What is the need for Client Certificate Based Authentication in XenMobile

With client certificate based authentication, the end user experience is simplified to a PIN (the Worx PIN) that grants access to the enterprise Worx Store. As part of enrollment, Device Manager requests a user certificate from the CA server. Once Device Manager receives the user certificate, it is pushed to the user’s device via Worx Home, which adds it to the device keystore and requires the user to set a Worx PIN. The Worx PIN is an added security feature that protects the user’s access: once the user enters the Worx PIN, access is granted to enterprise apps such as Worx Mail and Worx Web, along with the other MDX, web and SaaS apps delivered via AppController.

Steps to configure Client Certificate Based Authentication

The primary prerequisite for client certificate based authentication is a XenMobile 8.6 install base. The server-side components involved are XenMobile Device Manager 8.6, XenMobile AppController 2.9, NetScaler Gateway 10.1 and a Microsoft CA server; on the client side, Worx Home 8.6.

Prerequisites for Device Manager and the MS CA server can be found at the Citrix eDocs link http://support.citrix.com/proddocs/topic/xmob-dm-85/xmob-dm-manage-securityid-configDM-MScertificatesvs-con.html

Note: The steps below will guide you through configuring certificate based authentication for a quick POC. This is one of the ways to achieve certificate based authentication; there are other ways to achieve the same.

Broadly, the configuration can be classified into 4 parts.

  1. Configuration in MS CA Server.
  2. Configuration in Device Manager.
  3. Configuration in AppController.
  4. Configuration in NetScaler.


1. Configuration Steps in MS CA Server

Adding Certificate Snap-In in MMC

  • Open MMC and click Add/Remove Snap-in.
  • Add Certificates as local user and current user.
  • Add Certificate Authority as local account.
Creation of Certificate Template in MS CA

  • Expand Certificate Templates.
  • Select the User template and choose Duplicate Template.
  • Provide the Template Display Name.
1. Please do not check ”Publish certificate in Active Directory” in the template unless required. If it is checked, every user client certificate will be published/created in AD, which may clutter your AD. Select this option based on your requirement.
2. Select Windows Server 2003 as the template type. On a Windows 2012 R2 server, under Compatibility, set both Certification Authority and Certificate recipient to Windows Server 2003.
  • Under the Security tab, check the Enroll permission for Authenticated Users.
  • Under the Cryptography tab, make sure you set the key size (remember it: you must use the same key size in the Device Manager configuration).
  • Under the Subject Name tab, select Supply in the request. Then apply the changes and save.

Adding the Template to Certificate Authority

  • Go to Certificate Authority and select Certificate Templates.

  • Right click in the right pane and select New > Certificate Template to Issue.

  • Select the template you created in the previous step and click OK to add it to the Certificate Authority.
Creating PFX certificate from CA server

  • Create a user PFX certificate using the service account you are logged in with. (This PFX will be uploaded into Device Manager, which uses it to request a user certificate on behalf of each end user who enrolls a device.)
  • Expand Certificates under Current User.

  • Right click in the right pane and click Request New Certificate.

  • You will be shown Certificate Enrollment; click Next.

  • Select Active Directory Enrollment Policy and click Next.

  • Select the User template and Enroll. (You must use the User template here; you cannot enroll with the certificate template created in the previous step, because it uses the Supply in the request option, where Device Manager provides the attributes on which the certificate is issued.)

  • Export the PFX you created in the previous step.

  • Make sure you export the private key.

  • Include all certificates in the certification path, and export all extended properties.

  • Set a password for this certificate; you will use this password when uploading the PFX into Device Manager.

  • Save the certificate to your hard drive.


2. Configuration Steps in Device Manager

  • Log in to Device Manager using admin credentials.

Note: Make sure the AD attribute is set to UPN in the XDM LDAP configuration.

Uploading the PFX into the Device Manager Server

  • Select Options (from the top banner).
  • Drill down into PKI and select Server Certificates.
  • Select Upload a certificate.
  • From the certificate type drop-down, select Keystore.
  • Browse to the PFX file you created and exported in the previous step, provide the password and a description, and upload it.
  • Verify the uploaded certificate.

Defining the PKI Entities in Device Manager

  • Expand PKI.
  • Select Entities; from the right pane, select New MS CertSrv entity.

  • Provide the Entity Name and Service root URL (example: https://ad.mycompany.com/certsrv/; make sure the Cert Server’s IIS is enabled over HTTPS).
  • Select Client certificate as the Authentication type from the drop-down.
  • Select the certificate under the SSL client certificate option (make sure you pick the right one: verify that the serial number matches the certificate/PFX you uploaded in the previous step).

  • Select the Templates tab, click New template and rename the template (it is advised to use the same template name as in the CA server).

  • Select CA Certificates. (You can skip Custom HTTP Parameters.)
  • Click Add to add a CA certificate from the Select a certificate drop-down. (If more than one CA server appears in the drop-down, select the CA server that will be issuing the certificates.)

  • Verify the PKI entities you configured in the previous step.

Defining Credentials Provider in Device Manager

  • Select Credentials Provider and click New credentials provider.
  • Under the General tab:
  • Provide the Credential provider name and Description.
  • Select the Issuing entity, Issuing method and Template from the drop-downs.

  • Under the CSR tab:
  • Select the Key algorithm, key size (the key algorithm and size must match those you used when defining the template) and Signature algorithm.
  • Provide the Subject name as cn=$user.username. Under Subject alternative names, use the New alternative name option; by default it is pre-populated with RFC822. Change it to User Principal Name from the drop-down and provide the value $user.userprincipalname.

  • Under the Distribution tab:
  • Select the Issuer from the drop-down and set the distribution mode to Prefer centralized.
  • Click Add. (These steps do not cover revocation of certificates.)

Device Manager Integration with AppController

  • Under Modules Configurations:
  • Select AppController, provide the AppController host name and shared key, check the Enable AppController option, and also make sure you check Deliver User certificate for authentication and select the Provider from the drop-down.


3. Configuration Steps in AppController

Integration of AppController with NetScaler

  • Log in to AppController and click Deployment under Settings.
  • Provide the NetScaler external access host name, select the Logon Type as Certificate (for certificate based authentication only) and save the configuration in AppController.

Integration of AppController with Device Manager

  • Click XenMobile MDM, provide the respective details and save.


4. Configuration Steps in NetScaler

  • Log in to NetScaler.
  • Expand Traffic Management; under SSL, make sure you have uploaded the root and intermediate certificates of the CA that issues the user certificates into NetScaler, and link them.

  • If you are configuring NetScaler Gateway for the first time, run the wizard; if you already have the AGEE VIP configured, make the changes accordingly.

  • Open the Virtual Server.
  • From the Certificates tab:
  • Push the root certificate of the CA using the Add option.
  • From the Add drop-down, push the certificate as CA.

  • Make sure you select the Check option from the drop-down; if your CA server has CRL/OCSP configured, check the respective option.
  • If your CA server does not support CRL/OCSP, set Check to Optional, or else client authentication fails.

  • Click SSL Parameters.
  • Check the Client Authentication check box and select Mandatory for the client certificate from the drop-down.
  • Click OK to add the above configured policy.

  • From the Authentication tab:
  • Select a new policy and name it cert based auth.
  • Set the expression to ns_true.

  • Create a profile for the policy.
  • Set the Two Factor option based on your requirement.
  • Select SubjectAltName:PrincipalName as the User Name Field from the drop-down. (If you are using certificate based authentication only, set Two Factor to OFF.)
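The two settings that must agree are the credentials provider's alternative name (User Principal Name with $user.userprincipalname, not the RFC822 default) and the gateway's User Name Field (SubjectAltName:PrincipalName). The following is an added example, not part of this guide and not XenMobile or NetScaler code: it builds the DER of a subjectAltName value with only the Python standard library, then parses it back the way a gateway reading SubjectAltName:PrincipalName would, so you can see why a certificate left at the RFC822 default yields no principal name. The UPN OID is Microsoft's published 1.3.6.1.4.1.311.20.2.3; the user names are constructed samples.

```python
"""Build and parse an X.509 subjectAltName value carrying a Microsoft UPN.

Added example (not XenMobile/NetScaler code). Standard library only;
sample names are constructed.
"""

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft UPN otherName type-id

# DER tags used below
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
TAG_OTHERNAME = 0xA0    # GeneralName [0] otherName (implicit, constructed)
TAG_RFC822NAME = 0x81   # GeneralName [1] rfc822Name (implicit IA5String)
TAG_DNSNAME = 0x82      # GeneralName [2] dNSName
TAG_EXPLICIT_0 = 0xA0   # OtherName.value is [0] EXPLICIT


def _der_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Content octets of an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    """Inverse of encode_oid."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_san(rfc822: str = None, upn: str = None) -> bytes:
    """GeneralNames SEQUENCE with an optional rfc822Name and UPN otherName."""
    names = []
    if rfc822:
        names.append(_tlv(TAG_RFC822NAME, rfc822.encode("ascii")))
    if upn:
        other = _tlv(TAG_OID, encode_oid(UPN_OID)) + _tlv(
            TAG_EXPLICIT_0, _tlv(TAG_UTF8STRING, upn.encode("utf-8")))
        names.append(_tlv(TAG_OTHERNAME, other))
    return _tlv(TAG_SEQUENCE, b"".join(names))


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def parse_san(der: bytes) -> dict:
    """Return {'rfc822': [...], 'dns': [...], 'upn': [...]} from a SAN value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("subjectAltName must be a single SEQUENCE")
    found, pos = {"rfc822": [], "dns": [], "upn": []}, 0
    while pos < len(body):
        tag, item, pos = _read_tlv(body, pos)
        if tag == TAG_RFC822NAME:
            found["rfc822"].append(item.decode("ascii"))
        elif tag == TAG_DNSNAME:
            found["dns"].append(item.decode("ascii"))
        elif tag == TAG_OTHERNAME:
            oid_tag, oid, p = _read_tlv(item, 0)
            val_tag, wrapped, _ = _read_tlv(item, p)
            if oid_tag == TAG_OID and val_tag == TAG_EXPLICIT_0 and decode_oid(oid) == UPN_OID:
                inner_tag, upn, _ = _read_tlv(wrapped, 0)
                if inner_tag == TAG_UTF8STRING:
                    found["upn"].append(upn.decode("utf-8"))
        # other GeneralName choices (IP, URI, directoryName) are ignored here
    return found


def principal_name(der: bytes):
    """What a SubjectAltName:PrincipalName lookup yields, or None if absent."""
    upns = parse_san(der)["upn"]
    return upns[0] if upns else None


if __name__ == "__main__":
    good = build_san(upn="alice@corp.example")        # UPN alternative name
    print(good.hex(), principal_name(good))           # ... alice@corp.example
    default = build_san(rfc822="alice@corp.example")  # RFC822 default only
    print(principal_name(default))                    # None
```

Run it directly to see both cases: the UPN-bearing SAN yields the user's principal name, while a SAN containing only the RFC822 e-mail name yields None, which is the mismatch you would hit if the credentials provider were left at its default while NetScaler expects SubjectAltName:PrincipalName. The parser is strict enough to reject a truncated or non-SEQUENCE value rather than guessing, which is the behaviour you want at an authentication boundary.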


End user experience

  • Enroll the device, set the Worx PIN, and experience the simplified user authentication.