StoreFront self-service password reset (SSPR) was first introduced with XenApp/XenDesktop FMA version 7.8. It lets users reset their own Active Directory password and/or unlock their account from Receiver for Web or the Receiver client. The benefits:
- Reduces the possibility of helpdesk calls being logged to unlock accounts or reset passwords
- Increases user productivity: users can reset their own password, unlock their account and get logged on to their resources sooner
- Frees up IT time to concentrate on other things
As mentioned, this Platinum feature arrived in FMA 7.8 with StoreFront 3.5, but it still required essentially all of the XenApp 6.5 SSPR components (apart from Web Interface): AppCenter, the SSPR Agent and the SSPR Service. Customers who had stayed on Web Interface purely to keep this feature now have a reason to move away from Web Interface, since SSPR is available with StoreFront.
Now StoreFront 3.7, released with XenApp/XenDesktop 7.11, provides SSPR fully integrated, with no additional or legacy components required. Citrix call this SSPR 1.0. SSPR 1.1 was released in December 2016.
SSPR with the 6.5 components can be used from Receiver for Web and from Receiver for Mac, Linux, Chrome and Windows, so users can reset their passwords in whichever way is most convenient to them.
SSPR 1.0 and 1.1 with StoreFront 3.7+ can be used with Receiver for Web and with Receiver for Windows and Linux. Receiver for Mac is supported with SSPR 1.1 and StoreFront 3.8+. Receiver for Chrome is not supported. Using SSPR through NetScaler Gateway is currently not supported, so the reset/unlock flow is only reachable from the internal network; mobile devices using Receiver for Web are also unsupported.
What’s new in Self-Service Password Reset 1.1:
- Ability to blacklist users and groups so that they cannot use any of the SSPR features.
- Support for Simplified Chinese when defining security questions.
What do you need?
Two Active Directory user accounts: one for Data Proxy Access and one for Self-Service.
Note: The Self-Service account needs to be able to reset passwords and unlock user accounts for the users you enable for SSPR. The Data Proxy account is a standard user and only needs access to the Data Store share.
The SSPR software installed on a server (Windows Server 2008 R2, 2012 R2 and 2016 are supported). This replaces AppCenter and provides the management console used to configure SSPR; it also installs the SSPR Service, which communicates with StoreFront and the SSPR Management Console. An SSPR server can hold thousands of enrollments quite easily, as each user enrollment consumes only around 50KB of disk space.
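The note above only says what the Self-Service account must be able to do. As an added example (not from this page or from Citrix's documentation), here is how to delegate just those two rights to the account on the OU you will later select in User Configuration, rather than putting it in a privileged group, and how to check that neither the account nor the OU is privileged. The domain, OU and account names are lab assumptions.

```powershell
# Added example, not part of the original walkthrough or Citrix's own scripts.
# Run on a domain-joined admin workstation as a user allowed to modify the OU's ACL.
# Assumed lab names: adjust the domain, account and OU to your environment.
$SelfServiceAcct = 'LAB\SSPRSelfService'           # the SSPR Self-Service account
$TargetOu        = 'OU=Users,DC=lab,DC=local'      # same OU you select in User Configuration

# Password reset is the 'Reset Password' control access right (CA). Unlocking an
# account works by writing lockoutTime back to 0, so the account needs read/write
# (RPWP) on that single attribute. /I:S inherits to sub-objects only, and the trailing
# ';user' scopes each ACE to user objects, so nothing else in the OU is affected.
dsacls $TargetOu /I:S /G "${SelfServiceAcct}:CA;Reset Password;user"
dsacls $TargetOu /I:S /G "${SelfServiceAcct}:RPWP;lockoutTime;user"

# Verify the ACEs landed by reading the OU's ACL back.
$granted = dsacls $TargetOu | Select-String -SimpleMatch $SelfServiceAcct
if (-not $granted) { throw "No ACE for $SelfServiceAcct found on $TargetOu" }
$granted

Import-Module ActiveDirectory

# The Self-Service account can reset every user in the OU, so it must not itself be
# privileged (direct group membership is checked here), and the OU must not contain
# privileged users. adminCount=1 marks accounts protected by AdminSDHolder.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'
$sam = $SelfServiceAcct.Split('\')[-1]
$badGroups = Get-ADPrincipalGroupMembership -Identity $sam |
             Where-Object { $privilegedGroups -contains $_.Name }
if ($badGroups) {
    Write-Warning "$sam is a member of privileged group(s): $($badGroups.Name -join ', ')"
}

$protected = Get-ADUser -SearchBase $TargetOu -Filter 'adminCount -eq 1' |
             Select-Object -ExpandProperty SamAccountName
if ($protected) {
    Write-Warning "OU contains protected accounts, do not enable it for SSPR: $($protected -join ', ')"
}
```

Even delegated this narrowly, the Self-Service account is a password-reset path to every user in the OU, so treat its credentials (which you enter into the SSPR console later) like any other service account secret, and keep privileged users out of the OUs and groups you enable.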
Hardware and Software Requirements
- Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016.
- .NET Framework 3.5.1 (2008 R2), .NET Framework 4.5.2 (2012 R2), .NET Framework 4.6.x (2016).
- SSL certificate for communication between Self-Service and StoreFront.
- Citrix License Server with Platinum XenApp or XenDesktop licenses (SSPR periodically checks the license server for Platinum licenses; see the Citrix SSPR system requirements for the minimum License Server version).
- SMB share (the Data Store) holding user enrollment data and KBA (knowledge-based authentication, i.e. security question) information. Citrix recommend placing the share on the SSPR server.
- StoreFront 3.7+ configured for HTTPS access.
First we must create a Data Store (Windows share). Citrix have published a script at https://support.citrix.com/article/CTX217143 which can assist with the store creation. I am going to use my existing StoreFront server, but you can use a dedicated server instead; as noted in the requirements, Citrix recommend hosting the Data Store share on the SSPR server itself. On a Windows 2012 R2 server, open Server Manager, navigate to File and Storage Services, right-click on your server name and click New Share…
Select SMB Share – Quick -> Next.
Select a volume to host the share and click Next.
Type in a share name. Use the $ sign to hide the share. Click Next.
Uncheck Allow caching of share and check Encrypt data access (SMB 3 encryption, so enrollment data is encrypted in transit). Click Next.
Click Customize Permissions -> Share. Configure the permissions as below. You will notice the DataProxyAcc account. This is a standard Active Directory user that the SSPR service uses to access the share and write information to the Data Store. Create a standard user for the Data Proxy Account in Active Directory, then assign it Full Control on this share.
On the NTFS permissions tab the permissions show as follows. Click Disable inheritance.
Click Convert inherited permissions into explicit permissions on this object.
Remove every entry apart from the three below: SYSTEM, Administrators (local) and CREATOR OWNER. Double-click CREATOR OWNER.
Click Show advanced permissions. Uncheck Full Control, Delete subfolders and file, Change permissions and Take ownership. Click OK.
Add the Data Proxy Account with Full Control to this folder, subfolders and files.
Add NETWORK SERVICE with Read permissions if you are using SSPR 1.0 (no longer a requirement in SSPR 1.1).
Complete the wizard and the share will be created.
Now navigate to the share and create two folders: CentralStoreRoot and People. Check that these folders have inherited their permissions from the Data Store root folder; this is what gives the Data Proxy Account full control over them.
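The whole share procedure above, scripted, as an added example; this is not the page's own steps nor the Citrix CTX217143 script. The share name, path, domain and Data Proxy account name are lab assumptions. Run it elevated on the server that will host the Data Store; it finishes with the same inheritance check the walkthrough asks you to do by eye.

```powershell
# Added example, not the original walkthrough's steps or Citrix's CTX217143 script.
# Run elevated on the server hosting the Data Store. Names below are lab assumptions.
$ShareName     = 'SSPRDataStore$'              # trailing $ hides the share from browsing
$SharePath     = 'D:\SSPRDataStore'
$DataProxyAcct = 'LAB\DataProxyAcc'            # standard AD user the SSPR service uses
$SsprVersion   = [version]'1.1'                # 1.0 also needs NETWORK SERVICE read access

New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

# Share level: SMB 3 encryption on (enrollment data encrypted in transit), client-side
# caching off, and only the Data Proxy account in the share ACL. Passing -FullAccess
# replaces the 'Everyone: Read' default that Server Manager would otherwise add.
New-SmbShare -Name $ShareName -Path $SharePath -EncryptData $true `
    -CachingMode None -FullAccess $DataProxyAcct | Out-Null

# NTFS level: disable inheritance, drop inherited ACEs and rebuild the ACL explicitly.
$acl = Get-Acl -Path $SharePath
$acl.SetAccessRuleProtection($true, $false)            # protect DACL, discard inherited ACEs
foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRule($ace) | Out-Null }   # any explicit leftovers

$FSR          = [System.Security.AccessControl.FileSystemRights]
$thisAndBelow = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none         = [System.Security.AccessControl.PropagationFlags]::None
$belowOnly    = [System.Security.AccessControl.PropagationFlags]::InheritOnly

function New-Ace {
    param([string]$Identity, $Rights, $Propagation)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList @($Identity, $Rights, $thisAndBelow, $Propagation, 'Allow')
}

# SYSTEM and the local Administrators group keep Full Control on everything.
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' $none))
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' $none))

# CREATOR OWNER: Full Control minus Delete subfolders and files, Change permissions and
# Take ownership, applied to subfolders and files only (the normal CREATOR OWNER scope).
$coRights = [int]$FSR::FullControl -band (-bnot (
            [int]$FSR::DeleteSubdirectoriesAndFiles -bor
            [int]$FSR::ChangePermissions -bor
            [int]$FSR::TakeOwnership))
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' ([System.Security.AccessControl.FileSystemRights]$coRights) $belowOnly))

# The Data Proxy account gets Full Control on the folder, subfolders and files.
$acl.AddAccessRule((New-Ace $DataProxyAcct 'FullControl' $none))

# SSPR 1.0 only: NETWORK SERVICE needs Read (dropped as a requirement in 1.1).
if ($SsprVersion -lt [version]'1.1') {
    $acl.AddAccessRule((New-Ace 'NT AUTHORITY\NETWORK SERVICE' 'ReadAndExecute' $none))
}
Set-Acl -Path $SharePath -AclObject $acl

# Create the two folders SSPR expects and verify each one inherits the root ACL,
# so the Data Proxy account ends up with Full Control on both.
foreach ($name in 'CentralStoreRoot', 'People') {
    $folder = Join-Path $SharePath $name
    New-Item -Path $folder -ItemType Directory -Force | Out-Null
    $folderAcl = Get-Acl -Path $folder
    $proxyAce  = $folderAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq $DataProxyAcct -and $_.IsInherited -and
        $_.FileSystemRights -eq [System.Security.AccessControl.FileSystemRights]::FullControl
    }
    if ($folderAcl.AreAccessRulesProtected -or -not $proxyAce) {
        throw "$folder does not inherit Full Control for $DataProxyAcct; fix this before configuring SSPR"
    }
}

Get-SmbShareAccess -Name $ShareName        # share ACL: should list only the Data Proxy account
(Get-Acl -Path $SharePath).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
```

The two final commands print the share and NTFS ACLs so you can compare them with the wizard screenshots. If the Service Configuration step later complains about the Data Store, those two listings are the first thing to check.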
Next we need to install the Self-Service Password Reset software, again either on a dedicated server or on an existing StoreFront server. Launch the XenApp/XenDesktop 7.11 media and click Self-Service Password Reset.
Agree to the Licence Agreement, click Next.
Specify the install path, click Next.
Click Next to configure firewall rules automatically. By default Self-Service uses TCP 443 however this can be changed using IIS and the Self-Service console.
Self-Service Password Reset is installing.
Now that the install is complete, click Finish.
Open Start, search for and launch Citrix Self-Service Password Reset Configuration.
There are three modules to configure: Service Configuration, User Configuration and Identity Verification. Click Service Configuration.
Click New Service Configuration.
Make sure you have an SSL certificate installed that matches the Self-Service hostname (URL). Click Next.
Enter the SMB Data Store share as shown below. Click Next.
If you missed a permissions or configuration step during share creation you will get an error here. If everything is right, you will reach the Domain Configurations screen below. Tick your domain and click Properties.
Enter the user account details for the Data Proxy Account and the Self-Service Account. Click OK.
Click Finish once you see the message Processing finished successfully.
The Service Configuration will now look similar to below.
Navigate to User Configuration -> New User Configuration.
Note: In SSPR 1.1, there is a Blacklist Configuration option in the right pane which allows you to define users or groups of users that are not allowed to use SSPR features.
Here you can add Active Directory groups, users or OUs to be used with Self-Service. I am going to use an OU (the Users OU). Click Browse.
Select the Users OU. Click OK. Do not include any OUs or groups that contain privileged accounts, e.g. Domain Admins: anyone who can answer (or guess) a privileged user's security questions could then reset that account's password.
Now click Next.
Enter your license server name and port. Remember the license server must have Platinum XenApp or XenDesktop licenses. Click Next.
Tick the boxes below to allow users to reset their primary domain password and unlock their accounts. If you do not want one of these features to be available, simply untick it. Enter a service port (default 443) and the Self-Service URL. Click Create.
The User Configuration should look similar to below.
Finally, navigate to Identity Verification. This is where you add, remove and group security questions. You can also export and import security questions and revoke a user's registration. By default SSPR ships with four pre-made questions. Click Manage Questions.
You will be presented with the screen below. Tick Mask answers for security questions if you want answers hidden as users type them; this is good security practice (it also means users must confirm each answer during enrollment, as shown later). Click Next.
Here you can create a group of questions that users must answer, edit existing questions or create new ones. Click Add Question.
Enter a question, specify the minimum number of characters and whether the answer is case sensitive. Prefer questions whose answers cannot easily be found on social media, and set a sensible minimum length. Click OK. In this example I will create two new questions, the first being What is the name of your favourite school teacher?
The second being What is your favourite holiday destination?
On the Questionnaire screen you can remove questions, add them and move questions up and down to dictate in which order questions are presented to enrolling users. Click Add.
Tick the questions you want to add, click OK.
Remove any unwanted questions by highlighting a question and clicking Remove.
Once you are happy with how the questionnaire looks, click Finish.
Notice Identity Verification now displays the new questions and which ones are in use (2).
The next part is to configure StoreFront for SSPR. Remember you need at least StoreFront 3.7. Within the StoreFront console, choose a store and click Manage Authentication Methods.
You must also allow password changes at any time on Receiver for Web. Click the settings icon -> Manage Password Options.
Tick Allow users to change passwords and select At any time. Click OK.
Click the settings icon again followed by Configure Account Self-Service.
Click on the drop-down beside Account Self Service and choose Citrix SSPR. Click Configure.
Specify to enable password reset and account unlock. Enter the SSPR Account Service URL which you had configured using the SSPR Console. Click OK.
Log on to Receiver for Web using an account residing in the Users OU. Click Tasks.
Click Start beside Manage Security Questions. This is how a user enrolls for self-service.
For security reasons you must re-enter your domain credentials. Click Next.
As shown, you will see the first security question I added to the questionnaire in the SSPR console. Enter an answer (which is masked) and click Next. Because answers are masked, you are asked to confirm your answer.
Enter your answer for question two and click Next.
You will then be presented with a message that your answers to the security questions are registered. Click OK.
When we navigate back to the Receiver for Web logon page, notice the Account Self-Service link below Log On. This is the link you use to reset your password or unlock your account. Click it.
Select the option to unlock your account. Click Next.
Enter the answer to the first question, i.e. the one you gave during enrollment. Click Next.
Enter the second answer. Click Next.
Success! Your account has now been unlocked. Click OK.
And here is a snip from the reset password function, showing a password reset completing.
Here you can see Citrix Receiver for Windows with the self-service section. When logging on with the Receiver client, the Account Self-Service link appears. Click it.
Select Unlock Account just like you did using Receiver for Web.
After answering the security questions, your account is unlocked.
Now, what if we want to revoke a user's security question registration, for example if they cannot remember their answers or you suspect the account (or its answers) has been compromised? Within the SSPR console, navigate to Identity Verification -> Revoke security question registration to a user.
Click Select User and find the user using Active Directory.
Click OK to confirm the revocation. The affected user will now have to re-register before they can use the self-service functions again.
Security Question Groups let you group together a mixture of questions and have the end user answer only a subset of their choice. Within Identity Verification -> Manage Questions, create a selection of questions, then click Create Group.
Enter a name, tick the questions you want in the group and, most importantly, specify the number of questions from the group that users must answer. In this scenario the SQGroup contains four questions but users need to answer only two. Click OK.
You cannot add a group if any of its member questions have already been added individually to the Questions And Question Groups section; if any have, remove them first. I am keeping two individual questions in the list that are not part of my question group, which means these two are asked first, followed by the group questions. Click Add.
Select the Group and click Add then complete the wizard.
First up is the first question I left in the list. Enter an answer and click Next.
The second question appears. Again, enter an answer and click Next.
Now the group questions appear. A drop-down lets the user pick which of the four group questions to answer as their third question.
For the fourth question the final required group question must be answered, again chosen by the user; notice only three remain after the one answered in the previous step. If you had defined only a group in the Manage Questions wizard, only the group questions would appear; I left some mandatory single questions in the list to show the presentation options available for end users.
- Editing a question after users have registered their answers does not force re-enrollment. Depending on the edit, however, it may confuse users into entering the wrong answers.
- Adding, replacing or deleting security questions does require users to re-enroll before they can use the self-service functions again.
- To secure the SSPR environment's communications, including delegating the Self-Service account's password reset/unlock rights, see https://docs.citrix.com/en-us/self-service-password-reset/1-1/secure.html
- Installing SSPR 1.0 on a Director (7.11) server appears to break Director. See https://discussions.citrix.com/topic/381184-installing-sspr-10-appears-to-have-broken-director-711-on-same-server/#entry1942081 for a workaround.