Most federal customers have already moved, or are planning a move, to smart card based authentication as their principal method of authenticating to the network domain. Many customers ask whether their CAC or PIV card will work for authentication with Citrix products (yes, it does!) and, if so, how?
Although most of this information already exists in the knowledge base on our support site, this blog entry is a single window onto the resources that are most useful to federal customers. We are also working on a fully integrated, step-by-step Smartcard integration guide targeted specifically at federal customers.
Environment Assumptions for SmartCard authentication
- The Active Directory domain must be pre-configured for PKI authentication.
- Active Directory accounts must be created for the UPN credentials carried on the Smartcard.
- The latest middleware client (ActiveIdentity, Gemalto, etc.) must be installed on the VDA image or the XenApp server.
- The middleware client must also be installed on the endpoint device.
- The Web Interface, XenApp and XenDesktop components must all be members of the AD domain configured for PKI.
- For best results, use the latest version of the Web Interface (v5.4.x).
Smartcard authentication for XenApp / XenDesktop
This scenario is used by most customers deploying XenApp or XenDesktop internally on a secure network.
http://support.citrix.com/article/CTX096
All of the post-XA configuration steps also apply in a XenDesktop environment. The key point in this article, from the standpoint of the XA configuration, is "Trust requests sent to the XML Service". To configure this required setting in a XenDesktop environment, see the details in this article: CTX132461
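The following pre-flight check is an added example, not code from Citrix or from the KB articles above. It verifies the environment assumptions listed earlier (domain membership, a Smartcard UPN that resolves to an AD account) and the XenDesktop "trust requests sent to the XML Service" setting. It assumes the Citrix.Broker.Admin.V2 snap-in (XenDesktop 5.x) and the ActiveDirectory module are available on the controller where it runs; $CertPath is a placeholder path to an exported public certificate from a CAC/PIV card.

```powershell
# Added example (not Citrix's own code). Assumes XenDesktop 5.x snap-in and the
# ActiveDirectory PowerShell module are present on the controller.

# 1. The controller must be joined to the PKI-enabled AD domain.
$cs = Get-WmiObject Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    throw "This machine is not domain-joined; smart card logon cannot work."
}
Write-Host "Domain member of: $($cs.Domain)"

# 2. The UPN in the smart card certificate must map to an AD account.
#    $CertPath is a placeholder: point it at an exported (public) CAC/PIV cert.
$CertPath = "C:\temp\user-auth.cer"
Import-Module ActiveDirectory
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$san  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) {
    # Windows renders the smart card logon UPN as "Principal Name=user@domain".
    if ($san.Format($false) -match 'Principal Name=([^,\s]+)') {
        $upn  = $Matches[1]
        $acct = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
        if ($acct) { Write-Host "UPN $upn maps to AD account $($acct.SamAccountName)" }
        else       { Write-Warning "No AD account carries UPN $upn; create it first." }
    }
}

# 3. XenDesktop must trust XML requests so Web Interface can forward smart card
#    logons (the setting CTX132461 describes). Because every request on the XML
#    port is then trusted, keep that port reachable only from the WI servers.
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop
$site = Get-BrokerSite
if (-not $site.TrustRequestsSentToTheXmlServicePort) {
    Write-Warning "TrustRequestsSentToTheXmlServicePort is off; enabling it."
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true
}
```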
This article describes the two Smartcard authentication methods available in the Web Interface:
- Smartcard. Users are prompted once for certificate selection (web-based) and twice for the PIN (once by WI, once by the Windows GINA).
- Smartcard with Pass-Through. The local user credentials of the endpoint device are "passed through" to the WI site. WI does not prompt users for credentials; users are prompted for a PIN by the Windows GINA. The endpoint must be a member of the same domain as the Web Interface for this to work.
Smartcard "pass-thru" authentication from Win7 / Vista endpoints
For scenarios that qualify for pass-thru (see above) from a Vista or Win7 endpoint (physical or virtual) accessing XenApp or XenDesktop:
http://support.citrix.com/article/CTX131223
Smartcard "pass-thru" authentication from AGEE / NetScaler
This scenario is used by customers deploying XenApp or XenDesktop to external users on an unsecured network (Internet), or for users that require SSL encryption of ICA / HDX traffic.
http://support.citrix.com/article/CTX128418
- Passes the CAC selection / PIN from the AGEE logon point to the Web Interface.
- Works with XenApp 4.5+ and XenDesktop 5.0+.
- The user is prompted once to select a cert (AGEE) and twice for the PIN (once by AGEE, a second time by the Windows GINA screen).
- Can be easily added to existing XenApp / XenDesktop environments.
Single Sign-on (Kerberos) from AGEE / NetScaler
This scenario is used by customers deploying a new XenApp environment to external users on an unsecured network (Internet), or for users that require SSL encryption of ICA / HDX traffic.
http://support.citrix.com/article/CTX124603
- Combines true single sign-on with Kerberos authentication for an optimized, fast connection to a XenApp farm using the Smartcard credential.
- XenApp 4.5 and older only. Not available for XenDesktop (Kerberos authentication is not currently supported for XenDesktop).
- The user is prompted once for the certificate and PIN by Access Gateway.
- Requires configuration of Kerberos authentication on the XenApp farm and in Active Directory. (Can be difficult to add to existing farms.)
These are only three of our most popular SmartCard deployment methods. There are several other methods and configurations; feel free to use this blog as a single forum for Smartcard configurations, comments and feedback.