How Do I Deploy Self-Service Password Reset For the First Time


Article ID: CTX224244


Description

This article provides the steps to deploy a Self-Service Password Reset (SSPR) environment for the first time.


Instructions

Important

Self-Service Password Reset functionality is End of Life and is not included in Citrix Virtual Apps and Desktops 2203 or later.

Plan your Self-Service Password Reset deployment

This article assumes that the StoreFront environment is already set up and that all related machines are joined to a domain. The domain used in this tutorial is sspr.local and the FQDN of the prepared SSPR server machine is SSPRServer.sspr.local. The SSPR server is a dedicated server and the central store is created on it.

Because you are deploying Self-Service Password Reset for the first time, review the hardware and software requirements at System requirements.

The general steps for deploying SSPR are:

  • Create service accounts for SSPR:
    Data Proxy Account and Self-Service Account

  • Create central store:
    Create central store manually or create central store with a tool

  • Install SSPR

  • Configure “SSPR Service Configuration”

  • Configure “SSPR User Configuration”

  • Enable and configure SSPR in StoreFront

Follow the steps below to complete your deployment.

Create service accounts for SSPR

  • Data Proxy Account
    Create a normal domain user to be used as the Data Proxy Account of SSPR. You delegate read and write access to this account when you create the central store. For detailed information, see the section “Create central store” below. The Data Proxy Account created in this tutorial is sspr\DataProxyAccount.

  • Self-Service Account
    Create a domain account with sufficient privileges to unlock and reset the passwords of the relevant users. For detailed information, see Create a Self-Service Account. The Self-Service Account created in this tutorial is sspr\SelfServiceAccount.

Create central store

There are two ways to create a central store: manually or with a tool. Both of them will be described below and you can choose either of them.

A: Create central store manually

  1. Open Server Manager on SSPR server, from the “File and Storage Services” page, select “Shares” in the left pane, and click “TASKS” > “New Share”.

  2. In “Select Profile” page, select “SMB Share – Quick”, and click Next.

  3. In “Share Location” page, select the server and volume on which to create the new shared folder, and then click Next.

  4. In “Share Name” page, type the name of the newly created share, for example CITRIXSYNC$, and click Next.

  5. In “Other Settings” page, select “Encrypt data access”, deselect “Allow caching of share”, and click Next.

  6. In “Permissions” page, select “Customize permissions”.

  7. Click “Disable inheritance”, and select “Convert inherited permissions into explicit permissions on this object”.

  8. Click “Permissions” tab, remove all users except “CREATOR OWNER”, “Local Administrators” and “SYSTEM”, then add the “Data Proxy Account” that was created earlier, with “Full Control” permission.

  9. Choose “CREATOR OWNER” and click Edit to uncheck the permissions “Full Control”, “Delete subfolders and files”, “Change permissions” and “Take ownership”.

  10. Click “Share” tab, remove “Everyone”, and add the “Data Proxy Account”, “Local Administrators” and “Domain Admins” with “Full Control” permission.

  11. In “Confirmation” page, click Create.

  12. Create two subfolders under the CITRIXSYNC$ share folder: CentralStoreRoot and People. 

A central store for SSPR is created and ready for use now.
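
To confirm that the share matches the settings chosen in manual steps 5 to 12, a check like the following can be run on the SSPR server. This is an added example, not part of the original article or Citrix tooling; it assumes the tutorial's share name and Data Proxy Account, and that the shared folder is C:\CITRIXSYNC$ (the path used in the tool command in section B).

```powershell
# Added example, not Citrix code. Audits the central store against manual steps 5-12.
# Defaults are the tutorial's values; FolderPath is an assumption taken from the tool command.
param(
    [string]$ShareName    = 'CITRIXSYNC$',
    [string]$FolderPath   = 'C:\CITRIXSYNC$',
    [string]$ProxyAccount = 'sspr\DataProxyAccount'
)
$findings = @()

# Step 5: "Encrypt data access" selected, "Allow caching of share" deselected.
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
if (-not $share.EncryptData) { $findings += 'SMB encryption is off for the share' }
if ("$($share.CachingMode)" -ne 'None') { $findings += "Caching mode is $($share.CachingMode), expected None" }

# Step 10: "Everyone" removed from the share; Data Proxy Account has Full Control.
$shareAccess = Get-SmbShareAccess -Name $ShareName
if ($shareAccess | Where-Object { $_.AccountName -eq 'Everyone' }) {
    $findings += 'Everyone is still listed in the share permissions'
}
if (-not ($shareAccess | Where-Object { $_.AccountName -eq $ProxyAccount -and
            "$($_.AccessControlType)" -eq 'Allow' -and "$($_.AccessRight)" -eq 'Full' })) {
    $findings += "$ProxyAccount lacks Full Control on the share"
}

# Step 7: inheritance disabled. Step 8: only these four principals remain on the NTFS ACL.
$acl = Get-Acl -Path $FolderPath
if (-not $acl.AreAccessRulesProtected) { $findings += 'NTFS inheritance is still enabled' }
$expected = 'CREATOR OWNER', 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', $ProxyAccount
$full   = [int][System.Security.AccessControl.FileSystemRights]::FullControl
# Step 9 rights; 0x10000000 is GENERIC_ALL, which can appear on inherit-only entries.
$banned = [int][System.Security.AccessControl.FileSystemRights]'DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000
$proxyHasFull = $false
foreach ($rule in $acl.Access) {
    $who = $rule.IdentityReference.Value
    $isAllow = "$($rule.AccessControlType)" -eq 'Allow'
    if ($who -notin $expected) { $findings += "Unexpected NTFS entry: $who" }
    if ($who -eq $ProxyAccount -and $isAllow -and (([int]$rule.FileSystemRights -band $full) -eq $full)) { $proxyHasFull = $true }
    if ($who -eq 'CREATOR OWNER' -and $isAllow -and ([int]$rule.FileSystemRights -band $banned)) {
        $findings += "CREATOR OWNER still holds: $($rule.FileSystemRights)"
    }
}
if (-not $proxyHasFull) { $findings += "$ProxyAccount lacks Full Control on the folder" }

# Step 12: the two required subfolders exist.
foreach ($sub in 'CentralStoreRoot', 'People') {
    if (-not (Test-Path -Path (Join-Path $FolderPath $sub) -PathType Container)) { $findings += "Missing subfolder: $sub" }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'Central store matches the manual steps.' }
```

Run it from an elevated PowerShell console; each warning names the step whose setting does not match.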


B: Create central store with a tool

  1. Download the central store creation tool from CTX217143 and extract it to a local disk of SSPR server.

  2. Open PowerShell console and change directory to the folder which holds the tool.

  3. Execute CreateCentralStore.ps1 and provide FolderPath, ShareName and Admin as parameters. In this tutorial, the command is: .\CreateCentralStore.ps1 -FolderPath C:\CITRIXSYNC$ -ShareName CITRIXSYNC$ -Admin sspr.local\DataProxyAccount

See CTX217143 for more details about this central store creation tool.


Install SSPR

  1. Click “Self-Service Password Reset” on the XenDesktop installation interface.

  2. Accept the license agreement, and click Next.

  3. In “Core Components” page, click Next.

  4. In “Firewall” page, click Next.

  5. In “Summary” page, click Install.

  6. Click Finish to complete the installation process.

Configure “SSPR Service Configuration”

  1. Before starting configuration, make sure that an SSL certificate is installed on the IIS site of the SSPR server.

  2. Open SSPR console, choose “Service Configuration” in the left pane and then click “New service Configuration”. 

  3. In “Welcome” page, click Next.

  4. In “Central Store Location” page, configure the UNC path to the central store and click Next.

  5. In “Domain Configurations” page, select the domain(s) where you want to enable SSPR service and then click Properties.

  6. In the “Domain Configuration” wizard that opens, configure the “Data Proxy Account” and “Self-Service Account”, and click OK. In this tutorial, the “Data Proxy Account” and “Self-Service Account” are sspr\DataProxyAccount and sspr\SelfServiceAccount respectively.

  7. Click Next to apply all the settings.

  8. Click Finish to complete the configuration.

Configure “SSPR User Configuration”

  1. In SSPR console, choose “User Configuration” in the left pane and then click “New User Configuration”.

  2. In “Name User Configuration” page, click Browse to add an OU or user (for example, OU1 and User1) and click Add to add an AD group (for example, group1), then click Next.

  3. In “Configure Licensing” page, configure the “License Server Name”, then click Next.

  4. In “Enable Self-Service Password Reset” page, select which SSPR functionality you want to enable, then enter the service address and click Create. Make sure TLS 1.0 is enabled on the SSPR server; otherwise this step may fail.

Enable and configure SSPR in StoreFront

  1. Open Citrix StoreFront management console, right click on the store and choose “Manage Authentication Methods”.

  2. Choose “Manage Password Options” under settings of “User name and password”.

  3. Select “Allow users to change passwords” and select “At any time”.

  4. Choose “Configure Account Self-Service” under settings of “User name and password”.

  5. Choose “Citrix SSPR” to enable “Account Self Service”.

  6. Click Configure, select “Enable password reset” and “Allow account unlock”, and configure the “SSPR Account Service URL” (https://<FQDN of the SSPR server>/MPMService).

  7. Click OK to apply all the settings.

The SSPR deployment is now complete. You can log on to StoreFront with an account that has been added to the user configuration (for example, sspr\user1). A “TASKS” button appears on the page. Click the TASKS button to start enrollment from “Manage Security Questions”.

An “Account Self-Service” link appears on the StoreFront logon page so that users can unlock their account and reset their password.

Additional Resources

  1. Self-Service Password Reset System requirements.

  2. Self-Service Password Reset Central Store Creation Tool.
