Hotfix package name: SSOP480WX86007.zip
For: Single Sign-On Plug-in, Version 4.8
Replaces: All previous versions
Date: April, 2015
Languages supported: English (US), German (DE), Spanish (ES), French (FR), Japanese (JA)
Readme version: 1.00

Readme Revision History

Important Notes about This Release

• Caution! This release may require you to edit the registry. Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Citrix cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
• When you upgrade the plug-in software, the process.xml, applist.ini, and mfrmlist.ini files are backed up in their original folder location by the upgrade process. This preserves the plug-in settings; to revert to those settings, replace the process.xml, applist.ini, and mfrmlist.ini files created by the upgrade process with these backed up files.
• A full installation of the plug-in software deletes any previous installation files and information related to previous installations.
• Canceling the installation of the plug-in software may delete previous installation files and information related to previous installations. This might cause the client device to become unstable, requiring the plug-in software to be repaired or reinstalled.
• After installing this hotfix, the Repair option available from the support information link in the Add/Remove Programs Control Panel does not work as expected. Before running the Repair option, see Knowledge Center article CTX111036 for more information.

Where to Find Documentation

This document describes the issue(s) resolved by this release and includes installation instructions. For additional product information, see Citrix Product Documentation.

New Fixes in This Release

1. This fix addresses an issue in Single Sign-On Version 4.8 that requires user interaction in terminal emulator-based applications when multiple logon forms are specified and that need to be processed before the second logon.

   To enable the fix, create the following registry key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Extensions\AccessManager
   Name: TELoginDelay
   Type: DWORD
   Value: 0x00000064

   [From SSOP480WX86007][#LA2122]

2. If users enter their credentials for a selected application and then click "Finish," the description might not appear for the application.

   [From SSOP480WX86007][#LA3013]

3. When SendKeys are enabled, if an "OK" string is automatically entered in the user name or ID field, a new logon window appears.

   [From SSOP480WX86007][#LA3509]

4. After installing Hotfix SSOP480WX86006, users might not receive a prompt to enter their credentials when logging on to the terminal emulator-based applications.

   [From SSOP480WX86007][#LA3698]

5. This fix updates an internal component.

   [From SSOP480WX86007][#LC2440]

Fixes from Replaced Hotfixes

1. The plug-in appears to shut down unexpectedly after a system restart, a plug-in restart, or a logon.

   [From SSOP480WX86001][#230884]

2. This fix addresses handle leaks during regular synchronization intervals.

   [From SSOP480WX86001][#231253]

3. Upon detection, the plug-in manipulates the layout and positioning of certain Web page frames that contain user credentials text boxes. As a result, parts of those frames can become truncated or invisible to users. This fix introduces a registry key that adds scrollbars to such frames if necessary so that the entire contents of the affected frames become accessible to users. To enable this fix, must set the following registry key:

   HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Extensions\AccessManager
   Name: BHO
   Type: REG_DWORD
   Data: 0 (off; default); 1 (on)

   [From SSOP480WX86001][#231578]

4. The Enter Credentials dialog box does not have keyboard focus when it appears.

   [From SSOP480WX86001][#231580]

5. This fix addresses memory leaks in SSOSHELL.exe.

   [From SSOP480WX86001][#231878]

6. The plug-in stop synchronizing newly added credentials with the central store as a result of an Active Directory constraint violation.

   [From SSOP480WX86001][#231880]

7. Ssoshell.exe can experience an abnormal program termination.

   [From SSOP480WX86001][#232744]

8. When using a GPO to install the plug-in, the installer user interface appears in German. The issue applies only to the installer interface; once installed, the plug-in matches the language of the target operating system as designed.

   [From SSOP480WX86001][#233655]

9. On occasion, the plug-in fails to submit credentials for Web applications. The issue occurs when launching Web applications via scripts, the timing of which can conflict with application detection. This fix introduces support for the following registry key. When set, the setting ensures that application detection is delayed until Web application page loads complete.

   HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Extensions\AccessManager
   Name: UnstableWinTitleApps
   Type: REG_SZ
   Data: <application name 1>,<timeout 1, in ms >;<application name 2>,<timeout 2, in ms >

   [From SSOP480WX86002][#233645]

10. This fix removes the dependencies of the console installer on the Microsoft Visual C++ 2005 and the Microsoft Visual C++ 2008 Redistributable Packages. As a result, the Microsoft Visual C++ 2005 and the Microsoft Visual C++ 2008 Redistributable Packages are no longer prerequisites to installing the console.

    Note: This fix removes only the VC++ dependency of the console installer, not of the console itself. The console continues to require the presence of both packages on the target device. The packages are available on the XenApp 6 DVD and from the Microsoft Web site at http://www.microsoft.com.

    [From SSOP480WX86002][#235325]

11. This fix addresses a security vulnerability. For more information, see Knowledge Center article CTX123359.

    [From SSOP480WX86002][#236530]

12. This feature enhancement allows you to suppress the message, "Citrix Password Manager is unable to access your user data and will now close" that appears when a user without a Single sign-on configuration logs into a session. To suppress the message and allow the plug-in to exit silently, you must set the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Shell\Popups
    Name: SuppressMessages
    Type: REG_DWORD
    Data: 1 (suppress message), 0 (do not suppress message)

    [From SSOP480WX86002][#236857]

13. If you run a query within SAP and attempt to launch an additional instance of SAP while the query is running, the plug-in fails to submit your credentials until the query is complete.

    [From SSOP480WX86002][#237017]

14. This is an enhancement to the Application Definition and the Password Change wizards. The enhancement introduces support for the following registry key that, if set, allows you to mask user input in the Username/ID, Other 1, and Other 2 text input fields. These fields are located on the New Logon Page (Application Definition wizard) and on the Logon Properties (Password Change wizard) screens. You can mask any one of the fields as well as any combination thereof as follows:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Extensions\AccessManager
    Name: CredProtectMask
    Type: REG_DWORD
    Data:

    0x0000 - default/do not mask any additional fields
    0x0001 - mask field Username/ID
    0x0004 - mask field Other 1
    0x0008 - mask field Other 2

    [From SSOP480WX86002][#237214]

15. After applying Hotfix SSOP480WX64001 or SSOP480WX86001, the single sign-on plug-in fails to sync with the central store.

    [From SSOP480WX86003][#239458]

16. With the option "Automatically detect applications and prompt user to store credentials" disabled in the user configuration, clicking Submit credentials from the notification area icon fails to submit the user credentials.

    [From SSOP480WX86003][#240912]

17. With the option "Detect client-side application definitions" disabled in the user configuration, the option to enter a URL when specifying a new Web logon is continues to be present.

    [From SSOP480WX86003][#244173]

18. When using the Account Self-Service feature with the 10:1 concurrent user license model, the 11th and subsequent users receive the following, unnecessary internal license error message even though the software is fully functional:

    "Unable to acquire a CPM_ENT_RC license. All the licenses are in use. The Citrix Password Manager Agent is disabled."

    This fix introduces support for the following registry key that allows you to mask the error messages:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\ MetaFrame Password Manager\Shell\Popups
    Name: SuppressMessages
    Type: REG_DWORD
    Data: 0x00000010 (to mask internal license errors); 0x00000020 (to mask grace period license messages); 0x00000030 (to mask both types of messages)

    [From SSOP480WX86003][#255430]

19. The CPU consumption of the Ssoshell.exe process on the server can spike unexpectedly. The issue occurs when configuration information is refreshed when there are large number of users connected to the server and the plug-in handles a large number of application windows.

    To enable this fix, you must set the following registry key so that the configuration information is not refreshed:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\Metaframe Password Manager\Shell\AppListReloadDelay
    Name: AppListReloadDelay
    Type: REG_DWORD
    Data: 5 (seconds)

    [From SSOP480WX86003][#255809]

20. Version 4.8 of the Single sign-on plug-in fails to start if the list of revoked users (Question-based authentication > Other Tasks > Revoke Security question registration for a user) exceeds a certain number of characters.

