Throughout the XenMobile deployments with Certificate Based Authentication(CBA) I came across some items which I thought was worth mentioning.
1. CBA up until Secure Mail 10.6.20 / Secure Hub 10.6.20 was requesting new certificates on SSL exceptions, in effect the exceptions were triggered on every SSL connection error that occurred and thus requesting a new certificate from the PKI, this got resolved in version 10.6.20 by not using Java codes anymore but instead reading the NetScaler Gateway error code which gets presented to the client.
2. The PKI / Credential Provider settings configured with template, validity, CRL and renewal configured on the PKI server won’t work for CBA, this is because CBA is not a payload certificate but only a SIGN method. WiFi certificate which get pushed do honor the validity, renewal and CRL options.
3. With above actions you’ve might get a really large PKI environment which is not necessary and therefore maybe you would need to migrate to a new PKI server, this can be done side by side by creating a new PKI/Credential Provider and configuring those accordingly and migrate in a controlled fashion
4. You might see issued Certificates which aren’t valid anymore or revoked and those devices still get access to the MAM store, this is resolved when you apply CRL mandatory or OCSP mandatory see the following article for some more information regarding CRL: https://docs.citrix.com/en-us/netscaler/12/ssl/manage-cert-revocate-lists.html
Hope these lessons learned help and if there are any comments or questions please feel free to drop them here.
For those who are not aware Apple has an upcoming change regarding App Transport Security (ATS)
The date it should be in effect was originally January 2017… but was pushed back for migration purposes, and the new date is yet a mystery.
It will have impact! Be proactive and check your XenMobile / NetScaler environments:
– NetScaler 11.1 will be the preferred build for TLS1.2 and the ECDHE cipher suites
– XenMobile 10.4 RP4 and XenMobile 10.5 have the TLS1.2 and ECDHE cipher suites (plus ATS hotfix)
Once ATS is enforced, Apple will require at least one cipher suite enabled from a specific list of cipher suites. Apple supported ATS cipher suites are:
If SSL-Offloading is used in combination with XenMobile, remember that 11.1 is the preferred build.
I came across a peculiar issue regarding a new NetScaler SDX 14020 setup in combination with a Cisco Nexus C9372-PX-E and C9336PQ infrastructure, a new buildup of the SDX/VPX with multiple HA instances spinning and a working environment. LA sets configured for HA probes and everything nice and easy separated through vlan access. Long story short, at first it looked like a bug regarding the combination of NetScaler and Cisco: https://support.citrix.com/article/CTX215720 and created an support case with the follow ups with it, afterwards it seemed that the untagged management vlan setup was overlapping from data channels and the root cause for this was at the Cisco ACI side of things, the EPG(EndpointGroup) and BridgeDomain were overlapping in that case. The solution was to create a new and dedicated EPG/BridgeDomain for the data channels of the NetScaler.
So lessons learned:
- Double check the setup of the ACI even if you get the “yes it’s correct” statement from your customer
Came across a pretty specific issue in a large mobility environment regarding an old value from XenMobile 9 and still present in XenMobile 10, this is called device triangulation, with this the mobile service provider can triangulate the exact location from the device with constant updates regarding there location (this was an old value which was used with SMG and not applicable anymore).
This can cause significant impact on your database server with deadlocks.
The solution is to look for the following value:
Enable Device Triangulation
Preffered value: false
Default value: true
This won’t change application actions regarding geofencing because those are application and container specific.
Besides the above there is also an global value optional regarding location services in combination with iOS devices (the annoying popup you’ll get when enrolling the device which security people always ask you about 🙂 the following article will explain the values for XenMobile 9 and XenMobile 10: https://support.citrix.com/article/CTX137614
Thanks to Arnaud Pain for going into more detail regarding location services client side, take a look at his blog: http://arnaudpain.com/index.php/2017/02/06/xenmobile-disable-location-service/
Citrix Provisioning Servers can be showing a offline status because the SQL native client version (11.0.2100.60) installed with it will not support TLS 1.2 and due to this it will give an error in event viewer with event ID 11 – Undefined database error
Installing the latest version of SQL native client on the PVS servers should resolve the issue.
When you are using enrollment invitations and you don’t clean this up for let’s say an environment with a few thousand of users/devices this could be a time absorbing action to do.
Luckily there is a quick win for this and you’ll want to create a query for “dbo.ENROLLMENT_PASS” on the Database server and remove those entries afterwards the redeemed invitations are gone.
