To date, the majority of XenMobile deployments have used Active Directory for both authentication and user grouping. However, depending on your requirements, authentication via a ‘local’ directory may be preferred, for example:
- Third-party contractors who would otherwise be issued AD credentials out of necessity; this approach should be avoided where possible.
- Retail or educational institutions where devices are shared resources and are not dedicated to an individual user.
- Rare occasions where users are authenticated via an unsupported directory (Novell eDirectory, for example).
- Any other scenario where use of an AD account is not the preferred option
In XenMobile 9.0 and earlier, local authentication was available for MDM deployments. XenMobile 10 builds on this by introducing support for local accounts in MAM and EMM mode.
While it’s possible to deploy XM standalone using local accounts without Netscaler, this document focuses on a deployment that includes Netscaler Gateway in order to benefit from features like mVPN. The following limitations apply:
- Integration with XenApp or XenDesktop is not supported
- In the absence of a ‘credential’, SSO via WorxWeb will not work out of the box. However, a shared/known AD credential could be typed manually and cached by WorxWeb the first time an internal site is accessed. This is an optional MDX policy setting; see the eDoc referenced below and refer to the ‘Enable web password caching’ policy.
Configuration Phase 1 – Single User Creation
Step 1 – Create a local user and group(s) in the XenMobile 10 management console
- Select ‘Configure’ -> ‘Settings’ -> Local Users and Groups
- Use the ‘Manage Local Groups’ workflow to create groups in line with your requirements. These groups will be used to assign policies, applications and actions via delivery groups.
- Close the ‘Manage Local Groups’ window. Select ‘Add’ to create a local user account. Complete the fields as pictured below.
Step 2 – Create a corresponding user account on the Netscaler Gateway
- From the Netscaler administration console, select ‘AAA Users’ from the ‘User Administration’ subheading within the ‘Netscaler Gateway’ section.
- Select ‘Add’
- Enter the same username and password from step 1.3 above (case sensitive) and click ‘OK’ to save.
Step 3 – Create a local authentication policy
- Select ‘LOCAL’ from the ‘Authentication’ subheading under ‘Policies’
- Select ‘Add’
- Give the policy a name and enter ns_true in the expression box and click ‘Create’.
Step 4 – Bind the local authentication policy to the XenMobile Netscaler Gateway vServer.
Note: This step assumes that the XenMobile 10 Netscaler configuration wizard has already been completed. The local authentication policy can be created and bound during the wizard, or it can be added later (as in this example).
- Select and ‘Edit’ your XM10 vServer
- Unbind any existing authentication policies you have defined
Note: In scenarios where your XM Gateway needs to support local AND LDAP authentication policies simultaneously, please see the miscellaneous section at the end of this article.
- Bind the local policy you created in step 3.
Step 5 – Check the Netscaler Gateway setting on the XMS
- Login to the XenMobile management console
- From the ‘Settings’ menu select ‘Netscaler Gateway’
- Ensure the XenMobile Netscaler Gateway FQDN that users connect to is specified and that ‘Domain’ authentication is selected.
That’s it! You should now be able to enroll using a local user account…
However, the example above describes how to add one account. So the question is, how can you make this scalable? Hire an office temp to do this repetitive task over and over? Probably not the most efficient use of anyone’s time.
Therefore, the next two sections explain how to add user accounts in bulk to both the Netscaler and the XenMobile Server.
Configuration Phase 2 – Bulk user creation
Step 1 – Create an import file
The file should look like the example listed here. In my example, I started from CSV.
Remember to include any local Groups you would like to create. If the group does not exist, XMS creates one automatically. If the group already exists, the XenMobile server updates the group membership but does not create duplicates. Custom attributes such as email address can be added later on as described in this eDoc. The column titles in the image below are for illustration purposes. Please do not add column titles to your file. The first row should contain your first user.
Note: As described in the eDoc above, files must use a semi-colon as the delimiter. In my example, I used Excel to create a CSV file then updated Advanced Regional Settings in Control Panel to use a semicolon for ‘List Separation’.
Step 2 – Upload the file from Step 1 into the XenMobile management console.
Depending on the number of records this may take some time. The console will not time out while this process runs, so leaving it running in the background is perfectly acceptable.
- Navigate back to ‘Local Users and Groups’ in the XenMobile management console.
- Select ‘Import’
- Make sure the ‘User’ radio button is selected
- Import the file
Step 3 – Creating accounts in bulk on the Netscaler
Open the file from Step 1 in Excel or your workbook editor of choice and complete the following tasks:
1. Copy the ‘username’ column in its entirety.
2. Open a new workbook.
3. Paste the cells from step 1 into the second column of the new workbook.
4. Return to the original file. Copy the ‘Password’ column in its entirety.
5. Paste the ‘Passwords’ into the fourth column of the new workbook.
6. On the new workbook, in the first column type ‘add aaa user’. Copy this to the required number of rows in the first column.
7. In the third column type ‘password’. Copy this to the required number of rows in the third column.
The file should now look like this:
8. Copy all of the text.
9. Login to the Netscaler using your SSH client of choice.
10. At the prompt, paste the text from step 8. Netscaler creates the accounts.
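The workbook shuffle above can be replaced by a short script that reads the semicolon-delimited import file from Phase 2 Step 1, flags duplicate usernames and names that would clash with AD accounts (see the miscellaneous section on LOCAL plus LDAP), and emits one ‘add aaa user’ line per user to paste into the Netscaler SSH session. This is an added example, not code from the original post or from Citrix; the column order username;password;role;group1;group2;… and the sample rows are assumptions, and the generator writes the parameter as -password, the form used by the Netscaler CLI reference, where the workbook above types ‘password’.

```python
import csv
import io
# Constructed sample of a XenMobile local-user import file: semicolon delimited, no header row.
# The column order username;password;role;group1;group2;... is an assumption, not from the article.
SAMPLE_IMPORT = """\
demo.store01;Kiosk-Pass-01;USER;RetailDemo
demo.store02;Kiosk-Pass-02;USER;RetailDemo;Pilot
contractor.jane;Temp#Pass9;USER;Contractors
demo.store01;Kiosk-Pass-03;USER;RetailDemo
"""

def cli_arg(value):
    """Double-quote a value for the NetScaler CLI unless it is plain alphanumeric/._-@ text."""
    if '"' in value:
        raise ValueError("double quotes are not supported in generated CLI values")
    return value if all(c.isalnum() or c in "._-@" for c in value) else f'"{value}"'

def parse_import_file(text):
    """Return (username, password, role, groups) tuples from the semicolon-delimited import text."""
    rows = []
    for fields in csv.reader(io.StringIO(text), delimiter=";"):
        if not any(fields):
            continue  # skip blank lines
        if len(fields) < 3:
            raise ValueError(f"row needs at least username;password;role: {fields}")
        groups = [g.strip() for g in fields[3:] if g.strip()]
        rows.append((fields[0].strip(), fields[1], fields[2].strip().upper(), groups))
    return rows

def check_rows(rows, ad_accounts):
    """Warn on duplicate usernames and on names that clash with AD accounts: the Gateway checks
    its local user database before LDAP, so a clashing local account shadows the AD user."""
    warnings, seen, ad_lower = [], set(), {a.lower() for a in ad_accounts}
    for username, _, _, _ in rows:
        key = username.lower()
        if key in seen:
            warnings.append(f"duplicate username in import file: {username}")
        if key in ad_lower:
            warnings.append(f"local username clashes with an AD account: {username}")
        seen.add(key)
    return warnings

def netscaler_commands(rows):
    """One 'add aaa user' CLI line per unique username (the CLI names the parameter -password)."""
    cmds, done = [], set()
    for username, password, _, _ in rows:
        if username.lower() not in done:
            done.add(username.lower())
            cmds.append(f"add aaa user {cli_arg(username)} -password {cli_arg(password)}")
    return cmds
```

Run check_rows against an export of your AD sAMAccountNames before importing, and review the warnings rather than pasting the commands blindly; the output contains plaintext passwords, exactly as the workbook does.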
Alternative Configuration – Combining local user accounts with certificate based authentication
Maintaining these local accounts in two different places may not be the desired approach for every organization. As an alternative option, local accounts could be created on the XenMobile server (as described in step 2) and by following Avinash’s excellent blog, the XenMobile server can supply a certificate for Gateway authentication. In this model, Netscaler does not require local accounts to be created as WorxHome uses the certificate pushed from the XenMobile server for authentication.
Miscellaneous – Combining LOCAL and LDAP Authentication on the same Netscaler Gateway vServer
Earlier in this blog the configuration suited an environment where only local authentication was required. For many deployments, it may be desirable to serve local and LDAP users on a single XenMobile instance; for example, a retail organization that uses XenMobile to provide email and intranet access for office users but uses local accounts to serve communal devices used in retail outlets for demonstration purposes.
- Open the Netscaler Gateway vServer properties screen
- Click the + in the authentication section
- Bind the LDAP policy that was removed earlier in the article. Ensure it has a lower priority (higher number) than the ‘local’ policy that is already bound to the vServer, so that authentication requests for local accounts are not sent to Active Directory. When AD authentication is required, the Netscaler first checks its local database to confirm that no local account of that name exists before forwarding the request to AD. With this configuration it is important to name your local accounts appropriately so that they do not conflict with accounts in AD.
Note: To check the priority of the local policy select the binding and look under the ‘Priority’ column.
Thank you to everyone who made it this far. This is my first Citrix blog so if you would like me to expand on anything described above, please leave a comment below!