DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007

Transcription

1 DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Sharepoint 2007 With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines

2 Disclaimer Disclaimer of Warranties and Limitations of Liabilities This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security. Trademarks DIGIPASS, IDENTIKEY, IDENTIFIER & AXSGUARD are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. Copyright 2010 VASCO Data Security. All rights reserved.

3 Table of Contents DIGIPASS Authentication for Microsoft ISA Disclaimer... 2 Table of Contents Reader Overview Problem Description Solution Technical Concept General overview Microsoft Active Directory prerequisites Microsoft ISA server 2006 prerequisites Microsoft Sharepoint 2007 prerequisites IDENTIKEY Server Prerequisites Active Directory Settings Domain functional level Constrained Delegation Sharepoint 2007 Settings Create Web Application Create Site Collection Create Alternate Access Mappings Microsoft IIS Settings SSL Server Certificate Microsoft ISA 2006 Settings Certificate settings Importing root certificate Requesting Web Server certificate... 34

4 9.2 Publishing Sharepoint RADIUS settings IDENTIKEY Server Policy configuration Client configuration Test Sharepoint logon About VASCO Data Security... 59

5 1 Reader This Document is a guideline for configuring the partner product with IDENTIKEY SERVER or Axsguard IDENTIFIER. For details about the setup and configuration of IDENTIEKEY SERVER and Axsguard IDENTIFIER, we refer to the Installation and administration manuals of these products. Axsguard IDENTIFIER is the appliance based solution, running IDENTIKEY SERVER by default. Within this document, VASCO Data Security, provides the reader guidelines for configuring the partner product with this specific configuration in combination with VASCO Server and Digipass. Any change in the concept might require a change in the configuration of the VASCO Server products. The product name`identikey SERVER`will be used throughout the document keeping in mind that this document applies as well to the Axsguard IDENTIFIER. 2 Overview The purpose of this document is to demonstrate how to configure IDENTIKEY SERVER to work with Microsoft ISA server (ISA) to perform Single Sign On (SSO) to a Sharepoint portal with a One Time Password (OTP). 3 Problem Description When using a DIGIPASS to authenticate to the ISA Server, your OTP will be checked by IDENTIKEY SERVER. When another website, requiring authentication, will be accessed behind the ISA firewall and you would like to use a single sign-on schema, ISA will send your username and OTP to this site. As the OTP would be validated a second time, you would receive a code replay on the IDENTIKEY SERVER and access will be rejected. The solution to this problem could be entering your regular username and password or at least a second OTP. The user would then have to authenticate twice, once on the ISA server and once for the Sharepoint portal, however this is less convenient for the user... 4 Solution In ISA Server 2006 it is now possible to authenticate to the Sharepoint web site using Kerberos constrained delegation. This means the ISA server will, after a successful authentication to the IDENTIKEY SERVER, create a Kerberos ticket on the domain controller. With this ticket the user will be able to perform an integrated authentication on the Sharepoint web site, without having to authenticate a second time. After configuring the IDENTIKEY SERVER, the ISA server and the Active Directory in the right way, you eliminate the weakest link in any security infrastructure the use of static passwords that are easily stolen guessed, reused or shared.

6 Figure 1: Solution

7 5 Technical Concept 5.1 General overview The main goal of the ISA server is to perform authentication in a secure way to gain access to the Sharepoint portal. As the ISA server can do authentication to an external service with RADIUS, we will place the IDENTIKEY SERVER in the middle of this process to secure the authentication with our proven IDENTIKEY SERVER software. 5.2 Microsoft Active Directory prerequisites I Important Notice To make use of the Kerberos constrained delegation, the domain functional level should be Windows Server If there are currently older domain controllers (2000, NT4 ) deployed in your domain, raising the domain function level is not possible. By default, in Windows 2003 server, the domain functional level is Windows 2000 mixed and will have to be raised. If you want to make use of HTTPS/SSL connections, you need a root CA to be installed for your domain. 5.3 Microsoft ISA server 2006 prerequisites Please make sure you have a working setup of the ISA server. It is very important this is working correctly before you start implementing the authentication to the IDENTIKEY SERVER and make a rule to publish a Sharepoint portal. 5.4 Microsoft Sharepoint 2007 prerequisites We assume you have MS Office Sharepoint Server 2007 installed. Configuration for a new site will be shown in this guide. 5.5 IDENTIKEY Server Prerequisites In this guide we assume you already have IDENTIKEY Server installed and working. If this is not the case, make sure you get it working before installing any other features.

