Protecting Juniper SA using Certificate-Based Authentication. Quick Start Guide

Transcription

1 Protecting Juniper SA using Certificate-Based Authentication

2 Copyright 2013 SafeNet, Inc. All rights reserved. All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice. SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners. SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications. Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification. Support SafeNet technical support specialists can provide assistance when planning and implementing SafeNet Authentication Service. In addition to aiding in the selection of the appropriate authentication products, SafeNet can suggest deployment procedures that will provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. SafeNet works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a SafeNet channel partner, please contact your partner directly for support needs. To contact SafeNet Authentication Service support directly: Europe / EMEA Freephone: (UK) Telephone: +44 (0) (Int l) [email protected] North America Toll Free: Telephone: [email protected] Customer Feedback Help us to improve this documentation, our products and our services by communicating any ideas and suggestions that you feel would improve the usefulness and clarity of the documentation, product feature set or application in practice. Suggestions should be sent to: [email protected] Introduction 2

3 Publication History Date Description Revision 04/25/2013 Initial Release 1.0 Introduction 3

4 Table of Contents Introduction... 5 Integration System Requirements... 5 Configuring Juniper SA for PKI... 6 Downloading a CA Certificate... 6 Creating a Certificate Authentication Server... 7 Adding the Certificate to the List of Trusted Client CAs... 9 Configuring the User Realm Configuring KCD Configuring the User Account Creating a KCD User Account in Active Directory Defining the Delegated Authentication Services Configuring SA Configuring Web SSO Configuring the Constrained Delegation Service List Configuring SSO Policies Configuring SSO Profile Configuring the Exchange Server Running the Solution User Authentication Scenario Introduction 4

5 Introduction This document guides you through setting up a certificate-based authentication solution in a Juniper Networks Junos Pulse Secure Access Service (SA) environment. This integration guide describes a single sign-on solution for Microsoft OWA based on SAC 8.2 and SafeNet tokens. This section includes the following: Integration System Requirements Integration System Requirements For this scenario, the working environment must include the following software: Juniper Networks Junos Pulse Secure Access Service Version 7.1 R5 or later Microsoft Exchange 2010 Microsoft Active Directory Microsoft Enterprise CA SAC 8.2 GA etoken 5100 Introduction 5

6 Configuring Juniper SA for PKI This section describes how to configure the server to enable Juniper SA certificate authentication with SafeNet s PKI tokens. This section includes the following: Downloading a CA Certificate Creating a Certificate Authentication Server Adding the Certificate to the List of Trusted Client CAs Configuring the User Realm Downloading a CA Certificate The first step is to download and save a CA certificate. To download a CA certificate: 1. Access the CA server web interface. 2. Select Download a CA Certificate. 3. Select Base Save the certificate to the local hard drive. Configuring Juniper SA for PKI 6

7 Creating a Certificate Authentication Server This step guides you through creating a certificate authentication server on the Juniper SA. To create a certificate authentication server on the Juniper SA: 1. Select Authentication > Auth. Servers. The Authentication Servers window opens. 2. From the New drop-down list, select Certificate Server. Configuring Juniper SA for PKI 7

8 3. Click New Server. The New Certificate Server window opens. 4. Next to Name, enter the new server a name; leave the default settings unchanged for all other options. 5. Click Save Changes. Configuring Juniper SA for PKI 8

9 Adding the Certificate to the List of Trusted Client CAs The certificate can now be added to the list of Trusted Client CAs on the Juniper SA. To add the certificate to the list of Trusted Client CAs: 1. Select System > Configuration > Certificates > Trusted Client CAs. The Configuration window opens. 2. Click the Import CA Certificate button and browse to select the saved file. Configuring Juniper SA for PKI 9

10 3. Click the Import Certificate button. The Trusted Client CA window opens. 4. Check that the Root CA Certificate details are correct. Configuring Juniper SA for PKI 10

11 5. Under Client certificate status checking, select Use CRLs (Certificate Revocation Lists) and click Save Changes. 6. Select CRL Checking Options. Configuring Juniper SA for PKI 11

12 The CRL Checking Options window opens. 7. In the Use drop-down list, select CDP(s) specified in the Trusted Client CA. 8. Click Save Changes. The new CDP appears in the Certificate Detail page under Client certificate status checking. Configuring Juniper SA for PKI 12

13 Configuring the User Realm The user realm needs to be configured to use certificate authentication, client certificate restrictions, and the Role Mapping Rules. To configure the user realm: 1. Select Users > User Realms. Configuring Juniper SA for PKI 13

