Citrix and ADFS Leverage Active Directory Federation Services in a Presentation Server Environment Jay Tomlin Sr. Technology Specialist Mgr NA Field Readiness.
1 Citrix and ADFS: Leverage Active Directory Federation Services in a Presentation Server Environment
Jay Tomlin, Sr. Technology Specialist Mgr, NA Field Readiness
08 December 2006

2 © 2005 Citrix Systems, Inc.—All rights reserved.
Copyright & Disclaimer
Copyright © 2006, Citrix. Unpublished work of Citrix. All Rights Reserved. This work is an unpublished work and contains confidential, proprietary, and trade secret information of Citrix. Access to this work is restricted to Citrix employees who have a need to know to perform tasks within the scope of their assignments, or to authorized organizations under a Non-Disclosure Agreement. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer: This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Citrix makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Citrix reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

3 Agenda
1. Introduction to Active Directory Federation Services
2. Web Interface ADFS Integration
3. Configuration Walk-through
4. Alternative Deployment Scenarios
5. Q&A

4 Part 1: Introduction to ADFS

5 What is Federation?
A set of standards-based technology & IT processes to facilitate distributed identification, authentication & authorization across boundaries (security, departmental, organizational or platform).
Users: fewer passwords, more productivity
IT: centralized, automated, delegated user management
Dev: leveraged, outsourced service infrastructure

6 Motivations for Federation (diagram: employees and your applications in the centre, with remote and virtual employees, customers, partners and suppliers around them)
Customer satisfaction & customer intimacy
Cost competitiveness
Reach, personalization
Collaboration
Outsourcing
Faster business cycles
Process automation
Value chain
M&A, joint venture
Mobile/global workforce
Flexible/temp workforce

7 Federation Benefits
Better Access Experience
– Single sign-on across networks & organizational boundaries
Increased Security & Simpler Administration
– Heightened identity assurance
– No passwords involved: the user authenticates at the account partner, and only a signed claim crosses the organizational boundary
– Account de-activation is handled by the account partner
– Account partner can easily be disabled at the organizational level
– Strong authentication such as user certificates or OTP tokens can be layered on top of the federation claim

8 Federation Solution Components (diagram: Client; Web Server with ADFS Web Agent and Federation Service in Domain B, the Resource Partner; Federation Service in Domain A, the Account Partner)
Separates authentication and authorization
User is authenticated in their home domain
Claims about the user's identity are signed and sent to the web server
The web server validates incoming claims against its list of account partners

9 Federation Libation (diagram: a bar analogy. The DMV is the Account Partner and its Account Federation Service issues the identity assertion; the Bartender is the Resource Partner, whose Resource Federation Service checks the assertion before the Resource is served to the User Principals)

10 How ADFS works
1. User points to web server
2. User is redirected to the resource federation server
3. User chooses their home realm
4. User is redirected to their home account federation server for authentication
5. User is redirected back to resource federation server with assertion set
6. Assertion is validated and user is sent back to web server

11 Pseudo Identity Assertion (image of a sample assertion; only a fragment of its base64 signature value, F8/PoUcHh+rx/XfvC0vv0=, survives in the transcript)
Identity assertion generated and digitally signed by the account federation server
Additional custom claims can be added easily
Timestamp is important: the validity window is what limits replay of a captured assertion, so clocks must be synchronized between organizations
Resource federation service consumes this claim and validates the signature

12 Federation Process in Detail (diagram: Client; Web Server with ADFS Web Agent and Federation Service in Domain B, the Resource Partner; Federation Service in Domain A, the Account Partner. All connections are HTTPS)
1. User points to web server
2. ADFS Web Agent redirects user to the Resource Partner Federation Service. User selects their home realm from a list of Account Partners

13 Home Realm Discovery
The resource partner may have many account partners, so users need to identify which organization they belong to
This page can be customized or bypassed altogether by giving users a special URL that includes their realm info
User's choice is remembered as a cookie; next time they would not see the home realm discovery page

14 Federation Process in Detail (same diagram; all connections are HTTPS)
1. User points to web server
2. ADFS Web Agent redirects user to the Resource Partner Federation Service. User selects their home realm from a list of Account Partners
3. User is redirected to their local Federation Service, which authenticates the user and produces an identity claim
4. Client is redirected back to the resource federation server with identity claim set as POST data. Resource Federation Server validates the account claim and then adds a new local identity claim

15 Federation Process in Detail (same diagram; all connections are HTTPS)
5. Client is redirected back to the web application Return URL with an identity claim now signed by the resource federation server
6. Web server obtains public key from federation service if necessary and verifies digital signature on the claim
7. ADFS Web Agent produces a valid Kerberos token able to access resources on the web server
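The exchange on slides 10 to 15, with the home realm discovery of slide 13 and the five-minute clock tolerance of slide 18, as an added simulation that is not part of the deck and not Citrix or Microsoft code. Toy RSA keys generated at import stand in for the X.509 token-signing certificates, claims are a JSON object rather than a SAML 1.1 token, the /adfs/ls/ paths, the 10-minute assertion lifetime and the shadow-account table are assumptions, and the Kerberos token of step 7 is represented by the mapped shadow account name. run_flow drives one sign-in and reports the first check that fails, which is where the security lives: a tampered claim, a token minted for a different audience, a partner asserting a UPN suffix it does not own, or a clock more than five minutes off each stop the flow at the resource federation service.

```python
import hashlib
import json
import random
from urllib.parse import parse_qs, urlencode, urlparse

ACCOUNT_FS = "https://citrixfsa.citrixtraining.com/adfs/ls/"  # CitrixFSA (path assumed)
RESOURCE_FS = "https://gemfsr.gemini.ctx/adfs/ls/"            # GemFSR (path assumed)
APP_URL = "https://adfswi.company.com/Citrix/AdfsWI/"         # WI ADFS site (path assumed)
SKEW = 300       # slide 18: partner clocks must agree within 5 minutes
LIFETIME = 600   # assumed assertion lifetime in seconds

def _is_probable_prime(n, rounds=16):   # Miller-Rabin, only so toy keys can be made offline
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def keypair(bits=512):
    """Toy RSA: ((n, e), (n, d)). The private half never leaves its owner."""
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (n, 65537), (n, pow(65537, -1, phi))

def _digest(claims):
    return int.from_bytes(hashlib.sha256(json.dumps(claims, sort_keys=True).encode()).digest(), "big")

def issue(claims, priv):
    """A federation server signs a claim set with its token-signing key."""
    n, d = priv
    return {"claims": claims, "sig": pow(_digest(claims), d, n)}

def validate(token, pub, audience, now, suffixes=None):
    """Checks a consumer (resource FS or ADFS Web Agent) makes before trusting a token."""
    n, e = pub
    if pow(token["sig"], e, n) != _digest(token["claims"]):
        return "bad signature"
    c = token["claims"]
    if c["aud"] != audience:              # token was minted for some other relying party
        return "wrong audience"
    if now + SKEW < c["nbf"] or now - SKEW >= c["exp"]:
        return "outside validity window"
    if suffixes is not None and c["upn"].rsplit("@", 1)[-1].lower() not in suffixes:
        return "upn suffix not accepted from this account partner"
    return "ok"

def web_agent_redirect(requested_url):
    """Steps 1-2: the Web Agent bounces an unauthenticated request to the resource FS."""
    return RESOURCE_FS + "?" + urlencode({"wa": "wsignin1.0", "wtrealm": APP_URL, "wctx": requested_url})

def home_realm_redirect(location, partners, whr_cookie=None):
    """Steps 2-3: realm from the whr parameter (slide 13 special URL) or cookie; None = show HRD page."""
    q = {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}
    realm = q.get("whr") or whr_cookie
    if realm not in partners:
        return None
    return partners[realm]["endpoint"] + "?" + urlencode({"wa": q["wa"], "wtrealm": RESOURCE_FS, "wctx": q["wctx"]})

RES_PUB, RES_PRIV = keypair()    # GemFSR token-signing key
_ctx_pub, _ctx_priv = keypair()  # CitrixFSA key; held here only because one process plays both sides
PARTNERS = {"citrixtraining.com": {"endpoint": ACCOUNT_FS, "pub": _ctx_pub, "priv": _ctx_priv,
                                   "suffixes": {"citrixtraining.com"}}}
SHADOW = {"joeuser@citrixtraining.com": "joeuser"}   # constructed shadow account (slide 38)

def run_flow(upn, partners, shadow, now, account_clock_offset=0, whr="citrixtraining.com"):
    """One sign-in end to end; returns 'ok:<shadow account>' or the first rejection."""
    loc = home_realm_redirect(web_agent_redirect(APP_URL) + "&" + urlencode({"whr": whr}), partners)
    if loc is None:
        return "no home realm"
    partner = partners[whr]
    t = now + account_clock_offset  # step 3: account FS (after a Windows logon, not modelled) signs claims
    tok = issue({"upn": upn, "aud": RESOURCE_FS, "nbf": t, "exp": t + LIFETIME}, partner["priv"])
    r = validate(tok, partner["pub"], RESOURCE_FS, now, partner["suffixes"])  # step 4
    if r != "ok":
        return "resource fs: " + r
    app_tok = issue({"upn": upn, "aud": APP_URL, "nbf": now, "exp": now + LIFETIME}, RES_PRIV)
    r = validate(app_tok, RES_PUB, APP_URL, now)  # steps 5-6: Web Agent verifies the resource FS signature
    if r != "ok":
        return "web agent: " + r
    sam = shadow.get(upn.lower())  # step 7: Kerberos token for the shadow account (not modelled)
    return "ok:" + sam if sam else "no shadow account for " + upn
```

The suffix check in validate is the one most often forgotten when people wire up federation by hand: without it, any account partner the resource partner trusts could assert a UPN in another partner's namespace and land on that partner's shadow accounts.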

16 Federation Service Proxy (FS-P) (diagram: Client on the Internet; Web Server and Federation Service Proxy in a DMZ; Federation Service in Domain B, the Resource Partner; Federation Service in Domain A, the Account Partner)
Federation Service Proxy relays messages to the resource partner federation service
Eliminates the need to expose the federation service to the Internet
FS-P need not be a domain member
FS-P contacts Federation Service via HTTPS with Client Certificate authentication

17 How to install ADFS on W2K3 R2
Add/Remove Windows Components (screenshot)

18 Synchronicity
Federation servers at the account partner and resource partner must have their clocks set within 5 minutes of each other
For best results, use an Internet time server such as time.nist.gov
Different time zones don't matter; only the absolute time has to agree

19 Certificates Everywhere! (diagram: the Account Partner Federation Service, the Client, the Web Server, the Federation Service Proxy and the Resource Partner Federation Service, each with the certificates it holds or must trust)
Account Partner SSL and token-signing certificate + private key
Account Partner root certificate
Web Server SSL certificate + private key
Web Server root certificate
Resource Partner SSL and token-signing certificate + private key
Resource Partner root certificate
FS-P client authentication certificate + private key
FS-P client authentication certificate (w/o private key)

20 Part 2: Web Interface and ADFS

21 Citrix Announces Federation Interoperability
Citrix extends federation benefits
– To rich applications (e.g. SAP R/3 client, mainframe emulator)
– To file shares
– To web apps inside the firewall
Citrix increases federation security
– Provides greater control over data usage
– Allows for increased identity assurance
– Facilitates access logging and auditing across organizations

22 Only Citrix can Federate to Windows Applications
Identity federation was designed for web applications only
The ADFS support in Web Interface bridges the gap between web applications and Windows or host-based applications
Citrix uniquely enables federated SSO to Web, Windows and host-based applications

23 The User's Experience
Click on a link to the ADFS WI site
Icons appear without prompting the user
Applications launch without prompting the user

24 WI ADFS App Enumeration (diagram: Client; WI 4.5 with ADFS Web Agent, Federation Service, Presentation Servers and Access Gateway in Domain B, the CPS Domain; Federation Service in Domain A, the Account Partner)
1. User points to WI
2. ADFS Web Agent redirects user to the Resource Partner Federation Service. User selects their home realm from a list of Account Partners
3. User is redirected to their local Federation Service, which authenticates the user and produces an identity claim
4. Client is redirected back to the resource federation server with identity claim set as POST data. Resource Federation Server validates the account claim and then adds a new local identity claim

25 WI ADFS App Enumeration (same diagram)
5. Client is redirected back to the WI Return URL with an identity claim now signed by the resource federation server
6. ADFS Web Agent on WI server obtains public key from federation service if necessary and verifies digital signature on the claim
7. ADFS Web Agent produces a valid Kerberos token for the domain B user shadow account, for whom Presentation Server applications have been published
8. WI uses the Kerberos token to authenticate to the CPS XML Service (requires delegation rights). CPS returns a list of applications to Web Interface

26 WI ADFS App Launch (same diagram)
User clicks app icon; CPS Data Collector determines least-busy server
Kerberos ticket for shadow account forwarded to XML broker
Kerberos ticket forwarded from XML broker to least-busy server in exchange for WI logon ticket
WI generates ICA file with logon ticket; also negotiates AG ticket from STA if necessary. WI sends ICA file to user
Client receives ICA file and connects to CPS (through CAG if necessary). WI logon ticket exchanged for Kerberos token at target server

27 Requirements
WI and Federation servers must be W2K3 R2
CPS 4.5, or 4.0 with hotfix rollup #2 or later
– Enable "Trust requests sent to the XML Service"
Domain functional level must be native Win2K3
– Domain Controllers need not be upgraded to R2
Alternate UPN suffix must be added to the resource domain, and shadow accounts must be created using the partner's UPN suffix
– Usernames and passwords of the shadow accounts are not known by the user

28 Constraints
Web Interface server must be a domain member
XML service must be delivered via IIS port sharing
Revocation information for all certificates must be accessible by all parties
– Best practice: use a commercial CA

29 Part 3: Configuration Walk- through

30 Demo Environment (diagram)
AdfsWI.company.com: WI 4.5 with ADFS Web Agent, member of Gemini.ctx
GemFSR: Federation Service, Gemini.ctx (Resource Partner)
CitrixFSA: Federation Service, CitrixTraining.com (Account Partner)
JOEUSERPC: Win2K client
CitrixDC1 and JAYTISA: domain controllers, one per domain
COLORADO: CPS 4.0 and STA
GemFSP.company.com: Federation Service Proxy, in the DMZ
Access.company.com: Access Gateway, in the DMZ

31 ADFS MMC Snap-in at the Account Partner (CitrixFSA)
Enable Active Directory as an Account Store
Define resource partner (Gemini.ctx)
Endpoint URL is the resource partner's FS or FS-P server

32 ADFS MMC Snap-in at the Resource Partner (GemFSR)
Define CitrixTraining as an Account Partner by importing their Trust Policy file
Endpoint URL is the internal URL of the Account Partner's federation service (CitrixFSA)
Enable Active Directory as an Account Store

33 ADFS MMC Snap-in at the Resource Partner (GemFSR), continued
Change to "Resource accounts exist for all users"

34 Raise Domain Functional Level
Domain functional level at the resource partner must be native Windows 2003
All domain controllers in the domain must be Windows Server 2003 or later

35 Configure Delegation on the Web Interface servers
Edit the Delegation properties of each WI computer object in Active Directory
Trust this computer for delegation using any authentication protocol
Add the http service for each CPS XML Broker
"Any authentication protocol" is Kerberos protocol transition: the WI server can obtain service tickets to the listed services on behalf of any domain user without that user's credentials, so list only the XML brokers and treat the WI server as a high-value host

36 Configure Delegation on the Presentation servers
Edit the Delegation properties of each Presentation Server computer object in Active Directory
Trust this computer for delegation using Kerberos only
Add the HOST service for this computer; add the cifs and ldap services for domain controllers; add cifs for any file servers users will access
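Slides 35 and 36 describe the delegation settings one object at a time, and slide 59 notes that doing this for every WI and Presentation Server is a chore; the check below is an added example, not Citrix or Microsoft code, that audits the settings from the attributes the Delegation tab writes (userAccountControl flag bits and msDS-AllowedToDelegateTo). The computer records are constructed to look like AD objects rather than exported from a directory, and the XML broker, domain controller and file server FQDNs are assumptions built on the deck's demo names. It flags the two things that matter for security here: unconstrained delegation anywhere, and protocol transition on anything other than the WI servers or towards anything other than the XML brokers.

```python
TRUSTED_FOR_DELEGATION = 0x80000            # "any service (Kerberos only)": unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol": protocol transition
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary computer account bit

XML_BROKERS = {"colorado.gemini.ctx"}        # CPS XML brokers the WI servers talk to (FQDN assumed)
DOMAIN_CONTROLLERS = {"jaytisa.gemini.ctx"}  # resource-domain DCs (FQDN assumed)
FILE_SERVERS = {"files.gemini.ctx"}          # file servers reached from published apps (assumed)

def delegation_mode(uac, allowed_to):
    """Maps the raw attributes back to the three radio buttons on the Delegation tab."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if not allowed_to:
        return "none"
    return "constrained-any-protocol" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained-kerberos-only"

def _is_ip(host):
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() for p in parts)

def expected_targets(computer):
    """(service, host) pairs the slides call for: WI gets http on each XML broker (slide 35);
    CPS gets HOST on itself, cifs and ldap on the DCs, cifs on file servers (slide 36)."""
    if computer["role"] == "wi":
        return {("http", b) for b in XML_BROKERS}
    own = computer["dNSHostName"].lower()
    return ({("host", own)} | {(svc, dc) for dc in DOMAIN_CONTROLLERS for svc in ("cifs", "ldap")}
            | {("cifs", fs) for fs in FILE_SERVERS})

def audit(computer):
    """Findings for one computer object; an empty list means it matches the slides."""
    spns = computer["msDS-AllowedToDelegateTo"]
    mode = delegation_mode(computer["userAccountControl"], spns)
    findings = []
    if mode == "unconstrained":
        findings.append("unconstrained delegation: any forwarded TGT this host receives is reusable against any service")
    want_mode = "constrained-any-protocol" if computer["role"] == "wi" else "constrained-kerberos-only"
    if mode != want_mode:
        findings.append(f"delegation mode is {mode}, expected {want_mode} for role {computer['role']}")
    targets = set()
    for spn in spns:
        svc, _, target = spn.partition("/")
        host = target.split(":")[0].lower()
        if _is_ip(host):   # slides 39 and 41: Kerberos service tickets are requested by host name
            findings.append(f"{spn}: SPN target is an IP address; use the host name")
        targets.add((svc.lower(), host))
    want = expected_targets(computer)
    if want - targets:
        findings.append("missing: " + ", ".join(sorted(f"{s}/{h}" for s, h in want - targets)))
    if targets - want:
        findings.append("beyond the slides: " + ", ".join(sorted(f"{s}/{h}" for s, h in targets - want)))
    return findings

def audit_all(computers):
    return {c["name"]: audit(c) for c in computers}

COMPUTERS = [   # constructed records, not exported from a real directory
    {"name": "ADFSWI", "role": "wi", "dNSHostName": "adfswi.company.com",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/colorado.gemini.ctx"]},
    {"name": "COLORADO", "role": "cps", "dNSHostName": "colorado.gemini.ctx",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["HOST/colorado.gemini.ctx", "cifs/jaytisa.gemini.ctx",
                                  "ldap/jaytisa.gemini.ctx", "cifs/files.gemini.ctx"]},
    {"name": "ADFSWI2", "role": "wi", "dNSHostName": "adfswi2.company.com",      # misconfigured
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["HTTP/10.0.0.5", "cifs/jaytisa.gemini.ctx"]},
    {"name": "COLORADO2", "role": "cps", "dNSHostName": "colorado2.gemini.ctx",  # misconfigured
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
]

if __name__ == "__main__":
    for name, findings in audit_all(COMPUTERS).items():
        print(name, "OK" if not findings else "\n  " + "\n  ".join(findings))
```

Against a real domain the same function runs over an LDAP search for computer objects with the delegation attributes, which turns the per-server chore of slide 59 into a check that can be repeated after every farm change.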

37 Add a UPN Suffix for each Account Partner
In the Resource Domain, run the Active Directory Domains and Trusts snap-in
Select "Active Directory Domains and Trusts" and view Properties
Add the account partner's UPN suffix as an alternate UPN suffix

38 Create Shadow Accounts for Partner Users
For each account partner user, create a shadow account in the resource partner domain
Use the account partner's UPN suffix
Set the password to anything; the user does not need to know it (a long random value is best, since nobody should ever log on with it)
Publish CPS applications to the shadow accounts

39 Create an ADFS-enabled WI site
During the Create Site task, choose to use ADFS integration
The ADFS web service refers to the resource partner federation service on the same network as the Presentation Servers
Use host names or FQDNs for the XML Broker addresses, not IP addresses (the Kerberos service ticket is requested for the broker's HTTP service principal name, which is built from the host name)

40 Define Web Interface Site as an Application at the Resource Partner
Define Web Interface as an Application
Application URL is the external URL of the WI ADFS Site

41 Troubleshooting: No applications enumerated
Possible causes:
– XML Broker is not integrated into IIS
– Web Interface server is not trusted for delegation
– XML Broker address is configured as an IP address in WI
– ADFS Web Agent is installed on CPS and enabled for /Scripts

42 Part 4: Deployment Scenarios

43 Minimal CPS Deployment (diagram: Client; Federation Service in Domain A, the Account Partner; Web Interface 4.5 with ADFS Web Agent, Federation Service and Presentation Servers in Domain B, the Resource Partner)

44 Internet Deployment (diagram: Client on the Internet; Federation Service Proxy and Access Gateway in the DMZ; WI 4.5, Federation Service, Domain Controller and Presentation Servers in Domain B, the Resource Partner; Federation Service in Domain A, the Account Partner)

45 Ports needed by WI and ADFS (diagram: Internet; DMZ with Federation Service Proxy and Access Gateway; intranet with WI 4.5, Federation Service, Domain Controller, Presentation Servers and Certificate Authority. The ports below are the diagram's labels; which link each one sits on is not recoverable from the transcript)
HTTPS :443 (several links)
ICA+SSL :443
LDAP :389
Kerberos :88 UDP and :88 TCP
STA :80 or :443
ICA :1494
CGP :2598
CRL retrieval from the Certificate Authority: HTTP :80
Other ports are needed for NetLogon, GPOs, etc.

46 Partner/Employee shared farm (diagram: Clients in Partner A, Partner B, Partner C and the Employee Domain, each an Account Partner with its own Federation Service; Access Gateway in the DMZ; Web Interface 4.5, Federation Service and Presentation Servers in the Resource Partner domain)

47 Review: Explicit Authentication (diagram of the password flow between User, Web Browser, WI, XML Service, CPS, CtxGina, ICA Client, Access Gateway and ccticket. Labels: A password; 1 password; 2 password; 3 logon ticket; B STA & logon tickets; C STA & logon tickets; 4 logon ticket; 5 logon ticket; D STA ticket)

48 WI ADFS sites leverage Kerberos (same diagram; A is now an ADFS assertion and steps 1 and 2 carry Kerberos data instead of a password; 3 to 5 logon tickets and B to D STA & logon tickets are unchanged)

49 Other ways to get a Kerberos token (same diagram; A is IIS Integrated Windows Authentication, NTLM or Kerberos, instead of an ADFS assertion)

50 Other ways to get a Kerberos token (same diagram; A is IIS Certificate Mapping)

51 RSA Access Manager with Protocol Transition (same diagram; A is an RSA Passcode presented to RSA ClearTrust)

52 Ping Identity PingFederate with Protocol Transition (same diagram; A is a Ping assertion presented to PingFederate)

53 Internal Employee SSO Deployment (diagram: Client; Web Interface 4.5 Federated Site and Presentation Servers in the Employee Domain, the Resource Partner)
100% pure Kerberos
Federation servers not required
Appsrv.ini changes not required
Full ICA client not required
Desktop credentials pass-through not required
sitemgr -c "WIDest=1:/Citrix/Federated,Config=Local,XMLService=COLORADO,XMLSPort=80,Federated=Yes"

54 Soft Certificate Authentication (diagram: Client on the Internet; Access Gateway in the DMZ; Web Interface 4.5 Federated Site with client certificate mapping enabled, and Presentation Servers, on the LAN)
User has only a browser certificate
Web Interface IIS maps certificate to an AD account, generates Kerberos token
WI Federated site consumes Kerberos token

55 Third-party strong authentication (diagram: Client on the Internet; Access Gateway in the DMZ; Web Interface 4.5 Federated Site with RSA Access Manager Agent (née ClearTrust), and Presentation Servers, on the LAN)
User has only an RSA keyfob; they do not know their AD password
RSA Access Manager generates Kerberos token for user (protocol transition)
WI ADFS site consumes Kerberos token
RSA has documented this deployment (link not preserved in the transcript)

56 Other product integrations
Secure Gateway or Access Gateway can be used to proxy ICA traffic
– But don't proxy HTTPS into the LAN
Password Manager 4.5 CPS agent functions properly with Kerberos logons (blank password; uses Data Protection API instead)
NetScaler can load-balance multiple WI servers, Federation servers, or Federation Proxy servers

57 High Availability
Use NetScaler to load-balance multiple WI servers, Federation Service Proxies, and Federation Services
Web Interface is stateful, so persistence is required
Federation Service and Federation Service Proxy servers are stateless
Endpoint URLs and application URLs can be FQDNs that map to a virtual IP

58 NetScaler LB VIPs (diagram: Client on the Internet in front of Web Interface 4.5 servers, Federation Service Proxy servers and Federation Service servers, each pool behind its own virtual IP)
Virtual IP    Persistence       Also known as
1  WI         SSL Session ID    End user URL, Application URL, Return URL
2  FS-P       None required     Federation Service Endpoint URL
3  FS         None required     Federation Service URL

59 Current Issues and pain points
Web Interface must be a member of the resource domain
No ADFS-enabled reverse proxy in Access Gateway, so Web Interface must reside in the DMZ
Applications which should be filtered out due to Access Control filters are not filtered out
– CPS 4.0 XML Service issue; will be fixed in CPS 4.5
– Users are correctly refused access if they try to connect, but the icon should not appear in the application list
Delegation must be configured for every Web Interface and Presentation Server, a chore for large farms

60 Any Questions? (diagram: the Internet deployment of slide 44)

61 Good Reading/Viewing
ADFS TechCenter
Troubleshooting Kerberos Delegation
Don Schmidt ADFS seminar
Web Interface with ADFS Support Admin Guide
Web Interface with ADFS Support FAQ
RSA Secured Implementation Guide For Portal Servers and Web-Based Applications
ADFS Forum on support.citrix.com
How to Install Web Interface 4.0 for ADFS on Servers without ADFS (Advanced Kerberos support only)
