Archive

Posts Tagged ‘sso’

Azure AD Premium a visionary in Gartner IDaaS Magic Quadrant! I love it! – #Azure, #AzureAD, #IDaaS

This is awesome! I just love what Microsoft is doing with all the cool Azure offerings! That’s also why I’ve been digging deeper into this area lately and also took the Microsoft Specialist – Architecting Microsoft Azure Solutions exam and been playing around with Azure AD, DirSync and ADFS a lot.

Now with the whole release of Windows 10, Azure AD, Intune, ADFS and System Center we’re going to have a lovely story going forward with how to do client management going forward, just take a Windows 1o device, join it through Azure AD, Intune and federation and then sign in using your on-premise AD credentials. On top of that you can also then leverage Azure AD or federation with it for your SaaS apps as well and with SSO, and why not use the Azure connector to make your on-premise web apps available on the Internet with authentication as well!

Microsoft and Azure rocks!

Now also with the magic quadrant from Gartner that shows how well Microsoft is doing! It look very promissing, and just think about combingin all this also with Citrix Workspace cloud going forward! So great! ūüôā

Gartner just released their Magic Quadrant for Identity Management as a Service (IDaaS) and after only ~10 months in market, Azure AD premium was placed in the “Visionary” quadrant, far to the right of our competitors for our completeness of vision and our ability to execute, only slightly below companies with established, multi-year track records.

If you are a Gartner client, you can find the report here. We will have a complimentary copy to share soon, so please check back.

We’re really pleased with this result. We believe it validates our vision of providing of a complete solution for hybrid identity management, a solution that includes not just a directory and employee identity management, but full suite of identity capabilities, an integrated device management offering (Microsoft Intune), leading edge information protection (Azure RMS) and a robust set monitoring and security capabilities.

I am especially delighted by this validation because it says a lot about our customers, implementation partners and ISV partners who have worked together with us. They have been awesome about sharing their time and energy every day, to make sure that the products and services we build meet their needs and are helping them position their companies to thrive in the emerging world of cloud and devices.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Microsoft.
Gartner does not endorse any vendor, product…

Continue reading here!

//Richard

Upgrading to #Citrix #Receiver for #Windows – why and how?

This is something that all Citrix admins should read! How many questions don’t U get about which version of the client to use and why etc?

This document describes the various versions of Receivers for Windows, lists the reasons for upgrading, and recommends best practices for upgrading to the latest version of Receiver based on specific circumstances.

Note: The Online Plug-in 12.x will reach end of its maintenance in March 2013. Customers using Online Plug-in with XenApp 5, XenApp 6.x, XenDesktop 4.x, or XenDesktop 5.x must upgrade to the latest version of Receiver for Windows 3.X prior to that date where practical.

Citrix Receiver is the latest Citrix software you install on Windows end points to gain access to virtualized apps and desktops. It is also regularly installed on virtual desktops to enable access to virtualized apps.

The name of Citrix client software and the built-in functions are changed over the years. The clients in common use today are the Online Plug-in for Windows 12.X and the Receiver for Windows 3.X.

Where the Online Plug-in for Windows 12.X provided Web and PNAgent support, Receiver for Windows 3.X provides additional support. It can be configured for self-service access to applications, VPN-less remote access, single sign-on the Windows, Web, and SaaS applications, and has a built-in method to check for updates.

Both the Online Plug-in and Receiver have two versions.

  • The¬†Online Plug-in Web¬†is used solely for Web access to applications and the¬†Online Plug-in (Full)¬†supports Web access as well as PNA Services. The¬†Full¬†version supported SSO, Smart Cards, and access to apps through the Start menu¬†
    The standard Receiver for Windows, CitrixReceiver.exe, can be considered is a complete replacement for the Online Plug-in Web and largely a replacement for the Online Plug-in (Full). It can be used for web access. It can be configured to access PNA Services. And it can also be used with the latest versions of StoreFront, CloudGateway (App Controller), and Access Gateway to provide a rich set of services. It contains the latest, multithread, multi-stream HDX engine.