14 2. Click on the Users link under Authentication Realm column. The Realm window opens ( Users Realm in this example). 3. In the General tab, under Servers, select the certificate server created in the previous step from the Authentication drop-down list. Configuring Juniper SA for PKI 14

15 4. Select the Authentication Policy tab and then click Certificate. 5. Select Only allow users with a client-side certificate signed by Trusted Client CAs to sign in. 6. Click Save Changes. The Juniper Networks Junos Pulse Secure Access is ready to authenticate users using certificates. Configuring Juniper SA for PKI 15

16 Configuring KCD Juniper SA is often used to protect Web application resources, such as Outlook Web Access (OWA) and SharePoint, which are based on Windows authentication. Kerberos Constrained Delegation (KCD) enables Single Sign On for the application resource, so that users are required to log on only once per session. The user logs on to SA, and then is not required to authenticate again when accessing Microsoft applications. Setting up KCD with SA involves the following steps: Configuring the User Account in Active directory Configuring SA Configuring the User Account Creating a KCD User Account in Active Directory KCD requires an Active Directory user account that has Protocol Transition and Delegation rights. This account has rights to request a Kerberos ticket on behalf of a user signing in to SA. To create a new user in Active Directory: 1. From the Windows taskbar, select Start > Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers window opens. 2. In the left pane, expand the domain name, and right-click Users. Configuring KCD 16

17 3. In the menu that appears, select New > User. The New Object - User window opens. 4. Add the new user's information. This account will be used to access Web application resources, such as OWA. 5. Follow the instructions in the dialog box to progress through the windows. Defining the Delegated Authentication Services To configure the new account for Web application access, do the following: Use the setspn command to enable the Delegation tab in the new user account s Properties window. Use the Delegation tab to enable the user to be trusted for delegation to all authentication protocols. To define the Delegated Authentication Services for the new user: 1. Open the Command Prompt window, and enter the command: setspn -A HTTP/<user_account> <domain>\<user_account> where: <user_account> is the User logon name created under Creating a KCD User Account in Active Directory <domain> is your domain Configuring KCD 17

18 In the example that follows, testdomain is the domain, and samservice is the user account s User logon name. 2. In the Active Directory Users and Computers window, right-click the defined user. The user s Properties window opens. Configuring KCD 18

19 3. Select the Delegation tab. 4. Select the following options: Trust this user for delegation to specified services only Use any authentication protocol Note: Do not select Use Kerberos only because that option is not compatible with Protocol Transition and Constrained Delegation. 5. Click Add. The Add Services window opens. Configuring KCD 19

20 6. Click Users or Computers to select the computer hosting the constrained services. The Select Users or Computers window opens. 7. Enter the name of the protected service s server in the domain. Note: In this example, the OWA service is hosted on the same server as Active Directory Domain Controller, so DC is selected. 8. In the Add Services window, the services available on the selected server are displayed. 9. Select the appropriate service type, and click OK. Note: In this example, Constrained Delegation must be configured for OWA. Select http to configure for OWA and for any other Web-based applications running on this server, such as Share Point. Configuring KCD 20

21 The delegated services are displayed in the user s Properties window. 10. Click Apply, and then click OK. Active Directory is now configured for this solution. Configuring SA Configuring SA with Constrained Delegation for users connecting via SA to a selected application involves the following steps: Configuring Web SSO Configuring the Constrained Delegation Service List Configuring SSO Policies For example purposes in this section, the connection will be to the OWA application. Configuring KCD 21

22 Configuring Web SSO In this step, you will add the Kerberos Realm to SA s Kerberos SSO Settings. 1. In the SA Administrator console, select Users > Resource Policies > SSO > General. The WebPolicySSOGeneral window opens. 2. Click Kerberos SSO Settings to see additional settings. 3. Select Enable Kerberos SSO. Configuring KCD 22

23 4. In the Realm Definition area, add the Kerberos realm. In this example, test-domain.com realm was added. Note: The Kerberos Realm is typically the DNS domain. 5. Save the changes. Configuring the Constrained Delegation Service List This step consists of uploading a text file to create a Constrained Delegation Service List. To configure the Constrained Delegation Service List: 1. Open Notepad or a similar text application, and create a file containing the DC server name. 2. Save the file. Configuring KCD 23

24 3. In the SA Administrator console, select Users > Resource Policies > Web > SSO (Single Sign-on) > General. Configuring KCD 24

