Smart Card EverywhereLalit KaushalEscalation Engineer EMEA25th October, 2011

• Business drivers for using smart card

• Configuring Smart Cards

• Smart card support architecture in XA/XD• Smart Card Client Driver

• Smart card scenarios• SSON Enhancements

• Tips-N-Tricks• Troubleshooting tools & techniques

Agenda

Smart Cards in our life

• Credit\Debit Cards

• Control Access (physical and logical resource)

• Citizen ID Card

• Strong authentication• Spectrum of requirements

• Convenience / speed

• Apps using smart card (Outlook, Word, bespoke)

• Citizen ID card (in some regions)

• Public sector employee ID cards

• Legislation / regulation

Business Drivers for using Smart Cards

• User needs to login / reconnect using a smart card• May be running apps that need to use smart card as well

• Often multiple points need authentication• Client Machine (if domain joined)• Access Gateway• Web Interface (in future Delivery Services)• XA or XD

• User does not want to enter PIN more than necessary• Security Officer (often) does not like us to cache the PIN

• Speed is frequently very important

Requirements

Configuring Smartcard

Configuration – Smartcard XenApp\XenDesktop

Four main components

Certificate Authority

Windows 2000 + Active Directory

Certificate enrolment changes in Windows 2008+

Web Interface

Latest Web Interface to support new features e.g. AGEE

XenApp Server (VDA for XD)

Client machines

WinXP – Smartcard SSOn possible

Windows 7\Vista - Kerberos require for SSOn

• Web Interface Server• IIS

• Enable the Windows directory service mapper• Citrix Virtual Directory settings:

• Require secure channel (SSL)• Accept client certificates (Ignore client certificates if using Pass-through)• Enable client certificate mapping

• DSC/WI Console• “Authentication Methods” select “Pass-through with smart card” or “Smart card”• Pass-through only: “Use Kerberos”, if required (Windows 7\Vista Smart card SSON)• Smartcard removal policy settings

• Can also be handled at GPO level

Configuration (Contd.)

• XenApp/XenDesktop• Enable “Trust requests sent to the XML Service”• Kerberos

• Enable “Trust for Delegation”• Enable “DNS address resolution”

• Client Side settings• Use Icaclient ADM template and enable Smartcard Authentication

• Allow Smart Card Authentication • Use pass-through for PIN

• HKEY_CURRENT_USER\Software\Policies\Citrix\ICA Client\Engine\Lockdown Profiles\All Regions\Lockdown\Logon

• Enable Kerberos Authentication for Windows 7\Vista

Configuration (Cont’d)

Important Points...

• SSL cert

• Kerberos for Smart card Single Sign-on (SSON)

• Trust XML

• If Kerberos – DNS resolution

• ADM template to apply client-side GPOs

HDX Smart Card Remoting(Deep-Dive)

Smart Card Infrastructure

Components

• Personal Computer/Smart Card (PC/SC) subsystem:• Governed by the PC/SC workgroup formed in 1996 • Operating System component• Enforces interoperability among cards and readers made by the different

manufacturers.

• Cryptographic Service Provider (CSP):• Leverages Microsoft exposed API’s via the Microsoft Platform SDK for smart

card use• ActivCard• Gemalto• AET

• The CSP provider • implements certain functions• registers itself in the registry

• Smart card is inserted into the reader• Windows reads the ATR from the card to determine which CSP to use

• Windows uses this information to acquire the appropriate CSP.dll.

• CSP.dll file • Makes the PC/SC calls to get information from the smart card.

