1. Bruce Huber Citrix Systems, Inc. Citrix MetaFrame Password Manager 2.0 Installation and Configuration Lead Sales Engineer

2. Non Disclosure Agreement This presentation is confidential. By virtue of your relationship with Citrix, you are bound to retain in confidence all information in this presentation.

3. Agenda  Introduction slides15 mins.  Technical Detail slides30 mins.  Q & A5 mins.

4. Credentials, Credentials & more Credentials

5. Where do the credentials end up?

6. What is Single Sign-On?  User authenticates ONCE and gains access to multiple secured applications/resources  User needs to remember only ONE set of credentials  Application credentials automatically (and securely) handled by the system

7. Who Needs Single Sign-on? “I already have single sign-on. I use the same password everywhere!” - Anonymous

8. Introducing: Citrix MetaFrame Password Manager

9. What is MetaFrame Password Manager?  Single Sign-On solution for: –MetaFrame Presentation Server Deployment –Desktop Deployment –Mixed Deployment (MetaFrame Presentation Server + Desktop)  User only needs to remember primary credentials  Handles all secondary logons and password change requests automatically  End users and administrators can configure applications using an easy-to-use wizard  Central administration and control  Meets all traveling/mobile user needs

10. MetaFrame Password Manager Benefits  Simplification of end-user computing –Only need to remember a single set of credentials –Automatic password changes  Reduction of help-desk costs –Eliminating calls for password resets –Simplifying password management  Increase in network security –Helps enforce stricter password policies –Eliminates weak password selection –No more Post-It Notes !!! –No sharing of passwords “Each time an end-user calls the help desk, it costs the organization $25-$50.” - Giga Research “Each time an end-user calls the help desk, it costs the organization $25-$50.” - Giga Research “Majority of end users end up writing down their passwords.” “30 percent of all calls to the help desk are for password resets” - Gartner Group “30 percent of all calls to the help desk are for password resets” - Gartner Group

11. How does it work?

12. Features  MetaFrame Presentation Server XP  Web Interface for MetaFrame  MetaFrame Secure Access Manager  All ICA clients Designed to work seamlessly with:

13. Features  Provides password security and single sign-on access No application modification needed No programming or scripting required Predefined templates Create your own application definitions

14. Benefits  Enterprise-level Single Sign-on Rapidly SSO-enable Applications Centralized Configuration Access Security Reduced Help Desk Costs

15. Components The Management Console is used to administer the MetaFrame Password Manager environment  The ‘Agent’ resides with the applications that need credentials filled in

16. Authentication  Windows Authentication including Active Directory  Graphical Identification & Authentication (GINA) Chaining

17. Deployment Options  Workstation MetaFrame XP Presentation Server Mixed Mode

18. Types of Central Credential Stores MS File Share - CtxFileSyncPrep OR  MS Active Directory - CtxSchemaPrep - CtxDomainPrep

19. Technical Overview

20. MetaFrame Password Manager Functional Components

21. Administrative tool to centrally manage MetaFrame Password Manager deployment Configures applications and user settings Pushes settings into Central Credential Store for Agents to synchronize from

22. MetaFrame Password Manager Functional Components Stores all settings configured by administrators Based on Active Directory or Network File Share Agent synchronizes settings from credential store All credentials stored encrypted using Microsoft Crypto API

23. MetaFrame Password Manager Functional Components Stores all settings configured by administrator Client/Desktop component Synchronizes settings from Credential Store Has its own local credential store for offline/mobile use Detects logon and change password events Automatically fills in secondary credentials and changes passwords for end users

24. MetaFrame Password Manager Architectural Components

25. Architectural Benefits  Event-driven Client Side Intelligence –No scripts or connectors –No changes to applications –Automatically detects logon and password change events  Authentication –Support for strong authentication –No need for additional authentication servers

26. Architectural Benefits (cont.)  Synchronization –Centralized management –Integration with existing infrastructure  Active Directory  File System –Local credential store on agent for offline/mobile Single Sign On  Encryption –Credentials stored securely –Support for standard 3DES encryption

