PoC Guide: nFactor for Citrix Gateway Authentication with Device Certificate

Introduction

大型企业环境要求aut灵活hentication options to meet the needs of various user personas. With Device Certificate, coupled with LDAP credentials, Enterprises get “something you have” and “something you know” multifactor authentication. This allows users to seamlessly verify their identity and securely access their applications and data.

Overview

This guide demonstrates how to implement a Proof of Concept environment using two factor authentication with Citrix Gateway. It validates a Device Certificate as the first factor using Endpoint Analysis (EPA). Then it uses the user’s domain credentials as the second factor. It uses a Citrix Virtual Apps and Desktops published virtual desktop to validate connectivity.

It makes assumptions about the completed installation and configuration of the following components:

• Citrix ADC installed, and licensed
• Citrix Gateway configured with an externally reachable virtual server bound to a wildcard Certificate
• Citrix Gateway integrated with a Citrix Virtual Apps and Desktops environment which uses LDAP for authentication
• Active Directory (AD) is available in the environment with Microsoft Certificate Authority installed
• A Windows 10 endpoint is domain joined, and has Citrix Workspace app installed
• The endpoint user must have local admin rights or have the Citrix Gateway Plug-in installed

Refer to Citrix Documentation for the latest product version, licensing, and requirement details:Device certificate in nFactor as an EPA component

Configuration

First, we log in to the CLI on our Citrix ADC and enter the authentication actions and associated policies for EPA and LDAP respectively along with the login schema. Then we log in to our GUI to build our nFactor flow in the visualizer tool and complete the multifactor authentication configuration.

美国环保署认证政策

Next we create the EPA action to check the device certificate, and the policy that references it.

EPA action 1 - authAct_EPA_dcnf

Update the following fields for your environment and copy and paste the string into the CLI:add authentication epaAction authAct_EPA_dcnf -csecexpr "sys.client_expr(\"device-cert_0_0\")"

EPA policy 1 - authPol_EPA_dcnf

Update the following fields for your environment and copy and paste the string into the CLI:add authentication Policy authPol_EPA_dcnf -rule true -action authAct_EPA_dcnf

LDAP Authentication policies

We create the LDAP actions, and the policies that reference them.

For LDAP Actions populate the required fields to create the LDAP action in a string and paste it into the CLI:

• ldapAction- enter the action name.
• serverIP- enter the domain server/s FQDN or IP address.
• serverPort- enter the LDAP port.
• ldapBase- enter the string of domain objects and containers where pertinent users are stored in your directory.
• ldapBindDn- enter the service account used to query domain users.
• ldapBindDnPassword- enter your service account password.
• ldapLoginName- enter the user object type.
• groupAttrName- enter the group attribute name.
• subAttributeName- enter the sub attribute name.
• secType- enter the security type.
• ssoNameAttribute- enter the single sign-on name attribute.

For LDAP Policies populate the required fields to reference the LDAP Action in a string and paste it into the CLI:

• Policy- enter the policy name.
• action- enter the name of the Email action we created above.

For more information seeLDAP authentication policies

1. First connect to the CLI by opening an SSH session to the NSIP address of the Citrix ADC and log in as thensrootadministrator or equivalent admin user.

LDAP action 1 - authAct_LDAP_dcnf

Update the following fields for your environment and copy and paste the string into the CLI:add authentication ldapAction authAct_Ldap_dcnf -serverIP 192.0.2.50 -serverPort 636 -ldapBase "DC=workspaces,DC=wwco,DC=net" -ldapBindDn wsadmin@workspaces.wwco.net -ldapBindDnPassword xyz123 -encrypted -encryptmethod ENCMTHD_3 -kek -suffix 2021_03_23_19_58 -ldapLoginName userPrincipalName -groupAttrName memberOf -subAttributeName cn -secType SSL -passwdChange ENABLED

LDAP policy 1 - authPol_LDAP_dcnf

Update the following fields for your environment and copy and paste the string into the CLI:add authentication Policy authPol_LDAP_dcnf -rule true -action authAct_Ldap_dcnf

Login Schema

Next we create Login Schemas used with each factor.

lSchema 1 - lSchema_EPA_dcnf

The EPA factor does not require a Login Schema.

lSchema 2 - lSchema_LDAP_dcnf

Update the following fields for your environment and copy and paste the string into the CLI:add authentication loginSchema ls_ldap_dcnf -authenticationSchema "/nsconfig/loginschema/LoginSchema/SingleAuth.xml"

Certificates

Domain Certificate

In this POC we used a wildcard certificate corresponding to our Active Directory domain and it also corresponds to the fully qualified domain name we use to access to the Gateway virtual server (gateway.workspaces.wwco.net)

1. Log in to the Citrix ADC GUI
2. Navigate toTraffic Management > SSL> Certificates > All Certificatesto verify you have your domain certificate and CAs installed and linked. SeeCitrix ADC SSL certificatesfor more information.

Device Certificate

There are many systems and options for user and device certificate management. In this POC we use the Microsoft Certificate Authority installed on our Active Directory server. We also have our Windows 10 endpoint joined to the domain.

