Pass-Through Authentication Changes in ICA Client Version 8

One of the new features in version 8 of the Windows 32-bit ICA client is Kerberos authentication. This authentication provides a new and improved way for the ICA client software to automatically authenticate users based on the credentials they used to log on to Windows.

At Citrix iForum in Edinburgh, Scotland last week, I had the opportunity to sit down with Chris Mayers, a security architect for Citrix. He gave me a quick lesson in Kerberos and how it’s used in the new ICA clients.

Traditional ICA Pass-Through Authentication

Before talking about the new capabilities, we first discussed the “traditional” way that pass-through authentication has always worked in ICA clients. Prior to version 8, the Win32 ICA client software made use of the Windows “secondary network provider.” This is an interface available to programmers that dates back to the days of Windows for Workgroups. It allows locally running programs to grab unencrypted user credentials from Windows. Back in the day, this would have been used to log users into Banyan or Novell environments based on their Windows credentials.

On Windows NT/2000/XP workstations, the “security” of this secondary network provider service comes from the fact that you must have administrative rights to install anything that uses it. (This is why the ICA client installation routine only asks whether you want to use pass-through authentication when you install it while logged onto the client with admin rights.)

With pass-through authentication enabled, a Citrix ICA client component grabbed the user’s cleartext credentials via the secondary network provider interface and passed them to the ICA client software.

Some people openly questioned the security of this technique. Even though all of this took place locally within the client and the cleartext credentials never crossed the network, it would still be possible for an attacker to compromise the Citrix software holding the user credentials and then extract the cleartext credentials.

The other big drawback to pass-through authentication using the secondary network provider was that only username, password, and domain credentials were exposed. Therefore, if a company used two-factor authentication, the Citrix ICA client could not use pass-through authentication.

ICA Clients Version 8 Kerberos Authentication

Microsoft added Kerberos authentication as the default authentication protocol for Windows 2000, and Citrix introduced Kerberos support in MetaFrame Presentation Server 3 and ICA clients version 8.

Kerberos is a challenge/response-based authentication protocol. It never transmits the actual credentials anywhere. Kerberos also supports delegation, which means that a receiving server can forward the authentication request to the proper location.

In Presentation Server 3, Citrix introduced a Kerberos virtual channel to facilitate the exchange of Kerberos handles. Therefore, when using ICA client v8 from a Windows 2000/XP client connecting to Presentation Server 3, the pass-through authentication functionality uses Kerberos instead of the secondary network provider. This is also used as part of the Citrix XML service to provide application lists for users.

The user experience is 100% identical either way, but using Kerberos provides two distinct benefits:

  1. The client can use any type of authentication, including two-factor.
  2. Kerberos authentication is controlled by a standard AD policy. This policy allows you to specify which servers have been delegated for authentication and can be applied / disabled / blocked as part of a GPO.
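The second benefit above rests on delegation being an explicit Active Directory setting per server account rather than something the client software decides on its own. The following Python script is an added example and not code from the article or from Citrix: it parses a small, constructed LDIF export of computer and user accounts (the hostnames, DNs and values are placeholders) and decodes the documented `userAccountControl` bit flags to report which accounts are trusted for delegation, in which mode, and which accounts are marked as sensitive and cannot be delegated. An administrator can run the same decoding over a real export to confirm that only the intended Presentation Servers are trusted for delegation.

```python
"""Audit Active Directory delegation settings from an LDIF export.

The LDIF below is constructed sample data for this example; the flag
values are the documented ADS_UF_* bits of the userAccountControl attribute.
"""

# Documented userAccountControl bit flags (ADS_USER_FLAG_ENUM).
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_NOT_DELEGATED = 0x100000                    # "sensitive, cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, any protocol

# Constructed sample export (placeholder names); two servers, one
# workstation and one sensitive admin account.
SAMPLE_LDIF = """\
dn: CN=MPS3-01,OU=Servers,DC=example,DC=local
sAMAccountName: MPS3-01$
userAccountControl: 532480

dn: CN=WEBINT-01,OU=Servers,DC=example,DC=local
sAMAccountName: WEBINT-01$
userAccountControl: 16785408
msDS-AllowedToDelegateTo: HOST/mps3-01.example.local
msDS-AllowedToDelegateTo: HTTP/mps3-01.example.local

dn: CN=WS-042,OU=Workstations,DC=example,DC=local
sAMAccountName: WS-042$
userAccountControl: 4096

dn: CN=admin.jdoe,OU=Admins,DC=example,DC=local
sAMAccountName: admin.jdoe
userAccountControl: 1049088
"""


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, multi-valued attributes."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def delegation_mode(uac, allowed_targets):
    """Classify an account's delegation setting from its UAC bits and SPN list."""
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_targets:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained (Kerberos only)"
    return "none"


def audit_delegation(entries):
    """Return one report row per account with its delegation status."""
    report = []
    for entry in entries:
        uac = int(entry["userAccountControl"][0])
        targets = entry.get("msDS-AllowedToDelegateTo", [])
        report.append({
            "account": entry["sAMAccountName"][0],
            "is_server": bool(uac & UF_SERVER_TRUST_ACCOUNT),
            "delegation": delegation_mode(uac, targets),
            "sensitive": bool(uac & UF_NOT_DELEGATED),
            "targets": targets,
        })
    return report


def unconstrained_servers(entries):
    """Accounts trusted for unconstrained delegation: the ones to review first."""
    return [row["account"] for row in audit_delegation(entries)
            if row["delegation"] == "unconstrained"]


if __name__ == "__main__":
    rows = audit_delegation(parse_ldif(SAMPLE_LDIF))
    for row in rows:
        flag = " [sensitive]" if row["sensitive"] else ""
        print(f"{row['account']:<12} {row['delegation']}{flag} {row['targets']}")
```

Unconstrained delegation is the broadest grant, so the short list it produces is the one to reconcile against the servers the GPO is supposed to cover; constrained entries carry their target SPNs in the report so they can be checked against the intended Presentation Server names.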

When a fresh install of a version 8 client is done on a Windows 2000 or newer client, the “Use local credentials” option automatically enables Kerberos-based authentication. (You can use an INI file setting to manually change this as needed.)

Join the conversation

7 comments


This message was originally posted by Citrix Customer on June 21, 2004
We would love to see this go one step further. Instead of using the Kerberos Ticket on the client, have Web Interface retrieve a Kerberos ticket via delegation. This ticket would then be passed from the ICA Web Client to the Back-End MF Server. The goal out of this is that Web Interface could use other forms of Authentication besides NT User Name and Password. Similar to how the desktop can now use two-factor methods of authentication. Our belief is that this would allow third-party Web SSO products to possibly authenticate to Web Interface and MetaFrame.
This message was originally posted by Jim Kenzig http:alID=CTX104289
CTX104289 - How to Uninstall Program Neighborhood Client and Install Program Neighborhood Agent as the Pass-through Client on MetaFrame Presentation Servers.
This message was originally posted by an anonymous visitor on July 13, 2004
It is a known fact today that Internet security is most vulnerable at the login entry.
No SSL or other protocols will prevail if your password is exposed.
The most secure and affordable methodology available today is TFA (Two Factor Authentication) and OTP (One Time Password) generation.
These methods cost a bundle with today's token system. That is the reason only VIPs or very secure sites offer this level of security to their clients.
Change the token system in a way that every organization can offer it to their customers, and you get a high level of security for everybody.
Mega AS Consulting Ltd (www.megaas.co.nz) has developed a new CAT (Cellular Authentication Token) that follows that thought. It is a new concept that enables new services such as eAuthentication. The CAT runs on a cellular phone, does not require SMS or any type of communication and can be installed (one time OTA) by any service’s client. It does not cost the user anything.
With this in mind, services can now offer the users the option to register to a secured OTP login, at their own time. The service does not have to supply or manage the tokens. It is the users’ responsibility to join the secured service to secure their login.
The eAuthentication Service takes this approach even further. Since the user can choose to join the secured login of the service, the company providing the service does not have to buy the authentication package anymore; they get the users authenticated at the Mega AS Consulting CAT Authentication server by implementing a simple API.
This approach is new. It will change the whole industry and it is available now.
How much do you wanna bet that if I track the IP address of this anonymous visitor I'll find that it belongs to Mega AS Consulting?
Hello,

Kerberos authentication is controlled by a standard AD policy. Can we make this work in NT4? We also have two-factor authentication: users log in to Novell 6 and the NT domain simultaneously.

Thank you,
Jean
There's a company in Finland that has a similar product: valimo (www.valimo.com). And, no, I don't work for valimo.

Regards, Pelle
RE: "When a fresh install of a version 8 client is done on a Windows 2000 or newer client, the “Use local credentials” option automatically enables Kerberos-based authentication."

Q: Does this also happen on the web client install (ica32t)?

Q: Could this be the reason why some of my boxes get a “must reboot” window at the end of the install (after the close-browser window)?
