SafeNet Authentication Client

SafeNet Authentication Client
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or
its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual
property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under
any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal and personal use only provided that:

The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in
all copies.

This document shall not be posted on any network computer or broadcast in any media and no modification
of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless
otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information
contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to
the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the
specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein,
including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In
no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential
damages or any damages whatsoever including but not limited to damages resulting from loss of use, data,
profits, revenues, or customers, arising out of or in connection with the use or performance of information
contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not
incur, and disclaims, any liability in this respect. Even if each product is compliant with current security
standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to
the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall
Gemalto be held liable for any third party actions and in particular in case of any successful attack against
systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security
for direct, indirect, incidental or consequential damages that result from any use of its products. It is further
stressed that independent testing and verification by the person using the product is particularly encouraged,
especially in any application in which defective, incorrect or insecure functioning could result in damage to
persons or property, denial of service or loss of privacy.
© 2015 Gemalto. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of
Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service
marks, whether registered or not in specific countries, are the property of their respective owners.
Document Part Number: 007-013213-001, Rev. B
Release Date: January 2016
Contents
Third-Party Software Acknowledgement ........................................................................................................ 4
Description ...................................................................................................................................................... 4
Applicability ..................................................................................................................................................... 5
Environment .................................................................................................................................................... 5
Audience ......................................................................................................................................................... 5
CBA Flow using SAC ...................................................................................................................................... 5
Prerequisites ................................................................................................................................................... 6
Supported Tokens in SAC .............................................................................................................................. 6
Certificate-based USB Tokens ................................................................................................................. 6
Smart Cards ............................................................................................................................................. 6
Certificate-based Hybrid USB Tokens ..................................................................................................... 6
Software Tokens ...................................................................................................................................... 6
Configuring Citrix XenApp 7.6 ........................................................................................................................ 7
Configuring Citrix Smart Card Authentication for Citrix Receiver............................................................. 7
Configuring Smart Card Authentication for Web Access ......................................................................... 9
Configuring Citrix StoreFront 2.6 to Use Smart Card Pass-through Authentication ..................................... 10
Configuring SafeNet Authentication Client ............................................................................................. 10
Configuring the StoreFront 2.6 Server ................................................................................................... 11
Changing the CSP PIN Prompt from the Citrix Default to SafeNet Authentication Client ..................... 12
Configuring Citrix Receiver for Single Sign-On ...................................................................................... 12
Running the Solution .................................................................................................................................... 13
Smart Card Authentication using Citrix Receiver for Web Access......................................................... 13
Smart Card Pass-through Authentication using Citrix Receiver for Web Access .................................. 15
Smart Card Authentication using Citrix Receiver ................................................................................... 17
Smart Card Pass-through Authentication using Citrix Receiver ............................................................ 19
Support Contacts .......................................................................................................................................... 21
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
3
Third-Party Software Acknowledgement
This document is intended to help users of Gemalto products when working with third-party software, such as
Citrix XenApp 7.6.
Material from third-party software is being used solely for the purpose of making instructions clear. Screen
images and content obtained from third-party software will be acknowledged as such.
Description
Customers today are looking to desktop virtualization to transform static desktops into dynamic mobile
workspaces that can be centrally and securely managed from the datacenter, and accessed across a wide
range of devices and locations. Deploying desktop virtualization without strong authentication is like putting your
sensitive data in a vault (the datacenter), and leaving the key (user password) under the door mat. A robust user
authentication solution is required to screen access and provide proof-positive assurance that only authorized
users are allowed access.
SafeNet Authentication Client (SAC) is a Public Key Infrastructure (PKI) middleware that provides a secure
method for exchanging information based on public key cryptography, enabling trusted third-party verification of
user identities. SafeNet’s certificate-based tokens provide secure remote access, as well as other advanced
functions, in a single token, including digital signing, password management, network logon, and combined
physical/logical access.
The tokens come in different form factors, including USB tokens, smart cards, and software tokens. All of these
form factors are interfaced using a single middleware client, SafeNet Authentication Client (SAC). The SAC
generic integration with CAPI, CNG, and PKCS#11 security interfaces enables out-of-the-box interoperability
with a variety of security applications offering secure web access, secure network logon, PC and data security,
and secure email. PKI keys and certificates can be created, stored, and used securely with the hardware or
software tokens.
SafeNet Authentication Manager (SAM) provides your organization with a comprehensive platform to manage
all of your authentication requirements, across the enterprise and the cloud, in a single, integrated system. SAM
enables management of the complete user authentication life cycle. SAM links tokens with users, organizational
rules, and security applications to allow streamlined handling of your organization's authentication infrastructure
with a flexible, extensible, and scalable management platform.
SAM is a comprehensive token management system. It is an out-of-the-box solution for Public Certificate
Authorities (CA) and enterprises to ease the administration of SafeNet’s hardware or software tokens devices.
SAM is designed and developed based on the best practices of managing PKI devices in common PKI
implementations. It offers robust yet easy to customize frameworks that meets different organizations’ PKI
devices management workflows and policies. Using SAM to manage tokens is not mandatory, but it is
recommended for enterprise organizations.
For more information, refer to the SafeNet Authentication Manager Administrator Guide.
XenApp is the industry-leading solution for virtual application delivery, providing Windows applications to
workers on any device, anywhere. By centralizing control with XenApp, you can provide your team the freedom
of mobility, while increasing security and reducing IT costs.
This document provides guidelines for deploying certificate-based authentication (CBA) for user authentication
to Citrix XenApp 7.6 using SafeNet tokens.
It is assumed that the Citrix XenApp 7.6 environment is already configured and working with static passwords
prior to implementing SafeNet multi-factor authentication.
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
4
Citrix XenApp 7.6 can be configured to support multi-factor authentication in several modes. CBA will be used
for the purpose of working with SafeNet products.
Applicability
The information in this document applies to:

