610 likes | 1.46k Views
Smart Card Everywhere. Lalit Kaushal Escalation Engineer EMEA 25 th October, 2011. Agenda. Business drivers for using smart card Configuring Smart Cards Smart card support architecture in XA/XD Smart Card Client Driver Smart card scenarios SSON Enhancements Tips-N-Tricks
E N D
Smart Card Everywhere Lalit Kaushal Escalation Engineer EMEA 25th October, 2011
Agenda • Business drivers for using smart card • Configuring Smart Cards • Smart card support architecture in XA/XD • Smart Card Client Driver • Smart card scenarios • SSON Enhancements • Tips-N-Tricks • Troubleshooting tools & techniques
Credit\Debit Cards Smart Cards in our life • Control Access (physical and logicalresource) • Citizen ID Card
Business Drivers for using Smart Cards • Strong authentication • Spectrum of requirements • Convenience / speed • Apps using smart card (Outlook, Word, bespoke) • Citizen ID card (in some regions) • Public sector employee ID cards • Legislation / regulation
Requirements • User needs to login / reconnect using a smart card • May be running apps that need to use smart card as well • Often multiple points need authentication • Client Machine (if domain joined) • Access Gateway • Web Interface (in future Delivery Services) • XA or XD • User does not want to enter PIN more than necessary • Security Officer (often) does not like us to cache the PIN • Speed is frequently very important
Configuration – Smartcard XenApp\XenDesktop • Four main components • Certificate Authority • Windows 2000 + Active Directory • Certificate enrolment changes in Windows 2008+ • Web Interface • Latest Web Interface to support new features e.g. AGEE • XenApp Server (VDA for XD) • Client machines • WinXP – Smartcard SSOn possible • Windows 7\Vista - Kerberos require for SSOn
Configuration (Contd.) • Web Interface Server • IIS • Enable the Windows directory service mapper • Citrix Virtual Directory settings: • Require secure channel (SSL) • Accept client certificates (Ignore client certificates if using Pass-through) • Enable client certificate mapping • DSC/WI Console • “Authentication Methods” select “Pass-through with smart card” or “Smart card” • Pass-through only: “Use Kerberos”, if required (Windows 7\Vista Smart card SSON) • Smartcard removal policy settings • Can also be handled at GPO level
Configuration (Cont’d) • XenApp/XenDesktop • Enable “Trust requests sent to the XML Service” • Kerberos • Enable “Trust for Delegation” • Enable “DNS address resolution” • Client Side settings • Use Icaclient ADM template and enable Smartcard Authentication • Allow Smart Card Authentication • Use pass-through for PIN • HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon • Enable Kerberos Authentication for Windows 7\Vista
Important Points... • SSL cert • Kerberos for Smart card Single Sign-on (SSON) • Trust XML • If Kerberos – DNS resolution • ADM template to apply client-side GPOs
Components Personal Computer/Smart Card (PC/SC) subsystem: Governed by the PC/SC workgroup formed in 1996 Operating System component Enforces interoperability among cards and readers made by the different manufacturers. Cryptographic Service Provider (CSP): Leverages Microsoft exposed API’s via the Microsoft Platform SDK for smart card use ActivCard Gemalto AET Smart Card Infrastructure
Smart Card Infrastructure • The CSP provider • implements certain functions • registers itself in the registry • Smart card is inserted into the reader • Windows reads the ATR from the card to determine which CSP to use • Windows uses this information to acquire the appropriate CSP.dll. • CSP.dll file • Makes the PC/SC calls to get information from the smart card.
