Certificate+LDAP based authentication adds an extra layer of security by using certificate authentication for the mobile apps while giving users seamless access to the HDX apps. With client certificates, the user only needs to enter the Worx PIN to log on and gets single sign-on access to Worx-enabled apps. The Worx PIN also simplifies the user authentication experience: it is used to secure a client certificate or to save Active Directory credentials locally on the device.

Prerequisites

1) Set up a certificate authority (CA) if your organization does not currently have a CA.

2) IP Address Requirements:


Steps to Configure the Certificate+Ldap Based Authentication

1. Follow only the “Configuration in MS CA Server” section of the blog below and obtain the certificate: /blogs/2013/12/10/xenmobile-configure-certificate-based-authentication/

2. Go to Settings, click Certificate and click Import.

Here we import the certificate obtained in Step 1. The .pfx file must first be converted to a .pem file. Open the .pem file in Notepad, copy the private key and the certificate into two separate files, and save each of them.
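As an added example (not part of the original article or a Citrix tool), the following POSIX shell functions do the same conversion with standard openssl commands and split the resulting bundle into the key and certificate files the import wizard expects, replacing the manual Notepad copy-and-paste; the file names and the key-to-certificate match check are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the original article: turn the .pfx exported from the
# MS CA into a PEM bundle and split it into the separate private-key and
# certificate files that the XenMobile "Import Certificate" step asks for.
# File names (user.pfx, user-key.pem, user-cert.pem) are assumptions.
set -e

# pfx_to_pem PFX OUT_PEM
# Decrypt the PKCS#12 bundle into one PEM file. openssl prompts for the .pfx
# password; -nodes writes the private key unencrypted because the XenMobile
# import expects a plain PEM key, so delete OUT_PEM once the split is done.
pfx_to_pem() {
  openssl pkcs12 -in "$1" -out "$2" -nodes
}

# split_pem BUNDLE KEY_OUT CERT_OUT
# Copy the private-key block to KEY_OUT and the certificate block(s) to
# CERT_OUT. Matches the headers "PRIVATE KEY", "RSA PRIVATE KEY" and
# "EC PRIVATE KEY"; the "Bag Attributes" lines openssl prints between blocks
# are dropped, and CRLF line endings from a Windows-created .pem are normalised.
split_pem() {
  awk -v key="$2" -v cert="$3" '
    { sub(/\r$/, "") }
    /^-----BEGIN .*PRIVATE KEY-----$/ { out = key }
    /^-----BEGIN CERTIFICATE-----$/   { out = cert }
    out != "" { print > out }
    /^-----END / { out = "" }
  ' "$1"
}

# count_blocks FILE TYPE
# Number of "-----BEGIN ...TYPE-----" headers in FILE; used to confirm the
# split produced exactly one key and at least one certificate before importing.
count_blocks() {
  grep -c "^-----BEGIN .*$2-----$" "$1" || true
}

# key_matches_cert KEY CERT
# Succeed only when the public key inside CERT equals the one derived from KEY,
# so a key/certificate mix-up is caught here rather than at the first logon.
key_matches_cert() {
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$pub" ] && [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Typical run (interactive: openssl asks for the .pfx password):
#   pfx_to_pem user.pfx bundle.pem
#   split_pem bundle.pem user-key.pem user-cert.pem
#   key_matches_cert user-key.pem user-cert.pem && echo "key and certificate match"
```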

3. Under Import, select “Certificate”, and for the Use As field select “Server”.

4. For the User Certificate, browse to the certificate file saved in Step 2.

5. Browse to the private key file.

6. Enter a description and click Import.

7. Once it is imported, the user certificate appears as a Server Certificate, as highlighted below.

8. Go to Configure -> Settings and click PKI Entities under Certificate Management.

9. Click Add.

10. Click Microsoft Certificate Services Entity.

11. Enter the details of the MS CA server, such as the certificate URL, and select Client Certificate as the Authentication Type.

Here we entered the Web Enrollment Service Root URL as https://<MS CA Server IP>/Certsrv.

12. The SSL Client Certificate is autoselected. Click Next.

13. Click Add to add the template.

14. Enter the Template Name, click Save and click Next. This template must have the same name as the template you created while following the blog in Step 1.

15. Click Next

16. Select the CA Certificate and Click Save.

17. The status now shows as Valid, as shown below.

18. Click Credential Providers under Certificate Management in Settings.

19. Click Add to add the credential provider.

20. All the fields are autoselected: these are the PKI entity and the template created in the previous steps. Click Next.

21. Enter the details as shown below.

22. Click Add.

23. Under Type, select User Principal Name.

24. Enter $user.userprincipalname as the Value, click Save and click Next.

25. Click Next

26. Click Next

27. Click Next

28. Click Save

29. Go to Settings -> Netscaler Gateway.

30. Under Credential Provider, select the credential provider created earlier.

31. Click Deliver User Certificate for Authentication, select ON and click Save.

32. Make sure the Logon Type for Netscaler is set to Certificate and Domain.

If it is not, edit it and select Certificate and Domain as the logon type.

Netscaler for XenMobile Configuration

If you have already configured Netscaler using the XenMobile 10 wizard, make sure the right CA certificates are bound to the VIPs (refer to the steps below if you need more information), make sure the authentication setting (Server Logon Name Attribute) in the authentication policy is set to userPrincipalName, and then move on to the Netscaler Gateway Authentication Configuration section. If you are configuring Netscaler through the wizard for the first time, follow the steps below.

1. Launch a browser, enter the Netscaler management IP address and log on to the Netscaler GUI.

2. Click the Configuration tab and click XenMobile Wizard on the left side.

3. Click on Get Started

4. Select Access Through Access Gateway and Load Balance Device Manager Servers, then click Continue. Here we configure one load balancing VIP, used for enrollment, and a second Netscaler Gateway VIP for the secure delivery of applications from XMS through the Netscaler.

5. Enter the IP address for the Netscaler Gateway.

6. Refer to the article http://support.citrix.com/article/CTX109260 to upload the SSL certificates to Netscaler.

7. Select Use Existing Certificate.

8. Under Server Certificate, use the certificate uploaded to Netscaler in step 6.

Click Continue.

9. Under Authentication Settings, add your LDAP server details: IP address, LDAP port number, Base DN (the location of the users in Active Directory), and the service account used for queries to the LDAP directory together with its password.

Make sure you enter userPrincipalName under Server Logon Attribute.

10. Here we add the load balancing FQDN for MAM. Enter the XMS server FQDN.

All traffic to the XMS servers will be routed through this MAM load balancing (LB) VIP.

Enter the IP address for the LB VIP (VIP2) and click Continue.

11. Select the Server Certificate for the MAM LB Vserver. Since we are using a wildcard certificate here, we are selecting the same certificate we uploaded in step 6 above.

12. Click on Add Server under XenMobile Servers. Here we are going to add the XMS Server which is going to be bound to the LB VIP.

13. Enter the IP Address of the XMS server and Click Add.

14. Click Continue

15. Click on Load Balance Device Manager Servers. Here we are going to configure the LB VIP which will be used for the Device Enrollment Purpose. We are going to bind the Same XMS Server to this LB VIP.

16. Enter the Load Balancing IP Address for MDM (VIP1).

17. Click Continue; the XMS server we added earlier appears as shown below.

18. Click Done.

19. Once the Wizard completes, we can see the status as “UP” for both MDM LB VIP and the Netscaler Gateway.

20. Go to Netscaler Gateway -> Virtual Servers, select the virtual server on the right side and click Edit.

21. Click the > mark for “No CA Certificate”.

22. Click the > mark to select the CA certificate.

23. Select the CA Certificate and click OK.

24. Click Bind.

25. Click Done.

26. Make sure you bind the Root Certificate of the CA (which issued the client certificate) as CA certificate here as well.

Netscaler Gateway Authentication Configuration

1. Launch a browser, enter the Netscaler management IP address and log on to the Netscaler GUI.

2. Under Netscaler Gateway on the left side, go to Policies -> Authentication -> Cert, select Servers on the right side and click Add.

3. Enter the name of the profile, set TwoFactor to ON and select Subject:AltNamePrincipalName in the Username Field.

4. Go to Policies and click Add.

5. Enter the name of the policy and select the Cert_Profile from the drop-down in the Server field.

Set the expression to ns_true and click Create.

6. Select the Virtual Server and Click Edit

7. Under Authentication, click the “+” icon to add the certificate authentication.

8. Select Certificate as the Authentication Type.

9. Choose Primary as the authentication type. Here we bind certificate authentication as one of the primary authentication methods, with the same priority as the LDAP authentication type.

10. Click “Click to Select” to select the certificate policy created earlier.

11. Select the certificate policy created earlier and click OK.

12. Click Bind. The priority set here is 100. Note that we use the same priority number in the next step when editing the LDAP authentication policy.

13. Click the > mark for the LDAP Policy.

14. Select the policy, click the Edit drop-down and click Edit Binding.

15. Enter the priority number here and make sure it is the same as the priority of the certificate policy. Click Bind.

16. Click on Close.

17. Click SSL Parameters on the right side.

18. Select Client Authentication, select Mandatory under Client Certificate and click OK.

19. Click Done.

Now enroll the device. As soon as enrollment is over, the user is asked to enter the Worx PIN (which secures the client certificate and caches the AD credentials), which further simplifies the user experience.