CloudEntication Authentication methods for the Citrix private cloud


CloudEntication: Authentication methods for the Citrix private cloud
Michael Rüefli, Senior Consultant (MCSE, CCEA, CCIA, VCP)
May 2012, © INSERTO AG, www.inserto.ch

Agenda

- Authentication method walk-through
- Common pass-through issues
- Common Smart Card issues
- Considerations when using Kerberos
- Common StoreFront Services / Receiver issues
- Troubleshooting authentication failures
- Useful links and resources
- Questions and maybe answers...

Platforms / Methods

(Support matrix with columns XenApp, XenDesktop and VDI-in-a-Box; the per-cell marks are not recoverable, the rows are:)

C1 Explicit (username / password)
C2 Simple domain pass-through
C3 Two-factor (token)
C4 Smart Card
C5 Smart Card with pass-through
C6 Kerberos
C7 Smart Card with Kerberos pass-through
C8 LDAP WI SSON with AG/AGEE
C9 Smart Card WI SSON with AGEE

Footnote: depending on the CSP used, multiple PIN prompts (at least 3).

Receiver / Working methods by today

(Support matrix with columns Receiver 3.x, Receiver for Web with SF, Receiver Enterprise 3.x and Mobile (iOS / Android); the per-cell marks are not recoverable, the rows are:)

C1 Explicit (username / password)
C2 Simple domain pass-through
C3 Two-factor (token)
C4 Smart Card
C5 Smart Card with pass-through
C6 Kerberos
C7 Smart Card with Kerberos pass-through
C8 LDAP WI SSON with AG/AGEE
C9 Smart Card WI SSON with AGEE

Footnote: only with WI, not supported by StoreFront Services (CloudGateway Express).

C1 – Explicit Authentication

Components: client device (Receiver / browser), WI server (IIS, WI, XML Service), ZDC (IMA), XA host (Winlogon, wsxica), domain controller.

1. The user launches Receiver or a web browser and authenticates on WI (IIS) with username and password.
2. WI passes the username and password (CTX encoded) to the XML Service.
3. The XML Service forwards the request to IMA (local host cache) to enumerate the available resources.
4. WI receives a ticket from the XML Service, which is placed in the ICA file generated at launch.
5. WI sends the ticket back to the browser.
6. The user launches the published resource.
7. XA authenticates the credentials against AD.

C2 – Domain pass-through with double hop

Components: client device (Winlogon, LSA, MPnotify, PNSSON), WI server (IIS, WI, XML Service), ZDC (IMA), XA host (Winlogon, LSA, MPnotify, PNSSON), domain controller.

1. The user authenticates at the client using domain credentials.
2. PNSSON (SSONSVR.EXE) is spawned as a credential provider and caches username / password in memory.
3. The user launches Receiver or a web browser.
4. WI (IIS) performs Integrated Windows Authentication; the Windows identity is passed to WI.
5. WI passes the user's SIDs to the XML Service.
6. The XML Service forwards the request to IMA (local host cache) to enumerate the available resources.
7. WI receives a ticket from the XML Service, which is placed in the ICA file generated at launch (the ticket carries the "UseLocalUserAndPassword" flag instead of credentials).
8. The user launches the published resource; PNSSON forwards the cached credentials to the XA host for authentication.
9. XA authenticates the credentials against AD.

C4 – Smart Card

Components: client device, domain controller (KDC), WI server (IIS, WI, XML Service), ZDC (IMA), XA host (Winlogon, LSA, Kerberos SSP, SmartCardSvc).

1. The user launches Receiver or a web browser.
2. Browser or Receiver calls the WI URL.
3. WI (IIS) performs Integrated Windows Authentication (certificate mapping); the Windows identity is passed to WI.
4. WI passes the user's SIDs to the XML Service.
5. The XML Service forwards the request to IMA (local host cache) to enumerate the available resources.
6. WI receives a ticket from the XML Service, which is placed in the ICA file generated at launch (the ticket contains no authentication info; instead it carries the flag "DisableCtrlAltDel = Off", which forces the XA host to show the logon UI).
7. The user launches the published resource.
8. XA / VDA initiates the authentication UI prompt, the user enters the PIN, and XA performs a Smart Card authentication.

C5 – Smart Card with (PIN) pass-through

Components: client device (Winlogon, LSA, Kerberos SSP, MPnotify, PNSSON), domain controller (KDC), WI server (IIS, WI, XML Service), ZDC (IMA), XA host (Winlogon, LSA, Kerberos SSP, SmartCardSvc).

1. The user logs on interactively with the Smart Card on the client.
2. PNSSON (SSONSVR.EXE) is spawned as a credential provider and caches the PIN in memory.
3. Receiver or a browser is launched, calling the WI URL.
4. WI (IIS) performs Integrated Windows Authentication (Kerberos); the Windows identity is passed to WI.
5. WI passes the user's SIDs to the XML Service.
6. The XML Service forwards the request to IMA (local host cache) to enumerate the available resources.
7. WI receives a ticket from the XML Service, which is placed in the ICA file generated at launch (the ticket contains no authentication info; instead it carries the flags "DisableCtrlAltDel = On" and "UseLocalUserAndPassword").
8. The user launches the published resource; PNSSON forwards the cached credentials to the XA host for authentication.
9. XA / VDA initiates the authentication UI prompt, the user enters the PIN, and XA performs a Smart Card authentication.

C6 – Kerberos

Components: client device (Winlogon), domain controller (KDC), WI server (IIS, WI, XML Service), ZDC (IMA), XA host (Winlogon, LSA, MPnotify, PNSSON; Kerberos service ticket only, PNSSON is not used).

1. The user authenticates at the client using domain credentials or a Smart Card and receives a TGT after successful authentication.
2. The user launches Receiver or a web browser, requesting the WI URL.
3. The client requests a service ticket for IIS; the KDC provides the service ticket.
4. The client uses the IIS service ticket to authenticate; WI (IIS) performs Integrated Kerberos Authentication and the Windows identity is passed to WI.
5. WI passes the user's SIDs to the XML Service.
6. The XML Service forwards the request to IMA (local host cache) to enumerate the available resources.
7. WI receives a ticket from the XML Service, which is placed in the ICA file generated at launch (the ticket carries the "UseLocalUserAndPassword" flag instead of credentials).
8. The client (ICA engine) requests a service ticket for the XA host; the KDC provides the host service ticket.
9. The user launches the published resource; the XA host uses the service ticket to authenticate the user (KRB SSON).
10. XA authenticates the credentials against AD.
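The flows C1 to C6 differ in what the launch ICA file carries: an explicit logon ticket, the UseLocalUserAndPassword flag, or only DisableCtrlAltDel. The following PowerShell function is an added example, not part of the original slides, that classifies an ICA file by those keys along the lines of the flows above. The sample ICA text is constructed; the key names are the ones a Web Interface default.ica emits, and the mapping of key combinations to cases follows the slides.

```powershell
# Added example, not part of the original slides: classify a launch ICA file by the
# authentication keys it carries, following the C1..C6 flows. The sample ICA text
# below is constructed.
function Get-IcaAuthProfile {
    param([Parameter(Mandatory)][string]$IcaText)

    # Flatten the INI-style file into one key/value table; the keys examined here do
    # not collide between the [WFClient] and per-application sections.
    $kv = @{}
    foreach ($raw in ($IcaText -split "`r?`n")) {
        $line = $raw.Trim()
        if (-not $line -or $line.StartsWith(';') -or $line.StartsWith('[')) { continue }
        $i = $line.IndexOf('=')
        if ($i -gt 0) { $kv[$line.Substring(0, $i).Trim()] = $line.Substring($i + 1).Trim() }
    }

    $hasPassword = $kv.ContainsKey('ClearPassword') -or $kv.ContainsKey('Password')
    $hasTicket   = $kv.ContainsKey('LogonTicket')
    $useLocal    = $kv['UseLocalUserAndPassword'] -match '^(on|true|yes|1)$'
    $ctrlAltDel  = [string]$kv['DisableCtrlAltDel']

    if ($hasPassword) {
        # Credentials in the file end up on disk and in browser caches; WI ticketing avoids that.
        $case = 'C1 explicit with credentials embedded in the ICA file (avoid; use WI logon tickets)'
    } elseif ($useLocal -and $ctrlAltDel -eq 'On') {
        $case = 'C5 Smart Card with PIN pass-through (SSONSVR supplies the cached PIN to the XA host)'
    } elseif ($useLocal) {
        $case = 'C2 domain pass-through or C6 Kerberos (no credentials in file; SSONSVR credentials or a Kerberos service ticket are presented to the XA host)'
    } elseif ($ctrlAltDel -eq 'Off') {
        $case = 'C4 Smart Card (no credentials in file; the XA host shows the logon UI and prompts for the PIN)'
    } elseif ($hasTicket) {
        $case = 'C1 explicit via WI logon ticket (one-time ticket redeemed by the XA host)'
    } else {
        $case = 'unknown: none of the authentication-related keys are present'
    }

    [pscustomobject]@{
        Case       = $case
        Ticket     = $hasTicket
        TicketType = $kv['LogonTicketType']
        SslEnabled = ($kv['SSLEnable'] -match '^(on|true|yes|1)$')
        Address    = $kv['Address']
    }
}

# Constructed sample: a C5-style launch file as the slide describes it
$sampleIca = @'
[WFClient]
Version=2
UseLocalUserAndPassword=On
DisableCtrlAltDel=On
[ApplicationServers]
Notepad=
[Notepad]
Address=xa01.example.local
InitialProgram=#Notepad
LogonTicket=0123456789ABCDEF
LogonTicketType=CTXS1
SSLEnable=On
'@

Get-IcaAuthProfile -IcaText $sampleIca | Format-List
```

Run it against a file saved from the browser (Receiver deletes launch files quickly, so save via "Save as" or pull it from CDF traces) to see which flow WI actually produced; a file classified as C1 with credentials, or with SslEnabled false, is worth fixing before anything else.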

Any known issues / pitfalls?

(Chart plotting the authentication methods by number of known issues against complexity; methods as listed on the slide: Smart Card with Kerberos pass-through, Kerberos, Smart Card with pass-through, Smart Card, domain pass-through, explicit.)

As always, it depends on the architect(ure).

Common pass-through issues and pitfalls

- Receiver Enterprise installed without ENABLE_SSON=yes
- ICA client policy not configured properly
- The PNSSON provider is interfered with by other providers: HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder
- WI default logon method is not set to "Passthrough" when multiple methods are activated
- WI site URL is not listed in the "Local Intranet Zone"
- PNAgent pass-through on XenApp 6.5 requires hotfix XA650W2K8R2X64001
- If Kerberos pass-through is used for XenApp, SSONSVR does not get spawned (by design)
- If Smart Card pass-through is used on a VDA / XenApp, Receiver shows the error "Smartcard support is not allowed on pass through servers" (CTX115521)
- If the user logs on to Vista / Windows 7 / 2008 R2 using a Smart Card, SSONSVR is not invoked by Winlogon. Add the following registry value: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, SmartCardLogonNotify = 1 (REG_DWORD)

Common Smart Card authentication issues and pitfalls

- "Trust XML requests" is not enabled
- Smart Card middleware not installed on the WI and XenApp boxes
- Client certificate authentication option not installed on IIS
- WI site not set to enforce SSL
- Citrix Smart Card Service is not running
- Running multiple remote sessions including a mix of XA and XD can freeze the CSP on the client while re-inserting the card on the local client (by today only seen with the ActivIdentity CSP and the ATOS CardOS API)
- Smart Card pass-through not working on Windows 7 / 2008 R2: add the value HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SmartCardLogonNotify = 1 (REG_DWORD)
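Most of the client-side items on the two pitfall slides above (pass-through and Smart Card) are registry values and running processes, so they can be checked in one pass. The PowerShell function below is an added example, not part of the original slides: it reads the ProviderOrder and SmartCardLogonNotify values quoted on the slides, looks for SSONSVR.EXE, the Local Intranet zone mapping of the WI URL and the Citrix Smart Card Service. The WI host name and the service display-name pattern are assumptions; the Local Intranet check covers the per-user ZoneMap only, not a GPO "Site to Zone Assignment List".

```powershell
# Added example, not part of the original slides: client-side SSON / Smart Card
# prerequisite check. Host name and service display-name pattern are assumptions.
function Test-CitrixSsonPrereqs {
    param([Parameter(Mandatory)][string]$WebInterfaceHost)   # e.g. wi01.example.local (assumed)

    $r = [ordered]@{}

    # SSONSVR.EXE must have been spawned at logon (Receiver Enterprise ENABLE_SSON=yes or
    # Receiver /includeSSON); without it there is nothing to forward to the XA host.
    $r.SsonsvrRunning = [bool](Get-Process -Name ssonsvr -ErrorAction SilentlyContinue)

    # PnSson must be in the network provider order; providers ahead of it (third-party
    # SSO agents, for example) can swallow the credential notification.
    $order = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order').ProviderOrder
    $r.ProviderOrder    = $order
    $r.PnSsonRegistered = (($order -split ',') -contains 'PnSson')

    # Smart Card logon on Vista / 7 / 2008 R2 only triggers SSONSVR with this DWORD set.
    $notify = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify' -ErrorAction SilentlyContinue
    $r.SmartCardLogonNotify = ($notify.SmartCardLogonNotify -eq 1)

    # The WI / SF URL has to sit in the Local Intranet zone (zone 1) for IE and Receiver to
    # answer the IWA challenge silently. Per-user layout: ZoneMap\Domains\<domain>\<host>
    # with a DWORD named after the scheme.
    $labels = $WebInterfaceHost.ToLower().Split('.')
    if ($labels.Count -lt 2) { throw 'Pass the WI host as an FQDN' }
    $zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\' + ($labels[-2..-1] -join '.')
    if ($labels.Count -gt 2) { $zoneKey = $zoneKey + '\' + ($labels[0..($labels.Count - 3)] -join '.') }
    $zone = (Get-ItemProperty $zoneKey -ErrorAction SilentlyContinue).https
    $r.WiInLocalIntranetZone = ($zone -eq 1)    # 1 = Local intranet, 2 = Trusted sites

    # Smart Card: the Citrix Smart Card Service must be running (display-name match is an assumption).
    $svc = Get-Service -DisplayName 'Citrix Smart Card*' -ErrorAction SilentlyContinue
    $r.CitrixSmartCardService = if ($svc) { [string]$svc.Status } else { 'not installed' }

    # Smart Card middleware: a vendor CSP must be registered in addition to the Microsoft ones.
    $csps = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Cryptography\Defaults\Provider' |
        Select-Object -ExpandProperty PSChildName
    $r.ThirdPartyCsps = (($csps | Where-Object { $_ -notlike 'Microsoft*' }) -join '; ')

    [pscustomobject]$r
}

Test-CitrixSsonPrereqs -WebInterfaceHost 'wi01.example.local' | Format-List
```

Run it in the user's session (the zone mapping is per user) on a client where pass-through fails; a false SsonsvrRunning with PnSsonRegistered true and SmartCardLogonNotify false is exactly the Smart Card logon case the slides describe.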

Considerations when using Kerberos

- The XML Service must be shared with IIS
- Smart Card with Kerberos pass-through is not supported for XenDesktop environments
- Apps on XenApp that use explicit NTLM authentication may prompt for credentials or fail (no NTLM fallback)
- DNS resolution must be enabled in the HDX policy; reverse lookup zones are mandatory!
- Kerberos delegation has to be set for each XA, DDC, VDA and XML / WI box: a huge effort in XD environments
- HOT! Using Kerberos pass-through breaks AppSense EM and SSONSVR on XenApp (refer to case SR60727501)
- Kerberos uses UDP by default; consider switching to TCP for WAN connections with many routing hops or customized MTUs
- Kerberos can fail because of a large token size (nested groups, Smart Card); increase MaxTokenSize
- Authentication with XD in multi-forest deployments falls back to NTLM (so Kerberos is not an option there)
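The UDP, token size, reverse DNS and delegation points above can be verified from a client. The PowerShell function below is an added example, not part of the original slides: it reads (and with -Fix sets) the two Kerberos client parameters from KB244474 (MaxPacketSize = 1 forces TCP) and KB327825 (MaxTokenSize), checks forward and reverse DNS for the Citrix hosts, reads the delegation attributes of their computer objects, and lists the service tickets currently held so one can tell whether WI was reached over Kerberos or fell back to NTLM. The host names are assumptions; Get-ADComputer needs the ActiveDirectory RSAT module and is skipped when absent.

```powershell
# Added example, not part of the original slides: Kerberos prerequisite check for a
# Citrix client. Host names are assumptions; -Fix writes the two registry values.
function Test-CitrixKerberosPrereqs {
    param(
        [string[]]$CitrixHosts = @('wi01.example.local', 'xa01.example.local'),  # assumed
        [int]$WantedMaxTokenSize = 48000,
        [switch]$Fix
    )
    $krb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    if (-not (Test-Path $krb)) { New-Item $krb -Force | Out-Null }
    $p = Get-ItemProperty $krb

    # UDP is used by default up to MaxPacketSize bytes; large TGS replies get fragmented and
    # dropped on routed WAN links with odd MTUs. MaxPacketSize = 1 forces TCP (KB244474).
    $tcpForced = ($p.MaxPacketSize -eq 1)
    # Nested groups and Smart Card logon inflate the PAC; a token above MaxTokenSize fails
    # authentication outright (KB327825). 48000 is the usual ceiling when IIS on the WI box
    # has to carry the base64-encoded token in an HTTP header.
    $tokenOk = ($p.MaxTokenSize -ge $WantedMaxTokenSize)
    if ($Fix -and -not $tcpForced) { Set-ItemProperty $krb -Name MaxPacketSize -Value 1 -Type DWord; $tcpForced = $true }
    if ($Fix -and -not $tokenOk)   { Set-ItemProperty $krb -Name MaxTokenSize -Value $WantedMaxTokenSize -Type DWord; $tokenOk = $true }

    # Per host: forward and reverse DNS (the HDX DNS resolution policy relies on PTR records)
    # and the delegation flags on the computer object.
    $hosts = foreach ($h in $CitrixHosts) {
        $ip = $null; $ptr = $null
        try {
            $ip  = [System.Net.Dns]::GetHostAddresses($h)[0].IPAddressToString
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
        } catch { }
        $c = $null
        if (Get-Command Get-ADComputer -ErrorAction SilentlyContinue) {
            $c = Get-ADComputer -Identity $h.Split('.')[0] `
                -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' `
                -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            Host               = $h
            Ip                 = $ip
            ReverseDnsOk       = [bool]($ptr -and ($ptr -ieq $h))
            Unconstrained      = $c.TrustedForDelegation
            ProtocolTransition = $c.TrustedToAuthForDelegation
            ConstrainedTo      = ($c.'msDS-AllowedToDelegateTo' -join '; ')
        }
    }

    # Service tickets held right now: an HTTP/<wi> ticket proves the browser or Receiver used
    # Kerberos rather than NTLM; a HOST/<xa> ticket is what the ICA engine needs for C6.
    $tickets = (& klist 2>$null) | Select-String -Pattern '^\s*Server:\s*(\S+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }

    [pscustomobject]@{
        TcpForced      = $tcpForced
        MaxTokenSize   = $p.MaxTokenSize
        MaxTokenSizeOk = $tokenOk
        Hosts          = $hosts
        ServiceTickets = $tickets
    }
}

Test-CitrixKerberosPrereqs | Format-List
```

Run `klist purge` and open the WI URL again before reading ServiceTickets, so the list reflects the current logon rather than tickets left from an earlier session; the registry writes under -Fix need an elevated shell.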

Common StoreFront Services / Receiver issues and FAQ

- Pass-through not supported for legacy PNA mode? ...it works indeed. Add the line <LogonMethod>sson</LogonMethod> to the logon section of C:\inetpub\wwwroot\Citrix\<Store>\Views\PnaConfig\Config.xml
- Domain pass-through with Receiver for Web? ...no, not supported
- Multi-factor authentication with AGEE / SF / Receiver? ...Receiver for Windows expects the token as the secondary authentication method, while Receiver for iOS / Android expects it to be the primary
- What about Smart Card support? ...currently not supported in version 1.1
- AGEE 9.x known pass-through issue with SF: SF expects the SNIP as the source address; solved with 10.0
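The PNA pass-through answer above is a one-line XML edit that is easy to get wrong by hand (wrong store, duplicated element, no backup). The PowerShell function below is an added example, not part of the original slides: it backs up the store's PnaConfig Config.xml and sets <LogonMethod>sson</LogonMethod>, adding the element if it is missing. The store name is an assumption, and the element name of the "logon section" (Logon) is inferred from the slide's wording.

```powershell
# Added example, not part of the original slides: enable legacy PNA pass-through on a
# StoreFront store. Store name and the <Logon> element name are assumptions.
function Set-PnaLogonMethodSson {
    param(
        [string]$Store = 'Store',   # assumed store name
        [string]$Path  = "C:\inetpub\wwwroot\Citrix\$Store\Views\PnaConfig\Config.xml"
    )
    if (-not (Test-Path $Path)) { throw "PnaConfig not found: $Path" }

    # Keep a timestamped copy so the change can be rolled back.
    Copy-Item -Path $Path -Destination ('{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)

    # local-name() lookups tolerate a default namespace on the document.
    $logon = $xml.SelectSingleNode("//*[local-name()='Logon']")
    if (-not $logon) { throw "No <Logon> section in $Path" }

    $method = $logon.SelectSingleNode("*[local-name()='LogonMethod']")
    if (-not $method) {
        $method = $xml.CreateElement('LogonMethod', $logon.NamespaceURI)
        [void]$logon.AppendChild($method)
    }
    $previous = $method.InnerText
    $method.InnerText = 'sson'
    $xml.Save($Path)

    [pscustomobject]@{ Path = $Path; Previous = $previous; Current = $method.InnerText }
}

Set-PnaLogonMethodSson -Store 'Store'
```

IIS has to reload the store configuration afterwards (iisreset, or recycle the store's application pool) before Receiver Enterprise in PNA mode picks up the new logon method; the PNA pass-through still depends on SSONSVR running on the client as described on the pass-through slide.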

Troubleshooting authentication failures

Kerberos
- Use network traces to gather any KRB_XX errors; refer to the MS Kerberos error reference: http://www.microsoft.com/en-us/download/details.aspx?id=21820
- Ensure proper DNS functionality
- Ensure Kerberos delegation on all required hosts
- Ensure the Receiver ADM settings are correct

Domain pass-through
- Install Receiver with the /INCLUDESSON switch
- Install Receiver Enterprise with ENABLE_SSON=yes
- Ensure that SSONSVR.exe is running
- Ensure the WI / SF URLs are listed in the Local Intranet Zone

Generally
- Use CDFControl to capture and analyze traces (CTX111961)
- Trace provider list for Receiver: C:\Program Files\Citrix\ICA Client\IcaClientTraceProviders.ctl

Resources

- How to Configure Smart Card Single Sign-On with Access Gateway Enterprise Edition: CTX124603
- Troubleshooting Smart Card SSO with Access Gateway Enterprise Edition: http://blogs.citrix.com/2012/03/05/troubleshooting-smart-card-sso-with-access-gateway-enterprise-edition-%E2%80%93-part-2/
- How to Configure Smart Cards with the Latest Version of Web Interface and XenApp: CTX29096
- How to Implement Kerberos Authentication in a Citrix XenApp Environment: CTX121918
- An XML error 30102 occurs when launching applications in a XenApp Kerberos-based environment: CTX130480
- How to Configure Smart Card Pass-through with Kerberos: CTX123611
- How to force Kerberos to use TCP instead of UDP: KB244474
- How to calculate / increase the Kerberos Max Token Size: KB327825
- Troubleshooting Citrix Pass-through Authentication: CTX368624
- How pass-through authentication works: http://blogs.sepago.de/d/nicholas/2012/05/07/citrix-passthrough-authentication-explained
- Smart Card Authentication Architecture in Windows Vista and above: http://msdn.microsoft.com/en-us/library/bb905527.aspx
- How to Configure Access to Citrix Receiver StoreFront 1.x through Access Gateway Enterprise Edition: CTX131908

Thanks for your attention!
michael.rueefli@inserto.ch
Twitter: @drmiru
Blog: www.miru.ch