Configuring Two Factor Authentication For Citrix Web Interface With WiKID

Many organizations that process credit card payments must comply with the PCI (Payment Card Industry) security standard to help maintain the integrity of their systems.  One technology an organization can use to help comply with this standard is a multi-factor authentication scheme.  WiKID offers a robust two-factor authentication method based on one-time-use passcodes.  The WiKID server is based on the CentOS 5 Linux distribution.  WiKID offers a free Community Edition; however, several built-in features that are needed to integrate with the Citrix Web Interface (such as RADIUS) are missing from it.  WiKID Enterprise Server is offered with a 30-day trial and includes all features necessary for integration with Citrix out of the box.  It has a reasonable price tag that is much cheaper than competing multi-factor authentication solutions.

In this example I will implement a WiKID server to provide an additional layer of authentication for Citrix Web Interface user logons.  WiKID offers a prebuilt VMware appliance; however, I had trouble getting this to work properly.  At the moment, my recommendation if you intend to set up WiKID in VMware is to set up a virtual machine manually using Red Hat Enterprise Linux 5 (32-bit) as the machine type with a basic setup (512MB RAM, 5GB hard drive, and 1 NIC).  Once that is complete, boot using the WiKID Enterprise Server ISO.

Select your time zone, press Tab until the OK button is highlighted, then press Enter.

Enter a password for the root user.

I attempted to run “yum update” but I needed to first configure the system with some name servers.  To configure this and other network settings, run:

# wikidctl setup

This wizard makes it very easy to step through the networking setup.  In later installations I only answered Yes to using “eth0” and No on all the other interfaces.  This appears to be all that is needed, although I have seen documentation indicating that 2 NICs should be configured (at the moment I am not sure why).  Also, don’t forget to enter your default gateway and nameserver info.

We now need to enter info pertaining to the self-signed SSL certificate for the WiKID administration website.  Please note that you can recreate this certificate by deleting the certificate file and restarting WiKID.

Enter Yes to create the certificate.

I entered No for replication, which if implemented will allow us to add high availability features to our WiKID installation.  Now start the WiKID server:

# wikidctl start

Now switch over to your browser:

http://YourWiKIDServer/WiKIDAdmin/

Since the SSL cert is self-signed, you’ll receive warnings that it is not trusted.
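One way to turn that browser warning into an actual check is to pin the certificate's SHA-256 fingerprint and compare it before logging in. This is an added example, not part of the original post or of WiKID; it assumes the admin site answers on HTTPS port 443 and that the pinned fingerprint was read from the certificate on the WiKID server itself (the post does not give that file's path). All function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:...', spaced or plain hex; return 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch not in ": \t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the value browsers display."""
    return hashlib.sha256(der).hexdigest()


def matches_pin(der: bytes, pinned: str) -> bool:
    """True only if the presented certificate is exactly the pinned one."""
    return hmac.compare_digest(cert_fingerprint(der), normalize_fingerprint(pinned))


def fetch_certificate(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Retrieve the server certificate as DER bytes.

    Chain validation is switched off only so the self-signed certificate can
    be retrieved; the trust decision is made by matches_pin(), not by TLS.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_admin_site(host: str, pinned: str) -> str:
    """Compare the live certificate with the pin and describe the result."""
    der = fetch_certificate(host)
    if matches_pin(der, pinned):
        return "OK: certificate matches the pinned fingerprint"
    # A mismatch is expected after the certificate file is deleted and
    # recreated; otherwise treat it as a sign the connection is not direct.
    return "MISMATCH: server presented " + cert_fingerprint(der)
```

After the certificate is recreated (by deleting the file and restarting WiKID, as described above), the pin has to be read from the server again.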

Now log in to the WiKID administration site with these credentials:

Username: WiKIDAdmin
Password: 2Factor

Click the Configuration tab.

  1. JanJ
    September 16, 2010 at 8:28 am

    Nice document, I made kind of the same document together with SecurEnvoy SMS authentication and Citrix + RADIUS. Something not mentioned in here: make a backup of the conf files you edit, because if you do a ‘repair website’ in the ctx webinterface server all your settings are overwritten.
    Also, this setup doesn’t work with UPN logon names correctly; for that you need to change the TwoFactorAuth.java file.

    • September 16, 2010 at 2:42 pm

      Good point and thanks for the info, Jan. It is always a good idea to make backups of the config files that get edited.

  2. September 20, 2010 at 9:18 pm

    Great document! This fills a nice hole for us!

    Nick

    • September 22, 2010 at 12:44 am

      Thanks for the kind words, Nick.
