One of the new features in version 8 of the Windows 32-bit ICA client is Kerberos authentication. This authentication provides a new and improved way for the ICA client software to automatically authenticate users based on the credentials they used to log on to Windows.
At Citrix iForum in Edinburgh, Scotland last week, I had the opportunity to sit down with Chris Mayers, a security architect for Citrix. He gave me a quick lesson in Kerberos and how it’s used in the new ICA clients.
Traditional ICA Pass-Through Authentication
Before talking about the new capabilities, we first discussed the “traditional” way that pass-through authentication has always worked in ICA clients. Prior to version 8, the Win32 ICA client software made use of the Windows “secondary network provider.” This is an interface available to programmers that dates back to the days of Windows for Workgroups. It allows locally-running programs to grab unencrypted user credentials from Windows. Back in the day, this would have been used to log users into Banyan or Novell environments based on their Windows credentials.
On Windows NT/2000/XP workstations, the “security” of this secondary network provider service comes from the fact that you must have administrative rights to install anything that uses it. (This is why the ICA client installation routine only asked you if you want to use pass-through authentication when you’re installing it while logged onto the client with admin rights.)
With pass-through authentication enabled, a Citrix ICA client component grabbed the user’s cleartext credentials via the secondary network provider interface and passed them to the ICA client software.
Some people openly questioned the security of this technique. Even though all of this took place locally within a client and the cleartext credentials never crossed the network, it would still be possible for an attacker to compromise the Citrix software holding the user credentials and then extract the cleartext credentials.
The other big drawback to pass-through authentication using the secondary network provider was that only username, password, and domain credentials were exposed. Therefore, if a company used two-factor authentication, the Citrix ICA client could not use pass-through authentication.
ICA Clients Version 8 Kerberos Authentication
Microsoft added Kerberos authentication as the default authentication protocol for Windows 2000, and Citrix introduced Kerberos support in MetaFrame Presentation Server 3 and ICA clients version 8.
Kerberos is an authentication protocol that is challenge/response based. It never transmits the actual credentials anywhere. Kerberos also supports delegation, which means that a receiving server can forward the authentication request to the proper location.
In Presentation Server 3, Citrix introduced a Kerberos virtual channel to facilitate the exchange of Kerberos handles. Therefore, when using ICA client v8 from a Windows 2000/XP client connecting to Presentation Server 3, the pass-through authentication functionality uses Kerberos instead of the secondary network provider. This is also used as part of the Citrix XML service to provide application lists for users.
The user experience is 100% identical either way, but using Kerberos provides two distinct benefits:
- The client can use any type of authentication, including two-factor.
- Kerberos authentication is controlled by a standard AD policy. This policy allows you to specify which servers have been delegated for authentication and can be applied / disabled / blocked as part of a GPO.
When a fresh install of a version 8 client is done on a Windows 2000 or newer client, the “Use local credentials” option automatically enables Kerberos-based authentication. (You can use an INI file setting to manually change this as needed.)