Jump to content
Welcome to our new Citrix community!
  • Reducing multiple pin/certificate prompts when using smartcard authentication with NetScaler


    Subhojit Goswami
    • Validation Status: Validated
      Has Video?: No

    Author: Shruti Vijay Dhamale

     

    Smartcard authentication or client certificate authentication with NetScaler Gateway is a common deployment scenario that we come across-especially with government entities. 

    While this method of authentication enhances security, we do see users being prompted multiple times to choose a certificate or enter pin when trying to establish an ICA connection. 

    This article provides an overview of one of the methods to reduce multiple certificate or pin prompts.

    Before reviewing the method let's understand what generates the multiple cert prompts. 

    Consider a NetScaler Gateway vServer configured to perform certificate authentication followed by LDAP authentication using n-factor as mentioned below:

    Authentication Policy

    add authentication certAction certauth_act -twoFactor ON -userNameField Subject:CN

    add authentication Policy Certauth_pol -rule true -action certauth_act

    add authentication ldapAction AD1_SAM -serverIP 172.30.200.20 -ldapBase "dc=citrix,dc=lab" -ldapBindDn citrixservices@citrix.lab -ldapBindDnPassword XXXX -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2021_11_05_17_13_55 -ldapLoginName sAMAccountName

    add authentication Policy adv_ldap_sam -rule true -action AD1_SAM

     

    LoginSchema

    add authentication loginSchema ldap1 -authenticationSchema "/nsconfig/loginschema/LoginSchema/PrefilUserFromExpr.xml" -userCredentialIndex 11 -passwordCredentialIndex 12

    Policy Label

    add authentication policylabel ldapauth1 -loginSchema ldap1

    bind authentication policylabel ldapauth1 -policyName adv_ldap_sam -priority 100 -gotoPriorityExpression NEXT

     

    Authentication vServer

    add authentication vserver AAA_EPA_GW SSL 0.0.0.0

    bind authentication vserver AAA_EPA_GW -portaltheme RfWebUI

    bind ssl vserver AAA_EPA_GW -certkeyName CitrixDemoCenter-cert

    bind ssl vserver AAA_EPA_GW -certkeyName Defaultroot -CA -ocspCheck Optional

    bind authentication vserver AAA_EPA_GW -policy Certauth_pol -priority 100 -nextFactor ldapauth1 -gotoPriorityExpression NEXT

    set ssl vserver AAA_EPA_GW -clientAuth ENABLED -clientCert Mandatory 

     

    Authentication Profile

    add authentication authnProfile EPA_GW -authnVsName AAA_EPA_GW

    Traffic Policy

    add vpn trafficAction sso http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(11)" -passwdExpression "AAA.USER.ATTRIBUTE(12)"

    add vpn trafficPolicy sso true sso

     

    Session Policy

    add vpn sessionAction AC_WB_172.30.200.112 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xd1.citrix.lab/Citrix/StoreWeb" -ClientChoices OFF -ntDomain Citrix -clientlessVpnMode OFF -sfGatewayAuthType domain

    add vpn sessionPolicy PL_WB_172.30.200.112 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" 

     

    VPN vServer

    add vpn vserver EPA_Gateway SSL 172.30.200.112 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile EPA_GW

    bind vpn vserver EPA_Gateway -staServer https://xd1.citrix.lab

    bind vpn vserver EPA_Gateway -portaltheme RfWebUI

    bind vpn vserver EPA_Gateway -policy PL_WB_172.30.200.112 -priority 100 -gotoPriorityExpression NEXT -type REQUEST

    bind vpn vserver EPA_Gateway -policy sso -priority 100 -gotoPriorityExpression END -type REQUEST

    bind ssl vserver EPA_Gateway -certkeyName CitrixDemoCenter-cert

    bind ssl vserver EPA_Gateway -certkeyName Defaultroot -CA -ocspCheck Optional

    set ssl vserver EPA_Gateway -clientAuth ENABLED -clientCert  mandatory 

     

    The traffic flow at high-level would be as follows:

    • Client performs an SSL handshake and is presented with a Citrix NetScaler login page. 
    • Client provides credentials, and NetScaler connects to an external authentication server for validation.
    • These credentials are presented to the Citrix StoreFront server to perform SSO.
    • Citrix StoreFront after verifying with Citrix DDC enumerates appropriate applications to the user.
    • Client clicks on the application and receives the ICA file. 
    • When client launches the ICA file received, a new non-browser session is initiated with NetScaler Gateway vServer. Due to this user receives a new prompt to provide a certificate or enter a pin. 
    • After validation is successful, client is connected to the application/desktop.

