Many security-aware customers require two-factor authentication for any service that grants elevated privileges. This is typically accomplished with a credential tied to a separate user account that has higher-than-user privileges on a Microsoft Windows domain, validated via smart card, PIV, or alternate token authentication. Prior to recent changes in Citrix Director, users who had to log on to their workstation with a regular user account and then log on to administrative GUIs with a smart card / PIV credential could not meet that requirement with Citrix Director. In the past, there have been a few workarounds for this problem:

  • Exempting the requirement for smart card / PIV key on the Citrix Director site and using username and password for the elevated account
  • Enabling smart card passthrough authentication for Director and logging into the system with an elevated account (via smart card)
  • Adding a regular/non-elevated user account to the Citrix admins group and enabling smart card passthrough authentication for the Citrix Director site
  • Setting up a Citrix StoreFront store with smart card / PIV key enabled and passthrough auth disabled, then launching a compatible browser with your elevated account to access Citrix Director

For many customers (especially DoD/government users), these workarounds were either not possible or required information security exemptions to be processed. In most cases, simply processing an exemption to a security rule is not enough. Not only are the systems with the exemptions running in a lowered security state, many organizations will require tracking of exemptions and a 30/60/90-day plan to resolve the issue and remove the exemption (often by working with the product vendor to resolve the vulnerability).

Because of these issues, and the need for greater security through practices such as least privilege and role-based access, Citrix identified a requirement to support logging on to Citrix Director with an alternate user certificate presented from a smart card.

In this blog post, I’ll walk you through setting up a smart card logon for Citrix Director so you can enable this functionality. This post complements the PIV card instructions on our Citrix Docs site and is different from the passthrough authentication previously supported via earlier versions of Citrix Director.

I have tested the following instructions with Citrix Director version 7.15.5000, running on Server 2012 R2 and Server 2016, with an Active Directory Server 2012 functional level. I haven’t been able to get PIV authentication to work on a Citrix Director server running on Server 2008 R2 or below.

Active Directory Authentication

1) Create domain service account: To allow smart card authentication in Director, we need a domain service account that we can delegate certain permissions to and that the Director IIS application pool will run as. To begin, create a regular user account in Active Directory Users and Computers. This account should be placed in a specific OU and/or be named to indicate it is a service account. (Depending on the organization, other hardening rules may apply, such as preventing interactive logon.)

2) Create SPN records: Next, we create the SPN records required before delegation can be configured on the newly created service account (the Delegation tab does not appear on an account until it holds at least one SPN). You will need to do this for each Director server, as well as for any load-balanced VIP used to access a pool of Director servers (slightly different command).

The command to create the SPN record for a Director server is:

setspn -a http/<directorServer>.<domain_fqdn> <domain>\<DirectorAppPoolServiceAcct>

The command to create the SPN record for an LB VIP is:

setspn -S http/<DirectorFQDN> <domain>\<DirectorAppPoolServiceAcct>

The -S switch refuses to add an SPN that is already registered on another account; a duplicated SPN makes Kerberos authentication to that service fail, so -S is the safer switch for both commands.

The command to view/test the created SPNs is:

setspn -L <DirectorAppPoolServiceAcct>

3) Next, browse to Active Directory Users and Computers and open the properties of the newly created service account. On the “Delegation” tab, select “Trust this user for delegation to specified services only” and “Use any authentication protocol” (protocol transition is required here, because the user authenticates to IIS with a certificate rather than with a Kerberos ticket), then add the following services:

Delivery Controllers: HOST, http
Director Servers: HOST, http
Domain Controllers: GC, LDAP

4) With the Active Directory configuration complete, log into the Director server to complete the configuration.

5) Assuming the install and initial configuration of Director is complete, open Server Manager and add the Client Certificate Mapping Authentication feature, under Web Server > Security.

6) Once the Client Certificate Mapping Authentication feature has been installed, open the IIS console, highlight the server in the left panel, double-click “Authentication,” and enable “Active Directory Client Certificate Authentication.”

7) In the IIS console, select the Director virtual directory in the left-hand pane, double click “Authentication,” and disable “Forms Authentication.” Only “Anonymous Authentication” should be enabled.

8) Click the Director virtual directory again to see all options, then double-click “SSL Settings” in the middle pane. Check the “Require SSL” box, and set Client Certificates to “Require.”

9) For the last step in the IIS console, again select the Director virtual directory in the left pane and double-click “Application Settings” in the first section. In the Application Settings window, click “Add” in the Actions pane and create a setting named “AllowKerberosConstrainedDelegation” with a value of 1 (if the setting already exists, edit it so that its value is 1).

10) Select “Application Pools” in the left-hand pane, then right click the Director application pool and select “Advanced Settings.”

11) Select “Identity” and click the ellipses (“…”) to enter the service account domain\logon and password credentials. Close the IIS console.

12) From an elevated command prompt, change directories to C:\Windows\System32\inetsrv and enter the following commands (replace "Default Web Site" with the name of the IIS site that hosts Director if it is different):

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

appcmd.exe set config "Default Web Site" -section:system.webServer/security/access /sslFlags:"Ssl, SslNegotiateCert" /commit:apphost


13) From the same elevated command prompt, run Notepad, click File > Open, and browse to the web.config file under C:\inetpub\wwwroot\Director.

14) Scroll to the <system.webServer> node. Directly under the <system.webServer> node, paste the following text:


    <defaultDocument enabled="true">
      <files>
        <add value="LogOn.aspx" />
      </files>
    </defaultDocument>

15) From the same elevated command prompt, type: iisreset

16) At this point, visiting the Director URL should immediately prompt for a client certificate and then for the user’s PIN. After you enter the PIN, you should be taken directly to the Director dashboard. If you are shown the Director username/password logon page instead, Forms Authentication is still enabled on the Director virtual directory (step 7).
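The following script is an added example, not code from the original post or from Citrix: it performs steps 1 through 15 above from PowerShell instead of the GUI, so that the configuration can be reproduced on every Director server and reviewed in change control. Every name in it (domain, OU, account, server names, site and app pool names) is a placeholder assumption, the Delivery Controller/Director/domain controller SPN lists are written out explicitly in the forms the Delegation tab would store, and it assumes that disabling “Forms Authentication” in IIS Manager corresponds to setting the system.web/authentication mode to None. Section A must run where the RSAT ActiveDirectory module is available; section B runs in an elevated PowerShell on each Director server.

```powershell
# Added example (not from the original post and not Citrix code): the AD and
# IIS steps of the procedure as one script. Every name below is a placeholder.
# Section A runs where the RSAT ActiveDirectory module is installed;
# section B runs on each Director server, from an elevated PowerShell.
#Requires -RunAsAdministrator

$domain      = 'corp.example'                 # assumption: AD DNS name
$netbios     = 'CORP'                         # assumption: NetBIOS domain name
$svcName     = 'svc_DirectorPool'             # assumption: service account sAMAccountName
$svcOU       = 'OU=ServiceAccounts,DC=corp,DC=example'   # assumption
$directors   = @('director01', 'director02')  # assumption: Director server short names
$directorVip = 'director.corp.example'        # assumption: LB VIP FQDN ($null if none)
$controllers = @('ddc01', 'ddc02')            # assumption: Delivery Controller short names
$domainCtrls = @('dc01', 'dc02')              # assumption: domain controller short names
$siteName    = 'Default Web Site'             # IIS site hosting /Director
$poolName    = 'Director'                     # assumption: Director app pool name
$cfgPath     = 'C:\inetpub\wwwroot\Director\web.config'
$appcmd      = "$env:windir\System32\inetsrv\appcmd.exe"

# ---- A. Active Directory (steps 1-3) ----------------------------------------
Import-Module ActiveDirectory
$cred = Get-Credential -UserName "$netbios\$svcName" -Message 'Service account password'
New-ADUser -Name $svcName -SamAccountName $svcName -Path $svcOU `
    -AccountPassword $cred.Password -Enabled $true -PasswordNeverExpires $true `
    -Description 'Citrix Director app pool / constrained delegation account'

# SPNs the account answers for: each Director server plus the load-balanced
# name. The Delegation tab only appears once the account holds an SPN.
$spns = @(foreach ($d in $directors) { "http/$d.$domain" })
if ($directorVip) { $spns += "http/$directorVip" }
Set-ADUser -Identity $svcName -ServicePrincipalNames @{ Add = $spns }

# Delegation targets (the Delegation tab stores these in msDS-AllowedToDelegateTo).
# Short and FQDN forms are both added because a client may request either.
$targets = @(foreach ($h in $controllers + $directors) {
    "HOST/$h"; "HOST/$h.$domain"; "http/$h"; "http/$h.$domain"
})
$targets += @(foreach ($dc in $domainCtrls) {
    "GC/$dc.$domain/$domain"; "ldap/$dc"; "ldap/$dc.$domain"; "ldap/$dc.$domain/$domain"
})
Set-ADUser -Identity $svcName -Add @{ 'msDS-AllowedToDelegateTo' = $targets }
# "Use any authentication protocol": protocol transition (S4U2Self) is what lets
# IIS obtain a ticket for a user who authenticated with a certificate, not Kerberos.
Set-ADAccountControl -Identity $svcName -TrustedToAuthForDelegation $true

# Sanity checks: SPNs present on the account, and no duplicate SPNs in the forest
# (a duplicate SPN breaks Kerberos for the service without an obvious error).
setspn -L $svcName
setspn -X

# ---- B. IIS on each Director server (steps 5-15) ----------------------------
Import-Module WebAdministration
Install-WindowsFeature Web-Client-Auth | Out-Null   # "Client Certificate Mapping Authentication"

# Step 6 (server level) and step 12 (site level): AD client certificate mapping on,
# and the site negotiates a client certificate.
& $appcmd set config -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:True /commit:apphost
& $appcmd set config $siteName -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:True /commit:apphost
& $appcmd set config $siteName -section:system.webServer/security/access /sslFlags:Ssl,SslNegotiateCert /commit:apphost

# Step 7: Forms authentication off (assumed equivalent of IIS Manager's "Disable"),
# Anonymous on; step 8: require SSL and a client certificate on /Director.
& $appcmd set config "$siteName/Director" -section:system.web/authentication /mode:None
& $appcmd set config "$siteName/Director" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:True /commit:apphost
& $appcmd set config "$siteName/Director" -section:system.webServer/security/access /sslFlags:Ssl,SslRequireCert /commit:apphost

# Steps 9 and 14 both edit web.config: AllowKerberosConstrainedDelegation=1 in
# <appSettings>, and LogOn.aspx as the default document under <system.webServer>.
[xml]$cfg = Get-Content -Raw $cfgPath
$root = $cfg.DocumentElement
$app = $root.SelectSingleNode('appSettings')
if (-not $app) { $app = $root.AppendChild($cfg.CreateElement('appSettings')) }
$kcd = $app.SelectSingleNode("add[@key='AllowKerberosConstrainedDelegation']")
if (-not $kcd) {
    $kcd = $app.AppendChild($cfg.CreateElement('add'))
    $kcd.SetAttribute('key', 'AllowKerberosConstrainedDelegation')
}
$kcd.SetAttribute('value', '1')
$ws = $root.SelectSingleNode('system.webServer')
if (-not $ws) { $ws = $root.AppendChild($cfg.CreateElement('system.webServer')) }
if (-not $ws.SelectSingleNode("defaultDocument/files/add[@value='LogOn.aspx']")) {
    $dd = $cfg.CreateElement('defaultDocument'); $dd.SetAttribute('enabled', 'true')
    $add = $dd.AppendChild($cfg.CreateElement('files')).AppendChild($cfg.CreateElement('add'))
    $add.SetAttribute('value', 'LogOn.aspx')
    $ws.PrependChild($dd) | Out-Null      # directly under <system.webServer>, as in step 14
}
$cfg.Save($cfgPath)

# Steps 10-11: run the Director app pool as the service account that holds the SPNs.
Set-ItemProperty "IIS:\AppPools\$poolName" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = "$netbios\$svcName"
    password     = $cred.GetNetworkCredential().Password
}
iisreset   # step 15
```

Keep the two halves separate in practice: the AD half needs rights to create accounts and write msDS-AllowedToDelegateTo, which the Director server administrator usually should not hold, while the IIS half needs only local administrator on the Director server. The `setspn -X` scan is the check worth keeping even if the rest is done by hand, because a duplicate http/ SPN left on a computer account is the most common reason the final certificate logon fails.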

Conclusion

In this blog post, we’ve covered how to configure Citrix Director to prompt a regular user for an alternate smart card / PIV key token to authenticate with an elevated account, separate from the non-elevated account they logged into the system with. This configuration enables organizations to meet the tenets of role-based access and least-privilege without security exemptions that could lower the security level of key management systems.