8 6 Active Directory Settings The domain functional level must be raised to be able to use the advanced constrained delegation features in the Active Directory. Windows 2003 server will be installed standard in Windows 2000 mixed mode. The advanced features are only available when your active directory level is Windows Server 2003 mode. Constrained delegation is a ticketing system relying on Kerberos. Any computer in a domain, that is trusted to request tickets, can request a ticket for a certain user. With this ticket the user is able to authenticate himself when authentication is demanded, instead of supplying his credentials again. 6.1 Domain functional level I Important Notice Before continuing, please do be aware of the consequences of raising your domain functional level. If any older domain controllers (2000, NT4, ) are active in you network, do not raise the functional level. As it is required to raise the functional level to use Kerberos constrained delegation, you will not be able to complete this integration guide. On the domain controller, open the Active Directory Users and Computers administrative tool. Right-click your top domain and select Raise Domain Functional Level. Figure 2: Domain functional level (1)

9 Choose Windows Server 2003 in the select box and click Raise. Figure 3: Domain functional level (2) You get a notice that once you raised the domain functional level, you are not able to reverse this action and it is raised domain wide. Click OK to continue. Figure 4: Domain functional level (3) You will receive a confirmation message when raising the domain was successfully completed. Click OK to finish. Figure 5: Domain functional level (4)

10 6.2 Constrained Delegation Next, in the same window, go to the folder Computers and select the computer containing the ISA server. Right-click the server name and select Properties. Figure 6: Constrained Delegation (1) Go to the Delegation tab. This tab is only shown when your domain functional level is Windows Server Select the option: Trust this computer for delegation to specified services only. And beneath this option select Use any authentication protocol. When this is done, the Add button will be available and click it. Figure 7: Constrained Delegation (2)

11 Click the Users or Computers button to select the computer we want to delegate to. Figure 8: Constrained Delegation (3) Search or select the computer where the Sharepoint portal is located. Click OK to continue. Figure 9: Constrained Delegation (4)

12 When you selected the computer to delegate to, you have to choose the service type. The authentication comes from and goes to a web service, so find http in the list and click OK. Figure 10: Constrained Delegation (5) The next screen shows you an overview of the delegation settings. This screen is actually saying: We give the computer where ISA is installed the authority to delegate an http authentication to the chosen computer. Click OK to finish. In our setup the ISA server is installed on a computer named: MEMBER. Figure 11: Constrained Delegation (6)

13 7 Sharepoint 2007 Settings To create a new Sharepoint portal we will have to create a web application that contains the required IIS settings and addsome content to this web application. Additionally we must make sure the URL external users type in is also known in Sharepoint. (The published URL, used by external users passing the ISA server.) 7.1 Create Web Application First thing to do in Sharepoint is to create a web application. In the Application Management tab select Create or extend Web application. Figure 12: Create Web Application (1) Then choose to Create a new Web application. Figure 13: Create Web Application (2)

14 Next 4 Figures (14 to 17) will show you how the settings should be set on this page. We only mention the fields which require changes, other fields are filled in automatically or are optional. IIS Web Site o Port: 443 (for standard SSL connections) o Host header: sharepoint Figure 14: Create Web Application (3) Security Configuration o Authentication provider: Negiotiate (Kerberos) o Allow Anonymous: No o Use Secure Sockets Layer: Yes Figure 15: Create Web Application (4)

15 Load Balanced URL Leave all default settings Application Pool: Create new application pool o Predefined: Network Service Figure 16: Create Web Application (5) Database Name and Authentication: Leave all default settings If all the settings are filled in, by you or automatically, click the OK button. Figure 17: Create Web Application (6)

