Implementation Guide for protecting

Transcription

1 Implementation Guide for protecting Remote Web Workplace (RWW) Outlook Web Access (OWA) 2003 SharePoint 2003 IIS Web Sites with BlackShield ID Copyright 2010 CRYPTOCard Inc.

2 Copyright Copyright 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard. Trademarks BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners. Additional Information, Assistance, or Comments CRYPTOCard s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs. To contact CRYPTOCard directly: International Voice: North America Toll Free: support@cryptocard.com For information about obtaining a support contract, see our Support Web page at Related Documentation Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: Publication History Date Changes Version January 26, 2009 Document created 1.0 July 9, 2009 Copyright year updated 1.1 October 16, 2009 Minor updates 1.2 BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW i

3 Table of Contents Overview... 1 Applicability... 1 Assumptions... 2 Operation... 2 Preparation and Prerequisites... 2 Configuration... 3 Protecting Microsoft Remote Web Workplace...3 Protecting Microsoft Outlook Web Access (OWA) using forms-based authentication...3 Protecting Microsoft Outlook Web Access (OWA) using basic authentication...4 Protecting Microsoft Share Point...5 Protecting custom virtual directories...6 GrIDsure Tokens... 7 Outlook Web Access Forms based authentication...7 SharePoint...9 Troubleshooting BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW ii

4 Overview By default Remote Web Workplace, Outlook Web Access and SharePoint requires that a user provide a correct user name and password to successfully logon. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding a requirement to provide a one-time password generated by a CRYPTOCard token using the BlackShield ID Agent IIS ( Agent ). The BlackShield ID IIS Agent allows two-factor authentication of users accessing IIS web sites, including Microsoft Remote Web Workplace Microsoft Outlook Web Access (Basic & Web forms) Microsoft Share Point Any virtual directory you have created Applicability Summary Product Name Microsoft Internet Information Server 6.0 Vendor Site Supported Application Software Remote Web Workplace 2003 Outlook Web Access 2003 Microsoft SharePoint 2003 IIS Virtual Directories Authentication Method Supported BlackShield ID Pro Agent functionality BlackShield ID Pro Agent Authentication Mode New PIN Mode Web Site Protection One-time password Challenge-response / Next Tokencode BlackShield ID Pro static password User-changeable Alphanumeric 3-16 digit PIN User-changeable Numeric 3-16 digit PIN Server-changeable Alphanumeric 3-16 digit PIN Server-changeable Numeric 3-16 digit PIN Virtual Directories BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 1

5 This integration guide is applicable to: CRYPTOCard Server Authentication Server Version BlackShield ID Small Business Edition 1.2+ Professional Edition 2.3+ CRYPTOCard Agent Agent BlackShield ID Authentication Agent for IIS Version 2.x Operating System 32-bit Windows 2003 Assumptions BlackShield ID has been installed and configured and a Test user account can be selected in the Assignment Tab. Operation The BlackShield ID Agent for IIS modifies the logon pages for Remote Web Workplace, Outlook Web Access, and Sharepoint. It adds an additional field labeled OTP (One-Time Password) to the logon pages. The user will enter in their regular credentials as well as an OTP after the plug-in has been enabled. Preparation and Prerequisites 1. Ensure you can successfully authenticate to the given service using a static username and password prior to enabling BlackShield ID protection. 2. If you are using a generated key file, ensure to place it in the appropriate key file directory within the agent s installation directory. BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 2

6 Configuration Protecting Microsoft Remote Web Workplace 1. Open the Internet Information Services (IIS) Manager. It can be started by clicking Start Administrative Tools Internet Information Services (IIS) Manager. 2. Expand the first node in the left hand pane, which is the name of your web server (local computer). 3. Expand Web Sites. 4. Expand Default Web Site. 5. Right click the virtual directory Remote, and select Properties. 6. Select the CRYPTOCard tab. 7. Select Enable BlackShield Authentication for this virtual directory 8. From the drop down menu, select the option for RWW, which has its path ending in iis agent\rww\authisapi.dll. 9. Select OK. RWW is now protected. To verify, right click the virtual directory Remote and select Browse. A modified logon form should appear with an OTP field added. Protecting Microsoft Outlook Web Access (OWA) using forms-based authentication 1. Open the Internet Information Services (IIS) Manager. It can be started by clicking Start Administrative Tools Internet Information Services (IIS) Manager. 2. Expand the first node in the left hand pane, which is the name of your web server (local computer). 3. Expand Web Sites. 4. Expand Default Web Site. 5. Expand ExchWeb. 6. Right click the virtual directory bin, and select Properties. 7. Select the CRYPTOCard tab. 8. Select Enable BlackShield Authentication for this virtual directory 9. From the drop down menu, select the option for OWA, which has its path ending in iis agent\owa\authisapi.dll. 10. Select OK. BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 3

