This article describes the process of setting up two-factor authentication with JaCarta PKI smart cards, developed by Aladdin RD, in a Citrix XenDesktop 7.x virtual environment.
JaCarta PKI is a line of USB tokens, MicroUSB tokens and smart cards for strong two-factor user authentication when accessing protected corporate information resources, for secure key storage, and for holding the key containers of software-based cryptographic information protection tools (SKZI).
The advantages of using Aladdin RD solutions with Citrix products are:
- secure access to virtual desktops and applications, with multi-factor authentication for XenApp / XenDesktop;
- NetScaler Gateway support;
- the ability to use smart cards and USB tokens, after authenticating to a Citrix VDI session, with any application that supports these devices;
- the ability to embed Citrix solutions into an existing public key infrastructure (PKI) and, conversely, to embed a PKI into an existing Citrix virtual environment.
Citrix authentication with JaCarta smart cards and USB tokens from Aladdin RD is based on a public key infrastructure (PKI) and on X.509 digital certificates stored on these devices. The solution complies with international standards and requires only configuration, without complex software integration.
All models of smart cards and JaCarta USB tokens are based on a smart card microcontroller with special built-in protection from cloning, hacking and other special attacks (secure by design).
Brief description of the demo stand infrastructure
- Microsoft Windows Server 2008 R2 - server with the domain controller role (DC.aladdin.local)
- Microsoft Windows Server 2008 R2 - server with the Microsoft Certification Authority (MS CA) role (CA.aladdin.local)
- Microsoft Windows Server 2008 R2 - server with the XenDesktop software components (Citrix Director, Citrix License Server, Citrix Studio, Citrix StoreFront, Citrix Delivery Controller) (XD7.aladdin.local). These components can be installed on different servers.
  - Citrix XenDesktop 7.0 software
- Microsoft Windows 7 64-bit - user's test PC (Test2.aladdin.local)
  - Citrix Receiver 4.0.0.45893
  - JC Client 6.24.16
- Microsoft Windows 7 32-bit - test reference machine, the "golden" image from which virtual machines will be deployed for users (win7x32.aladdin.local)
  - Citrix Receiver 4.0.0.45893
  - JC Client 6.24.16
  - Virtual Delivery Agent
Creating virtual machines
1. Creating a virtual machine directory
Before creating a directory for virtual machines, you need to prepare a reference machine. In this test environment, this is a virtual machine with a Windows 7 (32-bit) operating system.
To prepare the reference machine, install the Virtual Delivery Agent software (the distribution kit is located on the disk with the XenDesktop 7.0 software), JC Client 6.24.16 (installation and configuration of the JC Client 6.24.16 software are described in the JC-Client Administrator's Guide), as well as any other software required by the users of this group. After installation, the virtual machine must be turned off.
Creating a directory for virtual machines
On the server where the Citrix Studio component is installed (installation and configuration of the Citrix XenDesktop 7.x software is described at http://support.citrix.com/proddocs/topic/xendesktop-71/cds-install-config-intro.html), launch Citrix Studio (Start -> All Programs -> Citrix), connect to the Citrix Delivery Controller, go to Machine Catalogs and run the Create Machine Catalog wizard (Fig. 1).
Fig. 1 - "Create Machine Catalog" window
Click Next.
Select Windows Desktop OS, or another item depending on the settings of your environment (Fig. 2).
Fig. 2 - Operating system selection window for the directory
Click Next.
Select Virtual Machines and Machine Creation Services (MCS) (Fig. 3).
Fig. 3 - Virtual machine delivery method selection window
Click Next.
In the Desktop Experience window, configure the desktop settings for users and the method for storing user data as shown below (Fig. 4). Other options may be selected depending on the settings of your environment and the tasks required.
Fig. 4 - Virtual machine settings window
Click Next.
From the list of available virtual machines, select the previously created reference machine (Fig. 5).
Fig. 5 - Reference machine selection window
Click Next.
Set the number of virtual machines in the directory and their technical characteristics (Fig. 6).
Fig. 6 - Choosing user virtual machine options
Click Next.
Configure the scheme for automatically adding the accounts of the created machines to the Active Directory (AD) directory service (Fig. 7).
For ease of administration, you can pre-create an organizational unit (OU) in the AD directory service to which the accounts of the created virtual machines will be added.
Fig. 7 - "Active Directory Computer Account" window
Click Next.
Check the parameters of the created virtual machines and specify the name of the directory, as well as the virtual machine name displayed to users (Fig. 8).
Fig. 8 - Summary window
Click Finish.
The catalog of virtual machines has been created (Fig. 9).
Fig. 9 - Created directory of virtual machines
2. Creating a virtual machine user group - Delivery Group
To associate the created virtual machines with users, you must configure a user group of virtual machines (Delivery Group).
Open the Citrix Studio management console and go to the Delivery Group -> Create Delivery Group tab (Fig. 10).
Fig. 10 - Delivery Group window
Select the previously created directory of virtual machines and specify how many virtual machines will be available to users of this group (Fig. 11).
Fig. 11 - "Machines" window
Click Next.
Select the type of resources delivered: applications or virtual machines (Fig. 12).
Fig. 12 - "Delivery Type" selection
Click Next.
Assign the users to whom the virtual machines will be associated (Fig. 13).
Fig. 13 - User selection window
Click Next.
Citrix Receiver is configured later (see Section 2.5). In the next window, select Manually, using a StoreFront server address that I will provide later (Fig. 14).
Fig. 14 - Citrix StoreFront settings window
Click Next.
Check the final settings and specify the name of the group (Fig. 15).
Fig. 15 - Summary window
Click Finish.
The group of virtual machine users has been created (Fig. 16).
Fig. 16 - Created Delivery Group
Attention: Make sure that all virtual machines in the pool are registered (have the Registered status (Fig. 17)).
Fig. 17 - Virtual machine status window
3. Check availability of virtual machines
Go to the user's workstation (PC). This is Windows 7 x64 with JC Client 6.24.16 preinstalled.
Open a browser and in the address bar enter the path to the Citrix XenDesktop web interface: http://xd7.aladdin.local/Citrix/StoreWeb/ (Fig. 18).
If Citrix Receiver is not installed, the Citrix Receiver installation window will appear (Fig. 19). Click Install.
Fig. 18 - XenDesktop software web interface
Fig. 19 - Installing Citrix Receiver
Enter the user name and password of the user account in the AD directory service. This account must be a member of the virtual machine user group that was created in section 1.2 (Fig. 20).
Fig. 20 - User authentication window in the XenDesktop software web interface
Make sure that the virtual machine is available, and then end the user session (Start -> Log Out) (Fig. 21).
Fig. 21 - User's virtual machine
Configuring Smart Card Authentication
1. Certificate Issue for IIS
On the server where XenDesktop 7 is installed, start the Internet Information Services (IIS) management snap-in (Fig. 22).
Fig. 22 - Path to the IIS management snap-in
Open the Server Certificates tab (Fig. 23).
Fig. 23 - IIS management tools
Select Create Domain Certificate (Fig. 24).
Fig. 24 - Create Certificate tab
Fill in the organization information for the issued certificate (Fig. 25). In the Common name field, enter the fully qualified domain name of the server with the XenDesktop software installed. In the present example: xd7.aladdin.local.
Fig. 25 - Information about the organization in the issued certificate
Select the organization's certification authority and, in the Friendly name field, specify the fully qualified domain name of the server with the XenDesktop software installed. In the present example: xd7.aladdin.local (Fig. 26).
Fig. 26 - Certificate issue for the IIS service
Click Finish.
Verify that the certificate was successfully issued (Fig. 27).
Fig. 27 - Certificate issue result
2. Configure SSL access to IIS
Click the Default Web Site tab and click Bindings... In the window that opens, click Add (Fig. 28).
Fig. 28 - Site Bindings settings window
Select the connection type https, and in the SSL certificate list select the previously issued certificate for IIS (Fig. 29). In this example, the certificate name is xd7.aladdin.local.
Fig. 29 - Add Site Binding window
Click OK.
Make sure that this type of connection has been added to the list (Fig. 30).
Fig. 30 - Result of setting the connection type
Close the "Site Bindings" window.
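The same HTTPS binding can be created and checked from PowerShell instead of the IIS Manager dialogs. The script below is an added example, not part of the original article or of Citrix's own tooling; it assumes the server FQDN xd7.aladdin.local used throughout the article and the WebAdministration module that ships with IIS 7.5 on Windows Server 2008 R2. It selects the certificate by its Subject CN rather than by friendly name, because a CN that does not match the StoreFront URL is what makes browsers and Receiver reject the connection later.

```powershell
# Added example (not from the original article): bind the certificate issued for the
# StoreFront server to HTTPS on "Default Web Site" and verify the result.
# Assumptions: server FQDN xd7.aladdin.local (as in the article); WebAdministration
# module available (IIS 7.5 / Windows Server 2008 R2); run in an elevated session.
Import-Module WebAdministration

$fqdn = 'xd7.aladdin.local'   # FQDN from the article; replace with your own server
$site = 'Default Web Site'

# Pick the certificate whose Subject CN matches the server FQDN and that has a
# private key. A CN mismatch makes clients reject the StoreFront URL.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$fqdn*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$fqdn and a private key in LocalMachine\My" }

# Create the https binding on port 443 if it does not exist yet.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}

# Attach the certificate to the 0.0.0.0:443 SSL binding (replace any previous one).
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" | New-Item $sslPath | Out-Null

# Verification: the site must list an https binding, and the thumbprint bound on
# port 443 must be the certificate selected above.
Get-WebBinding -Name $site | Format-Table protocol, bindingInformation -AutoSize
$bound = Get-Item $sslPath
if ($bound.Thumbprint -ne $cert.Thumbprint) {
    throw 'SSL binding on port 443 does not use the expected certificate'
}
"HTTPS binding on '$site' uses $($cert.Subject), valid until $($cert.NotAfter)"
```

After running it, the https entry should appear in the Site Bindings list exactly as in Fig. 30. Picking the certificate with the latest NotAfter date means a renewed domain certificate is bound automatically on the next run, which is useful when the script is kept as part of the server build procedure.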
3. Configure Citrix StoreFront
Attention! When working with StoreFront in multi-server installations, use only one server when making changes to the settings. Make sure that the Citrix StoreFront management console is not running on another server or servers of this server group. After completing the configuration, make sure that the changes were applied to all servers of the group.
Launch Citrix Studio. In the Citrix StoreFront tab, click the Authentication tab (Fig. 31).
Fig. 31 - StoreFront Authentication tab
Select Add / Remove Authentication Methods. The Add / Remove Methods window opens (Fig. 32). Select the smart card authentication method.
Fig. 32 - Add / Remove Authentication Methods window
Click OK.
Make sure that the Smart card authentication method has been added on the Authentication tab (Fig. 33).
Fig. 33 - Result of changing the authentication methods
Open Default Web Site -> Citrix -> Authentication -> Certificate (Fig. 34).
Fig. 34 - Certificate Home tab
Select SSL Settings -> Require SSL. Check the Require parameter (Fig. 35).
Fig. 35 - SSL Settings
To verify the SSL settings, perform the following steps. Instead of xd7.aladdin.local, specify the fully qualified domain name of the server with Citrix XenDesktop.
A window will appear in which you need to select a user certificate (Fig. 36).
Fig. 36 - User certificate request window
Select a user certificate and click OK.
The following window will be displayed (Fig. 37).
Fig. 37 - PIN code request window for the user's smart card
Enter the PIN code of the user's smart card and click OK.
If the SSL connection is established successfully, the opened page will show information about the user's certificate (Fig. 38).
Fig. 38 - User certificate verification window
Connect to the server with Citrix XenDesktop installed and configure the communication protocols for SSL.
Launch the Citrix Studio management console. Open the Citrix StoreFront node and select the Server Group tab. Select Change Base URL and change the http value to https (Fig. 39).
Fig. 39 - "Change Base URL" window
Click OK.
Click the Stores tab (Fig. 40).
Fig. 40 - Stores tab
Select Manage Delivery Controllers. In the window that opens, click Edit (Fig. 41).
Fig. 41 - Manage Delivery Controllers window
In the Transport type field, replace HTTP with HTTPS (Fig. 42, Fig. 43).
Fig. 42 - "Edit Delivery Controller" window with the HTTP value
Fig. 43 - "Edit Delivery Controller" window with the HTTPS value
Click OK.
Make sure that the value Service using HTTPS appears in the Status field (Fig. 44).
Attention: After applying the settings, you must restart the server with Citrix XenDesktop.
Fig. 44 - Status field value
4. Customize XML Queries
You must allow XML requests to the server with Citrix XenDesktop installed. To do this, follow these steps.
On the server with Citrix XenDesktop installed, open the Windows PowerShell command prompt (Fig. 45).
Fig. 45 - Path to the Windows PowerShell command line
In the command line that opens, execute the following command (Fig. 46):
Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
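The setting above tells the Delivery Controller to trust the authentication assertions that StoreFront sends on the XML service port, which is why the HTTPS transport configured in the previous section matters: without it, anything that can reach the XML port could impersonate StoreFront. The script below is an added example, not part of the article, that loads the broker snap-in (a plain "Windows PowerShell" window does not load it automatically), shows the current value, applies the change only when needed, and reads the value back from the site database; it assumes it runs on a Delivery Controller with the XenDesktop 7 PowerShell snap-ins installed.

```powershell
# Added example (not from the original article): enable and verify the XML service
# trust setting in an idempotent, auditable way. Assumption: run on a Delivery
# Controller where the XenDesktop 7 PowerShell snap-ins are installed.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

# Show the current state before changing anything (useful for change records).
$site = Get-BrokerSite
"Site '$($site.Name)': TrustRequestsSentToTheXmlServicePort = $($site.TrustRequestsSentToTheXmlServicePort)"

if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    # With this enabled the broker trusts StoreFront's assertions on the XML port,
    # so the XML port must only be reachable from the StoreFront servers, and the
    # StoreFront-to-controller transport should be HTTPS as configured above.
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}

# Re-read rather than assume: confirm the setting persisted in the site database.
$after = Get-BrokerSite
if (-not $after.TrustRequestsSentToTheXmlServicePort) {
    throw 'XML service trust is still disabled; check broker admin permissions and retry.'
}
'XML service trust enabled.'
```

Running the script a second time leaves the site untouched and only prints the current value, so it can be used as a health check after the restart that the article requires.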
Fig. 46 - "Windows PowerShell" command line
5. Setting up a user's PC
Connect to the user's PC. Open Citrix Receiver and add the address of the server with the published desktops and / or applications (Fig. 47).
Fig. 47 - Adding the server address to Citrix Receiver
To ensure correct operation, the address of the server with the Citrix StoreFront software must be added to the trusted (Trusted sites) or local (Local intranet) sites in your browser. In the security level settings for whichever zone you choose, make sure that the Automatic logon setting is enabled. Internet Explorer 9.0 or higher is recommended.
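The zone membership and the Automatic logon setting live in the Internet Explorer zone registry keys, so they can be set and verified without the dialogs. The script below is an added example, not part of the article; it assumes the StoreFront server xd7.aladdin.local from the article, the per-user zone keys (if a machine-wide zone policy is enforced, the same values must be delivered by group policy instead), and uses the Local intranet zone, which is the one normally used for domain-joined PCs. It maps only the https scheme, because the StoreFront base URL is https after the "Change Base URL" step and an http mapping would only widen the set of trusted addresses.

```powershell
# Added example (not from the original article): put the StoreFront server in the IE
# "Local intranet" zone for the current user and enable automatic logon for that zone.
# Assumptions: server xd7.aladdin.local (from the article); no machine-wide zone
# policy (Security_HKLM_only) overriding the per-user keys.
$serverHost = 'xd7'           # host part of the StoreFront FQDN
$domain     = 'aladdin.local' # DNS domain part
$zoneId     = 1               # IE zone ids: 1 = Local intranet, 2 = Trusted sites

# ZoneMap\Domains\<domain>\<host> holds one DWORD per URL scheme whose value is the zone id.
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$hostKey = Join-Path (Join-Path $zoneMap $domain) $serverHost
New-Item -Path $hostKey -Force | Out-Null
Set-ItemProperty -Path $hostKey -Name 'https' -Value $zoneId -Type DWord

# 1A00 is the zone's "Logon" security setting; 0 means automatic logon with the
# current user name and password (the "Automatic logon" option the article refers to).
$zoneKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zoneId"
Set-ItemProperty -Path $zoneKey -Name '1A00' -Value 0 -Type DWord

# Verification: read both values back instead of trusting the writes.
$mapped = (Get-ItemProperty -Path $hostKey).https
$logon  = (Get-ItemProperty -Path $zoneKey).'1A00'
if ($mapped -ne $zoneId -or $logon -ne 0) {
    throw 'Zone mapping or automatic logon setting was not applied'
}
"https://$serverHost.$domain is in zone $zoneId; automatic logon enabled for that zone."
```

Internet Explorer reads these keys on the next start, so close and reopen the browser (or Receiver, which uses the same zone settings) before testing. Adding only the StoreFront host, rather than the whole *.aladdin.local domain, keeps automatic credential submission limited to the server that actually needs it.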
If the server address is correct and the smart card with the certificate is connected to the USB port of the user's PC, a window will open asking for the user's PIN code (Fig. 48).
Fig. 48 - Citrix Receiver software: PIN request for the user's smart card
Enter the user's PIN (Fig. 49).
Fig. 49 - Entering the user PIN
Connection to the application server (Fig. 50).
Fig. 50 - Connecting to the application server
Once connected, open the All Applications tab. The available applications and desktops are displayed. In the present example, select Win7x32 (Fig. 51).
Fig. 51 - List of available applications
To log into Windows on the virtual machine, you must enter the PIN code of the user's key carrier (Fig. 52).
Fig. 52 - Smart card authentication on the remote desktop
Authentication was successful (Fig. 53).
Fig. 53 - Successful smart card authentication on the remote desktop
Configuring Pass-Through Smart Card Authentication
1. How to configure Single Sign-On for smart card authentication with XenDesktop 7 software
Attention: For pass-through smart card authentication to work correctly, the user's end device (user PC) must be joined to the domain in which the infrastructure servers with Citrix XenDesktop 7 software (Delivery Controller, StoreFront, etc.) are installed, or, when multiple domains are used, trusts must be configured between the domains.
Configuring Single Sign-On (SSO) for smart card authentication with XenDesktop 7 software consists of several steps:
- create a virtual machine directory;
- create a group of users of virtual machines;
- install Citrix Receiver 4.0 or higher on the user's PC;
- configure the Citrix XenDesktop software authentication policies;
- issue a certificate for IIS and configure SSL access to IIS;
- set up XML requests to the server with XenDesktop 7 installed;
- configure the Citrix StoreFront 2.1 software to enable SSO for smart card authentication;
- set up the user's PC (p. 34).
2. Install and configure Citrix Receiver 4.0 software to enable SSO for smart card authentication
To configure pass-through smart card authentication in Citrix Receiver 4.0, you must install Citrix Receiver 4.0 with additional options. Install Citrix Receiver 4.0 from the command line:
- on the user's PC, launch the CMD command line utility with administrator rights;
- on the command line, specify the path to the Citrix Receiver 4.0 installer file and the parameters that enable SSO: /includeSSON AM_SMARTCARDPINENTRY=CSP. Example: C:\Distr\CitrixReceiver.exe /includeSSON AM_SMARTCARDPINENTRY=CSP
- wait for the installation of Citrix Receiver 4.0 to finish and restart the user's PC;
- after rebooting the user's PC, check that the running processes (Task Manager / Processes) include an ssonsrv.exe process;
- configure the authentication policies for the Citrix XenDesktop software that will be applied to Citrix servers and user devices, as described in Section 3.3.
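The installation and the post-reboot check can be scripted so that the same command line is used on every user PC and the presence of the SSON service is verified rather than eyeballed in Task Manager. The script below is an added example, not part of the article or of Citrix's installer documentation; it uses exactly the two switches the article gives and assumes the installer path C:\Distr\CitrixReceiver.exe from the article and an elevated PowerShell session.

```powershell
# Added example (not from the original article): install Citrix Receiver 4.0 with the
# SSON component and CSP PIN entry, then verify that ssonsrv.exe is running.
# Assumptions: installer at C:\Distr\CitrixReceiver.exe (path from the article);
# run as administrator; the verification function is meant for use after the reboot.
$installer = 'C:\Distr\CitrixReceiver.exe'

function Install-ReceiverWithSson {
    if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }
    # Same switches as the article's CMD example: /includeSSON installs the single
    # sign-on component, AM_SMARTCARDPINENTRY=CSP lets the CSP prompt for the PIN.
    $proc = Start-Process -FilePath $installer `
        -ArgumentList '/includeSSON', 'AM_SMARTCARDPINENTRY=CSP' -Wait -PassThru
    Write-Host "Installer exit code: $($proc.ExitCode)"
    return $proc.ExitCode
}

function Test-SsonRunning {
    # ssonsrv.exe only starts after the reboot the article requires, so a missing
    # process right after installation is expected; a missing process after the
    # reboot means SSON was not installed (re-run with /includeSSON).
    $p = Get-Process -Name ssonsrv -ErrorAction SilentlyContinue
    if ($p) {
        Write-Host "ssonsrv.exe is running (PID $($p.Id))"
        return $true
    }
    Write-Host 'ssonsrv.exe is not running'
    return $false
}

# Typical use: run the install, reboot, then call Test-SsonRunning on the next logon.
if (-not (Test-SsonRunning)) {
    $code = Install-ReceiverWithSson
    if ($code -eq 0) { Write-Host 'Installation finished; restart the PC and run Test-SsonRunning again.' }
}
```

Keeping the switches in a script rather than typing them by hand avoids the most common failure here, a Receiver installed without /includeSSON, which silently falls back to prompting for credentials even though the policies in the next section are correct.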
Detailed information on configuring smart card authentication can be found on the online documentation website: http://support.citrix.com/proddocs/topic/receiver-windows-40/receiver-windows-smart-card-cfg.html. To configure pass-through authentication settings, pay attention to the following sections: To enable single sign-on for smart card authentication, To use CSP PIN prompts.
3. Configure Authentication Policies for Citrix XenDesktop
It is recommended to configure the policies through Active Directory directory service group policies. You can also configure them from the local policy management snap-in.
To configure group policies, perform the following sequence of actions:
- in the Active Directory group policy templates, import the Citrix ADM policy template (Add Template in the Group Policy Management snap-in). The policy template can be found in the Citrix Receiver client installation folder: C:\Program Files (x86)\Citrix\ICA Client\Configuration\icaclient.adm;
- create a policy (or edit an existing one) and enable pass-through smart card authentication;
- open the section Computer Configuration -> Policies -> Administrative Templates -> Classic -> Citrix Components -> Citrix Receiver -> User Authentication;
- select the Smart Card Authentication setting and enable the "Allow smart card authentication" and "Use pass-through authentication for PIN" options. Select the Local User Name and Password setting and enable the "Enable pass-through authentication" and "Allow pass-through authentication for all ICA connections" parameters (Fig. 54, Fig. 55).
Detailed information is available on the website: http://support.citrix.com/proddocs/topic/ica-settings/ica-settings-wrapper.html
Fig. 54 - Configuring AD group policies for SSO
Fig. 55 - Configuring AD directory group policies for SSO
4. Configure Citrix StoreFront 2.1 to enable pass-through smart card authentication
Attention: When working with Citrix StoreFront in multi-server installations, use only one server when making changes to the settings. Make sure that the Citrix StoreFront management console is not running on another server (or servers) of this server group. After completing the configuration, make sure that the changes were applied to all servers of the group.
To configure Citrix StoreFront for SSO with smart card authentication, perform the following steps on the server with Citrix StoreFront installed:
- perform the initial setup of the Citrix StoreFront 2.1 software according to the section "Configure Citrix StoreFront";
- in the Add / Remove Authentication Methods section, add the Domain pass-through authentication method (Fig. 56);
Fig. 56 - Setting the authentication method
- to enable pass-through authentication using smart cards, you must make additional configuration changes. To do this, edit default.ica for each Citrix Store that requires pass-through smart card authentication;
- using a text editor, open the file default.ica, which is located in the folder C:\inetpub\wwwroot\Citrix\storename\App_Data\;
- if the infrastructure does not use authentication via NetScaler Gateway, add the following parameter to the [Application] section: DisableCtrlAltDel=Off. This setting will apply to all users;
- to enable pass-through smart card authentication using NetScaler Gateway, add the following parameter to the [Application] section: UseLocalUserAndPassword=On. Detailed information is available at: http://support.citrix.com/proddocs/topic/dws-storefront-21/dws-configure-conf-smartcard.html
- configure the user's PC according to the section "Setting up a user's PC" (see Section 2.5). Verify that the login to the user's virtual machine is successful. Check that after logging in to the user's PC (using a smart card or password), no window requesting credentials or a PIN code appears when accessing StoreFront and / or the user's virtual machine.
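Editing default.ica by hand on every StoreFront server of a group is where the "use only one server" warning above usually gets broken, and a duplicated or misplaced key is easy to miss in a text editor. The script below is an added example, not part of the article or of StoreFront; it writes the [Application] parameter the article gives for the no-NetScaler case, keeps a backup, and is idempotent so it can be re-run safely. It assumes a store named "Store" (the article uses the placeholder "storename") and the App_Data path from the article; for the NetScaler Gateway case call it with UseLocalUserAndPassword=On instead.

```powershell
# Added example (not from the original article): add or update one key in a section
# of a store's default.ica without duplicating it, keeping a backup copy.
# Assumptions: store name "Store" (article placeholder: storename); path as in the
# article; no NetScaler Gateway, hence DisableCtrlAltDel=Off from the article.
$storeName = 'Store'
$icaFile   = "C:\inetpub\wwwroot\Citrix\$storeName\App_Data\default.ica"

function Set-IcaParameter {
    param([string]$Path, [string]$Section, [string]$Name, [string]$Value)
    if (-not (Test-Path $Path)) { throw "default.ica not found: $Path" }
    Copy-Item $Path "$Path.bak" -Force              # keep a restorable copy

    $out = @(); $inSection = $false; $done = $false
    foreach ($line in @(Get-Content $Path)) {
        $t = $line.Trim()
        if ($t.StartsWith('[')) {
            # Leaving the target section without having seen the key: add it here,
            # so the key stays inside [Application] rather than at the file end.
            if ($inSection -and -not $done) { $out += "$Name=$Value"; $done = $true }
            $inSection = ($t -eq $Section)
        } elseif ($inSection -and -not $done -and $line -match "^\s*$Name\s*=") {
            $line = "$Name=$Value"; $done = $true     # replace an existing value
        }
        $out += $line
    }
    if (-not $done) {
        # Key never written: the section was last in the file, or absent altogether.
        if (-not $inSection) { $out += $Section }
        $out += "$Name=$Value"
    }
    $out | Set-Content $Path
}

Set-IcaParameter -Path $icaFile -Section '[Application]' -Name 'DisableCtrlAltDel' -Value 'Off'

# Verification: the key must appear exactly once in the file after the edit.
$hits = @(Get-Content $icaFile | Where-Object { $_ -match '^\s*DisableCtrlAltDel\s*=' }).Count
if ($hits -ne 1) { throw "DisableCtrlAltDel appears $hits times in $icaFile" }
"DisableCtrlAltDel=Off set in $icaFile (backup at $icaFile.bak)"
```

Run it on the single server you are using for changes, then propagate the server group as the article describes and confirm the key is present on each member, since a server that missed the propagation will prompt for credentials while the others do not.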
In conclusion, I would like to point out once again the advantages of using strong two-factor authentication in VDI with Aladdin RD solutions:
- an increased overall level of security, due to abandoning simple passwords and moving to strong authentication with a second factor;
- secure access to virtual desktops and applications;
- the ability to work with smart cards and USB tokens after authentication in a secure session;
- the possibility of using electronic signatures;
- support for RSA and GOST algorithms;
- additional benefits: the same card, in addition to its basic functions of authentication and electronic signature, can serve as a pass to premises (with an RFID tag), as a payroll card (MasterCard or VISA payment application) or as a transport card;
- other customization options are available, such as applying a logo and the customer's corporate style.