pGINA credential validation?


Brian

May 30, 2012, 9:03:18 PM
to pgina...@googlegroups.com
Carrying over from general group as requested..

Trying to get an interactive session to validate through Citrix. It's for user desktop sessions but it seems Citrix doesn't use the standard Credential Provider interface. It's a Windows desktop but it looks to make direct API calls to auth.

In any case I'm writing an app to front-end the login process so I can use pGINA to auth a user in C# and make it all work.

Looked for docs to use the API but didn't see anything, hoping

David Wolff

May 30, 2012, 9:17:41 PM
to pgina...@googlegroups.com
Why not just have the IIS .NET app just connect to the LDAP server directly and auth the user that way?

David
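
David's suggestion above (let the .NET app validate the user against LDAP itself) is the simplest path, so here is an added C# example of what that validation looks like; it is not pGina's code and not anything from the thread. It assumes .NET Framework with System.DirectoryServices.Protocols, an LDAPS-capable directory, and that the caller already knows the user's DN (host, port and DN below are constructed placeholders). The one check worth calling out is the empty-password guard: a simple bind with a DN and an empty password is treated by many directories as an anonymous bind and succeeds, which would let anyone "authenticate" as any user.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not part of pGina. Validates a username/password pair by
// performing an LDAP simple bind as that user over LDAPS.
static class LdapAuth
{
    // Returns true only when the directory accepts a simple bind as userDn.
    public static bool ValidateCredentials(string host, int port, string userDn, string password)
    {
        // An empty password must never reach the server: RFC 4513 allows a
        // DN plus empty password to be treated as an anonymous bind, which
        // "succeeds" without proving anything about the user.
        if (string.IsNullOrEmpty(password)) return false;

        var id = new LdapDirectoryIdentifier(host, port);
        using (var conn = new LdapConnection(id))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;   // LDAPS: the password is never sent in clear
            conn.AuthType = AuthType.Basic;                 // simple bind; the "user name" is the full DN
            conn.Credential = new NetworkCredential(userDn, password);
            try
            {
                conn.Bind();
                return true;
            }
            catch (LdapException)
            {
                // Invalid credentials, unknown DN, or a TLS/connection failure
                // all count as "not authenticated" from the app's point of view.
                return false;
            }
        }
    }

    static void Main()
    {
        // Constructed placeholder values; replace with your directory's host and the user's DN.
        bool ok = ValidateCredentials("ldap.example.test", 636,
                                      "uid=jdoe,ou=people,dc=example,dc=test",
                                      "correct horse battery staple");
        Console.WriteLine(ok ? "authenticated" : "rejected");
    }
}
```

In most deployments the app only has the user's login name, not the DN; the usual pattern is a search with a low-privilege service account to resolve the DN, then the bind above as the user. Note also that this only answers "are these credentials valid"; it does not create the local Windows account or group memberships that Brian's scenario relies on pGina for.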

Brian

May 30, 2012, 9:43:39 PM
to pgina...@googlegroups.com
Sorry about the first post, looks like it cut off...

The reason I ended up here is because Citrix needs a Windows account with group memberships etc. on the local machine, and it's all maintained in an LDAP directory and the account list is fairly dynamic. I have pGINA authing from LDAP, creating the Windows account and applying group memberships, and until I found that Citrix doesn't apparently use a Credential Provider for everything I thought it was good, but it is an interactive login so it's frustrating.

Current approach is to force a pGINA auth to get all of its benefits and pass the credentials into Citrix on the fly; since the Windows account will exist it will succeed.

I wanted to stay away from writing my own code to create the Windows account, groups, etc. after a direct LDAP auth, but if that makes more sense I may have to start marching down that path.

David Wolff

May 30, 2012, 11:31:29 PM
to pgina...@googlegroups.com
So, if I understand you correctly, you want to have another service (IIS) trigger the logon process through pGina.

The pGina service communicates with the pGina Credential Provider via a named pipe.  I suppose that it would be theoretically possible to "impersonate" the Credential Provider and communicate with the service via that same pipe.  However, that's an option that is outside of the current pGina design.  Perhaps for a future major release we could think about supporting communication with the pGina service from other apps/services, however it's currently not a common use case.

Thanks,
David
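
David's point that another process could "impersonate" the Credential Provider on the service's named pipe is exactly the risk a pipe DACL addresses, so here is an added C# example of the mechanism in general; it is not pGina's code and says nothing about how pGina's own pipe is actually secured. It assumes .NET Framework (where NamedPipeServerStream accepts a PipeSecurity directly), and the pipe name is a constructed placeholder. The server grants access only to LOCAL SYSTEM, the account a credential provider runs under at the logon screen, so any other local process that tries to open the pipe is refused by the kernel before a byte is exchanged.

```csharp
using System;
using System.IO.Pipes;
using System.Security.AccessControl;
using System.Security.Principal;
using System.Threading;

// Added example, not pGina code. Shows a named-pipe server whose DACL
// restricts callers to LOCAL SYSTEM, and a client that reports whether it
// was allowed in.
static class PipeAclDemo
{
    const string PipeName = "example-logon-pipe"; // constructed placeholder, not pGina's real pipe name

    // Server: create the pipe with an explicit DACL. Only SYSTEM gets an
    // Allow ACE; every other principal has no ACE at all, which is a denial.
    public static void RunServer(ManualResetEvent ready)
    {
        var acl = new PipeSecurity();
        var system = new SecurityIdentifier(WellKnownSidType.LocalSystemSid, null);
        acl.AddAccessRule(new PipeAccessRule(system, PipeAccessRights.ReadWrite, AccessControlType.Allow));

        using (var server = new NamedPipeServerStream(PipeName, PipeDirection.InOut, 1,
            PipeTransmissionMode.Message, PipeOptions.None, 4096, 4096, acl))
        {
            ready.Set();
            server.WaitForConnection();
            // Defence in depth: the DACL already filtered callers; still log who connected.
            Console.WriteLine("Server: accepted connection from " + server.GetImpersonationUserName());
        }
    }

    // Client: returns true if this process was permitted to open the pipe.
    public static bool TryConnect()
    {
        using (var client = new NamedPipeClientStream(".", PipeName, PipeDirection.InOut))
        {
            try
            {
                client.Connect(2000);
                return true;
            }
            catch (UnauthorizedAccessException)
            {
                // ERROR_ACCESS_DENIED from the pipe DACL: the expected outcome
                // for any process that is not running as SYSTEM.
                return false;
            }
        }
    }

    static void Main()
    {
        var ready = new ManualResetEvent(false);
        var serverThread = new Thread(() => RunServer(ready)) { IsBackground = true };
        serverThread.Start();
        ready.WaitOne();

        bool connected = TryConnect();
        Console.WriteLine(WindowsIdentity.GetCurrent().Name +
            (connected ? " connected" : " was denied by the pipe DACL"));
    }
}
```

Run as an ordinary user the client is refused; run as SYSTEM (for example via a service) it connects. The practical lesson for any logon-helper service is that "who can open the pipe" should be decided by the DACL at creation time, and the server should additionally check the connected client's identity rather than trusting whatever arrives on the pipe.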

Brian

May 31, 2012, 10:16:57 AM
to pgina...@googlegroups.com

On Wednesday, May 30, 2012 11:31:29 PM UTC-4, David Wolff wrote:
So, if I understand you correctly, you want to have another service (IIS) trigger the logon process through pGina.

The pGina service communicates with the pGina Credential Provider via a named pipe.  I suppose that it would be theoretically possible to "impersonate" the Credential Provider and communicate with the service via that same pipe.  However, that's an option that is outside of the current pGina design.  Perhaps for a future major release we could think about supporting communication with the pGina service from other apps/services, however it's currently not a common use case.

David,

Thanks for all of the information, it's been very helpful. I started playing with the named pipe based on the service simulation and can connect (some PowerShell testing), so I might give that a shot. Are there any docs/references on the named pipe API you can share?

David Wolff

May 31, 2012, 2:02:58 PM
to pgina...@googlegroups.com
Are there any docs/references on the Named pipe API you can share?

Currently, no docs other than the source code itself.

David

Nate Yocom

May 31, 2012, 9:31:54 PM
to pgina...@googlegroups.com
I don't understand the use case here - perhaps it is because I'm not familiar with the Citrix flow.

Can you walk me through the general case here (ignoring pGina)? I.e. I'm sitting at my desktop, I want to run an app that requires Citrix... do I get prompted for credentials? Or does it just work? If I get prompted, who is prompting me (what does it look like)? Maybe a screenshot would help?

Thanks,
Nate

Brian

May 31, 2012, 9:55:32 PM
to pgina...@googlegroups.com
Nate,

I can provide some context since it can be confusing...

In short, all of your scenarios are valid; you may or may not get prompted depending on the environment, but the general workflow is the same.

1. I want to run an app/windows desktop via Citrix.
2. I launch the Citrix client or Web Interface, which in turn launches the client.
3. I'm prompted for a login or I'm automatically logged in via Kerberos.
4. The backend uses the credentials passed to get an identity token (WindowsIdentity I think).
5. The application/desktop is launched as an interactive Windows session and the user has a valid login session on the computer.

The backend validates the user's credentials. Some credential providers seem to have an impact on this process when installed, others (including pGINA) do not; it may be because some also implement an LSA while others don't.

In my case I want to auth from an LDAP directory and have the user logged in. If using standard Windows interactive login at the desktop this works fine and pGINA is good to go; when doing the same via Citrix it is bypassed.