Introduction
Self Service Password Reset (SSPR) is a technology that allows users to enroll and answer a series of questions, which then allows them to reset their password later on should they forget it.
Before setting up SSPR you need to have Citrix StoreFront setup and secured with an SSL Certificate, and an SSL certificate available to use for the SSPR server. You also need to have Platinum XenDesktop licensing to use this feature. I also have a small XenDesktop 7.11 environment setup so that I can test successful launching of applications after a password reset.
Environment Overview
Below is a diagram of the virtual environment I have created for this lab:
Not too much to setup for this – this lab was created in a virtual environment, utilising PFSense as the gateway. I also have a client machine, and a XenDesktop infrastructure setup which aren’t in the picture. All VMs are running Windows Server 2012R2, and are 1vCPU and 4GB RAM. All storage is across SDDs local to the VMware host.
SSPR Setup:
The installation media for Self Service Password Reset is included on the XenDesktop 7.11 Media:
Installation is fairly straightforward – the next few screenshots cover the install process:
Installation of SSPR is now completed – and we can start configuring everything.
IIS Changes
We need to configure a few basic IIS settings on the SSPR Server – these are detailed below:
Install an SSL Certificate:
Firstly, we need to open the IIS Management console, and open Server Certificates:
You will need to specify a certificate for use with the service, and then bind that to the default website. In my case I have used a self signed certificate, which I have installed on both the SSPR and StoreFront servers in this lab:
Bindings adjusted as per the below screenshot:
Adjust the Authentication Settings:
As per the Citrix article https://docs.citrix.com/en-us/self-service-password-reset/1-0/secure.html you will need to adjust the authentication settings for the MPMService website. Open the MPMService Website in the IIS Management Console:
Click on Authentication, then Windows Authentication, and then Advanced Settings:
Un-tick “Enable Kernel-mode authentication”:
Click “OK” and then click on “Providers”:
Add “Negotiate:Kerberos” and remove all other Providers:
Click OK. Then browse back to the MPMService Website in the IIS Management Console, and ensure that under SSL Settings, “Require SSL” is selected:
Click “Apply” and then close the IIS Management Console.
Setting up the Self Service Password Reset Server
Before running the setup of SSPR, you’ll need two service accounts ready for use. I’ll cover off the permissions needed for each account later on in this post:
| Account Name |
Usage |
Function |
| svc-ssprdataprox |
Data Proxy Account |
Reads and Writes data to the Store. |
| svc-ssprselfservice |
Self-Service Account |
Unlocks accounts and resets passwords on user AD Objects. |
To start the SSPR setup process, log onto the server running SSPR and click on “Citrix Self-Service Password Reset Configuration”:
The console then loads are you are presented with the following:
Before any configuration, we need to create a central store, as per the Citrix Article http://docs.citrix.com/en-us/self-service-password-reset/1-0/install-configure.html
To do this, use the Server Manager console, and then click on “File and Storage Services”, and then “Shares”:
Click on “Tasks” and then “New Share…”
Continue with the “SMB Share – Quick” option:
Select “Type a custom path”:
Then create a new folder – mines call “SSPRShare” below and click “Select Folder”:
Click Next, and then type the share name as “CITRIXSYNC$” and click Next:
Select “Access Based Enumeration”, uncheck “Allow caching of share”, and select “Encrypt data access”:
Click Next and then “Customise Permissions”, and then “Disable Inheritance”:
Select “Convert inherited…”, and then remove all users except for CREATOR OWNER, SYSTEM, and the Local Administrators Group:
We then need to modify the permissions assigned to creator owner, so that the permissions are as follows:
We also then need to add the Data Proxy Account we created earlier with Full Control of the Share. And Also the NETWORK SERVICE account with Read Permission:
Once this is done, we create two subfolders “CentralStoreRoot” and “People”. The Data Proxy Accounts requires full control of these folders:
Once this is done, we can go back to the SSPR Setup Console:
Click on “Service Configuration”, and then on “New Service Configuration” on the right hand side:
We have already setup the Central Store, and installed an SSL Certificate – so we can press next, and enter the UNC path to our Central Store:
Press “Next” and then tick the correct Domain, and select “Properties” – for this guide I will be configuring a single domain only for SSPR. Then we need to enter the details of the Service Accounts we created:
Enter the Account Details and press OK, and then press Next. The SSPR Password Reset service is then created:
Click on Finish, and then we are taken back to the Console. Next we need to create the user configuration, by selecting the User Configuration pane, and then clicking “New User Configuration” on the right hand side. We can now choose an LDAP Path or an AD Group for the users eligible for Self Service Password Reset – I’m choosing an AD group 🙂
Click on Next, and enter the License Server Name:
We can now configure the options users will have when using the service – either a password reset, and/or the ability to unlock their account. I’m going to allow them to use both. Also, we need to enter the URL to the SSPR Service, which in my case, is the server name:
Then we can click “Create” and the User Configuration is created. Next we move into Identity Verification – this is where the questions come in!
