Configuring Client Certificates and LDAP Two-Factor Authentication
You can use a secure client certificate with LDAP authentication and authorization, such as using smart card authentication with LDAP. The user logs on and then the user name is extracted from the client certificate. The client certificate is the primary form of authentication and LDAP is the secondary form. The client certificate authentication must take priority over the LDAP authentication policy. When you set the priority of the policies, assign a lower number to the client certificate authentication policy than the number you assign to the LDAP authentication policy.
To use a client certificate, you must have an enterprise Certificate Authority (CA), such as Certificate Services in Windows Server 2008, running on the same computer that is running Active Directory. You can use the CA to create a client certificate.
To use a client certificate with LDAP authentication and authorization, it must be a secure certificate that uses Secure Sockets Layer (SSL). To use secure client certificates for LDAP, install the client certificate on the user device and install a corresponding root certificate on NetScaler Gateway.
Before configuring a client certificate, do the following:
- Create a virtual server.
- Create an LDAP authentication policy for the LDAP server.
- Set the expression for the LDAP policy to True value.
To configure client certificate authentication with LDAP
- In the configuration utility, on the Configuration tab, expand NetScaler Gateway > Policies > Authentication.
- In the navigation pane, under Authentication, click Cert.
- In the details pane, click Add.
- In Name, type a name for the policy.
- In Authentication Type, select Cert.
- Next to Server, click New.
- In Name, type a name for the server, and then click Create.
- In the Create Authentication Server dialog box, in Name, type the name of the server.
- Next to Two Factor, select ON.
- In the User Name Field, select Subject:CN and then click Create.
- In the Create Authentication Policy dialog box, next to Named Expressions, select True value, click Add Expression, click Create and then click Close.
After you create the certificate authentication policy, bind the policy to the virtual server. After binding the certificate authentication policy, bind the LDAP authentication policy to the virtual server.
Important: You must bind the certificate authentication policy to the virtual server before you bind the LDAP authentication policy to the virtual server.
To install a root certificate on NetScaler Gateway
After you create the certificate authentication policy, you download and install a root certificate from your CA in Base64 format and save it on your computer. You can then upload the root certificate to NetScaler Gateway.
- In the configuration utility, on the Configuration tab, in the navigation pane, expand SSL and then click Certificates.
- In the details pane, click Install.
- In Certificate - Key Pair Name, type a name for the certificate.
- In Certificate File Name, click Browse and in the drop-down box, select either Appliance or Local.
- Navigate to the root certificate, click Open and then click Install.
To add a root certificate to a virtual server
After installing the root certificate on NetScaler Gateway, add the certificate to the certificate store of the virtual server.
Important: When you add the root certificate to the virtual server for smart card authentication, you must select the certificate from the Select CA Certificate drop-down box, as shown in the following figure.
Figure 1. Adding a root certificate as a CA
1. In the configuration utility, on the Configuration tab, in the navigation pane, expand NetScaler Gateway and then click Virtual Servers.
2. In the details pane, select a virtual server and then click Open.
3. On the Certificates tab, under Available, select the certificate, next to Add, in the drop-down box, click as CA and then click OK.
4. Repeat Step 2.
5. On the Certificates tab, click SSL Parameters.
6. Under Others, select Client Authentication.
7. Under Others, next to Client Certificate, select Optional and then click OK twice.
After configuring the client certificate, test the authentication by logging on to NetScaler Gateway with the NetScaler Gateway Plug-in. If you have more than one certificate installed, you receive a prompt asking you to select the correct certificate. After you select the certificate, the logon screen appears with the user name populated with the information obtained from the certificate. Type the password and then click Login.
If you do not see the correct user name in the User Name field on the logon screen, check the user accounts and groups in your LDAP directory. The groups that are defined on NetScaler Gateway must be the same as those in the LDAP directory. In Active Directory, configure groups at the domain root level. If you create Active Directory groups that are not in the domain root level, incorrect reading of the client certificate could result.
If users and groups are not at the domain root level, the NetScaler Gateway logon page displays the user name that is configured in Active Directory. For example, in Active Directory, you have a folder called Users and the certificate says CN=Users. In the logon page, in User Name, the word Users appears.
If you do not want to move your group and user accounts to the root domain level, when configuring the certificate authentication server on NetScaler Gateway, leave User Name Field and Group Name Field blank.
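The user name problem described above can be caught before rollout by inspecting certificate subjects. The following is an added example, not Citrix code: it assumes subjects in the RFC 2253 form printed by `openssl x509 -noout -subject -nameopt RFC2253`, and the sample subjects and the `CONTAINER_CNS` list are constructed for illustration.

```python
import re

# Container names that can appear as CN components in Active Directory DNs.
# Assumption for this example; extend it for your directory layout.
CONTAINER_CNS = {"users", "computers", "builtin"}

def split_rdns(dn):
    """Split a DN on unescaped commas (an escaped comma stays in the value)."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def cn_values(dn):
    """Return every CN value in the subject, in the order written."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "CN":
            out.append(value.strip().replace("\\,", ","))
    return out

def check_subject(dn):
    """Classify a subject for use with User Name Field = Subject:CN."""
    cns = cn_values(dn)
    if not cns:
        return ("no-cn", cns)          # nothing to populate the user name
    if any(c.lower() in CONTAINER_CNS for c in cns):
        return ("container-cn", cns)   # e.g. CN=Users may show as the user name
    if len(cns) > 1:
        return ("multiple-cn", cns)    # ambiguous: more than one CN present
    return ("ok", cns)

# Constructed sample subjects (not taken from a real CA).
SAMPLES = [
    "CN=jsmith,DC=example,DC=com",
    "CN=jsmith,CN=Users,DC=example,DC=com",
    "CN=Smith\\, John,OU=Staff,DC=example,DC=com",
    "OU=Kiosk,DC=example,DC=com",
]

def report(samples=SAMPLES):
    """Return (subject, status, cn_list) for each subject string."""
    return [(dn, *check_subject(dn)) for dn in samples]

if __name__ == "__main__":
    for dn, status, cns in report():
        print(f"{status:13} {cns!r:25} {dn}")
```

Subjects reported as `container-cn` or `multiple-cn` are the ones to review against the guidance above before relying on Subject:CN for the user name.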