Configuring Citrix Password Manager 4.x Administrative Access without being a Domain Administrator

Document ID: CTX107690   /   Created On: Sep 20, 2005   /   Updated On: Oct 26, 2007

This article discusses the process for delegating administration of a Citrix Password Manager central store to a group or user account that is not a domain administrator. By default, the Citrix Password Manager installation assumes the Password Manager Administrator is also a domain administrator. When that assumption is not true, this article can be used as a guide to set up the necessary permissions for the Password Manager Administrator account to operate as a delegate.

The reader is assumed to have created a Password Manager Administrator account or Password Manager Admins group that contains the user accounts with administrative permissions. That user or group is granted permissions to configure, maintain, and manage a Password Manager deployment. Since groups allow for easier management, the Password Manager Administrator user or group is collectively referred to as the Password Manager Admins group throughout the remainder of the document.

Configuring Access to the Central Store

The central store repository is divided into two areas. The synchronization area is a location that the agents contact to obtain agent settings and also store their encrypted credentials. By default, the synchronization location is secured such that only Password Manager Admins and the individual user can access the data. The administrative data area is a central location where the console stores the administrative configurations that are used to create the agent settings for the users, including application definitions, password policies, identity verification, and so on. By default, the administrative data location is secured such that only Password Manager Admins have access to the folder.

The set of delegation steps depends on where your central store resides. The configuration and setup for both types of central store hosts (NTFS file share or Microsoft Active Directory) are described below.

NTFS File Share

Storage Structure

With a file share host, up to three folders (found in the root of the central store share) are used to store the different areas of the central store repository. The synchronization location is kept in a folder called People in the root of the central store share. Under the People folder, each user has their own folder with appropriate permissions for reading and writing their credential data. Administrators have permissions to add and remove agent settings from the individual user’s folders.

The administrative data is kept in a folder called CentralStoreRoot in the root of the central store share. By default, only administrators have permissions to read and write data within the CentralStoreRoot folder.

The domain hierarchy data are kept in a folder named using the NetBIOS name of the domain. This folder is only present when using NT or Active Directory domains for primary authentication with the file share and contains the user configuration settings when they are assigned to organizational units or individual users. The folder contains sub-folders that are named using the SID of the OU or user to which the settings should be applied. By default, only administrators have permissions to read and write data within the domain folder. Users have read permissions for this folder, so they can locate the settings that apply to them.

Depending on the type of file share host, the types of permissions granted will be different.

By default, no permissions are allowed to propagate from root share to the child folders CentralStoreRoot and People. However, permissions assigned at the root folder are allowed to propagate to the domain folder. The CTXFILESYNCPREP tool automatically grants Full Control to the local Administrators group for both the CentralStoreRoot and People sub-folders and removes all permissions for Authenticated Users. No other folders are created by CTXFILESYNCPREP.

The MetaFrame Password Manager agent is responsible for creating all the sub-folders inside the People folder and upon creation sets the permissions of the folder to Modify for the Creator/Owner and enables inheritable permissions to propagate from the parent folder.

All remaining folders in the central store repository are created by the Console during use as necessary. The console creates the CentralStoreRoot/AdminConsole folder during discovery and if an NT or AD Domain is used, it will create a folder in the root of the central store share. The console automatically grants the current user Modify permissions for every folder created and leaves the propagation flag for inheritance enabled.

Delegation Setup

Although Local & Domain Administrators are configured by the Citrix prep tools to have write access to the appropriate folders, any additional accounts will need to have permissions explicitly granted to them. For the most part, granting the permissions at the appropriate level allows access to the Password Manager Admins account. To grant permissions, follow these steps:

1. Run CTXFILESYNCPREP to create the root share and the two sub-folders, People and CentralStoreRoot. If the folders are already created, proceed to the next step.

2. Grant the Password Manager Admins account Full Control of the root share folder and both the sub-folders inside the shared folder (CentralStoreRoot & People).

3. Log on as a Password Manager Admin and launch the console. This causes all subsequent folders and objects to be created with the appropriate Password Manager Admins permissions automatically.

4. Verify the appropriate permissions are added to the AdminConsole folder.
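The same four steps as a script, added here as an example and not part of the Citrix article or its prep tools: CTXFILESYNCPREP is still run by hand first, and the share path and group name are assumptions.

```powershell
# Added example (not Citrix tooling): steps 1-4 of the NTFS delegation setup.
$CentralStore = 'D:\PMCentralStore'                 # assumed root share folder
$AdminsGroup  = 'EXAMPLE\Password Manager Admins'   # assumed group name

function Grant-FullControl {
    param([string]$Path, [string]$Identity)
    $acl  = Get-Acl -Path $Path
    # Full Control on this folder and everything below it (files and sub-folders)
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# $true when $Identity holds an Allow entry (explicit or inherited) that covers
# every bit in $Rights; used to check the console-created AdminConsole folder.
function Test-HasRights {
    param([string]$Path, [string]$Identity,
          [System.Security.AccessControl.FileSystemRights]$Rights)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $Identity -and
            (($ace.FileSystemRights -band $Rights) -eq $Rights)) { return $true }
    }
    return $false
}

# Step 2: CTXFILESYNCPREP blocks inheritance from the root into People and
# CentralStoreRoot, so the grant has to be made on each of the three folders.
foreach ($folder in @($CentralStore, "$CentralStore\People", "$CentralStore\CentralStoreRoot")) {
    Grant-FullControl -Path $folder -Identity $AdminsGroup
}

# Step 3 is interactive: log on as a Password Manager Admin and run the console
# once so it creates CentralStoreRoot\AdminConsole (and a domain folder, if any).

# Step 4: the console grants Modify to the user that created AdminConsole and
# leaves inheritance on, so the group's Full Control from step 2 should appear.
$adminConsole = "$CentralStore\CentralStoreRoot\AdminConsole"
if (-not (Test-Path -Path $adminConsole)) {
    Write-Warning "$adminConsole does not exist yet; run the console as a Password Manager Admin first"
} elseif (Test-HasRights -Path $adminConsole -Identity $AdminsGroup -Rights Modify) {
    "OK: $AdminsGroup has at least Modify on $adminConsole"
} else {
    Write-Warning "$AdminsGroup lacks Modify on $adminConsole; re-check step 2 and the folder's inheritance flag"
}
```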

Further Delegation

You may wish to further delegate or control permissions by individually modifying the permissions on the appropriate folders within the file folder hierarchy. Be aware that the access permissions do not take effect until the user logs off and logs back on again and then re-launches the console. In addition, each time the Password Manager Admins permissions change, the Password Manager Admin should re-run discovery to refresh the object cache and display only objects to which the user has access. Should the Password Manager Admin choose not to run discovery, the access permissions are still enforced, since the Console verifies permissions before each read or write from the Console.

NOTE: In a file share environment, the central store proxy account needs to be a member of the Local Administrators group on both the server hosting the central store and on the server hosting the Password Manager service. If not, the service may create objects, like TKR, that cannot be accessed at a later date.

Active Directory

Schema Preparation

The schema preparation tool, CTXSCHEMAPREP.EXE, must still be run by a member of the Schema Administrators group for the target forest. This tool adds several classes and attributes to the forest schema allowing Citrix Password Manager to store user configuration data and encrypted credential information as objects inside Active Directory.

Domain Preparation

The domain preparation tool, CTXDOMAINPREP.EXE, must still be run by a member of the Domain Administrators group for the target domain.

When run without specifying a location, CTXDOMAINPREP affects the entire domain. However, if necessary the tool can be run on a per OU basis. To only prepare an individual OU, provide the relative distinguished name of the OU on the command-line following the executable name. For example, to apply the permissions to the Users container, use the following command:

CTXDOMAINPREP CN=Users

Note the full distinguished name (CN=Users,DC=Example,DC=com) is not used, because the tool automatically appends the distinguished name for the domain. If you run this command for more than one OU within the domain, you may receive a message indicating a previous installation was found. This is normal behavior, as the tool expects to create the Central Store location each time it is executed.

Storage Structure

With an Active Directory host for the central store repository, the synchronization and domain hierarchy data are stored in the individual containers for users and organizational units. The administrative data is stored in an application data partition found under the domain root and can be viewed using ADSI Edit (available from www.microsoft.com), by opening the appropriate domain and navigating down the following containers: Program Data, Citrix, MetaFrame Password Manager, CentralStoreRoot.

For Password Manager Admin access, the administrator will need the appropriate permissions to the following containers:

• CN=CentralStoreRoot,CN=MetaFrame Password Manager,CN=Citrix,CN=Program Data

• Organizational Unit (OU) containers to be managed

• User containers to be managed

By default, “Allow inheritable permissions from parent to propagate to this object” is set for all objects in the Program Data, MetaFrame Password Manager, and CentralStoreRoot containers. Therefore, any permissions delegated at the root of the Program Data container flow down to the CentralStoreRoot container.

The CTXDOMAINPREP tool assigns Full Control to the Domain Admins group and SYSTEM account as well as restricting Authenticated Users to Read and allowing the SELF account to create and delete Citrix SSO objects. For more information on the exact permissions assigned, see the Password Manager Administrator’s Guide, Chapter 4.

      NOTE: By design, the Domain Administrator account has “Allow inheritable permissions from parent to propagate to this object” disabled. This setting prevents the domain administrator from using Automatic Key recovery and Self-service Password Reset functionality.

Delegation Setup

All administrators accessing the central store need the same set of permissions. In an environment with multiple administrators, the recommended method is to create a Password Manager Admins group with permissions for the central store. After creating the Password Manager Admins group, assign the necessary central store permissions by following these steps:

    1. Using ADSI Edit, navigate to the Program Data > Citrix > MetaFrame Password Manager > CentralStoreRoot container.

    2. Right-click and choose Properties from the context menu.

    3. Select the Security tab.

    4. Click Advanced…

    5. Click Add and enter the Password Manager Admins group in the Name field.

    6. Set the Apply Onto field to: “This object and all Child Objects”

    7. Select the Allow check box for each of the following permissions:

      • List Contents

      • Read All Properties

      • Write All Properties

      • Delete

      • Delete Subtree

      • All Validated Writes

      • Create All Child Objects

      • Delete All Child Objects

    8. Click OK to close the Permission Entry dialog.

    9. Click OK to close the Permission Entry dialog.

    10. Click OK to close the Access Control Setting dialog.

    11. Click OK to close the CentralStoreRoot properties dialog.

    12. Add all user accounts that need to administer Citrix Password Manager to the Password Manager Admins group.

Delegated Permissions

For each user account that will be a Password Manager admin, you must delegate control of the domain, OUs, or user accounts the Password Manager administrator manages. Remember, if the user account manages all user accounts or domain-level settings, they need to have control delegated at the root of the domain. To delegate permissions for a user or group account, follow these steps:

    1. Using ADSI Edit, navigate to the OU or domain object for the delegated permissions.

    2. Right-click on the OU or domain name (for domain-level permissions) and select Properties.

    3. Select the Security tab.

    4. Click Advanced…

    5. Click Add and enter the Password Manager Admins account in the Name field that will have administrator permissions for this OU or domain and then click OK.

    6. Set the Apply Onto field to: “This object and all Child Objects”

    7. Select the Allow check box for each of the following permissions:

      • Create citrix-SSOConfig Objects

      • Delete citrix-SSOConfig Objects

      • Create citrix-SSOLicense Class Objects

      • Delete citrix-SSOLicense Class Objects

    8. Click OK.

    9. Click Add and enter the Password Manager Admins account in the Name field that will have administrator permissions for this OU or domain and then click OK.

    10. Set the Apply Onto field to: “User objects”

    11. Select the Allow check box for Full Control.

    12. Click OK.

    13. To grant Full Control for the citrix objects, repeat steps 9-12 changing the Apply Onto field from “User objects” to each of the following object types:

      • citrix-SSOConfig objects

      • citrix-SSOLicenseClass objects

      • citrix-SSOSecret objects

    14. Click OK to close the Access Control Setting dialog.

    15. Click OK to close the OU Properties dialog.

      NOTE: citrix-SSOLicense Class Objects are for MetaFrame Password Manager 2.x only.

      NOTE: The Active Directory Users & Computers MMC Snap-in does not provide access to all of the Citrix class objects. The steps above need to be completed using ADSI Edit. Also, in testing we have found the Delegate Control wizard may not properly assign the correct permissions, so using ADSI Edit is recommended.

Further Delegation

Further delegation can be accomplished by granting granular access to the individual objects within the central store and the individual OU’s as necessary. When modifying permissions, remember the administrators should run discovery to obtain the latest list of objects in the central store along with their associated permissions.

Running the Console

Launching the console as the Password Manager Admins account for the first time causes all objects to inherit the permissions from the original CentralStoreRoot folder. When running the console with a delegated administrator, remember the current user must have access to all the locations and containers where an object is stored or the update will fail. This means that delegated administrators cannot update global objects (like IVQ) unless they have access to all the user accounts and OUs where the global object is used.

WARNING: Due to a known issue, the Citrix Password Manager 4.x console will only check permissions on the CentralStore object before performing the delete. If the administrative user does not have permissions to delete user objects in the OU, the object will be left in the OU and removed from the Central Store.

Using the ADT as a Password Manager Admin

The console automatically uses the credentials of the logged on user for access to Active Directory. The same permissions for the full ASC Console are also required when accessing the Central Data Store through the ADT. If an application definition is used in Application groups that are deployed, the Password Manager Admin needs permissions to write objects to those containers where the application definition is being used.

Configuration of the Password Manager Service

Depending on the modules installed in the Password Manager Service, you may need to complete different delegation steps. Each of the modules and the associated changes are discussed below.

Data Integrity

When using the Citrix Password Manager Service, you need to grant access to the Password Manager Admins group to authenticate to the service if the optional Data Integrity Assurance feature is enabled. To grant access for the Password Manager Admins to sign data settings, complete the following steps:

    1. Launch Notepad.

    2. Open the httpd.conf file found at %ProgramFiles%\Common Files\Citrix\XTE\conf.

    3. Locate the XML section titled <Files AuthenticatedWS.asmx>.

    4. Add another require group statement below the Domain Admins statement specifying the domain name and the name of the Password Manager Admins group, like this:

      require group "DOMAINNAME\\Password Manager Admins"

    5. Save and close the httpd.conf file.

      WARNING: The ServiceConfigurationTool.exe automatically replaces the httpd.conf file each time it is used to make changes to the service configuration. Manually complete the steps above after using the ServiceConfigurationTool to make changes to the Password Manager service.
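Because ServiceConfigurationTool.exe overwrites httpd.conf, the edit in steps 2-5 is worth scripting so it can be re-run unchanged. The following is an added example, not Citrix tooling; it assumes the Domain Admins line reads `require group "...Domain Admins"` and takes the group name as a parameter.

```powershell
# Added example (not Citrix tooling): inserts the "require group" line for the
# Password Manager Admins group inside <Files AuthenticatedWS.asmx>, directly
# below the existing Domain Admins line. Returns $true when the file was changed
# and $false when the line is already present, so it is safe to run after every
# ServiceConfigurationTool change.
function Add-PmAdminsRequireGroup {
    param(
        [string]$ConfPath = "$env:ProgramFiles\Common Files\Citrix\XTE\conf\httpd.conf",
        [string]$Group = 'DOMAINNAME\\Password Manager Admins'   # assumed; backslash doubled as in httpd.conf
    )
    $lines     = @(Get-Content -Path $ConfPath)
    $wanted    = 'require group "' + $Group + '"'
    $inSection = $false
    $insertAt  = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        $line = $lines[$i]
        if ($line -match '^\s*<Files\s+AuthenticatedWS\.asmx\s*>') { $inSection = $true; continue }
        if (-not $inSection) { continue }
        if ($line -match '^\s*</Files\s*>') { break }              # end of the section
        if ($line.Trim() -eq $wanted) { return $false }            # already delegated
        if ($line -match '^\s*require\s+group\s+".*Domain Admins"\s*$') { $insertAt = $i }
    }
    if ($insertAt -lt 0) {
        throw "No 'require group ... Domain Admins' line inside <Files AuthenticatedWS.asmx> in $ConfPath"
    }
    Copy-Item -Path $ConfPath -Destination "$ConfPath.bak" -Force   # keep a copy before editing
    $indent = [regex]::Match($lines[$insertAt], '^\s*').Value      # reuse the Domain Admins indentation
    $head   = $lines[0..$insertAt]
    $tail   = if ($insertAt + 1 -lt $lines.Count) { $lines[($insertAt + 1)..($lines.Count - 1)] } else { @() }
    Set-Content -Path $ConfPath -Value ($head + ($indent + $wanted) + $tail)
    return $true
}

if (Add-PmAdminsRequireGroup) {
    'httpd.conf updated; restart the Citrix XTE Service to apply it'
} else {
    'Password Manager Admins already listed in httpd.conf; nothing changed'
}
```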

Automatic Key Recovery

If the deployment includes using the Password Manager Service for Automatic Key Recovery, you need to configure a data proxy account that has access to the central store and all the OUs that contain the Password Manager user accounts.

Adding the data proxy account to the Password Manager Admins group grants access to the central store. You then need to delegate control to the data proxy account at the appropriate domain-level, OU-level, or shared folder resource by completing the steps in the delegation section for the appropriate central store type.

In the file share environment, the data proxy account should be a member of the Local Administrators group on the server hosting the file share. In the Active Directory environment, the data proxy account is granted the appropriate permissions by completing the steps outlined above in the “Delegated Permissions” section of this document for the data proxy account.

Self-Service Password Reset

If the deployment includes using the Password Manager Service for Self-service Password Reset, you will need to configure a data proxy account that has access to the central store and all the OUs that contain the Password Manager user accounts.

Adding the data proxy account to the Password Manager Admins group grants access to the central store. You then need to delegate control to the data proxy account at the appropriate domain-level, OU-level, or shared folder resource by completing the steps in the delegation section for the appropriate central store type.

In the file share environment, the data proxy account should be a member of the Local Administrators group on the server hosting the file share. In the Active Directory environment, the data proxy account is granted the appropriate permissions by completing the steps outlined above in the “Delegated Permissions” section of this document for the data proxy account.

Password Reset Account

For most deployments, the data proxy account has full control of user objects, and can be used as the Password Reset account. However, if a separate, more restricted account is desired, the following steps may be followed to grant the minimum necessary permissions to the Password Reset Account in Active Directory.

    1. Using ADSI Edit, navigate to the OU or domain object for the delegated permissions. (The domain object is recommended for password reset).

    2. Right-click on the OU or domain name (for domain-level permissions) and select Properties.

    3. Select the Security tab.

    4. Click Advanced…

    5. Click Add, enter the Password Reset account in the Name field, and then click OK.

    6. Set the Apply Onto field to: “User objects”

    7. Select the Allow check box for the following Permissions:

      • Read All Properties

      • Write All Properties

      • Read Permissions

      • Modify Permissions

      • Reset Password

    8. Click OK to close the Permissions dialog.

    9. Click OK to close the Access Control Setting dialog.

    10. Click OK to close the OU Properties dialog.
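The ADSI Edit procedures in the Active Directory “Delegation Setup”, “Delegated Permissions” and “Password Reset Account” sections above, written as one PowerShell script. This is an added example, not the Citrix article's own tooling; it assumes the RSAT ActiveDirectory module, a central store already prepared by CTXSCHEMAPREP and CTXDOMAINPREP, and the group, account and OU names given at the top. The two fixed GUIDs are the well-known schemaIDGUID of the user class and the User-Force-Change-Password (Reset Password) extended right.

```powershell
# Added example (not Citrix tooling): ADSI Edit delegation steps as ACEs.
Import-Module ActiveDirectory
$Domain    = Get-ADDomain
$RootDse   = Get-ADRootDSE
$Admins    = 'EXAMPLE\Password Manager Admins'          # assumed group
$ResetAcct = 'EXAMPLE\svc-pwreset'                      # assumed Password Reset account
$Ou        = "OU=Staff,$($Domain.DistinguishedName)"    # assumed OU to delegate
$UserClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'user'
$ResetPwd  = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # Reset Password extended right

# schemaIDGUID of a class, needed to scope an ACE to one object type.
function Get-SchemaClassGuid {
    param([string]$LdapDisplayName)
    $cls = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $cls) { throw "class $LdapDisplayName not in the schema; run CTXSCHEMAPREP first" }
    return [guid]$cls.schemaIDGUID
}

# Append one Allow ACE. -ObjectType limits the right to one class or extended right;
# -Inherit Descendents with -InheritedType is ADSI Edit's "Apply onto: <class> objects";
# the default (All) is "This object and all Child Objects".
function Add-AdAce {
    param([string]$Dn, [string]$Identity,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'All',
          [guid]$ObjectType = [guid]::Empty, [guid]$InheritedType = [guid]::Empty)
    $sid  = [System.Security.Principal.NTAccount]::new($Identity).Translate([System.Security.Principal.SecurityIdentifier])
    $acl  = Get-Acl -Path "AD:\$Dn"
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inherit, $InheritedType)
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# Delegation Setup: the CentralStoreRoot container, this object and all child objects.
$CsRoot = "CN=CentralStoreRoot,CN=MetaFrame Password Manager,CN=Citrix,CN=Program Data,$($Domain.DistinguishedName)"
Add-AdAce -Dn $CsRoot -Identity $Admins `
    -Rights 'ListChildren,ReadProperty,WriteProperty,Delete,DeleteTree,Self,CreateChild,DeleteChild'

# Delegated Permissions on the OU: create/delete citrix-SSOConfig objects, then Full
# Control over user and Citrix objects beneath it (citrix-SSOLicenseClass only for 2.x).
$SsoConfig = Get-SchemaClassGuid 'citrix-SSOConfig'
Add-AdAce -Dn $Ou -Identity $Admins -Rights 'CreateChild,DeleteChild' -ObjectType $SsoConfig
foreach ($cls in @($UserClass, $SsoConfig, (Get-SchemaClassGuid 'citrix-SSOSecret'))) {
    Add-AdAce -Dn $Ou -Identity $Admins -Rights GenericAll -Inherit Descendents -InheritedType $cls
}

# Password Reset Account: least privilege on user objects at the domain root
# (read/write properties, read/modify permissions, and the Reset Password right).
Add-AdAce -Dn $Domain.DistinguishedName -Identity $ResetAcct -Inherit Descendents `
    -InheritedType $UserClass -Rights 'ReadProperty,WriteProperty,ReadControl,WriteDacl'
Add-AdAce -Dn $Domain.DistinguishedName -Identity $ResetAcct -Inherit Descendents `
    -InheritedType $UserClass -Rights ExtendedRight -ObjectType $ResetPwd
```

As the article notes, delegated administrators should log off and back on and re-run discovery after these ACEs change before the console reflects them.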

Use the ServiceConfigurationTool executable to modify the Password Reset account. Remember, if Data Integrity Assurance is enabled, the httpd.conf file needs to be modified again to add the Password Manager Admins group. When complete, restart the Citrix XTE Service.

