Citrix Systems Projector 3 User's Manual
Contents
1.2. atform OS S C Prroductt Version RSA Authentication Manager Windows 2003 Ent HS 6 0 60 i RSA SecurID for Microsoft Windows Windows 2003 Ent HS 6 0 60 RSA Native RADIUS Protocol Protocol 1 time auth node secret creation OO P o New PIN mode User forced to authenticate after NewPin set System generated Non PINPAD token PINPAD token User defined 4 8 alphanumeric Non PINPAD token Password User defined 5 7 numeric Non PINPAD token PINPAD token Software token Deny invalid PIN length Deny Alphanumeric gjg Z gt gt gt User selectable Non PINPAD token PINPAD token PASSCODE 16 Digit PASSCODE 4 Digit Password Pin less TokenCode Next Tokencode mode Non PINPAD token PINPAD token Software Token API Authentication New PIN mode 8 Digit PIN with 8 Digit TokenCode Failover User Lock Test RSA Name Lock Function No RSA Authentication Manager ATB Pass Fail or N A N A Non available function See Known Issue 2 for details SecurID 8 8 Known Issues 1 Node Secret Permissions If the Web Interface does not have permission to write the node secret into the registry authentication will succeed once then fail with a Node verification failure If the node secret is cleared from the Authentication Manager console authentication will again succeed one time This happens due to the fact that the RSA Authentication Manager send
3. an end to end trusted and secured solution for an enterprise Authentication Methods Supported Native RSA SecurlD Authentication RSA Authentication Agent Library Version 9 0 3 RSA Authentication Manager Name Locking Yes RSA Authentication Manager Replica Support Full Replica Support secondary RADIUS Server Support N A Location of Node Secret on Client In Registry RSA Authentication Agent Host Type Net OS RSA SecurlD User Specification All Users RSA SecurlD Protection of Partner Product Administrators No RSA Software Token API Integration auth i Lo eee YY ICA Client MetaFrame Presentation Server s Authentication Manager ICA RSA Authentication Agent _ securlD SecurID 2 4 Product Requirements Hardware requirements Component Name MetaFrame Presentation Server 400 500MB depending on install options Software requirements Component Name MetaFrame Presentation Server Operating System Version Patch level Windows 2000 Server Adv Server Datacenter Server Windows 2003 Server Enterprise Server Datacenter Server JRE 1 4 1_ 02 or later Component Name MetaFrame Presentation Server Web Interface Operating System Version Patch level Windows 2000 SP4 IIS 5 0 Windows Server 2003 IIS 6 0 1 NET Framework i 4 1 02 or later Visual J NET ASP NET ee Current requirements for specific patches are listed
4. filled in as you leave the Name field o For Agent Type select Net OS Agent o Under Secondary Nodes define all other hostname IP addresses that resolve to the MPS Web Interface if needed Note It s important that all hostname and IP addresses resolve to each other Please reference the RSA Authentication Manager documentation for detailed information on this and other configuration parameters within this screen You can also select the Help button at the bottom of the dialog SecurID 4 6 Partner RSA Authentication Agent configuration This section provides instructions for integrating the partners product with RSA SecurlD authentication This document is not intended to suggest optimum installations or configurations It is assumed that the reader has both working knowledge of the two products to perform the tasks outlined in this section and access to the documentation for both in order to install the required software components All products components need to be installed and working prior to this integration Perform the necessary tests to confirm that this is true before proceeding For this integration the products involved would be v RSA Authentication Manager gt RSA Authentication Agent for Windows gt Citrix MetaFrame Presentation Server gt Citrix MetaFrame Presentation Server Web Interface RSA Authentication Agent Installation For the purposes of this integration the RSA Authenticati
5. e M Enforce 2 factor authentication C Safeword PSA SecuriD MetaFrame ticket time to live 200 seconds Save your changes and then click the Apply Changes button SecurID 6 Logging into Web Interface Once these changes have been applied you will be able to log into Web Interface using RSA SecurlD authentication All Web Interface users will be challenged and this is not configurable When using RSA SecurlD authentication users will be prompted for their PASSCODE in addition to their username and password E MetaFrame Presentation Server Microsoft Internet Explorer File Edit View Favorites Tools Help Web Interface for MetaFrame Presentation Server Welcome Please log in Usemame as To log in to MetaFrame Presentation Server Password enter the credentials required and then click Log In Domains pens E parsans If you do not know your login information PASSCODE please contact your help desk or system administrator Enable reconnect at login Message Center Disconnected and Active Applications a The Message Center displays any informational or error messages that may occur For additional information on the configuration of the MPS Web Interface with RSA SecurlD authentication see the Web Interface Administrator s Guide SecurID 7 7 Certification Checklist Date Tested December 23 2004 Tested Certification Environment Prodat Cis CS Ci SC
6. eee RSA SecurlD Ready Implementation Guide Last Modified December 23 2004 1 Partner Information Product Description Citrix MetaFrame Presentation Server is the easiest way to manage enterprise applications from a central location and access them from anywhere The foundation of the MetaFrame Access Suite Citrix MetaFrame Presentation Server is the world s most widely deployed presentation server for centrally managing heterogeneous applications and delivering their functionality as a service to workers wherever they may be The Web Interface for MetaFrame Presentation Server extends this access to standard web browsers increasing user mobility and flexibility MetaFrame CITRIX ACCESS SUITE 2 Contact Information Sales Contact Support Contact a 800 4CITRIX US 800 4CITRIX US 954 267 3000 International 954 267 3000 International www citrix com www citrix com SIN SecurlD l 3 Solution Summary Citrix MetaFrame Presentation Server provides access to enterprise applications to local remote and mobile users over a variety of transports One of these transports is HTTP Users can utilize a standard web browser to access published resources via the Web Interface for MetaFrame Presentation Server When exposing enterprise data companies are concerned about positively identifying users attempting to access that data Using strong two factor authentication RSA Authentication Manager creates
