Password Manager and Entrust Integration

Added by Jennifer Lang , last edited by Jennifer Lang on May 14, 2008
Tags: 

Citrix Password Manager and Entrust PKI can be successfully integrated deploying Entrust Authority in a Windows 2000 Active Directory Domain and leveraging Microsoft LDAP implementation with Entrust Certificates. Once the Entrust Authority has been deployed and the Entrust client packaged and configured on a per user base, Password Manager can be integrated into the environment. The following versions were used during the testing: Entrust Software Versions 6.01 for the Authority Server and 6.1 SP1 for the Entrust Client Entelligence - Desktop Solutions. This article will guide through the required steps.

Modify the AD Schema for Entrust

  1. On the Domain Controller that is the Schema Master logon with a user who is part of the Domain Admins and Schema Admins Groups and extend the schema.
  2. Insert the Entrust/PKI CD in the CDRom Drive, navigate to the \Utilities folder and run entadconfig.exe to start the Entrust Active Directory Configuration Wizard.
  3. Select Entrust /Authority checkbox.
  4. Select Configure the Active Directory Schema
  5. Create a CA Entry for Entrust/Authority and give it a name
  6. Publish the CA Certificate in the Certification Authorities Container
  7. Create a New Domain Account or Use an Existing one.
  8. Grant Access for Entrust Authority to Existing Users.
  9. Execute the changes and save the log.

Certification Authority Deployment

  1. The first step will be the deployment of the Informix Database, needed to create the Entrust/Authority Database.
  2. The server used for Entrust should be different from the Active Directory Domain Controller for Security Reasons.
  3. The Certification Authority will be installed after the Informix Database.
  4. The Authority will require licensing information such as Serial Number, Enterprise User Limit and Enterprise Licensing Code.
  5. The following Screen will ask for Directory Node and Port, the Using Microsoft Active Directory Checkbox should be selected.
  6. The next screen will require the fully qualified name of the Domain Controller.
  7. Next The Authority will require a distinguished name which may be customized if required by the deployment scenario.
  8. Confirm the CA Name.
  9. The Directory Attributes dialog box should be left as LDAP Version 3 with the default transfer mode dimmed.
  10. Enter the CA Name using the same name specified when configuring AD and use the same password
  11. On the Advanced Directory Attributes enter the First Officer DN
  12. Verify directory information.
  13. After a short wait the ENTDVT Log file dialog box appears and will show Directory Verification completed successfully.
  14. The current User's Windows Login Password is needed to start Entrust Services and is the Login and the password for the Entrust/Authority Service to Start when logging to Entrust/Authority Master Control.
  15. Select Yes for the Microsoft Crypto-API enabled application Interoperability Setup window.
  16. On the Entrust Authority Port Configuration review the default data and make sure that the node name is the one of the server that is running the Entrust Authority.
  17. In the Cryptographic Information Dialog Box choose the required parameters for the deployment.
  18. Select a lifetime for the CA and complete the CA Configuration.

Certification Authority Initialization

The Entrust/PKI Authority must be initialized before it can be used. During the Initialization Process the three Master Users and The First Officer should be present.

  1. In the Entrust/Authority Master Control Window choose Log In.
  2. A dialog box will appear stating that the initialization will take a few minutes.
  3. After an Initial Password Entry Dialog Box appears; each of the three users and the First Officer must privately choose, type and verify their passwords.
  4. The next screen will communicate that the installation was successful.
  5. Logon with one of the Master Users or First Officer Accounts and start the Entrust/Authority Service.

Client Configuration

  1. On the Authority Server Start the Authority/RA Console Administration Program and Enumerate the Users in the Active Directory Domain.
  2. Open the Properties Page of the User you would like to add to Entrust and Add it.
  3. Note the Reference Number and the Authorization Code.
  4. On a Workstation deploy the Entelligence Desktop Designer and create a deployment package. Deploy the package to the Client Workstation and change the entrust.ini initialization file to point to the correct Authority and Directory Server.
  5. Logon to the Client with the User you added to Entrust Authority.
  6. Create a new Entrust User Profile. Specify the Reference Number and the authorization code.
  7. Assign the user a password and logon to Entrust.

Citrix Password Manager Agent Deployment

Deploy the Agent and create a new application definition with the console for the Entrust Logon.

  1. Open the Access Management Console
  2. Select Applications Definitions Node
  3. Select Create Application Definition
  4. Select Create New and set the application type to windows.
  5. Select Start Wizard
  6. Enter Entrust Login as name
  7. Select Add Form
  8. On the form Identifiers clcik the select button
  9. Select Logon
  10. Right-click the Entrust Icon and select Log In to Entrust
  11. Refresh The Form Wizard and select Entrust Login Form
  12. Define UserID as Combo Box, Password and OK Button
  13. Confirm the default values.
  14. Save the application definition.
  15. Add the application Definition to the user configuration
  16. When a new user will need to logon to Entrust they should right click to the Citrix Password Manager Icon and select Logon Using Citrix Password Manager.

Note: The Logon Screen provided by Entrust is not detected automatically by Password Manager. This happens because Entrust doesn't use standard calls to the OS and the Agent is not able to detect the Login Screen Window.

  • Add to Bookmarks