topic Re: Terminal Services Agent in Windows 2016 Citrix - SMB-Sessions not mapped to user in General Topics

Terminal Services Agent in Windows 2016 Citrix - SMB-Sessions not mapped to user

WalterWerther — Thu, 20 Feb 2020 08:51:57 GMT

Dear community,

we're running W2K16 servers here using Citrix. We also installed the latest TSA and when a user logs in he is properly recognized on the firewall and the TSA assigns a port-range dedicated to the user.

When establishing new TCP-connection that is also properly recognized on the firewall and permissions can be granted depending on the user. So on first sight everything works perfect.

Now let me explain our problem. Whenever you start a file-explorer or try to open a file within a software (e.g. a Word-Document or Excel-File) access to remote-servers (SMB-Share) is not done from the ports assigned to the user. All traffic seems to be sent from the system-account and therefore the firewall cannot map the user.

So my problem is now, how could I limit the access to file-servers for requests coming from the Citrix-Server running the TSA to specific users?

e.g.

User1,2 should be able to access file-server 1 but not 2

User 3,4 should be able to access file-server 2 but not 1

We had already opened a support ticket on Palo Alto and they confirmed this behaivour but they had not been able to provide a solution.

I think this is a nightmare as File-Access is one of the core-features each software needs and I can't imagine that we're the only one having that problem. Any one else here having that problem? Any solutions? Is there a magic switch on Windows that enables a SMB-session per User, instead of per Machine? Or is no one else in this community doing file-operations on remote systems?

Thanks

Walter

Re: Terminal Services Agent in Windows 2016 Citrix - SMB-Sessions not mapped to user

reaper — Thu, 20 Feb 2020 10:44:22 GMT

This is because fileshares are accessed at the system level rather than the user level on windows machines, This happens below the level where TSAgent is able to intercept and change source port

Re: Terminal Services Agent in Windows 2016 Citrix - SMB-Sessions not mapped to user

WalterWerther — Fri, 21 Feb 2020 06:17:28 GMT

Thanks for the answer,

In the meantime I found in the internet, that other Terminal Service Agents are facing the same problem. It also seems, that there is no workaround known for that issue.

I'm quite surprised that it seems, that no one has the use-case to allow file access based on detected users. Of course SMB brings some security features and I need to rely on the security of AD anyway when using user-detection. But limiting the access of potentially attackable servers would reduce the attack surface.

So I'm quite surprised that it seems like no vendor (Palo, Cisco, Checkpoint, etc.) is trying to convience Microsoft to modify the behavior on TS-Servers that SMB-Sessions are not handled in System-Context.

Anyone out there having a solution or workaround?