Authentication on XenApp & XenDesktop
Lalit Kaushal, Escalation Engineer EMEA

Agenda
• Authentication at WI:
• Explicit Authentication
• Pass-through Authentication
• Smart Card Authentication
• Anonymous Authentication
• Kerberos Authentication

Authentication in XenApp\XenDesktop
• Support for several authentication methods
  • Smart cards, client certificates, RSA SecurID, etc.
• Support for OS and non-OS credentials stores
  • OS: Active Directory and eDirectory
  • Non-OS: LDAP, RADIUS, 3rd party authentication methods.
• Leverage Authentication methods supported by Windows:
  • Smartcard support
  • Client certificates support
  • Custom 3rd party authentication mechanisms through GINA extensions.
• Leverage Windows authentication to flow the OS identity tokens between Access Infrastructure services
  • Example: flowing Kerberos tickets between ICA client and XA server.

Kerberos
[Diagram: Key Distribution Centre (KDC) containing the AS and TGS, with numbered steps 1 to 4. Message labels: "Here’s my TGT – Can you give me Service Ticket"; "Here’s your Service Ticket"; "Here’s my Service Ticket, Auth. me"; "Client\Server session".]
Authentication Service (AS): Authenticates a client logon and issues a Ticket Granting Ticket (TGT) for future authentication.
Ticket Granting Service (TGS): Grants tickets to TGT-holding clients for a specific application server or resource.
Ticket Granting Ticket (TGT): Received from the Authentication Service (AS); contains the client’s Privilege Attribute Certificate (PAC).
Ticket: Received from the TGS; provides authentication for a specific application server or resource.
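
A simplified model of the AS, TGS and application-server roles defined above, added here as an illustration and not part of the original slides. HMAC tags stand in for Kerberos encryption, session keys and authenticators are omitted, and the account names, keys and group data are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed long-term keys and group data (assumptions, not real values).
KEYS = {"krbtgt": b"kdc-key", "alice": b"alice-key", "xa-server": b"xa-key"}
PAC = {"alice": ["Domain Users", "XenApp Users"]}

def mac(key, blob):
    return hmac.new(key, blob, hashlib.sha256).digest()

def seal(key, body):
    """Toy ticket: JSON body plus HMAC tag (real tickets are encrypted)."""
    blob = json.dumps(body, sort_keys=True).encode()
    return blob, mac(key, blob)

def unseal(key, ticket, now):
    """Return the ticket body if it was sealed with `key` and is unexpired."""
    blob, tag = ticket
    if not hmac.compare_digest(tag, mac(key, blob)):
        raise ValueError("ticket was not sealed with the expected key")
    body = json.loads(blob)
    if body["expires"] <= now:
        raise ValueError("ticket expired")
    return body

def as_exchange(user, proof, now):
    """AS: check proof of the user's key, then issue a TGT carrying the PAC."""
    if not hmac.compare_digest(proof, mac(KEYS[user], str(now).encode())):
        raise ValueError("pre-authentication failed")
    return seal(KEYS["krbtgt"], {"client": user, "pac": PAC[user], "expires": now + 600})

def tgs_exchange(tgt, service, now):
    """TGS: only the holder of a valid TGT gets a ticket for `service`."""
    body = unseal(KEYS["krbtgt"], tgt, now)
    return seal(KEYS[service], {"client": body["client"], "pac": body["pac"],
                                "expires": min(body["expires"], now + 300)})

def service_accept(service, ticket, now):
    """Application server: validates with its own key, no call to the KDC."""
    body = unseal(KEYS[service], ticket, now)
    return body["client"], body["pac"]

def demo(now=1000):
    tgt = as_exchange("alice", mac(KEYS["alice"], str(now).encode()), now)
    st = tgs_exchange(tgt, "xa-server", now)
    return service_accept("xa-server", st, now)

print(demo())
```

Because each ticket is sealed with the key of the party that must validate it, a TGT presented directly to the application server is rejected, as is any ticket sealed with a key other than the KDC's or the service's.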