citrix presentation server 4.0 passwords

We have a citrix presentation server 4.0 - users are using pna agent and xen app agent to access their applications - Each time a create a user i need to set it so that their passwords never expire - i want to be able to promp the user to change the password after so many days, but i do not get the prompt, i just get a message that "specified password is no longer valid" and the user has no way of changing their password. Does anyone know step by step what i need to do to get password changes to work
Who is Participating?

Improve company productivity with a Business Account.Sign Up

pfcjokerConnect With a Mentor Commented:
Ok now that makes sense, no the PNAgent does not change passwords (and as far as I know has zero code for prompting password changes). Because Citrix designed the PNagent to be used on internal clients it assumes that the user is already logged into a domain on the workstation running PNagent and as a result expects any password change / policy notices of impending password change to occur at the workstation OS level.

Here are the only real places where the user will be prompted to change their password in a Citrix enviornment:

A) On the client device (assuming login to Domain at client level - otherwise no prompt)
B) At the Web Interface level (if configured - Web Interface will notify the user that their password is expired or about to expire and allow them to change the password at the Web Interface level via their IE)
C) At the Server level when you connect to a published app (won't work if the password is already expired as the user won't be able to get published applications in the first place from PNa or PN due to the expired password.)

My suggestion to "workaround" what you are trying to do (pick one - don't have to do them both):

A) connect the client PCs to the domain and make sure the user logs into the domain. Also make sure your GPOs apply to these workstations in a way where password expire notifications are prompted starting a set # of days (7 days is usually good, some environments go as high as 14 days).

B) stop using the PN and PNa client on these systems and instead use Web Interface properly configured to allow password changes.
Checking "user must change password at next logon" in their Account will force them to change it at their first logon on their XP workstation- is there some reason you can't use that?

PNagent doesn't really give you a "password change" option. - your options are:

A) have the user change the password on their Desktops (Are the users not logging into the domain here? - PNagent is really designed for a workstation that logs into a domain)

B) Enable Password changes via Web Interface Site (not PNA)
1) Launch Access Manager Console on the Web Interface Server
2) Discover if it's not already done
3) MetaFrame Presentation Server > Suite Components > Configuration Tools > Web Interface > <your Web interface site>
Note if you only have your PNagent site here, you will need to right click Web Interface and Create Site and make a MetaFrame Presentation Server Site (web Interface)
4) in the Middle under Common Tasks, click Configure authentication methods
5) On this first screen select Allow user to change password: At Any Time
6) set up the rest of the authentication as you see fit for your environment - now users will be able to browse to your Web Interface site http://<servername> and there is a Padlock icon where they can change their password after they logon.

zingabAuthor Commented:
not sure if you answered my question
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

The simple answer is, if you create an account with "password never expire" - as you stated in your question, then it's working as intended, the user will ever get prompted to change their password. You have to uncheck this to allow domain/computer policies to take over and force the user to change the password.

To set the Domain Policy:
Use gpmc.msc (or dsa.msc for older domains)

In the Default Domain Policy at the root of AD

Security Settings > Account Policies > Password Policy

To set a local computer (note a domain policy will overwrite this in a AD environment if it's set):
Computer Settings > Security Settings > Account Policies > Password Policy.

If that doesn't cover it then I'll need some more clarity of what it is exactly you are trying to do.
zingabAuthor Commented:
That does not cover it. When setting the password to expire in policy the users do not get prompted to change their passwords when logging into their pna agent. I need the pna agent to have the chbange passwords field to allow the users to change them.
zingabAuthor Commented:
can someone answer this or not.
zingabAuthor Commented:
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.