Active Directory & Citrix XenApp

Hello we have an IIS hosted website, binded to Citrix XenApp Store Front.  We have an AD server, Web Server, Citrix Server.
Currently in order to access site users need a CAC/PKI once this have authenticated they must enter a username & password to get into store front to see their application(s).  What we would like to do is get rid of the username & password, have just CAC/PKI authentication.
ManieyaK_CSSPAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Tom CieslikIT EngineerCommented:
Certificate-based authentication from registered devices provides the perfect model to address this challenge as well as to eliminate the use of passwords to core enterprise services.

Automating Certificate Management (Issuance, Renewal and Revocation)
Setting up certificate based authentication doesn’t have to be difficult, in fact it can be extremely simple once setup for automation. Microsoft provides a Certificate Authority (CA) as part of the Active Directory set of services, you just have to configure and turn on the service. The first CA that you configure will be your Enterprise Root CA and it needs to be configured to publish the public keys and certificates to Active Directory so that other applications and services can lookup and retrieve them.

Once the CA has been setup, you will need to configure certificate templates to be used for the auto-issuance of Certificates for both user certificates and computer certificates. A certificate can be used to identify either the user or the computer depending on how the certificate is to be used, for example you may use a computer certificate to authenticate a device to the network, but then use a user certificate to identify the user to a VPN or EAS Server. The certificate template must be configured for the identity data that is needed by the services that will use the certificate.

The final step is to configure the computers joined to AD to automatically request a certificate or certificate renewal through Group Policy settings. Microsoft provides the configuration required for Windows computers while Centrify provides full support for Mac (http://www.centrify.com/mac/active-directory-authentication-for-mac-os-x.asp) and Linux (http://www.centrify.com/standard-edition/grouppolicy.asp) as well as iOS and Android mobile devices (http://www.centrify.com/mobile/mobile-security-management.asp).

For step by step instructions, follow this quick how to guide to setup certificate auto-enrollment http://community.centrify.com/t5/Express-for-Mobile-Tips-and/Enabling-PKI-Enrollment-for-mobile-devices-with-Centrify-User/ba-p/16968

Source
https://blog.centrify.com/solving-account-lockout-by-eliminating-use-of-passwords-by-using-certificates/
2

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ManieyaK_CSSPAuthor Commented:
Thank You.
0
Tom CieslikIT EngineerCommented:
You are very welcome :)
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Citrix

From novice to tech pro — start learning today.