Citrix FAS explained using four examples: internal use case

In this series of articles we present four FAS use cases showing how to implement two-factor authentication with a virtual smart card (vSmartCard) that is generated in the background, so that users need neither a physical smart card nor repeated authentication prompts.

Citrix FAS enables secure authentication at StoreFront without prompting users for their credentials, requesting a smart card or storing the password on the client. A wide range of authentication methods is available, including Kerberos SSO, which lets FAS replace the Kerberos Constrained Delegation log-on feature of earlier XenApp versions.
Within their FAS-brokered session, all users have access to the Public Key Infrastructure (PKI), regardless of whether they logged in with a physical smart card. This makes two-factor authentication possible even on devices without smart card readers, such as smartphones or tablets.
In the following articles of this series we examine four different use cases and show how the FAS server is placed in the infrastructure and authorized to issue smart card certificates on demand, with which the user logs on to the Citrix HDX session as if holding a smart card.

Use Case #1: Internal

[Figure: Citrix FAS Internal Use Case]

Traffic Flow:

  • The user opens the NetScaler Gateway portal and, if not yet authenticated, is redirected to the SAML Identity Provider.
  • The user authenticates at the identity provider via Active Directory integration and MFA (multi-factor authentication), whereupon a SAML token is signed and handed to the user.
  • The user presents the SAML token to the NetScaler Gateway portal, which validates it.
  • The NetScaler then takes the user's identity from the validated SAML token (NameID attribute).
  • StoreFront contacts the FAS to request a client certificate (vSmartCard) for the authenticated user.
  • FAS contacts the Active Directory Certificate Service (AD CS) to generate the client certificate (vSmartCard) for the authenticated user. From this moment FAS holds both the client certificate and its private key.
  • From now on, whenever the authenticated user connects to the VDA, the VDA authenticates the user to the FAS and redeems the certificate.
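The chain of trust above can be modelled end to end: each hop verifies the hop before it, and only FAS ever sees the private key. The following Python model is an added example written for this article, not Citrix code. It stands in for the real components with deliberate simplifications, all of which are assumptions of the model: an HMAC replaces the IdP's XML-DSig signature, in-memory allow lists (`trusted_storefronts`, `trusted_vdas`) stand in for the authorization rules that restrict which StoreFront servers may request certificates and which VDAs may redeem them, and the AD CS enrollment is reduced to creating an in-memory object. All host names, users and keys are constructed sample values.

```python
"""Model of the FAS internal traffic flow (constructed example, not Citrix code)."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Constructed secret standing in for the IdP's XML-DSig signing key (assumption of the model).
IDP_SIGNING_KEY = b"idp-signing-key-example"
GATEWAY_AUDIENCE = "https://gateway.example.test/saml"  # constructed gateway entity ID


@dataclass
class SamlToken:
    name_id: str
    audience: str
    not_on_or_after: float
    mfa_done: bool
    signature: bytes = b""

    def payload(self) -> bytes:
        return f"{self.name_id}|{self.audience}|{self.not_on_or_after}|{self.mfa_done}".encode()


def idp_issue_token(user: str, mfa_done: bool, now: float, ttl: int = 300) -> SamlToken:
    """Identity provider: after AD + MFA, sign an assertion addressed to the gateway."""
    tok = SamlToken(user, GATEWAY_AUDIENCE, now + ttl, mfa_done)
    tok.signature = hmac.new(IDP_SIGNING_KEY, tok.payload(), hashlib.sha256).digest()
    return tok


def gateway_validate(tok: SamlToken, now: float) -> str:
    """NetScaler Gateway: verify signature, audience, expiry and MFA; return the NameID."""
    expected = hmac.new(IDP_SIGNING_KEY, tok.payload(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tok.signature):
        raise PermissionError("SAML signature invalid")
    if tok.audience != GATEWAY_AUDIENCE:
        raise PermissionError("SAML audience mismatch")
    if now >= tok.not_on_or_after:
        raise PermissionError("SAML token expired")
    if not tok.mfa_done:
        raise PermissionError("MFA not asserted")
    return tok.name_id


@dataclass
class VSmartCard:
    subject: str
    private_key: str  # never leaves FAS in this model


@dataclass
class Fas:
    """FAS: the only component that talks to AD CS and the only holder of the private key."""
    trusted_storefronts: set
    trusted_vdas: set
    store: dict = field(default_factory=dict)

    def request_certificate(self, storefront: str, user: str) -> str:
        # Only an authorized StoreFront may ask for a certificate (allow list = model assumption).
        if storefront not in self.trusted_storefronts:
            raise PermissionError(f"{storefront} may not request certificates")
        # Stand-in for AD CS enrollment: key pair generated and retained here.
        self.store[user] = VSmartCard(user, f"key-for-{user}")
        return f"cert:{user}"

    def logon(self, vda: str, user: str) -> str:
        # Only an authorized VDA may redeem the certificate for a logon.
        if vda not in self.trusted_vdas:
            raise PermissionError(f"{vda} may not redeem certificates")
        if user not in self.store:
            raise PermissionError("no certificate issued for user")
        # FAS performs the private-key operation on the VDA's behalf; the key stays here.
        return f"signed-logon:{user}"


def internal_flow(user: str, mfa_done: bool, storefront: str, vda: str, fas: Fas, now=None) -> str:
    """Run the whole flow: IdP -> Gateway -> StoreFront -> FAS -> (AD CS) -> VDA -> FAS."""
    now = time.time() if now is None else now
    tok = idp_issue_token(user, mfa_done, now)
    name_id = gateway_validate(tok, now)
    fas.request_certificate(storefront, name_id)  # StoreFront asks FAS, FAS enrolls at AD CS
    return fas.logon(vda, name_id)               # VDA redeems the certificate at FAS


def run(user: str, mfa_done: bool, storefront: str, vda: str, fas: Fas, now: float = 1000.0) -> str:
    """Return the logon result, or the reason the chain refused the request."""
    try:
        return internal_flow(user, mfa_done, storefront, vda, fas, now)
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    fas = Fas(trusted_storefronts={"sf01"}, trusted_vdas={"vda01"})
    print(run("alice@example.test", True, "sf01", "vda01", fas))
    print(run("bob@example.test", False, "sf01", "vda01", fas))
    print(run("alice@example.test", True, "sf01", "vda02", fas))
```

The refusals are the interesting part for a defender: a token without the MFA assertion is stopped at the gateway, an unlisted StoreFront never reaches AD CS, and an unlisted VDA cannot redeem a certificate even for a user who legitimately has one, because the private-key operation is only ever performed inside FAS.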

In the second part of this series we look at an external use case with AD FS as the IdP. In the third part we show B2B account mapping, and in the fourth and last part we take a closer look at a use case with Azure AD joined devices.
Until then, we look forward to your suggestions, comments, experiences and criticism.