Host Side (XA\XD) Citrix Hook (ScardHook.dll) Citrix Services (CtxSVCHost, CtxCertPropSvc, etc) CDM (in XA 5 or earlier) End-point (e,g, XP, W7) ICA Client engine – Wfica32 Smart card Client driver – VdScardN.dll Smart Card Components (XA\XD)
Citrix hooking • Final Stage in application launch process • Inject XenApp feature dlls into application processes • Overwrites existing MS functions with XenApp enhanced versions • Useful to implement additional functionality • TWAIN redirection • Virtual IP address • MultiMonitor • Plus many more
Citrix hooking – mfaphook.dll • Windows injects dlls that are part of Appinit_dlls • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs • User32.dll loads this key • On process startup • Citrix binary mfaphook.dll is in this added to this key • Consider mfaphook.dll the parent hook • It chooses which of the children hook to inject into each process
AppInit_dlls injects Mfaphook.dll HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Per feature hooks • Mfaphook will check the registry for a list of feature dll to use • Depending on the flag value mfpahook will inject the dll or not • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls • Flag values • 0x80000000 - All Processes • 0x00000000 - Disable Hook • 0x00000002 - Only for specific processes (subkeys) • 0x00000004 - Remote sessions only
Smart Card Subsystem • Hooking of Microsoft Windows smart card components • Mfaphook injects the defined hooking DLL’s into the published application process’s address space • Scardhook hooks many necessary SCard functions in WinScard.dll and redirects most* of these to client • SCardHook is loaded in RDP session as well • Old way (XA5 and older) • SCardhook.dll • CDM • New way (XA 6 and XD) • No dependency on CDM!!! • Introduced new services to keep hook code cleaner and simpler
Smart Card Client Driver • Routes the host calls to corresponding WinScard API • Win32 and WinCE driver have subtle differences • Memory restrictions on WinCE box • Design optimization in WinCE client smart card driver • String encoding negotiation • Any string manipulation on the host side should be based on the string encoding negotiated with the client. • WinCE client uses Unicode strings while Win32 client uses ASCII strings.
Single Sign-on (SSON) • Domain credentials are supported on all client OS • For Smart Card SSON • XP supports NP APIs • Windows 7\Vista Winlogon doesn’t call NP API, credentials are not feed to SSON • Launching application with SSON enabled: • For domain credentials, ICA file contains the LogonTicket • For Smart Card credentials, wfica32 uses credentials from SSON machinery
Smart Card Core Subsystem Architecture End-Point (e.g. XP) XD/XA Host Remoted calls look like local smart card app Wfica32.exe (ICA Client Engine) Winlogon.exe VDSCardN DLL PC/SC API PC/SC API PC/SC API Winword.exe SCardHook DLL WinSCard DLL (MS) SCardHook DLL No smart card code in the kernel! CtxSvcHost.exe (CtxSmartCardSvc DLL) SCardSvc.exe (MS) User Mode Kernel Mode VC User Mode API (Pica/WTS) Remoting industry standard API SC Reader Driver User Mode Kernel Mode ICA Stack PC/SC (WinSCard) API Remoted over ICA protocol (ICA Smart Card VC Protocol) SC Reader Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit…
Multiple approaches • Different Customers has different requirements • Military Never cache PIN. Don’t care if users must re-enter it • Medical User must never re-enter PIN. Don’t care if it is cached • Lots of technical options • Can trade off quality of login for some customers to reduce reliance on PIN • Password > Smartcard > Full Kerberos > Constrained Kerberos > Tagged Anon > Anonymous • Several well understood techniques, and several potential new techniques • Hardware/OS is an issue • Require different sorts of driver support for different cards on different platforms • Server-side limitations for non-windows machines or shared local/remote use
Authentication Paths • Authentication Steps: • (Optionally) authenticate user to local windows machine with smart card • (Optionally) authenticate user to gateway • Authenticate user to Delivery Services (or WI or WR or PNA) • Authenticate user to Windows Session (XA or XD) • Minimize pin prompts, but keep security officer happy • Can trade of ‘quality’ of ultimate windows login • Smartcard login has ‘full’ credentials • Kerberos Login or even Constrained Kerberos Login may be good enough for some customers/apps.
