Product Documentation

Configuring Client Certificate or Client Certificate and Domain Authentication

You can use the Citrix ADC for XenMobile wizard to perform the configuration required for XenMobile when using Citrix ADC certificate-only authentication or certificate plus domain authentication. You can run the Citrix ADC for XenMobile wizard one time only. For information about using the wizard, see Configuring Settings for Your XenMobile Environment.

If you’ve already used the wizard, use the instructions in this article for the additional configuration required for client certificate authentication or client certificate plus domain authentication.

To ensure that the user of a device in MAM-only mode can’t authenticate using an existing certificate on the device, see “Citrix ADC Certificate Revocation List (CRL)” later in this article.

Manually Configuring Citrix Gateway for Client Certificate Authentication

  1. Under Traffic Management > Load Balancing > Virtual Servers, go to each virtual server (both 443 and 8443), update the SSL Parameters, and set Enable Session Reuse to DISABLED.

  2. On the Citrix Gateway virtual server, under Enable Client Authentication > Client Certificate, select Client Authentication and, for Client Certificate, select Mandatory.

  3. Create a new authentication Certificate policy so XenMobile can extract the User Principal Name or the sAMAccount from the client certificate provided by Secure Hub to Citrix Gateway.

  4. Set the following parameters for the certificate profile:

    Authentication Type: CERT

    Two Factor: OFF (for certificate only authentication)

    User Name Field: Subject: CN

    Group Name Field: SubjectAltName:PrincipalName

  5. Bind only the certificate authentication policy as the Primary Authentication in the Citrix Gateway virtual server.

  6. Bind the Root CA certificate to validate the trust of the client certificate presented to Citrix Gateway.

Manually Configuring Citrix Gateway for Client Certificate and Domain Authentication

  1. Under Traffic Management > Load Balancing > Virtual Servers, go to each virtual server (both 443 and 8443), update the SSL Parameters, and set Enable Session Reuse to DISABLED.

  2. Go to Policies > Authentication > Cert, select the Servers tab, and click Add.

  3. Enter the Name of the profile, set Two Factor to ON, and from User Name Field, select SubjectAltNamePrincipalName.

  4. Go to Policies and click Add.

  5. Enter the Name of the policy, from Server select the certificate profile, set the Expression as ns_true, and click Create.

  6. Go to Virtual Servers, select the virtual server, and click Edit.

  7. Beside Authentication, click + to add the certificate authentication.

  8. To select the authentication method, from Choose Policy, select Certificate.

  9. From Choose Type, select Primary. This binds certificate authentication as the primary authentication, with the same priority as the LDAP authentication type.

  10. Under Policy Binding, click Click to Select to select the certificate policy created earlier.

  11. Select the certificate policy created earlier and click OK.

  12. Set the Priority to 100 and then click Bind. Use the same priority number when you configure the LDAP authentication policy in the subsequent steps.

  13. On the row for LDAP Policy, click >.

  14. Select the policy and then, from the Edit drop-down menu, click Edit Binding.

  15. Enter the same Priority value that you specified for the certificate policy. Click Bind.

  16. Click Close.

  17. Under Advanced, click SSL Parameters.

  18. Select the Client Authentication checkbox, from Client Certificate choose Mandatory, and click OK.

  19. Click Done.

Citrix ADC Certificate Revocation List (CRL)

XenMobile supports a Certificate Revocation List (CRL) only for a third-party Certificate Authority. If you have a Microsoft CA configured, XenMobile uses Citrix ADC to manage revocation. When you configure client certificate-based authentication, consider whether you need to configure the Citrix ADC Certificate Revocation List (CRL) setting, Enable CRL Auto Refresh. This step ensures that the user of a device in MAM-only mode can’t authenticate using an existing certificate on the device; XenMobile instead issues a new certificate, because it doesn’t prevent a user from generating a user certificate when one has been revoked. This setting increases the security of PKI entities when the CRL checks for expired PKI entities.
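The GUI steps in both procedures above, and the CRL setting described in this section, map onto the Citrix ADC command line. The following shell script is an added example; it is not Citrix code or output of the XenMobile wizard. It prints the CLI equivalent of the steps for either mode (certificate only, or certificate plus domain) so the resulting configuration can be reviewed before it is applied on the ADC. The object names xm_gateway_vs, xm_lb_443, xm_lb_8443, rootCA_certkey, xm_ldap_pol, xm_cert_act, xm_cert_pol, xm_rootca_crl, the CRL file name and the CRL URL are placeholders; the field values and the priority of 100 are those stated in the steps; the flags of the add ssl crl command are assumed to match your ADC release.

```shell
#!/bin/sh
# Added example, not part of the Citrix documentation or the XenMobile wizard.
# Prints the Citrix ADC CLI equivalent of the GUI procedures above so the
# result can be reviewed and then pasted into the ADC shell (or saved to a
# file and applied with "batch -fileName"). All object names are placeholders.

# gen_cert_auth_config MODE GATEWAY_VSERVER LB_VSERVER_443 LB_VSERVER_8443 ROOTCA_CERTKEY [LDAP_POLICY]
#   MODE: "cert" for certificate-only, "cert+domain" for certificate plus LDAP.
gen_cert_auth_config() {
    mode="$1"; gw="$2"; lb443="$3"; lb8443="$4"; rootca="$5"; ldap_pol="$6"

    case "$mode" in
        cert)
            # Certificate only: Two Factor OFF, user from Subject:CN, group from the UPN SAN.
            two_factor=OFF
            fields='-userNameField "Subject:CN" -groupNameField "SubjectAltName:PrincipalName"'
            ;;
        cert+domain)
            # Certificate plus domain: Two Factor ON, user name taken from the UPN SAN.
            [ -n "$ldap_pol" ] || { echo "cert+domain mode needs the LDAP policy name" >&2; return 1; }
            two_factor=ON
            fields='-userNameField "SubjectAltName:PrincipalName"'
            ;;
        *)
            echo "unknown mode: $mode (use cert or cert+domain)" >&2; return 1
            ;;
    esac

    # Step 1 of both procedures: disable SSL session reuse on the 443 and 8443 virtual servers.
    for vs in "$lb443" "$lb8443"; do
        echo "set ssl vserver $vs -sessReuse DISABLED"
    done

    # Mandatory client certificate on the Gateway virtual server (step 2 / steps 17-18).
    echo "set ssl vserver $gw -clientAuth ENABLED -clientCert Mandatory"

    # Root CA bound as a CA certificate so the presented client certificate chain is validated (step 6).
    echo "bind ssl vserver $gw -certkeyName $rootca -CA"

    # Certificate action (profile) and policy with the expression ns_true (steps 3-4 / steps 2-5).
    echo "add authentication certAction xm_cert_act -twoFactor $two_factor $fields"
    echo "add authentication certPolicy xm_cert_pol ns_true xm_cert_act"

    # Bind the certificate policy as primary authentication at priority 100 (step 5 / steps 6-12).
    echo "bind vpn vserver $gw -policy xm_cert_pol -priority 100"

    if [ "$mode" = "cert+domain" ]; then
        # Steps 13-15: the wizard already bound the LDAP policy; rebind it at the same priority.
        echo "unbind vpn vserver $gw -policy $ldap_pol"
        echo "bind vpn vserver $gw -policy $ldap_pol -priority 100"
    fi
}

# gen_crl_config GATEWAY_VSERVER ROOTCA_CERTKEY CRL_URL
#   CRL with auto refresh (the "Enable CRL Auto Refresh" setting from the CRL section),
#   enforced on the Gateway virtual server. The add ssl crl flags are assumed from the
#   ADC CLI reference; confirm them against your release before applying.
gen_crl_config() {
    gw="$1"; rootca="$2"; crl_url="$3"
    echo "add ssl crl xm_rootca_crl rootca.crl -inform DER -refresh ENABLED -CAcert $rootca -method HTTP -url $crl_url -interval DAILY"
    echo "set ssl vserver $gw -crlCheck Mandatory"
}

# Example run with placeholder names; replace them with the objects in your deployment.
gen_cert_auth_config cert+domain xm_gateway_vs xm_lb_443 xm_lb_8443 rootCA_certkey xm_ldap_pol
gen_crl_config xm_gateway_vs rootCA_certkey http://pki.example.com/rootca.crl
```

Run the script, read the printed commands against the steps above, and only then apply them on the ADC; the cert+domain mode refuses to run without an LDAP policy name, because binding the certificate policy alone with Two Factor ON would leave the Gateway with an incomplete authentication cascade.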