Access

CTX-Blog

powered by Ecki's Place

October 21, 2008

Smart Card Single Sign On with PNAgent

All available documentation regarding “Single Sign On” or “Credential pass-through” with Smart Card and Citrix clients is limited to the Program Neighborhood client only, as can be seen exemplarily at Brianmadden . I don’t use this client in customer projects for a couple of years now but use the PNAgent or the Web client instead.

With these clients, a pass-through of the Smart Card PIN didn’t work, because they do not read their settings from the APPSRV.INI, which would allow for the neccessary settings.

Since client version 10.0, an Active Directory Group Policy Template can be found in every client installation directory, named “icaclient.adm”. All clients, starting with 10.0 now read the policy settings first and make use of the APPSRV.INI only in case, no policy is defined. This new feature allows now for a “Single Sign On” with SmartCard and PNAgent.

Here is, what you need to do, to get it up and running:

1. On the Presentation Server /XenApp Server

  • Confirm proper operation by logging in to a full desktop on the Citrix server. Insert a Smart Card and it should begin reading it. Enable “Trust requests sent to the XML Service”. This is necessary if using smart card pass through logon.

2. On the Web Interface Server

  • SSL must be configured and active (a web server certificate has to be installed) and the “Directory Service Mapping” has to be activated. This option can be found in the IIS Manager below the properties of the “Web Sites” folder:
  • Web Sites propertiesDirectory Service Mapper

  • The Web Interface site itself must now be configured. Open the Citrix Access Suite Management Console on the Web Interface server and run discovery if necessary to find the Web Interface site you wish to work with.
    Under “Configure Authentication” select “Smart Card with Passthrough”.

3. Registry

  • Check HKLM\System\CurrentControlSet\Control\TerminalServer\WinStations\ICA-tcp the value for “UseDefaultGina” should be 0 (1 disables the CtxGina).

4. Active Directory Policy

  • Import the ADM template into a Policy
  • Go to the “User Configuration” of the policy, leave the Computer part set to “not configured”. The following settings have to be enabled:
  • Citrix Policy

  • <PolicyName>\User Configuration\Administrative Templates\Citrix Components\Presentation Server Client\User Authentication\Smart Card Authentication has to be “Enabled” and “Allow Smart Card Authentication” and “Use pass-through authentication for PIN” have to be activated.
  • Leave everything else to “Not Configured”, provided that you are testing just Smart Card and PIN pass-through.

Now “Single Sign On” with Smart Card and PNAgent should work 😀

Unfortunately these instructions only work for Windows XP and Server 2003. At the moment, no Citrix client, including 11.0, allows for PIN pass-through with Vista and 2008 Server 🙁

Here are some more interesting links:

Regards
Ecki

December 15, 2007

AAC tuning, part 3

Two Factor Authentication with RSA, SafeWord or any other third party RADIUS solution is a common way to authenticate in a secure manner to an AAC deployment. AAC however labels the input box for the OTP (One Time Password) fix with the text “SecurID-PASSCODE”, “SafeWord CODE:” oder generic with “RADIUS Password”.

Endusers however know their OTP solution most of the time with other names, the name of the RADIUS solution provider for example. This can lead to confusion during the login process.

This problem is easily solved for RSA SecureID and SafeWord. A solution for RADIUS is described further down. As in part 1 and 2, the solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

On a standard AAC server this is presumably:

C:\Inetpub\wwwroot\CitrixLogonPoint\#LogonPointName#

There is an other version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched !

This file can be opened and edited with any editor like the Windows NotePad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can configure the lables for the OTP field, so that it displays a text your users expect. All it needs, is to change the following line below the <appSettings> section:

<add key=”SecondaryAuthenticationPromptOverride” value=”Password:” />
and
<add key=”SecondaryAuthenticationToolTipOverride” value=”Enter Password” />

Where “Password:” stands for the text to be displayed as lable and “Enter Password” stands for the text, displayed as tool tip.

