XenMobile: Certificate Authentication for MAM-Only Mode

Certificate authentication is available for XenMobile MAM-only mode. Certificate authentication isn’t available for XenMobile ENT mode when users enroll in the legacy MAM mode. For more information about MAM-only mode, see New MAM-only mode.

To use certificate authentication in MAM-only mode, you must configure the Microsoft server, the XenMobile server, and then the NetScaler Gateway server. The following general steps are detailed in this article.

On the Microsoft server:

  1. Add a certificate snap-in to the Microsoft Management Console.
  2. Add the template to Certificate Authority (CA).
  3. Create a PFX certificate from the CA server.

On the XenMobile server:

  1. Upload the certificate to XenMobile.
  2. Create the PKI entity for certificate-based authentication.
  3. Configure credentials providers.
  4. Configure NetScaler Gateway to deliver a user certificate for authentication.

On NetScaler Gateway:

  1. Configure NetScaler Gateway for XenMobile MAM-only mode certificate authentication.

To add a certificate snap-in to the Microsoft Management Console

1. Open the console and then click Add/Remove Snap-Ins.

2. Add the following snap-ins:

  • Certificate Templates
  • Certificates (Local Computer)
  • Certificates – Current User
  • Certificate Authority (Local)

3. Expand Certificate Templates.

4. Select the User template and Duplicate Template.

5. Provide the Template display name.

Important: Do not select the Publish certificate in Active Directory check box unless required. If this option is selected, all user client certificates will be pushed/created in Active Directory, which might clutter your Active Directory database.

6. Select Windows 2003 Server for the template type. In Windows 2012 R2 server, under Compatibility, select Certificate authority and set the recipient as Windows 2003.

7. Under Security, select the Enroll option in the Allow column for the authenticated users.

8. Under Cryptography, make sure you provide the key size, which you will need to enter during XenMobile configuration.

9. Under Subject Name, select Supply in the request. Apply the changes and then save.

To add the template to Certificate Authority

1. Go to Certificate Authority and select Certificate Templates.

2. Right-click in the right pane and then select New > Certificate Template to Issue.

3. Select the template you created in the previous step and then click OK to add it into the Certificate Authority.

To create a PFX certificate from the CA server

1. Create a user .pfx cert using the service account with which you logged in. This .pfx will be uploaded into XenMobile, which will request a user certificate on behalf of the users who enroll their devices.

2. Under Current User, expand Certificates.

3. Right-click in the right pane and then click Request New Certificate.

4. The Certificate Enrollment screen appears. Click Next.

5. Select Active Directory Enrollment Policy and then click Next.

6. Select the User template and then click Enroll.

7. Export the .pfx file that you created in the previous step.

8. Click Yes, export the private key.

9. Select Include all certificates in the certification path if possible and select the Export all extended properties check box.

10. Set a password that you’ll use when uploading this certificate into XenMobile.

11. Save the certificate onto your hard drive.

To upload the certificate to XenMobile

1. In the XenMobile console, click the gear icon in the upper-right corner. The Settings screen appears.

2. Click Certificates and then click Import.

3. Enter the following parameters:

  • Import: Keystore
  • Keystore type: PKCS#12
  • Use as: Server
  • Keystore file: Click Browse to select the .pfx certificate you just created.
  • Password: Enter the password you created for this certificate.

4. Click Import.

5. Verify that the certificate installed correctly. It should display as a User certificate.

To create the PKI entity for certificate-based authentication

1. In Settings, go to More > Certificate Management > PKI Entities.

2. Click Add and then click Microsoft Certificate Services Entity. The Microsoft Certificate Services Entity: General Information screen appears.

3. Enter the following parameters:

  • Name: Type any name
  • Web enrollment service root URL: https://RootCA-URL/certsrv/
    Note: Be sure to add the last slash (/) in the URL path.
  • certnew.cer page name: certnew.cer (default value)
  • certfnsh.asp: certfnsh.asp (default value)
  • Authentication type: Client certificate
  • SSL client certificate: Select the RootCA that signed the XenMobile client certificate.

