Steps to Configure XenMobile Client Certificate Authentication

Oct 20, 2015

The topics in this section outline the eight procedures you need to follow consecutively to configure client certificate authentication in your XenMobile environment.

  1. Set up a Certificate Authority (CA) if the organization does not currently have a CA. The XenMobile infrastructure was tested with the Microsoft Certificate Services.
  2. Create a certificate template for XenMobile certificate requests on the Microsoft CA server.
  3. Generate the XenMobile client certificate.
  4. Create the XenMobile Microsoft CA payload configuration on the Device Management server.
  5. Configure Device Manager to provide a user certificate to App Controller.
  6. Configure NetScaler Gateway to accept client certificates.
  7. Configure App Controller.
  8. Configure StoreFront.

Set Up a Certificate Authority

The first procedure you need to complete to configure client certificate authentication in your XenMobile environment is to set up a certificate authority (CA) if your organization does not currently have a CA.

Prerequisites

  • Microsoft Certificate Services running on Microsoft Windows 2008 Server R2. The XenMobile infrastructure was tested with the Microsoft Certificate Services.
  • Port 443 (default) open from XenMobile Device Manager to the Microsoft Certificate Services server.
  • Microsoft KB 980436 patch installed on the Microsoft Certificate Services server.
  • Microsoft KB 953461 patch installed on Microsoft Certificate Services server on Windows 2008 Server Enterprise.
  • Web enrollment for Microsoft Certificate Services enabled.
  • SSL enabled on Microsoft Internet Information Services (IIS).
  • IIS configured to accept client certificate authentication.
  • The client certificate, in .p12 format, that is used to authenticate.

To enable web enrollment for Microsoft Certificate Services

  1. Go to Administrative Tools and select Server Manager on the server to host the Certificate Authority.
  2. Under Active Directory Certificate Services, check to see if Certificate Authority Web Enrollment is installed.
  3. Select Add Role Services to install Certificate Authority Web Enrollment, if necessary.
  4. Select Certificate Authority Web Enrollment and then click Next.
  5. Click Close or Finish when the installation is complete.

Configure Microsoft IIS

  1. Go to Administrative Tools and then click Server Manager.
  2. Under Web Server (IIS), look under Role Services and then verify that Client Certificate Mapping Authentication and IIS Client Certificate Mapping Authentication are installed. If not, install these role services.
  3. Go to Administrative Tools and then click Internet Information Services (IIS) Manager.
  4. In the left-hand pane of the IIS Manager window, select the server running the IIS instance for web enrollment and then click Authentication.
  5. Make sure Active Directory Client Certificate Authentication shows the status of Enabled and then click Sites.
  6. In the right-hand pane, click Bindings and then add a site binding of the type https if one does not exist.
  7. Go to the Default Web Site Home.
  8. Click SSL Settings and then click Accept for Client Certificates.

In the next topic, follow the steps to create a certificate template for XenMobile certificate requests.

Create the Certificate Template for XenMobile Certificate Requests

The second procedure you need to complete to configure client certificate authentication in your XenMobile environment is to create a certificate template for XenMobile certificate requests. You configure the template on the Microsoft CA server.
  1. Open the MMC Console on the Microsoft CA server.
  2. Add a Snap-In for Certificate Templates.
  3. Open Certificate Templates.
  4. Right-click the User template and then click Duplicate Template.
  5. Select Windows 2003 Server, Enterprise Edition for the template type and then click OK.
  6. In Template display name, enter a template name.
    Note: Save the name that appears in Template name because you need it later in the configuration.
  7. Click the Request Handling tab and then, in Purpose, specify Signature and encryption.
  8. Optionally, select or clear the Allow private key to be exported check box.
  9. Click Enroll subject without requiring any user input.
  10. Click the Subject Name tab and then click Supply in the request.
  11. In the notification dialog box, click OK.
  12. Click the Security tab and then, under Permissions for Administrator, select Enroll to give permissions to a user account that will be making the certificate requests from Device Manager.
  13. Open MMC and add a Snap-In for Certification Authority.
  14. Expand the CA server and then right-click Certificate Templates.
  15. Click New and then click Certificate Template to Issue. Select the certificate template you created in the preceding steps.

In the next topic, follow the steps to generate the XenMobile client certificate.

Generate the XenMobile Client Certificate

The third procedure you need to complete to configure client certificate authentication in your XenMobile environment is to generate the XenMobile client certificate. You can request a certificate from any system in the domain. The domain account must have local administrator rights to the system requesting a certificate from the Certificate Server.
  1. Click Start and then click Run to open the command-line console.
  2. Type MMC.
  3. Click File > Add/Remove Snap-in.
  4. In the Snap-in list, click Certificates as shown in the following figure.

  5. Click Add, click OK and then click Finish.
  6. Expand the Certificates – Current User option in the left window pane.
  7. Expand the Personal folder.
  8. Right-click Certificates and then click All Tasks.
  9. Click Request New Certificate.
  10. On the Certificate Enrollment screen, click Next.
  11. Click Next again.
  12. Scroll to the bottom of the Request Certificates list and then select the User check box in the lower left-hand corner.
  13. Click Enroll and then click Finish. The certificate is now created. Next, you need to import the certificate into the Device Manager server.
  14. Right-click the certificate, select All Tasks and then click Export.
  15. Click Yes, export the private key and then click Next.
  16. Click Personal Information Exchange – PKCS #12 (.PFX), select Include all certificates in the certification path if possible, select Export all extended properties and then click Next as shown in the following figure.

  17. To protect the security of the private key for the certificate, enter a password and then click Next.
  18. Browse to a location where you want to save the certificate with the extension .pfx and then click Next.
  19. Click Finish and then click OK.

In the next topic, follow the steps to create the XenMobile Microsoft CA payload configuration.

Create the XenMobile Microsoft CA Payload Configuration

The fourth procedure you need to complete to configure client certificate authentication in your XenMobile environment is to create the XenMobile Microsoft CA payload configuration on the Device Manager server.
  1. Open the XenMobile admin console and then browse to XenMobile Server Options.
  2. Expand the PKI section and then click Server certificates as shown in the following figure.

  3. Click Upload a certificate.
  4. On the Upload a Certificate Type page, enter the following:
    1. Certificate Type: Keystore.
    2. Keystore type: PKCS#12.
    3. Keystore file: Upload a .pfx or .p12 certificate that was exported to the server.
    4. Password: The password created with the certificate.
  5. Click Upload. The certificate is now loaded into the XenMobile server.
  6. Under PKI, click Entities.
  7. Click New and then click New MS CertSrv entity as shown in the following figure.

  8. The wizard menu opens. Enter the following:
    1. Entity name: The CA server name.
    2. Authentication type: Client certificate.
    3. SSL client certificate: Select the client certificate that was uploaded.
  9. Click the Templates tab.
  10. Enter the template name from the Microsoft CA server.
  11. Click the CA Certificates tab.
  12. Click Add and then select the certificate. Use intermediate if available; if not, choose default CA and then click Add.
  13. Click the CA Certificates tab again and then click Update. This opens the XenMobile Server Options screen for the PKI entities option.
  14. Under PKI, click Credential providers and then click New credential provider.
  15. Click the CSR tab and then complete the following settings:
    1. The Key Size must match the key length specified in the template that was created in the second procedure in the client authentication configuration.
    2. In Subject Name, specify CN=$user.username.
    3. In Subject Alternate Names, click New alternative name and then specify the User Principal Name and a value of $user.userprincipalname as shown in the following figure.

  16. In Issuer, select the CA that is issuing the certificate and in Distribution mode, click Prefer centralized.
  17. Click the Renewal tab.
  18. Select Renew certificates when they expire.
  19. Enter the number of days within renewal before expiration and then click Add.

The credential provider is now created. Next, you need to configure Device Manager to provide a user certificate to App Controller.

Configure Device Manager to Provide a User Certificate to App Controller

The fifth procedure you need to complete to configure client certificate authentication in your XenMobile environment is to configure Device Manager to provide a user certificate to App Controller.
  1. In the Device Manager admin console, in XenMobile Server Options, expand Modules Configurations and then click App Controller.
  2. Complete the following settings:
    1. Host Name of App Controller.
    2. Shared Key.
    3. Select Enable App Controller.
    4. Select Deliver user certificate for authentication.
    5. In Provider, select the provider you created in the fourth procedure in the client certificate authentication configuration.

Next, you need to configure NetScaler Gateway to accept client certificates.

Configure NetScaler Gateway to Accept Client Certificates

The sixth procedure you need to complete to configure client certificate authentication in your XenMobile environment is to configure NetScaler Gateway to accept client certificates.
  1. Open NetScaler > Configuration.
  2. Go to NetScaler Gateway > Virtual Servers.
  3. Select the NetScaler Gateway virtual server that you want to configure and then click Open.
  4. To import the CA certificate, click the Certificates tab. A list of the certificates appears in the left-hand column.
  5. Select the root certificate that was added to NetScaler Gateway from the third-party CA, click Add and then click As CA to add the CA to the Configured list on the right-hand side.
  6. Click SSL Parameter.
  7. In the Configure SSL Params dialog box, select Client Authentication.
  8. In Client Certificate, select Mandatory and then click OK as shown in the following figure.

  9. Next, configure a policy to use the client certificates. Click NetScaler Gateway > Policies > Authentication/Authorization > Authentication > CERT.
  10. Click Add to add the authentication server.
  11. In User Name Field, select SubjectAltName:PrincipalName so that the UPN from the client certificate is delivered as the user name, and then click OK.
  12. Create a second authentication policy for Active Directory credentials with a lower priority.
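The credential provider CSR settings in the fourth procedure request the user's UPN as a Subject Alternative Name, and the CERT policy above reads that UPN from SubjectAltName:PrincipalName. The following added example, which is not part of the Citrix documentation, walks the DER-encoded SubjectAltName of a client certificate using only the Python standard library and reports the UPN that the policy would see, so an issued certificate can be checked before it is relied on for authentication; the SAN bytes and the UPN jdoe@example.com are constructed for the demonstration.

```python
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID content bytes to dotted notation."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def san_principal_names(san_der):
    """Return every UPN carried as a SAN otherName in a DER SubjectAltName value."""
    tag, seq, _ = _read_tlv(san_der, 0)
    assert tag == 0x30, "SubjectAltName must be a SEQUENCE of GeneralName"
    upns, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0xA0:                     # only otherName is [0]; skip email/DNS
            continue
        oid_tag, oid_raw, p = _read_tlv(body, 0)
        if oid_tag == 0x06 and _decode_oid(oid_raw) == UPN_OID:
            _, explicit, _ = _read_tlv(body, p)        # value is [0] EXPLICIT
            str_tag, value, _ = _read_tlv(explicit, 0)
            if str_tag == 0x0C:                        # UTF8String
                upns.append(value.decode("utf-8"))
    return upns

def upn_matches(san_der, expected_upn):
    """True if the SAN UPN equals the account UPN (UPNs compare case-insensitively)."""
    return any(u.lower() == expected_upn.lower() for u in san_principal_names(san_der))

# Constructed sample SAN: an rfc822Name plus the UPN otherName that a
# "$user.userprincipalname" credential provider would request.
def _tlv(tag, value):
    return bytes([tag, len(value)]) + value            # short-form length only

SAMPLE_UPN = "jdoe@example.com"                        # constructed value
_UPN_NAME = _tlv(0xA0, bytes.fromhex("060A2B060104018237140203")
                 + _tlv(0xA0, _tlv(0x0C, SAMPLE_UPN.encode())))
SAMPLE_SAN_DER = _tlv(0x30, _tlv(0x81, b"jdoe@example.com") + _UPN_NAME)
```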

Next, you need to configure App Controller.

Configure App Controller Connections to NetScaler Gateway

The seventh procedure you need to complete to configure client certificate authentication in your XenMobile environment is to configure App Controller connections to NetScaler Gateway.
  1. In the App Controller management console, click the Settings tab.
  2. Under System Configuration, click Deployment.
  3. In the details pane, under NetScaler Gateway, click Edit.
  4. In Configure authentication from NetScaler Gateway if devices need to access App Controller remotely, select Yes to allow remote users to connect.
    Note: If this is the first NetScaler Gateway or virtual server you are configuring, this setting moves to Yes automatically. If this is not the first NetScaler Gateway or virtual server you are configuring, you must manually select Yes.
  5. Click the plus (+) symbol to add an appliance. When you click the plus symbol, the fields in the next several steps appear.
  6. In Alias, type a name that is easily recognizable.
  7. In Display name, type the NetScaler Gateway name.
  8. In Callback URL and External URL, enter the NetScaler Gateway web address. For example, enter https://mynetscalergateway.com.

    You can specify the port number in the web address, such as https://mynetscalergateway.com:443.

    When you add the web address to Callback URL, App Controller appends the NetScaler Gateway authentication service path to the URL automatically. For example, the URL appears as https://NetScalerGatewayFQDN/CitrixAuthService/AuthService.asmx.

  9. Optionally, in Logon type, select one of the following:
    • Domain only. This setting requires users to enter their Active Directory credentials.
    • Security token only. This setting requires users to enter the code from a security token, such as an RSA token.
    • Domain and security token. This setting requires users to enter domain credentials and the code from a security token.
    • Certificate. This setting requires a client certificate for authentication.
    • Certificate and Domain. This setting requires a client certificate and users to enter their Active Directory credentials.
    • Certificate and security token. This setting requires a client certificate and requires users to enter the code from a security token, such as an RSA token.
  10. Optionally, select the Do not require passwords check box if you do not want to require users to enter a password.
  11. Optionally, select Set as default to make this NetScaler Gateway the default appliance.
    Note: You cannot delete the default NetScaler Gateway. You can either disable NetScaler Gateway entirely or make another NetScaler Gateway the default appliance.
  12. Click Save.
  13. In the left-hand menu, click Certificates and then ensure that you imported the root CA for your client certificates as shown in the following figure.

In the next topic, follow the steps to configure StoreFront settings in NetScaler Gateway.

Configure StoreFront Settings in NetScaler Gateway

The last procedure you need to complete to configure client certificate authentication in your XenMobile environment is to configure StoreFront settings in NetScaler Gateway. To ensure a unified experience when you deploy StoreFront in conjunction with XenMobile, you need to configure an additional NetScaler Gateway virtual server for devices that run Citrix Receiver. NetScaler Gateway uses the STA token provided in the ICA file, so no other authentication methods are necessary. You simply configure the appropriate authentication policies for the environment (such as LDAP and RADIUS) on the newly created virtual server. This leaves the second virtual server available for additional uses.

Prerequisites

  • An additional port is required through the firewall. This configuration uses port 8081. (You can also use an entirely different address depending on your environment.)
  • StoreFront points at the virtual server configured for this purpose.
  • StoreFront does not require knowledge of the certificate-enabled virtual server.
  • You must configure STA servers on both virtual servers.
  • This configuration assumes client certificate authentication is already configured on a separate virtual server.

  1. Log on to NetScaler Gateway by using Gateway Deployment type.
  2. On the dashboard in the upper-right corner, click Create New NetScaler Gateway.
  3. In Name, enter a name for the new virtual server.
  4. In IP Address, enter a temporary placeholder. In this example, the placeholder address is updated when the configuration is done. If you are using a separate IP address for the virtual server, you can enter the address here.
  5. In Port, enter the port number to be used in production for the virtual server.
  6. Click Choose Certificate, select a certificate for NetScaler Gateway and then click Continue.
  7. In Primary Authentication select an authentication type. In this case, we are unbinding this policy. Adjust the settings as appropriate for your environment. To allow only STA traffic, however, you can configure other policies for web traffic.
  8. In App Controller FQDN, enter the fully qualified domain name (FQDN) from the XenMobile infrastructure and then click Done.
  9. Click Configure NetScaler Gateway Appliances to edit the appliance settings.
  10. In IP Address, modify the IP address of the new StoreFront virtual server to match the IP address of your client certificate virtual server, click OK and then click Save.
  11. In Single Sign on Domain, modify your operating system session policy to match your single sign-on (SSO) domain (for example, Citrite) and then click OK.