Access

CTX-Blog

powered by Ecki's Place

July 12, 2008

AAC tuning, part 4

To adjust the look of an AAC LogonPoint at the CI of a company is not as easy as it is with a Citrix Web Interface deployment. In the following PDF i will show you a way to get there anyway.

The howto is written in german. A translation into english is not available at the moment. Since the pdf utilizes a lot of pictures, you might be able to understand it anyway. As soon as i find the time, i will provide a translated version. Until then, you can download the german version here: AAC4_5_CustomizeLogonPoint_Rev1.1_DE.pdf

This is, what your LogonPoint could look like after reading this document:
Angepasster LogonPoint - LoginAngepasster LogonPoint - Portal

Additional documentation about customizing an AAC LogonPoint can be found here:

  • Basic Customization of the Advanced Access Control 4.x Logon Point
  • How to Customize the Default View for Web Interface 4.6 When it is Embedded in Access Gateway Advanced Edition
  • And here you can find a currently very interesting article about AAC and FireFox 3.0:

  • Access Interface Appears Incorrectly with Firefox 3.0
  • Regards
    Ecki

    December 15, 2007

    AAC tuning, part 3

    Two Factor Authentication with RSA, SafeWord or any other third party RADIUS solution is a common way to authenticate in a secure manner to an AAC deployment. AAC however labels the input box for the OTP (One Time Password) fix with the text “SecurID-PASSCODE”, “SafeWord CODE:” oder generic with “RADIUS Password”.

    Endusers however know their OTP solution most of the time with other names, the name of the RADIUS solution provider for example. This can lead to confusion during the login process.

    This problem is easily solved for RSA SecureID and SafeWord. A solution for RADIUS is described further down. As in part 1 and 2, the solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

    On a standard AAC server this is presumably:

    C:\Inetpub\wwwroot\CitrixLogonPoint\#LogonPointName#

    There is an other version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched !

    This file can be opened and edited with any editor like the Windows NotePad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can configure the lables for the OTP field, so that it displays a text your users expect. All it needs, is to change the following line below the <appSettings> section:

    <add key=”SecondaryAuthenticationPromptOverride” value=”Password:” />
    and
    <add key=”SecondaryAuthenticationToolTipOverride” value=”Enter Password” />

    Where “Password:” stands for the text to be displayed as lable and “Enter Password” stands for the text, displayed as tool tip.

    The section should look like this afterwards:

    <appSettings>
    <add key="DebugConsoleTrace" value="False" />
    <add key="AdvancedGatewayClientDownloadUrl" value="http://www.citrix.com" />
    <add key="AdvancedGatewayClientActivationDelay" value="10" />
    <add key="MaxConnectionsToAuthenticationService" value="20" />
    <add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
    <add key="DeployedBy" value="LACONFIG" />
    <add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
    <add key="SecondaryAuthenticationPromptOverride" value="SafeWord PIN + Zahlencode:" />
    <add key="SecondaryAuthenticationToolTipOverride" value="PIN und Zahlencode eingeben" />
    <!- -

    After saving the changes, a user calling this manipulated LogonPoint should now see the new lable.

    This method unfortunately works only for RSA SecureID and SafeWord. The text displayed, when using a third party RADIUS solution is hard coded and not that easy to manipulate. There is a pending feature request at Citrix, but it isn’t clear, when a solution will be publicly available.

    At last I found a very good work-around in the Citrix AAC Forum, published by Joel Donaldson. A simple manipulation of the BasePage.aspx file of the respective LogonPoint solves the problem in an elegant way.

    With an english LogonPoint it is sufficient, to add the following paragraph before the </body> tag:

    <script type="text/javascript" language="JavaScript">
    document.body.innerHTML=document.body.innerHTML.replace("RADIUS Password:","Kobil Einmalpasswort:");
    </script>

    The result will look like this:
    Loginprompt nach der Manipulation

    If you want to support german LogonPoints also, you need another code block that respects the german notation:

    <script type="text/javascript" language="JavaScript">
    document.body.innerHTML=document.body.innerHTML.replace("RADIUS-Kennwort:","Kobil Einmalpasswort:");
    </script>

    Other languages can be added easily this way.

