Use smart cards with Citrix Receiver for Linux or Citrix Workspace app for Linux

pcbinary, June 27, 2021



User authentication


StoreFront supports a number of different authentication methods for users accessing stores, although not all are available, depending on the user access method and their network location. For security reasons, some authentication methods are disabled by default when you create your first store. For more information about enabling and disabling user authentication methods, see Create and configure the authentication service.

To enable domain pass-through authentication


1. Install Citrix Receiver for Windows or Citrix Workspace app for Windows or the Citrix Online plug-in for Windows on user devices. Ensure that pass-through authentication is enabled.
2. In the Citrix Receiver for Web site node in the administration console, enable domain pass-through authentication.
3. Configure SSON on Citrix Receiver for Windows or Citrix Workspace app for Windows, as described in Configure domain pass-through authentication. Citrix Workspace app for HTML5 does not support domain pass-through authentication.
4. Windows' default behavior is "Automatic logon only in the Intranet zone." For Internet Explorer, Mozilla Firefox and Google Chrome, either configure your Citrix Receiver for Web sites as Intranet sites using the Internet Options, or enable automatic logon for the Trusted zone. For Microsoft Edge you must configure your Citrix Receiver for Web sites as Intranet sites.
5. For Mozilla Firefox, modify the browser advanced settings to trust the Citrix Receiver for Windows or Citrix Workspace app for Windows URI.

   > Warning:
   >
   > Editing the advanced settings incorrectly can cause serious problems. Make edits at your own risk.

   1. Start Firefox, enter about:config in the address field and select "I accept the risk!"
   2. Type ntlm in the search box.
   3. Double-click "network.automatic-ntlm-auth.trusted-uris" and type the Citrix Receiver for Windows or Citrix Workspace app for Windows site URL in the pop-up dialog.
   4. Click OK.
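Steps 4 and 5 are per-user, per-browser clicks; the following PowerShell is an added example (not Citrix documentation code) that scripts the same trust for one Citrix Receiver for Web URL. The hostname storefront.example.com and the Firefox install directory are assumptions.

```powershell
# Added example, not Citrix documentation code: scripts the browser trust that
# steps 4 and 5 describe for one Citrix Receiver for Web URL. The hostname
# storefront.example.com and the Firefox install directory are assumptions.
# Trust only the exact FQDN over https: automatic logon releases the user's
# domain credentials to every site in the zone, so a wildcard widens exposure.

$StoreFrontUrl = 'https://storefront.example.com'

# Step 4: put the site in the Local intranet zone (zone id 1). IE, Edge and
# Chrome all read this ZoneMap, so one entry covers all three for this user.
function Add-IntranetSite {
    param([Parameter(Mandatory)][string]$Url)

    $uri = [Uri]$Url
    if ($uri.Scheme -ne 'https') { throw "Refusing to enable automatic logon over $($uri.Scheme)" }
    $labels = $uri.Host.Split('.')
    if ($labels.Count -lt 2) { throw "Expected a fully qualified host name, got '$($uri.Host)'" }

    # ZoneMap layout is Domains\<registrable domain>\<remaining host labels>
    $parent = ($labels | Select-Object -Last 2) -join '.'
    $child  = ($labels | Select-Object -First ($labels.Count - 2)) -join '.'
    $base   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    $key    = Join-Path $base $parent
    if ($child) { $key = Join-Path $key $child }

    New-Item -Path $key -Force | Out-Null
    # The value name is the scheme; 1 = Local intranet zone
    Set-ItemProperty -Path $key -Name $uri.Scheme -Value 1 -Type DWord
    return $key
}

# Step 5: the enterprise-policy equivalent of editing
# network.automatic-ntlm-auth.trusted-uris in about:config. policies.json is
# read from the install directory and applies to every profile on the machine.
function Set-FirefoxTrustedUri {
    param(
        [Parameter(Mandatory)][string]$Url,
        [string]$FirefoxDir = (Join-Path $env:ProgramFiles 'Mozilla Firefox')
    )
    $distDir = Join-Path $FirefoxDir 'distribution'
    New-Item -Path $distDir -ItemType Directory -Force | Out-Null

    $policy = @{
        policies = @{
            Authentication = @{
                NTLM   = @($Url)   # network.automatic-ntlm-auth.trusted-uris
                SPNEGO = @($Url)   # network.negotiate-auth.trusted-uris (Kerberos)
                Locked = $true     # users cannot widen the list from about:config
            }
        }
    }
    $path = Join-Path $distDir 'policies.json'
    $policy | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding UTF8
    return $path
}

Add-IntranetSite      -Url $StoreFrontUrl
Set-FirefoxTrustedUri -Url $StoreFrontUrl
```

In a managed environment the zone mapping is usually pushed instead by the "Site to Zone Assignment List" Group Policy, which overrides these per-user registry keys; writing policies.json requires administrator rights on the device.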

Pass-through from Citrix Gateway


Users authenticate to Citrix Gateway and are automatically logged on when they access their stores. Pass-through from Citrix Gateway authentication is enabled by default when you first configure remote access to a store. Users can connect through Citrix Gateway to stores using Citrix Workspace app or Citrix Receiver for Web sites. For more information about configuring StoreFront for Citrix Gateway, see Add a Citrix Gateway connection.

StoreFront supports pass-through with the following Citrix Gateway authentication methods.

* Security token. Users log on to Citrix Gateway using passcodes that are derived from tokencodes generated by security tokens combined, in some cases, with personal identification numbers. If you enable pass-through authentication by security token only, ensure that the resources you make available do not require additional or alternative forms of authentication, such as users' Microsoft Active Directory domain credentials.
* Domain and security token. Users logging on to Citrix Gateway are required to enter both their domain credentials and security token passcodes.
* Client certificate. Users log on to Citrix Gateway and are authenticated based on the attributes of the client certificate presented to Citrix Gateway. Configure client certificate authentication to enable users to log on to Citrix Gateway using smart cards. Client certificate authentication can also be used with other authentication types to provide double-source authentication.

StoreFront uses the Citrix Gateway authentication service to provide pass-through authentication for remote users so that they only need to enter their credentials once. However, by default, pass-through authentication is only enabled for users logging on to Citrix Gateway with a password. To configure pass-through authentication from Citrix Gateway to StoreFront for smart card users, delegate credential validation to Citrix Gateway. For more information, see Create and configure the authentication service.

Users can connect to stores within Citrix Workspace app with pass-through authentication through a Secure Sockets Layer (SSL) virtual private network (VPN) tunnel using the Citrix Gateway plug-in. Remote users who cannot install the Citrix Gateway plug-in can use clientless access to connect to stores within Citrix Workspace app with pass-through authentication. To use clientless access to connect to stores, users require a version of Citrix Workspace app that supports clientless access.

Additionally, you can enable clientless access with pass-through authentication to Citrix Receiver for Web sites. To do this, configure Citrix Gateway to act as a secure remote proxy. Users log on to Citrix Gateway directly and use the Citrix Receiver for Web site to access their applications without needing to authenticate again.

Users connecting with clientless access to App Controller resources can only access external software-as-a-service (SaaS) applications. To access internal web applications, remote users must use the Citrix Gateway plug-in.

If you configure double-source authentication to Citrix Gateway for remote users accessing stores from within Citrix Workspace app, you must create two authentication policies on Citrix Gateway. Configure RADIUS (Remote Authentication Dial-In User Service) as the primary authentication method and LDAP (Lightweight Directory Access Protocol) as the secondary method. Modify the credential index to use the secondary authentication method in the session profile so that LDAP credentials are passed to StoreFront. When you add the Citrix Gateway appliance to your StoreFront configuration, set the Logon type to Domain and security token. For more information, see http://support.citrix.com/article/CTX125364.

To enable multidomain authentication through Citrix Gateway to StoreFront, set SSO Name Attribute to userPrincipalName in the Citrix Gateway LDAP authentication policy for each domain. You can require users to specify a domain on the Citrix Gateway logon page so that the appropriate LDAP policy to use can be determined. When you configure the Citrix Gateway session profiles for connections to StoreFront, do not specify a single sign-on domain. You must configure trust relationships between each of the domains. Ensure that you allow users to log on to StoreFront from any domain by not restricting access to explicitly trusted domains only.

Where supported by your Citrix Gateway deployment, you can use SmartAccess to control user access to Citrix Virtual Apps and Desktops resources on the basis of Citrix Gateway session policies. For more information about SmartAccess, see How SmartAccess works for Citrix Virtual Apps and Desktops.

Use smart cards with Citrix Receiver for Windows or Citrix Workspace app for Windows


Users with devices running Citrix Receiver for Windows or Citrix Workspace app for Windows can authenticate using smart cards, either directly or through Citrix Gateway. Both domain-joined and non-domain-joined devices can be used, although the user experience is slightly different.

The figure shows the options for smart card authentication through Citrix Receiver for Windows or Citrix Workspace app for Windows.

For local users with domain-joined devices, you can configure smart card authentication so that users are only prompted for their credentials once. Users log on to their devices using their smart cards and PINs and, with the appropriate configuration in place, are not prompted for their PINs again. Users are silently authenticated to StoreFront and also when they access their desktops and applications. To achieve this, you configure Citrix Receiver for Windows or Citrix Workspace app for Windows for pass-through authentication and enable domain pass-through authentication to StoreFront.

Users log on to their devices and then authenticate to Citrix Receiver for Windows or Citrix Workspace app for Windows using their PINs. There are no further PIN prompts when they try to start apps and desktops.

Because users of non-domain-joined devices log on to Citrix Receiver for Windows or Citrix Workspace app for Windows directly, you can enable users to fall back to explicit authentication. If you configure both smart card and explicit authentication, users are initially prompted to log on using their smart cards and PINs but have the option to select explicit authentication if they experience any issues with their smart cards.

Users connecting through Citrix Gateway must log on using their smart cards and PINs at least twice to access their desktops and applications. This applies to both domain-joined and non-domain-joined devices. Users authenticate using their smart cards and PINs, and, with the appropriate configuration in place, are only prompted to enter their PINs again when they access their desktops and applications. To achieve this, you enable pass-through with Citrix Gateway authentication to StoreFront and delegate credential validation to Citrix Gateway. Then, create an additional Citrix Gateway virtual server through which you route user connections to resources. In the case of domain-joined devices, you must also configure Citrix Receiver for Windows or Citrix Workspace app for Windows for pass-through authentication.

> Note:
>
> If you are using Citrix Receiver for Windows or Citrix Workspace app for Windows, you can set up a second vServer and use the optimal gateway routing feature to remove the need for PIN prompts when starting apps and desktops.

Users can log on to Citrix Gateway using either their smart cards and PINs, or with explicit credentials. This enables you to provide users with the option to fall back to explicit authentication for Citrix Gateway logons. Configure pass-through authentication from Citrix Gateway to StoreFront and delegate credential validation to Citrix Gateway for smart card users so that users are silently authenticated to StoreFront.

Use smart cards with XenApp Services URLs


Users of PCs running the Citrix Desktop Lock can authenticate using smart cards. Unlike other access methods, pass-through of smart card credentials is automatically enabled when smart card authentication is configured for a XenApp Services URL.

The figure shows smart card authentication from a domain-joined device running the Citrix Desktop Lock.

Users log on to their devices using their smart cards and PINs. The Citrix Desktop Lock then silently authenticates users to StoreFront through the XenApp Services URL. Users are automatically authenticated when they access their desktops and applications, and are not prompted for their PINs again.

Use smart cards with Citrix Receiver for Web


You can enable smart card authentication to Citrix Receiver for Web from the StoreFront Administration Console.

1. Select the Citrix Receiver for Web node in the left panel.
2. Select the site for which you want to use smart card authentication.
3. Select the Choose Authentication Methods task in the right panel.
4. Check the Smart card checkbox in the popup dialog screen and click OK.

If you enable pass-through with smart card authentication to Citrix Virtual Apps and Desktops for Citrix Receiver for Windows or Citrix Workspace app for Windows users with domain-joined devices who do not access stores through Citrix Gateway, this setting applies to all users of the store. To enable both domain pass-through and pass-through with smart card authentication to desktops and applications, you must create separate stores for each authentication method. Your users must then connect to the appropriate store for their method of authentication.

If you enable pass-through with smart card authentication to Citrix Virtual Apps and Desktops for Citrix Receiver for Windows or Citrix Workspace app for Windows users with domain-joined devices accessing stores through Citrix Gateway, this setting applies to all users of the store. To enable pass-through authentication for some users and require others to log on to their desktops and applications, you must create separate stores for each group of users. Then, direct your users to the appropriate store for their method of authentication.

Use smart cards with Citrix Workspace app for iOS and Android


Users with devices running Citrix Workspace app for iOS and Android can authenticate using smart cards, either directly or through Citrix Gateway. Non-domain-joined devices can be used.

In the case of devices on the local network, the minimum number of logon prompts that users can receive is two. When users authenticate to StoreFront or initially create the store, they are prompted for the smart card PIN. With the appropriate configuration in place, users are prompted to enter their PINs again only when they access their desktops and applications. To achieve this, you enable smart card authentication to StoreFront and install smart card drivers on the VDA.

With these Citrix Workspace apps, you have the option of specifying smart cards OR domain credentials. If you created a store to use smart cards and you want to connect to the same store using domain credentials, you must add a separate store without turning on smart cards.

Users connecting through Citrix Gateway must log on using their smart cards and PINs at least twice to access their desktops and applications. Users authenticate using their smart cards and PINs, and, with the appropriate configuration in place, are only prompted to enter their PINs again when they access their desktops and applications. To achieve this, you enable pass-through with Citrix Gateway authentication to StoreFront and delegate credential validation to Citrix Gateway. Then, create an additional Citrix Gateway virtual server through which you route user connections to resources.

Users can log on to Citrix Gateway using either their smart cards and PINs or with explicit credentials, depending on how you specified the authentication for the connection. Configure pass-through authentication from Citrix Gateway to StoreFront and delegate credential validation to Citrix Gateway for smart card users so that users are silently authenticated to StoreFront. If you want to change the authentication method, you must delete and recreate the connection.

Use smart cards with Citrix Receiver for Linux or Citrix Workspace app for Linux


Users with devices running Citrix Receiver for Linux or Citrix Workspace app for Linux can authenticate using smart cards in a similar way to users of non-domain-joined Windows devices. Even if the user authenticates to the Linux device with a smart card, Citrix Receiver for Linux or Citrix Workspace app for Linux has no mechanism to acquire or reuse the PIN entered.

Configure the server side components for smart cards the same way you configure them for use with Citrix Receiver for Windows or Citrix Workspace app for Windows. Refer to Configure smart card authentication and, for instructions on using smart cards, see Citrix Receiver for Linux.

The minimum number of logon prompts that users can receive is one. Users log on to their devices and then authenticate to Citrix Receiver for Linux or Citrix Workspace app for Linux using their smart cards and PINs. Users are not prompted to enter their PINs again when they access their desktops and applications. To achieve this, you enable smart card authentication to StoreFront.

Because users log on to Citrix Receiver for Linux or Citrix Workspace app for Linux directly, you can enable users to fall back to explicit authentication. If you configure both smart card and explicit authentication, users are initially prompted to log on using their smart cards and PINs but have the option to select explicit authentication if they experience any issues with their smart cards.

Users connecting through Citrix Gateway must log on using their smart cards and PINs at least once to access their desktops and applications. Users authenticate using their smart cards and PINs and, with the appropriate configuration in place, are not prompted to enter their PINs again when they access their desktops and applications. To achieve this, you enable pass-through with Citrix Gateway authentication to StoreFront and delegate credential validation to Citrix Gateway. Then, create an additional Citrix Gateway virtual server through which you route user connections to resources.

Users can log on to Citrix Gateway using either their smart cards and PINs, or with explicit credentials. This enables you to provide users with the option to fall back to explicit authentication for Citrix Gateway logons. Configure pass-through authentication from Citrix Gateway to StoreFront and delegate credential validation to Citrix Gateway for smart card users so that users are silently authenticated to StoreFront.

Smart cards for Citrix Receiver for Linux or Citrix Workspace app for Linux are not supported with the XenApp Services Support sites.

Once smart card support is enabled for both the server and Citrix Workspace app, provided the application policy of the smart card certificates allows it, you can use smart cards for the following purposes:

* Smart card logon authentication. Use smart cards to authenticate users to Citrix Virtual Apps and Desktops servers.
* Smart card application support. Enable smart card-aware published applications to access local smart card devices.

Use smart cards with XenApp Services Support


Users logging on to XenApp Services Support sites to start applications and desktops can authenticate using smart cards without depending on specific hardware, operating systems, and Citrix Workspace apps. When a user accesses a XenApp Services Support site and successfully enters a smart card and PIN, PNA determines the user identity, authenticates the user with StoreFront, and returns the available resources.

For pass-through and smart card authentication to work, you must enable Trust requests sent to the XML service.

Use an account with local administrator permissions on the Delivery Controller to start Windows PowerShell and, at a command prompt, enter the following commands to enable the Delivery Controller to trust XML requests sent from StoreFront. The following procedure applies to XenApp 7.5 through 7.8 and XenDesktop 7.0 through 7.8.

1. Load the Citrix cmdlets by typing `asnp Citrix*.` (including the period).
2. Type `Add-PSSnapin citrix.broker.admin.v2`.
3. Type `Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $True`.
4. Close PowerShell.

For information about configuring the XenApp Services Support smart card authentication method, see Configure authentication for XenApp Services URLs.
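The same change as a function that can be re-run safely and that reads the setting back, as an added example (not a Citrix script); the snap-in name is the one the steps above load.

```powershell
# Added example, not a Citrix script: wraps the three PowerShell steps above in a
# function that is safe to re-run and that reads the setting back afterwards.
# Run on a Delivery Controller as a local administrator.
#
# Caveat: with this flag on, the Controller accepts the user identity that
# StoreFront asserts for pass-through and smart card logons without seeing a
# password, so anything that can reach the XML port (80 by default) can assert
# an identity. Restrict that port to the StoreFront servers with firewall rules.
function Enable-XmlServiceTrust {
    param([switch]$ReportOnly)   # inspect without changing anything

    # Steps 1 and 2: load the broker snap-in only if this session lacks it
    if (-not (Get-PSSnapin -Name Citrix.Broker.Admin.V2 -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Citrix.Broker.Admin.V2
    }

    $site = Get-BrokerSite
    if ($site.TrustRequestsSentToTheXmlServicePort) {
        Write-Host "Site '$($site.Name)': XML service trust is already enabled"
        return $true
    }
    if ($ReportOnly) {
        Write-Host "Site '$($site.Name)': XML service trust is DISABLED (no change made)"
        return $false
    }

    # Step 3
    Set-BrokerSite -TrustRequestsSentToTheXmlServicePort $true

    # Re-read the site object instead of assuming the call took effect
    $after = (Get-BrokerSite).TrustRequestsSentToTheXmlServicePort
    Write-Host "Site '$($site.Name)': XML service trust now $after"
    return [bool]$after
}

# Audit first; drop -ReportOnly to apply the change
Enable-XmlServiceTrust -ReportOnly
```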

Enable Modern authentication for your Exchange


Go to the Microsoft 365 admin center, then Settings, then Settings, then Services. Search for Modern authentication and enable it.

Note: do not enable it until you have reviewed the prerequisites.

Create conditional access policy to block legacy authentication


Navigate to the Azure portal, open Conditional Access and create a new policy with the following assignments:

* Users: all users, excluding service accounts. Do this exactly as follows and do not forget to exclude service accounts (Directory Synchronization Service Account).
* Cloud apps: all cloud apps.
* Under Client apps (preview), set Configure to Yes and, for mobile apps and desktop clients, choose Other clients (legacy or basic clients).
* Under Grant, select Block.
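The same policy built with the Microsoft Graph PowerShell SDK, as an added example that is not part of the post, so the settings can be reviewed as code; the excluded object id is a constructed placeholder for your tenant's Directory Synchronization Service Account, and it assumes the Microsoft.Graph.Identity.SignIns module and a Connect-MgGraph session with Policy.ReadWrite.ConditionalAccess and Policy.Read.All.

```powershell
# Added example, not from the post: creates the policy described above with the
# Microsoft Graph PowerShell SDK. Assumed prerequisites:
#   Install-Module Microsoft.Graph.Identity.SignIns
#   Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'

function New-BlockLegacyAuthPolicy {
    param(
        [Parameter(Mandatory)][string[]]$ExcludedUserIds,   # service / break-glass accounts
        [switch]$Enforce
    )
    # Report-only first: the sign-in logs then show which clients would have been
    # blocked, which is how you find legacy clients or accounts you forgot to exclude.
    $state = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }

    $body = @{
        displayName   = 'Block legacy authentication'
        state         = $state
        conditions    = @{
            # Assignments: all users minus the excluded service accounts
            users          = @{ includeUsers = @('All'); excludeUsers = $ExcludedUserIds }
            # All cloud apps
            applications   = @{ includeApplications = @('All') }
            # 'other' is the Graph name for "Other clients (legacy or basic clients)";
            # Exchange ActiveSync also uses basic authentication, so it is included.
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        # Grant: Block
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
    return New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Read the policy back and confirm it carries the settings the steps require
function Test-BlockLegacyAuthPolicy {
    param([Parameter(Mandatory)][string]$PolicyId)
    $p  = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId
    $ok = ($p.Conditions.ClientAppTypes -contains 'other') -and
          ($p.GrantControls.BuiltInControls -contains 'block') -and
          ($p.Conditions.Users.IncludeUsers -contains 'All')
    if (-not $ok) { Write-Warning "Policy $PolicyId does not block legacy authentication as expected" }
    return $ok
}

# Constructed placeholder id: replace with the DirSync service account's object id
$policy = New-BlockLegacyAuthPolicy -ExcludedUserIds @('00000000-0000-0000-0000-000000000000')
Test-BlockLegacyAuthPolicy -PolicyId $policy.Id
```

Re-run with -Enforce once the report-only sign-in logs show no legitimate traffic being blocked.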

Use Multi-Factor Authentication


Multi-factor authentication is one of the best solutions to the standard single sign-on method. It requires that your users present multiple pieces of evidence to verify their identity.

An example of this would be answering a question like "where did you go to school?" and then entering your ID and password to gain access to the remote access software. Just adding a simple question like this can greatly enhance your security.

You could take it a step further and require your outside vendors to call your operations department in order to acquire a single use passcode to remotely access your data, in addition to using their private ID and password.

If you want to get futuristic, you could use iris scanning technology or fingerprint technology for highly secure authentication.
