Agenda
Authentication at WI:
Explicit Authentication
Pass-through Authentication
Smart Card Authentication
Anonymous Authentication
Kerberos Authentication
Authentication in XenApp\XenDesktop
Support for several authentication methods
Smart cards, client certificates, RSA SecurID, etc.
Support for OS and non-OS credential stores
OS: Active Directory and eDirectory
Non-OS: LDAP, RADIUS, 3rd-party authentication methods
Kerberos
[Diagram: client and Key Distribution Centre (KDC). The KDC holds the Authentication Service (AS) and the Ticket Granting Service (TGS); four numbered exchanges (1-4) between client, AS and TGS.]
Kerberos Delegation
Kerberos in Windows
All you ever wanted to know about Kerberos:
http://technet.microsoft.com/en-us/library/cc772815.aspx
Explicit Auth in XA
[Diagram: explicit authentication in XenApp. Client side: IE, Winlogon, SSOn, ICA Client Engine. Server side: WI, XML Broker (IMA / DDC), XenApp (Winlogon, TS / wsxica), DC. Edge labels: pwd, Authenticate & get TGT, auth, WI ticket, Svc ticket.]
Explicit Auth in XD
[Diagram: explicit authentication in XenDesktop. Client side: IE, Winlogon, SSOn, ICA Client Engine. Server side: WI, DDC (IMA / DDC), VDA (Desktop Toolbar, Winlogon), DC. Edge labels: pwd, Authenticate & get TGT, auth, WI ticket, Svc ticket.]
Troubleshooting Explicit
Diagnostic/Tracing (CDF)
Debugging
Capture Network traffic
Study the behaviour of any 3rd-party authentication system, if one exists
Additional info
Pass-through Authentication
Pass-Through?
Pass-Through Session: connecting from within one session to another session on another server (2 servers, 2 clients, 2 sessions)
Pass-through Authentication
Users can authenticate using the credentials they provided when they logged on to their physical Windows desktop.
Users do not need to re-enter their credentials, and their resource set appears automatically.
Additionally, you can use Kerberos integrated Windows authentication to connect to server farms.
If you specify the Kerberos authentication option and Kerberos fails, pass-through authentication also fails and users cannot log on.
Pass-Through Authentication
[Diagram: pass-through authentication, numbered steps 1-10. Windows identity credentials on the client; IWA from the browser to the Web server.]
Troubleshooting Pass-Through
Diagnostic/Tracing (CDF)
Debugging
Capture Network traffic
Verify SSONSVR is running
Additional info
SmartCard Authentication
Multiple factors
Something you know
Your PIN
Something you have
Your card
Proximity
Microsoft User Interface Architecture
[Diagram: Microsoft smart card subsystem, layered top to bottom: User Applications; User Interface DLLs; Smart card resource manager (Resource Manager); Drivers (one specific reader driver per reader); Hardware (Readers, each with a Smart Card).]
XD/XA Host
[Diagram: smart card redirection between client and XD/XA host, as labelled. Host side: Winlogon.exe and Winword.exe call the PC/SC API through SCardHook DLL; CtxSvcHost.exe (CtxSmartCardSvc DLL); ICA Stack. Client side: Wfica32.exe (ICA Client Engine) with VDSCardN DLL; PC/SC API; WinSCard DLL (MS); SCardSvc.exe (MS); SC Reader Driver below the user mode / kernel mode boundary; SC Reader. The user mode / kernel mode boundary is shown on both sides.]
Debugging
Debug user process loading SCardHook.dll
Debug CtxSvcHost.exe (instance with CtxSmartCardSvc.dll loaded)
Debug Wfica32.exe and vdscardN.dll on client side
Additional info
Use Remote CDF tool
Verify Citrix Smart Card Service is running
Restart Citrix Smart Card Service
Anonymous Authentication
Anonymous Authentication
No credentials
XenApp only
Kerberos Authentication
Kerberos Authentication
Using Kerberos for Authentication
Users can use Kerberos for Explicit\Prompt or Pass-through Authentication.
More secure: no password crosses the wire, not even in encrypted form.
Works with any client logon method
Password, smart card, biometrics, etc.
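The exchange behind these bullets, as an added illustration (not code from the original deck, Citrix or Microsoft): a toy KDC with an AS and a TGS, a client, and a service in the role of the XenApp/XenDesktop host. The realm EXAMPLE.COM, the user alice, the SPN HOST/xenapp01.example.com and the password are constructed for the demo; `seal`/`unseal` is a SHA-256 keystream plus HMAC tag standing in for a real Kerberos enctype so the script runs with the standard library only. It shows why no password crosses the wire: the password becomes a key on the client, pre-authentication sends only an encrypted timestamp, and the service sees a ticket plus an authenticator. The TGS lookup by SPN is the failure the "Verify Service Principal Name" troubleshooting step is about, and the service keeps a replay cache.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"   # assumed realm, illustration only
SKEW = 300              # accepted clock skew for timestamps (seconds)
LIFETIME = 600          # ticket lifetime (seconds)


def string_to_key(password: str, principal: str) -> bytes:
    """Password -> long-term key (RFC 3962 does PBKDF2 salted with realm+principal).
    The only place the password is used; the KDC stores the key, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096, 32)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption (keystream XOR + HMAC tag), stand-in for an enctype."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


def fresh(ts: float) -> bool:
    return abs(time.time() - ts) <= SKEW


class KDC:
    """Key Distribution Centre: Authentication Service (AS) and Ticket Granting Service (TGS)."""

    def __init__(self, keys: dict):
        self.keys = dict(keys, krbtgt=os.urandom(32))   # krbtgt key protects TGTs

    def as_exchange(self, client: str, pa_enc_timestamp: bytes):
        """AS-REQ/AS-REP: client proves key possession with an encrypted timestamp
        (PA-ENC-TIMESTAMP) and receives a TGT plus a session key."""
        if not fresh(unseal(self.keys[client], pa_enc_timestamp)["ts"]):
            raise PermissionError("AS: stale pre-authentication")
        sk, exp = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": client, "sk": sk, "exp": exp})
        return tgt, seal(self.keys[client], {"sk": sk, "exp": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, spn: str):
        """TGS-REQ/TGS-REP: TGT + authenticator -> service ticket for spn."""
        t = unseal(self.keys["krbtgt"], tgt)
        if time.time() > t["exp"]:
            raise PermissionError("TGS: TGT expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or not fresh(a["ts"]):
            raise PermissionError("TGS: bad authenticator")
        if spn not in self.keys:   # unregistered SPN: no service ticket can be issued
            raise LookupError(f"TGS: SPN {spn} not registered")
        sk2, exp = os.urandom(32).hex(), time.time() + LIFETIME
        ticket = seal(self.keys[spn], {"client": t["client"], "sk": sk2, "exp": exp})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk2, "spn": spn})


class Client:
    def __init__(self, principal: str, password: str, kdc: KDC):
        self.principal, self.kdc, self.wire = principal, kdc, []   # wire: every message exchanged
        key = string_to_key(password, principal)
        pa = seal(key, {"ts": time.time()})
        tgt, rep = kdc.as_exchange(principal, pa)
        self.wire += [pa, tgt, rep]
        self.tgt, self.sk = tgt, bytes.fromhex(unseal(key, rep)["sk"])
        # key and password go out of scope here; only the TGT and session key are kept

    def ap_req(self, spn: str):
        """Obtain a ticket for spn from the TGS and build the AP-REQ (ticket + authenticator)."""
        auth = seal(self.sk, {"client": self.principal, "ts": time.time()})
        ticket, rep = self.kdc.tgs_exchange(self.tgt, auth, spn)
        sk2 = bytes.fromhex(unseal(self.sk, rep)["sk"])
        ap_auth = seal(sk2, {"client": self.principal, "ts": time.time()})
        self.wire += [auth, ticket, rep, ap_auth]
        return ticket, ap_auth


class Service:
    """Host side (TS / wsxica or the VDA in the deck's diagrams): validates the AP-REQ."""

    def __init__(self, key: bytes):
        self.key, self.seen = key, set()     # seen: replay cache of authenticators

    def accept(self, ticket: bytes, authenticator: bytes) -> str:
        t = unseal(self.key, ticket)
        if time.time() > t["exp"]:
            raise PermissionError("AP: ticket expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or not fresh(a["ts"]):
            raise PermissionError("AP: bad authenticator")
        if authenticator in self.seen:
            raise PermissionError("AP: replayed authenticator")
        self.seen.add(authenticator)
        return t["client"]


def demo(password: str = "Passw0rd!") -> dict:
    """Constructed scenario: user alice reaches the host registered as HOST/xenapp01.example.com."""
    spn = "HOST/xenapp01.example.com"
    kdc = KDC({"alice": string_to_key(password, "alice"), spn: os.urandom(32)})
    svc, alice = Service(kdc.keys[spn]), Client("alice", password, kdc)
    ticket, auth = alice.ap_req(spn)
    who = svc.accept(ticket, auth)
    try:                                     # the same AP-REQ presented twice
        svc.accept(ticket, auth); replay_rejected = False
    except PermissionError:
        replay_rejected = True
    try:                                     # wrong password: pre-authentication fails at the KDC
        Client("alice", "wrong", kdc); wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    return {"authenticated_as": who,
            "password_on_wire": any(password.encode() in m for m in alice.wire),
            "replay_rejected": replay_rejected,
            "wrong_password_rejected": wrong_pw_rejected}
```

Running `demo()` returns the authenticated principal name and three booleans: the password bytes never appear in any message, a replayed AP-REQ is refused, and a wrong password fails at the AS before any ticket is issued. Real Kerberos encodes these messages in ASN.1 and uses AES-CTS enctypes; the message shape and the checks at each hop are what carry over.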
[Diagram: Kerberos authentication in XenApp. Client side: IE, Winlogon, SSOn, ICA Client Engine. Server side: WI, XA (IMA, TS / wsxica), DC. Edge labels: pwd, Get svc ticket, SIDs, Launch ref, Svc ticket, ok.]
[Diagram: Kerberos authentication in XenDesktop. Client side: IE, Winlogon, SSOn, Desktop Toolbar, ICA Client Engine. Server side: WI, DDC (IMA / DDC), VDA (Winlogon), DC. Edge labels: pwd, Authenticate & get TGT, SID, Launch ref, Launch ref in .ica file, Get Launch ref, Svc ticket, ok.]
Troubleshooting Kerberos
Diagnostic/Tracing (CDF)
MF_DLL_CtxAuth
MF_DLL_CtxKerbProvider
MF_DLL_Cutildll
MF_Library_CtxSSPI
Debugging
Debug Winlogon process
Debug Wfica32.exe on client side
Analyse the network trace for Kerberos-related packets
Additional info
Use CDF Control
Verify Service Principal Name (SPN)
Verify Configuration CTX121918
Recap
Explicit\Prompt Authentication
Authentication protocol is negotiated at the Microsoft layer.
Smartcard Authentication
XenDesktop and XenApp have a similar architecture
New Citrix services for certificate enumeration, smart card removal policy, etc.
Pass-through Authentication
Credential capturing (SSONSVR) or Kerberos ticket
Kerberos Authentication
No back-end NTLM support; credential prompt
Authentication Function
http://msdn.microsoft.com/en-us/library/aa374731(v=VS.85).aspx