Bruce Huber
Citrix Systems, Inc.
Citrix MetaFrame Password Manager 2.0
Installation and Configuration
Lead Sales Engineer
Non Disclosure Agreement
This presentation is confidential. By virtue of your relationship with Citrix, you are bound to retain in confidence all information in this presentation.
Agenda
Introduction slides 15 mins.
Technical Detail slides 30 mins.
Q & A 5 mins.
Credentials, Credentials & more Credentials
Where do the credentials end up?
What is Single Sign-On?
User authenticates ONCE and gains access to multiple secured applications/resources
User needs to remember only ONE set of credentials
Application credentials automatically (and securely) handled by the system
Who Needs Single Sign-on?
“I already have single sign-on. I use the same password everywhere!”
- Anonymous
Introducing: Citrix MetaFrame Password Manager
What is MetaFrame Password Manager?
Single Sign-On solution for:
– MetaFrame Presentation Server Deployment
– Desktop Deployment
– Mixed Deployment (MetaFrame Presentation Server + Desktop)
User only needs to remember primary credentials
Handles all secondary logons and password change requests automatically
End users and administrators can configure applications using an easy-to-use wizard
Central administration and control
Meets all traveling/mobile user needs
MetaFrame Password Manager Benefits
Simplification of end-user computing
– Only need to remember a single set of credentials
– Automatic password changes
Reduction of help-desk costs
– Eliminating calls for password resets
– Simplifying password management
Increase in network security
– Helps enforce stricter password policies
– Eliminates weak password selection
– No more Post-It Notes!!!
– No sharing of passwords
“Each time an end-user calls the help desk, it costs the organization $25-$50.” - Giga Research
“Majority of end users end up writing down their passwords.”
“30 percent of all calls to the help desk are for password resets” - Gartner Group
How does it work?
Features
Designed to work seamlessly with:
• MetaFrame Presentation Server XP
• Web Interface for MetaFrame
• MetaFrame Secure Access Manager
• All ICA clients
Features
Provides password security and single sign-on access
• No application modification needed
• No programming or scripting required
• Predefined templates
• Create your own application definitions
Benefits
Enterprise-level Single Sign-on
• Rapidly SSO-enable Applications
• Centralized Configuration
• Access Security
• Reduced Help Desk Costs
Components
• The Management Console is used to administer the MetaFrame Password Manager environment
• The ‘Agent’ resides with the applications that need credentials filled in
Authentication
Windows Authentication including Active Directory
Graphical Identification & Authentication (GINA) Chaining
Deployment Options
• Workstation
• MetaFrame XP Presentation Server
• Mixed Mode
Types of Central Credential Stores
• MS File Share
- CtxFileSyncPrep
OR
• MS Active Directory
- CtxSchemaPrep
- CtxDomainPrep
Technical Overview
MetaFrame Password Manager Functional Components
Administrative tool to centrally manage MetaFrame Password Manager deployment
Configures applications and user settings
Pushes settings into Central Credential Store for Agents to synchronize from
MetaFrame Password Manager Functional Components
Stores all settings configured by administrators
Based on Active Directory or Network File Share
Agent synchronizes settings from credential store
All credentials stored encrypted using Microsoft Crypto API
MetaFrame Password Manager Functional Components
Client/Desktop component
Synchronizes settings from Credential Store
Has its own local credential store for offline/mobile use
Detects logon and change password events
Automatically fills in secondary credentials and changes passwords for end users
MetaFrame Password Manager Architectural Components
Architectural Benefits
Event-driven Client Side Intelligence
– No scripts or connectors
– No changes to applications
– Automatically detects logon and password change events
Authentication
– Support for strong authentication
– No need for additional authentication servers
Architectural Benefits (cont.)
Synchronization
– Centralized management
– Integration with existing infrastructure (Active Directory, File System)
– Local credential store on agent for offline/mobile Single Sign On
Encryption
– Credentials stored securely
– Support for standard 3DES encryption
Authentication
Functions
– Gets credentials and passes them to get the user authenticated
– Unlocks credential store
– Passes credentials to the Shell on request
Primary authentication managed by the operating system
Password Manager GINA (SSOGINA) added for pre-processing
– Captures credentials and passes them to shell in order to unlock credential databases (local and central credential store)
– Passes credentials to existing GINA for authentication
Authentication performed by existing GINA
– MSGINA for standard Windows 2000/2003
– Other custom GINA for smart card or biometric devices
NOTE: Microsoft Password Policy settings should be used to enforce high standards for primary authentication (password length, age, complexity)
Multi-Factor Authentication
Something you know + something you have
Examples: Time-synchronous tokens, smart cards, biometric scanners, proximity badges
A variety of strong authenticators have been successfully tested for interoperability with Password Manager
Re-authentication
Timer after which end users have to re-authenticate to the Agent
– Administratively controlled setting
Administrator can force reauthentication when users access certain applications
Helps administrators build tighter security
– End users may forget to log-off or lock the system
End users still need to only remember one set of credentials
Primary Authentication Process
Re-authentication
Ships with Windows Authenticator
Validates credentials using existing systems
Conduit between Authentication Service and Shell
[Diagram: Primary Authentication Process. Welcome!/Logon Screen → Shell (first-time use) → Authenticator API (response) → Crypto API → Credential Manager → Local Credential Storage; the primary credentials provide the encryption key, trigger Data Synchronization and unlock the secondary credentials used for SSO]
Data Synchronization
[Diagram: Local Credential Storage synchronizing with the central store, either Microsoft Active Directory (Domain and OU containers) or a File server]
Benefits
• Enables mobility for end users
• Eases deployment of application configurations and settings
• Centralizes administration
Data Synchronization (cont.)
Keeps local and central credential stores in sync
Latest version of the store overwrites settings
– All changes have time-stamps
– Similar to MS Profile
Always initiated by the Agent based on administrative configuration
Allows administrator to push application configuration and agent settings to end users
Data Synchronization (cont.)
Administrator controls frequency of synchronization
“Aggressive Sync” mode: synchronization occurs whenever the user performs an action that should use the most current credentials or settings
– Example: a new application launch
– Aggressive Sync is used in MetaFrame Presentation Server deployments since a user may have multiple MetaFrame Presentation Server sessions in progress
Central Credential Store: Active Directory vs. File Share
File Share
– Pros: Does not require any changes to existing infrastructure; easier to set up and administer
– Cons: Different settings cannot be configured for different users; additional servers required
Active Directory
– Pros: Does not require any additional infrastructure or servers; allows configuration of different settings for different users or containers
– Cons: Requires extending Active Directory schema
No scalability limits for File Share or Active Directory
Both can support thousands of users
Both are equally secure
Synchronization Process
[Diagram: Annie User changes her password from XLB639 to MAL929 on June 5, 2003 at 9:14 AM; her Local Credential Store (encrypted) holds the new password. (1) The Agent synchronizes with the Central Credential Store (encrypted). (2) On June 6, 2003 at 6:43 AM other machines pull the data into their Local Stores and now hold MAL929.]
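The merge rule from the preceding slides (time-stamped entries, the latest version wins, similar to a roaming profile) replayed on the Annie User example. This is an illustrative Python model added to these notes, not Citrix code; the store names, the enrolment date and the "mainframe" credential name are constructed, and values are kept in the clear so the merge logic is visible (the real stores hold 3DES-encrypted data).

```python
"""Last-writer-wins synchronization between an Agent's local credential store
and the central store.  Illustrative model, not Citrix code."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(frozen=True)
class Secret:
    """One stored secondary credential with the time-stamp of its last change."""
    value: str
    changed: datetime


@dataclass
class Store:
    """A credential store: credential name -> Secret (plaintext here only)."""
    name: str
    secrets: dict[str, Secret] = field(default_factory=dict)

    def set(self, key: str, value: str, when: datetime) -> None:
        self.secrets[key] = Secret(value, when)


def synchronize(local: Store, central: Store) -> dict[str, str]:
    """Reconcile both stores; the entry with the later time-stamp wins in either
    direction.  Returns, per credential, how data flowed ("push" = local ->
    central, "pull" = central -> local, "same" = already identical)."""
    flow: dict[str, str] = {}
    for key in set(local.secrets) | set(central.secrets):
        l, c = local.secrets.get(key), central.secrets.get(key)
        if c is None or (l is not None and l.changed > c.changed):
            central.secrets[key] = l
            flow[key] = "push"
        elif l is None or c.changed > l.changed:
            local.secrets[key] = c
            flow[key] = "pull"
        else:
            flow[key] = "same"
    return flow


def annie_example() -> tuple[str, str, dict[str, str], dict[str, str]]:
    """Replay the slide: Annie changes her password on machine A (June 5, 9:14 AM);
    machine B still holds the old one until it synchronizes on June 6, 6:43 AM.
    Returns B's password before and after its sync, plus both sync flows."""
    central = Store("central")
    machine_a = Store("A")
    machine_b = Store("B")
    enrolled = datetime(2003, 6, 1, 8, 0)  # constructed: initial enrolment
    for store in (central, machine_a, machine_b):
        store.set("mainframe", "XLB639", enrolled)
    # 1. Password change on A at 9:14 AM is pushed to the central store.
    machine_a.set("mainframe", "MAL929", datetime(2003, 6, 5, 9, 14))
    flow_a = synchronize(machine_a, central)
    before = machine_b.secrets["mainframe"].value
    # 2. B synchronizes the next morning; the newer central entry wins.
    flow_b = synchronize(machine_b, central)
    return before, machine_b.secrets["mainframe"].value, flow_a, flow_b
```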
Encryption
Uses cryptography to confirm end user authentication
Secure storage of data to protect end user credentials
Uses Symmetric encryption (Secret Key Encryption)
– Same key used to encrypt and decrypt data
3DES encryption algorithm used to encrypt end user credentials
– Secret key crypto algorithm used to create 56-bit keys
– Used three times
Security: SSO Encryption
Crypto API
– Confirms end user authentication with Authenticator API
– Generates unique primary authentication key that secures local and central credential store
– Uses primary authentication key to decrypt individual credentials
Primary Authentication Key
– Unlocked upon successful end user authentication
– Created based on random number generation using MS CAPI
– Self encrypted using 3DES
– Two different keys stored with MS CAPI: one encrypted with the Windows password, one encrypted with the user question information
– Not stored anywhere in the raw form
Credential Data
– Some data encrypted: username, password, third and fourth fields
– Remaining data encoded: window title, application name, etc.
Credential Encryption
Credentials are encrypted with 3DES (Triple DES)
• Implemented through MS CAPI (Microsoft Cryptographic API)
[Diagram: User Secrets encrypted under SKEY; SKEY stored encrypted with the User Q/A and, separately, with the Windows Password Hash]
Intelligent Agent Response
[Diagram: Web Applications, Windows Applications and Host-based Applications are served by the Shell / Windows Hook Component, the Web Browser SSO Helper Object and the Mainframe Helper Object, all drawing on the Credential Manager]
Intelligent Agent Response
Benefits
Reduces the risk of credentials being supplied incorrectly or not supplied at all
System-level approach increases security
– Keyboard-sniffing won’t compromise credentials
Better reliability than other solutions
– Scripts easily broken by user actions
Windows Applications: Access Manager (integrated)
Web Sites: Internet Explorer Browser Helper Object (integrated)
Mainframe/Host Applications: Mainframe Helper Object (integrated), HLLAPI and Telnet
Credential Manager
Event-driven detection/response
• Looks for configured windows for logon and password change requests as they pop up
• Automatically supplies secondary credentials for logon or change password
• Credentials supplied at OS level directly to the controls on the window when possible – otherwise sent with key strokes
• No complex scripts required
• No application changes required
MetaFrame Password Manager Deployments
Pure MetaFrame XP Presentation Server Deployment
– All applications that require single sign-on accessed through MetaFrame XP Presentation Server over ICA
Desktop-only Deployment
– All applications accessed directly from Windows 32-bit desktops
– Using web browser for web applications and Mainframe emulator for host applications
Mixed Deployment
– Some applications accessed through MetaFrame XP Presentation Server
– Other applications accessed directly from Windows 32-bit desktops
NOTE: Console can be installed anywhere with connectivity to central credential store
Deployment Example
[Diagram: the Console connects to the Central Credential Store; ICA Clients reach the XP Server Farm, where the Agent runs with a Local Credential Store, over HTTPS (SSL or TLS) through a Secure Gateway Server]
Server Deployment
[Diagram: ICA Clients connecting to MetaFrame XP Presentation Servers, which run the Agent for Published Applications and synchronize with Central Credential Storage]
Agent only required to be installed on MetaFrame XP Presentation Servers
Agent runs in ICA sessions and works automatically for all Published applications
Desktop Deployment
[Diagram: Desktops running the Agent for Local Applications and synchronizing with Central Credential Storage]
Agent installed only on Desktops
Agent can work in mobile mode by synchronizing settings and secondary credentials from central credential store
Mixed Deployment
[Diagram: MetaFrame XP Server (Published Applications) and Desktop (Local Applications), each running the Agent and sharing Central Credential Storage]
Agent installed on MetaFrame XP Presentation Servers and Desktops
Agents run on Desktop and in ICA sessions without any problems
Agents share information through synchronization from Central Credential Store
Deployment with MSAM
[Diagram: IE Browser showing CDAs from the Access Center for MSAM; the Agent runs on the Desktop and on the MetaFrame XP Presentation Server]
Uses MSAM Access Center
Published Apps that require credentials
– Agent required on Presentation Server
CDAs
– Agent required on Desktops if CDAs require credentials (Optional)
MetaFrame Password Manager Configuration & Deployment
Planning
– Select deployment mode
– Select Central Credential Store type
Prepare Central Credential Store
Add and activate license
– Console automatically launches the wizard
MetaFrame Password Manager Configuration & Deployment (cont.)
Configure MetaFrame Password Manager deployment
– Configure User Questions
– Configure Application Definitions
– Configure Password Policies and Password Sharing Groups
– Configure Agent Settings
– Configure First Time Use List
Save configurations in Central Credential Store
MetaFrame Password Manager Configuration & Deployment (cont.)
Create and install Agent with address of Central Credential Store
– Use Custom MSI to create package
– Use MSI deployment methods to install the Agent
Prepare Central Credential Store: File share
Select a File Server accessible to the Agents
Run CTXFILESYNCPREP.EXE utility on the File Server from a command prompt
Creates a shared folder on the server
Prepare Central Credential Store: File share (cont.)
Creates the required sub-folders
– ENTLIST – stores all application configuration, password policies and password sharing groups
– ADMINOVERRIDE – stores all Agent settings configured by administrators
– FTU – stores all User questions and Bulk add applications for first time use of the Agent
– SYNCSTATE – stores timestamp of the last change to global settings
– People – stores settings for each user in individual folders
Prepare Central Credential Store: File share (cont.)
Sets required security permissions
– Only Authenticated users can access the network share
– No user can access each others’ credential files in the People folder
– Only CREATOR_OWNER has access to data in People folder
Prepare Central Credential Store: Active Directory
A member of Schema Admin group needs to log on to a machine that resides in the Active Directory
– Ensure Schema Master Role is configured to allow schema updates
Prepare Central Credential Store: Active Directory (cont.)
Run ‘cscript CTXSCHEMAPREP.VBS’ from a command prompt
– Extends the schema of Active Directory
– Adds three new classes
Citrix-SSOConfig: contains data for all administrative configurations (update frequency: only when administrator makes configuration changes)
Citrix-SSOLicenseClass: contains license information (update frequency: rarely, when a license is added or removed)
Citrix-SSOSecret: contains secret data used to authenticate a user of Citrix MetaFrame Password Manager (update frequency: only when a user stores new credentials for SSO)
Prepare Central Credential Store: Active Directory (cont.)
Run CTXDOMAINPREP.EXE from a command prompt
– Updates permissions of the specified container
– Enables users to create MetaFrame Password Manager objects under their Active Directory User objects based on schema extensions
User Question Configuration
Administrators configure questions that users have to answer first time they use the Agent
Answers from end users stored securely in both Local and Central Credential Store
User Question Configuration (cont.)
Later, if users forget their primary passwords, they can answer these questions to retrieve their secondary credentials
Questions cannot be changed/deleted after initial deployment
New questions can be added later
Application Definition Configuration
Each application enabled for Single Sign On has an ‘Application Definition’
Applications supported
– Windows Applications
– Web Applications
– Host-based Applications
Application Definition Configuration (cont.)
Application Definition can be built using
– Pre-configured Application Templates
– Wizard-based Application Definition configuration
Application Definition consists of
– Actions for Logon
– Actions for Change Password
Stored in ENTLIST file (File Share) or ENTLIST object (Active Directory)
Windows Application Definition
Each window consists of different controls (e.g. text box, button, plain text/label, etc.)
– Regardless of the language the application is developed in
Each control has a unique identifier on a window: the Control ID
Run the application until you get to its logon dialog
Application configuration wizard in the console automatically detects different controls on logon window based on their Control Ids
Windows Application Definition (cont.)
[Diagram: a logon dialog of executable LOGON.EXE with its Window Title, two Labels, a UserID TextBox (Control ID=3), a PWD TextBox (Control ID=2) and a Button (Control ID=1)]
Windows Application Definition (cont.)
Select the required Controls for
– Username/UserID
– Password
– 3rd or 4th controls, if required (e.g. domain)
– Logon button
– Cancel button
Configure other matching fields
– Window Title
– Other labels on the logon dialog
– etc.
Windows Application Definition (cont.)
MetaFrame Password Manager cannot detect controls on some windows
– Developed using non-standard windows controls
– Developed using proprietary third party windows controls
Administrators can write SendKey functions for such applications
NOTE: Most applications are developed using standard windows controls
Windows Application Definition (cont.)
Specify shortcut keys to get focus on required input fields
– Username
– Password
– Other fields
– Logon button
Enter special commands for entering username, password, other fields or pressing enter on logon button
Easy to use concise command language to develop flexible SendKey functions
– e.g. &t for tab key
Web Application Definition
Web applications can be configured for
– Pop-up dialogs
– Forms
Administrators specify fields similar to Windows applications
Web Application Definition (cont.)
[Diagram: a web logon form identified by its URL, with TEXT, PASSWORD and SUBMIT fields]
Web Application Definition (cont.)
URL distinguishes different web applications
The URL can be defined to the appropriate level by the admin
– http://salesforce.com, or
– http://salesforce.com/intranet.marketing
Configuration options similar to Windows apps
– Automatic detection
– SendKey
Basic out-of-the-box support for logon to many popular web sites/applications without configuration
Host-Based Application Definition
MetaFrame Password Manager supports single sign-on to mainframe applications through terminal emulators
– Emulators following HLLAPI (High Level Language API) standard
– 3270
– 5250
Launch Application Definition Configuration wizard in MetaFrame Password Manager Console
Open the mainframe application using terminal emulator
Host-Based Application Definition (cont.)
Configure position for different functions
– User Id
– Password
– Other fields
Position includes
– Row
– Column
– Keys after
Configure other text matching criteria
– Text
– Position on the emulator (row, column)
Host-Based Application Definition (cont.)
[Diagram: HLLAPI emulator screen with its Window Title; match text “WALLRED” at position @(X1,Y1), then push ID & PASSWORD at position @(X2,Y2)]
Password Policies
Administrator can set policies that constrain automatic password generation
Per Application
Password Policies control
– Password size
– Types of characters allowed
– Etc.
Password Policies (cont.)
Helps administrator enforce tighter security
– Complex passwords
– More frequent password changes
– Less password sharing across users
Must be at least as restrictive as the native application Password Policies
– Else, password changes may fail
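A model of policy-constrained password generation together with the "at least as restrictive as the native application policy" check from the slides above. This is an illustrative Python example added to these notes, not Citrix code; the policy fields and the default symbol set are constructed assumptions about what a policy contains.

```python
"""Password policies constraining automatic password generation, and the check
that the Password Manager policy is at least as restrictive as the application's
native policy (otherwise the generated password is rejected and the change
fails).  Illustrative example, not Citrix code."""
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    allowed_symbols: str = "!@#$%^&*"  # constructed default; applications differ

    def classes(self) -> list[tuple[bool, str]]:
        """(required?, characters) for each character class."""
        return [(self.require_upper, string.ascii_uppercase),
                (self.require_lower, string.ascii_lowercase),
                (self.require_digit, string.digits),
                (self.require_symbol, self.allowed_symbols)]

    def alphabet(self) -> str:
        return string.ascii_letters + string.digits + self.allowed_symbols

    def satisfies(self, password: str) -> bool:
        """Size window met, only allowed characters used, every required class present."""
        if not self.min_length <= len(password) <= self.max_length:
            return False
        if any(ch not in self.alphabet() for ch in password):
            return False
        return all(any(ch in chars for ch in password)
                   for required, chars in self.classes() if required)


def at_least_as_restrictive(manager: PasswordPolicy, native: PasswordPolicy) -> bool:
    """Every password the manager policy can generate must satisfy the native
    policy: a size window inside the native one, a superset of the required
    classes, and no symbols the application would reject."""
    sizes_ok = (manager.min_length >= native.min_length
                and manager.max_length <= native.max_length)
    classes_ok = all(m_req or not n_req
                     for (m_req, _), (n_req, _) in zip(manager.classes(), native.classes()))
    symbols_ok = set(manager.allowed_symbols) <= set(native.allowed_symbols)
    return sizes_ok and classes_ok and symbols_ok


def generate_password(policy: PasswordPolicy) -> str:
    """Generate a password satisfying `policy` from the OS CSPRNG: one character
    from each required class, the rest from the allowed alphabet, then shuffled."""
    rng = secrets.SystemRandom()
    chars = [rng.choice(group) for required, group in policy.classes() if required]
    length = rng.randint(max(policy.min_length, len(chars)), policy.max_length)
    chars += [rng.choice(policy.alphabet()) for _ in range(length - len(chars))]
    rng.shuffle(chars)
    return "".join(chars)
```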
Password Sharing Groups
Applications sharing same credentials can be grouped together
Single backend authentication system across multiple applications – single set of credentials
– Example: multiple web applications require credentials from the same DOMAIN
Third-party Password Synchronization set up between different authentication systems, ensuring the same credentials across them
Agent Settings
Administrator configures Agent functionality available to end users
– All settings stored centrally and can be changed anytime
Examples
– Turn off Tray Icon
– Clean up Local Credential Store on shutdown
– Etc.
First Time Use List - Bulk Add
Administrators configure applications presented to end users when the Agent is launched for the first time
Allows end users to enter their secondary credentials during first time use of the agent
Benefit
– End users only have to go through configuration of secondary credentials once
Saving Configurations
File Share
– Connect to File Share Central Credential Store
– Read existing configuration
– Make changes to configuration (as described earlier)
– Save configuration back to the Credential Store
Active Directory
– Connect to Active Directory
– Read existing configuration
– Make changes to configuration
– Save configuration back to any container (OU or user) in Active Directory; allows having different settings for different users
MetaFrame Password Manager Agent Deployment
Create a new Custom MSI file using the Console
Configure the address of Central Credential Store (Synchronizer)
Optionally, add other settings, application definitions, etc. to custom MSI
Use MSI deployment tools to install the Agent
– Active Directory
– Third party tools
– Installation Manager for deployments on MetaFrame XP Presentation Server Enterprise Edition
MetaFrame Password Manager Agent Synchronization Workflow
Automatically launched when a user logs on
Gets the user’s credentials from the GINA
Uses password to decrypt data in Local and Central Credential Stores
Synchronizes Local or Central Credential Stores with more recent settings
– File Share
  Synchronizes Local Credential Store with global folders: ENTLIST (application configuration, password policies), ADMINOVERRIDE (Agent settings), FTU (user questions and Bulk add applications)
  Updates People folder on network share
– Active Directory
  Starts by looking for the configured settings in the User object
  Walks up the OU tree until the first container with configured settings is found
  Synchronizes Active Directory with Local Credential Store
Synchronizes Local and Central Store at configured interval
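The Active Directory lookup described in this workflow (the user object first, then up the OU tree to the first container that has settings configured), as an illustrative Python example added to these notes; it is not Citrix code. The directory contents, container DNs and setting names are constructed, and a dictionary stands in for the LDAP queries the real Agent performs.

```python
"""Resolve which Active Directory container supplies an Agent's settings by
walking up from the user object to the domain root.  Illustrative example,
not Citrix code; the directory is a constructed in-memory dictionary."""
from typing import Optional


def split_dn(dn: str) -> list[str]:
    """Split a distinguished name into RDNs, honouring backslash-escaped commas
    (e.g. a CN such as 'User\\, Test' stays one RDN)."""
    parts: list[str] = []
    current: list[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: trimmed RDNs, case-folded (DNs are
    matched case-insensitively in AD)."""
    return ",".join(split_dn(dn)).lower()


def search_path(user_dn: str) -> list[str]:
    """The user object itself, then each parent OU, then the domain root."""
    rdns = split_dn(user_dn)
    path: list[str] = []
    for i, rdn in enumerate(rdns):
        path.append(",".join(rdns[i:]))
        if rdn.upper().startswith("DC="):
            break  # the domain root is the last place to look
    return path


def resolve_settings(user_dn: str, directory: dict[str, dict]) -> tuple[Optional[str], dict]:
    """Return (DN of the first container on the path that has settings, settings).
    (None, {}) means nothing is configured anywhere along the path."""
    index = {normalize_dn(k): v for k, v in directory.items()}
    for container in search_path(user_dn):
        settings = index.get(normalize_dn(container))
        if settings:  # an empty dict counts as "not configured here"
            return container, settings
    return None, {}


# Constructed directory: Agent settings on the EMEA OU plus a domain-wide default.
DIRECTORY = {
    "OU=EMEA,DC=corp,DC=example": {"sync_interval_minutes": 60, "tray_icon": False},
    "DC=corp,DC=example": {"sync_interval_minutes": 240, "tray_icon": True},
}
```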
MetaFrame Password Manager Agent Configuration Files
APPLIST.INI
– Stores pre-configured, password-protected application definitions installed with the agent
ENTLIST.INI
– Stores all application definitions configured by the administrator
– Synchronized from Central Credential Store
AELIST.INI
– Merged version of APPLIST.INI and ENTLIST.INI
– Stores all application definitions to be used by the agent
FTULIST.INI
– Defines users’ first time use experience
– Installed when the agent is installed
– Modified during synchronization to accommodate administratively configured bulk-add items
MetaFrame Password Manager Agent Single Sign-On to Windows Applications
Intelligent Agent Response monitors all window activity without any impact on performance
Detects the application matching criteria specified by the administrator
Decrypts credentials from the credential store
Automatically enters credentials for the application
– Credentials sent directly to the configured controls at operating system level for applications with standard controls
– Credentials sent to other applications via key strokes configured in SendKey functions
MetaFrame Password Manager Agent Single Sign-On to Web Applications
Actively monitors all web browser events without impacting those processes
Agent uniquely recognizes web logons using the URL and associated matching fields
Automatically fills in the credentials for the end user
Uses the existing web application security rather than substitute modules or custom integration
Access to all Web applications, not just intranet applications.
MetaFrame Password Manager Agent Single Sign-On to Host-Based Apps
Agent actively monitors all emulator session events without impacting those processes
– HLLAPI session monitor
Native support for multiple simultaneous emulators
Mainframe Helper Object securely sends the configured credentials to the configured position once a configured host application is detected
Also supports some emulators with scripting language capable of presenting a hidden pop-up dialog box
MetaFrame Password Manager Agent Event Logging
Password Manager Agent logs all SSO events to the Windows Event Log:
– Credential use
– Credential changes
– Global credential events
– MetaFrame Password Manager events
– MetaFrame Password Manager feature use
Administrators can easily configure the level of event logging capability for the agent
Business Depends On…
…Depends On Citrix