[THIN] Re: More question on CSG/WI/User Certs

  • From: "Adam Granatela" <agranatella@xxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Thu, 20 Sep 2007 16:24:04 -0500

Yeah, it's a strange project, that's for sure.  The client (who doesn't know
Citrix) is assuming that because the user cert should verify who the user is,
WI should be able to take that info and log in as the user.  Problem
is, the cert only verifies identity and doesn't contain any user
credentials, which it needs to verify against AD.

It's been one of those days.  2 major config changes the night before and
day of this going into production.  What a headache!  Thanks for the
replies.

Adam


On 9/20/07, Steve Greenberg <steveg@xxxxxxxxxxxxxx> wrote:
>
>  That doesn't really make sense here as the single sign-on functionality
> is about taking local users credentials and passing them to WI, or, taking
> the login to a CAG and passing it to WI. I think in your case the users need
> to login once they achieve connectivity to the WI, unless you want to bypass
> security and use some kind of generic or anonymous login…..
>
> *Steve Greenberg*
>
> Thin Client Computing
>
> 34522 N. Scottsdale Rd D8453
>
> Scottsdale, AZ 85262
>
> *(602) 432-8649*
>
> www.thinclient.net
>
> *steveg@xxxxxxxxxxxxxx*
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Adam Granatela
> *Sent:* Thursday, September 20, 2007 12:51 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: More question on CSG/WI/User Certs
>
> Hey Steve, thanks for the replies first off.
>
> Clients are coming in over the Internet from who knows where.  It's a
> medical app, so they could be in clinics, hospitals, dr.'s offices, homes,
> standard offices, who knows.
>
> Conceptually the user cert/CSG piece can be overcome by 2 IPs, 2 certs,
> and 2 web sites, one for the user certs that essentially is just a re-direct
> to the other which is the CSG/WI site.
>
> But I think given either situation (the one above, or what we have now
> without CSG), there's no way to bypass WI authentication just based on the
> user cert, without doing something goofy like anonymous access.  At least
> that's what I'm seeing.  Thoughts?
>
> On 9/20/07, *Steve Greenberg* <steveg@xxxxxxxxxxxxxx> wrote:
>
> I think you can do this by creating a Secure HTTPS site in IIS and
> requiring the private cert you are generating. I don't know how single sign
> on is impacted in that case, are you using the same domain/username/password
> on the remote computer and Citrix server?
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Adam Granatela
> *Sent:* Thursday, September 20, 2007 12:01 PM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] Re: More question on CSG/WI/User Certs
>
> Nope, Internet --> firewall --> server.  Not 100% ideal, which is where
> the idea of CSG came from, but at least if we have port 80 shut off and only
> allow 443 and 1494 in it will be more secure than having the whole thing
> open.
>
> On 9/20/07, *Steve Greenberg* <steveg@xxxxxxxxxxxxxx> wrote:
>
> What is your external access point? i.e. are you using a Citrix Access
> Gateway?
>
>  ------------------------------
>
> *From:* thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] *On
> Behalf Of *Adam Granatela
> *Sent:* Thursday, September 20, 2007 11:50 AM
> *To:* thin@xxxxxxxxxxxxx
> *Subject:* [THIN] More question on CSG/WI/User Certs
>
> Ok, one more question on this.  Environment: AD/resources on separate
> boxes.  We then have "silos" (and I use that term loosely since it's not a
> standard Citrix silo), one for each company.  In each silo is an app
> database box, and a "Citrix" box which contains PS4 and WI (and possibly CSG
> if possible/necessary).  We're essentially hosting a turnkey solution for
> multiple companies to purchase this application, almost like an app
> provider, from our client who hosts everything in our data center.  A bit
> confusing since there's essentially 3 levels of confusion here.  All end
> user communication is done straight over the Internet.
>
> What we want to do is have one box for Citrix and have it be the single
> point of contact and communications.  The app talks to the db server in the
> background on its own.  The client wants to use user certs as the only form
> of 2-factor authentication.  Their ideal setup is when the user opens the
> web page, it prompts them for their user certificate, and after they choose
> that, they are automatically signed into WI and see their apps, without
> having to type username/password into the WI login screen.
>
> We will be issuing user certs separately and not as a part of this Citrix
> solution, so we can assume that 100% of the users who want to use this will
> have a proper user cert on their machine prior to connecting.
>
> Is this even possible?  I've never worked with user certs before, so this
> is new to me, but it doesn't seem like rocket science.  Right now I can get
> the user cert dialog to come up, user chooses their cert, then WI page comes
> up, but the user has to log into WI.  Pass-through authentication is looking
> to pull a local computer username/password, and not from the user cert, so
> I'm not sure if there's a way to do what I'm looking to do.  At this time I
> do not have CSG in place, as I understand that will only confuse things,
> since both WI and CSG would be on the same box.
>
> Any suggestions/ideas/info that may at least give me an answer on this?
> Thanks,
>
> Adam
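Adam's closing point, that a user certificate verifies identity but carries no credential WI could present to AD, modelled as an added example (not code from the thread, from Citrix WI or from IIS): the web tier can only act on a cert through an explicit, administrator-maintained mapping from a trusted issuer's certificate to an account, and anything else falls back to the normal WI login rather than a generic or anonymous login. The issuer name, serial numbers and account names are constructed, and the model assumes the TLS layer has already checked the certificate's signature and chain.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class ClientCert:
    """Fields a browser-presented client certificate actually carries.
    Note what is absent: there is no password or other secret that could be
    replayed against Active Directory, only a name bound to a key pair."""
    subject: str   # e.g. "CN=jdoe", chosen by whoever issued the cert
    issuer: str    # the CA that signed it
    serial: int    # unique per issuer


# Constructed, administrator-controlled policy data (hypothetical values).
TRUSTED_ISSUERS = {"CN=Hosting-Issuing-CA"}
REVOKED_SERIALS = {("CN=Hosting-Issuing-CA", 1003)}
# The mapping the certificate itself cannot supply: which directory account a
# given cert stands for.  Keyed on (issuer, serial), not on the subject string,
# because any CA the client picks can mint a cert with subject "CN=jdoe".
CERT_TO_ACCOUNT = {
    ("CN=Hosting-Issuing-CA", 1001): "CORP\\jdoe",
    ("CN=Hosting-Issuing-CA", 1002): "CORP\\asmith",
}


def resolve_login(cert: Optional[ClientCert]) -> Tuple[str, Optional[str]]:
    """Decide what the web tier may do with a presented certificate.

    Assumes the TLS layer (IIS in the thread's setup) has already verified the
    signature and chain; this function only applies policy on top of that.
    Returns ("mapped", account) when the cert is from a trusted issuer, is not
    revoked and has an explicit mapping; otherwise ("prompt", None), meaning
    the user must still type a username/password at the WI login screen.
    It never yields a generic or anonymous account."""
    if cert is None or cert.issuer not in TRUSTED_ISSUERS:
        return ("prompt", None)
    key = (cert.issuer, cert.serial)
    if key in REVOKED_SERIALS:
        return ("prompt", None)
    account = CERT_TO_ACCOUNT.get(key)
    if account is None:
        return ("prompt", None)
    return ("mapped", account)
```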