Monday 26 March 2012

How To Lock Down Access To Your Citrix Web Interface 5.4 By Security Group

Hi All,
You will find everything you need from this website.
I followed the instructions and it worked perfectly.

Below are the steps I performed.

1. Made a backup of c:\inetpub\wwwroot\Citrix\<SiteCode>\app_data\serverscripts\include.aspxf

2. Placed the following code in include.aspxf directly under Global Variable.

/*
 * By CTX Experientia S.L.
 *    Modified for WI5.01 by Justin Bousquet
 * Gets a list of the user's groups.
 * Returns a list of all groups of a user.
 * If your LDAP directory needs authentication (like AD) to retrieve the info, you must define
 * the AdminUSER and AdminPWD fields on DirectoryEntry.
 * If you can't use administrator credentials to retrieve info, please
 * follow these instructions to create a guest user with read rights over LDAP.
 *    1. Create a user. During creation mark the "Password never expires" and "User cannot change password" checkboxes
 *       and clear the "User must change password at first logon" one.
 *    2. After the user is created go to the account properties and add it to the "Domain Guests" group. Mark this
 *       group as Primary. Remove the account from the "Domain Users" group.
 *    3. Right-click the domain root and select the "Delegate control" task. Select the account you've created.
 *       On the next step select the "Create a custom task to delegate" item.
 *    4. On the next step check "Only the following objects in the folder" and mark the item "Group objects"
 *       in the list below.
 *    5. On the next step check the "General" checkbox only and mark the "Read all properties" item in the list below.
 *    6. Finish the wizard and specify the user's credentials in the app_data/serverscripts/include.aspxf script.
 * @return A list of groups separated by a bar (|)
 */
// Requires the System.DirectoryServices and System.Text namespaces to be imported by the page.
string GetADUserGroups(string userName) {
    // Host name of a domain controller plus the domain naming context, e.g. DC=example,DC=local
    string strLDAP = "LDAP://<DC_Server_Name>/DC=<Domain>,DC=<Domain>";
    // Account with read rights over group objects (see the instructions above)
    DirectoryEntry entryDomain = new DirectoryEntry(strLDAP, "Username", "Password");

    DirectorySearcher search = new DirectorySearcher(entryDomain);
    search.Filter = String.Format("(sAMAccountName={0})", userName);
    StringBuilder groupsList = new StringBuilder();
    SearchResult result = search.FindOne();
    if (result != null) {
        int groupCount = result.Properties["memberOf"].Count;
        for (int counter = 0; counter < groupCount; counter++) {
            // each memberOf value is the distinguished name of one group the user is a direct member of
            groupsList.Append(result.Properties["memberOf"][counter].ToString()).Append("|");
        }
    }
    if (groupsList.Length > 0)
        groupsList.Length -= 1; // remove the trailing '|' symbol
    return groupsList.ToString();
}
3. Created a user on my domain following the instructions above within include.aspxf

4. Changed the following sections of include.aspxf to represent my domain, username and password

string strLDAP = "LDAP://<DC_Server_Name>/DC=<Domain>,DC=<Domain>";
DirectoryEntry entryDomain = new DirectoryEntry(strLDAP, "UserName", "password");

5. Made a backup of c:\inetpub\wwwroot\Citrix\XenApp\<SiteCode>\default.aspx and copied the new one over

6. Copied the wimods folder under app_data to c:\inetpub\wwwroot\Citrix\<SiteCode>\app_data\

7. Edited the file groups.aspx located in c:\inetpub\wwwroot\Citrix\<SiteCode>\app_data\wimods\grpaccess, replacing the string groups_permited = "all"; with string groups_permited = "My Security Group";
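Two things worth knowing before relying on this check: the memberOf attribute returns each group as a distinguished name (CN=My Security Group,OU=...,DC=...), not the plain name you put in groups_permited, and it only lists direct memberships, so nested groups and the user's primary group are not included. The following is an added example (not part of the original post nor of the wimods scripts, whose matching logic is not shown here) of how the bar-separated list from GetADUserGroups can be compared against groups_permited; it assumes groups_permited holds "all" or one or more group names separated by '|'.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example: access decision over the output of GetADUserGroups.
public static class GroupAccessCheck
{
    // Returns the CN component of an LDAP distinguished name, unescaping "\," and
    // similar escapes; a value without a "CN=" prefix is returned unchanged.
    public static string CommonNameOf(string distinguishedName)
    {
        if (!distinguishedName.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
            return distinguishedName;
        var cn = new StringBuilder();
        for (int i = 3; i < distinguishedName.Length; i++)
        {
            char c = distinguishedName[i];
            if (c == '\\' && i + 1 < distinguishedName.Length)
                cn.Append(distinguishedName[++i]);   // keep the escaped character
            else if (c == ',')
                break;                               // end of the CN component
            else
                cn.Append(c);
        }
        return cn.ToString();
    }

    // userGroupsList: "|"-separated DNs from GetADUserGroups (empty if user not found).
    // groupsPermitted: the groups_permited value, "all" or "Group A|Group B".
    public static bool IsPermitted(string userGroupsList, string groupsPermitted)
    {
        if (string.Equals(groupsPermitted.Trim(), "all", StringComparison.OrdinalIgnoreCase))
            return true;
        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string g in groupsPermitted.Split('|'))
            if (g.Trim().Length > 0) allowed.Add(g.Trim());
        // An empty list (user not found, or no direct group memberships) is denied.
        foreach (string dn in userGroupsList.Split('|'))
            if (dn.Trim().Length > 0 && allowed.Contains(CommonNameOf(dn.Trim())))
                return true;
        return false;
    }

    public static void Main()
    {
        // Constructed sample input in the shape GetADUserGroups returns.
        string groups = "CN=Domain Users,CN=Users,DC=example,DC=local|CN=My Security Group,OU=Groups,DC=example,DC=local";
        Console.WriteLine(IsPermitted(groups, "My Security Group"));  // True
        Console.WriteLine(IsPermitted(groups, "Citrix Admins"));      // False
        Console.WriteLine(IsPermitted("", "My Security Group"));      // False
    }
}
```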

The result is
