I think you can do this by creating a Secure HTTPS site in IIS and requiring the private cert you are generating. I don't know how single sign-on is impacted in that case; are you using the same domain/username/password on the remote computer and Citrix server?

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85262
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Adam Granatela
Sent: Thursday, September 20, 2007 12:01 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: More question on CSG/WI/User Certs

Nope, Internet --> firewall --> server. Not 100% ideal, which is where the idea of CSG came from, but at least if we have port 80 shut off and only allow 443 and 1494 in, it will be more secure than having the whole thing open.

On 9/20/07, Steve Greenberg <steveg@xxxxxxxxxxxxxx> wrote:

What is your external access point? i.e. are you using a Citrix Access Gateway?

Steve Greenberg
Thin Client Computing
34522 N. Scottsdale Rd D8453
Scottsdale, AZ 85262
(602) 432-8649
www.thinclient.net
steveg@xxxxxxxxxxxxxx

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Adam Granatela
Sent: Thursday, September 20, 2007 11:50 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] More question on CSG/WI/User Certs

OK, one more question on this.

Environment: AD/resources on separate boxes. We then have "silos" (and I use that term loosely since it's not a standard Citrix silo), one for each company. In each silo is an app database box, and a "Citrix" box which contains PS4 and WI (and possibly CSG if possible/necessary). We're essentially hosting a turnkey solution for multiple companies to purchase this application, almost like an app provider, from our client who hosts everything in our data center. A bit confusing, since there's essentially 3 levels of confusion here.

All end user communication is done straight over the Internet. What we want to do is have one box for Citrix and have it be the single point of contact and communications. The app talks to the db server in the background on its own.

The client wants to use user certs as the only form of 2-factor authentication. Their ideal setup is when the user opens the web page, it prompts them for their user certificate, and after they choose that, they are automatically signed into WI and see their apps, without having to type username/password into the WI login screen. We will be issuing user certs separately and not as a part of this Citrix solution, so we can assume that 100% of the users who want to use this will have a proper user cert on their machine prior to connecting.

Is this even possible? I've never worked with user certs before, so this is new to me, but it doesn't seem like rocket science. Right now I can get the user cert dialog to come up, user chooses their cert, then WI page comes up, but the user has to log into WI. Pass-through authentication is looking to pull a local computer username/password, and not from the user cert, so I'm not sure if there's a way to do what I'm looking to do. At this time I do not have CSG in place, as I understand that will only confuse things, since both WI and CSG would be on the same box.

Any suggestions/ideas/info that may at least give me an answer on this?

Thanks,
Adam
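For readers working through the same problem, the following is an added example, not something posted in this thread or shipped by Citrix. It shows what "require the user certificate on the HTTPS site and map it to an account" looks like as IIS configuration: the site refuses any TLS session without a client certificate, and IIS Client Certificate Mapping (one-to-one mode) turns a specific certificate into a Windows logon, so the request reaches Web Interface already carrying an identity rather than an anonymous browser session. It assumes IIS 7 or later with the WebAdministration PowerShell module and the IIS Client Certificate Mapping Authentication role service installed (the thread is on PS4-era IIS, where the same settings live in the metabase and IIS Manager), and the site name, account, and certificate path are placeholders.

```powershell
# Added example (not from the thread): make a user certificate the only way
# into the Web Interface site, and map that certificate to a Windows account.
# Assumptions: IIS 7+ with the WebAdministration module and the IIS Client
# Certificate Mapping Authentication role service installed; all names below
# are placeholders.
Import-Module WebAdministration

$siteName = 'Default Web Site'      # assumption: the site hosting WI
$certPath = 'C:\certs\alice.cer'    # assumption: the user's public certificate (DER or PEM)
$mapUser  = 'CORP\alice'            # assumption: AD account the certificate maps to
$mapPass  = Read-Host -AsSecureString 'Password for the mapped account'

$psPath     = 'MACHINE/WEBROOT/APPHOST'
$authFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# 1. The oneToOneMappings entry wants the DER certificate as one base64 string.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$certB64 = [Convert]::ToBase64String($cert.RawData)

# 2. SSL only, and the client certificate is negotiated AND required:
#    a browser with no certificate never gets a page, let alone the WI login.
Set-WebConfigurationProperty -PSPath $psPath -Location $siteName `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 3. Turn on IIS client certificate mapping in one-to-one mode.
Set-WebConfigurationProperty -PSPath $psPath -Location $siteName `
    -Filter $authFilter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $psPath -Location $siteName `
    -Filter $authFilter -Name oneToOneCertificateMappingsEnabled -Value $true

# 4. Map this exact certificate to the account. The password is stored
#    (encrypted) in applicationHost.config, so use a dedicated, least-privileged
#    account per user, never a shared or administrative one.
$ptr = [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($mapPass)
try   { $plain = [Runtime.InteropServices.Marshal]::PtrToStringUni($ptr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeGlobalAllocUnicode($ptr) }

Add-WebConfigurationProperty -PSPath $psPath -Location $siteName `
    -Filter "$authFilter/oneToOneMappings" -Name '.' `
    -Value @{ enabled = 'true'; userName = $mapUser; password = $plain; certificate = $certB64 }

# 5. Switch off anonymous access so the certificate mapping is the only
#    identity source for the site.
Set-WebConfigurationProperty -PSPath $psPath -Location $siteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false

# 6. Read back what IIS will actually enforce before testing from a browser.
Get-WebConfigurationProperty -PSPath $psPath -Location $siteName `
    -Filter 'system.webServer/security/access' -Name sslFlags
Get-WebConfiguration -PSPath $psPath -Location $siteName `
    -Filter "$authFilter/oneToOneMappings/add" | Select-Object userName, enabled
```

Two practical points when adapting this. One-to-one mapping needs an entry per issued certificate, which is manageable for a small tenant silo but grows with every renewal; IIS also supports many-to-one mappings that match on issuer and subject fields, which is the usual choice once certificates are issued from an internal CA. And the mapping only establishes a Windows identity at the IIS layer; whether Web Interface then treats that identity as a pass-through logon is a separate WI setting that this script does not touch.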