27. Authentication  Functions –Gets credentials and passes them to get the user authenticated –Unlocks credential store –Passes credentials to the Shell on request  Primary authentication managed by the operating system  Password Manager GINA (SSOGINA) added for pre-processing –Captures credentials and passes them to shell in order to unlock credential databases (local and central credential store) –Passes credentials to existing GINA for authentication  Authentication performed by existing GINA –MSGINA for standard Windows 2000/2003 –Other custom GINA for smart card or biometric devices a.NOTE: Microsoft Password Policy settings should be used to enforce high standards for primary authentication (password length, age, complexity)

28. Multi-Factor Authentication  Something you know + something you have  Examples: Time-synchronous tokens, smart cards, biometric scanners, proximity badges  A variety of strong authenticators have been successfully tested for interoperability with Password Manager

29. Re-authentication  Timer after which end users have to re-authenticate to the Agent –Administratively controlled setting  Administrator can force reauthentication when users access certain applications  Helps administrators build tighter security –End users may forget to log-off or lock the system  End users still need to only remember one set of credentials

30. Primary Authentication Process Re-authentication Ships with Windows Authenticator Validates credentials using existing systems Conduit between Authentication Service and Shell

31. The Shell Intelligent Agent Response Authenticator API First-time use Shell Data Synchronization CryptoAPI Welcome! Logon Screen Local Credential Storage Credential Manager Primary credentialsEncryption Triggers synchronization Secondary Credentials for SSO

32. The Shell  Core component sitting in the middle  Encrypts and decrypts data from local and central credential storage –User’s password used to encrypt and decrypt data –Data includes secondary credentials –Provides secure way of storing credentials  Supplies secondary credentials to Intelligent Agent Response –Intelligent Agent Response uses secondary credentials for single sign-on  Triggers credential synchronization –Detects administratively configured timers and starts credential synchronization  First-Time-Use –End users can configure all their applications first time they use the Agent

33. Data Synchronization Local Credential Storage Microsoft Active Directory Domain OUOU OUOU OUOU OUOU OUOU OUOU File server Benefits Enables mobility for end users Eases deployment of application configurations and settings Centralizes administration

34. Data Synchronization (cont.)  Keeps local and central credential stores in sync  Latest version of the store overwrites settings –All changes have time-stamps –Similar to MS Profile  Always initiated by the Agent based on administrative configuration  Allows administrator to push application configuration and agent settings to end users

35. Data Synchronization (cont.)  Administrator controls frequency of synchronization  “Aggressive Sync” mode - Synchronization occurs whenever user performs an action that should use most current credentials or settings –Example – a new application launch, etc. –Aggressive Sync used in MetaFrame Presentation Server deployments since a user may have multiple MetaFrame Presentation Server session in progress

36. Central Credential Store Active Directory vs. File Share  File Share –Pros  Does not require any changes to existing infrastructure  Easier to setup and administer –Cons  Different settings cannot be configured for different users  Additional servers required  Active Directory –Pros  Does not require any additional infrastructure or servers  Allows configuration of different settings for different users or containers –Cons  Requires extending Active Directory schema No scalability limits for File share or Active Directory Both can support thousands of users Both are equally secure

37. Synchronization Process Annie User June 5, 2003 Password 9:14 AM XLB639 MAL929 New Password Local Credential Store Encrypted Central Credential Store Encrypted Annie User June 6, 2003 Password 6:43 AM MAL929 New Password Synchronizes with Central Credential Store 1 2 Other machines pull the data into their Local Stores

38. Encryption  Uses cryptography to confirm end user authentication  Secure storage of data to protect end user credentials  Uses Symmetric encryption (Secret Key Encryption) –Same key used to encrypt and decrypt data  3 DES encryption algorithm used to encrypt end user credentials –Secret key crypto algorithm used to create 56-bit keys –Used three times

39. Security SSO Encryption  Crypto API –Confirms end user authentication with Authenticator API –Generates unique primary authentication key that secures local and central credential store –Uses primary authentication key to decrypt individual credentials  Primary Authentication Key –Unlocked upon successful end user authentication –Created based on random number generation using MS CAPI –Self encrypted using 3 DES –Two different keys stored with MS CAPI  Encrypted with Windows password  Encrypted with user question information –Not stored anywhere in the raw form  Credential Data –Some data encrypted – Username, password, third and fourth fields –Remaining data encoded – windows title, application name, etc.

