890 likes | 1.08k Vues
Citrix MetaFrame Password Manager 2.0 Installation and Configuration. Bruce Huber. Lead Sales Engineer. Citrix Systems, Inc. Non Disclosure Agreement.
E N D
Citrix MetaFrame Password Manager 2.0 Installation and Configuration Bruce Huber Lead Sales Engineer Citrix Systems, Inc.
Non Disclosure Agreement This presentation is confidential. By virtue of your relationship with Citrix, you are bound to retain in confidence all information in this presentation.
Agenda • Introduction slides 15 mins. • Technical Detail slides 30 mins. • Q & A 5 mins.
What is Single Sign-On? • User authenticates ONCE and gains access to multiple secured applications/resources • User needs to remember only ONE set of credentials • Application credentials automatically (and securely) handled by the system
Who Needs Single Sign-on? “I already have single sign-on. I use the same password everywhere!” • Anonymous
Single Sign-On solution for: MetaFrame Presentation Server Deployment Desktop Deployment Mixed Deployment (MetaFrame Presentation Server + Desktop) User only needs to remember primary credentials Handles all secondary logons and password change requests automatically End users and administrators can configure applications using an easy-to-use wizard Central administration and control Meets all traveling/mobile user needs What is MetaFrame Password Manager?
MetaFrame Password ManagerBenefits • Simplification of end-user computing • Only need to remember a single set of credentials • Automatic password changes • Reduction of help-desk costs • Eliminating calls for password resets • Simplifying password management • Increase in network security • Helps enforce stricter password policies • Eliminates weak password selection • No more Post-It Notes !!! • No sharing of passwords “30 percent of all calls to the help desk are for password resets” - Gartner Group “Each time an end-user calls the help desk, it costs the organization $25-$50.” - Giga Research “Majority of end users end up writing down their passwords.”
Features • MetaFrame Presentation Server XP • Web Interface for MetaFrame • MetaFrame Secure Access Manager • All ICA clients Designed to work seamlessly with:
Features • Provides password security and single sign-on access • No application modification needed • No programming or scripting required • Predefined templates • Create your own application definitions
Benefits • Enterprise-level Single Sign-on • Rapidly SSO-enable Applications • Centralized Configuration • Access Security • Reduced Help Desk Costs
The Management Console is used to administer the MetaFrame Password Manager environment Components • The ‘Agent’ resides with the applications that need credentials filled in
Authentication • Windows Authentication including Active Directory • Graphical Identification & Authentication (GINA) Chaining
Deployment Options • Workstation • MetaFrame XP Presentation Server • Mixed Mode
Types of Central Credential Stores • MS Active Directory - CtxSchemaPrep - CtxDomainPrep OR • MS File Share - CtxFileSyncPrep
MetaFrame Password ManagerFunctional Components • Administrative tool to centrally manage MetaFrame Password Manager deployment • Configures applications and user settings • Pushes settings into Central Credential Store for Agents to synchronize from
MetaFrame Password ManagerFunctional Components • Stores all settings configured by administrators • Based on Active Directory or Network File Share • Agent synchronizes settings from credential store • All credentials stored encrypted using Microsoft Crypto API
MetaFrame Password ManagerFunctional Components • Stores all settings configured by administrator • Client/Desktop component • Synchronizes settings from Credential Store • Has its own local credential store for offline/mobile use • Detects logon and change password events • Automatically fills in secondary credentials and changes passwords for end users
Architectural Benefits • Event-driven Client Side Intelligence • No scripts or connectors • No changes to applications • Automatically detects logon and password change events • Authentication • Support for strong authentication • No need for additional authentication servers
Architectural Benefits (cont.) • Synchronization • Centralized management • Integration with existing infrastructure • Active Directory • File System • Local credential store on agent for offline/mobile Single Sign On • Encryption • Credentials stored securely • Support for standard 3DES encryption
Authentication • Functions • Gets credentials and passes them to get the user authenticated • Unlocks credential store • Passes credentials to the Shell on request • Primary authentication managed by the operating system • Password Manager GINA (SSOGINA) added for pre-processing • Captures credentials and passes them to shell in order to unlock credential databases (local and central credential store) • Passes credentials to existing GINA for authentication • Authentication performed by existing GINA • MSGINA for standard Windows 2000/2003 • Other custom GINA for smart card or biometric devices • NOTE: Microsoft Password Policy settings should be used to enforce high standards for primary authentication (password length, age, complexity)
Multi-Factor Authentication • Something you know + something you have • Examples: Time-synchronous tokens, smart cards, biometric scanners, proximity badges • A variety of strong authenticators have been successfully tested for interoperability with Password Manager
Re-authentication • Timer after which end users have to re-authenticate to the Agent • Administratively controlled setting • Administrator can force reauthentication when users access certain applications • Helps administrators build tighter security • End users may forget to log-off or lock the system • End users still need to only remember one set of credentials
Primary Authentication Process Validates credentials using existing systems Ships with Windows Authenticator Re-authentication Conduit between Authentication Service and Shell
Authenticator API Crypto API Shell Welcome! Logon Screen First-time use Credential Manager Local Credential Storage Intelligent Agent Response DataSynchronization The Shell Primary credentials Encryption Triggers synchronization Secondary Credentials for SSO
OU OU OU Domain Local Credential Storage File server Microsoft Active Directory Data Synchronization • Benefits • Enables mobility for end users • Eases deployment of application configurations and settings • Centralizes administration
