
1 Self Paced QBA Advanced Training
Single Sign-On Load Balanced with NS VPX for Question Based Authentication with DFS By: WWSR – Carlos H Lopez

2 Agenda
Module 1: Certificates for Load Balancing the Single Sign-On Service
Module 2: Central Store with a DFS Namespace and Replication
Module 3: Single Sign-On Service with a Load Balanced Configuration
Module 4: Netscaler VPX for Load Balancing the Single Sign-On Service
Module 5: Single Sign-On User Configuration for Self-Service and QBA
Module 6: Single Sign-On Plugin and testing QBA functionality
Troubleshooting Resources

3 Certificates for Load Balancing the Single Sign-On Service
Module 1
By the end of this module, you should be able to:
- Request a certificate from a CA
- Complete the certificate request from the CA

4 Certificates
- The CPM Service is a secure web service and requires an SSL certificate
- The CPM Service machine and every agent machine must have the root certificate from the issuing root CA
- The name on the SSL certificate must match the FQDN of the CPM Service machine unless a virtual host name is used
- Certificate expiration is a common issue
- Missing root certificates are another common issue
- Self-signed certificates will not work. Third-party certificates need the full certificate chain to work.

5 Load Balanced Certificate
To load balance any service that requires SSL you need to provide one of the following certificates:
- A certificate with an exportable private key, exported with the same common name to each server
- A certificate with a wildcard identifier
- A certificate issued to the two servers independently with the same common name
The certificate FQDN must match the server's FQDN. CPM allows the use of a Virtual Host Name so that the FQDN the agent uses matches the certificate's FQDN.
The three options above will work for any certificate, as long as you also have the root certificate. For a certificate to work, the FQDN of the certificate and the server must match; the Virtual Host Name allows the server's FQDN to be overridden to match the certificate FQDN.
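As an added example (not part of the training deck), a PowerShell function that checks the certificate a load-balanced Single Sign-On service presents against the conditions above: name match (CN or SAN, wildcard allowed), a complete chain to a trusted root on the checking machine, and expiry. The service FQDN and port are parameters you supply; the sample FQDN in the usage line is constructed.

```powershell
# Added example, not from the training deck. Checks the certificate presented on
# $Fqdn:$Port for the slide-5 conditions: name match (CN/SAN, wildcard allowed),
# complete chain to a trusted root on this machine, and expiry.
function Test-NameMatch {
    param([string] $Pattern, [string] $Name)
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers one label only: *.corp.example matches sson.corp.example, not a.b.corp.example
        $suffix = $Pattern.Substring(1)
        if (-not $Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) { return $false }
        $first = $Name.Substring(0, $Name.Length - $suffix.Length)
        return ($first.Length -gt 0) -and (-not $first.Contains('.'))
    }
    return [string]::Equals($Pattern, $Name, [System.StringComparison]::OrdinalIgnoreCase)
}

function Test-SsonServiceCertificate {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,   # FQDN / virtual host name the agent is configured with
        [int] $Port = 443,
        [int] $WarnDays = 30                     # flag certificates that expire within this many days
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept any certificate during the handshake; every check is done explicitly below
        # so each failure reason can be reported instead of one handshake exception.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback] { $true })
        $ssl.AuthenticateAsClient($Fqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    # Names the certificate is valid for (SAN list, falling back to the subject CN)
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false)) }
    $nameOk = @($names | Where-Object { Test-NameMatch $_ $Fqdn }).Count -gt 0

    # Chain build fails when the root or an intermediate is missing on this machine (slide 4)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is a separate concern
    $chainOk = $chain.Build($cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Fqdn         = $Fqdn
        Subject      = $cert.Subject
        Names        = $names -join ', '
        NameMatches  = $nameOk        # false: FQDN mismatch, use a virtual host name or reissue
        ChainValid   = $chainOk       # false: root/intermediate certificate missing here
        ChainErrors  = $chainErrors -join '; '
        DaysToExpiry = $daysLeft      # negative: already expired
        Ok           = $nameOk -and $chainOk -and ($daysLeft -gt $WarnDays)
    }
}

# Usage (constructed FQDN): Test-SsonServiceCertificate -Fqdn 'sson.corp.example'
```

Run it from an agent machine as well as from the service machine, since the chain check uses the certificate store of the machine it runs on.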

6 Central Store with a DFS Namespace and Replication
Module 2
By the end of this module, you should be able to:
- Set up a Central Store with a backup repository using DFS
- Set up a DFS namespace and replication for the SSON Central Store

7 Central Store Types
NTFS
- Leverage the convenience of your existing Active Directory user authentication and tree structure
- No need to extend the Active Directory schema
Active Directory
- Leverage the convenience of your existing Active Directory user authentication and object administration
- Requires you to extend the schema of your existing Active Directory
Active Directory may give you the benefit of replicating the data to other domain controllers, but extending the schema of an existing Active Directory could cause more issues later for the support engineer if a call comes in about a central store in AD. It is easier to troubleshoot issues using an NTFS store, since you can always create a new one for testing; you cannot create a new domain and extend its schema as easily for testing and troubleshooting.

8 Central Store with a DFS Namespace
A DFS namespace is a virtual view of shared folders in an organization
- It allows the use of one name, i.e. \\DS1\Share, that points to a share location which in turn points to two locations
- The shared folders in a namespace must contain mirrored information; this can be done by using DFS replication
DFS allows a share address, for example \\DFS1\CPMStore, that points to a specific share location. To keep the data synchronized we use replication services to replicate the data from one share to another.

9 Central Store with backup replication: DFS
- DFS allows administrators to group shared folders located on different servers by transparently connecting them to one or more DFS namespaces
- FRS, the File Replication Service, is a dependency of DFS; this is the technology that replicates shared folders to keep data highly available and synchronized
- With this technology you do not have to use an Active Directory store to have your data replicated to all domain controllers; just use DFS
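The namespace-plus-replication layout described in this module, as an added PowerShell example that is not part of the training deck. It assumes the DFSN and DFSR modules (Windows Server 2012 or later, where DFS Replication has replaced the FRS named on the slide), that the CPMStore shares already exist on the two servers, and constructed names for the domain, servers and content path.

```powershell
# Added example, not from the training deck. Creates one namespace path for the agents
# (\\corp.example\CPMStore) with two root targets, and a DFS Replication group that keeps
# the two shares mirrored. Domain, server names, share names and content path are constructed.
Import-Module DFSN -ErrorAction Stop
Import-Module DFSR -ErrorAction Stop

$Domain    = 'corp.example'
$Namespace = "\\${Domain}\CPMStore"
$Targets   = @{ 'DS1' = '\\DS1\CPMStore'; 'DS2' = '\\DS2\CPMStore' }   # existing shares
$Local     = 'D:\CPMStore'       # content path on each member (assumed identical on both)
$Group     = 'CPMStore-Replication'

function New-SsonCentralStoreNamespace {
    # Domain-based namespace: agents use the \\domain\CPMStore name, DFS hands out a target
    $members = @($Targets.Keys | Sort-Object)
    New-DfsnRoot -Path $Namespace -TargetPath $Targets[$members[0]] -Type DomainV2 | Out-Null
    foreach ($srv in $members[1..($members.Count - 1)]) {
        New-DfsnRootTarget -Path $Namespace -TargetPath $Targets[$srv] | Out-Null
    }
}

function New-SsonCentralStoreReplication {
    # Both targets must hold the same data (slide 8); DFSR keeps them in sync
    $members = @($Targets.Keys | Sort-Object)
    New-DfsReplicationGroup -GroupName $Group | Out-Null
    New-DfsReplicatedFolder -GroupName $Group -FolderName 'CPMStore' | Out-Null
    Add-DfsrMember -GroupName $Group -ComputerName $members | Out-Null
    # Add-DfsrConnection creates a two-way connection by default, so each pair is added once
    for ($i = 0; $i -lt $members.Count; $i++) {
        for ($j = $i + 1; $j -lt $members.Count; $j++) {
            Add-DfsrConnection -GroupName $Group -SourceComputerName $members[$i] `
                -DestinationComputerName $members[$j] | Out-Null
        }
    }
    # The primary member wins the initial sync: make it the server holding the live store
    foreach ($srv in $members) {
        Set-DfsrMembership -GroupName $Group -FolderName 'CPMStore' -ComputerName $srv `
            -ContentPath $Local -PrimaryMember ($srv -eq $members[0]) -Force | Out-Null
    }
}

function Test-SsonCentralStoreNamespace {
    # Confirm every target is online and reachable before pointing agents at the namespace
    Get-DfsnRootTarget -Path $Namespace | ForEach-Object {
        [pscustomobject]@{
            Target    = $_.TargetPath
            State     = $_.State
            Reachable = (Test-Path $_.TargetPath)
        }
    }
}

New-SsonCentralStoreNamespace
New-SsonCentralStoreReplication
Test-SsonCentralStoreNamespace | Format-Table -AutoSize
```

Share and NTFS permissions for the Data Proxy account are not covered by these cmdlets and still have to be set on both targets.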

10 Single Sign-On Service with a Load Balanced Configuration
Module 3
By the end of this module, you should be able to:
- Configure the SSON service on multiple SSON servers for load balancing

11 Citrix Single Sign On Architecture
Review the image above to see how CPM data flows; it shows an endpoint with the CPM Agent and a XenApp server with the CPM Agent installed. This is a typical XenApp SSON setup with no load balancing.

12 Citrix Single Sign On Architecture with DFS and Load Balancing
[Diagram components: XTE Service, NetScaler VPX with a Virtual IP, Self Service Account, SSON Service, Active Directory, port 443, SSON Service FQDN, Citrix Licensing, DFS Namespace, NTFS Central Store, DFS Replication, Data Proxy Account, SSON Agent]
Review the image above to see how CPM data flows; it shows an endpoint with the CPM Agent and a XenApp server with the CPM Agent installed.

13 Citrix Single Sign-On Service & Accounts
Required for the following advanced features:
- Account Self-Service
- Automatic Key Recovery or Security Questions Key Recovery
Apache web based Citrix XTE Service for authentication of users during SSPR
Data Proxy Account for central store read and write access
Self Service Account for AD account unlock and password resets
The service is required for the advanced features such as SSPR, Automatic Key Recovery and data integrity. Note: this service cannot use the same XTE service that Presentation Server uses in this release. The XTE service is used to authenticate the user to the domain controller; if its site does not display in a browser, something is wrong with the service. NOTE: the site will require the user to authenticate before you can tell that the service is working. The Data Proxy account is used to access the data in the central store; if it does not have the correct permissions on the central store, it will be unable to read and write as needed. The Self Service account facilitates the resetting and unlocking of passwords for users; this account needs to be a Domain Admin account to have the required access to change passwords for users. This CTX article shows you the command to add a user to the central store permissions using citrixfilesyncprep.exe.

14 Account Self-Service
- Allows a user to reset or unlock their Windows password
- Users can reset/unlock passwords on the SSON agent wherever it is installed (i.e. endpoint, XenApp server, or Web Interface)
- Uses Question-Based Authentication
- Requires the Password Manager Service (XTE)
Account Self-Service allows end users to unlock their accounts or reset their primary password without the intervention of the Helpdesk (Administrator). It uses an alternate authentication mechanism to identify a user who cannot log in because the password either expired or was forgotten. Account Self-Service uses Question-Based Authentication: users have to answer a set of questions in order to authenticate.

15 How Does Account Self-Service Work?
[Diagram components: Data Proxy Account, Central Store, port 443, XTE Service, Self Service Account, Endpoint Device, SSON Agent, SSON Service, Active Directory]
1. The user needs to be authenticated by submitting their credentials. (XTE service: Network Service, Local Service, or SPN account)
2. The service does a proxy read to determine if the user has registered. (Data Proxy Account)
3. If user QBA data is found, a series of questions is sent to the user; if not, the user is presented with QBA registration. (Data Proxy Account)
4. Once the questions are answered, the user proceeds with Account Self-Service. If registering, the answers are saved in the Central Store once registration is done. (Data Proxy Account)
5. The user attempts a password reset or account unlock; this request is sent to a DC. (Self Service Account)
6. The user is informed of the result: success or fail.
The above image details what the Self Service and Data Proxy accounts are used for.

16 Account Self-Service Considerations
- Active Directory integration only
- Active Directory password policies are enforced when resetting the password; a message is given to the user if the new password does not meet the requirements
- Security questions are customizable; four sample questions are provided by default
- Only one set of questions can be used per central store, so the questions need to apply to all Password Manager users tied to that central store
- Questions can be written in multiple languages
See Above

17 Account Self-Service Considerations
Deployment Method (Agent Device versus Web Interface)
Agent device
- The Password Manager Agent can only be deployed on Windows machines, so this restricts Account Self-Service access to Windows machines
- The agent machine needs to be able to access the Password Manager Service, so it needs to be on the LAN
Web Interface
- Provides browser access to Account Self-Service from any OS (Windows, Mac, etc.)
- Requires the user to get to some machine and access the web
- Web Interface needs to be SSL secured
See Above

18 Netscaler VPX for Load Balancing the Single Sign-On Service
Module 4
By the end of this module, you should be able to:
- Set up a "service" for each Single Sign-On server hosting the service
- Set up a virtual server and apply the existing services to the virtual server
- Configure a Netscaler VPX1000 for load balancing

19 © 2006 Citrix Systems, Inc.—All rights reserved.
NetScaler Overview
Citrix NetScaler is an all-in-one web application delivery controller that makes applications run five times better, reduces web application ownership costs, and makes sure that applications are always available. Just a standard overview of NetScaler.

20 NetScaler Load Balancing
The NetScaler VPX appliance can be used to load balance any service running on a Windows server. To create a load-balanced service, you create a service definition for each server hosting the service and a virtual server; the virtual server is the main entry point that uses the defined services to do the load balancing. The above is an example of setting up a virtual server on a NetScaler to load balance two servers for the CPM service.

21 Single Sign-On User Configuration for Self-Service and QBA
Module 5
By the end of this module, you should be able to:
- Configure the User Configuration for Self-Service with QBA
- Set up the Key Management Module and validate the service

22 Key Management Overview
An encryption key is...
- Generated based on the user's primary credential (username/password)
- Used to lock/unlock the local store to use the agent
When a user's primary password changes, the Agent...
- must regenerate the old encryption key to gain access to the user's local store
- must apply a new encryption key based on the new password
Read Above

23 Key Recovery Methods
Specifies how the agent should recover the key after a primary password change to unlock the local store. Three options:
1. Enter previous password
2. Answer security questions or enter previous password
3. Automatic key recovery
The key recovery method that works with QBA is option 2; no other option will work for QBA.

24 Key Recovery Options for Self Service
Answer Security Questions or Supply Previous Password
- User chooses between the two options for the key recovery event
- Requires security question enrollment during agent first-time use
- Requires use of the Password Manager Service
Automatic Key Recovery
- No user interaction required for the key recovery event
- User impersonation is possible by a rogue admin
Read Above. The option shown in red (Answer Security Questions or Supply Previous Password) is required for Question Based Authentication.

25 Question Based Authentication
- A series of 'life' questions, or questionnaire
- Managed by the admin from the Console
- Requires the CPM Service
- Used as a secondary method of authentication: Account Self-Service, Key Recovery
- User registers their answers on first-time use
The Question-based authentication system for Account Self-Service may also be used for key recovery. It replaces IVQ (Instinctual Variants Questionnaire) in the Nassau release. When SSPR is used to change the primary password, the user configuration is marked as such. When the user next logs in (from any terminal), the keys are automatically recovered based on a hash of the answers. This is a different mechanism from AKR, but is similar to the way IVQ works. If the user used SSPR to change their primary password, and hence uses QBA, but does not log in for a period, and the password gets reset again manually (say by the admin), then the user will have to go through QBA once they have logged in, in order for CPM to recover the keys. When an SSPR operation is done from any location, the key recovery is automatic once QKR (Question-Based Key Recovery) is also being used. Users will have to answer a set of questions in order to authenticate. Like Account Self-Service, this also requires the Password Manager service.

26 Manage Questions – Security Questions
By default the top 4 questions will be used if no custom questions were created. A database of questions and question groups is maintained here. The minimum length of the answers expected and the case sensitivity are chosen here. A question group is made up of one or more existing questions. Once a question or question group is used in the questionnaire, the "In use" flag is shown next to the question. Once a question or question group is created it cannot be deleted.

27 Manage Questions – Question groups
You can also create a Security Question group, to group the questions you wish the user to be presented with, and choose the number of questions that must be answered. Similar to IVQ but with some key differences: give the group an appropriate name (in this example "Sports – group" is chosen), choose the questions you would like included in the group, and select the number of questions that must be answered for this group.

28 Manage Questions - Questionnaire
The Questionnaire allows the admin to select from the pool of questions and question groups. Questions and question groups may be added to the questionnaire, and they may also be removed from it. You can choose the display order of the questions using the Move Up and Move Down buttons.

29 Manage Questions - Key Recovery
The checkboxes are used to select which questions and/or question groups will be used in the key recovery process. The user will be presented with all the questions in the questionnaire during registration, and will be challenged with the same questions during authentication. The selected questions are the ones from whose answers a hash is formed to aid in key recovery. Selecting all questions may produce a performance penalty on key recovery.

30 Single Sign-On Plugin and testing QBA functionality
Module 6
By the end of this module, you should be able to:
- Install and test a Single Sign-On plugin for a load-balanced SSON environment

31 Setting up the Single Sign-On Agent
When load balancing the Single Sign-On service and using a DFS namespace and replication, setting up the agent with the correct information is required for it to function:
- When configuring the NTFS central store, use the namespace created in the DFS Management console
- When configuring the Key Management Module, use the FQDN of the load-balanced certificate name / virtual hostname
The Single Sign-On agent must be configured to use the load-balanced FQDN for the certificate/virtual hostname and the DFS namespace to reach the correct locations.

32 Troubleshooting Resources

33 Agent Logging
Client-side logging is the most helpful direction when troubleshooting QBA issues. You will typically encounter a SOAP error if QBA fails.
To enable agent logging, create the following registry key:
HKEY_LOCAL_MACHINE\Software\Wow6432node\Citrix\Metaframe Password Manager\Log\
The values contained in this key are:
Enabled (DWORD): 0 = logging is disabled, 1 = logging is enabled
Filter (DWORD), default 0xFFFFFFFF: 0xFFFFFFFF turns on logging for all components. There are other options for Filter, but for troubleshooting it is best to turn on all components.
The log file will start immediately and is located here:
%USERPROFILE%\Application Data\Citrix\MetaFrame Password Manager\sso_%USERNAME%.log
Agent logging is one of the key tools for troubleshooting SSPR/QBA issues.
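The registry change above, as an added PowerShell example that is not part of the training deck. It writes the Enabled and Filter values under the key named on the slide (the Wow6432node path given there, i.e. a 64-bit OS) and reports the log file path the slide gives; run it in an elevated session.

```powershell
# Added example, not from the training deck. Turns Single Sign-On agent logging on or off
# with the key and values from slide 33 and reports where the log is written.
$LogKey = 'HKLM:\Software\Wow6432node\Citrix\Metaframe Password Manager\Log'   # path from the slide

function Get-SsonAgentLogging {
    $p = Get-ItemProperty -Path $LogKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled = [bool]$p.Enabled
        # The DWORD reads back as a signed int; format it as the hex value the slide uses
        Filter  = if ($null -ne $p.Filter) { '0x{0:X8}' -f $p.Filter } else { '(not set)' }
        # Log location from the slide; created by the agent once logging is on
        LogFile = Join-Path $env:USERPROFILE "Application Data\Citrix\MetaFrame Password Manager\sso_${env:USERNAME}.log"
    }
}

function Set-SsonAgentLogging {
    param(
        [switch] $Disable,                 # default is to enable (Enabled = 1)
        [string] $FilterHex = 'FFFFFFFF'   # all components, as the slide recommends for troubleshooting
    )
    if (-not (Test-Path $LogKey)) { New-Item -Path $LogKey -Force | Out-Null }
    $enabled = if ($Disable) { 0 } else { 1 }
    New-ItemProperty -Path $LogKey -Name 'Enabled' -PropertyType DWord -Value $enabled -Force | Out-Null
    # Registry DWORDs are written through a signed Int32; parsing 'FFFFFFFF' base 16 gives -1,
    # which the registry stores as 0xFFFFFFFF
    $filter = [Convert]::ToInt32($FilterHex, 16)
    New-ItemProperty -Path $LogKey -Name 'Filter' -PropertyType DWord -Value $filter -Force | Out-Null
    Get-SsonAgentLogging
}

# Enable for a troubleshooting session, then disable again when the log has been collected:
Set-SsonAgentLogging
# Set-SsonAgentLogging -Disable
```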

34 Certificate Request
In these labs we use IIS Manager to request the certificates; this is only one method of requesting a certificate from a CA. Certificate requests can also be made via the MMC and Web Enrollment, thus not having to install IIS Manager: a-certificate-request-using-microsoft-management-console- mmc.aspx. Certificate requests can also be made from the command line using certreq on W2K8R2 and above.

35 Soap Error Codes
SOAP is a lightweight protocol for the exchange of information in a decentralized, distributed environment. For QBA almost all errors will be in the form of a SOAP error code in the agent logs. Use the SOAP error code to help you understand where to start troubleshooting. You can use the Google developers site for SOAP errors:
Do not take the error as an OS/system indicator. For example, SOAP error code 21 = "The given profile name is not valid" does not refer to the user's system profile; it is referencing the User Configuration (the user profile in SSON).

36 Soap Error Codes Cont.
Looking at the above we can see SOAP error 20, "Please specify a valid network to impersonate". This may not mean exactly what it says: it could be referencing a DNS issue and not an interface issue. You need to validate that the FQDN can be reached from the agent side.
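Pulling the SOAP error codes out of an agent log so troubleshooting starts from the code, as the two slides above advise: an added PowerShell example that is not part of the training deck. The log line format and the sample lines are constructed, so compare the pattern with one real line from sso_<user>.log before relying on it; the meanings table holds only the two codes the deck explains.

```powershell
# Added example, not from the training deck. Extracts SOAP error codes from agent log
# lines and summarises them by code. Line format is assumed; sample lines are constructed.
$SoapErrorMeaning = @{   # only the codes the deck explains (slides 35 and 36)
    20 = 'Please specify a valid network to impersonate - check DNS / FQDN reachability from the agent first'
    21 = 'The given profile name is not valid - refers to the SSON User Configuration, not the Windows profile'
}

function Get-SsonSoapErrors {
    param([string[]] $Lines)
    # Matches "SOAP error 20", "soap error code 21:", "SOAP Error #20" and similar (assumed phrasing)
    $pattern = '(?i)soap\s+error(?:\s+code)?\s*[:=#]?\s*(\d+)'
    $found = foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if ($m.Success) {
            $code = [int]$m.Groups[1].Value
            [pscustomobject]@{
                Code    = $code
                Meaning = if ($SoapErrorMeaning.ContainsKey($code)) { $SoapErrorMeaning[$code] }
                          else { '(not listed in the deck; look the code up in the SOAP reference)' }
                Line    = $line.Trim()
            }
        }
    }
    # One row per code, most frequent first, with the first line it appeared on
    $found | Group-Object Code | ForEach-Object {
        [pscustomobject]@{
            Code      = [int]$_.Name
            Count     = $_.Count
            Meaning   = $_.Group[0].Meaning
            FirstSeen = $_.Group[0].Line
        }
    } | Sort-Object Count -Descending
}

# Constructed sample lines standing in for sso_<user>.log content
$sample = @(
    '2024-01-10 09:12:03 SSPR: SOAP error 20: Please specify a valid network to impersonate',
    '2024-01-10 09:12:07 SSPR: SOAP error 20: Please specify a valid network to impersonate',
    '2024-01-10 09:13:40 QBA: SOAP error code 21 - The given profile name is not valid',
    '2024-01-10 09:13:41 QBA: registration aborted'
)
Get-SsonSoapErrors -Lines $sample | Format-Table -AutoSize

# Against the real log (path from slide 33):
# Get-SsonSoapErrors -Lines (Get-Content "$env:USERPROFILE\Application Data\Citrix\MetaFrame Password Manager\sso_${env:USERNAME}.log")
```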

37 CDF Tracing
Typically only used in QBA troubleshooting when you encounter an Exception 12 error; this error will typically be presented in the agent logging. Otherwise CDF tracing is not needed to troubleshoot QBA. Exception 12 is typically found when there are issues beyond the service itself: corrupt data in the central store for the user, permission issues on the central store, or some mix of the two.

38 Troubleshooting Methodology
- Validate the XTE service configuration via the service configuration tool
- Review the XTE service logs for clues about the issue
- Check the correct user groups are in the httpd.conf file
- Validate certificates
- Verify the firewall is not blocking ports
- Verify all the settings in the User Configuration in the AppCenter
- Verify DNS and that you can ping the FQDN of the service from the client; check the service via a web browser to see if you have certificate, authentication, or service issues
If the SOAP error is not helpful or is confusing, run through the entire CPM environment and verify all the configurations as if you were going over the install. If QBA fails for a user, the first thing to do is enable agent logging; depending on what the agent log says, focus attention based on the SOAP errors. For authentication issues to a domain controller, validate the authentication ports: if a customer uses LDAP over SSL the port is no longer 389, it is 636. Use the TechNet document as a guide for LDAP ports.
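The connectivity steps of the methodology above, as an added PowerShell example that is not part of the training deck: DNS resolution of the service FQDN, TCP 443 to the service, LDAP 389 or 636 to a domain controller, and an HTTPS request classified as a certificate, authentication or service problem. The service FQDN, domain controller name and service URL path are assumptions you supply; the names in the usage line are constructed.

```powershell
# Added example, not from the training deck. Runs the DNS, port and browser checks of
# slide 38 from an agent machine. Requires Test-NetConnection (Windows 8 / Server 2012 or later).
function Test-SsonServicePath {
    param(
        [Parameter(Mandatory)] [string] $ServiceFqdn,        # load-balanced FQDN the agent uses
        [Parameter(Mandatory)] [string] $DomainController,
        [switch] $LdapSsl,                                   # LDAP over SSL uses 636 instead of 389
        [string] $ServiceUrl = "https://$ServiceFqdn/"       # assumed; set to the XTE site path you use
    )
    $dns = Resolve-DnsName -Name $ServiceFqdn -ErrorAction SilentlyContinue
    $svc = Test-NetConnection -ComputerName $ServiceFqdn -Port 443 -WarningAction SilentlyContinue
    $ldapPort = if ($LdapSsl) { 636 } else { 389 }
    $dc  = Test-NetConnection -ComputerName $DomainController -Port $ldapPort -WarningAction SilentlyContinue

    # Slide 13: the XTE site asks the user to authenticate, so an anonymous request getting
    # HTTP 401 means the service is up. A TLS failure points at certificates; anything
    # else (refused, timeout, 5xx) at the service itself.
    $web = try {
        $r = Invoke-WebRequest -Uri $ServiceUrl -UseBasicParsing -ErrorAction Stop
        "Service answered HTTP $($r.StatusCode) without an authentication challenge"
    } catch {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 401) {
            'Service up: authentication challenge presented (expected)'
        } elseif ($_.Exception.Message -match 'SSL|TLS|trust') {
            "Certificate problem: $($_.Exception.Message)"
        } else {
            "Service problem: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        ServiceFqdn    = $ServiceFqdn
        DnsResolves    = [bool]$dns
        ResolvedTo     = @($dns | Where-Object IPAddress | ForEach-Object IPAddress) -join ', '
        Service443Open = $svc.TcpTestSucceeded
        DcLdapPort     = $ldapPort
        DcLdapOpen     = $dc.TcpTestSucceeded
        HttpsCheck     = $web
    }
}

# Usage (constructed names):
# Test-SsonServicePath -ServiceFqdn 'sson.corp.example' -DomainController 'dc1.corp.example' -LdapSsl
```

A false DnsResolves with a true Service443Open by IP is the DNS case that slide 36 warns SOAP error 20 can hide.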

39 Troubleshooting Methodology Cont.
Admin error can also play a big role: any misspellings or misconfigurations when installing the Single Sign-On Agent can cause QBA and other things to fail. Validate the agent via the registry: SSPR/QBA: Central Store: Validating the registry entries confirms the settings, and you can continue troubleshooting from there.

40 Environment Setup Lab
Open the Lab_Guide.docx; formatting will be different if using Word 2007 and below. Go through modules 1-6: the Lab Guide will walk you through setting up a load-balanced and HA Single Sign-On environment using Distributed File System replication and a namespace with a Netscaler VPX. Once the environment lab is done, continue to the practice labs.

41 Practice Labs
There will be 3 practice labs. Each lab has an executable, and these executables must be run from a specified location; instructions can be found in the lab guide. You must complete each lab to continue to the next lab. A GoToMeeting session will be available for Q&A to assist you during your training.

42 Support Articles for Question Based Authentication
- CTX : Troubleshooting Citrix Single Sign-On Question Based Authentication (this article was written to address and assist troubleshooting Question Based Authentication failures)
- CTX : Troubleshooting the Citrix Password Manager Service
- CTX : How to Obtain an SSL Certificate from a Windows 2008 or Windows 2008R2 Certificate Authority for Citrix Password Manager
- CTX : How to Only Deploy the Account Self-Service Features of Password Manager