16 You will receive an alert message stating that you selected Kerberos and this needs manual configuration steps. As we did this already, click OK. Figure 18: Create Web Application (7) When everything is created on the back-end, you will get a confirmation page stating the application was successfully created. You will see in the text we need to restart the IIS so all changes will be activated. On the Sharepoint server, run the command iisreset /noforce and make sure all websites are up and running before you continue. Figure 19: Create Web Application (8)

17 7.2 Create Site Collection Now it s time we add some content to this web application. In the Application Management tab select Create site collection. Figure 20: Create Site Collection (1) The next 4 figures (21 to 24) will show you how the site collection settings are set. First make sure you have the right Web application selected in the list. If this is not correct click the Change Web Application option. Figure 21: Create Site Collection (2)

18 In the newly opened window click on your web application you want to create some content for. Figure 22: Create Site Collection (3) Now the correct web application will be shown in the list. Enter a Title and Description for your site collection and choose the web site address under which your site collection will be approachable. A template guide will help you to select the best layout for your site collection. Choose one from the list. Figure 23: Create Site Collection (5)

19 Enter a username as primary and/or secondary site collection administrator and click the check name -button behind the input field to lookup this name in your AD. When the name was found, it will be underlined. You could also browse for users, then you would have to click the address book - button behind the input field. When all settings are made click the OK button to start generating this site content in your web application. Figure 24: Create Site Collection (10) When the site collection is successfully created, you will receive a confirmation page. Click OK to get back to the main screen. Figure 25: Create Site Collection (11)

20 7.3 Create Alternate Access Mappings We now have a working Sharepoint web site for internal use, accessible through But users will access this portal page through the ISA server connecting to the address The content on our site will have to be adapted to this kind of connection. To solve this problem, Sharepoint foresees alternate access mappings. We will have to add the external address to our database. Go to the Operations tab and choose Alternate access mappings. Figure 26: Create Alternate Access Mapping (1) Click on the Add Internal URLs link on top of the page. Figure 27: Create Alternate Access Mapping (2)

21 Select the correct mapping collection by selecting the Change Alternate Access Mapping Collection link and selecting your correct site collection in the list. Figure 28: Create Alternate Access Mapping (3) Now the correct collection will be shown and an alternate mapping can be added. Type in the external address to which users connect for the Sharepoint site, this value is also present on the ISA server. In the Add Internal URL list, select the Internet option. Click Save to continue. Figure 29: Create Alternate Access Mapping (4)

22 Now you will see both URLs in the list. One for internal use, the other one for external usage. Figure 30: Create Alternate Access Mapping (5)

23 8 Microsoft IIS Settings 8.1 SSL Server Certificate Open the Internet Information Services (IIS) Manager administrative tool on the Sharepoint server. Right-click on the web site under which your Sharepoint web application is published and click Properties. Figure 31: SSL Server Certificate (1) Go to the Directory Security tab and click the Server Certificate button. This will start a wizard for creating a web server certificate. Figure 32: SSL Server Certificate (2)

24 Click Next to continue. Figure 33: SSL Server Certificate (3) Select the Create a new certificate option and click Next. Figure 34: SSL Server Certificate (4) If you use a personal root CA, you can choose to directly request the certificate at your CA. If you want to make use of a commercial root CA, you can prepare the request and send it later. The advice is to use an internal SSL certificate for the connection between the ISA server and the Sharepoint server (this wizard). For the connection from the client to the ISA server you may use an external/commercial SSL certificate if you find this more suitable. We will come back to this issue later on. For our example we just use the dc computer as root CA for the whole setup.