  • The¬†CitrixReceiverEnterprise.exe¬†version essentially…

Continue reading here!

//Richard

#Windows #Azure Active Directory steps out of the shadows

I’ve blogged about this release before with some info but here is another good article about how it can assist you in managing user authentication in the cloud.

Microsoft recently announced the general availability of Windows Azure Active Directory, a cloud-based service that lets admins manage multiple user identities and access. Although it’s been lurking in the background of other Microsoft products for some time — and still requires work to make it a fully useful tool — it’s a step in the right direction.

At its core, Windows Azure Active Directory is essentially a copy of Active Directory held in the cloud that provides basic authorization and authentication when users access cloud services. Ideally, admins use it to centralize the database of authorized users for cloud services, which then lets them authorize employees and contractors to work in certain applications. This allowance includes both Microsoft and third-party applications that accept authentication through common industry standards.

Through synchronization with an on-premises Active Directory deployment, you can also deploy¬†single sign-on, so users don’t have to remember multiple passwords or enter them more than once to access cloud applications. More importantly, it provides a better way to remove access to cloud services for users who have left the company — a previous weak link in the cloud identity management story.

Windows Azure Active Directory: Not exactly new

True to Microsoft’s history of¬†dogfooding¬†its own products, Windows Azure Active Directory had been in use for nearly a year before its current general release. Few actually knew that all¬†Office 365¬†accounts have been using a preview release of Windows Azure Active Directory for some time. Users of the general Windows Azure service, Dynamics CRM andWindows Intune¬†also have their details stored in private Windows Azure Active Directory accounts.

According to Microsoft, since just after the beginning of the 2013 calendar year, “Windows Azure AD has processed over 65 billion authentication requests while maintaining 99.97% or better monthly availability.” Windows Azure Active Directory is a distributed service running across 14 of Microsoft’s data centers all over the globe.

User interface improvements

One improvement that happened between the preview release of Windows Azure Active Directory and the Web version release is the user interface, which was basically nonexistent before. Now you can access a clean section of the modern-looking Windows Azure control panel to create and manage instances of Windows Azure Active Directory (Figure 1).

Create and manage instances of Windows Azure Active Directory

You can add these instances to your Windows Azure subscription by logging into your Microsoft account, which…

Continue reading here!

//Richard

Windows Azure Active Directory (AD) has reached General Availability!

April 9, 2013 1 comment

This is cool! And I think that it’s a great step in the right direction for many companies! ūüôā

Windows Azure Active Directory

Windows Azure Active Directory (Windows Azure AD) is a modern, REST-based service that provides identity management and access control capabilities for your cloud applications. Now you have one identity service across Windows Azure, Microsoft Office 365, Dynamics CRM Online, Windows Intune and other 3rd party cloud services. Windows Azure Active Directory provides a cloud-based identity provider that easily integrates with your on-premises AD deployments and full support of third party identity providers.

Use Windows Azure AD to:

Integrate with your on-premises active directory

Quickly extend your existing on-premises Active Directory to apply policy and control and authenticate users with their existing corporate credentials to Windows Azure and other cloud services.

Offer access control for you applications

Easily manage access to your applications based on centralized policy and rules. Ensure consistent and appropriate access to your organizations applications is maintained to meet critical internal security and compliance needs. Windows Azure AD Access Control provides developers centralized authentication and authorization for applications in Windows Azure using either consumer identity providers or your on-premises Windows Server Active Directory

Build social connections across the enterprise

Windows Azure AD Graph is an innovative social enterprise graph providing an easy RESTful interface for accessing objects such as Users, Groups, and Roles with an explorer view for easily discovering information and relationships.

Provide single sign-on across your cloud applications

Provide your users with a seamless, single sign-on experience across Microsoft Online Services, third party cloud services and applications built on Windows Azure with popular web identity providers like Microsoft Account, Google, Yahoo!, and Facebook.

