Bruce Huber

Citrix MetaFrame Password Manager 2.0 Installation and Configuration. Bruce Huber. Lead Sales Engineer. Citrix Systems, Inc.


Presentation Transcript


  1. Citrix MetaFrame Password Manager 2.0 Installation and Configuration Bruce Huber Lead Sales Engineer Citrix Systems, Inc.

  2. Non Disclosure Agreement This presentation is confidential. By virtue of your relationship with Citrix, you are bound to retain in confidence all information in this presentation.

  3. Agenda • Introduction slides 15 mins. • Technical Detail slides 30 mins. • Q & A 5 mins.

  4. Credentials, Credentials & more Credentials

  5. Where do the credentials end up?

  6. What is Single Sign-On? • User authenticates ONCE and gains access to multiple secured applications/resources • User needs to remember only ONE set of credentials • Application credentials automatically (and securely) handled by the system

  7. Who Needs Single Sign-on? “I already have single sign-on. I use the same password everywhere!” • Anonymous

  8. Introducing: Citrix MetaFrame Password Manager

  9. What is MetaFrame Password Manager? • Single Sign-On solution for: MetaFrame Presentation Server Deployment, Desktop Deployment, Mixed Deployment (MetaFrame Presentation Server + Desktop) • User only needs to remember primary credentials • Handles all secondary logons and password change requests automatically • End users and administrators can configure applications using an easy-to-use wizard • Central administration and control • Meets all traveling/mobile user needs

  10. MetaFrame Password Manager Benefits
      • Simplification of end-user computing
        • Only need to remember a single set of credentials
        • Automatic password changes
      • Reduction of help-desk costs
        • Eliminating calls for password resets
        • Simplifying password management
      • Increase in network security
        • Helps enforce stricter password policies
        • Eliminates weak password selection
        • No more Post-It Notes !!!
        • No sharing of passwords
      “30 percent of all calls to the help desk are for password resets” - Gartner Group
      “Each time an end-user calls the help desk, it costs the organization $25-$50.” - Giga Research
      “Majority of end users end up writing down their passwords.”

  11. How does it work?

  12. Features • Designed to work seamlessly with: • MetaFrame Presentation Server XP • Web Interface for MetaFrame • MetaFrame Secure Access Manager • All ICA clients

  13. Features • Provides password security and single sign-on access • No application modification needed • No programming or scripting required • Predefined templates • Create your own application definitions

  14. Benefits • Enterprise-level Single Sign-on • Rapidly SSO-enable Applications • Centralized Configuration • Access Security • Reduced Help Desk Costs

  15. Components • The Management Console is used to administer the MetaFrame Password Manager environment • The ‘Agent’ resides with the applications that need credentials filled in

  16. Authentication • Windows Authentication including Active Directory • Graphical Identification & Authentication (GINA) Chaining

  17. Deployment Options • Workstation • MetaFrame XP Presentation Server • Mixed Mode

  18. Types of Central Credential Stores • MS Active Directory - CtxSchemaPrep - CtxDomainPrep OR • MS File Share - CtxFileSyncPrep

  19. Technical Overview

  20. MetaFrame Password Manager Functional Components

  21. MetaFrame Password Manager Functional Components • Administrative tool to centrally manage MetaFrame Password Manager deployment • Configures applications and user settings • Pushes settings into Central Credential Store for Agents to synchronize from

  22. MetaFrame Password Manager Functional Components • Stores all settings configured by administrators • Based on Active Directory or Network File Share • Agent synchronizes settings from credential store • All credentials stored encrypted using Microsoft Crypto API

  23. MetaFrame Password Manager Functional Components • Stores all settings configured by administrator • Client/Desktop component • Synchronizes settings from Credential Store • Has its own local credential store for offline/mobile use • Detects logon and change password events • Automatically fills in secondary credentials and changes passwords for end users

  24. MetaFrame Password Manager Architectural Components

  25. Architectural Benefits
      • Event-driven Client Side Intelligence
        • No scripts or connectors
        • No changes to applications
        • Automatically detects logon and password change events
      • Authentication
        • Support for strong authentication
        • No need for additional authentication servers

  26. Architectural Benefits (cont.)
      • Synchronization
        • Centralized management
        • Integration with existing infrastructure
          • Active Directory
          • File System
        • Local credential store on agent for offline/mobile Single Sign On
      • Encryption
        • Credentials stored securely
        • Support for standard 3DES encryption

  27. Authentication
      • Functions
        • Gets credentials and passes them to get the user authenticated
        • Unlocks credential store
        • Passes credentials to the Shell on request
      • Primary authentication managed by the operating system
      • Password Manager GINA (SSOGINA) added for pre-processing
        • Captures credentials and passes them to shell in order to unlock credential databases (local and central credential store)
        • Passes credentials to existing GINA for authentication
      • Authentication performed by existing GINA
        • MSGINA for standard Windows 2000/2003
        • Other custom GINA for smart card or biometric devices
      • NOTE: Microsoft Password Policy settings should be used to enforce high standards for primary authentication (password length, age, complexity)

  28. Multi-Factor Authentication • Something you know + something you have • Examples: Time-synchronous tokens, smart cards, biometric scanners, proximity badges • A variety of strong authenticators have been successfully tested for interoperability with Password Manager

  29. Re-authentication • Timer after which end users have to re-authenticate to the Agent • Administratively controlled setting • Administrator can force re-authentication when users access certain applications • Helps administrators build tighter security • End users may forget to log off or lock the system • End users still need to remember only one set of credentials

  30. Primary Authentication Process (diagram; callouts: validates credentials using existing systems; ships with Windows Authenticator; re-authentication; conduit between Authentication Service and Shell)

  31. The Shell (architecture diagram; components: Authenticator API, Crypto API, Credential Manager, Local Credential Storage, Intelligent Agent Response, Data Synchronization; labels: Welcome! Logon Screen, First-time use, Primary credentials, Encryption, Triggers synchronization, Secondary Credentials for SSO)

  32. Data Synchronization (diagram: Domain with OUs, Microsoft Active Directory or File server, Local Credential Storage) • Benefits • Enables mobility for end users • Eases deployment of application configurations and settings • Centralizes administration

  33. Data Synchronization (cont.) • Keeps local and central credential stores in sync • Latest version of the store overwrites settings • All changes have time-stamps • Similar to MS Profile • Always initiated by the Agent based on administrative configuration • Allows administrator to push application configuration and agent settings to end users

  34. Data Synchronization (cont.) • Administrator controls frequency of synchronization • “Aggressive Sync” mode - Synchronization occurs whenever user performs an action that should use most current credentials or settings • Example – a new application launch, etc. • Aggressive Sync used in MetaFrame Presentation Server deployments since a user may have multiple MetaFrame Presentation Server sessions in progress

  35. Central Credential Store: Active Directory vs. File Share
      • File Share
        • Pros
          • Does not require any changes to existing infrastructure
          • Easier to set up and administer
        • Cons
          • Different settings cannot be configured for different users
          • Additional servers required
      • Active Directory
        • Pros
          • Does not require any additional infrastructure or servers
          • Allows configuration of different settings for different users or containers
        • Cons
          • Requires extending Active Directory schema
      • No scalability limits for File share or Active Directory
      • Both can support thousands of users
      • Both are equally secure

  36. Synchronization Process (diagram: two time-stamped versions of Annie User’s record, June 5, 2003 9:14 AM and June 6, 2003 6:43 AM, with passwords XLB639 and MAL929 and a New Password field of MAL929) • 1 Encrypted Local Credential Store synchronizes with the encrypted Central Credential Store • 2 Other machines pull the data into their Local Stores
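To make the time-stamp rule of slides 33 to 36 concrete, here is an added Python example (not Citrix code): an agent-initiated sync where, per application, the record with the newer time-stamp overwrites the older copy in whichever store holds it. The per-record merge, the store layout and the Annie User sample data are assumptions modelled on the slides.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Credential:
    """One secondary-credential record; 'modified' is its change time-stamp."""
    app: str
    user: str
    password: str
    modified: datetime


def newest(local, central):
    """Pick the winning record for one application and say which way it flows."""
    if local is None:
        return central, "pull"          # only the central store has it
    if central is None:
        return local, "push"            # only this machine has it
    if local.modified > central.modified:
        return local, "push"            # local change is newer: overwrite central
    if central.modified > local.modified:
        return central, "pull"          # central is newer: overwrite local copy
    return central, "same"              # equal time-stamps: nothing to do


def synchronize(local: dict, central: dict):
    """Agent-initiated sync: both stores end up equal to the merged view.
    Returns the merged store and the per-app action (push / pull / same)."""
    merged, actions = {}, {}
    for app in sorted(set(local) | set(central)):
        merged[app], actions[app] = newest(local.get(app), central.get(app))
    local.clear(); local.update(merged)
    central.clear(); central.update(merged)
    return merged, actions


# Constructed sample modelled on the slide's Annie User example (not real data).
OLD = Credential("Mainframe", "Annie User", "XLB639", datetime(2003, 6, 5, 9, 14))
NEW = Credential("Mainframe", "Annie User", "MAL929", datetime(2003, 6, 6, 6, 43))


def demo():
    """Machine 1 changed the password; machine 2 still holds the old copy."""
    central = {"Mainframe": OLD}
    machine1 = {"Mainframe": NEW}
    machine2 = {"Mainframe": OLD, "Webmail": Credential("Webmail", "annie", "w1", datetime(2003, 6, 4))}
    _, a1 = synchronize(machine1, central)   # newer local record is pushed to the central store
    _, a2 = synchronize(machine2, central)   # machine 2 pulls MAL929 and pushes its Webmail record
    return a1, a2, central["Mainframe"].password, machine2["Mainframe"].password


if __name__ == "__main__":
    print(demo())
```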

  37. Encryption
      • Uses cryptography to confirm end user authentication
      • Secure storage of data to protect end user credentials
      • Uses Symmetric encryption (Secret Key Encryption)
        • Same key used to encrypt and decrypt data
      • 3DES encryption algorithm used to encrypt end user credentials
        • Secret key crypto algorithm used to create 56-bit keys
        • Used three times

  38. Security: SSO Encryption
      • Crypto API
        • Confirms end user authentication with Authenticator API
        • Generates unique primary authentication key that secures local and central credential store
        • Uses primary authentication key to decrypt individual credentials
      • Primary Authentication Key
        • Unlocked upon successful end user authentication
        • Created based on random number generation using MS CAPI
        • Self encrypted using 3DES
        • Two different keys stored with MS CAPI
          • Encrypted with Windows password
          • Encrypted with user question information
        • Not stored anywhere in the raw form
      • Credential Data
        • Some data encrypted – Username, password, third and fourth fields
        • Remaining data encoded – windows title, application name, etc.

  39. Credential Encryption (diagram: SKEY unlocked either from the Windows Password Hash or from User Q / A User Secrets) • Credentials are encrypted with 3DES (Triple DES) • Implemented through MS CAPI (Microsoft Cryptographic API)
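As an added example of the key hierarchy in slides 37 to 39 (not Citrix code): a random primary authentication key (PAK) is kept only in two sealed copies, one unlockable by the Windows password and one by the user's Q/A answers, and every credential is sealed under the PAK, so a Windows password change re-seals one copy of the PAK and leaves the stored credentials untouched. It assumes a hash-derived keystream with an HMAC tag in place of the CAPI 3DES call and PBKDF2 for the two key-encryption keys; the function names and store layout are mine.

```python
import hashlib
import hmac
import secrets

PAK_LEN = 24  # three 8-byte DES keys; the product keeps its PAK inside MS CAPI instead

def kek(secret: str, salt: bytes, label: bytes) -> bytes:
    """Key-encryption key derived from the Windows password or the user's Q/A answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt + label, 100_000)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC with a hash-derived keystream; stand-in for the CAPI 3DES call."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong unlocking secret or tampered store")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))

def create_store(win_password: str, qa_answers: str) -> dict:
    """Random PAK, stored only as two sealed copies; never in raw form."""
    pak, salt = secrets.token_bytes(PAK_LEN), secrets.token_bytes(16)
    return {"salt": salt, "credentials": {},
            "pak_by_password": seal(kek(win_password, salt, b"pw"), pak),
            "pak_by_qa": seal(kek(qa_answers, salt, b"qa"), pak)}

def unlock(store: dict, win_password: str = None, qa_answers: str = None) -> bytes:
    """Either secret unwraps the same PAK; the Q/A path covers a reset Windows password."""
    if win_password is not None:
        return open_sealed(kek(win_password, store["salt"], b"pw"), store["pak_by_password"])
    return open_sealed(kek(qa_answers, store["salt"], b"qa"), store["pak_by_qa"])

def add_credential(store: dict, pak: bytes, app: str, user: str, password: str) -> None:
    store["credentials"][app] = seal(pak, f"{user}:{password}".encode())

def read_credential(store: dict, pak: bytes, app: str) -> str:
    return open_sealed(pak, store["credentials"][app]).decode()

def change_windows_password(store: dict, old_pw: str, new_pw: str) -> None:
    """Only the password-sealed copy of the PAK is redone; sealed credentials are untouched."""
    pak = unlock(store, win_password=old_pw)
    store["pak_by_password"] = seal(kek(new_pw, store["salt"], b"pw"), pak)
```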

  40. Intelligent Agent Response (diagram: Shell and Credential Manager; Web Applications handled through the Web Browser SSO Helper Object; Windows Applications through the Windows Hook Component; Host-based Applications through the Mainframe Helper Object)

  41. Intelligent Agent Response
      • Event-driven detection/response
        • Looks for configured windows for logon and password change requests as they pop up
        • Automatically supplies secondary credentials for logon or change password
        • Credentials supplied at OS level directly to the controls on the window when possible – otherwise sent with key strokes
      • No complex scripts required
      • No application changes required
      Benefits
      • Reduces the risk of credentials being supplied incorrectly or not supplied at all
      • System-level approach increases security
        • Keyboard-sniffing won’t compromise credentials
      • Better reliability than other solutions
        • Scripts easily broken by user actions

  42. MetaFrame Password Manager Deployments
      • Pure MetaFrame XP Presentation Server Deployment
        • All applications that require single sign-on accessed through MetaFrame XP Presentation Server over ICA
      • Desktop-only Deployment
        • All applications accessed directly from Windows 32-bit desktops
        • Using web browser for web applications and Mainframe emulator for host applications
      • Mixed Deployment
        • Some applications accessed through MetaFrame XP Presentation Server
        • Other applications accessed directly from Windows 32-bit desktops
      • NOTE: Console can be installed anywhere with connectivity to central credential store

  43. Deployment Example (diagram; labels: Central Credential Store, XP Server Farm, Console, Agent, Local Credential Store, HTTPS SSL or TLS, ICA Client, Secure Gateway Server)

  44. Server Deployment (diagram: ICA Client, MetaFrame XP Presentation Servers with Published Applications, Central Credential Storage) • Agent only required to be installed on MetaFrame XP Presentation Servers • Agents run in ICA sessions and work automatically for all Published applications

  45. Desktop Deployment (diagram: Desktop running the Agent with Local Applications, Central Credential Storage) • Agent installed only on Desktops • Agent can work in mobile mode by synchronizing settings and secondary credentials from central credential store

  46. Mixed Deployment (diagram: Desktop with Local Applications, MetaFrame XP Server with Published Applications, Central Credential Storage; Agent on both) • Agent installed on MetaFrame XP Presentation Servers and Desktops • Agents run on Desktop and in ICA sessions without any problems • Agents share information through synchronization from Central Credential Store

  47. Deployment with MSAM (diagram: Desktop with IE Browser and CDAs, MetaFrame XP Presentation Server, Access Center for MSAM (Optional)) • Uses MSAM Access Center • Published Apps that require credentials • Agent required on Presentation Server • CDAs • Agent required on Desktops if CDAs require credentials

  48. MetaFrame Password Manager Configuration & Deployment • Planning • Select deployment mode • Select Central Credential Store type • Prepare Central Credential Store • Add and activate license • Console automatically launches the wizard

  49. MetaFrame Password Manager Configuration & Deployment (cont.) • Configure MetaFrame Password Manager deployment • Configure User Questions • Configure Application Definitions • Configure Password Policies and Password Sharing Groups • Configure Agent Settings • Configure First Time Use List • Save configurations in Central Credential Store

  50. MetaFrame Password Manager Configuration & Deployment (cont.) • Create and install Agent with address of Central Credential Store • Use Custom MSI to create package • Use MSI deployment methods to install the Agent