25 Select Send the request immediately to an online certification authority and click Next. Figure 35: SSL Server Certificate (5) Give your certificate a meaningful Name and click Next to continue. Figure 36: SSL Server Certificate (6) Fill in your organization and organizational unit name. Click Next to advance. Figure 37: SSL Server Certificate (7)

26 Next, fill in the name of the Sharepoint server. This has to be the name internal users use to connect to the Sharepoint portal. Figure 38: SSL Server Certificate (8) Select your country in the list, fill in your state/province and city/locality. Click Next to continue. Figure 39: SSL Server Certificate (9) By default the SSL port is filled in with port 443. Unless you chose another port during the Web Application setup, leave it at the default value. Figure 40: SSL Server Certificate (10)

27 If your CA is setup correctly, it will show up in the list. Select your CA and click Next. If the CA does not show up, go back and choose to prepare the request now and send it later. Figure 41: SSL Server Certificate (11) The next screen shows you an overview of the settings for this certificate, make sure everything is correct. Click Next to continue, otherwise click Back to make some changes. Figure 42: SSL Server Certificate (12) The certificate is now created; click Finish to close the wizard. Figure 43: SSL Server Certificate (13) We now have enabled our Sharepoint web application with an SSL certificate.

28 9 Microsoft ISA 2006 Settings 9.1 Certificate settings Importing root certificate When using a personal root CA to create an SSL certificate for the connection between the ISA server and the Sharepoint web site, we have to add the certificate publisher to the Trusted Root Certification Authorities of the local computer account. This is a list of all certificate publishers that are trusted by Microsoft. When we use a certificate that was created by a personal root CA, we have to add this CA to the trusted list. When you have your personal root CA installed, you will find the root certificate on the designated server under the C:\ root. This is normally named like this: C:\COMPUTERNAME.domain.extension_friendly-name.crt In our example this would make: C:\dc.labs.vasco.com_VASCO Labs CA.crt Copy this file to the C:\ root of the ISA server. Figure 44: Importing root certificate (1) 2010 VASCO Data Security. All rights reserved. Page 28 of 59

29 Open the Microsoft Management Console (MMC). Select Add\Remove Snap-in from the File menu. Figure 45: Importing root certificate (2) Click the Add button to select what kind of snap-in you would like to add. Figure 46: Importing root certificate (3) 2010 VASCO Data Security. All rights reserved. Page 29 of 59

30 Select Certificates from the list and click Add. Figure 47: Importing root certificate (4) Select the Computer account. Click Next to continue. Figure 48: Importing root certificate (5) 2010 VASCO Data Security. All rights reserved. Page 30 of 59

31 Choose the accounts of the Local computer (the computer the console is running on). Click Finish to end the wizard. Figure 49: Importing root certificate (6) As you are able to add more snap-ins at the same time, click Close when the certificate wizard has finished. In the local computers certificates window, right-click the Trusted Root Certification Authorities and select Import from the All Tasks panel. Figure 50: Importing root certificate (7) 2010 VASCO Data Security. All rights reserved. Page 31 of 59

32 Click Browse to select the root certificate you copied earlier in the C:\ root. Afterwards click Next to continue. Figure 51: Importing root certificate (8) Figure 52: Importing root certificate (9) Default, the option Place all certificates in the following store is selected and has the right Certificate store. If not, select it and choose for the Trusted Root Certification Authorities. Figure 53: Importing root certificate (10) 2010 VASCO Data Security. All rights reserved. Page 32 of 59

33 The next screen will show an overview of the actions. Review them and click Finish to import the certificate. Figure 54: Importing root certificate (11) You will receive a message stating that the import was successful. Click OK to finish. Figure 55: Importing root certificate (12) You will now find your own root CA in the list of trusted root certification authorities. You can leave this console MMC window open for later use VASCO Data Security. All rights reserved. Page 33 of 59

34 9.1.2 Requesting Web Server certificate What we did before was creating an SSL certificate for the protection of the internal network. The next step is to secure the connection from the client. It would be an extreme task to make all your clients import your own root certificate to trust the SSL web certificate. For this matter the trusted authorities list is already in Windows. So you can just buy a commercial SSL certificate from a company on this list that is trusted by everyone that uses Windows. Instead of using a commercial SSL certificate you can still use an SSL certificate from your personal root CA. It is easily done by using the Microsoft Certificate Services web site that is installed on your root CA. Go to the address: In our example this is: Figure 56: Requesting Web Server certificate (1) 2010 VASCO Data Security. All rights reserved. Page 34 of 59

