Installation and Configuration | Self-Service Password Reset 1.1.x (2023)

June 15, 2020


Installation checklist

Before starting the installation, complete the following checklist:

Step
  • Select the computers in your environment on which to install the software and prepare them for installation. See System Requirements.
  • Install the TLS certificates and accounts required by the service. See Security and Account Requirements in System Requirements.
  • Install the license server or update it to at least version 11.13.1.2. Download the license server from https://www.citrix.com/downloads/licensing.html. For more information, see License Server Documentation.

Installation and configuration sequence

Citrix recommends installing self-service password reset in the following order:

  1. Create a central store. See Create a central store.
  2. Install self-service password reset. To install the service and run the service setup wizard, your logon account must be a domain user and a member of the local Administrators group on the server. For more information, see Install and configure self-service password reset.
  3. Use the console to configure self-service password reset. See Install and configure self-service password reset.
  4. Configure self-service password reset in StoreFront. See Configure StoreFront.
  5. Make sure self-service password reset is configured securely. See Security configuration.

Create a central store

For security reasons, we recommend that you create the central store directly on the computer running the self-service password reset service. For deployments that require multiple self-service password reset servers, you can host the central store on a remote network share if both the self-service password reset server and the server hosting the share support SMB encryption.

This feature is only available on Windows Server 2012 R2 or Windows Server 2016.

Create a data proxy account

Create a normal domain user as the data proxy account. Do not configure users in the Domain Admins/Local Admins group as data proxy accounts.

Create a central store for Windows Server 2012 R2 or Windows Server 2016

If you are using Windows Server 2012 R2 or Windows Server 2016 as your self-service password reset server and central store, you can use a remote network share (if configured as described in this section). Ensure that Encrypt data access is selected and follow the instructions given in Security configuration.

  1. To start the New Share Wizard, open Server Manager. On the File and Storage Services details page, select Shares in the left pane, and click Tasks > New Share.

  2. Select Select Profile in the left pane, select SMB Share - Quick, then click Next.

  3. Select Share Location in the left pane. From the list, select the server on which to create the new share and the volume on which to create the new share, and click Next.

  4. Select Share Name in the left pane, enter a name for the new share, for example CITRIXSYNC$, then click Next.

  5. Select Other Settings in the left pane, select Encrypt data access, clear Allow caching of share, then click Next.

  6. To customize share permissions, select Permissions in the left pane, then select Customize permissions > Share.

  7. To adjust NTFS permissions, click Disable inheritance and select Convert inherited permissions into explicit permissions on this object.

  8. Click the Permissions tab, remove all users except CREATOR OWNER, Local Administrators, and SYSTEM, and add the data proxy account you created with Full Control permission.

  9. Select CREATOR OWNER, then click Edit. Clear the following permissions:

    • Full control

    • Delete subfolders and files

    • Change permissions

    • Take ownership

  10. Select the Share tab, remove Everyone, and add the data proxy account with Full Control, Local Administrators, and Domain Administrators.

  11. Select Confirmation in the left pane of the New Share Wizard, review the currently selected share settings, click Create to start creating the new folder, then click Close.

  12. Create two subfolders in the CITRIXSYNC$ shared folder: CentralStoreRoot and People.

Important: Make sure your data proxy account has Full Control of these two subfolders.

You must configure EncryptData, RejectUnencryptedAccess, and RequireSecuritySignature for the self-service password reset central store. For more configuration information, see the following Microsoft articles:

  • https://docs.microsoft.com/en-us/powershell/module/smbshare/set-smbserverconfiguration
  • https://docs.microsoft.com/en-us/powershell/module/smbshare/set-smbshare
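The SMB settings named above, together with the share and NTFS permissions from the wizard steps, can be applied and then audited from PowerShell. The script below is an added example, not part of the Citrix documentation; it uses the page's example share name, and the account `CONTOSO\svc-sspr-proxy` is a placeholder for your data proxy account.

```powershell
# Added example (not Citrix's): apply and audit the central store share settings
# described on this page. Run elevated on the server that hosts the share.
$ShareName    = 'CITRIXSYNC$'             # example share name from step 4
$ProxyAccount = 'CONTOSO\svc-sspr-proxy'  # placeholder data proxy account

# Server-wide SMB settings. EncryptData and RejectUnencryptedAccess set here apply
# to every share on this server, so clients without SMB 3 encryption lose access.
Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true `
    -RequireSecuritySignature $true -Force
# Per-share settings: encrypted access on, offline caching off (step 5).
Set-SmbShare -Name $ShareName -EncryptData $true -CachingMode None -Force

$findings = New-Object System.Collections.Generic.List[string]

# 1. SMB server configuration: all three flags must be enabled.
$server = Get-SmbServerConfiguration
foreach ($name in 'EncryptData', 'RejectUnencryptedAccess', 'RequireSecuritySignature') {
    if (-not $server.$name) { $findings.Add("Server setting $name is not enabled") }
}

# 2. Share settings.
$share = Get-SmbShare -Name $ShareName
if (-not $share.EncryptData) { $findings.Add('Share does not require encrypted access') }
if ("$($share.CachingMode)" -ne 'None') { $findings.Add('Share caching is still allowed') }

# 3. Share permissions: Everyone removed, data proxy account has Full Control (step 10).
$access = @(Get-SmbShareAccess -Name $ShareName)
if ($access.AccountName -contains 'Everyone') { $findings.Add('Everyone still has share access') }
$proxyShare = $access | Where-Object {
    $_.AccountName -eq $ProxyAccount -and "$($_.AccessControlType)" -eq 'Allow' -and
    "$($_.AccessRight)" -eq 'Full'
}
if (-not $proxyShare) { $findings.Add("$ProxyAccount lacks Full Control on the share") }

# 4. NTFS: inheritance disabled (step 7), both subfolders present with Full Control.
$full = [System.Security.AccessControl.FileSystemRights]::FullControl
if (-not (Get-Acl -Path $share.Path).AreAccessRulesProtected) {
    $findings.Add('NTFS inheritance is still enabled on the share folder')
}
foreach ($sub in 'CentralStoreRoot', 'People') {
    $path = Join-Path $share.Path $sub
    if (-not (Test-Path -Path $path -PathType Container)) {
        $findings.Add("Missing subfolder $path"); continue
    }
    $rule = (Get-Acl -Path $path).Access | Where-Object {
        $_.IdentityReference.Value -eq $ProxyAccount -and
        "$($_.AccessControlType)" -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    }
    if (-not $rule) { $findings.Add("$ProxyAccount lacks Full Control on $path") }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "Central store share $ShareName matches the required settings." }
```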

Install and configure self-service password reset

  1. Install self-service password reset using the Citrix Virtual Apps and Desktops installer.
  2. After installing Self-Service Password Reset, click Start > All Programs > Citrix > Citrix Self-Service Password Reset Settings to configure the Citrix self-service password reset service.
  3. After opening the console, follow three basic procedures to configure the service.

Service configuration

Before configuring the service, make sure you have created a central store, a data proxy account, and a self-service account.

  1. Select Service configuration in the center pane, and click New service configuration in the right pane.

  2. On the Central store location screen, specify the central store location, and click Next.

  3. On the Domain configuration screen, select the domain for which you want to enable self-service password reset and click Properties.

  4. Specify the Data Proxy Account user name and password and the Self-Service Account user name and password, and click OK.

  5. Click Next to apply all settings.

  6. Click Finish to complete the setup.

User settings

  1. In the left pane, select User settings, then click New user settings in the right pane.

  2. On the User profile name screen, define the target user groups for the self-service password reset service, add users/groups/OUs from Active Directory, and click Next.

  3. On the Configure license screen, specify the license server and click Next.

  4. On the Enable self-service password reset screen, use the check boxes to specify whether users can reset their Windows passwords and unlock domain accounts without administrator intervention, specify the port and address for the service, and then click Create.

For more information on managing user settings, see Manage user settings.

Authentication

  1. In the left pane, select the Authentication node, and click Manage questions in the right pane.
  2. On the Question-Based Authentication screen, select the default language, use the check boxes to enable or disable hiding security question answers, and click Next.
  3. On the Security Question screen, click Add question, enter your question in the text box, click OK, then click Next.
  4. On the Questionnaire screen, click Add and select a question. You can reorder your questions and groups with the Move up and Move down buttons. After completing this page, click Create and OK.

For more information on how to manage authentication questions, see Manage your authentication questions.

Manage user settings

User settings allow you to control the behavior and appearance of the interface when users log into Storefront. Creating a new configuration is the final step that must be performed before providing self-service password reset to users in your environment. You can edit existing user settings at any time.

A user setting is a unique set of settings that can be applied to a user associated with an Active Directory hierarchy (organizational unit [OU] or individual user) or an Active Directory group.

A user configuration consists of the following elements:

  • Users associated with Active Directory domain hierarchies (organizational units or individuals) or Active Directory groups

Important: Distribution groups and domain local groups are not supported in Active Directory mixed mode.

  • license server
  • Self-service features (account unlock and password reset)

Before creating a user configuration, make sure you have created or defined the following:

  • central store
  • service configuration

Create user profile:

  1. Click Start > All Programs > Citrix > Configure Citrix Self-Service Password Reset.
  2. In the left pane, select the User settings node.
  3. From the Action menu, click Add new user profile.

To add users, organizational units or groups:

The User profile name page of the User settings wizard allows you to associate a user profile with a user.

User settings association:

You have two options: associate users by Active Directory hierarchy (organizational unit or individual user) or by Active Directory group. If necessary, you can associate the user's settings with another hierarchy or group by clicking Edit user settings in the Action menu.

Associating user settings with groups is supported only in Active Directory domains using Active Directory authentication.

Select an organizational unit, user, or group on the User profile name page (from the Add New User Profile or Edit User Profile wizard).

Note: We recommend that you do not include any privileged accounts (for example, local administrators or domain administrators) in the group of users whose passwords the self-service password reset account can reset. Use a new dedicated group.

To set up a license:

The Configure license page of the User settings wizard allows you to configure the license server used by the self-service password reset service.

Note: Unlock and reset is only available if you have Citrix Virtual Apps or Citrix Virtual Desktops Platinum Edition.

Enter the license server name and port number on the Configure license page (from the Add New User Profile or Edit User Profile wizard).

To enable unlock or reset:

Self-service password reset allows users to reset Windows passwords and unlock domain accounts without administrator intervention. On the Enable self-service password reset page, you can choose which features to enable.

Choose the features you want your users to use, Unlock or Reset, on the Enable self-service password reset page (from the Add New User Profile or Edit User Profile wizard).

Configure blacklist:

IT administrators can add users and groups to blacklists. Blacklisted users and groups cannot use any self-service password reset features, including registration, account unlock, and password reset. Also, blacklisted users cannot see Task in Citrix Workspace app after logging in.

To configure the blacklist:

  1. Click Start > All Programs > Citrix > Citrix Self-Service Password Reset Settings.
  2. In the left pane, select User settings, then click Blacklist configuration in the right pane.
  3. Use the Add and Delete buttons to add and remove users or groups from the blacklist.

Manage your authentication questions

Authentication in the Citrix Self-Service Password Reset configuration console provides a central location to manage all security related to authentication, self-service password reset, and account unlocking. You can customize your own security questions and create question groups based on the default list of questions.

  • If you edit an existing default question after users have registered their answers, consider the implications of the edited question. Editing a question does not force the user to re-register. However, the user who originally answered the question may not be able to provide the correct answer if the meaning of the question changes.
  • Adding, removing and replacing security questions after user registration means that any user who previously registered with the previous set of questions will not be able to verify or reset their password until they register again. Users must answer a new set of questions when they open the task app in Citrix Workspace app.
  • A single security question can belong to multiple security question groups. When you create a security question group, any questions you create can be used in any security question group.

Use the following steps to access the settings referred to in the procedures below:

  1. Click Start > All Programs > Citrix > Configure Citrix Self-Service Password Reset.
  2. In the left pane, select the Authentication node.
  3. From the Action menu, click Manage questions.

Set default language:

In most cases, users will see security questions in the language associated with their current user profile. If that language is not available, Self-Service Password Reset displays questions in the specified default language.

  1. Click Start > All Programs > Citrix > Configure Citrix Self-Service Password Reset.
  2. In the left pane, select the Authentication node.
  3. From the Action menu, click Manage questions.
  4. From the Default language drop-down list on the Question-Based Authentication page, choose a default language.

To enable security answer masking:

Masking security answers provides users with an additional level of security when recording answers to security questions or providing answers during authentication. When this feature is enabled, user responses are hidden. During the answer registration process, users are asked to enter their answers twice to avoid typos and misspellings. Users only need to enter their answer once during the authentication process, as they are prompted to try again if it fails.

Select Mask answers to security questions on the Question-Based Authentication page.

To create a new security question:

You can create many different questions and assign a language to each question. You can also provide multiple translations for a question. Registration in Citrix Workspace app presents the questionnaire to the user in the language that matches the user's profile language setting. Self-Service Password Reset displays questions in the default language if that language is not available.

Note: When you specify a language for your security question, the question is displayed to users whose operating system settings are configured for the specified language. If the selected operating system setting does not match any of the available questions, the user is presented with the default language you selected.

  1. From the Language drop-down list on the Security Question page, choose your language and click Add question. The Security Question dialog box appears.
  2. Create the new question in the Security Question dialog box.

Important: Use the Edit button to include translated text for an existing question. If you choose Add question, you create a new question unrelated to the original question.

Add or edit the text of an existing question:

Adding, removing and replacing security questions after user registration means that any user who previously registered with the previous set of questions will not be able to verify or reset their password until they register again. Users must answer a new set of questions when they open the task app in Citrix Workspace app. Editing a question does not force the user to re-register.

Important: If you edit an existing question, be careful not to change its meaning. This can cause a mismatch in user responses during reauthentication. This means that the user can enter a different answer that may not match the saved answer.

  1. Choose a language from the Language drop-down list on the Security Question page.
  2. Select a question and click Edit.
  3. Edit the question in the Security Question dialog box.

To create a set of security questions:

You can create security questions that users answer to prove their identity. Every question you add to a questionnaire must be answered by a user. However, you can also group these questions into a set of security questions.

For example, by grouping questions, you can add a set of six questions to your questionnaire and allow users to choose from that set, such as answering three of the six questions. This gives users the flexibility to choose questions and answers for authentication.

  1. Click Add group on the Security Question page.
  2. In the Security Question Group dialog box, name the group, choose questions, and set the number of questions users must answer.

To edit a set of security questions:

Select the security question group to be edited and click Edit on the Security Question page. The Security Question Group dialog box appears with a list of security questions that you can add to the group. Questions currently in the group are marked with a check mark. Here you can edit the name of the group, add questions to the group, and choose how many questions the user must answer for the group.

To add or delete existing questionnaires:

Add or remove security questions and question groups from questionnaires. Move the questions up and down into the order in which you want them presented to the user. If the questionnaire changes, notify users to log in to StoreFront and re-register.

  1. Click Add on the Questionnaire page to add questions or groups to your questionnaire.
  2. Click Delete to remove a question from the questionnaire.
  3. Click Move up or Move down to change the order of the questions.

To import or export security questions:

You can import or export security questions and group data.

  1. Click Start > All Programs > Citrix > Configure Citrix Self-Service Password Reset.
  2. In the left pane, select the Authentication node.
  3. From the Action menu, click one of the following options:

    Import security questions: Specifies the file location from which to import security question and group data.

    Export security questions: Specifies the location of the file to which security questions and group data should be exported.

Article information

Author: Fr. Dewey Fisher

Last Updated: 10/10/2023
