410 likes | 666 Views
Authentication on XenApp & XenDesktop. Lalit Kaushal Escalation Engineer EMEA. Agenda. Authentication at WI: Explicit Authentication Pass-through Authentication Smart Card Authentication Anonymous Authentication Kerberos Authentication. Support for several authentication methods
E N D
Authentication on XenApp & XenDesktop Lalit Kaushal Escalation Engineer EMEA
Agenda • Authentication at WI: • Explicit Authentication • Pass-through Authentication • Smart Card Authentication • Anonymous Authentication • Kerberos Authentication
Support for several authentication methods Smart cards, client certificates, RSA SecurID, etc. Support for OS and non-OS credentials stores OS: Active Directory and eDirectory Non-OS: LDAP, RADIUS, 3rd party authentication methods. Leverage Authentication methods supported by Windows: Smartcard support Client certificates support Custom 3rd party authentication mechanisms through GINA extensions. Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services Example: flowing Kerberos tickets between ICA client and XA server. Authentication in XenApp\XenDesktop
3 4 1 2 Kerberos Authentication Service (AS) - Authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication. Key Distribution Centre (KDC) ASTGS Ticket Granting Service (TGS): It grants tickets to TGT holding clients for a specific application server or resource. Ticket Granting Ticket (TGT): This ticket is received from the Authentication Service (SA) that contains the client’s Privilege Attribute Certificate (PAC). Ticket: This ticket is received from the TGS that provides authentication for a specific application server or resource. I am Bob, I need Ticket to get Ticket (TGT) Here’s TGT – Can you decrypt it with your password hash Here’s my TGT – Can you give me Service Ticket Here’s your Service Ticket Here’s my Service Ticket, Auth. me Client\Server session
Kerberos in Windows • All you ever wanted to know about Kerberos:http://technet.microsoft.com/en-us/library/cc772815.aspx
Explicit or Prompt Authentication • Username, password and domain • Optionally includes two-factor authentication such as RSA SecurID • Encoded credentials passed to XML service
Get svc ticket Authenticate & get TGT WI ticket Explicit Auth in XenApp pwd auth Client DC Svc ticket pwd WI ticket pwd pwd Winlogon WI ticket pwd pwd WI ticket in .ica file XML Broker SSOn WI IMA / DDC IE XenApp Winlogon WI ticket ICA Client Engine TS / wsxica Servers (File Server, Exchange, …)
Get svc ticket Authenticate & get TGT WI ticket Explicit Auth in XD pwd auth Client DC pwd WI ticket WI ticket Svc ticket WI ticket pwd pwd Winlogon WI ticket pwd pwd WI ticket in .ica file DDC SSOn WI IMA / DDC pwd IE VDA Desktop Toolbar Winlogon ICA Client Engine VDA Servers (File Server, Exchange, …)
Pass-Through? • Pass-Through Session: • Connecting from within one session to another session on another server • 2 servers • 2 clients • 2 sessions • Pass-Through Authentication\SSON (Single Sign On): • Passing the user credential into the session
Pass-Through Authentication • Pass-through Authentication • Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop. • Users do not need to re-enter their credentials and their resource set appears automatically. • Additionally, you can use Kerberos integrated Windows authentication to connect to server farms • If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on
Pass-Through Authentication • Windows Identity credentials • IWA browser to Web server • User’s SIDs sent to XML service • Client handles authentication to ICA server
Pass-Through Authentication 9 10 9 10 8 2 5 4 4 1-3 6 6 7 7 9 10
ATM card is the most common example You wouldn’t use just one factor to protect your money Multiple factors Something you know Your PIN Something you have Your card What is Multi-Factor Authentication?
Smart Cards 2 – Factor Authentication Something you know Something you have Biometrics Fingerprint readers Retinal Scan Facial Recognition Biopassword Keystroke dynamics Proximity What is Multifactor Authentication?
