Smart Card Everywhere
![Page 1: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/1.jpg)
Smart Card Everywhere
Lalit Kaushal
Escalation Engineer EMEA
25th October, 2011
![Page 2: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/2.jpg)
Agenda
• Business drivers for using smart cards
• Configuring Smart Cards
• Smart card support architecture in XA/XD
• Smart Card Client Driver
• Smart card scenarios
• SSON Enhancements
• Tips-N-Tricks
• Troubleshooting tools & techniques
![Page 3: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/3.jpg)
Smart Cards in our life
• Credit\Debit Cards
• Control Access (physical and logical resource)
• Citizen ID Card
![Page 4: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/4.jpg)
Business Drivers for using Smart Cards
• Strong authentication
• Spectrum of requirements
• Convenience / speed
• Apps using smart card (Outlook, Word, bespoke)
• Citizen ID card (in some regions)
• Public sector employee ID cards
• Legislation / regulation
![Page 5: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/5.jpg)
Requirements
• User needs to login / reconnect using a smart card
  • May be running apps that need to use smart card as well
• Often multiple points need authentication
  • Client Machine (if domain joined)
  • Access Gateway
  • Web Interface (in future Delivery Services)
  • XA or XD
• User does not want to enter PIN more than necessary
  • Security Officer (often) does not like us to cache the PIN
• Speed is frequently very important
![Page 6: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/6.jpg)
Configuring Smartcard
![Page 7: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/7.jpg)
Configuration – Smartcard XenApp\XenDesktop
Four main components
• Certificate Authority
  • Windows 2000 + Active Directory
  • Certificate enrolment changes in Windows 2008+
• Web Interface
  • Latest Web Interface to support new features e.g. AGEE
• XenApp Server (VDA for XD)
• Client machines
  • WinXP – Smartcard SSOn possible
  • Windows 7\Vista – Kerberos required for SSOn
![Page 8: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/8.jpg)
Configuration (Contd.)
• Web Interface Server
  • IIS
    • Enable the Windows directory service mapper
    • Citrix Virtual Directory settings:
      • Require secure channel (SSL)
      • Accept client certificates (Ignore client certificates if using Pass-through)
      • Enable client certificate mapping
  • DSC/WI Console
    • “Authentication Methods”: select “Pass-through with smart card” or “Smart card”
    • Pass-through only: “Use Kerberos”, if required (Windows 7\Vista Smart card SSON)
    • Smartcard removal policy settings
      • Can also be handled at GPO level
![Page 9: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/9.jpg)
Configuration (Cont’d)
• XenApp/XenDesktop
  • Enable “Trust requests sent to the XML Service”
  • Kerberos
    • Enable “Trust for Delegation”
    • Enable “DNS address resolution”
• Client Side settings
  • Use Icaclient ADM template and enable Smartcard Authentication
    • Allow Smart Card Authentication
    • Use pass-through for PIN
    • HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon
  • Enable Kerberos Authentication for Windows 7\Vista
![Page 10: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/10.jpg)
Important Points...
• SSL cert
• Kerberos for Smart card Single Sign-on (SSON)
• Trust XML
• If Kerberos – DNS resolution
• ADM template to apply client-side GPOs
![Page 11: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/11.jpg)
HDX Smart Card Remoting (Deep-Dive)
![Page 12: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/12.jpg)
Smart Card Infrastructure Components
• Personal Computer/Smart Card (PC/SC) subsystem:
  • Governed by the PC/SC workgroup formed in 1996
  • Operating System component
  • Enforces interoperability among cards and readers made by different manufacturers
• Cryptographic Service Provider (CSP):
  • Leverages the APIs Microsoft exposes via the Microsoft Platform SDK for smart card use
  • ActivCard
  • Gemalto
  • AET
![Page 13: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/13.jpg)
Smart Card Infrastructure
• The CSP provider
  • implements certain functions
  • registers itself in the registry
• Smart card is inserted into the reader
  • Windows reads the ATR from the card to determine which CSP to use
  • Windows uses this information to acquire the appropriate CSP.dll.
• CSP.dll file
  • Makes the PC/SC calls to get information from the smart card.
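The ATR-to-CSP lookup described above, as an added example that is not part of the original slides. It goes beyond the slide by assuming the usual Windows layout, where each card type is registered under `HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<card name>` with `ATR`, `ATRMask` and `Crypto Provider` values; the card names, ATR bytes and provider names below are constructed.

```python
# Added illustration: masked ATR matching, the step that decides which CSP is
# loaded for an inserted card. All registrations and ATRs are constructed.

REGISTRATIONS = {
    "Example Card A": {
        "ATR": bytes.fromhex("3b7d960000803180"),
        "ATRMask": bytes.fromhex("ffffff0000ffffff"),  # bytes 3-4 ignored
        "Crypto Provider": "Example Vendor A CSP",
    },
    "Example Card B": {
        "ATR": bytes.fromhex("3b7d961122803180"),
        "ATRMask": bytes.fromhex("ffffffffffffffff"),  # exact match only
        "Crypto Provider": "Example Vendor B CSP",
    },
}


def atr_matches(card_atr: bytes, reg_atr: bytes, reg_mask: bytes) -> bool:
    """True when the card ATR equals the registered ATR under the mask."""
    if not (len(card_atr) == len(reg_atr) == len(reg_mask)):
        return False
    return all((c & m) == (r & m) for c, r, m in zip(card_atr, reg_atr, reg_mask))


def candidate_csps(card_atr: bytes, registrations: dict) -> list:
    """Return every (card name, CSP) whose registration matches the ATR.

    More than one hit means a loose mask makes the lookup ambiguous, which is
    worth checking when the wrong CSP is picked inside a session.
    """
    return sorted(
        (name, reg["Crypto Provider"])
        for name, reg in registrations.items()
        if atr_matches(card_atr, reg["ATR"], reg["ATRMask"])
    )


if __name__ == "__main__":
    for atr_hex in ("3b7d969999803180", "3b7d961122803180", "3b7d960000803181"):
        hits = candidate_csps(bytes.fromhex(atr_hex), REGISTRATIONS)
        print(atr_hex, "->", hits or "no registered card type")
```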
![Page 14: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/14.jpg)
Smart Card Components (XA\XD)
• Host Side (XA\XD)
  • Citrix Hook (ScardHook.dll)
  • Citrix Services (CtxSVCHost, CtxCertPropSvc, etc)
  • CDM (in XA 5 or earlier)
• End-point (e.g. XP, W7)
  • ICA Client engine – Wfica32
  • Smart card Client driver – VdScardN.dll
![Page 15: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/15.jpg)
Hooking – MfApHook (SCardHook)
![Page 16: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/16.jpg)
Citrix hooking
• Final Stage in application launch process
• Inject XenApp feature dlls into application processes
  • Overwrites existing MS functions with XenApp enhanced versions
• Useful to implement additional functionality
  • TWAIN redirection
  • Virtual IP address
  • MultiMonitor
  • Plus many more
![Page 17: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/17.jpg)
Citrix hooking – mfaphook.dll
• Windows injects dlls that are part of Appinit_dlls
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
  • User32.dll loads this key
  • On process startup
  • Citrix binary mfaphook.dll is added to this key
• Consider mfaphook.dll the parent hook
  • It chooses which of the child hooks to inject into each process
![Page 18: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/18.jpg)
AppInit_dlls injects Mfaphook.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
![Page 19: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/19.jpg)
Per feature hooks
• Mfaphook will check the registry for a list of feature DLLs to use
  • Depending on the flag value mfaphook will inject the DLL or not
  • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls
• Flag values
  • 0x80000000 - All Processes
  • 0x00000000 - Disable Hook
  • 0x00000002 - Only for specific processes (subkeys)
  • 0x00000004 - Remote sessions only
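One way to review which feature hooks are active, as an added example that is not Citrix code and not from the original slides. It parses the text that `reg query "HKLM\SOFTWARE\Citrix\CtxHook\AppInit_Dlls" /s` prints and classifies each feature by the flag values listed above; the value names `Flag` and `FilePathName`, the feature names and the DLL paths in the sample are assumptions and constructed data.

```python
import re

# Flag values exactly as listed on the slide.
FLAG_MEANINGS = {
    0x80000000: "all processes",
    0x00000000: "hook disabled",
    0x00000002: "only specific processes",
    0x00000004: "remote sessions only",
}
ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls"

# Constructed sample of `reg query "<ROOT>" /s` output (names are placeholders).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Example Smart Card Hook
    FilePathName    REG_SZ    C:\Example\scardhook.dll
    Flag    REG_DWORD    0x4

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Example Feature A
    FilePathName    REG_SZ    C:\Example\feature_a.dll
    Flag    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Example Feature A\winword.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Example Feature B
    FilePathName    REG_SZ    C:\Example\feature_b.dll
    Flag    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls\Example Feature C
    FilePathName    REG_SZ    C:\Example\feature_c.dll
    Flag    REG_DWORD    0x10
"""

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_features(reg_output: str) -> dict:
    """Map feature name -> {'dll', 'flag', 'processes'} from reg query text."""
    features, current = {}, None
    for line in reg_output.splitlines():
        if line.upper().startswith(ROOT.upper()):
            rel = line[len(ROOT):].strip().strip("\\")
            if not rel:
                current = None
                continue
            parts = rel.split("\\")
            feat = features.setdefault(parts[0], {"dll": None, "flag": None, "processes": []})
            if len(parts) > 1:            # subkey = process the hook applies to
                feat["processes"].append(parts[1])
                current = None
            else:
                current = feat
        elif current is not None:
            m = VALUE_RE.match(line)
            if m and m["name"] == "Flag" and m["type"] == "REG_DWORD":
                current["flag"] = int(m["data"], 16)
            elif m and m["name"] == "FilePathName":
                current["dll"] = m["data"].strip()
    return features


def audit(features: dict) -> list:
    """Return (feature, dll, status); anything unusual is marked REVIEW."""
    findings = []
    for name, f in sorted(features.items()):
        if f["flag"] not in FLAG_MEANINGS:
            status = "REVIEW: flag value not in the documented list"
        elif f["flag"] == 0x2 and not f["processes"]:
            status = "REVIEW: per-process flag but no process subkeys"
        else:
            status = FLAG_MEANINGS[f["flag"]]
            if f["flag"] == 0x2:
                status += ": " + ", ".join(f["processes"])
        findings.append((name, f["dll"], status))
    return findings
```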
![Page 20: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/20.jpg)
![Page 21: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/21.jpg)
![Page 22: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/22.jpg)
Smart Card Subsystem
• Hooking of Microsoft Windows smart card components
  • Mfaphook injects the defined hooking DLLs into the published application process’s address space
  • Scardhook hooks many necessary SCard functions in WinScard.dll and redirects most* of these to client
  • SCardHook is loaded in RDP session as well
• Old way (XA5 and older)
  • SCardhook.dll
  • CDM
• New way (XA 6 and XD)
  • No dependency on CDM!!!
  • Introduced new services to keep hook code cleaner and simpler
![Page 23: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/23.jpg)
Smart Card Client Driver
• Routes the host calls to corresponding WinScard API
• Win32 and WinCE driver have subtle differences
  • Memory restrictions on WinCE box
  • Design optimization in WinCE client smart card driver
• String encoding negotiation
  • Any string manipulation on the host side should be based on the string encoding negotiated with the client.
  • WinCE client uses Unicode strings while Win32 client uses ASCII strings.
![Page 24: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/24.jpg)
Single Sign-on (SSON)
• Domain credentials are supported on all client OS
• For Smart Card SSON
  • XP supports NP APIs
  • Windows 7\Vista Winlogon doesn’t call NP API, so credentials are not fed to SSON
• Launching application with SSON enabled:
  • For domain credentials, ICA file contains the LogonTicket
  • For Smart Card credentials, wfica32 uses credentials from SSON machinery
![Page 25: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/25.jpg)
Smart Card Core Subsystem Architecture
[Architecture diagram. XD/XA Host (user mode and kernel mode): Winlogon.exe and Winword.exe with SCardHook DLL, CtxSvcHost.exe (CtxSmartCardSvc DLL), VC User Mode API (Pica/WTS), ICA Stack. End-Point, e.g. XP (user mode and kernel mode): Wfica32.exe (ICA Client Engine), VDSCardN DLL, WinSCard DLL (MS), SCardSvc.exe (MS), SC Reader Driver, SC Reader. Components are connected through the PC/SC API.]
• PC/SC (WinSCard) API remoted over ICA protocol (ICA Smart Card VC Protocol)
• Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit…
• No smart card code in the kernel!
• Remoting industry standard API
• Remoted calls look like local smart card app
![Page 26: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/26.jpg)
Current Support Scenarios
![Page 27: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/27.jpg)
Multiple approaches
• Different customers have different requirements
  • Military: Never cache PIN. Don’t care if users must re-enter it
  • Medical: User must never re-enter PIN. Don’t care if it is cached
• Lots of technical options
  • Can trade off quality of login for some customers to reduce reliance on PIN
  • Password > Smartcard > Full Kerberos > Constrained Kerberos > Tagged Anon > Anonymous
  • Several well understood techniques, and several potential new techniques
• Hardware/OS is an issue
  • Require different sorts of driver support for different cards on different platforms
  • Server-side limitations for non-windows machines or shared local/remote use
![Page 28: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/28.jpg)
Authentication Paths
• Authentication Steps:
  • (Optionally) authenticate user to local windows machine with smart card
  • (Optionally) authenticate user to gateway
  • Authenticate user to Delivery Services (or WI or WR or PNA)
  • Authenticate user to Windows Session (XA or XD)
• Minimize PIN prompts, but keep security officer happy
• Can trade off ‘quality’ of ultimate windows login
  • Smartcard login has ‘full’ credentials
  • Kerberos Login or even Constrained Kerberos Login may be good enough for some customers/apps.
![Page 29: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/29.jpg)
Options at each step
• Client Login: Smart card / Other
• Gateway Login: Smartcard SSL (SSL/CA)
• WI Login: Assertion by Gateway OR Smartcard SSL OR Kerberos
• WI to XA/XD: Assertion OR Kerberos OR Protocol Transition
• Client to XA/XD: Ticket OR Kerberos OR Smartcard Login (PC/SC Redirect)
[Diagram marks four points with “PIN”.]
![Page 30: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/30.jpg)
Smart Card Solution Summary
Desktop Appliance
• Windows XP, domain joined: OS logon + PIN capture + PNA pass-thru
• Windows XP, non-domain joined: WI logon using s/c ActiveX
• Windows 7 (Vista +), domain joined: OS logon + PNA pass-thru
• Windows 7 (Vista +), non-domain joined: WI logon using s/c ActiveX
Local Desktop with Apps
• Windows XP, domain joined: OS logon + PIN capture + PNA pass-thru or WI pass-thru
• Windows XP, non-domain joined: WI logon or PNA logon
• Windows 7 (Vista +), domain joined: OS logon + PNA pass-thru or WI pass-thru
• Windows 7 (Vista +), non-domain joined: WI logon or PNA logon
Notes on the slide
• PIN capture not supported; extra PIN prompt
• ActiveX updated for Windows 7 in next release
• PIN capture not supported; extra PIN prompts (unless using Kerberos)
• Multiple PIN prompts (unless using Kerberos PT)
![Page 31: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/31.jpg)
PNA Smart Card – Existing Options
• Direct smart card (can be domain joined or non-domain joined)
  • SSL with client auth to WI, smart card logon to ICA host
  • PIN prompt from OS for PNA
  • PIN prompt from OS on ICA host
• Pass-through with smart card (must be domain joined)
  • Kerberos/NTLM auth to WI, smart card logon to ICA host
  • Windows XP: PIN capture during OS logon, one PIN prompt
  • Windows 7\Vista: no PIN capture during OS logon, extra PIN prompt on ICA logon
• Pass-through with smart card, Kerberos option (must be domain joined)
  • Kerberos auth to WI, Kerberos logon to ICA host (XenApp only)
  • PIN prompt for OS logon, no PIN capture needed
  • Hidden XenApp setting can override “Smart card required for interactive logon” policy
![Page 32: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/32.jpg)
SSON Enhancements
![Page 33: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/33.jpg)
SSON Enhancements
• Fast Connect
• For Healthcare organizations
• Need Citrix Partners involvement to build the solution
• At Web Server authentication point on Services Site
• Out-of-Box Single Sign-On support
• Already working for Windows XP client
• Kerberos is pre-requisite for SSOn on Windows 7\Vista
![Page 34: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/34.jpg)
Fast Connect for Windows
• New feature to enable Single Sign-on to support Healthcare organizations
• Partners can use Fast Connect APIs to quickly log users into sessions (logon) and just as quickly disconnect sessions (logout).
• Available through Citrix Ready Partner
• Based on 12.1 ICA Client currently
![Page 35: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/35.jpg)
Benefits of At Web Server Authentication Point
• Faster Logons
• No Middleware*
• Single Sign-on (even on NDJ clients!)
• Access Gateway SSO Integration
![Page 36: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/36.jpg)
At Web Server Authentication Point
• Same basic requirements as AD FS
• Constrained Delegation using Kerberos (explained in WI documentation)
![Page 37: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/37.jpg)
Kerberos Authentication Support
Configure Delegation on Web Interface Server
• Edit the Delegation properties of each WI computer object in Active Directory
• Trust this computer for delegation using any authentication protocol
• Add the http service for each XenApp XML Broker
![Page 38: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/38.jpg)
Kerberos Authentication Support
Configure Delegation on XenApp (XML) Server
• Edit the Delegation properties of each XenApp Server computer object in Active Directory
• Trust this computer for delegation using any authentication protocol
• Add the following:
  • CIFS - each domain controller(s)
  • HOST - to XenApp server(s) hosting apps
  • LDAP - each domain controller(s)
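A check of the delegation settings from the two slides above (Web Interface server and XenApp server), as an added example that is not from the original presentation. It compares a computer object's `userAccountControl` bits and `msDS-AllowedToDelegateTo` list against the services the slides call for and reports missing or extra entries; host names and directory data are constructed, SPNs are compared by short host name only, and treating the unconstrained-delegation bit as a finding is this example's assumption.

```python
# userAccountControl bits (Active Directory)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"

# Constructed inventory; host names are placeholders.
XML_BROKERS = ["xml01"]
DOMAIN_CONTROLLERS = ["dc01", "dc02"]
XENAPP_SERVERS = ["xa01"]


def norm(spn: str) -> tuple:
    """'HTTP/xml01.corp.example:80' -> ('http', 'xml01'); short-name compare."""
    service, _, host = spn.partition("/")
    return service.lower(), host.split(":")[0].split(".")[0].lower()


def expected(role: str) -> set:
    """Services each role should be allowed to delegate to, per the slides."""
    if role == "wi":
        return {("http", h) for h in XML_BROKERS}
    if role == "xenapp":
        return ({(svc, dc) for svc in ("cifs", "ldap") for dc in DOMAIN_CONTROLLERS}
                | {("host", xa) for xa in XENAPP_SERVERS})
    raise ValueError(f"unknown role: {role}")


def audit(obj: dict, role: str) -> dict:
    uac = obj["userAccountControl"]
    actual = {norm(s) for s in obj.get("msDS-AllowedToDelegateTo", [])}
    want = expected(role)
    return {
        "protocol_transition": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
        "unconstrained": bool(uac & TRUSTED_FOR_DELEGATION),
        "missing": sorted(want - actual),      # delegation will fail for these
        "unexpected": sorted(actual - want),   # broader than the slides require
    }


# Constructed directory export for three computer objects.
WI01 = {"userAccountControl": 0x1001000,
        "msDS-AllowedToDelegateTo": ["http/xml01", "http/xml01.corp.example"]}
XA01 = {"userAccountControl": 0x1001000,
        "msDS-AllowedToDelegateTo": ["cifs/dc01.corp.example", "ldap/dc01.corp.example",
                                     "host/xa01.corp.example", "http/intranet.corp.example"]}
WI02 = {"userAccountControl": 0x81000, "msDS-AllowedToDelegateTo": []}

if __name__ == "__main__":
    for name, obj, role in (("WI01", WI01, "wi"), ("XA01", XA01, "xenapp"), ("WI02", WI02, "wi")):
        print(name, audit(obj, role))
```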
![Page 39: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/39.jpg)
At Web Server Authentication Point
• Same basic requirements as AD FS
• Constrained Delegation using Kerberos (explained in WI documentation)
• Requires XML port to be shared with IIS
• Fully supported on Web Interface site
• Currently only supported with a private on Services Site (PNA)
![Page 40: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/40.jpg)
Smartcard SSOn for Windows 7\Vista
• Currently not working for Windows 7\Vista
• Multiple PIN prompts – multiple customers affected
• Are you waiting for it?
  • Product use
  • Number of Users\Licenses
  • Use-case
• Feedback will be provided to Product Management
![Page 41: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/41.jpg)
Tips-N-Tricks (Troubleshooting tools & techniques)
![Page 42: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/42.jpg)
Certificate Requirement
![Page 43: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/43.jpg)
Troubleshooting Questions to Ask - Environment
• Type of Smartcard & Reader
  • USB Smartcard, USB Token, .NET Smartcard, etc
• CSP used
  • MS-Base CSP, Vendor specific (ActivClient, SecMaker, etc)
• Are you able to login into machine with smartcard?
• Is SC cert accessible inside ICA session?
  • Open ‘Certificates’ snap-ins in MMC
  • If IE, go to Tools > Internet Options > Content > Certificates
![Page 44: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/44.jpg)
Troubleshooting Questions to Ask - Configuration
• Type of authentication method selected
  • Smartcard or Smartcard with Pass-through
• If Smartcard with Pass-through
  • Check CTX117239 (Is Kerberos enabled? CTX123611)
  • If Kerberos is enabled then it will be used always (No fall-back)
  • Define ‘SmartCardPinPass’ Regkey for Passthru sessions
• If XenDesktop - CTX130265
• Understand WinSCard API and their locking behavior
![Page 45: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/45.jpg)
Troubleshooting Questions to Ask - Configuration
Ref: - http://msdn.microsoft.com/en-us/library/cc242596(v=PROT.10).aspx
![Page 46: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/46.jpg)
Troubleshooting Questions to Ask – Citizen-ID
• Type of CSP used
• Usually not used to authenticate to session
• Used by applications inside the ICA session
• Is the certificate available inside the session?
• If specific application, understand application behavior
• Does the CSP have its own PC\SC re-direction mechanism?
  • Belgium Citizen ID has
• RDP behavior
![Page 47: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/47.jpg)
Troubleshooting Smart Card
![Page 48: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/48.jpg)
Troubleshooting Tools
• Vendor-specific tools
  • GemSafe Toolbox, Mini-Manager, eID viewer, etc
• CDFControl
• Sysinternals tool – Process Explorer
• Network Tracing
![Page 49: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/49.jpg)
Troubleshooting Tools – Vendor Specific
• Vendor-specific tools
• Helpful to see if card readable inside session
![Page 50: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/50.jpg)
![Page 51: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/51.jpg)
CDFControl
![Page 52: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/52.jpg)
Certificate Propagation
• CtxSCardCertPropSvc - propagates certificates to User Store
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[1]: succeeded to retrieve key with CryptGetUserKey...
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[1]: succeeded to retrieve certificate...
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumAddCertToStore:[1]: executing for container: "435105F49F340F2CC23F850E31939C232C170163 (1)" CSP: "Net iD - CSP" keySpec: "AT_SIGNATURE" store: "My"
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumAddCertToStore:[1]: succeeded to propagate certificate to user store...
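A small parser for these CDF trace lines, as an added example that is not part of the original slides or a Citrix tool. It groups lines by the bracketed index (treated here, as an assumption, as one propagation run), records the container, CSP, keySpec and store, and reports which of the three "succeeded" stages is missing; the `[1]` lines are the ones shown on the slide and the `[2]` lines are constructed in the same format to show an incomplete run.

```python
import re

# [1] lines: taken from the slide. [2] lines: constructed, sequence cut short.
TRACE = r'''
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[1]: succeeded to retrieve key with CryptGetUserKey...
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[1]: succeeded to retrieve certificate...
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumAddCertToStore:[1]: executing for container: "435105F49F340F2CC23F850E31939C232C170163 (1)" CSP: "Net iD - CSP" keySpec: "AT_SIGNATURE" store: "My"
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumAddCertToStore:[1]: succeeded to propagate certificate to user store...
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[2]: succeeded to retrieve key with CryptGetUserKey...
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[2]: succeeded to retrieve certificate...
'''

LINE_RE = re.compile(r"^SCardCertPropSvc:\S+?:\[(\d+)\]: (.*)$")
TARGET_RE = re.compile(
    r'executing for container: "(?P<container>[^"]*)" CSP: "(?P<csp>[^"]*)" '
    r'keySpec: "(?P<keyspec>[^"]*)" store: "(?P<store>[^"]*)"'
)
# Stage name -> message prefix, in the order the slide's trace shows them.
STAGES = (
    ("key", "succeeded to retrieve key"),
    ("certificate", "succeeded to retrieve certificate"),
    ("store", "succeeded to propagate certificate to user store"),
)


def summarize(trace: str) -> dict:
    """Return {index: {'done': [...], 'missing': [...], 'target': {...}|None}}."""
    runs = {}
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        run = runs.setdefault(int(m.group(1)), {"done": [], "target": None})
        msg = m.group(2)
        target = TARGET_RE.search(msg)
        if target:
            run["target"] = target.groupdict()
        for name, prefix in STAGES:
            if msg.startswith(prefix) and name not in run["done"]:
                run["done"].append(name)
    for run in runs.values():
        run["missing"] = [name for name, _ in STAGES if name not in run["done"]]
    return runs


if __name__ == "__main__":
    for idx, run in sorted(summarize(TRACE).items()):
        state = "complete" if not run["missing"] else "missing " + ", ".join(run["missing"])
        print(f"[{idx}] {state} target={run['target']}")
```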
![Page 53: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/53.jpg)
Process Explorer
• Process Explorer shows the handles and DLLs that processes have open
• Helpful to troubleshoot:
  • Memory Optimization issues
  • Application Streaming
  • Access issues
• Process Explorer is available from SysInternals
![Page 54: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/54.jpg)
![Page 55: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/55.jpg)
Network Tracing
• Very helpful for authentication issues
• Network Monitor or WireShark
• Handy WireShark filter for looking at Kerberos ticket requests/responses:
  kerberos.msg.type == 12 || kerberos.msg.type == 13 || kerberos.msg.type == 30 || kerberos.msg.type == 10 || kerberos.msg.type == 11
![Page 56: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/56.jpg)
We see that it supports MS KRB5, KRB5, and NTLMSSP
![Page 57: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/57.jpg)
Before you leave…
• Session surveys are available online at www.citrixsummit.com starting Thursday, 27 October
  • Provide your feedback and pick up a complimentary gift at the registration desk
• Download presentations starting Monday, 7 November, from your My Organiser tool located in your My Account
![Page 58: Smart Card Everywhere](https://reader036.fdocuments.in/reader036/viewer/2022081419/56815db4550346895dcbe2ce/html5/thumbnails/58.jpg)