8/10/2019 XenApp and XenDesktop Authentication.ppt

Slide 1: Authentication on XenApp & XenDesktop
Lalit Kaushal, Escalation Engineer EMEA

Slide 2: Agenda
Authentication at WI: Explicit Authentication
Pass-through Authentication
Smart Card Authentication
Anonymous Authentication
Kerberos Authentication

Slide 3: Authentication in XenApp\XenDesktop
Support for several authentication methods: smart cards, client certificates, RSA SecurID, etc.
Support for OS and non-OS credential stores. OS: Active Directory and eDirectory. Non-OS: LDAP, RADIUS, 3rd-party authentication methods.
Leverage authentication methods supported by Windows: smart card support, client certificate support, custom 3rd-party authentication mechanisms through GINA extensions.
Leverage Windows authentication to flow the OS identity tokens between infrastructure services. Example: flowing Kerberos tickets between the ICA client and the XA server.

Slide 4: Kerberos
Diagram: Client, Key Distribution Centre (KDC) containing the Authentication Service (AS) and the Ticket Granting Service (TGS), and the server session. Client to TGS: "Here's my TGT, can you give me a Service Ticket?" TGS to client: "Here's your Service Ticket." Client to server: "Here's my Service Ticket, authenticate me."
1. Authentication Service (AS): handles logon and issues a Ticket Granting Ticket for future authentication.
2. Ticket Granting Service (TGS): accepts the TGT and issues tickets to clients for a server or resource.
3. Ticket Granting Ticket (TGT): received from the Authentication Service; carries the client's Privilege Attribute Certificate.
4. Ticket: received from the TGS; provides authentication for a server or resource.

Slide 5: Kerberos Delegation

Slide 6: Kerberos in Windows
All you ever wanted to know about Kerberos: http://technet.microsoft.com/en-us/library/cc772815.aspx

Slide 7: Explicit or Prompt Authentication

Slide 8: Explicit or Prompt Authentication
Username, password and domain; optionally includes two-factor authentication such as RSA SecurID.
Encoded credentials passed to the XML service.

Slide 9: Explicit Auth in XenApp
Diagram: Client (Winlogon, SSOn, IE, ICA Client Engine) -> WI -> XML Broker on XenApp (Winlogon, IMA / DDC, TS / wsxica), with the DC and the back-end servers (File Server, Exchange, ...). Flow labels: pwd, auth, WI ticket, Svc ticket.

Slide 10: Explicit Auth in XD
Diagram: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine) -> WI -> DDC (IMA / DDC) -> VDA (Winlogon), with the DC and the back-end servers (File Server, Exchange, ...). Flow labels: pwd, auth, WI ticket, Svc ticket.

Slide 11: Troubleshooting Explicit
Diagnostic/Tracing (CDF) modules: MF_DLL_CtxGina (PortICA GINA) for smart card SSON, MF_DLL_Ctxauth, MF_DLL_Ctxnotif, MF_DLL_Wsxica, MF_Service_CtxXmlSS, MF_XMLRelay_Wpnbr
Debugging: capture network traffic; study the behaviour of any 3rd-party authentication system, if one exists
Additional info: use the CDF tool; isolate XML; Event Log messages

Slide 12: Pass-through Authentication

Slide 13: Pass-Through?
Pass-Through Session: connecting from within one session to another session on another server (2 servers, 2 clients, 2 sessions).
Pass-Through Authentication\SSON (Single Sign On): passing the user credential into the session.

Slide 14: Pass-Through Authentication
Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop.
Users do not need to re-enter their credentials, and their resource set is displayed automatically.
Additionally, you can use Kerberos integrated Windows authentication to connect to server farms.
If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.

Slide 15: Pass-Through Authentication
Windows identity credentials
IWA from browser to web server
Users' SIDs sent to the XML service
Client handles authentication to the ICA server

Slide 16: Pass-Through Authentication
Diagram: numbered flow, steps 1 to 10; the step labels were not recoverable from the extracted text.

Slide 17: Troubleshooting Pass-Through
Diagnostic/Tracing (CDF) modules: MF_DLL_CtxGina (PortICA GINA) for smart card SSON, MF_DLL_Ctxauth, MF_DLL_Ctxnotif, MF_DLL_Wsxica, MF_Service_CtxXmlSS, MF_XMLRelay_Wpnbr
Debugging: capture network traffic; verify SSONSVR is running
Additional info: use the CDF Control tool; verify whether Explicit\Prompt authentication works; follow CTX368624

Slide 18: SmartCard Authentication

Slide 19: What is Multi-Factor Authentication?
An ATM card is the most common example: you wouldn't use just one factor to protect your money.
Multiple factors: something you know (your PIN); something you have (your card).

Slide 20: What is Multifactor Authentication?
Smart Cards: 2-factor authentication (something you know, something you have)
Biometrics: fingerprint readers, retinal scan, facial recognition
Biopassword: keystroke dynamics
Proximity

Slide 21: Microsoft Architecture
Diagram of the smart card infrastructure layers, bottom to top:
Hardware: readers and smart cards
Drivers: specific reader drivers, reader helper driver
Resource Manager: smart card resource manager
Smart card subsystem DLLs: smart card service providers (COM interface model)
User applications: smart card-aware applications, user interface

Slide 22: Smart Card Infrastructure: Hardware
Cards: credit card-sized devices; introduced to Windows by using a vendor-supplied installation program, which installs a service provider that registers its interfaces with the Resource Manager.
Readers: attach to peripheral interfaces, e.g. PS/2, PCMCIA and USB.

Slide 23: Smart Card Infrastructure: Drivers, Resource Manager, Service Providers
Device Drivers: map functionality to native services that the infrastructure provides; communicate card insertion\removal events to the Resource Manager; provide data communication capabilities to and from the card.
Resource Manager: manages and controls all application access; provides a virtual direct connection to the requested smart card.
Service Providers: provide cryptographic services, e.g. key generation, digital signature and bulk encryption, through CryptoAPI. Two categories: cryptographic (CSP) and non-cryptographic. CSPs can be software-only (like the MS Base CSP) or hardware-based, where the crypto engine resides on a smart card (SCCP).

Slide 24: Windows logon: Smart Card

Slide 25: Smart Card Authentication
Client certificate and PIN credentials
Certificate authentication from browser to web server
Users' SIDs sent to the XML service
Client handles authentication to the ICA server

Slide 26: Smart Card Core Subsystem Architecture
Diagram. End-point (e.g. XP): SC Reader (hardware) -> SC Reader Driver (kernel mode) -> SCardSvc.exe (MS) -> WinSCard DLL (MS), exposing the PC/SC API -> VDSCardN DLL inside Wfica32.exe (ICA Client Engine), all in user mode above the driver.
XD/XA side: Winlogon.exe with SCardHook DLL -> PC/SC (WinSCard) API -> CtxSvcHost.exe (CtxSmartCardSvc DLL) -> VC User Mode API (Pica/WTS) -> ICA Stack.
The PC/SC API is remoted over the ICA protocol (ICA Smart Card VC Protocol). Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit.

Slide 27: Troubleshooting Smart Card
Diagnostic/Tracing (CDF) modules: MF_DLL_CtxGina (PortICA GINA) for smart card SSON, MF_Hook_SmartCard, PE_Service_CtxSmartCardSvc, PE_Service_CtxSvcHost (just loads CtxSmartCardSvc.dll), PE_Library_GvchBase, PE_Library_CtxCppBase
Debugging: debug the user process loading SCardHook.dll; debug CtxSvcHost.exe (the instance with CtxSmartCardSvc.dll loaded); debug Wfica32.exe and vdscardN.dll on the client side
Additional info: use the Remote CDF tool; verify the Citrix Smart Card Service is running; restart the Citrix Smart Card Service
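The pass-through slide says to verify that SSONSVR is running and the smart card slide says to verify (and if needed restart) the Citrix Smart Card Service. The following PowerShell is an added example, not code from the presentation or from Citrix, that turns those two checks into one function. It assumes the pass-through capture process is ssonsvr.exe, that the Microsoft smart card resource manager service is named SCardSvr, and that the Citrix service can be matched by the display name "Citrix Smart Card Service" (its short service name is not given on the slides).

```powershell
# Added example, not code from the presentation or from Citrix: checks the
# components the troubleshooting slides say to verify for pass-through
# (SSONSVR running) and smart card (Citrix Smart Card Service running).
# Assumptions: the pass-through capture process is ssonsvr.exe; the Microsoft
# smart card resource manager service is named 'SCardSvr'; the Citrix service
# is matched by its display name 'Citrix Smart Card Service' because its short
# service name is not given on the slides.

function Test-CitrixAuthComponents {
    [CmdletBinding()]
    param(
        # Start any stopped service that was found (requires local admin rights).
        [switch]$StartStopped
    )

    $results = @()

    # Pass-through: credentials are captured only while ssonsvr.exe runs in the
    # user's session, so a missing process explains a silent fall-back to the
    # explicit logon prompt.
    $sson = Get-Process -Name 'ssonsvr' -ErrorAction SilentlyContinue
    $ssonStatus = if ($sson) { 'Running' } else { 'Not running' }
    $results += [pscustomobject]@{
        Component = 'ssonsvr.exe (pass-through credential capture)'
        Status    = $ssonStatus
        Ok        = [bool]$sson
    }

    # Smart card: PC/SC remoting needs the Microsoft resource manager service
    # and the Citrix smart card service (CtxSmartCardSvc.dll inside CtxSvcHost.exe).
    $checks = @(
        @{ Label = 'Microsoft Smart Card service'; Filter = { $_.Name -eq 'SCardSvr' } },
        @{ Label = 'Citrix Smart Card Service';    Filter = { $_.DisplayName -eq 'Citrix Smart Card Service' } }
    )
    foreach ($check in $checks) {
        $svc = Get-Service | Where-Object -FilterScript $check.Filter | Select-Object -First 1
        if (-not $svc) {
            $results += [pscustomobject]@{ Component = $check.Label; Status = 'Not installed'; Ok = $false }
            continue
        }
        if ($svc.Status -ne 'Running' -and $StartStopped) {
            Start-Service -Name $svc.Name -ErrorAction SilentlyContinue
            $svc.Refresh()
        }
        $results += [pscustomobject]@{
            Component = $check.Label
            Status    = $svc.Status.ToString()
            Ok        = ($svc.Status -eq 'Running')
        }
    }

    return $results
}

# Usage: run on the endpoint for the pass-through check and on the XenApp
# server or VDA for the smart card checks.
Test-CitrixAuthComponents | Format-Table -AutoSize
```

Run it in the user's session for the ssonsvr.exe check (the process is per-session, so an elevated prompt may not see it) and elevated when using -StartStopped. A "Not installed" result for the Citrix service on the server side points at the installation rather than at the card, reader or PIN.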

Slide 28: Anonymous Authentication

Slide 29: Anonymous Authentication
No credentials
XenApp only
Published resources must be explicitly configured for anonymous authentication

Slide 30: Kerberos Authentication

Slide 31: Kerberos Authentication
Using Kerberos for authentication: users can use Kerberos for Explicit\Prompt or Pass-through Authentication.
More secure: no password crosses the wire, even encrypted.
Works with any client logon method: password, smart card, biometrics, etc.

Slide 32: Kerberos Authentication Support: Configure Delegation on the Web Interface Server
Edit the Delegation properties of the computer object in Active Directory.
Trust this computer for delegation using any authentication protocol.
Add the http service for each XenApp server.

Slide 33: Kerberos Authentication Support: Configure Delegation on the XenApp (XML) Server
Edit the Delegation properties of each XenApp Server object in Active Directory.
Trust this computer for delegation using Kerberos only.
Add the HOST service for this computer, which runs the XML service.

Slide 34: Kerberos Auth in XenApp
Diagram: Client (Winlogon, SSOn, IE, ICA Client Engine) -> WI -> XA (Winlogon, TS / wsxica, IMA), with the DC and the back-end servers (File Server, Exchange, ...). Flow labels: pwd, Get svc ticket, Svc ticket, SIDs, Launch ref in .ica file, Launch ref & svc ticket (through Kerberos VC), Launch ref.

Slide 35: Kerberos Auth in XenDesktop
Diagram: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine) -> WI -> DDC (IMA / DDC) -> VDA (Winlogon), with the DC and the back-end servers (File Server, Exchange, ...). Flow labels: pwd, Get svc ticket, Svc ticket, SID, Launch ref in .ica file, Launch ref, pwd, Launch ref.

Slide 36: Troubleshooting Kerberos
Diagnostic/Tracing (CDF) modules: MF_DLL_CtxAuth, MF_DLL_CtxKerbProvider, MF_DLL_Cutildll, MF_Library_CtxSSPI
Debugging: debug the Winlogon process; debug Wfica32.exe on the client side; analyse a network trace for Kerberos-related packets
Additional info: use CDF Control; verify the Service Principal Name (SPN); verify the configuration per CTX121918
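Slides 32 and 33 describe the delegation settings to configure on the Web Interface server and on each XenApp (XML) server, and the troubleshooting slide says to verify the SPN. The following PowerShell is an added example, not code from the presentation or from Citrix, that reads those settings back from Active Directory and compares them with what the slides call for. It assumes the ActiveDirectory module (RSAT) is available, that WI01 and XA01/XA02 are placeholder computer names, that the delegation target for WI is the http service of each XenApp server, and that the HOST service on slide 33 means the HOST/<FQDN> SPN of the XenApp server.

```powershell
# Added example, not code from the presentation or from Citrix: reads back the
# Active Directory delegation settings that slides 32 and 33 describe and the
# SPNs that slide 36 says to verify. Requires the ActiveDirectory module (RSAT).
# Assumptions: 'WI01', 'XA01' and 'XA02' are placeholder computer names; the
# expected wiring is that the Web Interface server is trusted for delegation
# using any authentication protocol to the http service of each XenApp server,
# and each XenApp server is trusted for delegation using Kerberos only and
# registers HOST/<FQDN>.

Import-Module ActiveDirectory

function Get-DelegationSummary {
    param([Parameter(Mandatory)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName -Properties `
        'TrustedForDelegation', 'TrustedToAuthForDelegation', `
        'msDS-AllowedToDelegateTo', 'servicePrincipalName', 'DNSHostName'

    # The delegation dialog maps onto two userAccountControl flags plus one attribute:
    #   TrustedForDelegation       -> "Trust this computer for delegation to any service" (unconstrained)
    #   TrustedToAuthForDelegation -> "Use any authentication protocol" (protocol transition)
    #   msDS-AllowedToDelegateTo   -> the services listed for constrained delegation
    $targets = @($c.'msDS-AllowedToDelegateTo')
    $mode = if ($c.TrustedForDelegation) { 'Unconstrained (any service)' }
            elseif ($targets.Count -gt 0 -and $c.TrustedToAuthForDelegation) { 'Constrained, any authentication protocol' }
            elseif ($targets.Count -gt 0) { 'Constrained, Kerberos only' }
            else { 'No delegation' }

    [pscustomobject]@{
        Computer       = $c.Name
        DnsHostName    = $c.DNSHostName
        DelegationMode = $mode
        AllowedTargets = $targets
        SPNs           = @($c.servicePrincipalName)
    }
}

# Compares what is configured with what the slides call for. Returns one object
# per check so the result can be filtered on Ok -eq $false.
function Test-WiToXenAppDelegation {
    param(
        [Parameter(Mandatory)][string]$WebInterfaceServer,
        [Parameter(Mandatory)][string[]]$XenAppServer
    )
    $wi = Get-DelegationSummary -ComputerName $WebInterfaceServer
    $checks = @()
    $checks += [pscustomobject]@{
        Check = "WI '$($wi.Computer)' uses any authentication protocol"
        Ok    = ($wi.DelegationMode -eq 'Constrained, any authentication protocol')
        Found = $wi.DelegationMode
    }
    foreach ($name in $XenAppServer) {
        $xa = Get-DelegationSummary -ComputerName $name
        # -contains compares strings case-insensitively, so http/ and HTTP/ both match.
        $checks += [pscustomobject]@{
            Check = "WI delegates to http/$($xa.DnsHostName)"
            Ok    = ($wi.AllowedTargets -contains "http/$($xa.DnsHostName)")
            Found = ($wi.AllowedTargets -join ', ')
        }
        $checks += [pscustomobject]@{
            Check = "XA '$($xa.Computer)' uses Kerberos only"
            Ok    = ($xa.DelegationMode -eq 'Constrained, Kerberos only')
            Found = $xa.DelegationMode
        }
        $checks += [pscustomobject]@{
            Check = "XA '$($xa.Computer)' registers HOST/$($xa.DnsHostName)"
            Ok    = ($xa.SPNs -contains "HOST/$($xa.DnsHostName)")
            Found = ($xa.SPNs -join ', ')
        }
    }
    return $checks
}

# Usage (placeholder names):
Test-WiToXenAppDelegation -WebInterfaceServer 'WI01' -XenAppServer 'XA01', 'XA02' | Format-Table -AutoSize
```

The DelegationMode value makes the two common misconfigurations visible at a glance: "Unconstrained (any service)" on either server is broader than the slides ask for, and "Constrained, Kerberos only" on the Web Interface server breaks the protocol transition that explicit logon at WI needs. The SPN list is the same data that `setspn -L <computer>` prints; on a client, `klist get http/<WI FQDN>` shows whether a service ticket for the Web Interface SPN can actually be obtained.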

Slide 37: Recap
Explicit\Prompt Authentication: negotiation of the authentication protocol at the MS layer.
Smartcard Authentication: XenDesktop and XenApp have a similar architecture; new Citrix services for certificate enumeration, SC removal policy, etc.
Pass-through Authentication: credential capturing (SSONSVR) or Kerberos ticket.
Kerberos Authentication: no back-end NTLM support; credential prompt.

Slide 38: For More Information
Whitepapers:
Windows 2000 Kerberos Authentication (Microsoft): http://www.microsoft.com/windows/server/Technical/security/default.asp
Windows 2000 Kerberos Interoperability
Authentication Functions: http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx

Slide 39: Before you leave
Recommended related breakout sessions: SUM509 - Integrating single sign-on and smart card authentication ... Gateway Enterprise Edition
Session surveys are available online at www.citrixsummit.com starting 7 October. Provide your feedback and pick up a complimentary gift card at the ... desk.
Download presentations starting Friday, 15 October, from your My O... Tool located in your My Synergy Microsite event account.