Smart Card Infrastructure

Smart Card Components (XA\XD)

• Host Side (XA\XD)

•Citrix Hook (ScardHook.dll)

•Citrix Services (CtxSVCHost, CtxCertPropSvc, etc)

•CDM (in XA 5 or earlier)

• End-point (e,g, XP, W7)

• ICA Client engine – Wfica32

•Smart card Client driver – VdScardN.dll

Hooking – MfApHook (SCardHook)

Citrix hooking

• Final Stage in application launch process

• Inject XenApp feature dlls into application processes • Overwrites existing MS functions with XenApp enhanced versions

• Useful to implement additional functionality• TWAIN redirection• Virtual IP address• MultiMonitor• Plus many more

Citrix hooking – mfaphook.dll

• Windows injects dlls that are part of Appinit_dlls• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\

AppInit_DLLs• User32.dll loads this key• On process startup• Citrix binary mfaphook.dll is in this added to this key

• Consider mfaphook.dll the parent hook• It chooses which of the children hook to inject into each process

AppInit_dlls injects Mfaphook.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Per feature hooks

• Mfaphook will check the registry for a list of feature dll to use• Depending on the flag value mfpahook will inject the dll or not• HKEY_LOCAL_MACHINE\SOFTWARE\Citrix\CtxHook\AppInit_Dlls

• Flag values• 0x80000000 - All Processes• 0x00000000 - Disable Hook• 0x00000002 - Only for specific processes (subkeys)• 0x00000004 - Remote sessions only

• Hooking of Microsoft Windows smart card components• Mfaphook injects the defined hooking DLL’s into the published application process’s

address space• Scardhook hooks many necessary SCard functions in WinScard.dll and redirects most* of

these to client• SCardHook is loaded in RDP session as well

• Old way (XA5 and older)• SCardhook.dll• CDM

• New way (XA 6 and XD)• No dependency on CDM!!!• Introduced new services to keep hook code cleaner and simpler

Smart Card Subsystem

• Routes the host calls to corresponding WinScard API

• Win32 and WinCE driver have subtle differences• Memory restrictions on WinCE box

• Design optimization in WinCE client smart card driver

• String encoding negotiation• Any string manipulation on the host side should be based on the string

encoding negotiated with the client.• WinCE client uses Unicode strings while Win32 client uses ASCII strings.

Smart Card Client Driver

• Domain credentials are supported on all client OS

• For Smart Card SSON• XP supports NP APIs• Windows 7\Vista Winlogon doesn’t call NP API, credentials are not feed to

SSON

• Launching application with SSON enabled:• For domain credentials, ICA file contains the LogonTicket• For Smart Card credentials, wfica32 uses credentials from SSON machinery

Single Sign-on (SSON)

User Mode

Kernel Mode

XD/XA Host

CtxSvcHost.exe(CtxSmartCardSvc DLL)

VC User Mode API (Pica/WTS)

Winlogon.exe

Winword.exeSCardHook DLL

SCardHook DLL

ICA Stack

End-Point (e.g. XP)

Kernel Mode

User Mode

SC Reader Driver

SCardSvc.exe (MS)

Wfica32.exe(ICA Client Engine)

SC Reader

VDSCardN DLL

WinSCard DLL (MS)

PC/SC APIPC/SC API

PC/SC API

PC/SC (WinSCard) APIRemoted over ICA protocol(ICA Smart Card VC Protocol)

Remote calls: SCardEstablishContext, SCardConnect, SCardTransmit…

Smart Card Core Subsystem Architecture

No smart card code in the

kernel!

Remoting industry standard API

Remoted calls look like local smart card

app

Current Support Scenarios

• Different Customers has different requirements• Military Never cache PIN. Don’t care if users must re-enter it• Medical User must never re-enter PIN. Don’t care if it is cached

• Lots of technical options• Can trade off quality of login for some customers to reduce reliance on PIN

• Password > Smartcard > Full Kerberos > Constrained Kerberos > Tagged Anon > Anonymous• Several well understood techniques, and several potential new techniques

• Hardware/OS is an issue• Require different sorts of driver support for different cards on different platforms• Server-side limitations for non-windows machines or shared local/remote use

Multiple approaches

• Authentication Steps:• (Optionally) authenticate user to local windows machine with smart card• (Optionally) authenticate user to gateway• Authenticate user to Delivery Services (or WI or WR or PNA)• Authenticate user to Windows Session (XA or XD)

• Minimize pin prompts, but keep security officer happy

• Can trade of ‘quality’ of ultimate windows login• Smartcard login has ‘full’ credentials• Kerberos Login or even Constrained Kerberos Login may be good enough for

some customers/apps.