Options at each step Smart card / Other Client Login PIN Smartcard SSL (SSL/CA) Gateway Login PIN Assertion by Gateway OR Smartcard SSL OR Kerberos WI Login PIN Assertion OR Kerberos OR Protocol Transition WI to XA/XD Ticket OR Kerberos OR Smartcard Login (PC/SC Redirect) Client to XA/XD PIN
Smart Card Solution Summary Desktop Appliance Local Desktop with Apps Domain joined Non-domain joined Domain joined Non-domain joined Windows XP Windows 7 (Vista +) PIN capture not supported Extra PIN prompt ActiveX updated for Windows 7 in next release • PIN capture not supported • Extra PIN prompts • (unless using Kerberos) Multiple PIN prompts (unless using Kerberos PT)
PNA Smart Card – Existing Options Can be domain joined or non-domain joined • Direct smart card • SSL with client auth to WI, smart card logon to ICA host • PIN prompt from OS for PNA • PIN prompt from OS on ICA host • Pass-through with smart card • Kerberos/NTLM auth to WI, smart card logon to ICA host • Windows XP: PIN capture during OS logon one PIN prompt • Windows 7\Vista: no PIN capture during OS logon extra PIN prompt on ICA logon • Pass-through with smart card, Kerberos option • Kerberos auth to WI, Kerberos logon to ICA host (XenApp only) • PIN prompt for OS logon, no PIN capture needed • Hidden XenApp setting can override “Smart card required for interactive logon” policy Must be domain joined Must be domain joined
SSON Enhancements • Fast Connect • For Healthcare organizations • Need Citrix Partners involvement to build the solution • At Web Server authentication point on Services Site • Out-of-Box Single Sign-On support • Already working for Windows XP client • Kerberos is pre-requisite for SSOn on Windows 7\Vista
Fast Connect for Windows • New feature to enable Single Sign-on to support Healthcare organizations • Partners can use Fast Connect APIs to quickly log users into sessions (logon) and just as quickly disconnect sessions (logout). • Available through Citrix Ready Partner • Based on 12.1 ICA Client currently
Benefits of At Web Server Authentication Point • Faster Logons • No Middleware* • Single Sign-on (even on NDJ clients!) • Access Gateway SSO Integration
At Web Server Authentication Point • Same basic requirements as AD FS • Constrained Delegation using Kerberos (explained in WI documentation)
Kerberos Authentication Support Configure Delegation on Web Interface Server Edit the Delegation properties of each WI computer object in Active Directory Trust this computer for delegation using any authentication protocol Add the http service for each XenApp XML Broker
Kerberos Authentication Support Configure Delegation on XenApp (XML) Server Edit the Delegation properties of each XenApp Server computer object in Active Directory Trust this computer for delegation using any authentication protocol Add following: - CIFS - each domain controller(s) HOST - to XenApp server(s) hosting apps LDAP - each domain controller(s)
At Web Server Authentication Point • Same basic requirements as AD FS • Constrained Delegation using Kerberos (explained in WI documentation) • Requires XML port to be shared with IIS • Fully supported on Web Interface site • Currently only supported with a private on Services Site (PNA)
Smartcard SSOn for Windows 7\Vista • Currently not working for Windows 7\Vista • Multiple PIN prompts – multiple customers effected • Are you waiting for it? • Product use • Number of Users\Licenses • Use-case • Feedback will be provided to Product Management
Troubleshooting Questions to Ask - Environment • Type of Smartcard & Reader • USB Smartcard, USB Token, .NET Smartcard, etc • CSP used • MS-Base CSP, Vendor specific (ActivClient, SecMaker, etc) • Are you able to login into machine with smartcard? • Is SC cert accessible inside ICA session • Open ‘Certificates’ snap-ins in MMC • If IE, go to Tools Internet Options Content Certificates
Troubleshooting Questions to Ask - Configuration • Type of authentication Method selected • Smartcard or Smartcard with Pass-through • If Smartcard with Pass-through • Check CTX117239 (Is Kerberos enabled? CTX123611) • If Kerberos is enabled then it will be used always (No fall-back) • Define ‘SmartCardPinPass’ Regkey for Passthru sessions • If XenDesktop - CTX130265 • Understand WinSCard API and their locking behavior
Troubleshooting Questions to Ask - Configuration Ref: - http://msdn.microsoft.com/en-us/library/cc242596(v=PROT.10).aspx
Troubleshooting Questions to Ask – Citizen-ID • Type of CSP use • Usually not use to authenticate to session • Inside ICA session use by application • Is Certificate available inside session • If specific application, understand application behavior • Is CSP has its own PC\SC re-direction mechanism • Belgium Citizen ID has • RDP behavior
Troubleshooting Tools • Vendor-specific tools • GemSafe Toolbox, Mini-Manager, eID viewer, etc • CDFControl • Sys-Internal Tool – Process Explorer • Network Tracing
Troubleshooting Tools – Vendor Specific • Vendor-specific tools • Helpful to see if card readable inside session