Realtime Xendesktop Steps - Project Based


Authentication on XenApp & XenDesktop

Lalit Kaushal
Escalation Engineer EMEA
Agenda

Authentication at WI:
Explicit Authentication
Pass-through Authentication
Smart Card Authentication
Anonymous Authentication

Kerberos Authentication
Authentication in XenApp\XenDesktop
Support for several authentication methods: smart cards, client certificates, RSA SecurID, etc.
Support for OS and non-OS credential stores
OS: Active Directory and eDirectory
Non-OS: LDAP, RADIUS, 3rd party authentication methods
Leverages the authentication methods supported by Windows:
Smartcard support
Client certificate support
Custom 3rd party authentication mechanisms through GINA extensions
Leverages Windows authentication to flow the OS identity tokens between Access Infrastructure services
Example: flowing Kerberos tickets between the ICA client and the XA server
Kerberos
Key Distribution Centre (KDC):
1. Authentication Service (AS): Authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication.
2. Ticket Granting Service (TGS): Grants tickets to TGT-holding clients for a specific application server or resource.
3. Ticket Granting Ticket (TGT): This ticket is received from the Authentication Service (AS) and contains the client's Privilege Attribute Certificate (PAC).
4. Ticket: This ticket is received from the TGS and provides authentication for a specific application server or resource.

(Diagram: client, KDC (AS and TGS) and application server. Message labels: "Here's my TGT, can you give me a Service Ticket"; "Here's your Service Ticket"; "Here's my Service Ticket, auth. me"; then the Client\Server session.)
Kerberos Delegation
Kerberos in Windows

All you ever wanted to know about Kerberos:


http://technet.microsoft.com/en-us/library/cc772815.aspx
Explicit or Prompt Authentication
Username, password and domain
Optionally includes two-factor authentication such as RSA SecurID
Encoded credentials passed to the XML service


Explicit Auth in XenApp

(Diagram. Components: Client (IE, SSOn, ICA Client Engine, Winlogon), WI, XML Broker (IMA / DDC), XenApp (Winlogon, TS / wsxica), DC, and back-end servers (File Server, Exchange, ...). Labelled flows: pwd from the client to WI and on to the XML Broker, with auth against the DC; WI ticket returned to the client and passed with pwd via the ICA Client Engine to TS / wsxica; XenApp Winlogon "Authenticate & get TGT" with the DC, then "Get svc ticket"; Svc ticket presented to the back-end servers.)
Explicit Auth in XD

(Diagram. Components: Client (IE, SSOn, ICA Client Engine, Winlogon), WI, DDC (IMA / DDC), VDA (Winlogon, Desktop Toolbar), DC, and back-end servers (File Server, Exchange, ...). Labelled flows: pwd from the client to WI and on to the DDC, with auth against the DC; WI ticket returned to the client and passed with pwd via the ICA Client Engine to the VDA; VDA Winlogon "Authenticate & get TGT" with the DC, then "Get svc ticket"; Svc ticket presented to the back-end servers.)
Troubleshooting Explicit

Diagnostic/Tracing (CDF)

MF_DLL_CtxGina (PortICA GINA) for smart card SSON


MF_DLL_Ctxauth
MF_DLL_Ctxnotif
MF_DLL_Wsxica
MF_Service_CtxXmlSS
MF_XMLRelay_Wpnbr

Debugging

Capture Network traffic


Study the behaviour of any 3rd party authentication system, if one exists

Additional info

Use CDF tool


Isolate XML
Event Logs messages
Pass-through Authentication
Pass-Through?

Pass-Through Session:
Connecting from within one session to another session on another server
2 servers
2 clients
2 sessions

Pass-Through Authentication\SSON (Single Sign On): passing the user credential into the session
Pass-Through Authentication
Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop.
Users do not need to re-enter their credentials, and their resource set appears automatically.
Additionally, you can use Kerberos integrated Windows authentication to connect to server farms.
If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.
Pass-Through Authentication

Windows Identity credentials


IWA browser to Web server
Users SIDs sent to XML service
Client handles authentication to ICA server
Pass-Through Authentication

(Diagram: numbered flow, steps 1 to 10, between the client, WI, XML service and ICA server; the step labels are not recoverable from the export.)
Troubleshooting Pass-Through

Diagnostic/Tracing (CDF)

MF_DLL_CtxGina (PortICA GINA) for smart card SSON


MF_DLL_Ctxauth
MF_DLL_Ctxnotif
MF_DLL_Wsxica
MF_Service_CtxXmlSS
MF_XMLRelay_Wpnbr

Debugging

Capture Network traffic


Verify SSONSVR is running

Additional info

Use CDF Control tool


Verify if Explicit\Prompt authentication works
Follow CTX368624
SmartCard Authentication
What is Multi-Factor Authentication?

An ATM card is the most common example
You wouldn't use just one factor to protect your money
Multiple factors:
Something you know: your PIN
Something you have: your card
What is Multifactor Authentication?

Smart Cards
2 Factor Authentication
Something you know
Something you have
Biometrics
Fingerprint readers
Retinal Scan
Facial Recognition
Biopassword
Keystroke dynamics
Proximity
Smart Card Infrastructure

(Diagram, Microsoft smart card architecture, top to bottom: User Applications (smart card-aware applications); Service Providers (COM interface model DLLs); Smart card service and Smart card resource manager (Microsoft Resource Manager); Smart card reader helper driver; Specific reader drivers (Driver Subsystem); Readers; Smart Cards (Hardware).)
Smart Card Infrastructure
Cards
Credit card-sized devices
Introduced to Windows by using a vendor-supplied installation program
Installs a service provider that registers its interfaces with the Resource Manager
Reader
Attaches to peripheral interfaces, e.g. PS/2, PCMCIA and USB

(Diagram: Readers and Smart Cards, the Hardware layer.)
Smart Card Infrastructure

Service Providers
Provide cryptographic services (e.g. key generation, digital signature, bulk encryption) through CryptoAPI
Provide data communications & non-cryptographic capabilities to and from the card
Two categories: cryptographic (CSP) & non-cryptographic
CSPs can be software-only (like MS Base CSP) or hardware-based - cryptographic engine resides on a smart card (SCCP)

Resource Manager
Manages & controls all application access to services
Provides a virtual direct connection to the requested smart card

Device Drivers
Map functionality to native services that the infrastructure provides
Communicate card insertion\removal events to the Resource Manager
Windows logon Smart Card
Smart Card Authentication

Client certificate and PIN credentials


Certificate authentication browser to web server
Users SIDs sent to XML service
Client handles authentication to ICA server
Smart Card Core Subsystem Architecture

(Diagram, two sides. End-Point (e.g. XP), user mode: Wfica32.exe (ICA Client Engine) with VDSCardN DLL calling the PC/SC API, WinSCard DLL (MS), SCardSvc.exe (MS); kernel mode: SC Reader Driver and SC Reader. XD/XA Host, user mode: Winlogon.exe and Winword.exe each loading SCardHook DLL, which presents the PC/SC API and forwards to CtxSvcHost.exe (CtxSmartCardSvc DLL) over the VC User Mode API (Pica/WTS); kernel mode: ICA Stack. The PC/SC (WinSCard) API is remoted over the ICA protocol (ICA Smart Card VC Protocol).)
Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit
Troubleshooting Smart Card

Diagnostic/Tracing (CDF)

MF_DLL_CtxGina (PortICA GINA) for smart card SSON


MF_Hook_SmartCard
PE_Service_CtxSmartCardSvc
PE_Service_CtxSvcHost (just loads CtxSmartCardSvc.dll)
PE_Library_GvchBase
PE_Library_CtxCppBase

Debugging

Debug user process loading SCardHook.dll


Debug CtxSvcHost.exe (instance with CtxSmartCardSvc.dll loaded)
Debug Wfica32.exe and vdscardN.dll on client side

Additional info

Use Remote CDF tool


Verify Citrix Smart Card Service is running
Restart Citrix Smart Card Service
Anonymous Authentication
No credentials
XenApp only
Published resources must be explicitly configured for Anonymous authentication
Kerberos Authentication
Using Kerberos for Authentication
Users can use Kerberos for Explicit\Prompt or Pass-through Authentication.
More secure: no password crosses the wire, even encrypted.
Works with any client logon method: password, smart card, biometrics, etc.
Kerberos Authentication Support
Configure Delegation on Web Interface Server
Edit the Delegation properties of each WI computer object in Active Directory:
Trust this computer for delegation using any authentication protocol
Add the http service for each XenApp XML Broker
Kerberos Authentication Support
Configure Delegation on XenApp (XML) Server
Edit the Delegation properties of each XenApp Server computer object in Active Directory:
Trust this computer for delegation using Kerberos only
Add the HOST service for this computer running the XML service
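The two delegation procedures above can be checked from the AD side rather than by eye. This is an added example, not from the deck or from Citrix; it assumes the ActiveDirectory PowerShell module (RSAT) and uses placeholder host names (WI01, XA01, XA02).

```powershell
# Added example (not from the deck or Citrix): audit the delegation settings
# described above with the ActiveDirectory module. Host names are placeholders.
Import-Module ActiveDirectory

$WebInterface = 'WI01'             # placeholder: Web Interface server
$XmlBrokers   = @('XA01', 'XA02')  # placeholder: XenApp XML brokers
# Compare SPNs by service and short host, so http/XA01 and http/XA01.corp.example match.
function ConvertTo-ShortSpn {
    param([string]$Spn)
    $svc, $hostPart = $Spn -split '/', 2
    return ("$svc/" + $hostPart.Split('.')[0]).ToLowerInvariant()
}
function Get-DelegationState {
    param([string]$ComputerName)
    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
    $c = Get-ADComputer -Identity $ComputerName -Properties $props
    [pscustomobject]@{
        Name               = $c.Name
        Unconstrained      = [bool]$c.TrustedForDelegation        # "any service": not wanted here
        ProtocolTransition = [bool]$c.TrustedToAuthForDelegation  # "any authentication protocol"
        Targets            = @($c.'msDS-AllowedToDelegateTo' | ForEach-Object { ConvertTo-ShortSpn $_ } | Sort-Object -Unique)
    }
}
function Test-Delegation {
    param([pscustomobject]$State, [bool]$ExpectTransition, [string[]]$RequiredSpns)
    $required = $RequiredSpns | ForEach-Object { ConvertTo-ShortSpn $_ }
    $problems = @()
    if ($State.Unconstrained) { $problems += 'unconstrained delegation is enabled' }
    if ($State.ProtocolTransition -ne $ExpectTransition) {
        $problems += "protocol transition is $($State.ProtocolTransition), expected $ExpectTransition"
    }
    foreach ($spn in $required) {
        if ($State.Targets -notcontains $spn) { $problems += "missing target $spn" }
    }
    # Every extra target widens the set of services this host may impersonate users to.
    foreach ($spn in $State.Targets) {
        if ($required -notcontains $spn) { $problems += "unexpected target $spn" }
    }
    return $problems
}
# WI: "any authentication protocol", targets http/<broker> for each XML broker.
$wi = Get-DelegationState $WebInterface
Test-Delegation $wi $true ($XmlBrokers | ForEach-Object { "http/$_" }) |
    ForEach-Object { Write-Warning "$($wi.Name): $_" }
# XML brokers: "Kerberos only", target HOST/<self>.
foreach ($b in $XmlBrokers) {
    $st = Get-DelegationState $b
    Test-Delegation $st $false @("HOST/$b") | ForEach-Object { Write-Warning "$($st.Name): $_" }
}
```

No warnings means the objects match the two slides; a "protocol transition" warning on a broker or an "unexpected target" on the WI is the first thing to correct before chasing CDF traces.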
Kerberos Auth in XenApp

(Diagram. Components: Client (IE, SSOn, ICA Client Engine, Winlogon), WI, XA (IMA, Winlogon, TS / wsxica), DC, and back-end servers (File Server, Exchange, ...). Labelled flows: "Get svc ticket" at the client Winlogon, at WI and at XA Winlogon against the DC; pwd from Winlogon to SSOn; SIDs from WI to IMA; Launch ref from WI to IE, delivered as "Launch ref in .ica file"; the ICA Client Engine sends "Launch ref & svc ticket (through Kerberos VC)" to TS / wsxica; "Svc ticket ok"; Svc ticket presented to the back-end servers.)
Kerberos Auth in XenDesktop

(Diagram. Components: Client (IE, SSOn, ICA Client Engine, Winlogon), WI, DDC (IMA / DDC), VDA (Winlogon, Desktop Toolbar), DC, and back-end servers (File Server, Exchange, ...). Labelled flows: "Authenticate & get TGT" and "Get svc ticket" against the DC; pwd from Winlogon to SSOn; SID from WI to IMA / DDC; Launch ref from WI to IE, delivered as "Launch ref in .ica file"; "Get Launch ref" at the VDA; the ICA Client Engine sends "Launch ref, pwd" to the VDA; "Svc ticket ok"; Svc ticket presented to the back-end servers.)
Troubleshooting Kerberos

Diagnostic/Tracing (CDF)

MF_DLL_CtxAuth
MF_DLL_CtxKerbProvider
MF_DLL_Cutildll
MF_Library_CtxSSPI

Debugging

Debug the Winlogon process
Debug Wfica32.exe on the client side
Analyse the network trace for Kerberos-related packets

Additional info

Use CDF Control


Verify Service Principal Name (SPN)
Verify Configuration CTX121918
Recap

Explicit\Prompt Authentication: negotiates the authentication protocol at the MS layer.
Smartcard Authentication: XenDesktop and XenApp have a similar architecture; new Citrix services for Cert Enumeration, SC removal policy, etc.
Pass-through Authentication: credential capturing (SSONSVR) or Kerberos ticket.
Kerberos Authentication: no back-end NTLM support; credential prompt.
For More Information

Whitepapers
http://www.microsoft.com/windows/server/Technical/security/default.asp
Windows 2000 Kerberos Authentication (Microsoft)
Windows 2000 Kerberos Interoperability

Authentication Function
http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx
Before you leave

Recommended related breakout sessions:
SUM509 - Integrating single sign-on and smart card authentication with Access Gateway Enterprise Edition
Session surveys are available online at www.citrixsummit.com starting Thursday, 7 October
Provide your feedback and pick up a complimentary gift card at the registration desk
Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account