7. in the MetaFrame Presentation Server 3 0 for Windows Pre Installation Checklist The most current version of this as well as any update bulletin is available on the Citrix web site The redistributable files for these frameworks are included on the MetaFrame Presentation Server CD ROM in the support folder SecurID 5 RSA Authentication Manager Configuration If your Web Interface server is not already registered as an agent host add it to the RSA Authentication Manager database as follows o Goto Start gt Programs gt RSA ACE Server and then Database Administration Host Mode o Then from the Agent Host menu choose Add Agent Host Edit Agent Host Ea Name Network address 10 100 50 59 site Select Agent type Communication Server Single lransaction Comm Server Net OS Agent Encryption Type SDI DES i Node Secret Created M Open to All Locally Known Users Search Other Realms for Unknown Users M Requires Name Lock M Enable Offline Authentication M Enable Windows Password Integration Create Verifiable Authentications Group Activaons User Activallons secondary Nodes Delete Agent Host Edit Agent Host Extension Data Assign Change Encryption Key Assign Acting Servers Create Node Secret File Cancel Help o In Name type the hostname of the MPS Web Interface o In Network address type the IP address of the MPS Web Interface if it is not automatically
8. o write the node secret into the registry the following local machine accounts must have full access to this key ASPNET IUSR_machinename and IWAM _machinename For more information on this see Known Issue 1 To enable SecurlD authentication for users logging into the Web Interface use the Web Interface Admin Tool After starting the tool click the Authentication link in the menu bar on the left side of the page Web Interface for ee a re ae simerecnen TRC Presentation Server Lise this page to specify the authentication methods that will be available to General Settings users when they log in If silent login is used the Web Interface will choose an authentication method automatically Guthentication Work sp ai amp Control Methods for authenticating to the Web Interface C Anonymous login Smart card with Single sign on Smart card C Single sign on Selected Farm Paneta E Explicit login Manage Farms Use Windows authentication i Eaman C Do not display domain field at the login form DMZ Settings Lagin Domain List Login domain Client Settings Save Cancel Ensure that the Explicit login box is checked to force users to supply a username and password to Web Interface In the settings box at the bottom of the page check the Enforce 2 factor authentication and select RSA SecurlD Explicit login settings Allow user to change password only when it expires at any tim
9. on Agent for Windows was installed as a local authentication client LAC This option must be explicitly selected during installation since it is not the default ji RSA ACE Agent for Windows Custom Setup Select the components you want to install To change how a Feature is installed click an icon in the Following list E Xr Domain Authentication Client Gomnponenmt Vescriiption This component enables a workstation to participate in an R54 SecurlD protected Windows domain x j Domain Authentication Server Ta E Local Authentication Client a x Remote Authentication Server oe M R54 Security EAP Client This component requires 4364KB6 on your hard drive It has 0 of 1 subcomponents selected The subcomponents require 27040KB on your hard drive Installshield Help lt Back Cancel Note Installation of the Authentication Agent is only required to ensure that the appropriate DLLs for SecurlD authentication are available to the Web Interface SecurlID module Even though the agent used in this integration was v6 0 any agent v5 0 or later should work SecurID Enabling SecurlD Authentication for the MPS Web Interface Prior to enabling RSA SecurlID authentication verify the permissions on the node secret Launch regedt32 navigate to HKLM SOFTWARE SDTI ACECLIENT right click on it and select Permissions In order for the Web Interface to be able t
10. s the node secret to an agent host following the first successful authentication from that host From that point on the RSA Authentication Manager requires all traffic from that host to be protected using the supplied node secret Previously simply installing the RSA Authentication Agent prior to installing the Web Interface was enough to guarantee that the permissions for node secret were modified correctly Under Windows 2003 and IIS 6 0 this does not appear to be the case Currently the local machines ASP NET account ASPNET Internet Guest account IUSR_machinename and the Launch IIS Process Account IWAM_machinename are required to have full access to the node secret key Information concerning this issue is also available from the Citrix support site in document CTX102226 titled Error The credentials supplied were invalid Please try again Invalid PIN not rejected During certification testing it was noticed that the Web Interface was not properly validating user entered PINs When system settings on the RSA Authentication Manager were modified to restrict PINs to between 5 and 7 digits the Web Interface accepted PINs of length 4 and 8 These PINs are rejected by the RSA Authentication Manager but no error is returned to the user leaving them ina confusing state Also when alphanumeric PINs are disabled the same behavior is exhibited The easiest work around for this issue is to use system generated PINs SecurID 9
Download Pdf Manuals
Related Search