SafeNet Authentication Client (SAC)—SafeNet Authentication Client is the middleware that manages
SafeNet's tokens.

Citrix XenApp

Citrix StoreFront
Environment
The integration environment that was used in this document is based on the following software versions:

SafeNet Authentication Client (SAC)—Version 9.0

Citrix XenApp—Version 7.6

Citrix StoreFront—Version 2.6
Audience
This document is targeted to system administrators who are familiar with Citrix XenApp 7.6 , and are interested
in adding certificate-based authentication capabilities using SafeNet tokens.
CBA Flow using SAC
The diagram below illustrates the flow of certificate-based authentication.
ICA / HDX
2
3
1
Citrix StoreFront
Citrix XenApp 7.6
Published Apps/RDP
Thin Clients / Desktop / Laptops
1. A user attempts to connect to the Citrix XenApp 7.6 server using the Citrix Receiver or using the StoreFront
web portal. The user inserts the SafeNet token on which his certificate resides, and when prompted, enters
the token password.
2. After successful authentication, the user is allowed access to the published apps/desktops.
3. The user selects the app/desktop to use.
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
5
Prerequisites
This section describes the prerequisites that must be installed and configured before implementing certificatebased authentication for Citrix XenApp 7.6 using SafeNet tokens.

To use CBA, the Microsoft Enterprise Certificate Authority must be installed and configured. Note that any
CA can be used. However, in this guide, integration is demonstrated using Microsoft CA.

If SAM is used to manage the tokens, TPO (token policy object) should be configured with a Microsoft CA
connector. For additional details, refer to the “Connector for Microsoft CA” section in the SafeNet
Authentication Manager Administrator’s Guide.

Users must have a SafeNet token with an appropriate certificate enrolled.

SafeNet Authentication Client (9.0) should be installed on all client machines.
Supported Tokens in SAC
SAC supports a number of tokens that can be used as second authentication factor for users who authenticate
to Citrix XenApp 7.6 .
SafeNet Authentication Client 9.0 (GA) supports the following tokens:
Certificate-based USB Tokens

SafeNet eToken PRO Java 72K

SafeNet eToken PRO Anywhere

SafeNet eToken 5100/5105

SafeNet eToken 5200/5205

SafeNet eToken 5200/5205 HID and VSR
Smart Cards

SafeNet eToken PRO Smartcard 72K

SafeNet eToken 4100
Certificate-based Hybrid USB Tokens

SafeNet eToken 7300

SafeNet eToken 7300-HID

SafeNet eToken 7000 (SafeNet eToken NG-OTP)
Software Tokens

SafeNet eToken Virtual

SafeNet eToken Rescue
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
6
Configuring Citrix XenApp 7.6
NOTE: XenApp 7.6 and StoreFront 2.6 were installed on the same server in the
lab that was prepared to create this guide.
It is assumed that before using the guide, you have Citrix XenApp 7.6 and Citrix
StoreFront 2.6 installed and configured with username and password
authentication.
To configure CBA with Citrix XenApp 7.6 requires:

