Deployment architectures
Introduction
Federated Authentication Service (FAS) is a Citrix component that integrates with your Active Directory certificate authority, allowing users to be seamlessly authenticated within a Citrix environment. This document describes various authentication architectures that may be appropriate for your deployment.
When enabled, FAS delegates user authentication decisions to trusted StoreFront servers. StoreFront has a comprehensive set of built-in authentication options built around modern web technologies, and is easily extensible using the StoreFront SDK or third-party IIS plugins. The basic design goal is that any authentication technology that can authenticate a user to a web site can now be used to log in to a Citrix Virtual Apps or Citrix Virtual Desktops deployment.
This document describes example top-level deployment architectures, in increasing complexity.
- Internal deployment
- Citrix Gateway deployment
- ADFS SAML
- B2B account mapping
- Windows 10 Azure AD join
Links are provided to related FAS articles. For all architectures, the Install and configure article is the primary reference for setting up FAS.
Architectural overview
FAS is authorized to issue smart card class certificates automatically on behalf of Active Directory users who are authenticated by StoreFront. This uses similar APIs to tools that allow administrators to provision physical smart cards. When a user is brokered to a Citrix Virtual Apps or Citrix Virtual Desktops Virtual Delivery Agent (VDA), the certificate is attached to the machine, and the Windows domain sees the logon as a standard smart card authentication.
Trusted StoreFront servers contact FAS as users request access to the Citrix environment. FAS grants a ticket that allows a single Citrix Virtual Apps or Citrix Virtual Desktops session to authenticate with a certificate for that session. When a VDA needs to authenticate a user, it connects to FAS and redeems the ticket. Only FAS has access to the user certificate’s private key; the VDA must send each signing and decryption operation that it needs to perform with the certificate to FAS.
The following diagram shows FAS integrating with a Microsoft Certification Authority and providing support services to StoreFront and Citrix Virtual Apps and Desktops Virtual Delivery Agents (VDAs).
Internal deployment
FAS allows users to securely authenticate to StoreFront using a variety of authentication options (including Kerberos single sign-on) and connect through to a fully authenticated Citrix HDX session.
This allows Windows authentication without prompts to enter user credentials or smart card PINs, and without using “saved password management” features such as the Single Sign-on Service. This can be used to replace the Kerberos Constrained Delegation logon features available in earlier versions of Citrix Virtual Apps.
All users have access to public key infrastructure (PKI) certificates within their session, regardless of whether or not they log on to the endpoint devices with a smart card. This allows a smooth migration to two-factor authentication models, even from devices such as smartphones and tablets that do not have a smart card reader.
This deployment adds a new server running FAS, which is authorized to issue smart card class certificates on behalf of users. These certificates are then used to log on to user sessions in a Citrix HDX environment as if a smart card logon was used.
The Citrix Virtual Apps or Citrix Virtual Desktops environment must be configured in a similar manner as smart card logon, which is documented in CTX206156.
In an existing deployment, this usually involves only ensuring that a domain-joined Microsoft certificate authority is available, and that domain controllers have been assigned domain controller certificates. (See the “Issuing Domain Controller Certificates” section in CTX206156.)
Related information:
- Keys can be stored in a Hardware Security Module (HSM) or built-in Trusted Platform Module (TPM). For details, see the Private key protection article.
- The Install and configure article describes how to install and configure FAS.
Citrix Gateway deployment
The Citrix Gateway deployment is similar to the internal deployment, but adds Citrix Gateway paired with StoreFront, moving the primary point of authentication to Citrix Gateway itself. Citrix Gateway includes sophisticated authentication and authorization options that can be used to secure remote access to a company’s web sites.
This deployment can be used to avoid multiple PIN prompts that occur when authenticating first to Citrix Gateway and then logging in to a user session. It also allows use of advanced Citrix Gateway authentication technologies without additionally requiring AD passwords or smart cards.
The Citrix Virtual Apps or Citrix Virtual Desktops environment must be configured in a similar manner as smart card logon, which is documented in CTX206156.
In an existing deployment, this usually involves only ensuring that a domain-joined Microsoft certificate authority is available, and that domain controllers have been assigned Domain Controller certificates. (See the “Issuing Domain Controller Certificates” section in CTX206156).
When configuring Citrix Gateway as the primary authentication system, ensure that all connections between Citrix Gateway and StoreFront are secured with TLS. In particular, ensure that the Callback Url is correctly configured to point to the Citrix Gateway server, as this can be used to authenticate the Citrix Gateway server in this deployment.
Related information:
- To configure Citrix Gateway, see “How to Configure NetScaler Gateway 10.5 to use with StoreFront 3.6 and Citrix Virtual Desktops 7.6.”
- Install and configure describes how to install and configure FAS.
ADFS SAML deployment
A key Citrix Gateway authentication technology allows integration with Microsoft ADFS, which can act as a SAML Identity Provider (IdP). A SAML assertion is a cryptographically-signed XML block issued by a trusted IdP that authorizes a user to log on to a computer system. This means that the FAS server allows the authentication of a user to be delegated to the Microsoft ADFS server (or other SAML-aware IdP).
ADFS is commonly used to securely authenticate users to corporate resources remotely over the Internet; for example, it is often used for Office 365 integration.
Related information:
- The ADFS deployment article contains details.
- The Install and configure article describes how to install and configure FAS.
- The Citrix Gateway deployment section in this article contains configuration considerations.
B2B account mapping
If two companies want to use each other’s computer systems, a common option is to set up an Active Directory Federation Service (ADFS) server with a trust relation. This allows users in one company to seamlessly authenticate into another company’s Active Directory (AD) environment. When logging on, each user uses their own company logon credentials; ADFS automatically maps this to a “shadow account” in the peer company’s AD environment.
Related information:
- The Install and configure article describes how to install and configure FAS.
Windows 10 Azure AD Join
Windows 10 introduced the concept of “Azure AD Join,” which is conceptually similar to traditional Windows domain join but targeted at “over the internet” scenarios. This works well with laptops and tablets. As with traditional Windows domain join, Azure AD has functionality to allow single sign-on models for company websites and resources. These are all “Internet aware,” so will work from any Internet connected location, not just the office LAN.
This deployment is an example where there is effectively no concept of “end users in the office.” Laptops are enrolled and authenticate entirely over the Internet using modern Azure AD features.
Note that the infrastructure in this deployment can run anywhere an IP address is available: on-premises, hosted provider, Azure, or another cloud provider. The Azure AD Connect synchronizer will automatically connect to Azure AD. The example graphic uses Azure VMs for simplicity.
Related information:
- The Install and configure article describes how to install and configure FAS.
- The Azure AD integration article contains details.