Self Paced QBA Advanced Training Single Sign-On Load Balanced with NS VPX for Question Based Authentication with DFS By: WWSR – Carlos H Lopez


Page 1

Self Paced QBA Advanced Training

Single Sign-On Load Balanced with NS VPX for Question Based Authentication with DFS

By: WWSR – Carlos H Lopez

Page 2

Agenda

• Module 1: Certificates for Load Balancing the Single Sign-On Service
• Module 2: Central Store with a DFS Namespace and Replication
• Module 3: Single Sign-On Service with a Load Balanced Configuration
• Module 4: Netscaler VPX for Load Balancing the Single Sign-On Service
• Module 5: Single Sign-On User Configuration for Self-Service and QBA
• Module 6: Single Sign-On Plugin and testing QBA functionality
• Troubleshooting Resources

Page 3

Module 1: Certificates for Load Balancing the Single Sign-On Service

By the end of this module, you should be able to:
• Request a certificate from a CA
• Complete the certificate request from the CA

Page 4

© 2013 Citrix | Confidential – Do Not Distribute

Certificates

• The CPM Service is a secure web service and requires an SSL certificate
• The CPM Service machine and every agent machine must have the root certificate of the issuing root CA
• The name on the SSL certificate must match the FQDN of the CPM Service machine unless a virtual host name is used

Page 5

Load Balanced Certificate

• To load balance any service that requires SSL you need to provide one of the following certificates:
  ᵒ A certificate with an exportable private key, exported with the same common name
  ᵒ A certificate with a wildcard identifier
  ᵒ A certificate issued to two separate servers independently with the same common name
• The certificate FQDN must match the server's FQDN
• CPM allows the use of a Virtual Host name to override the FQDN so that it matches the certificate's FQDN

Page 6

Module 2: Central Store with a DFS Namespace and Replication

By the end of this module, you should be able to:
• Set up a Central Store with a backup repository with DFS
• Set up a DFS namespace and replication for the SSON Central Store

Page 7

Central Store Types

• NTFS
  ᵒ Leverages the convenience of your existing Active Directory user authentication and tree structure
  ᵒ No need to extend the Active Directory schema
• Active Directory
  ᵒ Leverages the convenience of your existing Active Directory user authentication and object administration
  ᵒ Requires you to extend the schema of your existing Active Directory

Page 8

Central Store with a DFS Namespace

• A DFS namespace is a virtual view of shared folders in an organization
• It allows the use of one name, e.g. \\DS1\Share, to point to a share location that is backed by two locations
• The shared folders in a namespace must contain mirrored information; this can be done by using replication from DFS

Page 9

Central Store with backup replication: DFS

• DFS allows administrators to group shared folders located on different servers by transparently connecting them to one or more DFS namespaces
• FRS (File Replication Service) is a dependency of DFS; this is the technology that replicates shared folders to keep data highly available and synchronized

Page 10

Module 3: Single Sign-On Service with a Load Balanced Configuration

By the end of this module, you should be able to:
• Configure the SSON service on multiple SSON servers for load balancing

Page 11

Citrix Single Sign On Architecture

Page 12

Citrix Single Sign On Architecture with DFS and Load Balancing

Diagram (labels recovered from the slide): SSON Agent → 443 → NetScaler VPX with a Virtual IP (FQDN) → two SSON Service hosts (XTE Service, Data Proxy Account, Self Service Account) → NTFS Central Store via DFS Namespace with DFS Replication; Active Directory; Citrix Licensing

Page 13

Citrix Single Sign-On Service & Accounts

• Required for the following advanced features:
  ᵒ Account Self-Service
  ᵒ Automatic Key Recovery or Security Questions Key Recovery
• Apache web based Citrix XTE Service for authentication of users during SSPR
• Data Proxy Account for central store read & write access
• Self Service Account for AD account unlock and password resets

Page 14

Account Self-Service

• Allows a user to reset or unlock their Windows password
• Users can reset/unlock passwords on the SSON agent, wherever it is installed (i.e. Endpoint, XenApp Server, or Web Interface)
• Uses the Question-Based Authentication System
• Requires the Password Manager Service
  ᵒ XTE

Page 15

How Does Account Self-Service Work?

Diagram (labels recovered from the slide): Endpoint Device (SSON Agent) → 443 → SSON Service (XTE Service, Data Proxy Account, Self Service Account) → Central Store, Active Directory

• The user needs to be authenticated by submitting their credentials. (XTE service: Network Service/Local Service/or SPN Account)
• The Service does a proxy read to determine if the user has registered. (Data Proxy Account)
• If user QBA data is found, a series of questions is sent to the user; if not, the user is presented with QBA registration. (Data Proxy Account)
• Once the questions are answered, the user proceeds with Account Self-Service. If registering, once registration is done, the answers are saved in the Central Store. (Data Proxy Account)
• The user attempts a password reset or account unlock; this request is sent to a DC. (Self Service Account)
• The user is informed of the result: Success/Fail

Page 16

Account Self-Service Considerations

• Active Directory integration only
  ᵒ Active Directory password policies are enforced when resetting the password
  ᵒ A message is given to the user if the new password does not meet requirements
• Security questions are customizable
  ᵒ Four sample questions are provided by default
• Only one set of questions can be used per central store
  ᵒ Questions need to apply to all Password Manager users tied to the central store
  ᵒ Questions can be written in multiple languages

Page 17

Account Self-Service Considerations

• Deployment Method (Agent Device versus Web Interface)
  ᵒ Agent device
    • The Password Manager Agent can only be deployed on Windows machines, so this restricts Account Self-Service access to Windows machines
    • The agent machine needs to be able to access the Password Manager Service, so this machine needs to be on the LAN
  ᵒ Web Interface
    • Provides browser access to Account Self-Service from any OS (Windows, Mac, etc.)
    • Requires the user to get on some machine and access the web
    • Web Interface needs to be SSL secured

Page 18

Module 4: Netscaler VPX for Load Balancing the Single Sign-On Service

By the end of this module, you should be able to:
• Set up a “service” for each Single Sign-On server hosting the service
• Set up a virtual server and apply the existing services to the virtual server
• Configure a Netscaler VPX1000 for load balancing

Page 19

NetScaler Overview

• Citrix NetScaler is an all-in-one web application delivery controller that makes applications run five times better, reduces web application ownership costs, and makes sure that applications are always available

Page 20

NetScaler Load Balancing

• The NetScaler VPX appliance can be used to load balance any service running on a Windows server
• To create a load balanced service, you create a service definition for each server hosting the service and a virtual server; the virtual server is the entry point that uses the defined services to do the load balancing

Page 21

Module 5: Single Sign-On User Configuration for Self-Service and QBA

By the end of this module, you should be able to:
• Configure the User Configuration for Self Service with QBA
• Set up the Key Management Module and validate the service

Page 22

Key Management Overview

• An encryption key is…
  ᵒ Generated based on the user’s primary credential (username/password)
  ᵒ Used to lock/unlock the local store to use the agent
• When a user’s primary password changes, the Agent…
  ᵒ must regenerate the old encryption key to gain access to the user’s local store
  ᵒ must apply a new encryption key based on the new password

Page 23

Key Recovery Methods

• Specifies how the agent should recover the key after a primary password change to unlock the local store
• Three options:
  1. Enter previous password
  2. Answer security questions or enter previous password
  3. Automatic key recovery

Page 24

Key Recovery Options for Self Service

• Answer Security Questions or Supply Previous Password
  ᵒ User chooses between the two options for the key recovery event
  ᵒ Requires security question enrollment during agent first time use
  ᵒ Requires use of the Password Manager Service
• Automatic Key Recovery
  ᵒ No user interaction required for the key recovery event
  ᵒ User impersonation is possible by a rogue Admin
  ᵒ Requires use of the Password Manager Service

Option in RED is required for Question Based Authentication

Page 25

Question Based Authentication

• A series of ‘life’ questions – or questionnaire
• Managed by the admin from the Console
• Requires the CPM Service
• Used as a secondary method of authentication
  ᵒ Account Self-Service
  ᵒ Key Recovery
• User registers their answers on first-time use

Page 26

Manage Questions – Security Questions

• By default the top 4 questions will be used if no custom questions were created

Page 27

Manage Questions – Question groups

• You can also create a Security Question group to group the questions you wish the user to be presented with
• You can also choose the number of questions to be answered

Page 28

Manage Questions – Questionnaire

• The Questionnaire allows the user to select from the pool of questions and question groups
• Questions and question groups may be added to the questionnaire

Page 29

Manage Questions – Key Recovery

• The checkboxes are used to select which questions and/or question groups will be used in the key recovery process

Page 30

Module 6: Single Sign-On Plugin and testing QBA functionality

By the end of this module, you should be able to:
• Install and test a Single Sign-On plugin for a load balanced SSON environment

Page 31

Setting up the Single Sign-On Agent

• When load balancing the Single Sign-On service and using a DFS namespace and replication, setting up the agent with the correct information is required for it to function
• When configuring the NTFS central store, use the namespace created in the DFS Management console
• When configuring the Key Management Module, use the FQDN of the load balanced certificate name / Virtual Hostname FQDN

Page 32

Troubleshooting Resources

Page 33

Agent Logging

• Client side logging is the most helpful direction when troubleshooting QBA issues. You will typically encounter a SOAP error if QBA fails.
• To enable agent logging, create the following registry key…
  ᵒ HKEY_LOCAL_MACHINE\Software\Wow6432node\Citrix\Metaframe Password Manager\Log\
  ᵒ The values contained in this key are:
    • Enabled (DWORD): 0 – Logging is disabled; 1 – Logging is enabled
    • Filter (DWORD), Default: 0xFFFFFFFF; 0xFFFFFFFF – Turns on logging for all components
    • There are other options for Filter, but for troubleshooting it is best to turn on all components.
  ᵒ The log file will start to be written immediately and will be located here:
    • %USERPROFILE%\Application Data\Citrix\MetaFrame Password Manager\sso_%USERNAME%.log
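Added example (not from the training deck): a PowerShell helper that sets the Enabled and Filter values under the registry key named on this slide and then pulls SOAP-related lines from the agent log. The key path, value names and log file name are the slide's; the function names and the use of $env:APPDATA for the user's "Application Data" folder are assumptions.

```powershell
# Added example, not Citrix code. Run from an elevated PowerShell prompt.
# The key lives under Wow6432Node because the Password Manager agent is 32-bit.
$LogKey = 'HKLM:\SOFTWARE\Wow6432Node\Citrix\Metaframe Password Manager\Log'

function Enable-SsonAgentLogging {
    param([switch]$Disable)   # -Disable turns logging back off once troubleshooting is done

    if (-not (Test-Path $LogKey)) { New-Item -Path $LogKey -Force | Out-Null }

    # Enabled (DWORD): 0 = logging disabled, 1 = logging enabled
    $enabled = if ($Disable) { 0 } else { 1 }
    Set-ItemProperty -Path $LogKey -Name 'Enabled' -Value $enabled -Type DWord

    # Filter (DWORD): 0xFFFFFFFF turns on logging for all components.
    # PowerShell treats 0xFFFFFFFF as [int]-1; the registry provider stores it as REG_DWORD FFFFFFFF.
    Set-ItemProperty -Path $LogKey -Name 'Filter' -Value ([int]-1) -Type DWord

    # Echo the stored values so the change can be verified at a glance
    Get-ItemProperty -Path $LogKey |
        Select-Object Enabled, @{ n = 'Filter'; e = { '0x{0:X8}' -f $_.Filter } }
}

function Get-SsonAgentLog {
    # Slide path: %USERPROFILE%\Application Data\Citrix\MetaFrame Password Manager\sso_%USERNAME%.log
    # "Application Data" is a junction to AppData\Roaming on current Windows, so $env:APPDATA is used (assumption).
    $log = Join-Path $env:APPDATA "Citrix\MetaFrame Password Manager\sso_${env:USERNAME}.log"
    if (-not (Test-Path $log)) {
        Write-Warning "Log not written yet: $log (start the agent and reproduce the QBA failure)"
        return
    }
    # A failing QBA request usually surfaces as a SOAP error, so show those lines first
    Select-String -Path $log -Pattern 'SOAP' | Select-Object -Last 20
}

Enable-SsonAgentLogging
Get-SsonAgentLog
```

Run Enable-SsonAgentLogging -Disable after the investigation so the agent stops writing credentials-adjacent diagnostics to the user profile.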

Page 34

Certificate Request

• In these labs we use IIS Manager to request the certificates; this is only one method of making a certificate request to a CA.
• Certificate requests can also be made via the MMC and Web Enrollment, thus not having to install IIS Manager: http://social.technet.microsoft.com/wiki/contents/articles/10377.create-a-certificate-request-using-microsoft-management-console-mmc.aspx
• Certificate requests can also be made from the command line using certreq on W2K8R2 and above: http://technet.microsoft.com/library/cc725793.aspx

Page 35

Soap Error Codes

• SOAP is a lightweight protocol for the exchange of information in a decentralized, distributed environment
• For QBA almost all errors will be in the form of a SOAP error code in the agent logs. Use the SOAP error code to help you understand where to start troubleshooting
• You can use the Google developers site for SOAP errors: https://developers.google.com/doubleclick-advertisers/docs/error_codes

Page 36

Soap Error Codes Cont..

Page 37

CDF Tracing

• Typically only used in QBA troubleshooting when you encounter an Exception 12 error. This error will typically be presented in the agent logging.
• Typically not needed to troubleshoot QBA

Page 38

Troubleshooting Methodology

• Validate the XTE service configuration via the service configuration tool
• Review the XTE service logs for clues about the issue
• Check for the correct user groups in the httpd.conf file
• Validate certificates
• Verify the firewall is not blocking ports
• Verify all the settings in the User Configuration in the AppCenter
• Verify DNS and that you can ping the FQDN of the service from the client; check the services via a web browser to see if you have certificate, authentication, or service issues
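The DNS, firewall and certificate checks above, as an added PowerShell script that is not part of the training deck: it resolves the load balanced FQDN, tests TCP 443, completes a TLS handshake, and reports whether the presented certificate chains to a root the client trusts and whether its name matches the FQDN (the virtual host name). The function names and the FQDN sson.example.local are assumptions.

```powershell
# Added example, not Citrix code. Run on an agent machine against the load balanced FQDN.
function Test-SsonServiceEndpoint {
    param([Parameter(Mandatory)][string]$Fqdn, [int]$Port = 443)

    $r = [ordered]@{ Fqdn = $Fqdn; DnsResolves = $false; PortOpen = $false
                     ChainTrusted = $false; NameMatches = $false; CertNames = @() }

    # Step 1: DNS. In a load balanced deployment this should return the NetScaler VIP.
    try {
        $r.Addresses = [System.Net.Dns]::GetHostAddresses($Fqdn).IPAddressToString -join ', '
        $r.DnsResolves = $true
    } catch { return [pscustomobject]$r }

    # Step 2: TCP reachability on 443, which separates a firewall block from a TLS failure.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Fqdn, $Port); $r.PortOpen = $true }
    catch { $tcp.Dispose(); return [pscustomobject]$r }

    # Step 3: TLS handshake. Accept any certificate in the callback so it can be inspected below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Chain trust fails when the issuing root CA is not installed on this agent machine.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainTrusted = $chain.Build($cert)
        $r.ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Name match: subject CN plus any DNS entries in the SAN extension (OID 2.5.29.17).
        $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,]+)') |
                ForEach-Object { $_.Groups[1].Value.Trim() }
        }
        $r.CertNames = @($names | Where-Object { $_ } | Select-Object -Unique)
        $r.NameMatches = [bool]($r.CertNames | Where-Object { Test-HostnameMatch $Fqdn $_ })
    } catch { $r.TlsError = $_.Exception.Message }
    finally { $ssl.Dispose(); $tcp.Dispose() }
    [pscustomobject]$r
}

# Matches an exact name or a single-label wildcard such as *.example.local.
function Test-HostnameMatch([string]$HostName, [string]$CertName) {
    if ($CertName.StartsWith('*.')) {
        $suffix = $CertName.Substring(1)
        return $HostName.EndsWith($suffix, 'OrdinalIgnoreCase') -and
               ($HostName.Split('.').Count -eq $CertName.Split('.').Count)
    }
    return [string]::Equals($HostName, $CertName, 'OrdinalIgnoreCase')
}

# 'sson.example.local' is a constructed placeholder for the load balanced virtual host name.
Test-SsonServiceEndpoint -Fqdn 'sson.example.local' | Format-List
```

ChainTrusted = False with a ChainStatus of UntrustedRoot points at the missing root certificate from Module 1; NameMatches = False points at a certificate name / virtual host name mismatch.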

Page 39

Troubleshooting Methodology Cont.

• Admin error can also play a big role: any misspellings or misconfigurations when installing the Single Sign-On Agent can also cause QBA and other things to fail. Validate the agent via the registry:
• SSPR/QBA:
• Central Store:

Page 40

Environment Setup Lab

• Open the Lab_Guide.docx – formatting will be different if using Word 2007 and below
• Go through modules 1-6; the Lab Guide will walk you through setting up a load balanced and HA Single Sign-On environment using Distributed File System replication and namespace with a Netscaler VPX
• Once the environment lab is done, continue to the practice labs.

Page 41

Practice Labs

• There will be 3 Practice Labs; each lab has an executable, and these executables must be run from a specified location (instructions can be found in the lab guide). You must complete each lab to continue to the next lab.
• A GoToMeeting session will be available for Q&A to assist you during your training.

Page 42

Support Articles for Question Based Authentication

• CTX136541: Troubleshooting Citrix Single Sign-On Question Based Authentication
  ᵒ The above article was written to address and assist troubleshooting Question Based Authentication failures
• CTX107169: Troubleshooting the Citrix Password Manager Service
• CTX127082: How to Obtain an SSL Certificate from a Windows 2008 or Windows 2008R2 Certificate Authority for Citrix Password Manager
• CTX112838: How to Only Deploy the Account Self-Service Features of Password Manager