    [From SSOP480WX86003][#260567]

21. Windows Logon (Winlogon.exe) can exit unexpectedly when using a smart card to unlock a workstation with Versions 4.6 and 4.8 of the Single sign-on plug-in.

    [From SSOP480WX86003][#LA0016]

22. A timing issue can cause users to be prompted for their previous password. The problem occurs because the automatic recovery key is not properly stored to the central store in cases where an administrator resets a user's password immediately following that user’s first-time logon.

    [From SSOP480WX86004][#LA0280]

23. This fix addresses an issue in Version 4.8 of Single sign-on that requires user interaction in the case of a terminal emulator-based application for which multiple logon forms are specified and that need to be processed in quick succession.

    [From SSOP480WX86004][#LA0723]

24. When using the domain password sharing group for Version 6 of WebNow, the logon screen prompting users for credentials might fail to populate correctly.

    [From SSOP480WX86005][#LA1034]

25. This fix addresses an issue that requires user interaction in the case of a terminal emulator-based application for which multiple logon forms are specified and that need to be processed in quick succession (within one second), even after applying Fix #LA0723.

    [From SSOP480WX86005][#LA1474]

26. While creating a new logon that has not been saved yet, entering a password and then selecting Reveal Password causes the following error message to appear:

    "There was an error acquiring the group password."

    [From SSOP480WX86006][#LA2271]

27. This feature enhancement allows you to suppress the following offline notification message that appears when the user removes a device from the network:

    "Citrix Single Sign-On is working offline. Changes to user data will be stored on the server when the connection is reestablished."

    To suppress the message, set the following registry key:

    • On 32-bit systems:
      HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Shell\Popups
      Name: SuppressMessages
      Type: DWORD
      Data: 0x00000003
    • On 64-bit systems:
      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Citrix\MetaFrame Password Manager\Shell\Popups
      Name: SuppressMessages
      Type: DWORD
      Data: 0x00000003

    This fix suppresses the Offline notification dialog box. However, the same message will be logged in the Agent log.

    [From SSOP480WX86006][#LA2512]

28. When using the domain password sharing group for Version 6 of WebNow, the logon screen prompting users for credentials might fail to populate correctly.

    [From SSOP480WX86006][#LA2762]

29. When using the Account Self-Service feature with the 10:1 concurrent user license model, the 11th and subsequent users receive the following, unnecessary internal license error message even though the software is fully functional:

    "Unable to acquire a CPM_ENT_RC license. All the licenses are in use. The Citrix Password Manager Agent is disabled."

    This fix introduces support for the following registry key that allows you to mask the error messages:

    HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Shell\Popups
    Name: SuppressMessages
    Type: REG_DWORD
    Data: 0x00000010 (to mask internal license errors); 0x00000020 (to mask grace period license messages); 0x00000030 (to mask both types of messages)

    [From SSOP480WX86006][#LA2929]

Installing and Uninstalling This Release

Notes:

• This hotfix is packaged with Microsoft Windows Installer 2.0 as a .msi file. For more information about deploying .msi files, see Microsoft article 884016 or visit the Microsoft Web site and search on keyword msiexec.
• To install this hotfix successfully, servers must not have registry modification restrictions in place.
• This hotfix might or might not prompt you to restart the server when the installation or uninstallation is complete. If you are using the Delivery Services Console, you must restart the server after installing or uninstalling this hotfix to ensure that the hotfix is added to or removed from the console's hotfix inventory list.
• If the need arises to restore the original settings and functionality provided by this hotfix, you must uninstall the hotfix before reinstalling it according to the installation instructions below.

To install this hotfix:

1. Copy the hotfix package to an empty folder on the hard drive of the server you want to update.
2. Close all applications.
3. Run the executable, Citrix Password Manager Plugin.msi.
4. Restart the server.

To uninstall this hotfix:

1. From the Start menu, select Settings > Control Panel.
2. In Control Panel, double-click Add/Remove Programs.
3. Highlight the hotfix you want to uninstall and click Remove.
4. Follow the directions on-screen.