Configuring Support for Citrix Federated Authentication Service
This documentation makes reference to ADFS as one example Identity Provider (IdP) that Imprivata customers can choose to use with Citrix FAS. Note that Citrix also supports other IdPs beyond ADFS; those IdPs are not detailed in Imprivata's documentation. For more information on IdPs, see your Citrix documentation.
As part of Citrix Federated Authentication Service (FAS), Microsoft Active Directory Federated Services (ADFS) creates a certificate on behalf of the user. Citrix FAS uses this certificate to log the user into their virtual desktops or applications without requiring them to enter their Active Directory credentials.
Enabling Kerberos support allows Imprivata OneSign to trust the Citrix FAS user certificate, which extends the Citrix environment to Imprivata Virtual Desktop Access functionality.
- Microsoft Active Directory Federated Services (ADFS) acts as the Identity Provider. During user authentication, the Imprivata agent requests a SAML artifact from the Imprivata appliance.
- Citrix StoreFront functions as the Service Provider. The Imprivata agent uses the SAML artifact to authenticate the user to Citrix. Citrix StoreFront validates the SAML artifact with the Imprivata appliance.
Supported Workflows
Supported workflows include:
Citrix Web Portal — Manually Launched Desktops
Desired end-user workflow:
- The user opens a browser and accesses the Citrix web portal.
- The user supplies the credentials to access the Citrix web portal. All of the remote resources (VMs and apps) entitled to the user are displayed.
- The user selects the dedicated desktop to launch. The desktop launches and automatically logs the user in using the Imprivata OneSign agent installed on the desktop.
Citrix Web Portal — Manually Launched Applications
Desired end-user workflow:
- The user opens a browser and accesses the Citrix web portal.
- The user supplies the credentials to access the Citrix web portal. All of the remote resources (VMs and apps) entitled to the user are displayed.
- The user selects the applications to launch. If the application is a server-based desktop, the user is automatically logged into the Imprivata OneSign agent installed on the desktop.
Auto-Launched Desktops
Desired end-user workflow:
- Install the Imprivata agent on the endpoint computer.
- Enable Citrix dedicated desktop auto-launching by configuring a user policy and a computer policy. Apply the computer policy to the endpoint and the user policy to the user.
- The user logs onto the endpoint computer.
- The desktop is launched automatically. If the user has more than one desktop available, they select the appropriate desktop from the list.
Auto-Launched Applications
Desired end-user workflow:
- Install the Imprivata agent on the endpoint computer.
- Enable Citrix application auto-launching by configuring a user policy and a computer policy. Apply the computer policy to the endpoint and the user policy to the user.
- The user logs onto the endpoint computer.
- The selected Citrix applications are launched automatically. If the application is a Citrix full desktop, the user is logged into Imprivata OneSign on the full desktop automatically.
Before You Begin
Before you begin:
- Review the Imprivata OneSign Supported Components to confirm that your Citrix environment meets the minimum requirements to support Citrix FAS with Imprivata OneSign.
- Verify that the Citrix Federated Authentication Service (FAS) environment is functioning normally, independent of Imprivata OneSign, before installing and configuring Imprivata components. For more information, see your Citrix documentation on the FAS architecture and installation steps.
- The following assumes that an Imprivata single-user agent (type 1) or an Imprivata agent for Citrix or Terminal servers (type 3) is installed on the computers that employees use to access their entitled resources. For complete details, see the Imprivata online help.
Configure Citrix StoreFront Authentication Methods
In Citrix StoreFront, configure the authentication methods for users accessing stores.
- In the Citrix StoreFront Admin Console, go to the required store, and click Manage Authentication Methods. Select the following authentication methods:
  - Username and Password.
  - SAML Authentication. From the SAML Authentication Setting drop-down list, configure the following settings:
    - Identity Provider. Type the address of the AD FS server. For example: https://myServer.myDomain.com/adfs/ls
    - Service Provider. Type the address of the Citrix controller. This information is required by the Identity Provider. For example: https://myCitrix.myDomain.com/citrix/Authentication
  - HTTP basic. Enable HTTP Basic authentication. Users authenticate with the StoreFront server's IIS web server.
  - Pass-through from NetScaler Gateway. From the Pass-through from NetScaler Gateway drop-down list, configure the following settings:
    - In the Configure Trusted Domains section, select Any domain.
    - In the Configure Delegated Authentication section, select Fully delegate credential validation to NetScaler Gateway.
    - In the Configure Password Validation section, select Active Directory to specify how passwords are validated.
  - Advanced. In the Install/Uninstall Authentication Methods section, select SAML Authentication.

Imprivata agents communicate with known Citrix stores. The URL required to configure the Imprivata agent connection to Citrix depends on how the Citrix store is configured:
- Store URL – If the store is configured with a Store URL, the Imprivata agent communicates with Citrix using the corresponding Web Site URL. Example: If the store is configured with https://example.com/Citrix/SalesStore, then configure the Imprivata agent connection with https://example.com/Citrix/SalesStoreWeb.
- XenApp Services URL – If the store is configured with a XenApp Services URL (the StoreFront legacy URL or the StoreFront URL), the Imprivata agent communicates with Citrix using the same XenApp Services URL. Example: If the store is configured with https://example.com/Citrix/SalesStore/PNAgent/config.xml, then configure the Imprivata agent connection with https://example.com/Citrix/SalesStore/PNAgent/config.xml.
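The two rules above are easy to get wrong when many stores are configured, so the following added example (not part of the Imprivata documentation or product) derives the agent connection URL from a store URL: a XenApp Services URL is returned unchanged, and a Store URL is mapped to its Web Site URL by appending "Web" to the store path. The example assumes stores are always reached over https, as in the page's examples, and rejects anything else.

```python
from urllib.parse import urlsplit, urlunsplit

# Suffix that identifies a XenApp Services (PNAgent) URL, as in the example above.
XENAPP_SERVICES_SUFFIX = "/pnagent/config.xml"


def agent_connection_url(store_url: str) -> str:
    """Return the URL to enter for the Imprivata agent connection.

    - XenApp Services URL (.../PNAgent/config.xml): returned unchanged.
    - Store URL (.../Citrix/<StoreName>): the matching Web Site URL, i.e. the
      same path with "Web" appended (.../Citrix/<StoreName>Web).
    Anything that is not an absolute https URL is rejected (assumption of this
    example: the documentation only shows https stores).
    """
    parts = urlsplit(store_url.strip())
    if parts.scheme.lower() != "https" or not parts.netloc:
        raise ValueError(f"expected an absolute https URL, got {store_url!r}")

    path = parts.path.rstrip("/")
    if path.lower().endswith(XENAPP_SERVICES_SUFFIX):
        # Legacy/PNAgent store: the agent uses the same XenApp Services URL.
        return urlunsplit((parts.scheme.lower(), parts.netloc, path, "", ""))

    # A Store URL looks like /Citrix/<StoreName>; require both path components so
    # that a bare host or a site root is not silently turned into "/Web".
    if path.count("/") < 2:
        raise ValueError(f"not a Store URL or XenApp Services URL: {store_url!r}")
    return urlunsplit((parts.scheme.lower(), parts.netloc, path + "Web", "", ""))


if __name__ == "__main__":
    for url in ("https://example.com/Citrix/SalesStore",
                "https://example.com/Citrix/SalesStore/PNAgent/config.xml"):
        print(url, "->", agent_connection_url(url))
```

Query strings and fragments are dropped deliberately; neither form of store URL on this page carries them, and an agent connection URL should not either.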
Configure Kerberos Authentication
Kerberos Prerequisites
Review the following prerequisites before you begin:
- Verify that Kerberos is configured and enabled in your Windows environment. This topic details how to configure Imprivata OneSign for Kerberos authentication and assumes that the Kerberos deployment is running normally.
- The Imprivata OneSign keytab utility (keytab utility), which you use to create a keytab file and upload it to an appliance, relies on ktpass. The keytab utility is installed with the Imprivata agent. Ktpass is part of the Microsoft Windows Server resource kit. Beginning with Windows Server 2008, the resource kit tools are installed as part of the server role installation.
- The endpoint computer from which you run the keytab utility and the primary appliance with which the Imprivata agent communicates must be in the same Active Directory domain. For example, if the fully qualified domain name (FQDN) of the endpoint computer is endpoint.example.com, then the Imprivata appliance FQDN could be server_name.example.com.
- The Service Principal Name (SPN) of the appliance that the keytab utility registers with Active Directory is case-sensitive. The hostname and the domain name that appear in the Imprivata Appliance Console of this appliance must contain only lowercase letters.
- If the Imprivata enterprise includes more than one domain sharing a trust relationship, for example a parent company (company.com) and two subdomains (us.company.com and eu.company.com), make sure that at least one appliance is placed in company.com. Upload the keytab file to this appliance. Uploading to the appliance that is in the second-level domain (SLD) ensures that the keytab file is valid for all domains.
Enable Kerberos Authentication
Enabling Kerberos authentication requires that you:

Configuring Kerberos authentication requires access to the following:
- Domain administrator access to an endpoint computer on which the Imprivata agent is installed.
- The Imprivata Appliance Console.
- The Imprivata Admin Console.
If more than one person is responsible for domain administration, appliance administration, and Imprivata OneSign administration, coordinate with these individuals before beginning.

Configuring Network Time Protocol (NTP) servers ensures that the Kerberos ticket does not expire before the appliance can extract the user identity from it. Complete the following for each appliance in the enterprise to enable time synchronization.
- In the Imprivata Appliance Console, go to Network > NTP.
- Enter the IP address for one or more NTP servers.
- Click Save.

The endpoint computer from which you run the keytab utility and the primary appliance with which the Imprivata agent communicates must be in the same Active Directory domain. For example, if the fully qualified domain name (FQDN) of the endpoint computer is endpoint.example.com, then the Imprivata appliance FQDN could be server_name.example.com.
- Log into the endpoint computer.
- Open the registry editor and go to the ISXAgent registry key:
  64-bit — HKLM\SOFTWARE\SSOProvider\ISXAgent
- Use the IPTXPrimServer value to confirm that the agent's primary appliance is in the same Active Directory domain as the endpoint computer.
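The same-domain check above, together with the lowercase-hostname prerequisite from the Kerberos Prerequisites list, can be scripted so that it is run before the keytab utility rather than eyeballed in the registry editor. The following is an added example (not an Imprivata tool) that compares the domain part of the endpoint's FQDN with the appliance name and flags uppercase letters in the appliance name. It assumes IPTXPrimServer holds a string containing the appliance FQDN, either bare or as a URL; the documentation does not state the value's format, so that is an assumption of this example, and an IP address is reported as unverifiable.

```python
import platform
from typing import List, Optional

ISXAGENT_KEY = r"SOFTWARE\SSOProvider\ISXAgent"   # 64-bit key named in the documentation
PRIM_SERVER_VALUE = "IPTXPrimServer"


def _host_only(value: str) -> str:
    """Reduce a plain FQDN, host:port, or URL to a bare host name (format is an assumption)."""
    host = value.strip()
    if "://" in host:
        host = host.split("://", 1)[1].split("/", 1)[0]
    return host.split(":", 1)[0]


def dns_domain(fqdn: str) -> str:
    """Return the domain part of an FQDN, lowercased: endpoint.example.com -> example.com."""
    return fqdn.strip().lower().partition(".")[2]


def check_appliance_prereqs(endpoint_fqdn: str, prim_server: str) -> List[str]:
    """Return a list of findings; an empty list means both prerequisites are satisfied."""
    findings: List[str] = []
    host = _host_only(prim_server)

    if host.replace(".", "").isdigit():
        findings.append(f"IPTXPrimServer is an IP address ({host}); domain membership cannot be confirmed")
        return findings
    if "." not in host:
        findings.append(f"IPTXPrimServer '{host}' is not an FQDN; domain membership cannot be confirmed")
        return findings

    # Prerequisite 1: endpoint and primary appliance must share an AD domain.
    if dns_domain(host) != dns_domain(endpoint_fqdn):
        findings.append(
            f"primary appliance {host} is in domain {dns_domain(host)}, "
            f"but the endpoint {endpoint_fqdn} is in domain {dns_domain(endpoint_fqdn)}"
        )
    # Prerequisite 2: the SPN is case-sensitive, so the appliance name must be all lowercase.
    if host != host.lower():
        findings.append(
            f"appliance name '{host}' contains uppercase letters; the SPN is case-sensitive, "
            "so the host and domain name in the Appliance Console must be all lowercase"
        )
    return findings


def read_prim_server() -> Optional[str]:
    """Windows only: read IPTXPrimServer from the 64-bit ISXAgent key (assumes a string value)."""
    if platform.system() != "Windows":
        return None
    import winreg  # only available on Windows builds of Python

    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY   # force the 64-bit registry view
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ISXAGENT_KEY, 0, access) as key:
        value, _ = winreg.QueryValueEx(key, PRIM_SERVER_VALUE)
    return str(value)


if __name__ == "__main__":
    import socket
    prim = read_prim_server() or "server_name.example.com"   # constructed fallback off Windows
    for line in check_appliance_prereqs(socket.getfqdn(), prim) or ["OK: prerequisites satisfied"]:
        print(line)
```

Run it on the endpoint as the domain administrator who will run the keytab utility; any finding it prints should be resolved before ISXKerbUtil.exe is run, since a wrong domain or a mixed-case name produces a keytab whose SPN does not match the appliance.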

Creating and uploading a keytab file establishes a Kerberos trust relationship between Imprivata OneSign and Microsoft Active Directory. You use the Imprivata keytab utility, which is installed with the Imprivata agent, to create and upload a keytab file. After the keytab file is uploaded to the appliance, it is propagated to all other appliances in the enterprise.
NOTE: Obtain the Imprivata OneSign administrator user credentials of the appliance to which you are uploading the keytab file. The Imprivata keytab utility requires these credentials to upload the keytab file.
- As a domain administrator, log into an endpoint computer on which the Imprivata agent is installed and open a command prompt.
- At the command prompt, type the following and press Enter:
  64-bit — cd \Program Files (x86)\Imprivata\OneSign Agent
- Type ISXKerbUtil.exe and press Enter. The utility returns the domain name, the domain controller, and the appliance host name in Service Principal Name (SPN) format.
- Type the username of the domain account that has Super Administrator rights in the Admin Console, using the User Principal Name (UPN) format, and press Enter. Example: username@example.com
- Enter the password of the domain account with Super Administrator rights that you provided above, and press Enter.
- Enter a password that meets the Active Directory complexity requirements and press Enter. The utility creates a domain user account named ssoKerberos, sets the password, and creates and uploads the keytab file to the appliance.
NOTE: If the Imprivata keytab utility detects that a domain user account is already mapped to the SPN, it updates that domain account with the password you entered. If the utility detects that multiple domain user accounts are mapped to the SPN, it identifies the user it previously created and updates it with the password you entered; the remaining users are removed from the SPN.

The Imprivata keytab utility creates the keytab file with all of the cryptographic types supported by Windows Server.
NOTE: Only one keytab file is allowed per Imprivata enterprise.
- In the Imprivata Admin Console, go to the Users menu > Directories page.
- Click the name of the domain from which you created the keytab file.
- Go to Kerberos authentication and click 5 keytab files.
- Verify that the keys are using the following cryptographic types:
  - DES cbc mode with CRC-32
  - DES cbc mode with RSA-MD5
  - ArcFour with HMAC/md5
  - AES-256 CTS mode with 96-bit SHA-1 HMAC
  - AES-128 CTS mode with 96-bit SHA-1 HMAC
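The Admin Console shows the key types after upload; the same check can be made on the keytab file itself before it is uploaded. The following added example (not Imprivata code) parses the MIT keytab format (version 0x0502, the format ktpass writes) and compares the encryption types it finds with the five listed above. It builds its own sample keytab inline so it runs offline; the principal HTTP/server_name.example.com@EXAMPLE.COM and the key bytes are constructed, and the real SPN is whatever ISXKerbUtil.exe reports.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Kerberos encryption-type numbers (RFC 3961 / IANA registry) for the five key
# types the documentation says the keytab should contain.
ENCTYPE_NAMES = {
    1: "DES cbc mode with CRC-32",
    3: "DES cbc mode with RSA-MD5",
    23: "ArcFour with HMAC/md5",
    18: "AES-256 CTS mode with 96-bit SHA-1 HMAC",
    17: "AES-128 CTS mode with 96-bit SHA-1 HMAC",
}
EXPECTED = set(ENCTYPE_NAMES)
WEAK = {1, 3, 23}   # single DES and RC4: on the list above, but deprecated by RFC 6649 / RFC 8429


@dataclass
class KeytabEntry:
    principal: str
    enctype: int
    kvno: int
    key_len: int


def _counted(buf: bytes, pos: int):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 0x0502 keytab: one size-prefixed entry per key."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            raise ValueError("zero-length keytab entry")
        if size < 0:                        # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:                  # optional 32-bit kvno follows the key
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), enctype, kvno, len(key)))
        pos = end
    return entries


def audit_keytab(data: bytes) -> Dict[str, list]:
    """Compare the enctypes present in a keytab with the five the documentation lists."""
    present = {e.enctype for e in parse_keytab(data)}
    return {"missing": sorted(EXPECTED - present),
            "unexpected": sorted(present - EXPECTED),
            "weak": sorted(present & WEAK)}


# --- constructed sample input (not a real keytab): a writer for the same format ---
def _cstr(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(principal: str, keys: Dict[int, bytes], kvno: int = 2) -> bytes:
    name, realm = principal.split("@")
    comps = name.split("/")
    out = struct.pack(">H", 0x0502)
    for enctype, key in keys.items():
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name_type=KRB5_NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">H", enctype) + _cstr(key) + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out


# Hypothetical SPN and dummy key bytes; the real SPN is the one ISXKerbUtil.exe reports.
SAMPLE_PRINCIPAL = "HTTP/server_name.example.com@EXAMPLE.COM"
SAMPLE_KEYS = {1: b"\x11" * 8, 3: b"\x22" * 8, 23: b"\x33" * 16, 18: b"\x44" * 32, 17: b"\x55" * 16}
SAMPLE_KEYTAB = build_keytab(SAMPLE_PRINCIPAL, SAMPLE_KEYS)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(f"{e.principal}  kvno={e.kvno}  {ENCTYPE_NAMES.get(e.enctype, e.enctype)}")
    print(audit_keytab(SAMPLE_KEYTAB))
```

To audit a real file, pass its bytes to audit_keytab; "missing" lists any of the five types that are absent, and "weak" reports the single-DES and RC4 entries separately so that their presence is a deliberate decision rather than an accident. A keytab only ever contains keys, never the password, but it is equivalent to the ssoKerberos account's credential and should be handled and deleted from the endpoint accordingly once uploaded.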
Configure Imprivata OneSign

Imprivata agents communicate with known Citrix stores. To configure the connection:
- In the Imprivata Admin Console, go to the Computers menu > Virtual Desktops page > Citrix XenDesktop section.
- Enter a Web Site URL or a XenApp Services URL.
- Optional: Click Add another server to add additional Citrix stores.
- Select Allow authentication from XenApp-enabled devices.
- Click Save.

Step 1a: Create a Computer Policy for Endpoint Computers
- In the Imprivata Admin Console, go to the Computers menu > Computer policies page. You can select an existing computer policy from the list, or make a copy of the Default Computer Policy as a starting point.
- To edit an existing computer policy, click the computer policy name, and skip to Step 1b.
- To copy the Default Computer Policy, select Default Computer Policy, then click Copy. Click Default Computer Policy (2) and rename it.
Step 1b: Configure the Computer Policy for Endpoint Computers
- Click the General tab, go to the Authentication section, and select Accept Kerberos authentication in place of OneSign authentication.
- Click the Virtual Desktops tab, and configure the following:
  - In the Citrix XenDesktop section, select Automate access to Citrix XenDesktop. From the list of available Citrix servers, select a Citrix server to connect to.
  - In the Citrix XenApp section, select Automate access to Citrix XenApp. From the list of available Citrix servers, select a Citrix server to connect to.
- Click Save.
Step 1c: Assign the Computer Policy to Endpoint Computers
To manually assign the computer policy:
- Go to the Computers menu > Computers page.
- Select the computers to which you want to apply the computer policy.
- Select Choose a policy and the name of the policy configured for Kerberos authentication.
- Click Apply policy.
Use computer policy assignment rules to assign a computer policy to existing endpoint computers and to automatically assign the policy to endpoint computers added in the future.
- Go to the Computers menu > Computer policy assignment page.
- Click Add new rule.
- Enter a Name for the assignment rule.
- Select one of the following:
  - Computer IP address, and then enter the range of IP addresses to include in the computer policy.
  - Computer host name to match the computer policy to a specific computer.
  - Imprivata agent type to apply the computer policy to all computers with a specific Imprivata agent.

Configure a computer policy for the Citrix server to accept Kerberos authentication in place of Imprivata OneSign authentication.
- In the Imprivata Admin Console, go to the Computers menu > Computer policies page.
- Click the General tab, go to the Authentication section, and select Accept Kerberos authentication in place of OneSign authentication.
- Save the policy and assign it to the Citrix server.

Create and apply a user policy for the users.
Step 3a: Create the User Policy for Desktop Access Authentication
To create a user policy:
- In the Imprivata Admin Console, go to the Users menu > User policies page.
- In the Desktop Access Authentication section, select Smart Card or USB token using Active Directory certificate.
- Click Save.
Step 3b: Configure the User Policy to Auto-Launch Desktops
Create and apply a user policy to auto-launch desktops:
- In the Imprivata Admin Console, go to the Users menu > User policies page. You can select an existing user policy from the list, or make a copy of the Default User Policy as a starting point. If you want to edit an existing user policy, click the existing user policy name, and skip to step 5.
- To copy the Default User Policy, select Default User Policy, then click Copy.
- Click Default User Policy (2).
- Rename the user policy in the Policy Name field.
- Click the Virtual Desktops tab.
- Select Enable virtual desktop access automation.
- Select Automate access to full VDI desktops.
- Select the VDI desktop vendor.
- For applications delivered to the virtual desktop via Citrix Virtual Apps, select the applications to launch on that desktop from the right pane.
Step 3c: Configure the User Policy to Auto-Launch Applications
Create and apply a user policy to auto-launch published applications. You can set up multiple policies that launch different sets of applications.
- In the Imprivata Admin Console, go to the Users menu > User policies page. You can select an existing user policy from the list, or make a copy of the Default User Policy as a starting point. If you want to edit an existing user policy, click the existing user policy name, and skip to step 5.
- To copy the Default User Policy, select Default User Policy, then click Copy.
- Click Default User Policy (2).
- Rename the user policy in the Policy Name field.
- Click the Virtual Desktops tab.
- Select Enable virtual desktop access automation.
- Select Automate access to applications or published desktops. The XenApp applications that you configured in Step 1b: Configure the Computer Policy for Endpoint Computers are listed in two panes. Select the applications to launch from the left pane. For applications delivered to the virtual desktop via Citrix Virtual Apps, select a server-based VM from the left pane, and the applications from the right pane.
Step 3d: Assign the User Policy to Users
To assign the user policy:
- In the Imprivata Admin Console, go to the Users menu > Users page.
- Use Search for Users to locate the users to whom you want to assign the policy.
- Select the users from the search results.
- Click Apply Policy. The Apply Policy dialog box opens.
- Select the policy from the User policy drop-down list and click OK.