Read more about the service here!

Pricing

Access Control

Access Control is available at no charge. Historically, we have charged for Access Control based on the number of transactions. We are now making it a free benefit of using Windows Azure.

Directory

The base directory, Tenant, User & Group Management, Single Sign On, Graph API, Cloud application provisioning, Directory Synchronization and Directory Federation, is available at no charge. Certain additional capabilities such as Azure AD Rights Management will be available as a separately priced option.

Read more about pricing here!

//Richard

#Citrix #XenMobile #MDM Integration With #Cisco ISE for #BYOD

Interesting and a good blog post by Sameer Mehta.

World of BYOD

 Bring your own device (BYOD) initiatives are enabling employees to bring their own personal devices to work and allowing them corporate access to services such as Email. We did a recent audit using our ability to integrate with security incident and event management (SIEM) systems for a customer. The audit provided visibility into their ActiveSync traffic and found devices that belonged to executives that were not under IT management. Here’s a snapshot of their BYO devices.

 

There are several reasons to enable such access ‚Äď for example, to boost employee productivity or convenience of accessing email from any device. Having said that, as¬†Uncle Ben¬†puts it,¬†‚Äúwith great power comes great responsibility‚ÄĚ, and this responsibility is on the IT administrator from a security point of view. It‚Äôs IT‚Äôs responsibility to make sure that corporate data is not compromised or leaked in the following scenarios:

  • What happens when this personal device is lost or stolen?
  • What happens if this device is jailbroken or rooted?
  • What happens if this device ends up outside an approved geofence. For example, outside of the US?
  • What happens if the user inadvertently installs an application that has the ability and access to the entire device memory, thereby having unauthorized access to corporate data?

End User’s perspective on Enterprise Mobility

End users want access to corporate services such as email, intranet, ability to share and collaborate over documents, and also use 3rd¬†party applications such as Evernote, Quick Office or GoodReader. With mobile solutions such as XenMobile MDM, CloudGateway, ShareFile and GoToAssist, Citrix provides ubiquity i.e. ‚Äėaccess any app. from any device‚Äô, and a unified view for applications with an enterprise app store, documents via ShareFile. Having said that, since the user is accessing multiple applications; end user experience is a key component of mobility solutions. For example, bootstrap authentication and provide single sign on (SSO) to other applications.

Enterprise IT perspective on BYOD

As IT is providing access to corporate services, the main concern is around data loss prevention (DLP) and protecting corporate content on the mobile device. This means, encrypting data at rest for application data, and documents that are hosted either on Sharepoint, Network File share or Cloud storage. From a DLP perspective, for security conscious organizations, the mobile solutions bundle, which includes XenMobile MDM and CloudGateway…

Continue reading here!

//Richard

Configuring Email-Based Account Discovery for #Citrix #Receiver

Check out this great blog post from Avinash Golusula:

Configuring Email-Based Account Discovery

1     Add DNS Service Location (SRV) record to enable email based discovery

During initial configuration, Citrix Receiver can contact Active Directory Domain Name System (DNS) servers to obtain details of the stores available for users. This means that users do not need to know the access details for their stores when they install and configure Citrix Receiver. Instead, users enter their email addresses and Citrix Receiver contacts the DNS server for the domain specified in the email address to obtain the required information.

To enable Citrix Receiver to locate available stores on the basis of users‚Äô email addresses, configure Service Location (SRV) locator resource records for Access Gateway or StoreFront/AppController connections on your DNS server. If no SRV record is found, Citrix Receiver searches the specified domain for a machine named ‚ÄúdiscoverReceiver‚ÄĚ to identify a StoreFront/AppController server.

You must install a valid server certificate on the Access Gateway appliance and StoreFront/AppController server to enable email-based account discovery. The full chain to the root certificate must also be valid. For the best user experience, install either a certificate with a Subject or Subject Alternative Name entry of discoverReceiver.domain, or a wildcard certificate for the domain containing your users’ email accounts.

