Reducing pin Prompts NetScaler Gateway and smart cards

11:42 AM
Smart cards and NetScaler Gateway are a common XenApp / XenDesktop access scenario for many of our customers - especially in the US federal space, where smart card use is mandatory for most government agencies. One of the most common requests we get when implementing smart cards is to reduce the number of PIN prompts a user receives before they get to their Windows applications or desktops. In this article I will explain which configurations result in which PIN prompts, primarily for NetScaler Gateway access from Windows-based client devices via a web browser.

Let us walk through the different places where we expect a PIN prompt in a non-optimized NetScaler Gateway + smart card configuration:

  1. NetScaler authentication. We have users authenticate with their PIN + certificate before they can do anything else on the system. This is accomplished by requiring a client certificate to make the initial SSL connection to the NetScaler Gateway.
  2. ICA connection to NetScaler. After a user chooses to launch a published application or desktop, Citrix Receiver connects them to the NetScaler Gateway over SSL to start the ICA session. If the gateway vServer asks for a client certificate, the user will receive a PIN prompt.
  3. Windows authentication to the desktop or XenApp server. If single sign-on is not configured, or is not available, the Windows machine hosting the application or desktop will also ask the user for their PIN.

That's a lot of prompts, some would say, and I would tend to agree. Most users expect to authenticate only once with their PIN, as that is what they are used to on their traditional local Windows devices.

The good news is ... it can be done!

Based on the three PIN prompts above, let's talk through how each of them can be handled:

  1. NetScaler authentication. This prompt is usually required, because it lets us authenticate users to NetScaler before allowing access to internal resources. At a minimum the user must choose their certificate if their smart card is configured with multiple certificates. If their PIN is cached by a middleware application on their Windows client (like ActivClient), then they will not enter a PIN here. Otherwise, we expect both a certificate selection and a PIN entry here.

    1st Prompt - Removable!

    If the client device has middleware that supports PIN caching and is configured for it, the user can bypass the PIN prompt for the first NetScaler Gateway connection.

  2. ICA connection to NetScaler. This is the simplest prompt to get rid of entirely, and it only requires setting up a second NetScaler Gateway vServer that handles ICA proxy only. This NetScaler Gateway is not configured to check for a client certificate, meaning the SSL ICA connection does not need to prompt the user again. In Web Interface, we would point the Secure Access setup at this vServer instead of the first (authentication) NetScaler Gateway. For information on how to do this in StoreFront with Optimal Gateway Routing, see Bill Hackley's blog post: How to reduce smart card PIN prompts when using NetScaler Gateway with StoreFront 2.5. We can also create a third NetScaler Gateway vServer so that Web Interface and StoreFront have no problems with their HTTPS authentication callback, which lets us set the client certificate check to Mandatory on the front-end vServer. The Mandatory setting ensures that we enforce the smart card requirement by refusing an SSL handshake that does not include a client certificate. Note: the reason I separate the ICA proxy and the authentication callback vServers is for customers who must separate internal and external NetScaler traffic through their firewalls; this simplifies communication with the internal StoreFront or Web Interface servers. Technically, the two could be combined into a single vServer. Here is what the layout looks like: [diagram from the original post not reproduced]

    2nd Prompt - Removable!

    By creating a secondary external NetScaler Gateway vServer without a client certificate check, we can bypass the second PIN prompt.

  3. Windows authentication. This one is a bit more complicated, so let's talk through a few different scenarios.

    Domain-joined clients. If the user's device is joined to the domain (and they log on to Windows with their smart card), we can simply pass their PIN into the ICA session with our Receiver PIN pass-through feature. Our ssonsvr.exe process captures the PIN from the Windows logon process and passes it through into the ICA session, if it is configured to do so. Check out http://support.citrix.com/article/CTX130265 for information on setting this up with the icaclient.adm template, and http://support.citrix.com/article/CTX131223 for additional configuration on Vista / Win 7.

    Non-domain-joined clients. This is where things get more interesting. In this case the user is either on a device that is not in the corporate domain, or they log on to their Windows client with something other than their smart card. In a standard configuration, there is no way for us to pass the PIN into the Windows ICA session. At this point you have a few options:
    1. The user must enter their PIN again. This results in a total of 2 prompts for them to access their ICA session ... one at the NetScaler Gateway and one at Windows.
    2. Use middleware that supports our Receiver FastConnect technology. Some smart card vendors support our FastConnect API, which allows the PIN to be stored in Receiver and handed to the Windows session. The API for our SDK is located here.
    3. Use Kerberos Constrained Delegation via Web Interface to impersonate the user's Windows identity for their application. This is described in more detail here: http://support.citrix.com/article/CTX124603. The benefit is that this gets rid of the Windows PIN prompt entirely, since the user authenticates with a Kerberos ticket instead. The downside is that it currently only works with XenApp 6.5, and getting the Kerberos delegation right on the back end can be complex, depending on which services the user needs to be impersonated to. This option is only recommended if reducing the PIN prompts is absolutely necessary and none of the other options are possible.
    4. Use "zero" clients or thin OS devices instead of full Windows-based devices. It varies by manufacturer and operating system, but some are able to pass the user's PIN directly into the ICA session natively. Check with your client vendor for support of this capability.

    3rd Prompt - Removable!

    With a domain-joined Windows client that has middleware installed and SSO configured, or with a zero client that supports PIN pass-through, this prompt can be bypassed.
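As an added example that is not part of the original post, here is the NetScaler CLI configuration for the split-vServer layout described under prompt 2: a front-end authentication vServer that requires a client certificate (Mandatory), an external ICA-proxy-only vServer that does not check for one, and an internal callback vServer for StoreFront / Web Interface. All names, IP addresses, certkey names and the StoreFront / STA URLs are placeholders.

```nscli
# Added example, not the original post's configuration.
# Placeholders: IPs from RFC 5737 test ranges, certkey names, StoreFront and STA URLs.

# --- 1) Front-end authentication vServer: client certificate is Mandatory ---
add vpn vserver ng_auth_vs SSL 203.0.113.10 443
bind ssl vserver ng_auth_vs -certkeyName gw_server_cert
# Trust the smart card issuing CA so the client certificate chain validates
bind ssl vserver ng_auth_vs -certkeyName smartcard_issuing_ca -CA -ocspCheck Optional
# Mandatory: an SSL handshake that carries no client certificate is rejected outright
set ssl vserver ng_auth_vs -clientAuth ENABLED -clientCert Mandatory
# Take the logon name from the certificate subject for the gateway session
add authentication certAction cert_act -userNameField "Subject:CN"
add authentication certPolicy cert_pol ns_true cert_act
bind vpn vserver ng_auth_vs -policy cert_pol -priority 100
# ICA proxy session policy pointing at the StoreFront store (placeholder URL)
add vpn sessionAction sf_act -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -icaProxy ON -wihome "https://storefront.example.com/Citrix/StoreWeb" -ClientChoices OFF
add vpn sessionPolicy sf_pol ns_true sf_act
bind vpn vserver ng_auth_vs -policy sf_pol -priority 100
bind vpn vserver ng_auth_vs -staServer http://ddc.example.com

# --- 2) External ICA-proxy-only vServer: no client certificate check, so no second PIN prompt ---
add vpn vserver ng_ica_vs SSL 203.0.113.11 443 -icaOnly ON
bind ssl vserver ng_ica_vs -certkeyName gw_server_cert
# Deliberately no "-clientAuth ENABLED" here; Receiver's ICA connection is validated by the STA ticket
bind vpn vserver ng_ica_vs -staServer http://ddc.example.com

# --- 3) Internal callback vServer for the StoreFront / Web Interface authentication callback ---
# Internal address, same session policy as the front end, but no client-certificate requirement,
# so the server-side HTTPS callback completes while the front end stays Mandatory.
add vpn vserver ng_callback_vs SSL 192.0.2.10 443
bind ssl vserver ng_callback_vs -certkeyName gw_server_cert
bind vpn vserver ng_callback_vs -policy sf_pol -priority 100
```

In StoreFront, point the Optimal Gateway Routing (HDX routing) entry at ng_ica_vs and the callback URL at ng_callback_vs; in Web Interface, point Secure Access at ng_ica_vs.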

As seen above, reducing PIN prompts is much easier when the user is on a client device that is either joined to the AD domain or runs a thin OS that can natively forward a PIN through ICA to the Windows authentication process. If you use smart card middleware with PIN caching, a separate NetScaler Gateway vServer for ICA proxy, and a domain-joined Windows client, you may be able to get to zero PIN prompts when accessing Citrix! But with any client device, your users should receive at most 2 prompts once you set up your NetScaler Gateway vServers properly.

Hopefully this has helped clear up any confusion about using smart cards for XenApp / XenDesktop access. Feel free to post any questions in the comments and I'll respond as soon as possible.
