Web Interface Mod: Take Smart Card Authentication to the DMZ
|
For several versions now Web Interface has included a feature that allows users to authenticate using a smart card instead of entering their username and password. It works like this:
As you can see, the process depends entirely on IIS for doing the authentication and mapping the user’s certificate to their domain account. This only works when the IIS server is a domain member, and since nobody wants to put a domain member server in their DMZ we’ve always said that this is a solution for internal (or VPN) users only. But what if there were another way? What if we could validate the client certificate without having to talk to Active Directory? That’s possible using an IIS feature called the Certificate Trust List. Using this feature of IIS, you can specify exactly which Certificate Authorities whose client certificates should be trusted for connection to the website. During the SSL handshake, if a user presents a client certificate from any other CA, IIS will refuse access to the site. The problem though is that there’s no way to tie the user certificate to a domain user. So here’s a solution that will work for the DMZ while still requiring valid client certificates: Configure Web Interface for normal (explicit) authentication, but then configure IIS to require a trusted client certificate in order to reach that explicit site. Users will be prompted for their certificate and then they’ll have to type in their username and password in order to log into Web Interface. To do this, open IIS Manager and edit the properties of the web site or virtual directory that hosts the Web Interface pages. On the Directory Security tab, edit the "Secure Communications" properties. Select Require secure channel (SSL) and the choose to Require client certificates. So far all we've done is get Web Interface to show us the icons of the applications. The next phase is for the user to click an icon and receive a dynamically generated ICA file that connects them to a Presentation Server. On normal (unmodified) Web Interface sites that are configured for explicit authentication, the ICA file will contain a username and a ticket that logs the user in without requiring them to re-type their password. For sites configured to use smart card authentication, the ICA file will contain no logon ticket or credentials. Instead of credentials, the ICA file will include this obscure little command: DisableCtrlAltDel=Off Next time you’re bored you should try adding that parameter to an ICA file and watch what happens. Instead of logging you in with a ticket or showing you the Windows GINA where you can type your username and password, you will see the Windows logo from the Presentation Server as though you had walked up to the server but not touched the keyboard yet:
This GINA will be floating seamlessly on your desktop and you’ll have to type Ctrl-F1 to simulate the Ctrl-Alt-Del command on the server. When a smart card CSP is installed on the server though, an ICA virtual channel lights up and reads your client-side smart card to log you into the server. So to use the smart card for Presentation Server authentication too, we need to modify the ICA files that Web Interface generates so that the credentials (username plus logon ticket) are removed and the DisableCtrlAltDel=False line is added. Web Interface 4.x makes this a trivial task by just adding some lines into the ICA override file located at conf/default.ica. Locate the physical path for your web interface site, such as C:\Inetpub\wwwroot\Citrix\Metaframe. There you should find a conf directory with several ICA override files inside. Edit default.ica with notepad and add these lines to the [Application] section: This has the effect of blanking out any explicit logon information that would have been included in the ICA file, and triggers smart card authentication through an ICA virtual channel instead.Username= Domain= ClearPassword= DisableCtrlAltDel=False This can be made to work with Access Gateway or Secure Gateway, but you will need to allow direct HTTPS access to the IIS server that is hosting Web Interface. If the HTTPS traffic is relayed through the Secure Gateway service or an Access Gateway appliance before reaching the WI server, then the SSL termination at the gateway will filter out client certificates before traffic reaches the web server. It should go without saying that this is not an official tested or supported deployment, but it could suffice in some instances to provide smart card authentication to users who are not on the Presentation Server network. Jay |
Comments
Great Article Jay. I have previously fixed up the secure gateway with a member server in the dmz as a screened proxywith two nics. It works ok but feels a bit clunky and the reliability has not been what we had with an explicit login.
I will try this method and see where I get. The biggest problem I have seen the other way is that our login times went from 2 minutes with an explicit login to over 30 minutes with a smart card.
Posted by: G. Reese | September 22, 2006 04:35 AM
Good Article, This is the way I have already done the PKI for the NAVY. I have not had issues and I also have a way to set up the UPN to allow them to login completly but does require WI to contact AD, but does not need to be Domain Member. From my experience you may want to add, that if the presentation server is going to use the certificate and its a smart card, the PS server will require having the software and driver loaded for the card reader.
Posted by: Tom Johnson | November 29, 2006 12:55 PM
Our logins only take about 18 secs total. Sounds like G Reese may have a CRL Lookup issue, I recommend using Tumbleweed Desktop Validator.
Posted by: Tom Johnson | November 29, 2006 12:57 PM