
Authentication on XenApp & XenDesktop



Presentation Transcript


  1. Authentication on XenApp & XenDesktop. Lalit Kaushal, Escalation Engineer EMEA

  2. Agenda
  • Authentication at WI:
    • Explicit Authentication
    • Pass-through Authentication
    • Smart Card Authentication
    • Anonymous Authentication
    • Kerberos Authentication

  3. Authentication in XenApp\XenDesktop
  • Support for several authentication methods: smart cards, client certificates, RSA SecurID, etc.
  • Support for OS and non-OS credential stores
    • OS: Active Directory and eDirectory
    • Non-OS: LDAP, RADIUS, 3rd party authentication methods
  • Leverage authentication methods supported by Windows:
    • Smartcard support
    • Client certificate support
    • Custom 3rd party authentication mechanisms through GINA extensions
  • Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services
    • Example: flowing Kerberos tickets between ICA client and XA server

  4. Kerberos
  • Key Distribution Centre (KDC): made up of the Authentication Service (AS) and the Ticket Granting Service (TGS).
  • Authentication Service (AS): authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication.
  • Ticket Granting Service (TGS): grants tickets to TGT-holding clients for a specific application server or resource.
  • Ticket Granting Ticket (TGT): received from the Authentication Service (AS); contains the client's Privilege Attribute Certificate (PAC).
  • Ticket: received from the TGS; provides authentication for a specific application server or resource.
  Exchange shown in the diagram (steps 1 to 4 are labelled in the figure):
  • Step 1, client to AS: "I am Bob, I need a Ticket to get a Ticket (TGT)"
  • Step 2, AS to client: "Here's the TGT – can you decrypt it with your password hash?"
  • Step 3, client to TGS: "Here's my TGT – can you give me a Service Ticket?"
  • Step 4, TGS to client: "Here's your Service Ticket"
  • Step 5, client to server: "Here's my Service Ticket, authenticate me" – Client\Server session
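The five-step exchange on this slide as an added toy model (not code from the presentation or from Citrix): a key derived from the password stands in for the Kerberos string-to-key step, a hash-based stream cipher with an HMAC tag stands in for Kerberos encryption, and the principal names are constructed. It shows why step 2 only works with the right password hash and why the server in step 5 never sees a password.

```python
import hashlib, hmac, json, os

def key_from_password(pw):            # stands in for the Kerberos string-to-key step (password hash)
    return hashlib.sha256(pw.encode()).digest()

def keystream(key, nonce, n):         # toy counter-mode keystream, at least n bytes long
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, data):                  # toy authenticated encryption: XOR keystream, then HMAC tag
    nonce, plain = os.urandom(16), json.dumps(data).encode()
    body = bytes(p ^ s for p, s in zip(plain, keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key, blob):                # rejects (ValueError) when the key is wrong: tag does not verify
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("cannot decrypt: wrong key")
    return json.loads(bytes(b ^ s for b, s in zip(body, keystream(key, nonce, len(body)))))

class KDC:
    """AS + TGS of slide 4. Knows every principal's long-term key; seals TGTs with its own key."""
    def __init__(self, principal_keys):
        self.keys, self.krbtgt = principal_keys, os.urandom(32)
    def as_exchange(self, user):      # steps 1-2: TGT plus the session key sealed under the user's key
        sk = os.urandom(16).hex()
        return seal(self.krbtgt, {"user": user, "sk": sk}), seal(self.keys[user], {"sk": sk})
    def tgs_exchange(self, tgt, authenticator, service):   # steps 3-4: TGT in, service ticket out
        t = unseal(self.krbtgt, tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        ssk = os.urandom(16).hex()
        return seal(self.keys[service], {"user": t["user"], "sk": ssk}), seal(bytes.fromhex(t["sk"]), {"sk": ssk})

def service_accepts(service_key, ticket, authenticator):   # step 5: the server only needs its own key
    t = unseal(service_key, ticket)
    return unseal(bytes.fromhex(t["sk"]), authenticator)["user"] == t["user"]

def client_logon(kdc, user, password, service):
    """Whole flow for one user; raises ValueError at step 2 if the password hash is wrong."""
    tgt, enc = kdc.as_exchange(user)
    sk = bytes.fromhex(unseal(key_from_password(password), enc)["sk"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"user": user}), service)
    ssk = bytes.fromhex(unseal(sk, enc2)["sk"])
    return service_accepts(kdc.keys[service], ticket, seal(ssk, {"user": user}))

# constructed principals: Bob's key comes from his password, the service has a random key
KDC_DEMO = KDC({"bob": key_from_password("correct horse"), "http/xmlbroker": os.urandom(32)})
```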

  5. Kerberos Delegation

  6. Kerberos in Windows
  • All you ever wanted to know about Kerberos: http://technet.microsoft.com/en-us/library/cc772815.aspx

  7. Explicit or Prompt Authentication

  8. Explicit or Prompt Authentication
  • Username, password and domain
  • Optionally includes two-factor authentication such as RSA SecurID
  • Encoded credentials passed to XML service

  9. Explicit Auth in XenApp
  [Flow diagram; only its labels survive.] Components: Client (IE, ICA Client Engine, Winlogon, SSOn), WI, XML Broker, IMA / DDC, DC, XenApp (Winlogon, TS / wsxica), Servers (File Server, Exchange, …). Flows: pwd auth; Authenticate & get TGT; Get svc ticket; Svc ticket; pwd; WI ticket; WI ticket in .ica file.

  10. Explicit Auth in XD
  [Flow diagram; only its labels survive.] Components: Client (IE, ICA Client Engine, Winlogon, SSOn), WI, DDC, IMA / DDC, DC, VDA (Desktop Toolbar, Winlogon), Servers (File Server, Exchange, …). Flows: pwd auth; Authenticate & get TGT; Get svc ticket; Svc ticket; pwd; WI ticket; WI ticket in .ica file.

  11. Troubleshooting Explicit

  12. Pass-through Authentication

  13. Pass-Through?
  • Pass-Through Session:
    • Connecting from within one session to another session on another server
    • 2 servers, 2 clients, 2 sessions
  • Pass-Through Authentication\SSON (Single Sign On):
    • Passing the user credential into the session

  14. Pass-Through Authentication
  • Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop.
  • Users do not need to re-enter their credentials and their resource set appears automatically.
  • Additionally, you can use Kerberos integrated Windows authentication to connect to server farms.
  • If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.

  15. Pass-Through Authentication
  • Windows Identity credentials
  • IWA browser to Web server
  • User's SIDs sent to XML service
  • Client handles authentication to ICA server

  16. Pass-Through Authentication
  [Flow diagram; only its step numbers 1-10 survive.]

  17. Troubleshooting Pass-Through

  18. SmartCard Authentication

  19. What is Multi-Factor Authentication?
  • ATM card is the most common example
  • You wouldn't use just one factor to protect your money
  • Multiple factors:
    • Something you know: your PIN
    • Something you have: your card

  20. What is Multifactor Authentication?
  • Smart Cards: 2-factor authentication
    • Something you know
    • Something you have
  • Biometrics: fingerprint readers, retinal scan, facial recognition
  • Biopassword: keystroke dynamics
  • Proximity

  21. Smart Card Infrastructure
  • Microsoft Architecture, top to bottom: User Applications, DLLs (service providers), Resource Manager, Drivers, Hardware. Resource Manager and Drivers together form the Smart Card Subsystem.

  22. Smart Card Infrastructure – Hardware
  • Cards
    • Credit card–sized devices
    • Introduced to Windows by using a vendor-supplied installation program
    • Installs a service provider that registers its interfaces with the Resource Manager
  • Readers
    • Attach to peripheral interfaces, e.g. PS/2, PCMCIA and USB

  23. Smart Card Infrastructure – Drivers, Resource Manager, DLLs
  • Device Drivers
    • Map card functionality to the native services that the infrastructure provides
    • Communicate card insertion\removal events to the Resource Manager
    • Provide data communications capabilities to and from the card
  • Resource Manager
    • Manages & controls all application access
    • Provides a virtual direct connection to the requested smart card
  • Service Providers
    • Provide cryptographic services, e.g. key generation, digital signature, bulk encryption, through CryptoAPI
    • Two categories: cryptographic (CSP) & non-cryptographic
    • CSPs can be software-only (like the MS Base CSP) or hardware-based, where the cryptographic engine resides on a smart card (SCCP)

  24. Windows logon – Smart Card

  25. Smart Card Authentication
  • Client certificate and PIN credentials
  • Certificate authentication browser to web server
  • User's SIDs sent to XML service
  • Client handles authentication to ICA server

  26. Smart Card Core Subsystem Architecture
  [Architecture diagram; only its labels survive.] End-Point (e.g. XP): Wfica32.exe (ICA Client Engine) with VDSCardN DLL, WinSCard DLL (MS), SCardSvc.exe (MS) in user mode, SC Reader Driver in kernel mode, SC Reader. XD/XA Host: Winlogon.exe and Winword.exe calling the PC/SC API, SCardHook DLL, CtxSvcHost.exe (CtxSmartCardSvc DLL), VC User Mode API (Pica/WTS) in user mode, ICA Stack in kernel mode. The PC/SC (WinSCard) API is remoted over the ICA protocol (ICA Smart Card VC Protocol); remote calls: SCardEstablishContext, SCardConnect, SCardTransmit…

  27. Troubleshooting Smart Card

  28. Anonymous Authentication

  29. Anonymous Authentication
  • No credentials
  • XenApp only
  • Published resources must be explicitly configured for Anonymous authentication

  30. Kerberos Authentication

  31. Using Kerberos for Authentication
  • Users can use Kerberos for Explicit\Prompt or Pass-through Authentication.
  • More secure – no password crosses the wire, even encrypted
  • Works with any client logon method: password, smart card, biometrics, etc.

  32. Kerberos Authentication Support – Configure Delegation on Web Interface Server
  • Edit the Delegation properties of each WI computer object in Active Directory
  • Trust this computer for delegation using any authentication protocol
  • Add the http service for each XenApp XML Broker

  33. Kerberos Authentication Support – Configure Delegation on XenApp (XML) Server
  • Edit the Delegation properties of each XenApp Server computer object in Active Directory
  • Trust this computer for delegation using Kerberos only
  • Add the HOST service for this computer running the XML service
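An added check (not Citrix or Microsoft code) for the two delegation settings of slides 32 and 33, read off the attributes that the AD Delegation tab writes: the userAccountControl bits TRUSTED_FOR_DELEGATION (unconstrained) and TRUSTED_TO_AUTH_FOR_DELEGATION ("any authentication protocol"), plus the msDS-AllowedToDelegateTo SPN list. The attribute dumps below are constructed and the host names are placeholders; a real run would pull them from an LDAP query.

```python
UF_TRUSTED_FOR_DELEGATION = 0x80000           # unconstrained: "Trust this computer for delegation to any service"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained with "use any authentication protocol"

def delegation_mode(obj):
    """Classify one computer object from userAccountControl and msDS-AllowedToDelegateTo."""
    uac, targets = obj["userAccountControl"], obj["msDS-AllowedToDelegateTo"]
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if not targets:
        return "none"
    return "any-protocol" if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION else "kerberos-only"

def missing_spns(obj, required):
    """SPNs the object should be allowed to delegate to but is not (case-insensitive compare)."""
    have = {s.lower() for s in obj["msDS-AllowedToDelegateTo"]}
    return [spn for spn in required if spn.lower() not in have]

def check_wi(obj, xml_brokers):
    """Slide 32: WI delegates with any authentication protocol to http/<broker> for every XML broker."""
    findings = []
    if delegation_mode(obj) != "any-protocol":
        findings.append(f"{obj['dNSHostName']}: mode is {delegation_mode(obj)}, expected any-protocol")
    required = [f"http/{b}" for b in xml_brokers]
    findings += [f"{obj['dNSHostName']}: missing {spn}" for spn in missing_spns(obj, required)]
    return findings

def check_xml_server(obj):
    """Slide 33: XenApp XML server delegates with Kerberos only to HOST/<itself>."""
    findings = []
    if delegation_mode(obj) != "kerberos-only":
        findings.append(f"{obj['dNSHostName']}: mode is {delegation_mode(obj)}, expected kerberos-only")
    required = [f"HOST/{obj['dNSHostName']}"]
    findings += [f"{obj['dNSHostName']}: missing {spn}" for spn in missing_spns(obj, required)]
    return findings

# Constructed attribute dumps (placeholder host names). 0x1000 is WORKSTATION_TRUST_ACCOUNT.
WI_OK = {"dNSHostName": "wi01.example.local", "userAccountControl": 0x1001000,
         "msDS-AllowedToDelegateTo": ["http/xa01.example.local", "http/xa02.example.local"]}
XA_UNCONSTRAINED = {"dNSHostName": "xa01.example.local", "userAccountControl": 0x81000,
                    "msDS-AllowedToDelegateTo": []}   # wider than the slide asks for, and no HOST SPN
```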

  34. Kerberos Auth in XenApp
  [Flow diagram; only its labels survive.] Components: Client (IE, ICA Client Engine, Winlogon, SSOn), WI, XA, IMA, DC, XenApp (Winlogon, TS / wsxica), Servers (File Server, Exchange, …). Flows: Authenticate & get TGT; Get svc ticket; Svc ticket; SIDs; Launch ref; Launch ref in .ica file; Launch ref & svc ticket (through Kerberos VC); pwd; ok.

  35. Kerberos Auth in XenDesktop
  [Flow diagram; only its labels survive.] Components: Client (IE, ICA Client Engine, Winlogon, SSOn), WI, DDC, IMA / DDC, DC, VDA (Desktop Toolbar, Winlogon), Servers (File Server, Exchange, …). Flows: Authenticate & get TGT; Get svc ticket; Svc ticket; SID; Launch ref; Launch ref in .ica file; Launch ref, pwd; Get pwd; pwd; ok.

  36. Troubleshooting Kerberos

  37. Recap
  • Explicit\Prompt Authentication
    • Negotiate on authentication protocol at MS layer.
  • Smartcard Authentication
    • XenDesktop and XenApp have a similar architecture
    • New Citrix services for cert enumeration, SC removal policy, etc.
  • Pass-through Authentication
    • Credential capturing (SSONSVR) or Kerberos ticket
  • Kerberos Authentication
    • No back-end NTLM support: credential prompt

  38. For More Information
  • Whitepapers: http://www.microsoft.com/windows/server/Technical/security/default.asp
    • Windows 2000 Kerberos Authentication
    • Microsoft Windows 2000 Kerberos Interoperability
  • Authentication Function: http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx

  39. Before you leave…
  • Recommended related breakout sessions: SUM509 - Integrating single sign-on and smart card authentication with Access Gateway Enterprise Edition
  • Session surveys are available online at www.citrixsummit.com starting Thursday, 7 October
  • Provide your feedback and pick up a complimentary gift card at the registration desk
  • Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account