40. Credential Encryption  Credentials are encrypted with 3DES (Triple DES) Implemented through MS CAPI (Microsoft Cryptographic API) User Secrets SKEY User Q / A SKEY Windows Password Hash SKEY

41. Intelligent Agent Response Web Applications Windows Applications Host-based Applications Shell Windows Hook Component Mainframe Helper Object Web Browser SSO Helper Object Credential Manager

42. Intelligent Agent Response Benefits  Reduces the risk of credentials being supplied incorrectly or not supplied at all  System-level approach increases security –Keyboard-sniffing won’t compromise credentials  Better reliability than other solutions –Scripts easily broken by user actions Event-driven detection/response Looks for configured windows for logon and password change requests as they popup Automatically supplies secondary credentials for logon or change password Credentials supplied at OS level directly to the controls on the window when possible – otherwise sent with key strokes No complex scripts required No application changes required

43. MetaFrame Password Manager Deployments  Pure MetaFrame XP Presentation Server Deployment –All applications that require single sign-on accessed through MetaFrame XP Presentation Server over ICA  Desktop-only Deployment –All applications accessed directly from Windows 32-bit desktops –Using web browser for web applications and Mainframe emulator for host applications  Mixed Deployment –Some applications accessed through MetaFrame XP Presentation Server –Other applications accessed directly from Windows 32-bit desktops a.NOTE: Console can be installed anywhere with connectivity to central credential store

44. Deployment Example Console HTTPS SSL or TLS Central Credential Store ICA Client Local Credential Store Agent XP Server Farm Secure Gateway Server ICA Client

45. Server Deployment MetaFrame XP Presentation Servers ICA Client Central Credential Storage Agent runs in ICA sessions  Agent only required to be installed on MetaFrame XP Presentation Servers  Agents runs in ICA sessions and works automatically for all Published applications Published Applications

46. Desktop Deployment Desktop Central Credential Storage = Agent Local Applications  Agent installed only on Desktops  Agent can work in mobile mode by synchronizing settings and secondary credentials from central credential store

47. Mixed Deployment MetaFrame XP Server Desktop Central Credential Storage = Agent Published Applications Local Applications  Agent installed on MetaFrame XP Presentation Servers and Desktops  Agents run on Desktop and in ICA sessions without any problems  Agents share information through synchronization from Central Credential Store

48. Deployment with MSAM IE Browser CDA Access Center for MSAM DesktopMetaFrame XP Presentation Server = Agent  Uses MSAM Access Center  Published Apps that require credentials –Agent required on Presentation Server  CDAs –Agent required on Desktops if CDAs require credentials (Optional)

49. MetaFrame Password Manager Configuration & Deployment  Planning –Select deployment mode –Select Central Credential Store type  Prepare Central Credential Store  Add and activate license –Console automatically launches the wizard

50. MetaFrame Password Manager Configuration & Deployment (cont.)  Configure MetaFrame Password Manager deployment –Configure User Questions –Configure Application Definitions –Configure Password Policies and Password Sharing Groups –Configure Agent Settings –Configure First Time Use List  Save configurations in Central Credential Store

51. MetaFrame Password Manager Configuration & Deployment (cont.)  Create and install Agent with address of Central Credential Store –Use Custom MSI to create package –Use MSI deployment methods to install the Agent

52. Prepare Central Credential Store File share  Select a File Server accessible to the Agents  Run CTXFILESYNCPREP.EXE utility on the File Server from a command prompt  Creates a shared folder on the server

53. Prepare Central Credential Store File share (cont.)  Creates the required sub-folders –ENTLIST – stores all application configuration, password policies and password sharing groups –ADMINOVERRIDE – stores all Agent settings configured by administrators –FTU – stores all User questions and Bulk add applications for first time use of the Agent –SYNCSTATE – stores timestamp of the last change to global settings –People – stores settings for each user in individual folders

54. Prepare Central Credential Store File share (cont.)  Sets required security permissions –Only Authenticated users can access the network share –No user can access each others’ credential files in the People folder  Only CREATOR_OWNER has access to data in People folder

55. Prepare Central Credential Store Active Directory  A member of Schema Admin group needs to log on to a machine that resides in the Active Directory –Ensure Schema Master Role is configured to allow schema updates

