Integration Guide. SafeNet Authentication Manager. Using SafeNet Authentication Manager with Citrix XenApp 6.5


SafeNet Authentication Manager Integration Guide
Using SafeNet Authentication Manager with Citrix XenApp 6.5

Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved.

Document Information

Release Date: March 2014

Trademarks

All intellectual property is protected by copyright. All trademarks and product names used or referred to are the copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording, or otherwise, without the prior written permission of SafeNet, Inc.

Disclaimer

SafeNet makes no representations or warranties with respect to the contents of this document and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet reserves the right to revise this publication and to make changes from time to time in the content hereof without the obligation upon SafeNet to notify any person or organization of any such revisions or changes.

We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct them in succeeding releases of the product.

SafeNet invites constructive comments on the contents of this document. These comments, together with your personal and/or company details, should be sent to the address or email below.

Contact Method: Contact Information
Mail: SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Email: TechPubs@safenet-inc.com

Contents

About SafeNet Authentication Manager
  Applicability
  Audience
Overview
RADIUS-based Authentication Using SAM
NPS Configuration
SAM Configuration
  SAM 8.2 Installation
  SAM 8.2 OTP Connector
  Configuring RADIUS Authentication
User Store Deployment
  Supported User Stores
Supported Tokens
  Supported OTP Hardware Tokens
  Supported OTP Software-based Tokens
Running the Solution
Support Contacts

About SafeNet Authentication Manager

SafeNet Authentication Manager (SAM) enables complete user token lifecycle management. SAM links tokens with users, organizational rules, and security applications to enable streamlined handling of users' needs throughout the various user token lifecycle stages.

Citrix XenApp 6.5 is a secure application and data access solution that provides IT administrators with a single interface for managing access control, and for limiting actions within sessions, based on both user identity and the endpoint device.

Integrating SAM with Citrix XenApp 6.5 provides a strong authentication approach based on multi-factor authentication (MFA) for handling evolving business requirements, as well as new threats, risks, and vulnerabilities.

This document provides guidance for deploying multi-factor authentication in Citrix XenApp 6.5 using authentication methods managed by SafeNet Authentication Manager (SAM). The user store is configured and synchronized between SAM and Citrix AG. The solution supports various user stores, as described under User Store Deployment. In this document, Citrix XenApp 6.5 uses Microsoft's Active Directory (AD) as its user store. In this document, the demonstrated solution includes one-time password (OTP) authentication.

Applicability

The information in this document applies to SafeNet Authentication Manager version 8.2 and Citrix XenApp 6.5.

Audience

This document is targeted to system administrators who are familiar with Citrix XenApp 6.5 and are interested in adding multi-factor authentication capabilities using SafeNet Authentication Manager.

Overview

This document assumes that Citrix XenApp 6.5 is deployed in the organization. It will guide you through the process of adding multi-factor authentication capabilities to Citrix XenApp 6.5 using SafeNet Authentication Manager.

For the purpose of working with SafeNet Authentication Manager, the RADIUS protocol is used. Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication, authorization, and accounting management for computers that connect and use a network service.

The deployment of multi-factor authentication support using SafeNet Authentication Manager with Citrix XenApp 6.5 requires completion of the following steps:

- Configure RADIUS communication between the Citrix Web Interface and SafeNet Authentication Manager.
- Synchronize the Citrix Web Interface with the SAM User Store.
- Assign tokens to users. See the section Supported Tokens for a list of supported one-time password (OTP) tokens.
- Test the authentication solution.

NOTE: This document assumes that the XenApp 6.5 environment is already configured and working with static passwords prior to implementing multi-factor authentication using SafeNet Authentication Manager.

RADIUS-based Authentication Using SAM

Figure 1 illustrates the data flow of a multi-factor authentication transaction for Citrix XenApp 6.5.

1. The user attempts to log in to the Citrix published resource via the Citrix Web Interface.
2. Citrix Web Interface sends a RADIUS request with the user's credentials to the NPS Server.
3. The NPS server validates the credentials.
4. The SAM reply (approving or declining access) is sent back to the NPS server.
5. The NPS server forwards the reply to the Web Interface.
6. The user is granted or denied access to the web application, based on the validation result. If validation is successful, the user receives access to the XenApp published application.

Figure 1: Data flow of multi-factor authentication for Citrix XenApp 6.5 using SAM

NPS Configuration

Communication between Citrix Web Interface and Microsoft Network Policy Server (NPS) is based on the RADIUS protocol. NPS can be used as a RADIUS server to perform authentication, authorization, and accounting for RADIUS clients.

To add a RADIUS client entry in NPS so that it can receive RADIUS authentication requests from Citrix Web Interface, you will need the following information:

- the IP address of Citrix Web Interface
- the shared secret to be used by both NPS and Citrix Web Interface

To configure Citrix Web Interface as a RADIUS client:

1. Click Start > Administrative Tools > Network Policy Server.
2. On the Network Policy Server dialog box, in the left pane, click RADIUS Clients and Servers, then select RADIUS Clients.
3. On the menu bar, click Action > New.
4. On the New RADIUS Client dialog box, complete the following fields:
   Friendly name: Type a name for the client.
   Address: Type the IP address or the DNS name of the Citrix Web Interface.
   Shared secret: Select Manual, and then type the shared secret that was configured in SAM. This secret will be needed later for the Citrix Web Interface RADIUS authentication configuration.
   Confirm shared secret: Type the shared secret again to confirm.
5. Click OK.
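An added illustration, not part of the SafeNet guide, of what the shared secret from the New RADIUS Client dialog does on the wire according to RFC 2865: it hides the User-Password attribute in the request and authenticates the server's reply, so a server holding a different secret recovers garbage and a reply signed with a different secret is rejected. The user name, passcode, address and secrets are constructed sample values; `citrixwi` is the NAS identifier this guide later sets for the Web Interface, and carrying the passcode in User-Password is an assumption.

```python
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32  # attribute types

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _attr(kind, value):
    return bytes([kind, len(value) + 2]) + value  # type, length, value

def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: null-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def reveal_password(hidden, secret, request_auth):
    """Server side: a wrong secret raises no error, it just produces garbage."""
    blocks = [request_auth] + [hidden[i:i + 16] for i in range(0, len(hidden), 16)]
    clear = b"".join(_xor(c, hashlib.md5(secret + p).digest()) for p, c in zip(blocks, blocks[1:]))
    return clear.rstrip(b"\x00")

def build_access_request(ident, user, passcode, secret, nas_id, nas_ip):  # sent to UDP 1812
    request_auth = os.urandom(16)  # Request Authenticator, fresh for every request
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(passcode.encode(), secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def attributes(packet):  # walk the TLV attributes that follow the 20-byte header
    pos, out = 20, {}
    while pos + 2 <= len(packet) and packet[pos + 1] >= 2:
        out[packet[pos]] = packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]
    return out

def sign_reply(code, request, secret):  # attribute-less reply from the RADIUS server
    header = struct.pack("!BBH", code, request[1], 20)
    return header + hashlib.md5(header + request[4:20] + secret).digest()

def reply_is_authentic(reply, request, secret):
    # Response Authenticator = MD5(code + id + length + RequestAuth + attributes + secret)
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return len(reply) >= 20 and hmac.compare_digest(expected, reply[4:20])

def demo():
    secret, other = b"constructed-shared-secret", b"mistyped-shared-secret"  # constructed values
    req = build_access_request(7, "jdoe", "492817", secret, "citrixwi", "192.0.2.10")
    hidden, request_auth = attributes(req)[USER_PASSWORD], req[4:20]
    return {"server_same_secret": reveal_password(hidden, secret, request_auth),
            "server_other_secret": reveal_password(hidden, other, request_auth),
            "reply_accepted": reply_is_authentic(sign_reply(ACCESS_ACCEPT, req, secret), req, secret),
            "mis_signed_reply_accepted": reply_is_authentic(sign_reply(ACCESS_ACCEPT, req, other), req, secret)}

if __name__ == "__main__":
    print(demo())
```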

SAM Configuration

SafeNet's OTP plug-in for Microsoft RADIUS Client works with Microsoft's Internet Authentication Service (IAS) Server or Network Policy Server (NPS) to provide strong authentication for remote access through the Microsoft IAS or NPS RADIUS Server. When configured, users requesting remote access to their network using IAS or NPS are prompted to enter a token-generated OTP passcode.

SAM 8.2 Installation

For the integration described in this document, install one-time password (OTP) authentication for MS RADIUS Client.

- When installing SAM using the SafeNet Authentication Manager 8.2 Installer, install OTP Authentication > RADIUS Authentication.
- If the RADIUS server and SAM are on the same computer, use the SafeNet Authentication Manager 8.2 Installer to install SAM OTP plug-ins, or install the OTP Plug-In for Microsoft RADIUS Client using SafeNet OTP Plug-In Package 8.2.
- If the RADIUS server and SAM are on different computers, install the OTP Plug-In for Microsoft RADIUS Client on the RADIUS server using SafeNet OTP Plug-In Package 8.2.

For more information, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide.

SAM 8.2 OTP Connector

For the integration described in this document, configure the SAM Connector for OTP Authentication. For more information about the OTP connector, refer to the section Connector for OTP Authentication in the SafeNet Authentication Manager Version 8.2 Administrator Guide.

Configuring RADIUS Authentication

SafeNet's OTP architecture includes the SafeNet RADIUS Server for back-end OTP authentication. This enables integration with any RADIUS-enabled gateway or application. For the integration described in this document, the SafeNet RADIUS Server accesses user information in the Active Directory infrastructure via SafeNet Authentication Manager.

SafeNet's OTP architecture requires the MS RADIUS Server (NPS) to be installed. After installing NPS, add Citrix Web Interface as a RADIUS Client in the NPS.

Communication between Citrix Web Interface and SafeNet Authentication Manager is based on RADIUS protocol. To enable SAM to receive RADIUS requests from Citrix Web Interface:

- Ensure that end users can authenticate to Citrix Web Interface with a static password before configuring AG to use RADIUS authentication.
- Ensure that ports 1812 and 1813 are open to Citrix Web Interface.

To configure Citrix AG to use RADIUS protocol as a secondary authentication method:

1. Open the Citrix Web Interface Management console.
2. Right-click on the XenApp website and select Authentication Methods.
3. Under Authentication Methods, select Explicit, then click Properties.

4. On the Properties - XenApp dialog box, select Explicit > Two-Factor Authentication.
5. In the Two-factor setting field, select RADIUS.
6. In the RADIUS server addresses box, do the following:
   a. Click the Add button.
   b. On the Add RADIUS Server dialog box, enter the NPS IP address and port number.
   c. Click OK.

7. Next, you must configure the RADIUS shared secret. A shared secret file must be manually created for the RADIUS server defined under the Two-Factor Authentication method.
   a. On the Citrix Web Interface server, browse to the directory \inetpub\wwwroot\citrix\sitepath\conf. Create a file called radius_secret.txt that contains the RADIUS shared secret.
   b. Browse to the directory \inetpub\wwwroot\citrix\sitepath\conf.
   c. Use a text editor to open the file web.config and do the following:
      - Search for RADIUS_NAS_IDENTIFIER and, for the value, type citrixwi.
      - Search for RADIUS_NAS_IP_ADDRESS and, for the value, type the IP address assigned to the Citrix Web Interface server.
   d. Save and close the file.

User Store Deployment

SafeNet Authentication Manager manages and maintains OTP token information in its data store. This information includes the token status, the OTP algorithm used to generate OTPs, and the token assignment to the user.

User information is managed and maintained in a user store. SafeNet Authentication Manager can be integrated with your organization's external user store. If your organization does not use an external user store, SAM 8.2 enables the use of an internal ("stand-alone") user store created and maintained by the SAM server.

Supported User Stores

SAM 8.2 supports the following user stores:

- Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)
- ADAM (in an integrated configuration solution using a stand-alone user store)
- Remote Active Directory
- Microsoft SQL Server 2005/2008
- OpenLDAP
- Novell eDirectory

For more information, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide.
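A pre-flight check for step 7 of the Web Interface RADIUS configuration above (the radius_secret.txt file and the two web.config values), added here as an example and not taken from the SafeNet or Citrix documentation. It assumes the RADIUS settings are `<add key="..." value="..."/>` entries in web.config and that the bytes of radius_secret.txt are used as the secret as-is; the sample inputs are constructed.

```python
import hmac
import ipaddress
import xml.etree.ElementTree as ET

BOMS = (b"\xef\xbb\xbf", b"\xff\xfe", b"\xfe\xff")  # UTF-8, UTF-16 LE, UTF-16 BE

def check_secret_file(raw, nps_secret):
    """Findings for the raw bytes of radius_secret.txt versus the secret typed into NPS."""
    findings, body = [], raw
    for bom in BOMS:
        if body.startswith(bom):
            findings.append("radius_secret.txt starts with a byte-order mark")
            body = body[len(bom):]
            break
    if body != body.strip():
        findings.append("radius_secret.txt has surrounding whitespace or a line break")
    body = body.strip()
    if len(body) < 16:
        findings.append("secret is shorter than the 16 octets RFC 2865 prefers")
    if not hmac.compare_digest(body, nps_secret):
        findings.append("secret text differs from the one configured in NPS")
    return findings

def check_web_config(xml_text, expected_nas_id="citrixwi"):
    """Findings for the two values edited in web.config (assumed <add key= value=> entries)."""
    settings = {e.get("key"): e.get("value", "") for e in ET.fromstring(xml_text).iter("add")}
    findings = []
    if settings.get("RADIUS_NAS_IDENTIFIER") != expected_nas_id:
        findings.append("RADIUS_NAS_IDENTIFIER is not set to %r" % expected_nas_id)
    try:
        ip = ipaddress.IPv4Address(settings.get("RADIUS_NAS_IP_ADDRESS", ""))
        if ip.is_loopback or ip.is_unspecified:
            findings.append("RADIUS_NAS_IP_ADDRESS is not the server's assigned address")
    except ValueError:
        findings.append("RADIUS_NAS_IP_ADDRESS is not an IPv4 address literal")
    return findings

def preflight(web_config_text, secret_file_bytes, nps_secret):
    return check_secret_file(secret_file_bytes, nps_secret) + check_web_config(web_config_text)

# Constructed sample inputs: an untouched identifier, a host name where an IP belongs,
# and a secret file saved by an editor that added a BOM and a CRLF.
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="RADIUS_NAS_IDENTIFIER" value="" />
  <add key="RADIUS_NAS_IP_ADDRESS" value="wi01.example.test" />
</appSettings></configuration>"""
SAMPLE_SECRET_FILE = b"\xef\xbb\xbfconstructed-shared-secret\r\n"

if __name__ == "__main__":
    for finding in preflight(SAMPLE_WEB_CONFIG, SAMPLE_SECRET_FILE, b"constructed-shared-secret"):
        print("FINDING:", finding)
```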

Supported Tokens

SafeNet Authentication Manager supports both hardware and software-based one-time password (OTP) tokens.

Supported OTP Hardware Tokens

SAM 8.2 supports the following OTP hardware tokens:

- eToken NG-OTP
- eToken PASS
- eToken Gold

Supported OTP Software-based Tokens

MobilePASS tokens are software-based OTP tokens. These tokens enable generation of OTP passwords on mobile devices or personal computers without requiring a hardware token. SAM 8.2 supports MobilePASS on the following platforms:

- BlackBerry OS version 4.6 and later
- Microsoft Windows XP, Windows 7, and Windows 8
- Microsoft Windows for Phone 7
- All versions of Android OS
- All versions of iOS

Running the Solution

1. Open Citrix Web Interface.
2. Open the SafeNet MobilePASS app on your smartphone and generate an OTP.
   NOTE: The MobilePASS app may prompt you to enter your PIN.

3. On the Citrix XenApp Log on dialog box, complete the following fields:
   User name: Type your user name.
   Password: Type your password.
   Domain: Type the XenApp domain name to which you are connecting. This information can be obtained from the system administrator.
   PASSCODE: Type your SafeNet OTP passcode.
4. You are logged in to Citrix and the user application set is displayed.

Support Contacts

If you encounter a problem while installing, registering or operating this product, please make sure that you have read the documentation. If you cannot resolve the issue, contact your supplier or SafeNet Customer Support. SafeNet Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is governed by the support plan arrangements made between SafeNet and your organization. Please consult this support plan for further information about your entitlements, including the hours when telephone support is available to you.

Table 1: Support Contacts

Contact Method: Contact Information
Address: SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017 USA
Phone: United States 1-800-545-6608; International 1-410-931-7520
Email: support@safenet-inc.com
Support and Downloads: www.safenet-inc.com/support. Provides access to the SafeNet Knowledge Base and downloads for various products.

Technical Support Customer Portal: https://serviceportal.safenet-inc.com. Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the latest software upgrades, and access the SafeNet Knowledge Base.