4. Under Templates, add the template that you created when configuring the Microsoft certificate. Be sure not to add spaces.

5. Skip HTTP Parameters and then click CA Certificates.

6. Select the User Certificate to be used to issue the XenMobile client certificate. This is part of the chain imported from the XenMobile client certificate.

7. Click Save.

To configure credentials providers

1. In Settings, go to More > Certificate Management > Credential Providers.

2. Click Add.

3. Under General, enter the following parameters:

  • Name: Type any name.
  • Description: Type any description.
  • Issuing entity: Select the PKI entity created earlier.
  • Issuing method: SIGN
  • Templates: Select the template added under the PKI entity.

4. Next, click Certificate Signing Request and then enter the following parameters:

  • Key algorithm: RSA
  • Key size: 2048
  • Signature algorithm: SHA1withRSA
  • Subject name: cn=$user.username

The subject name references the sAMAccountName. This enables NetScaler to use the User Name field for authentication.

5. For Subject Alternative Names, click Add and then enter the following parameters:

  • Type: User Principal name
  • Value: $user.userprincipalname

6. Click Distribution and enter the following parameters:

  • Issuing CA certificate: Select the Issuing CA that signed the XenMobile Client Certificate.
  • Select distribution mode: Select Prefer centralized: Server-side key generation.

7. For the next two sections — Revocation XenMobile and Revocation PKI — set the parameters as required. For the purpose of this article, both options are skipped.

8. Click Renewal.

9. For Renew certificates when they expire, select ON.

10. Leave all other settings as default or change them as required.

11. Click Save.

To configure NetScaler certificate delivery in XenMobile

1. Log on to the XenMobile console and click the gear icon in the upper-right corner. The Settings screen appears.

2. Under Server, click NetScaler Gateway.

3. If NetScaler Gateway isn’t already added, click Add and specify the settings:

  • External URL: https://YourNetScalerGatewayURL
  • Logon Type: Certificate
  • Password Required: OFF
  • Set as Default: ON

4. For Deliver user certificate for authentication, select On and then click Save.

5. For Credential Provider, select a provider and then click Save.

To configure NetScaler Gateway for certificate authentication

Follow these steps on your NetScaler appliance to configure certificate authentication in XenMobile in MAM-only mode.

1. Log on to NetScaler.

2. Under Configuration, go to Integrate with Citrix Products and then select XenMobile.

This opens a wizard to configure NetScaler features for your XenMobile deployment.

3. Choose XenMobile 10.

4. Click Get Started.

5. On the next screen, select Access through NetScaler Gateway and Load Balance XenMobile Servers and then click Continue.

6. On the next screen, enter the external-facing NetScaler Gateway IP address and then click Continue.

The Server Certificate for NetScaler Gateway screen appears.

7. You will either use an existing certificate or install one. Click Continue.

The Authentication Settings screen appears.

8. In the Primary authentication method field, select Client Certificate.

This will automatically select Use existing certificate policy and Cert Auth in the next two fields.

9. Select Click here to change the CA certificate and then in the Browse list, navigate to the CA certificate you want.

10. Leave Second authentication method as None and then click Continue.

11. On the Load Balancing screen, enter the XenMobile server FQDN and a MAM-only internal load balancing IP address.

12. If this is an SSL offload deployment, select HTTP in Communication with XenMobile Server.

The Split DNS mode for MicroVPN field will appear as BOTH.

13. Click Continue.

14. On the XenMobile Server Certificate screen, choose an existing server certificate or install a new certificate. If you’re running multiple XenMobile servers, you will add a certificate for each one. Click Continue.

15. On the Device certificate screen, if the certificate is not already installed, export it from the XenMobile console. To do so:

a. From the console, click the gear icon in the upper-right corner to open the Settings screen.

b. Click Certificate and then choose the CA certificate from the list.

c. Click Export.

d. Return to the NetScaler wizard and select the certificate you exported (downloaded) to install it.

e. Click Continue.

The XenMobile server IP addresses that you’ve configured will appear.

16. Click Continue.

On the NetScaler dashboard, confirm that NetScaler Gateway and XenMobile load balancing are configured.