS shared folder. Multiple central store types are not supported. One NTFS shared folder central store per domain is not supported in this case. However, you can use one NTFS shared folder central store per forest. |
| Data Integrity feature | The Data Integrity feature must be used consistently across domains. That is, it is either enabled or disabled in the service and Single Sign-on Plug-in configurations for all domains. For example, you cannot enable this feature in the service configuration and disable it when installing the plug-in. |
| Single Sign-on console component of the Citrix AppCenter | Each console can view one central store only, not multiple central stores. The Single Sign-on administrator should install one console in each domain and install it by using a user account with administrative rights in that domain. Alternatively, the administrator can install a console with the ability to access other domains and, as needed, switch to one of those domains by logging on with credentials for that specific domain. |
| Data Proxy and Self Service accounts | You can configure one data proxy and self-service account that has read and write access to the central store and sufficient privileges to reset user passwords and unlock user accounts. Optionally, you can specify these accounts for each domain in the Service Configuration tool. |