Smart Card Everywhere

Lalit Kaushal

Escalation Engineer EMEA

25th October, 2011

Agenda

  • Business drivers for using smart card
  • Configuring Smart Cards
  • Smart card support architecture in XA/XD
    • Smart Card Client Driver
  • Smart card scenarios
    • SSON Enhancements
  • Tips-N-Tricks
    • Troubleshooting tools & techniques
Smart Cards in our life
  • Credit\Debit Cards
  • Control Access (physical and logical resource)
  • Citizen ID Card
Business Drivers for using Smart Cards
  • Strong authentication
    • Spectrum of requirements
  • Convenience / speed
  • Apps using smart card (Outlook, Word, bespoke)
  • Citizen ID card (in some regions)
  • Public sector employee ID cards
  • Legislation / regulation
  • User needs to login / reconnect using a smart card
    • May be running apps that need to use smart card as well
  • Often multiple points need authentication
    • Client Machine (if domain joined)
    • Access Gateway
    • Web Interface (in future Delivery Services)
    • XA or XD
  • User does not want to enter PIN more than necessary
    • Security Officer (often) does not like us to cache the PIN
  • Speed is frequently very important
Configuration – Smartcard XenApp\XenDesktop
  • Four main components
      • Certificate Authority
          • Windows 2000 + Active Directory
          • Certificate enrolment changes in Windows 2008+
      • Web Interface
          • Latest Web Interface to support new features e.g. AGEE
      • XenApp Server (VDA for XD)
      • Client machines
          • WinXP – Smartcard SSOn possible
          • Windows 7\Vista - Kerberos required for SSON
Configuration (Contd.)
  • Web Interface Server
    • IIS
      • Enable the Windows directory service mapper
      • Citrix Virtual Directory settings:
        • Require secure channel (SSL)
        • Accept client certificates (Ignore client certificates if using Pass-through)
        • Enable client certificate mapping
  • DSC/WI Console
    • “Authentication Methods” select “Pass-through with smart card” or “Smart card”
    • Pass-through only: “Use Kerberos”, if required (Windows 7\Vista Smart card SSON)
    • Smartcard removal policy settings
      • Can also be handled at GPO level
Configuration (Cont’d)
  • XenApp/XenDesktop
    • Enable “Trust requests sent to the XML Service”
    • Kerberos
      • Enable “Trust for Delegation”
      • Enable “DNS address resolution”
  • Client Side settings
    • Use Icaclient ADM template and enable Smartcard Authentication
      • Allow Smart Card Authentication
      • Use pass-through for PIN
        • HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon
    • Enable Kerberos Authentication for Windows 7\Vista
Important Points...
  • SSL cert
  • Kerberos for Smart card Single Sign-on (SSON)
  • Trust XML
  • If Kerberos – DNS resolution
  • ADM template to apply client-side GPOs
Smart Card Infrastructure
  • Personal Computer/Smart Card (PC/SC) subsystem:
    • Governed by the PC/SC workgroup formed in 1996
    • Operating System component
    • Enforces interoperability among cards and readers made by different manufacturers
  • Cryptographic Service Provider (CSP):
    • Leverages the Microsoft-exposed APIs via the Microsoft Platform SDK for smart card use
Smart Card Infrastructure
  • The CSP provider
    • implements certain functions
    • registers itself in the registry
  • Smart card is inserted into the reader
    • Windows reads the ATR from the card to determine which CSP to use
  • Windows uses this information to acquire the appropriate CSP.dll.
  • CSP.dll file
    • Makes the PC/SC calls to get information from the smart card.
Smart Card Components (XA\XD)
  • Host Side (XA\XD)
    • Citrix Hook (ScardHook.dll)
    • Citrix Services (CtxSVCHost, CtxCertPropSvc, etc)
    • CDM (in XA 5 or earlier)
  • End-point (e.g. XP, W7)
    • ICA Client engine – Wfica32
    • Smart card Client driver – VdScardN.dll
Citrix hooking
  • Final Stage in application launch process
  • Inject XenApp feature dlls into application processes
    • Overwrites existing MS functions with XenApp enhanced versions
  • Useful to implement additional functionality
    • TWAIN redirection
    • Virtual IP address
    • MultiMonitor
    • Plus many more
Citrix hooking – mfaphook.dll
  • Windows injects the DLLs listed in AppInit_DLLs
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
    • User32.dll reads this key on process startup and loads the listed DLLs
    • The Citrix binary mfaphook.dll is added to this key
  • Consider mfaphook.dll the parent hook
    • It chooses which of the children hook to inject into each process
AppInit_dlls injects Mfaphook.dll (diagram)
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Per feature hooks
  • Mfaphook checks the registry for the list of feature DLLs to use
    • Depending on the Flag value, mfaphook injects the DLL or not
    • HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls
  • Flag values
    • 0x80000000 - All Processes
    • 0x00000000 - Disable Hook
    • 0x00000002 - Only for specific processes (subkeys)
    • 0x00000004 - Remote sessions only
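A read-only audit of the hook configuration described on the last two slides, added here as an example and not part of the presentation: it checks that mfaphook.dll is listed in AppInit_DLLs and decodes the Flag value of every feature hook under the CtxHook key. The registry paths are the ones shown on the slides; the output column names are my own.

```powershell
# Added example, not from the presentation: read-only audit of the Citrix
# per-feature hook registry. Run in an elevated PowerShell on the XenApp
# server; nothing is modified.
$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$CtxHookKey = 'HKLM:\SOFTWARE\Citrix\CtxHook\AppInit_Dlls'

function ConvertTo-HookFlagMeaning {
    # Decodes the Flag values listed on the "Per feature hooks" slide.
    param([uint32]$Flag)
    if     ($Flag -eq 0x80000000) { 'All processes' }
    elseif ($Flag -eq 0x00000000) { 'Hook disabled' }
    elseif ($Flag -eq 0x00000002) { 'Only the processes named by subkeys' }
    elseif ($Flag -eq 0x00000004) { 'Remote (ICA) sessions only' }
    else                          { 'Unrecognised value' }
}

function Get-CtxHookReport {
    # 1. Is mfaphook.dll registered in AppInit_DLLs at all?
    $appInit = (Get-ItemProperty -Path $AppInitKey -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
    $msg = if ($appInit -match 'mfaphook') { "mfaphook.dll listed: $appInit" } else { "mfaphook.dll NOT listed: '$appInit'" }
    [pscustomobject]@{ Hook = '(AppInit_DLLs)'; Flag = ''; Meaning = $msg; Processes = '' }

    # 2. One row per feature hook, with its Flag value decoded.
    foreach ($hook in Get-ChildItem -Path $CtxHookKey -ErrorAction Stop) {
        $raw = (Get-ItemProperty -Path $hook.PSPath -Name Flag -ErrorAction SilentlyContinue).Flag
        if ($null -eq $raw) {
            [pscustomobject]@{ Hook = $hook.PSChildName; Flag = ''; Meaning = 'No Flag value'; Processes = '' }
            continue
        }
        # REG_DWORD is returned as a signed Int32, so 0x80000000 reads as -2147483648;
        # reinterpret the same 32 bits as unsigned before comparing.
        $flag = [BitConverter]::ToUInt32([BitConverter]::GetBytes([int]$raw), 0)
        $procs = ''
        if ($flag -eq 2) {
            # With Flag = 2 the subkeys name the executables the hook is limited to.
            $procs = (Get-ChildItem -Path $hook.PSPath | Select-Object -ExpandProperty PSChildName) -join ', '
        }
        [pscustomobject]@{
            Hook      = $hook.PSChildName
            Flag      = '0x{0:X8}' -f $flag
            Meaning   = ConvertTo-HookFlagMeaning -Flag $flag
            Processes = $procs
        }
    }
}

Get-CtxHookReport | Format-Table -AutoSize
```

A hook reported as "All processes" that you do not recognise, or a missing mfaphook.dll entry on a server where smart card redirection fails, is the first thing to compare against a known-good server.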
Smart Card Subsystem
  • Hooking of Microsoft Windows smart card components
      • Mfaphook injects the defined hooking DLLs into the published application process’s address space
      • Scardhook hooks many necessary SCard functions in WinScard.dll and redirects most* of these to client
      • SCardHook is loaded in RDP session as well
  • Old way (XA5 and older)
    • SCardhook.dll
    • CDM
  • New way (XA 6 and XD)
    • No dependency on CDM!!!
    • Introduced new services to keep hook code cleaner and simpler
Smart Card Client Driver
  • Routes the host calls to the corresponding WinSCard API
  • Win32 and WinCE drivers have subtle differences
    • Memory restrictions on WinCE box
  • Design optimization in WinCE client smart card driver
  • String encoding negotiation
    • Any string manipulation on the host side should be based on the string encoding negotiated with the client.
    • WinCE client uses Unicode strings while Win32 client uses ASCII strings.
Single Sign-on (SSON)
  • Domain credentials are supported on all client OS
  • For Smart Card SSON
    • XP supports NP APIs
    • Windows 7\Vista Winlogon doesn’t call the NP API, so credentials are not fed to SSON
  • Launching application with SSON enabled:
    • For domain credentials, ICA file contains the LogonTicket
    • For Smart Card credentials, wfica32 uses credentials from SSON machinery

Smart Card Core Subsystem Architecture (diagram)
  • End-Point (e.g. XP): SC Reader, SC Reader Driver (kernel mode), SCardSvc.exe (MS), WinSCard DLL (MS), ICA Client Engine (user mode), ICA Stack
  • XD/XA Host: SCardHook DLL hooks the PC/SC (WinSCard) API in the application process; CtxSmartCardSvc DLL hands the calls to the VC User Mode API (Pica/WTS)
  • Remoting an industry-standard API: PC/SC calls are remoted over the ICA protocol (ICA Smart Card VC Protocol); to the application the remoted calls look like a local smart card app
  • Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit…
  • No smart card code in the kernel!

Multiple approaches
  • Different customers have different requirements
    • Military: never cache the PIN. Don’t care if users must re-enter it
    • Medical: user must never re-enter the PIN. Don’t care if it is cached
  • Lots of technical options
    • Can trade off quality of login for some customers to reduce reliance on PIN
      • Password > Smartcard > Full Kerberos > Constrained Kerberos > Tagged Anon > Anonymous
    • Several well understood techniques, and several potential new techniques
  • Hardware/OS is an issue
    • Require different sorts of driver support for different cards on different platforms
    • Server-side limitations for non-windows machines or shared local/remote use
Authentication Paths
  • Authentication Steps:
    • (Optionally) authenticate user to local windows machine with smart card
    • (Optionally) authenticate user to gateway
    • Authenticate user to Delivery Services (or WI or WR or PNA)
    • Authenticate user to Windows Session (XA or XD)
  • Minimize pin prompts, but keep security officer happy
  • Can trade off ‘quality’ of the ultimate Windows login
    • Smartcard login has ‘full’ credentials
    • Kerberos Login or even Constrained Kerberos Login may be good enough for some customers/apps.
Options at each step (diagram)
  • Client Login: Smart card / Other
  • Gateway: Smartcard SSL (SSL/CA)
  • Delivery Services / WI: Assertion by Gateway OR Smartcard SSL OR Kerberos
  • To XA/XD (from Delivery Services): Assertion OR Kerberos OR Protocol Transition
  • To XA/XD (session logon): Ticket OR Kerberos OR Smartcard Login (PC/SC Redirect)

Smart Card Solution Summary (table)
  • Columns: Desktop Appliance (Domain joined / Non-domain joined); Local Desktop with Apps (Domain joined / Non-domain joined)
  • Rows: Windows XP; Windows 7 (Vista +)
  • Cells:
    • PIN capture not supported; Extra PIN prompt
    • ActiveX updated for Windows 7 in next release
    • PIN capture not supported; Extra PIN prompts (unless using Kerberos)
    • Multiple PIN prompts (unless using Kerberos PT)

PNA Smart Card – Existing Options
  • Direct smart card (can be domain joined or non-domain joined)
    • SSL with client auth to WI, smart card logon to ICA host
    • PIN prompt from OS for PNA
    • PIN prompt from OS on ICA host
  • Pass-through with smart card (must be domain joined)
    • Kerberos/NTLM auth to WI, smart card logon to ICA host
      • Windows XP: PIN capture during OS logon → one PIN prompt
      • Windows 7\Vista: no PIN capture during OS logon → extra PIN prompt on ICA logon
  • Pass-through with smart card, Kerberos option (must be domain joined)
    • Kerberos auth to WI, Kerberos logon to ICA host (XenApp only)
    • PIN prompt for OS logon, no PIN capture needed
    • Hidden XenApp setting can override “Smart card required for interactive logon” policy

SSON Enhancements
  • Fast Connect
    • For Healthcare organizations
    • Need Citrix Partners involvement to build the solution
  • At Web Server authentication point on Services Site
  • Out-of-Box Single Sign-On support
    • Already working for Windows XP client
    • Kerberos is pre-requisite for SSOn on Windows 7\Vista
Fast Connect for Windows
  • New feature to enable Single Sign-on to support Healthcare organizations
  • Partners can use Fast Connect APIs to quickly log users into sessions (logon) and just as quickly disconnect sessions (logout).
  • Available through Citrix Ready Partner
  • Based on 12.1 ICA Client currently
Benefits of At Web Server Authentication Point
  • Faster Logons
  • No Middleware*
  • Single Sign-on (even on NDJ clients!)
  • Access Gateway SSO Integration
At Web Server Authentication Point
  • Same basic requirements as AD FS
    • Constrained Delegation using Kerberos (explained in WI documentation)
Kerberos Authentication Support
  • Configure Delegation on Web Interface Server
    • Edit the Delegation properties of each WI computer object in Active Directory
    • Trust this computer for delegation using any authentication protocol
    • Add the http service for each XenApp XML Broker

Kerberos Authentication Support
  • Configure Delegation on XenApp (XML) Server
    • Edit the Delegation properties of each XenApp Server computer object in Active Directory
    • Trust this computer for delegation using any authentication protocol
    • Add the following:
      • CIFS - each domain controller
      • HOST - each XenApp server hosting apps
      • LDAP - each domain controller
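The two delegation slides above describe settings made by hand in Active Directory Users and Computers; this added example (not from the presentation) reads them back with the ActiveDirectory PowerShell module so that every WI and XenApp computer object can be checked the same way. Server names are placeholders; “using any authentication protocol” corresponds to the TrustedToAuthForDelegation account flag, and the allowed services live in msDS-AllowedToDelegateTo.

```powershell
# Added example, not from the presentation: read-only check of the constrained
# delegation settings the slides call for. Requires the RSAT ActiveDirectory
# module. Host names below are placeholders; ADUC stores SPNs in the form
# service/host, often both short name and FQDN, so list the form you used.
Import-Module ActiveDirectory

$WebInterfaceServers = @('WI01')            # placeholder: Web Interface servers
$XmlBrokers          = @('XA01')            # placeholder: XenApp XML brokers
$XenAppServers       = @('XA01', 'XA02')    # placeholder: servers hosting apps
$DomainControllers   = (Get-ADDomainController -Filter *).HostName

function Test-CtxDelegation {
    param([string]$Computer, [string[]]$RequiredSpns)
    $obj = Get-ADComputer -Identity $Computer -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
    $allowed = @($obj.'msDS-AllowedToDelegateTo')
    # -notcontains is case-insensitive, matching how SPNs are compared in AD
    $missing = @($RequiredSpns | Where-Object { $allowed -notcontains $_ })
    [pscustomobject]@{
        Computer          = $Computer
        # "Trust this computer for delegation using any authentication protocol"
        AnyAuthProtocol   = [bool]$obj.TrustedToAuthForDelegation
        ConfiguredTargets = $allowed.Count
        MissingSpns       = ($missing -join ', ')
        Ok                = ([bool]$obj.TrustedToAuthForDelegation -and $missing.Count -eq 0)
    }
}

# Web Interface servers need the http service of every XML broker
$wiSpns = foreach ($b in $XmlBrokers) { "http/$b" }
$report = foreach ($wi in $WebInterfaceServers) { Test-CtxDelegation -Computer $wi -RequiredSpns $wiSpns }

# XenApp servers need CIFS and LDAP to each DC and HOST to each XenApp server
$xaSpns = @()
foreach ($dc in $DomainControllers) { $xaSpns += "cifs/$dc"; $xaSpns += "ldap/$dc" }
foreach ($s  in $XenAppServers)     { $xaSpns += "host/$s" }
$report += foreach ($xa in $XenAppServers) { Test-CtxDelegation -Computer $xa -RequiredSpns $xaSpns }

$report | Format-Table -AutoSize
```

Any row with Ok = False is a computer object that will fail Kerberos protocol transition for the missing service, which shows up to the user as an extra PIN prompt or a logon failure.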

At Web Server Authentication Point
  • Same basic requirements as AD FS
    • Constrained Delegation using Kerberos (explained in WI documentation)
  • Requires XML port to be shared with IIS
  • Fully supported on Web Interface site
    • Currently only supported with a private on Services Site (PNA)
Smartcard SSOn for Windows 7\Vista
  • Currently not working for Windows 7\Vista
  • Multiple PIN prompts – multiple customers affected
  • Are you waiting for it?
    • Product use
    • Number of Users\Licenses
    • Use-case
  • Feedback will be provided to Product Management
Troubleshooting Questions to Ask - Environment
  • Type of Smartcard & Reader
    • USB Smartcard, USB Token, .NET Smartcard, etc
  • CSP used
    • MS-Base CSP, Vendor specific (ActivClient, SecMaker, etc)
  • Are you able to log in to the machine with the smart card?
  • Is the SC cert accessible inside the ICA session?
    • Open the ‘Certificates’ snap-in in MMC
    • In IE, go to Tools → Internet Options → Content → Certificates
Troubleshooting Questions to Ask - Configuration
  • Type of authentication Method selected
    • Smartcard or Smartcard with Pass-through
  • If Smartcard with Pass-through
    • Check CTX117239 (Is Kerberos enabled? CTX123611)
  • If Kerberos is enabled then it will be used always (No fall-back)
  • Define ‘SmartCardPinPass’ Regkey for Passthru sessions
  • If XenDesktop - CTX130265
  • Understand WinSCard API and their locking behavior
Troubleshooting Questions to Ask – Citizen-ID
  • Type of CSP used
  • Usually not used to authenticate to the session
      • Used by an application inside the ICA session
  • Is the certificate available inside the session?
  • If a specific application, understand the application behaviour
  • Does the CSP have its own PC\SC redirection mechanism?
      • Belgium Citizen ID has
  • RDP behavior
Troubleshooting Tools
  • Vendor-specific tools
      • GemSafe Toolbox, Mini-Manager, eID viewer, etc
  • CDFControl
  • Sysinternals tool – Process Explorer
  • Network Tracing
Troubleshooting Tools – Vendor Specific
  • Vendor-specific tools
  • Helpful to see if the card is readable inside the session

Certificate Propagation

  • CtxSCardCertPropSvc - propagates certificates to the User Store

SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[1]: succeeded to retrieve key with CryptGetUserKey...
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[1]: succeeded to retrieve certificate...
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumAddCertToStore:[1]: executing for container: "435105F49F340F2CC23F850E31939C232C170163 (1)" CSP: "Net iD - CSP" keySpec: "AT_SIGNATURE" store: "My"
SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumAddCertToStore:[1]: succeeded to propagate certificate to user store...

Process Explorer
  • Process Explorer shows the handles and DLLs loaded by each process
  • Helpful to troubleshoot:
    • Memory Optimization issues
    • Application Streaming
    • Access issues
  • Process Explorer is available from SysInternals
Network Tracing
  • Very helpful for authentication issues
  • Network Monitor or WireShark
  • Handy WireShark filter for looking at Kerberos ticket requests/responses (message types 10/11 are AS-REQ/AS-REP, 12/13 are TGS-REQ/TGS-REP, 30 is KRB-ERROR)

kerberos.msg.type == 12 || kerberos.msg.type == 13 || kerberos.msg.type == 30 || kerberos.msg.type == 10 || kerberos.msg.type == 11

Before you leave…
  • Session surveys are available online at starting Thursday, 27 October
  • Provide your feedback and pick up a complimentary gift at the registration desk
  • Download presentations starting Monday, 7 November, from your My Organiser tool located in your My Account