Authentication on XenApp & XenDesktop Lalit Kaushal Escalation Engineer EMEA


Page 1: Authentication on XenApp & XenDesktop

Authentication on XenApp & XenDesktop
Lalit Kaushal, Escalation Engineer EMEA

Page 2: Authentication on XenApp & XenDesktop

Agenda

• Authentication at WI:
  • Explicit Authentication
  • Pass-through Authentication
  • Smart Card Authentication
  • Anonymous Authentication
• Kerberos Authentication

Page 3: Authentication on XenApp & XenDesktop

Authentication in XenApp\XenDesktop

• Support for several authentication methods
  • Smart cards, client certificates, RSA SecurID, etc.
• Support for OS and non-OS credential stores
  • OS: Active Directory and eDirectory
  • Non-OS: LDAP, RADIUS, 3rd party authentication methods
• Leverage authentication methods supported by Windows:
  • Smartcard support
  • Client certificate support
  • Custom 3rd party authentication mechanisms through GINA extensions
• Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services
  • Example: flowing Kerberos tickets between the ICA client and the XA server

Page 4: Authentication on XenApp & XenDesktop

Kerberos

[Diagram: Key Distribution Centre (KDC) containing the Authentication Service (AS) and the Ticket Granting Service (TGS)]

1. Authentication Service (AS): Authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication.
2. Ticket Granting Service (TGS): Grants tickets to TGT-holding clients for a specific application server or resource.
3. Ticket Granting Ticket (TGT): This ticket is received from the Authentication Service (AS) and contains the client's Privilege Attribute Certificate (PAC).
4. Ticket: This ticket is received from the TGS and provides authentication for a specific application server or resource.
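The four components above are easiest to understand as two KDC exchanges followed by one presentation of the ticket to the application server. The following is an added illustration, not code from the slides, Citrix or Microsoft: a toy realm in which the AS issues a TGT (sealed under the krbtgt key, carrying the PAC), the TGS turns a TGT plus a fresh authenticator into a service ticket sealed under the service's own key, and the application server opens that ticket and reads the PAC SIDs. Real Kerberos crypto is replaced by an HMAC-SHA256 based encrypt-then-MAC helper, the string-to-key function by PBKDF2, and the realm (user `alice`, service `http/xmlbroker`, the SIDs in the PAC) is constructed; all of those are assumptions of the example.

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds; authenticators and pre-auth stamps older than this are rejected


def derive_key(password: str, principal: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (constructed for this example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, b"enc" + nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag. Stands in for Kerberos encryption."""
    plain = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    cipher = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong key (e.g. a wrong password) fails here."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Hosts both KDC roles: the AS (issues TGTs) and the TGS (issues service tickets)."""

    def __init__(self, principal_keys: dict, krbtgt_key: bytes, pacs: dict):
        self.keys = principal_keys    # long-term keys of users and services
        self.krbtgt_key = krbtgt_key  # only the TGS can open a TGT
        self.pacs = pacs              # PAC contents (group SIDs) per user; constructed

    def authentication_service(self, user: str, pre_auth: bytes) -> tuple:
        """AS exchange: check the pre-authentication timestamp, return (TGT, reply for the client)."""
        stamp = unseal(self.keys[user], pre_auth)
        if abs(time.time() - stamp["ts"]) > CLOCK_SKEW:
            raise ValueError("pre-authentication timestamp outside allowed skew")
        session = os.urandom(32)
        tgt = {"client": user, "session": session.hex(), "pac": self.pacs[user],
               "expires": time.time() + 10 * 3600}
        return seal(self.krbtgt_key, tgt), seal(self.keys[user], {"session": session.hex()})

    def ticket_granting_service(self, tgt_blob: bytes, authenticator: bytes, service: str) -> tuple:
        """TGS exchange: the TGT (not the password) proves the logon; its PAC is copied into the ticket."""
        tgt = unseal(self.krbtgt_key, tgt_blob)
        if time.time() > tgt["expires"]:
            raise ValueError("TGT expired")
        session = bytes.fromhex(tgt["session"])
        auth = unseal(session, authenticator)
        if auth["client"] != tgt["client"] or abs(time.time() - auth["ts"]) > CLOCK_SKEW:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32)
        ticket = {"client": tgt["client"], "service": service, "session": svc_session.hex(),
                  "pac": tgt["pac"], "expires": time.time() + 10 * 3600}
        return seal(self.keys[service], ticket), seal(session, {"session": svc_session.hex()})


def client_obtain_service_ticket(kdc: KDC, user: str, password: str, service: str) -> tuple:
    """Client side: AS exchange, then TGS exchange; returns (service ticket, authenticator)."""
    user_key = derive_key(password, user)
    tgt_blob, reply = kdc.authentication_service(user, seal(user_key, {"ts": time.time()}))
    session = bytes.fromhex(unseal(user_key, reply)["session"])
    ticket_blob, reply = kdc.ticket_granting_service(
        tgt_blob, seal(session, {"client": user, "ts": time.time()}), service)
    svc_session = bytes.fromhex(unseal(session, reply)["session"])
    return ticket_blob, seal(svc_session, {"client": user, "ts": time.time()})


def service_accept(service: str, service_key: bytes, ticket_blob: bytes, authenticator: bytes) -> tuple:
    """Application server: open the ticket with its own key, check the authenticator, return (user, SIDs)."""
    ticket = unseal(service_key, ticket_blob)
    if ticket["service"] != service or time.time() > ticket["expires"]:
        raise ValueError("ticket is for another service or has expired")
    auth = unseal(bytes.fromhex(ticket["session"]), authenticator)
    if auth["client"] != ticket["client"] or abs(time.time() - auth["ts"]) > CLOCK_SKEW:
        raise ValueError("authenticator rejected")
    return ticket["client"], ticket["pac"]["sids"]


def build_demo_realm() -> KDC:
    """Constructed realm: one user and one service principal (the HTTP SPN of an XML broker)."""
    keys = {"alice": derive_key("correct horse", "alice"), "http/xmlbroker": os.urandom(32)}
    pacs = {"alice": {"sids": ["S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-513"]}}
    return KDC(keys, os.urandom(32), pacs)
```

Running `client_obtain_service_ticket(realm, "alice", "correct horse", "http/xmlbroker")` followed by `service_accept(...)` with the broker's key returns `("alice", [...SIDs...])`. Note what the server never sees: the password, which only ever touches the AS pre-authentication step, and the krbtgt key, which it does not hold. A wrong password fails at the AS because the pre-auth stamp does not verify, and a ticket presented to a server with a different key fails its integrity check, which is the property the later "no password crosses the wire" slide relies on.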

Page 5: Authentication on XenApp & XenDesktop

Kerberos Delegation

Page 6: Authentication on XenApp & XenDesktop

Kerberos in Windows

• All you ever wanted to know about Kerberos: http://technet.microsoft.com/en-us/library/cc772815.aspx

Page 7: Authentication on XenApp & XenDesktop

Explicit or Prompt Authentication

Page 8: Authentication on XenApp & XenDesktop

Explicit or Prompt Authentication

• Username, password and domain
  • Optionally includes two-factor authentication such as RSA SecurID
• Encoded credentials passed to XML service

Page 9: Authentication on XenApp & XenDesktop

Explicit Auth in XenApp

[Diagram: Client (Winlogon, SSOn, IE, ICA Client Engine), WI, XML Broker, XenApp (Winlogon, TS / wsxica, IMA / DDC), DC, Servers (File Server, Exchange, …). Flow labels: pwd, auth, WI ticket, WI ticket in .ica file, Authenticate & get TGT, Get svc ticket, Svc ticket]

Page 10: Authentication on XenApp & XenDesktop

Explicit Auth in XD

[Diagram: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine), WI, DDC (IMA / DDC), VDA (Winlogon), DC, Servers (File Server, Exchange, …). Flow labels: pwd, auth, WI ticket, WI ticket in .ica file, Authenticate & get TGT, Get svc ticket, Svc ticket]

Page 11: Authentication on XenApp & XenDesktop

Troubleshooting Explicit

Page 12: Authentication on XenApp & XenDesktop

Pass-through Authentication

Page 13: Authentication on XenApp & XenDesktop

Pass-Through?

• Pass-Through Session:
  • Connecting from within one session to another session on another server
  • 2 servers, 2 clients, 2 sessions
• Pass-Through Authentication\SSON (Single Sign On):
  • Passing the user credential into the session

Page 14: Authentication on XenApp & XenDesktop

Pass-Through Authentication

• Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop.
• Users do not need to re-enter their credentials, and their resource set appears automatically.
• Additionally, you can use Kerberos integrated Windows authentication to connect to server farms.
• If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.

Page 15: Authentication on XenApp & XenDesktop

Pass-Through Authentication

• Windows Identity credentials
• IWA browser to Web server
• User's SIDs sent to XML service
• Client handles authentication to ICA server

Page 16: Authentication on XenApp & XenDesktop

Pass-Through Authentication

[Diagram: numbered message flow, steps 1 to 10; the step labels are not recoverable from the extracted text]

Page 17: Authentication on XenApp & XenDesktop

Troubleshooting Pass-Through

Page 18: Authentication on XenApp & XenDesktop

SmartCard Authentication

Page 19: Authentication on XenApp & XenDesktop

What is Multi-Factor Authentication?

• ATM card is the most common example
  • You wouldn't use just one factor to protect your money
• Multiple factors
  • Something you know: your PIN
  • Something you have: your card

Page 20: Authentication on XenApp & XenDesktop

What is Multifactor Authentication?

• Smart Cards
  • 2-Factor Authentication
    • Something you know
    • Something you have
• Biometrics
  • Fingerprint readers
  • Retinal scan
  • Facial recognition
  • Biopassword: keystroke dynamics
• Proximity

Page 21: Authentication on XenApp & XenDesktop

Smart Card Infrastructure

• Microsoft Architecture

[Diagram: layered Microsoft smart card architecture. User Applications: Smart Card-aware applications, User Interface. Smart card Subsystem (DLLs): Smart card service providers (COM interface model). Resource Manager: Smart card resource manager. Drivers: Reader helper driver, specific reader drivers. Hardware: Readers and Smart Cards]

Page 22: Authentication on XenApp & XenDesktop

Smart Card Infrastructure

• Cards
  • Credit card-sized devices
  • Introduced to Windows by using a vendor-supplied installation program
  • Installs a service provider that registers its interfaces with the Resource Manager
• Readers
  • Attach to peripheral interfaces, e.g. PS/2, PCMCIA and USB

[Diagram: Hardware layer of the smart card infrastructure: Readers and Smart Cards]

Page 23: Authentication on XenApp & XenDesktop

Smart Card Infrastructure

[Diagram: User Interface, Smart card service providers (COM interface model), Smart card resource manager, Reader helper driver, specific reader drivers; layers: Smart card Subsystem (DLLs), Resource Manager, Drivers]

• Device Drivers
  • Map functionality to the native services that the infrastructure provides
  • Communicate card insertion\removal events to the Resource Manager
  • Provide data communication capabilities to and from the card
• Resource Manager
  • Manages & controls all application access
  • Provides a virtual direct connection to the requested smart card
• Service Providers
  • Provide cryptographic services, e.g. key generation, digital signature, bulk encryption, through CryptoAPI
  • Two categories: cryptographic (CSP) & non-cryptographic
  • CSPs can be software-only (like MS Base CSP) or hardware-based, where the cryptographic engine resides on a smart card (SCCP)

Page 24: Authentication on XenApp & XenDesktop

Windows logon – Smart Card

Page 25: Authentication on XenApp & XenDesktop

Smart Card Authentication

• Client certificate and PIN credentials
• Certificate authentication browser to web server
• User's SIDs sent to XML service
• Client handles authentication to ICA server

Page 26: Authentication on XenApp & XenDesktop

Smart Card Core Subsystem Architecture

[Diagram: XD/XA Host (user mode: Winlogon.exe, Winword.exe with SCardHook DLL, CtxSvcHost.exe (CtxSmartCardSvc DLL), VC User Mode API (Pica/WTS); kernel mode: ICA Stack) and End-Point (e.g. XP) (user mode: Wfica32.exe (ICA Client Engine), VDSCardN DLL, WinSCard DLL (MS), SCardSvc.exe (MS); kernel mode: SC Reader Driver; hardware: SC Reader). The PC/SC (WinSCard) API is remoted over the ICA protocol (ICA Smart Card VC Protocol).]

Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit…

Page 27: Authentication on XenApp & XenDesktop

Troubleshooting Smart Card

Page 28: Authentication on XenApp & XenDesktop

Anonymous Authentication

Page 29: Authentication on XenApp & XenDesktop

Anonymous Authentication

• No credentials
• XenApp only
• Published resources must be explicitly configured for Anonymous authentication

Page 30: Authentication on XenApp & XenDesktop

Kerberos Authentication

Page 31: Authentication on XenApp & XenDesktop

Kerberos Authentication

• Using Kerberos for Authentication
  • Users can use Kerberos for Explicit\Prompt or Pass-through Authentication.
  • More secure: no password crosses the wire, even encrypted
  • Works with any client logon method
    • Password, smart card, biometrics, etc.

Page 32: Authentication on XenApp & XenDesktop

Kerberos Authentication Support: Configure Delegation on Web Interface Server

• Edit the Delegation properties of each WI computer object in Active Directory
• Trust this computer for delegation using any authentication protocol
• Add the http service for each XenApp XML Broker

Page 33: Authentication on XenApp & XenDesktop

Kerberos Authentication Support: Configure Delegation on XenApp (XML) Server

• Edit the Delegation properties of each XenApp Server computer object in Active Directory
• Trust this computer for delegation using Kerberos only
• Add the HOST service for this computer running the XML service
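The two delegation dialogs on the preceding slides map onto attributes of the computer object: the "Trust this computer for delegation to specified services only" list is `msDS-AllowedToDelegateTo`, "using any authentication protocol" sets the `TRUSTED_TO_AUTH_FOR_DELEGATION` bit (0x1000000) of `userAccountControl`, and the older "any service" option sets `TRUSTED_FOR_DELEGATION` (0x80000), which is unconstrained delegation and is not what the slides prescribe. The following is an added audit check, not Citrix code and not part of the slides: it decodes those attributes from an export and reports every Web Interface or XML broker computer object whose delegation mode or target SPNs differ from the two slides (WI: any-protocol, HTTP targets only; XML server: Kerberos only, its own HOST service only). The flag values are the documented Windows `userAccountControl` bits; the export format, the role tag on each record and the host names are constructed for the example.

```python
# Documented AD userAccountControl bits that govern delegation.
TRUSTED_FOR_DELEGATION = 0x80000            # "to any service" (unconstrained)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "using any authentication protocol" (protocol transition)

# What the two slides prescribe per role: delegation mode and SPN service class of every target.
EXPECTED = {
    "wi":  ("constrained-any-protocol", "http"),   # Web Interface -> HTTP service of each XML broker
    "xml": ("constrained-kerberos-only", "host"),  # XML broker -> its own HOST service
}

# Constructed sample shaped like an export of the relevant computer-object attributes (not real data).
SAMPLE_EXPORT = [
    {"name": "WI01", "role": "wi", "dNSHostName": "wi01.corp.example",
     "userAccountControl": 0x1001000,  # WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION
     "msDS-AllowedToDelegateTo": ["http/xabroker01.corp.example", "http/xabroker02.corp.example"]},
    {"name": "XABROKER01", "role": "xml", "dNSHostName": "xabroker01.corp.example",
     "userAccountControl": 0x1000,     # WORKSTATION_TRUST_ACCOUNT only
     "msDS-AllowedToDelegateTo": ["host/xabroker01.corp.example"]},
    {"name": "XABROKER02", "role": "xml", "dNSHostName": "xabroker02.corp.example",
     "userAccountControl": 0x81000,    # WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
     "msDS-AllowedToDelegateTo": []},
]


def delegation_mode(uac: int, allowed_to: list) -> str:
    """Map the attribute combination to the option shown on the Delegation tab."""
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"
        return "constrained-kerberos-only"
    return "none"


def audit(computers: list) -> list:
    """Return one finding string per deviation from the slides' prescribed delegation setup."""
    findings = []
    for c in computers:
        targets = c.get("msDS-AllowedToDelegateTo", [])
        mode = delegation_mode(c["userAccountControl"], targets)
        want_mode, want_class = EXPECTED[c["role"]]
        if mode != want_mode:
            findings.append(f"{c['name']}: delegation is '{mode}', expected '{want_mode}'")
            continue
        for spn in targets:
            svc_class, _, host = spn.partition("/")
            if svc_class.lower() != want_class:
                findings.append(f"{c['name']}: target {spn} is not a {want_class.upper()} service")
            elif c["role"] == "xml" and host.lower() != c["dNSHostName"].lower():
                findings.append(f"{c['name']}: HOST target {spn} is not this computer")
    return findings
```

`audit(SAMPLE_EXPORT)` returns a single finding for `XABROKER02`, whose object is trusted for unconstrained delegation instead of the Kerberos-only constrained setting the slide asks for. The `role` tag decides which of the two slides applies; in practice it would come from whatever inventory identifies the WI and XML broker hosts.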

Page 34: Authentication on XenApp & XenDesktop

Kerberos Auth in XenApp

[Diagram: Client (Winlogon, SSOn, IE, ICA Client Engine), WI, XA (Winlogon, TS / wsxica, IMA), DC, Servers (File Server, Exchange, …). Flow labels: pwd, Authenticate & get TGT, Get svc ticket, Svc ticket, SIDs, Launch ref, Launch ref in .ica file, Launch ref & svc ticket (through Kerberos VC), ok]

Page 35: Authentication on XenApp & XenDesktop

Kerberos Auth in XenDesktop

[Diagram: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine), WI, DDC (IMA / DDC), VDA (Winlogon), DC, Servers (File Server, Exchange, …). Flow labels: pwd, Authenticate & get TGT, Get svc ticket, Svc ticket, SID, Launch ref, Launch ref in .ica file, Launch ref, pwd, Get pwd, ok]

Page 36: Authentication on XenApp & XenDesktop

Troubleshooting Kerberos

Page 37: Authentication on XenApp & XenDesktop

Recap

• Explicit\Prompt Authentication
  • Negotiate on authentication protocol at MS layer.
• Smartcard Authentication
  • XenDesktop and XenApp have a similar architecture
  • New Citrix services for Cert Enumeration, SC removal policy, etc.
• Pass-through Authentication
  • Credential capturing (SSONSVR) or Kerberos Ticket
• Kerberos Authentication
  • No back-end NTLM support. Credential prompt

Page 38: Authentication on XenApp & XenDesktop

For More Information

• Whitepapers: http://www.microsoft.com/windows/server/Technical/security/default.asp
  • Windows 2000 Kerberos Authentication (Microsoft)
  • Windows 2000 Kerberos Interoperability
• Authentication Function: http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx

Page 39: Authentication on XenApp & XenDesktop

Before you leave…

• Recommended related breakout sessions:
  • SUM509 - Integrating single sign-on and smart card authentication with Access Gateway Enterprise Edition
• Session surveys are available online at www.citrixsummit.com starting Thursday, 7 October
  • Provide your feedback and pick up a complimentary gift card at the registration desk
• Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account
