XenMobile

Client certificate or certificate plus domain authentication

The default configuration for XenMobile is user name and password authentication. To add another layer of security for enrollment and access to the XenMobile environment, consider using certificate-based authentication. In the XenMobile environment, this configuration is the best combination of security and user experience. Certificate plus domain authentication has the best SSO possibilities coupled with the security provided by two-factor authentication at Citrix ADC.

For optimal usability, you can combine certificate plus domain authentication with Citrix PIN and Active Directory password caching. As a result, users don’t have to enter their LDAP user names and passwords repeatedly. Users enter user names and passwords for enrollment, password expiration, and account lockout.

Important:

XenMobile doesn’t support changing the authentication mode from domain authentication to some other authentication mode after users enroll devices in XenMobile.

If you don’t allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to XenMobile. Users then enroll using a unique PIN that XenMobile generates for them. After a user has access, XenMobile then creates and deploys the certificate used to authenticate to the XenMobile environment.

You can use the Citrix ADC for XenMobile wizard to perform the configuration required for XenMobile when using Citrix ADC certificate-only authentication or certificate plus domain authentication. You can run the Citrix ADC for XenMobile wizard one time only.

In highly secure environments, usage of LDAP credentials outside of an organization in public or insecure networks is considered a prime security threat for the organization. For highly secure environments, two-factor authentication that uses a client certificate and a security token is an option. For information, see Configuring XenMobile for Certificate and Security Token Authentication.

Client certificate authentication is available for XenMobile MAM mode (MAM-only) and ENT mode (when users enroll into MDM). Client certificate authentication isn’t available for XenMobile ENT mode when users enroll into legacy MAM mode. To use client certificate authentication for XenMobile ENT and MAM modes, you must configure the Microsoft server, the XenMobile Server, and then Citrix Gateway. Follow these general steps, as described in this article.

On the Microsoft server:

  1. Add a certificate snap-in to the Microsoft Management Console.
  2. Add the template to Certificate Authority (CA).
  3. Create a PFX certificate from the CA server.

On the XenMobile Server:

  1. Upload the certificate to XenMobile.
  2. Create the PKI entity for certificate-based authentication.
  3. Configure credentials providers.
  4. Configure Citrix Gateway to deliver a user certificate for authentication.

For information about Citrix Gateway configuration, see these articles in the Citrix ADC documentation:

Prerequisites

  • When you create a Microsoft Certificate Services Entity template, avoid possible authentication issues with enrolled devices by excluding special characters. For example, don’t use these characters in the template name: ! $ ( ) # % + * ~ ? | { } [ ]

  • To configure certificate-based authentication for Exchange ActiveSync, see this Microsoft blog. Configure the certificate authority (CA) server site for Exchange ActiveSync to require client certificates.
  • If you use private server certificates to secure the ActiveSync traffic to the Exchange Server, ensure that the mobile devices have all necessary Root/Intermediate certificates. Otherwise, certificate-based authentication fails during the mailbox setup in Secure Mail. In the Exchange IIS Console, you must:
    • Add a website for XenMobile to communicate with, and bind the web server certificate.
    • Use port 9443.
    • On the website, you must add two applications, one for “Microsoft-Server-ActiveSync” and one for “EWS”. For both of those applications, under SSL Settings, select Require SSL.

Add a certificate snap-in to the Microsoft Management Console

  1. Open the console and then click Add/Remove Snap-ins.

  2. Add the following snap-ins:

    • Certificate Templates
    • Certificates (Local Computer)
    • Certificates - Current User
    • Certificate Authority (Local)

  3. Expand Certificate Templates.

  4. Select the User template and Duplicate Template.

  5. Provide the Template display name.

    Important:

    Select the Publish certificate in Active Directory check box only if necessary. If this option is selected, all user client certificates are created in Active Directory, which might clutter your Active Directory database.

  6. Select Windows 2003 Server for the template type. In Windows 2012 R2 server, under Compatibility, select Certificate authority and set the recipient as Windows 2003.

  7. Under Security, select the Enroll option in the Allow column for the authenticated users.

  8. Under Cryptography, make sure you provide the key size. You later enter the key size when configuring XenMobile.

  9. Under Subject Name, select Supply in the request. Apply the changes and then save.

Adding the template to Certificate Authority

  1. Go to Certificate Authority and select Certificate Templates.

  2. Right-click in the right pane and then select New > Certificate Template to Issue.

  3. Select the template you created in the previous step and then click OK to add it into the Certificate Authority.

Creating a PFX certificate from the CA server

  1. Create a user .pfx cert using the service account with which you logged in. The .pfx is uploaded to XenMobile, which then requests a user certificate on behalf of the users who enroll their devices.

  2. Under Current User, expand Certificates.

  3. Right-click in the right pane and then click Request New Certificate.

  4. The Certificate Enrollment screen appears. Click Next.

  5. Select Active Directory Enrollment Policy and then click Next.

  6. Select the User template and then click Enroll.

  7. Export the .pfx file that you created in the previous step.

  8. Click Yes, export the private key.

  9. Select Include all certificates in the certification path if possible and select the Export all extended properties check box.

  10. Set a password to use when uploading this certificate into XenMobile.

  11. Save the certificate onto your hard drive.

Uploading the certificate to XenMobile

  1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings screen appears.

  2. Click Certificates and then click Import.

  3. Enter the following parameters:

    • Import: Keystore
    • Keystore type: PKCS #12
    • Use as: Server
    • Keystore file: Click Browse to select the .pfx certificate you created.
    • Password: Enter the password you created for this certificate.

  4. Click Import.

  5. Verify that the certificate installed correctly. A correctly installed certificate displays as a User certificate.

Creating the PKI entity for certificate-based authentication

  1. In Settings, go to More > Certificate Management > PKI Entities.

  2. Click Add and then click Microsoft Certificate Services Entity. The Microsoft Certificate Services Entity: General Information screen appears.

  3. Enter the following parameters:

    • Name: Type any name
    • Web enrollment service root URL: https://RootCA-URL/certsrv/ (Be sure to add the last slash, /, in the URL path.)
    • certnew.cer page name: certnew.cer (default value)
    • certfnsh.asp: certfnsh.asp (default value)
    • Authentication type: Client certificate
    • SSL client certificate: Select the User Certificate to be used to issue the XenMobile client certificate.

  4. Under Templates, add the template that you created when configuring the Microsoft certificate. Don’t add spaces.

  5. Skip HTTP Parameters and then click CA Certificates.

  6. Select the root CA name that corresponds to your environment. This root CA is part of the chain imported from the XenMobile client certificate.

  7. Click Save.

Configuring credentials providers

  1. In Settings, go to More > Certificate Management > Credential Providers.

  2. Click Add.

  3. Under General, enter the following parameters:

    • Name: Type any name.
    • Description: Type any description.
    • Issuing entity: Select the PKI entity created earlier.
    • Issuing method: SIGN
    • Templates: Select the template added under the PKI entity.

  4. Click Certificate Signing Request and then enter the following parameters:

    • Key algorithm: RSA
    • Key size: 2048
    • Signature algorithm: SHA256withRSA
    • Subject name: cn=$user.username

    For Subject Alternative Names, click Add and then enter the following parameters:

    • Type: User Principal name
    • Value: $user.userprincipalname

  5. Click Distribution and enter the following parameters:

    • Issuing CA certificate: Select the Issuing CA that signed the XenMobile Client Certificate.
    • Select distribution mode: Select Prefer centralized: Server-side key generation.

  6. For the next two sections, Revocation XenMobile and Revocation PKI, set the parameters as required. In this example, both options are skipped.

  7. Click Renewal.

  8. For Renew certificates when they expire, select ON.

  9. Leave all other settings as default or change them as required.

  10. Click Save.

Configuring Secure Mail to use certificate-based authentication

When you add Secure Mail to XenMobile, be sure to configure the Exchange settings under App Settings.

Configuring Citrix ADC certificate delivery in XenMobile

  1. Log on to the XenMobile console and click the gear icon in the upper-right corner. The Settings screen appears.

  2. Under Server, click Citrix Gateway.

  3. If Citrix Gateway isn’t already added, click Add and specify the settings:

    • External URL: https://YourCitrixGatewayURL
    • Logon Type: Certificate and domain
    • Password Required: OFF
    • Set as Default: ON

  4. For Deliver user certificate for authentication, select On.

  5. For Credential Provider, select a provider and then click Save.

  6. To use sAMAccount attributes in the user certificates as an alternative to User Principal Name (UPN), configure the LDAP connector in XenMobile as follows: Go to Settings > LDAP, select the directory and click Edit, and select sAMAccountName in User search by.

Enable Citrix PIN and user password caching

To enable Citrix PIN and user password caching, go to Settings > Client Properties and select these check boxes: Enable Citrix PIN Authentication and Enable User Password Caching. For more information, see Client properties.

Troubleshooting your client certificate configuration

After you complete the preceding configuration and the Citrix Gateway configuration, the user workflow is as follows:

  1. Users enroll their mobile device.

  2. XenMobile prompts users to create a Citrix PIN.

  3. Users are then redirected to the XenMobile Store.

  4. When users start Secure Mail, XenMobile doesn’t prompt them for user credentials for mailbox configuration. Instead, Secure Mail requests the client certificate from Secure Hub and submits it to the Microsoft Exchange Server for authentication. If XenMobile prompts for credentials when users start Secure Mail, check your configuration.

If users can download and install Secure Mail, but during the mailbox configuration Secure Mail fails to finish the configuration:

  1. If Microsoft Exchange Server ActiveSync uses private SSL server certificates to secure the traffic, verify that the Root/Intermediate certificates are installed on the mobile device.

  2. Verify that the authentication type selected for ActiveSync is Require client certificates.

  3. On the Microsoft Exchange Server, check the Microsoft-Server-ActiveSync site to verify that client certificate mapping authentication is enabled. By default, client certificate mapping authentication is disabled. The option is under Configuration Editor > Security > Authentication.

    After selecting True, be sure to click Apply for the changes to take effect.

  4. Check the Citrix Gateway settings in the XenMobile console: Ensure that Deliver user certificate for authentication is ON and that Credential provider has the correct profile selected.
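As an added example (not from the Citrix article), the following PowerShell function turns steps 2 and 3 above into a repeatable check on the Exchange server: for each of the two applications it reads the IIS SSL flags (Require SSL, client certificate requirement) and whether client certificate mapping authentication is enabled. It assumes the IIS WebAdministration module is available and uses a placeholder site name; substitute the site you created for XenMobile.

```powershell
# Added example, not from the Citrix article: audit the Exchange ActiveSync and EWS
# applications for the settings the troubleshooting steps check. Assumes the IIS
# WebAdministration module; the site name "XenMobile" is a placeholder.
Import-Module WebAdministration

function Test-ClientCertAppSettings {
    param(
        [string]$SiteName = 'XenMobile',                                 # placeholder
        [string[]]$Apps   = @('Microsoft-Server-ActiveSync', 'EWS')
    )
    foreach ($app in $Apps) {
        $path = "IIS:\Sites\$SiteName\$app"

        # sslFlags is a comma-separated flag string, e.g. "Ssl, SslNegotiateCert, SslRequireCert".
        # "Require SSL" in the IIS console sets Ssl; "Require" client certificates adds SslRequireCert.
        $sslFlags = (Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $path).sslFlags
        $flags    = ($sslFlags -split ',') | ForEach-Object { $_.Trim() }

        # Client certificate mapping authentication is disabled by default in IIS.
        $mapping = (Get-WebConfiguration `
            -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' `
            -PSPath $path).enabled

        [pscustomobject]@{
            Application         = $app
            RequireSsl          = $flags -contains 'Ssl'
            RequireClientCert   = $flags -contains 'SslRequireCert'
            ClientCertMappingOn = [bool]$mapping
        }
    }
}

# Any row with a False column explains a Secure Mail mailbox setup that fails with this configuration.
Test-ClientCertAppSettings | Format-Table -AutoSize
```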

To determine if the client certificate was delivered to a mobile device

  1. In the XenMobile console, go to Manage > Devices and select the device.

  2. Click Edit or Show More.

  3. Go to the Delivery Groups section, and search for this entry:

    Citrix Gateway Credentials: Requested credential, CertId=

To validate whether client certificate negotiation is enabled

  1. Run this netsh command to show the SSL Certificate configuration that is bound on the IIS website:

    netsh http show sslcert

  2. If the value for Negotiate Client Certificate is Disabled, run the following command to enable it:

    netsh http delete sslcert ipport=0.0.0.0:443

    netsh http add sslcert ipport=0.0.0.0:443 certhash=cert_hash appid={app_id} certstorename=store_name verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable

    For example:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=609da5df280d1f54a7deb714fb2c5435c94e05da appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=ExampleCertStoreName verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable
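As an added example (not from the Citrix article), this PowerShell script parses the output of netsh http show sslcert into one object per binding and reports the Negotiate Client Certificate state for the 0.0.0.0:443 binding, so the check in step 2 can be scripted instead of read by eye. The sample output block is constructed text that reuses the article's example certificate hash and application ID, so the script runs offline; the commented line at the end runs the same check against the live server.

```powershell
# Added example, not from the Citrix article: parse 'netsh http show sslcert' and
# report whether a binding negotiates client certificates.

function ConvertFrom-NetshSslCert {
    param([Parameter(Mandatory)][string[]]$Lines)
    $bindings = @()
    $current  = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {              # start of a binding block
            if ($current) { $bindings += [pscustomobject]$current }
            $current = [ordered]@{ IpPort = $Matches[1] }
        }
        elseif ($current -and $line -match '^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()              # "Key : Value" rows
        }
    }
    if ($current) { $bindings += [pscustomobject]$current }
    return $bindings
}

function Test-ClientCertNegotiation {
    param([Parameter(Mandatory)][string[]]$Lines, [string]$IpPort = '0.0.0.0:443')
    $b = ConvertFrom-NetshSslCert -Lines $Lines | Where-Object { $_.IpPort -eq $IpPort }
    if (-not $b) { return "No SSL certificate binding found for $IpPort" }
    $state = $b.'Negotiate Client Certificate'
    if ($state -eq 'Enabled') { return "$($IpPort): client certificate negotiation is enabled" }
    return "$($IpPort): Negotiate Client Certificate is '$state'; re-add the binding with clientcertnegotiation=Enable"
}

# Constructed sample output (hash and app ID taken from the article's example command).
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 609da5df280d1f54a7deb714fb2c5435c94e05da
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : ExampleCertStoreName
    Verify Client Certificate Revocation : Enabled
    Negotiate Client Certificate : Disabled
'@
$sampleLines = $sample -split "`r?`n"

Test-ClientCertNegotiation -Lines $sampleLines        # reports the Disabled state
# Live check on the Exchange/IIS server:
# Test-ClientCertNegotiation -Lines (netsh http show sslcert)
```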