In one of our past articles, we showed how to implement two-factor authentication in a simple (local) scenario via StoreFront. It looked like this.
A user with a JaCarta electronic key connects; the system requests the smart card and the public key on it, and the user enters the PIN code. Once the card is unlocked, the service verifies the user by asking the card to sign a challenge (ChallengeResponse) with the certificate stored on the card. After the credentials are checked, the user is either granted access or denied service.
Recently, together with colleagues from Citrix and the Stars and C training center, we held a joint webinar on multifactor authentication in Citrix virtual infrastructure based on a PKI and Aladdin R.D. solutions. It was the third technical webinar in the Citrix security hardening series. In this series, colleagues not only describe ways to increase security but also demonstrate the technical configuration live. The series is primarily of interest to administrators, engineers and technical specialists.
This time we were invited to take part as an expert company in multifactor authentication with extensive experience, including with Citrix products.
During the webinar, we showed how to configure two-factor authentication in less simple scenarios on NetScaler. NetScaler and an external network with external devices were added to the scheme; in fairly general form, the scheme looks like this:
The principle of interaction with the smart card for authentication is the same as before. After the JaCarta PKI token (first factor) is presented and unlocked by entering the PIN code (second factor), the credentials are verified, after which the user is either granted access or denied service.
During the webinar, for our part, we tried to reflect the trend toward digitalization of workplaces, the growth of BYOD and the use of various "untrusted" networks, from the standpoint of protecting virtual infrastructure from unauthorized access and other attacks, and the importance of using several authentication factors. We also talked about the benefits of PKI electronic keys. In general, we covered why multifactor authentication is needed, how to start using it in Citrix, and how it works.
We also touched on the interesting topic of authentication based on one-time passwords; perhaps a separate webinar will be devoted to OTP. If you are interested in this topic or have other questions, you can write to us about it.
The recording of the webinar with our participation is on the Citrix_ru YouTube channel.
The subject of the next technical webinar in the security hardening series will be authentication in Citrix using GOST algorithms with the "Gatekeeper" solution from Sovintegra. This solution works with JaCarta GOST as a protected carrier of the private key and the GOST certificate. The webinar takes place tomorrow; if you hurry, you can find an open registration link on the citrix_ru Facebook page.
The channel also hosts other past technical webinars of this series:
I will add that a link between a local AD and cloud-based Citrix is implemented in a similar way via ADFS, including certificate authentication, as shown in the diagram below.
It works like this.
A number of external devices and users with JaCarta tokens try to reach the resource pool through NetScaler. The system redirects the user's request to the proxy server for authentication. After successful authentication, the user is redirected to the EC for two-factor authentication: using the JaCarta PKI key with the certificate stored on it, the user enters the PIN code. The system returns the authentication data to ADFS, which in turn returns it to NetScaler. The user then either gets access to the resource pool or receives a denial-of-service message.
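As an added example that is not part of the original post and not Aladdin R.D. or Citrix code, the following Go program models the challenge-response step that both flows above rely on: the relying party issues a random challenge, the card signs it only after the correct PIN has been entered, and the service accepts the user only if the certificate chains to its trusted CA and the signature verifies under that certificate's public key. Everything here is constructed for the example: the CA, the user certificate, the PIN "1234", the type and function names, and the in-memory `Card` that stands in for the JaCarta token (a real token keeps the private key in hardware). The forged card holds the genuine certificate but a different private key, which shows that presenting a certificate alone proves nothing without the matching signature.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Card is a constructed software model of the JaCarta PKI token (not vendor code).
type Card struct {
	key     *rsa.PrivateKey // never leaves the card; usable only with the PIN
	CertDER []byte          // user certificate, readable by the relying party
	pin     string
}

// Sign checks the PIN (second factor) and returns a PKCS#1 v1.5 signature over SHA-256(challenge).
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, errors.New("wrong PIN: card stays locked")
	}
	h := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, h[:])
}

// Service is the verifying side (StoreFront, NetScaler or ADFS in the post).
type Service struct {
	roots   *x509.CertPool
	pending map[string]bool // issued challenges, consumed on first use
}

// NewChallenge issues a fresh random nonce, so a captured signature cannot be replayed.
func (s *Service) NewChallenge() []byte {
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	s.pending[string(nonce)] = true
	return nonce
}

// Verify: the challenge must be outstanding, the certificate must chain to the
// trusted CA for client authentication, and the signature must match its key.
func (s *Service) Verify(certDER, challenge, sig []byte) error {
	if !s.pending[string(challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(challenge))
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: s.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	return cert.CheckSignature(x509.SHA256WithRSA, challenge, sig)
}

// Authenticate runs the exchange from the post: the card is presented, the PIN
// entered, the service's challenge signed on the card, and the result verified.
func Authenticate(svc *Service, card *Card, pin string) error {
	challenge := svc.NewChallenge()
	sig, err := card.Sign(pin, challenge)
	if err != nil {
		return err
	}
	return svc.Verify(card.CertDER, challenge, sig)
}

func must[T any](v T, err error) T { // fixture-only helper: a failure here is a programming error
	if err != nil {
		panic(err)
	}
	return v
}

// Setup builds a constructed CA, a genuine card (PIN "1234") and a forged card
// carrying the genuine certificate but a different private key.
func Setup() (*Service, *Card, *Card) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	userKey := must(rsa.GenerateKey(rand.Reader, 2048))
	forgedKey := must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Constructed Example CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice (constructed)"},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	userDER := must(x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Service{roots: roots, pending: map[string]bool{}},
		&Card{key: userKey, CertDER: userDER, pin: "1234"}, &Card{key: forgedKey, CertDER: userDER, pin: "1234"}
}
```

Call `Setup()` and then `Authenticate(svc, card, pin)` from a small `main` or a test: the genuine card with the correct PIN succeeds, a wrong PIN is rejected on the card before anything reaches the service, and the forged card fails at `CheckSignature` even though its certificate is trusted. Each challenge is deleted from `pending` on first use, so a signature captured on an "untrusted" network cannot be replayed; a production verifier would additionally expire unused challenges and check certificate revocation, which this example leaves out.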