XenApp & XenDesktop

collarlimabeans | Security

23 Feb 2014 (3 years and 8 months ago)

165 views

Authentication on XenApp & XenDesktop

Lalit Kaushal
Escalation Engineer EMEA


Agenda

Authentication at WI:
- Explicit Authentication
- Pass-through Authentication
- Smart Card Authentication
- Anonymous Authentication
- Kerberos Authentication


Authentication in XenApp\XenDesktop

- Support for several authentication methods
  - Smart cards, client certificates, RSA SecurID, etc.
- Support for OS and non-OS credential stores
  - OS: Active Directory and eDirectory
  - Non-OS: LDAP, RADIUS, 3rd party authentication methods
- Leverage authentication methods supported by Windows:
  - Smart card support
  - Client certificate support
  - Custom 3rd party authentication mechanisms through GINA extensions
- Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services
  - Example: flowing Kerberos tickets between ICA client and XA server

Kerberos

[Diagram: Key Distribution Centre (KDC) containing the Authentication Service (AS) and the Ticket Granting Service (TGS), a client, and a Client\Server session. Message labels that survive extraction:]
- Client -> TGS: "Here's my TGT. Can you give me a Service Ticket?"
- TGS -> Client: "Here's your Service Ticket"
- Client -> Server: "Here's my Service Ticket, authenticate me"

Kerberos Delegation

1. Authentication Service (AS): Authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication.
2. Ticket Granting Service (TGS): Grants tickets to TGT-holding clients for a specific application server or resource.
3. Ticket Granting Ticket (TGT): This ticket is received from the Authentication Service (AS) and contains the client's Privilege Attribute Certificate (PAC).
4. Ticket: This ticket is received from the TGS and provides authentication for a specific application server or resource.
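The four steps in the diagram and the definitions above, as an added worked example that is not part of the original deck: a toy Python model of a KDC (AS and TGS), a client and an application server exchanging a TGT, a service ticket and authenticators. The cipher, realm, principal names and password are constructed stand-ins (seal/unseal use an HMAC-based toy scheme, not a real Kerberos encryption type). What it demonstrates is the claim the deck makes later for Kerberos authentication: only tickets and authenticators cross the wire, never the password or the key derived from it, and a wrong password or a tampered ticket is rejected by the AS or the server.

```python
"""Toy model of the AS / TGS / service-ticket exchange on the Kerberos slides (added example).
Constructed: seal()/unseal() is a toy HMAC-SHA256 keystream cipher with an HMAC tag, NOT a
Kerberos encryption type; realm, principal names, passwords and keys are invented."""
import hashlib
import hmac
import json
import os
import secrets
import time

CLOCK_SKEW = 300   # seconds; authenticators outside the skew window are rejected
LIFETIME = 36000   # ticket lifetime in seconds (constructed value)

def string_to_key(password, salt):
    """Stand-in for Kerberos string-to-key: the client's long-term key is derived from the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, obj):
    """Toy authenticated encryption of a dict: nonce || tag || ciphertext."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct

def unseal(key, blob):
    """Reverse of seal(); raises ValueError on a wrong key or a tampered message."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Key Distribution Centre holding both roles from the slide: AS and TGS."""

    def __init__(self, realm, users, services):
        self.realm = realm
        self.user_keys = {u: string_to_key(p, realm + u) for u, p in users.items()}
        self.service_keys = services              # service principal -> long-term key
        self.tgs_key = secrets.token_bytes(32)    # krbtgt key: only the KDC can open a TGT

    def authentication_service(self, as_req):
        """AS: verify pre-authentication (timestamp under the client key), issue TGT + session key."""
        ckey = self.user_keys[as_req["cname"]]
        preauth = unseal(ckey, as_req["padata"])  # fails if the password-derived key is wrong
        if abs(time.time() - preauth["ts"]) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp outside clock skew")
        sk = secrets.token_bytes(32)              # client/TGS session key
        tgt = seal(self.tgs_key, {"cname": as_req["cname"], "sk": sk.hex(),
                                  "exp": time.time() + LIFETIME})
        return {"tgt": tgt, "enc": seal(ckey, {"sk": sk.hex(), "sname": "krbtgt"})}

    def ticket_granting_service(self, tgs_req):
        """TGS: open the TGT with the krbtgt key, check the authenticator, issue a service ticket."""
        tgt = unseal(self.tgs_key, tgs_req["tgt"])
        sk = bytes.fromhex(tgt["sk"])
        auth = unseal(sk, tgs_req["authenticator"])
        if auth["cname"] != tgt["cname"] or time.time() > tgt["exp"]:
            raise ValueError("authenticator does not match TGT, or TGT expired")
        svc_sk = secrets.token_bytes(32)          # client/service session key
        ticket = seal(self.service_keys[tgs_req["sname"]],
                      {"cname": tgt["cname"], "sk": svc_sk.hex(), "exp": time.time() + LIFETIME})
        return {"ticket": ticket, "enc": seal(sk, {"sk": svc_sk.hex(), "sname": tgs_req["sname"]})}

def application_server(service_key, ap_req):
    """The resource (e.g. a XenApp host): validate the service ticket and return the user name."""
    ticket = unseal(service_key, ap_req["ticket"])
    auth = unseal(bytes.fromhex(ticket["sk"]), ap_req["authenticator"])
    if auth["cname"] != ticket["cname"] or time.time() > ticket["exp"]:
        raise ValueError("authenticator does not match ticket, or ticket expired")
    return ticket["cname"]

def run_exchange(user, password, typed_password=None, service="host/xenapp01.example.test"):
    """Run the four slide steps; typed_password lets a wrong password be tried against the AS."""
    svc_key = secrets.token_bytes(32)
    kdc = KDC("EXAMPLE.TEST", {user: password}, {service: svc_key})
    ckey = string_to_key(typed_password or password, kdc.realm + user)
    wire = []                                     # constructed capture: (sender, receiver, bytes)
    enc = lambda m: json.dumps(m, default=bytes.hex).encode()
    # 1. AS exchange: "Authenticate & get TGT"
    as_req = {"cname": user, "padata": seal(ckey, {"ts": time.time()})}
    wire.append(("client", "AS", enc(as_req)))
    as_rep = kdc.authentication_service(as_req)
    wire.append(("AS", "client", enc(as_rep)))
    sk = bytes.fromhex(unseal(ckey, as_rep["enc"])["sk"])
    # 2. TGS exchange: "Here's my TGT, can you give me a Service Ticket"
    tgs_req = {"tgt": as_rep["tgt"], "sname": service,
               "authenticator": seal(sk, {"cname": user, "ts": time.time()})}
    wire.append(("client", "TGS", enc(tgs_req)))
    tgs_rep = kdc.ticket_granting_service(tgs_req)
    wire.append(("TGS", "client", enc(tgs_rep)))  # 3. "Here's your Service Ticket"
    svc_sk = bytes.fromhex(unseal(sk, tgs_rep["enc"])["sk"])
    # 4. AP exchange: "Here's my Service Ticket, authenticate me"
    ap_req = {"ticket": tgs_rep["ticket"],
              "authenticator": seal(svc_sk, {"cname": user, "ts": time.time()})}
    wire.append(("client", "server", enc(ap_req)))
    return application_server(svc_key, ap_req), wire

def secret_on_wire(wire, password, client_key):
    """Check the slide's claim: neither the password nor the key derived from it crosses the wire."""
    return any(password.encode() in m or client_key.hex().encode() in m for _, _, m in wire)
```

`run_exchange("alice", "Winter2014!")` returns the name the server authenticated and the captured messages; `secret_on_wire` run over that capture is the defender's check that a network trace of the exchange carries no reusable credential. Real Kerberos adds realms, the PAC, ticket flags and forwardable tickets (which the delegation settings covered later in the deck build on); none of those are modelled here.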


Kerberos in Windows

All you ever wanted to know about Kerberos:
http://technet.microsoft.com/en-us/library/cc772815.aspx

Explicit or Prompt Authentication

- Username, password and domain
- Optionally includes two-factor authentication such as RSA SecurID
- Encoded credentials passed to XML service

Explicit Auth in XenApp

[Diagram: explicit authentication flow. Participants: Client (Winlogon, SSOn, IE, ICA Client Engine), WI, XML Broker / XenApp (Winlogon, IMA / DDC, TS / wsxica), Servers (File Server, Exchange, ...), DC. Message labels: pwd, auth, WI ticket, "Authenticate & get TGT", "Get svc ticket", "Svc ticket".]

Explicit Auth in XD

[Diagram: explicit authentication flow in XenDesktop. Participants: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine), WI, DDC (IMA / DDC), VDA (Winlogon, VDA), Servers (File Server, Exchange, ...), DC. Message labels: pwd, auth, WI ticket, "Authenticate & get TGT", "Get svc ticket", "Svc ticket".]


Troubleshooting Explicit

Diagnostic/Tracing (CDF):
- MF_DLL_CtxGina (PortICA GINA) for smart card SSON
- MF_DLL_Ctxauth
- MF_DLL_Ctxnotif
- MF_DLL_Wsxica
- MF_Service_CtxXmlSS
- MF_XMLRelay_Wpnbr

Debugging:
- Capture network traffic
- Study the behaviour of any 3rd party authentication system, if one exists

Additional info:
- Use CDF tool
- Isolate XML
- Event Log messages

Pass-Through?

Pass-Through Session:
- Connecting from within one session to another session on another server
- 2 servers
- 2 clients
- 2 sessions

Pass-Through Authentication\SSON (Single Sign On):
- Passing the user credential into the session


Pass-Through Authentication

- Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop.
- Users do not need to re-enter their credentials, and their resource set appears automatically.
- Additionally, you can use Kerberos integrated Windows authentication to connect to server farms.
- If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.


Pass-Through Authentication

- Windows identity credentials
- IWA browser to web server
- User's SIDs sent to XML service
- Client handles authentication to ICA server

Pass-Through Authentication

[Diagram: pass-through authentication sequence; only the step numbers 1-10 survive extraction.]


Troubleshooting Pass-Through

Diagnostic/Tracing (CDF):
- MF_DLL_CtxGina (PortICA GINA) for smart card SSON
- MF_DLL_Ctxauth
- MF_DLL_Ctxnotif
- MF_DLL_Wsxica
- MF_Service_CtxXmlSS
- MF_XMLRelay_Wpnbr

Debugging:
- Capture network traffic
- Verify SSONSVR is running

Additional info:
- Use CDF Control tool
- Verify if Explicit\Prompt authentication works
- Follow CTX368624

What is Multi-Factor Authentication?

- An ATM card is the most common example
- You wouldn't use just one factor to protect your money
- Multiple factors
  - Something you know: your PIN
  - Something you have: your card


What is Multifactor Authentication?

- Smart Cards
  - 2-Factor Authentication
    - Something you know
    - Something you have
- Biometrics
  - Fingerprint readers
  - Retinal scan
  - Facial recognition
- Biopassword
  - Keystroke dynamics
- Proximity

Smart Card Infrastructure

[Diagram: Microsoft smart card architecture, top to bottom]
- User Applications: Smart Card-aware applications, User Interface
- Smart card subsystem DLLs: Smart card service providers (COM interface model)
- Resource Manager: Smart card resource manager
- Drivers: Reader helper driver; specific reader driver (one per reader)
- Hardware: Readers, each with a Smart Card



Hardware

Cards:
- Credit card-sized devices
- Introduced to Windows by using a vendor-supplied installation program
- Installs a service provider that registers its interfaces with the Resource Manager

Reader:
- Attaches to peripheral interfaces, e.g. PS/2, PCMCIA and USB




Smart Card Infrastructure

Device Drivers:
- Map functionality to the native services that the infrastructure provides
- Communicate card insertion\removal events to the Resource Manager
- Provide data communication capabilities to and from the card

Resource Manager:
- Manages and controls all application access
- Provides a virtual direct connection to the requested smart card

Service Providers:
- Provide cryptographic services, e.g. key generation, digital signature, bulk encryption, through CryptoAPI
- Two categories: cryptographic (CSP) and non-cryptographic
- CSPs can be software-only (like MS Base CSP) or hardware-based, where the cryptographic engine resides on a smart card (SCCP)

Smart Card Authentication

Windows logon:
- Smart Card
  - Client certificate and PIN credentials
- Certificate authentication browser to web server
- User's SIDs sent to XML service
- Client handles authentication to ICA server

Smart Card Core Subsystem Architecture

[Diagram, reconstructed as a list]

XD/XA Host:
- User mode: Winlogon.exe and user applications (e.g. Winword.exe), each loading the SCardHook DLL; CtxSvcHost.exe (CtxSmartCardSvc DLL); VC User Mode API (Pica/WTS)
- Kernel mode: ICA Stack
- PC/SC API calls from the hooked processes are remoted over the ICA protocol (ICA Smart Card VC Protocol)

End-Point (e.g. XP):
- User mode: Wfica32.exe (ICA Client Engine) with VDSCardN DLL; WinSCard DLL (MS) and SCardSvc.exe (MS), i.e. the PC/SC (WinSCard) API
- Kernel mode: SC Reader Driver
- Hardware: SC Reader

Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit…


Troubleshooting Smart Card

Diagnostic/Tracing (CDF):
- MF_DLL_CtxGina (PortICA GINA) for smart card SSON
- MF_Hook_SmartCard
- PE_Service_CtxSmartCardSvc
- PE_Service_CtxSvcHost (just loads CtxSmartCardSvc.dll)
- PE_Library_GvchBase
- PE_Library_CtxCppBase

Debugging:
- Debug the user process loading SCardHook.dll
- Debug CtxSvcHost.exe (the instance with CtxSmartCardSvc.dll loaded)
- Debug Wfica32.exe and vdscardN.dll on the client side

Additional info:
- Use Remote CDF tool
- Verify Citrix Smart Card Service is running
- Restart Citrix Smart Card Service

Anonymous Authentication

- No credentials
- XenApp only
- Published resources must be explicitly configured for Anonymous authentication

Kerberos Authentication

Using Kerberos for Authentication:
- Users can use Kerberos for Explicit\Prompt or Pass-through Authentication.
- More secure: no password crosses the wire, not even encrypted
- Works with any client logon method
  - Password, smart card, biometrics, etc.





Kerberos Authentication Support

Configure Delegation on Web Interface Server:
- Edit the Delegation properties of each WI computer object in Active Directory
- Trust this computer for delegation using any authentication protocol
- Add the http service for each XenApp XML Broker





Kerberos Authentication Support

Configure Delegation on XenApp (XML) Server:
- Edit the Delegation properties of each XenApp Server computer object in Active Directory
- Trust this computer for delegation using Kerberos only
- Add the HOST service for this computer running the XML service

Kerberos Auth in XenApp

[Diagram: Kerberos authentication flow. Participants: Client (Winlogon, SSOn, IE, ICA Client Engine), WI, XA (Winlogon, TS / wsxica, IMA), Servers (File Server, Exchange, ...), DC. Message labels: pwd, "Get svc ticket", "Svc ticket", SIDs, "Launch ref in .ica file", "Launch ref & svc ticket (through Kerberos VC)", "Launch ref", ok.]

Kerberos Auth in XenDesktop

[Diagram: Kerberos authentication flow in XenDesktop. Participants: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine), WI, DDC (IMA / DDC), VDA (Winlogon, VDA), Servers (File Server, Exchange, ...), DC. Message labels: pwd, "Get svc ticket", "Svc ticket", SID, "Launch ref in .ica file", "Launch ref, pwd", "Launch ref", ok, "Authenticate & get TGT", "Get pwd".]


Troubleshooting Kerberos

Diagnostic/Tracing (CDF):
- MF_DLL_CtxAuth
- MF_DLL_CtxKerbProvider
- MF_DLL_Cutildll
- MF_Library_CtxSSPI

Debugging:
- Debug the Winlogon process
- Debug Wfica32.exe on the client side
- Analyse the network trace for Kerberos-related packets

Additional info:
- Use CDF Control
- Verify Service Principal Name (SPN)
- Verify configuration: CTX121918
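A defender's check for the two "Kerberos Authentication Support" slides (delegation settings on the Web Interface and XenApp XML broker computer objects) and for the "Verify Service Principal Name (SPN)" step on the troubleshooting slide, as an added example that is not Citrix's code. It reads the computer-object attributes behind the Delegation tab (userAccountControl, msDS-AllowedToDelegateTo, servicePrincipalName) and reports where an object departs from the prescribed settings, where a delegation target is not registered as an SPN anywhere, and where an SPN is registered twice. The records, host names and domain are constructed; in practice they would come from an AD export such as `Get-ADComputer -Properties`.

```python
"""Audit Kerberos constrained-delegation and SPN settings for Web Interface / XML broker objects.
Added example (not Citrix code). RECORDS is a constructed stand-in for an AD export."""

# userAccountControl bits (ADS_USER_FLAG_ENUM values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: "Trust this computer for delegation to any service"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with protocol transition: "any authentication protocol"
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Constructed export of three computer objects; hosts and domain are invented.
RECORDS = [
    {"name": "WI01", "dNSHostName": "wi01.corp.example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["http/xml01.corp.example"],
     "servicePrincipalName": ["HOST/wi01.corp.example", "HOST/WI01"]},
    {"name": "XML01", "dNSHostName": "xml01.corp.example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["HOST/xml01.corp.example"],
     "servicePrincipalName": ["HOST/xml01.corp.example", "HOST/XML01", "http/xml01.corp.example"]},
    {"name": "XML02", "dNSHostName": "xml02.corp.example",
     "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION,  # unconstrained: wrong
     "msDS-AllowedToDelegateTo": [],
     "servicePrincipalName": ["HOST/xml02.corp.example", "http/xml01.corp.example"]},  # duplicate SPN
]
ROLES = {"WI01": "wi", "XML01": "xml", "XML02": "xml"}   # which slide applies to which object


def delegation_mode(rec):
    """Map the UAC bits and msDS-AllowedToDelegateTo to the option selected on the Delegation tab."""
    uac = rec["userAccountControl"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if not rec["msDS-AllowedToDelegateTo"]:
        return "none"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-any-protocol"
    return "constrained-kerberos-only"


def has_spn(spns, spn):
    """SPN comparison is case-insensitive."""
    return spn.lower() in {s.lower() for s in spns}


def audit(records, roles):
    """Return findings as strings; an empty list means the objects match the slides' settings."""
    findings = []
    xml_brokers = [r for r in records if roles.get(r["name"]) == "xml"]
    for rec in records:
        role, mode = roles.get(rec["name"]), delegation_mode(rec)
        allowed = rec["msDS-AllowedToDelegateTo"]
        if role == "wi":
            # slide: "any authentication protocol" + the http service of each XML broker
            if mode != "constrained-any-protocol":
                findings.append(f"{rec['name']}: delegation mode is {mode}, expected constrained-any-protocol")
            for broker in xml_brokers:
                if not has_spn(allowed, f"http/{broker['dNSHostName']}"):
                    findings.append(f"{rec['name']}: http/{broker['dNSHostName']} missing from msDS-AllowedToDelegateTo")
        elif role == "xml":
            # slide: "Kerberos only" + the HOST service of the XML server itself
            if mode != "constrained-kerberos-only":
                findings.append(f"{rec['name']}: delegation mode is {mode}, expected constrained-kerberos-only")
            if not has_spn(allowed, f"HOST/{rec['dNSHostName']}"):
                findings.append(f"{rec['name']}: HOST/{rec['dNSHostName']} missing from msDS-AllowedToDelegateTo")
        # a delegation target must be registered on some object, or the KDC cannot issue the ticket
        for target in allowed:
            if not any(has_spn(r["servicePrincipalName"], target) for r in records):
                findings.append(f"{rec['name']}: delegation target {target} is not registered as an SPN")
    # "Verify Service Principal Name": an SPN registered on two objects breaks Kerberos for both
    seen = {}
    for rec in records:
        for spn in rec["servicePrincipalName"]:
            seen.setdefault(spn.lower(), []).append(rec["name"])
    for spn, owners in seen.items():
        if len(owners) > 1:
            findings.append(f"duplicate SPN {spn} on {', '.join(owners)}")
    return findings


if __name__ == "__main__":
    for finding in audit(RECORDS, ROLES):
        print(finding)
```

On the constructed records the audit reports that WI01 is not allowed to delegate to XML02's http service, that XML02 is configured for unconstrained delegation instead of "Kerberos only" and lacks its own HOST entry, and that http/xml01.corp.example is registered on two objects. Unconstrained delegation is flagged rather than accepted because it hands the server a copy of the user's TGT for any service, which is far more than the XML broker needs.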

Recap

- Explicit\Prompt Authentication
  - Negotiates the authentication protocol at the MS layer.
- Smartcard Authentication
  - XenDesktop and XenApp have a similar architecture
  - New Citrix services for certificate enumeration, SC removal policy, etc.
- Pass-through Authentication
  - Credential capturing (SSONSVR) or Kerberos ticket
- Kerberos Authentication
  - No back-end NTLM support; credential prompt


For More Information

Whitepapers:
http://www.microsoft.com/windows/server/Technical/security/default.asp
- Windows 2000 Kerberos Authentication (Microsoft)
- Windows 2000 Kerberos Interoperability

Authentication Function:
http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx


Before you leave…

- Recommended related breakout sessions:
  - SUM509 - Integrating single sign-on and smart card authentication with Access Gateway Enterprise Edition
- Session surveys are available online at www.citrixsummit.com starting Thursday, 7 October
- Provide your feedback and pick up a complimentary gift card at the registration desk
- Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account