XenApp and XenDesktop Authentication.ppt

Transcript of XenApp and XenDesktop Authentication.ppt

  • 8/10/2019 XenApp and XenDesktop Authentication.ppt

    1/40

    Authentication on XenApp & XenDesktop

    Lalit Kaushal, Escalation Engineer EMEA

  • Slide 2/40

    Agenda

    Authentication at WI: Explicit Authentication
    Pass-through Authentication
    Smart Card Authentication
    Anonymous Authentication
    Kerberos Authentication

  • Slide 3/40

    Authentication in XenApp\XenDesktop

    Support for several authentication methods: smart cards, client certificates, RSA SecurID, etc.

    Support for OS and non-OS credential stores. OS: Active Directory and eDirectory. Non-OS: LDAP, RADIUS, 3rd-party authentication methods.

    Leverage authentication methods supported by Windows: smartcard support, client certificate support, and custom 3rd-party authentication mechanisms through GINA extensions.

    Leverage Windows authentication to flow the OS identity tokens between infrastructure services. Example: flowing Kerberos tickets between the ICA client and the XA server.

  • Slide 4/40

    Kerberos

    [Diagram: Kerberos exchange between the Client, the Key Distribution Centre (KDC, containing the AS and the TGS) and the Server session. Client to KDC: "Here's my TGT. Can you give me Service Ticket?" KDC to Client: "Here's your Service Ticket." Client to Server: "Here's my Service Ticket, Auth. me."]

    Legend (text cut off at the slide edge):

    1 Authentication Service (A… logon and issues a Ticket … future authentication.
    2 Ticket Granting Service (T… TGT holding client's … for a … or resource.
    3 Ticket Granting Ticket (TG… from the Authentication S… the client's Privilege Attrib…
    4 Ticket: This ticket is recei… provides authentication fo… server or resource.

  • Slide 5/40

    Kerberos Delegation

  • Slide 6/40

    Kerberos in Windows

    All you ever wanted to know about Kerberos:
    http://technet.microsoft.com/en-us/library/cc772815.aspx

  • Slide 7/40

    Explicit or Prompt Authentication

  • Slide 8/40

    Explicit or Prompt Authentication

    Username, password and domain; optionally includes two-factor authentication such as RSA SecurID.
    Encoded credentials are passed to the XML service.

  • Slide 9/40

    Explicit Auth in XenApp

    [Diagram: Client (Winlogon, SSOn, IE, ICA Client Engine), WI, XML Broker, XenApp server (Winlogon, IMA / DDC, TS / wsxica), DC and back-end servers (File Server, Exchange, ...). Flows are labelled pwd, auth, WI ticket and Svc ticket.]

  • Slide 10/40

    Explicit Auth in XD

    [Diagram: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine), WI, DDC, VDA (Winlogon, VDA, IMA / DDC), DC and back-end servers (File Server, Exchange, ...). Flows are labelled pwd, auth, WI ticket and Svc ticket.]

  • Slide 11/40

    Troubleshooting Explicit

    Diagnostic/Tracing (CDF) modules:
    MF_DLL_CtxGina (PortICA GINA) for smart card SSON
    MF_DLL_Ctxauth
    MF_DLL_Ctxnotif
    MF_DLL_Wsxica
    MF_Service_CtxXmlSS
    MF_XMLRelay_Wpnbr

    Debugging:
    Capture network traffic
    Study the behaviour of any 3rd-party authentication system, if one exists

    Additional info:
    Use the CDF tool
    Isolate XML
    Event Log messages

  • Slide 12/40

    Pass-through Authentication

  • Slide 13/40

    Pass-Through?

    Pass-Through Session: connecting from within one session to another session on another …
    2 servers, 2 clients, 2 sessions

    Pass-Through Authentication\SSON (Single Sign On): passing the user credential into the session

  • Slide 14/40

    Pass-Through Authentication

    Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop. Users do not need to re-enter their credentials, and their resource s… automatically.

    Additionally, you can use Kerberos integrated Windows authentication to connect to server farms.

    If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.