1. From the start menu on our domain joined Windows 10 endpoint we entermmc, right-click and run as administrator
2. Select File > Add/Remove, select Certificates, select the arrow to move it to the Selected snap-in pane, select Computer account, Next, Local computer, Finish and, click OK
3. Open the Personal folder, right-click the Certificates folder > All Tasks > Request New Certificate
4. Click next until you are offered certificate types, select Computer, and click Enroll, followed by Finish
5. Double-click the certificate it installed, select the Certification Path tab, select the root CA on the top, and click View Certificate. (Note: We can export the CA from the Active Directory server, yet for the POC we can eliminate steps by doing it here)
6. In the popup select the Details tab, select Copy to File, click Next, click Next (to accept DER encoding)
7. Select browse, and enter a file name, select save, select next, and select finish to store the CA certificate file.
8. Now we will import it into the ADC by navigating to **Traffic Management > SSL> Certificates > CA Certificates
9. Click Install, we enter the nameDeviceCertificateCA, select Chose File, Local, and select the file, Open and click Install

nFactor Visualizer

1. Next navigate toSecurity > AAA - Application Traffic > nFactor Visualizer > nFactor Flows
2. Select Add and select the plus sign in the Factor box

Factor1_Epa_dcnf

1. EnterFactor1_Epa_dcnfand select create
2. In the same box select Add Policy
3. Select the EPA policyauthPol_EPA_dcnf
4. Select Add
5. Select the green plus sign next to theauthPol_EPA_dcnfpolicy to create another factor

Factor2_Ldap_dcnf

1. EnterFactor2_Ldap_dcnf
2. Select Create
3. In the same box select Add Schema
4. Selectls_ldap_dcnf
5. In the same box select Add Policy
6. SelectauthPol_LDAP_dcnf
7. Under Goto Expression selectEND

Citrix ADC authentication, authorization, and auditing (Citrix ADC AAA) virtual server

1. Next navigate toSecurity > AAA - Application Traffic > Virtual Serversand select Add
2. Enter the following fields and click OK:
   • Name - a unique value. We enterDC_AuthVserver
   • IP Address Type -Non Addressable
3. Select No Server Certificate, select the domain certificate, click Select, Bind, and Continue
4. Select No nFactor Flow
5. Under Select nFactor Flow click the right arrow, select theFactor1_Epa_dcnfflow created earlier
6. Click Select, followed by Bind, followed by Continue

Citrix Gateway - virtual server

1. Next navigate toCitrix Gateway > Virtual Servers
2. Select your existing virtual server that provides proxy access to your Citrix Virtual Apps and Desktops environment
3. Select Edit
4. Under Basic Settings select the pencil icon to edit, then select more at the bottom
5. At the bottom right, under Device Cert CA select Add, and click the plus (+) sign next to the DeviceCertificateCA followed by OK
6. Now under Certificate, select CA Certificate, Add Binding, select the right arrow under Select CA Cert and select DeviceCertificateCA followed by Bind and Close
7. If you currently have an LDAP policy bound navigate under Basic Authentication - Primary Authentication select LDAP Policy. Then check the policy, select Unbind, select Yes to confirm, and select Close
8. Under the Advanced Settings menu on the right select Authentication Profile
9. Select Add
10. Enter a name. We enterDC_AuthProfile
11. Under Authentication virtual server click the right arrow, and select the Citrix ADC AAA virtual server we createdDC_AuthVserver
12. Click Select, and Create
13. Click OK and verify the virtual server now has an authentication profile selected while the basic authentication policy has been removed
14. 点击完成

User Endpoint Verification

We test authentication by authenticating into our Citrix Virtual Apps and Desktops environment.

1. Open a browser, and navigate to the domain FQDN managed by the Citrix Gateway. We usehttps://gateway.workspaces.wwco.net
2. Select download if the EPA plug-in has not been installed.
3. Otherwise select Yes when the EPA plug-in prompts you to scan (you can also select Always to automatically scan). Thereafter it scans for device certificates.
4. If you have multiple device certificates it prompts you to select the appropriate one to authenticate with otherwise it presents a logon prompt.
5. Enter the domain user name and password.
6. Select the virtual desktop from the available resources in their workspace and verify a successful launch.

Summary

With Citrix Workspace and Citrix Gateway Enterprises can improve their security posture by implementing multifactor authentication without making the user experience complex. Device Certificates allow Enterprises to seamlessly add a 2nd authentication factor to user credentials, maintaining a good user experience while improving security posture.

References

For more information refer to:

How to Configure Device Certificate on Citrix Gateway for Authentication- learn how to implement an OSCP responder to verify certificate revocation status.

Understanding and Configuring EPA Verbose Logging on NetScaler Gateway- verify the nsepa.txt on the endpoint logs the correct CA in the list that is downloaded. “Netscaler has sent list of allowed CA for device certificate.” If not verify you imported and bound the correct one, that issued the device certificate, to the Gateway vServer.

Citrix ADC Commands to Find the PolicyHitsfor Citrix Gateway Session Policies- learn more about CLI commands likensconmsg -d current -g _hitsto track policyhitsto help troubleshoot.