
Authentication on

XenApp & XenDesktop


Lalit Kaushal
Escalation Engineer EMEA

Agenda
Authentication at WI:
Explicit Authentication
Pass-through Authentication
Smart Card Authentication
Anonymous Authentication

Kerberos Authentication

Authentication in XenApp\XenDesktop
Support for several authentication methods
Smart cards, client certificates, RSA SecurID, etc.
Support for OS and non-OS credentials stores
OS: Active Directory and eDirectory
Non-OS: LDAP, RADIUS, 3rd party authentication methods.

Leverage Authentication methods supported by Windows:
Smartcard support
Client certificates support
Custom 3rd party authentication mechanisms through GINA extensions.
Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services
Example: flowing Kerberos tickets between ICA client and XA server.

Kerberos

[Diagram: Kerberos exchange with the Key Distribution Centre (KDC), which hosts the Authentication Service (AS) and the Ticket Granting Service (TGS). Steps shown:]
1. Client to AS: logon request
2. AS to client: Ticket Granting Ticket (TGT)
3. Client to TGS: "Here's my TGT, can you give me a Service Ticket?"
4. TGS to client: "Here's your Service Ticket"
Client to application server: "Here's my Service Ticket, authenticate me" (Client\Server session)

Authentication Service (AS): Authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication.
Ticket Granting Service (TGS): Grants tickets to TGT-holding clients for a specific application server or resource.
Ticket Granting Ticket (TGT): This ticket is received from the Authentication Service (AS) and contains the client's Privilege Attribute Certificate (PAC).
Ticket: This ticket is received from the TGS and provides authentication for a specific application server or resource.
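The four-step exchange and the four definitions above, as an added worked model (not code from the presentation or from Citrix): a toy KDC with an AS and a TGS, a client and one application server. The realm, user, SIDs and SPN are constructed. The cryptography is deliberately simplified (PBKDF2 string-to-key, a SHA-256 keystream with an HMAC tag) and is not a Kerberos encryption type; what the model shows is which key protects which message, why the password never crosses the wire (the client only sends a timestamp sealed under the password-derived key), and how the PAC is copied from the TGT into the service ticket.

```python
"""Toy model of the Kerberos AS/TGS exchange from the slide (added example, not Citrix code).
Crypto is simplified: PBKDF2 string-to-key plus a SHA-256 keystream with an HMAC tag stand in
for the RFC 3961 encryption types; the message flow and what each key protects is the point."""
import hashlib, hmac, json, secrets, time

def string_to_key(password: str, salt: str) -> bytes:
    # Kerberos derives the long-term key from the password and a REALM+principal salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000)

def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object (toy construction, not a Kerberos enctype)."""
    nonce, plain = secrets.token_bytes(16), json.dumps(obj).encode()
    cipher = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(cipher, _stream(key, nonce, len(cipher)))))

class KDC:
    """Authentication Service (steps 1-2) and Ticket Granting Service (steps 3-4)."""
    def __init__(self, realm: str):
        self.realm, self.keys, self.pac = realm, {}, {}   # principal -> key, user -> PAC SIDs
        self.krbtgt_key = secrets.token_bytes(32)          # only the KDC can open a TGT

    def add_user(self, name, password, sids):
        self.keys[name], self.pac[name] = string_to_key(password, self.realm + name), sids

    def as_exchange(self, cname: str, preauth: bytes) -> tuple:
        """AS-REQ/AS-REP: the client proves its key by sealing a timestamp; no password is sent."""
        ts = unseal(self.keys[cname], preauth)["timestamp"]       # fails on a wrong password
        if abs(time.time() - ts) > 300:
            raise PermissionError("pre-authentication timestamp outside allowed clock skew")
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.krbtgt_key, {"cname": cname, "session": session,
                                     "pac": self.pac[cname], "expires": time.time() + 36000})
        return tgt, seal(self.keys[cname], {"session": session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str) -> tuple:
        """TGS-REQ/TGS-REP: 'Here's my TGT, can you give me a Service Ticket?'"""
        t = unseal(self.krbtgt_key, tgt)
        if t["expires"] < time.time() or spn not in self.keys:
            raise PermissionError("TGT expired or unknown SPN")
        if unseal(bytes.fromhex(t["session"]), authenticator)["cname"] != t["cname"]:
            raise PermissionError("authenticator does not match the TGT")
        svc_session = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[spn], {"cname": t["cname"], "sname": spn,
                                       "session": svc_session, "pac": t["pac"]})  # PAC copied over
        return ticket, seal(bytes.fromhex(t["session"]), {"session": svc_session})

class Client:
    def __init__(self, kdc: KDC, name: str, password: str):
        self.kdc, self.name = kdc, name
        self.key = string_to_key(password, kdc.realm + name)   # derived locally, never sent
        self.tgt = self.tgt_session = None

    def logon(self):
        self.tgt, rep = self.kdc.as_exchange(self.name, seal(self.key, {"timestamp": time.time()}))
        self.tgt_session = bytes.fromhex(unseal(self.key, rep)["session"])

    def get_service_ticket(self, spn: str) -> tuple:
        auth = seal(self.tgt_session, {"cname": self.name, "timestamp": time.time()})
        ticket, rep = self.kdc.tgs_exchange(self.tgt, auth, spn)
        return ticket, bytes.fromhex(unseal(self.tgt_session, rep)["session"])

class Service:
    """Application server: 'Here's my Service Ticket, authenticate me.'"""
    def __init__(self, spn: str, key: bytes):
        self.spn, self.key = spn, key

    def accept(self, ticket: bytes, authenticator: bytes) -> tuple:
        t = unseal(self.key, ticket)                     # only this service's key opens it
        if t["sname"] != self.spn:
            raise PermissionError("ticket was issued for another service")
        if unseal(bytes.fromhex(t["session"]), authenticator)["cname"] != t["cname"]:
            raise PermissionError("authenticator does not prove possession of the session key")
        return t["cname"], t["pac"]                      # identity plus PAC SIDs for authorization

def demo(password: str = "correct horse") -> tuple:
    """Run all four steps for a constructed user and file server; returns (user, PAC SIDs)."""
    kdc = KDC("EXAMPLE.LOCAL")                                       # constructed realm
    kdc.add_user("alice", "correct horse", ["S-1-5-21-1-1-1-1105", "S-1-5-21-1-1-1-513"])
    file_key = secrets.token_bytes(32)
    kdc.keys["cifs/fileserver.example.local"] = file_key             # constructed SPN, key shared with KDC
    fileserver = Service("cifs/fileserver.example.local", file_key)
    alice = Client(kdc, "alice", password)
    alice.logon()                                                     # steps 1-2: get TGT
    ticket, session = alice.get_service_ticket(fileserver.spn)       # steps 3-4: service ticket
    return fileserver.accept(ticket, seal(session, {"cname": "alice", "timestamp": time.time()}))

def wrong_password_rejected() -> bool:
    # The AS cannot open a pre-auth timestamp sealed under a key derived from the wrong password.
    try:
        demo("wrong password")
    except ValueError:
        return True
    return False
```

Running `demo()` returns the user name and the SIDs the file server reads out of the PAC; `demo("wrong password")` fails at step 1, inside the KDC, because the sealed timestamp does not verify, which is exactly where a bad password shows up in a real Kerberos trace (the AS-REQ pre-authentication failure) and why capturing the wire exchange yields no password material.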

Kerberos Delegation

Kerberos in Windows
All you ever wanted to know about Kerberos:
http://technet.microsoft.com/en-us/library/cc772815.aspx

Explicit or Prompt Authentication

Explicit or Prompt Authentication
Username, password and domain
Optionally includes two-factor authentication such as RSA SecurID
Encoded credentials passed to XML service

Explicit Auth in XenApp

[Diagram: Explicit Auth in XenApp. Components: Client (IE, ICA Client Engine, Winlogon, SSOn), WI, XML Broker (IMA / DDC), DC, XenApp server (Winlogon, TS / wsxica), back-end servers (File Server, Exchange, ...). Arrow labels: pwd (client to WI, WI to XML Broker, client to XenApp); auth (XML Broker to DC); WI ticket (WI to client, client to XenApp); Authenticate & get TGT and Get svc ticket (XenApp Winlogon to DC); Svc ticket (XenApp to the back-end servers).]

Explicit Auth in XD

[Diagram: Explicit Auth in XenDesktop. Components: Client (IE, ICA Client Engine, Winlogon, SSOn, Desktop Toolbar), WI, DDC (IMA / DDC), DC, VDA (Winlogon), back-end servers (File Server, Exchange, ...). Arrow labels: pwd (client to WI, WI to DDC, client to VDA); auth (DDC to DC); WI ticket (WI to client, client to VDA); Authenticate & get TGT and Get svc ticket (VDA Winlogon to DC); Svc ticket (VDA to the back-end servers).]

Troubleshooting Explicit
Diagnostic/Tracing (CDF)
MF_DLL_CtxGina (PortICA GINA) for smart card SSON
MF_DLL_Ctxauth
MF_DLL_Ctxnotif
MF_DLL_Wsxica
MF_Service_CtxXmlSS
MF_XMLRelay_Wpnbr

Debugging
Capture network traffic
Study the behaviour of any 3rd party authentication system, if one exists

Additional info
Use the CDF tool
Isolate XML
Event Log messages

Pass-through Authentication

Pass-Through?
Pass-Through Session:
Connecting from within one session to another session on another server
2 servers
2 clients
2 sessions

Pass-Through Authentication\SSON (Single Sign On):
Passing the user credential into the session

Pass-Through Authentication
Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop.
Users do not need to re-enter their credentials and their resource set appears automatically.
Additionally, you can use Kerberos integrated Windows authentication to connect to server farms.
If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.

Pass-Through Authentication
Windows identity credentials
IWA from browser to web server
Users' SIDs sent to XML service
Client handles authentication to ICA server

Pass-Through Authentication

[Diagram: Pass-Through Authentication flow; only the step numbers (1-10) survived extraction, the component labels did not.]

Troubleshooting Pass-Through
Diagnostic/Tracing (CDF)
MF_DLL_CtxGina (PortICA GINA) for smart card SSON
MF_DLL_Ctxauth
MF_DLL_Ctxnotif
MF_DLL_Wsxica
MF_Service_CtxXmlSS
MF_XMLRelay_Wpnbr

Debugging
Capture network traffic
Verify SSONSVR is running

Additional info
Use the CDF Control tool
Verify whether Explicit\Prompt authentication works
Follow CTX368624

SmartCard Authentication

What is Multi-Factor Authentication?
ATM card is the most common example
You wouldn't use just one factor to protect your money
Multiple factors
Something you know: your PIN
Something you have: your card

What is Multifactor Authentication?
Smart Cards
2-factor authentication
Something you know
Something you have
Biometrics
Fingerprint readers
Retinal scan
Facial recognition
Biopassword
Keystroke dynamics
Proximity

Smart Card Infrastructure

[Diagram: Smart card subsystem architecture, layered top to bottom]
User Applications: Smart Card-aware applications
Smart card service providers (COM interface model); User Interface DLLs
Resource Manager: Smart card resource manager
Drivers: Reader helper driver; a specific reader driver for each reader
Hardware: Readers, each with a Smart Card
Smart Card Infrastructure

Cards
Credit card-sized devices
Introduced to Windows by using a vendor-supplied installation program
Installs a service provider that registers its interfaces with the Resource Manager

Readers
Attach to peripheral interfaces, e.g. PS/2, PCMCIA and USB

[Diagram: hardware layer, readers each holding a smart card]
Smart Card Infrastructure

Service Providers
Provide cryptographic functionality to application services, e.g. key generation, digital signature, bulk encryption
Provide CryptoAPI
Two categories: cryptographic (CSP) & non-cryptographic
CSPs can be software-only (like MS Base CSP) or hardware-based: the cryptographic engine resides on a smart card (SCCP)

Device Drivers
Map native services that the infrastructure provides
Communicate insertion\removal events to the Resource Manager
Provide data communications capabilities to and from the card

Resource Manager
Manages & controls all access
Provides a virtual direct connection to the requested smart card

[Diagram: the subsystem layers again: smart card service providers (COM interface model), User Interface DLLs, smart card resource manager, reader helper driver and specific reader drivers]
Windows logon Smart Card

Smart Card Authentication
Client certificate and PIN credentials
Certificate authentication from browser to web server
Users' SIDs sent to XML service
Client handles authentication to ICA server

Smart Card Core Subsystem Architecture

[Diagram]
End-Point (e.g. XP): Wfica32.exe (ICA Client Engine) -> VDSCardN DLL -> PC/SC API -> WinSCard DLL (MS) -> SCardSvc.exe (MS) -> [user mode / kernel mode boundary] -> SC Reader Driver -> SC Reader
XD/XA Host: Winlogon.exe and Winword.exe -> PC/SC API -> SCardHook DLL -> CtxSvcHost.exe (CtxSmartCardSvc DLL) -> VC User Mode API (Pica/WTS) -> [user mode / kernel mode boundary] -> ICA Stack
The PC/SC (WinSCard) API is remoted over the ICA protocol (ICA Smart Card VC Protocol)
Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit

Troubleshooting Smart Card
Diagnostic/Tracing (CDF)
MF_DLL_CtxGina (PortICA GINA) for smart card SSON
MF_Hook_SmartCard
PE_Service_CtxSmartCardSvc
PE_Service_CtxSvcHost (just load CtxSmartCardSvc.dll)
PE_Library_GvchBase
PE_Library_CtxCppBase

Debugging
Debug the user process loading SCardHook.dll
Debug CtxSvcHost.exe (the instance with CtxSmartCardSvc.dll loaded)
Debug Wfica32.exe and vdscardN.dll on the client side

Additional info
Use the Remote CDF tool
Verify Citrix Smart Card Service is running
Restart Citrix Smart Card Service

Anonymous Authentication

Anonymous Authentication
No credentials
XenApp only
Published resources must be explicitly configured for Anonymous authentication

Kerberos Authentication

Kerberos Authentication
Using Kerberos for Authentication
Users can use Kerberos for Explicit\Prompt or Pass-through Authentication.
More secure: no password crosses the wire, not even in encrypted form
Works with any client logon method
Password, smart card, biometrics, etc.

Kerberos Authentication Support
Configure Delegation on Web Interface Server
Edit the Delegation properties of each WI computer object in Active Directory
Trust this computer for delegation using any authentication protocol
Add the http service for each XenApp XML Broker

Kerberos Authentication Support
Configure Delegation on XenApp (XML) Server
Edit the Delegation properties of each XenApp Server computer object in Active Directory
Trust this computer for delegation using Kerberos only
Add the HOST service for this computer running the XML service
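The two delegation slides above, as an added model (not Citrix or Microsoft code) of the decision the KDC makes when a front end asks for a ticket on a user's behalf. It encodes the three computer-object settings the slides refer to (delegation to any service, a list of permitted target SPNs, and "any authentication protocol" versus "Kerberos only") and walks the WI -> XML broker -> HOST chain for both a Kerberos (pass-through) logon and an explicit logon at the Web Interface. Host names and SPNs are constructed, and the model simplifies the real S4U2Self/S4U2Proxy rules (ticket forwardability, sensitive accounts) to the three checks shown.

```python
"""Model of the delegation decision behind the two slides above (added example; not Citrix or
Microsoft code). Encodes which AD computer-object settings let a front end obtain a Kerberos
ticket to a back-end SPN on a user's behalf (constrained delegation / S4U2Proxy), simplified."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ComputerObject:
    name: str
    # "Trust this computer for delegation to any service" (unconstrained; TRUSTED_FOR_DELEGATION)
    unconstrained: bool = False
    # Constrained delegation target list: msDS-AllowedToDelegateTo (the SPNs added on the slides)
    allowed_to_delegate_to: frozenset = field(default_factory=frozenset)
    # True  = "... using any authentication protocol" (TRUSTED_TO_AUTH_FOR_DELEGATION, protocol transition)
    # False = "... using Kerberos only"
    any_auth_protocol: bool = False

def delegation_allowed(front_end: ComputerObject, target_spn: str, user_used_kerberos: bool) -> tuple:
    """Return (allowed, reason) for front_end requesting a ticket to target_spn for the user.
    user_used_kerberos: the user reached front_end with a Kerberos ticket (IWA / pass-through);
    False when the user typed explicit credentials or used a smart card at the web server."""
    if front_end.unconstrained:
        # No target restriction at all: the front end can act as the user towards any service.
        return True, "unconstrained delegation (not restricted to listed services)"
    allowed = {s.lower() for s in front_end.allowed_to_delegate_to}   # SPNs compare case-insensitively
    if target_spn.lower() not in allowed:
        return False, f"{target_spn} is not in msDS-AllowedToDelegateTo of {front_end.name}"
    if not user_used_kerberos and not front_end.any_auth_protocol:
        # Kerberos-only: the KDC needs a Kerberos ticket from the user as evidence; with a
        # password or certificate logon there is none, so protocol transition must be enabled.
        return False, f"{front_end.name} is 'Kerberos only' but the user did not authenticate with Kerberos"
    return True, "constrained delegation" + ("" if user_used_kerberos else " with protocol transition")

# The two configurations from the slides, with constructed host names.
WI_SERVER = ComputerObject("WI01$", allowed_to_delegate_to=frozenset({"http/xmlbroker01.example.local"}),
                           any_auth_protocol=True)    # WI: any authentication protocol + http/<XML broker>
XA_SERVER = ComputerObject("XMLBROKER01$", allowed_to_delegate_to=frozenset({"HOST/xmlbroker01.example.local"}),
                           any_auth_protocol=False)   # XenApp: Kerberos only + its own HOST service

def wi_chain(user_used_kerberos: bool, wi: ComputerObject = WI_SERVER, xa: ComputerObject = XA_SERVER) -> list:
    """Walk both hops: WI -> XML broker (http), then XML broker -> its own HOST service.
    If the first hop succeeds the XML service holds a Kerberos ticket for the user, so the
    second hop is evaluated as a Kerberos logon; if it fails, the second hop has no ticket."""
    hop1 = delegation_allowed(wi, "http/xmlbroker01.example.local", user_used_kerberos)
    hop2 = delegation_allowed(xa, "HOST/xmlbroker01.example.local", user_used_kerberos=hop1[0])
    return [("WI->XML", *hop1), ("XML->HOST", *hop2)]
```

`wi_chain(False)` (explicit logon at WI) passes both hops only because the WI object has "any authentication protocol" set; switch that WI object to "Kerberos only" and the same explicit logon is refused at the first hop, which is the configuration mistake the reason string is meant to surface during troubleshooting. The XenApp object stays "Kerberos only" and lists only its own HOST service, so a request from it towards any other SPN (a file server, say) is refused.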

Kerberos Auth in XenApp

[Diagram: Kerberos Auth in XenApp. Components: Client (IE, ICA Client Engine, Winlogon, SSOn), WI, XA XML service / IMA, DC, XenApp server (Winlogon, TS / wsxica), back-end servers (File Server, Exchange, ...). Arrow labels: pwd only at the client's own Winlogon; Get svc ticket (client, WI and XenApp each against the DC); SIDs (WI to IMA); Launch ref in .ica file (WI to client); Launch ref & svc ticket, through the Kerberos VC (ICA Client Engine to XenApp); Svc ticket (XenApp to the back-end servers); ok.]

Kerberos Auth in XenDesktop

[Diagram: Kerberos Auth in XenDesktop. Components: Client (IE, ICA Client Engine, Winlogon, SSOn, Desktop Toolbar), WI, DDC (IMA / DDC), DC, VDA (Winlogon), back-end servers (File Server, Exchange, ...). Arrow labels: pwd at the client's Winlogon, captured by SSOn; Authenticate & get TGT and Get svc ticket (against the DC); SID (WI to DDC); Launch ref in .ica file (WI to client); Desktop Toolbar: Get launch ref; Launch ref, pwd (ICA Client Engine to VDA Winlogon); Svc ticket (VDA to the back-end servers); ok.]

Troubleshooting Kerberos
Diagnostic/Tracing (CDF)
MF_DLL_CtxAuth
MF_DLL_CtxKerbProvider
MF_DLL_Cutildll
MF_Library_CtxSSPI

Debugging
Debug the Winlogon process
Debug Wfica32.exe on the client side
Analyse the network trace for Kerberos-related packets

Additional info
Use CDF Control
Verify the Service Principal Name (SPN)
Verify the configuration: CTX121918

Recap
Explicit\Prompt Authentication
Negotiate the authentication protocol at the MS layer.
Smartcard Authentication
XenDesktop and XenApp have a similar architecture
New Citrix services for certificate enumeration, SC removal policy, etc.
Pass-through Authentication
Credential capturing (SSONSVR) or Kerberos ticket
Kerberos Authentication
No back-end NTLM support: credential prompt

For More Information

Whitepapers
http://www.microsoft.com/windows/server/Technical/security/default.asp
Windows 2000 Kerberos Authentication (Microsoft)
Windows 2000 Kerberos Interoperability

Authentication Function
http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx

Before you leave

Recommended related breakout sessions:
SUM509 - Integrating single sign-on and smart card authentication with Access Gateway Enterprise Edition

Session surveys are available online at www.citrixsummit.com starting Thursday, 7 October
Provide your feedback and pick up a complimentary gift card at the registration desk
Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account