    5AOHIzRpKD0scQa4Cto5uUqs1GKUSmAt-JIy_Qr4Cly-D6XLZd3kySLgI2jSOzDJDH3J5lbSdPyXqdAwctKsWW2-TyB352dqfNkBubiNAYBeVpQxqcaaHiiwPyZm6S62P4eiSnNlbPHvZOnu6PSvTg

    As we can see browser/workspace app caches the information about client certificate/pin and uses it for subsequent SSL handshakes that are done with NetScaler Gateway’s AAA vServer. However, when the session switches from the web to ICA, client gets prompted again to select a certificate/pin to complete the connection.

    To avoid these multiple prompts, we can use the below-mentioned solution using SAML authentication.

    Consider a NetScaler Gateway vServer configured with SAML policy configured to redirect the client to another AAA vServer hosted on the same NetScaler instance using SAML IdP that performs certificate authentication followed by LDAP authentication configured as below:

    Authentication Policy 

    add authentication certAction certauth_act -twoFactor ON -userNameField Subject:CN

    add authentication Policy Certauth_pol -rule true -action certauth_act

    add authentication ldapAction AD1_SAM -serverIP 172.30.200.20 -ldapBase "dc=citrix,dc=lab" -ldapBindDn citrixservices@citrix.lab -ldapBindDnPassword XXXX -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2021_11_05_17_13_55 -ldapLoginName sAMAccountName

    add authentication Policy adv_ldap_sam -rule true -action AD1_SAM 

    add authentication samlAction saml_sp -samlIdPCertName CitrixDemoCenter-cert -samlSigningCertName CitrixDemoCenter-cert -samlRedirectUrl "https://108-168-156-36.mycitrixdemo.net/saml/login" -samlUserField UserID -samlRejectUnsignedAssertion OFF -samlIssuerName "https://108-168-156-37.mycitrixdemo.net"

    add authentication Policy saml_sp -rule TRUE -action saml_sp

    add authentication samlIdPProfile saml_idp -samlSPCertName mylabcert -samlIdPCertName mylabcert -assertionConsumerServiceURL "https://108-168-156-37.mycitrixdemo.net/cgi/samlauth" -samlIssuerName "https://108-168-156-36.mycitrixdemo.net" -signatureAlg RSA-SHA1 -digestMethod SHA1 -Attribute1 Userid -Attribute1Expr "AAA.USER.ATTRIBUTE(11)" -Attribute2 Password -Attribute2Expr "AAA.USER.ATTRIBUTE(12).B64ENCODE" -serviceProviderID "https://108-168-156-37.mycitrixdemo.net"

    add authentication samlIdPPolicy saml_idp -rule TRUE -action saml_idp

     

    LoginSchema

    add authentication loginSchema ldap1 -authenticationSchema "/nsconfig/loginschema/LoginSchema/PrefilUserFromExpr.xml" -userCredentialIndex 11 -passwordCredentialIndex 12

    Policy Label

    add authentication policylabel ldapauth1 -loginSchema ldap1

    bind authentication policylabel ldapauth1 -policyName adv_ldap_sam -priority 100 -gotoPriorityExpression NEXT

     

    Authentication vServer (SAML IdP)

    add authentication vserver SAML_IDP SSL 172.30.200.111 443

    bind authentication vserver AAA_EPA_GW -portaltheme RfWebUI

    bind ssl vserver SAML_IDP -certkeyName CitrixDemoCenter-cert

    bind ssl vserver SAML_IDP -certkeyName Defaultroot -CA -ocspCheck Optional

    bind authentication vserver SAML_IDP -policy saml_idp -priority 100 -gotoPriorityExpression NEXT

    bind authentication vserver SAML_IDP -policy Certauth_pol -priority 100 -nextFactor ldapauth1 -gotoPriorityExpression NEXT

    set ssl vserver SAML_IDP -clientAuth ENABLED -clientCert Mandatory 

     