56. Prepare Central Credential Store Active Directory (cont.)  Run ‘cscript CTXSCHEMAPREP.VBS’ from a command prompt –Extends the schema of Active Directory –Adds three new classes  Citrix-SSOConfig – contains data for all administrative configurations  Update frequency – only when administrator makes configuration changes  Citrix-SSOLicenseClass – contains license information  Update frequency – Rarely (when license is added, removed)  Citrix-SSOSecret – contains secret data used to authenticate a user of Citrix MetaFrame Password Manager  Update frequency – only when a user stores new credentials for SSO

57. Prepare Central Credential Store Active Directory (cont.)  Run CTXDOMAINPREP.EXE from a command prompt –Updates permissions of the specified container –Enables users to create MetaFrame Password Manager objects under their Active Directory User objects based on schema extensions

58. User Question Configuration  Administrators configure questions that users have to answer first time they use the Agent  Answers from end users stored securely in both Local and Central Credential Store

59. User Question Configuration (cont.)  Later, if users forget their primary passwords, they can answer these questions to retrieve their secondary credentials  Questions can not be changed/deleted after initial deployment  New questions can be added later

60. Application Definition Configuration  Each application enabled for Single Sign On has ‘Application Definition’  Applications supported –Windows Applications –Web Applications –Host-based Applications

61. Application Definition Configuration (cont.)  Application Definition can be built using –Pre-configured Application Templates –Wizard based Application Definition configuration  Application Definition consists of –Actions for Logon –Actions for Change Password  Stored in ENTLIST file (File Share) or ENTLIST object (Active Directory)

62. Windows Application Definition  Each window consists of different controls (eg: text box, button, plain text/label, etc.) –Regardless of the language application is developed in  Each control has a unique identifier on a window  Control Id  Run the application until you get to its logon dialog  Application configuration wizard in the console automatically detects different controls on logon window based on their Control Ids

63. Windows Application Definition (cont.)

64. Window Title Label UserID TextBox Control ID=3 PWD TextBox Control ID=2 Button Control ID=1 Executable Name=LOGON.EXE

65. Windows Application Definition (cont.)  Select the required Controls for - –Username/UserID –Password –3 rd or 4 th controls, if required (e.g. domain) –Logon button –Cancel button  Configure other matching fields –Window Title –Other labels on the logon dialog –etc.

66. Windows Application Definition (cont.)  MetaFrame Password Manager cannot detect controls on some windows –Developed using non-standard windows controls –Developed using proprietary third party windows controls  Administrators can write SendKey functions for such applications NOTE: Most applications are developed using standard windows controls

67. Windows Application Definition (cont.)  Specify shortcut keys to get focus on required input fields –Username –Password –Other fields –Logon button  Enter special commands for entering username, password, other fields or pressing enter on logon button  Easy to use concise command language to develop flexible SendKey functions –e.g. &t for tab key

68. Web Application Definition  Web applications can be configured for –Pop-up dialogs –Forms  Administrators specify fields similar to Windows applications

69. Web Application Definition (cont.)

70. URL TEXT PASSWORD SUBMIT

71. Web Application Definition (cont.)  URL distinguishes different web applications  The URL can be defined to the appropriate level by the admin –http://salesforce.com, or –http://salesforce.com/intranet.marketing  Configuration options similar to Windows apps –Automatic detection –SendKey  Basic out-of-the-box support for logon to many popular web sites/applications without configuration

72. Host-Based Application Definition  MetaFrame Password Manager supports single sign-on to mainframe applications through terminal emulators –Emulators following HLLAPI (High Level Language API) standard –3270 –5250  Launch Application Definition Configuration wizard in MetaFrame Password Manager Console  Open the mainframe application using terminal emulator

73. Host-Based Application Definition (cont.)  Configure position for different functions –User Id –Password –Other fields  Position includes –Row –Column –Keys after  Configure other text matching criteria –Text –Position on the emulator (row, column)

74. Host-Based Application Definition (cont.)

75. HLLAPI “WALLRED” @(X 1,Y 1 )? PUSH ID & PASSWORD @(X 2,Y 2 ) Window Title Host-Based Application Definition (cont.)

77. Password Policies  Administrator can set policies that constrain automatic password generation  Per Application  Password Policies control –Password size –Types of characters allowed –Etc.