25 4. In the Constrained Delegation area, click Edit. The Constrained Delegation Service Lists window opens. 5. Click New Service List. 6. In the Name field, enter any value. 7. Click Choose File, and browse to the text file saved at the beginning of this procedure. Configuring KCD 25

26 8. Click OK. The Upload Status window opens. 9. When the upload completes, click Close. 10. In the Constrained Delegation area, do the following: a. In the Label field, enter any value. In this example, we used test-domain.com. b. In the Realm drop-down menu, select the Kerberos realm defined in Configuring Web SSO. c. In the Principal Account field, enter the user logon name (samservice) created in Creating a KCD User Account in Active Directory. d. In the Password field, enter the user s domain password. e. In the Service List drop-down list, select the service list name. f. Click Add. g. Save the changes. Configuring KCD 26

27 Configuring SSO Policies In this step, you will define the roles and resources for which Constrained Delegation will be performed. To configure SSO policies for OWA: 1. In the SA Administrator console, select Users > Resource Policies > Web > Kerberos/NTLM/Basic Auth. 2. Click the New Policy button. The New Policy window opens. Configuring KCD 27

28 3. In Name field, enter a name for the policy. 4. In the Resource field, enter the exact fully-qualified domain name. 5. Under Roles, select Policy applies to selected Roles and add the necessary role. 6. Under Action, choose Constrained Delegation and define appropriate credentials, defined in Configuring the Constrained Delegation Service List. 7. Save the changes. Configuring KCD 28

29 Configuring SSO Profile 1. In the SA Administrator console, select Users > Resource Profiles > Web. 2. Click the New Profile button. The New WEB Application Resource Profile window opens. Configuring KCD 29

30 3. From the Type drop-down list, select Microsoft OWA The OWA 2010 window opens. 4. In the Name field, enter any value for the policy name. 5. In the Base URL field, enter the OWA site s base URL. 6. Under Autopolicy: Web Compression, do the following: a. In the Resource column, enter the OWA site. Configuring KCD 30

31 b. From the Action drop-down list, select Compress. c. Click Add. 7. Under Autopolicy: Single Sign-on, do the following: a. Select Constrained Delegation. b. In the Resource field, enter the host FQDN of the web server. c. From the Credential drop-down list, select the Constrained Delegation s Label defined in Configuring the Constrained Delegation Service List. 8. Click Save Changes. Configuring KCD 31

32 Configuring the Exchange Server This section guides you through configuring the server hosting the web application. Note: This solution can be configured for any web application hosted on any server within the domain. For example purposes, we will use the OWA web application, hosted on the same server as the Active Directory Domain Controller. To configure OWA and ECP: 1. Open the Microsoft Exchange console. 2. In the left pane, select Server Configuration > Client Access. 3. In the Client Access area (middle pane), select your Exchange server. 4. Select the Outlook Web App tab. Configuring the Exchange Server 32

33 5. Right-click owa (Default Web Site), and select Properties. The owa (Default Web Site) Properties window opens. 6. Select the Authentication tab, and do the following: a. Select Use one or more standard authentication methods. b. Select Integrated Windows Authentication. c. Click OK. 7. In the Microsoft Exchange console, select the Exchange Control Panel tab. 8. Right click ecp (Default Web Site), and select Properties. The ecp (Default Web Site) Properties window opens. 9. Select the Authentication tab, and do the following: a. Select Use one or more standard authentication methods. b. Select Integrated Windows Authentication. c. Click OK. 10. Restart IIS for the configuration to take effect. To do this, open a terminal and enter iisreset. Configuring the Exchange Server 33

34 Running the Solution User Authentication Scenario In this example, a user named John authenticates to SA in the following environment: The user authenticates using a certificate saved on a token against Juniper SA. Juniper SA validates authentication on the Authenticated Server; if validation succeeds, the user can access to OWA. Procedure: 1. Enroll a smartcard user certificate on behalf of the domain for the user John. 2. Install SAC 8.2 GA on the client machine used for certificate-based authentication. 3. Connect the token. 4. Open a web browser and browse to the Juniper SA portal. In this example, the SA site is: 5. When prompted for the smartcard PIN, enter the Token Password. Click OK. 6. If the credentials are accepted, the user John is redirected to the SA portal. Running the Solution 34

35 7. Click the OWA 2010 link. The user John is automatically authenticated to the OWA account using KCD. Running the Solution 35