This section describes how to delegate administration of a Citrix Password Manager central store to a group or user account that is not a domain administrator. By default, Password Manager installation assumes the Password Manager Administrator is also a domain administrator. When that assumption does not hold, this article can be used as a guide to set up the permissions the Password Manager Administrator account needs in order to operate as a delegate.
It is assumed that you have created a Password Manager Administrator account or Password Manager Administrators group that contains the user accounts with administrative permissions. That user or group will be granted permissions to configure, maintain, and manage a Password Manager deployment. Since groups allow for easier management, the Password Manager Administrator user or group will be collectively referred to as the Password Manager Administrators group throughout the remainder of this section.
Configuring Access to the Central Store
The central store repository is divided into two areas: the synchronization area and the administrative data area. The synchronization area is the location that the agents contact to obtain agent settings and in which they store their encrypted credentials. By default, the synchronization location is secured so that only Password Manager Administrators and the individual user can access the data. The administrative data area is a central location where the console stores the administrative configurations used to create the agent settings for users, including application definitions, password policies, identity verification, etc. By default, the administrative data location is secured to allow only Password Manager Administrators access to the folder.
The set of delegation steps depends on where your central store resides. The configuration and setup for both types of central store host (NTFS file share or Microsoft Active Directory) are described below.
NTFS File Share
Storage Structure
With a file share host, up to three folders are used to store the different areas of the central store repository. These folders are found in the root of the central store share. The synchronization location is kept in a folder called People in the root of the central store share. Under the People folder, each user has their own folder with appropriate permissions for reading and writing their credential data. The administrators have permissions to add and remove agent settings from the individual users' folders.
The administrative data is kept in a folder called CentralStoreRoot in the root of the central store share. By default, only administrators have permissions to read and write data within the CentralStoreRoot folder.
The domain hierarchy data is kept in a folder named using the NetBIOS name of the domain. This folder is only present when using NT or Active Directory domains for primary authentication with the file share and contains the user configuration settings when they are assigned to organizational units or individual users. The folder contains sub-folders that are named using the SID of the OU or user to which the settings should be applied. By default, only administrators have permissions to read and write data within the domain folder. Users have read permissions for this folder, so they can locate the settings that apply to them.
Depending on the type of file share host, the types of permissions granted will be different.
By default, no permissions are allowed to propagate from the root share to the child folders CentralStoreRoot and People. However, permissions assigned at the root folder are allowed to propagate to the domain folder. The CTXFILESYNCPREP tool automatically grants Full Control to the local Administrators group for both the CentralStoreRoot and People sub-folders and removes all permissions for Authenticated Users. No other folders are created by CTXFILESYNCPREP.
The Password Manager agent is responsible for creating all the sub-folders inside the People folder and upon creation sets the permissions of the folder to Modify for the Creator/Owner and enables inheritable permissions to propagate from the parent folder.
All remaining folders in the central store repository are created by the Password Manager Console during use as necessary. The console creates the CentralStoreRoot/AdminConsole folder during discovery and if an NT or AD Domain is used, it will create a folder in the root of the central store share. The console automatically grants the current user Modify permissions for every folder created and leaves the propagation flag for inheritance enabled.
Delegation Setup
Although Local and Domain Administrators are configured by the Citrix prep tools to have write access to the appropriate folders, any additional accounts will need to have permissions explicitly granted to them. For the most part, granting the permissions at the appropriate level will allow access to the Password Manager Administrator account. To grant permissions, follow these steps:
- Run CTXFILESYNCPREP to create the root share and the two sub-folders People and CentralStoreRoot. If the folders are already created, proceed to the next step.
- Grant the Password Manager Administrator account Full Control of the root share folder and both of the sub-folders inside the shared folder (CentralStoreRoot and People).
- Log in as a Password Manager Administrator and launch the console. This causes all subsequent folders and objects to be created with the appropriate Password Manager Administrator permissions automatically.
- Verify the appropriate permissions are added to the AdminConsole folder.
Further Delegation
You may wish to further delegate or control permissions by individually modifying the permissions on the appropriate folders within the folder hierarchy. Be aware that changed access permissions do not take effect until the user logs off, logs back on, and then re-launches the console. In addition, each time the Password Manager Administrator's permissions change, the Password Manager Administrator should re-run discovery to refresh the object cache and display only objects to which the user has access. Should the Password Manager Administrator choose not to run discovery, the access permissions are still enforced, since the Password Manager Console verifies permissions before each read or write from the console.
Active Directory
Schema Preparation
The schema preparation tool, CTXSCHEMAPREP.EXE, must still be run by a member of the Schema Administrators group for the target forest. This tool adds several classes and attributes to the forest schema allowing Password Manager to store user configuration data and encrypted credential information as objects inside Active Directory.
Domain Preparation
The domain preparation tool, CTXDOMAINPREP.EXE, must still be run by a member of the Domain Administrators group for the target domain.
When run without specifying a location, CTXDOMAINPREP affects the entire domain. However, if necessary, the tool can be run on a per-OU basis. To prepare only an individual OU, provide the relative distinguished name of the OU on the command line following the executable name. For example, to apply the permissions to the Users container, use the following command:
CTXDOMAINPREP CN=Users
Note that the full distinguished name (CN=Users,DC=Example,DC=com) is not used, because the tool automatically appends the distinguished name of the domain. If you run this command for more than one OU within the domain, you may receive a message indicating that a previous installation was found. This is normal behavior, as the tool expects to create the Central Store location each time it is executed.
Storage Structure
With an Active Directory host for the central store repository, the synchronization and domain hierarchy data are stored in the individual containers for users and organizational units. The administrative data is stored in an application data partition found under the domain root and can be viewed using ADSI Edit (available from http://www.microsoft.com/) by opening the appropriate domain and navigating down the following containers: Program Data, Citrix, MetaFrame Password Manager, CentralStoreRoot.
For Password Manager Administrator access, the administrator will need the appropriate permissions to the following containers:
- CN=CentralStoreRoot,CN=MetaFrame Password Manager,CN=Citrix,CN=Program Data
- Organizational Unit (OU) containers to be managed
- User containers to be managed
By default, "Allow inheritable permissions from parent to propagate to this object" is set for all objects in the Program Data, MetaFrame Password Manager, and CentralStoreRoot containers. Therefore, any permissions delegated at the root of the Program Data container will flow down to the CentralStoreRoot container.
The CTXDOMAINPREP tool assigns Full Control to the Domain Administrators group and SYSTEM account as well as restricting Authenticated Users to Read and allowing the SELF account to create and delete Citrix SSO objects. For more information on the exact permissions assigned, see the Password Manager Administrator's Guide.
Note: By design, the Domain Administrator account has "Allow inheritable permissions from parent to propagate to this object" disabled. This setting prevents the Domain Administrator from using Automatic Key recovery and Self-service Password Reset functionality.
Delegation Setup
All administrators accessing the central store will need the same set of permissions. In an environment with multiple administrators, the recommended method is to create a Password Manager Administrators group with permissions for the central store. After creating the Password Manager Administrators group, assign the necessary central store permissions by following these steps:
- Using ADSI Edit, navigate to the Program Data>Citrix>MetaFrame Password Manager>CentralStoreRoot container
- Right-click and choose Properties from the context menu
- Select the Security tab
- Click Advanced...
- Click Add and enter the Password Manager Administrators group in the Name field
- Set the Apply Onto field to: "This object and all Child Objects"
- Select the Allow checkbox for the following permission:
    Full
- Click OK to close the Permission Entry dialog
- Click OK to close the Access Control Setting dialog
- Click OK to close the CentralStoreRoot properties dialog
- Add all user accounts that need to administer Password Manager to the Password Manager Administrators group
Delegated Permissions
For each user account that will be a Password Manager Administrator, you must delegate control of the domain, OUs, or user accounts the Password Manager Administrator will manage. Remember, if the user account will manage all user accounts or domain-level settings, it will need control delegated at the root of the domain. To delegate permissions for a user or group account, follow these steps:
1. Using ADSI Edit, navigate to the OU or domain object for the delegated permissions
2. Right-click on the OU or domain name (for domain-level permissions) and select Properties
3. Select the Security tab
4. Click Advanced...
5. Click Add and enter in the Name field the Password Manager Administrator's account that will have administrator permissions for this OU or domain, then click OK
6. Set the Apply Onto field to: "This object and all Child Objects"
7. Select the Allow checkbox for each of the following permissions:
    Create citrix-SSOConfig Objects
    Delete citrix-SSOConfig Objects
    Create citrix-SSOLicense Class Objects
    Delete citrix-SSOLicense Class Objects
8. Click OK
9. Click Add and enter in the Name field the Password Manager Administrator's account that will have administrator permissions for this OU or domain, then click OK
10. Set the Apply Onto field to: "citrix-SSOSecret objects"
11. Select the Allow checkbox for Modify Owner
12. Click OK
13. Click Add and enter in the Name field the Password Manager Administrator's account that will have administrator permissions for this OU or domain, then click OK
14. Set the Apply Onto field to: "User objects"
15. Select the Allow checkbox for Full Control
16. Click OK
17. To grant Full Control for the Citrix objects, repeat steps 13-16, changing the Apply Onto field from "User objects" to each of the following object types:
    citrix-SSOConfig objects
    citrix-SSOSecret objects
18. Click OK to close the Access Control Setting dialog
19. Click OK to close the OU Properties dialog
NOTE: The Active Directory Users & Computers MMC Snap-in does not provide access to all of the Citrix class objects. The steps above need to be completed using ADSI Edit. Also, in testing it was discovered that the Delegate Control wizard may not properly assign the correct permissions, so using ADSI Edit is recommended.
Further Delegation
Further delegation can be accomplished by granting granular access to the individual objects within the central store and the individual OUs as necessary. When modifying permissions, remember the administrators should run discovery to obtain the latest list of objects in the central store along with their associated permissions.
Running the Console
Launching the console as the Password Manager Administrator's account for the first time will cause all objects to inherit the permissions from the original CentralStoreRoot folder. When running the console with a delegated administrator, remember the current user must have access to all the locations and containers where an object is stored or the update will fail. This means that delegated administrators cannot update global objects (like Identity Verification Question) unless they have access to all the user accounts and OUs where the global object is used.
WARNING: The Citrix Password Manager 4.0 console only checks permissions on the CentralStore object before performing a delete. If the administrative user does not have permission to delete user objects in the OU, the object will be left in the OU and removed from the Central Store.
Using the ADT as a Password Manager Administrator
The console will automatically use the credentials of the logged in user for access to Active Directory. The same permissions for the full Access Suite Console are also required when accessing the Central Data Store through the ADT. If an application definition is used in Application groups that are deployed, the Password Manager Administrator will need permissions to write objects to those containers where the application definition is being used.
Configuration of the Password Manager Service
Depending on the modules installed in the Citrix Password Manager Service, you may need to complete different delegation steps. Each of the modules and the associated changes are discussed below.
Service machine
Put the "Password Manager Administrators" group in the local administrators group of the machine(s) running the Password Manager Service. This will allow Password Manager Administrators to administer the service settings, data signing, provisioning, etc.
Data Integrity
When using the Citrix Password Manager Service, you will need to grant access to the Password Manager Administrators group to authenticate to the service if the optional Data Integrity Assurance feature is enabled. To grant access for the Password Manager Administrators to sign data settings, complete the following steps:
1. Launch Notepad
2. Open the httpd.conf file found at %ProgramFiles%\Common Files\Citrix\XTE\conf
3. Locate the <Files AuthenticatedWS.asmx> section
4. Add another require group statement below the Domain Administrators statement, specifying the domain name and the name of the Password Manager Administrators group:
    require group "DOMAINNAME\\Password Manager Administrators"
5. Save and close the httpd.conf file
6. Launch Notepad once again, and open the httpd.conf.template file found at %ProgramFiles%\Citrix\MetaFrame Password Manager\Service
7. Locate the <Files AuthenticatedWS.asmx> section
8. Add another require group statement below the Domain Administrators statement, specifying the domain name and the name of the Password Manager Administrators group, like this:
    require group "DOMAINNAME\\Password Manager Administrators"
9. Launch Windows Explorer
10. Navigate to %ProgramFiles%\Citrix\MetaFrame Password Manager\Service\Certificates
11. Highlight both PrivateKeyCert.cert and PublicKeyCert.cert, right-click, and choose Properties
12. Navigate to the Security tab, and give Full permissions to the "Password Manager Administrators" group
WARNING: The ServiceConfigurationTool.exe automatically replaces the httpd.conf file each time it is used to make changes to the service configuration. Steps 6 through 8 above, which apply the same change to httpd.conf.template, prevent the change from being lost.
Provisioning
When using the Citrix Password Manager Service, you will need to grant access to the Password Manager Administrators group to authenticate to the service if the optional Provisioning Service feature is enabled. To grant access for the Password Manager Administrators to provision credentials, complete the following steps:
1. Launch Notepad
2. Open the httpd.conf file found at %ProgramFiles%\Common Files\Citrix\XTE\conf
3. Locate the <Files ProvisionSvc.asmx> section
4. Add another require group statement below the Domain Administrators statement, specifying the domain name and the name of the Password Manager Administrators group, like this:
    require group "DOMAINNAME\\Password Manager Administrators"
5. Save and close the httpd.conf file
6. Launch Notepad once again, and open the httpd.conf.template file found at %ProgramFiles%\Citrix\MetaFrame Password Manager\Service
7. Locate the <Files ProvisionSvc.asmx> section
8. Add another require group statement below the Domain Administrators statement, specifying the domain name and the name of the Password Manager Administrators group, like this:
    require group "DOMAINNAME\\Password Manager Administrators"
WARNING: The ServiceConfigurationTool.exe automatically replaces the httpd.conf file each time it is used to make changes to the service configuration. Steps 6 through 8 above, which apply the same change to httpd.conf.template, prevent the change from being lost.
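Because ServiceConfigurationTool.exe rewrites httpd.conf, it is worth checking that the require group line survives in both files after every configuration change. The following PowerShell check is an added example, not part of the Citrix service; it assumes the default paths given in the Data Integrity and Provisioning steps above, and DOMAINNAME is a placeholder for your NetBIOS domain name.

```powershell
# Added example (not Citrix tooling): report whether the Password Manager
# Administrators "require group" line is present inside the given <Files ...>
# section of httpd.conf and httpd.conf.template. Assumptions: default install
# paths, PowerShell 3+ (Get-Content -Raw), DOMAINNAME is a placeholder.
$Group = 'DOMAINNAME\\Password Manager Administrators'   # exactly as written in the file
$Files = @(
    "$env:ProgramFiles\Common Files\Citrix\XTE\conf\httpd.conf",
    "$env:ProgramFiles\Citrix\MetaFrame Password Manager\Service\httpd.conf.template"
)
$Sections = 'AuthenticatedWS.asmx', 'ProvisionSvc.asmx'   # Data Integrity, Provisioning

function Test-RequireGroup {
    param([string]$Path, [string]$Section, [string]$GroupName)
    if (-not (Test-Path -Path $Path)) { return $false }
    $text = Get-Content -Path $Path -Raw
    # Isolate the <Files Section> ... </Files> block (non-greedy, spans lines)
    $block = [regex]::Match($text, "(?s)<Files\s+$([regex]::Escape($Section))>(.*?)</Files>")
    if (-not $block.Success) { return $false }
    # Look for:  require group "DOMAINNAME\\Password Manager Administrators"
    $pattern = '(?im)^\s*require\s+group\s+"' + [regex]::Escape($GroupName) + '"\s*$'
    return [regex]::IsMatch($block.Groups[1].Value, $pattern)
}

foreach ($file in $Files) {
    foreach ($section in $Sections) {
        $state = if (Test-RequireGroup -Path $file -Section $section -GroupName $Group) { 'OK' } else { 'MISSING' }
        '{0,-8} {1,-22} {2}' -f $state, $section, $file
    }
}
```

A MISSING result for httpd.conf but OK for the template is the symptom the warning above describes; a MISSING result for the template means the change will be lost on the next rewrite.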
Automatic Key Recovery
If the deployment includes using the Password Manager Service for Automatic Key Recovery, you will need to configure a data proxy account that has access to the central store and all the OUs that contain the Password Manager user accounts.
Adding the data proxy account to the Password Manager Administrators group will grant access to the central store. You will then need to delegate control to the data proxy account at the appropriate domain level, OU level, or shared folder resource by completing the steps in the delegation section for the appropriate central store type.
In the file share environment, the data proxy account should have the following permissions:
- Configure the data proxy account to be a regular Domain User.
- Give the user Full Control permissions to the Central Store as follows:
    - For the CitrixSync$ share (root), give this user Full Control share permissions.
    - For the CitrixSync folder (root), give this user Full Control NTFS permissions.
    - For the CentralStoreRoot folder, give this user Full Control NTFS permissions.
    - The <Domain Name> folder inherits Full Control from the parent folder, so no changes are needed here.
    - For the People folder, give this user Full Control NTFS permissions.
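The NTFS and share permissions from the "Delegation Setup" steps for the file share and from the data proxy list above, applied and then audited with PowerShell. This is an added example rather than Citrix's own tooling; it assumes the central store lives at D:\CitrixSync shared as CitrixSync$, PowerShell 3+ with the SmbShare module, and placeholder domain, group and account names.

```powershell
# Added example (not Citrix tooling): grant each delegated principal Full
# Control on the central store root and its two sub-folders (CentralStoreRoot
# and People do not inherit from the root, so each needs its own ACE), plus
# Full share permission on the root share, then audit the result.
# Assumptions: store at D:\CitrixSync shared as CitrixSync$; PowerShell 3+
# with the SmbShare module; domain, group and account names are placeholders.
$Root       = 'D:\CitrixSync'
$ShareName  = 'CitrixSync$'
$Principals = @('EXAMPLE\Password Manager Administrators',   # delegated admins
                'EXAMPLE\svc-cpm-dataproxy')                  # data proxy account
$Folders    = @($Root, "$Root\CentralStoreRoot", "$Root\People")

function Grant-FullControl {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Allow FullControl, inherited by sub-folders and files
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# $true only if an Allow ACE (explicit or inherited) carries the full
# FullControl mask for the identity; a partial mask such as Modify is not enough.
function Test-FullControl {
    param([string]$Path, [string]$Identity)
    $full = [System.Security.AccessControl.FileSystemRights]::FullControl
    $hit  = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }
    return [bool]$hit
}

foreach ($id in $Principals) {
    foreach ($folder in $Folders) { Grant-FullControl -Path $folder -Identity $id }
    # Share-level permission on the root share (NTFS and share ACLs are separate)
    Grant-SmbShareAccess -Name $ShareName -AccountName $id -AccessRight Full -Force
}

# Audit. The domain folder (named after the NetBIOS domain) inherits from the
# root, so any extra top-level folder present is checked as well.
$audit = $Folders + (Get-ChildItem -Path $Root -Directory |
          Where-Object { $_.Name -notin 'CentralStoreRoot', 'People' } |
          ForEach-Object FullName)
foreach ($id in $Principals) {
    foreach ($folder in $audit) {
        $state = if (Test-FullControl -Path $folder -Identity $id) { 'OK' } else { 'MISSING' }
        '{0,-8} {1,-40} {2}' -f $state, $folder, $id
    }
}
```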
In the Active Directory environment, the data proxy account is granted the appropriate permissions by completing the steps outlined above in the "Delegated Permissions" section of this document for the data proxy account.
Self-Service Password Reset
If the deployment includes using the Password Manager Service for Self-service Password Reset, you will need to configure a data proxy account that has access to the central store and all the OUs that contain the Password Manager user accounts.
Adding the data proxy account to the Password Manager Administrators group will grant access to the central store. You will then need to delegate control to the data proxy account at the appropriate domain level, OU level, or shared folder resource by completing the steps in the delegation section for the appropriate central store type.
In the file share environment, the data proxy account should be a member of the local Administrators group on the server hosting the file share. In the Active Directory environment, the data proxy account is granted the appropriate permissions by completing the steps outlined above in the "Delegated Permissions" section of this document for the data proxy account.
Password Reset Account
For most deployments, the data proxy account will have full control of user objects and can be used as the Password Reset account. However, if a separate, more restricted account is desired, follow these steps to grant the minimum necessary permissions to the Password Reset account in Active Directory.
- Using ADSI Edit, navigate to the OU or domain object for the delegated permissions (The domain object is recommended for password reset)
- Right-click on the OU or domain name (for domain-level permissions) and select Properties
- Select the Security tab
- Click Advanced...
- Click Add, enter the Password Reset account in the Name field, and then click OK
- Click the Properties tab
- Set the Apply Onto field to: "User objects"
- Select the Allow checkbox for the following permissions:
    Reset Password
    Read PwdLastSet
    Write PwdLastSet
    Read Lockout Time
    Write Lockout Time
    Read ntPwdHistory
    Write ntPwdHistory
- Click OK to close the Permissions dialog
- Click OK to close the Access Control Setting dialog
- Click OK to close the OU Properties dialog
Use the ServiceConfigurationTool executable to modify the Password Reset account. Remember, if Data Integrity Assurance is enabled, the httpd.conf file will need to be modified again to add the Password Manager Administrators group. When complete, restart the Citrix XTE Service.
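The ADSI Edit entries from the "Delegated Permissions" section and from the "Password Reset Account" steps above, expressed as Active Directory ACEs in PowerShell so they can be applied and reviewed consistently. This is an added example, not Citrix tooling; it assumes the RSAT ActiveDirectory module, that the Citrix schema classes carry the lDAPDisplayNames citrix-SSOConfig, citrix-SSOLicense and citrix-SSOSecret (taken from the permission names above, not confirmed against the schema), and placeholder OU, group and account names.

```powershell
# Added example (not Citrix tooling). Assumptions: RSAT ActiveDirectory module;
# Citrix class lDAPDisplayNames as listed below; OU/group/account are placeholders.
Import-Module ActiveDirectory
$TargetDN = 'OU=CPM Users,DC=example,DC=com'      # OU, or the domain root for domain-wide
$AdminSid = (Get-ADGroup -Identity 'Password Manager Administrators').SID
$ResetSid = (Get-ADUser  -Identity 'svc-cpm-reset').SID
$rootDse  = Get-ADRootDSE
$rightsNC = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# schemaIDGUID of a class or attribute by lDAPDisplayName. Throws instead of
# returning an empty GUID, which would silently widen the ACE to every type.
function Get-SchemaGuid {
    param([string]$Name)
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext -Properties schemaIDGUID `
         -LDAPFilter "(lDAPDisplayName=$Name)"
    if (-not $o) { throw "Schema object '$Name' not found (has CTXSCHEMAPREP been run?)" }
    return [guid]$o.schemaIDGUID
}
# rightsGuid of a control access right such as "Reset Password"
function Get-RightGuid {
    param([string]$DisplayName)
    $o = Get-ADObject -SearchBase $rightsNC -Properties rightsGuid -LDAPFilter "(displayName=$DisplayName)"
    if (-not $o) { throw "Extended right '$DisplayName' not found" }
    return [guid]$o.rightsGuid
}
# Apply Onto "This object and all Child Objects" = All with no class filter;
# Apply Onto "<class> objects" = Descendents filtered by inheritedObjectType.
function New-AllowAce {
    param($Sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [guid]$ObjectType = [guid]::Empty, [guid]$OnClass = [guid]::Empty)
    $inh = if ($OnClass -eq [guid]::Empty) { 'All' } else { 'Descendents' }
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow, $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$inh, $OnClass)
}
function Add-Aces {
    param([string]$DN, [System.DirectoryServices.ActiveDirectoryAccessRule[]]$Aces)
    $acl = Get-Acl -Path "AD:\$DN"
    foreach ($a in $Aces) { $acl.AddAccessRule($a) }
    Set-Acl -Path "AD:\$DN" -AclObject $acl
}

$R   = [System.DirectoryServices.ActiveDirectoryRights]
$cfg = Get-SchemaGuid 'citrix-SSOConfig';  $lic = Get-SchemaGuid 'citrix-SSOLicense'
$sec = Get-SchemaGuid 'citrix-SSOSecret';  $usr = Get-SchemaGuid 'user'

# Delegated Permissions for the Password Manager Administrators group
Add-Aces $TargetDN @(
    New-AllowAce $AdminSid ($R::CreateChild -bor $R::DeleteChild) $cfg   # create/delete SSOConfig
    New-AllowAce $AdminSid ($R::CreateChild -bor $R::DeleteChild) $lic   # create/delete SSOLicense
    New-AllowAce $AdminSid ($R::WriteOwner) -OnClass $sec                # Modify Owner on SSOSecret
    New-AllowAce $AdminSid ($R::GenericAll) -OnClass $usr                # Full Control on User objects
    New-AllowAce $AdminSid ($R::GenericAll) -OnClass $cfg                # Full Control on SSOConfig
    New-AllowAce $AdminSid ($R::GenericAll) -OnClass $sec                # Full Control on SSOSecret
)
# Password Reset account: the minimum set, scoped to User objects only
$resetAces = @(New-AllowAce $ResetSid ($R::ExtendedRight) (Get-RightGuid 'Reset Password') $usr)
foreach ($attr in 'pwdLastSet', 'lockoutTime', 'ntPwdHistory') {
    $resetAces += New-AllowAce $ResetSid ($R::ReadProperty -bor $R::WriteProperty) (Get-SchemaGuid $attr) $usr
}
Add-Aces $TargetDN $resetAces
```

After applying, re-run discovery in the console as described under "Further Delegation" so the object cache reflects the new permissions.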