Citrix Authentication

Hello, we're attempting to force users to log into StoreFront using either their CAC or PKI certs. Reading the article below:

Under Smart Cards, it says "you configure Citrix Receiver for Windows for pass-through authentication and enable domain pass-through authentication to StoreFront." Is there a way to centrally configure Citrix Receiver, or does this have to happen locally on users' machines? Our domain has only user accounts; the only machines are our servers.

Zaheer Iqbal (Technical Assurance & Implementation) commented:
All Citrix Receiver configuration is done on the client side.

Once you have a working config you can possibly push the updated config via a GPO.
Brian Murphy (IT Architect) commented:
So that I fully understand the Scope I need more information.

So, there is no Netscaler in the mix and these are all internal users?
All of the users reside in the same domain and/or forest relative to Active Directory?
All of the users are hitting a URL that corresponds to a StoreFront server direct? or is it a LB VIP?
Is this by FQDN, or by "ServerName" using the short name (though FQDN works as well)?
Is it a registered FQDN and a matching SSL Certificate bound to a VIP and or the local IIS instance?

Do you have an internal PKI managed solution that is in the same domain as all of the users?

These all come into play. One answer I might be looking for that leads to quicker resolution is:

All users same domain, Storefront same domain, Users use http://servername, internal PKI that allows user auth certs to be generated.  

Desired goal is user types in URL of StoreFront and automated logon but multifactor authentication?

That depends on the answers to the above questions as to how but the quick dirty answer is "doable"
ManieyaK_CSSP (Author) commented:
Yes, we use NetScaler; the user population is a mixture of internal/external users. Yes, all users reside in the same domain/forest. We have IIS hosting the website, which uses an SSL cert from Symantec, with Axway Desktop Validator to handle that portion of it. The URL is not http://servername; it has its own URL. Not sure if Axway would be considered an internal PKI managed solution? Yes, the desired goal is for the user to hit the StoreFront but be authenticated via CAC/PKI.

Brian Murphy (IT Architect) commented:
Good deal. NetScaler is a great relief to know. What is our budget? Do you want any style of two-factor authentication, or just trusted device authentication like with Google, RSA, and so forth?

One example, recently implemented a solution that allows doctors and nurses to "badge" in using a known solution Imprivata.  Nothing top-secret, virtual appliance, point it to StoreFront, swipe your badge using the USB provided badge reader...

However, this changes the GINA, requires Radius server, and LDAP, and the appliances, and Netscaler, and badge, and badge reader.  However, it is quick and easy to configure and allows SSO on roaming cards (thin-clients) that do nothing but authenticate then pull Citrix icons to the desktop.

There are tertiary protocols in place that require additional authentication and not something I can share but one example might be electronic prescriptions after nurse enters their data, doctor enters their data, now prescription time.

A lot of this can be done simply with a combination of RADIUS (Server 2012R2 - free) and LDAP client certificates and simply creating the right policies on the Netscaler and adding the Root CA information on the Netscaler.

StoreFront itself is generally configured to require or not require a logon, and the end result after whatever solution is secure in and of itself, where:
1. XML/Netlogon - user is a member of this group, this group is assigned to these catalogs/apps (whatever). (Hopefully Domain Local Groups.)
2. Logon information back to the client is hashed by STA, user is sent to Secure Gateway; this is what prevents man-(or woman-)in-the-middle attacks.
3. Add one more simple process to validate by LDAP that the user resides in "DLG-Netscaler-Access" - assumes they log on.

For users on the domain, you could just enable Unified Experience and latest client, Group Policy, and do Windows passthrough?

Looks identical to StoreFront and admx file is out there.

You can use keywords on the Site Controller side to mandate applications show up or let them browse and add to favorites?

This is a good option for machines and users on the domain.

Not external users with domain credentials.

Next, do both external and internal users go through Netscaler - my preference.

Some companies only use Netscaler for external Secure Gateway, no APPFLOW, no Insight VPX, no Director integration - lot of information lost and most of the components are free if you have proper licensing.

It takes some convincing but Netscaler Platinum is a firewall, a web cache/load balancer, and super long list of other stuff that we can leverage if you have Enterprise or Platinum edition.
Brian Murphy (IT Architect) commented:
Oh, Axway, have not used or implemented. Did you know the NetScaler can act as a CA? Yep.

It is probably a third-party alternative to using Microsoft CA Server, but for internal use. That does not mean it can only be used to authenticate internal users. It means you somehow have to get them their private key, safely, and that requires a minimum of a VPN connection or exposing your subordinate CAs using something like.... "Netscaler".

I've participated in multiple PKI solutions, internal.  To the point where the root CA server was shutdown, locked in a safe.

Regardless, internal or external the key is "the keys".  Public and private and the verification of said public key.  

The "TLS handshake" must complete all the way, or you get that message stating "do whatever you want, but if you choose to continue, your session won't be encrypted at 2048-bit and SHA256....." Using? TLS 1, 2, 3?

2 minimum, 3 preferred.

Find out if the vendor supports what I stated above.
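Added example, not code from this thread or from Citrix/NetScaler: the point above about "the keys", the root CA and a handshake that must complete all the way, in miniature. It stands in for NetScaler-side client-certificate policy with a plain TLS server that trusts one lab root CA, requires a user certificate signed by it, and refuses anything below TLS 1.2; a client presenting the "alice" certificate is greeted, a client with no certificate never gets application data. It assumes the `openssl` command-line tool is on PATH; the CA name, the "localhost" server name and the user "alice" are made up for the demo.

```python
"""Mutual-TLS demo: a throw-away lab CA, a server cert for localhost and a user
cert (CN=alice), then a TLS 1.2+ server that requires a CA-signed client cert.
Added example; not code from the thread. Assumes `openssl` is on PATH."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(*args):
    subprocess.run(("openssl",) + args, check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def make_lab_pki(workdir):
    """Create ca.pem, server.{pem,key} and client.{pem,key} under workdir."""
    def p(name):
        return os.path.join(workdir, name)

    # Self-signed root CA; one-day lab key (a real root lives offline).
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-keyout", p("ca.key"), "-out", p("ca.pem"), "-subj", "/CN=Lab Root CA")
    # Server cert needs a SAN matching the name the client verifies.
    with open(p("server.ext"), "w") as f:
        f.write("subjectAltName=DNS:localhost\n")
    # User cert is restricted to client authentication.
    with open(p("client.ext"), "w") as f:
        f.write("extendedKeyUsage=clientAuth\n")
    for name, subject in (("server", "/CN=localhost"), ("client", "/CN=alice")):
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes", "-subj", subject,
                 "-keyout", p(name + ".key"), "-out", p(name + ".csr"))
        _openssl("x509", "-req", "-days", "1", "-in", p(name + ".csr"),
                 "-CA", p("ca.pem"), "-CAkey", p("ca.key"), "-CAcreateserial",
                 "-extfile", p(name + ".ext"), "-out", p(name + ".pem"))
    return {n: p(n) for n in ("ca.pem", "server.pem", "server.key",
                              "client.pem", "client.key")}


def serve(pki, ready, seen, n_clients):
    """Accept n_clients connections; record each verified client's CN
    (None when the handshake is rejected) and greet the verified ones."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # "2 minimum"
    ctx.load_cert_chain(pki["server.pem"], pki["server.key"])
    ctx.load_verify_locations(pki["ca.pem"])       # the one root we trust for users
    ctx.verify_mode = ssl.CERT_REQUIRED            # no user cert, no session
    with socket.create_server(("127.0.0.1", 0)) as listener:
        ready["port"] = listener.getsockname()[1]
        ready["event"].set()
        for _ in range(n_clients):
            raw, _ = listener.accept()
            try:
                with ctx.wrap_socket(raw, server_side=True) as tls:
                    subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                    seen.append(subject["commonName"])
                    tls.sendall(b"welcome " + subject["commonName"].encode())
            except OSError:                        # SSLError: handshake refused
                seen.append(None)


def connect(pki, port, with_cert):
    """Client side: verify the server against the lab CA, optionally present
    alice's cert, and return the greeting or 'rejected'."""
    ctx = ssl.create_default_context(cafile=pki["ca.pem"])
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if with_cert:
        ctx.load_cert_chain(pki["client.pem"], pki["client.key"])
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            data = tls.recv(64)   # TLS 1.3 surfaces the refusal here, 1.2 in the handshake
    except OSError:
        return "rejected"
    return data.decode() if data else "rejected"


def demo():
    """Run one server, then one client with a cert and one without."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_lab_pki(workdir)
        ready, seen = {"event": threading.Event()}, []
        server = threading.Thread(target=serve, args=(pki, ready, seen, 2), daemon=True)
        server.start()
        ready["event"].wait(10)
        result = {"with_cert": connect(pki, ready["port"], True),
                  "without_cert": connect(pki, ready["port"], False)}
        server.join(10)
        result["server_saw"] = list(seen)
    return result


if __name__ == "__main__":
    print(demo())   # {'with_cert': 'welcome alice', 'without_cert': 'rejected', 'server_saw': ['alice', None]}
```

The server learns who the user is only from a certificate chained to the root it was given; the client likewise refuses a server whose certificate does not chain to that root and carry the expected name, which is the "verification of said public key" on both sides.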
Brian Murphy (IT Architect) commented:
IMO, we need to fix this:
All users same domain, StoreFront same domain, users use http://servername, internal PKI that allows user auth certs to be generated.

If you have external users there must be an external domain that is registered?

We bind that to Secure Gateway and IIS servers (no less than 2).  Secure gateway points to Netscaler Load Balancer, that certificate bundle is bound to IIS on both servers so we can use an internal FQDN that has VIP IP and externally it is only known by the Netscaler Secure Gateway IP ...

Just a guess: it is behind a firewall NAT to that IP, so the firewall, the Secure Gateway VIP (NetScaler), and both IIS servers get the keypair and keychain.

If we cannot have split-brain DNS, we use hosts files on both SF servers and host entries on both Netscalers (I assume HA)

When 10 users or 40000 doesn't matter.

The goal is building an Enterprise grade/ready solution that is fully redundant and changes user perception of IT.  

What might be 100 users now, will be the entire company - if you want that.

Otherwise, right now we are sending clear text across the internal wire by not using a valid third-party certificate, and that in and of itself is an audit red flag.
