Troubleshooting XenMobile Enterprise
Karen Sciberras and Adolfo Montoya
May 2014
Deep dive Authentication Flow
Citrix TechEdge 2014 - Troubleshooting Top Issues with XenMobile Enterprise Edition

XenMobile Enterprise Edition includes multiple Citrix components which can result in many different integration issues. In this session we will review the top integration issues and discuss the recommended troubleshooting and prevention steps for each issue.

What you will learn:
- Device Manager and App Controller integration best practices
- NetScaler configuration troubleshooting - SSL Bridge vs. SSL Offloading
- Device Manager enrollment - using a 3rd party certificate


  1. Troubleshooting XenMobile Enterprise. Karen Sciberras and Adolfo Montoya, May 2014. Deep dive Authentication Flow
  2. © 2014 Citrix. Confidential. Agenda
     • Authentication flow from Worx Home to Worx Store
     • Single Sign-on process between NetScaler Gateway and App Controller
     • ‘Step-up’ authentication for Worx apps
  3. XenMobile Enterprise Authentication flows
  4. Authentication flow (diagram labels: Device, Worx Home, MDM, MAM, NetScaler, Load Balancer, Gateway, Active Directory, XDM, App Controller)
  5. Authentication flow
  6. Authentication flow (diagram labels: App Controller, XDM, Device, Worx Home, MDM, MAM, NetScaler, Load Balancer, Gateway, Active Directory, Load Balancer, HTTPS 443, HTTPS 8443, SSL Offload vServer 1, SSL Offload vServer 2, HTTP 80, HTTP 80)
  7. Authentication flow (diagram labels: App Controller, XDM, Device, Worx Home, MDM, MAM, NetScaler, Load Balancer, Gateway, Active Directory, User mapped to Device Identity)
  8. Authentication flow (diagram labels: Active Directory, App Controller, XDM, Device, Worx Home, MDM, MAM, NetScaler, Load Balancer, Gateway, Active Directory)
  9. Authentication flow (diagram labels: App Controller, XDM, Device, Worx Home, MDM, MAM, Worx Mail, MDX Apps, Worx Web, Office HD, NetScaler, Load Balancer, Gateway, Active Directory)
  10. Troubleshooting
     Obtaining XenMobile Device Manager logs
     • Accessing helper.jsp console
  11. Troubleshooting
  12. Troubleshooting
     Obtaining XenMobile Device Manager logs
     • Accessing helper.jsp console
     Worx Home Logs
     • Same process to obtain MDX logs
  13. Troubleshooting
  14. Troubleshooting
     Obtaining XenMobile Device Manager logs
     • Accessing helper.jsp console
     Worx Home Logs
     • Same process to obtain MDX logs
     Reading Worx Home logs
     • MDM and MAM logs
  15. (no text)
  16. NetScaler Gateway and XM App Controller: How Single Sign-on Works
  17. How Single Sign-on works? (diagram labels: App Controller, Device, Worx Home, MDM, MAM, NetScaler, Load Balancer, Gateway, Active Directory, Active Directory; flow labels: Username / Password, Validate Credentials, Credentials Valid!, Is user valid?, Start SSO Process)
  18. How Single Sign-on works? (diagram labels: App Controller, Device, Worx Home, MDM, MAM, NetScaler, Load Balancer, Gateway; flow labels: HTTP Header X-Citrix-Via, HTTP Header X-Citrix-Gateway, HTTP Header X-Citrix-Via-VIP, Gateway trusted!, Perform Single Sign-on)
  19. What are these HTTP Headers for?
     XenMobile App Controller needs to trust incoming communication from NetScaler Gateway. HTTP headers are very important!
     Client-side (Worx Home) HTTP Headers:
     • X-Citrix-Gateway: NetScaler Gateway FQDN
     NetScaler-side HTTP Headers:
     • X-Citrix-Via: NetScaler Gateway FQDN
     • X-Citrix-Via-VIP: NetScaler Gateway VIP
  20. Why HTTP Headers? X-Citrix-Via HTTP Header
     These values give App Controller the key information it needs to perform trust verification.
     The X-Citrix-Via value needs to match the External URL.
       POST /Citrix/StoreWeb/Authentication/Login HTTP/1.1
       Host: appc.amc.ctx
       …….
       X-Citrix-Via: ag.amc.ctx
       X-Citrix-Via-VIP: 172.16.0.63
       X-Forwarded-For: 10.12.59.17
     X-Citrix-Via = External URL!
  21. Why HTTP Headers? X-Citrix-Via-VIP HTTP Header
     The X-Citrix-Via-VIP HTTP header is valuable in setups with multiple NetScaler Gateways.
     It helps App Controller determine which NetScaler Gateway VIP to contact for SSO.
       POST /Citrix/StoreWeb/Authentication/Login HTTP/1.1
       Host: appc.amc.ctx
       …….
       X-Citrix-Via: ag.amc.ctx
       X-Citrix-Via-VIP: 172.16.0.63
       X-Forwarded-For: 10.12.59.17
  22. What to check? NetScaler and App Controller
     • (App Controller) Ensure External URL is correct
     • (NetScaler) Ensure WIHome contains App Controller URL for RfWeb site
  23. Step-up Authentication Policy
  24. Benefits
     • New MDX application policy introduced with App Controller 2.9
     • Allows users to authenticate through a particular NetScaler Gateway vServer
     • Configured on a per-application basis
     • Users are asked to enter additional credentials, such as an RSA token
  25. Troubleshooting
  26. Further Reading
     • Worx Home - User Authentication and Communication Flow - http://www.citrix.com/tv/#videos/9438
     • XenMobile: WorxWeb Single Sign On with NetScaler - http://blogs.citrix.com/2013/12/24/xenmobile-worxweb-single-sign-on-with-netscaler/
     • XenMobile 8.6 - Understanding Authentication Timeout Values - http://support.citrix.com/article/CTX139600
     • Enrollment Process for XenMobile - http://support.citrix.com/article/CTX139029
     • Myth Buster: NetScaler Gateway MicroVPNs – multiple tunnels? - http://blogs.citrix.com/2013/09/13/myth-buster-netscaler-gateway-microvpns-multiple-tunnels/
     • XenMobile Logs Collection Guide - http://support.citrix.com/article/CTX139421
  27. Take Aways
     • Authentication process from server URL to Worx Store
     • Using helper.jsp console to obtain XenMobile Device Manager logs
     • Obtain Worx Home and MDX application logs from Worx Home
     • Reading a log file
     • How Single Sign-on works between NSG and App Controller
     • Different HTTP headers used
     • Step-up Authentication
  28. @XMtipster | @XMinformer
  29. WORK BETTER. LIVE BETTER.
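
The header checks from slides 19 to 22, as an added troubleshooting example that is not part of the original deck or any Citrix tooling: it parses a captured login request and reports why the SSO trust check would be inconsistent. The function names, the comparison by host name, and the `gateway_vips` allow-list are assumptions; the sample request is constructed from the one shown on the slides.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed capture, modelled on the sample request shown on slides 20 and 21.
SAMPLE_REQUEST = (
    "POST /Citrix/StoreWeb/Authentication/Login HTTP/1.1\r\n"
    "Host: appc.amc.ctx\r\n"
    "X-Citrix-Via: ag.amc.ctx\r\n"
    "X-Citrix-Via-VIP: 172.16.0.63\r\n"
    "X-Forwarded-For: 10.12.59.17\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return {lower-case name: value} for the header block of a raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def host_of(value):
    """Normalise a bare FQDN or a full URL to a lower-case host name."""
    if "://" not in value:
        value = "//" + value                   # let urlsplit see a netloc
    return (urlsplit(value).hostname or "").rstrip(".").lower()

def check_sso_headers(raw, external_url, gateway_vips):
    """Return a list of findings; an empty list means the headers are consistent.

    external_url: the External URL configured on App Controller (assumed input).
    gateway_vips: set of ipaddress objects for the known NetScaler Gateway VIPs.
    """
    h = parse_headers(raw)
    findings = []
    via = h.get("x-citrix-via")
    if via is None:
        findings.append("X-Citrix-Via header is missing")
    elif host_of(via) != host_of(external_url):
        findings.append(f"X-Citrix-Via {via!r} does not match External URL {external_url!r}")
    vip = h.get("x-citrix-via-vip")
    try:
        if vip is None or ipaddress.ip_address(vip) not in gateway_vips:
            findings.append(f"X-Citrix-Via-VIP {vip!r} is not a known gateway VIP")
    except ValueError:
        findings.append(f"X-Citrix-Via-VIP {vip!r} is not an IP address")
    return findings
```

Run it against a request taken from a network trace on the App Controller side; each finding maps to one item on the "What to check?" slide.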
