Smart Card Single Sign On with Access Gateway Enterprise Edition


1 Smart Card Single Sign On with Access Gateway Enterprise Edition
Nicolas Ogor, Escalation Engineer. 06/10/10

2 Agenda
Introduction to Access Gateway Enterprise Edition. What's new in Web Interface 5.3? Configuration. Limitations and solutions. Troubleshooting.

3 Introduction to Access Gateway Enterprise Edition

4 Combines your traditional IPSec VPN and Secure Gateway into a single appliance.
Easy to configure with XenApp and XenDesktop. Supports up to 10,000 concurrent connections. Physical and virtual versions available.

5 What's new in Web Interface 5.3?

6 New enhancements and features in this release
Pass-through with smart card from the Access Gateway. Support for 32-bit color. XenApp farm migration. Multiple launch prevention. Support for Windows Server 2008 R2.

7 How does the Pass-through work?
Web Interface uses the Protocol Transition Service, passing the user name and domain name as parameters, to obtain an instance of the .NET WindowsIdentity class from the Domain Controller. This .NET object represents the user's logon session and is used to create a WindowsToken that can authenticate the user.

8-20 How does the Pass-through work? (animated diagram; each of these slides repeats the body text of slide 7)
Diagram components: User, AGEE, Web Interface, Local PTS service, Domain Controller, XenApp. Labels revealed step by step: Certificate validation; Citrix AGBasic, No password; Local PTS service; Username and Domain name; S4U; .NET WindowsIdentity class; XML; Application list; HTTPS.

21 Configuration

22 Certificate Authority
Install a Certificate Authority in the domain. Open the MMC and select Certificate Authority and Certificate Templates. Duplicate the Smart card logon template. Select your CSP.

23 Certificate Authority
Issue the Certificate template created previously to be available for users.

24 Client computer
Install your CSP software on your computer. Log on to your Certificate Authority. Select the Certificate template and CSP vendor. The certificate will be installed onto the smart card.

25 XenApp and Web Interface requirements
XenApp and Web Interface servers must be domain members. The XenApp XML service must be running with IIS on the servers chosen as XML brokers and STA servers. XenApp versions 4.5 and 5 are currently supported. Web Interface 5.3 or later must be used. The Active Directory domain functional level must be 2003 or 2008.

26 Setup delegation on your domain
Delegation definition: some server services require access to a second server. To establish a session with the second server, the primary server must be authenticated on behalf of the client's user account and authority level.

27 Setup delegation on your domain

28 Setup delegation on your domain
1 - Client provides credentials and domain controller returns a Kerberos TGT to the client.

29 Setup delegation on your domain
2 - Client uses TGT to request a service ticket to connect to Server 1.

30 Setup delegation on your domain
3 - Client connects to Server 1 and provides both TGT and service ticket.

31 Setup delegation on your domain
4 - Server 1 uses the client's TGT to request a service ticket so that Server 1 can connect to Server 2.

32 Setup delegation on your domain
5 - Server 1 connects to Server 2 using the client’s credentials.

33 Setup delegation on your domain
Web Interface must delegate http service to the XML broker.

34 Setup delegation on your domain
XML broker must delegate the http service to itself and host services to all XenApp servers in the farm.

35 Setup delegation on your domain
Each XenApp server must delegate cifs and ldap services to the Domain Controllers and host services to itself and http services to the XML broker.
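As an added example (not from the presentation), the following Python derives the per-server delegation lists that slides 33-35 require from a farm inventory and diffs them against an exported msDS-AllowedToDelegateTo snapshot; the inventory, the snapshot and the service/FQDN SPN form are assumptions, and the delegation type (protocol transition) is not checked here.

```python
# Derive the constrained-delegation targets that slides 33-35 require and diff them
# against a snapshot of each computer account's msDS-AllowedToDelegateTo attribute.
from typing import Dict, Iterable, List, Set

def spns(service: str, hosts: Iterable[str]) -> Set[str]:
    return {f"{service}/{h}" for h in hosts}  # "service/FQDN" SPN form is assumed

def expected_delegations(wi: str, broker: str, xenapp: List[str],
                         dcs: List[str]) -> Dict[str, Set[str]]:
    """Map each server FQDN to the SPNs it must be allowed to delegate to."""
    expected: Dict[str, Set[str]] = {}
    # Slide 33: the Web Interface delegates http to the XML broker
    expected[wi] = spns("http", [broker])
    # Slide 35: each XenApp server delegates cifs and ldap to the Domain Controllers,
    # host to itself and http to the XML broker
    for srv in xenapp:
        expected[srv] = (spns("cifs", dcs) | spns("ldap", dcs)
                         | spns("host", [srv]) | spns("http", [broker]))
    # Slide 34: the XML broker (usually also a XenApp server, hence the merge)
    # delegates http to itself and host to every XenApp server in the farm
    expected[broker] = (expected.get(broker, set()) | spns("http", [broker])
                        | spns("host", xenapp))
    return expected

def missing_delegations(expected: Dict[str, Set[str]],
                        snapshot: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Required SPNs absent from the snapshot, per server; SPNs compare case-insensitively."""
    gaps: Dict[str, Set[str]] = {}
    for server, needed in expected.items():
        have = {s.lower() for s in snapshot.get(server, [])}
        gap = {s for s in needed if s.lower() not in have}
        if gap:
            gaps[server] = gap
    return gaps

# Constructed inventory and snapshot (not from the presentation). A real snapshot
# would come from Get-ADComputer -Properties msDS-AllowedToDelegateTo on each account.
INVENTORY = dict(wi="wi01.corp.example", broker="xa01.corp.example",
                 xenapp=["xa01.corp.example", "xa02.corp.example"],
                 dcs=["dc01.corp.example"])
SNAPSHOT = {
    "wi01.corp.example": ["http/xa01.corp.example"],
    "xa01.corp.example": ["http/xa01.corp.example", "host/xa01.corp.example",
                          "host/xa02.corp.example", "cifs/dc01.corp.example",
                          "ldap/dc01.corp.example"],
    "xa02.corp.example": ["cifs/dc01.corp.example", "host/xa02.corp.example",
                          "http/xa01.corp.example"],  # ldap to the DC is missing
}
```

Running `missing_delegations(expected_delegations(**INVENTORY), SNAPSHOT)` on the constructed data reports the one gap on xa02.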

36 Access Gateway configuration
Create a Virtual Server and associate a server certificate. Bind the root certificate as a Root Certificate Authority on the Virtual server.

37 Access Gateway configuration
Enable client authentication and set Client Certificate to Optional in the Virtual server properties.

38 Access Gateway configuration
Create an authentication profile of type certificate. Under the User Name field specify the certificate attribute to extract.

39 Access Gateway configuration
Create a session profile that will redirect users to the Web Interface after successful authentication. Specify the NetBIOS name of your domain for the Single Sign-on domain. Bind the session profile to your Virtual server.

40 Web Interface Site Install a server certificate on the Web Server.
Create a site and specify the path of the Web site.

41 Web Interface Site Set the Authentication to take place at the Access Gateway and select the option “Enable Smart Card pass-through”.

42 Web Interface Site Once the site is created, you must restart your Web Interface server.

43 Web Interface Site Specify your XML broker.

44 Web Interface Site Finish the Web Interface site configuration and restart the Web Interface server.

45 Web Interface Site Check if the Protocol Transition Service is running.

46 Web Interface Site Configure the Secure Access to go through the Gateway.

47 Web Interface Site Specify the FQDN of your Access Gateway Virtual Server.

48 Web Interface Site Specify the Secure Ticket Authority servers on the Web Interface and AGEE.

49 Limitations and solutions

50 PIN prompt when launching a Published Application
Cause: the user receives a PIN prompt when hitting the AGEE Virtual server with the ICA client because the Client Certificate option is set to On.

51 PIN prompt when launching a Published Application
Solution: create another Virtual server with the same IP address and certificate but a different port, and with the Client Certificate option set to Off. On that Vserver, bind the STA server specified on the Web Interface site. Create a dummy authentication policy and bind it to the Vserver so that users cannot log on directly to that Virtual server.

52 PIN prompt when launching a Published Application
Solution: in the Secure Access settings of the Web Interface, specify the new Virtual Server. All HTTP traffic will now go through the VIP on port 443 and ICA proxy traffic through port 444.

53 Limitations of Kerberos Pass-through Authentication
Issue: applications running on XenApp that depend on the NTLM protocol for authentication generate explicit user authentication prompts or fail, because the password is never sent over the network. Workaround: configure delegation on the targeted servers to use Kerberos instead of NTLM authentication.

54 Limitations of Kerberos Pass-through Authentication
Issue: Kerberos pass-through authentication for applications expires if the XenApp session is left running for a very long time (typically one week) without being disconnected and reconnected. Workaround: force users to disconnect once the Kerberos ticket has expired.

55 Troubleshooting

56 Decrypt traffic between the Web Interface and AGEE
Install Wireshark or another network sniffer on the Web Interface server. Retrieve the private keys for the Web Interface certificate and the AGEE virtual server certificate. Configure the Wireshark SSL preferences to use the private keys to decrypt traffic. Start a trace on the Web Interface server.

57 Authentication process
1. The client opens a Web browser and enters a URL. 2. The user presents the client certificate to the portal page and clicks Logon. 3. AGEE extracts the username from the certificate. 4. The client sends a GET request to the home page defined in the global SSL VPN settings or in a session profile. This communication is client to VIP. 5. AGEE sends the same GET to the Web Interface page called login.aspx. 6. The Web Interface issues a 302 Found message with a redirect to agesso.aspx.

58 Authentication process
7. The client sends a GET for agesso.aspx to the VIP and the appliance then forwards it to the Web Interface. 8. The Web Interface responds with a 401 Unauthorized message including a header named WWW-Authenticate, which should have CitrixAGBasic password_required="No" as its value as well as a ticket ID.

59 Authentication process
9. After the 401 Unauthorized message, the appliance sends another GET for agesso.aspx including an Authorization header. This header includes a hash value of the user name, domain and session ID. The Web Interface responds with a 302 and sets the cookie WIAuthID.

60 Authentication process
10. This now causes the Web Interface to POST to the authentication service URL in its configuration. 11. If everything succeeds, the appliance responds with an HTTP 200 message and a SOAP envelope containing the smart access farm name, the client IP address and a success status code.

61 Authentication process
12. A GET request is sent for default.aspx from the client (client to VIP). The GET request contains the cookie WIAuthID and the Authorization header, which is a hash of the username and domain.

62 Authentication process
13. The Web Interface contacts the XML broker to get the application list by sending a POST request to CtxIntegrated/wpnbr.dll.

63 Authentication process
14. The XML broker returns the published application list for the user to the Web Interface. 15. The Web Interface responds to the GET request of step 12 with a 200 response and the applications are enumerated in the client's browser.
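As an added example (not from the presentation), this Python walks a decrypted Web Interface trace and checks that the exchange of slides 57-63 appears in order, reporting the first missing step; the message representation, the URL prefixes and the PLACEHOLDER values are assumptions, and only the header names and values the slides give are checked.

```python
# Check a decrypted Web Interface capture against the pass-through exchange of slides 57-63.
# Message format is our own (request and response headers of one exchange merged into "hdr").
import re
from typing import Any, Dict, List, Optional
Msg = Dict[str, Any]  # {"req": "GET /path", "status": int, "hdr": {...}, "body": str}

def _h(m: Msg, name: str) -> str:  # case-insensitive header lookup, "" if absent
    return str({k.lower(): v for k, v in m.get("hdr", {}).items()}.get(name.lower(), ""))

def msg(req: str, status: int, hdr: Dict[str, str], body: str = "") -> Msg:
    return {"req": req, "status": status, "hdr": hdr, "body": body}

STEPS = [  # expected steps in request order; each must match a message after the previous hit
    ("steps 5-6: GET login.aspx -> 302 to agesso.aspx", lambda m: "login.aspx" in m["req"]
     and m["status"] == 302 and "agesso.aspx" in _h(m, "Location")),
    ('steps 7-8: GET agesso.aspx -> 401 WWW-Authenticate CitrixAGBasic password_required="No"',
     lambda m: "agesso.aspx" in m["req"] and m["status"] == 401 and re.search(
         r'^CitrixAGBasic\b.*password_required="No"', _h(m, "WWW-Authenticate")) is not None),
    ("step 9: GET agesso.aspx with Authorization -> 302 + Set-Cookie WIAuthID", lambda m:
     "agesso.aspx" in m["req"] and _h(m, "Authorization") != "" and m["status"] == 302
     and "WIAuthID=" in _h(m, "Set-Cookie")),
    ("steps 10-11: POST to the authentication service -> 200 SOAP envelope", lambda m:
     m["req"].startswith("POST ") and m["status"] == 200 and "Envelope" in m["body"]),
    ("step 12: GET default.aspx with WIAuthID cookie and Authorization header", lambda m:
     "default.aspx" in m["req"] and "WIAuthID=" in _h(m, "Cookie") and _h(m, "Authorization") != ""),
    ("step 13: POST CtxIntegrated/wpnbr.dll to the XML broker -> 200", lambda m:
     m["req"].startswith("POST ") and "wpnbr.dll" in m["req"] and m["status"] == 200),
]

def check_exchange(trace: List[Msg]) -> List[tuple]:
    """Return (step label, matched) per expected step, walking the trace in order."""
    results, pos = [], 0
    for label, pred in STEPS:
        hit = next((i for i in range(pos, len(trace)) if pred(trace[i])), None)
        results.append((label, hit is not None))
        pos = hit + 1 if hit is not None else pos
    return results

def first_failure(trace: List[Msg]) -> Optional[str]:  # None when every step was found
    return next((label for label, ok in check_exchange(trace) if not ok), None)

SAMPLE_TRACE = [  # constructed healthy exchange; path prefixes and *-PLACEHOLDER values are made up
    msg("GET /auth/login.aspx", 302, {"Location": "/auth/agesso.aspx"}),
    msg("GET /auth/agesso.aspx", 401,
        {"WWW-Authenticate": 'CitrixAGBasic password_required="No", ticket="TICKET-PLACEHOLDER"'}),
    msg("GET /auth/agesso.aspx", 302,
        {"Authorization": "HASH-PLACEHOLDER", "Set-Cookie": "WIAuthID=COOKIE-PLACEHOLDER"}),
    msg("POST /AUTH-SERVICE-URL-PLACEHOLDER", 200, {}, "<soap:Envelope>...</soap:Envelope>"),
    msg("GET /site/default.aspx", 200,
        {"Cookie": "WIAuthID=COOKIE-PLACEHOLDER", "Authorization": "HASH-PLACEHOLDER"}),
    msg("POST /scripts/CtxIntegrated/wpnbr.dll", 200, {}),
]
```

`first_failure(SAMPLE_TRACE)` returns None for the constructed trace; a capture cut off after step 9 yields the "steps 10-11" label, which is the point to look at in the trace.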

64 Check list
Take a network trace on the Web Interface. Check the Application event log in Event Viewer on the Web Interface. Check your delegation settings in Active Directory. Ensure that the trust XML requests option on the XML broker is selected. Ensure that the root certificate used to sign the AGEE Virtual server certificate is stored in the Trusted Root certificate store of the Web Interface server. Ensure that the Web Interface can resolve the FQDN of the Virtual server.

65 Before you leave… Recommended related breakout sessions:
SUM502 - XenApp and XenDesktop authentication (Lalit Kaushal)
Session surveys are available online at starting Thursday, 7 October. Provide your feedback and pick up a complimentary gift card at the registration desk.
Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account.
