Citrix MetaFrame Conferencing Manager 3.0

Citrix MetaFrame
Password Manager 2.5
Codename – “Andros”
Release Date – May 24, 2004 (projected)
Citrix MetaFrame Password Manager 2.5 - Release Theme
• Theme: “Broadening Support”
• Goals:
– Increase the addressable market
• Novell customers
• German/French/Spanish/Japanese languages
• Certificate based smart cards
– Maintain Market Momentum
• Timely release after MetaFrame Password Manager 2.0
– Implement new Citrix branding
New Features – Novell Support
• MPM 2.5 can be used with Novell’s GINA
– Primary authentication against Novell eDirectory
– eDirectory is not supported as a credential store
• Netware file share support
– Allows use of Netware file share for central credential store
– New CtxNWFilePrep.exe utility
• Establishes directory structure and privilege/trust set
New Features – Novell Support
• Most Citrix/Novell customers use ZENworks’ Dynamic Local User (DLU) feature
– Windows username and password must match Novell username and password.
– Enable Volatile User – to remove user credentials upon exit.
– Synchronizes the user’s Novell and local NT passwords, so the user doesn’t have to enter two passwords
New Features – Multi-factor Authenticators
• Enhanced support for smart cards, tokens, biometrics, and proximity devices:
– Support for user certificate-based (X.509 PKI) network authentication
– Re-authentication via workstation lock (secure attention sequence Ctrl+Alt+Del), which reverts to the network authentication GINA
New Features – Multi-factor Authenticators
• Product testing with an ever-growing list of vendors (14 announced on March 23)
– Smart cards: ActivCard, Axalto (Schlumberger), GemPlus, LOGICO, Netmaker
– Biometrics: BioNet Systems, EKey, Identix, SAFLINK, Integrated Biometrics
– Tokens: RSA, Secure Computing, VASCO, CRYPTOCard, Aladdin, PassGo
– Proximity: Ensure
• Vendor participation via a Security Partner program
New Features – Extended Application Support
• Java and ActiveX based applications
– MPM 2.5 introduces support for ActiveX controls, JavaScript and Java applets
– Depending on difficulty level this may require services from Citrix Consulting
• Must create both a Web app def and a Windows app def
• Must export INI file, edit to add new settings, re-import
• Drop Down Menus
– Previously (MPM 2.0), drop-down menus could be handled only via SendKeys or manual selection
• Send arrow keys or first letter of menu item
– MPM 2.5 provides automated drop-down menu selection for Win32 (except .NET) and Web apps
New Features – Extended Application Support
• Improved Terminal Emulation Support
– New configuration setting for terminal emulators that don’t write the location of their HLLAPI DLL in the registry
• e.g. BOSaNOVA
• Support for Long URLs
– Previously (in MPM 2.0), URLs in excess of 256 characters could only be handled by substring matching
– MPM 2.5 supports strict matching of very long URLs
New Features – Extended Application Support
• Difficult Applications
– MPM 2.5 supports several unusual window characteristics
• No window title
• Dynamic (variable) window title
• Dynamic class name
– Examples:
• Cerner medical apps (no window title or variable title)
• McKesson PCView32 (dynamic class name)
– Substring matching is now available for Win32 apps
New Features – Logging Tool
• Can be enabled when required to collect data on application detection and credential insertion
– Intended to help troubleshoot difficult applications
– For use by Technical Support or Citrix Consulting
• Enabled by creating a “Log” registry entry
– HKLM\Software\Citrix\MetaFrame Password Manager\Log
– Provides agent logging
• No security-sensitive data is written to the log
New Features – Improved End User Interface
• Confirmation of Agent Detection
– End users are now asked to confirm whether the agent properly recognized the login fields and submit button
– Prevents users from incorrectly configuring the agent
– Directs them to their administrator for more complex applications
New Features – Improved End User Interface
• Improved Identity Verification
– MPM 2.0
• Default question: Enter generic answer.
• Likely to cause user confusion
– MPM 2.5
• Default question: What is your identity verification phrase?
• Minimum length of response to default question increased from 8 to 12 characters for improved security
• New admin option to eliminate the default question if one or more other questions have been defined
New Features – Improved End User Interface
• Identity Verification UI
– Better end user description
– New default verification question.
– Default answer now 12 characters
(Screenshot: Improved UI for Identity Verification)
New Features – Policy Enforcement
• Enforcement of password policies now extended to manual password change
– MPM 2.0 only allowed this for auto-generated passwords
– Invalid password results in error message:
New Features – New Agent Settings
• Forced Credential Storage
– Disables the end user’s ability to opt out of submitting credentials to Password Manager for applications with existing definitions
• The Yes/No/Never dialog box is skipped, taking the user directly to the credentials entry screen
• Show Tray Icon
– Enable/disable the agent icon that appears in the taskbar
– Example usage:
• Admin decides to hide the systray icon for agents deployed on MetaFrame Presentation Server
• Result is that the end user sees only one MPM icon, for the agent running on his own local machine
Integration with MetaFrame Presentation Server 3.0
• Location of central store can be specified per user
– Note: Can also be specified in HKCU (for customers not using MPS 3.0)
– Different groups of users can have different settings by using multiple file shares
– Large organizations can distribute users across multiple file shares
• MPM can be enabled/disabled per user
– Allows for a staged roll-out without having to publish each application twice
Performance Improvements
Preliminary figures (March 2004), taken on a Presentation Server at 65% utilization with std. synchronization and a roaming profile:

Measurement                             MPM 2.0   MPM 2.5
Insertion impact (AD) Windows 2000      7.5%      2.6%
Insertion impact (FS) Windows 2000      7.5%      5.0%
Agent response – Win32 app (AD)         1.00s     0.11s
Agent response – Win32 app (FS)         0.64s     0.51s
Network Bandwidth Utilization (AD)      130 KB    96 KB
Network Bandwidth Utilization (FS)      50 KB     32 KB
Troubleshooting - General
• Check that the Agent is deployed and configured correctly.
• Check if the agent is synchronizing properly
– Check the synchronization point
– Hit refresh in the agent and check the time stamp of the ini files to see if they changed.
• The agent’s sync point may have been changed using the console
– Check if you have an adminoverride.
• If you do, you will have to delete mmffile and the ini files.
• The agent will then read the sync point from the registry again.
• Go to the sync point and check for permissions and settings.
• Check for network problems that may be causing the agent not to sync properly.
Troubleshooting – Windows Applications
• Check whether the application is being detected
• Make sure you add multiple window titles and class IDs for transient windows.
• Check if the Password Manager Agent is detecting the controls on the window
• Other things to look for
– Check for dynamic control IDs by running the app repeatedly.
– Check for null control IDs
– Check for the same control ID on all controls – SendKeys must be used.
– Check the exclusion list – maybe you have incorrectly configured the exclusion list.
Troubleshooting – Web Applications
• Need to use forms
– Look for <FORM> tag in the source of the web page
– Change the web page or you will have to use SendKeys
• Look for java applets or client side scripting
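A quick check for the two points above (login fields inside a <FORM>, and applets or client-side script on the page), written as an added example and not Citrix code: it scans a saved copy of the login page’s HTML in Node.js with plain string matching, using constructed sample pages.

```javascript
// Added diagnostic, not Citrix code: scan saved login-page HTML for what the
// slide says to check before defining a web app. Pure string scanning, so it
// runs in Node without a browser; the pages below are constructed samples.
function scanLoginPage(html) {
  const lower = html.toLowerCase();
  const report = { forms: 0, passwordFields: 0, passwordFieldsInsideForm: 0,
                   applets: 0, scripts: 0, findings: [] };
  // Record the character span of every <form>...</form> for containment tests.
  const formSpans = [];
  const formRe = /<form\b[^>]*>[\s\S]*?<\/form>/g;
  let m;
  while ((m = formRe.exec(lower)) !== null) {
    formSpans.push([m.index, m.index + m[0].length]);
  }
  report.forms = formSpans.length;
  if (report.forms === 0) report.findings.push('no <form> tag found');
  // Each password input must sit inside a form for form-based detection.
  const pwRe = /<input\b[^>]*type\s*=\s*["']?password["']?[^>]*>/g;
  while ((m = pwRe.exec(lower)) !== null) {
    report.passwordFields++;
    const start = m.index;
    if (formSpans.some(([s, e]) => start >= s && start < e)) {
      report.passwordFieldsInsideForm++;
    } else {
      report.findings.push('password field outside any <form>: change the page or use SendKeys');
    }
  }
  // Applets and client-side script are the other things the slide flags.
  report.applets = (lower.match(/<(applet|object|embed)\b/g) || []).length;
  report.scripts = (lower.match(/<script\b/g) || []).length;
  if (report.applets > 0) report.findings.push('applet/object/embed present: login may be rendered by a Java applet');
  if (report.scripts > 0) report.findings.push('client-side script present: check for dynamic fields or onsubmit handlers');
  return report;
}

// Constructed sample pages (not real Citrix or customer pages).
const FORM_PAGE = [
  '<html><body><form name="login" action="/logon" method="post">',
  '<input name="user" type="text"><input name="pass" type="password">',
  '<input type="submit" value="Log On"></form>',
  '<applet code="Helper.class"></applet>',
  '<script>document.login.user.focus();</script></body></html>',
].join('\n');
const NO_FORM_PAGE = '<html><body><input type="text" name="u">' +
  '<input type="password" name="p"></body></html>';

console.log(JSON.stringify(scanLoginPage(FORM_PAGE), null, 1));
console.log(JSON.stringify(scanLoginPage(NO_FORM_PAGE), null, 1));
```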
Troubleshooting – Host Applications
• Check if SSOMHO is running
– SSOMHO runs when it detects the configured terminal emulator
• The following must be done in order for SSOMHO to run:
– Mfrmlist.ini on the Agent must have an entry for the emulator
– The agent setting for host apps must be enabled
– The HLLAPI short name must be defined for the emulator
• The debug tool will tell you why SSOMHO.EXE did not launch.
• If SSOMHO is running, check the application definition
Competitors
• Passlogix
• Protocom
• Sentillion
• Evidian
On the Horizon…
• Next Release
– Codename: “Abaco”
– Release Timeframe: “Turnberry” Suite Release - 1H ‘05
• Release Focus
– Hot Desktop (password and smart card authentication)
– Self Service Password Reset
– License Server
– Administration Console
– Enhanced/Alternate Credential store