Data Synchronization (cont.) • Keeps local and central credential stores in sync • Latest version of the store overwrites settings • All changes have time-stamps • Similar to MS Profile • Always initiated by the Agent based on administrative configuration • Allows administrator to push application configuration and agent settings to end users
Data Synchronization (cont.) • Administrator controls frequency of synchronization • “Aggressive Sync” mode - Synchronization occurs whenever user performs an action that should use most current credentials or settings • Example – a new application launch, etc. • Aggressive Sync used in MetaFrame Presentation Server deployments since a user may have multiple MetaFrame Presentation Server session in progress
Central Credential StoreActive Directory vs. File Share • File Share • Pros • Does not require any changes to existing infrastructure • Easier to setup and administer • Cons • Different settings cannot be configured for different users • Additional servers required • Active Directory • Pros • Does not require any additional infrastructure or servers • Allows configuration of different settings for different users or containers • Cons • Requires extending Active Directory schema No scalability limits for File share or Active Directory Both can support thousands of users Both are equally secure
Annie User June 6, 2003 Annie User 6:43 AM June 5, 2003 Password 9:14 AM MAL929 Password XLB639 New Password MAL929 New Password Synchronization Process 2 Other machines pull the data into their Local Stores 1 Central Credential Store Encrypted Local Credential Store Encrypted Synchronizes with Central Credential Store
Encryption • Uses cryptography to confirm end user authentication • Secure storage of data to protect end user credentials • Uses Symmetric encryption (Secret Key Encryption) • Same key used to encrypt and decrypt data • 3 DES encryption algorithm used to encrypt end user credentials • Secret key crypto algorithm used to create 56-bit keys • Used three times
SecuritySSO Encryption • Crypto API • Confirms end user authentication with Authenticator API • Generates unique primary authentication key that secures local and central credential store • Uses primary authentication key to decrypt individual credentials • Primary Authentication Key • Unlocked upon successful end user authentication • Created based on random number generation using MS CAPI • Self encrypted using 3 DES • Two different keys stored with MS CAPI • Encrypted with Windows password • Encrypted with user question information • Not stored anywhere in the raw form • Credential Data • Some data encrypted – Username, password, third and fourth fields • Remaining data encoded – windows title, application name, etc.
SKEY User Q / A UserSecrets SKEY SKEY WindowsPassword Hash Credential Encryption • Credentials are encryptedwith 3DES (Triple DES) • Implemented through MS CAPI(Microsoft Cryptographic API)
Intelligent Agent Response Web Applications Shell Web Browser SSO Helper Object Windows Applications Credential Manager Windows Hook Component Host-based Applications Mainframe Helper Object
Intelligent Agent Response • Event-driven detection/response • Looks for configured windows for logon and password change requests as they popup • Automatically supplies secondary credentials for logon or change password • Credentials supplied at OS level directly to the controls on the window when possible – otherwise sent with key strokes • No complex scripts required • No application changes required Benefits • Reduces the risk of credentials being supplied incorrectly or not supplied at all • System-level approach increases security • Keyboard-sniffing won’t compromise credentials • Better reliability than other solutions • Scripts easily broken by user actions
MetaFrame Password Manager Deployments • Pure MetaFrame XP Presentation Server Deployment • All applications that require single sign-on accessed through MetaFrame XP Presentation Server over ICA • Desktop-only Deployment • All applications accessed directly from Windows 32-bit desktops • Using web browser for web applications and Mainframe emulator for host applications • Mixed Deployment • Some applications accessed through MetaFrame XP Presentation Server • Other applications accessed directly from Windows 32-bit desktops • NOTE: Console can be installed anywhere with connectivity to central credential store
Central Credential Store XP Server Farm Console Agent Local Credential Store HTTPS SSL or TLS Central Credential Store ICA Client Secure Gateway Server ICA Client Deployment Example
Server Deployment Published Applications Agent runs in ICA sessions MetaFrame XP Presentation Servers • Agent only required to be installed on MetaFrame XP Presentation Servers • Agents runs in ICA sessions and works automatically for all Published applications ICA Client Central Credential Storage
= Agent Desktop Deployment Local Applications Central Credential Storage Desktop • Agent installed only on Desktops • Agent can work in mobile mode by synchronizing settings and secondary credentials from central credential store
= Agent Mixed Deployment Local Applications Published Applications Desktop MetaFrame XP Server Central Credential Storage • Agent installed on MetaFrame XP Presentation Servers and Desktops • Agents run on Desktop and in ICA sessions without any problems • Agents share information through synchronization from Central Credential Store
= Agent Deployment with MSAM Desktop MetaFrame XP Presentation Server IE Browser CDA CDA Access Center for MSAM (Optional) • Uses MSAM Access Center • Published Apps that require credentials • Agent required on Presentation Server • CDAs • Agent required on Desktops if CDAs require credentials
MetaFrame Password ManagerConfiguration & Deployment • Planning • Select deployment mode • Select Central Credential Store type • Prepare Central Credential Store • Add and activate license • Console automatically launches the wizard
MetaFrame Password ManagerConfiguration & Deployment (cont.) • Configure MetaFrame Password Manager deployment • Configure User Questions • Configure Application Definitions • Configure Password Policies and Password Sharing Groups • Configure Agent Settings • Configure First Time Use List • Save configurations in Central Credential Store
MetaFrame Password ManagerConfiguration & Deployment (cont.) • Create and install Agent with address of Central Credential Store • Use Custom MSI to create package • Use MSI deployment methods to install the Agent