Back in the main console, click on “Identity Verification”, and then “Manage Questions” on the right hand side. We then need to select the Default Language, and choose whether to mask answers. I’m going to use English and choose not to mask answers for this Lab Setup:
After clicking “Next”, we can customise the questions and add more or create a new Group of questions. I’ve customised a couple of the default questions for demonstration purposes:
Once you are happy with the questions created, click “Next”, and the ordering of questions can be adjusted. Once happy – click Finish, and the configuration is completed.
Delegation of Active Directory Rights for the Self Service Account
Before we can setup StoreFront to use the SSPR Service, we need to delegate permissions to the AD Account used for Password resets and account unlocking – the Self Service Account. We will do this in Active Directory with the Delegation of Control Wizard. Note: you will need to delegate to control to all OUs where users of the SSPR system reside.
First, we select the Self Service account we have created:
And then click “Next”:
Select “Create a custom task to delegate”. Then select “Only the following objects in the folder” and select “User objects”:
In the next window select “General” and “Property Specific”:
Ensure that the following permissions are checked, and then press next:
- Read lockoutTime
- Write lockoutTime
- Reset Password
- Change Password
- Read userAccountControl
- Write userAccountControl
- ReadpwdLastSet
- WritepwdLastSet
Click “Finish” and then the delegation has been setup for the Self Service Account. We can now move on and configure Citrix StoreFront.
Configuring Citrix StoreFront for Password Self Service
To begin, open the StoreFront Console, and visit the Store you wish to add the SSPR Site to:
Then click on “Manage Authentication” on the right hand side:
Click on the settings option next to “User name and password”, and then select “Configure Account Self-Service”:
Next, choose “Citrix SSPR” from the drop down list:
And then press “Configure”. Then tick the boxes for “Enable password reset” and “Allow account unlock”, and then enter the URL to the SSPR Server:
Click OK 3 times, until you are back to the main StoreFront Console.
SSPR is now setup – and we can test with a user!
SSPR Signup Process and Testing
Now we have SSPR setup – we can begin the signup process and start testing. To do this, log into StoreFront with a user account that is a member of the AD Group we assigned in the SSPR Console (SSPR_Users in my case). You will then see the following extra “Tasks” option when you are logged in:
When we click on tasks, we can enroll in the Self Service Password Reset system:
Click on “Manage Security Questions” – before we can proceed we are required to authenticate again:
We will now see the security questions we defined earlier – and can provide answers:
Once these have been completed – we are presented with the following screen:
This means that the user is now enrolled and can use the Self Service Password Reset system.
Testing Self Service Password Reset:
Now that we have enrolled – we can make use of the SSPR System. If we visit the StoreFront website we also see an additional section of the login screen, labelled as “Account Self-Service”:
When a user who has forgotten their password visits the site, they can click on “Account Self-Service” to start the password reset process. For this test I will assume the role of a user who has forgotten their password. So I clicked on “Account Self-Service” then then selected the “Reset password” option:
After Clicking “Next” I am presented with the following screen, where I enter my username in the format domain\username, and then click “Next”:
After this, I am presented with the Questions that we previously setup, and answered for this test user:
After answering all 4 questions, I am presented with a change password dialogue:
A new password can be entered and “Reset” pressed:
The user’s password has now been changed, and we can login to our published resources – all without the need for any helpdesk calls.
