Configuring Support for Citrix Federated Authentication Service
As part of Citrix Federated Authentication Service (FAS), Microsoft Active Directory Federated Services (ADFS) creates a certificate on behalf of the user. Citrix FAS uses this certificate to log the user into their virtual desktops or applications, without requiring them to enter their Active Directory credentials.
Enabling Kerberos support allows Imprivata Enterprise Access Management to trust the Citrix FAS user certificate, which extends the Citrix environment to Imprivata Virtual Desktop Access functionality.
- Microsoft Active Directory Federated Services (ADFS) acts as the Identity Provider: during user authentication, the Imprivata agent requests a SAML artifact from the Imprivata appliance.
- Citrix functions as the Service Provider: the Imprivata agent uses the SAML artifact to authenticate the user to Citrix. Citrix validates the SAML artifact with the Imprivata appliance.
This documentation refers to ADFS as one example of an Identity Provider (IdP) that Imprivata customers can use with Citrix FAS. Citrix also supports other IdPs beyond ADFS, but those IdPs are not covered in Imprivata's documentation. For more information on IdPs, see your Citrix documentation.
Supported Workflows
Supported workflows include:

Desired end-user workflow:
- The user opens a browser and accesses the Citrix web portal.
- The user supplies the credentials to access the Citrix web portal. All of the remote resources (VMs and apps) entitled to the user are displayed.
- The user selects the dedicated desktop to launch. The desktop launches and automatically logs the user in using the Imprivata agent installed on the desktop.

Desired end-user workflow:
- The user opens a browser and accesses the Citrix web portal.
- The user supplies the credentials to access the Citrix web portal. All of the remote resources (VMs and apps) entitled to the user are displayed.
- The user selects the applications to launch. If the application is a server-based desktop, the user is automatically logged into the Imprivata agent installed on the desktop.

Desired end-user workflow:
- Install the Imprivata agent on the endpoint computer.
- Enable Citrix dedicated desktop auto-launching by configuring a user policy and a computer policy. Apply the computer policy to the endpoint and the user policy to the user.
- The user logs onto the endpoint computer.
- The desktop is launched automatically. If the user has more than one desktop available, they select the appropriate desktop from the list.

Desired end-user workflow:
- Install the Imprivata agent on the endpoint computer.
- Enable Citrix application auto-launching by configuring a user policy and a computer policy. Apply the computer policy to the endpoint and the user policy to the user.
- The user logs onto the endpoint computer.
- The selected Citrix applications are launched automatically. If the application is a Citrix full desktop, the user is logged into Imprivata on the full desktop automatically.
Before You Begin
Before you begin:
- Review the Enterprise Access Management with SSO Supported Components to confirm that your Citrix environment meets the minimum requirements to support Citrix FAS with Enterprise Access Management.
- Verify that the Citrix Federated Authentication Service (FAS) environment is functioning normally, independent of Enterprise Access Management, before installing and configuring Imprivata components.
  For more information, see your Citrix installation and deployment architectures.
- The following assumes that an Imprivata single-user agent (type 1) or an Imprivata agent for Citrix or Terminal servers (type 3) is installed on the computers that employees use to access their entitled resources. For complete details, see the Imprivata online help.
Configure Citrix
After you deploy your Citrix FAS environment, additional configuration is required to integrate it with Enterprise Access Management.

If you are managing your Citrix environment on-premises, configure additional StoreFront authentication methods.
- In the Citrix StoreFront Admin Console, go to the required store, click Manage Authentication Methods, and select the following authentication methods:
  - Username and Password.
  - SAML Authentication. From the SAML Authentication Setting drop-down list, configure the following settings:
    - Identity Provider. Type the address of the ADFS server.
      For example: https://myServer.myDomain.com/adfs/ls
    - Service Provider. Type the address of the Citrix controller. This information is required by the Identity Provider.
      For example: https://myCitrix.myDomain.com/citrix/Authentication.
  - HTTP Basic. Enable HTTP Basic authentication. Users authenticate with the StoreFront server's IIS web server.
  - Pass-through from NetScaler Gateway. From the Pass-through from NetScaler Gateway drop-down list, configure the following settings:
    - In the Configure Trusted Domains section, select Any domain.
    - In the Configure Delegated Authentication section, select Fully delegate credential validation to NetScaler Gateway.
    - In the Configure Password Validation section, select Active Directory to specify how passwords are validated.
  - Advanced. In the Install/Uninstall Authentication Methods section, select SAML Authentication.

If you are managing your deployment through the Citrix Cloud, you can connect your existing Citrix FAS servers in Citrix Workspace.
For more information, see the Citrix documentation.
Configure Kerberos Authentication
To configure Kerberos authentication:

Review the following prerequisites before you begin:
- Verify that Kerberos is configured and enabled in your Windows environment. This topic details how to configure Enterprise Access Management for Kerberos authentication and assumes that the Kerberos deployment is running normally.
- The Imprivata keytab utility (keytab utility), which you use to create and upload a keytab file to an appliance, relies on ktpass to do so. The keytab utility is installed with the Imprivata agent.
  Ktpass is part of the Microsoft Windows Server resource kit. Beginning with Windows Server 2008, the resource kit tools are installed as part of the server role installation.
- The endpoint computer from which you run the keytab utility and the primary appliance with which the Imprivata agent communicates must be in the same Active Directory domain.
  For example, if the fully qualified domain name (FQDN) of the endpoint computer is endpoint.example.com, then the Imprivata appliance FQDN could be server_name.example.com.
- The Service Principal Name (SPN) of the appliance that the keytab utility registers with Active Directory is case-sensitive.
  The hostname and the domain name that appear in the Imprivata Appliance Console of this appliance must contain only lowercase letters.
- If the Imprivata enterprise includes more than one domain that share a trust relationship, for example a parent company (company.com) and two subdomains (us.company.com and eu.company.com), make sure that at least one appliance is placed in company.com.
  Upload the keytab file to this appliance. Uploading to the appliance that is in the second-level domain (SLD) ensures that the keytab file is valid for all domains.

Configuring Kerberos authentication requires access to the following:
- Domain administrator access to an endpoint computer on which the Imprivata agent is installed.
- The Imprivata Appliance Console.
- The Imprivata Admin Console.
If more than one person is responsible for domain administration, appliance administration, and Imprivata OneSign administration, coordinate with these individuals before beginning.

Configuring Network Time Protocol (NTP) servers ensures that the Kerberos ticket does not expire before the appliance can extract the user identity from it.
Complete the following for each appliance in the enterprise to enable time synchronization.
- In the Imprivata Appliance Console, go to Network > NTP.
- Enter the IP address for one or more NTP servers.
- Click Save.

Verify that the endpoint computer from which you run the keytab utility and the primary appliance with which the Imprivata agent communicates are in the same Active Directory domain. For example, if the fully qualified domain name (FQDN) of the endpoint computer is endpoint.example.com, then the Imprivata appliance FQDN could be server_name.example.com.
- Log into the endpoint computer.
- Open the registry editor and go to the ISXAgent registry key:
  HKLM\SOFTWARE\SSOProvider\ISXAgent
- Use the IPTXPrimServer value to confirm that the agent's primary appliance is in the same Active Directory domain as the endpoint computer.

Creating and uploading a keytab file establishes a Kerberos trust relationship between Enterprise Access Management and Microsoft Active Directory. You use the Imprivata keytab utility, which is installed with the Imprivata agent, to create and upload the keytab file. After the keytab file is uploaded to the appliance, it is propagated to all other appliances in the enterprise.
NOTE: Obtain the administrator user credentials of the appliance to which you are uploading the keytab file. The Imprivata keytab utility requires these credentials to upload the keytab file.
- As a domain administrator, log into an endpoint computer on which the Imprivata agent is installed and open a command prompt.
- At the command prompt, type the following and press Enter:
  cd \Program Files (x86)\Imprivata\OneSign Agent\x64
- Type ISXKerbUtil and press Enter. The utility returns the names of the following:
  - The domain.
  - The domain controller.
  - The appliance host name in the Service Principal Name (SPN) format.
- Using the User Principal Name (UPN) format, type the username of the domain account that has Super Administrator rights in the Admin Console and press Enter.
  Example: username@example.com
- Enter the password of the domain account with Super Administrator rights that you provided above, and press Enter.
- Enter a password that meets the Active Directory complexity requirements and press Enter. The utility does the following:
  - Creates a domain user account named ssoKerberos.
  - Sets the password.
  - Creates and uploads the keytab file to the appliance.
  NOTE: If the Imprivata keytab utility detects that a domain user account is already mapped to the SPN, it updates that account with the password you entered. If it detects that multiple domain user accounts are mapped to the SPN, it identifies the account it previously created, updates it with the password you entered, and removes the remaining accounts from the SPN.
The Imprivata keytab utility creates the keytab file with all of the cryptographic types supported by Windows Server.
NOTE: Only 1 keytab file is allowed per Imprivata enterprise.
- In the Imprivata Admin Console, go to the Users menu > Directories page.
- Click the name of the domain from which you created the keytab file.
- Go to Kerberos authentication and click 5 keytab files.
- Verify that the keys are using the following cryptographic types:
  - DES cbc mode with CRC-32
  - DES cbc mode with RSA-MD5
  - ArcFour with HMAC/md5
  - AES-256 CTS mode with 96-bit SHA-1 HMAC
  - AES-128 CTS mode with 96-bit SHA-1 HMAC
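Added example (not Imprivata or Citrix code): a small Python parser that lists the principal, encryption type and key version of each entry in a keytab and compares the encryption types found with the five listed above, flagging the DES and RC4 types, which the IETF has deprecated, as legacy so a defender knows which keys to watch. It assumes the MIT keytab format version 0x0502 (the format ktpass writes); the principal HTTP/appliance.example.com@EXAMPLE.COM and the all-zero keys in SAMPLE_KEYTAB are constructed test data, not values from a real deployment.

```python
import struct
# IANA Kerberos etype numbers: 1 DES-CBC-CRC, 3 DES-CBC-MD5, 23 RC4-HMAC, 17 AES128-CTS, 18 AES256-CTS
EXPECTED_ETYPES = {1, 3, 23, 17, 18}  # the five key types the Admin Console page lists
LEGACY_ETYPES = {1, 3, 23}            # DES deprecated by RFC 6649, RC4 by RFC 8429

def _read_cstr(buf, pos):  # keytab "counted octet string": big-endian uint16 length + bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def make_entry(principal, etype, key, kvno=1):
    # Serialize one 0x0502 keytab entry; used here only to build constructed test data.
    name, realm = principal.split("@")
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(p)) + p for p in parts)
    # name_type=1 (NT-PRINCIPAL), timestamp, 8-bit kvno, etype, key length, key bytes
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    # Return [(principal, etype, kvno)] per entry; key bytes are skipped, never kept.
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size < 0:  # a negative size marks a deleted slot of that length
            pos = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstr(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstr(data, pos)
            comps.append(comp.decode())
        _ntype, _ts, kvno, etype, _klen = struct.unpack_from(">IIBHH", data, pos)
        entries.append(("/".join(comps) + "@" + realm.decode(), etype, kvno))
        pos = end  # also steps over any trailing 32-bit kvno extension
    return entries

def check_etypes(entries):
    # Report expected etypes that are absent, present ones that are legacy, and any extras.
    found = {etype for _, etype, _ in entries}
    return {"missing": sorted(EXPECTED_ETYPES - found), "legacy": sorted(found & LEGACY_ETYPES),
            "unexpected": sorted(found - EXPECTED_ETYPES)}

# Constructed sample: the appliance SPN with one entry per expected etype and dummy all-zero keys.
SAMPLE_KEYTAB = b"\x05\x02" + b"".join(
    make_entry("HTTP/appliance.example.com@EXAMPLE.COM", et, bytes(n), kvno=3)
    for et, n in ((1, 8), (3, 8), (23, 16), (18, 32), (17, 16)))
```

Run check_etypes(parse_keytab(open(path, "rb").read())) against the file the utility produced to get the same per-type view the Admin Console's 5 keytab files link gives, plus a list of the legacy types in use.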
Configure Enterprise Access Management
In addition to the settings required to enable your Imprivata Virtual Desktop Access workflows, the computer policies require the following additional configuration to enable Citrix FAS.

To configure the computer policy:
- In the Imprivata Admin Console, click Computers > Computer Policies.
- Open the required computer policy, and from the General tab, go to the Authentication section.
- Select Accept Kerberos authentication in place of SSO authentication.
- Save the policy and assign it to your endpoint computers.

To configure the computer policy:
- In the Imprivata Admin Console, click Computers > Computer Policies.
- Open the required computer policy, and from the General tab, go to the Authentication section.
- Select Accept Kerberos authentication in place of SSO authentication.
- Save the policy and assign it to the Citrix resources.