Custom extensions for Citrix Password Manager

***NOTE: As with all Tips and Tricks we provide on the IDMWorks blog, use the following AT YOUR OWN RISK.  We do not guarantee this will work in your environment and make no warranties***

Whether installed as a standalone solution or as a feature of a Citrix XenApp farm, Citrix Password Manager (CPM) provides a secure and effective Single Sign On (SSO) solution.  Users benefit from no longer having to remember (or worse, jot down on scrap paper) the numerous credentials needed to access the systems they use.  Organizations benefit from reduced Help Desk/Password Reset activities and greater control over user credentialing processes.  Add in provisioning services, Windows account reset, and Smart Card integration and you have a solution that can rapidly fill many pressing security needs.  Complexity associated with installation and configuration of the system is driven largely by the existing infrastructure and applications, but Citrix does a fairly good job of limiting the moving pieces and the installation process is straightforward.  Basically you’ll need to get 4 things in place:

  1. A Central Store to keep all those credentials.  Citrix supports Active Directory, NTFS File Share, and Novell shared folder repositories.
  2. A client side application to retrieve credentials from the Central Store, cache them to the local machine, and submit them to the application.
  3. A License Server, as Citrix has this crazy notion about getting paid for some reason.
  4. Application definitions that define how CPM should identify and react to applications of interest.

For Application Definitions, Citrix provides a tool cunningly called the Application Definition Tool that walks you through the process.  Definitions can be created to handle Logon events as well as Password change events.  The latter includes Password Format validation designed to help the user (or even CPM itself) create a password that meets each application’s strength, length, and complexity requirements.  CPM provides these wizards for typical Windows applications, Web based applications, as well as Host based applications presented to the user in an HLLAPI compliant emulator.  Each has its individual quirks, but most technical professionals, even managers, will find the process straightforward.

There are times, however, when even the best efforts of Citrix and the Application Definition Tool are not up to the task.  For those situations CPM allows you to call external applications that can manage credential submission.  The external applications can be written in any Windows compliant language, and once again Citrix provides a fairly straightforward path.  Again, a quick look at the moving parts:

  1. An Application Definition is still required to identify the application of interest.  The key difference, however, is that instead of (or in addition to) having CPM take actions upon the application itself, CPM executes your custom extension.  Since the user’s local credential store is encrypted and inaccessible to any other application, CPM can be instructed to pass credential information to the external application as command line parameters.
  2. Since the Application Definition is only told the name of the executable, a registry key of the same name must exist at [HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\MetaFrame Password Manager\Extension\{ExtensionName}], where {ExtensionName} is replaced with the name that you gave to the Application Definition.  Of the several values that need to be set in the key, there are two that are the most interesting.  The ‘Executable’ value must contain the path to the extension’s compiled binary.  The ‘Arguments’ value contains any command line parameters that you would like passed.  For instance, a value of “/u $_USERNAME /p $_PASSWORD” will pass the UserName and Password for the extension’s use.
  3. The extension itself, placed in the folder identified in the key above.

Each of these elements must be installed on each client machine that will use the extension, but once it is, the possibilities are endless.  As compiled Windows applications, extensions have the ability to access any and all services available to any other application.  In addition, they could be used to access other systems that may be in place.  External auditing applications, usage tracking services, extended logging, real time centralized validation... literally any application or service that you have, or want to create, can be accessed and integrated into your custom extension.
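As an added example (not Citrix’s or IDMWorks’ code), here is a minimal extension in C that parses the “/u $_USERNAME /p $_PASSWORD” convention from the ‘Arguments’ value, rejects a missing, repeated or unknown switch, and zeroes the credential buffers as soon as they have been used; the struct and function names are my own.

```c
#include <ctype.h>
#include <string.h>

typedef struct { char user[256]; char pass[256]; } cpm_creds;

/* Copy one argument value; an empty value or one that would not fit is an error. */
static int copy_value(char *dst, size_t dstlen, const char *src) {
    size_t n = strlen(src);
    if (n == 0 || n >= dstlen) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Parse argv in the "/u USERNAME /p PASSWORD" form that an Arguments value of
 * "/u $_USERNAME /p $_PASSWORD" produces. Switches are case-insensitive and may
 * come in either order. Returns 0 on success, -1 on any malformed command line. */
int parse_extension_args(int argc, char **argv, cpm_creds *out) {
    int have_u = 0, have_p = 0;
    memset(out, 0, sizeof *out);
    for (int i = 1; i < argc; i++) {
        const char *sw = argv[i];
        if (strlen(sw) != 2 || sw[0] != '/' || i + 1 >= argc) return -1;
        const char *val = argv[++i];
        switch (tolower((unsigned char)sw[1])) {
        case 'u':
            if (have_u++ || copy_value(out->user, sizeof out->user, val)) return -1;
            break;
        case 'p':
            if (have_p++ || copy_value(out->pass, sizeof out->pass, val)) return -1;
            break;
        default:
            return -1;                       /* unknown switch */
        }
    }
    return (have_u && have_p) ? 0 : -1;    /* both credentials are required */
}

/* Zero both buffers after submission; the volatile pointer stops the compiler
 * from discarding the stores as dead writes. */
void wipe_creds(cpm_creds *c) {
    volatile unsigned char *p = (volatile unsigned char *)c;
    for (size_t i = 0; i < sizeof *c; i++) p[i] = 0;
}

int main(int argc, char **argv) {
    cpm_creds c;
    if (parse_extension_args(argc, argv, &c) != 0) return 2;  /* bad Arguments value */
    /* ...submit c.user and c.pass to the target application here... */
    wipe_creds(&c);
    return 0;
}
```

Because CPM hands the credentials over on the command line, any process on that client able to read other processes’ command lines can see them for as long as the extension runs, so consume them immediately and keep the extension’s lifetime short.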

Questions? Feel free to ask away at IDMWorks.