1 / 58

Smart Card Everywhere

Smart Card Everywhere. Lalit Kaushal Escalation Engineer EMEA 25 th October, 2011. Agenda. Business drivers for using smart card Configuring Smart Cards Smart card support architecture in XA/XD Smart Card Client Driver Smart card scenarios SSON Enhancements Tips-N-Tricks

palmer-luna
Download Presentation

Smart Card Everywhere

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Smart Card Everywhere Lalit Kaushal Escalation Engineer EMEA 25th October, 2011

  2. Agenda • Business drivers for using smart card • Configuring Smart Cards • Smart card support architecture in XA/XD • Smart Card Client Driver • Smart card scenarios • SSON Enhancements • Tips-N-Tricks • Troubleshooting tools & techniques

  3. Credit\Debit Cards Smart Cards in our life • Control Access (physical and logicalresource) • Citizen ID Card

  4. Business Drivers for using Smart Cards • Strong authentication • Spectrum of requirements • Convenience / speed • Apps using smart card (Outlook, Word, bespoke) • Citizen ID card (in some regions) • Public sector employee ID cards • Legislation / regulation

  5. Requirements • User needs to login / reconnect using a smart card • May be running apps that need to use smart card as well • Often multiple points need authentication • Client Machine (if domain joined) • Access Gateway • Web Interface (in future Delivery Services) • XA or XD • User does not want to enter PIN more than necessary • Security Officer (often) does not like us to cache the PIN • Speed is frequently very important

  6. Configuring Smartcard

  7. Configuration – Smartcard XenApp\XenDesktop • Four main components • Certificate Authority • Windows 2000 + Active Directory • Certificate enrolment changes in Windows 2008+ • Web Interface • Latest Web Interface to support new features e.g. AGEE • XenApp Server (VDA for XD) • Client machines • WinXP – Smartcard SSOn possible • Windows 7\Vista - Kerberos require for SSOn

  8. Configuration (Contd.) • Web Interface Server • IIS • Enable the Windows directory service mapper • Citrix Virtual Directory settings: • Require secure channel (SSL) • Accept client certificates (Ignore client certificates if using Pass-through) • Enable client certificate mapping • DSC/WI Console • “Authentication Methods” select “Pass-through with smart card” or “Smart card” • Pass-through only: “Use Kerberos”, if required (Windows 7\Vista Smart card SSON) • Smartcard removal policy settings • Can also be handled at GPO level

  9. Configuration (Cont’d) • XenApp/XenDesktop • Enable “Trust requests sent to the XML Service” • Kerberos • Enable “Trust for Delegation” • Enable “DNS address resolution” • Client Side settings • Use Icaclient ADM template and enable Smartcard Authentication • Allow Smart Card Authentication • Use pass-through for PIN • HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon • Enable Kerberos Authentication for Windows 7\Vista

  10. Important Points... • SSL cert • Kerberos for Smart card Single Sign-on (SSON) • Trust XML • If Kerberos – DNS resolution • ADM template to apply client-side GPOs

  11. HDX Smart Card Remoting(Deep-Dive)

  12. Components Personal Computer/Smart Card (PC/SC) subsystem: Governed by the PC/SC workgroup formed in 1996 Operating System component Enforces interoperability among cards and readers made by the different manufacturers. Cryptographic Service Provider (CSP): Leverages Microsoft exposed API’s via the Microsoft Platform SDK for smart card use ActivCard Gemalto AET Smart Card Infrastructure

  13. Smart Card Infrastructure • The CSP provider • implements certain functions • registers itself in the registry • Smart card is inserted into the reader • Windows reads the ATR from the card to determine which CSP to use • Windows uses this information to acquire the appropriate CSP.dll. • CSP.dll file • Makes the PC/SC calls to get information from the smart card.

  14. Host Side (XA\XD) Citrix Hook (ScardHook.dll) Citrix Services (CtxSVCHost, CtxCertPropSvc, etc) CDM (in XA 5 or earlier) End-point (e,g, XP, W7) ICA Client engine – Wfica32 Smart card Client driver – VdScardN.dll Smart Card Components (XA\XD)

  15. Hooking – MfApHook (SCardHook)

  16. Citrix hooking • Final Stage in application launch process • Inject XenApp feature dlls into application processes • Overwrites existing MS functions with XenApp enhanced versions • Useful to implement additional functionality • TWAIN redirection • Virtual IP address • MultiMonitor • Plus many more

