This article contains information about the usage of Windows Service account SIDs and Application Pool Identities to secure Receiver StoreFront.
Requirements
Review the system planning eDocs page listed in the following link:
Plan your StoreFront deployment
Use of Per Service SIDs
Receiver StoreFront uses per-service SIDs to grant the Windows services installed during initial configuration fine-grained permissions on the resources they need.
The following image illustrates the Citrix Configuration Replication Service installed during the StoreFront initial deployment.

The service is configured to log on as the “Network Service” account. However, this account has minimal privileges and does not have the permissions required to replicate a StoreFront configuration. These include:
- Creation, export, and import of certificates from the local store.
- Read/write access to the registry.
- Access to “Program Files\Citrix\<StoreFrontLocation>”.
- Add and remove IIS app pool identities, local user groups and firewall rules.
- Add and remove Windows services and PowerShell snap-ins.
To enable the service to perform these functions, the service identity is added to the necessary group (Administrators). It appears as “NT SERVICE\CitrixConfigurationReplication (SID-X-XXX-XX-X…..)”.
If a GPO restricts membership of the Administrators group, or permissions on the group are reduced, the Citrix Configuration Replication and Citrix Cluster Join services will not work, and the policy might need to be amended to allow the service identities to be added with the correct privileges.
The error reported in the local Event Viewer will usually indicate that the service is too busy in these circumstances.
In addition to NT SERVICE\CitrixConfigurationReplication, the service account NT SERVICE\CitrixClusterService adds itself to the local administrators group at join time with StoreFront 2.0 and must remain there to function correctly.
The Citrix Peer Resolution Windows service provides features used by other StoreFront services. When installed, it adds a local Windows group named “CitrixPNRSUsers” for the accounts that are permitted to use those features.
In the following image, the Citrix Credential Wallet and Citrix Subscriptions Store Windows services have been allowed access to the Citrix Peer Resolution service.

Use of Application Pool Identities
Receiver StoreFront creates three Application Pool Identities, which are used to grant access to the Windows services installed by StoreFront and to isolate the processes of each web application:
- Citrix Delivery Services Authentication is used for the Authentication web application.
- Citrix Delivery Services Resources is used for the Store(s), Roaming, AGServices, and PNAgent web applications.
- Receiver for Web creates an additional Application Pool: Citrix Receiver for Web used for all Receiver for Web websites.
The following image lists the Application Pool identities as they appear in IIS after completing the initial StoreFront deployment.

The IIS process for each web application can be seen running in the Task Manager using the specified App Pool Identity.

Each StoreFront web application runs under a unique account defined by its App Pool Identity. To grant the application the permissions it needs to access services and resources, that identity is added to the appropriate Windows user group.
In the following example, the Citrix Delivery Services Resources and Citrix Delivery Services Authentication App Pool identities are added as members of the CitrixCWServiceReadUsers group, granting them read-only access to the Citrix Credential Wallet Windows service.
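As an added example (not from the Citrix article or the StoreFront product), the PowerShell audit below checks that the group memberships described in this article are actually in place, which is the first thing to verify when a GPO restricts the Administrators group. It assumes Windows PowerShell 5.1 or later for Get-LocalGroupMember, an elevated session on the StoreFront server, and the group, service and app pool names exactly as shown above.

```powershell
# Added audit script, not part of the Citrix article: checks that the per-service SIDs
# and App Pool identities described above hold the group memberships StoreFront expects.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) run elevated on the server.

$Expected = @{
    'Administrators'           = @('NT SERVICE\CitrixConfigurationReplication',
                                   'NT SERVICE\CitrixClusterService')
    'CitrixCWServiceReadUsers' = @('IIS AppPool\Citrix Delivery Services Resources',
                                   'IIS AppPool\Citrix Delivery Services Authentication')
}

function Resolve-AccountSid {
    param([string]$Account)
    # NT SERVICE\<svc> and IIS AppPool\<pool> are virtual accounts; LSA derives their
    # SIDs (S-1-5-80-... and S-1-5-82-...) from the name, so translation works locally
    # once the service or app pool exists. Returns $null if it cannot be resolved.
    try {
        (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { $null }
}

$problems = @()
foreach ($group in $Expected.Keys) {
    # Compare by SID rather than display name, which differs between tools.
    $memberSids = @(Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
                    ForEach-Object { $_.SID.Value })
    foreach ($account in $Expected[$group]) {
        $sid = Resolve-AccountSid $account
        if (-not $sid) {
            $problems += "$account cannot be resolved (service or app pool missing?)"
        } elseif ($memberSids -notcontains $sid) {
            # A GPO that enforces Administrators membership typically strips these entries.
            $problems += "$account ($sid) is not a member of $group"
        }
    }
}

# The replication service should still log on as Network Service; its extra rights
# come from the per-service SID's group membership, not from the logon account.
$svc = Get-CimInstance Win32_Service -Filter "Name='CitrixConfigurationReplication'"
if ($svc -and $svc.StartName -ne 'NT AUTHORITY\NetworkService') {
    $problems += "CitrixConfigurationReplication logs on as $($svc.StartName), expected Network Service"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output 'StoreFront service SID and App Pool identity memberships look correct.'
```

If a group contains an orphaned SID, some builds of Get-LocalGroupMember stop enumerating and the check reports false negatives; remove the orphaned entry from the group and rerun.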


Additional Resources