000033186 - How to increase chances for successfully implementing Risk Based Authentication on the RSA Authentication Agent for Citrix StoreFront

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 14, 2017.
Version 8

Article Content

Article Number: 000033186
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Citrix StoreFront
RSA Version/Condition: 1.0
 
Issue: RSA Authentication Agent for Citrix StoreFront 1.0 is a variant of the RSA Authentication Agent for Windows. The primary references for this product are the RSA Authentication Agent for Citrix StoreFront 1.0 Installation and Administration Guide and the RBA Integration with Citrix NetScaler and RSA Authentication Agent for Citrix StoreFront RSA SecurID Ready Implementation Guide, last modified 10 December 2015.
 

Introduced at the end of 2015, this agent integrates both Citrix NetScaler and Citrix StoreFront with Authentication Manager as a standard agent. It supersedes the older RSA SecurID Ready Implementation Guide, last modified 29 September 2015, which configured the NetScaler as a RADIUS client to Authentication Manager but required an LDAP password logon in addition to the RSA SecurID passcode or RBA logon.
Notes:
  • The Citrix RSA StoreFront Bridge (or RSA bridge) mentioned in the Citrix documentation on Configuration of Delegated Forms Authentication for RSA Adaptive Authentication on NetScaler Gateway is for RSA Adaptive Authentication (AA), not for RSA Authentication Manager (AM). Authentication Manager uses the RBA Helper Application on the Citrix StoreFront server in addition to the RSA Authentication Agent for Citrix StoreFront 1.0.
  • As of Q2 2016, only Citrix StoreFront 3.0 is supported by RSA Authentication Manager.  StoreFront 3.5 and 3.6 are not supported and probably will not work because the Delegated Forms Authentication (DFA) used in Citrix has changed.
Tasks
  1. Make sure the Citrix StoreFront and NetScaler gateways are working with password logon.
  2. Configure Citrix StoreFront for DFA and LDAP password.
  3. Install and successfully test the RSA Authentication Agent for Citrix StoreFront 1.0. Get tokencode/passcode/fixed passcode logon working before attempting to get RBA to work. Use a fixed passcode if you do not have tokens.
  4. Configure the StoreFront to allow an RSA passcode authentication through DFA.
  5. Test StoreFront logon with the fixed passcode, which includes enabling DFA on the virtual server that publishes the StoreFront.
  6. Install the RBA Helper Application on the StoreFront Windows Server, using the Citrix NetScaler 11 with DFA integration script.
Resolution
  1. Make sure Citrix StoreFront works through the NetScaler's gateways with AD or LDAP password logons.
  2. Confirm that Citrix StoreFront works with DFA and with an AD or LDAP password.
  3. Review Citrix's product documentation on Delegated Forms Authentication.
  4. Once you have Citrix StoreFront working with LDAP passwords and DFA, you can install the RSA Authentication Agent for Citrix StoreFront.
  5. Complete two test authentications through the RSA Control Center to verify that the Citrix StoreFront server can communicate with RSA Authentication Manager and that the node secret is created successfully.
Agent Test Authentication

  1. Configure the StoreFront to allow an RSA passcode authentication through DFA.
    1. Follow Chapter 4 of the RSA Authentication Agent for Citrix® StoreFront 1.0 Installation and Administration Guide, Revision 1, "Configuring and Managing the Agent for Citrix StoreFront," to:
       
      • Exclude specific network adapters from auto-registration.
      • Maintain the primary IP address of the agent.
      • There should be no need to use the node secret load utility, because test authentication should create the node secret.
       
    2. Follow the steps in Chapter 5 of the Installation and Administration Guide to enable Citrix Delegated Forms Authentication, because DFA is a prerequisite for extending the RSA Authentication Agent for Citrix StoreFront to authenticate users with either RSA SecurID or RBA. Chapter 5 (page 39) covers:
       
      • Enabling DFA and configuring it to use RSA SecurID.
      • Given that the online Citrix docs include obsolete, and potentially misleading, references to the RSA Adaptive Authentication (AA) RBA solution, we recommend following the instructions in the .rtf installed on StoreFront to enable DFA. This is described in the second half of step 2 on page 42: "Citrix provides similar information in a document installed on Citrix StoreFront servers. See <ProgramFiles>\Citrix\Receiver StoreFront\Management\Cmdlet\DFAServerFPReadMe.rtf."
       
  2. Configure DFA to use RSA SecurID authentication with the PowerShell command, also described on page 42: Set-DSDFAProperty -ConversationFactory "SecurIDAuthentication"
  3. Use the StoreFront MMC to enable Passthrough from the NetScaler on the published store.
  4. The last step for passcode-only logon is to enable DFA on the virtual server that publishes StoreFront, add a DFA authentication policy, and configure the policy's action with the details set on the StoreFront server when DFA was enabled (the Client ID and the passphrase). At this point, authentication to the StoreFront with an RSA SecurID passcode through the virtual server URL should be successful.
  5. Next, add RBA by installing the RBA Helper Application and downloading the redirect script for the RBA agent. Be sure to choose Citrix NetScaler 11 with DFA, not Citrix NetScaler 10.
  6. If you browse to the website URL from inside the network and are not prompted for an RSA passcode, also try clearing the domain passthrough.
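The StoreFront-side part of the passcode-only configuration above (step 2 of Agent Test Authentication), written as an added PowerShell example run on the StoreFront server. This is not code from the RSA article or from Citrix's DFAServerFPReadMe.rtf. Assumptions, marked in the comments: the StoreFront cmdlets are loaded by the ImportModules.ps1 script under the StoreFront install directory, Get-DSDFAProperty exists and returns an object whose ConversationFactory property reflects the value set by Set-DSDFAProperty, and the Client ID and passphrase that the NetScaler policy action needs have already been set while enabling DFA per the readme.

```powershell
# Added example, not part of the RSA article. Run in an elevated PowerShell
# session on the StoreFront 3.0 server after DFA has been enabled per
# DFAServerFPReadMe.rtf (Client ID and passphrase set there; not shown here).
#Requires -RunAsAdministrator

$StoreFrontRoot = Join-Path $env:ProgramFiles 'Citrix\Receiver StoreFront'
$ReadMe = Join-Path $StoreFrontRoot 'Management\Cmdlet\DFAServerFPReadMe.rtf'

# Sanity check before touching anything: refuse to run on a box that is not a
# StoreFront server with the DFA readme the article points at.
if (-not (Test-Path $ReadMe)) {
    throw "DFAServerFPReadMe.rtf not found under $StoreFrontRoot; is this a StoreFront server?"
}

# Load the StoreFront cmdlets. ASSUMPTION: the loader script lives at this path.
& (Join-Path $StoreFrontRoot 'Scripts\ImportModules.ps1')

# The one setting the article specifies: hand the DFA conversation to the
# SecurID conversation factory installed by the RSA agent.
Set-DSDFAProperty -ConversationFactory 'SecurIDAuthentication'

# Read the setting back before moving on to the NetScaler DFA policy, so a
# silent failure here is not chased later as a "NetScaler problem".
# ASSUMPTION: Get-DSDFAProperty exposes a ConversationFactory property.
$dfa = Get-DSDFAProperty
if ($dfa.ConversationFactory -ne 'SecurIDAuthentication') {
    throw "DFA conversation factory is '$($dfa.ConversationFactory)', expected 'SecurIDAuthentication'"
}
Write-Host 'StoreFront DFA now uses SecurIDAuthentication; enable Passthrough in the StoreFront MMC and configure the NetScaler DFA policy next.'
```

Run this only after the two RSA Control Center test authentications have succeeded and the node secret exists; if the read-back check fails, fix it on StoreFront before enabling DFA on the NetScaler virtual server, since the NetScaler side cannot work without it.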
Notes: Debug logging for the RBA Helper Application is turned on through a registry setting. Set HKEY_LOCAL_MACHINE\SOFTWARE\RSA\RSA Desktop Common\Logging\Components\RBAHelper to 1.
If you need to email any .htm or .js files, such as the integration script, you may need to rename the .js or .htm extensions to .txt and then zip them before attaching them to an email, so that the mail filters do not strip them out.
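Both notes above, as an added PowerShell example for the StoreFront server; this is not code from the RSA article. Assumptions, marked in the comments: RBAHelper is a REG_DWORD value under the Logging\Components key (the article only says to set it to 1), the folder holding the integration script files is a path you supply (the one in the usage line is a placeholder, not a real product path), and Compress-Archive is available (Windows PowerShell 5.0 or later).

```powershell
# Added example, not part of the RSA article.
#Requires -RunAsAdministrator

$LoggingKey = 'HKLM:\SOFTWARE\RSA\RSA Desktop Common\Logging\Components'

function Set-RbaHelperDebug {
    # Turn RBA Helper Application debug logging on (1) or off (0) and return
    # the value actually stored, so the caller can confirm it took effect.
    param([Parameter(Mandatory)][bool]$Enabled)

    if (-not (Test-Path $LoggingKey)) {
        throw "$LoggingKey does not exist; is the RSA agent installed on this StoreFront server?"
    }
    $value = if ($Enabled) { 1 } else { 0 }
    # ASSUMPTION: RBAHelper is a DWORD value named after the component.
    Set-ItemProperty -Path $LoggingKey -Name 'RBAHelper' -Value $value -Type DWord
    (Get-ItemProperty -Path $LoggingKey -Name 'RBAHelper').RBAHelper
}

function New-ScriptMailBundle {
    # Copy .js/.htm/.html files (e.g. the NetScaler integration script) with a
    # .txt extension appended, then zip them, so mail filters leave them alone.
    # The original extension is kept inside the name (script.js.txt) so the
    # recipient can restore it by stripping ".txt".
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$ZipPath
    )

    $staging = Join-Path $env:TEMP ('rba-bundle-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $staging | Out-Null
    try {
        $files = Get-ChildItem -Path $SourceDir -File -Recurse |
            Where-Object { $_.Extension -in '.js', '.htm', '.html' }
        if (-not $files) { throw "No .js/.htm/.html files found under $SourceDir" }

        foreach ($f in $files) {
            Copy-Item -Path $f.FullName -Destination (Join-Path $staging ($f.Name + '.txt'))
        }
        Compress-Archive -Path (Join-Path $staging '*') -DestinationPath $ZipPath -Force
    }
    finally {
        Remove-Item -Path $staging -Recurse -Force -ErrorAction SilentlyContinue
    }
    $ZipPath
}

# Usage (placeholder folder; substitute where the integration script was saved):
# Set-RbaHelperDebug -Enabled $true
# New-ScriptMailBundle -SourceDir 'C:\RSA\NetScalerIntegration' -ZipPath "$env:USERPROFILE\Desktop\rba-scripts.zip"
# Set-RbaHelperDebug -Enabled $false   # turn debug off again once the case is resolved
```

Turn the debug setting back off when troubleshooting is finished; verbose agent logs on an authentication server accumulate quickly and can include details of every logon attempt.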
