Enforcing Two-Factor Authentication with a Smart Card on a Citrix Server



By: kiranprabhu_dp

October 24, 2007 9:51 am


Introduction

A smart card can be used for multiple applications, such as physical identification, logical identification, data security, digital signature, and file and disk encryption. When a smart card is combined with Novell® SecureLogin, it also enables single sign-on, which increases security and user productivity.

This article describes how to enforce two-factor authentication with a smart card on a Citrix* server through Novell SecureLogin. It also covers the procedure for configuring the Citrix server and client, and the changes that must be made before a Citrix passthrough will work.

Target Audience

Novell SecureLogin end users who want to use a smart card (or a USB token), specify the PIN code, and enable a strong authentication method for Citrix passthrough.

Benefits

The foremost benefits of using the smart card in combination with Novell SecureLogin are explained below:

  • Enhanced Security: A two-factor authentication establishes the identity of the user possessing a smart card or a USB token and the correct PIN code (like an ATM). With a smart card, the user’s authentication credentials, such as PKI keys and certificates, static passwords, or one-time passwords, are stored securely within the device.
  • Accountability of Compliance: With the two-factor authentication, organizations have a stronger proof of identity to protect access to information systems. They can link online activity to users, which is an essential element in regulatory compliance.
  • Portability for Digital Certificates: Smart cards are an ideal way to store credentials and private keys. Users can carry their credentials instead of leaving the keys behind on a workstation, thereby reducing the exposure to threat. It is also easy for users to log in from multiple workstations.
  • Extensible: A smart card can also be used for multiple applications, such as physical identification and logical identification, data security, digital signatures, and file and disk encryption. When used in conjunction with Novell SecureLogin, a smart card enables single sign-on, which increases security and user productivity.

Mandatory Tasks

Ensure that you have completed the following tasks on the Citrix server:

    1. Create a user account named user3 in Microsoft* Active Directory*, using the eDirectory™ username and password.

    2. Grant user3 the “Allow log on locally” and “Allow log on through Terminal Services” rights.

Deployment Environment

The following deployment environment has been used in the scenarios explained in this document.

Citrix Server

  • Citrix PS3 on Microsoft Windows 2003 with Microsoft Active Directory
  • PKI ActivClient* 5.4 and Hot Fix 0602012
  • Novell SecureLogin client 6.0 installed in eDirectory or LDAP mode, with the “Launch when Windows Starts” option selected for LDAP authentication
  • Smart card support

Citrix Client

  • Microsoft Windows XP Professional SP2 with Citrix client 8.0
  • PKI ActivClient 5.4 and Hot Fix 0602012
  • Novell SecureLogin client 6.0 installed in eDirectory or LDAP mode, with the “Launch when Windows Starts” option selected for LDAP authentication
  • Smart card support
  • ActivCard V2 reader

Allowing a Citrix Passthrough

To allow a Citrix passthrough, you must do the following:

A. Complete the mandatory tasks.
B. Set up a Citrix Server.
C. Set up a workstation.

The following sections discuss these steps in detail.

A: Mandatory Tasks

1. Ensure that the workstation is in the Active Directory domain.

2. Change the registry settings in the Citrix server as follows:

  • Change the ginadll value to c:\windows\system32\ctxgina.dll.
  • Change the ctxgina value to c:\windows\system32\nwgina.dll.

Together these two values chain the GINAs: Winlogon loads the Citrix GINA, which in turn loads the Novell GINA.

3. Create the registry key UseCNasWindowsUserInCitrix at HKLM\Software\Novell\Login\Ldap.
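As an added example (not part of the original article), the following PowerShell script performs steps 2 and 3 on the Citrix server, backing up the Winlogon key first and verifying the chain afterwards. It assumes the GinaDLL and ctxgina values live under the standard Winlogon key (the article names only the values), and that PowerShell is available on the Windows 2003 server.

```powershell
# Added example: apply the GINA-chain and SecureLogin registry changes from
# steps 2 and 3, with a backup first. A wrong GinaDLL path leaves the server
# without a logon screen, which is why the DLL checks and backup exist.
# Assumption: GinaDLL and ctxgina are read from the Winlogon key below.

$Winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$NovellLdap = 'HKLM:\SOFTWARE\Novell\Login\Ldap'
$CtxGina    = 'c:\windows\system32\ctxgina.dll'
$NwGina     = 'c:\windows\system32\nwgina.dll'

# Both GINA DLLs must exist before Winlogon is pointed at them.
foreach ($dll in @($CtxGina, $NwGina)) {
    if (-not (Test-Path $dll)) {
        throw "Missing GINA DLL: $dll (install Citrix and SecureLogin first)"
    }
}

# Back up the current Winlogon key so the change can be reverted from a
# recovery console if logon breaks after the reboot.
$backup = Join-Path $env:TEMP ("winlogon-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' $backup | Out-Null
Write-Host "Winlogon key backed up to $backup"

# Step 2: chain Winlogon -> ctxgina.dll -> nwgina.dll
Set-ItemProperty -Path $Winlogon -Name 'GinaDLL' -Value $CtxGina -Type String
Set-ItemProperty -Path $Winlogon -Name 'ctxgina' -Value $NwGina  -Type String

# Step 3: create the UseCNasWindowsUserInCitrix key. The article says only
# "create the key" and gives no value, so none is set here.
if (-not (Test-Path $NovellLdap)) { New-Item -Path $NovellLdap -Force | Out-Null }
New-Item -Path (Join-Path $NovellLdap 'UseCNasWindowsUserInCitrix') -Force | Out-Null

# Verify the resulting chain before rebooting.
$w = Get-ItemProperty -Path $Winlogon
if ($w.GinaDLL -ne $CtxGina -or $w.ctxgina -ne $NwGina) {
    throw 'GINA chain not set as expected; restore from the .reg backup'
}
"GinaDLL = $($w.GinaDLL)"
"ctxgina = $($w.ctxgina)"
```

Run it from an elevated prompt on the Citrix server and keep the exported .reg file until a successful logon confirms the chain works.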

B: Setting Up the Citrix Server

1. Install Novell SecureLogin on the Citrix server and the Citrix client in LDAP GINA mode.

2. At the Citrix server, publish an application by using SLLauncher.exe, for example passwordtest.exe.

3. Log in to Novell SecureLogin as an admin user who is configured without smart card support.

C: Setting Up the Workstation

1. Log in to Novell SecureLogin as “user3”, who is configured to store the credentials on the smart card.

2. Select the NT domain (Citrix server) in the LDAP GINA.

3. From the client workstation, invoke the published application by using the Citrix ICA client.

4. Specify the PIN when prompted after login.

The passthrough happens successfully, and the Password Test application launches.

Conclusion

Using a smart card for Citrix passthrough provides additional security for the user session.
The single sign-on data is stored on the smart card and also in eDirectory for all the operations performed in the Citrix session.
