Readme for Citrix Password Manager, Version 4.1
Introduction
Readme Version: 1.3
Notes: For the latest service packs and critical updates for Citrix products, see http://support.citrix.com/criticalupdates.
For information about new features and system requirements, see the product administration guides.
To view, search, and print the PDF documentation, you need Adobe Reader (supported versions: Acrobat Reader 5.0.5 with Search through Adobe Reader 7.0). You can download Adobe Reader for free from the Adobe Systems Web site. Documentation is available on the Citrix Knowledge Center Web site (select Product Documentation). Updates to Citrix technical manuals are posted on the Web site.
Administrator's Guide
Citrix Password Manager includes several documentation files to assist you in your use of the product. The English-language documentation files are available from the \Documentation folder of the Citrix Password Manager CD-ROM.
Documentation for other languages is on the Citrix Knowledge Center Web site (select Product Documentation).
Licensing Documentation
Licensing documentation is available from the Documentation folder on all product CD-ROMs. For Citrix Presentation Server, licensing documentation is also available from the Document Center. For licensing-related issues, see the Readme for Citrix Access Suite Licensing.
Documentation for other languages is on the Citrix Knowledge Center Web site (select Product Documentation).
Citrix provides technical support primarily through Citrix Solutions Advisor. Contact your supplier for first-line support or use Citrix Online Technical Support to find the nearest Citrix Solutions Advisor.
Citrix offers online technical support services on the Citrix Support Web site. The Support page includes links to downloads, the Citrix Knowledge Center, Citrix Consulting Services, and other useful support pages.
The following is a list of known issues in this release. READ IT CAREFULLY BEFORE INSTALLING THE PRODUCT.
Important: Before you install this product, make sure you consult the Installation Update Bulletin and the Installation Checklist.
The bulletin offers late-breaking information and links to critical updates to server operating systems and to Citrix installation files. Download and install the updates or you may not be able to properly install this product.
Supported Version of Microsoft .NET Framework
The Citrix Password Manager Console is supported in environments running the Microsoft .NET Framework, Version 1.1, Service Pack 1. If any later version of the Microsoft .NET Framework is installed on a computer that has the Citrix Password Manager Console installed, the console displays an error message and does not run. To continue using the Password Manager Console, you have two options:
• Uninstall the unsupported version of the Microsoft .NET Framework from the computer
—Or—
• Create (or modify, if it already exists) a configuration file in the System32 folder named mmc.exe.config, which contains a directive that forces all .NET MMC snap-ins to use the .NET Framework Version 1.1, Service Pack 1. The following is an example of the configuration file contents, specifying the supported version of the .NET Framework:
    <?xml version="1.0" encoding="utf-8" ?>
    <configuration>
        <startup>
            <supportedRuntime version="v1.1.4322"/>
        </startup>
    </configuration>
[#126456]
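The "create (or modify, if it already exists)" step above can be scripted so that an existing mmc.exe.config keeps its other settings. The following PowerShell is an added example, not part of the Citrix readme or product; the function name, the .bak backup copy, and the removal of other supportedRuntime entries are assumptions made for illustration.

```powershell
# Added example (not Citrix code): pin .NET MMC snap-ins to the supported runtime.
# Run from an elevated prompt; the System32 folder is writable only by administrators.
function Set-MmcSupportedRuntime {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = (Join-Path $env:SystemRoot 'System32\mmc.exe.config'),
        [string]$Version = 'v1.1.4322'   # value given in the readme
    )

    # Resolve to an absolute file system path so the .NET XML calls agree with PowerShell.
    $Path = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Path)
    $exists = Test-Path -LiteralPath $Path

    $doc = New-Object System.Xml.XmlDocument
    if ($exists) {
        $doc.Load($Path)    # modify case: every other setting in the file is preserved
    } else {
        $doc.LoadXml('<?xml version="1.0" encoding="utf-8"?><configuration />')
    }

    $config = $doc.DocumentElement
    if ($config.LocalName -ne 'configuration') {
        throw "$Path does not have a <configuration> root element; not modified."
    }

    $startup = $config.SelectSingleNode('startup')
    if ($null -eq $startup) {
        $startup = $config.AppendChild($doc.CreateElement('startup'))
    }

    # Assumption: only the supported version should be listed, so any other
    # supportedRuntime entries are dropped before the pinned one is added.
    foreach ($node in @($startup.SelectNodes('supportedRuntime'))) {
        [void]$startup.RemoveChild($node)
    }
    $runtime = $doc.CreateElement('supportedRuntime')
    $runtime.SetAttribute('version', $Version)
    [void]$startup.AppendChild($runtime)

    if ($PSCmdlet.ShouldProcess($Path, "Set supportedRuntime to $Version")) {
        if ($exists) {
            # Keep a copy of the previous file so the change can be reverted.
            Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
        }
        $doc.Save($Path)
    }
}

# Preview the change without writing anything:
# Set-MmcSupportedRuntime -WhatIf
```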
This section includes information for the following items:
Citrix Password Manager Service
Citrix Password Manager Console
Citrix Password Manager Agent Software
Citrix Password Manager Central Store
Citrix Password Manager Service
Citrix Password Manager Service Performance Enhancements
In some cases, the Citrix Password Manager Service may process requests more slowly than expected. If this happens in your environment and you are running the service on Windows 2000 Server, you may be able to gain performance by upgrading your operating system to Windows Server 2003 and modifying the default Pooling & Recycling settings. The performance gains will be noticed only by increasing the default Application Pooling Size and Application Recycling Lifetime Limit settings for the Citrix Password Manager Data Proxy COM+ application, located in the Component Services MMC snap-in. [#126313]
Agent Software Cannot Connect to Citrix Password Manager Service After the Computer Running the Service Restarts
In environments that use the Citrix Password Manager Service, if the computer running the service uses DHCP, the agent software will fail to connect to the service when the computer running the service is restarted and obtains a new IP address. This issue can be avoided by assigning a static IP address to the computer that runs the Citrix Password Manager Service. If the issue does occur, it can be fixed by running the command ipconfig /flushdns from a command line on the computer running the agent software and then restarting the agent software. [#126501]
Data Proxy Account Permissions
When using a module of the Citrix Password Manager Service that requires a data proxy account, it is critical to ensure that the account has adequate rights and permissions to update the required information. When using an Active Directory central store and a non-administrative data proxy account, by default, your specified data proxy account does not have permissions to update members of the Domain Administrators group. This is because members of the Domain Administrators group by default do not "Allow Inheritable permissions from the parent to propagate to their objects." Therefore, you must either allow Inheritance or, alternatively, you can grant the data proxy account explicit permissions to the users' containers, allowing the data proxy account to perform the requested operations. [#126882]
Citrix Password Manager Console
Removing the Console Software
To uninstall the Password Manager console, select Password Manager from the Add or Remove Programs wizard in the Control Panel of your server. Click Change to start the Citrix Password Manager Console Setup wizard. Select Remove, then click Next to begin the removal process. [#129011, #125055]
Citrix Password Manager Agent Software
Removing Data from Client Devices
When you uninstall the Password Manager agent software from a client device, some data remains on the client device; in some circumstances this data may cause a new installation of the agent software to direct a user to an incorrect central store in a multiple central store environment.
To prevent this from occurring, delete the .mmf files created for each user on the client device, as well as the HKEY_CURRENT_USER information for each user from the client device. [#128293, #128929]
Citrix Password Manager Central Store
Renaming Users in an NTFS Network Share Central Store
In Password Manager 2.5 and 4.0 environments that do not use the Citrix Password Manager Service, the agent software operates normally when a primary user name is changed. In Password Manager 4.0 environments that use the Citrix Password Manager Service and in Password Manager 4.1, however, the current primary user name is always required to match the user with the stored Password Manager data. In environments that use an NTFS network share central store, a user name change results in the primary user name being out of synchronization with the user's central store data folder. Consequently, when the user logs on, the agent software does not associate the existing user's data folder with the new user name, creates a new data folder, and prompts the user to register for Password Manager. To avoid this and to keep the agent operating normally when the user logs on for the first time with the new primary user name, change the user's data folder name in the central store to match the new primary user name.
Note: if Password Manager 2.5 and 4.0 agents remain deployed and active in your environment, those versions of the agent software do not recognize the new data folder name. When a user logs on to these versions of the agent software after a primary user name and data folder name change, the agent software registers the user for first time use. For best results, upgrade all deployed instances of the agent software to Version 4.1. [#126339]
Legacy Objects in an Active Directory Central Store
In Password Manager Versions 2.0, 2.5, and 4.0, the schema extension utility added Active Directory objects named citrix-SSOLicenseAttribute and citrix-SSOLicenseClass. Those objects were required to support product licensing for Password Manager Versions 2.0 and 2.5. If you upgraded your Password Manager environment from one of those versions, those objects remain in your schema; however, if all of the Password Manager software (both console and agent) deployed in your environment is Version 4.0 or 4.1, the objects are obsolete. [#132105]
Hot Desktop, Smart Cards, and Key Recovery
If you deploy Hot Desktop in an environment where users log on with smart cards and your selected smart card key source is DPAPI with Profile, do not select Prompt user to enter the previous password as the only key recovery method for those users. If users in such an environment are required to enter their previous password for key recovery, they cannot enter the correct password and are irretrievably locked out of the system. To avoid this problem, select the key recovery option for automatic key recovery or make question-based authentication available as an option. [#124804]
Hot Desktop and Environment Variables
When running Hot Desktop session start/stop scripts; password expiration scripts; or any other scripts, executable files, or batch files from within a Hot Desktop user session, the following environment variables are not supported: APPDATA, HOMEDRIVE, HOMEPATH, HOMESHARE, and LOGONSERVER. If any of the unsupported variables are used, the script, application, or executable file may fail to run. To avoid this problem, applications should not access unsupported environment variables while running in a Hot Desktop user session. [#126161]
Hot Desktop User Receives Error Message During Registration
When a user in a Hot Desktop session takes longer than 30 seconds to complete Password Manager Registration, the agent software will return an error message stating that "A problem occurred during session startup. Details have been placed in the Event Log. Please contact your systems administrator." The corresponding event written to the event log is EventID 253 and the description reads "The current Hot Desktop session could not be started."
Caution: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
While these errors have no effect on either the workstation or the user's Hot Desktop session, these messages can be avoided by increasing the setting for the time allowed to complete Password Manager Registration. To adjust this setting, it is necessary to change a value in the system registry on the computer running the agent software. The registry setting, MPMLaunchWaitSecs, is found in HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Hot Desktop\Gina\. If this setting does not exist, add it to this registry location with a DWORD value, measured in seconds, of the time you want to allow users to register their answers. If the setting does exist, adjust it as needed to meet the requirements of your environment. [#126492]
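The registry change described above can be applied consistently across agent workstations with a script. The following PowerShell is an added example, not part of the Citrix readme or product; the function name and the accepted range of values are assumptions, while the key path and value name are the ones given above.

```powershell
# Added example (not Citrix code): set the Hot Desktop registration timeout.
# Run from an elevated prompt on the computer running the agent software.
function Set-HotDesktopRegistrationTimeout {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateRange(1, 86400)]   # assumed sanity bounds, not documented limits
        [int]$Seconds
    )

    $key  = 'HKLM:\SOFTWARE\Citrix\MetaFrame Password Manager\Hot Desktop\Gina'
    $name = 'MPMLaunchWaitSecs'

    # Do not create the key on a machine that has no Hot Desktop agent installed.
    if (-not (Test-Path -LiteralPath $key)) {
        throw "Registry key '$key' not found; nothing was changed."
    }

    # Record the current value (null when the setting does not exist yet).
    $previous = (Get-ItemProperty -LiteralPath $key -Name $name `
                    -ErrorAction SilentlyContinue).$name

    if ($PSCmdlet.ShouldProcess("$key\$name", "Set DWORD to $Seconds")) {
        # -Force creates the value if it is missing and overwrites it if present,
        # always as a DWORD as the readme requires.
        New-ItemProperty -LiteralPath $key -Name $name -PropertyType DWord `
            -Value $Seconds -Force | Out-Null
    }

    # Return before/after values so the change can be logged or reverted.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Previous  = $previous
        Requested = $Seconds
        Current   = (Get-ItemProperty -LiteralPath $key -Name $name `
                        -ErrorAction SilentlyContinue).$name
    }
}

# Preview on one workstation, then apply:
# Set-HotDesktopRegistrationTimeout -Seconds 90 -WhatIf
# Set-HotDesktopRegistrationTimeout -Seconds 90
```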
Hot Desktop and Fast User Switching
If Hot Desktop is installed on a client device running Windows XP that belongs to a workgroup, the option for fast-user switching is disabled. [#128930]
Upgrading the Installed JRE
The Password Manager Console and Agent support Java application and applet detection in part by modifying some of the DLL files in the Java program installation. If, after installing the console or the agent, the Java installation is upgraded, Repair the console or agent software installation from the Windows Control Panel. Citrix Password Manager 4.1 supports JRE 1.4 and 1.5. [#125306]
Multiple Executable Files Can Launch a Single Java Application
The executable file java.exe or javaw.exe can be used to launch the same Java application. However, if the Java application definition identifies only one executable file name, the agent software will not respond when the other executable file is used to launch the application. To avoid this problem, add both executable file names to the Windows application definition for your Java application. [#126044]
Key Recovery Method and Blank Primary Passwords
If your environment allows blank Windows passwords, do not use Previous Password as the only key recovery method. Doing so can result in user lockouts, rendering the user's secondary credentials stored in Password Manager unrecoverable. [#104473]
Agent Submits Credentials to Host Application Unexpectedly
In some cases, the agent software may submit credentials to a host application form that was ignored in earlier versions of Password Manager. This may be caused by a change to the SSOMHO process that enhances the agent software's form recognition for host applications. If this occurs, edit the application definition in the Password Manager console. Add a form definition for the form to be ignored. In the Form Definition Advanced Settings, use the Ignore Match setting to identify a unique text string on the host application screen that is used to ensure that the agent does not submit credentials on that form. [#111460]
Nexus Terminal on Windows 2003 Server x64
When the Nexus Terminal is installed on a computer running Windows 2003 Server x64, the agent software does not submit credentials to the host application due to an outdated entry in the mfrmlist.ini file. To correct this issue, open the mfrmlist.ini file and find the entry that reads:
%ProgramFiles%\NMT\niapi.dll
Change the entry to match the absolute path to the location where the Nexus Terminal (and its niapi.dll file) is installed. (For example, C:\Program Files\NMT\niapi.dll.) [#126438]
Removing Queued Provisioning Commands
Commands sent to the Provisioning module cannot be recalled. Once sent, commands remain queued until they are executed by the agent software. If you need to remove a command from the queue, send the opposite command for each user, application, and credential object that must be removed from the queue. [#126502]
Modify Request Fails to Change a Password for Credentials in a Password Sharing Group
When a modifyRequest command is used to change a password that belongs to a credential in a password sharing group, the password change does not propagate to all credentials in the group. To successfully modify the password, you have two options:
• Use an addRequest command instead of a modifyRequest. With the addRequest, add a placeholder application credential to the group. When the agent processes the addRequest with the new password, the new password propagates to all credentials in the password sharing group.
—Or—
• If the administrator knows all of the existing credentials in the password sharing group (user names, passwords, and custom fields), the administrator can use the deleteRequest command to delete all of the credentials from the group and then use the addRequest command to replace all of the deleted credentials.
[#127064]
Ensuring Certificate Availability
The utility CtxCreateSigningCert writes certificate data to two files specified in the command line parameters. The resulting privatekey file must be copied to the Program Files\Citrix\MetaFrame Password Manager\Service\Certificates folder and then renamed PrivateKeyCert.cert. The copied file must be renamed before the data is signed or resigned using the CtxSignData utility. If the privatekey file is not copied and renamed, the CtxSignData utility returns an error message that reads "The certificate cannot be found in the certificate store." Important: Always make backup copies of the PrivateKeyCert.cert and PublicKeyCert.cert files before using the CtxSignData utility. [#126869]
Password History Enforcement
The Self-Service Password Reset (SSPR) feature uses an account with administrative privileges to reset the domain password on behalf of the user. However, Windows domains do not subject such accounts to password history constraints; as a result, password history policies are not enforced.
File not Found
Some of the online help files available with Citrix Password Manager are provided as compiled HTML files (with the extension .chm) in the \Documentation\en folder on the Citrix Password Manager CD-ROM. A change to the Microsoft Internet Explorer security settings in a recent Microsoft update may result in a File not Found error when displaying online help topics from a remote location. To avoid this problem, copy the file from the folder on your Citrix Password Manager CD-ROM to your local computer and open the file.
Citrix Systems, Inc.
851 West Cypress Creek Road
Fort Lauderdale, Florida 33309 USA
954-267-3000
http://www.citrix.com/
Copyright © 2005 Citrix Systems, Inc.