Warning: if you downloaded Alcatraz before the 2nd of December 2010, please update it from the same link. An issue with leaking desktop handles affects v0.9.0.31; after updating you should have v0.9.0.32.
On the 29th of November 2010 Citrix announced a new project, code name “Alcatraz”, part of project “San Francisco”, which can be combined with project “GoldenGate” (see the end of this post for the Citrix links about each project). The idea is simple: how do you add a “lock” layer to all the published applications accessed by mobile users, and how do you improve security when a device is stolen or lost? Citrix Labs try to answer this with the new project, and I think the idea is very well thought out. Without modifying your existing Citrix architecture (XenApp, Web Interface, CAG, etc.) you can add another authentication step before an application is launched, in the form of a PIN code request (screenshot below taken from my iPhone).
To be clear, this is not a second-factor authentication add-on or product for Access Gateway and Web Interface. The PIN code screen is loaded before the published application, once the user profile has loaded.
It looks neat, but how does it work?
First you need to install the Alcatraz MSI on the XenApp servers you want to use for your tests. You can download the MSI packages here: https://www.citrix.com/English/SS/downloads/details.asp?downloadID=2305766&productID=186 (a MyCitrix account is required). There is one package for 32-bit OS and another for 64-bit OS. All the binaries are installed in the “C:\Program Files (x86)\Citrix\Alcatraz” folder, where you will find the following files:
Then the only change you need to make is to amend or create published applications dedicated to mobile users so that they run “C:\Program Files\Citrix\Alcatraz\Alcatraz.exe” /a “command line of published application” on 32-bit XenApp servers, or “C:\Program Files (x86)\Citrix\Alcatraz\Alcatraz.exe” /a “command line of published application” on 64-bit XenApp servers.
In the registry, the settings live under HKLM\Software\Citrix\Alcatraz on 32-bit servers and under HKLM\Software\WOW6432Node\Citrix\Alcatraz on 64-bit servers. All of them are explained on the project page here: http://community.citrix.com/display/xa/Getting+Started+with+Project+Alcatraz
ChallengeInterval – Forces the user to re-enter their passcode after a period of time (in seconds) even while they are interacting with the published application. Disabled by default (set to 0).
InactivityTimeout – The time (in seconds) a user can leave the published application idle before the passcode keypad is displayed and the application is locked. (Default: 60 seconds)
PasscodeHistorySize – The number of previous passcodes Alcatraz remembers for each user; any passcode still in the history cannot be reused, for additional security. (Default: 5 passcodes)
PasscodeLength – The number of digits required for a passcode. (Default: 4 digits)
PasscodeLifeSpan – The time (in days) a passcode stays valid, after which the user is prompted to set a new one. (Default: 90 days)
PasscodeRetries – The number of passcode attempts permitted before the user is forced to enter their domain password and is then allowed to reset their passcode. (Default: 3 attempts)
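To check how a server is actually configured, here is a small PowerShell audit script. It is my own addition, not part of the original post or of the Citrix package: it reads the Alcatraz key for whichever architecture is present, compares each value with the documented default and flags settings worth a second look. The review thresholds and the assumption that a missing value means the documented default applies are mine, not Citrix's.

```powershell
# Added example (not part of the original post or Citrix's tooling): audit the
# Project Alcatraz policy values against their documented defaults.
# Assumes the values are REG_DWORDs under the keys named in the post and that a
# missing value means Alcatraz uses its documented default (my assumption).

$candidates = @(
    'HKLM:\Software\Citrix\Alcatraz',              # 32-bit XenApp server
    'HKLM:\Software\WOW6432Node\Citrix\Alcatraz'   # 64-bit XenApp server
)

# Documented defaults, plus a review rule per value (thresholds are my own choice).
$policy = @{
    ChallengeInterval   = @{ Default = 0;  Check = { param($v) $v -eq 0 };  Note = 'no periodic re-challenge while the app is in use' }
    InactivityTimeout   = @{ Default = 60; Check = { param($v) $v -gt 300 }; Note = 'locks only after a long idle period' }
    PasscodeHistorySize = @{ Default = 5;  Check = { param($v) $v -lt 5 };   Note = 'allows quick passcode reuse' }
    PasscodeLength      = @{ Default = 4;  Check = { param($v) $v -lt 4 };   Note = 'passcode shorter than the default' }
    PasscodeLifeSpan    = @{ Default = 90; Check = { param($v) $v -gt 90 };  Note = 'passcode valid longer than the default' }
    PasscodeRetries     = @{ Default = 3;  Check = { param($v) $v -gt 5 };   Note = 'many guesses before the domain password is required' }
}

# Pick the first key that exists; the MSI creates it for the matching architecture.
$key = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $key) { Write-Warning 'Alcatraz registry key not found; is the MSI installed?'; return }

$props = Get-ItemProperty -Path $key
foreach ($name in ($policy.Keys | Sort-Object)) {
    $rule   = $policy[$name]
    $set    = $null -ne $props.$name
    $value  = if ($set) { [int]$props.$name } else { $rule.Default }
    $source = if ($set) { 'registry' } else { 'default' }
    $flag   = if (& $rule.Check $value) { "REVIEW: $($rule.Note)" } else { 'ok' }
    '{0,-20} {1,6} ({2,-8}) {3}' -f $name, $value, $source, $flag
}
```

Run it in an elevated PowerShell session on the XenApp server; each line shows the value in effect, whether it came from the registry or the default, and any review note.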
I made ADM files for both 32-bit and 64-bit XenApp servers; you can grab them here: http://www.archy.net/?file_id=6 (registration required, 1 minute)
I also made a video to show you how and when the PIN code is requested. As you might notice in this very short video, the logon is processed, the user profile is loaded, and then the PIN code is requested before the published application can be accessed.
Video: http://www.youtube.com/watch?v=4eJP2AEig_M
If you forget your PIN code, don’t worry: just delete the registry key HKCU\Software\Citrix\Alcatraz, and the next time you open an application the new code generation process begins.
Just a little tip: when you authenticate with your domain password during the first launch, you need to validate it with the return (or enter) key on the virtual keyboard. I think this is a great way to bring some more security to mobile applications without introducing another system, token or anything else users would have to learn. A PIN code is something everyone already uses every day.
To make this project better, I think the Citrix guys should add a validate or enter button on the Alcatraz screen to confirm the domain password.