Client certificate or certificate plus domain authentication

The default configuration for Endpoint Management is user name and password authentication. To add another layer of security for enrollment and access to Endpoint Management environment, consider using certificate-based authentication. In the Endpoint Management environment, this configuration is the best combination of security and user experience. Certificate plus domain authentication has the best SSO possibilities coupled with security provided by two-factor authentication at Citrix Gateway.

For optimal usability, you can combine certificate plus domain authentication with Citrix PIN and Active Directory password caching. As a result, users don’t have to enter their LDAP user names and passwords repeatedly. Users enter user names and passwords for enrollment, password expiration, and account lockout.

Important:

Endpoint Management doesn’t support changing the authentication mode from domain authentication to some other authentication mode after users enroll devices in Endpoint Management.

If you don’t allow LDAP and use smart cards or similar methods, configuring certificates allows you to represent a smart card to Endpoint Management. Users then enroll using a unique PIN that Endpoint Management generates for them. After a user has access, Endpoint Management then creates and deploys the certificate used to authenticate to the Endpoint Management environment.

You can use the NetScaler for XenMobile wizard to perform the configuration required for Endpoint Management when using Citrix Gateway certificate-only authentication or certificate plus domain authentication. You can run the NetScaler for XenMobile wizard one time only.

In highly secure environments, usage of LDAP credentials outside of an organization in public or insecure networks is considered a prime security threat for the organization. For highly secure environments, two-factor authentication that uses a client certificate and a security token is an option. For information, see Configuring Endpoint Management for Certificate and Security Token Authentication.

Client certificate authentication is available for devices enrolled in MAM and MDM+MAM. To use client certificate authentication for those devices, you must configure the Microsoft server, Endpoint Management, and then Citrix Gateway. Follow these general steps, as described in this article.

On the Microsoft server:

  1. Add a certificate snap-in to the Microsoft Management Console.
  2. Add the template to Certificate Authority (CA).
  3. Create a PFX certificate from the CA server.

On Endpoint Management:

  1. Upload the certificate to Endpoint Management.
  2. Create the PKI entity for certificate-based authentication.
  3. Configure credentials providers.
  4. Configure Citrix Gateway to deliver a user certificate for authentication.

For information about Citrix Gateway configuration, see these articles in the Citrix ADC documentation:

Prerequisites

  • When you create a Microsoft Certificate Services Entity template, avoid possible authentication issues with enrolled devices by excluding special characters. For example, don’t use these characters in the template name: : ! $ () # % + * ~ ? | {} []

  • To configure certificate-based authentication for Exchange ActiveSync, see the Microsoft documentation on Exchange Server. Configure the certificate authority (CA) server site for Exchange ActiveSync to require client certificates.
  • If you use private server certificates to secure the ActiveSync traffic to the Exchange Server, ensure that the mobile devices have all of the Root/Intermediate certificates. Otherwise, certificate-based authentication fails during the mailbox setup in Secure Mail. In the Exchange IIS Console, you must:
    • Add a website for Endpoint Management use with Exchange and bind the web server certificate.
    • Use port 9443.
    • For that website, you must add two applications, one for “Microsoft-Server-ActiveSync” and one for “EWS”. For both of those applications, under SSL Settings, select Require SSL.

Add a certificate snap-in to the Microsoft Management Console

  1. Open the console and then click Add/Remove Snap-ins.

  2. Add the following snap-ins:

    • Certificate Templates
    • Certificates (Local Computer)
    • Certificates - Current User
    • Certificate Authority (Local)

  3. Expand Certificate Templates.

  4. Select the User template and Duplicate Template.

  5. Provide the Template display name.

    Important:

    Select the Publish certificate in Active Directory check box only if necessary. If this option is selected, all user client certificates are created in Active Directory, which might clutter your Active Directory database.

  6. Select Windows 2003 Server for the template type. In Windows 2012 R2 server, under Compatibility, select Certificate authority and set the recipient as Windows 2003.

  7. Under Security, click Add and then select the AD user account that Endpoint Management will use to generate certificates.

    Important:

    Add only the service account user here. Add the Enroll permission only to this AD user account.

    As described later in this article, you will create a user .pfx certificate using the service account. For information, see Creating a PFX certificate from the CA server.

  8. Under Cryptography, ensure that you provide the key size. You later enter the key size during Endpoint Management configuration.

  9. Under Subject Name, select Supply in the request. Apply the changes and then save.

Adding the template to Certificate Authority

  1. Go to Certificate Authority and select Certificate Templates.

  2. Right-click in the right pane and then select New > Certificate Template to Issue.

  3. Select the template you created in the previous step and then click OK to add it into the Certificate Authority.

Creating a PFX certificate from the CA server

  1. Create a user .pfx cert using the service account with which you logged in. The .pfx uploads to Endpoint Management, which then requests a user certificate on behalf of the users who enroll their devices.

  2. Under Current User, expand Certificates.

  3. Right-click in the right pane and then click Request New Certificate.

  4. The Certificate Enrollment screen appears. Click Next.

  5. Select Active Directory Enrollment Policy and then click Next.

  6. Select the User template and then click Enroll.

  7. Export the .pfx file that you created in the previous step.

  8. Click Yes, export the private key.

  9. Select Include all certificates in the certification path if possible and select the Export all extended properties check box.

  10. Set a password to use when uploading this certificate into Endpoint Management.

  11. Save the certificate onto your hard drive.

Uploading the certificate to Endpoint Management

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings screen appears.

  2. Click Certificates and then click Import.

  3. Enter the following parameters:

    • Import: Keystore
    • Keystore type: PKCS #12
    • Use as: Server
    • Keystore file: Click Browse to select the .pfx certificate you just created.
    • Password: Enter the password you created for this certificate.

  4. Click Import.

  5. Verify that the certificate installed correctly. A correctly installed certificate displays as a User certificate.

Creating the PKI entity for certificate-based authentication

  1. In Settings, go to More > Certificate Management > PKI Entities.

  2. Click Add and then click Microsoft Certificate Services Entity. The Microsoft Certificate Services Entity: General Information screen appears.

  3. Enter the following parameters:

    • Name: Type any name.
    • Web enrollment service root URL: https://RootCA-URL/certsrv/ (Be sure to add the last slash, /, in the URL path.)
    • certnew.cer page name: certnew.cer (default value)
    • certfnsh.asp: certfnsh.asp (default value)
    • Authentication type: Client certificate
    • SSL client certificate: Select the user certificate to be used to issue the Endpoint Management client certificate. If no certificate exists, follow the procedure in the preceding section to upload certificates.

  4. Under Templates, add the template that you created when configuring the Microsoft certificate. Don’t add spaces.

  5. Skip HTTP Parameters and then click CA Certificates.

  6. Select the root CA name that corresponds to your environment. This root CA is part of the chain imported from the Endpoint Management client certificate.

  7. Click Save.

Configuring credentials providers

  1. In Settings, go to More > Certificate Management > Credential Providers.

  2. Click Add.

  3. Under General, enter the following parameters:

    • Name: Type any name.
    • Description: Type any description.
    • Issuing entity: Select the PKI entity created earlier.
    • Issuing method: SIGN
    • Templates: Select the template added under the PKI entity.

  4. Click Certificate Signing Request and then enter the following parameters:

    • Key algorithm: RSA
    • Key size: 2048
    • Signature algorithm: SHA256withRSA
    • Subject name: cn=$user.username

    For Subject Alternative Names, click Add and then enter the following parameters:

    • Type: User Principal name
    • Value: $user.userprincipalname

  5. Click Distribution and enter the following parameters:

    • Issuing CA certificate: Select the Issuing CA that signed the Endpoint Management Client Certificate.
    • Select distribution mode: Select Prefer centralized: Server-side key generation.

  6. For the next two sections, Revocation Endpoint Management and Revocation PKI, set the parameters as required. In this example, both options are skipped.

  7. Click Renewal.

  8. Enable Renew certificates when they expire.

  9. Leave all other settings as default or change them as required.

  10. Click Save.

Configuring Secure Mail to use certificate-based authentication

When you add Secure Mail to Endpoint Management, be sure to configure the Exchange settings under App Settings.

Configuring Citrix Gateway certificate delivery in Endpoint Management

  1. In the Endpoint Management console, click the gear icon in the upper-right corner. The Settings screen appears.

  2. Under Server, click Citrix Gateway.

  3. If Citrix Gateway isn’t already added, click Add and specify the settings:

    • Name: A descriptive name for the appliance.
    • Alias: An optional alias for the appliance.
    • External URL: https://YourCitrixGatewayURL
    • Logon Type: Select Certificate and domain
    • Password Required: Off
    • Set as Default: On

  4. For Authentication and Deliver user certificate for authentication, select On.

  5. For Credential Provider, select a provider and then click Save.

  6. To use sAMAccount attributes in the user certificates as an alternative to User Principal Name (UPN), configure the LDAP connector in Endpoint Management as follows: Go to Settings > LDAP, select the directory and click Edit, and select sAMAccountName in User search by.

Enable Citrix PIN and user password caching

To enable Citrix PIN and user password caching, go to Settings > Client Properties and select these check boxes: Enable Citrix PIN Authentication and Enable User Password Caching. For more information, see Client properties.

Troubleshooting your client certificate configuration

After you complete the preceding configuration together with the Citrix Gateway configuration, the user workflow is as follows:

  1. Users enroll their mobile device.

  2. Endpoint Management prompts users to create a Citrix PIN.

  3. Users are then redirected to the app store.

  4. When users start Secure Mail, Endpoint Management doesn’t prompt them for user credentials for mailbox configuration. Instead, Secure Mail requests the client certificate from Secure Hub and submits it to Microsoft Exchange Server for authentication. If Endpoint Management prompts for credentials when users start Secure Mail, check your configuration.

If users can download and install Secure Mail, but during the mailbox configuration Secure Mail fails to finish the configuration:

  1. If Microsoft Exchange Server ActiveSync uses private SSL server certificates to secure the traffic, verify that the Root/Intermediate certificates are installed on the mobile device.

  2. Verify that the authentication type selected for ActiveSync is Require client certificates.

  3. On Microsoft Exchange Server, check the Microsoft-Server-ActiveSync site to verify that client certificate mapping authentication is enabled. By default, client certificate mapping authentication is disabled. The option is under Configuration Editor > Security > Authentication.

    After selecting True, be sure to click Apply for the changes to take effect.

  4. Check the Citrix Gateway settings in the Endpoint Management console: Ensure that Deliver user certificate for authentication is On and that Credential provider has the correct profile selected.

To determine if the client certificate was delivered to a mobile device

  1. In the Endpoint Management console, go to Manage > Devices and select the device.

  2. Click Edit or Show More.

  3. Go to the Delivery Groups section, and search for this entry:

    Citrix Gateway Credentials: Requested credential, CertId=

To validate whether client certificate negotiation is enabled

  1. Run this netsh command to show the SSL Certificate configuration that is bound on the IIS website:

    netsh http show sslcert

  2. If the value for Negotiate Client Certificate is Disabled, run the following command to enable it:

    netsh http delete sslcert ipport=0.0.0.0:443

    netsh http add sslcert ipport=0.0.0.0:443 certhash=cert_hash appid={app_id} certstorename=store_name verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable

    For example:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=23498dfsdfhaf98rhkjqf9823rkjhdasf98asfk appid={123asd456jd-a12b-3c45-d678-123456lkjhgf} certstorename=ExampleCertStoreName verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable
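The check in steps 1 and 2 above, as an added example that is not part of Citrix's documentation: a Python script that parses saved `netsh http show sslcert` output, reports each binding whose Negotiate Client Certificate value is not Enabled, and builds the delete/re-add command pair with that binding's own certhash, appid and store name. The sample output is constructed from this page's example values (the 9443 binding is invented) and assumes the field labels that netsh prints on current Windows Server releases.

```python
"""Find IIS SSL bindings that will not negotiate a client certificate in the
output of `netsh http show sslcert`, and build the corrective commands.
The sample text is constructed from this page's example values."""

SAMPLE_NETSH_OUTPUT = """\
SSL Certificate bindings:
-------------------------
    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 23498dfsdfhaf98rhkjqf9823rkjhdasf98asfk
    Application ID               : {123asd456jd-a12b-3c45-d678-123456lkjhgf}
    Certificate Store Name       : ExampleCertStoreName
    Negotiate Client Certificate : Disabled

    IP:port                      : 0.0.0.0:9443
    Certificate Hash             : 0123456789abcdef0123456789abcdef01234567
    Application ID               : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name       : MY
    Negotiate Client Certificate : Enabled
"""

def parse_sslcert(text):
    """Return one dict per binding, keyed by the netsh field labels."""
    bindings, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if not sep:
            continue  # headers, rulers and blank lines carry no field
        key, value = key.strip(), value.strip()
        if key == "IP:port":  # each binding block starts with its endpoint
            current = {}
            bindings.append(current)
        if current is not None:
            current[key] = value
    return bindings

def bindings_without_client_cert_negotiation(text):
    """Bindings on which IIS will never ask the device for its certificate."""
    return [b for b in parse_sslcert(text)
            if b.get("Negotiate Client Certificate") != "Enabled"]

def remediation_commands(binding):
    """The delete/re-add pair from this page, using the binding's own values."""
    ipport = binding["IP:port"]
    add = (f"netsh http add sslcert ipport={ipport} "
           f"certhash={binding['Certificate Hash']} appid={binding['Application ID']} "
           f"certstorename={binding['Certificate Store Name']} "
           "verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable "
           "UsageCheck=Enable clientcertnegotiation=Enable")
    return [f"netsh http delete sslcert ipport={ipport}", add]
```

Save the real output with `netsh http show sslcert > sslcert.txt`, pass the file contents to `bindings_without_client_cert_negotiation`, and review the generated commands before running them on the server.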

If you cannot deliver Root/Intermediate certificates to a Windows Phone 8.1 device through Endpoint Management:

  • Send Root/Intermediate certificates (.cer) files through email to the Windows Phone 8.1 device and install them directly.

If Secure Mail doesn’t install successfully on Windows Phone 8.1, verify the following:

  • The Application Enrollment Token (.AETX file) is delivered through Endpoint Management using the Enterprise Hub device policy.
  • The Application Enrollment Token was created using the same Enterprise Certificate from the certificate provider used to wrap Secure Mail and sign Secure Hub apps.
  • The same Publisher ID is used to sign and wrap Secure Hub, Secure Mail, and the Application Enrollment Token.
