Citrix Self-Service Password Reset

StoreFront self-service password reset was first introduced with XenApp/XenDesktop FMA version 7.8. This feature grants users the ability to reset their own Active Directory passwords from the Receiver for Web or Receiver client and/or unlock their account.

  1. Reduces the possibility of helpdesk calls being logged to unlock accounts or reset passwords
  2. Increases user productivity by enabling users to reset their own password, unlock their account and ultimately get logged on and where they want to be quicker
  3. Frees up IT time to concentrate on other things

As mentioned, this Platinum feature was introduced to FMA in v7.8 with StoreFront 3.5, but it essentially required all of the XenApp 6.5 components (apart from Web Interface), such as AppCenter, the SSPR Agent and the SSPR Service. Since customers had to stay on Web Interface to keep using this feature, bringing SSPR into StoreFront gives more customers a reason to move away from Web Interface.

Now, StoreFront 3.7, released with XenApp/XenDesktop 7.11 provides SSPR fully integrated with no additional/legacy components required. Citrix have called this SSPR 1.0. SSPR 1.1 was released in December 2016.

SSPR with the 6.5 components can be used from Receiver for Web, Receiver for Mac, Linux, Chrome and Windows, allowing users to reset their passwords in whichever way is most convenient for them.

SSPR 1.0 and 1.1 with StoreFront 3.7+ can be used with Receiver for Web, Receiver for Linux and Receiver for Windows. Receiver for Mac is supported with SSPR 1.1 and StoreFront 3.8+. Receiver for Chrome is not supported. Using SSPR via NetScaler Gateway is currently not supported, and mobile devices that use Receiver for Web are also unsupported.

What’s new in Self-Service Password Reset 1.1:

  • Ability to blacklist users and groups so that they cannot use any of the SSPR features.
  • Support for Simplified Chinese when defining security questions.

What do you need?

A user account for Data Proxy Access and a user account for Self Service (both Active Directory accounts).

Note: The Self Service account needs to be able to reset passwords and unlock user accounts. Delegate just those rights over the OUs you will enroll rather than making the account an administrator; whoever holds this account's credentials can reset the password of every user in scope.

The SSPR software installed on a server. This replaces AppCenter and provides the management console you use to configure SSPR; it also installs the SSPR Service, which communicates with StoreFront and the SSPR Management Console. An SSPR server can hold thousands of enrollments quite easily, as each user enrollment consumes only around 50KB of disk space. Windows Server 2008 R2, 2012 R2 and 2016 are supported.
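Delegating only the rights the Self Service account needs, scoped to the OU you intend to enroll, as an added example that is not from the original article. The account name SSPR-SelfService, the domain lab.local and the OU OU=Users,DC=lab,DC=local are assumptions; the schema GUIDs are the well-known constant ones for the Reset Password extended right, the lockoutTime attribute and the user object class. Run it on a domain-joined box with the ActiveDirectory module, as an account allowed to modify the OU's security descriptor.

```powershell
# Added example, not from the original article: delegate to the SSPR
# Self-Service account only the two rights it needs (reset password and
# unlock) on the OU you will enroll, instead of granting it broader admin.
# Assumptions (not from the article): the account's sAMAccountName is
# SSPR-SelfService and the enrolled OU is OU=Users,DC=lab,DC=local.
Import-Module ActiveDirectory

$SelfServiceAccount = 'SSPR-SelfService'
$TargetOU           = 'OU=Users,DC=lab,DC=local'

# Well-known AD schema GUIDs (constant across forests)
$ResetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'   # extended right: Reset Password
$LockoutTimeAttr    = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'   # attribute: lockoutTime (0 = unlocked)
$UserObjectClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # object class: user

$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$sid = (Get-ADUser -Identity $SelfServiceAccount).SID
$acl = Get-Acl -Path "AD:\$TargetOU"

# Reset Password on every user object beneath the OU (not on the OU itself)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPasswordRight, $Inherit, $UserObjectClass)))

# Read + write lockoutTime on user objects: clearing it is what an "unlock" actually does
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $LockoutTimeAttr, $Inherit, $UserObjectClass)))

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: the account should appear with exactly these two ACEs and nothing broader
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$SelfServiceAccount" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Keep privileged accounts out of the enrolled OU altogether: the delegation above is what actually limits the blast radius if the Self Service account's password leaks, and the SSPR 1.1 blacklist is only a second layer on top of it.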

Hardware and Software Requirements

  • Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016.
  • .NET Framework 3.5.1 (2008 R2), .NET Framework 4.5.2 (2012 R2), .NET Framework 4.6.x (2016).
  • IIS
  • SSL certificate for communication between Self-Service and StoreFront.
  • Citrix License server 11.13.1.2 and above with Platinum license (SSPR periodically checks for Platinum licenses).
  • SMB share (for the Data Store) which holds user enrollment data and KBA information. Citrix recommend you place the share on the SSPR server.
  • StoreFront 3.7+ configured for HTTPS access.

First we must create a Data Store (Windows share). Citrix have published a script at https://support.citrix.com/article/CTX217143 which can assist with the share creation. I'm going to use my existing StoreFront server; you can use a dedicated server instead, although if you want to lock the implementation down Citrix recommend using the StoreFront server. On a Windows 2012 R2 server, open Server Manager, navigate to File and Storage Services, right-click on your server name and click New Share…

Select SMB Share – Quick -> Next.

Select a volume to host the share and click Next.

Type in a share name. Use the $ sign to hide the share. Click Next.

Uncheck Allow caching of share and check Encrypt data access. Click Next.

Click Customize Permissions -> Share. Configure permissions as below. You will notice the DataProxyAcc account. This is a standard Active Directory user we will be using to access the share and write information to the Data Store. Create a standard user for the Data Proxy Account in Active Directory, then assign it Full Control on this share.

On the NTFS permissions tab the permissions show as follows. Click Disable inheritance.

Click Convert inherited permissions into explicit permissions on this object.

Remove every entry apart from the three below: SYSTEM, Administrators (local) and CREATOR OWNER. Double-click CREATOR OWNER.

Click Show advanced permissions. Uncheck Full Control, Delete subfolders and files, Change permissions and Take ownership. Click OK.

Add the Data Proxy Account with Full Control to this folder, subfolders and files.

Add NETWORK SERVICE with Read permissions if using SSPR 1.0. (No longer a requirement in SSPR 1.1.)

Complete the wizard and the share will be created.

Now navigate to the share and create two folders: CentralStoreRoot and People. Check that these folders have inherited their permissions from the Data Store root folder; that is what gives the Data Proxy Account full control over them.

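The same share, NTFS and folder steps done in PowerShell on the server hosting the share, as an added example that is not from the original article or from the Citrix CTX217143 script. The domain LAB, the account LAB\DataProxyAcc, the folder D:\DataStore and the share name DataStore$ are assumptions; the CREATOR OWNER trim reproduces the GUI step exactly, since unticking Full Control, Delete subfolders and files, Change permissions and Take ownership leaves the Modify right set.

```powershell
# Added example, not from the original article: create the SSPR Data Store
# share with the same permission model as the GUI steps above, then verify it.
# Assumptions (not from the article): LAB\DataProxyAcc is the Data Proxy
# Account, the folder is D:\DataStore, the share is DataStore$, and this
# runs elevated on the server that will host the share.
$DataProxyAccount = 'LAB\DataProxyAcc'
$Path             = 'D:\DataStore'
$ShareName        = 'DataStore$'     # trailing $ hides the share from browsing
$SsprVersion      = '1.1'            # '1.0' additionally needs NETWORK SERVICE read

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Share level: only the Data Proxy Account, SMB encryption required, no client-side caching
New-SmbShare -Name $ShareName -Path $Path -FullAccess $DataProxyAccount `
             -EncryptData $true -CachingMode None | Out-Null
# Belt and braces: make sure no default "Everyone" entry is present on the share
Revoke-SmbShareAccess -Name $ShareName -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue | Out-Null

# NTFS level: break inheritance, keeping the inherited ACEs as explicit copies
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $Path -AclObject $acl
$acl = Get-Acl -Path $Path

# Keep only SYSTEM, local Administrators and CREATOR OWNER; purge everything else
$keep = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER'
foreach ($ace in @($acl.Access)) {
    if ($keep -notcontains $ace.IdentityReference.Value) {
        $acl.PurgeAccessRules($ace.IdentityReference)
    }
}

# Trim CREATOR OWNER to Modify (Full Control minus Delete subfolders and files,
# Change permissions and Take ownership), applied to subfolders and files only
$creatorOwner = [System.Security.Principal.NTAccount]'CREATOR OWNER'
$acl.PurgeAccessRules($creatorOwner)
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $creatorOwner, 'Modify', 'ContainerInherit, ObjectInherit', 'InheritOnly', 'Allow')))

# Data Proxy Account: Full Control on this folder, subfolders and files
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $DataProxyAccount, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))

if ($SsprVersion -eq '1.0') {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\NETWORK SERVICE', 'ReadAndExecute', 'ContainerInherit, ObjectInherit', 'None', 'Allow')))
}
Set-Acl -Path $Path -AclObject $acl

# The two folders SSPR expects; they must inherit from the Data Store root
foreach ($sub in 'CentralStoreRoot', 'People') {
    New-Item -Path (Join-Path $Path $sub) -ItemType Directory -Force | Out-Null
}

# Verify what the Service Configuration wizard will trip over later: inherited
# Full Control for the Data Proxy Account on both folders, and encryption on the share
foreach ($sub in 'CentralStoreRoot', 'People') {
    $ok = (Get-Acl -Path (Join-Path $Path $sub)).Access | Where-Object {
        $_.IdentityReference.Value -eq $DataProxyAccount -and $_.IsInherited -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    if (-not $ok) { throw "$sub did not inherit Full Control for $DataProxyAccount" }
}
Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData, CachingMode
Get-SmbShareAccess -Name $ShareName
```

The last three statements are the check worth keeping: if either folder does not show an inherited Full Control entry for the Data Proxy Account, or the share shows EncryptData False, the Service Configuration wizard later in this article will fail at the Data Store step.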

Next we need to install the Self-Service Password Reset software again either on a dedicated server or an existing StoreFront server. Launch the XenApp/XenDesktop 7.11 media and click Self-Service Password Reset.

Agree to the Licence Agreement, click Next.

Specify the install path, click Next.

Click Next to configure firewall rules automatically. By default Self-Service uses TCP 443; this can be changed using IIS and the Self-Service console.

Click Install.

Self-Service Password Reset is installing.

Now that the install is complete, click Finish.

Open Start, search for and launch Citrix Self-Service Password Reset Configuration.

There are three modules that we need to configure: Service Configuration, User Configuration and Identity Verification. Click on Service Configuration.

Click New Service Configuration.

Make sure you have an SSL certificate installed which represents the Self-Service hostname URL. Click Next.

Enter the SMB Data Store share as shown below. Click Next.

If you missed a permissions or configuration step during share creation you will get an error here. If you have got everything right, you will reach the Domain Configurations screen below. Tick your domain and click Properties.

Enter the user account details for the Data Proxy Account and the Self-Service Account. Click OK.

Click Next.

Click Finish once you see the message Processing finished successfully.

The Service Configuration will now look similar to below.

Navigate to User Configuration -> New User Configuration.

Note: In SSPR 1.1, there is a Blacklist Configuration option in the right pane which allows you to define users or groups of users that are not allowed to use SSPR features.

Here you can add Active Directory Groups, Users or OUs to be used with Self Service. I am going to use an OU (the Users OU). Click Browse.

Select the Users OU. Click OK. It is recommended that you do not include any OUs that contain privileged accounts, e.g. Domain Admins. With SSPR 1.1 you can additionally blacklist such accounts explicitly.

Now click Next.

Enter your license server name and port. Remember the license server must have Platinum XenApp or XenDesktop licenses. Click Next.

Tick the boxes below to allow users to reset their primary domain password and unlock their accounts. If you do not want one of these features to be available, simply untick it. Enter a service port (default 443) and the Self-Service URL. Click Create.

The User Configuration should look similar to below.

Finally navigate to Identity Verification. This is where you can add, remove and group Security Questions. Notice you can also export and import security questions and revoke a user's registration. By default SSPR comes with 4 pre-made questions. Click Manage Questions.

You will be presented with the below screen.

Tick Mask answers for security questions if you want to do so. This is good security practice. Click Next.

Here you can create a group of questions that users must answer, edit existing questions or create new questions. Click Add Question.

Enter a question, specify the minimum number of characters and specify whether the answer is case sensitive. Click OK. In this example, I will create two new questions. The first one is What is the name of your favourite school teacher?

The second is What is your favourite holiday destination? Bear in mind that answers to questions like these can often be found on social media, so set a sensible minimum answer length and prefer questions whose answers are not public.

Click Next.

On the Questionnaire screen you can remove questions, add them and move questions up and down to dictate the order in which questions are presented to enrolling users. Click Add.

Tick the questions you want to add, click OK.

Remove any unwanted questions by highlighting a question and clicking Remove.

Click OK.

Once you are happy with how the questionnaire looks, click Finish.

Click OK.

Notice Identity Verification now displays the new questions and which ones are in use (2).

The next part is to configure StoreFront for SSPR. Remember you need at least StoreFront 3.7. Within the StoreFront console, choose a store and click Manage Authentication Methods.

You must also specify that password changes are allowed at any time on Receiver for Web. Click the settings icon -> Manage Password Options.

Tick Allow users to change passwords and select At any time. Click OK.

Click the settings icon again followed by Configure Account Self-Service.

Click on the drop-down beside Account Self Service and choose Citrix SSPR. Click Configure.

Specify whether to enable password reset and account unlock. Enter the SSPR Account Service URL which you configured using the SSPR Console. Click OK.

Click OK.

Click OK.

Log on to Receiver for Web using an account residing in the Users OU. Click Tasks.

Click Start beside Manage Security Questions. This is how a user enrolls for self-service.

For security reasons, you must enter your domain credentials. Click Next.

As shown, you will see the first security question that I added to the questionnaire using the SSPR console. Enter an answer (which is masked) and click Next. Because answers are masked, you are required to confirm your answer.

Enter your answer for question two and click Next.

You will then be presented with a message that your answers to the security questions are registered. Click OK.

When we navigate back to Receiver for Web, notice the Account Self-Service text below Log On. This is the link you use to reset your password or unlock your account. Click this.

Select Unlock your account. Click Next.

Enter the answer to the first question; the answer is the one you specified during enrollment. Click Next.

Enter the second answer. Click Next.

Success! Your account has now been unlocked. Click OK.

And here is a snip from the reset password function, showing that the password has been reset.

Here you can see the Citrix Receiver for Windows client with the self-service section.

When logging on with the Receiver client, the Account Self-Service link appears. Click it.

Select Unlock Account just like you did using Receiver for Web.

After answering the security questions, your account will become unlocked.

Now what if we want to revoke the security questions for a user, in a scenario where they cannot remember their answers or you suspect an account has been compromised? Within the SSPR console, navigate to Identity Verification -> Revoke security question registration to a user.

Click Select User and find the user in Active Directory.

Click OK to continue with the revoke. The affected user will now have to re-register before they are able to use the self-service functions again.

Using Security Question Groups allows you to group together a mixture of questions and give the end user the ability to answer only a select few of their choice. Within Identity Verification -> Manage Questions create a selection of questions of your choice, then click on Create Group.

Enter a name, tick the questions you want to be part of the group and, the important part, specify the number of questions from the group that users must answer. In this scenario, the SQGroup will contain four questions but users will only need to answer two. Click OK.

Click Next.

You cannot add a Group if any of its member questions have been added individually to the Questions And Question Groups section. If any members are explicitly added, remove them first. I am keeping two individual questions in the list; these questions are not part of my question group. This means these two questions will be asked first, followed by the group questions. Click Add.

Select the Group and click Add, then complete the wizard.

First up is the first question I left in the list. Enter an answer and click Next.

The second question appears. Again, enter an answer and click Next.

Now the Group questions appear. Users will see a drop-down box allowing them to select one of the four questions to answer as their third question.

On the fourth question, the final required group question must be answered. Again this is pickable by the user. Notice there are only three left to choose from, after already answering one in the previous step. If you only had a group defined within the Manage Questions wizard, only the group questions would appear. I had also left some specific mandatory single questions in the list to show you the sort of options available for presenting questions to end users.

Additional notes:

 


6 Comments

  • Matt

    October 22, 2016

    I noticed SSPR does not work with UPN names. Even though it is v1.0 I am disappointed such things are not encountered by Citrix from the initial design.

    Following error occurred while logging into domain :
    No credentials exist to logon to ” domain.
    Please check the credential provided for this domain and make sure logon user has sufficient permissions.

    • George Spiers

      October 23, 2016

      Correct, UPN names are not supported at this time.

  • Pingback: Director 7.12 – Carl Stalhood

  • Shane Sorensen

    December 7, 2016

    Excellent article, great detail. Thanks for sharing this knowledge.

  • Pingback: Director 7.13 – Carl Stalhood

  • Pingback: Director 7.14 – Carl Stalhood
