Citrix

How to Configure Setup to Allow Users to Change Passwords when Using Access Gateway Enterprise Edition and Web Interface

  • CTX122972
  • Created on Mar 26, 2014
  • Updated on Jun 12, 2014
Article Topic: Authentication

Objective

This article describes how to allow users to change their password from Web Interface when using Citrix Access Gateway Enterprise Edition and Web Interface. Since the introduction of Access Gateway Enterprise 9.2, users can change expired passwords, provided that the proper setup has been completed. For environments that still use versions earlier than Access Gateway Enterprise 9.2, this change password feature is not available, but you can apply the workaround explained in this article.

This article assumes that you are configuring Access Gateway Enterprise Edition in either ICA Proxy mode or that you have set Web Interface as the homepage. 

Caution! This customization affects the XenApp or XenDesktop SmartAccess functionalities of Access Gateway Enterprise such as:

  • Administrators cannot hide applications externally.

  • Administrators cannot disable or enable any XenApp or XenDesktop policies based on user access from Access Gateway.

This article applies to password changes where the user can log on successfully. Currently, this article cannot be used if the user must change password on next logon option is selected in the user's profile (a common practice when new user accounts are created and the user must change the password after logging on for the first time), unless you disable authentication on the VPN VIP.

Requirements

Access Gateway 9.2 or later:

Ensure that the LDAP server is properly set for secure LDAP (LDAPS) connections for this setup to work.

Access Gateway 9.1 or earlier:

To configure a setup that allows changing the password, ensure that you specify At Web Interface, and not Citrix Access Gateway, as the Point of Authentication when creating the Web Interface site.

Additionally, refer to the Knowledge Center article CTX106202 ‑ How to Forward Credentials from Access Gateway 4.x to Web Interface 3.x, 4.x, or 5.x to replace the login file on the Web Interface site.

Instructions

To allow users to change an expired password when authenticating at Access Gateway, complete one of the following procedures:

Access Gateway 9.2 or Later

  1. Open the LDAP authentication profile and ensure that the following settings are enabled:

    1. Select Allow Password Change.

    2. Select TLS or SSL. If TLS is selected, use port 389. For SSL, use port 636. For more information, refer to Citrix eDocs: http://support.citrix.com/proddocs/topic/access-gateway-92/agee-ldap-authen-configure-tsk.html

  2. If everything is set correctly, you are prompted to change the password at the next logon (if required). 
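
An offline check of the settings in step 1, as an added example that is not part of the Citrix article: it reads LDAP profiles written as `add authentication ldapAction` command lines (the command-line counterparts of the profile settings) and flags any profile where Allow Password Change is enabled without TLS or SSL, or where the port does not match the pairing given above. The sample lines are constructed, and the defaults used for omitted options (PLAINTEXT, port 389, password change disabled) are assumptions.

```python
import shlex

# Constructed sample lines in the style of an exported appliance configuration.
SAMPLE_CONFIG = """\
add authentication ldapAction ldap_ssl -serverIP 192.0.2.10 -serverPort 636 -secType SSL -passwdChange ENABLED
add authentication ldapAction ldap_tls -serverIP 192.0.2.11 -serverPort 389 -secType TLS -passwdChange ENABLED
add authentication ldapAction ldap_plain -serverIP 192.0.2.12 -passwdChange ENABLED
add authentication ldapAction ldap_mixed -serverIP 192.0.2.13 -serverPort 389 -secType SSL -passwdChange ENABLED
add authentication ldapAction ldap_ro -serverIP 192.0.2.14 -serverPort 389
"""

# Port pairing stated in the article: TLS on 389, SSL on 636.
EXPECTED_PORT = {"TLS": "389", "SSL": "636"}


def parse_ldap_actions(text):
    """Yield (profile_name, options) for each 'add authentication ldapAction' line."""
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:3] != ["add", "authentication", "ldapAction"] or len(tokens) < 4:
            continue
        rest = tokens[4:]
        # Options are '-name value' pairs; keys are normalised to lower case.
        opts = {k.lstrip("-").lower(): v for k, v in zip(rest[::2], rest[1::2])}
        yield tokens[3], opts


def audit(text):
    """Return {profile_name: problem} for profiles that break the article's requirements."""
    findings = {}
    for name, opts in parse_ldap_actions(text):
        # Assumed default when the option is omitted: password change disabled.
        if opts.get("passwdchange", "DISABLED").upper() != "ENABLED":
            continue  # nothing to check when users cannot change passwords
        sec = opts.get("sectype", "PLAINTEXT").upper()  # assumed default
        port = opts.get("serverport", "389")            # assumed default
        if sec not in EXPECTED_PORT:
            findings[name] = f"password change enabled over {sec}; select TLS or SSL"
        elif port != EXPECTED_PORT[sec]:
            findings[name] = f"{sec} selected on port {port}; expected {EXPECTED_PORT[sec]}"
    return findings


if __name__ == "__main__":
    for profile, problem in audit(SAMPLE_CONFIG).items():
        print(f"{profile}: {problem}")
```
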

Access Gateway 9.1 or Earlier

To configure a setup to allow users to change password when using the Citrix Access Gateway Enterprise Edition and Web Interface, complete the following procedures:

Configuring the Web Interface Server to Allow Users to Change Password

To configure the Web Interface server to allow changing a password, complete the following procedure:
  1. Create a Web Interface site and specify At Web Interface as the Point of Authentication, as shown in the following screen shot.
    Note: For Web Interface releases earlier than 4.5, you can ignore this step.

    User-added image
  2. Ensure that the Web Interface site launches applications successfully with the XenApp environment.

  3. Download the AGWISSO.zip file from the Knowledge Center article CTX106202 ‑ How to Forward Credentials from Access Gateway 4.x to Web Interface 3.x, 4.x, or 5.x.

  4. Extract the contents of the AGWISSO.zip file.

  5. Navigate to the folder whose name matches the version of Web Interface installed on the server.

  6. Open the Readme.txt file and complete the instructions available in the file to replace the login file.

  7. Open the Citrix Access Management Console for Web Interface.

  8. Select Configure Authentication Methods from Common Tasks, as shown in the following screen shot.

    User-added image
  9. Ensure that the Explicit option is selected in the Available methods list, as shown in the following screen shot, and then click Properties.

    User-added image
  10. Expand the Explicit node in the Properties dialog box.

  11. Select Authentication Type and then select Settings.

  12. Type the domain information and, in the Domain list, select the Pre-populated option.

  13. Select the Hide Domain box radio button.

  14. Click OK.

    Note: Entering multiple domains into the domain list is currently not supported when you select Hide Domain box. For additional details, refer to article CTX122972 ‑ How to Configure Setup to Allow Users to Change Passwords when Using Access Gateway Enterprise Edition and Web Interface.

  15. Select Password Settings and configure the options under which you want to allow users to change the password, as shown in the following screen shot.

    User-added image
  16. Click OK in all the open dialog boxes.

  17. Test the Web Interface site without the Citrix Access Gateway Enterprise Edition and ensure that you can log on, start applications, and change the password.

Configuring the Citrix Access Gateway Enterprise Edition to Allow Users to Change Password

To configure Citrix Access Gateway Enterprise Edition to allow changing the password, complete the following procedure:
  1. Ensure that you create an Access Gateway virtual server on which authentication is enabled, as shown in the following screen shot.

    User-added image

    Notice that the authentication is enabled on the virtual server and an LDAP authentication policy is bound to it.

  2. Create a session policy.

  3. Click New for the Requested Profile.

  4. In the Name field, specify the name for the profile.

  5. Activate the Client Experience tab.

  6. Select the Override Global options for Clientless Access and Single Sign-on to Web Applications, as shown in the following screen shot.

    User-added image
  7. Select the Single Sign-on to Web Applications option as shown in the preceding screen shot.
    The Single Sign-on to Web Applications option is enabled after you select the Override Global option.

  8. Activate the Published Applications tab.

  9. Select the Override Global option for ICA Proxy.

  10. From the ICA Proxy list, select ON.

  11. Select the Override Global option for Web Interface Address.

  12. Specify the Web Interface address in the Web Interface Address field.

  13. Select the Override Global option for Web Interface Portal Mode.

  14. Select the Override Global option for Single Sign-on Domain.

  15. Specify the domain name in the Single Sign-on Domain field.
    The following screen shot displays the sample setting mentioned in Step 8 through Step 15.

    User-added image
  16. Click OK and close all the open dialog boxes.

  17. Bind the policy to the Access Gateway virtual server.

  18. From a Web browser, log on to the Web site by using Citrix Access Gateway Enterprise.
    You are redirected to the Web Interface site, as shown in the following screen shot.

    User-added image

    Notice that the Change Password link is available on the Web Interface site. 
