Smart Card Single Sign On with Access Gateway Enterprise Edition

Smart Card Single Sign On with Access Gateway Enterprise Edition Nicolas Ogor, Escalation Engineer. 06/10/10

Agenda: Introduction to Access Gateway Enterprise Edition. What's new in Web Interface 5.3? Configuration. Limitations and solutions. Troubleshooting.

Introduction to Access Gateway Enterprise Edition

Combines your traditional IPSec VPN and Secure Gateway into a single appliance. Easy to configure with XenApp and XenDesktop. Supports up to 10,000 concurrent connections. Physical and virtual versions available.

What's new in Web Interface 5.3?

New enhancements and features in this release: pass-through with smart card from the Access Gateway; support for 32-bit color; XenApp farm migration; multiple launch prevention; support for Windows Server 2008 R2.

How does the Pass-through work? Web Interface uses the Protocol Transition Service with the user and domain name parameters to obtain an instance of the .NET WindowsIdentity class from the Domain Controller. This .NET object represents the user’s logon session. It is used to create a WindowsToken that can authenticate the user.

The animated diagram that accompanies this slide shows the participants (User, AGEE, Web Interface, Local PTS service, Domain Controller, XenApp) and labels each exchange. The labels, in animation order, are:
1. Certificate validation (User to AGEE).
2. Citrix AGBasic, no password (AGEE to Web Interface).
3. Local PTS service.
4. Username and Domain name (Web Interface to the PTS service).
5. S4U (PTS service to Domain Controller).
6. .NET WindowsIdentity class (returned to Web Interface).
7. XML (Web Interface to XenApp).
8. Application list (XenApp to Web Interface).
9. HTTPS (Web Interface back through AGEE to the User).

Configuration

Certificate Authority Install a Certificate Authority in the domain. Open MMC and select the Certificate Authority and Certificate Templates snap-ins. Duplicate the Smart card logon template. Select your CSP.

Certificate Authority Issue the Certificate template created previously to be available for users.

Client computer Install your CSP software on your computer. Log on to your Certificate Authority. Select the Certificate template and CSP vendor. The certificate will be installed onto the smart card.

XenApp and Web Interface requirements XenApp and Web Interface servers must be domain members. The XenApp XML service must be running with IIS on the servers chosen as XML brokers and STA servers. XenApp versions 4.5 and 5 are currently supported. Web Interface 5.3 or later must be used. The Active Directory domain functional level must be 2003 or 2008.

Set up delegation on your domain Delegation definition: Some server services require access to a second server. In order to establish a session with the second server, the primary server must be authenticated on behalf of the client's user account and authority level.

Set up delegation on your domain (Kerberos delegation flow)
1 - Client provides credentials and the domain controller returns a Kerberos TGT to the client.
2 - Client uses the TGT to request a service ticket to connect to Server 1.
3 - Client connects to Server 1 and provides both the TGT and the service ticket.
4 - Server 1 uses the client's TGT to request a service ticket so that Server 1 can connect to Server 2.
5 - Server 1 connects to Server 2 using the client’s credentials.

Set up delegation on your domain (required delegations)
- Web Interface must delegate the http service to the XML broker.
- The XML broker must delegate the http service to itself and the host service to all XenApp servers in the farm.
- Each XenApp server must delegate the cifs and ldap services to the Domain Controllers, the host service to itself, and the http service to the XML broker.
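The three delegation rules above are easy to get partly wrong on a farm of more than a couple of servers, and the troubleshooting checklist later in the deck simply says to check them. The following added example (my own code, not Citrix's) derives the SPN list each computer account must be allowed to delegate to, then diffs it against an export of the msDS-AllowedToDelegateTo attribute. The host names, the farm layout and the "export" dictionaries are constructed for illustration; the extra check that the Web Interface computer account carries the TRUSTED_TO_AUTH_FOR_DELEGATION flag is my addition, taken from the Kerberos protocol-transition requirement rather than from the slides.

```python
"""Audit Kerberos constrained-delegation settings for smart-card pass-through.

Added example, not part of the Citrix deck. Inputs are constructed: in practice the
'actual' map would come from an export of each computer account's
msDS-AllowedToDelegateTo attribute and the 'uac' map from userAccountControl.
"""
from __future__ import annotations
from dataclasses import dataclass

# userAccountControl bit that permits protocol transition (S4U2Self followed by
# S4U2Proxy), which the Protocol Transition Service on Web Interface relies on.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000


@dataclass
class Farm:
    web_interface: str           # Web Interface server running the PTS
    xml_broker: str              # XenApp server acting as XML broker
    xenapp_servers: list[str]    # every XenApp server in the farm (may include the broker)
    domain_controllers: list[str]


def expected_delegations(farm: Farm) -> dict[str, set[str]]:
    """Return {server: SPNs it must be allowed to delegate to}, following the slides:
    WI -> http/<broker>; broker -> http/<broker> + host/<each XenApp server>;
    each XenApp server -> cifs+ldap/<each DC>, host/<itself>, http/<broker>."""
    expected: dict[str, set[str]] = {}
    expected.setdefault(farm.web_interface, set()).add(f"http/{farm.xml_broker}")
    broker = expected.setdefault(farm.xml_broker, set())
    broker.add(f"http/{farm.xml_broker}")
    broker.update(f"host/{s}" for s in farm.xenapp_servers)
    for server in farm.xenapp_servers:
        spns = {f"host/{server}", f"http/{farm.xml_broker}"}
        for dc in farm.domain_controllers:
            spns.update({f"cifs/{dc}", f"ldap/{dc}"})
        expected.setdefault(server, set()).update(spns)
    return expected


def audit(farm: Farm, actual: dict[str, set[str]], uac: dict[str, int]) -> list[tuple]:
    """Compare the exported settings with the expectation.

    Returns a list of (server, finding, details) tuples; an empty list means the
    delegation configuration matches the slides. SPNs are compared case-insensitively.
    """
    findings = []
    for server, needed in expected_delegations(farm).items():
        have = {spn.lower() for spn in actual.get(server, set())}
        missing = sorted(spn for spn in needed if spn.lower() not in have)
        if missing:
            findings.append((server, "missing", missing))
    # Protocol transition is performed by the PTS on the Web Interface server, so that
    # account needs the "use any authentication protocol" flag (assumption, see lead-in).
    if not uac.get(farm.web_interface, 0) & TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append((farm.web_interface, "no-protocol-transition", []))
    return findings


# ---- constructed sample data (hypothetical host names) ----
SAMPLE_FARM = Farm(
    web_interface="wi01.corp.example",
    xml_broker="xa01.corp.example",
    xenapp_servers=["xa01.corp.example", "xa02.corp.example"],
    domain_controllers=["dc01.corp.example"],
)

# Pretend export of msDS-AllowedToDelegateTo; xa02 is deliberately missing ldap/dc01.
SAMPLE_EXPORT = {
    "wi01.corp.example": {"http/xa01.corp.example"},
    "xa01.corp.example": {"http/xa01.corp.example", "host/xa01.corp.example",
                          "host/xa02.corp.example", "cifs/dc01.corp.example",
                          "ldap/dc01.corp.example"},
    "xa02.corp.example": {"host/xa02.corp.example", "http/xa01.corp.example",
                          "cifs/dc01.corp.example"},
}

# Pretend userAccountControl values (0x1000 = WORKSTATION_TRUST_ACCOUNT).
SAMPLE_UAC = {
    "wi01.corp.example": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "xa01.corp.example": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "xa02.corp.example": 0x1000,
}

if __name__ == "__main__":
    for server, finding, details in audit(SAMPLE_FARM, SAMPLE_EXPORT, SAMPLE_UAC):
        print(f"{server}: {finding} {details}")
```

When run, the sample reports that xa02 lacks the ldap/dc01 delegation. Note that the Delegation tab in Active Directory Users and Computers usually records both the short and the fully qualified form of each SPN; feed whichever form your export uses into the farm definition so the comparison is like for like.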

Access Gateway configuration Create a Virtual Server and associate a server certificate. Bind the root certificate as a Root Certificate Authority on the Virtual server.

Access Gateway configuration Enable client authentication and set Client Certificate to Optional in the Virtual server properties.

Access Gateway configuration Create an authentication profile of type certificate. Under the User Name field specify the certificate attribute to extract.

Access Gateway configuration Create a session profile that will redirect users to the Web Interface after successful authentication. Specify the NetBIOS name of your domain for the Single Sign-on domain. Bind the session profile to your Virtual server.

Web Interface Site Install a server certificate on the Web Server. Create a site and specify the path of the Web site.

Web Interface Site Set the Authentication to take place at the Access Gateway and select the option “Enable Smart Card pass-through”.

Web Interface Site Once the site is created, you must restart your Web Interface server.

Web Interface Site Specify your XML broker.

Web Interface Site Finish the Web Interface site configuration and restart the Web Interface server.

Web Interface Site Check if the Protocol Transition Service is running.

Web Interface Site Configure the Secure Access to go through the Gateway.

Web Interface Site Specify the FQDN of your Access Gateway Virtual Server.

Web Interface Site Specify the Secure Ticket Authority servers on the Web Interface and AGEE.

Limitations and solutions

PIN prompt when launching a Published Application Cause: The user receives a PIN prompt when the ICA client hits the AGEE Virtual server because the Client Certificate option is set to On.

PIN prompt when launching a Published Application Solution: Create another Virtual server with the same IP address and certificate but a different port, with the Client Certificate option set to Off. On that Vserver, bind the STA server specified on the Web Interface site. Create a dummy authentication policy and bind it to the Vserver so that users cannot log on directly to that Virtual server.

PIN prompt when launching a Published Application Solution: In the Secure Access settings of the Web Interface, specify the new Virtual Server. All HTTP traffic will now go through the VIP on port 443 and ICA proxy traffic through port 444.

Limitations of Kerberos Pass-through Authentication Issue: Applications running on XenApp that depend on the NTLM protocol for authentication generate explicit user authentication prompts or fail because the password is never sent over the network. Workaround: Configure delegation on the targeted servers to use Kerberos instead of NTLM authentication.

Limitations of Kerberos Pass-through Authentication Issue: Kerberos pass-through authentication for applications expires if the XenApp session is left running for a very long time (typically one week) without being disconnected and reconnected. Workaround: You have to force the user to disconnect after the Kerberos ticket has expired.

Troubleshooting

Decrypt traffic between the Web Interface and AGEE Install Wireshark or another network sniffer on the Web Interface server. Retrieve the private keys for the Web Interface certificate and the AGEE virtual server certificate. Configure the Wireshark SSL preferences to use the private keys to decrypt the traffic ( http://support.citrix.com/article/CTX116557 ). Start a trace on the Web Interface server.

Authentication process 1. The client opens a Web browser and enters a URL. 2. The user presents the client certificate to the portal page and clicks Logon. 3. AGEE extracts the username from the certificate. 4. The client sends a GET request to the home page defined in the global SSL VPN settings or in a session profile. This communication is client to VIP. 5. AGEE sends the same GET to the Web Interface page called login.aspx. 6. Web Interface issues a 302 Found message with a redirect to agesso.aspx.

Authentication process 7. The client sends a GET for agesso.aspx to the VIP and the appliance then forwards it to Web Interface. 8. Web Interface responds with a 401 Unauthorized message including a header named WWW-Authenticate, which should have CitrixAGBasic password_required="No" as its value as well as a ticket ID.

Authentication process 9. After the 401 Unauthorized message, the appliance sends another GET for agesso.aspx including an Authorization header. This header includes a hash value of the user name, domain and session ID. Web Interface responds with a 302 and sets the cookie WIAuthID.

Authentication process 10. This now causes the Web Interface to POST to the authentication service URL in its configuration. 11. If everything succeeds, the appliance responds with an HTTP 200 message and a SOAP envelope containing the smart access farm name, client IP address, and a success status code.

Authentication process 12. A GET request is sent for default.aspx from the client (client to VIP). The GET request contains the cookie WIAuthID and the Authorization header, which is a hash of the username and domain.

Authentication process 13. The Web Interface contacts the XML broker to get the application list by sending a POST request to CtxIntegrated/wpnbr.dll.

Authentication process 14. The XML broker returns the published application list for the user to the Web Interface. 15. The Web Interface responds to the GET request from step 12 with a 200 response and the applications are enumerated in the client’s browser.
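Once the trace between AGEE and Web Interface has been decrypted, the steps above give a concrete sequence to check it against. The following added example (my own code, not from the deck or from Citrix) replays a constructed AGEE-to-Web-Interface exchange and reports which step deviates: the 302 from login.aspx to agesso.aspx (steps 5-6), the 401 with the CitrixAGBasic challenge and password_required="No" (step 8), the authorized GET answered with a 302 that sets WIAuthID (step 9), and the final GET for default.aspx carrying the cookie (steps 12 and 15). The site paths under /Citrix/XenApp/, the ticket parameter name and the header values are constructed for illustration.

```python
"""Check a decrypted AGEE <-> Web Interface exchange against the expected sequence.

Added example, not Citrix code. The exchange is modelled as a list of
request/response records; the sample records below are constructed.
"""
from __future__ import annotations
import copy
import re


def header(headers: dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; empty string if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_www_authenticate(value: str) -> tuple[str, dict[str, str]]:
    """Split 'Scheme k1="v1", k2=v2' into the scheme and a dict of parameters."""
    scheme, _, rest = value.strip().partition(" ")
    params: dict[str, str] = {}
    for m in re.finditer(r'(\w+)\s*=\s*"([^"]*)"|(\w+)\s*=\s*([^,\s]+)', rest):
        key = m.group(1) or m.group(3)
        val = m.group(2) if m.group(2) is not None else m.group(4)
        params[key.lower()] = val
    return scheme, params


def check_agee_flow(exchange: list[dict]) -> list[str]:
    """Return a list of problems; an empty list means the trace matches the slides."""
    problems: list[str] = []

    def first(method: str, path_suffix: str, with_auth: bool | None = None):
        for e in exchange:
            if e["method"] != method or not e["path"].lower().endswith(path_suffix):
                continue
            has_auth = bool(header(e["req"], "Authorization"))
            if with_auth is None or has_auth == with_auth:
                return e
        return None

    login = first("GET", "login.aspx")
    if login is None:
        problems.append("step 5: no GET for login.aspx from the appliance")
    elif login["status"] != 302 or "agesso.aspx" not in header(login["resp"], "Location"):
        problems.append("step 6: login.aspx did not answer 302 with a redirect to agesso.aspx")

    challenge = first("GET", "agesso.aspx", with_auth=False)
    if challenge is None or challenge["status"] != 401:
        problems.append("step 8: no 401 challenge for the unauthenticated GET agesso.aspx")
    else:
        scheme, params = parse_www_authenticate(header(challenge["resp"], "WWW-Authenticate"))
        if scheme != "CitrixAGBasic":
            problems.append(f"step 8: expected a CitrixAGBasic challenge, got {scheme!r}")
        if params.get("password_required", "").lower() != "no":
            problems.append('step 8: password_required is not "No" (smart card pass-through '
                            "not enabled on the Web Interface site?)")

    authed = first("GET", "agesso.aspx", with_auth=True)
    if authed is None or authed["status"] != 302:
        problems.append("step 9: no authorized GET agesso.aspx answered with 302")
    elif "WIAuthID" not in header(authed["resp"], "Set-Cookie"):
        problems.append("step 9: the 302 did not set the WIAuthID cookie")

    home = first("GET", "default.aspx")
    if home is None:
        problems.append("step 12: no GET for default.aspx")
    else:
        if "WIAuthID" not in header(home["req"], "Cookie"):
            problems.append("step 12: default.aspx requested without the WIAuthID cookie")
        if home["status"] != 200:
            problems.append(f"step 15: default.aspx returned {home['status']} instead of 200")
    return problems


# ---- constructed sample exchange (hypothetical host, paths and values) ----
GOOD_EXCHANGE = [
    {"method": "GET", "path": "/Citrix/XenApp/auth/login.aspx", "req": {"Host": "wi01.corp.example"},
     "status": 302, "resp": {"Location": "/Citrix/XenApp/auth/agesso.aspx"}},
    {"method": "GET", "path": "/Citrix/XenApp/auth/agesso.aspx", "req": {"Host": "wi01.corp.example"},
     "status": 401, "resp": {"WWW-Authenticate":
                             'CitrixAGBasic password_required="No", ticket="CONSTRUCTED-TICKET-ID"'}},
    {"method": "GET", "path": "/Citrix/XenApp/auth/agesso.aspx",
     "req": {"Host": "wi01.corp.example", "Authorization": "CitrixAGBasic CONSTRUCTED-HASH"},
     "status": 302, "resp": {"Set-Cookie": "WIAuthID=CONSTRUCTED; path=/; secure",
                             "Location": "/Citrix/XenApp/site/default.aspx"}},
    {"method": "GET", "path": "/Citrix/XenApp/site/default.aspx",
     "req": {"Cookie": "WIAuthID=CONSTRUCTED", "Authorization": "CitrixAGBasic CONSTRUCTED-HASH"},
     "status": 200, "resp": {"Content-Type": "text/html"}},
]

# Same exchange, but the site answers as if pass-through were not enabled.
BAD_EXCHANGE = copy.deepcopy(GOOD_EXCHANGE)
BAD_EXCHANGE[1]["resp"]["WWW-Authenticate"] = 'CitrixAGBasic password_required="Yes"'

if __name__ == "__main__":
    print("good:", check_agee_flow(GOOD_EXCHANGE) or "matches expected sequence")
    print("bad: ", check_agee_flow(BAD_EXCHANGE))
```

Feeding the script records pulled from a decrypted Wireshark capture (method, path, status and the handful of headers above are enough) turns the checklist at the end of the deck into a repeatable test, and the message for step 8 points straight at the site option the configuration section told you to enable.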

Checklist Take a network trace on the Web Interface. Check the Application event log (Event Viewer) on the Web Interface. Check your delegation settings in your Active Directory. Ensure that the Trust XML requests option on the XML broker is selected. Ensure that the root certificate used to sign the AGEE Virtual server certificate is stored in the Trusted Root Certification Authorities store of the Web Interface server. Ensure that the Web Interface can resolve the FQDN of the Virtual server.

Before you leave… Recommended related breakout sessions: SUM502 - XenApp and XenDesktop authentication (Lalit Kaushal). Session surveys are available online at www.citrixsynergy.com starting Thursday, 7 October. Provide your feedback and pick up a complimentary gift card at the registration desk. Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account.