The primary intent of this article is to provide the steps for deploying a Self-Service Password Reset (SSPR) environment for the first time.
Self-Service Password Reset functionality is End of Life and is not included in Citrix Virtual Apps and Desktops 2203 or later.
This article assumes that the StoreFront environment is already set up and that all related machines are joined to a domain. The domain used in this tutorial is sspr.local and the FQDN of the prepared SSPR server is SSPRServer.sspr.local. The SSPR server is a dedicated server and the central store is created on it.
As you deploy Self-Service Password Reset for the first time, please review the hardware and software requirements at System requirements.
The general steps for deploying SSPR are as follows:
Create service accounts for SSPR:
Data Proxy Account and Self-Service Account
Create central store:
Create central store manually or create central store with a tool
Install SSPR
Configure “SSPR Service Configuration”
Configure “SSPR User Configuration”
Enable and configure SSPR in StoreFront
You can follow the steps below to complete your deployment.
Data Proxy Account
Create a normal domain user to be used as the Data Proxy Account of SSPR. Then delegate read and write access to this account while creating the central store. For detailed information, see the Create central store section below. The Data Proxy Account created in this tutorial is sspr\DataProxyAccount.
Self-Service Account
Create a domain account with sufficient privileges to unlock and reset the passwords of the relevant users. For detailed information, see Create a Self-Service Account. The Self-Service Account created in this tutorial is sspr\SelfServiceAccount.
Create central store
There are two ways to create a central store: manually or with a tool. Both are described below and you can choose either of them.
Create central store manually
Open Server Manager on the SSPR server. On the “File and Storage Services” page, select “Shares” in the left pane, and click “TASKS” > “New Share”.
In “Select Profile” page, select “SMB Share – Quick”, and click Next.
In “Share Location” page, select the server and volume on which to create the new shared folder, and then click Next.
In “Share Name” page, type the name of the new share, for example CITRIXSYNC$, and click Next.
In “Other Settings” page, select “Encrypt data access”, deselect “Allow caching of share”, and click Next.
In “Permissions” page, select “Customize permissions”.
Click “Disable inheritance”, and select “Convert inherited permissions into explicit permissions on this object”.
Click “Permissions” tab, remove all users except “CREATOR OWNER”, “Local Administrators” and “SYSTEM”, then add the “Data Proxy Account” which was created before with “Full Control” permission.
Choose “CREATOR OWNER” and click Edit to uncheck the permissions “Full Control”, “Delete subfolders and files”, “Change permissions” and “Take ownership”.
Click “Share” tab, remove “Everyone”, and add the “Data Proxy Account”, “Local Administrators” and “Domain Admins” with “Full Control” permission.
In “Confirmation” page, click Create.
Create two subfolders under the CITRIXSYNC$ share folder: CentralStoreRoot and People.
A central store for SSPR is now created and ready for use.
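The manual central-store steps above, as an added PowerShell example that is not part of the original article: it creates the folder, applies the NTFS and share permissions the steps describe (inheritance disabled, no “Everyone” on the share, encryption on, caching off) and adds the two subfolders. It assumes C: as the volume, sspr\DataProxyAccount as the Data Proxy Account, “sspr\Domain Admins” as the domain admin group, and an elevated session on the SSPR server.

```powershell
# Added example (not from the original article). Assumptions: elevated PowerShell on
# the SSPR server, share on C:, account/group names as set below.
$SharePath    = 'C:\CITRIXSYNC$'
$ShareName    = 'CITRIXSYNC$'
$DataProxy    = 'sspr\DataProxyAccount'   # Data Proxy Account created earlier
$LocalAdmins  = 'BUILTIN\Administrators'  # "Local Administrators"
$DomainAdmins = 'sspr\Domain Admins'      # assumed name of the domain admin group
$System       = 'NT AUTHORITY\SYSTEM'
$CreatorOwner = 'CREATOR OWNER'

New-Item -Path $SharePath -ItemType Directory -Force | Out-Null

# NTFS permissions: a protected DACL (inheritance disabled) that contains only the
# entries left behind by the manual steps.
$Full    = [System.Security.AccessControl.FileSystemRights]::FullControl
# Full Control minus "Delete subfolders and files", "Change permissions" and
# "Take ownership" is exactly Modify + Synchronize.
$Limited = [System.Security.AccessControl.FileSystemRights]'Modify, Synchronize'
$Both    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function New-Ace([string]$Identity,
                 [System.Security.AccessControl.FileSystemRights]$Rights,
                 [System.Security.AccessControl.PropagationFlags]$Propagation) {
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, $Rights, $Both, $Propagation, $Allow
}

$acl = New-Object System.Security.AccessControl.DirectorySecurity
$acl.SetAccessRuleProtection($true, $false)   # disable inheritance, inherit nothing
$acl.AddAccessRule((New-Ace $System       $Full    'None'))
$acl.AddAccessRule((New-Ace $LocalAdmins  $Full    'None'))
$acl.AddAccessRule((New-Ace $DataProxy    $Full    'None'))
$acl.AddAccessRule((New-Ace $CreatorOwner $Limited 'InheritOnly'))  # subfolders/files only
Set-Acl -Path $SharePath -AclObject $acl

# Share permissions: only the three principals (no "Everyone"), encrypted, no caching.
New-SmbShare -Name $ShareName -Path $SharePath `
    -FullAccess $DataProxy, $LocalAdmins, $DomainAdmins `
    -EncryptData $true -CachingMode None | Out-Null

# Subfolders SSPR expects under the share.
foreach ($sub in 'CentralStoreRoot', 'People') {
    New-Item -Path (Join-Path $SharePath $sub) -ItemType Directory -Force | Out-Null
}

# Review the result before pointing the SSPR service configuration at the UNC path.
Get-SmbShare -Name $ShareName | Format-List Name, Path, EncryptData, CachingMode
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $SharePath).Access | Format-Table IdentityReference, FileSystemRights, IsInherited
```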
Create central store with a tool
Download the central store creation tool from CTX217143 and extract it to a local disk of the SSPR server.
Open a PowerShell console and change directory to the folder that holds the tool.
Execute CreateCentralStore.ps1 and provide FolderPath, ShareName and Admin as parameters. In this tutorial, the command is: .\CreateCentralStore.ps1 -FolderPath C:\CITRIXSYNC$ -ShareName CITRIXSYNC$ -Admin sspr.local\DataProxyAccount
See CTX217143 for more details about this central store creation tool.
Install SSPR
Click “Self-Service Password Reset” on the XenDesktop installation interface.
Accept the license agreement, and click Next.
In “Core Components” page, click Next.
In “Firewall” page, click Next.
In “Summary” page, click Install.
Click Finish to complete the installation process.
Configure “SSPR Service Configuration”
Before starting configuration, make sure that an SSL certificate is installed on the IIS site of the SSPR server.
Open the SSPR console, choose “Service Configuration” in the left pane and then click “New Service Configuration”.
In “Welcome” page, click Next.
In “Central Store Location” page, configure the UNC path to the central store and click Next.
In “Domain Configurations” page, select the domain(s) where you want to enable SSPR service and then click Properties.
In the “Domain Configuration” wizard that opens, configure the “Data Proxy Account” and “Self-Service Account”, and click OK. In this tutorial, the “Data Proxy Account” and “Self-Service Account” are sspr\DataProxyAccount and sspr\SelfServiceAccount respectively.
Click Next to apply all the settings.
Click Finish to complete the configuration.
Configure “SSPR User Configuration”
In the SSPR console, choose “User Configuration” in the left pane and then click “New User Configuration”.
In “Name User Configuration” page, click Browse to add an OU or user (for example, OU1 and User1) or Add to add an AD group (for example, group1), then click Next.
In “Configure Licensing” page, configure the “License Server Name”, then click Next.
In “Enable Self-Service Password Reset” page, select which SSPR functionality you want to enable, then enter the service address and click Create. Make sure TLS 1.0 is enabled on the SSPR server; otherwise this step may fail.
Enable and configure SSPR in StoreFront
Open the Citrix StoreFront management console, right-click the store and choose “Manage Authentication Methods”.
Choose “Manage Password Options” under settings of “User name and password”.
Select “Allow users to change passwords” and select “At any time”.
Choose “Configure Account Self-Service” under settings of “User name and password”.
Choose “Citrix SSPR” to enable “Account Self Service”.
Click Configure, select “Enable password reset” and “Allow account unlock”, and configure the “SSPR Account Service URL” (https://<FQDN of the SSPR server>/MPMService).
Click OK to apply all the settings.
At this point, the SSPR deployment is finished. You can now log on to StoreFront with an account that has been added to the user configuration (for example, sspr\user1). A “TASKS” button is shown on the page. Click the TASKS button and the user can start enrollment from “Manage Security Questions”.
An “Account Self-Service” link is shown on the StoreFront logon page for users to unlock their account or reset their password.