How to Load Balance the Password Manager Service Using a Virtual Host Name

Article ID: CTX115616

Description

This article describes how to load balance the Citrix Password Manager Service using a virtual host name or wildcard certificate.

Background

Previously, in a load balanced or clustered environment, a wildcard SSL certificate was required to use the Citrix Password Manager Service. This might be undesirable because a wildcard certificate also covers every other computer in the environment whose name fits the same pattern, including computers that have no need for it. To resolve this, a virtual host name can be entered when configuring the Password Manager Service for a load-balanced configuration, and the certificate is issued to that single name.

The information in this article provides a walkthrough on how to load balance the Citrix Password Manager Service using either a virtual host name or wildcard certificate.


Instructions

1. Choose a form of load balancing.
Determine the best third-party load-balancing solution for your environment. In the example throughout this article, round-robin Domain Name System (DNS) load balancing is used because of its simple setup and its similarity to other forms of load balancing and network redundancy.

Note: Round-robin DNS load balancing gives a client (agent or console) no way to detect an outage and fail over to another member. If one of the load-balanced computers is down, a client whose DNS answer points at that computer receives a connection error.

2. Choose a virtual host name.
One virtual host name is used for several physical computers. For example, if you have physical computers Service1.myFQDN.com, Service2.myFQDN.com, and Service3.myFQDN.com, a virtual host name such as ServiceLB.myFQDN.com can be chosen to represent the three computers as a group.

For round-robin DNS load balancing, each of the three computers has a static IP address. In the DNS zone, three host (A) records are created for ServiceLB.myFQDN.com, one for each of the three static IP addresses; the DNS server then rotates the order in which the addresses are returned. Static IPs might not be needed for all load balancing situations.

3. Obtain and install an SSL certificate on each physical computer.

The Password Manager Service relies on SSL when communicating with client (agent/console) computers. In a load balanced setup that uses a virtual host name, an SSL server certificate whose common name matches the virtual host name must be obtained from the Certificate Authority (CA) and installed, together with its private key, on every physical computer in the group. Clients validate the name in the certificate against the name they connected to, so a certificate issued to an individual computer name is rejected when the client connects to the virtual host name.

In our example, the physical machines are Service1.myFQDN.com, Service2.myFQDN.com, and Service3.myFQDN.com; however, because the virtual host name for the group is ServiceLB.myFQDN.com, you must install a certificate with the common name ServiceLB.myFQDN.com, or a wildcard certificate such as Service*.myFQDN.com, on each of the three physical computers. When copying the certificate between computers, export it as a password-protected PFX file that includes the private key, import it into each computer's Local Machine personal store, and delete the PFX file afterwards.
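The rule behind "the name must match the certificate" is worth checking before the Service Configuration Tool is run on each node. The following PowerShell is an added example, not Citrix code: Test-HostNameMatchesCertName applies the name-matching rule clients use (exact match, or a wildcard in the leftmost label only, which never spans a dot), and Find-ServerCertificateForHost lists the installed certificates with a private key that cover a given host name. The names and the store path are the article's example values and are assumptions.

```powershell
# Added example (not Citrix code): check which certificate name covers the
# virtual host name clients will use. Implements the matching rule clients apply:
# exact match, or a wildcard in the leftmost label only, matching a single label.
function Test-HostNameMatchesCertName {
    param(
        [Parameter(Mandatory = $true)][string]$CertName,  # CN or SAN dNSName from the certificate
        [Parameter(Mandatory = $true)][string]$HostName   # name the agent/console connects to
    )
    $cert   = $CertName.TrimEnd('.').ToLowerInvariant()
    $target = $HostName.TrimEnd('.').ToLowerInvariant()

    # Plain name: must be identical.
    if (-not $cert.Contains('*')) { return ($cert -eq $target) }

    $certLabels = $cert.Split('.')
    $hostLabels = $target.Split('.')

    # A wildcard never spans a dot, so the label counts must agree:
    # Service*.myFQDN.com covers Service1.myFQDN.com but not Service1.sub.myFQDN.com.
    if ($certLabels.Length -ne $hostLabels.Length) { return $false }

    # Only the leftmost label may carry the wildcard; the rest must match exactly.
    for ($i = 1; $i -lt $certLabels.Length; $i++) {
        if ($certLabels[$i].Contains('*')) { return $false }
        if ($certLabels[$i] -ne $hostLabels[$i]) { return $false }
    }

    # Leftmost label: "Service*" becomes an anchored regex that cannot cross a dot.
    $pattern = '^' + [regex]::Escape($certLabels[0]).Replace('\*', '[^.]*') + '$'
    return [bool]($hostLabels[0] -match $pattern)
}

# List installed, unexpired server certificates (with private key) whose name
# covers the virtual host name. GetNameInfo returns the first SAN dNSName if the
# certificate has one, otherwise the subject CN.
function Find-ServerCertificateForHost {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed: Local Machine personal store
    )
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (Test-HostNameMatchesCertName -CertName $_.GetNameInfo('DnsName', $false) -HostName $HostName)
    } | Select-Object Thumbprint, Subject, NotAfter
}

# Offline checks using the article's example names (constructed input):
Test-HostNameMatchesCertName -CertName 'ServiceLB.myFQDN.com' -HostName 'ServiceLB.myFQDN.com'
Test-HostNameMatchesCertName -CertName 'Service*.myFQDN.com'  -HostName 'ServiceLB.myFQDN.com'
Test-HostNameMatchesCertName -CertName 'Service*.myFQDN.com'  -HostName 'ServiceLB.sub.myFQDN.com'
Test-HostNameMatchesCertName -CertName 'Service1.myFQDN.com'  -HostName 'ServiceLB.myFQDN.com'

# On a service computer: the certificates the Service Configuration Tool should offer.
Find-ServerCertificateForHost -HostName 'ServiceLB.myFQDN.com'
```

The first two checks succeed (an exact name, and a wildcard that stays within one label); the third fails because the wildcard cannot cover the extra sub label, and the fourth fails because a physical computer's own certificate does not cover the virtual name. Note that GetNameInfo reads only the first SAN entry; a certificate carrying several dNSName entries needs its Subject Alternative Name extension inspected directly.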

4. Create and configure the XTE Service account.

a. Using Active Directory Users & Computers, create a domain account as the XTE Service account. For our example, the name is ctx_CPMXTEUser and the Password never expires check box is selected after setting a long, randomly generated password. Give this account no privileges beyond what the following steps grant; it should not be a member of any local or domain administrative group.

b. On each Password Manager Service computer, launch the local Security Settings console (go to Start > Programs > Administrative Tools > Local Security Policy).

c. Under Local Policies > User Rights Assignment, right-click Log on as a Service, click Properties, and add the domain account (ctx_CPMXTEUser) to the policy setting.

d. Obtain the setspn.exe utility from the Windows support tools (located on the Windows 2000 Server/Windows Server 2003 installation CD-ROM). On Windows Server 2008 and later, setspn.exe is included with the operating system.

e. Register the virtual and physical service principal names (SPNs) for the domain account using the following commands (assuming the example environment mentioned above):

Setspn -A http/Service1.myFQDN.com myNetbiosDomain\ctx_CPMXTEUser
Setspn -A http/Service2.myFQDN.com myNetbiosDomain\ctx_CPMXTEUser
Setspn -A http/Service3.myFQDN.com myNetbiosDomain\ctx_CPMXTEUser
Setspn -A http/ServiceLB.myFQDN.com myNetbiosDomain\ctx_CPMXTEUser

The fourth SPN is always the literal virtual host name. An SPN cannot contain a wildcard, so using a wildcard certificate (Service*.myFQDN.com) does not change the SPN that is registered. Confirm the registrations with Setspn -L myNetbiosDomain\ctx_CPMXTEUser; an SPN that is registered on more than one account breaks Kerberos authentication to the service.
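As an added example (not Citrix code), the following PowerShell derives the SPN set a load-balanced installation needs from the node names and the virtual host name, emits the matching setspn commands, and checks a setspn -L listing for anything missing. The node names, account name and the sample setspn -L output are constructed from the article's example values.

```powershell
# Added example (not Citrix code): plan and verify the SPNs for a load-balanced
# Password Manager Service running under one domain account.
function Get-RequiredSpns {
    param(
        [Parameter(Mandatory = $true)][string[]]$NodeFqdn,   # physical computers
        [Parameter(Mandatory = $true)][string]$VirtualFqdn,  # name in DNS and on the certificate
        [string]$ServiceClass = 'http'
    )
    $names = @($NodeFqdn) + $VirtualFqdn
    foreach ($n in $names) {
        # SPNs are literal names: a wildcard certificate never means a wildcard SPN.
        if ($n.Contains('*')) { throw "SPN host names cannot contain wildcards: $n" }
        "$ServiceClass/$n"
    }
}

# Emit the setspn commands to run once, on any domain-joined computer.
# On Windows Server 2008 and later, -S instead of -A refuses to add an SPN
# that is already registered on another account.
function New-SetspnCommand {
    param(
        [Parameter(Mandatory = $true)][string[]]$Spn,
        [Parameter(Mandatory = $true)][string]$Account   # DOMAIN\user
    )
    foreach ($s in $Spn) { "setspn -A $s $Account" }
}

# Compare the required set against the lines printed by: setspn -L DOMAIN\account
# (a header line, then one indented SPN per line). Comparison is case-insensitive.
function Test-SpnRegistration {
    param(
        [Parameter(Mandatory = $true)][string[]]$RequiredSpn,
        [Parameter(Mandatory = $true)][string[]]$SetspnOutput
    )
    $registered = @($SetspnOutput |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -match '^[A-Za-z]+/' })
    $missing = @($RequiredSpn | Where-Object { $registered -notcontains $_ })
    [pscustomobject]@{
        Registered = $registered
        Missing    = $missing
        Ok         = ($missing.Count -eq 0)
    }
}

# Article's example environment (assumed values).
$nodes    = 'Service1.myFQDN.com', 'Service2.myFQDN.com', 'Service3.myFQDN.com'
$account  = 'myNetbiosDomain\ctx_CPMXTEUser'
$required = Get-RequiredSpns -NodeFqdn $nodes -VirtualFqdn 'ServiceLB.myFQDN.com'
New-SetspnCommand -Spn $required -Account $account

# Constructed sample of a setspn -L listing on which the virtual-name SPN was forgotten:
$sample = @(
    'Registered ServicePrincipalNames for CN=ctx_CPMXTEUser,CN=Users,DC=myFQDN,DC=com:',
    '    http/Service1.myFQDN.com',
    '    http/Service2.myFQDN.com',
    '    http/Service3.myFQDN.com'
)
Test-SpnRegistration -RequiredSpn $required -SetspnOutput $sample

# Live check on a domain-joined computer with setspn.exe available:
# Test-SpnRegistration -RequiredSpn $required -SetspnOutput (setspn -L $account)
```

With the sample listing, Missing contains http/ServiceLB.myFQDN.com and Ok is false; clients connecting to the virtual name would then fall back to NTLM or fail, depending on their configuration. On Windows Server 2008 and later, setspn -X reports SPNs that are duplicated across accounts in the forest, which is the other common cause of Kerberos failures after this step.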

5. Configure the Password Manager Service computers as Trusted for Delegation.

Delegation lets the service obtain Kerberos tickets to other services on behalf of the users it authenticates, so grant only what is listed here. In a Windows 2000 Server mixed domain the only option is unconstrained delegation, which lets the computer impersonate any connecting user to any service in the domain; at the Windows Server 2003 functional level, use constrained delegation limited to the domain controllers the service actually contacts, as described below.

For domains with the functional level set at Windows 2000 Server mixed:

a. In Active Directory Users & Computers, right-click each service computer name and click Properties.

b. Select the Trust computer for delegation check box for each physical service computer.

For domains with a functional level set at Windows Server 2003:

a. In Active Directory Users & Computers, right-click each service computer name and click Properties.

b. Select the Delegation tab.

c. Select the Trust this computer for delegation to specified services only option button.

d. Select the Use any authentication protocol option button.

e. Click the Add button.

f. Click the Users or Computers... button of the Add Services dialog.

g. Enter the NetBIOS name of all domain controllers that the service may contact.

h. Click OK.

i. Select http for the Service Type for all the domain controllers entered.

j. Click OK twice.

6. Run the Password Manager Service Configuration Tool.

a. On each service computer, launch the Service Configuration Tool.

b. On the first page, select the SSL certificate that was installed for the load-balanced virtual host name. For the environment mentioned above, the certificate shown in the dialog is the one issued to ServiceLB.myFQDN.com or to the wildcard Service*.myFQDN.com.

c. Clear the Use default value check box and type the load-balanced virtual host name; this name must match the SSL certificate common name. For the environment mentioned, the name entered is ServiceLB.myFQDN.com. With a wildcard certificate the name entered is still ServiceLB.myFQDN.com, which Service*.myFQDN.com covers; the wildcard itself is never entered as a host name.

d. For the XTE Service user account, select the Existing domain account option button. Enter the username and password for the XTE Service account that was previously created. For the example environment, the username myNetbiosDomain\ctx_CPMXTEUser was used.

e. Continue with the service configuration.

f. Repeat the above steps on each of the remaining physical Password Manager Service computers.

7. Export the service data from one service computer and import it to all the others.

a. On one of the physical Password Manager Service computers, open a command prompt and navigate to the Password Manager Service tools directory.

By default, the directory is \Program Files\Citrix\MetaFrame Password Manager\Service\Tools\.

b. Run the CtxMoveServiceData utility to export the service data to a file.

The following command creates a password-protected file (CPMServiceData.dat) in the Tools directory. The file contains AKR.dat, Prov.dat, PrivateKeyCert.cert, and PublicKeyCert.cert. Although CPMServiceData.dat is encrypted with the password you supply, it must still be kept secure: the files inside it are the encryption keys used by the various service modules, and anyone who obtains the file and its password holds the service's key material. Citrix recommends keeping this file because it can be used in recovery scenarios; store the retained copy in controlled, offline storage rather than on the service computers or on a share.

Type ctxmoveservicedata.exe -export CPMServiceData.dat and type a strong password.

c. On the remaining physical Password Manager Service computers, run the CtxMoveServiceData utility to import the service data from the file. With CPMServiceData.dat copied to the computer, type ctxmoveservicedata.exe -import CPMServiceData.dat and type the password. When prompted to replace the AKR.dat, Prov.dat, and certificate files, click Yes. Delete the copy of CPMServiceData.dat from each computer once the import has succeeded.

8. Restart each of the Password Manager Service computers.