    If someone is asking itself why this works, this short explanation may help. The script code is looking for the string “RADIUS Password:” in the delivered web page and replaces it with the second parameter of the function “document.body.innerHTML.replace”, in our example “Kobil OTP:”.

    Attention, this works only, if JavaScript is enabled in the browser. If JavaScript is disabled, the original text “RADIUS Password:” is displayed. This modification shouldn’t have any other side effects.

    < < AAC tuning, part 2

    !!! Please read the first comment to this post !!!

    Regards
    Ecki

    July 17, 2007

    LANMANServer and LANMANWorkstation Tuning

    I recently stumbled across this realy good article about terminal server tuning. This article introduces and explains all the relevant LANMANServer and LANMANWorkstation parameters and registry keys.

    Following that, the article discusses the potential optimizing actions and their risks and provides even an ADM template that allows to tune your environment through GPOs.

    The complete article can be found here.

    Regards
    Ecki

    May 28, 2007

    AAC tuning, part 2

    AAC admins that deploy LogonPoints with RSA SecureID, SafeWord or any other Two Factor Authentication solution know the dilemma. The token realy boosts security, but if the token isn’t at hand, there is no way to access internal resources. Fortunately this is not imperativ. A LogonPoint configured with Two Factor Authentication must not always require a One Time Password.

    As in part 1, the solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

    On a standard AAC server this is presumably:

    C:\Inetpub\wwwroot\CitrixLogonPoint\#LogonPointName#

    There is an other version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched !

    This file can be opened and edited with any editor like the Windows NotePad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can configure Two Factor Authentication such, that a One Time Password is not mandatory. All it needs is to change the following line below the <appSettings> section:

    From
    <add key=”SecondaryAuthenticationIsOptional” value=“false” />
    to
    <add key=”SecondaryAuthenticationIsOptional” value=“true” />

    The section should look like this afterwards:

    <appSettings>
    <add key="DebugConsoleTrace" value="False" />
    <add key="AdvancedGatewayClientDownloadUrl" value="http://www.citrix.com" />
    <add key="AdvancedGatewayClientActivationDelay" value="10" />
    <add key="MaxConnectionsToAuthenticationService" value="20" />
    <add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
    <add key="DeployedBy" value="LACONFIG" />
    <add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
    <add key="SecondaryAuthenticationIsOptional" value="true" />
    <!- -

    After saving the changes, a user calling this manipulated LogonPoint will still see the prompt for RSA, SafeWord, or RADIUS passcode, but he is now able to leave this field empty and log in with just his username and password.

    This manipulation creates a big hole in your security configuration, but this hole can be easily closed again. All that is needed is to reconfigure your filters and policies.

    The filter for full access must require RSA, SafeWord, or RADIUS authentication. Therefore the filter generator allows to use the authentication strength as a criteria. Only users using strong authentication get access to all resources.

    Authentication Strength

    A user that has no access to his token is nevertheless able to authenticate without a One Time Password. But now an other filter is matched (you can create the same filter as for full acces, but without strong authentication) and an other, more restrictive policy becomes active. This way, the user is at least able to work in a restricted environment, then to stop working 🙂

    < < AAC tuning, part 1 AAC tuning, part 3 >>

    !!! Please read the first comment to this post !!!

    Regards
    Ecki

    May 23, 2007

    AAC tuning, part 1

    Is there any AAC admin happy with the way, EPA scans behave? Once you create just one EPA scan in the AMC (Access Management Console), the EPA scan gets started automatically on every LogonPoint, regardless whether this is wanted/needed or not.

