Author: Shruti Vijay Dhamale
Smart card authentication, or more generally client certificate authentication, with NetScaler Gateway is a common deployment scenario that we come across, especially with government entities.
While this method of authentication enhances security, we do see users being prompted multiple times to choose a certificate or enter a PIN when trying to establish an ICA connection.
This article provides an overview of one method to reduce these repeated certificate or PIN prompts.
Before reviewing the method, let's understand what generates the multiple certificate prompts.
Consider a NetScaler Gateway vServer configured to perform certificate authentication followed by LDAP authentication using nFactor, as shown below:
Authentication Policy
add authentication certAction certauth_act -twoFactor ON -userNameField Subject:CN
add authentication Policy Certauth_pol -rule true -action certauth_act
add authentication ldapAction AD1_SAM -serverIP 172.30.200.20 -ldapBase "dc=citrix,dc=lab" -ldapBindDn citrixservices@citrix.lab -ldapBindDnPassword XXXX -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2021_11_05_17_13_55 -ldapLoginName sAMAccountName
add authentication Policy adv_ldap_sam -rule true -action AD1_SAM
LoginSchema
add authentication loginSchema ldap1 -authenticationSchema "/nsconfig/loginschema/LoginSchema/PrefilUserFromExpr.xml" -userCredentialIndex 11 -passwordCredentialIndex 12
Policy Label
add authentication policylabel ldapauth1 -loginSchema ldap1
bind authentication policylabel ldapauth1 -policyName adv_ldap_sam -priority 100 -gotoPriorityExpression NEXT
Authentication vServer
add authentication vserver AAA_EPA_GW SSL 0.0.0.0
bind authentication vserver AAA_EPA_GW -portaltheme RfWebUI
bind ssl vserver AAA_EPA_GW -certkeyName CitrixDemoCenter-cert
bind ssl vserver AAA_EPA_GW -certkeyName Defaultroot -CA -ocspCheck Optional
bind authentication vserver AAA_EPA_GW -policy Certauth_pol -priority 100 -nextFactor ldapauth1 -gotoPriorityExpression NEXT
set ssl vserver AAA_EPA_GW -clientAuth ENABLED -clientCert Mandatory
Authentication Profile
add authentication authnProfile EPA_GW -authnVsName AAA_EPA_GW
Traffic Policy
add vpn trafficAction sso http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(11)" -passwdExpression "AAA.USER.ATTRIBUTE(12)"
add vpn trafficPolicy sso true sso
Session Policy
add vpn sessionAction AC_WB_172.30.200.112 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xd1.citrix.lab/Citrix/StoreWeb" -ClientChoices OFF -ntDomain Citrix -clientlessVpnMode OFF -sfGatewayAuthType domain
add vpn sessionPolicy PL_WB_172.30.200.112 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT"
VPN vServer
add vpn vserver EPA_Gateway SSL 172.30.200.112 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile EPA_GW
bind vpn vserver EPA_Gateway -staServer https://xd1.citrix.lab
bind vpn vserver EPA_Gateway -portaltheme RfWebUI
bind vpn vserver EPA_Gateway -policy PL_WB_172.30.200.112 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver EPA_Gateway -policy sso -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver EPA_Gateway -certkeyName CitrixDemoCenter-cert
bind ssl vserver EPA_Gateway -certkeyName Defaultroot -CA -ocspCheck Optional
set ssl vserver EPA_Gateway -clientAuth ENABLED -clientCert Mandatory
The traffic flow at a high level is as follows:
- The client performs an SSL handshake and is presented with the Citrix NetScaler login page.
- The client provides credentials, and NetScaler connects to an external authentication server to validate them.
- These credentials are presented to the Citrix StoreFront server to perform SSO.
- Citrix StoreFront, after verifying with the Citrix DDC, enumerates the appropriate applications to the user.
- The client clicks on an application and receives the ICA file.
- When the client launches the ICA file, a new non-browser session is initiated with the NetScaler Gateway vServer. Because of this, the user receives a new prompt to provide a certificate or enter a PIN.
- After validation succeeds, the client is connected to the application/desktop.
As we can see, the browser or Workspace app caches the client certificate/PIN selection and reuses it for subsequent SSL handshakes with the NetScaler Gateway's AAA vServer. However, when the session switches from the web to ICA, the client is prompted again to select a certificate/PIN to complete the connection.
To avoid these multiple prompts, we can use the following solution based on SAML authentication.
Consider a NetScaler Gateway vServer whose AAA vServer is configured with a SAML policy that redirects the client to a second AAA vServer hosted on the same NetScaler instance. That second vServer acts as the SAML IdP and performs certificate authentication followed by LDAP authentication, configured as below:
Authentication Policy
add authentication certAction certauth_act -twoFactor ON -userNameField Subject:CN
add authentication Policy Certauth_pol -rule true -action certauth_act
add authentication ldapAction AD1_SAM -serverIP 172.30.200.20 -ldapBase "dc=citrix,dc=lab" -ldapBindDn citrixservices@citrix.lab -ldapBindDnPassword XXXX -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2021_11_05_17_13_55 -ldapLoginName sAMAccountName
add authentication Policy adv_ldap_sam -rule true -action AD1_SAM
add authentication samlAction saml_sp -samlIdPCertName CitrixDemoCenter-cert -samlSigningCertName CitrixDemoCenter-cert -samlRedirectUrl "https://108-168-156-36.mycitrixdemo.net/saml/login" -samlUserField UserID -samlRejectUnsignedAssertion OFF -samlIssuerName "https://108-168-156-37.mycitrixdemo.net"
add authentication Policy saml_sp -rule TRUE -action saml_sp
add authentication samlIdPProfile saml_idp -samlSPCertName mylabcert -samlIdPCertName mylabcert -assertionConsumerServiceURL "https://108-168-156-37.mycitrixdemo.net/cgi/samlauth" -samlIssuerName "https://108-168-156-36.mycitrixdemo.net" -signatureAlg RSA-SHA1 -digestMethod SHA1 -Attribute1 Userid -Attribute1Expr "AAA.USER.ATTRIBUTE(11)" -Attribute2 Password -Attribute2Expr "AAA.USER.ATTRIBUTE(12).B64ENCODE" -serviceProviderID "https://108-168-156-37.mycitrixdemo.net"
add authentication samlIdPPolicy saml_idp -rule TRUE -action saml_idp
LoginSchema
add authentication loginSchema ldap1 -authenticationSchema "/nsconfig/loginschema/LoginSchema/PrefilUserFromExpr.xml" -userCredentialIndex 11 -passwordCredentialIndex 12
Policy Label
add authentication policylabel ldapauth1 -loginSchema ldap1
bind authentication policylabel ldapauth1 -policyName adv_ldap_sam -priority 100 -gotoPriorityExpression NEXT
Authentication vServer (SAML IdP)
add authentication vserver SAML_IDP SSL 172.30.200.111 443
bind authentication vserver SAML_IDP -portaltheme RfWebUI
bind ssl vserver SAML_IDP -certkeyName CitrixDemoCenter-cert
bind ssl vserver SAML_IDP -certkeyName Defaultroot -CA -ocspCheck Optional
bind authentication vserver SAML_IDP -policy saml_idp -priority 100 -gotoPriorityExpression NEXT
bind authentication vserver SAML_IDP -policy Certauth_pol -priority 100 -nextFactor ldapauth1 -gotoPriorityExpression NEXT
set ssl vserver SAML_IDP -clientAuth ENABLED -clientCert Mandatory
Authentication vServer (SAML SP)
add authentication vserver AAA_EPA_GW SSL 0.0.0.0
bind authentication vserver AAA_EPA_GW -portaltheme RfWebUI
bind ssl vserver AAA_EPA_GW -certkeyName CitrixDemoCenter-cert
bind authentication vserver AAA_EPA_GW -policy saml_sp -priority 100 -gotoPriorityExpression NEXT
Authentication Profile
add authentication authnProfile EPA_GW -authnVsName AAA_EPA_GW
Traffic Policy
add vpn trafficAction sso http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(1)" -passwdExpression "AAA.USER.ATTRIBUTE(2)"
add vpn trafficPolicy sso true sso
Session Policy
add vpn sessionAction AC_WB_172.30.200.112 -transparentInterception OFF -defaultAuthorizationAction ALLOW -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xd1.citrix.lab/Citrix/StoreWeb" -ClientChoices OFF -ntDomain Citrix -clientlessVpnMode OFF -sfGatewayAuthType domain
add vpn sessionPolicy PL_WB_172.30.200.112 "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT"
VPN vServer
add vpn vserver EPA_Gateway SSL 172.30.200.112 443 -downStateFlush DISABLED -Listenpolicy NONE -authnProfile EPA_GW
bind vpn vserver EPA_Gateway -staServer https://xd1.citrix.lab
bind vpn vserver EPA_Gateway -portaltheme RfWebUI
bind vpn vserver EPA_Gateway -policy PL_WB_172.30.200.112 -priority 100 -gotoPriorityExpression NEXT -type REQUEST
bind vpn vserver EPA_Gateway -policy sso -priority 100 -gotoPriorityExpression END -type REQUEST
bind ssl vserver EPA_Gateway -certkeyName CitrixDemoCenter-cert
bind ssl vserver EPA_Gateway -certkeyName Defaultroot -CA -ocspCheck Optional
In this method, the certificate or smart card check is offloaded to the AAA vServer acting as the SAML IdP. Once the client is authenticated there, the credentials are returned in SAML attributes to the AAA vServer bound to the NetScaler Gateway vServer, which can then use them for SSO to the CVAD infrastructure. Notice the differences between the two scenarios: the authentication policy bindings, the client certificate setting in the SSL parameters of the AAA vServer (mandatory only on the IdP vServer in the second scenario), and the SSO credential index used in the traffic profile (11/12 from the login schema in the first scenario versus 1/2 from the SAML attributes in the second).
The traffic flow at a high level is as follows:
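To make the credential index difference concrete, here is an added Python checker (not part of the article or of NetScaler's tooling) that parses NetScaler CLI lines and verifies that every AAA.USER.ATTRIBUTE(n) referenced by the traffic action is filled by a credential source in that scenario: the loginSchema indexes when the Gateway's AAA vServer authenticates locally, or the SAML IdP profile's attribute slots when that vServer acts as a SAML SP. The config excerpts are constructed from the article's two scenarios, and the rule that the presence of a samlAction switches the Gateway to SAML slots is this example's own assumption.

```python
import re
import shlex

ATTR_RE = re.compile(r"AAA\.USER\.ATTRIBUTE\((\d+)\)")
# Constructed excerpts of the article's two configs: local nFactor on the
# Gateway's AAA vServer, and that vServer as SAML SP fed by the IdP profile.
LOCAL_NFACTOR = """
add authentication loginSchema ldap1 -authenticationSchema "/nsconfig/loginschema/LoginSchema/PrefilUserFromExpr.xml" -userCredentialIndex 11 -passwordCredentialIndex 12
add vpn trafficAction sso http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(11)" -passwdExpression "AAA.USER.ATTRIBUTE(12)"
"""
SAML_SP = """
add authentication loginSchema ldap1 -authenticationSchema "/nsconfig/loginschema/LoginSchema/PrefilUserFromExpr.xml" -userCredentialIndex 11 -passwordCredentialIndex 12
add authentication samlAction saml_sp -samlIdPCertName CitrixDemoCenter-cert -samlRedirectUrl "https://108-168-156-36.mycitrixdemo.net/saml/login"
add authentication samlIdPProfile saml_idp -Attribute1 Userid -Attribute1Expr "AAA.USER.ATTRIBUTE(11)" -Attribute2 Password -Attribute2Expr "AAA.USER.ATTRIBUTE(12).B64ENCODE"
add vpn trafficAction sso http -SSO ON -userExpression "AAA.USER.ATTRIBUTE(1)" -passwdExpression "AAA.USER.ATTRIBUTE(2)"
"""
# Common slip: SAML SP scenario with the traffic action still pointing at the
# loginSchema indexes, which are only populated on the IdP vServer's session.
STALE_INDEXES = SAML_SP.replace('ATTRIBUTE(1)"', 'ATTRIBUTE(11)"').replace('ATTRIBUTE(2)"', 'ATTRIBUTE(12)"')

def parse_cmd(line):
    """Split one NetScaler CLI line into (object, name, options)."""
    tok, opts, i = shlex.split(line), {}, 4
    while i < len(tok):
        if tok[i].startswith("-"):
            has_val = i + 1 < len(tok) and not tok[i + 1].startswith("-")
            opts[tok[i][1:]] = tok[i + 1] if has_val else True  # bare flags such as -kek
            i += 2 if has_val else 1
        else:
            i += 1  # positional values such as "http" in "trafficAction sso http"
    return f"{tok[1]} {tok[2]}", tok[3], opts

def check_sso_indexes(config):
    """Return AAA.USER.ATTRIBUTE(n) indexes used by the traffic action that no
    credential source fills: loginSchema indexes when the Gateway authenticates
    locally, SAML attribute slots when its AAA vServer is a SAML SP (assumption)."""
    schema_idx, saml_slots, sp_mode, used = set(), set(), False, []
    for line in filter(None, map(str.strip, config.splitlines())):
        obj, _name, o = parse_cmd(line)
        if obj == "authentication loginSchema":
            schema_idx |= {int(o["userCredentialIndex"]), int(o["passwordCredentialIndex"])}
        elif obj == "authentication samlIdPProfile":
            saml_slots |= {int(k[9:]) for k in o if re.fullmatch(r"Attribute\d+", k)}
        elif obj == "authentication samlAction":
            sp_mode = True
        elif obj == "vpn trafficAction":
            for key in ("userExpression", "passwdExpression"):
                used += [int(n) for n in ATTR_RE.findall(str(o.get(key, "")))]
    return [n for n in used if n not in (saml_slots if sp_mode else schema_idx)]
```

Running the checker over a full ns.conf export would need the vServer binding chain to know which session each index lives in; the simplified samlAction rule is enough to catch the mismatch the article warns about.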
- The client performs an SSL handshake with the NetScaler Gateway vServer and is redirected to the SAML IdP vServer configured on the same NetScaler.
- The client performs an SSL handshake with the AAA vServer acting as the SAML IdP and presents its client certificate.
- Upon certificate validation, the client is presented with the Citrix NetScaler login page.
- The client provides credentials, and NetScaler connects to an external authentication server to validate the user.
- Once authenticated, the client is sent back to the NetScaler Gateway vServer with the credentials returned as SAML attributes.
- These credentials are presented to the Citrix StoreFront server to perform SSO.
- Citrix StoreFront, after verifying with the Citrix DDC, enumerates the appropriate applications to the user.
- The client clicks on an application and receives the ICA file.
- NetScaler resolves the requested resource's IP address through the STA server, after which the ICA connection is established.
To obscure the credentials further, you can also base64 encode the credential when configuring the SAML attribute, as the Attribute2Expr in the IdP profile above already does for the password.
For an alternative method to reduce multiple prompts, a separate NetScaler Gateway vServer for callback can also be used, as described in this blog.
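As an added illustration (not NetScaler's code), the following Python builds the attribute statement the IdP profile above describes, with the Password attribute base64-encoded, and shows the checks an SP should make before trusting those attributes for SSO. The XML is a standard SAML 2.0 assertion shape constructed for this example; the issuer, SP identity and attribute names are taken from the article's samlIdPProfile and samlAction.

```python
import base64
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"saml": SAML_NS}
# Identities from the article's samlIdPProfile (IdP issuer) and samlAction (SP).
IDP_ISSUER = "https://108-168-156-36.mycitrixdemo.net"
SP_ID = "https://108-168-156-37.mycitrixdemo.net"

def build_assertion(userid, password):
    """Constructed assertion in standard SAML 2.0 form carrying the two attributes
    the IdP profile defines; Password is base64-encoded as -Attribute2Expr does."""
    pw = base64.b64encode(password.encode()).decode()
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_demo" Version="2.0">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="Userid"><saml:AttributeValue>{escape(userid)}</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Password"><saml:AttributeValue>{pw}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_credentials(xml_text):
    """SP-side checks before the attributes are trusted for SSO: the issuer must be
    the configured IdP and the audience must be this SP. Whether a Signature is
    present is reported so a caller can refuse unsigned assertions."""
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:
        raise ValueError("issuer mismatch")
    if root.findtext(".//saml:Audience", namespaces=NS) != SP_ID:
        raise ValueError("audience mismatch")
    signed = root.find(f"{{{DSIG_NS}}}Signature") is not None
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    # Base64 only hides the password from casual inspection; decode it for SSO.
    password = base64.b64decode(attrs["Password"]).decode()
    return {"user": attrs["Userid"], "password": password, "signed": signed}
```

Base64 is an encoding, not encryption: the password's confidentiality still rests on TLS between the client and both vServers, and its integrity on the assertion signature, which is why the example reports unsigned assertions (the config above sets samlRejectUnsignedAssertion OFF, which would accept them).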
The trace files from the demo environment are available here.