  17. Citrix hooking – mfaphook.dll • Windows injects dlls that are part of Appinit_dlls • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs • User32.dll loads this key • On process startup • Citrix binary mfaphook.dll is in this added to this key • Consider mfaphook.dll the parent hook • It chooses which of the children hook to inject into each process

  18. AppInit_dlls injects Mfaphook.dll HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

  19. Per feature hooks • Mfaphook will check the registry for a list of feature dll to use • Depending on the flag value mfpahook will inject the dll or not • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls • Flag values • 0x80000000 - All Processes • 0x00000000 - Disable Hook • 0x00000002 - Only for specific processes (subkeys) • 0x00000004 - Remote sessions only

  20. Smart Card Subsystem • Hooking of Microsoft Windows smart card components • Mfaphook injects the defined hooking DLL’s into the published application process’s address space • Scardhook hooks many necessary SCard functions in WinScard.dll and redirects most* of these to client • SCardHook is loaded in RDP session as well • Old way (XA5 and older) • SCardhook.dll • CDM • New way (XA 6 and XD) • No dependency on CDM!!! • Introduced new services to keep hook code cleaner and simpler

  21. Smart Card Client Driver • Routes the host calls to corresponding WinScard API • Win32 and WinCE driver have subtle differences • Memory restrictions on WinCE box • Design optimization in WinCE client smart card driver • String encoding negotiation • Any string manipulation on the host side should be based on the string encoding negotiated with the client. • WinCE client uses Unicode strings while Win32 client uses ASCII strings.

  22. Single Sign-on (SSON) • Domain credentials are supported on all client OS • For Smart Card SSON • XP supports NP APIs • Windows 7\Vista Winlogon doesn’t call NP API, credentials are not feed to SSON • Launching application with SSON enabled: • For domain credentials, ICA file contains the LogonTicket • For Smart Card credentials, wfica32 uses credentials from SSON machinery

  23. Smart Card Core Subsystem Architecture End-Point (e.g. XP) XD/XA Host Remoted calls look like local smart card app Wfica32.exe (ICA Client Engine) Winlogon.exe VDSCardN DLL PC/SC API PC/SC API PC/SC API Winword.exe SCardHook DLL WinSCard DLL (MS) SCardHook DLL No smart card code in the kernel! CtxSvcHost.exe (CtxSmartCardSvc DLL) SCardSvc.exe (MS) User Mode Kernel Mode VC User Mode API (Pica/WTS) Remoting industry standard API SC Reader Driver User Mode Kernel Mode ICA Stack PC/SC (WinSCard) API Remoted over ICA protocol (ICA Smart Card VC Protocol) SC Reader Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit…

  24. Current Support Scenarios

  25. Multiple approaches • Different Customers has different requirements • Military  Never cache PIN. Don’t care if users must re-enter it • Medical  User must never re-enter PIN. Don’t care if it is cached • Lots of technical options • Can trade off quality of login for some customers to reduce reliance on PIN • Password > Smartcard > Full Kerberos > Constrained Kerberos > Tagged Anon > Anonymous • Several well understood techniques, and several potential new techniques • Hardware/OS is an issue • Require different sorts of driver support for different cards on different platforms • Server-side limitations for non-windows machines or shared local/remote use

  26. Authentication Paths • Authentication Steps: • (Optionally) authenticate user to local windows machine with smart card • (Optionally) authenticate user to gateway • Authenticate user to Delivery Services (or WI or WR or PNA) • Authenticate user to Windows Session (XA or XD) • Minimize pin prompts, but keep security officer happy • Can trade of ‘quality’ of ultimate windows login • Smartcard login has ‘full’ credentials • Kerberos Login or even Constrained Kerberos Login may be good enough for some customers/apps.

  27. Options at each step Smart card / Other Client Login PIN Smartcard SSL (SSL/CA) Gateway Login PIN Assertion by Gateway OR Smartcard SSL OR Kerberos WI Login PIN Assertion OR Kerberos OR Protocol Transition WI to XA/XD Ticket OR Kerberos OR Smartcard Login (PC/SC Redirect) Client to XA/XD PIN

  28. Smart Card Solution Summary Desktop Appliance Local Desktop with Apps Domain joined Non-domain joined Domain joined Non-domain joined Windows XP Windows 7 (Vista +) PIN capture not supported  Extra PIN prompt ActiveX updated for Windows 7 in next release • PIN capture not supported • Extra PIN prompts • (unless using Kerberos) Multiple PIN prompts (unless using Kerberos PT)

