How to Configure Certificate Based Authentication for XenMobile Service in Citrix Cloud

Certificate Based Authentication Cloud Service

Objective

The primary intent of this article is to provide the steps an admin follows to enable certificate-based authentication for XenMobile Service in Citrix Cloud.

Instructions

Terminology

Term   Definition
XMS    XenMobile Server
NS     NetScaler
NSG    NetScaler Gateway
FQDN   Fully Qualified Domain Name
CA     Certificate Authority

Pre-Requisites

  • A Citrix Cloud account is required.
  • A working XenMobile Service in Citrix Cloud.
  • An on-premises NetScaler configured to use the Citrix Cloud Connector (not IPSec).

Note: A domain name has already been added to the Citrix XenMobile Cloud instance using the Cloud Connector. In this document, metglobal.net has already been added to the instance this way, and device enrollment already works with the domain-only authentication method.

Note: All screenshots in this document are for representational purposes only.

1.    Uploading the Certificate to XMS.
STEP 1 Log in to the XenMobile Cloud instance using admin credentials and navigate to Settings – Certificates – Import
Set the following parameters:

  • Import: Keystore
  • Keystore type: PKCS#12
  • Use as: Server
  • Keystore file: Your XenMobile ClientCertificate.pfx
  • Password: Type the private key passphrase

STEP 2 Click Import.
STEP 3 Once imported, verify that the certificate was installed correctly. It is displayed as a “Users” certificate.

2.    Configuring Certificate Based Authentication in XMS.
2.1.    Configuring PKI Entities.
STEP 1 To configure PKI entities under the XenMobile Cloud instance, navigate to Settings – PKI Entities – Add – Microsoft Certificate Services Entity
STEP 2 Enter the following parameters and click Next.

  • Name: Type a name.
  • Web enrollment service root URL: https://RootCA-URL/certsrv/
    Note: Add the trailing slash (/) at the end of the URL path.
  • certnew.cer page name: certnew.cer (default value)
  • certfnsh.asp: certfnsh.asp (default value)
  • Authentication type: Client certificate
  • SSL client certificate: Select the user certificate uploaded in Section 1. XenMobile uses it to authenticate to the CA web enrollment service when issuing XenMobile client certificates.
  • Use Cloud Connector: ON
  • Resource Location: Select the appropriate option from the drop-down menu.
  • Allowed Relative Paths: Type /certsrv/*

STEP 3 Click Test Connection to test the connectivity between XMS and the CA server.
STEP 4 Under Templates, add the template that you created when configuring the Microsoft CA (see Pre-Requisites).
STEP 5 Click Next to move to the CA Certificates section.
STEP 6 Select the Issuing CA name that corresponds to your environment. This Issuing CA is part of the chain imported with the XenMobile client certificate.
STEP 7 Click Save.
2.2.    Configuring Credential Providers.
STEP 1 To configure Credential Providers, navigate to Settings – Credential Providers – Add
STEP 2 Under General, enter the following parameters:

  • Name: Type a name.
  • Description: Type a description.
  • Issuing entity: Select the PKI entity created in Section 2.1.
  • Issuing method: SIGN
  • Templates: Select the template added under the PKI entity.

STEP 3 Click Certificate Signing Request and then enter the following parameters:

  • Key algorithm: RSA
  • Key size: 2048
  • Signature algorithm: SHA1withRSA
  • Subject name: cn=$user.username

Note: Key size and signature algorithm can be set to match the CA server configuration.
For Subject Alternative Names, click Add and then enter the following parameters:

  • Type: User Principal name
  • Value: $user.userprincipalname

STEP 4 Click Distribution and enter the following parameters:

  • Issuing CA certificate: Select the Issuing CA that signed the XenMobile client certificate.
  • Select distribution mode: Select “Prefer centralized: Server-side key generation”.

STEP 5 For the next two sections, Revocation XenMobile and Revocation PKI, set the parameters as required. Both are skipped for the purpose of this article.
STEP 6 Click Renewal. Set Renew certificates when they expire to ON. Leave all other settings at their defaults or change them as required.
STEP 7 Click Save.

3.    Credential Policy.

Note: The credential policy is created to test whether the certificate is generated successfully.

STEP 1 To create a Credential Policy, refer to this article:
https://docs.citrix.com/en-us/xenmobile/10-4/policies/credentials-policy.html
STEP 2 To check that the policy deployment succeeded, navigate to XenMobile Cloud Instance – Manage – Devices and search for the device on which the policy is deployed.
STEP 3 Select the device – Edit – Assigned Policies
STEP 4 If the credential policy is deployed successfully, the user certificate is being generated on the CA server and delivered to the device.

If the credential policy fails, refer to the following blogs for troubleshooting.
iOS: https://www.citrix.com/blogs/2016/08/16/mobility-experts-troubleshooting-xenmobile-enrollment-on-ios/
Android: https://www.citrix.com/blogs/2016/08/12/mobility-experts-xenmobile-android-enrollment-issues-and-troubleshooting/

4.    NSG Configuration for Domain + Certificate Based Authentication on XMS.
STEP 1 To enable the NetScaler Gateway feature for the XenMobile Cloud instance, open a support case with the Citrix XenMobile Support Team:
https://www.citrix.com/support/open-a-support-case/
Note: By default this feature is disabled in the XMS Cloud instance. Once it is enabled, the option appears under XMS Settings.
STEP 2 Navigate to XMS Cloud Instance – Settings – NetScaler Gateway
Enter the following parameters:

  • Authentication: ON
  • Deliver user certificate for authentication: ON
  • Credential Provider: Select the Credential Provider created in Section 2.2

STEP 3 Click Add, enter the following parameters, and click Save.

  • Name: Type any name
  • Alias: Optional
  • External URL: Type the NSG URL
  • Logon Type: Select Certificate and domain
  • Password Required: ON
  • Set as Default: ON

STEP 4 Click Save.

5.    Enabling NSG for Certificate Based Authentication.
STEP 1 To configure NetScaler Gateway for certificate-based authentication, navigate to NetScaler console – NetScaler Gateway – Virtual Servers, then select and edit the XenMobile Gateway virtual server.

Note: This assumes that domain authentication is already configured. The steps below show only how to enable certificate-based authentication.

STEP 2 Navigate to the Certificate section – CA certificate – under CA Certificate Binding, click +

STEP 3 Enter the following information and click Install
  • Certificate-Key Pair Name: Provide a name
  • Certificate File Name: Select Local and upload the CA certificate

STEP 4 Select OCSP Optional under CRL and OCSP Check and click Bind.

STEP 5 Navigate to Basic Authentication – click + – add the following details under Policies and click Continue.
  • Choose Policy: CERTIFICATE
  • Choose Type: Primary

STEP 6 Click + to create a policy.

STEP 7 Enter a name and click + to create the cert profile.
STEP 8 To create the Authentication Cert Profile, enter the following information and click Create.
  • Name: Enter a name
  • Two Factor: ON
  • User Name Field: Subject:CN
  • Group Name Field: SubjectAltName:PrincipalName

STEP 9 Add the expression “NS_TRUE” and click Create

STEP 10 Click Bind.
STEP 11 Navigate to SSL Parameters – Edit – Enable Client Authentication – select Client Certificate Mandatory – OK

STEP 12 Click Done and save the configuration.
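The three certificate-related settings in this article (the PKCS#12 keystore imported in Section 1, the CSR parameters in Section 2.2, and the cert profile fields Subject:CN and SubjectAltName:PrincipalName in Section 5) can be checked offline with OpenSSL. The script below is an added example, not Citrix code and not part of the original article: it builds a throw-away issuing CA in place of the Microsoft CA, issues a user certificate with CN=<username> and the UPN in the Subject Alternative Name, packages it as a .pfx, and then reads back exactly the values NetScaler Gateway extracts. All names and values (Lab Issuing CA, jdoe, jdoe@metglobal.net, the changeit passphrase) are constructed sample values, and the only requirement is an openssl binary (1.1.1 or later). It signs with SHA-256 rather than the SHA1withRSA shown in Section 2.2, since the article notes that the algorithm follows the CA configuration and current CAs and clients reject SHA-1 signatures.

```shell
#!/bin/sh
# Added lab example (not Citrix code): builds a throw-away PKI with OpenSSL so the
# settings in the article can be checked offline. Every name below (Lab Issuing CA,
# jdoe, jdoe@metglobal.net, changeit) is a constructed sample value.
set -eu

WORK=$(mktemp -d)
USERNAME=jdoe                 # stands in for $user.username          -> Subject CN
UPN="jdoe@metglobal.net"      # stands in for $user.userprincipalname -> SAN UPN
PFX_PASS=changeit             # the Password typed when importing the keystore

# Sections 1 and 2.2: issue a client certificate the way the Credential Provider does
# (RSA 2048, CN=<username>, SAN otherName UPN) and package it as a PKCS#12 keystore
# holding the certificate, its private key and the issuing CA chain.
make_lab_pki() {
  [ -f "$WORK/client.pfx" ] && return 0

  # Throw-away issuing CA standing in for the Microsoft CA. A self-contained config
  # is used so the run does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' 'prompt = no' \
    '[dn]' 'CN = Lab Issuing CA' \
    '[ca_ext]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' \
    > "$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.cer" 2>/dev/null

  # CSR settings from section 2.2; the UPN goes into the SAN as Microsoft's
  # otherName OID 1.3.6.1.4.1.311.20.2.3 (what NetScaler calls PrincipalName).
  printf '%s\n' '[req]' 'distinguished_name = dn' 'req_extensions = client_ext' 'prompt = no' \
    '[dn]' "CN = $USERNAME" \
    '[client_ext]' 'extendedKeyUsage = clientAuth' \
    "subjectAltName = otherName:1.3.6.1.4.1.311.20.2.3;UTF8:$UPN" \
    > "$WORK/client.cnf"
  openssl req -new -config "$WORK/client.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null

  # The CA signs the request. The extensions are re-applied from the same section
  # because "openssl x509 -req" does not copy them from the CSR on older builds.
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/client.cnf" -extensions client_ext \
    -out "$WORK/client.cer" 2>/dev/null

  # PKCS#12 keystore as imported in section 1: cert + key + issuing chain, protected
  # by the passphrase typed into the Password field.
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.cer" \
    -certfile "$WORK/ca.cer" -name "xenmobile-client" -passout "pass:$PFX_PASS" \
    -out "$WORK/client.pfx"
}

# Number of certificates in the keystore; 2 means the issuing CA travels with the
# client certificate, which is what makes it selectable as Issuing CA in section 2.1.
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/client.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# CSR parameters from section 2.2, read back from the request itself.
csr_key_bits() {
  openssl req -in "$WORK/client.csr" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}
csr_signature_algorithm() {
  openssl req -in "$WORK/client.csr" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# What the cert profile in section 5 extracts with "User Name Field = Subject:CN".
cert_username() {
  openssl x509 -in "$WORK/client.cer" -noout -subject -nameopt RFC2253 | sed -n 's/^subject=CN=//p'
}

# "Group Name Field = SubjectAltName:PrincipalName": confirm an otherName SAN exists and
# carries the UPN. OpenSSL 1.1.1 prints it only as "othername:<unsupported>", so the
# value is located in the DER bytes instead of parsed from the text dump.
cert_has_upn() {
  openssl x509 -in "$WORK/client.cer" -noout -text | grep -q 'othername' &&
  openssl x509 -in "$WORK/client.cer" -outform DER | tr -c '[:print:]' '\n' | grep -q "$UPN"
}

# The CA certificate bound to the gateway (section 5, STEP 3) must validate the client cert.
cert_chain_ok() {
  openssl verify -CAfile "$WORK/ca.cer" "$WORK/client.cer" >/dev/null 2>&1
}

make_lab_pki
echo "certificates in keystore : $(pfx_cert_count)"
echo "CSR key size / signature : $(csr_key_bits) bit, $(csr_signature_algorithm)"
echo "Subject:CN (user name)   : $(cert_username)"
cert_has_upn && echo "SAN PrincipalName        : $UPN"
cert_chain_ok && echo "chain to issuing CA      : OK"
```

Run it with sh. pfx_cert_count must report 2 (client certificate plus issuing CA); cert_username is the value the gateway's User Name Field Subject:CN yields for the logon; cert_has_upn confirms the SAN otherName that Group Name Field SubjectAltName:PrincipalName reads; cert_chain_ok mirrors the validation the gateway performs against the CA certificate bound in STEP 3. The same openssl pkcs12 and openssl x509 commands can be pointed at a real .pfx before importing it in Section 1 to confirm the chain is complete and the subject and SAN are what the cert profile expects.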

6.    Validation

STEP 1 Once XMS and NSG are configured for certificate-based authentication, users can enroll their devices to validate the configuration.

If enrollment succeeds, navigate to XenMobile Admin Console – Manage – search for the device.

STEP 2 Select the device – Edit – Delivery Groups

Under the delivery group’s Action, you can see that the certificate is requested and delivered for NetScaler Gateway authentication.

STEP 3 If the user experiences issues when enrolling the device, refer to the Citrix blogs for troubleshooting.

iOS: https://www.citrix.com/blogs/2016/08/16/mobility-experts-troubleshooting-xenmobile-enrollment-on-ios/

Android: https://www.citrix.com/blogs/2016/08/12/mobility-experts-xenmobile-android-enrollment-issues-and-troubleshooting/