Authentication on XenApp & XenDesktop
Transcript of Authentication on XenApp & XenDesktop
![Page 1: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/1.jpg)
Authentication on XenApp & XenDesktop
Lalit Kaushal, Escalation Engineer EMEA
![Page 2: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/2.jpg)
Agenda
• Authentication at WI:
  • Explicit Authentication
  • Pass-through Authentication
  • Smart Card Authentication
  • Anonymous Authentication
• Kerberos Authentication
![Page 3: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/3.jpg)
Authentication in XenApp\XenDesktop
• Support for several authentication methods: smart cards, client certificates, RSA SecurID, etc.
• Support for OS and non-OS credential stores
  • OS: Active Directory and eDirectory
  • Non-OS: LDAP, RADIUS, 3rd-party authentication methods
• Leverages the authentication methods supported by Windows: smart card support, client certificate support, and custom 3rd-party authentication mechanisms through GINA extensions
• Leverages Windows authentication to flow OS identity tokens between Access Infrastructure services, e.g. flowing Kerberos tickets between the ICA client and the XenApp server
![Page 4: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/4.jpg)
Kerberos
(Diagram: the Key Distribution Centre (KDC) contains both the AS and the TGS.)
1 Authentication Service (AS): authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication.
2 Ticket Granting Service (TGS): grants tickets to TGT-holding clients for a specific application server or resource.
3 Ticket Granting Ticket (TGT): received from the Authentication Service (AS); contains the client's Privilege Attribute Certificate (PAC).
4 Ticket: received from the TGS; provides authentication for a specific application server or resource.
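The four Kerberos objects above show up directly in the Windows ticket cache, and telling them apart is the first step when checking whether a client can reach the Web Interface with Kerberos. The following PowerShell is an added worked example, not code from the deck or from Citrix: it parses the text that the Windows `klist` tool prints, classifies each cached ticket as the AS-issued TGT (server principal `krbtgt/<REALM>`) or a TGS-issued service ticket, and reports whether a ticket for a given SPN is present. The sample `klist` output, the user `alice`, the realm `CORP.EXAMPLE` and the host names are constructed assumptions.

```powershell
# Added example (not from the deck): parse 'klist' output and separate the TGT the AS
# issued from the service tickets the TGS issued. Names and sample text are assumptions.

function ConvertFrom-KlistOutput {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    $tickets = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>\s+Client:\s+(?<client>.+?)\s*$') {
            # '#n> Client:' starts a new ticket entry.
            if ($null -ne $current) { $tickets += [pscustomobject]$current }
            $current = [ordered]@{ Client = $Matches.client }
        }
        elseif ($null -ne $current -and $line -match '^\s+Server:\s+(?<server>\S+)\s+@\s+(?<realm>\S+)') {
            $current.Server = $Matches.server
            $current.Realm  = $Matches.realm
            # krbtgt/<REALM> is the KDC itself, so that ticket is the TGT from the AS;
            # any other server name is a service ticket the TGS issued for that SPN.
            $current.Kind = if ($Matches.server -like 'krbtgt/*') { 'TGT' } else { 'Service' }
        }
        elseif ($null -ne $current -and $line -match 'KerbTicket Encryption Type:\s+(?<etype>\S+)') {
            $current.EncryptionType = $Matches.etype
        }
        elseif ($null -ne $current -and $line -match 'Ticket Flags\s+(?<hex>0x[0-9A-Fa-f]+)\s+->\s+(?<flags>.+?)\s*$') {
            $current.Flags = @($Matches.flags -split '\s+')
        }
        elseif ($null -ne $current -and $line -match '^\s+End Time:\s+(?<end>.+?)\s+\(local\)') {
            $current.EndTime = $Matches.end
        }
    }
    if ($null -ne $current) { $tickets += [pscustomobject]$current }
    return $tickets
}

function Test-KerberosReady {
    # A TGT must be present before the client can ask the TGS for a ticket to the
    # Web Interface (HTTP/<wi-fqdn>); report that and whether the SPN's ticket exists.
    param([Parameter(Mandatory)][object[]]$Tickets, [Parameter(Mandatory)][string]$Spn)
    $tgt = $Tickets | Where-Object { $_.Kind -eq 'TGT' }
    $svc = $Tickets | Where-Object { $_.Kind -eq 'Service' -and $_.Server -eq $Spn }
    [pscustomobject]@{
        HasTgt           = [bool]$tgt
        TgtForwardable   = [bool]($tgt -and ($tgt.Flags -contains 'forwardable'))
        HasServiceTicket = [bool]$svc
        Spn              = $Spn
    }
}

# Constructed sample in the format klist prints on Windows 7 / Server 2008 R2.
$sample = @'
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 10/7/2010 9:01:12 (local)
        End Time:   10/7/2010 19:01:12 (local)
        Renew Time: 10/14/2010 9:01:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.example

#1>     Client: alice @ CORP.EXAMPLE
        Server: HTTP/wi01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 10/7/2010 9:02:40 (local)
        End Time:   10/7/2010 19:01:12 (local)
        Renew Time: 10/14/2010 9:01:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC01.corp.example
'@ -split "`r?`n"

$tickets = ConvertFrom-KlistOutput -Lines $sample
$tickets | Format-Table Kind, Server, EncryptionType, EndTime -AutoSize
Test-KerberosReady -Tickets $tickets -Spn 'HTTP/wi01.corp.example'

# Against the live cache of the current logon session instead of the sample:
# ConvertFrom-KlistOutput -Lines (klist) | Format-Table Kind, Server
```

On the sample the first entry is classified as the TGT (its flags include `initial`, which only the AS sets) and the second as a service ticket for the Web Interface SPN. On a real client, a missing `HTTP/<wi-fqdn>` entry after a Kerberos logon attempt usually means the SPN is not registered for the WI's account, which is worth checking before looking at delegation.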
![Page 5: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/5.jpg)
Kerberos Delegation
![Page 6: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/6.jpg)
Kerberos in Windows
• All you ever wanted to know about Kerberos: http://technet.microsoft.com/en-us/library/cc772815.aspx
![Page 7: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/7.jpg)
Explicit or Prompt Authentication
![Page 8: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/8.jpg)
Explicit or Prompt Authentication
• Username, password and domain; optionally includes two-factor authentication such as RSA SecurID
• Encoded credentials passed to the XML service
![Page 9: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/9.jpg)
Explicit Auth in XenApp
(Sequence diagram; only the participant and message labels survived extraction.)
Participants: Client (Winlogon, SSOn, IE, ICA Client Engine); WI; XML Broker; XenApp (Winlogon, IMA / DDC, TS / wsxica); DC; Servers (File Server, Exchange, …)
Messages as labelled: pwd (from the client through WI to the XML Broker); auth (XML Broker to DC); WI ticket (returned to WI); WI ticket in .ica file (WI to client); WI ticket (ICA Client Engine to TS / wsxica and IMA / DDC on XenApp); pwd (to Winlogon on XenApp); Authenticate & get TGT; Get svc ticket; Svc ticket (XenApp with DC and the back-end Servers)
![Page 10: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/10.jpg)
Explicit Auth in XD
(Sequence diagram; only the participant and message labels survived extraction.)
Participants: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine); WI; DDC; VDA (Winlogon, VDA, IMA / DDC); DC; Servers (File Server, Exchange, …)
Messages as labelled: pwd (from the client through WI to the DDC); auth (DDC to DC); WI ticket (returned to WI); WI ticket in .ica file (WI to client); WI ticket (ICA Client Engine to the VDA and IMA / DDC); pwd (to Winlogon on the VDA); Authenticate & get TGT; Get svc ticket; Svc ticket (VDA with DC and the back-end Servers)
![Page 11: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/11.jpg)
Troubleshooting Explicit
![Page 12: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/12.jpg)
Pass-through Authentication
![Page 13: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/13.jpg)
Pass-Through?
• Pass-Through Session: connecting from within one session to another session on another server (2 servers, 2 clients, 2 sessions)
• Pass-Through Authentication / SSON (Single Sign On): passing the user's credentials into the session
![Page 14: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/14.jpg)
Pass-Through Authentication
• Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop.
• Users do not need to re-enter their credentials, and their resource set appears automatically.
• Additionally, you can use Kerberos integrated Windows authentication to connect to server farms.
• If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.
![Page 15: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/15.jpg)
Pass-Through Authentication
• Windows identity credentials
• IWA (Integrated Windows Authentication) from the browser to the web server
• User's SIDs sent to the XML service
• Client handles authentication to the ICA server
![Page 16: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/16.jpg)
Pass-Through Authentication
(Sequence diagram, steps 1-10; only the step numbers survived extraction.)
![Page 17: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/17.jpg)
Troubleshooting Pass-Through
![Page 18: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/18.jpg)
SmartCard Authentication
![Page 19: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/19.jpg)
What is Multi-Factor Authentication?
• An ATM card is the most common example: you wouldn't use just one factor to protect your money
• Multiple factors
  • Something you know: your PIN
  • Something you have: your card
![Page 20: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/20.jpg)
What is Multifactor Authentication?
• Smart cards: 2-factor authentication (something you know, something you have)
• Biometrics: fingerprint readers, retinal scan, facial recognition, BioPassword (keystroke dynamics)
• Proximity
![Page 21: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/21.jpg)
Smart Card Infrastructure
(Microsoft architecture diagram; layers from top to bottom.)
• User Applications: smart card-aware applications and the user interface
• Smart card subsystem DLLs: smart card service providers (COM interface model)
• Resource Manager: smart card resource manager
• Drivers: reader helper driver, plus a specific reader driver for each reader
• Hardware: readers, each with a smart card
![Page 22: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/22.jpg)
Smart Card Infrastructure: Hardware
• Cards: credit card-sized devices, introduced to Windows by a vendor-supplied installation program that installs a service provider which registers its interfaces with the Resource Manager
• Readers: attach to peripheral interfaces, e.g. PS/2, PCMCIA and USB
(Diagram: three readers, each with a smart card.)
![Page 23: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/23.jpg)
Smart Card Infrastructure: Subsystem
(Diagram: user interface and smart card service providers (COM interface model) above the smart card resource manager, which sits above the reader helper driver and the specific reader drivers.)
• Device drivers: map functionality to the native services the infrastructure provides; communicate card insertion/removal events to the Resource Manager; provide data communications to and from the card
• Resource Manager: manages and controls all application access; provides a virtual direct connection to the requested smart card
• Service providers: provide cryptographic services (key generation, digital signature, bulk encryption) through CryptoAPI
  • Two categories: cryptographic (CSP) and non-cryptographic
  • CSPs can be software-only (like the MS Base CSP) or hardware-based, with the cryptographic engine residing on the smart card (SCCP)
![Page 24: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/24.jpg)
Windows logon – Smart Card
![Page 25: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/25.jpg)
Smart Card Authentication
• Client certificate and PIN credentials
• Certificate authentication from the browser to the web server
• User's SIDs sent to the XML service
• Client handles authentication to the ICA server
![Page 26: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/26.jpg)
Smart Card Core Subsystem Architecture
(Architecture diagram; components as labelled.)
• End-Point (e.g. XP)
  • User mode: Wfica32.exe (ICA Client Engine) with the VDSCardN DLL, calling the WinSCard DLL (MS) through the PC/SC API; SCardSvc.exe (MS)
  • Kernel mode: SC reader driver
  • Hardware: SC reader
• ICA protocol: the PC/SC (WinSCard) API is remoted over ICA (ICA Smart Card VC Protocol); remote calls include SCardEstablishContext, SCardConnect, SCardTransmit, …
• XD/XA Host
  • User mode: Winlogon.exe and applications such as Winword.exe, each loaded with the SCardHook DLL, which redirects PC/SC API calls to CtxSvcHost.exe (CtxSmartCardSvc DLL) via the VC user mode API (Pica/WTS)
  • Kernel mode: ICA Stack
![Page 27: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/27.jpg)
Troubleshooting Smart Card
![Page 28: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/28.jpg)
Anonymous Authentication
![Page 29: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/29.jpg)
Anonymous Authentication
• No credentials
• XenApp only
• Published resources must be explicitly configured for anonymous authentication
![Page 30: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/30.jpg)
Kerberos Authentication
![Page 31: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/31.jpg)
Kerberos Authentication
• Using Kerberos for authentication: users can use Kerberos with Explicit/Prompt or Pass-through authentication
• More secure: no password crosses the wire, not even in encrypted form
• Works with any client logon method: password, smart card, biometrics, etc.
![Page 32: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/32.jpg)
Kerberos Authentication Support: Configure Delegation on the Web Interface Server
• Edit the Delegation properties of each WI computer object in Active Directory
• Select "Trust this computer for delegation using any authentication protocol"
• Add the http service for each XenApp XML Broker
![Page 33: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/33.jpg)
Kerberos Authentication Support: Configure Delegation on the XenApp (XML) Server
• Edit the Delegation properties of each XenApp Server computer object in Active Directory
• Select "Trust this computer for delegation using Kerberos only"
• Add the HOST service for this computer running the XML service
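The two delegation slides above describe clicks in the Active Directory Users and Computers GUI. The PowerShell below is an added example, not Citrix or Microsoft code, that applies the same two settings with the ActiveDirectory module and then reads back what the directory stores, so the result can be verified (and audited) without the GUI. The computer names `WI01` and `XA01` and the domain `corp.example` are assumptions; the "any authentication protocol" choice maps to the `TrustedToAuthForDelegation` flag, the "Kerberos only" choice leaves it clear, and the service list in both cases goes into the `msDS-AllowedToDelegateTo` attribute.

```powershell
# Added example (not from the deck): set the delegation the two slides describe and
# read it back. WI01, XA01 and corp.example are assumed names. Run as a domain admin.
Import-Module ActiveDirectory

$Domain   = 'corp.example'   # assumed AD DNS name
$WiServer = 'WI01'           # assumed Web Interface computer name
$XaServer = 'XA01'           # assumed XenApp server hosting the XML service

# 1. Web Interface: "Trust this computer for delegation using any authentication protocol"
#    (constrained delegation with protocol transition), to the http service of each
#    XML broker. Both FQDN and short-name SPNs are listed so either form matches.
$xmlBrokerSpns = @("http/$XaServer.$Domain", "http/$XaServer")
Set-ADComputer -Identity $WiServer -Add @{ 'msDS-AllowedToDelegateTo' = $xmlBrokerSpns }
Set-ADAccountControl -Identity "$WiServer`$" -TrustedForDelegation $false -TrustedToAuthForDelegation $true

# 2. XenApp (XML) server: "Trust this computer for delegation using Kerberos only",
#    to its own HOST service. Protocol transition stays off for this account.
$hostSpns = @("HOST/$XaServer.$Domain", "HOST/$XaServer")
Set-ADComputer -Identity $XaServer -Add @{ 'msDS-AllowedToDelegateTo' = $hostSpns }
Set-ADAccountControl -Identity "$XaServer`$" -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 3. Read back the stored state. Unconstrained (TrustedForDelegation) should be False on
#    both; ProtocolTransition (TrustedToAuthForDelegation) True only on the WI.
function Get-DelegationState {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
    [pscustomobject]@{
        Computer            = $c.Name
        Unconstrained       = [bool]$c.TrustedForDelegation
        ProtocolTransition  = [bool]$c.TrustedToAuthForDelegation
        AllowedToDelegateTo = @($c.'msDS-AllowedToDelegateTo')
    }
}

Get-DelegationState -ComputerName $WiServer
Get-DelegationState -ComputerName $XaServer

# Client-side check from a domain member, once the SPN is registered for XA01:
# klist get http/XA01.corp.example
```

Unconstrained delegation is deliberately forced off on both accounts: it is what the "Trust this computer for delegation to any service" option would set, and it would let either server impersonate users to every service in the forest rather than only to the listed SPNs.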
![Page 34: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/34.jpg)
Kerberos Auth in XenApp
(Sequence diagram; only the participant and message labels survived extraction.)
Participants: Client (Winlogon, SSOn, IE, ICA Client Engine); WI; XA (Winlogon, TS / wsxica, IMA); DC; Servers (File Server, Exchange, …)
Messages as labelled: pwd / Authenticate & get TGT (client logon against the DC); Get svc ticket / Svc ticket (client to DC, then to WI); SIDs (WI to XA); Launch ref (XA to WI); Launch ref in .ica file (WI to client); Launch ref & svc ticket (through Kerberos VC) (ICA Client Engine to TS / wsxica); Launch ref / ok (to IMA); Get svc ticket / Svc ticket (XA with DC and the back-end Servers)
![Page 35: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/35.jpg)
Kerberos Auth in XenDesktop
(Sequence diagram; only the participant and message labels survived extraction.)
Participants: Client (Winlogon, SSOn, IE, Desktop Toolbar, ICA Client Engine); WI; DDC; VDA (Winlogon, VDA, IMA / DDC); DC; Servers (File Server, Exchange, …)
Messages as labelled: pwd / Authenticate & get TGT (client logon against the DC); Get svc ticket / Svc ticket (client to DC, then to WI); SID (WI to DDC); Launch ref (DDC to WI); Launch ref in .ica file (WI to client); Launch ref, pwd (ICA Client Engine to the VDA); Launch ref / ok (VDA to DDC); Get pwd / pwd (VDA to Winlogon); Authenticate & get TGT; Get svc ticket; Svc ticket (VDA with DC and the back-end Servers)
![Page 36: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/36.jpg)
Troubleshooting Kerberos
![Page 37: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/37.jpg)
Recap
• Explicit\Prompt Authentication
  • Negotiates the authentication protocol at the MS layer
• Smartcard Authentication
  • XenDesktop and XenApp have a similar architecture
  • New Citrix services for certificate enumeration, smart card removal policy, etc.
• Pass-through Authentication
  • Credential capturing (SSONSVR) or Kerberos ticket
• Kerberos Authentication
  • No back-end NTLM support: the user gets a credential prompt instead
![Page 38: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/38.jpg)
For More Information
• Whitepapers: http://www.microsoft.com/windows/server/Technical/security/default.asp
  • Windows 2000 Kerberos Authentication (Microsoft)
  • Windows 2000 Kerberos Interoperability
• Authentication Functions: http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx
![Page 39: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/39.jpg)
Before you leave…
• Recommended related breakout session: SUM509 - Integrating single sign-on and smart card authentication with Access Gateway Enterprise Edition
• Session surveys are available online at www.citrixsummit.com starting Thursday, 7 October. Provide your feedback and pick up a complimentary gift card at the registration desk.
• Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account
![Page 40: Authentication on XenApp & XenDesktop](https://reader036.fdocuments.net/reader036/viewer/2022081419/56812e42550346895d93caae/html5/thumbnails/40.jpg)