7 OWA is now protected. To verify, right click the virtual directory Exchange and select Browse. A modified logon form should appear with an OTP field added. Protecting Microsoft Outlook Web Access (OWA) using basic authentication The IIS agent is installed to protect OWA using forms authentication by default, however, it can be reconfigured to use Basic authentication by following the steps below if your Exchange Server is not using Forms authentication. 1. Open the Internet Information Services (IIS) Manager. It can be started by clicking Start Administrative Tools Internet Information Services (IIS) Manager. 2. Expand the first node in the left hand pane, which is the name of your web server (local computer). 3. Expand Web Sites. 4. Right click Default Web Site and select Properties. 5. Select the CRYPTOCard tab. 6. Select Enable BlackShield Authentication for this virtual directory 7. From the drop down menu, select the option for OWA, which has it's path ending in iis agent\owa\authisapi.dll. 8. Select Preconfigured application from the set of radio buttons below 9. From its drop down menu, select Exchange (Cryptocard_template_exchange.xml). 10. Select OK. 11. Expand Default Web Site. 12. Expand ExchWeb. 13. Right click the virtual directory bin, and select Properties. 14. Select the CRYPTOCard tab. 15. Select Enable BlackShield Authentication for this virtual directory 16. From the drop down menu, select the option for OWA, which has it's path ending in iis agent\owa\authisapi.dll. 17. Select OK. OWA is now protected. To verify, right click the virtual directory Exchange and select Browse. A modified logon form should appear with an OTP field added. BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 4

8 Protecting Microsoft Share Point 1. Open the Internet Information Services (IIS) Manager. It can be started by clicking Start Administrative Tools Internet Information Services (IIS) Manager. 2. Expand the first node in the left hand pane, which is the name of your web server (local computer). 3. Expand Web Sites. 4. Expand the name of your SharePoint web site. By default, the name of this site is often companyweb 5. Right click the virtual directory _vti_bin, and select Properties. 6. Select the CRYPTOCard tab. 7. Select Enable BlackShield Authentication for this virtual directory 8. From the drop down menu, select the option for Sharepoint, which has it's path ending in iis agent\sharepoint\authisapi.dll. 9. Select Preconfigured application from the set of radio buttons below 10. Select OK. Sharepoint is now protected. To verify, right click the name of your Sharepoint web site (companyweb) and select Browse. The default BlackShield logon form should appear. Note: In order to allow Microsoft authentication to succeed through the BlackShield Sharepoint logon form, it is necessary to enable both anonymous access and basic authentication for the Sharepoint application. If this is not done, the user will be able to authenticate against BlackShield but the authentication to Sharepoint will fail. Follow the steps below to accomplish this: 1. Open the Internet Information Services (IIS) Manager. It can be started by clicking Start Administrative Tools Internet Information Services (IIS) Manager. 2. Expand the first node in the left hand pane, which is the name of your web server (local computer). 3. Expand Web Sites. 4. Right click the name of your SharePoint web site and select Properties. By default, the name of this site is often company web 5. Select the Directory Security tab. 6. Select the Edit button under the Authentication and Access Control section. 7. Select Enable Anonymous Access at the top of the screen, do not change the user name or password. BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 5

9 8. Unselect Integrated Windows Authentication. 9. Select Basic Authentication. 10. Click OK. 11. Click Yes to the popup dialog. 12. Click OK to exit the properties tab. Protecting custom virtual directories 1. Open the Internet Information Services (IIS) Manager. It can be started by clicking Start Administrative Tools Internet Information Services (IIS) Manager. 2. Expand the first node in the left hand pane, which is the name of your web server (local computer). 3. Expand Web Sites. 4. Locate the virtual directory you wish to protect and select Properties. 5. Select the CRYPTOCard tab. 6. Select Enable BlackShield Authentication for this virtual directory 7. From the drop down menu, select the option for default, which has it's path ending in iis agent\default\authisapi.dll. 8. Select New custom application from the set of radio buttons below 9. Select Configure Select OK. 11. Select OK. Your custom virtual directory is now protected. To verify, right click the name of the virtual directory and select Browse. The default BlackShield logon form should appear. BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 6

10 GrIDsure Tokens GrIDsure tokens provide an end-user the ability to generate a one-time password without requiring the end-user to have any additional hardware or software applications. GrIDsure presents the end-user with a grid of cells containing random characters, from which the end-user selects their personal identification pattern (PIP). Each time the end-user needs to authenticate the trid will display a random/unique set of characters. The end-user then just needs to remember their PIP and provide the specific characters within those cells that make up their PIP in order to authenticate and log on. For the purpose of this guide, only the demonstration of GrIDsure tokens being used will be shown. A more detailed explanation of how GrIDsure tokens work can be obtained in the GrIDsure specific token guide. Outlook Web Access Forms based authentication 1. Using a web browser, browse to the OWA logon site. 2. Enter your Microsoft user name and Microsoft password. 3. Leave the OTP field empty. 4. Click Log On BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 7

11 5. Using your PIP, enter in your OTP within the OTP field. Note: In this example the OTP has been revealed for demonstration purposes. 6. Click the Logon button. BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 8

12 SharePoint 1. Using a web browser, browse to the SharePoint logon site. Note: Normally a web browser pop up would appear. However, once protected with CRYPTOCard a web based logon page will appear. 2. Enter in your Microsoft user name and Microsoft password. 3. Leave the OTP field empty. 4. Click the Log On button. 5. Using your PIP, enter in your OTP within the OTP field. Note: In this example the OTP has been revealed for demonstration purposes. 6. Click the Log On button. BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 9

13 Troubleshooting Symptom: I access my service s logon page, but I don t see the addition of the OTP (One- Time password) field to enter my token code. Possible Causes: You have not chosen the correct logon page. Solution: Redo the instructions for protecting your chosen service, and ensure you select the correct template from the appropriate pull down. BlackShield ID Implementation guide for IIS,SharePoint,OWA,RWW 10