When the XenApp farm is configured for Kerberos authentication and the user also logs on to the local PC with a username and password, key recovery is performed every time the user switches between the two methods: username and password to access the local PC, and Kerberos authentication to access XenApp.
When a user accesses a XenApp farm over ICA with Kerberos authentication, the user is authenticated with a Kerberos ticket, so the Password Manager agent cannot retrieve the user's actual password from the GINA and retrieves a blank password instead. The SSOGina mistakenly accepts the blank password as the current password and assumes that the user's password has changed. In previous Password Manager releases (versions 4.0 and 4.1) a key recovery was performed at this point to obtain the AuthenticatorKey. To resolve this, Password Manager 4.5 and later allow multiple primary authentication methods to be configured concurrently. Existing protected copies of the AuthenticatorKey are not deleted when a new one is added; by retaining multiple copies, key recovery is avoided when the user switches back to the previously used primary authentication method.
An additional data protection method, Microsoft Data Protection API (DPAPI), is now available for users who log on with a username and password. In previous releases of Password Manager, DPAPI was supported only when smart cards were used to authenticate.
To enable the DPAPI data protection method:
- Create a user configuration.
- At the "Data Protection Methods" step, select No in response to "Do you need to regulate account administrator access to user data?"
- At the prompt "For improved user experience upon logon events, please select all data protection methods that apply," select "Microsoft Data Protection API" together with any other data protection methods you require.
- Note that "Microsoft Data Protection API" allows users to log on with either their user credentials or a smart card.
- At Secondary Data Protection, choose either "Prompt user to select the method: Previous password or security questions" or "Do not prompt users" as the secondary data protection method.
- Enable roaming profiles for the users. Microsoft Data Protection API works only if roaming profiles are available, because the DPAPI user master keys that protect the data are stored in the user's profile and must follow the user to each workstation.
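The roaming profile requirement in the last step follows from how DPAPI user-scope protection works. The following PowerShell script is an added example and is not part of the Password Manager documentation or product: it protects a constructed sample secret under the calling user's DPAPI master key, shows the profile folder where that master key lives, and (assuming the RSAT ActiveDirectory module is installed) warns when the user has no roaming profile path set. The sample secret, the folder check and the AD lookup are illustrative assumptions; the product's own AuthenticatorKey handling is not shown.

```powershell
# Added example, not from the Password Manager documentation. Demonstrates DPAPI
# CurrentUser protection and why it depends on the user profile roaming.
Add-Type -AssemblyName System.Security

$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

# Constructed sample secret standing in for the protected key material.
$secret = [System.Text.Encoding]::UTF8.GetBytes('sample-authenticator-key-material')

# Protect under the calling user's DPAPI master key; no explicit key handling.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)
Write-Host ("Protected blob: {0} bytes" -f $blob.Length)

# Unprotect succeeds only where this user's DPAPI master key is available.
try {
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
    Write-Host ("Recovered: {0}" -f [System.Text.Encoding]::UTF8.GetString($plain))
} catch [System.Security.Cryptography.CryptographicException] {
    Write-Warning "Unprotect failed: this user's DPAPI master key is not present on this machine."
}

# The user-scope master keys live in the profile under %APPDATA%\Microsoft\Protect\<SID>.
# This folder is what a roaming profile carries to the next workstation.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$protectDir = Join-Path $env:APPDATA ("Microsoft\Protect\" + $sid)
Write-Host ("DPAPI master key folder: {0} (exists: {1})" -f $protectDir, (Test-Path $protectDir))

# Assumption: RSAT ActiveDirectory module available. Check the user's roaming profile path.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $adUser = Get-ADUser -Identity $env:USERNAME -Properties ProfilePath
    if ([string]::IsNullOrEmpty($adUser.ProfilePath)) {
        Write-Warning "No roaming profile path set; DPAPI-protected data will not follow this user to other machines."
    } else {
        Write-Host ("Roaming profile path: {0}" -f $adUser.ProfilePath)
    }
}
```

Run the script as the user in question on two workstations: on a machine where the profile (and therefore the Protect folder) has not roamed, the Unprotect call fails with a CryptographicException, which is the condition that would force a key recovery if DPAPI were the only protection method.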