Quick win see the following article for the all you can need regarding NetScaler upgrade articles: https://support.citrix.com/article/CTX220371
Came across two bugs on a XenServer 7 deployment in combination with XenDesktop/XenApp 7.12 worth sharing:
The first is a mouse alignment issue which results in VNC mouse pointer slowness or disalignment of the pointer on a console session in XenServer, the following can check the status of the usb and usb_tablet parameters on the vm’s:
## xe vm-list uuid=[of the provisioned machine] params=platform
which will give the output of the VM and the following command will set the value’s:
## xe vm-param-set uuid=[of the provisioned machine] platform:usb=true
## xe vm-param-set uuid=[of the provisioned machine] platform:usb_tablet=true
confirm the settings with the xe vm-list command and afterwards reboot the machine and the issue is resolved.
The second bug is in a newly provisioned MCS catalog the XenTools of all provisioned machines won’t get installed, there is a private fix for this with Citrix Support under LC6769, the definitive solution shall be updated in 7.13 according to support.
Just to start it off I’m assuming that the following is in place and fully configured and you are familiar with these concepts:
– XenMobile 10.x cluster (XMS)
– Active Directory (AD)
– Active Directory Certificate Services (ADCS)
– Active Directory Certificate Template(s)
– NetScaler Gateway (NSGW)
– Certificate Based Authentication (CBA)
Which all of them are combined in a XenMobile deployment which is configured to use CBA as an enrollment requirement.
I came across a limitation/by design issue in conjunction with the web enrollment of ADCS that XMS cannot solve, meaning that enrollment and requests for the first time will work just fine but when you revoke or selective wipe a device/user and the latter enrolls again you will get a cached certificate from XMS (you say what…) Revocation in XMS will work just fine but not at this point because according to support the API used in ADCS is not capable of doing a revocation, and basically XMS is using the web-enrollment for this and relying on that.
If you want to check it just enroll a user with the above setup and check for yourself, user gets revoked, you revoke the user certificate in ADCS and enroll again and you will see the cached certificate being issued from XMS (and no new issued certificate from ADCS)
But there is a workaround/solution for this, query the XMS database for this certificate and select the user certificate to delete..
The following query will give you the certificates which are present on XMS
Select * from dbo.keystore where name like ‘%ag%’
To delete the certificate you execute this query with your ID (in my case 22)
Delete from dbo.keystore where id=22
After this the cached gateway certificate is deleted and with a new enrollment you will also get a new certificate.
When combining the above with a CRL or OCSP integration on the NetScaler this will give an automatic renewal request for the device, meaning no manual action needed anymore. This seems to be a builtin behaviour client side (Secure Hub) see the following article for more information: https://docs.citrix.com/en-us/netscaler/11-1/ssl/manage-cert-revocate-lists.html
I’ve done a couple of Xenmobile implementations and found at least two interesting caveats that stood out, when implementing XenMobile and finding resolutions for the problems you’ll get when not adding it in your deployment.
NTP got introduced again with XenMobile 10.3.x to be configured in the appliance, a little tip enter in an reachable internal server, when you don’t pay attention and let it stay not configured for example on VMware you will get a very nice error message from time to time on the console of your VM: “hrtimer: interrupt took XXXXXX ns” (the xxxxxx is variable) this leaves your node in an failed state and the only resolution then is a reboot of the node.
ADCS integration and let’s say you will have a tiered set for your ADCS regarding seperation of the roles. The thing that is not documented, is that XenMobile cannot request certificates when there are role seperations, everything needs to be on the same machine.
Certificate Pinning is something than can be enabled to function against MITM attacks, see Worx Home Certificate Pinning for more information. Usually when you demo or poc/pilot the solution you show al the different flavours that you can choose from. The customer I was started out with e-mailbased enrollment to the environment until the latter we changed to dual factor with certificate based authentication, and for ease of access we changed to upn enrollment with worxpin. Problem is I don’t know why or how, but when changing ADS the certificate pinning part breaks, corrupt certificate messages in worx home log or mismatch errors, you might think what’s going on! Had this kind of fun two times, and conclusion was remove the current certificate pinning / ads part and add the same setup again with the same certificates and all works again. Cloudops confirmed this on both occasions. Bug or not very annoying! I believe an support article is in the worx! (;-p)
Hope these insights help out!