Error “Invalid Login” on launch of FAS enabled Linux VDA Desktop.

You need to have a Kerberos Authentication certificate on all the domain controllers. To enroll for a new certificate, follow the steps below.

1. On the domain controller, open mmc.

2. Click File, then click Add/Remove Snap-in.

3. Select Certificates, click Add, then select Computer account.

4. Expand Certificates (Local Computer), right-click Personal, click All Tasks, and then click Request New Certificate.

5. Click Next.

6. Select Kerberos Authentication and click Enroll.

Note: If Kerberos Authentication is not offered for enrollment in the domain controller's Certificates MMC, go to the Certificate Authority server, add the domain controller under Security on the Domain Controller Authentication template, and grant it Autoenroll permission.

Also, make sure that krb5.conf on the VDA is configured with the correct root CA and subordinate CA certificate information.

Refer to the 'Incorrect root CA certificate configuration' section at the link below:

https://docs.citrix.com/en-us/linux-virtual-delivery-agent/current-release/configuration/federated-authentication-service.html/
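To confirm on a domain controller that the certificate from the steps above is actually present before investigating the "Invalid Login" error further, the following PowerShell snippet (added here; it is not from the Citrix article) lists machine-store certificates that carry the KDC Authentication EKU, which the Kerberos Authentication template includes, and reports the template name and whether the chain validates locally. The two OIDs are standard Windows values; the function name is this example's own.

```powershell
# Added example, not from the Citrix article. Run in an elevated PowerShell on each DC.
# The Kerberos Authentication template includes the KDC Authentication EKU (1.3.6.1.5.2.3.5);
# the template name is carried in the Certificate Template Information extension
# (1.3.6.1.4.1.311.21.7). Both OIDs are standard Windows values; the function name is
# an assumption of this example.

function Get-KerberosAuthCertificate {
    $kdcAuthEku    = '1.3.6.1.5.2.3.5'
    $templateExtId = '1.3.6.1.4.1.311.21.7'

    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }) -contains $kdcAuthEku
    } | ForEach-Object {
        $tmpl = $_.Extensions | Where-Object { $_.Oid.Value -eq $templateExtId }
        $templateText = '(no template extension)'
        if ($tmpl) { $templateText = $tmpl.Format($false) }

        # Verify() walks the chain against the local trust store. A $false here usually
        # means root or subordinate CA certificates are missing, the same kind of mismatch
        # the krb5.conf note above describes on the VDA side.
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            NotAfter   = $_.NotAfter
            Thumbprint = $_.Thumbprint
            Template   = $templateText
            ChainValid = $_.Verify()
        }
    }
}

$certs = @(Get-KerberosAuthCertificate)
if ($certs.Count -eq 0) {
    Write-Warning 'No certificate with the KDC Authentication EKU in the machine store.'
    Write-Warning 'Enroll the Kerberos Authentication template (steps above) or trigger autoenrollment with: certutil -pulse'
} else {
    $certs | Format-List
}
```

Run it on every domain controller the Linux VDA may authenticate against, not just one: the note above applies per DC, and a single DC without the certificate is enough to produce intermittent failures.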

Deploy ShareConnect Host Installer

Note: To follow the steps below, you must have a Windows 2012 domain controller. There may be slight differences in 2008/2003 domain controller environments.

1. Log in to the domain controller and open the Active Directory Users and Computers window.

2. In the Active Directory console tree, right-click your domain to create a new Organizational Unit (for example, ShareConnect) and add the computers on which you want to install ShareConnect to this organizational unit.

3. Open the Group Policy Management window to create a new Group Policy Object (for example, Windows SSO) for the Organizational Unit you created above.

4. Right-click on the Group Policy object created and select Edit to modify its properties.

5. In the Group Policy Management Editor window, go to Computer Configuration > Policies > Windows Settings > Scripts in the console tree.

6. Click the Properties link under Startup script to open the Startup Properties window.

Note: You can also right-click on Startup script to open the Startup Properties window.

7. Click the Add button to open the Add Script window. In the Script Name field, enter the path to the script.

Leave the Script Parameters field empty.

8. Right-click on the organizational unit created and select Group Policy Update.

This updates the Group Policy settings of the computers in the domain. If this fails, open a command prompt on the client computer and run 'gpupdate /force'.

9. When the user reboots their computer and logs in using their domain credentials, ShareConnect will be installed.

Resolve Username Being Modified Before Sending to RADIUS Server Using NetScaler nFactor

The solution proposed here checks the format of the username sent by the client. If it is a UPN, the user is taken to the next factor for the actual authentication; we use NO_AUTHN to move the user to the next factor in this case. If the user enters domain\username, authentication is performed in the first factor itself.

Configuration

The configuration is best understood bottom-up, that is, we configure the most specific factor (the last factor) first.

  1. Create the factor for authenticating users who enter a UPN
    1. Create the loginschema for the second factor

      > add loginschema second_factor_schema -authenticationSchema noschema -userexpression q{http.req.user.name.after_str("@") + "\\" + http.req.user.name.before_str("@")}

      In the above loginschema, we set userExpression so that "user@domain" becomes "domain\user". We also set authenticationSchema to noschema to signify that no user interaction is needed for this factor.

    2. Create the second authentication factor

      > add authentication policylabel second_factor -loginSchema second_factor_schema

      > add authentication radiusAction Radius_server -serverIP 10.217.22.20 -radKey <> -radNASid netscaler -radVendorID 311 -radAttributeType 11

      > add authentication Policy Radius_Pol -rule true -action Radius_server

      Note that the same RADIUS policy/action is used in both factors.

      > bind authentication policylabel second_factor -policy Radius_Pol -priority 100

  2. Add the first factor
    1. Create a policy that bypasses the first factor if the username is a UPN

      > add authentication Policy upn_no_auth -rule q{HTTP.REQ.BODY(1000).TYPECAST_NVLIST_T('=','&').VALUE("login").CONTAINS("%40")} -action NO_AUTHN

    2. Bind the bypass policy to the authentication vserver so that it moves on to the second factor

      > bind authentication vserver aaa_nfactor -policy upn_no_auth -priority 90 -nextFactor second_factor -gotoPriorityExpression END

    3. Bind the RADIUS policy to the authentication vserver for the domain\user format

      We reuse the RADIUS policy created above in the first factor as well.

      > bind authentication vserver aaa_nfactor -policy Radius_Pol -priority 100
  3. Create the nFactor flow (required only for Gateway logins)

    > add authentication vserver aaa_nfactor SSL

    > add authnProfile nfactor_prof -authnVsName aaa_nfactor

    > set vpn vserver <> -authnProfile nfactor_prof
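The routing above can be reasoned about offline before touching the appliance. The PowerShell function below is an added illustration, not Citrix code and not NetScaler syntax: it parses a posted login body the way TYPECAST_NVLIST_T('=','&').VALUE("login") does, applies the CONTAINS("%40") test (the body is inspected before URL decoding, which is why the rule looks for %40 rather than @), and on the UPN path applies the second-factor userExpression so that user@domain becomes domain\user. The function name and the sample request bodies are constructed for this example.

```powershell
# Added example, not from the Citrix article: a local model of the nFactor decision.
# Function name and sample request bodies are constructed for this illustration.

function Resolve-NFactorRoute {
    param([Parameter(Mandatory)][string]$RawBody)

    # TYPECAST_NVLIST_T('=','&'): split the body on '&', then each pair on its first '='
    $fields = @{}
    foreach ($pair in ($RawBody -split '&')) {
        $name, $value = $pair -split '=', 2
        if ($name) { $fields[$name] = $value }
    }
    $rawLogin = [string]$fields['login']

    # http.req.user.name is the decoded form of the login field
    $user = [System.Uri]::UnescapeDataString($rawLogin)

    # upn_no_auth (priority 90): CONTAINS("%40") runs on the raw body, so an '@' typed by
    # the user is matched in its URL-encoded form. NO_AUTHN then jumps to second_factor.
    if ($rawLogin.Contains('%40')) {
        # second_factor_schema userExpression:
        #   http.req.user.name.after_str("@") + "\\" + http.req.user.name.before_str("@")
        $at = $user.IndexOf('@')
        $rewritten = $user.Substring($at + 1) + '\' + $user.Substring(0, $at)
        return [pscustomobject]@{ Factor = 'second_factor'; Policy = 'Radius_Pol'; UserName = $rewritten }
    }

    # Otherwise Radius_Pol (priority 100, rule true) on aaa_nfactor authenticates the
    # name exactly as typed; a missing login field still reaches it with an empty name.
    return [pscustomobject]@{ Factor = 'first_factor'; Policy = 'Radius_Pol'; UserName = $user }
}

# Constructed sample bodies, as a browser would post them (the password value is irrelevant here)
Resolve-NFactorRoute -RawBody 'login=alice%40corp.example&passwd=secret'
Resolve-NFactorRoute -RawBody 'login=corp.example%5Calice&passwd=secret'
Resolve-NFactorRoute -RawBody 'login=alice&passwd=secret'
```

The first body takes the NO_AUTHN bypass and reaches the second factor with the rewritten domain\user name; the other two stay in the first factor, where the RADIUS server sees the name as typed. Because both factors bind the same Radius_Pol, the only thing the two paths change is the username string the RADIUS server receives.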

The above nFactor configuration can also be done using the nFactor Visualizer, a new feature available on ADC firmware 13.0 and later; the configuration for steps 1 and 2 can be achieved as follows.

Complete flow:

  1. Go to Security > AAA - Application Traffic > nFactor Visualizer > nFactor Flow and click Add.
  2. Click the + sign to add the nFactor flow.

    (screenshot: https://support.citrix.com/files/public/support/article/CTX231361/images/0EM0z0000005hcN.jpeg)

  3. Click Add Factor; this is the name of the nFactor flow. Click Create.
  4. Click "Add Schema" for the initial login page to be presented. Click Create, then click Add.
  5. Click "Add Policy" to create the first-factor authentication. If the policy already exists, select it from the drop-down list; otherwise create the authentication policy. Click OK.
  6. Click the green + icon to add the next factor, used when the user has entered a UPN in the username field. Click Create.
  7. Click "Add Schema" to add the schema for the second factor; the userExpression added is such that "user@domain" becomes "domain\user". If the schema already exists, select it from the drop-down list; otherwise create the schema. Click Create, then click Add.
  8. Click "Add Policy" to add the authentication for the second factor. If the RADIUS server already exists, select it from the drop-down list; otherwise add the RADIUS server. Click Create, then click Add.
  9. Click the blue + icon of the first factor to add the authentication policy for users who enter the username in domain\user format.
  10. In Add Policy, reuse the same RADIUS policy that was added in step 8. Click Add, then click Done.
  11. Select the nFactor flow just created to bind it to an authentication vserver.


User mode communication settings

I need a solution

Hi, I have installed a new Symantec server. Now I want to migrate the old users from the old server to the new one. For that I have exported the user mode communication settings from the new server. If I import the user communication settings on a client machine, it comes up in computer mode in SEPM. I am changing to user mode manually. How do I do user mode directly?

7005894: IDM Remote Loader on Windows 2008 R2 and PWFilter firewall settings

The existing Windows Firewall configuration prevents the Remote Loader from receiving the password changes captured by PWFilter.dll on the other domain controllers in the domain. To solve this problem, do the following:

On the Windows Server firewall, (required only on the server which hosts the Active Directory Remote Loader) add the following rules:

— Inbound Rules —

Rule 1
  Name: dirxml port 8090
  Direction: Inbound
  Profile: Domain
  Enabled: Yes
  Action: Allow
  Override: No
  Program: Any
  Local Address: Any
  Remote Address: Any
  Protocol: TCP
  Local Port: 8090
  Remote Port: Any
  Allowed Users: Any
  Allowed Computers: Any

Rule 2
  Name: dirxml process dirxml_remote.exe
  Direction: Inbound
  Profile: Domain
  Enabled: Yes
  Action: Allow
  Override: No
  Program: %SystemDrive%\Novell\RemoteLoader\dirxml_remote.exe
  Local Address: Any
  Remote Address: Any
  Protocol: Any
  Local Port: Any
  Remote Port: Any
  Allowed Users: Any
  Allowed Computers: Any

NOTE: The port number must be the port specified in the Remote Loader configuration. So instead of 8090, use whatever you specified in the configuration.

No specific Outbound Rules are needed.

The rules can be given any name.

The rules must be assigned to at least the Domain profile.

If using the 64-bit Remote Loader, the path differs: %SystemDrive%\Novell\RemoteLoader\64bit\dirxml_remote.exe

The rules can also be added from the command line with the following commands, modifying the port and path as applicable:

netsh advfirewall firewall add rule name="dirxml port 8090" dir=in action=allow enable=yes profile=domain protocol=TCP localport=8090
netsh advfirewall firewall add rule name="dirxml process dirxml_remote.exe" dir=in action=allow program="%SystemDrive%\Novell\RemoteLoader\dirxml_remote.exe" enable=yes profile=domain

“New users or computer that have been created but that dont yet have client software installed” Report

I need a solution

Hello,

In the client window, the computer filter is set to show "New users or computers that have been created but that don't yet have client software installed".

Is it possible to get a list or report of these computers?

Can an integrity check be made completely invisible to the user?

I need a solution

I set up a host integrity check with notifications turned off, but machines that failed the check still have a SEP icon indicator and a warning message "Your computer failed its security compliance check. Please see the Client Management Security log for more information."

Can an integrity policy be configured to provide no end-user visibility at all?

XenMobile BitLocker Policy for Windows 10 Desktop/Tablet

BitLocker is a disk encryption feature built into Windows 10. It can be controlled via MDM policy beginning with Windows 10 build 1703. The policy CSP is documented at https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp

BitLocker policy settings configure what the user sees when going through the BitLocker UI on the device. The policy does not automatically start encryption on the device: the user must start the BitLocker wizard, and the policy settings pushed from the server control which options are available to the user.

BitLocker Policy

Windows Desktop/Tablet settings

  1. 'Require device to be encrypted' – Configure whether to prompt the user to enable BitLocker encryption on the device. If enabled, the device shows a toast message after enrollment completes, saying that the enterprise requires the device to be encrypted. If not enabled, the BitLocker policy settings are still applied on the device but the user is not prompted to enable encryption. When the user starts BitLocker encryption, the UI options are controlled by the policy from the XMS server.
  2. 'Configure encryption methods' – Which encryption to use for a specific drive type. Drive types are:
    1. OS drive – Recommended encryption algorithm is XTS-AES 128 or 256 bit. We default to XTS-AES 128 bit.
    2. Fixed drive – Recommended encryption algorithm is XTS-AES 128 or 256 bit. We default to XTS-AES 128 bit.
    3. Removable drive – Recommended encryption algorithm is AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used on a version of Windows 10 older than 1511. We default to AES-CBC 128-bit.
  3. 'Require additional authentication at startup' – Configure whether the admin allows BitLocker on devices that do not have a TPM chip. A Trusted Platform Module (TPM) is a hardware-based secure crypto-processor that provides security-related functions: it carries out cryptographic operations and is used to generate, store and limit the use of cryptographic keys. More information about TPM is available at https://docs.microsoft.com/en-us/windows/device-security/tpm/trusted-platform-module-overview
    1. On a device with no TPM chip, BitLocker requires the user to create an unlock password or a startup key. The startup key is stored on a USB drive, which must be plugged into the device during startup. The unlock password is a minimum of 8 characters.
    2. On a device with a TPM there are 4 unlock modes available:
      1. TPM only – Encryption keys are stored in the TPM chip. No additional unlock data is needed from the user; the device unlocks automatically during boot using the encryption key from the TPM chip.
      2. TPM + PIN – A 6-20 digit PIN that the user configures during BitLocker setup and provides at device startup.
      3. TPM + Key – The key is stored on a USB drive, which the user must connect every time the device boots.
      4. TPM + PIN and Key
  4. 'Minimum PIN length' – Applies if TPM + PIN is used on the device. PIN length should be between 6 and 20.
  5. 'Configure OS drive recovery' – Configure which recovery mechanism is available to the user if they do not have the unlock password or USB key.
    1. Hide or show recovery options to the user in the BitLocker UI. If recovery options are hidden from the user, they must be saved to AD, which means the device must be registered to AD; otherwise the policy fails.
    2. Allow/require/do not allow a data recovery agent. This is a certificate-based data recovery agent that is added from either the Group Policy Management Console or the Local Group Policy Editor; this is done outside of the BitLocker policy.
    3. Allow/require/do not allow the user to save a copy of the recovery key (256 bit) or password (48 digit) for drive recovery. The key or password is generated by BitLocker on the device; the user can only save a copy of it for later use.
    4. Configure whether the machine has to be AD joined before starting BitLocker.
    5. Configure whether recovery information can be stored in AD.
  6. Configure whether a default or custom recovery message and URL are shown to the user in BitLocker recovery mode. A custom message or a custom URL can be configured, but not both at the same time.
  7. 'Configure fixed drive recovery' – Configure recovery options for a BitLocker-encrypted fixed drive on the device. There is no toast message setting for fixed drives. A password or smart card is required to unlock the drive during startup. The startup unlock settings are not part of the policy but are shown in the BitLocker UI when enabling BitLocker encryption on a fixed drive.
  8. 'Block write access to fixed drives not using BitLocker' – When enabled, writes to a fixed drive are allowed only when that fixed drive is encrypted with BitLocker.
  9. 'Block write access to removable drives not using BitLocker' – Configure whether write access is denied to a removable drive if BitLocker is not enabled on that drive.
    1. Configure whether write access is allowed on removable drives from other organizations.

The BitLocker encryption mode, once started on a device, cannot be changed by pushing a different policy.

BitLocker unlock and recovery options UI configuration

On a device with BitLocker enabled, the device asks for the unlock step when it boots. This happens before the operating system is loaded; only after the unlock succeeds can the OS load.

The unlock step can ask for

  • a password (alphanumeric) from the user on a non-TPM device, or
  • a startup key on a USB drive on a TPM or non-TPM device, or
  • a PIN (numeric) on a TPM device.

If the unlock is not successful, the device enters recovery mode, which asks for one of the following:

  • a 48-digit recovery password, which the user must type. This is generated by BitLocker and can be stored in a file, printed, or saved to a Microsoft cloud account.
  • a 256-bit key. This is a .bek file which can only be stored on a USB drive.

The 48-digit recovery password or 256-bit key is generated by BitLocker at encryption time. The user can save it during encryption and use it during the recovery step.
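A practitioner checking a managed device against the unlock and recovery behaviour described above can read the key protectors directly instead of walking the wizard. The PowerShell below is an added example (not Citrix or Microsoft code); it uses the Windows BitLocker module's Get-BitLockerVolume and Backup-BitLockerKeyProtector cmdlets and assumes an elevated shell on a Windows 10 device. The function names and the grouping of protector types into unlock versus recovery are this example's own.

```powershell
# Added example, not from the Citrix article. Requires the BitLocker module (Windows 10)
# and an elevated shell. Function names are assumptions of this example.

function Get-BitLockerProtectorSummary {
    param([string]$MountPoint = $env:SystemDrive)

    # Pre-boot unlock protectors: what the device asks for before the OS loads
    $unlockTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $unlock   = @($types | Where-Object { $unlockTypes -contains $_ })
    # 48-digit recovery password: what the recovery screen asks the user to type
    $recovery = @($types | Where-Object { $_ -eq 'RecoveryPassword' })
    # 'ExternalKey' is reported both for a USB startup key and for the 256-bit .bek
    # recovery key; the cmdlet does not tell them apart, so they are only counted here.
    $external = @($types | Where-Object { $_ -eq 'ExternalKey' })

    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus
        ProtectionStatus    = $vol.ProtectionStatus
        EncryptionMethod    = $vol.EncryptionMethod
        UnlockProtectors    = ($unlock -join ', ')
        HasRecoveryPassword = ($recovery.Count -gt 0)
        ExternalKeyCount    = $external.Count
        # With neither a recovery password nor an external key, a failed unlock has no way out
        HasRecoveryPath     = ($recovery.Count -gt 0 -or $external.Count -gt 0)
    }
}

# Escrow every 48-digit recovery password of a volume to AD. This is the device-side
# action behind the policy's "store recovery information in AD" option and only succeeds
# when the device is AD joined, which is why the policy fails otherwise.
function Backup-RecoveryPasswordToAD {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in $vol.KeyProtector) {
        if ($kp.KeyProtectorType -eq 'RecoveryPassword') {
            Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
        }
    }
}

Get-BitLockerProtectorSummary -MountPoint $env:SystemDrive | Format-List
```

On a TPM-only device the summary shows Tpm as the sole unlock protector and, if the policy allowed the user to save it, a RecoveryPassword; on a non-TPM device it shows Password or an ExternalKey startup key instead. A volume whose HasRecoveryPath is false is the case the recovery-options table below warns about: the first failed unlock leaves the data unreachable.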

Non-TPM device

Below are the different unlock options for a non-TPM device based on the settings in 'OS drive recovery settings' (SystemDrivesRecoveryOptions in the CSP).

On a non-TPM device BitLocker needs an unlock password or key to unlock the OS drive; the operating system can boot only after the OS drive is unlocked. This is separate from the recovery key or password, which is required only when the unlock operation has failed because the user forgot the unlock password or lost the USB drive containing the startup key. The unlock password or startup key cannot be stored in AD.

The unlock password or key is not specifically mentioned in the CSP, but the recovery options setting controls which options are shown for system unlock. Typically 2 options are available to the user to unlock the OS drive.

Unlock option 1

OS drive recovery

  • Allow 48 digit password
  • Allow 256 bit key

The user is offered an unlock password or a startup key. If the user chooses the password option, they are asked for an unlock password.

Unlock option 2: BitLocker asks directly for the unlock password if the 256-bit recovery key is set to 'Do not allow'. No option to store a startup key on USB is available to unlock the OS drive.

TPM device

Unlock options

Default options in BitLocker policy

  • 'Require additional authentication at startup' not enabled
  • 'Configure OS drive recovery' not enabled
  • BitLocker uses the TPM for unlock at startup – no screen is shown for this
  • The recovery screen is shown below

  • 'Require additional authentication at startup' enabled – default options below
    • TPM – allow
    • TPM + PIN – allow
    • TPM + Key – allow
    • TPM + PIN and Key – allow
  • 'Configure OS drive recovery' not enabled
  • BitLocker gives the user a choice:
    1. Insert a USB flash drive – to store the unlock key
    2. Let BitLocker automatically unlock my drive

If the USB option is selected, the screen below is shown to save the key.

If the 'Let BitLocker automatically unlock my drive' option is selected, no specific screen is shown to the user for this. BitLocker saves the unlock info in the TPM and proceeds to the recovery options screen.

Recovery screen:

  • TPM – Require
  • TPM + PIN – do not allow
  • TPM + Key – do not allow
  • TPM + PIN and Key – do not allow
  • BitLocker uses TPM for unlock at startup – No screen specific to this
  • It shows the recovery screen based on OS drive recovery options
  • TPM – Allow – for either of the 2 options below we see this error in the BitLocker wizard
    • TPM + PIN – Require
    • TPM + PIN and Key – Require

For a TPM device it does not seem possible to enable the TPM + PIN or TPM + PIN and Key option on a tablet using the BitLocker MDM CSP. Tablet devices seem to prompt that a pre-boot keyboard is not available on the device. The error message is shown even if a USB keyboard was connected to the device when running BitLocker.

  • TPM – allow
  • TPM + Key – allow
  • TPM + PIN – do not allow
  • TPM + PIN and Key – do not allow

The unlock options screen is shown below.

After this screen, the recovery options screen is driven by the OS drive recovery choices in the policy.

  • TPM – allow/require
  • TPM + Key – require

Fixed drive unlock options

Fixed drive encryption does not depend on the TPM, so the flow is the same for TPM and non-TPM devices.

Unlock options

Recovery options for both TPM and non-TPM devices

Recovery options are available to the user after going through the unlock options screen.

  • The 48-digit recovery password can be saved to a file, printed, or saved to a cloud account or Microsoft account. The user must enter the password manually during system recovery. The 'Print the recovery key' option actually prints the 48-digit recovery password.
  • The 256-bit recovery key can only be saved to a USB drive. During the recovery step the USB drive must be inserted in the system and BitLocker reads the key from the drive. 'Save to a USB flash drive' saves the recovery key to the USB drive; this is the only option for saving the recovery key.
  • Allow 48 digit recovery password
  • Allow 256 bit recovery key

  • Require 48 digit recovery password
  • Allow 256 bit recovery key

After going through the unlock options, the user is presented with the following screen.

  • Require 48 digit recovery password
  • Do not allow 256 bit recovery key

  • Allow 48 digit recovery password
  • Do not allow 256 bit recovery key

After going through the unlock options, the user is presented with the following screen.

  • Do not allow 48 digit recovery password
  • Do not allow 256 bit recovery key

BitLocker does not start and shows this error.

  • Allow 48 digit recovery password
  • Require 256 bit recovery key

  • Do not allow 48 digit recovery password
  • Require 256 bit recovery key

  • Require 48 digit recovery password
  • Require 256 bit recovery key

After going through the unlock options, the user is presented with the following screen.

  • Do not allow 48 digit recovery password
  • Allow 256 bit recovery key

After going through the unlock options, the user is presented with the following screen.

  • Require 48 digit recovery password
  • Do not allow 256 bit recovery key
  • Hide recovery options in UI
  • Device not enrolled to AD

BitLocker shows this error on start

  • Do not allow 48 digit recovery password
  • Require 256 bit recovery key
  • Hide recovery options in UI
  • Device not enrolled to AD

BitLocker shows this error on start

  • Allow 48 digit recovery password
  • Do not allow 256 bit recovery key
  • Hide recovery options in UI
  • Device not enrolled to AD

  • Do not allow 48 digit recovery password
  • Allow 256 bit recovery key
  • Hide recovery options in UI
  • Device not enrolled to AD

BitLocker shows this error on start

Removable drive settings

‘Block write access to removable drives not using BitLocker’ – enabled

When a USB drive is connected, this prompt appears on the device.

Already-connected drives are not affected by this policy; they remain in read/write mode.