  29. PNA Smart Card – Existing Options Can be domain joined or non-domain joined • Direct smart card • SSL with client auth to WI, smart card logon to ICA host • PIN prompt from OS for PNA • PIN prompt from OS on ICA host • Pass-through with smart card • Kerberos/NTLM auth to WI, smart card logon to ICA host • Windows XP: PIN capture during OS logon  one PIN prompt • Windows 7\Vista: no PIN capture during OS logon  extra PIN prompt on ICA logon • Pass-through with smart card, Kerberos option • Kerberos auth to WI, Kerberos logon to ICA host (XenApp only) • PIN prompt for OS logon, no PIN capture needed • Hidden XenApp setting can override “Smart card required for interactive logon” policy Must be domain joined Must be domain joined

  30. SSON Enhancements

  31. SSON Enhancements • Fast Connect • For Healthcare organizations • Need Citrix Partners involvement to build the solution • At Web Server authentication point on Services Site • Out-of-Box Single Sign-On support • Already working for Windows XP client • Kerberos is pre-requisite for SSOn on Windows 7\Vista

  32. Fast Connect for Windows • New feature to enable Single Sign-on to support Healthcare organizations • Partners can use Fast Connect APIs to quickly log users into sessions (logon) and just as quickly disconnect sessions (logout). • Available through Citrix Ready Partner • Based on 12.1 ICA Client currently

  33. Benefits of At Web Server Authentication Point • Faster Logons • No Middleware* • Single Sign-on (even on NDJ clients!) • Access Gateway SSO Integration

  34. At Web Server Authentication Point • Same basic requirements as AD FS • Constrained Delegation using Kerberos (explained in WI documentation)

  35. Kerberos Authentication Support Configure Delegation on Web Interface Server Edit the Delegation properties of each WI computer object in Active Directory Trust this computer for delegation using any authentication protocol Add the http service for each XenApp XML Broker

  36. Kerberos Authentication Support Configure Delegation on XenApp (XML) Server Edit the Delegation properties of each XenApp Server computer object in Active Directory Trust this computer for delegation using any authentication protocol Add following: - CIFS - each domain controller(s) HOST - to XenApp server(s) hosting apps LDAP - each domain controller(s)

  37. At Web Server Authentication Point • Same basic requirements as AD FS • Constrained Delegation using Kerberos (explained in WI documentation) • Requires XML port to be shared with IIS • Fully supported on Web Interface site • Currently only supported with a private on Services Site (PNA)

  38. Smartcard SSOn for Windows 7\Vista • Currently not working for Windows 7\Vista • Multiple PIN prompts – multiple customers effected • Are you waiting for it? • Product use • Number of Users\Licenses • Use-case • Feedback will be provided to Product Management

  39. Tips-N-Tricks(Troubleshooting tools & techniques)

  40. Certificate Requirement

  41. Troubleshooting Questions to Ask - Environment • Type of Smartcard & Reader • USB Smartcard, USB Token, .NET Smartcard, etc • CSP used • MS-Base CSP, Vendor specific (ActivClient, SecMaker, etc) • Are you able to login into machine with smartcard? • Is SC cert accessible inside ICA session • Open ‘Certificates’ snap-ins in MMC • If IE, go to  Tools  Internet Options  Content  Certificates

  42. Troubleshooting Questions to Ask - Configuration • Type of authentication Method selected • Smartcard or Smartcard with Pass-through • If Smartcard with Pass-through • Check CTX117239 (Is Kerberos enabled? CTX123611) • If Kerberos is enabled then it will be used always (No fall-back) • Define ‘SmartCardPinPass’ Regkey for Passthru sessions • If XenDesktop - CTX130265 • Understand WinSCard API and their locking behavior

  43. Troubleshooting Questions to Ask - Configuration Ref: - http://msdn.microsoft.com/en-us/library/cc242596(v=PROT.10).aspx

  44. Troubleshooting Questions to Ask – Citizen-ID • Type of CSP use • Usually not use to authenticate to session • Inside ICA session use by application • Is Certificate available inside session • If specific application, understand application behavior • Is CSP has its own PC\SC re-direction mechanism • Belgium Citizen ID has • RDP behavior

  45. Troubleshooting Smart Card

  46. Troubleshooting Tools • Vendor-specific tools • GemSafe Toolbox, Mini-Manager, eID viewer, etc • CDFControl • Sys-Internal Tool – Process Explorer • Network Tracing

  47. Troubleshooting Tools – Vendor Specific • Vendor-specific tools • Helpful to see if card readable inside session

More Related