Smart Card Infrastructure User Applications • Microsoft Architecture DLL’s Resource Manager Smart card Subsystem Drivers Hardware
Smart Card Infrastructure • Cards • Credit card–sized devices • Introduce to Windows by using a vendor-supplied installation program • Installs service provider that registers its interfaces with the Resource Manager • Reader • Attach to peripheral interfaces, e.g. PS/2, PCMCIA and USB Hardware
Smart Card Infrastructure • Device Drivers • Maps functionality to native services that infrastructure provide • Communicates card insertion\removal events to Resource Manager • Provides data communications capabilities to and from the card • Resource Manager • Manage & control all application access • Provide a virtual direct connection to the requested smart card • Service Providers • Provide cryptographic services e.g. key generation, digital signature, bulk encryption—through CryptoAPI • Two categories: cryptographic (CSP) & non-cryptographic • CSPs can be software-only (like MS Base CSP) or hardware-based - cryptographic engine resides on a smart card (SCCP) DLL’s Resource Manager Smart card Subsystem Drivers
Smart Card Authentication • Client certificate and PIN credentials • Certificate authentication browser to web server • User’s SIDs sent to XML service • Client handles authentication to ICA server
Smart Card Core Subsystem Architecture End-Point (e.g. XP) XD/XA Host Wfica32.exe (ICA Client Engine) Winlogon.exe VDSCardN DLL PC/SC API PC/SC API PC/SC API Winword.exe SCardHook DLL WinSCard DLL (MS) SCardHook DLL CtxSvcHost.exe (CtxSmartCardSvc DLL) SCardSvc.exe (MS) User Mode Kernel Mode VC User Mode API (Pica/WTS) SC Reader Driver User Mode Kernel Mode ICA Stack PC/SC (WinSCard) API Remoted over ICA protocol (ICA Smart Card VC Protocol) SC Reader Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit…
Anonymous Authentication • No credentials • XenApp only • Published resources must be explicitly configured for Anonymous authentication
Using Kerberos for Authentication Users can use Kerberos for Explicit\Prompt or Pass-through Authentication. More secure - No password crosses the wire – even encrypted Works with any client logon method Password, smart card, biometrics, etc… Kerberos Authentication
Kerberos Authentication Support Configure Delegation on Web Interface Server Edit the Delegation properties of each WI computer object in Active Directory Trust this computer for delegation using any authentication protocol Add the http service for each XenApp XML Broker
Kerberos Authentication Support Configure Delegation on XenApp (XML) Server Edit the Delegation properties of each XenApp Server computer object in Active Directory Trust this computer for delegation using Kerberos only Add the HOST service for this computer running the XML service
Get svc ticket Get svc ticket Launch ref Get svc ticket Kerberos Auth in XenApp ok Client DC Launch ref in .ica file Svc ticket Svc ticket Launch ref & svc ticket (through Kerberos VC) Authenticate & get TGT SIDs Winlogon Launch ref Launch ref pwd Svc ticket pwd XA SSOn WI IMA IE Winlogon ICA Client Engine TS / wsxica Servers (File Server, Exchange, …)
Get svc ticket Authenticate & get TGT Launch ref Get svc ticket Kerberos Auth in XenDesktop Get pwd ok pwd Client DC Launch ref in .ica file Svc ticket Authenticate & get TGT Launch ref, pwd Launch ref Launch ref pwd SID Winlogon Launch ref pwd Svc ticket pwd DDC SSOn WI IMA / DDC IE VDA Desktop Toolbar Winlogon ICA Client Engine VDA Servers (File Server, Exchange, …)
Recap • Explicit\Prompt Authentication • Negotiate on Authentication protocol at MS layer. • Smartcard Authentication • XenDesktop and XenApp has similar architecture • New Citrix services for Cert Enumeration, SC removal policy, etc • Pass-through Authentication • Credential capturing (SSONSVR) or Kerberos Ticket • Kerberos Authentication • No Back-end NTLM support. Credential prompt
Whitepapershttp://www.microsoft.com/windows/server/Technical/security/default.aspWhitepapershttp://www.microsoft.com/windows/server/Technical/security/default.asp Windows 2000 Kerberos Authentication Microsoft Windows 2000 Kerberos Interoperability Authentication Function http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx For More Information
Recommended related breakout sessions: SUM509 - Integrating single sign-on and smart card authentication with Access Gateway Enterprise Edition Session surveys are available online at www.citrixsummit.com starting Thursday, 7 October Provide your feedback and pick up a complimentary gift card at the registration desk Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account Before you leave…