Secure Mail and ActiveSync for iOS

Question :

Secure Mail and ActiveSync for iOS

Answer :

Secure Mail syncs with Exchange Server via the ActiveSync messaging protocol to give users real-time access to their Outlook mail, contacts, calendar events, automatically generated mailboxes, and user-created folders.

Note: ActiveSync doesn’t support the synchronization of Exchange public folders. In Exchange Server 2013, ActiveSync doesn’t sync the Drafts folder.

To sync user-created folders, follow these steps:

iOS:

  1. Go to Settings > Auto Refresh.
  2. Set Auto Refresh to On.
  3. Tap On. A list of all mailboxes appears.
  4. Tap the folders you want to sync.


FAQ : SecureMail and ActiveSync for Android

Question :

How do Secure Mail and ActiveSync for Android work?

Answer :

Secure Mail syncs with Exchange Server via the ActiveSync messaging protocol to give users real-time access to their Outlook mail, contacts, calendar events, automatically generated mailboxes, and user-created folders.

Note: ActiveSync doesn’t support the synchronization of Exchange public folders. In Exchange Server 2013, ActiveSync doesn’t sync the Drafts folder.

To sync user-created folders, follow these steps:

Android:

  1. Go to the Mailboxes list.
  2. Tap the mailbox you want to sync.
  3. Tap the More icon in the lower-right corner.
  4. Tap Sync options.
  5. Under Check frequency, select how often you want the folder to sync.


How to Add RADIUS Shared Secret in NetScaler for RADIUS Deployments?

This article describes how to add RADIUS shared secret in NetScaler for RADIUS deployments.

Background

Why RADIUS shared secret?

In a typical RADIUS deployment, where a RADIUS server is accessed by RADIUS clients or by a RADIUS proxy, the participating nodes maintain a shared secret to secure the exchange. The shared secret is pre-configured on each RADIUS node before the nodes start communicating with each other. Because the shared secret is never sent over the network, it provides security and is used to authenticate RADIUS communications. It removes the possibility of an intruder snooping on an unsecured network learning it, which is critical here because users' passwords are transmitted during RADIUS communications.

How does RADIUS shared secret work?

Take a RADIUS client and a RADIUS server on a network. As mentioned above, the same RADIUS shared secret is configured on both the client and the server. When the RADIUS client sends a request to the RADIUS server, the server validates the client's messages using the shared secret. If the RADIUS client does not have a valid shared secret, the message is silently discarded. If the client is valid, the RADIUS server processes the message further and proceeds with the exchange. The shared secret also lets the nodes detect whether a message has been modified in transit, and it is used to encrypt some of the RADIUS attributes, such as passwords, that carry highly sensitive information.

Because the RADIUS shared secret plays such a central role in securing the communication, it should be long (at least 16 octets, to resist exhaustive search) and not guessable.
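The following is an added worked example, not part of the Citrix article and not NetScaler code: it shows in Python how the shared secret described above is actually used on the wire per RFC 2865. The secret never leaves either node; it is mixed into the MD5 Response Authenticator that the client verifies on every reply (so a forged, modified, or wrong-secret reply is detected and silently discarded) and into the keystream that hides the User-Password attribute. All packet values, names and the secret itself are constructed for the demo.

```python
"""Added example (not from the Citrix article): RADIUS shared-secret mechanics, RFC 2865.
The secret is never transmitted; it authenticates replies and hides User-Password."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 octets, then XOR each
    16-octet block with MD5(secret + previous block).  The first 'previous block' is
    the Request Authenticator, which is why that value must be unpredictable."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; a wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """RADIUS attributes are TLVs: Type (1 octet), Length (1 octet, header included), Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(body: bytes):
    attrs, i = [], 0
    while i + 2 <= len(body):
        t, length = body[i], body[i + 1]
        if length < 2 or i + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((t, body[i + 2:i + length]))
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, body: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    request_auth = os.urandom(16)  # fresh 16 random octets per request
    body = encode_attrs([(ATTR_USER_NAME, username),
                         (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))])
    return packet(ACCESS_REQUEST, ident, request_auth, body), request_auth


def response_authenticator(code, ident, request_auth, body, secret) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + request_auth + body + secret).digest()


def build_access_accept(ident, request_auth, secret, attrs=()) -> bytes:
    body = encode_attrs(list(attrs))
    auth = response_authenticator(ACCESS_ACCEPT, ident, request_auth, body, secret)
    return packet(ACCESS_ACCEPT, ident, auth, body)


def verify_response(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client-side check.  A mismatch means the reply was forged, modified in transit, or
    produced with a different secret; RFC 2865 says such packets are silently discarded."""
    if len(reply) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply):
        return False
    expected = response_authenticator(code, ident, request_auth, reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])


def secret_is_long_enough(secret: bytes) -> bool:
    """The article's sizing rule: at least 16 octets.  Guessability cannot be checked here."""
    return len(secret) >= 16


def demo(secret=b"constructed-demo-secret-0123", wrong=b"constructed-other-secret-9"):
    req, request_auth = build_access_request(7, b"alice", b"correct horse battery", secret)
    server_view = dict(decode_attrs(req[20:]))
    hidden = server_view[ATTR_USER_PASSWORD]
    accept = build_access_accept(7, request_auth, secret, [(ATTR_USER_NAME, b"alice")])
    tampered = accept[:-1] + bytes([accept[-1] ^ 0x01])  # flip one bit in the last attribute
    return {
        "recovered_password": unhide_password(hidden, secret, request_auth),
        "wrong_secret_decodes_to": unhide_password(hidden, wrong, request_auth),
        "accept_verified": verify_response(accept, request_auth, secret),
        "wrong_secret_verified": verify_response(accept, request_auth, wrong),
        "tampered_verified": verify_response(tampered, request_auth, secret),
        "secret_long_enough": secret_is_long_enough(secret),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two things worth noticing when running it: the server never "checks" the secret on an Access-Request directly, it only discovers a mismatch because the unhidden password is garbage, and the Response Authenticator is the client's only integrity check on the reply unless both sides also use the Message-Authenticator attribute of RFC 2869. Both facts are why the article insists the secret be long and unguessable.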

How RADIUS shared secret is used in NetScaler?

Use case – RADIUS Load Balancing

The concept of a shared secret applies to a RADIUS load balancer as well. A RADIUS load balancer that distributes RADIUS client messages across RADIUS servers needs two shared secrets: one configured on the RADIUS server and on the load balancer's server side, and one configured on the RADIUS client and on the load balancer's client side.

For more information on RADIUS load balancing in NetScaler, refer to https://docs.citrix.com/en-us/netscaler/11/traffic-management/load-balancing/load-balancing-persistence/radius-persistence.html


Use case- Subscriber Management

When NetScaler receives RADIUS accounting messages from a RADIUS proxy (consumed to query the PCRF over the Gx interface for subscriber information), it uses a RADIUS listener service. The RADIUS shared secret has to be configured on the RADIUS listener service in NetScaler and on the RADIUS proxy for the RADIUS communication to work.

For more information on Telco subscriber management, refer to https://docs.citrix.com/en-us/netscaler/11/solutions/netscaler-support-for-telecom-service-providers/lsn-telco-subscriber-management.html



How to Use NetScaler SNIP for Authentication (AAA) Server Communication

This article describes how to use NetScaler SNIP for authentication server communication.

Background

By default, NetScaler uses the NetScaler IP (NSIP) for authentication server communication. So, besides being used for management, the NSIP is also the source IP for LDAP, RADIUS, SAML and similar AAA protocols. In some cases, such as a firewall blocking the NSIP, or when configuring the RADIUS client entry for a NetScaler HA (high availability) pair, a subnet IP (SNIP) can be used instead of the NSIP as the source IP address for the traffic sent to the authentication server. This is a NetScaler-side setting.


How to Configure NetScaler for Web Authentication with Vasco and Use the Extracted Attributes for SSO to StoreFront

StoreFront Configuration

  1. Open the Citrix StoreFront console and select the Create a Store option. Provide a name for the store. In my case, I gave 'nsslvpn' as the store name.

  2. Select the Delivery Controller; choose XenApp/XenDesktop based on the deployment and specify the IP address and port of the server. In my case, I chose XenApp 6.5 or earlier and specified 10.217.22.236:80 (HTTP).

  3. In the Remote Access section, choose 'No VPN Tunnel' for ICA Proxy mode; otherwise choose 'Full VPN Tunnel'.

  4. Select the NetScaler Gateway appliance if it is already configured. Otherwise, add it.

  5. Specify the STA server IP and complete the NetScaler appliance settings.

  6. After completing the Remote Access configuration, choose that NetScaler Gateway and complete the StoreFront configuration.

NetScaler Configuration

  1. Expression to extract the username from the /cgi/login request body:

    add policy expression user_name q{HTTP.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR("login=").BEFORE_STR("&")}

  2. Expression to extract the password from the /cgi/login request body:

    add policy expression user_pwd q{HTTP.REQ.BODY(1000).SET_TEXT_MODE(IGNORECASE).AFTER_STR("passwd=")}

  3. Create a WebAuth action with the Vasco server IP, port and scheme settings.

    In the command below, the -fullReqExpr option shows how the user_name and user_pwd expressions from Step 1 and Step 2 are used to build the SOAP request, the -successRule option defines on what basis NetScaler treats the response as a successful authentication, and the -Attribute1, -Attribute2 and -Attribute3 options show how the username and password are extracted from the Vasco server response.

    add authentication webAuthAction Vasco_1 -serverIP 10.217.22.197 -serverPort 8888 -fullReqExpr q{"POST / HTTP/" + http.req.version.major + "." + http.req.version.minor + "\r\nAccept:*/*\r\nHost: Vasco.nsi-test.com\r\nReferer: https://vasco.nsi-test.com:8888\r\nAccept-Language: en-US" + "\r\nContent-Length: 2000\r\n\r\n" + "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:aut=\"http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication\">\r\n" + "<soapenv:Header/>\r\n<soapenv:Body>\r\n<aut:authUser>\r\n<credentialAttributeSet>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">" + user_name + "</value>\r\n<attributeID>CREDFLD_USERID</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">nsi-test.com</value>\r\n<attributeID>CREDFLD_DOMAIN</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">" + user_pwd + "</value>\r\n<attributeID>CREDFLD_PASSWORD</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:string\">NetScaler_221</value>\r\n<attributeID>CREDFLD_COMPONENT_TYPE</attributeID>\r\n</attributes>\r\n<attributes>\r\n<value xsi:type=\"xsd:unsignedInt\">0</value>\r\n<attributeID>CREDFLD_PASSWORD_FORMAT</attributeID>\r\n</attributes>\r\n</credentialAttributeSet>\r\n</aut:authUser>\r\n</soapenv:Body>\r\n</soapenv:Envelope>"} -scheme https -successRule "http.res.status.eq(200) && HTTP.RES.BODY(10000).REGEX_MATCH(re/STAT_SUCCESS/)" -Attribute1 "HTTP.RES.BODY(10000).XPATH(xp%//attributes[1]/value%)" -Attribute2 "HTTP.RES.BODY(10000).XPATH(xp%//attributes[2]/value%)" -Attribute3 "HTTP.RES.BODY(10000).XPATH(xp%//attributes[3]/value%)"
    add authentication webAuthPolicy Vasco_1 -rule ns_true -action Vasco_1

    When evaluating the response, NetScaler looks at the status code returned in the body: if it is STAT_SUCCESS, the authentication is treated as successful; otherwise it is treated as failed. If the status code matches, NetScaler also extracts the configured attributes.

  4. Create a VPN vserver, bind the WebAuth policy created above (Step 3), and bind the STA server.

    add vpn vserver vpn2 SSL 10.217.22.226 443
    bind ssl vserver vpn2 -certkeyName dmn12
    bind ssl vserver vpn2 -certkeyName nsi-ca -CA -ocspCheck Optional
    bind ssl vserver vpn2 -certkeyName dmn12CA -CA -ocspCheck Optional
    bind vpn vserver vpn2 -policy Vasco_1 -priority 10
    bind vpn vserver vpn2 -staServer "http://xa.dmn12.nsi-test.com"

  5. Create a VPN session policy, specifying the -StoreFronturl and -wihome options in the session action.

    add vpn sessionAction wisso -SSO ON -ssoCredential PRIMARY -icaProxy ON -wihome "https://xa.dmn12.nsi-test.com/Citrix/nsslvpnweb" -ntDomain DMN12.NSI-TEST.COM -StoreFronturl "https://xa.dmn12.nsi-test.com/Citrix/nsslvpnWeb" -kcdAccount NONE
    add vpn sessionPolicy wisso ns_true wisso
    bind vpn vserver vpn2 -policy wisso

  6. Create a VPN traffic policy using the extracted user attributes and bind it to the VPN vserver.

The reason for using http.req.user.attribute(1) and http.req.user.attribute(3) is that the username and password extracted from the Vasco response are held in those attributes: attribute 1 is the CREDFLD_USERID value and attribute 3 the CREDFLD_STATIC_PASSWORD value, as the captured response below shows (attribute 2 is the domain).

In the following config, the rule of the traffic policy specifies when the traffic action is evaluated.

add vpn trafficAction vpn-sso http -SSO ON -userExpression "http.req.user.attribute(1)" -passwdExpression "http.req.user.attribute(3)"
add vpn trafficPolicy vpn-sso "REQ.HTTP.URL CONTAINS Citrix/nsslvpnWeb" vpn-sso
bind vpn vserver vpn2 -policy vpn-sso
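The following is an added example, not part of the Citrix article and not NetScaler code: it reproduces in Python what the expressions in Steps 1 to 3 do, so that the body-extraction rules, the successRule and the attribute XPaths can be checked offline against sample data. The success body is constructed from the response captured on this page (the long list of unused namespace declarations is left out); the denied body is invented, with the status enum text a placeholder because the article only names RET_DENIED.

```python
"""Added example (not from the Citrix article): offline model of the NetScaler
WebAuth expressions used above.
  parse_login_body()         mirrors AFTER_STR("login=").BEFORE_STR("&") / AFTER_STR("passwd=")
  evaluate_vasco_response()  mirrors the successRule and the Attribute1..3 XPath lookups"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_plus


def parse_login_body(body: str) -> dict:
    """Same semantics as the two 'add policy expression' rules: case-insensitive search,
    value returned verbatim.  Note the asymmetry: user_name stops at '&', user_pwd does not,
    so the extraction only works when 'login' precedes 'passwd' and 'passwd' comes last."""
    m_user = re.search(r"login=(.*?)&", body, re.IGNORECASE | re.DOTALL)
    m_pwd = re.search(r"passwd=(.*)", body, re.IGNORECASE | re.DOTALL)
    user = m_user.group(1) if m_user else None
    pwd = m_pwd.group(1) if m_pwd else None
    return {
        "user_name": user,
        "user_pwd": pwd,
        # The NetScaler expressions forward the raw form value; browsers send it
        # URL-encoded, so '@' arrives as '%40' unless something decodes it first.
        "user_pwd_decoded": unquote_plus(pwd) if pwd is not None else None,
    }


SOAP_HEAD = """<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:CREDENTIAL-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/CredentialTypes.xsd"
  xmlns:BASIC-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BasicTypes.xsd"
  xmlns:AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
<SOAP-ENV:Body><AUTH-TYPES:authUserResponse><authUserResults xsi:type="AUTH-TYPES:AuthUserResults">
<results xsi:type="CREDENTIAL-TYPES:CredentialResults"><resultCodes xsi:type="BASIC-TYPES:ResultCodes">"""
SOAP_TAIL = "</results></authUserResults></AUTH-TYPES:authUserResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"

# Success body: result codes and the three credential attributes as captured on the page.
SAMPLE_SUCCESS = SOAP_HEAD + """
<returnCodeEnum>RET_SUCCESS</returnCodeEnum><statusCodeEnum>STAT_SUCCESS</statusCodeEnum>
<returnCode>0</returnCode><statusCode>0</statusCode></resultCodes>
<resultAttribute xsi:type="CREDENTIAL-TYPES:CredentialAttributeSet">
<attributes><value xsi:type="xsd:string">user2</value><attributeID>CREDFLD_USERID</attributeID></attributes>
<attributes><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_DOMAIN</attributeID></attributes>
<attributes><value xsi:type="xsd:string">1Citrix</value><attributeID>CREDFLD_STATIC_PASSWORD</attributeID></attributes>
</resultAttribute>""" + SOAP_TAIL

# Denied body (constructed): RET_DENIED is the value the article names; the status enum is a
# placeholder, and the error text deliberately contains the string the successRule's regex
# looks for, to show why matching the element is stricter than matching the whole body.
SAMPLE_DENIED = SOAP_HEAD + """
<returnCodeEnum>RET_DENIED</returnCodeEnum><statusCodeEnum>STAT_PLACEHOLDER_FAILURE</statusCodeEnum>
<returnCode>1</returnCode><statusCode>1</statusCode></resultCodes>
<errorStack xsi:type="BASIC-TYPES:ErrorStack">expected STAT_SUCCESS, got a denial</errorStack>""" + SOAP_TAIL


def evaluate_vasco_response(http_status: int, body: str) -> dict:
    """successRule:    http.res.status.eq(200) && HTTP.RES.BODY(10000).REGEX_MATCH(re/STAT_SUCCESS/)
    Attribute1..3:  HTTP.RES.BODY(10000).XPATH(xp%//attributes[N]/value%)"""
    regex_ok = http_status == 200 and re.search(r"STAT_SUCCESS", body[:10000]) is not None
    root = ET.fromstring(body)
    status_enum = root.findtext(".//resultCodes/statusCodeEnum")
    element_ok = http_status == 200 and status_enum == "STAT_SUCCESS"
    # //attributes[N] means 'N-th attributes child of its parent'.  The credential set is the
    # first such parent in document order, so these are the values the article relies on.
    values = [v.text for v in root.findall(".//resultAttribute/attributes/value")]
    attrs = {f"attribute{n}": (values[n - 1] if n <= len(values) else None) for n in (1, 2, 3)}
    return {"success_by_regex": regex_ok, "success_by_element": element_ok,
            "status_code_enum": status_enum, **attrs}


if __name__ == "__main__":
    print(parse_login_body("login=user2&passwd=p%40ss%26word"))
    print(evaluate_vasco_response(200, SAMPLE_SUCCESS))
    print(evaluate_vasco_response(200, SAMPLE_DENIED))
```

Two observations the model makes concrete: the body expressions depend on parameter order and do no URL decoding (a password containing `&` or `@` is forwarded encoded), and the successRule regex matches STAT_SUCCESS anywhere in the first 10000 bytes of the body rather than inside the statusCodeEnum element. Checking the element itself, as the Python does in `success_by_element`, is the stricter test.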

SOAP Request, Responses (Posted and Received by NetScaler)

POST / HTTP/1.1
Accept:*/*
Host: Vasco.nsi-test.com
Referer: https://vasco.nsi-test.com:8888
Accept-Language: en-US
Content-Length: 1030

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aut="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
  <soapenv:Header/>
  <soapenv:Body>
    <aut:authUser>
      <credentialAttributeSet>
        <attributes><value xsi:type="xsd:string">user2</value><attributeID>CREDFLD_USERID</attributeID></attributes>
        <attributes><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_DOMAIN</attributeID></attributes>
        <attributes><value xsi:type="xsd:string">1Citrix</value><attributeID>CREDFLD_PASSWORD</attributeID></attributes>
        <attributes><value xsi:type="xsd:string">NetScaler_221</value><attributeID>CREDFLD_COMPONENT_TYPE</attributeID></attributes>
        <attributes><value xsi:type="xsd:unsignedInt">0</value><attributeID>CREDFLD_PASSWORD_FORMAT</attributeID></attributes>
      </credentialAttributeSet>
    </aut:authUser>
  </soapenv:Body>
</soapenv:Envelope>

HTTP/1.1 200 OK
Server: gSOAP/2.8
Content-Type: text/xml; charset=utf-8
Content-Length: 7630
Connection: keep-alive

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xop="http://www.w3.org/2004/08/xop/include"
  xmlns:CREDENTIAL-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/CredentialTypes.xsd"
  xmlns:USER-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/UserTypes.xsd"
  xmlns:BACKEND-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BackEndTypes.xsd"
  xmlns:COMPONENT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ComponentTypes.xsd"
  xmlns:CONFIGURATION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ConfigurationTypes.xsd"
  xmlns:DIGIPASS-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DigipassTypes.xsd"
  xmlns:DOMAIN-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DomainTypes.xsd"
  xmlns:ORGUNIT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/OrgunitTypes.xsd"
  xmlns:USER-ATTRIBUTE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/UserAttributeTypes.xsd"
  xmlns:DIGIPASSAPPL-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DigipassApplTypes.xsd"
  xmlns:POLICY-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/PolicyTypes.xsd"
  xmlns:REPLICATION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReplicationTypes.xsd"
  xmlns:REPORTFORMAT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportFormatTypes.xsd"
  xmlns:REPORTFIELD-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportFieldTypes.xsd"
  xmlns:REPORT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportTypes.xsd"
  xmlns:DPXFILE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/DPXFileTypes.xsd"
  xmlns:USERFILE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/UserFileTypes.xsd"
  xmlns:ADMINSESSION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/AdminSessionTypes.xsd"
  xmlns:OFFLINEDATA-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/OfflineDataTypes.xsd"
  xmlns:RADIUSDICT-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/RadiusDictTypes.xsd"
  xmlns:BACKENDSERVERGROUP-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BackEndServerGroupTypes.xsd"
  xmlns:TASK-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/TaskTypes.xsd"
  xmlns:KEY-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/KeyTypes.xsd"
  xmlns:REPORTFILE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ReportFileTypes.xsd"
  xmlns:TIMEZONELIST-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/TimeZoneListTypes.xsd"
  xmlns:BASIC-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/BasicTypes.xsd"
  xmlns:EMVCAP-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/EmvCapTypes.xsd"
  xmlns:PROVISIONING-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ProvisioningTypes.xsd"
  xmlns:SERVER-CONFIGURATION-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ServerConfigurationTypes.xsd"
  xmlns:SIGNATURE-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/SignatureTypes.xsd"
  xmlns:ADMIN-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Administration"
  xmlns:ADMIN-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Administration"
  xmlns:AUTH-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Authentication"
  xmlns:AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication"
  xmlns:EMVCAPAUTH-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/EmvCapAuthentication"
  xmlns:EMVCAP-AUTH-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/EmvCapAuthentication"
  xmlns:PROV-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Provisioning"
  xmlns:PROV-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Provisioning"
  xmlns:SERVERCFG-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/ServerConfiguration"
  xmlns:SERVERCFG-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/ServerConfiguration"
  xmlns:SIGN-SCENARIO="http://www.vasco.com/IdentikeyServer/Scenarios/Signature"
  xmlns:SIGN-TYPES="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Signature">
  <SOAP-ENV:Header></SOAP-ENV:Header>
  <SOAP-ENV:Body>
    <AUTH-TYPES:authUserResponse>
      <authUserResults xsi:type="AUTH-TYPES:AuthUserResults">
        <results xsi:type="CREDENTIAL-TYPES:CredentialResults">
          <resultCodes xsi:type="BASIC-TYPES:ResultCodes">
            <returnCodeEnum>RET_SUCCESS</returnCodeEnum>
            <statusCodeEnum>STAT_SUCCESS</statusCodeEnum>
            <returnCode>0</returnCode>
            <statusCode>0</statusCode>
          </resultCodes>
          <resultAttribute xsi:type="CREDENTIAL-TYPES:CredentialAttributeSet">
            <attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute"><value xsi:type="xsd:string">user2</value><attributeID>CREDFLD_USERID</attributeID></attributes>
            <attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute"><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_DOMAIN</attributeID></attributes>
            <attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute"><attributeOptions xsi:type="BASIC-TYPES:AttributeOptions"><masked>true</masked></attributeOptions><value xsi:type="xsd:string">1Citrix</value><attributeID>CREDFLD_STATIC_PASSWORD</attributeID></attributes>
            <attributes xsi:type="CREDENTIAL-TYPES:CredentialAttribute"><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_ORGANIZATIONAL_UNIT</attributeID></attributes>
          </resultAttribute>
          <errorStack xsi:type="BASIC-TYPES:ErrorStack"></errorStack>
        </results>
        <userAttributeList xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttributeList">
          <attributeList xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttributeSet">
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">nsi-test.com</value><attributeID>UATTFLD_DOMAIN</attributeID></attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">user2</value><attributeID>UATTFLD_USERID</attributeID></attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">User-Data</value><attributeID>UATTFLD_ATTR_GROUP</attributeID></attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:int">1</value><attributeID>UATTFLD_SEQ_NO</attributeID></attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">Reply-Message</value><attributeID>UATTFLD_NAME</attributeID></attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:string">Reply</value><attributeID>UATTFLD_USAGE_QUALIFIER</attributeID></attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><attributeOptions xsi:type="BASIC-TYPES:AttributeOptions"><masked>true</masked></attributeOptions><value xsi:type="xsd:string">Success</value><attributeID>UATTFLD_VALUE</attributeID></attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:dateTime">2014-11-16T21:17:52Z</value><attributeID>UATTFLD_CREATE_TIME</attributeID></attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:dateTime">2014-11-16T21:17:52Z</value><attributeID>UATTFLD_MODIFY_TIME</attributeID></attributes>
            <attributes xsi:type="USER-ATTRIBUTE-TYPES:UserAttributeAttribute"><value xsi:type="xsd:unsignedInt">1</value><attributeID>UATTFLD_OPTIONS</attributeID></attributes>
          </attributeList>
        </userAttributeList>
      </authUserResults>
    </AUTH-TYPES:authUserResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Debugging Section

1. To verify whether the values were extracted during web authentication, run 'tail -f /var/log/ns.log'.

Vasco Configuration

The original article documents the Vasco side of the setup with screenshots only, which are not reproduced here. The screens covered are:

  • User Settings
  • Policy Configuration
  • Client Configuration (configuring the NetScaler SNIP/MIP as the client)
  • Backend Configuration
  • Organization Configuration
  • Servers List
  • IAS Configuration

How to Identify Login Success/Failure

SOAP request:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aut="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Authentication">
  <soapenv:Header/>
  <soapenv:Body>
    <aut:authUser>
      <credentialAttributeSet>
        <attributes><value xsi:type="xsd:string">user2</value><attributeID>CREDFLD_USERID</attributeID></attributes>
        <attributes><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_DOMAIN</attributeID></attributes>
        <attributes><value xsi:type="xsd:string">1Citrix</value><attributeID>CREDFLD_PASSWORD</attributeID></attributes>
        <attributes><value xsi:type="xsd:string">Perl_Client</value><attributeID>CREDFLD_COMPONENT_TYPE</attributeID></attributes>
        <attributes><value xsi:type="xsd:string">nsi-test.com</value><attributeID>CREDFLD_ORGANIZATIONAL_UNIT</attributeID></attributes>
        <attributes><value xsi:type="xsd:unsignedInt">0</value><attributeID>CREDFLD_PASSWORD_FORMAT</attributeID></attributes>
      </credentialAttributeSet>
    </aut:authUser>
  </soapenv:Body>
</soapenv:Envelope>

Successful Authentication SOAP Response

HTTP/1.1 200 OK
Server: gSOAP/2.8
Content-Type: text/xml; charset=utf-8
Content-Length: 7630
Connection: keep-alive

The response body is identical to the successful response captured above under "SOAP Request, Responses (Posted and Received by NetScaler)". The part that decides the outcome is the resultCodes element:

<resultCodes xsi:type="BASIC-TYPES:ResultCodes">
  <returnCodeEnum>RET_SUCCESS</returnCodeEnum>
  <statusCodeEnum>STAT_SUCCESS</statusCodeEnum>
  <returnCode>0</returnCode>
  <statusCode>0</statusCode>
</resultCodes>


Failed Authentication SOAP Response:

In case of authentication failure, Vasco server returns RET_DENIED as status in SOAP response.



App Layering: Backups with Microsoft DPM in Hyper-V cause the ELM boot disk to fill up

It appears that using Microsoft Data Protection Manager (DPM) to back up the ELM in Hyper-V can cause processes within the ELM to crash. When they do, they leave core files in folders under /var/crash. The system does not currently clean those up, so if your system generates new core files every night when DPM runs, the disk will soon fill up.

First, delete the folders under /var/crash; they are not useful. Tools like FileZilla and WinSCP can do it remotely, or you can log in as root and simply run:

cd /var/crash

rm -rf /var/crash/*

The long-term solution, however, is one of the following: find a backup solution other than DPM; make sure the ELM is shut down while DPM runs (the ELM is not needed for any end-user VM operations, so it is perfectly fine to shut it down or reboot it whenever you need to); or periodically look for and delete the files in /var/crash. We are investigating why this happens and hope to update this article in the future.


How to use Forcedtimeout option for Traffic Management session on NetScaler

This article describes one of the logout mechanisms that NetScaler offers for traffic management sessions, called "forcedTimeout": its use and the underlying configuration.

Use case and Solution

NetScaler offers multiple ways to time out a user session.

You can configure idleTimeout in the TM session policies/actions so that if a user is idle for a certain period, the session is removed.

You can also configure a traffic-policy-based on-demand logout, so that when a user hits a certain page on the backend, NetScaler removes the session (after serving that logout page).

The approaches above cover the majority of logout cases. However, some applications generate background traffic, for example for monitoring, and for those applications NetScaler does not remove the session in a timely fashion, because it takes that traffic as user activity. One such application is OWA. OWA is peculiar in that it opens a number of TCP connections to keep the session alive. Today, when the NetScaler timer fires, it sees that there are still active connections and therefore tries again after a few minutes. Since OWA does not close these monitoring connections, the session keeps being prolonged.

Therefore some additional configuration is required to log users out of applications such as OWA, essentially to tell NetScaler which requests are the monitoring traffic.

It is because of the monitoring/keepalive messages from OWA that, when a user opens the application in another tab, it opens without asking for the user's credentials again.

For such applications, and also for cases where an administrator wants to remove a user session regardless of user activity, one can configure the "forcedTimeout" logout mechanism so that a session lives for at most a specified time regardless of activity. This forced timer can be reset if needed; otherwise, once started, it removes the session after the stipulated time.

Configuration

Two parameters are introduced in the traffic action for this purpose, forcedTimeout and forcedTimeoutVal, shown at the end of the usage below.

    Usage: add tm trafficAction <name> [-appTimeout <mins>] [-SSO ( ON | OFF )
               [-formSSOAction <string>]] [-persistentCookie ( ON | OFF )]
               [-InitiateLogout ( ON | OFF )] [-kcdAccount <string>]
               [-samlSSOProfile <string>] [-forcedTimeout <forcedTimeout>
               -forcedTimeoutVal <mins>]

forcedTimeoutVal is the number of minutes the forced timer is set to. forcedTimeout itself takes one of three values, START, STOP and RESET, explained below:

START: When a timer is not already running, START starts it. However, once a timer has been STARTed at timestamp t1, another START at a later timestamp t2 is a NOOP; that is, once a timer is running, a further START on it is ignored.

STOP: Stops an already running timer. If the administrator has started a timer in the past, it can be stopped based on another traffic pattern.

RESET: Starts or resets a timer. If the timer is not running, this option starts it; if it is already running, this option stops it and starts it again.

So the difference between START and RESET is that, once a timer is running, START does not start it again, whereas RESET does.

The traffic action above needs to be referenced in a traffic policy, which in turn needs to be bound to the TM vserver.

add tm trafficPolicy <name> <rule> <action>

bind lb vserver lbhttp -policyName <name> -priority <number>

Example Configuration

With the rule "true", as below, NetScaler registers a timer as soon as the user session is created, and when the timer expires (2 minutes here) the session is removed regardless of user activity.

add tm trafficAction trafficact -SSO ON -forcedTimeout START -forcedTimeoutVal 2

add tm trafficPolicy trafficpol true trafficact

bind lb vserver lbowa -policyName trafficpol -priority 1

With the rule HTTP.REQ.URL.CONTAINS("UA=0"), as in the example below, the timer starts after the session is created as soon as a request matches "UA=0". This pattern matches the keepalives from the OWA application, so once that traffic is seen the timer runs and NetScaler logs the user out of the application when it expires.

add tm trafficAction trafficact1 -SSO ON -forcedTimeout START -forcedTimeoutVal 2

add tm trafficPolicy trafficpol1 q{HTTP.REQ.URL.CONTAINS("UA=0")} trafficact1

bind lb vserver lbowa -policyName trafficpol1 -priority 1
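The following is an added example, not part of the Citrix article and not NetScaler code: a small Python model of the forcedTimeout semantics described above (START is a no-op on a running timer, STOP cancels it, RESET restarts it), replayed over a constructed request timeline of OWA-style keepalives so the difference between START and RESET on the "UA=0" rule can be seen. The request URLs, timings and function names are assumptions made for the demo; times are minutes after session creation.

```python
"""Added example (not from the Citrix article): model of the forcedTimeout timer
operations START / STOP / RESET and of one traffic policy replayed over sample traffic."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class ForcedTimer:
    timeout_val: float                   # -forcedTimeoutVal <mins>
    expires_at: Optional[float] = None   # None: timer not running

    def apply(self, op: str, now: float) -> None:
        if op == "START":
            if self.expires_at is None:      # START on a running timer is a NOOP
                self.expires_at = now + self.timeout_val
        elif op == "STOP":
            self.expires_at = None
        elif op == "RESET":                  # start, or stop-and-start
            self.expires_at = now + self.timeout_val
        else:
            raise ValueError(f"unknown forcedTimeout value {op!r}")


Rule = Callable[[str], bool]


def simulate(requests: List[Tuple[float, str]], rule: Rule, op: str,
             timeout_val: float, horizon: float) -> Optional[float]:
    """Replay requests through one traffic policy (rule -> action with -forcedTimeout op).
    Returns the minute at which the session is removed, or None if it outlives `horizon`."""
    timer = ForcedTimer(timeout_val)
    for t, url in sorted(requests):
        if timer.expires_at is not None and t >= timer.expires_at:
            return timer.expires_at          # session was removed before this request
        if rule(url):
            timer.apply(op, t)
    if timer.expires_at is not None and timer.expires_at <= horizon:
        return timer.expires_at
    return None


# Constructed traffic: an OWA-style keepalive every minute plus two real user clicks.
KEEPALIVES = [(float(m), "/owa/ev.owa?UA=0") for m in range(0, 60)]
USER_CLICKS = [(0.5, "/owa/"), (3.0, "/owa/?ae=Folder&t=IPF.Note")]
TRAFFIC = KEEPALIVES + USER_CLICKS


def rule_true(url: str) -> bool:             # add tm trafficPolicy trafficpol true trafficact
    return True


def rule_ua0(url: str) -> bool:              # HTTP.REQ.URL.CONTAINS("UA=0")
    return "UA=0" in url


def compare(timeout_val: float = 2, horizon: float = 60) -> dict:
    """Minute at which the session dies under each policy variant (None = still alive)."""
    return {
        "START_rule_true": simulate(TRAFFIC, rule_true, "START", timeout_val, horizon),
        "START_rule_ua0": simulate(TRAFFIC, rule_ua0, "START", timeout_val, horizon),
        "RESET_rule_ua0": simulate(TRAFFIC, rule_ua0, "RESET", timeout_val, horizon),
    }


if __name__ == "__main__":
    for name, killed_at in compare().items():
        state = f"session removed at minute {killed_at}" if killed_at is not None else "session still alive at horizon"
        print(f"{name}: {state}")
```

The third case is the one to remember: with RESET on a rule that matches the keepalives, every keepalive restarts the timer and the session never expires while OWA keeps polling, which is exactly the behaviour the forced timeout was introduced to avoid. That is why both configurations on this page use START, and why a STOP or RESET belongs on a different, user-driven traffic pattern.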