    This behavior is for example very annoying at OWA (Outlook Web Access) LogonPoints, that are created only to allow restricted access to the personal mail from anywhere. To operate “client less” from anyplace, anywhere, no EPA scans may be required. On a standard LogonPoint the EPA scan appears anyway with his download and installation directions. If you click on the “Skip Scan” button, you can proceed without scanning your PC, but the download of the EPA scan client still takes place in the background, steeling you valuable bandwidth. In addition, less computer versed users in an internet cafe with restricted PCs might end up trying to install the EPA scan client over and over without a chance to succeed…

    Recently I stumbled upon an option that is able to stop this “misbehavior”. Well hidden and badly documented, the chances are good, that only few people discovered this option so far. The solution can be found in the “web.config” file in the root of the respective LogonPoint directory.

    On a standard AAC server this is presumably:

    C:\Inetpub\wwwroot\CitrixLogonPoint\#LogonPointName#

    There is an other version of this file in the “C:\Inetpub\wwwroot\CitrixLogonPoint\” directory which should stay untouched !

    This file can be opened and edited with any editor like the Windows NotePad. In the last third of the file you can find a section <appSettings>, which gives you some interesting possibilities. Among other things you can disable EPA scans here. All it needs is to add the following line below the <appSettings> section:

    <add key=”EndpointAnalysisDisabled” value=“true” />

    The section should look like this afterwards:

    <appSettings>
    <add key="DebugConsoleTrace" value="False" />
    <add key="AdvancedGatewayClientDownloadUrl" value="http://www.citrix.com" />
    <add key="AdvancedGatewayClientActivationDelay" value="10" />
    <add key="MaxConnectionsToAuthenticationService" value="20" />
    <add key="LogonPointId" value="00000000-0000-0000-0000-000000000000" />
    <add key="DeployedBy" value="LACONFIG" />
    <add key="ExtendedSecurIdFunctionalityEnabled" value="true" />
    <add key="SecondaryAuthenticationIsOptional" value="false" />
    <add key="EndpointAnalysisDisabled" value="True" />
    <!- -

    After saving the changes, a user calling this manipulated LogonPoint will now be forwarded immediately to the login prompt without seeing any EPA “nag screen” 🙂

    AAC tuning, part 2 >>

    !!! Please read the first comment to this post !!!

    Regards
    Ecki

    March 14, 2007

    Registry Scan (Watermark) for CAG 4.5.x Advanced

    Most people who know Citrix Access Gateway (CAG) with Advanced Access Control (AAC) for a while, especially version 4.2, know the “Citrix Watermark” End Point Analysis Scan (EPA Scan). A possibility to configure the security group membership of a PC withe a simple registry key. In contrast to MAC or Domain filters, this scan made it very easy to change the security context of a PC, very handy for product demonstrations, where you want to visualize different access scenarios.

    The update to AAC version 4.2.5, eg. version 4.5 introduced a massive change for EPA Scans. Since then, every EPA Scan has to be signed, which renders the unsigned “Watermark” scan worthless. Every EPA Scan delivered with AAC 4.5 is now already signed by Citrix and if you try to create your own EPA Scans, you have to sign them too and build your own specific EPA Scan MSI package. Lots of customers try to avoid this effort and the costs associated with signing certificates. For Citrix partners, trying to build just a demo site, the effort and the costs are too high as well. If you do not intend to spend money on Custom Scans for example from EPAFactory, you are stuck with the scans provided by Citrix:-(

    I will therefore show a way, how you can accomplish a working registry scan with the means provided by a standard setup of AAC. Most EPA Scans do in fact nothing else than reading predefined keys in the registry of the client PC. Therefore almost any EPA Scan can be used as registry scan. As an example i will use the “Citrix Scans for Windows Update” shipped with AAC. This scan reads on a client PC recursively all keys beneath:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\

    and reports back the KB-numbers found. It must be pointed out, that keys directly below the “Updates”-key are NOT delivered back to the AAC server. You should therefore use an existing key like “SP2” to create your own KB-number key. Knowing that, it is fairly simple to create your own registry scan. A detailed description with screen shots of this process can be found here (german only).

    Regards
    Ecki

    |