  • Slide 15/40

    Pass-Through Authentication

    Windows identity credentials
    IWA (Integrated Windows Authentication) from browser to web server
    User's SIDs sent to the XML service
    Client handles authentication to the ICA server

  • Slide 16/40

    Pass-Through Authentication

    [Diagram: pass-through authentication flow, steps 1 to 10; only the step numbers survive in the transcript.]

  • Slide 17/40

    Troubleshooting Pass-Through

    Diagnostic/Tracing (CDF) modules:
    MF_DLL_CtxGina (PortICA GINA) for smart card SSON
    MF_DLL_Ctxauth
    MF_DLL_Ctxnotif
    MF_DLL_Wsxica
    MF_Service_CtxXmlSS
    MF_XMLRelay_Wpnbr

    Debugging:
    Capture network traffic
    Verify SSONSVR is running

    Additional info:
    Use the CDF Control tool
    Verify whether Explicit\Prompt authentication works
    Follow CTX368624

  • Slide 18/40

    SmartCard Authentication

  • Slide 19/40

    What is Multi-Factor Authentication?

    The ATM card is the most common example: you wouldn't use just one factor to protect your money.

    Multiple factors:
    Something you know: your PIN
    Something you have: your card

  • Slide 20/40

    What is Multifactor Authentication?

    Smart Cards: 2-factor authentication (something you know, something you have)
    Biometrics: fingerprint readers, retinal scan, facial recognition
    Biopassword: keystroke dynamics
    Proximity

  • Slide 21/40

    Microsoft Architecture

    [Diagram: Smart Card Infrastructure, layered top to bottom. User Applications: smart card-aware applications, User Interface. Smart card subsystem DLLs: smart card service providers (COM interface model). Resource Manager: smart card resource manager. Drivers: reader helper driver and one specific reader driver per reader. Hardware: readers, each with a smart card.]

  • Slide 22/40

    Smart Card Infrastructure

    Hardware
    Cards: credit card-sized devices. Introduced to Windows by using a vendor-supplied installation program, which installs a service provider that registers its interfaces with the Resource Manager.
    Reader: attaches to peripheral interfaces, e.g. PS/2, PCMCIA and USB.

    [Diagram: the hardware layer, readers each holding a smart card.]

  • Slide 23/40

    Smart Card Infrastructure

    [Diagram: the layered smart card architecture from slide 21 (user interface, smart card service providers with the COM interface model, smart card resource manager, reader helper driver, specific reader drivers; layers: smart card subsystem DLLs, Resource Manager, Drivers).]

    Device Drivers
    Map functionality to the native services that the infrastructure provides
    Communicate card insertion\removal events to the Resource Manager
    Provide data communication capabilities to and from the card

    Resource Manager
    Manages and controls all application access
    Provides a virtual direct connection to the requested smart card

    Service Providers
    Provide cryptographic services, e.g. key generation, digital signature and bulk encryption, through CryptoAPI
    Two categories: cryptographic (CSP) and non-cryptographic
    CSPs can be software-only (like the MS Base CSP) or hardware-based, where the crypto engine resides on a smart card (SCCP)

  • Slide 24/40

    Windows logon: Smart Card

  • Slide 25/40

    Smart Card Authentication

    Client certificate and PIN credentials
    Certificate authentication from browser to web server
    User's SIDs sent to the XML service
    Client handles authentication to the ICA server

  • Slide 26/40

    Smart Card Core Subsystem Architecture

    [Diagram. XD/XA side: Winlogon.exe with the SCardHook DLL, CtxSvcHost.exe (hosting the CtxSmartCardSvc DLL), the VC User Mode API (Pica/WTS) and the ICA stack. End-point (e.g. XP), user mode: Wfica32.exe (ICA Client Engine) with the VDSCardN DLL, the WinSCard DLL (MS) and SCardSvc.exe (MS); kernel mode: the SC reader driver; hardware: the SC reader. The PC/SC (WinSCard) API is remoted over the ICA protocol (ICA Smart Card VC Protocol).]

    Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit

  • Slide 27/40

    Troubleshooting Smart Card

    Diagnostic/Tracing (CDF) modules:
    MF_DLL_CtxGina (PortICA GINA) for smart card SSON
    MF_Hook_SmartCard
    PE_Service_CtxSmartCardSvc
    PE_Service_CtxSvcHost (just loads CtxSmartCardSvc.dll)
    PE_Library_GvchBase
    PE_Library_CtxCppBase

    Debugging:
    Debug the user process loading SCardHook.dll
    Debug CtxSvcHost.exe (the instance with CtxSmartCardSvc.dll loaded)
    Debug Wfica32.exe and vdscardN.dll on the client side

    Additional info:
    Use the Remote CDF tool
    Verify the Citrix Smart Card Service is running
    Restart the Citrix Smart Card Service

  • Slide 28/40

    Anonymous Authentication

  • Slide 29/40

    Anonymous Authentication

    No credentials
    XenApp only
    Published resources must be explicitly configured for Anonymous authentication

  • Slide 30/40

    Kerberos Authentication

  • Slide 31/40

    Kerberos Authentication

    Using Kerberos for Authentication: users can use Kerberos for Explicit\Prompt or Pass-through Authentication.
    More secure: no password crosses the wire, even encrypted.
    Works with any client logon method: password, smart card, biometrics, etc.

  • Slide 32/40

    Kerberos Authentication Support: Configure Delegation on Web Interface Server

    (Steps shown as a screenshot; text cut off at the slide edge:)
    Edit the Delegation properties of the … computer object in Active Directory
    Trust this computer for delegation using … authentication …
    Add the http … each XenApp …

  • Slide 33/40

    Kerberos Authentication Support: Configure Delegation on XenApp (XML) Server

    (Steps shown as a screenshot; text cut off at the slide edge:)
    Edit the Delegation properties of each XenApp Server object in Active Directory
    Trust this computer for delegation using Kerberos only
    Add the HOST … for this computer … the XML service

  • Slide 34/40

    Kerberos Auth in XenApp

    [Diagram: Client (Winlogon, SSOn, IE, ICA Client Engine), WI, XA server (Winlogon, TS / wsxica, IMA), DC and back-end servers (File Server, Exchange, ...). Flows are labelled pwd, Get svc ticket, Svc ticket, SIDs, Launch ref in .ica file, Launch ref, and Launch ref & svc ticket (through Kerberos VC).]

  • Slide 35/40

    Kerberos Auth in XenDesktop

    [Diagram: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine), WI, DDC, VDA (Winlogon, VDA, IMA / DDC), DC and back-end servers (File Server, Exchange, ...). Flows are labelled pwd, Get svc ticket, Svc ticket, SID, Launch ref in .ica file, Launch ref, and Launch ref, pwd.]

  • Slide 36/40

    Troubleshooting Kerberos

    Diagnostic/Tracing (CDF) modules:
    MF_DLL_CtxAuth
    MF_DLL_CtxKerbProvider
    MF_DLL_Cutildll
    MF_Library_CtxSSPI

    Debugging:
    Debug the Winlogon process
    Debug Wfica32.exe on the client side
    Analyse a network trace for Kerberos-related packets

    Additional info:
    Use CDF Control
    Verify the Service Principal Name (SPN)
    Verify the configuration: CTX121918

  • Slide 37/40

    Recap

    Explicit\Prompt Authentication: negotiates the authentication protocol at the MS layer.
    Smartcard Authentication: XenDesktop and XenApp have a similar architecture; new Citrix services for cert enumeration, SC removal policy, etc.
    Pass-through Authentication: credential capturing (SSONSVR) or Kerberos ticket.
    Kerberos Authentication: no back-end NTLM support; credential prompt.

  • Slide 38/40

    For More Information

    Whitepapers
    Windows 2000 Kerberos Authentication (Microsoft): http://www.microsoft.com/windows/server/Technical/security/default.asp
    Windows 2000 Kerberos Interoperability
    Authentication Functions: http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx

  • Slide 39/40

    Before you leave

    Recommended related breakout sessions:
    SUM509 - Integrating single sign-on and smart card authentication … Gateway Enterprise Edition

    Session surveys are available online at www.citrixsummit.com starting 7 October. Provide your feedback and pick up a complimentary gift card at the … desk.

    Download presentations starting Friday, 15 October, from your My O… Tool located in your My Synergy Microsite event account.

  • Slide 40/40