35 Click the advanced certificate request link. Figure 57: Requesting Web Server certificate (2) Choose to Create and submit a request to this CA. Figure 58: Requesting Web Server certificate (3) 2010 VASCO Data Security. All rights reserved. Page 35 of 59

36 In the Certificate template list, select the Web Server certificate. Fill in all fields of the Identifying Information For Office Template block. Note: the Name field has to represent the URL external users will type in to go the Sharepoint portal. Otherwise most browsers show an alert that the certificate name does not match the URL entered in the location field. Figure 59: Requesting Web Server certificate (4) Check Store certificate in the local computer certificate store and click Submit to continue. Figure 60: Requesting Web Server certificate (5) 2010 VASCO Data Security. All rights reserved. Page 36 of 59

37 Now you will be able to directly install the requested certificate by clicking the Install this certificate link. Figure 61: Requesting Web Server certificate (6) You will receive a security notification stating that trusting certificates from unknown sources could be dangerous. As we know where the certificate is coming from, it is safe to click Yes and continue. Figure 62: Requesting Web Server certificate (7) 2010 VASCO Data Security. All rights reserved. Page 37 of 59

38 The web site now tells you the certificate is successfully installed. You can now close the browser window. Figure 63: Requesting Web Server certificate (8) In the certificate MMC window you can now find your newly created SSL certificate. Under the Personal folder of the local computer account you will find it. Figure 64: Requesting Web Server certificate (9) 2010 VASCO Data Security. All rights reserved. Page 38 of 59

39 9.2 Publishing Sharepoint To publish a Sharepoint web site trough ISA, there is a wizard available on the ISA server. Open the ISA administration tool and click on the firewall policy in the left pane. Select Publish Sharepoint Sites from the Tasks tab in the right pane. Figure 65: Publishing Sharepoint (1) Type in a meaningful name for this policy and click Next. Figure 66: Publishing Sharepoint (2) 2010 VASCO Data Security. All rights reserved. Page 39 of 59

40 Choose to publish a single web site or load balancer if you have a single Sharepoint server or only one load balancing address. Choose the other option if you have more than one web site or multiple load balancing addresses. Click Next to continue. Figure 67: Publishing Sharepoint (4) Choose to make use of SSL to connect to the Sharepoint web site and click Next. Figure 68: Publishing Sharepoint (5) 2010 VASCO Data Security. All rights reserved. Page 40 of 59

41 Type the Internal site name as the name of the internal Sharepoint web site. Click Next. Figure 69: Publishing Sharepoint (6) ISA acts as a proxy server, so all connections for the internal network pass the ISA server. To know when traffic is meant for the Sharepoint web site, we will only accept requests for This domain name (type below). As public name you specify the address the clients use to connect to the Sharepoint website. Example: clients type in their browser so our public name would be: sharepoint.labs.vasco.com Figure 70: Publishing Sharepoint (7) 2010 VASCO Data Security. All rights reserved. Page 41 of 59

42 You now have the ability to create a listener, this is used to get bound to a port. The ISA server will listen like a regular web service on port 80 for HTTP or 443 for HTTPS (SSL), depending on what you select in the following steps. Be aware that listeners can be used more than once. So, different ISA policies can use the same listener, based upon the domain name.. You have to see the listener apart from the ISA policy. The creation of the listener is a new wizard. The policy wizard will continue once the listener is created. Click the New button to create a new listener. Figure 71: Publishing Sharepoint (8) Fill in an appropriate name for the listener. Figure 72: Publishing Sharepoint (9) 2010 VASCO Data Security. All rights reserved. Page 42 of 59

43 Here you can choose whether you want the listener to make use of HTTPS/SSL or HTTP. We already created an SSL certificate so we will choose to require SSL secured connections with clients. Figure 73: Publishing Sharepoint (10) We select to listen on all network ports; this enables users to access Sharepoint through ISA internally as well. Figure 74: Publishing Sharepoint (11) 2010 VASCO Data Security. All rights reserved. Page 43 of 59

