SafeWord for Citrix adds strong
authentication to your Citrix deployments, positively
identifying users who access your Citrix applications.
SafeWord for Citrix delivers security through
one-time passcode-generating hardware tokens. Only the
SafeWord server knows which passcode will allow the
user to gain access. This eliminates threats from outsiders
stealing, copying, or reusing passwords.
In addition to featuring tight integration with the Citrix Web Interface and Secure Access Manager,
SafeWord for Citrix is managed directly from Microsoft
Active Directory, allowing administrators to easily manage
tokens and users.
Schema extension recommendations
Some network administrators and IT staff members have
expressed reluctance to install applications that extend the
Active Directory schema, as evidenced in several online
discussion groups. While the Microsoft Knowledge Base
advises caution when making changes to the Active
Directory schema, Microsoft expressly states that extending
the AD schema is, in fact, encouraged as a way to extend the
Active Directory definition (when done following
Microsoft recommendations).
Microsoft recommends only using schema extensions
that follow recommended "best practices." SafeWord for
Citrix follows the Microsoft best practices list.
The list, found at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/adschemaext.asp, includes the following guidelines for extending the schema:
- The schema is neither a database nor a file system.
Don't treat it as such.
- Place references in the directory that point to other
data stores instead of using the directory for something
for which it was not designed.
- Only define globally interesting, relatively static
information in the schema.
- Objects defined in the schema should not be created
very often or modified frequently.
- Objects should have a long life.
- Use twice the maximum replication frequency when
determining longevity or frequency.
- Test the application in a private forest and with other
applications before deploying.
- The schema upgrade must be separate from the
application installation.
SafeWord for Citrix has followed the
Microsoft recommendations to create the SafeWord for
Citrix Active Directory extension.
Application requirements for shipping
Microsoft offers some caveats for schema extensions that
ship with applications such as SafeWord for Citrix. All
caveats have been explicitly followed: a separate install has
been created for SafeWord for Citrix, and the following
steps recommended by Microsoft have been implemented:
- The application must use a registered prefix and base
OID for each class and attribute.
- The application must have a unique schemaIDGUID for
each class and attribute.
- LDIF files for your schema installation must be created.
- The application uses LDIFDE.exe to load the LDIF files.
- The application and schema extensions were tested on
Secure Computing's local network.
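
A pre-deployment check of these requirements, as an added example that is not Secure Computing's or Microsoft's code: the Python below reads a schema LDIF file before it is handed to LDIFDE.exe and reports any attribute or class whose OID falls outside the registered base, whose name lacks the registered prefix, or whose schemaIDGUID is missing or reused. The sample LDIF, the 2.999.1 base OID and the "example" prefix are constructed placeholders, and parse_entries and lint are hypothetical helper names.

```python
import base64
# Constructed sample LDIF; 2.999 is the example OID arc, prefix and GUID are placeholders.
SAMPLE_LDIF = """\
dn: CN=example-Token-Serial,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: exampleTokenSerial
attributeID: 2.999.1.1.1
schemaIDGUID:: AAECAwQFBgcICQoLDA0ODw==

dn: CN=example-Token,CN=Schema,CN=Configuration,DC=X
objectClass: classSchema
lDAPDisplayName: exampleToken
governsID: 2.999.1.2.1
schemaIDGUID:: AAECAwQFBgcICQoLDA0ODw==

dn: CN=Token-Owner,CN=Schema,CN=Configuration,DC=X
objectClass: attributeSchema
lDAPDisplayName: tokenOwner
attributeID: 2.999.7.1
"""

def parse_entries(ldif):
    """Yield one dict per LDIF record (no line folding); '::' marks base64."""
    for block in ldif.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            b64 = value.startswith(":")
            rec[key.lower()] = base64.b64decode(value[1:].strip()) if b64 else value.strip()
        yield rec

def lint(ldif, base_oid, prefix):
    """Return (lDAPDisplayName, problem) pairs for schema entries."""
    findings, seen = [], {}
    for rec in parse_entries(ldif):
        kind = rec.get("objectclass")
        if kind not in ("attributeSchema", "classSchema"):
            continue
        name = rec.get("ldapdisplayname", "?")
        oid = rec.get("attributeid" if kind == "attributeSchema" else "governsid", "")
        guid = rec.get("schemaidguid")
        if not oid.startswith(base_oid + "."):
            findings.append((name, "OID outside registered base"))
        if not name.startswith(prefix):
            findings.append((name, "missing registered prefix"))
        if not isinstance(guid, bytes) or len(guid) != 16:
            findings.append((name, "schemaIDGUID missing or malformed"))
        elif seen.setdefault(guid, name) != name:
            findings.append((name, "schemaIDGUID duplicates " + seen[guid]))
    return findings
```

Calling lint(SAMPLE_LDIF, "2.999.1", "example") reports the reused GUID on exampleToken and three problems on tokenOwner, while exampleTokenSerial passes.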
For more information
If you have additional questions or concerns on the
implementation of the Active Directory schema
extensions in SafeWord for Citrix, contact
sales@securecomputing.com or visit
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/adschemaext.asp.