To allow users to configure Citrix Receiver by using an email address, you need to add a SRV record to your DNS zone.

  • Log in to your DNS server
  • In DNS > Right-click your¬†Forward Lookup Zone
  • Click on¬†Other New Records
  • Scroll down to¬†Service Location (SRV)
  • Configuring Email-Based Account Discovery
  • Choose¬†Create Record

Explaining #Citrix Pass-through Authentication

Check out this great blog post from Joel Bejar:

Introduction

Pass-through authentication is a simple concept. User credentials are passed to a Web Interface site and then to the XenApp/XenDesktop servers, preventing users from having to explicitly authenticate at any point during the Citrix application launch process. While this authentication method seems straightforward, there are some moving pieces, and this article aims to break these down to provide a more detailed understanding of how this process truly works within Citrix.

Pass-Through Authentication ‚Äď Web Interface Site

The first step to the pass-through process occurs at the Web Interface site. Users are able to navigate to the web interface site, and their credentials are passed through and they are presented with their Citrix delivered resources. Web Interface is built on Internet Information Services (IIS). For pass-through authentication to work, IIS Integrated Windows Authentication must be leveraged.  Formerly called NTLM, this authentication method hashes the user credentials before they are sent over the network. When this type of authentication is enabled, the client browser proves its is authenticated through a cryptographic exchange with the Web Interface server, involving hashing. Because of this, the web browser is responsible for authenticating with the Web Interface Server (IIS).  It is important to note, though, that credentials are actually never exchanged. Instead, the signed hash is provided to IIS, proving that said user had already been authenticated at the Windows desktop.  The web interface user uses the user’s AD context (sometimes referred to as a token) to retrieve the user’s AD group membership and pass this list of groups directly to the XML service for authentication.  At this point, the user has successfully passed through to the Web Interface site, and can now view his/her Citrix resources.

  • The WI server must be in the same domain as the user, or in a domain that has a trust relationship with domain of the user.
  • If the WI server and user are in different domains, and resources are published using Domain Local AD groups in the user domain, then the WI will not be able to enumerate these, even with a proper AD trust relationship (due to the very nature of Domain Local groups).
  • The WI site should be added as a Trusted Site or Intranet Zone site in Internet Explorer. In addition, the security settings should be modified so that User Authentication\Logon is set to ‚ÄėAutomatic Logon with Username and Password‚Äô.
  • Pass-through authentication is¬†not¬†supported on Web Interface for NetScalerPlease Note: Pass-through authentication and Kerberos authentication are¬†not¬†interchangeable and they have different requirements.

Pass-Through Authentication ‚Äď XenApp/XenDesktop Session

One of the biggest misconceptions with Pass-Through authentication in Citrix is that it only occurs when a user navigates to the Web Interface site and he/she is automatically passed through. As mentioned above, this IIS authentication method that is being used does not actually exchange the user password. In other words, Web Interface is never in control of the user credentials. This brings up the question: How are users passed through to the actual XenApp/XenDesktop ICA session?

While the web browser has a role in authenticating the user to the web site, the Citrix client (Citrix Receiver) plays an integral role in making sure the user is fully passed through to the application or desktop. Citrix Receiver installs a process called SSONSVR.exe, which is the single sign-on component of the client (no, not password manager SSO, but rather desktop credential pass-through authentication SSO.) This process is fully responsible for passing the user credentials to XenApp or XenDesktop. Without this piece, pass-authentication will not function.

Continue reading here!

//Richard

#Citrix #AppController 2.5 Implementation Tips – #CloudGateway, #BYOD

February 19, 2013 Leave a comment

Great blog post by Matthew Brooks!

AppController is a component of the Citrix CloudGateway Enterprise suite that orchestrates access to Enterprise Cloud applications.  Those applications may take many forms including Mobile Applications, Software-as-a-Service hosted in public clouds, and Web links.  Below I provided some tips to help with the implementation of AppController 2.5 (which is the latest version as of the publishing of this blog).

