Smart Card Single Sign On with Access Gateway Enterprise Edition
Transcript of Smart Card Single Sign On with Access Gateway Enterprise Edition
![Page 1: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/1.jpg)
Nicolas Ogor, Escalation Engineer. 06/10/10
![Page 2: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/2.jpg)
Agenda
• Introduction to Access Gateway Enterprise Edition.
• What's new in Web Interface 5.3?
• Configuration.
• Limitations and solutions.
• Troubleshooting.
![Page 3: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/3.jpg)
Introduction to Access Gateway Enterprise Edition
![Page 4: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/4.jpg)
• Combine your traditional IPSec VPN and Secure Gateway into a single appliance.
• Easy to configure with XenApp and XenDesktop.
• Support up to 10,000 concurrent connections.
• Physical and Virtual version available.
![Page 5: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/5.jpg)
What's new in Web Interface 5.3?
![Page 6: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/6.jpg)
New enhancements and features in this release
• Pass-through with smart card from the Access Gateway.
• Support for 32-bit color.
• XenApp farm migration.
• Multiple launch prevention.
• Support for Windows Server 2008 R2.
![Page 7: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/7.jpg)
How does the Pass-through work?
• The user authenticates to AGEE with the smart card certificate. AGEE validates the certificate and forwards only the user name and domain to Web Interface (CitrixAGBasic, no password).
• Web Interface hands the user and domain name to its local Protocol Transition Service, which uses the Kerberos S4U extensions (protocol transition) against the Domain Controller to obtain an instance of the .NET WindowsIdentity class for that user, without ever holding the user's password.
• This .NET object represents the user's logon session. It is used to create a Windows token that authenticates the user to the XML broker.
Diagram (User, AGEE, Web Interface, Domain Controller, XenApp), in the order the animation builds:
1. User → AGEE: certificate validation.
2. AGEE → Web Interface: Citrix AGBasic, no password.
3. Web Interface: local PTS service.
4. Web Interface → PTS: user name and domain name.
5. PTS → Domain Controller: S4U.
6. Domain Controller → Web Interface: .NET WindowsIdentity class.
7. Web Interface → XenApp: XML request, authenticated with the user's token.
8. XenApp → Web Interface: application list.
9. Web Interface → User, through AGEE: HTTPS.
![Page 21: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/21.jpg)
Configuration
![Page 22: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/22.jpg)
Certificate Authority
• Install a Certificate Authority in the domain.
• Open the MMC and select the Certification Authority and Certificate Templates snap-ins.
• Duplicate the Smart card logon template.
• Select your CSP.
![Page 23: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/23.jpg)
Certificate Authority
• Issue the Certificate template created previously to be available for users.
![Page 24: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/24.jpg)
Client computer
• Install your CSP software on your computer.
• Log on to your Certificate Authority.
• Select the Certificate template and CSP vendor.
• The certificate will be installed into the smart card.
![Page 25: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/25.jpg)
XenApp and Web Interface requirements
• XenApp and Web Interface servers must be domain members.
• The XenApp XML service must be running with IIS on the servers chosen as XML brokers and STA servers.
• XenApp versions 4.5 and 5 are currently supported.
• Web Interface 5.3 or later must be used.
• The Active Directory domain functional level must be 2003 or 2008 (Kerberos constrained delegation and protocol transition require at least the 2003 functional level).
![Page 26: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/26.jpg)
Setup delegation on your domain
• Delegation definition: some server services require access to a second server. In order to establish a session with the second server, the primary server must authenticate on behalf of the client's user account and authority level.
![Page 27: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/27.jpg)
Setup delegation on your domain
![Page 28: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/28.jpg)
Setup delegation on your domain
1 - Client provides credentials and domain controller returns a Kerberos TGT to the client.
![Page 29: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/29.jpg)
Setup delegation on your domain
2 - Client uses TGT to request a service ticket to connect to Server 1.
![Page 30: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/30.jpg)
Setup delegation on your domain
3 - Client connects to Server 1 and provides both TGT and service ticket.
![Page 31: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/31.jpg)
Setup delegation on your domain
4 - Server 1 uses the client's TGT to request a service ticket so that Server 1 can connect to Server 2.
![Page 32: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/32.jpg)
Setup delegation on your domain
5 - Server 1 connects to Server 2 using the client's credentials.
In the smart card pass-through case no client TGT is ever forwarded: the user authenticated to AGEE with a certificate and no password reaches Web Interface. Web Interface instead obtains a ticket for the user through S4U2Self (protocol transition) and then a ticket to the XML broker through S4U2Proxy (constrained delegation). This is why the delegation settings on the following slides are "specified services only" with "use any authentication protocol", and why each account is restricted to exactly the services it needs.
![Page 33: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/33.jpg)
Setup delegation on your domain
• The Web Interface computer account must be allowed to delegate to the http service on the XML broker (constrained delegation to that service only, any authentication protocol).
![Page 34: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/34.jpg)
Setup delegation on your domain
• The XML broker computer account must be allowed to delegate to the http service on itself and to the host service on every XenApp server in the farm.
![Page 35: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/35.jpg)
Setup delegation on your domain
• Each XenApp server computer account must be allowed to delegate to the cifs and ldap services on the Domain Controllers, the host service on itself and the http service on the XML broker.
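The three delegation slides above describe the settings as ADUC clicks. The following script, added here as an example and not part of the Citrix deck, applies the same chain with the ActiveDirectory PowerShell module (RSAT) and then lists every account that is trusted for protocol transition. The domain, server names and farm membership are assumptions; the SPN forms and attributes are the ones the delegation tab writes.

```powershell
# Added example, not from the Citrix deck: configures the delegation chain of
# the three preceding slides with the ActiveDirectory module (RSAT) and then
# audits which accounts may perform protocol transition. Host and domain
# names are assumptions; run as a domain admin from a management host.
Import-Module ActiveDirectory

$dnsDomain = 'corp.example.com'          # assumed AD DNS domain
$wi        = 'WI01'                      # Web Interface server (assumed)
$broker    = 'XMLBROKER01'               # XML broker / STA server (assumed)
$xenapps   = @('XENAPP01', 'XENAPP02')   # every XenApp server in the farm (assumed)
$dcs       = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName }

# Both the FQDN and the short form of each SPN, as the ADUC delegation tab adds them.
function Spn([string]$service, [string]$name) { "$service/$name.$dnsDomain"; "$service/$name" }

$chain = @{}
# Web Interface -> http service on the XML broker.
$chain[$wi] = @(Spn http $broker)
# XML broker -> http on itself and host on every XenApp server.
$chain[$broker] = @(Spn http $broker) + @($xenapps | ForEach-Object { Spn host $_ })
# Each XenApp server -> cifs and ldap on the DCs, host on itself, http on the broker.
foreach ($xa in $xenapps) {
    $chain[$xa] = @($dcs | ForEach-Object {
                      $short = $_.Split('.')[0]
                      "cifs/$_"; "cifs/$short"; "ldap/$_"; "ldap/$short" }) +
                  @(Spn host $xa) + @(Spn http $broker)
}

foreach ($computer in $chain.Keys) {
    $account = Get-ADComputer -Identity $computer
    # "Trust this computer for delegation to specified services only":
    # msDS-AllowedToDelegateTo is the allow-list (replace, not append).
    Set-ADComputer -Identity $account -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$chain[$computer] }
    # "Use any authentication protocol": TRUSTED_TO_AUTH_FOR_DELEGATION
    # (0x1000000) in userAccountControl. Without it the S4U2Self ticket is
    # not forwardable and the chain stops at the first hop.
    Set-ADAccountControl -Identity $account -TrustedToAuthForDelegation $true
    "{0}: {1}" -f $computer, ($chain[$computer] -join ', ')
}

# Audit: any account with this bit can obtain a service ticket for ANY domain
# user to the services it lists, so a compromised Web Interface can act as
# every user against the XML broker. Keep this list short and reviewed.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
             -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

The script replaces the allow-list rather than appending, so run it once with the complete farm list; the audit query at the end is the one to keep in a scheduled job, since every account it returns is effectively able to impersonate any user to the listed services.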
![Page 36: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/36.jpg)
Access Gateway configuration
• Create a Virtual Server and associate a server certificate.
• Bind the root certificate of the CA that issued the smart card certificates to the Virtual server as a CA certificate; AGEE validates the client certificate chain against it.
![Page 37: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/37.jpg)
Access Gateway configuration
• In the Virtual server's SSL parameters enable client authentication and set Client Certificate to Optional. Optional lets the TLS handshake complete for clients that present no certificate; the certificate authentication policy bound to the Virtual server still decides whether such a user is logged on.
![Page 38: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/38.jpg)
Access Gateway configuration
• Create an authentication profile of type certificate.
• In the User Name field specify the certificate attribute from which to extract the user name (the field that holds the AD account name; for smart card logon certificates this is normally the UPN in the Subject Alternative Name).
![Page 39: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/39.jpg)
Access Gateway configuration
• Create a session profile that will redirect users to the Web Interface after successful authentication.
• Specify the NetBIOS name of your domain as the Single Sign-on domain.
• Bind the session profile to your Virtual server.
![Page 40: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/40.jpg)
Web Interface Site
• Install a server certificate on the Web Server.
• Create a site and specify the path of the Web site.
![Page 41: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/41.jpg)
Web Interface Site
• Set the Authentication to take place at the Access Gateway and select the option “Enable Smart Card-pass-through”.
![Page 42: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/42.jpg)
Web Interface Site
• Once the site is created, you must restart your Web Interface server.
![Page 43: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/43.jpg)
Web Interface Site
• Specify your XML broker.
![Page 44: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/44.jpg)
Web Interface Site
• Finish the Web Interface site configuration and restart the Web Interface server.
![Page 45: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/45.jpg)
Web Interface Site
• Check if the Protocol Transition Service is running.
![Page 46: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/46.jpg)
Web Interface Site
• Configure the Secure Access to go through the Gateway.
![Page 47: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/47.jpg)
Web Interface Site
• Specify the FQDN of your Access Gateway Virtual Server.
![Page 48: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/48.jpg)
Web Interface Site
• Specify the Secure Ticket Authority servers on the Web Interface and AGEE.
![Page 49: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/49.jpg)
Limitations and solutions
![Page 50: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/50.jpg)
PIN prompt when launching a Published Application
• Cause: the user receives a PIN prompt when the ICA client connects to the AGEE Virtual server because client certificate authentication is enabled on it; the ICA client is asked for the smart card certificate and therefore for the PIN.
![Page 51: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/51.jpg)
PIN prompt when launching a Published Application
• Solution: create a second Virtual server with the same IP address and certificate but a different port, with client certificate authentication disabled.
• Bind the STA server specified on the Web Interface site to this Virtual server.
• Create a dummy authentication policy and bind it to this Virtual server so that users cannot log on to it directly; it only carries ICA proxy traffic presenting an STA ticket.
![Page 52: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/52.jpg)
PIN prompt when launching a Published Application
• Solution : On the Secure Access Settings of the Web Interface specify the new Virtual Server.
• All HTTP traffic will now go through the VIP on port 443 and ICA proxy traffic through port 444.
![Page 53: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/53.jpg)
Limitations of Kerberos Pass-through Authentication
• Issue: applications running on XenApp that depend on NTLM authentication prompt for credentials or fail, because the user's password never crosses the network in this design: the session was created from a Kerberos ticket obtained by S4U, so no password or NTLM hash is available to answer an NTLM challenge.
• Workaround: configure delegation so that the XenApp servers reach the targeted servers with Kerberos (constrained delegation to those services) instead of NTLM.
![Page 54: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/54.jpg)
Limitations of Kerberos Pass-through Authentication
• Issue: Kerberos pass-through authentication for applications expires if the XenApp session is left running for a very long time (typically one week, the default maximum ticket renewal lifetime) without being disconnected and reconnected.
• Workaround: force users to disconnect and reconnect before the Kerberos ticket expires, for example by limiting the session length.
![Page 55: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/55.jpg)
Troubleshooting
![Page 56: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/56.jpg)
Decrypt traffic between the Web Interface and AGEE
• Install Wireshark or another network sniffer on the Web Interface server.
• Retrieve the private keys for the Web Interface certificate and the AGEE Virtual server certificate. Treat the exported keys as secrets: do this in a test environment or with a dedicated troubleshooting certificate, and delete the copies when done.
• Configure the Wireshark SSL preferences to use the private keys to decrypt the traffic ( http://support.citrix.com/article/CTX116557 ). Decryption with the server key only works for sessions negotiated with RSA key exchange; with (EC)DHE cipher suites the server key does not reveal the session keys, so restrict the Virtual server and Web Interface to RSA cipher suites for the duration of the trace.
• Start a trace on the Web Interface server.
![Page 57: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/57.jpg)
Authentication process
1. The client opens a Web browser and enters the URL.
2. The user presents the client certificate to the portal page and clicks Logon.
3. AGEE extracts the user name from the certificate.
4. The client sends a GET request for the home page defined in the global SSL VPN settings or in a session profile. This communication is client to VIP.
5. AGEE sends the same GET to the Web Interface page login.aspx.
6. Web Interface answers with a 302 Found redirecting to agesso.aspx.
7. The client sends a GET for agesso.aspx to the VIP and the appliance forwards it to Web Interface.
8. Web Interface responds with 401 Unauthorized including a WWW-Authenticate header whose value should be CitrixAGBasic password_required="No" together with a ticket ID. If it reads "Yes", the site was not created with smart card pass-through enabled and AGEE would have to supply a password it does not have.
9. After the 401, the appliance sends another GET for agesso.aspx including an Authorization header. This header includes a hash value of the user name, domain and session ID. Web Interface responds with a 302 and sets the WIAuthID cookie.
10. Web Interface now POSTs to the Authentication Service URL configured for the site to validate the session with the appliance.
11. If everything succeeds the appliance responds with HTTP 200 and a SOAP envelope containing the SmartAccess farm name, the client IP address and a success status code.
12. The client sends a GET for default.aspx (client to VIP). The request contains the WIAuthID cookie and the Authorization header (hash of the user name and domain).
13. Web Interface contacts the XML broker to get the application list by sending a POST to CtxIntegrated/wpnbr.dll.
14. The XML broker returns the user's published application list to Web Interface.
15. Web Interface answers the GET from step 12 with a 200 response and the applications are enumerated in the client's browser.
![Page 64: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/64.jpg)
Check list
• Take a Network trace on the Web Interface.
• Check application Eventviewer on the Web Interface.
• Check your delegation settings on your Active Directory.
• Ensure that the option "Trust requests sent to the XML Service" is enabled on the XML broker; the request from Web Interface carries a token but no password, and the broker rejects it otherwise.
• Ensure that the root certificate of the CA that issued the AGEE Virtual server certificate is stored in the Trusted Root Certification Authorities store of the Web Interface server (Local Computer store, since it is the IIS application that calls back to AGEE).
• Ensure that the Web Interface can resolve the FQDN name of the Virtual server.
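The checklist above can be run as a script. The following is an added example, not part of the Citrix deck, meant to be executed in an elevated Windows PowerShell on the Web Interface server. The AGEE FQDN, broker name, test user UPN and the display-name pattern used to find the Protocol Transition Service are assumptions; adjust them to the environment.

```powershell
# Added example, not from the Citrix deck: walks the troubleshooting checklist
# from an elevated Windows PowerShell on the Web Interface server. The vserver
# FQDN, broker name, test UPN and PTS display-name pattern are assumptions.
$agVip  = 'ag.example.com'                 # FQDN of the AGEE virtual server (assumed)
$agPort = 443
$broker = 'xmlbroker01.corp.example.com'   # XML broker (assumed)
$probe  = 'alice@corp.example.com'         # a test user UPN (assumed)

# 1. Protocol Transition Service installed and running (display name assumed).
$pts = Get-Service | Where-Object { $_.DisplayName -like '*Protocol Transition*' }
if (-not $pts)                     { Write-Warning 'Protocol Transition Service not found' }
elseif ($pts.Status -ne 'Running') { Write-Warning "PTS status is $($pts.Status)" }
else                               { "PTS running: $($pts.DisplayName)" }

# 2. The WI server must resolve the vserver FQDN: it calls the Authentication
#    Service URL on AGEE during logon (steps 10-11 of the trace above).
try   { [System.Net.Dns]::GetHostAddresses($agVip) | ForEach-Object { "$agVip -> $($_.IPAddressToString)" } }
catch { Write-Warning "Cannot resolve ${agVip}: $_" }

# 3. TLS handshake to the vserver. Any certificate is accepted during the
#    handshake; the chain is then validated against the local stores, which
#    is exactly what fails when the CA root is missing from Trusted Root.
$tcp = New-Object System.Net.Sockets.TcpClient($agVip, $agPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
$ssl.AuthenticateAsClient($agVip)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
$ssl.Dispose(); $tcp.Close()
"Vserver certificate: $($cert.Subject), issuer $($cert.Issuer), valid until $($cert.NotAfter)"
if (-not $cert.Verify()) {
    Write-Warning 'Chain validation failed: import the issuing CA root into Cert:\LocalMachine\Root'
}
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $cert.Issuer } |
    ForEach-Object { "Issuer found in LocalMachine\Root: $($_.Thumbprint)" }

# 4. Delegation settings of this computer account: protocol transition must
#    be enabled and http/<broker> must be in the allow-list.
Import-Module ActiveDirectory
$me = Get-ADComputer $env:COMPUTERNAME -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
"Protocol transition enabled: $($me.TrustedToAuthForDelegation)"
"Allowed to delegate to: $(@($me.'msDS-AllowedToDelegateTo') -join ', ')"
if (@($me.'msDS-AllowedToDelegateTo') -notcontains "http/$broker") {
    Write-Warning "http/$broker is not in msDS-AllowedToDelegateTo"
}

# 5. S4U2Self probe: building a WindowsIdentity from a UPN sends the same kind
#    of request to the KDC that the PTS sends. An exception means the DC
#    rejected it or the UPN is wrong. The token level reported depends on the
#    privileges of the calling account, so in an admin shell it is informational.
try {
    $id = New-Object System.Security.Principal.WindowsIdentity($probe)
    "S4U logon for $($id.Name): token level $($id.ImpersonationLevel)"
} catch { Write-Warning "S4U2Self for $probe failed: $_" }

# 6. Recent Citrix errors and warnings in the Application log.
Get-EventLog -LogName Application -EntryType Error, Warning -Newest 50 |
    Where-Object { $_.Source -like 'Citrix*' } |
    Format-Table TimeGenerated, Source, Message -AutoSize -Wrap
```

Run it after each configuration change; a failure in step 3 or 4 explains most "401 then nothing" traces, and a failure in step 5 points at the KDC side (functional level, the computer account's delegation bit) rather than at AGEE or Web Interface.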
![Page 65: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/65.jpg)
Before you leave…
• Recommended related breakout session: SUM502 - XenApp and XenDesktop authentication (Lalit Kaushal)
• Session surveys are available online at www.citrixsynergy.com starting Thursday, 7 October
• Provide your feedback and pick up a complimentary gift card at the registration desk
• Download presentations starting Friday, 15 October, from your My Organiser Tool located in your My Synergy Microsite event account
![Page 66: Smart Card Single Sign On with Access Gateway Enterprise Edition](https://reader036.fdocuments.us/reader036/viewer/2022062301/56814588550346895db26bfe/html5/thumbnails/66.jpg)