Across smart card users there tends to be the desire to get around as many PIN prompts as possible. Most people dislike having to reenter a password multiple times and that tends to be the same case with smart card PINs. The PIN is a basic security check to unlock your certificate and private key on the card, which is then used to authenticate to a system. To understand the number of PIN prompts expected when connecting through the NetScaler Gateway, we need to look at how the communication occurs.
Connecting via a NetScaler Gateway (NSG) happens using a SSL or TLS algorithm (referred to as just SSL moving forward). When utilizing SSL, a server presents a certificate to verify its identification during what is called the handshake. If that server is expecting a smart card user on the other end, it will request the smart card certificate as part of that handshake, triggering the PIN on the client.
Once each side verifies the other, the handshake completes and there is a mutual trust during a specified period of time. For a visual example watch the scene from 50 First Dates where everyone meets 10-second Tom. After introductions, an extremely brief conversation occurs before Tom again introduces himself and shakes everyone’s hands. On the NSG this brief amount of time is the session reuse time.
Now let’s look at Citrix Receiver to NSG communication. There are about four main steps that tend to occur in this communication.
1) Receiver authenticates to the NSG
2) Receiver enumerates the applications via NSG
3) Receiver requests launch of a resource via NSG, obtaining an ICA file
4) Receiver launches an ICA proxy connection through the NSG
Each one of these steps happens via a SSL connection. Step two happens automatically after step one and reuses that session. If a resource is launched within the session reuse window (default of 120s), a new SSL connection will not be initiated. The launch of the ICA Proxy, step 4, is always a new SSL connection.
Putting the knowledge of both together, one can discover when and where a smartcard certificate will be expected.
1) Initial auth – Always needs the certificate and triggers a PIN
2) Enumeration – Only triggers a PIN if refreshed after authentication (usually outside the reuse window)
3) Launch request – Triggers a PIN if outside the reuse window
4) ICA proxy initiation – Always triggers a PIN
There is also a PIN prompt when a user logs into the actual OS for the launched resource. This will add up to three expected PIN prompts as the resource launch request usually always falls within the session reuse window.
PIN to authenticate -> Enumerate apps -> request resource launch -> PIN to initiate ICA proxy -> PIN to authenticate to OS
So, is it possible to eliminate any of these PIN prompts? Yes. The PIN to initiate the ICA proxy is due to the usage of the same NSG virtual server (VIP) as authentication and enumeration. This VIP has a client certificate requirement in order to authentication the client. The ICA file contained an STA ticket in it that can validate the launch of the ICA proxy. This means it is possible to create another NSG VIP, without a client cert requirement, that solely is used for doing the ICA proxy. Additional features in the NetScaler can even be used to restrict traffic to this VIP to Citrix Receiver only. This will take the solution down to two PIN prompts.
PIN to authenticate -> Enumerate apps -> request resource launch -> Initiate ICA proxy -> PIN to authenticate to OS
Keep in mind this has the assumption that the request to launch a resource occurs right after logging in. If after the PIN to authenticate a user steps away for a few minutes, the session reuse window time will most likely expire, causing the user to be prompted for a PIN again. If users are always accessing applications, and not a desktop, chances are most applications launches may occur outside the reuse windows, causing more PIN prompts. A smart card user may have a better user experience if they access a virtual desktop that leverages a pass-through authentication type to backend applications.
Keep this in mind when designing a Citrix environment with smart card users authenticating to NetScaler Gateway. While it is not possible to get down to a single PIN prompt, certain design considerations can get you down to two PIN prompts. Contact your Citrix Sales Engineer if you have any questions.