Objective
Instructions
Terminology
| Term | Defination |
| XMS | XenMobile Server |
| NS | NetScaler |
| NSG | NetScaler Gateway |
| FQDN | Fully Qualified Domain |
| CA | Certificate Authority |
1. Pre-Requisites
- A Citrix Cloud account is required.
- Working XenMobile Service in Citrix Cloud.
- On-Premise NS configured (using Citrix Cloud Connector and not IPSec)
Note: – A domain name is already added to the Citrix XenMobile Cloud instance using the Cloud Connector. In this document, metglobal.net is already added to the Citrix XenMobile Cloud Instance using the Cloud Connector. Also, device enrollment is functional using domain-only authentication method.
- To create and configure XenMobile Template on MS CA: https://support.citrix.com/article/CTX220328
- To export Root CA and Subordinate CA: https://technet.microsoft.com/en-in/library/dd261928.aspx
Note: All screenshots in this document are for representational purposes only.
1. Uploading the Certificate to XMS.
| STEP 1 | Login to XenMobile Cloud Instance using Admin Credentials and navigate to Settings – Certificates – Import Set the following parameters: |
· Import: Keystore
· Keystore type: PKCS#12
· Use as: Server
· Keystore file: Your XenMobile ClientCertificate.pfx
· Password: Type the PrivateKey Passphrase
STEP 2Click Import.STEP 3Once imported, verify the certificate was installed correctly. It would display as a “Users” certificate.
2. Configuring Certificate Based Authentication in XMS.
2.1. Configuring PKI Entities.
| STEP 1 | To configure PKI entities under the XenMobile Cloud Instance, navigate to Settings – PKI Entities – Add – Microsoft Certificate Services Entity
|
| STEP 2 | Enter the following parameters and click Next.
|
| STEP 3 | Click Test Connection to test the connectivity between XMS and the CA Server.
|
| STEP 4 | Under Templates, add the template that you have created when configuring the Microsoft CA in Pre-requisites.
|
| STEP 5 | Click Next and to move to CA Certificates Section. |
| STEP 6 | Select the Issuing CA name that corresponds to your environment. This Issuing CA is part of the chain imported from the XenMobile client certificate.
|
| STEP 7 | Click Save. |
2.2. Configuring Credential Providers.
| STEP 1 | To configure Credential Providers, navigate to Settings – Credential Providers – Add
|
| STEP 2 | Under General, enter the following parameters:
|
| STEP 3 | Click Certificate Signing Request and then enter the following parameters:
Note: – Key size and Signature algorithm can be set as per CA server configuration.
|
| STEP 4 | Click Distribution and enter the following parameters:
|
| STEP 5 | For the next two sections — Revocation XenMobile and Revocation PKI — set the parameters as required. For the purpose of this article, both options are skipped. |
| STEP 6 | Click Renewal. For Renew certificates when they expire, select ON. Leave all the other settings as default or change them as required. |
STEP 7Click Save.
3. Credential Policy.
Note: – The aim of creating credential policy is to test if the certificate is getting generated successfully.
| STEP 1 | To create Credential Policy, refer article: https://docs.citrix.com/en-us/xenmobile/10-4/policies/credentials-policy.html |
| STEP 2 | To Check the Policy deployment is successful, navigate to XenMobile Cloud Instance – Manage – Devices – Search for the device (On which the policy is deployed) |
| STEP 3 | Select the Device – Edit – Assigned Policies
|
| STEP 4 | If the Credential policy is deployed successfully, it means user certificate is getting generated on CA server and getting deployed on the device successfully.
If the Credential Policy is getting failed, refer to below blogs for troubleshooting. |
4. NSG Configuration for Domain + Certificate Based Authentication on XMS.
| STEP 1 | To enable NetScaler Gateway feature for XenMobile Cloud Instance, open a support case with Citrix XenMobile Support Team. https://www.citrix.com/support/open-a-support-case/ Note: – By default this feature is Disabled in XMS Cloud Instance. Once this feature is enabled, Admin would be able to see this option under XMS Settings. |
| STEP 2 | Navigate to XMS Cloud Instance – Settings – NetScaler Gateway Enter the below parameters; Authentication: ON Deliver user certificate for authentication: ON Credential Provider: Select the Credential Provider created in Section 2.2 |
STEP 3Click Add
Enter the below parameters; and Click Save.
Name: Type Any Name
Alias: Optional
External URL: Type NSG URL
Logon Type: Select Certificate and domain
Password Required: ON
Set as Default: ON
STEP 4Click Save.
5. Enabling NSG for Cert Based Authentication.
| STEP 1 | To configure NetScaler Gateway for Certificate based Authentication, Navigate to NetScaler console – NetScaler Gateway – Virtual Servers – Select and Edit XenMobile Gateway Virtual Server
Note: Assuming you already have Domain Authentication configuration already in place. Only enabling Certificate based authentication is shown in the below steps. |
| STEP 2 | Navigate to Certificate Section – CA certificate – Under CA Certificate Binding – Click +
|
| STEP 3 | Enter below information and click Install Certificate-Key Pair Name :- Provide Name Certificate File Name :- Select Local and upload the CA certificate |
STEP 4Select OCSP Optional under CRL and OCSP Check and click Bind.
STEP 5Navigate to Basic Authentication – Click on + – Add below details under Policies and click Continue.
Choose Policy :- CERTIFICATE
Choose Type :- Primary
STEP 6
Click + – To create Policy.
STEP 7Enter Name and click + to create cert profileSTEP 8To create Authentication Cert Profile, enter below information and click on Create.
Name :- Enter Name
Two Factor :- ON
User Name Field :- Subject:CN
Group Name Field :- SubjectAltName:PrincipalName
STEP 9
Add Expression as “NS_TRUE” and click Create
STEP 10Click BindSTEP 11
Navigate to SSL Parameters – Edit – Enable Client Authentication – Select Client Certificate Mandatory – OK
STEP 12Click Done and Save the configuration.
| STEP 1 | Once the XMS and NSG are configured for certificate based authentication, user can now enroll their devices to validate the configuration.
If enrolled successfully, navigate to XenMobile Admin Console à Manage à Search for the device. |
| STEP 2 | Select the Device – Edit – Delivery Groups
Under the Delivery group’s Action, user can see the certificate is requested and delivered for the NetScaler Gateway authentication. |
| STEP 3 | If the user experiences issues when enrolling the device, refer to the Citrix blogs for troubleshooting.
|