Web Interface Mod: Take Smart Card Authentication to the DMZ
Friday, 08 September 2006 by Michel Roth
From WebInterface-meister Jay Tomlin comes a Citrix Web Interface Mod that enables you to implement smart card authentication in the DMZ:

"For several versions now Web Interface has included a feature that allows users to authenticate using a smart card instead of entering their username and password. It works like this:

1. During the SSL handshake, IIS metabase settings trigger a request for the client certificate
2. IIS Directory service mapping associates the user certificate with a user account in Active Directory
3. After a successful mapping IIS impersonates the user account, allowing Web Interface to deduce the groups to which the user belongs
4. That list of groups (actually a list of group SIDs) is sent to the Presentation Server XML service instead of a username and password
5. The XML service returns the list of published applications that are available to those groups

As you can see, the process depends entirely on IIS for doing the authentication and mapping the user’s certificate to their domain account. This only works when the IIS server is a domain member, and since nobody wants to put a domain member server in their DMZ we’ve always said that this is a solution for internal (or VPN) users only.

But what if there were another way?"

Read on here.
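The following is an added example, not code from the original post or from the mod it describes. It checks, on an IIS 6 server that still exposes the metabase through ADSI, whether the prerequisites for steps 1 and 2 of the flow quoted above are in place (SSL client certificates negotiated or required, certificate mapping enabled, directory service mapping switched on) and whether the server is a domain member, which is the constraint the post is about. The metabase path for the Web Interface virtual directory is an assumption; adjust it to your site.

```powershell
# Added example: checks the IIS 6 metabase prerequisites for the certificate
# authentication flow described in the post, plus domain membership.
# Assumption: Web Interface lives at this metabase path; change as needed.
$WiPath = 'IIS://localhost/W3SVC/1/Root/Citrix/AccessPlatform'

# IIS 6 AccessSSLFlags bit values (documented metabase constants)
$AccessSSL              = 0x08
$AccessSSLNegotiateCert = 0x20
$AccessSSLRequireCert   = 0x40
$AccessSSLMapCert       = 0x80

function Get-ClientCertAuthState {
    param([string]$MetabasePath)

    # Per-directory SSL flags on the Web Interface virtual directory (step 1)
    $node  = [ADSI]$MetabasePath
    $flags = [int]$node.Properties['AccessSSLFlags'].Value

    # Server-wide switch that makes IIS hand certificate mapping to Active
    # Directory instead of its own one-to-one / many-to-one tables (step 2)
    $w3svc    = [ADSI]'IIS://localhost/W3SVC'
    $dsMapper = [bool]$w3svc.Properties['SSLUseDSMapper'].Value

    # Directory service mapping can only succeed on a domain member
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    New-Object PSObject -Property @{
        RequiresSSL          = (($flags -band $AccessSSL) -ne 0)
        NegotiatesClientCert = (($flags -band $AccessSSLNegotiateCert) -ne 0)
        RequiresClientCert   = (($flags -band $AccessSSLRequireCert) -ne 0)
        MapsCertToAccount    = (($flags -band $AccessSSLMapCert) -ne 0)
        UsesDirectoryMapping = $dsMapper
        IsDomainMember       = [bool]$cs.PartOfDomain
        Domain               = $cs.Domain
    }
}

# Report the state; a DMZ server that is not a domain member cannot complete
# step 2 no matter how the SSL flags are set.
Get-ClientCertAuthState -MetabasePath $WiPath | Format-List
```

Run it on the Web Interface server itself with an account that can read the metabase; it reports only, it changes nothing.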
