This article describes how to allow users to change their password from Web Interface when using Citrix Access Gateway Enterprise Edition together with Web Interface. Starting with Access Gateway Enterprise 9.2, users can change an expired password, provided the setup described here has been completed. For environments that still run a version earlier than Access Gateway Enterprise 9.2, this change password feature is not available, but you can apply the workaround explained in this article.
This article assumes that you are configuring Access Gateway Enterprise Edition in ICA Proxy mode, or that you have set Web Interface as the home page.
Caution! This customization affects the XenApp or XenDesktop SmartAccess functionality of Access Gateway Enterprise, because Web Interface authenticates the user itself and no longer receives the Access Gateway session information that SmartAccess filtering depends on. In particular:
- Administrators cannot hide applications from external users.
- Administrators cannot disable or enable XenApp or XenDesktop policies based on whether the user connects through Access Gateway.
Access Gateway 9.2 or later: Ensure that the LDAP server accepts secure LDAP (LDAPS) connections; this setup does not work without it.
Access Gateway 9.1 or earlier: When creating the Web Interface site, specify At Web Interface, not Citrix Access Gateway, as the Point of Authentication. Additionally, refer to Knowledge Center article CTX106202 - How to Forward Credentials from Access Gateway 4.x to Web Interface 3.x, 4.x, or 5.x, to replace the login file on the Web Interface site.
To allow users to change an expired password when authenticating at Access Gateway, complete the procedure that matches your Access Gateway version.
Access Gateway 9.2 or later:
1. Open the LDAP authentication profile and ensure that the following settings are enabled:
   - Allow Password Change is selected.
   - TLS or SSL is selected. If TLS is selected, use port 389; for SSL, use port 636. For more information, refer to Citrix eDocs: http://support.citrix.com/proddocs/topic/access-gateway-92/agee-ldap-authen-configure-tsk.html
2. If everything is set correctly, users are prompted to change the password at the next logon when a change is required.
Access Gateway 9.1 or earlier (Web Interface configuration):
1. Create a Web Interface site and specify At Web Interface as the Point of Authentication, as shown in the following screen shot.
   Note: For Web Interface releases earlier than 4.5, you can ignore this step.
2. Ensure that the Web Interface site launches applications successfully from the XenApp environment.
3. Download the AGWISSO.zip file from Knowledge Center article CTX106202 - How to Forward Credentials from Access Gateway 4.x to Web Interface 3.x, 4.x, or 5.x.
4. Extract the contents of the AGWISSO.zip file.
5. Navigate to the folder whose name matches the version of Web Interface installed on the server.
6. Open the Readme.txt file and follow the instructions in it to replace the login file.
7. Open the Citrix Access Management Console for Web Interface.
8. Select Configure Authentication Methods from Common Tasks, as shown in the following screen shot.
9. Ensure that the Explicit option is selected in the Available methods list, as shown in the following screen shot, and then click Properties.
10. Expand the Explicit node in the Properties dialog box.
11. Select Authentication Type and then select Settings.
12. Type the domain information in the Domain list and select the Pre-populated option.
13. Select the Hide Domain box radio button.
    Note: Entering multiple domains in the domain list is currently not supported when Hide Domain box is selected. For additional details, refer to article CTX122972 - How to Configure Setup to Allow Users to Change Passwords when Using Access Gateway Enterprise Edition and Web Interface.
14. Select Password Settings and configure the options that control how users are allowed to change their password, as shown in the following screen shot.
15. Click OK in all the open dialog boxes.
16. Test the Web Interface site without Citrix Access Gateway Enterprise Edition and ensure that you can log on, start applications, and change the password.
Access Gateway Enterprise configuration:
1. Notice that authentication is enabled on the virtual server and that an LDAP authentication policy is bound to it.
2. Create a session policy.
3. Click New for Request Profile.
4. In the Name field, specify a name for the profile.
5. Activate the Client Experience tab.
6. Select Override Global for both Clientless Access and Single Sign-on to Web Applications, as shown in the following screen shot.
7. Select the Single Sign-on to Web Applications option, as shown in the preceding screen shot.
   Note: The Single Sign-on to Web Applications option becomes available only after you select Override Global.
8. Activate the Published Applications tab.
9. Select Override Global for ICA Proxy.
10. From the ICA Proxy list, select ON.
11. Select Override Global for Web Interface Address.
12. Specify the Web Interface address in the Web Interface Address field.
13. Select Override Global for Web Interface Portal Mode.
14. Select Override Global for Single Sign-on Domain.
15. Specify the domain name in the Single Sign-on Domain field.
The following screen shot displays the sample settings mentioned in Step 8 through Step 15.
16. Click OK and close all the open dialog boxes.
17. Bind the policy to the Access Gateway virtual server.
18. From a Web browser, log on to the Web site through Citrix Access Gateway Enterprise.
19. You are redirected to the Web Interface site, as shown in the following screen shot. Notice that the Change Password link is available on the Web Interface site.
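The LDAP profile settings (Allow Password Change only over TLS on 389 or SSL on 636) and the session profile settings (ICA Proxy ON, Web Interface address, Single Sign-on Domain, Single Sign-on to Web Applications) are easy to get wrong when an appliance has many profiles. As an added example, not part of the original article and not Citrix code, the following Python script audits ns.conf-style configuration lines for exactly those settings. The configuration lines are constructed samples; the parameter names (-secType, -passwdChange, -serverPort, -icaProxy, -wihome, -wiPortalMode, -ssoDomain, -SSO) are assumed to be the CLI equivalents of the GUI options described above, and the PLAINTEXT/389 defaults are assumed to apply when a parameter is absent.

```python
"""Audit ns.conf-style lines for the password-change settings this article requires.

Added example, not part of the original article or of any Citrix code.
Assumptions: the sample lines below are constructed, and the option names
match the Access Gateway / NetScaler CLI equivalents of the GUI settings.
"""
import shlex

# Constructed sample of exported configuration lines (not a real export).
SAMPLE_CONFIG = """
add authentication ldapAction ldap_plain -serverIP 10.0.0.5 -serverPort 389 -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc,dc=example,dc=com" -ldapLoginName sAMAccountName -passwdChange ENABLED
add authentication ldapAction ldap_ssl -serverIP 10.0.0.5 -serverPort 636 -ldapBase "dc=example,dc=com" -ldapBindDn "cn=svc,dc=example,dc=com" -ldapLoginName sAMAccountName -secType SSL -passwdChange ENABLED
add authentication ldapAction ldap_tls_badport -serverIP 10.0.0.5 -serverPort 636 -ldapBase "dc=example,dc=com" -ldapLoginName sAMAccountName -secType TLS -passwdChange ENABLED
add vpn sessionAction wi_sso -icaProxy ON -wihome "https://wi.example.com/Citrix/XenApp" -wiPortalMode NORMAL -ssoDomain example -SSO ON
add vpn sessionAction wi_nosso -icaProxy ON -wihome "https://wi.example.com/Citrix/XenApp"
"""

# Port the article pairs with each security type (TLS on 389, SSL on 636).
EXPECTED_PORT = {"TLS": "389", "SSL": "636"}


def parse_line(line):
    """Split one 'add ...' command into (kind, name, options).

    kind is 'ldapAction' or 'sessionAction'; any other line returns None.
    Options are keyed without the leading '-'; value-less flags map to True.
    """
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[0] != "add":
        return None
    if tokens[1:3] == ["authentication", "ldapAction"]:
        kind = "ldapAction"
    elif tokens[1:3] == ["vpn", "sessionAction"]:
        kind = "sessionAction"
    else:
        return None
    name = tokens[3]
    options = {}
    i = 4
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1
            continue
        key = tok[1:]
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            options[key] = tokens[i + 1]
            i += 2
        else:
            options[key] = True
            i += 1
    return kind, name, options


def check_ldap_action(name, opts):
    """Flag password change over plaintext LDAP and type/port mismatches."""
    findings = []
    sec = opts.get("secType", "PLAINTEXT")   # assumed default when absent
    port = opts.get("serverPort", "389")     # assumed default when absent
    if opts.get("passwdChange") == "ENABLED" and sec not in EXPECTED_PORT:
        # The directory refuses password modification over an unencrypted
        # connection, and the old/new password would cross the wire in clear.
        findings.append((name, "Allow Password Change is enabled but security type is %s; select TLS or SSL" % sec))
    if sec in EXPECTED_PORT and port != EXPECTED_PORT[sec]:
        findings.append((name, "security type %s expects port %s but port %s is configured" % (sec, EXPECTED_PORT[sec], port)))
    return findings


def check_session_action(name, opts):
    """Flag session profiles missing the ICA Proxy / SSO settings from the procedure."""
    findings = []
    if opts.get("icaProxy") == "ON" and "wihome" not in opts:
        findings.append((name, "ICA Proxy is ON but no Web Interface Address (-wihome) is set"))
    if opts.get("SSO") != "ON":
        findings.append((name, "Single Sign-on to Web Applications (-SSO) is not ON"))
    if "ssoDomain" not in opts:
        findings.append((name, "no Single Sign-on Domain (-ssoDomain) is set"))
    return findings


def audit_config(text):
    """Return a list of (object name, message) findings for the given config text."""
    findings = []
    for raw in text.splitlines():
        parsed = parse_line(raw.strip())
        if parsed is None:
            continue
        kind, name, opts = parsed
        if kind == "ldapAction":
            findings.extend(check_ldap_action(name, opts))
        else:
            findings.extend(check_session_action(name, opts))
    return findings


if __name__ == "__main__":
    for obj, msg in audit_config(SAMPLE_CONFIG):
        print("%s: %s" % (obj, msg))
```

Run it against a saved copy of the configuration to list every LDAP action that allows password change without TLS/SSL, every action whose port does not match its security type, and every session profile used for ICA Proxy that lacks the Web Interface address, SSO domain or SSO flag. Only profiles that are actually bound to the virtual server matter for this procedure, so treat the output as a worklist to check against the bindings rather than as a verdict.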