Smart Card Single Sign On with Access Gateway Enterprise Edition. Nicolas Ogor, Escalation Engineer. 06/10/10. Agenda: Introduction of Access Gateway Enterprise Edition; What's new in Web Interface 5.3?; Configuration; Limitations and solutions; Troubleshooting.
Smart Card Single Sign On with Access Gateway Enterprise Edition Nicolas Ogor, Escalation Engineer. 06/10/10
Agenda • Introduction of Access Gateway Enterprise Edition. • What's new in Web Interface 5.3? • Configuration. • Limitations and solutions. • Troubleshooting.
Introduction of Access Gateway Enterprise Edition • Combines your traditional IPSec VPN and Secure Gateway into a single appliance. • Easy to configure with XenApp and XenDesktop. • Supports up to 10,000 concurrent connections. • Physical and virtual versions available.
New enhancements and features in this release • Pass-through with smart card from the Access Gateway. • Support for 32-bit color. • XenApp farm migration. • Multiple launch prevention. • Support for Windows Server 2008 R2.
How does the Pass-through work? • Web Interface uses the Protocol Transition Service with the user and domain name parameters to obtain an instance of the .NET WindowsIdentity class from the Domain Controller. • This .NET object represents the user's logon session. It is used to create a WindowsToken that can authenticate the user.
Diagram (animated over several slides in the original; parties: User, AGEE, Web Interface, Domain Controller, XenApp; steps in the order the labels appear):
1. User → AGEE over HTTPS; AGEE performs certificate validation of the smart card certificate.
2. AGEE → Web Interface: Citrix AGBasic authentication, no password.
3. Web Interface → local PTS service: username and domain name.
4. PTS service → Domain Controller: S4U.
5. Domain Controller → Web Interface: .NET WindowsIdentity class.
6. Web Interface → XenApp: XML.
7. XenApp → Web Interface: application list.
8. Web Interface → User over HTTPS.
Certificate Authority • Install a Certificate Authority in the domain. • Open MMC, then select Certificate Authority and Certificate Templates. • Duplicate the Smart card logon template. • Select your CSP.
Certificate Authority • Issue the Certificate template created previously to be available for users.
Client computer • Install your CSP software on your computer. • Log on to your Certificate Authority. • Select the Certificate template and CSP vendor. • The certificate will be installed on the smart card.
XenApp and Web Interface requirements • XenApp and Web Interface servers must be domain members. • The XenApp XML service must be running with IIS on the servers chosen as XML brokers and STA servers. • XenApp versions 4.5 and 5 are currently supported. • Web Interface 5.3 or later must be used. • The Active Directory domain functional level must be 2003 or 2008.
Setup delegation on your domain • Delegation definition: some server services require access to a second server. In order to establish a session with the second server, the primary server must be authenticated on behalf of the client's user account and authority level.
Setup delegation on your domain (Kerberos delegation flow, animated over several slides in the original):
1. Client provides credentials and the domain controller returns a Kerberos TGT to the client.
2. Client uses the TGT to request a service ticket to connect to Server 1.
3. Client connects to Server 1 and provides both the TGT and the service ticket.
4. Server 1 uses the client's TGT to request a service ticket so Server 1 can connect to Server 2.
5. Server 1 connects to Server 2 using the client's credentials.
Setup delegation on your domain • Web Interface must delegate the http service to the XML broker. • The XML broker must delegate the http service to itself and the host service to all XenApp servers in the farm. • Each XenApp server must delegate the cifs and ldap services to the Domain Controllers, the host service to itself, and the http service to the XML broker.
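The three delegation rules above, scripted as constrained delegation with protocol transition and followed by an audit of which machine accounts are trusted to delegate. This is an added example, not Citrix's or the presenter's own code; the server names, domain name and the use of the ActiveDirectory PowerShell module are assumptions, and it should be run by a domain admin against a test domain first.

```powershell
# Added example (not from the presentation). Assumed names: replace with your own.
Import-Module ActiveDirectory

$Domain    = 'corp.example'            # assumed DNS domain name
$WebIf     = 'WI01'                    # assumed Web Interface server
$XmlBroker = 'XA-BROKER01'             # assumed XML broker (also a farm member)
$XenApp    = @('XA-BROKER01', 'XA02')  # assumed XenApp farm members
$DCs       = @('DC01', 'DC02')         # assumed domain controllers

# "service/host" SPNs in short and FQDN form, as the Delegation tab writes them.
function Get-DelegationSpn([string]$Service, [string[]]$Hosts) {
    foreach ($h in $Hosts) { "$Service/$h"; "$Service/$h.$Domain" }
}

# Accumulate targets per computer so a host that plays two roles (the XML
# broker is also a XenApp server) gets the union, not the last rule only.
$Plan = @{}
function Add-Plan([string]$Computer, [string[]]$Spns) {
    $Plan[$Computer] = @($Plan[$Computer]) + $Spns | Where-Object { $_ } | Select-Object -Unique
}

Add-Plan $WebIf     (Get-DelegationSpn 'http' $XmlBroker)
Add-Plan $XmlBroker ((Get-DelegationSpn 'http' $XmlBroker) + (Get-DelegationSpn 'host' $XenApp))
foreach ($xa in $XenApp) {
    Add-Plan $xa ((Get-DelegationSpn 'cifs' $DCs) + (Get-DelegationSpn 'ldap' $DCs) +
                  (Get-DelegationSpn 'host' $xa)  + (Get-DelegationSpn 'http' $XmlBroker))
}

# Constrained delegation: msDS-AllowedToDelegateTo limits the targets; protocol
# transition ("use any authentication protocol") is required because the smart
# card user never hands Web Interface a password or a Kerberos ticket (S4U2Self).
foreach ($entry in $Plan.GetEnumerator()) {
    Set-ADComputer -Identity $entry.Key -Replace @{ 'msDS-AllowedToDelegateTo' = $entry.Value }
    Set-ADAccountControl -Identity $entry.Key -TrustedToAuthForDelegation $true
}

# Audit: every computer allowed to delegate, its targets, and whether it is
# unconstrained (TrustedForDelegation with no target list), which this design
# never needs and which should be treated as a misconfiguration.
Get-ADComputer -Filter * -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Where-Object { $_.TrustedForDelegation -or $_.TrustedToAuthForDelegation } |
    ForEach-Object {
        [pscustomobject]@{
            Computer      = $_.Name
            ProtocolTrans = [bool]$_.TrustedToAuthForDelegation
            Unconstrained = [bool]($_.TrustedForDelegation -and -not $_.'msDS-AllowedToDelegateTo')
            Targets       = ($_.'msDS-AllowedToDelegateTo' -join ', ')
        }
    } | Format-Table -AutoSize
```

The audit section can be run on its own on a schedule: any row with Unconstrained set to True, or a Targets list wider than the three rules above, is worth a ticket.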
Access Gateway configuration • Create a Virtual Server and associate a server certificate. • Bind the root certificate as a Root Certificate Authority on the Virtual server.
Access Gateway configuration • In the Virtual server properties, enable client authentication and set Client Certificate to Optional.
Access Gateway configuration • Create an authentication profile of type certificate. • Under the User Name field specify the certificate attribute to extract.
Access Gateway configuration • Create a session profile that will redirect users to the Web Interface after successful authentication. • Specify the NetBIOS name of your domain for the Single Sign-on domain. • Bind the session profile to your Virtual server.
Web Interface Site • Install a server certificate on the Web Server. • Create a site and specify the path of the Web site.
Web Interface Site • Set the authentication to take place at the Access Gateway and select the option "Enable Smart Card pass-through".
Web Interface Site • Once the site is created, you must restart your Web Interface server.
Web Interface Site • Specify your XML broker.
Web Interface Site • Finish the Web Interface site configuration and restart the Web Interface server.
Web Interface Site • Check if the Protocol Transition Service is running.
Web Interface Site • Configure Secure Access to go through the Gateway.
Web Interface Site • Specify the FQDN of your Access Gateway Virtual Server.
Web Interface Site • Specify the Secure Ticket Authority servers on the Web Interface and AGEE.
PIN prompt when launching a Published Application • Cause: the user receives a PIN prompt when hitting the AGEE Virtual server with the ICA client because the Client Certificate option is set to On.