Why use client certificate based authentication in XenMobile?
With client certificate based authentication, the end user experience is simplified to a PIN (the Worx PIN) that grants access to the company's Worx Store. During enrollment, Device Manager asks the CA server for a user certificate. Once Device Manager receives the user certificate, it is pushed to the user's device via Worx Home, which adds it to the device keystore and prompts the user to set a PIN (the Worx PIN). The Worx PIN is an added security feature that protects access for the user: once the user enters the Worx PIN, access is granted to enterprise applications such as WorxMail, WorxWeb and other MDX, Web and SaaS apps delivered via AppController.
Steps to configure client certificate authentication
The primary prerequisite for client certificate based authentication is a XenMobile 8.6 install base. The components involved on the server side are XenMobile Device Manager 8.6, XenMobile AppController 2.9, NetScaler Gateway 10.1 and a Microsoft CA server, with Worx Home 8.6 on the client side.
Prerequisites for Device Manager and the MS CA server can be found in Citrix eDocs: http://support.citrix.com/proddocs/topic/xmob-dm-85/xmob-dm-manage-securityid-configDM-MScertificatesvs-con.html
Note: these steps will guide you through a basic certificate authentication configuration for a rapid POC. This is one of the ways to achieve certificate based authentication; there may be other ways to achieve the same.
Generally, we can classify the configuration into 4 parts:
- MS CA server configuration.
- Configuration in Device Manager.
- Configuration in AppController.
- Configuration in NetScaler.
_________________________________________________________
1. Configuration steps in the MS CA server
Add the Certificates snap-in in MMC
- Open MMC and click Add/Remove Snap-in.
- Add Certificates for the local computer and for the current user.
- Add Certification Authority for the local computer account.
- Expand Certificate Templates.
- Select the User template and duplicate it.
- Provide a template display name.
- Under the Security tab, make sure the Enroll permission is checked for Authenticated Users.
- Under the Cryptography tab, make sure you provide the key size (remember it; you must use the same key size in the Device Manager configuration).
- Under the Subject Name tab, select Supply in the request. After that, apply the changes and save.
Add the template to the CA
- Go to the CA and select Certificate Templates.
- Right-click in the right pane and select New > Certificate Template to Issue.
- Select the template you created in the previous step and click OK to add it to the certification authority.
- Create a user .pfx certificate using the service account you are logged in with. (This .pfx will be uploaded into Device Manager, which will request a user cert on behalf of the end user enrolling their device.)
- Expand Certificates under Current User.
- Right-click in the right pane and click Request New Certificate.
- The certificate enrollment wizard is shown; click Next.
- Select Active Directory Enrollment Policy and click Next.
- Select the User template and click Enroll. (Here you need to use the User template; you cannot enroll with the certificate template you created in the previous step, because we selected Supply in the request when creating it, and it is Device Manager that supplies the attributes on which the certificate will be issued.)
- Export the certificate you created in the previous step as a .pfx.
- Make sure you export the private key.
- Include all certificates in the certification path and export all extended properties.
- Set a password for this cert (you will use this password when you upload this .pfx cert into Device Manager).
- Save the cert to your hard drive.
__________________________________________________________
2. Configuration steps in Device Manager
- Log in to Device Manager using the administrator credentials.
Note: make sure your AD attribute is set to UPN in the XDM LDAP configuration.
Upload the .pfx into the Device Manager server
- Select Options (top banner).
- Drill down to PKI and select Server Certificates.
- Select Upload a certificate.
- From the Certificate type dropdown, select Keystore.
- Browse to the .pfx file you created and exported in the previous step, provide the password and a relevant description, and upload it.
- Verify the uploaded certificate.
Defining the PKI entity in Device Manager
- Expand PKI.
- Select Entities; in the right pane, select New entity > MS CertSrv.
- Provide the entity name and the root URL of the service (example: https://ad.mycompany.com/certsrv/; make sure IIS on the cert server is enabled for https).
- From the Authentication type dropdown, select Client certificate.
- Select the SSL client certificate (make sure you choose the right certificate; verify the serial number against the certificate/.pfx you uploaded in the previous step).
- Select the Templates tab, click New template and name the template (it is recommended to use the same name as the template name on the CA server).
- Select CA Certificates. (You can skip Custom HTTP settings.)
- Click Add to add a CA certificate from the Select certificate dropdown. (If you have more than one CA server in the dropdown list, select the CA server that will issue the certificate.)
- Check the PKI entity you configured in the previous step.
Defining the credential provider in Device Manager
- Select Credential Providers and click New credential provider.
- Under the General tab:
- Provide the credential provider name and description.
- Select the Issuing entity, Issuing method and Template from the dropdowns.
- Under the CSR tab:
- Select the Key algorithm, Key size (the algorithm and key size should be the same as you used during template definition) and Signature algorithm.
- Provide the Subject name cn=$user.username, and under Subject Alternative Names click New alternative name. By default it is pre-filled with RFC822; change it to User Principal Name from the dropdown and provide the value $user.userprincipalname.
- Under the Distribution tab:
- Select the Issuer from the dropdown and select the distribution mode (I prefer Centralized).
- Click Add. (In these steps I have not configured certificate revocation.)
Integrating Device Manager with AppController
- Under Modules Configurations:
- Select AppController, provide the APPC host name and shared key, check Enable AppController, be sure to check Deliver user certificate for authentication, and select the provider from the dropdown.
__________________________________________________________
3. Configuration steps in AppController
AppController integration with NetScaler
- Log in to AppController and click Deployment under Settings.
- Provide the external NetScaler Gateway host name, select the logon type as Certificate (for cert-based auth only) and save the configuration in AppController.
Integrating AppController with Device Manager
- Click XenMobile MDM, provide the respective details and save.
__________________________________________________
4. Configuration steps in NetScaler
- Log in to NetScaler.
- Under Traffic Management > SSL, make sure you have uploaded the root and intermediate certificates of the CA that issues the user certs into NetScaler, and link them.
- If you are configuring NetScaler Gateway for the first time, run the wizard; if you already have an Access Gateway VIP configured, make the changes accordingly.
- Open the virtual server.
- In the Certificates tab:
- Add the CA's root certificate using Add as CA.
- From the Add dropdown, select the CA cert.
- Make sure you select the right option from the Check dropdown; if your CA server has CRL/OCSP configured, select the corresponding option.
- If your CA server does not support CRL/OCSP, make sure you set the check option accordingly, or else client authentication fails.
- Click SSL Parameters.
- Select the Client Authentication check box and set Client Certificate to Mandatory (required) from the menu.
- Click OK to add the above-configured policy.
- In the Authentication tab:
- Create a new certificate policy and name it cert auth base.
- Set the expression to ns_true.
- Create the policy profile.
- Set the Two Factor option according to your requirement.
- Select the user name field SubjectAltName:PrincipalName from the menu. (If using cert-based auth only, set Two Factor to OFF.)
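As an added example (not code from the original post or from Citrix), the following Python shows what the user name field SubjectAltName:PrincipalName refers to on the wire, and why the alternative name in the credential provider's CSR tab in part 2 must be changed from the default RFC822 to User Principal Name: it encodes a subjectAltName the way the issuing CA would, then extracts the UPN the way a gateway reading that field would. It uses only the standard library. The user name jdoe@mycompany.com is a constructed sample, and the rejection of an ambiguous SAN carrying several UPNs is a conservative choice of this example, not documented NetScaler behaviour.

```python
# Added example, not Citrix code: DER encode/decode of a subjectAltName so the
# "SubjectAltName:PrincipalName" user name field becomes concrete.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft User Principal Name otherName type-id


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    """One tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as an OBJECT IDENTIFIER TLV (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents (without tag/length) to dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_san(upn=None, rfc822=None):
    """Encode a subjectAltName GeneralNames SEQUENCE as the CA would issue it.
    upn -> otherName [0] { type-id UPN_OID, value [0] EXPLICIT UTF8String }
    rfc822 -> rfc822Name [1] IA5String (the Device Manager default)."""
    names = b""
    if upn is not None:
        value = der_tlv(0xA0, der_tlv(0x0C, upn.encode("utf-8")))
        names += der_tlv(0xA0, der_oid(UPN_OID) + value)
    if rfc822 is not None:
        names += der_tlv(0x81, rfc822.encode("ascii"))
    return der_tlv(0x30, names)


def der_read(buf, pos):
    """Read one TLV at pos; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def principal_names(san_der):
    """Return every UPN otherName found in a subjectAltName value."""
    tag, seq, _ = der_read(san_der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName is not a SEQUENCE")
    found, pos = [], 0
    while pos < len(seq):
        tag, body, pos = der_read(seq, pos)
        if tag != 0xA0:              # only otherName can carry a UPN
            continue
        _, oid_body, after_oid = der_read(body, 0)
        _, explicit, _ = der_read(body, after_oid)   # [0] EXPLICIT wrapper
        vtag, value, _ = der_read(explicit, 0)
        if decode_oid(oid_body) == UPN_OID and vtag == 0x0C:
            found.append(value.decode("utf-8"))
    return found


def gateway_username(san_der):
    """What a gateway configured with user name field SubjectAltName:PrincipalName
    has to work with: exactly one UPN gives the logon name. No UPN (for example,
    the template was left at the default RFC822 name) gives None, so the logon
    cannot succeed. Several UPNs are also rejected here, a conservative choice
    of this example rather than a documented NetScaler rule."""
    upns = principal_names(san_der)
    return upns[0] if len(upns) == 1 else None


if __name__ == "__main__":
    # Constructed sample user, not a real account.
    good = build_san(upn="jdoe@mycompany.com")
    default_only = build_san(rfc822="jdoe@mycompany.com")
    print("UPN SAN   ->", gateway_username(good))          # jdoe@mycompany.com
    print("RFC822 SAN ->", gateway_username(default_only))  # None
```

Run it as a script to see the two outcomes side by side; the second case is the one you hit when the alternative name type was left at its RFC822 default, and it shows why the gateway then has no user name to log the device on with even though the certificate chain itself is valid.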
End user experience
- Enroll the device, set the Worx PIN and experience the simplified user authentication.