Configuring Citrix Smart Card Authentication for Citrix Receiver, page 7

Configuring Smart Card Authentication for Web Access, page 9
Configuring Citrix Smart Card Authentication for Citrix Receiver
Citrix StoreFront authentication will be used when connecting to XenApp using Citrix Receiver.
1. Open Citrix Studio.
2. In the left pane, select Citrix StoreFront > Authentication.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
7
3. In the Actions pane, select Add/Remove Methods.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
4. In the Add/Remove Authentication Methods window, select Smart card, and then click OK.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
8
Configuring Smart Card Authentication for Web Access
Configure the Receiver to use CBA for web access.
1. Open Citrix Studio.
2. In the left pane, select Citrix StoreFront > Receiver for Web.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
3. In the Actions pane, select Store Web Receiver > Choose Authentication Methods.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
9
4. In the Choose Authentication Methods window, select Smart card, and then click OK.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
Configuring Citrix StoreFront 2.6 to Use Smart Card Passthrough Authentication
Complete the procedures in this section to configure Citrix StoreFront to use smart card pass-through
authentication.
Configuring SafeNet Authentication Client
Enable single log on in SafeNet Authentication Client.
1. Open the SafeNet Authentication Client console.
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
10
2. Click the Advanced View icon
, click Client Settings, and then click the Advanced tab.
3. Select Enable single logon, and the click Save.
4. From the Windows Start menu, select Run, and then type regedit.exe, to open the Windows Registry
Editor.
5. Complete the following steps:
a. Go to HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC, create a new key, and
name it General.
b. In the new key, create a new DWORD (32-bit), name it SingleLogon, and specify a value of 1.
c.
Exit the Windows Registry.
Configuring the StoreFront 2.6 Server
Configure the default.ica file on the IIS.
1. Open the default.ica file with a text editor. (This file is typically located in
C:\inetpub\wwwroot\Citrix\<Store_Name>\App_Data\.)
2. In the [Application] section, add the following setting: DisableCtrlAltDel=Off
3. Save the file.
For more information, go to:
http://support.citrix.com/proddocs/topic/dws-storefront-25/dws-configure-conf-smartcard.html
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
11
Changing the CSP PIN Prompt from the Citrix Default to SafeNet
Authentication Client
To change the Citrix default CBA PIN prompt to SAC, do the following:
1. On the client machine, from the Windows Start menu, select Run, and then type regedit.exe, to open the
Windows Registry Editor.
2. Add the following key value to the registry key: HKLM\Software\[Wow6432Node\]Citrix\AuthManager\
SmartCardPINEntry=CSP
(The screen image above is from Microsoft®. Trademarks are the property of their respective owners).
Configuring Citrix Receiver for Single Sign-On
We recommend reading the following document for Citrix Receiver Single Sign-On (SSO) configuration:
http://support.citrix.com/article/CTX133982
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
12
Running the Solution
Check the final running solution of Citrix XenApp 7.6 with SafeNet Authentication Client. In this solution,
SafeNet eToken 5100 is used.
Smart Card Authentication using Citrix Receiver for Web Access
1. Open a web browser and type the Citrix Receiver for Web URL.
2. The SafeNet Authentication Client opens. Enter the Token Password, and then click OK.
After a successful authentication, you are granted access to the Citrix StoreFront web portal, and can now
access the applications.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
13
3. Select an application. The Windows Login window is displayed.
(The screen image above is from Microsoft®. Trademarks are the property of their respective owners).
4. Click Smart card logon, and then enter your smart card PIN.
(The screen image above is from Microsoft®. Trademarks are the property of their respective owners).
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
14
After a successful authentication, the application will open.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
Smart Card Pass-through Authentication using Citrix Receiver for Web
Access
1. Login to the client machine using Smart card logon.
(The screen image above is from Microsoft®. Trademarks are the property of their respective owners.)
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
15
2. Open a web browser and type the Citrix Receiver for Web URL.
Since Citrix is configured for pass-through authentication, the user is not required to enter the smart card
PIN code, and is automatically logged in to the Citrix StoreFront web portal.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
3. Select an application to use. Since Citrix is configured for pass-through authentication, the application will
open without requiring the user to authenticate again.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
16
Smart Card Authentication using Citrix Receiver
1. Insert the selected SafeNet eToken or smart card.
2. Launch Citrix Receiver. The SafeNet Authentication Client opens. Enter the Token Password, and then
click OK.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners.)
After a successful authentication, the Citrix Receiver application window is displayed.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners).
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
17
3. Select an application. The Windows Login window is displayed.
(The screen image above is from Microsoft®. Trademarks are the property of their respective owners.)
4. Click Smart card logon, and then enter your smart card PIN.
(The screen image above is from Microsoft®. Trademarks are the property of their respective owners.)
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
18
After a successful authentication, the application will open.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners.)
Smart Card Pass-through Authentication using Citrix Receiver
1. Log in to the Windows client workstation using Smart card logon.
(The screen image above is from Microsoft®. Trademarks are the property of their respective owners.)
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
19
2. After successful authentication, launch Citrix Receiver.
Since Citrix is configured for pass-through authentication, you are not required to enter the smart card PIN
code, and are automatically logged in to Citrix Receiver.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners.)
3. Select an application. Since Citrix is configured for pass-through authentication, the application will open
without requiring you to authenticate again.
(The screen image above is from Citrix®. Trademarks are the property of their respective owners.)
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
20
Support Contacts
If you encounter a problem while installing, registering, or operating this product, please make sure that you
have read the documentation. If you cannot resolve the issue, contact your supplier or Gemalto Customer
Support. Gemalto Customer Support operates 24 hours a day, 7 days a week. Your level of access to this
service is governed by the support plan arrangements made between Gemalto and your organization. Please
consult this support plan for further information about your entitlements, including the hours when telephone
support is available to you.
Contact Method
Contact Information
Address
Gemalto, Inc.
4690 Millennium Drive
Belcamp, Maryland 21017 USA
Phone
Technical Support
Customer Portal
United States
1-800-545-6608
International
1-410-931-7520
https://serviceportal.safenet-inc.com
Existing customers with a Technical Support Customer Portal account can log in to
manage incidents, get the latest software upgrades, and access the Gemalto Knowledge
Base.
Integration Guide
Using SAC CBA for Citrix XenApp 7.6
Document PN: 007-013213-001, Rev. B, Copyright © 2016 Gemalto, Inc., All rights reserved.
21
Download PDF