Authentication Paths

Smart card / OtherSmart card / Other

Smartcard SSL (SSL/CA)Smartcard SSL (SSL/CA)

Assertion by Gateway OR Smartcard SSL OR Kerberos Assertion by Gateway OR Smartcard SSL OR Kerberos

Assertion OR Kerberos OR Protocol Transition Assertion OR Kerberos OR Protocol Transition

Ticket OR Kerberos OR Smartcard Login (PC/SC Redirect) Ticket OR Kerberos OR Smartcard Login (PC/SC Redirect)

Options at each step

Client Login

GatewayLogin

WILogin

WIto XA/XD

Client to XA/XD

PIN

PIN

PIN

PIN

OS logon+ PIN capture+ PNA pass-thru

WI logon using s/c ActiveX

OS logon+ PNA pass-thru

WI logon using s/c ActiveX

Smart Card Solution Summary

Windows XP

Windows 7(Vista +)

Desktop Appliance

OS logon+ PIN capture+ PNA pass-thru or WI pass-thru

WI logon orPNA logon

OS logon+ PNA pass-thru or WI pass-thru

WI logon orPNA logon

Local Desktop with Apps

Domain joined

Non-domain joined Domain joined

Non-domain joined

PIN capture not supported Extra PIN prompt

ActiveX updated for Windows 7 in next release

PIN capture not supportedExtra PIN prompts

(unless using Kerberos)

Multiple PIN prompts(unless using Kerberos PT)

• Direct smart card• SSL with client auth to WI, smart card logon to ICA host PIN prompt from OS for PNAPIN prompt from OS on ICA host

• Pass-through with smart card• Kerberos/NTLM auth to WI, smart card logon to ICA host

• Windows XP: PIN capture during OS logon one PIN prompt• Windows 7\Vista: no PIN capture during OS logon extra PIN prompt on ICA logon

• Pass-through with smart card, Kerberos option• Kerberos auth to WI, Kerberos logon to ICA host (XenApp only)PIN prompt for OS logon, no PIN capture neededHidden XenApp setting can override “Smart card required for interactive logon” policy

PNA Smart Card – Existing Options

Can be domain joined or non-domain joined

Must be domain joined

Must be domain joined

SSON Enhancements

SSON Enhancements

• Fast Connect

• For Healthcare organizations

• Need Citrix Partners involvement to build the solution

• At Web Server authentication point on Services Site

• Out-of-Box Single Sign-On support

• Already working for Windows XP client

• Kerberos is pre-requisite for SSOn on Windows 7\Vista

Fast Connect for Windows

• New feature to enable Single Sign-on to support Healthcare organizations

• Partners can use Fast Connect APIs to quickly log users into sessions (logon) and just as quickly disconnect sessions (logout).

• Available through Citrix Ready Partner

• Based on 12.1 ICA Client currently

• Faster Logons

• No Middleware*

• Single Sign-on (even on NDJ clients!)

• Access Gateway SSO Integration

Benefits of At Web Server Authentication Point

• Same basic requirements as AD FS• Constrained Delegation using Kerberos (explained in WI documentation)

At Web Server Authentication Point

Kerberos Authentication SupportConfigure Delegation on Web Interface Server

Edit the Delegation properties of each WI computer object in Active Directory

Trust this computer for delegation using any authentication protocol

Add the http service for each XenApp XML Broker

Kerberos Authentication SupportConfigure Delegation on XenApp (XML) Server

Edit the Delegation properties of each XenApp Server computer object in Active Directory

Trust this computer for delegation using any authentication protocol

Add following: -CIFS - each domain controller(s)HOST - to XenApp server(s) hosting appsLDAP - each domain controller(s)

• Same basic requirements as AD FS• Constrained Delegation using Kerberos (explained in WI documentation)

• Requires XML port to be shared with IIS

• Fully supported on Web Interface site• Currently only supported with a private on Services Site (PNA)

At Web Server Authentication Point

Smartcard SSOn for Windows 7\Vista

• Currently not working for Windows 7\Vista

• Multiple PIN prompts – multiple customers effected

• Are you waiting for it?

• Product use

• Number of Users\Licenses

• Use-case

• Feedback will be provided to Product Management

Tips-N-Tricks(Troubleshooting tools & techniques)

Certificate Requirement

Troubleshooting Questions to Ask - Environment

• Type of Smartcard & Reader

• USB Smartcard, USB Token, .NET Smartcard, etc

• CSP used

• MS-Base CSP, Vendor specific (ActivClient, SecMaker, etc)

• Are you able to login into machine with smartcard?

• Is SC cert accessible inside ICA session

• Open ‘Certificates’ snap-ins in MMC

• If IE, go to Tools Internet Options Content Certificates

Troubleshooting Questions to Ask - Configuration

• Type of authentication Method selected

• Smartcard or Smartcard with Pass-through

• If Smartcard with Pass-through

• Check CTX117239 (Is Kerberos enabled? CTX123611)

• If Kerberos is enabled then it will be used always (No fall-back)

• Define ‘SmartCardPinPass’ Regkey for Passthru sessions

• If XenDesktop - CTX130265

• Understand WinSCard API and their locking behavior

Troubleshooting Questions to Ask - Configuration

Ref

: -

http

://m

sdn

.mic

roso

ft.c

om/e

n-u

s/lib

rary

/cc2

4259

6(v=

PR

OT

.10)

.asp

x

Troubleshooting Questions to Ask – Citizen-ID

• Type of CSP use

• Usually not use to authenticate to session

• Inside ICA session use by application

• Is Certificate available inside session

• If specific application, understand application behavior

• Is CSP has its own PC\SC re-direction mechanism

• Belgium Citizen ID has

• RDP behavior

Troubleshooting Smart Card

Troubleshooting Tools

• Vendor-specific tools• GemSafe Toolbox, Mini-Manager, eID viewer, etc

• CDFControl

• Sys-Internal Tool – Process Explorer

• Network Tracing

Troubleshooting Tools – Vendor Specific

• Vendor-specific tools

• Helpful to see if card readable inside session

CDFControl

SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[1]: succeeded to retrieve key with CryptGetUserKey...   

SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumGetCertificate:[1]: succeeded to retrieve certificate...             

SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumAddCertToStore:[1]: executing for container: "435105F49F340F2CC23F850E31939C232C170163 (1)" CSP: "Net iD - CSP" keySpec: "AT_SIGNATURE" store: "My"                   

SCardCertPropSvc:SCardCertPropSession::MonitoringThread::CertPropViaContEnumAddCertToStore:[1]: succeeded to propagate certificate to user store...    

• CtxSCardCertPropSvc - propagates certificates to User Store

Certificate Propagation

• Process Explorer shows handles and DLLs processes

• Helpful to troubleshoot: • Memory Optimization issues• Application Streaming• Access issues

• Process Explorer is available from SysInternals

Process Explorer

• Very helpful for Authentication issue

• Network Monitor or WireShark

• Handy WireShark Filter for looking at Kerberos ticket requests/responseskerberos.msg.type == 12 || kerberos.msg.type == 13 || kerberos.msg.type == 30 || kerberos.msg.type == 10 || kerberos.msg.type == 11

Network Tracing

We see that it supports MS KRB5, KRB5,

and NTLMSSP

Before you leave…

• Session surveys are available online at www.citrixsummit.com starting Thursday, 27 October• Provide your feedback and pick up a complimentary gift at the registration desk

• Download presentations starting Monday, 7 November, from your My Organiser tool located in your My Account