XenMobile

Domain or domain plus security token authentication

XenMobile supports domain-based authentication against one or more directories that are compliant with the Lightweight Directory Access Protocol (LDAP). You can configure a connection in XenMobile to one or more directories and then use the LDAP configuration to import groups, user accounts, and related properties.

LDAP is an open, vendor-neutral application protocol (standardized by the IETF) for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network. Directory information services are used to share information about users, systems, networks, services, and applications available throughout the network.

A common use of LDAP is to provide single sign-on (SSO), where one directory password per user is accepted by multiple services instead of each service keeping its own copy. A user logs on once, for example to a company website, and is then authenticated for access to the corporate intranet.

A client starts an LDAP session by connecting to an LDAP server, known as a Directory System Agent (DSA). The client then sends operation requests to the server, and the server returns a response for each request. A Bind request carries the credentials that authenticate the session, and Search requests look up entries under a base DN. With a simple bind over a plain-text connection (port 389 or 3268), the password crosses the network unencrypted, which is why the secure-connection settings described below matter.

Important:

XenMobile doesn’t support changing the authentication mode from domain authentication to a different authentication mode after users enroll devices in XenMobile.

To add LDAP connections in XenMobile

  1. In the XenMobile console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  2. Under Server, click LDAP. The LDAP page appears. You can add, edit, or delete LDAP-compliant directories, as described in this article.


To add an LDAP-compliant directory

  1. On the LDAP page, click Add. The Add LDAP page appears.


  2. Configure these settings:

    • Directory type: In the list, click the appropriate directory type. The default is Microsoft Active Directory.
    • Primary server: Type the primary server used for LDAP; you can enter either the IP address or the fully qualified domain name (FQDN).
    • Secondary server: Optionally, if a secondary server has been configured, enter the IP address or FQDN for the secondary server. This server is a failover server, used only if the primary server cannot be reached.
    • Port: Type the port number used by the LDAP server. The default is 389, the unencrypted LDAP port. Use 636 for secure (LDAPS) connections, 3268 for unencrypted Microsoft Global Catalog connections, or 3269 for secure Global Catalog connections. On 389 and 3268 the bind password is sent in clear text.
    • Domain name: Type the domain name.
    • User base DN: Type the distinguished name of the container under which XenMobile searches for user accounts in Active Directory, for example ou=users,dc=example,dc=com.
    • Group base DN: Type the distinguished name of the container under which groups are located, for example cn=users,dc=domain,dc=net, where cn=users is the container that holds the groups and each dc= component is a domain component of the Active Directory domain name.
    • User ID: Type the user ID of the Active Directory account that XenMobile uses to bind to the directory. Use a dedicated service account with read-only directory permissions.
    • Password: Type the password associated with that account.
    • Domain alias: Type an alias for the domain name. If you change the Domain alias setting after enrollment, users must re-enroll.
    • XenMobile Lockout Limit: Type a number between 0 and 999 for the number of failed logon attempts allowed before the user is locked out. A value of 0 means that XenMobile never locks out the user based on failed logon attempts. This lockout is enforced by XenMobile and is separate from any account lockout policy in the directory.
    • XenMobile Lockout Time: Type a number between 0 and 99999 representing the number of minutes a user must wait after exceeding the lockout limit. A value of 0 means that the user isn't forced to wait after a lockout.
    • Global Catalog TCP Port: Type the TCP port number for the Global Catalog server. By default, the TCP port number is set to 3268; for SSL connections, use port number 3269.
    • Global Catalog Root Context: Optionally, type the Global Catalog root context value used to enable a Global Catalog search in Active Directory. A Global Catalog search is performed in addition to the standard LDAP search and can find objects in any domain of the forest without the need to specify the actual domain name.
    • User search by: In the list, click either userPrincipalName or sAMAccountName. The default is userPrincipalName. If you change the User search by setting after enrollment, users must re-enroll.
    • Use secure connection: Select whether to use a TLS-protected (LDAPS) connection. The default is NO, which sends the bind credentials unencrypted; set it to YES, together with port 636 or 3269, for production deployments.
  3. Click Save.
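The settings above (and the same fields on the Edit LDAP page later in this article) are easy to get subtly wrong: a clear-text port combined with Use secure connection set to YES, a base DN with a typo, or a user lookup filter built from an unescaped logon name. The following Python script is an added example written for this article, not XenMobile code. It runs offline against constructed form values, assumes an Active Directory schema in which user entries carry objectClass=user, and assumes that a bare logon name takes the configured Domain name as its UPN suffix; it does not contact a directory.

```python
"""Preflight checks for the values entered on the XenMobile Add LDAP / Edit LDAP page.

Constructed example for this article; not XenMobile code. It checks that Port and
Use secure connection agree, parses the User base DN and Group base DN, and builds
the user lookup filter for the chosen 'User search by' attribute with RFC 4515
escaping, so that a user-typed logon name cannot change the filter's meaning.
"""
from __future__ import annotations

import re

# Port table from the article: clear-text ports and their TLS counterparts.
CLEAR_PORTS = {389: "LDAP", 3268: "Global Catalog"}
TLS_PORTS = {636: "LDAPS", 3269: "Global Catalog over SSL"}

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def check_port(port: int, use_secure_connection: bool) -> list[str]:
    """Return warnings when Port and Use secure connection disagree, or when the
    chosen combination sends the bind account password in clear text."""
    warnings = []
    if use_secure_connection and port in CLEAR_PORTS:
        warnings.append(f"port {port} is the clear-text {CLEAR_PORTS[port]} port; "
                        "use 636 or 3269 when Use secure connection is YES")
    if not use_secure_connection and port in TLS_PORTS:
        warnings.append(f"port {port} expects TLS ({TLS_PORTS[port]}) but Use secure "
                        "connection is NO; a clear-text session to a TLS port will not complete")
    if not use_secure_connection:
        warnings.append("simple bind without TLS sends the User ID password unencrypted")
    if port not in CLEAR_PORTS and port not in TLS_PORTS:
        warnings.append(f"port {port} is not a standard LDAP or Global Catalog port")
    return warnings


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a distinguished name into (attribute, value) RDNs.

    Commas escaped as '\\,' (RFC 4514) stay inside a value. Malformed input such as
    'ou=users,dc=example, or dc=com' raises ValueError, so a bad base DN is caught
    before it silently matches nothing.
    """
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        rdn = rdn.strip()
        attr, sep, value = rdn.partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr) or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        rdns.append((attr.lower(), value.strip()))
    return rdns


def is_valid_dn(dn: str) -> bool:
    """True if parse_dn accepts the DN."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


def user_search_filter(user_id: str, search_by: str, domain: str | None = None) -> str:
    """Build the AD user lookup filter for the 'User search by' setting.

    Assumption for this example: a bare logon name searched by userPrincipalName is
    qualified with the configured Domain name as its UPN suffix.
    """
    if search_by not in ("userPrincipalName", "sAMAccountName"):
        raise ValueError(f"unsupported User search by value {search_by!r}")
    value = user_id
    if search_by == "userPrincipalName" and "@" not in user_id and domain:
        value = f"{user_id}@{domain}"
    return f"(&(objectClass=user)({search_by}={escape_filter_value(value)}))"


def preflight(form: dict) -> dict:
    """Run every check over a dict keyed by the field names on the Add LDAP page."""
    return {
        "warnings": check_port(form["Port"], form["Use secure connection"]),
        "user_base": parse_dn(form["User base DN"]),
        "group_base": parse_dn(form["Group base DN"]),
    }


if __name__ == "__main__":
    # Constructed form values mirroring the page's fields; not a real directory.
    form = {"Port": 389, "Use secure connection": False,
            "User base DN": "ou=users,dc=example,dc=com",
            "Group base DN": "cn=users,dc=example,dc=com",
            "Domain name": "example.com", "User search by": "userPrincipalName"}
    for w in preflight(form)["warnings"]:
        print("WARNING:", w)
    print(user_search_filter("alice", form["User search by"], form["Domain name"]))
    # A logon name containing filter metacharacters is matched literally, not as a wildcard.
    print(user_search_filter("*)(sAMAccountName=*", "sAMAccountName"))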

To edit an LDAP-compliant directory

  1. In the LDAP table, select the directory to edit.

    When you select the check box next to a directory, the options menu appears above the LDAP list. Click anywhere else in the list and the options menu appears on the right side of the listing.

  2. Click Edit. The Edit LDAP page appears.


  3. Change the following information as appropriate:

    • Directory type: In the list, click the appropriate directory type.
    • Primary server: Type the primary server used for LDAP; you can enter either the IP address or the fully qualified domain name (FQDN).
    • Secondary server: Optionally, type the IP address or FQDN for the secondary server (if one has been configured).
    • Port: Type the port number used by the LDAP server. The default is 389, the unencrypted LDAP port. Use 636 for secure (LDAPS) connections, 3268 for unencrypted Microsoft Global Catalog connections, or 3269 for secure Global Catalog connections.
    • Domain name: You cannot change this field.
    • User base DN: Type the distinguished name of the container under which XenMobile searches for user accounts in Active Directory, for example ou=users,dc=example,dc=com.
    • Group base DN: Type the distinguished name of the container under which groups are located, for example cn=users,dc=domain,dc=net, where cn=users is the container that holds the groups and each dc= component is a domain component of the Active Directory domain name.
    • User ID: Type the user ID of the Active Directory account that XenMobile uses to bind to the directory.
    • Password: Type the password associated with that account.
    • Domain alias: Type an alias for the domain name. If you change the Domain alias setting after enrollment, users must re-enroll.
    • XenMobile Lockout Limit: Type a number between 0 and 999 for the number of failed logon attempts allowed before the user is locked out. A value of 0 means that XenMobile never locks out the user based on failed logon attempts.
    • XenMobile Lockout Time: Type a number between 0 and 99999 representing the number of minutes a user must wait after exceeding the lockout limit. A value of 0 means that the user isn't forced to wait after a lockout.
    • Global Catalog TCP Port: Type the TCP port number for the Global Catalog server. By default, the TCP port number is set to 3268; for SSL connections, use port number 3269.
    • Global Catalog Root Context: Optionally, type the Global Catalog root context value used to enable a Global Catalog search in Active Directory. A Global Catalog search is performed in addition to the standard LDAP search and can find objects in any domain of the forest without the need to specify the actual domain name.
    • User search by: In the list, click either userPrincipalName or sAMAccountName. If you change the User search by setting after enrollment, users must re-enroll.
    • Use secure connection: Select whether to use a TLS-protected (LDAPS) connection. Pair YES with port 636 or 3269.
  4. Click Save to save your changes or Cancel to leave the directory unchanged.

To delete an LDAP-compliant directory

  1. In the LDAP table, select the directory you want to delete.

    You can select more than one directory to delete by selecting the check box next to each one.

  2. Click Delete. A confirmation dialog box appears. Click Delete again.

Configure authentication for multiple domains

To configure XenMobile Server to use multiple domain suffixes in an LDAP configuration, see the procedure in the Citrix Endpoint Management documentation, Configure authentication for multiple domains. The steps are the same in the on-premises version of XenMobile Server and the Endpoint Management cloud release.

Configure domain plus security token authentication

You can configure XenMobile to require users to authenticate with their LDAP credentials plus a one-time password (OTP) that is validated over the RADIUS protocol.

For optimal usability, you can combine this configuration with Citrix PIN and Active Directory password caching. With that configuration, users don't have to enter their LDAP user names and passwords repeatedly. Users enter user names and passwords only for enrollment, after password expiration, and after an account lockout.

Configure LDAP settings

Use of LDAP for authentication in this configuration requires that you install an SSL certificate from a Certificate Authority on XenMobile. For information, see Uploading certificates in XenMobile.

  1. In Settings, click LDAP.

  2. Select Microsoft Active Directory and then click Edit.

  3. Verify that the Port is 636, the secure LDAP (LDAPS) port, or 3269, the secure Microsoft Global Catalog port.

  4. Change Use secure connection to Yes.


Configure Citrix Gateway settings

The following steps assume that you already have added a Citrix Gateway instance to XenMobile. To add a Citrix Gateway instance, see Add a Citrix Gateway instance.

  1. In Settings, click Citrix Gateway.

  2. Select the Citrix Gateway instance and then click Edit.

  3. From Logon Type, select Domain and security token.


Enable Citrix PIN and user password caching

To enable Citrix PIN and user password caching, go to Settings > Client Properties and select these check boxes: Enable Citrix PIN Authentication and Enable User Password Caching. For more information, see Client properties.

Configure Citrix Gateway for domain and security token authentication

Configure Citrix Gateway session profiles and policies for your virtual servers used with XenMobile. For information, see the Citrix Gateway documentation.
