What are Derived Credentials?
Derived credentials provide strong authentication for mobile devices. The credentials, derived from a smart card, reside in a mobile device instead of the card. The smart card is either a Personal Identity Verification (PIV) card or Common Access Card (CAC).
The derived credentials are an enrollment certificate that contains the user identifier, such as UPN. XenMobile stores the credentials obtained from the credential provider in a secure vault on the device.
What are the Requirements for Derived Credentials?
- One of the following derived credential solutions:
  - Intercede
  - Other derived credential solutions
- Credential Management Server
- PKI Provider
- CMS App (e.g. Intercede MyID)
While it's likely that most other credential solutions are compatible with XenMobile, test the integration before deploying it to production.
- XenMobile Server 10.6 or later, configured for Enterprise (XME) mode
- Must have the root certificate of the Certificate Authority that issues certificates to the Credentials Provider server. That setup enables XenMobile to accept the digitally signed certificates during enrollment.
- If the user email domain differs from the LDAP domain, include the email domain in the Domain alias setting in Settings > LDAP. For example, if the domain for email addresses is myID.com and the LDAP domain name is sample.com, set Domain alias to sample.com, myID.com.
- You can't use derived credentials with shared devices.
- NetScaler Gateway needs to be configured for certificate authentication or certificate plus security token authentication.
For information about PKI configuration, see PKI entities.
Can I use Derived Credentials for iOS enrollment with other types of iOS Enrollments?
XenMobile can use derived credentials for iOS device enrollment. If configured for derived credentials, XenMobile doesn't support enrollment invitations or other enrollment modes for iOS devices. However, you can use the same XenMobile server to enroll Android devices through enrollment invitations and other enrollment modes.
What is the Enrollment Flow?
For enrollment, XenMobile Server connects to the components described in the "Requirements" section, as shown in the following diagram.
- During device enrollment, Secure Hub obtains certificates from the derived credentials app.
- The derived credentials app communicates with the credential management server during enrollment.
- You can use the same or different server for the credential management server and a third-party PKI provider.
- XenMobile Server connects to your third-party PKI server to obtain certificates.
After enrollment, the components connect as shown in the following diagram.
I can’t find the Derived Credentials Configuration option. How do I enable Derived Credentials?
To enable the Derived Credentials option, a new server property, derived.credentials.enable, has been introduced.
On the XenMobile server, navigate to Settings -> Server Properties. Select Add a new Server Property, and choose Custom Key:
- Key – Custom Key
- Key* – derived.credentials.enable
- Value* – true
- Display name* – Derived Credentials
You will need to reboot the XenMobile Server to activate the changes. Click OK, and reboot the server.
After the server reboots, a new option is available under Settings -> Authentication.
Below you see the new Derived Credentials for iOS configuration panel.
How do I configure Derived Credentials?
To configure Derived Credentials, access the documentation page located HERE for help with the information needed to complete the configuration.
What enrollment settings need to be configured for Derived Credentials?
To enable derived credentials for enrollment: On the Settings > Enrollment page, under Advanced Enrollment, select Derived Credentials (iOS only) and then click Enable.
A confirmation dialog box appears. To enable derived credentials, select the checkbox, and click Enable.
What log messages are generated by derived credentials?
Log messages during Secure Hub communication with XenMobile Server indicate success or failure, as follows:
Messages from XenMobile Server (SessionCreate SUCCESS)
2017-05-11T23:23:28.537+0000 | D88973753C718B23 | INFO | http-nio-10080-exec-47 | com.sparus.nps.ios.agent.V9AgentUtils | Derived Credential: User extracted from certificate: XXXXXXX@XMTEST.NET
2017-05-11T23:23:28.728+0000 | D88973753C718B23 | INFO | http-nio-10080-exec-47 | com.sparus.nps.ios.agent.V9AgentUtils | Derived Credential: Using user XXXXXX@XMTEST.NET' from cert and converted to XXXXXXX with certid 60000001a95b7fecbbbf2821dd0000000001a9
2017-05-11T23:23:28.883+0000 | D88973753C718B23 | INFO | http-nio-10080-exec-47 | com.citrix.cg.bo.spring.impl.InternalUserServiceImpl | Input params for addUser. UserName XXXXXXX@auster.ctx' and Domain Name 'auster.ctx'
2017-05-11T23:23:29.94+0000 | D88973753C718B23 | INFO | http-nio-10080-exec-47 | com.citrix.xms.oca.imil.service.impl.GroupServiceImpl | No.of groups:0 retrieved by UserID:40
2017-05-11T23:23:29.95+0000 | D88973753C718B23 | WARN | http-nio-10080-exec-47 | com.sparus.nps.ldap.LdapCredentialHandlerImpl | No groups found for user XXXXXX@auster.ctx'
2017-05-11T23:23:34.244+0000 | 21829910a6438ef5 | INFO | http-nio-10080-exec-60 | com.sparus.nps.ios.agent.V7ContextBuilder | No matching identity found in request from 172.16.1.57 to /zdm/ios/agent;jsessionid=D88973753C718B23ADDEA26B46E5FBB2
2017-05-11T23:23:59.118+0000 | 21829910a6438ef5 | INFO | http-nio-10080-exec-52 | com.sparus.nps.ios.enroll.ProfileServiceServlet | New enrollment initiated for serialNumber=CCQLQNKPFMJF, imei=null, udid=4a621749b64f7d915849ebcef3ded9cf7f460406, meid=null
© 2017 Citrix Systems, Inc. All rights reserved.
Messages from XenMobile Server (SessionCreate FAIL)
2017-05-11T23:06:46.168+0000 | 40DA582380D50C72 | INFO | http-nio-10080-exec-42 | com.sparus.nps.ios.agent.V9AgentUtils | Derived Credential: User extracted from certificate: XXXXXXXX@XMTEST.NET
2017-05-11T23:06:46.233+0000 | 40DA582380D50C72 | WARN | http-nio-10080-exec-42 | com.citrix.cg.util.CGUtil | No default Domain found redirecting to 'local' domain.
2017-05-11T23:06:46.253+0000 | 40DA582380D50C72 | WARN | http-nio-10080-exec-42 | com.citrix.cg.util.CGUtil | local domain. Directory service not managed for IDP local
2017-05-11T23:06:46.253+0000 | 40DA582380D50C72 | ERROR | http-nio-10080-exec-42 | com.sparus.nps.ios.agent.V9AgentUtils | dc ecxeption
com.citrix.xms.oca.imil.exception.OperationFailedException: Could not log on. Incorrect user name or password
Messages from Secure Hub (SessionCreate SUCCESS)
start request with id 6 and value (redacted) https://*****/zdm/ios/agent?action=sessioncreate&h=dc
Handling the client cert challenge for h=dc
Cred length is 3405
Passing the credentials in DC client cert challenge
Credentials parsed successfully
received challenge NSURLAuthenticationMethodServerTrust
request with id 6 succeeded with httpResponse code 200
Messages from Secure Hub (SessionCreate FAIL)
start request with id 6 and value (redacted) https://*****/zdm/ios/agent?action=sessioncreate&h=dc
Handling the client cert challenge for h=dc
Item found.
Cred length is 3434
Passing the credentials in DC client cert challenge
Credentials parsed successfully
request with id 6 failed with httpResponse code 500
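As an added example (not code from the Citrix page), the following Python script parses the pipe-delimited XenMobile Server log format shown above, groups lines by session id, and reports for each derived-credential session whether SessionCreate succeeded or failed. The sample log lines are constructed, and the mapping of the "No default Domain found" warning to the Domain alias requirement is an assumed interpretation.

```python
import re
# Constructed sample in the pipe-delimited XenMobile Server log format shown
# above (timestamp | session id | level | thread | logger | message); the
# users, session ids and device identifiers are made up.
SAMPLE_LOG = """\
2017-05-11T23:23:28.537+0000 | D88973753C718B23 | INFO | http-nio-10080-exec-47 | com.sparus.nps.ios.agent.V9AgentUtils | Derived Credential: User extracted from certificate: user1@XMTEST.NET
2017-05-11T23:23:29.95+0000 | D88973753C718B23 | WARN | http-nio-10080-exec-47 | com.sparus.nps.ldap.LdapCredentialHandlerImpl | No groups found for user user1@auster.ctx'
2017-05-11T23:23:59.118+0000 | 21829910a6438ef5 | INFO | http-nio-10080-exec-52 | com.sparus.nps.ios.enroll.ProfileServiceServlet | New enrollment initiated for serialNumber=SERIAL0001, imei=null, udid=UDID0001, meid=null
2017-05-11T23:06:46.168+0000 | 40DA582380D50C72 | INFO | http-nio-10080-exec-42 | com.sparus.nps.ios.agent.V9AgentUtils | Derived Credential: User extracted from certificate: user2@XMTEST.NET
2017-05-11T23:06:46.233+0000 | 40DA582380D50C72 | WARN | http-nio-10080-exec-42 | com.citrix.cg.util.CGUtil | No default Domain found redirecting to 'local' domain.
2017-05-11T23:06:46.253+0000 | 40DA582380D50C72 | ERROR | http-nio-10080-exec-42 | com.sparus.nps.ios.agent.V9AgentUtils | dc ecxeption
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) \| (?P<session>\w+) \| (?P<level>\w+) \| "
                     r"(?P<thread>\S+) \| (?P<logger>\S+) \| (?P<msg>.*)$")
USER_RE = re.compile(r"User extracted from certificate: (\S+)")

# Assumed interpretation (not stated on the page): this WARN in a failing
# session means the UPN's domain is not mapped to an LDAP domain, which is
# what the Domain alias requirement above addresses.
KNOWN_CAUSES = {
    "No default Domain found": "UPN domain is not listed under Settings > LDAP > Domain alias",
}

def parse_lines(text):
    """Split each log line into its fields; continuation lines (stack traces) are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def classify_sessions(text):
    """Group events by session id and report, for each session in which a user was
    extracted from a derived-credential certificate, SUCCESS (no ERROR) or FAIL plus a hint."""
    sessions = {}
    for ev in parse_lines(text):
        s = sessions.setdefault(ev["session"], {"user": None, "result": "SUCCESS", "hint": None})
        if m := USER_RE.search(ev["msg"]):
            s["user"] = m.group(1)
        if ev["level"] == "WARN":
            for signature, hint in KNOWN_CAUSES.items():
                if signature in ev["msg"]:
                    domain = (s["user"] or "?").rsplit("@", 1)[-1]
                    s["hint"] = f"{hint} (UPN domain: {domain})"
        if ev["level"] == "ERROR":
            s["result"] = "FAIL"
            s["hint"] = s["hint"] or ev["msg"]  # fall back to the raw error text
    # Sessions without a certificate-derived user (e.g. the later profile request) are not SessionCreate.
    return {sid: s for sid, s in sessions.items() if s["user"]}

if __name__ == "__main__":
    for sid, s in classify_sessions(SAMPLE_LOG).items():
        print(sid, s["user"], s["result"], s["hint"] or "")
```

Run it against a real server log to get one line per SessionCreate attempt; sessions that end in FAIL with the Domain alias hint are the ones to check against the LDAP settings described in the requirements.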