Hello,
Can the new Citrix Access Gateway Enterprise Edition 9.0 authenticate users to XenApp with smart cards (require client certificate)?
If so, can it perform SSO to WI and XenApp with that authentication method?
Or would the users need to first authenticate to their smartcard (Pin/Bio/etc.) and then enter their domain username and password on a web form?
If the latter is true, then can the CAG at least map the client certificate to a specific domain user (UPN Mapping?) so that users won't be able to try and guess other users' passwords after the smartcard authentication?
Is this an issue or have I got it all wrong?? :)
(If you use PKI and CAG EE 9.0 then how did you configure it?)
BTW The only document I found for that is this:
http://support.citrix.com/article/CTX116373
But it applies to CAG EE 8.0. It also says some weird stuff like:
1. Set CAG client certificate to optional
2. Set ICA Proxy to OFF (huh?!)
3. Set WI access and dmz to direct. (huh?!)
4. Set WI authentication to Pass-through with smart card (Doesn't that only work with the full PN Client??)
5. Set IIS to require and map client certificate.
I'm confused. Can anyone see a logic here??
Thanks for your comments,
Ron Kuper
Thanks.
I already got the answer to at least one question.
When using client certificate authentication the AGEE can extract the username from a specified field in the certificate and then use that for the second authentication without allowing the user to change it.
I think Jay Tomlin's 'Kerberos Authentication' using the WI in parallel and UPN Mapping to the AD is much more elegant, robust and secure.
I guess AGEE and co' still have some work to do for integrating XenApp authentication. (All the current NetScaler/Net6/CSG fusion is really confusing and it is rarely clear what it can or can't do)
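
The username binding described in the reply above, sketched as an added example (not Citrix code and not part of the original posts): the login name for the password stage is taken from a configured certificate field, and any different name submitted by the user is rejected. The selector syntax, function names and sample certificate values are assumptions constructed for illustration.

```python
"""Bind the password-stage username to the identity in the client certificate."""


class BindingError(Exception):
    """The certificate cannot supply a usable username, or the names disagree."""


def username_from_cert(cert, selector):
    """Return the login name held in one field of an already validated certificate.

    cert: dict with 'subject' (attribute -> value) and 'san' (type -> value);
          this shape is an assumption standing in for a parsed X.509 certificate.
    selector: 'Subject:<attr>' or 'SubjectAltName:<type>' (hypothetical syntax).
    """
    section, _, key = selector.partition(":")
    sources = {"Subject": cert.get("subject", {}),
               "SubjectAltName": cert.get("san", {})}
    if section not in sources or not key:
        raise BindingError(f"unsupported selector: {selector!r}")
    value = (sources[section].get(key) or "").strip()
    if not value:
        # Fail closed: never fall back to a name typed by the user.
        raise BindingError(f"certificate has no {selector} value")
    return value


def second_factor_identity(cert, selector, submitted_username=None):
    """Return the only username the password check may be run against.

    The certificate decides the account. A submitted name is accepted only if it
    matches (case-insensitively, as directory logon names are), so a valid smart
    card cannot be used to try passwords for somebody else's account.
    """
    bound = username_from_cert(cert, selector)
    if submitted_username is not None:
        if submitted_username.strip().lower() != bound.lower():
            raise BindingError("submitted username does not match certificate")
    return bound


# Constructed sample certificate contents (not real data).
SAMPLE_CERT = {
    "subject": {"CN": "Alice Example", "O": "Example Corp"},
    "san": {"PrincipalName": "alice@example.test"},
}
```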