78. Password Policies (cont.)  Helps administrator enforce tighter security –Complex passwords –More frequent password changes –Less password sharing across users  Must be at least as restrictive as the native application Password Policies –Else, password changes may fail

79. Password Sharing Groups  Applications sharing same credentials can be grouped together  Single backend authentication system across multiple applications – single set of credentials –Example – Multiple web applications require credentials from same DOMAIN  Third party Password Synchronization setup between different authentication systems ensuring same credentials between them

80. Agent Settings  Administrator configures Agent functionality available to end users –All settings stored centrally and can be changed anytime  Examples –Turn off Tray Icon –Clean up Local Credential Store on shutdown –Etc.

81. First Time Use List - Bulk Add  Administrators configure applications presented to end users when the Agent launched for the first time  Allows end users to enter their secondary credentials during first time use of the agent  Benefit –End users only have to go through configuration of secondary credentials once

82. Saving Configurations  File Share –Connect to File Share Central Credential Store –Read existing configuration –Make changes to configuration (as described earlier) –Save configuration back to the Credential Store  Active Directory –Connect to Active Directory –Read existing configuration –Make changes to configuration –Save configuration back to any container (OU or user) in Active Directory  Allows having different settings for different users

83. MetaFrame Password Manager Agent Deployment  Create a new Custom MSI file using the Console  Configure the address of Central Credential Store (Synchronizer)  Optionally, add other settings, application definitions, etc. to custom MSI  Use MSI deployment tools to install the Agent –Active Directory –Third party tools –Installation Manager for deployments on MetaFrame XP Presentation Server Enterprise Edition

84. MetaFrame Password Manager Agent Synchronization Workflow  Automatically launched when a user logs on  Gets users credentials from the GINA  Uses password to decrypt data in Local and Central Credential Stores  Synchronizes Local or Central Credential Stores with more recent settings –File Share  Synchronizes Local Credential Store with global folders  ENTLIST – Application configuration, password policies  ADMINOVERRIDE –Agent settings  FTU –User questions and Bulk add applications  Updates People folder on network share –Active Directory  Starts finding the configured settings in the User object  Walks up the OU tree until first container with configured settings is found  Synchronizes Active Directory with Local Credential Store  Synchronizes Local and Central Store at configured interval

85. MetaFrame Password Manager Agent Configuration Files  APPLIST.INI –Stores pre-configured, password-protected application definitions installed with the agent  ENTLIST.INI –Stores all application definitions configured by the administrator –Synchronized from Central Credential Store  AELIST.INI –Merged version from APPLIST.INI and ENTLIST.INI –Stores all application definitions to be used by the agent  FTULIST.INI –Defines users first time use experience –Installed when the agent is installed –Modified during synchronization to accommodate administratively configured bulk-add items

86. MetaFrame Password Manager Agent Single Sign-On to Windows Applications  Intelligent Agent Response monitors all window activity without any impact on performance  Detects the application matching criteria specified by the administrator  Decrypts credentials from the credential store  Automatically enters credentials for the application –Credentials sent directly to the configured controls at operating system level for applications with standard controls –Credentials sent to other applications via key strokes configured in SendKey functions

87. MetaFrame Password Manager Agent Single Sign-On to Web Applications  Actively monitors all web browser events without impacting those processes  Agent uniquely recognizes web logons using the URL and associated matching fields  Automatically fills in the credentials for the end user  Uses the existing web application security rather than substitute modules or custom integration  Access to all Web applications, not just intranet applications.

88. MetaFrame Password Manager Agent Single Sign-On to Host-Based Apps  Agent actively monitors all emulator session events without impacting those processes –HLLAPI session monitor  Natively supportive of multiple simultaneous emulators  Mainframe Helper Object securely sends the configured credentials to the configured position once a configured host application is detected  Also supports some emulators with scripting language capable of presenting a hidden pop-up dialog box

89. MetaFrame Password Manager Agent Event Logging  Password Manager Agent logs all SSO events to the Windows Event Log: –Credential use –Credential changes –Global credential events –MetaFrame Password Manager events –MetaFrame Password Manager feature use  Administrators can easily configure the level of event logging capability for the agent

90. Business Depends On… …Depends On Citrix