The section should look like this afterwards:

<appSettings>
<add key="DebugConsoleTrace" value="False" />
<add key="AdvancedGatewayClientDownloadUrl" value="http://www.citrix.com" />
<add key="AdvancedGatewayClientActivationDelay" value="10" />
<add key="MaxConnectionsToAuthenticationService" value="20" />
<add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
<add key="DeployedBy" value="LACONFIG" />
<add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
<add key="SecondaryAuthenticationPromptOverride" value="SafeWord PIN + Zahlencode:" />
<add key="SecondaryAuthenticationToolTipOverride" value="PIN und Zahlencode eingeben" />
<!- -

After saving the changes, a user calling this manipulated LogonPoint should now see the new lable.

This method unfortunately works only for RSA SecureID and SafeWord. The text displayed, when using a third party RADIUS solution is hard coded and not that easy to manipulate. There is a pending feature request at Citrix, but it isn’t clear, when a solution will be publicly available.

At last I found a very good work-around in the Citrix AAC Forum, published by Joel Donaldson. A simple manipulation of the BasePage.aspx file of the respective LogonPoint solves the problem in an elegant way.

With an english LogonPoint it is sufficient, to add the following paragraph before the </body> tag:

<script type="text/javascript" language="JavaScript">
document.body.innerHTML=document.body.innerHTML.replace("RADIUS Password:","Kobil Einmalpasswort:");
</script>

The result will look like this:
Loginprompt nach der Manipulation

If you want to support german LogonPoints also, you need another code block that respects the german notation:

<script type="text/javascript" language="JavaScript">
document.body.innerHTML=document.body.innerHTML.replace("RADIUS-Kennwort:","Kobil Einmalpasswort:");
</script>

Other languages can be added easily this way.

If someone is asking itself why this works, this short explanation may help. The script code is looking for the string “RADIUS Password:” in the delivered web page and replaces it with the second parameter of the function “document.body.innerHTML.replace”, in our example “Kobil OTP:”.

Attention, this works only, if JavaScript is enabled in the browser. If JavaScript is disabled, the original text “RADIUS Password:” is displayed. This modification shouldn’t have any other side effects.

< < AAC tuning, part 2

!!! Please read the first comment to this post !!!

Regards
Ecki

May 28, 2007

AAC tuning, part 2

AAC admins that deploy LogonPoints with RSA SecureID, SafeWord or any other Two Factor Authentication solution know the dilemma. The token realy boosts security, but if the token isn’t at hand, there is no way to access internal resources. Fortunately this is not imperativ. A LogonPoint configured with Two Factor Authentication must not always require a One Time Password.

As in part 1, the solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

On a standard AAC server this is presumably:

C:\Inetpub\wwwroot\CitrixLogonPoint\#LogonPointName#

There is an other version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched !

This file can be opened and edited with any editor like the Windows NotePad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can configure Two Factor Authentication such, that a One Time Password is not mandatory. All it needs is to change the following line below the <appSettings> section:

From
<add key=”SecondaryAuthenticationIsOptional” value=“false” />
to
<add key=”SecondaryAuthenticationIsOptional” value=“true” />

The section should look like this afterwards:

<appSettings>
<add key="DebugConsoleTrace" value="False" />
<add key="AdvancedGatewayClientDownloadUrl" value="http://www.citrix.com" />
<add key="AdvancedGatewayClientActivationDelay" value="10" />
<add key="MaxConnectionsToAuthenticationService" value="20" />
<add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
<add key="DeployedBy" value="LACONFIG" />
<add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
<add key="SecondaryAuthenticationIsOptional" value="true" />
<!- -

After saving the changes, a user calling this manipulated LogonPoint will still see the prompt for RSA, SafeWord, or RADIUS passcode, but he is now able to leave this field empty and log in with just his username and password.

This manipulation creates a big hole in your security configuration, but this hole can be easily closed again. All that is needed is to reconfigure your filters and policies.

The filter for full access must require RSA, SafeWord, or RADIUS authentication. Therefore the filter generator allows to use the authentication strength as a criteria. Only users using strong authentication get access to all resources.

Authentication Strength

A user that has no access to his token is nevertheless able to authenticate without a One Time Password. But now an other filter is matched (you can create the same filter as for full acces, but without strong authentication) and an other, more restrictive policy becomes active. This way, the user is at least able to work in a restricted environment, then to stop working 🙂

< < AAC tuning, part 1 AAC tuning, part 3 >>

!!! Please read the first comment to this post !!!

Regards
Ecki

|