System Related

Including settings such as the Hostname, SSL certificates, and Restore.

TIPs:

  • Take a hypervisor level snapshot after the initial installation so that you can easily return to that base level if configuration or integrations efforts go awry.
  • The hostname cannot contain special characters in the AppController certificate signing request.
  • The hostname must match SSL certificate.
  • The system cert must be chained to its CA/(s).

Active Directory Related

Including settings such as the Server (Domain Controller), Base DN, and Service Account credentials.

TIPs:

  • The AppController only supports integration with a single domain.¬† Multiple domains require multiple AppControllers.¬† The NetScaler Access Gateway may be configured to allow users to access a single fully qualified domain name, yet be directed to their respective domain AppController through the use of Global Groups.¬† See CTX116169 for more informationhttp://support.citrix.com/article/CTX116169
  • All user accounts must have a first name, last name, and email address configured or they will receive an authorization error when attempting to launch applications.¬† The bind Administrator account must also have email address configured or directory integration will fail.
  • Only LDAP (TCP 389) may be configured through the wizard that must be completed initially.¬† Thereafter LDAPS (TCP 636) may be configured through the full administration menu.
  • If the server name domain name is a load balanced DNS entry the initial import may work, yet subsequent bind attempts will fail.¬† Alternatively you may use the IP address of an LDAPS load balancer on a Netscaler with specific domain controllers configured as services.¬† See CTX135092 for more information¬†http://support.citrix.com/article/CTX135092

Network Related

Including settings such as the IP address, @Workweb and NTP server.

TIPs:

  • Use IP private addresses as system addresses if possible.¬† When Trust Settings are configured for NetScaler Access Gateway it does not allow SSO to public addresses.¬† If public addresses must be used the NetScaler may be configured with an SSL Bridge to access the AppController.¬† See NetScaler Traffic Management document for more information.
  • NTP must be configured or SAML authentication may fail for SaaS sites if the time difference is significant.
  • When Trust Settings are configured for NetScaler Access…

Continue reading here!

//Richard

SSO to StoreFront not working in CVPN mode – #Citrix, #NetScaler, #StoreFront

January 31, 2013 3 comments

Single Sign-On from Access Gateway to StoreFront not working in CVPN mode

There is yet another “thing” to have in mind when setting up Access Gateway and StoreFront in CVPN mode!

It’s been an interesting day (or days/weeks/months I must admit) with some “issues” with a NetScaler ADC, Access Gateway with CVPN profiles and StoreFront 1.2. And one thing that we have been struggling with was Single Sign-On to StoreFront when we had the AG configured for CVPN access. And it was just this environment where I’ve seen this issue!!

After a lot of troubleshooting the Citrix guys came up with an explanation on why SSO from AG doesn’t work in this specific environment! And it’s not an obvious one to find I must say… but I now understand why it doesn’t work!

So let’s explain the design reason for why it doesn’t work (so bear with me, solution at the end!!)…

The following picture tries to give a VERY rough picture of how it could look like, clients on the Internet on the left, then a NetScaler ADC with the Access Gateway feature enabled and a vServer configured. This AG vServer has session policies and profiles for ICA proxy (old traditional ICA proxy policy) and the little newer CVPN mode. And YES; I’ve left out a lot of stuff like AD etc. to simplify this picture A LOT…

High_Level_Design_overview_SSO_not_working

The overall idea and config is that AG authenticates the user and then shall do SSO to StoreFront. The CVPN policy have been created according to all best practices etc. (Citrix CloudGateway Express 2.0 – Implementation Guide).

But SSO still doesn’t work!! If you login through a browser when having the CVPN policy linked to the vServer you’ll see that authentication works perfectly but then when it tries to passthrough the authentication to StoreFront it fails.

This picture just shows the login to the NetScaler ADC Access Gateway vServer:

NetScaler_Access_Gateway_login

Read more…

%d bloggers like this: