Storing Federated Authentication Service Request Agent Key Pair Certificate to SafeNet Luna HSM
Article ID: CTX219605
Description
This article provides step-by-step instructions for configuring a SafeNet Luna Hardware Security Module (HSM) to store the Federated Authentication Service (FAS) registration authority (RA) certificate key pair.
Instructions
The steps below assume that the FAS server is already installed.
FAS RA Configuration to HSM
- Edit the configuration file on the FAS server located in C:\Program Files\Citrix\Federated Authentication Service\Citrix.Authentication.FederatedAuthenticationService.exe.config to change the default Microsoft KSP to the SafeNet KSP.
<!-- Specify the Cryptographic Service Provider (CSP) / Key Storage Provider (KSP) Name. --> <add key="Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName" value="SafeNet Key Storage Provider"/>
- Restart the Citrix Federated Authentication service from services.msc console.
- From the SafeNet Luna 5.4 installation media, install the Luna client on the FAS server.
- Once the Luna client is installed, go to C:\Program Files\SafeNet\LunaClient\KSP and open KspConfig.exe.
- In the SafeNet KSP configuration wizard, select Register or View Security Library in the left pane.
- In the right pane, browse to C:\Program Files\SafeNet\LunaClient\cryptoki.dll and click Register to register the SafeNet PKCS#11 library (cryptoki.dll) with the KSP.
- Still in KspConfig.exe, register the Network Service account (the identity the Citrix Federated Authentication Service runs as) with the SafeNet KSP for the HSM partition:
- In the left pane, click Register HSM Slots.
- In the right pane, open the Register For User drop-down and select Network Service. Then select one of the available slots and type the slot (partition) password.
- Click Register Slot to register Network Service against that slot in the SafeNet KSP.
- Open an administrative command prompt and run certutil -csplist. The output should include a "Provider Name: SafeNet Key Storage Provider" entry; if it does not, FAS cannot use the HSM-backed KSP.
FAS Configuration
The FAS administration console has a three-step configuration; each step is described below.
Deploy Certificate Templates:
This step installs three Citrix certificate templates in Active Directory. You need to be a domain administrator to perform it. The three templates deployed are:
- Citrix_RegistrationAuthority_ManualAuthorization -> Issued to the FAS server in the later authorization step, after a certificate authority administrator manually approves the request; it makes the FAS server a registration authority that requests certificates on behalf of users.
- Citrix_RegistrationAuthority -> Serves the same purpose (a registration authority certificate for the FAS server); it is used for the RA certificate that FAS obtains once the manual authorization has succeeded.
- Citrix_SmartcardLogon -> The template for the certificates issued by the certification authority to the user's UPN for smart card logon authentication.
All three certificate templates are registered in Active Directory automatically in this step. To check manually, use adsiedit.msc on a domain controller: certificate templates live under CN=Certificate Templates,CN=Public Key Services,CN=Services in the Configuration partition.
Setup Certificate Authority:
- After installing the Citrix certificate templates, they must be published on one or more Microsoft Certification Authority servers.
- If the templates are not published on at least one server, the Setup certificate authority tool offers to publish them. You must run this tool as a user that has permissions to administer the certificate authority.
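The two checks above (templates present in Active Directory, templates published on a CA) can be scripted. The following PowerShell is an added example and is not part of the Citrix article or the FAS tooling; it assumes it runs on a domain-joined machine with certutil available and that $CaConfig names your issuing CA in certutil's "host\CA name" form (the value shown is a placeholder).

```powershell
# Added example (not from the Citrix article): verify the three Citrix templates
# exist in the AD Configuration partition and are published on the issuing CA.
# $CaConfig is an assumed placeholder; replace it with your own CA.
$CaConfig  = 'ca01.example.com\Example Issuing CA'
$Templates = 'Citrix_RegistrationAuthority_ManualAuthorization',
             'Citrix_RegistrationAuthority',
             'Citrix_SmartcardLogon'

# Certificate templates are forest-wide objects under Public Key Services in
# the Configuration naming context; read that DN from RootDSE.
$cfgNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$base  = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfgNC"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$base"
$searcher.Filter     = '(objectClass=pKICertificateTemplate)'
$searcher.PageSize   = 1000
$inAd = $searcher.FindAll() | ForEach-Object { [string]$_.Properties['name'][0] }

# certutil -CATemplates prints one "<template name>: <display name> -- <access>"
# line per template the CA publishes; keep the part before the first colon.
$onCa = (certutil -CATemplates -config $CaConfig) -match '^\S+:' |
        ForEach-Object { ($_ -split ':', 2)[0].Trim() }

foreach ($t in $Templates) {
    [pscustomobject]@{
        Template      = $t
        InAD          = $inAd -contains $t
        PublishedOnCA = $onCa -contains $t
    }
}
```

A template that shows InAD = True but PublishedOnCA = False is exactly the case the Setup certificate authority tool fixes by publishing it; a template missing from AD means the Deploy Certificate Templates step did not complete.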
Authorize the Federated Authentication Service:
- The final setup step in the console initiates the authorization of the Federated Authentication Service. The administration console uses the Citrix_RegistrationAuthority_ManualAuthorization template to generate a certificate request, and then sends it to one of the certificate authorities that publish that template.
- After the request is sent, it appears in the “Pending Requests” list of the Microsoft Certification Authority console. The certificate authority administrator must choose to “Issue” or “Deny” the request before configuration of the Federated Authentication Service can continue. Note that the authorization request appears as a “Pending Request” from the FAS machine account.
- In the certification authority console, right-click the pending request, select All Tasks, and then Issue or Deny. The Federated Authentication Service administration console automatically detects when the certificate has been issued; this can take a couple of minutes.
Note: Once authorization is complete, confirm that the key pair was generated in the HSM: open an administrative command prompt on the FAS server and run cmu list (the SafeNet certificate management utility; it prompts for the partition password). The output should show 4 keys, i.e. the public and private halves of the two registration authority key pairs.
FAS generates a new key pair for every user certificate it issues, so leaving the SafeNet KSP selected would fill the HSM partition with short-lived user keys. Once the FAS is authorized, the following steps keep user keys out of the HSM.
Preventing the user keys from getting saved in the HSM
- On the FAS server, edit the configuration file C:\Program Files\Citrix\Federated Authentication Service\Citrix.Authentication.FederatedAuthenticationService.exe.config back to the default Microsoft Software Key Storage Provider. The default ships with the setting commented out, which selects the Microsoft Software KSP:
<!-- Specify the Cryptographic Service Provider (CSP) / Key Storage Provider (KSP) Name. -->
<!-- <add key="Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName" value="Microsoft Software Key Storage Provider"/> -->
- Restart the Citrix Federated Authentication Service.
- The provider setting only affects keys generated after the restart: user key pairs are now created in the Microsoft Software KSP on the local server, while the registration authority key pair that was already generated in the HSM stays there and continues to be used.
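Both config edits in this article (selecting the SafeNet KSP before authorization, and returning to the Microsoft Software KSP afterwards) change the same appSettings value. The PowerShell below is an added example, not part of the Citrix article or of FAS; it sets the value explicitly instead of commenting it out (equivalent for the Microsoft default), refuses to select a provider that certutil does not list, keeps a backup of the file, and restarts the service, since FAS reads the setting only at start-up. It assumes the default install path from the article and an elevated session on the FAS server.

```powershell
# Added example (not from the Citrix article): switch the FAS KSP setting and
# restart the service. Path and service display name are as given in the article.
$ConfigPath = 'C:\Program Files\Citrix\Federated Authentication Service\Citrix.Authentication.FederatedAuthenticationService.exe.config'
$KeyName    = 'Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderName'

function Set-FasKeyStorageProvider {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SafeNet Key Storage Provider', 'Microsoft Software Key Storage Provider')]
        [string]$ProviderName
    )

    # certutil -csplist prints one "Provider Name: <name>" line per registered
    # CSP/KSP; refuse to point FAS at a provider CNG does not know about.
    $registered = (certutil -csplist) -match '^Provider Name:' |
                  ForEach-Object { ($_ -split ':', 2)[1].Trim() }
    if ($registered -notcontains $ProviderName) {
        throw "'$ProviderName' is not a registered KSP on this host (check KspConfig.exe registration)."
    }

    # Keep a rollback copy before touching the file.
    Copy-Item -Path $ConfigPath -Destination "$ConfigPath.bak" -Force

    [xml]$xml = Get-Content -Path $ConfigPath -Raw
    $node = $xml.configuration.appSettings.add | Where-Object { $_.key -eq $KeyName }
    if ($null -eq $node) {
        # The shipped default has this <add> commented out; create a live element.
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $KeyName)
        [void]$xml.configuration.appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', $ProviderName)
    $xml.Save($ConfigPath)

    # FAS only reads the provider name when it starts.
    Get-Service -DisplayName 'Citrix Federated Authentication Service' | Restart-Service
    "FAS key storage provider set to '$ProviderName'"
}

# Before the Authorize step: generate the RA key pair in the HSM.
Set-FasKeyStorageProvider -ProviderName 'SafeNet Key Storage Provider'
# After the RA certificate has been issued: keep user keys on the local server.
Set-FasKeyStorageProvider -ProviderName 'Microsoft Software Key Storage Provider'
```

Run only the call that matches the step you are at; the two calls are shown together to make the round trip visible. The certutil check is the same one the article uses to confirm the SafeNet KSP registration, applied before the file is changed rather than after.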
Note: To validate that user keys are no longer stored in the HSM, open an administrative command prompt on the FAS server after some user logons have occurred and run cmu list; you should see no keys other than the FAS RA keys, provided the HSM partition is used only for the FAS RA keys.
Configure User Rules
Fields:
- Certificate Authority and Certificate Template: The certificate template and certificate authority that will be used to issue user certificates. This should be the Citrix_SmartcardLogon template, or a modified copy of it, on one of the certificate authorities that the template is published to.
- The Federated Authentication Service supports adding multiple certificate authorities for failover and load balancing, using PowerShell commands. Similarly, more advanced certificate generation options can be configured using the command line and configuration files.
- In-Session Certificates: The Available after logon check box controls whether a certificate can also be used as an in-session certificate. If this check box is not selected, the certificate will be used only for logon or reconnection, and the user will not have access to the certificate after authenticating.
- List of StoreFront servers that can use this role: The list of trusted StoreFront server machines that are authorized to request certificates for logon or reconnection of users. Note that this setting is security critical, and must be managed carefully.
- List of VDA desktops and servers that can be logged into by this role: The list of VDA machines that can log users on using the Federated Authentication Service system.
- List of users that StoreFront can log in using this role: The list of users who can be issued certificates through the Federated Authentication Service.
StoreFront Configuration
Once the FAS is configured, specify the FAS server and enable FAS-based authentication on StoreFront. Run the following PowerShell commands on the StoreFront server to enable FAS:
Get-Module "Citrix.StoreFront.*" -ListAvailable | Import-Module
$StoreVirtualPath = "/Citrix/name of the store"
$store = Get-STFStoreService -VirtualPath $StoreVirtualPath
$auth = Get-STFAuthenticationService -StoreService $store
Set-STFClaimsFactoryNames -AuthenticationService $auth -ClaimsFactoryName "FASClaimsFactory"
Set-STFStoreLaunchOptions -StoreService $store -VdaLogonDataProvider "FASLogonDataProvider"
Note: Replace "name of the store" with the store you want to configure for FAS.
Additional Information
https://docs.citrix.com/en-us/xenapp-and-xendesktop/7-11/secure/federated-authentication-service/fas-config-manage/fas-private-key-protection.html