Citrix and ADFS Leverage Active Directory Federation Services in a Presentation Server Environment Jay Tomlin Sr. Technology Specialist Mgr NA Field Readiness 08 December 2006


Page 1

Citrix and ADFS

Leverage Active Directory Federation Services in a Presentation Server Environment

Jay Tomlin, Sr. Technology Specialist Mgr, NA Field Readiness

08 December 2006

Page 2

© 2005 Citrix Systems, Inc.—All rights reserved.

Copyright & Disclaimer

Copyright © 2006, Citrix. Unpublished work of Citrix. All Rights Reserved.

This work is an unpublished work and contains confidential, proprietary, and trade secret information of Citrix. Access to this work is restricted to Citrix employees who have a need to know to perform tasks within the scope of their assignments, or to authorized organizations under a Non-Disclosure Agreement. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer

This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Citrix makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Citrix reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes.

Page 3

Agenda

1. Introduction to Active Directory Federation Services

2. Web Interface ADFS Integration

3. Configuration Walk-through

4. Alternative Deployment Scenarios

5. Q&A

Page 4

Part 1: Introduction to ADFS

Page 5

What is Federation?

A set of standards-based technology & IT processes to facilitate distributed identification, authentication & authorization across boundaries (security, departmental, organizational or platform).

• Users: Fewer passwords, more productivity

• IT: Centralized, automated, delegated user management

• Dev: Leveraged, outsourced service infrastructure

Page 6

Motivations for Federation

[Diagram: "Employees and your Applications" at the centre, surrounded by Remote and Virtual Employees, Customers, Partners and Suppliers. Drivers shown: customer satisfaction & customer intimacy, cost competitiveness, reach, personalization; collaboration, outsourcing, faster business cycles, process automation, value chain; M&A, joint venture, mobile/global workforce, flexible/temp workforce.]

Page 7

Federation Benefits

• Better Access Experience

– Single sign-on across networks & organizational boundaries

• Increased Security & Simpler Administration

– Heightened identity assurance

– No passwords involved

– Account de-activation is handled by the account partner

– Account partner can easily be disabled at the organizational level

– Strong authentication such as user certificates or OTP tokens can be layered on top of the federation claim

Page 8

Federation Solution Components

• Separates authentication and authorization

• User is authenticated in their home domain

• Claims about the user's identity are signed and sent to the web server

• The web server validates incoming claims against its list of account partners

[Diagram: Client; Domain A (Account Partner) with its Federation Service; Domain B (Resource Partner) with its Federation Service and a Web Server running the ADFS Web Agent.]

Page 9

Federation Libation

[Diagram: bar analogy for federation. Labels: Account Partner, Resource Partner, DMV, Bartender, User Principals, Identity assertion, Account Federation Service, Resource Federation Service, Resource.]

Page 10

How ADFS works

1. User points to web server

2. User is redirected to the resource federation server

3. User chooses their home realm

4. User is redirected to their home account federation server for authentication

5. User is redirected back to resource federation server with assertion set

6. Assertion is validated and user is sent back to web server

Page 11

Pseudo Identity Assertion

<SAML>
  <TimeStamp value="2006-12-08 14:31:02GMT" ValidTo="2006-12-08 15:31:02"/>
  <UserName>[email protected]</UserName>
  <Issuer id="urn:federation:acmecorp">
    <Signature>F8/PoUcHh+rx/XfvC0vv0=</Signature>
  </Issuer>
</SAML>

• Identity assertion generated and digitally signed by the account federation server

• Additional custom claims can be added easily

• Timestamp is important—clocks must be synchronized between organizations

• The resource federation service consumes this claim and validates the signature
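An added example (not from the deck, Citrix or Microsoft) of the checks a resource federation service performs on a claim of the shape shown above: the issuer must be on the account-partner list, the signature is verified before anything else in the token is believed, and the validity window is applied with the 5-minute clock tolerance the deck gives under Synchronicity. The HMAC-SHA256 signature and the partner key table are assumptions standing in for the real XML digital signature and the partner's token-signing certificate so that the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed trust list: issuer URN -> verification key. In ADFS this is the
# account partner's token-signing certificate imported from its Trust Policy;
# an HMAC key is used here (assumption) so the example runs offline.
ACCOUNT_PARTNERS = {
    "urn:federation:acmecorp": b"constructed-demo-key-for-acmecorp",
}

# Synchronicity slide: partner clocks must be within 5 minutes of each other.
MAX_CLOCK_SKEW = timedelta(minutes=5)
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_ts(value):
    """Parse the slide's timestamp form, with or without a trailing 'GMT'."""
    text = value.strip()
    if text.endswith("GMT"):
        text = text[:-3].strip()
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)


def fmt_ts(dt):
    return dt.strftime(TS_FORMAT)


def signature_for(key, issued, valid_to, username, issuer):
    """HMAC over the signed fields (stand-in for the XML digital signature)."""
    msg = "|".join([issued, valid_to, username, issuer]).encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def make_assertion(key, username, issuer, issued, lifetime=timedelta(hours=1)):
    """Account-partner side: build an assertion in the slide's pseudo-SAML shape."""
    issued_s = fmt_ts(issued) + "GMT"
    valid_to_s = fmt_ts(issued + lifetime)
    sig = signature_for(key, issued_s, valid_to_s, username, issuer)
    return (
        "<SAML>"
        f'<TimeStamp value="{issued_s}" ValidTo="{valid_to_s}"/>'
        f"<UserName>{username}</UserName>"
        f'<Issuer id="{issuer}"><Signature>{sig}</Signature></Issuer>'
        "</SAML>"
    )


def validate_assertion(xml_text, now):
    """Resource-partner side. Returns (accepted, detail): detail is the asserted
    user name on success, or the rejection reason otherwise."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False, "not well-formed"
    ts = root.find("TimeStamp")
    user = root.find("UserName")
    issuer_el = root.find("Issuer")
    sig = issuer_el.find("Signature") if issuer_el is not None else None
    if ts is None or user is None or issuer_el is None or sig is None:
        return False, "missing element"
    issued_s = ts.get("value", "")
    valid_to_s = ts.get("ValidTo", "")
    issuer = issuer_el.get("id", "")
    username = (user.text or "").strip()

    # 1. Only issuers on the account-partner list are trusted at all.
    key = ACCOUNT_PARTNERS.get(issuer)
    if key is None:
        return False, f"untrusted issuer {issuer!r}"
    # 2. Verify the signature before believing anything else in the token.
    expected = signature_for(key, issued_s, valid_to_s, username, issuer)
    if not hmac.compare_digest(expected, (sig.text or "").strip()):
        return False, "signature mismatch"
    # 3. Only now trust the timestamps; allow the documented clock skew.
    try:
        issued = parse_ts(issued_s)
        valid_to = parse_ts(valid_to_s)
    except ValueError:
        return False, "bad timestamp"
    if issued > now + MAX_CLOCK_SKEW:
        return False, "issued in the future"
    if valid_to < now - MAX_CLOCK_SKEW:
        return False, "expired"
    return True, username


if __name__ == "__main__":
    key = ACCOUNT_PARTNERS["urn:federation:acmecorp"]
    issued = datetime(2006, 12, 8, 14, 31, 2, tzinfo=timezone.utc)
    token = make_assertion(key, "jdoe@acmecorp.example", "urn:federation:acmecorp", issued)
    print(validate_assertion(token, issued + timedelta(minutes=10)))
```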

Page 12

Federation Process in Detail

[Diagram: Client; Domain A (Account Partner) Federation Service; Domain B (Resource Partner) Federation Service and Web Server with ADFS Web Agent. Steps 1 and 2 marked. All connections are HTTPS.]

1. User points to web server

2. ADFS Web Agent redirects user to the Resource Partner Federation Service. User selects their home realm from a list of Account Partners

Page 13

Home Realm Discovery

• The resource partner may have many account partners, so users need to identify which organization they belong to

• This page can be customized or bypassed altogether by giving users a special URL that includes their realm info

• User’s choice is remembered in a cookie, so next time they will not see the home realm discovery page

Page 14

Federation Process in Detail

[Diagram: as on the previous slide, steps 1 to 4 marked. All connections are HTTPS.]

3. User is redirected to their local Federation Service, which authenticates the user and produces an identity claim

4. Client is redirected back to the resource federation server with identity claim set as POST data. Resource Federation Server validates the account claim and then adds a new local identity claim.

Page 15

Federation Process in Detail

[Diagram: as on the previous slides, steps 5 to 7 marked. All connections are HTTPS.]

5. Client is redirected back to the web application Return URL with an identity claim now signed by the resource federation server

6. Web server obtains public key from federation service if necessary and verifies digital signature on the claim

7. ADFS Web Agent produces a valid Kerberos token able to access resources on the web server

Page 16

Federation Service Proxy (FS-P)

• Federation Service Proxy relays messages to the resource partner federation service

• Eliminates the need to expose the federation service to the Internet

• FS-P need not be a domain member

• FS-P contacts Federation Service via HTTPS with Client Certificate authentication

[Diagram: Client; Domain A (Account Partner) Federation Service; DMZ with Federation Service Proxy; Domain B (Resource Partner) with Federation Service and Web Server.]

Page 17

How to install ADFS on W2K3 R2

• Add/Remove Windows Components:

Page 18

Synchronicity

• Federation servers at the account partner and resource partner must have their clocks set within 5 minutes of each other

• For best results, use an Internet time server such as time.nist.gov

• Different time zones don’t matter

Page 19

Certificates Everywhere!

• Account Partner SSL and token-signing certificate + private key

• Account Partner root certificate

• Web Server SSL certificate + private key

• Web Server root certificate

• Resource Partner SSL and token-signing certificate + private key

• Resource Partner root certificate

• FS-P client authentication certificate + private key

• FS-P client authentication certificate (w/o private key)

[Diagram: Client, Account Partner Federation Service, Resource Partner Federation Service, Federation Service Proxy and Web Server, with the certificates above placed on the components that hold them.]

Page 20

Part 2: Web Interface and ADFS

Page 21

Citrix Announces Federation Interoperability

Citrix extends federation benefits

– To rich applications (e.g. SAP R/3 client, mainframe emulator)

– To file shares

– To web apps inside the firewall

Citrix increases federation security

– Provides greater control over data usage

– Allows for increased identity assurance

– Facilitates access logging and auditing across organizations

Page 22

Only Citrix can Federate to Windows Applications

• Identity federation was designed for web applications only

• The ADFS support in Web Interface bridges the gap between web applications and Windows or host-based applications

Citrix uniquely enables federated SSO to Web, Windows and host-based applications

Page 23

The User’s Experience

• Click on a link to the ADFS WI site

• Icons appear without prompting the user

• Applications launch without prompting the user

Page 24

WI ADFS App Enumeration

[Diagram: Client; Domain A (Account Partner) Federation Service; Domain B (CPS Domain) with Federation Service, WI 4.5 with ADFS Web Agent, Presentation Servers and Access Gateway. Steps 1 to 4 marked.]

1. User points to WI

2. ADFS Web Agent redirects user to the Resource Partner Federation Service. User selects their home realm from a list of Account Partners

3. User is redirected to their local Federation Service, which authenticates the user and produces an identity claim

4. Client is redirected back to the resource federation server with identity claim set as POST data. Resource Federation Server validates the account claim and then adds a new local identity claim.

Page 25

WI ADFS App Enumeration

[Diagram: as on the previous slide, steps 5 to 8 marked.]

5. Client is redirected back to the WI Return URL with an identity claim now signed by the resource federation server

6. ADFS Web Agent on WI server obtains public key from federation service if necessary and verifies digital signature on the claim

7. ADFS Web Agent produces a valid Kerberos token for the domain B user shadow account, for whom Presentation Server applications have been published

8. WI uses the Kerberos token to authenticate to the CPS XML Service (requires delegation rights). CPS returns a list of applications to Web Interface

Page 26

WI ADFS App Launch

[Diagram: as on the previous slides, steps 9 to 13 marked; step 13 passes through the Access Gateway.]

9. User clicks app icon, CPS Data Collector determines least-busy server

10. Kerberos ticket for shadow account forwarded to XML broker

11. Kerberos ticket forwarded from XML broker to least-busy server in exchange for WI logon ticket

12. WI generates ICA file with logon ticket; also negotiates AG ticket from STA if necessary. WI sends ICA file to user.

13. Client receives ICA file and connects to CPS (through CAG if necessary). WI logon ticket exchanged for Kerberos token at target server

Page 27

Requirements

• WI and Federation servers must be W2K3 R2

• CPS 4.5 or 4.0 with hotfix rollup #2 or later

– Enable “Trust requests sent to the XML Service”

• Domain functional level must be native Win2K3

– Domain Controllers need not be upgraded to R2

• Alternate UPN suffix must be added to the resource domain, and shadow accounts must be created using the partner’s UPN suffix

– Usernames and passwords are not known by the user

Page 28

Constraints

• Web Interface server must be a domain member

• XML service must be delivered via IIS port sharing

• Revocation information for all certificates must be accessible by all parties

– Best practice: Use a commercial CA

Page 29

Part 3: Configuration Walk-through

Page 30

Demo Environment

[Diagram of the lab; hosts and addresses as labelled on the slide.]

CitrixTraining.com (Account Partner):

• CitrixFSA: Federation Service, 172.16.0.20

• CitrixDC1: Domain Controller, 172.16.0.10

• JOEUSERPC: Win2K Client, 172.16.0.112

Gemini.ctx (Resource Partner):

• GemFSR: Federation Service, 192.168.0.21

• JAYTISA: Domain Controller, 192.168.0.10

• COLORADO: CPS 4.0, STA, 192.168.0.184

• AdfsWI.company.com: WI 4.5 with ADFS Web Agent, Gemini.ctx member, 192.168.0.107

DMZ:

• GemFSP.company.com: Federation Service Proxy, 192.168.0.115

• Access.company.com: Access Gateway 4.5, 192.168.0.215

Page 31

ADFS MMC Snap-in at the Account Partner (CitrixFSA)

Enable Active Directory as an Account Store

Define resource partner (Gemini.ctx)

Endpoint URL is the resource partner’s FS or FS-P server

Page 32

ADFS MMC Snap-in at the Resource Partner (GemFSR)

Define CitrixTraining as an Account Partner by importing their Trust Policy file

Endpoint URL is the internal URL of the Account Partner’s federation service (CitrixFSA)

Enable Active Directory as an Account Store

Page 33

ADFS MMC Snap-in at the Resource Partner (GemFSR)

Change to “Resource accounts exist for all users”

Page 34

Raise Domain Functional Level

• Domain functional level at the resource partner must be native Windows 2003

• All domain controllers in the domain must be Windows Server 2003 or later

Page 35

Configure Delegation on the Web Interface servers

Edit the Delegation properties of each WI computer object in Active Directory

Trust this computer for delegation using any authentication protocol

Add the http service for each CPS XML Broker

Page 36

Configure Delegation on the Presentation servers

Edit the Delegation properties of each Presentation Server computer object in Active Directory

Trust this computer for delegation using Kerberos only

Add the HOST service for this computer; add the cifs and ldap services for domain controllers; add cifs for any file servers users will access
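An added example (not Citrix code) that audits computer objects against the two delegation slides above, and catches the "Web Interface server is not trusted for delegation" cause from the troubleshooting slide. The records are constructed dicts shaped like the userAccountControl and msDS-AllowedToDelegateTo attributes, using the COLORADO and JAYTISA names from the demo environment; in practice they would come from an LDAP query. The role names and expected-target helpers are this example's own assumptions.

```python
# userAccountControl bits (documented Active Directory values).
WORKSTATION_TRUST_ACCOUNT = 0x2000
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation: not wanted here
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"


def expected_targets_wi(xml_brokers):
    """Slide 35: a WI server delegates to the http service of every XML broker."""
    return {f"http/{b}".lower() for b in xml_brokers}


def expected_targets_cps(server, domain_controllers, file_servers=()):
    """Slide 36: HOST for itself, cifs and ldap for each DC, cifs for file servers."""
    targets = {f"HOST/{server}"}
    for dc in domain_controllers:
        targets.update({f"cifs/{dc}", f"ldap/{dc}"})
    for fs in file_servers:
        targets.add(f"cifs/{fs}")
    return {t.lower() for t in targets}


def audit_delegation(record, role, expected_targets):
    """Return a list of findings; an empty list means the object matches the slides.
    role is 'wi' (Web Interface) or 'cps' (Presentation Server)."""
    if role not in ("wi", "cps"):
        raise ValueError("role must be 'wi' or 'cps'")
    name = record["name"]
    uac = record["userAccountControl"]
    # SPN comparison is case-insensitive, so normalise both sides.
    actual = {t.lower() for t in record.get("msDS-AllowedToDelegateTo", [])}
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        findings.append(f"{name}: unconstrained delegation is enabled; use 'specified services only'")
    transition = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
    if role == "wi" and not transition:
        # The Web Agent logs the user on without a password, so WI needs protocol transition.
        findings.append(f"{name}: must be 'any authentication protocol'")
    if role == "cps" and transition:
        findings.append(f"{name}: should be 'Kerberos only'")
    for spn in sorted(expected_targets - actual):
        findings.append(f"{name}: missing delegation target {spn}")
    for spn in sorted(actual - expected_targets):
        findings.append(f"{name}: unexpected delegation target {spn}")
    return findings


# Constructed records (not real directory data), named after the demo environment.
WI_OK = {
    "name": "ADFSWI",
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": ["http/COLORADO"],
}
WI_BAD = {  # never configured for delegation: no apps will enumerate
    "name": "ADFSWI2",
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
    "msDS-AllowedToDelegateTo": [],
}
CPS_OK = {
    "name": "COLORADO",
    "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
    "msDS-AllowedToDelegateTo": ["HOST/COLORADO", "cifs/JAYTISA", "ldap/JAYTISA"],
}
CPS_BAD = {  # unconstrained and protocol transition, neither of which the slide calls for
    "name": "COLORADO2",
    "userAccountControl": (WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION
                           | TRUSTED_TO_AUTH_FOR_DELEGATION),
    "msDS-AllowedToDelegateTo": ["HOST/COLORADO2"],
}


def audit_demo_environment():
    """Audit all constructed records; returns {computer name: findings}."""
    wi_targets = expected_targets_wi(["COLORADO"])
    report = {}
    for rec in (WI_OK, WI_BAD):
        report[rec["name"]] = audit_delegation(rec, "wi", wi_targets)
    for rec in (CPS_OK, CPS_BAD):
        targets = expected_targets_cps(rec["name"], ["JAYTISA"])
        report[rec["name"]] = audit_delegation(rec, "cps", targets)
    return report


if __name__ == "__main__":
    for computer, findings in audit_demo_environment().items():
        print(computer, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```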

Page 37

Add a UPN Suffix for each Account Partner

• In the Resource Domain, run the Active Directory Domains and Trusts snap-in

• Select “Active Directory Domains and Trusts” and view Properties

• Add the account partner’s UPN suffix as an alternate UPN suffix

Page 38

Create Shadow Accounts for Partner Users

• For each account partner user, create a shadow account in the resource partner domain

• Use the account partner’s UPN suffix

• Set the password to anything—the user does not need to know it

• Publish CPS applications to the shadow accounts

Page 39

Create an ADFS-enabled WI site

• During the Create Site task, choose to use ADFS integration

• The ADFS web service refers to the resource partner federation service on the same network as the Presentation Servers

• Use host names or FQDNs for the XML Broker addresses, not IP addresses

Page 40

Define Web Interface Site as an Application at the Resource Partner

Define Web Interface as an Application

Application URL is the external URL of the WI ADFS Site

Page 41

Troubleshooting: No applications enumerated

• Possible causes:

– XML Broker is not integrated into IIS

– Web Interface server is not trusted for delegation

– XML Broker address is configured as an IP address in WI

– ADFS Web Agent is installed on CPS, enabled for /Scripts

Page 42

Part 4: Deployment Scenarios

Page 43

Minimal CPS Deployment

[Diagram: Client; Domain A (Account Partner) Federation Service; Domain B (Resource Partner) with Federation Service, Web Interface 4.5 with ADFS Web Agent, and Presentation Servers.]

Page 44

Internet Deployment

[Diagram: Client on the Internet; Domain A (Account Partner) Federation Service; DMZ with Federation Service Proxy, Access Gateway and WI 4.5; Domain B (Resource Partner) with Federation Service, Presentation Servers and Domain Controller.]

Page 45

Ports needed by WI and ADFS

[Diagram: Internet, DMZ and Intranet zones containing Federation Service Proxy, Access Gateway, WI 4.5, Federation Service, Presentation Servers, Domain Controller and Certificate Authority. Port labels on the links: HTTPS :443 (three links); ICA+SSL :443; LDAP :389; Kerberos :88 UDP and :88 TCP; STA :80 or :443; ICA :1494; CGP :2598; CRL from the Certificate Authority over HTTP :80.]

Other ports are needed for NetLogon, GPOs, etc

Page 46

Partner/Employee shared farm

[Diagram: DMZ Domain (Resource partner) with Web Interface 4.5, Federation Service, Presentation Servers and Access Gateway; account partners Employee Domain, Partner A, Partner B and Partner C, each with its own Federation Service and Client.]

Page 47

Review: Explicit Authentication

[Diagram: User, Web Browser, ICA Client, Access Gateway, WI, XML Service, CPS with CtxGina. Flow labels: A Password; 1 password; 2 password; 3 Logon ticket; 4 Logon ticket; 5 Logon ticket; B STA & Logon tickets; C STA & Logon tickets; D STA ticket; ccticket.]

Page 48

WI ADFS sites leverage Kerberos

[Diagram: same components as the previous slide plus ADFS. Flow labels: A ADFS assertion; 1 Kerberos data; 2 Kerberos data; 3 Logon ticket; 4 Logon ticket; 5 Logon ticket; B STA & Logon tickets; C STA & Logon tickets; D STA ticket; ccticket; Kerberos on the WI, XML Service and CPS links.]

Page 49

Other ways to get a Kerberos token

[Diagram: as on the previous slide, with IIS Integrated Windows Authentication (NTLM) as step A instead of ADFS. Flow labels: 1 Kerberos data; 2 Kerberos data; 3 Logon ticket; 4 Logon ticket; 5 Logon ticket; B STA & Logon tickets; C STA & Logon tickets; D STA ticket; ccticket; Kerberos.]

Page 50

Other ways to get a Kerberos token

[Diagram: as on the previous slide, with IIS Certificate Mapping as step A. Flow labels: 1 Kerberos data; 2 Kerberos data; 3 Logon ticket; 4 Logon ticket; 5 Logon ticket; B STA & Logon tickets; C STA & Logon tickets; D STA ticket; ccticket; Kerberos.]

Page 51

RSA Access Manager with Protocol Transition

[Diagram: as on the previous slides, with RSA ClearTrust as step A (A RSA Passcode). Flow labels: 1 Kerberos data; 2 Kerberos data; 3 Logon ticket; 4 Logon ticket; 5 Logon ticket; B STA & Logon tickets; C STA & Logon tickets; D STA ticket; ccticket; Kerberos.]

Page 52

Ping Identity PingFederate with Protocol Transition

[Diagram: as on the previous slides, with PingFederate as step A (A PING Assertion). Flow labels: 1 Kerberos data; 2 Kerberos data; 3 Logon ticket; 4 Logon ticket; 5 Logon ticket; B STA & Logon tickets; C STA & Logon tickets; D STA ticket; ccticket; Kerberos.]

Page 53

Internal Employee SSO Deployment

[Diagram: Client; Employee Domain (Resource Partner) with Web Interface 4.5 Federated Site and Presentation Servers.]

• 100% Pure Kerberos

• Federation servers not required

• Appsrv.ini changes not required

• Full ICA client not required

• Desktop credentials pass-through not required

sitemgr -c "WIDest=1:/Citrix/Federated,Config=Local, XMLService=COLORADO,XMLSPort=80,Federated=Yes"

Page 54

Soft Certificate Authentication

[Diagram: Client on the Internet; DMZ with Access Gateway; LAN with Web Interface 4.5 Federated Site with client certificate mapping enabled, and Presentation Servers.]

• User has only a browser certificate

• Web Interface IIS maps certificate to an AD account, generates Kerberos token

• WI Federated site consumes Kerberos token

Page 55

Third-party strong authentication

[Diagram: Client on the Internet; DMZ with Access Gateway; LAN with Web Interface 4.5 Federated Site with RSA Access Manager Agent (née ClearTrust), and Presentation Servers.]

• User has only an RSA keyfob—they do not know their AD password

• RSA Access Manager generates Kerberos token for user (protocol transition)

• WI ADFS consumes Kerberos token

• RSA has documented this deployment here

Page 56

Other product integrations

• Secure Gateway or Access Gateway can be used to proxy ICA traffic

– But don’t proxy HTTPS into the LAN

• Password Manager 4.5 CPS agent functions properly with Kerberos logons (blank password; uses Data Protection API instead)

• NetScaler can load-balance multiple WI servers, Federation servers, or Federation Proxy servers

Page 57

High Availability

• Use NetScaler to load-balance multiple WI servers, Federation Service Proxies, and Federation Services

• Web Interface is stateful, so persistence is required

• Federation Service and Federation Service Proxy servers are stateless

• Endpoint URLs and application URLs can be FQDNs that map to a virtual IP

Page 58

NetScaler LB VIPs

[Diagram: Client on the Internet reaching three load-balanced virtual IPs: (1) Web Interface 4.5 Servers, (2) Federation Service Proxy Servers, (3) Federation Service Servers.]

Virtual IP | Persistence | Also known as

1 WI | SSL Session ID | End user URL, Application URL, Return URL

2 FS-P | None required | Federation Service Endpoint URL

3 FS | None required | Federation Service URL

Page 59

Current Issues and pain points

• Web Interface must be a member of the resource domain

• No ADFS-enabled reverse proxy in Access Gateway, so Web Interface must reside in the DMZ

• Applications which should be filtered out due to Access Control filters are not filtered out.

– CPS 4.0 XML Service issue; will be fixed in CPS 4.5

– Users are correctly refused access if they try to connect, but the icon should not appear in the application list

• Delegation must be configured for every Web Interface and Presentation Server, a chore for large farms

Page 60

Any Questions?

[Diagram: Client on the Internet; Domain A (Account Partner) Federation Service; DMZ with Federation Service Proxy, Access Gateway and WI 4.5; Domain B (Resource Partner) with Federation Service, Presentation Servers and Domain Controller.]

Page 61

Good Reading/Viewing

• ADFS TechCenter: http://technet2.microsoft.com/windowsserver/en/technologies/featured/adfs/default.mspx

• Troubleshooting Kerberos Delegation: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx

• Don Schmidt ADFS seminar: http://www.microsoft.com/emea/itsshowtime/sessionl.aspx?videoid=78

• Web Interface with ADFS Support Admin Guide: http://support.citrix.com/article/CTX109702

• Web Interface with ADFS Support FAQ: http://support.citrix.com/article/CTX110118

• RSA Secured Implementation Guide For Portal Servers and Web-Based Applications: http://rsasecurity.agora.com/rsasecured/guides/cleartrust/Citrix_Web_Interface_4_CT553.pdf

• ADFS Forum on support.citrix.com: http://support.citrix.com/forums/forum.jspa?forumID=112

• How to Install Web Interface 4.0 for ADFS on Servers without ADFS (Advanced Kerberos support only): http://support.citrix.com/article/CTX110392
