You can enable or disable user authentication methods set up when the authentication service was created by selecting an authentication method in the results pane of the Citrix StoreFront management console and, in the Actions pane, clicking Manage Authentication Methods.
To enable pass-through authentication for smart card users accessing stores through NetScaler Gateway, use the Configure Delegated Authentication task.
Use the Trusted Domains task to restrict access to stores for users logging on with explicit domain credentials, either directly or using pass-through authentication from NetScaler Gateway.
The way in which you specify the domain name determines the format in which users must enter their credentials. If you want users to enter their credentials in domain user name format, add the NetBIOS name to the list. To require that users enter their credentials in user principal name format, add the fully qualified domain name to the list. If you want to enable users to enter their credentials in both domain user name format and user principal name format, you must add both the NetBIOS name and the fully qualified domain name to the list.
Use the Manage Password Options task to enable desktop Receivers and Receiver for Web site users logging on with domain credentials to change their passwords. When you create the authentication service, the default configuration prevents Citrix Receiver and Citrix Receiver for Web site users from changing their passwords, even if the passwords have expired. If you decide to enable this feature, ensure that the policies for the domains containing your servers do not prevent users from changing their passwords. Enabling users to change their passwords exposes sensitive security functions to anyone who can access any of the stores that use the authentication service. If your organization has a security policy that reserves user password change functions for internal use only, ensure that none of the stores are accessible from outside your corporate network.
If you enable Citrix Receiver for Web site users to change their passwords at any time, ensure that there is sufficient disk space on your StoreFront servers to store profiles for all your users. To check whether a user's password is about to expire, StoreFront creates a local profile for that user on the server. StoreFront must be able to contact the domain controller to change users' passwords.
| Citrix Receiver | User can change an expired password (if enabled on StoreFront) | User is notified that password will expire | User can change password before it expires (if enabled on StoreFront) |
|---|---|---|---|
Self-Service Password Reset enables end users to have greater control over their user accounts. Once you configure Self-Service Password Reset, if end users have problems logging on to their systems, they can unlock their accounts or reset their passwords to something new by correctly answering several security questions.
When setting up Self-Service Password Reset, you use the management console to specify which users can reset their passwords and unlock their accounts. Even if you enable these features in StoreFront, users can still be denied permission to perform these tasks by the settings configured in the Self-Service Password Reset configuration console.
Self-Service Password Reset is available only to users who connect to StoreFront over HTTPS; it is not offered over HTTP connections. It is also available only when users authenticate directly to StoreFront with a user name and password.
Self-Service Password Reset does not support UPN logons, such as firstname.lastname@example.org.
Before configuring Self-Service Password Reset for a store, you must ensure that:
- Self-Service Password Reset is installed and configured. It is available on the XenApp and XenDesktop media; for information, see the Self-Service Password Reset documentation.
- The StoreFront base URL is HTTPS (not HTTP). The account self-service option in Manage Password Options is available only for HTTPS base URLs.
- Users are allowed to change passwords at any time. The Enable password reset option is available only after you use Manage Password Options to allow this.
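The Trusted Domains, Manage Password Options and Self-Service Password Reset prerequisites above can all be applied and checked from the StoreFront PowerShell SDK rather than the console. The script below is an added example, not Citrix's own code: it assumes a store at virtual path /Citrix/Store and placeholder domain names, and the cmdlet and parameter names are as I recall them from the Citrix.StoreFront SDK, so confirm each with Get-Help before running it against a live deployment. It configures both credential formats, leaves password change at the conservative ExpiredOnly setting, and then reports exactly which prerequisites still block enabling password reset.

```powershell
# Added example, not Citrix's own code. Assumes the Citrix StoreFront PowerShell SDK
# (installed with StoreFront) and a store at virtual path /Citrix/Store; the domain
# names are placeholders. Cmdlet and parameter names are as I recall them from the SDK:
# verify each with Get-Help <cmdlet> -Full before running this against a live deployment.
Import-Module Citrix.StoreFront

$storePath = '/Citrix/Store'                          # assumption: your store's virtual path
$store = Get-STFStoreService -VirtualPath $storePath
$auth  = Get-STFAuthenticationService -StoreService $store

# Trusted domains. The form of each entry dictates the logon format users must type:
#   'CORP'              -> CORP\alice (domain user name format)
#   'corp.example.com'  -> alice@corp.example.com (user principal name format)
# Listing both accepts both forms; listing only one restricts users to that form.
Set-STFExplicitCommonOptions -AuthenticationService $auth `
    -Domains @('CORP', 'corp.example.com') `
    -DefaultDomain 'CORP'

# Password change. ExpiredOnly is the narrowest setting that still lets a user with an
# expired password back in. Always is what Self-Service Password Reset needs, but it
# exposes the change-password function to anyone who can reach the store, so choose it
# only for stores that cannot be reached from outside the corporate network.
Set-STFExplicitCommonOptions -AuthenticationService $auth -AllowUserPasswordChange ExpiredOnly

# Pre-flight check for Self-Service Password Reset: the base URL must be HTTPS and
# users must be allowed to change passwords at any time. Returns the list of blockers.
function Test-SsprPrerequisites {
    param(
        [Parameter(Mandatory)] $Deployment,       # output of Get-STFDeployment
        [Parameter(Mandatory)] $ExplicitOptions   # output of Get-STFExplicitCommonOptions
    )
    $blockers = @()
    $baseUrl = [uri]$Deployment.HostbaseUrl       # assumption: property name HostbaseUrl
    if ($baseUrl.Scheme -ne 'https') {
        $blockers += "Base URL $baseUrl is not HTTPS; Self-Service Password Reset is only offered over HTTPS."
    }
    if ("$($ExplicitOptions.AllowUserPasswordChange)" -ne 'Always') {
        $blockers += "AllowUserPasswordChange is $($ExplicitOptions.AllowUserPasswordChange); Enable password reset requires Always."
    }
    return $blockers
}

$blockers = Test-SsprPrerequisites -Deployment (Get-STFDeployment) `
    -ExplicitOptions (Get-STFExplicitCommonOptions -AuthenticationService $auth)
if (-not $blockers) {
    Write-Host "Self-Service Password Reset prerequisites met for $storePath; enable it under Manage Password Options."
} else {
    $blockers | ForEach-Object { Write-Warning $_ }
}
```

As written the script reports one blocker (password change is ExpiredOnly, not Always). That is deliberate: flipping the setting to Always is the step that widens exposure, so it should be a conscious decision taken only after confirming the store is internal-only, not something a provisioning script does by default.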
The next time the user logs on to Citrix Receiver or Citrix Receiver for Web, security enrollment is available. After clicking Start, questions are displayed to which the user must specify answers.
Once configured in StoreFront, users see the Account Self-Service link on the Citrix Receiver for Web logon screen (it displays as a button in other Citrix Receivers).
Clicking this link takes the user through a series of forms to first select between Unlock account and Reset password (if both are available).
After choosing a radio button and clicking Next, the next screen prompts for a domain and user name (domain\user) if that information was not entered on the logon form. Note that account self-service does not support UPN logons, such as email@example.com.
The user is then required to answer the security questions. If all the answers match those the user supplied during enrollment, the requested operation (unlock or reset) is performed and the user is notified that it succeeded.
Use the Shared Authentication Service Settings task to specify stores that will share the authentication service enabling single sign on between them.
Note: There is no functional difference between a shared and a dedicated authentication service. An authentication service used by more than one store is treated as a shared authentication service, and any configuration change affects access to all the stores that use it.
Use the Configure Delegated Authentication task to enable pass-through authentication for smart card users accessing stores through NetScaler Gateway. This task is only available when Pass-through from NetScaler Gateway is enabled and selected in the results pane.
When credential validation is delegated to NetScaler Gateway, users authenticate to NetScaler Gateway with their smart cards and are automatically logged on when they access their stores. This setting is disabled by default when you enable pass-through authentication from NetScaler Gateway, so that pass-through authentication only occurs when users log on to NetScaler Gateway with a password.