certificate + LDAP based authentication provides an additional security through the authentication certificate for the mobile applications use and allows users seamless access to the HDX apps have . Client certificates By using, users must enter with single sign on access to WorxEnabled apps WorxPin login. Worx PIN also simplifies the user authentication information. Worx PIN is used to secure a client certificate or to store Active Directory credentials locally on the device.
conditions
1) a certification authority (CA settings) if your organization do not currently have a CA
2) IP address Requirements:
steps, configure the certificate + ldap-based authentication
1. Please follow only , the " configuration in MS CA server" section of the blog below and obtain the certificate. / Blogs / 10.12.2013 / xenmobile-configure certificate-based authentication /
2. Go to Settings and click Certificates and click Import.
Here we are, we import certificate obtained in Step 1. We need to convert file to.pem the PFX file. Open the .pem file in Notepad, and copy the private key and certificate in various files and save them separately.
3. Select "certificate" under Import and select "Server" for use as a field.
4. Search. For the certificate file we saved in Step 2 for the user certificate
5. Locate the private key file
6. Enter a description and click import
7. Once it is imported, we can see the user certificate as a server certificate imported, as highlighted below.
to configure 8. Go -> Settings and click PKI Certificate Management Units under
. 9 Click Add
10. Click Microsoft Certificate Services entity
11. Enter the details of the MS CA server as the certification URL and select authentication type as client certificate
here we have the Web registry service root URL entered as https: .. //
12. We can selected automatically, the SSL client certificate see. Click Next
13. Click Add to add the template
14th Enter the template name, and click Save and click Next. This template should have the same name as the template you created, while the blog follow in step 1.
15. Click Next
16. Select the CA certificate and click Save
17. Now we can see the status as valid as below
18 shown. Click Credential Provider under Certificate Management in the settings.
19. Click Add to add the Credential Provider
20th We can see all the fields selected automatically disengaged. These are the PKI entities and the template we created in the previous steps. Click on Continue.
21. Enter the details as below
22 shown. Click Add
23. Under Type, select userPrincipalName.
24. Enter $ user.userprincipalname as a value, click Save and then click Next.
25. Click Next
26. Click Next
27. Click Next
28. Click Save
29 . Goto settings -> NetScaler Gateway
30. Under Credential provider, select the Credential provider we created earlier.
31. Click supply and select on user certificate for authentication and click Save.
32. Make sure you have the type Logon for NetScaler Set the certificate and domain.
If it is not set, then edit and select the authentication type certificate and domain.
NetScaler for XenMobile configuration
If you have already configured NetScaler with XenMobile 10 Wizard, then ask ensure that you have attached to the VIPs, the correct CA certificate (see below steps if you need further information) and also make sure that you have set the authentication setting (Server login name attribute) that User Principal name in the authentication Policy, and then click the moving NetScaler Gateway authentication configuration section. If you configure the NetScaler by the wizard for the first time, then follow from please follow these steps.
1. Please start searching and enter the NetScaler management IP address and login to NetScaler GUI
2. Click the Configuration tab, and click XenMobile wizard on the left side
3. click Getting Started
. 4 Select access via access Gateway and balance device Manager server load and click Next. Here we are going to configure a load balancing VIP, which are used for enrollment purposes, and the Second NetScaler Gateway VIP for the safe provision of application of XMS by NetScaler.
5. Enter the IP address for the NetScaler Gateway.
6. Please see the products http://support.citrix.com/article/CTX109260 upload the SSL certificates on NetScaler.
7. Select the existing certificate.
8. Under Server certificate, we use the certificate in step 6 on NetScaler uploaded.
Click Next
9. Under Authentication Settings Include your LDAP server details such as IP address, LDAP port number, base DN, the the position of the user in Active Directory and service account for requests to the LDAP directory and the password is used.
Make sure that you enter safely userprincipalname under Server Logon attribute.
10. Here we need to add the Load Balancing FQDN for MAM. Enter the XMS server FQDN.
All accesses to the XMS are server are routed through this load MAM VIP Balancing (LB).
, the IP address for the LB Enter Next VIP (VIP2) and click.
11. Choose. The server certificate for the MAM LB Vserver Since we use a wildcard certificate here we select the same certificate we in step 6 above uploaded.
12. Click Add Server under XenMobile servers Here are the XMS server add that to be bound to the LB VIP.
13. Enter the IP address of the XMS server and click.
14. Click Next
15. Click Load Balance Device Manager server. Here we will configure the LB VIP, which are used for the Device Enrollment purpose. We will retain the same XMS server to this LB VIP.
16. Enter the IP address for load balancing MDM (VIP1).
17. Next as XMS Server Click we added appear earlier, as shown below.
18. Click Finish.
19. When the wizard is completed, we can check the status as "UP" for both MDM LB VIP and NetScaler Gateway.
to 20 see. Goto NetScaler Gateway -> Virtual Server and on the right, select the virtual server and click Edit
21. Click> Mark for "No-CA- certificate "
22. Click on select> select the CA certificate.
23. Select the CA certificate and click OK.
24. Click on 25. Bind
Click Finish.
26. Make sure that you bind the root certificate of the CA as CA certificate here (which issued the client certificate).
NetScaler Gateway Authentication Configuration
1. Please start searching and enter the NetScaler management IP address and login to NetScaler GUI
2. NetScaler Gateway to the left, jumping Policies -> authentication -> Cert and Select server on the right side and click Add
3. Type, select the profile name TwoFactor and select Subject: AltNamePrincipalName from the Username field
4. Goto Policies and click Add
5. Enter the policy name and select the Cert_Profile from the drop-down in the server field.
Set the expression ns_true as and click create
6. Select the Virtual Server and click Edit
7. Under authentication Click on any "+" symbol certificate authentication.
8. Select the type of authentication as a certificate
9. Select the type of authentication Primary. Here are binding we certificate authentication as one of the primary authentication with priority same as the LDAP authentication type.
10. Click "Select image" to we choose the certification guidelines created earlier.
11. Select the certificate policy that we created earlier and click OK.
12. Click Bind. Here the priority that we set is 100. Please note, we will use the same priority number in our next step, while the LDAP authentication edit policies.
13. Click> Mark for LDAP policy.
14. Select the policy and click the Edit drop- down list and click Edit bond.
you 15 can set the priority number you wish, and ensure that the priority that we set here, as the priority for the certification guidelines is equal. Click Bind.
16. Click Close.
18. Click SSL parameters on the right side.
19. Select Client Authentication and select Mandatory with client certificate and click OK.
17. Click Finish
enroll device now. Once registration is complete, the user is prompted to enter (which ensures the client certificate and stores the AD credentials) WorxPin which further simplifies the user experience.
0 Komentar