44 The following three figures show you how to import SSL certificate in the listener. 75. Select the Use single certificate for this web listener option. 76. Find the certificate in the list that was issued to the FQDN that users have to type in. Figure 75: Publishing Sharepoint (12) Figure 76: Publishing Sharepoint (13) 77. The external name is shown in the text field. Click Next to continue. Figure 77: Publishing Sharepoint (14) 2010 VASCO Data Security. All rights reserved. Page 44 of 59

45 Choose HTML Form Authentication as how clients will provide their credentials to the ISA server. Select RADIUS OTP as the way ISA server will validate the credentials. Figure 78: Publishing Sharepoint (15) If you want to publish more than one web site with the same listener (to be used in other policies), you can enable the ISA Server SSO (Single Sign On) option, for sites using the same domain. We are currently setting up a SSO solution between the ISA Server, IDENTIKEY SERVER and Sharepoint. The SSO option talked about in the next screen is only used when more than one source is published. (Like Sharepoint, etc ) You could use for example the SSO domain: *.labs.vasco.com and be able to single sign on to mail.labs.vasco.ext and Sharepoint.labs.vasco.com, if you use the same listener for both policies in the ISA server configuration. In our example we chose not to enable the ISA server SSO option as we don t need it for this setup. Figure 79: Publishing Sharepoint (16) 2010 VASCO Data Security. All rights reserved. Page 45 of 59

46 The next screens will show you an overview of the listener settings. If all settings are correctly shown as you wanted, click Finish first, secondly click Next. Figure 80: Publishing Sharepoint (17) Figure 81: Publishing Sharepoint (18) The listener is now configured, and the policy wizard will now continue automatically. In the Authentication Delegation screen, select Kerberos constrained delegation as the method used by the ISA server to authenticate to the published web server. In other words, this is the way the ISA server will try to authenticate to the Sharepoint web site. The Service Principal Name is what is setup in chapter 5.2 Constrained Delegation. It is written like this: service_name/fqdn_sharepointserver. In our example this would become: http/dc.labs.vasco.com Figure 82: Publishing Sharepoint (19) 2010 VASCO Data Security. All rights reserved. Page 46 of 59

47 The next options will ask us if we have already setup Alternate Access Mappings (see chapter 6.3 Create Alternate Access Mappings), as we already did this, choose this option and click Next. Figure 83: Publishing Sharepoint (20) The User Sets is used to set who can use this policy. As we only want the authenticated users to be redirected to the Sharepoint web site, we add All Authenticated Users. Click Next to continue. Figure 84: Publishing Sharepoint (21) 2010 VASCO Data Security. All rights reserved. Page 47 of 59

48 What will follow is an overview of the policy settings. Check all entries and make sure they are correct. You can still use the Back button to make changes. If all settings seem to be correct, click the Finish button. Figure 85: Publishing Sharepoint (22) After clicking Finish, you will receive a notification message stating that for use of Kerberos constrained delegation you must configure the Active Directory to allow delegation. As we already did this, you can click OK. Figure 86: Publishing Sharepoint (23) 2010 VASCO Data Security. All rights reserved. Page 48 of 59

49 9.3 RADIUS settings To set up the authentication to IDENTIKEY SERVER, we still have to configure the RADIUS settings in the ISA server. You can do this by going to the properties of the Policy you just created. Figure 87: RADIUS settings (1) Then go to the Listener tab, and click the Properties button. Figure 88: RADIUS settings (2) 2010 VASCO Data Security. All rights reserved. Page 49 of 59

50 Go to the Authentication tab, and click on the Configure Validation Servers button. Figure 89: RADIUS settings (3) On the RADIUS Servers tab, click on the Add button to add a new RADIUS server. In the new window provide all details of the IDENTIKEY SERVER server. Server name is the location where it s based, can be a hostname or an IP address. The description is optional. Use the Change button to add a shared secret and make sure the Authentication port is set to the same as configured in IDENTIKEY SERVER. Figure 90: RADIUS settings (4) Figure 91: RADIUS settings (5) 2010 VASCO Data Security. All rights reserved. Page 50 of 59