    Authentication vServer (SAML SP)

    add authentication vserver AAA_EPA_GW SSL 0.0.0.0

    bind authentication vserver AAA_EPA_GW -portaltheme RfWebUI

    bind ssl vserver AAA_EPA_GW -certkeyName CitrixDemoCenter-cert

    bind authentication vserver AAA_EPA_GW -policy saml_sp -priority 100 -gotoPriorityExpression NEXT

     

    Authentication Profile

    add authentication authnProfile EPA_GW -authnVsName AAA_EPA_GW

    Traffic Policy

    add vpn trafficAction sso http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(1)" -passwdExpression "AAA.USER.ATTRIBUTE(2)"

    add vpn trafficPolicy sso true sso

     

    Session Policy

    add vpn sessionAction AC_WB_172.30.200.112 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xd1.citrix.lab/Citrix/StoreWeb" -ClientChoices OFF -ntDomain Citrix -clientlessVpnMode OFF -sfGatewayAuthType domain

    add vpn sessionPolicy PL_WB_172.30.200.112 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT" 

     

    VPN vServer

    add vpn vserver EPA_Gateway SSL 172.30.200.112 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile EPA_GW

    bind vpn vserver EPA_Gateway -staServer https://xd1.citrix.lab

    bind vpn vserver EPA_Gateway -portaltheme RfWebUIbind vpn vserver EPA_Gateway -policy PL_WB_172.30.200.112 -priority 100 -gotoPriorityExpression NEXT -type REQUEST

    bind vpn vserver EPA_Gateway -policy sso -priority 100 -gotoPriorityExpression END -type REQUEST

    bind ssl vserver EPA_Gateway -certkeyName CitrixDemoCenter-cert

    bind ssl vserver EPA_Gateway -certkeyName Defaultroot -CA -ocspCheck Optional

     

    In this method, the certificate or smart card check is offloaded to AAA vServer acting as an Idp server. So once client is authenticated, their credentials are returned using the SAML attribute to the AAA vServer bound to NetScaler Gateway vServer, which can be then used for SSO with CVAD infrastructure. Notice the difference in authentication policy bindings, client cert setting in SSL parameters for AAA vServer, and SSO credential index used in traffic profile in both scenarios. 

    The traffic flow at high-level would be as follows:

    • The Client performs an SSL handshake with NetScaler Gateway vServer and is redirected to a SAML IdP vServer configured on the same NetScaler. 
    • Client performs SSL handshake with AAA vServer that acts as IdP vServer and presents Client certificate.
    • Upon certificate validation, client is presented with the Citrix NetScaler login page.
    • Client provides credentials, and NetScaler connects to an external authentication server to validate the user.
    • Once authenticated, client connects back to NetScaler Gateway vServer, with credentials returned as a part of SAML attributes.
    • These credentials are presented to the Citrix StoreFront server to perform SSO.
    • Citrix StoreFront after verifying with Citrix DDC enumerates appropriate applications to the user.
    • Client clicks on the application and receives the ICA file. 
    • NetScaler requests the IP address from the STA server for the resource requested, post that the ICA connection is established.

     

    JK8tTiy9KGnM-kyGH69cptoEJBIw9xEsUG1txzJgBARPfeBvoQZ-k7gvbGL1VZuY_7VcfoBsO08MOg8qGC3TEgLFkhPP2tOUiMlNbUvj99BZWv7SEdla_vueTB5dvuCIrsI4ZTmUdOogbaOd-hxwAQ

    To obscure the credentials further, you can also base64 encode the credentials when configuring the SAML attribute.
    For an alternative method to reduce multiple prompts, a separate NetScaler Gateway vServer for call-back can also be used as described in this blog

    The trace files from the demo environment are available here.


    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...