SafeNet Authentication Manager
Integration Guide
Using SafeNet Authentication Manager with Citrix XenApp 6.5
Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright © 2013 SafeNet, Inc. All rights reserved.
Document Information
Release Date: March 2014
Trademarks
All intellectual property is protected by copyright. All trademarks and product names used or referred to are the
copyright of their respective owners. No part of this document may be reproduced, stored in a retrieval system
or transmitted in any form or by any means, electronic, mechanical, chemical, photocopy, recording, or
otherwise, without the prior written permission of SafeNet, Inc.
Disclaimer
SafeNet makes no representations or warranties with respect to the contents of this document and specifically
disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, SafeNet
reserves the right to revise this publication and to make changes from time to time in the content hereof without
the obligation upon SafeNet to notify any person or organization of any such revisions or changes.
We have attempted to make these documents complete, accurate, and useful, but we cannot guarantee them to
be perfect. When we discover errors or omissions, or they are brought to our attention, we endeavor to correct
them in succeeding releases of the product.
SafeNet invites constructive comments on the contents of this document. These comments, together with your
personal and/or company details, should be sent to the address or email below.
Mail: SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Email: [email protected]
SafeNet Authentication Manager: Integration Guide
Using SafeNet Authentication Manager with Citrix XenApp 6.5
Copyright © 2014 SafeNet, Inc., All rights reserved.
2
Contents
About SafeNet Authentication Manager, page 4
Applicability, page 4
Audience, page 4
Overview, page 5
RADIUS-based Authentication Using SAM, page 6
NPS Configuration, page 7
SAM Configuration, page 8
  SAM 8.2 Installation, page 8
  SAM 8.2 OTP Connector, page 8
  Configuring RADIUS Authentication, page 8
User Store Deployment, page 11
  Supported User Stores, page 11
Supported Tokens, page 12
  Supported OTP Hardware Tokens, page 12
  Supported OTP Software-based Tokens, page 12
Running the Solution, page 12
Support Contacts, page 13
About SafeNet Authentication Manager
SafeNet Authentication Manager (SAM) enables complete user token lifecycle management. SAM links tokens
with users, organizational rules, and security applications to enable streamlined handling of users' needs
throughout the various user token lifecycle stages.
Citrix XenApp 6.5 is a secure application and data access solution that provides IT administrators with a single
interface for managing access control, and for limiting actions within sessions, based on both user identity and
the endpoint device.
Integrating SAM with Citrix XenApp 6.5 provides a strong authentication approach based on multi-factor
authentication (MFA) for handling evolving business requirements, as well as new threats, risks, and
vulnerabilities. This document provides guidance for deploying multi-factor authentication in Citrix XenApp 6.5
using authentication methods managed by SafeNet Authentication Manager (SAM).
The user store is configured and synchronized between SAM and Citrix AG. The solution supports various user
stores, as described under “User Store Deployment” on page 11. In this document, Citrix XenApp 6.5 uses
Microsoft’s Active Directory (AD) as its user store.
In this document, the demonstrated solution includes one-time password (OTP) authentication.
Applicability
The information in this document applies to SafeNet Authentication Manager version 8.2 and Citrix XenApp 6.5.
Audience
This document is intended for system administrators who are familiar with Citrix XenApp 6.5 and are interested
in adding multi-factor authentication capabilities using SafeNet Authentication Manager.
Overview
This document assumes that Citrix XenApp 6.5 is deployed in the organization. It will guide you through the
process of adding multi-factor authentication capabilities to Citrix XenApp 6.5 using SafeNet Authentication
Manager.
For the purpose of working with SafeNet Authentication Manager, the RADIUS protocol is used. Remote
Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized authentication,
authorization, and accounting management for computers that connect and use a network service.
The deployment of multi-factor authentication support using SafeNet Authentication Manager with Citrix XenApp
6.5 requires completion of the following steps:
• Configure RADIUS communication between the Citrix Web Interface and SafeNet Authentication Manager.
• Synchronize the Citrix Web Interface with the SAM User Store.
• Assign tokens to users. See the section “Supported Tokens” on page 12 for a list of supported one-time
  password (OTP) tokens.
• Test the authentication solution.
NOTE: This document assumes that the XenApp 6.5 environment is already
configured and working with static passwords prior to implementing multi-factor
authentication using SafeNet Authentication Manager.
RADIUS-based Authentication Using SAM
Figure 1 illustrates the data flow of a multi-factor authentication transaction for Citrix XenApp 6.5.
1. The user attempts to log in to the Citrix published resource via the Citrix Web Interface.
2. Citrix Web Interface sends a RADIUS request with the user’s credentials to the NPS Server.
3. The NPS server validates the credentials.
4. The SAM reply (approving or declining access) is sent back to the NPS server.
5. The NPS server forwards the reply to the Web Interface.
6. The user is granted or denied access to the web application, based on the validation result.
7. If validation is successful, the user receives access to the XenApp published application.
Figure 1: Data flow of multi-factor authentication for Citrix XenApp 6.5 using SAM
NPS Configuration
Communication between Citrix Web Interface and Microsoft Network Policy Server (NPS) is based on the
RADIUS protocol. NPS can be used as a RADIUS server to perform authentication, authorization, and
accounting for RADIUS clients.
To add a RADIUS client entry in NPS so that it can receive RADIUS authentication requests from Citrix Web
Interface, you will need the following information:
• the IP address of Citrix Web Interface
• the shared secret to be used by both NPS and Citrix Web Interface
To configure Citrix Web Interface as a RADIUS client:
1. Click Start > Administrative Tools > Network Policy Server.
2. On the Network Policy Server dialog box, in the left pane, click RADIUS Clients and Servers, then select
RADIUS Clients.
3. On the menu bar, click Action > New.
4. On the New RADIUS Client dialog box, complete the following fields:
   Friendly name: Type a name for the client.
   Address: Type the IP address or the DNS name of the Citrix Web Interface.
   Shared secret: Select Manual, and then type the shared secret that was configured in SAM. This secret will
   be needed later for the Citrix Web Interface RADIUS authentication configuration.
   Confirm shared secret: Type the shared secret again to confirm.
5. Click OK.
SAM Configuration
SafeNet's OTP plug-in for Microsoft RADIUS Client works with Microsoft’s Internet Authentication Service (IAS)
Server or Network Policy Server (NPS) to provide strong authentication for remote access through the Microsoft
IAS or NPS RADIUS Server. When configured, users requesting remote access to their network using IAS or
NPS are prompted to enter a token-generated OTP passcode.
SAM 8.2 Installation
For the integration described in this document, install one-time password (OTP) authentication for MS RADIUS
Client.
• When installing SAM using the SafeNet Authentication Manager 8.2 Installer, install OTP Authentication >
  RADIUS Authentication.
• If the RADIUS server and SAM are on the same computer, use the SafeNet Authentication Manager 8.2
  Installer to install SAM OTP plug-ins, or install the OTP Plug-In for Microsoft RADIUS Client using SafeNet
  OTP Plug-In Package 8.2.
• If the RADIUS server and SAM are on different computers, install the OTP Plug-In for Microsoft RADIUS
  Client on the RADIUS server using SafeNet OTP Plug-In Package 8.2. For more information, refer to the
  SafeNet Authentication Manager Version 8.2 Administrator Guide.
SAM 8.2 OTP Connector
For the integration described in this document, configure the SAM Connector for OTP Authentication. For more
information about the OTP connector, refer to the section “Connector for OTP Authentication” in the SafeNet
Authentication Manager Version 8.2 Administrator Guide.
Configuring RADIUS Authentication
SafeNet's OTP architecture includes the SafeNet RADIUS Server for back-end OTP authentication. This
enables integration with any RADIUS-enabled gateway or application.
For the integration described in this document, the SafeNet RADIUS Server accesses user information in the
Active Directory infrastructure via SafeNet Authentication Manager. SafeNet’s OTP architecture requires the MS
RADIUS Server (NPS) to be installed. After installing NPS, add Citrix Web Interface as a RADIUS Client in the
NPS. Communication between Citrix Web Interface and SafeNet Authentication Manager is based on RADIUS
protocol.
To enable SAM to receive RADIUS requests from Citrix Web Interface:
• Ensure that end users can authenticate to Citrix Web Interface with a static password before configuring AG
  to use RADIUS authentication.
• Ensure that ports 1812 and 1813 are open to Citrix Web Interface.
To configure Citrix AG to use RADIUS protocol as a secondary authentication method:
1. Open the Citrix Web Interface Management console.
2. Right-click on the XenApp website and select Authentication Methods.
3. Under Authentication Methods, select Explicit, then click Properties.
4. On the Properties - XenApp dialog box, select Explicit > Two-Factor Authentication.
5. In the Two-factor setting field, select RADIUS.
6. In the RADIUS server addresses box, do the following:
a. Click the Add button.
b. On the Add RADIUS Server dialog box, enter the NPS IP address and port number.
c. Click OK.
7. Next, you must configure the RADIUS shared secret. A shared secret file must be manually created for the
RADIUS server defined under the Two-Factor Authentication method.
a. On the Citrix Web Interface server, browse to the directory \inetpub\wwwroot\Citrix\sitepath\conf.
   • Create a file called radius_secret.txt that contains the RADIUS shared secret.
b. Browse to the directory \inetpub\wwwroot\Citrix\sitepath\conf.
c. Use a text editor to open the file web.config and do the following:
   • Search for RADIUS_NAS_IDENTIFIER and, for the value, type citrixwi.
   • Search for RADIUS_NAS_IP_ADDRESS and, for the value, type the IP address assigned to the
     Citrix Web Interface server.
d. Save and close the file.
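The RADIUS exchange of Figure 1, and the role of the shared secret and NAS settings configured in steps 4 to 7 above, shown as an added example in Python; this is not code from the guide, from SafeNet or from Citrix. It builds an RFC 2865 Access-Request the way the Web Interface would (OTP passcode in User-Password, hidden with the shared secret; NAS-IP-Address and NAS-Identifier from the web.config values), then shows how the reply authenticator lets the client reject replies not produced with the same secret. The secret, user and address values are constructed for the example.

```python
# Added example, not part of the SafeNet/Citrix guide: a minimal RFC 2865
# Access-Request / Access-Accept exchange. Secret, user and NAS values used
# with it are constructed; attribute type codes are the standard RADIUS ones.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32


def attr(kind, value):
    """Encode one Type-Length-Value attribute (Length counts the 2-byte header)."""
    return struct.pack("!BB", kind, len(value) + 2) + value


def hide_password(secret, authenticator, password):
    """PAP hiding (RFC 2865 5.2): XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def build_access_request(secret, ident, username, passcode, nas_ip, nas_id):
    """Web Interface side: the OTP passcode travels in User-Password; NAS-IP-Address and
    NAS-Identifier carry the RADIUS_NAS_IP_ADDRESS / RADIUS_NAS_IDENTIFIER settings."""
    authenticator = os.urandom(16)  # fresh Request Authenticator per request
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(secret, authenticator, passcode.encode()))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_response(secret, code, ident, request_authenticator, attrs=b""):
    """NPS side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, packet, request_authenticator):
    """Client side: accept a reply only if its authenticator was computed with the shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)
```

A mismatch between the secret in radius_secret.txt and the one entered in the NPS RADIUS client entry shows up exactly as verify_response returning False (and NPS failing to decode User-Password), which is why the guide has you copy the same value into both places.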
User Store Deployment
SafeNet Authentication Manager manages and maintains OTP token information in its data store. This
information includes the token status, the OTP algorithm used to generate OTPs, and the token assignment to
the user. User information is managed and maintained in a user store. SafeNet Authentication Manager can be
integrated with your organization’s external user store. If your organization does not use an external user store,
SAM 8.2 enables the use of an internal (“stand-alone”) user store created and maintained by the SAM server.
Supported User Stores
SAM 8.2 supports the following user stores:
• Microsoft Active Directory (Windows Server 2003 or Windows Server 2008)
• ADAM (in an integrated configuration solution using a stand-alone user store)
• Remote Active Directory
• Microsoft SQL Server 2005/2008
• OpenLDAP
• Novell eDirectory
For more information, refer to the SafeNet Authentication Manager Version 8.2 Administrator Guide.
Supported Tokens
SafeNet Authentication Manager supports both hardware and software-based one-time password (OTP) tokens.
Supported OTP Hardware Tokens
SAM 8.2 supports the following OTP hardware tokens:
• eToken NG-OTP
• eToken PASS
• eToken Gold
Supported OTP Software-based Tokens
MobilePASS tokens are software-based OTP tokens. These tokens enable generation of OTP passwords on
mobile devices or personal computers without requiring a hardware token. SAM 8.2 supports MobilePASS on
the following platforms:
• Blackberry OS version 4.6 and later
• Microsoft Windows XP, Windows 7, and Windows 8
• Microsoft Windows for Phone 7
• All versions of Android OS
• All versions of iOS
Running the Solution
1. Open Citrix Web Interface.
2. Open the SafeNet MobilePASS app on your smartphone and generate an OTP.
NOTE: The MobilePASS app may prompt you to enter your PIN.
3. On the Citrix XenApp Log on dialog box, complete the following fields:
   User name: Type your user name.
   Password: Type your password.
   Domain: Type the XenApp domain name to which you are connecting. This information can be obtained
   from the system administrator.
   PASSCODE: Type your SafeNet OTP passcode.
4. You are logged in to Citrix and the user application set is displayed.
Support Contacts
If you encounter a problem while installing, registering or operating this product, please make sure that you have
read the documentation. If you cannot resolve the issue, contact your supplier or SafeNet Customer Support.
SafeNet Customer Support operates 24 hours a day, 7 days a week. Your level of access to this service is
governed by the support plan arrangements made between SafeNet and your organization. Please consult this
support plan for further information about your entitlements, including the hours when telephone support is
available to you.
Table 1: Support Contacts
Address: SafeNet, Inc., 4690 Millennium Drive, Belcamp, Maryland 21017, USA
Phone: United States 1-800-545-6608; International 1-410-931-7520
Email: [email protected]
Support and Downloads: www.safenet-inc.com/Support
  Provides access to the SafeNet Knowledge Base and downloads for various products.
Technical Support Customer Portal: https://serviceportal.safenet-inc.com
  Existing customers with a Technical Support Customer Portal account can log in to manage incidents, get the
  latest software upgrades, and access the SafeNet Knowledge Base.