51 Still in the Listener properties (Figure 89), click the Advanced button. Make sure to select the option Require all users to authenticate. Click OK until you get back to the main window. Figure 92: RADIUS settings (6) To save all changes, click the Apply button on top of the center window. This will write all your changes and make them active on the current setup. Figure 93: RADIUS settings (7) 2010 VASCO Data Security. All rights reserved. Page 51 of 59

52 You will receive a notification message stating that the changes to the configuration were successfully applied. Figure 94: RADIUS settings (8) The configuration of the ISA server and the Active Directory are completed. The only thing we still need to configure is the IDENTIKEY SERVER VASCO Data Security. All rights reserved. Page 52 of 59

53 10 IDENTIKEY Server Go to the IDENTIKEY Server web administration page, and authenticate with and administrative account Policy configuration To add a new policy, select Policies Create. Figure 95: Policy configuration (1) There are some policies available by default. You can also create new policies to suit your needs. Those can be independent policies or inherit their settings from default or other policies VASCO Data Security. All rights reserved. Page 53 of 59

54 Fill in a policy ID and description. Choose the option most suitable in your situation. If you want the policy to inherit setting from another policy, choose the right policy in the Inherits From list. Otherwise leave this field to None. Figure 96: Policy configuration (2) In the policy options configure it to use the right back-end server. This could be the local database, but also active directory or another radius server. This is probably the same that was in your default client authentication options before you changed it. Or you use the local database, Windows or you go further to another radius server. In our example we select our newly made Demo Policy and change it like this: Local auth.: Digipass/Password Back-End Auth.: Default (None) Back-End Protocol: Default (None) Dynamic User Registration: Default (No) Password Autolearn: Default (No) Stored Password Proxy: Default (No) Windows Group Check: Default (No Check) After configuring this Policy, the authentication will happen locally in the IDENTIKEY Server. So user credentials are passed through to the IDENTIKEY Server, it will check these credentials to its local user database and will answer to the client with an Access-Accept or Access-Reject message VASCO Data Security. All rights reserved. Page 54 of 59

55 In the Policy tab, click the Edit button, and change the Local Authentication to Digipass/Password. Figure 97: Policy configuration (3) The user details can keep their default settings. Figure 98: Policy configuration (4) 2010 VASCO Data Security. All rights reserved. Page 55 of 59

56 10.2 Client configuration Now create a new component by right-clicking the Components and choose New Component. Figure 99: Client configuration (1) 2010 VASCO Data Security. All rights reserved. Page 56 of 59

57 As component type choose RADIUS Client. The location is the IP address of the client. In the policy field you should find your newly created policy. Fill in the shared secret you entered also in the client for the RADIUS options. In our example this was vasco. Click Create. Figure 100: Client configuration (2) Now the client and the IDENTIKEY Server are set up. We will now see if the configuration is working VASCO Data Security. All rights reserved. Page 57 of 59

58 11 Test Sharepoint logon Point your browser from an external client to the external address of the Sharepoint portal. And fill in a username and a One Time Password (OTP). In our example this is Note: Make sure the username you are trying to login with is known in IDENTIKEY SERVER or Dynamic User Recognition (DUR) is enabled and has a DIGIPASS account assigned to it. Other kind of self-registration methods can be found in the IDENTIKEY SERVER Administration Guide. Figure 101: Test Sharepoint logon (1) If everything goes well, you should see the Sharepoint team page, secured through the ISA server and IDENTIKEY SERVER. Figure 102: Test Sharepoint logon (2) 2010 VASCO Data Security. All rights reserved. Page 58 of 59

59 12 About VASCO Data Security VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO s User Authentication software is carried by the end user on its DIGIPASS products which are small calculator hardware devices, or in a software format on mobile phones, other portable devices, and PC s. At the server side, VASCO s VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO s target markets are the applications and their several hundred million users that utilize fixed password as security. VASCO s time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break. VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO s user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world-leader for strong User Authentication with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries VASCO Data Security. All rights reserved. Page 59 of 59