
Question

Hi,

We are looking to implement Windows Hello for Business in our environment.

On Citrix Environment:

On the AD side we meet all the requirements for Windows HFB.

We introduced MS AD FS On-Prem as part of the Hello For Business prep.

Since Windows HFB works using a hardware TPM (or software substitute), I'm curious how Citrix will handle that with a XenApp shared desktop environment.

Any thoughts, links for Citrix + Hello For Business, guidance, etc. are welcome.

Thanks


7 answers to this question


I'm only commenting because I am working (fighting) with Windows Hello for Business at the moment and am intrigued as to where you see there being any sort of integration with Citrix.

I can't imagine a situation where it and Citrix would have much to do with each other outside of maybe SSO for Receiver, but I am very interested in where you are thinking they might.


Hi James, you may be further along in the process than I am. I am still gathering information on all affected systems.

HFB is based on a single private key for the user and needs a federation service. A common setup is on a TPM (physical device).

 

Challenges are:

  • We use Shared Desktop/Apps (XenApp) for remote access. This means that the private key in HFB needs to be portable via Microsoft's companion devices.
  • We only use Citrix via NetScaler, which currently uses a 3rd-party IDP. NetScaler is configured for SAML between IDP <> NetScaler. I plan to create a trusted federated authority between my IDP and On-Prem but am unsure of the auth flow.
  • A separate challenge is that we have Citrix published apps that use SQL via NTAuth.

We have been deploying Windows Hello (Local, not Business) on office PCs, which works great for in-office login to the domain. From my understanding, the domain password hashes are locally sealed, then opened up when needed. (I am still looking for solid docs on the security of Hello (Local) on domain PCs.)

 

Interested in hearing/learning your pain point and how far you have gotten. 


Sorry for the delay, it has been a bit wild over here - this topic just popped up at work and reminded me to come back.

I think in your scenario, with full Hello for Business moving forward, you are going to need to look at FAS:

https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-15-ltsr/secure/federated-authentication-service.html


Little demo here:

https://www.youtube.com/watch?v=d7OXjAWi94g&feature=youtu.be&t=2205

 

We haven't gotten to this part yet - still deciding how far we want to go with Hello for Business. At the moment we are having some issues getting Kerberos tickets against on-premises DCs when using the PIN etc. - username and password is fine, PIN is not so great - tracing is slow.
