Key Storage Providers (KSP) remoting (Preview)

Introduction

Previously, remoting of cryptographic operations from a Windows VDA to the FAS server was achieved using a pair of Cryptographic Service Providers (CSPs) running on the VDA:

  • CitrixLogonCsp.dll - for single sign-on (SSO) to the VDA
  • CitrixVirtualSmartcardCsp.dll - for in-session certificates

With this feature, cryptographic operations can also be remoted using a pair of Key Storage Providers (KSPs) running on the VDA:

  • CitrixLogonKsp.dll - for SSO to the VDA
  • CitrixVirtualSmartcardKsp.dll - for in-session certificates

KSP is the newer provider model (part of Cryptography API: Next Generation, CNG) for exposing cryptographic operations to Windows applications, and it offers capabilities that the legacy CSP model does not. For example:

  • Certificates with ECC keys are supported
  • RSA-PSS (Probabilistic Signature Scheme) padding is supported

Note:

Although the KSP itself supports ECC keys, FAS currently provides no setting for enabling ECC keys, so this capability cannot yet be used with certificates issued through FAS.

Enable KSP remoting

KSP remoting is enabled by creating the following registry value (RemoteKspFeature is a value under the UserCredentialService key, not a key of its own):

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService

Name: RemoteKspFeature

Type: string (REG_SZ)

Value: on

  • Both the FAS server and the VDA must be running CVAD 2407 software.

  • The registry value must be created on both the FAS server and the VDA.

  • Restart the FAS server and the VDA for the change to take effect.

If any of these conditions is not met, the VDA falls back to CSP remoting.
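The following PowerShell script is an added example (not Citrix's own code) that creates the policy value described above in an idempotent way and reads it back. It must be run elevated on the FAS server and on each VDA, followed by a restart; it does not check the CVAD 2407 requirement, which you must confirm separately.

```powershell
# Added example: enable KSP remoting by creating the documented policy value.
# Run elevated on the FAS server and on every VDA, then restart the machine.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService'
$ValueName = 'RemoteKspFeature'

function Enable-KspRemoting {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Create the policy key (and any missing parents) if it does not exist yet.
    if (-not (Test-Path -Path $KeyPath)) {
        if ($PSCmdlet.ShouldProcess($KeyPath, 'Create registry key')) {
            New-Item -Path $KeyPath -Force | Out-Null
        }
    }

    # The documented setting is a REG_SZ named RemoteKspFeature with the value "on".
    # -Force overwrites a previous value of any type, so re-running is safe.
    if ($PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Set REG_SZ value to "on"')) {
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType String -Value 'on' -Force | Out-Null
    }
}

function Get-KspRemotingSetting {
    # Returns the current value, or $null when the value (or key) is absent,
    # so the caller can distinguish "never configured" from "misspelled".
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

Enable-KspRemoting
$current = Get-KspRemotingSetting
if ($current -eq 'on') {
    Write-Host "RemoteKspFeature = on. Restart this machine for the change to take effect."
} else {
    # Anything other than "on" does not enable the feature; the VDA keeps using CSP remoting.
    Write-Warning "RemoteKspFeature is '$current'; KSP remoting is not enabled on this machine."
}
```

Run it with -WhatIf on the function call (Enable-KspRemoting -WhatIf) to preview the registry changes before applying them to production VDAs.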

Verify if KSP remoting is turned on

On the FAS server, you can check whether KSP remoting is turned on using PowerShell:

(Screenshot: KSP remoting enabled)

To check whether KSP remoting has actually been used for VDA SSO, look for the following event in the FAS server's Windows Application log:

(Screenshot: VDA SSO event)

An Operation of SignHash2 indicates that KSP remoting was used, whereas SignHash indicates CSP remoting (the fallback path).

Similarly, when an in-session certificate is used for cryptography, such as TLS client authentication, look for the following event on the FAS server:

(Screenshot: Cryptography event)
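As an added example (not Citrix's own tooling), the following PowerShell script scans the FAS server's Application log for the two operation names quoted above and reports how many signing events went through KSP remoting (SignHash2) versus CSP remoting (SignHash). The event source and event IDs are not stated on this page, so the script filters on message text rather than on a provider name; if you know the FAS provider name, add it to the filter hashtable to make the query faster.

```powershell
# Added example: classify FAS signing events on this FAS server by remoting type.
# Run on the FAS server; the event provider is not assumed, only the message text.
param(
    [datetime]$Since = (Get-Date).AddHours(-24)
)

function Get-FasRemotingEvents {
    param([datetime]$Since)

    # Pull Application-log events in the window, keep those naming SignHash or
    # SignHash2, and tag each one with the remoting path it implies.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '\bSignHash2?\b' } |
        ForEach-Object {
            # Operation SignHash2 => KSP remoting; SignHash => CSP remoting (fallback).
            $op = if ($_.Message -match '\bSignHash2\b') { 'SignHash2' } else { 'SignHash' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Provider  = $_.ProviderName
                Operation = $op
                Remoting  = if ($op -eq 'SignHash2') { 'KSP' } else { 'CSP' }
            }
        }
}

$events = Get-FasRemotingEvents -Since $Since
if (-not $events) {
    Write-Warning "No SignHash/SignHash2 events since $Since; no VDA SSO or in-session signing has reached this FAS server in that window."
    return
}

# Summary first: a non-zero CSP count after enabling the feature means at least
# one VDA is still falling back (check its registry value, CVAD version and restart).
$events | Group-Object Remoting | Select-Object Name, Count | Format-Table -AutoSize

# Then the most recent events, so a specific fallback can be traced to a time.
$events | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Because the classification is purely textual, an unrelated Application-log event that happens to contain the word SignHash would be counted; the Provider column in the detailed listing lets you spot and exclude such noise.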

Known limitations

KSP remoting is only supported when FAS itself is configured to use a KSP, which is the default configuration. If FAS is configured to use a legacy CSP, KSP remoting does not work, regardless of the RemoteKspFeature registry value.

The relevant setting is the following entry in the file %programfiles%\Citrix\Federated Authentication Service\Citrix.Authentication.FederatedAuthenticationService.exe.config:

<add key="Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderLegacyCsp" value="false" />

Here, a value of false indicates that FAS is configured with a KSP, and therefore KSP remoting is supported; a value of true indicates that FAS uses a legacy CSP, and KSP remoting is not available.
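The following PowerShell script is an added example (not Citrix's own code) that combines this limitation with the registry prerequisite: it parses the ProviderLegacyCsp entry out of the FAS exe.config and reads the RemoteKspFeature policy value, then reports whether KSP remoting can take effect on this FAS server. Treating a missing ProviderLegacyCsp entry as false is an assumption based on the page's statement that KSP is the default; if your deployment differs, change that branch.

```powershell
# Added example: check the two server-side preconditions for KSP remoting.
# Run on the FAS server.
$ConfigPath = Join-Path $env:ProgramFiles 'Citrix\Federated Authentication Service\Citrix.Authentication.FederatedAuthenticationService.exe.config'
$LegacyKey  = 'Citrix.TrustFabric.ClientSDK.TrustAreaJoinParameters.ProviderLegacyCsp'
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Citrix\Authentication\UserCredentialService'

function Get-FasProviderLegacyCsp {
    param([string]$Path = $ConfigPath)

    if (-not (Test-Path -Path $Path)) { throw "FAS config not found: $Path" }
    [xml]$cfg = Get-Content -Path $Path -Raw

    # Find <add key="...ProviderLegacyCsp" value="..."/> wherever it sits in the file.
    $node = $cfg.SelectSingleNode("//add[@key='$LegacyKey']")
    if ($null -eq $node) {
        # Assumption: an absent entry means the documented default (KSP, i.e. false).
        return $false
    }
    return [System.Convert]::ToBoolean($node.value)
}

function Test-KspRemotingSupported {
    $legacyCsp = Get-FasProviderLegacyCsp
    $policy = (Get-ItemProperty -Path $PolicyPath -Name RemoteKspFeature -ErrorAction SilentlyContinue).RemoteKspFeature

    [pscustomobject]@{
        FasUsesKsp           = -not $legacyCsp
        RemoteKspFeature     = $policy
        # Both conditions must hold on the FAS server; the VDA side is checked separately.
        KspRemotingSupported = (-not $legacyCsp) -and ($policy -eq 'on')
    }
}

$state = Test-KspRemotingSupported
$state | Format-List

if (-not $state.FasUsesKsp) {
    Write-Warning "FAS is configured with a legacy CSP (ProviderLegacyCsp=true); KSP remoting will not work whatever the policy value says."
} elseif ($state.RemoteKspFeature -ne 'on') {
    Write-Warning "FAS uses a KSP, but RemoteKspFeature is not 'on' on this server; VDAs will fall back to CSP remoting."
} else {
    Write-Host "Server-side preconditions met. Confirm the VDA registry value, CVAD 2407 on both ends, and that both were restarted."
}
```

This check is read-only, so it is safe to run repeatedly, for example from a scheduled health check, to catch a FAS configuration that was later switched back to a CSP.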
