Smart Card Troubleshooting SSO with Access Gateway Enterprise Edition - Part 2


Minor updates: 13 June 2013, 01:19 CET

This post is the second part of a two-part series.

  • It took a while to write this second blog post, because I basically wanted a second chance to try my settings in an environment similar to the one I first met. With a Swiss and a Swedish customer / partner I have had the opportunity to re-check my recommended settings.

  • Assumptions:
  • It is assumed that you have read my original blog post, Smart Card SSO Troubleshooting with Access Gateway Enterprise Edition - Part 1, that you have completed all the steps in CTX124603 and / or CTX126985, and that you still cannot get this working. If you think everything is configured correctly and Citrix XenApp simply cannot manage it, I recommend that you read at least the IMPORTANT NOTES section further down.

  • Background:
  • This real-life scenario includes the aggregation of applications from two different farms, a XenApp 5 farm and a XenApp 6 farm, on Windows 2003 and Windows 2008 R2. I also had the opportunity to check this with XenApp 6.5, and I can confirm that all the challenges are the same.
    One thing to keep in mind is that access is from Windows 7 via NetScaler / AGEE, leveraging a XenApp Web site. I have not had the opportunity to try a different configuration.

    Please note that this is not a beginner's guide; it assumes you have some basic knowledge of smart cards, certificates and NetScaler / Access Gateway Enterprise Edition, that the root certificates are installed correctly, and that the smart card and CSP are compatible, functional and properly assigned, among other things.


  • Common errors and recommended settings:
  • The hints and tips below relate primarily to XA 6.0 / 6.5 and Windows 2008 / R2.


    NetScaler / Access Gateway Enterprise Edition.
    It is assumed that the procedures described in the following white papers have been followed: CTX124603 and / or CTX126985.

    • It is also assumed that the path used to point to the STA in AGEE is an FQDN, following this format: "http://my.domain.xyz/Scripts/ctxsta.dll"


    End-user items.

    • See CTX126985
    • Also ensure that the proper CSP is installed (if required), along with the smart card reader drivers, etc.


    XML Broker / Controller port.
    To keep things simple, I recommend that you use the same XML port for all XML brokers in all farms.

    • In my first case I basically created a policy and configured the XML service to listen on port 80 (XA6 farm), as that was the port the XA5 farm used as well, instead of 8080.


    XenApp.
    "Trust XML requests sent to the broker" is a requirement and must be configured on every broker in the farm that could be used in this configuration.

    • The simplest method is to create a XenApp policy and apply it to the XenApp brokers / controllers.


    Web Interface
    Check that the domain CA certificate is already present on the WI machine, then create and install an SSL Web Server certificate on the WI machine. Configure IIS to use HTTPS.


    Web Interface - STA
    A common mistake is to forget to specify the full path correctly; do not forget to append "/scripts/ctxsta.dll".

    • In addition, it is always recommended to use the FQDN of the STA server.


    IIS on Windows 2008 / R2

    • Make sure that the Web Server > Security > IIS Client Certificate Mapping Authentication role service is NOT installed for the Web Server (IIS) role.
    • At the web server level:
      • Authentication > Active Directory Client Certificate Authentication = Enabled
    • At the web site level:
      • SSL Settings > Client certificates = Ignore
      • Authentication > Anonymous Authentication = Enabled


    IIS / XML port sharing.
    If you install IIS after installing XenApp (IIS and XML port sharing is a requirement), you are more likely to run into problems. You can try to solve this by following CTX125107; alternatively, keep it simple and start from scratch, installing IIS as part of the XenApp install rather than afterwards.

    • In my case, IIS was installed later, and there were two (2) issues: one was that ctxxmlss was still listening (it should not); the second was that the XML Service for the XA 6.0 farm was listening on 8080, not port 80. Remember that if you use anything other than port 80, you might have to specify the paths in the following format: http(s)://FQDN:8080/
    • You must also ensure that you follow the appropriate requirements; see "Requirements for XenApp 6 for Windows Server 2008 R2" in the reference section below.


    IIS Anonymous (WI & XML).
    Ensure that anonymous authentication is enabled on the servers acting as WI and XML broker (if they are not the same server).

    • This is to ensure that the XML Service can accept and respond to requests; otherwise the "Trust XML requests sent to the XML Service" option, which is a requirement, will fail.

    • In my case, IIS anonymous authentication was unfortunately disabled, and the type of error you get is basically:
      "Error 30014 Site path: C:\inetpub\wwwroot\Citrix\Smartcard
      An error occurred on the Citrix servers while analyzing the request. This message was
      reported from the XML Service at http://my.domain.xyz/scripts/CtxIntegrated/wpnbr.dll
      [com.citrix.xml.NFuseProtocol.RequestAppData].
      The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services [Unique Log ID: 6ax44xxx]"


    IIS / XML - WIA
    You must also make sure that Integrated Windows Authentication is enabled on the server acting as XML (IIS) broker.

    • Open IIS Manager and go to Sites > Default Web Site > Citrix.

    • It might also be possible to set this on the "Default Web Site" instead of the site used by WI.


    Pass-through specific settings (NO PIN prompt at launch)

    When creating the WI site, set the following:

    • Point of authentication = Access Gateway
    • Authentication options = Smart Card / Enable Smart Card Pass-Through


    IMPORTANT NOTES:


    SPN record
    One of the most common problems is that a specific SPN registration is missing on the XML (IIS) server(s). According to Microsoft, an SPN is a unique identifier for a service on a network that uses Kerberos authentication.

    • In my case, I had to run "setspn -L server" on each XML (IIS) server to check for SPN records, where the server parameter is essentially the NetBIOS computer name of the XML (IIS) server. The interim XML (IIS) server for the new XenApp 6.0 farm was actually missing its SPN record and I had to create it. The thing to look for is an entry that looks something like this:
    • http/my.domain.xyz
    • If you only see WSMAN, TERMSRV, RestrictedKrbHost and HOST records, you must create the SPN record; see the Commands section below.


    Commands:

    • List SPN records: setspn -L server
    • Create an SPN: setspn -a http/FQDN NetBIOSName
    • Report all duplicate SPN records in the domain: setspn -T * -T foo -X


    Lessons learned:
    Make sure to use the FQDN in the SPN when you create the record, otherwise you might not get this to work correctly. Furthermore, SPN records are used for Kerberos and are not a requirement for IIS; as such, they are not created when installing XML (IIS).
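    The SPN check above can be scripted so that every XML (IIS) broker is verified the same way. The following PowerShell is an added example and not part of the original post; it wraps setspn.exe, looks for the http/FQDN record, flags a NetBIOS-only record (the mistake described under "Lessons learned") and prints the setspn command to fix it. The broker FQDNs are assumed placeholders.

```powershell
# Added example (not from the original post): verify the http/<FQDN> SPN on each XML (IIS) broker.
# Runs setspn.exe, which ships with Windows Server 2008 R2 (or RSAT). Hostnames below are assumed.
$XmlBrokers = @('xmlbroker01.my.domain.xyz', 'xmlbroker02.my.domain.xyz')

function Get-RegisteredSpn {
    param([Parameter(Mandatory)][string]$NetBiosName)
    # "setspn -L <host>" prints a header line followed by one indented SPN per line.
    $lines = & setspn.exe -L $NetBiosName 2>&1
    $lines | ForEach-Object { $_.ToString().Trim() } |
        Where-Object { $_ -and ($_ -notmatch '^Registered ServicePrincipalNames') -and ($_ -notmatch 'Could not find') }
}

function Test-XmlBrokerSpn {
    param([Parameter(Mandatory)][string]$Fqdn)
    $netbios  = ($Fqdn -split '\.')[0]            # NetBIOS name is the first DNS label
    $spns     = @(Get-RegisteredSpn -NetBiosName $netbios)
    $expected = "http/$Fqdn"
    # -contains is case-insensitive, matching how the KDC resolves SPNs.
    $hasFqdn    = $spns -contains $expected
    $hasNetbios = $spns -contains "http/$netbios"   # the NetBIOS-only record the post warns about
    [pscustomobject]@{
        Broker             = $Fqdn
        HasHttpFqdn        = $hasFqdn
        HasHttpNetbiosOnly = (-not $hasFqdn) -and $hasNetbios
        Remediation        = if ($hasFqdn) { 'OK' } else { "setspn -a $expected $netbios" }
    }
}

$XmlBrokers | ForEach-Object { Test-XmlBrokerSpn -Fqdn $_ } | Format-Table -AutoSize

# Duplicate SPNs break Kerberos as well (the KDC cannot choose a target), so report them domain-wide.
& setspn.exe -X
```

    Run it from an account that can read computer objects in the domain; the Remediation column is only a suggestion and creating the SPN still requires the appropriate rights.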


    Active Directory Kerberos Delegation - Constrained Delegation.
    The delegations can probably be optimized further, but the following works for me. It is also assumed that WI is hosted on a dedicated WI server (if not, simply combine the WI and XML broker delegation requirements as if it were one server).

    • Web Interface should delegate to:
      • HTTP service on all XML brokers (possibly itself, in some models)
    • XML Broker should delegate to:
      • CIFS and LDAP (all domain controllers)
      • HOST (all XenApp servers in the same farm)
      • HOST (itself)
      • HTTP (itself)
    • XenApp should delegate to:
      • CIFS and LDAP (all domain controllers)
      • HOST (itself)
      • HTTP service on all XML brokers


    Active Directory Kerberos Delegation - Multiple farms scenario
    If you are going to extend this solution to include more XenApp farms and / or more XML brokers, do not forget to add an HTTP delegation (AD computer objects) to these brokers on the WI server.

    • Trust this computer for delegation to specified services only
    • Use any authentication protocol
    • Add: HTTP - XML (IIS), using the FQDN
    • In my case, a new XenApp 6.0 farm was added to the already existing XenApp 5.0 farm, but the HTTP delegation to the new XA6.0 farm's XML (IIS) server was missing.


    Active Directory Kerberos Delegation - Type of delegation
    The most interesting and least documented parameter is that on the XA servers you cannot use the delegated services with "Use Kerberos only".
    That setting essentially does not work; you must configure all the XenApp delegations with the following parameters:

    • Trust this computer for delegation to specified services only, Use any authentication protocol
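    The delegation settings from the two sections above live in two AD attributes: the target services in msDS-AllowedToDelegateTo, and "Use any authentication protocol" as the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl. The following PowerShell is an added example, not from the original post; it reads both attributes for a WI server and a XenApp server and reports missing services and the wrong delegation type. It assumes the ActiveDirectory module and placeholder server names.

```powershell
# Added example (not from the original post): audit constrained delegation on the WI and XenApp
# computer accounts. Requires the ActiveDirectory module (RSAT). All hostnames are assumed.
Import-Module ActiveDirectory

$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "Use any authentication protocol" (protocol transition)
$TRUSTED_FOR_DELEGATION         = 0x80000     # "Trust this computer for delegation to any service" (unconstrained)

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # sAMAccountName without the trailing $
        [Parameter(Mandatory)][string[]]$RequiredSpn   # services the computer must be allowed to delegate to
    )
    $c = Get-ADComputer -Identity $ComputerName -Properties msDS-AllowedToDelegateTo, userAccountControl
    $uac     = [int]$c.userAccountControl
    $allowed = @($c.'msDS-AllowedToDelegateTo')
    $missing = @($RequiredSpn | Where-Object { $allowed -notcontains $_ })   # case-insensitive compare
    $anyProtocol = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    [pscustomobject]@{
        Computer        = $ComputerName
        AnyProtocol     = $anyProtocol                               # must be $true per the post
        Unconstrained   = [bool]($uac -band $TRUSTED_FOR_DELEGATION) # should be $false
        MissingServices = $missing
        Ok              = $anyProtocol -and ($missing.Count -eq 0)
    }
}

# Assumed topology: one WI server, two XML brokers, one XenApp server, two domain controllers.
$xmlBrokers = 'xml01.my.domain.xyz', 'xml02.my.domain.xyz'
$dcs        = 'dc01.my.domain.xyz', 'dc02.my.domain.xyz'
$httpToBrokers = $xmlBrokers | ForEach-Object { "HTTP/$_" }
$dcServices    = $dcs | ForEach-Object { "cifs/$_"; "ldap/$_" }

Test-ConstrainedDelegation -ComputerName 'WI01' -RequiredSpn $httpToBrokers | Format-List
Test-ConstrainedDelegation -ComputerName 'XA01' `
    -RequiredSpn (@($dcServices) + @($httpToBrokers) + @('HOST/xa01.my.domain.xyz')) | Format-List
```

    The AD UI writes both the FQDN and NetBIOS forms of each service into msDS-AllowedToDelegateTo, so a computer that only lists the short form will show the FQDN entry as missing, which is the case the post says does not work.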


    Wireshark.
    Using Wireshark when you are stuck is always smart, and I recommend installing it on the XML (IIS) server and filtering on Kerberos. You will notice that Windows has many different types of Kerberos entries, but for the SPN errors you should look for KRB5 and, in the Info field, "KRB Error: KRB5KDC_ERR_BADOPTION NT Status: STATUS_NO_MATCH".
    If the SPN record has not been created, it will not be found and you get the error above; if you only used the NetBIOS name when creating the SPN record instead of the FQDN, you also get an error similar to the one above.


    Application launch failure.
    For XenApp 6 and XenApp 6.5 there have been some problems with application launch. Basically, even when everything is configured properly, users are prompted for a user name and password when connecting to the application, instead of a PIN / PIN pass-through (see image below).

    • This is now solved in XA6.0 (part of HRP01), and a similar fix will soon be released for XA6.5. There are also other fixes for XA6.5 that might be needed, such as XA650W2K8R2X64015.


    IIS Troubleshooting.
    If you do not have control over the IIS installation, it is worth reviewing the provider order for Windows Authentication.

    • Negotiate needs to be first in the order if NTLM is also listed.
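    The IIS settings this post asks for (anonymous and Windows authentication enabled, Negotiate ahead of NTLM, client certificates ignored at the site, AD client certificate mapping at the server, and the IIS client certificate mapping role service absent) can be read back in one pass. The following PowerShell is an added example, not from the original post; it assumes the WebAdministration and ServerManager modules on Windows Server 2008 R2 and the default site name.

```powershell
# Added example (not from the original post): audit the IIS settings the post lists on the
# WI / XML (IIS) broker. Requires WebAdministration (IIS 7+) and ServerManager. Site name assumed.
Import-Module WebAdministration
Import-Module ServerManager

function Get-IisProp {
    param([string]$Path, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $Path -Filter $Filter -Name $Name
    if ($null -ne $v.Value) { $v.Value } else { $v }   # boolean attributes come back wrapped
}

function Get-IisSmartCardSsoSettings {
    param([string]$SiteName = 'Default Web Site')
    $site = "IIS:\Sites\$SiteName"
    $auth = 'system.webServer/security/authentication'
    # Provider order: Negotiate (Kerberos) must come before NTLM for the SSO chain to work.
    $providers = @((Get-WebConfigurationProperty -PSPath $site -Filter "$auth/windowsAuthentication" -Name providers).Collection |
                   ForEach-Object { $_.value })
    # sslFlags without SslNegotiateCert/SslRequireCert corresponds to "Client certificates = Ignore".
    $sslFlags = [string](Get-IisProp $site 'system.webServer/security/access' 'sslFlags')
    [pscustomobject]@{
        Site                    = $SiteName
        AnonymousEnabled        = [bool](Get-IisProp $site "$auth/anonymousAuthentication" 'enabled')
        WindowsAuthEnabled      = [bool](Get-IisProp $site "$auth/windowsAuthentication" 'enabled')
        Providers               = $providers -join ','
        NegotiateFirst          = ($providers.Count -gt 0) -and ($providers[0] -eq 'Negotiate')
        ClientCertsIgnored      = $sslFlags -notmatch 'SslNegotiateCert|SslRequireCert'
        # Server-level setting: "Active Directory Client Certificate Authentication" = Enabled.
        AdCertMappingEnabled    = [bool](Get-IisProp 'IIS:\' "$auth/clientCertificateMappingAuthentication" 'enabled')
        # Web-Cert-Auth is assumed to be the "IIS Client Certificate Mapping Authentication" role service; it must NOT be installed.
        IisCertMappingInstalled = (Get-WindowsFeature -Name Web-Cert-Auth).Installed
    }
}

Get-IisSmartCardSsoSettings -SiteName 'Default Web Site' | Format-List
```

    Run it in an elevated PowerShell on the WI and on each XML (IIS) broker; every value except IisCertMappingInstalled should come back as the post recommends.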


    Credits:
    I would like to thank the following people for providing valuable feedback while I was creating this blog post and for checking my settings with different configurations.

    • Daniel Feller (Lead Architect - WWC), Holger Fuessler (Architect - EMEA), Mark Strange (Senior Consultant - EMEA)
    • Stephan K. (Swiss government) and Johan G. (IT Architect - ATEA, Sweden) for trying my recommended settings
    • And an extra big thank you to James Gordon (Senior Consultant - EMEA) for digging into some more information. Without James, this blog post would have taken much more time to create.


    References:

    • Smart Card Single Sign-On Integration with Access Gateway Enterprise Edition
      http://support.citrix.com/article/CTX126985
    • How to Configure Smart Card Single Sign-On with Access Gateway Enterprise Edition
      http://support.citrix.com/article/CTX124603
    • Single Sign-On with ICA client certificate required causes Web Proxy connection in Web Interface to fail with HTTP 401 error
      http://support.citrix.com/article/CTX128002
    • Configuring the XML Service to share a port with IIS on 32- and 64-bit versions of Windows Server 2008
      http://support.citrix.com/article/CTX125107
    • Explaining and changing the Citrix XML Service port
      http://support.citrix.com/article/CTX104063
    • Requirements for XenApp 6 for Windows Server 2008 R2
      http://support.citrix.com/proddocs/topic/xenapp6-w2k8/ps-system-requirements-w2k8-xa6.html
    • Readme for Web Interface 5.4 ([#169269])
      http://support.citrix.com/proddocs/topic/web-interface-impington/wi-readme-5-4.html#wi-readme-5-4__kerberos-adfs