GTA SSOAuth
Single Sign-On Service
SSOAuth200912-01

Global Technology Associates
3505 Lake Lynda Drive, Suite 109
Orlando, FL 32817
Tel: +1.407.380.0220
Fax: +1.407.380.6080
Email: info@gta.com
Web: www.gta.com

Table of Contents

GTA SSOAuth
  Requirements for Single Sign-On
  Operating the Single Sign-On Server
    Server Mode
    Client Mode
  How the Single Sign-On Server Works
  SSOAuth Installation
  SSOAuth Configuration
  Firewall Configuration
  Configuring Groups
  Group Policies
  Testing the Single Sign-On Authentication
  Frequently Asked Questions
Legal Notices
GTA SSOAuth

Active Directory Single Sign-On service is an authentication method which allows users to authenticate only once, when logging into a Windows Active Directory domain. When a user logs into the domain and then attempts to access the Internet via a GTA firewall, the firewall checks whether the user's IP address is in the Authentication Server database. If it is, the firewall retrieves the user's group and matches it against its policies to decide whether Internet access is allowed. The Single Sign-On Authentication (SSOAuth) server maintains the database of users that have authenticated via Active Directory.

Requirements for Single Sign-On

- GB-OS version 5.1.0 or later
- Windows 2003 or 2003 R2 Active Directory server
- The Active Directory server must have a valid certificate and the certificate service installed
- GTA Single Sign-On server installed on the Active Directory server
- .NET Framework 2.0 (or above)
- If a Windows firewall is enabled, the host with the SSOAuth service installed must be configured to accept connections from the GTA firewall for SSOAuth. The default port is TCP/8443.

Operating the Single Sign-On Server

Server Mode
The SSOAuth server is installed on the Active Directory server itself or on another host. The firewall and any SSOAuth clients then connect to the SSOAuth server.

Client Mode
This mode is used when there is more than one AD server. The clients are installed on the AD servers and point to the SSOAuth server, which builds a database of all users that authenticate on the network.
How the Single Sign-On Server Works

1. Users log into a PC that is a member of the domain.
2. When the credentials are checked on the Active Directory server, the Single Sign-On server adds the user's login to its database. This information includes the user name, IP address, and group.
3. Next, the user opens a Web browser or another application which requires Internet access.
4. When the packet reaches the firewall, it is matched against a policy which requires authentication. The firewall checks the SSOAuth server for the host's IP address.
5. The SSOAuth server returns the user name and group to the firewall.
6. If the group returned matches the group referenced by the policy, the connection is allowed. Otherwise, it is denied and logged as authentication required.

[Figure 1: Authentication via SSOAuth. The diagram shows the user, the GB-2000 firewall, the Active Directory server and the Internet, with steps 1 to 6 above marked along the flow.]

SSOAuth Installation

SSOAuth server installation requires a user with administrative permissions on the Active Directory server.

1. Download SSOAuth from the GTA Support Center or install it from the CD. Running the Windows installer sets up all files required for the service.
2. Export the certificate after the GTA SSOAuth service is installed and started. This certificate will be used by the firewall to validate that it is connecting to the SSOAuth server. By default the certificate is exported in DER format. The certificate is located in the GTA directory, GTA SSOAuth folder.
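The lookup the firewall performs in steps 4 to 6 of "How the Single Sign-On Server Works", together with the Valid Duration expiry, the two default groups and the one-user-per-IP behaviour described later in this manual, modelled in Python. This is an added example, not GTA code: the names SSOAuthDatabase and firewall_decision and the in-memory table are assumptions built from the manual's description of the service, not its actual implementation.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# Every Single Sign-On user is a member of these two groups by default (per the manual).
DEFAULT_GROUPS = frozenset({"Single Sign-On Users", "ALL_Users"})


@dataclass
class Login:
    user: str
    groups: frozenset
    seen: datetime  # when the domain logon was recorded


@dataclass
class SSOAuthDatabase:
    """Authenticated domain users keyed by client IP (hypothetical in-memory model)."""
    valid_duration: timedelta
    entries: Dict[str, Login] = field(default_factory=dict)

    def record_login(self, ip: str, user: str, ad_groups: Iterable[str], when: datetime) -> None:
        # A host with a live entry keeps its first user: on a Terminal/Citrix server
        # the service sees one IP address and cannot tell the users apart.
        current = self.lookup(ip, when)
        if current is not None and current.user != user:
            return
        self.entries[ip] = Login(user, DEFAULT_GROUPS | frozenset(ad_groups), when)

    def lookup(self, ip: str, when: datetime) -> Optional[Login]:
        # An entry older than the Valid Duration is dropped; the user must
        # re-authenticate with the domain before the firewall sees them again.
        login = self.entries.get(ip)
        if login is None:
            return None
        if when - login.seen > self.valid_duration:
            del self.entries[ip]
            return None
        return login

    def restart(self) -> None:
        # The database is cleared on every service restart (see the FAQ).
        self.entries.clear()


def firewall_decision(db: SSOAuthDatabase, src_ip: str, policy_group: str,
                      when: datetime) -> Tuple[str, Optional[str]]:
    """Return (action, user): "pass" when a returned group matches the policy's
    group, otherwise the denial the firewall logs as authentication required."""
    login = db.lookup(src_ip, when)
    if login is None:
        return "deny: authentication required", None
    if policy_group in login.groups:
        return "pass", login.user
    return "deny: authentication required", login.user
```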
SSOAuth Configuration

[Figure 2: GTA SSOAuth Configuration]

Table A: GTA SSOAuth Configuration

Mode
  The GTA SSOAuth service operates in one of two modes, Server or Client. Client mode can only be used if more than one Active Directory server is running GTA SSOAuth. Server mode allows firewalls to connect directly to the Active Directory server to query its database of authenticated domain users. When a direct connection between the Active Directory server and the firewall is not available, client mode is used: the client connects to a GTA SSOAuth service running in server mode to propagate domain authentication information.

Valid Duration
  The amount of time an authenticated domain user remains in the GTA SSOAuth database before the user is required to re-authenticate with the domain.

Port
  The SSL port the GTA SSOAuth service uses for firewall and GTA SSOAuth client connections.

Server (Client mode only)
  The address of a GTA SSOAuth service running in server mode.

Service
  Starts or stops the GTA SSOAuth service.

Certificate
  Exports the Active Directory server certificate. If this control is not highlighted, the Active Directory server certificate may not be valid.

Database
  Show Contents in the Event Log: exports the current database to the Windows Event Log.
  Clear: clears the entire authenticated user database. Clearing the database may force users to log back into their systems.
Firewall Configuration

1. Import the SSOAuth server certificate into the firewall (Configure>VPN>Certificates). Click NEW and name the certificate.
2. Select Import and browse to where you have downloaded or stored the GTA SSOAuth server certificate. Select DER for the format. Click OK, then Save.

[Figure 3.0: Importing the SSOAuth Server Certificate]

Your certificate list should display something similar to the one below. If the TYPE does not display as "certificate", there was a possible issue with the import.
  a. Confirm that the file type imported and the file type selected match.
  b. Confirm the imported certificate is a valid certificate.

[Figure 3.1: Certificate Display]

3. Configure the Authentication and Single Sign-On service at Accounts>Authentication.

Table B: Configuring Authentication

Enable
  Starts the authentication service on the firewall.

Automatic Policies
  Creates policies automatically to allow the service to run properly. The policies are based on the service port.

Service Port
  Port the authentication service runs on and accepts GBAuth connections to. NOTE: SSOAuth does NOT require GBAuth.

Valid
  Sets the interval at which the firewall re-checks authentication.

[Figure 3.2: Configuring Authentication]
Table C: Configuring SSOAuth

Enable
  Starts the Active Directory Single Sign-On service.

Server
  Field for the server IP address or name. If using names, DNS must be configured. The firewall can connect to up to 3 Single Sign-On servers.

Certificate
  Certificate of the Single Sign-On server imported into the firewall.

Binding Interface
  Used in special cases, such as VPN, when the connection from the firewall needs to be sourced from a specific firewall interface.

[Figure 3.3: Configuring SSOAuth]

Once the firewall is successfully connected to the Single Sign-On server it will log the following in Monitor>Log Messages>Management:

  Aug 4 11:06:52 pri=5 msg="SSOauth: Connecting to server 10.10.1.243:8443" type=mgmt
  Aug 4 11:06:52 pri=5 msg="SSOauth: Connected to server (10.10.1.243) successfully" type=mgmt
  Aug 4 11:06:53 pri=5 msg="SSOauth: Server (10.10.1.243) ready" type=mgmt

Figure 3.4: Single Sign-On Log Messages

Failure to see these log messages may indicate a connection issue.
  a. Check that the firewall can ping and traceroute to the IP address of the server.
  b. If this fails, check for any host-based firewalls that may be blocking the connections, and confirm the service is running.

If the connection is via a VPN, set the binding interface to the local protected network interface.
Configuring Groups

You will need to configure groups and security policies if you wish to use groups beyond the default firewall groups. By default, all Single Sign-On users are members of the following groups:
  - Single Sign-On Users
  - ALL_Users

You can use the user groups located on your domain server on the firewall. To do this, configure the same groups on your GTA firewall in the Accounts>Groups section.

[Figure 4.0: Configuring Groups]

1. Click the NEW button and enter the name of the group as it appears on the Active Directory server.
2. Enter a description, click OK, and save.

Note: It is important that the group name on the firewall matches the group name in the Active Directory server exactly. For more information on configuring groups, consult the GTA Users Guide.

Note: The VPN section is not applicable to Single Sign-On users.
Group Policies

Once the groups are configured, you will need to create specific policies to apply to each group. This is done in the security policy section.

1. Create a new policy by clicking NEW, or EDIT an existing policy. In the example below, all users wishing to use HTTP must authenticate and be a member of the Single Sign-On Users group, one of the default groups for Single Sign-On.

[Figure 4.1: Configuring Policies]

2. Once a user is authenticated they will appear in the Monitor>Authenticated section, where the user name and group are displayed. In the example below, the user Aaron Support is in the group Administrators.

[Figure 4.2: User/Group Example]

Testing the Single Sign-On Authentication

1. Once the service is installed and configured, create an outbound policy which references the users' group, and log into the Windows domain.
2. Attempt to browse the Internet. In addition to appearing in the firewall logs, the connection will show the User ID in the Monitor section. The following is an example log message of user Aaron Support going to Google:

  Aug 8 18:35:56 pri=5 msg="Accept outbound, NAT" cat_action=pass dstname=www.google.com proto=80/tcp src=172.16.50.8 srcport=1108 user="Aaron Support" nat=199.120.225.62 natport=1108 dst=209.85.165.104 dstport=80 rule=1 sent=470 rcvd=176 pkts_sent=1 pkts_rcvd=1 op=get arg=/gen_204

Figure 5: Monitor Log Message

GTA Reporting Suite and GB Commander can be used to run detailed reports based on user names.
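The log messages in Figures 3.4 and 5 share one format: a timestamp followed by key=value fields, with the value double-quoted where it contains spaces. Below is an added Python example (not GTA code) that parses such lines and reports, per Single Sign-On user, which destinations the firewall passed, and which source addresses were passed with no user name attached. The sample lines are constructed: the two figures' own messages plus one made-up line with no user; the field names cat_action, dstname, src and user come from Figure 5.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# One key=value field; values containing spaces are double-quoted in the log.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line: str) -> Dict[str, str]:
    """Split one GB-OS log line into its fields; the leading timestamp becomes 'time'."""
    parts = line.split(None, 3)  # "Aug 8 18:35:56" is three tokens
    record = {"time": " ".join(parts[:3])}
    for key, value in FIELD.findall(parts[3] if len(parts) > 3 else ""):
        record[key] = value[1:-1] if value.startswith('"') else value
    return record


def passed_by_user(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map each authenticated user to the destinations the firewall passed."""
    result: Dict[str, List[str]] = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("cat_action") == "pass" and "user" in rec:
            result[rec["user"]].append(rec.get("dstname") or rec.get("dst", ""))
    return dict(result)


def sources_without_user(lines: Iterable[str]) -> Set[str]:
    """Source IPs passed outbound with no user name, i.e. by a policy that did
    not require authentication. Useful as a check that every Internet-bound
    policy references a Single Sign-On group."""
    return {rec["src"] for rec in map(parse_line, lines)
            if rec.get("cat_action") == "pass" and "src" in rec and "user" not in rec}


# Constructed sample: the manual's Figure 5 line, one management line from
# Figure 3.4, and a made-up pass with no user attached.
SAMPLE_LOG = [
    'Aug 8 18:35:56 pri=5 msg="Accept outbound, NAT" cat_action=pass dstname=www.google.com '
    'proto=80/tcp src=172.16.50.8 srcport=1108 user="Aaron Support" nat=199.120.225.62 '
    'natport=1108 dst=209.85.165.104 dstport=80 rule=1 sent=470 rcvd=176 pkts_sent=1 '
    'pkts_rcvd=1 op=get arg=/gen_204',
    'Aug 4 11:06:52 pri=5 msg="SSOauth: Connected to server (10.10.1.243) successfully" type=mgmt',
    'Aug 8 18:36:10 pri=5 msg="Accept outbound, NAT" cat_action=pass dstname=example.com '
    'proto=80/tcp src=172.16.50.20 srcport=2001 dst=192.0.2.10 dstport=80 rule=1',
]

if __name__ == "__main__":
    print(passed_by_user(SAMPLE_LOG))
    print(sources_without_user(SAMPLE_LOG))
```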
Frequently Asked Questions

Q: Is GBAuth required to use the SSOAuth service?
No, GBAuth is no longer required for internal users. External users accessing tunnels or matching remote access policies, and not logged into the domain, may still need to use GBAuth.

Q: My user is logged into the domain. However, the firewall shows them as not authenticated.
Check that the user is not logged in locally to their PC. Checking the server security event log may help confirm whether the user is logged into the domain; however, security event logs may be rather large. Also check that the user's host has the correct DNS entries for their domain.

Q: Export Certificate is not available from the GTA SSOAuth configuration application.
This usually means the certificate for the Active Directory server is not valid. Check that you have a valid server certificate. You may need to install the certificate service and create a new certificate, then restart the GTA SSOAuth service.

Q: How does the server know when a user has logged off?
Log-offs are not well tracked on Windows domains. However, GTA firewalls re-check authentication based on the Valid time configured in the firewall Web interface under Accounts>Authentication>Advanced.

[Figure 6.0: Valid Time Configuration]

The VALID time is the interval, in minutes, at which the firewall re-checks authentication. A smaller number means the firewall checks more frequently for users who have logged off or for changes to the IP address authentication. A larger number means the firewall checks less often for authentication changes.

Q: My users show up in the Monitor section of the firewall. However, they are still unable to access the Internet.
Confirm the user's group and the policy. If the group they are in does not match the group referenced by the policy, the connection will be denied.

Q: How do Terminal Server or Citrix users work with GTA SSOAuth?
Terminal Server and Citrix connections are cases where multiple users share the same host. When users log into a Citrix or Terminal server, the SSOAuth server only sees one IP address. Normally the first user signed into the domain from that host is the one associated with that IP address. The SSOAuth server cannot determine different groups for multiple users on the same host.
Q: How can I tell if the firewall has the correct certificate, or what certificate is being used?
The application event log on your Active Directory server shows the certificate being used by the SSOAuth service. Example:

  Event Type: Information
  Event Source: GTA SSOAuth
  Event Category: None
  Event ID: 0
  Date: 7/28/2008
  Time: 1:17:10 PM
  User: N/A
  Computer: QA-WS2003-2
  Description:
  Selected Certificate:
  [Subject]: CN=qa-ws2003-2.sso.gta.com
  [Issuer]: CN=qa-ws2003-2, DC=sso, DC=gta, DC=com
  [Effective]: 6/16/2008 4:35:07 PM
  [Expires]: 6/16/2009 4:35:07 PM
  [Key Usage]: Digital Signature, Key Encipherment (a0)

Figure 6.1: Event Log

1. Compare the certificate subject from the event log to the certificate subject imported into your firewall and referenced by the service.

[Figure 6.2: Certificate Details]

2. If the certificates do not match, export the certificate using the SSOAuth configuration application and re-import it to the firewall. Verification may give the following error after importing the server certificate:

  WARNING: Certificate 1, status unable to get local issuer certificate.

Figure 6.3: Verification Warning Message

3. To correct the verification, import the authority certificate used to create the Active Directory certificate.
Q: How can I tell the contents of the SSOAuth database?
Using the SSOAuth Configuration Tool you can send the current database to the host's event log. This contains all users currently logged in since the service started.

[Figure 6.4: Events in Event Log]

Q: I just started my SSOAuth service and no users are in the database?
The SSOAuth database is cleared on each restart, and users must log in again to be added to the database.
Legal Notices

Copyright 1996-2009, Global Technology Associates, Incorporated (GTA). All rights reserved. Except as permitted under copyright law, no part of this manual may be reproduced or distributed in any form or by any means without the prior permission of Global Technology Associates, Incorporated.

Technical Support
GTA includes 30 days of up-and-running installation support from the date of purchase. See GTA's Web site for more information. GTA's direct customers in the USA should call or email GTA using the telephone number and email address below. International customers should contact a local Authorized GTA Channel Partner.
Tel: +1.407.380.0220
Email: support@gta.com

Disclaimer
Neither GTA, nor its distributors and dealers, make any warranties or representations, either expressed or implied, as to the software and documentation, including without limitation, the condition of software and implied warranties of its merchantability or fitness for a particular purpose. GTA shall not be liable for any lost profits or for any direct, indirect, incidental, consequential or other damages suffered by licensee or others resulting from the use of the program or arising out of any breach of warranty. GTA further reserves the right to make changes to the specifications of the program and contents of the manual without obligation to notify any person or organization of such changes. Mention of third-party products is for informational purposes only and constitutes neither an endorsement nor a recommendation for their use. GTA assumes no responsibility with regard to the performance or use of these products. Every effort has been made to ensure that the information in this manual is accurate. GTA is not responsible for printing or clerical errors.

Trademarks & Copyrights
GB-OS, Surf Sentinel, Mail Sentinel and GB-Ware are registered trademarks of Global Technology Associates, Incorporated. GB Commander is a trademark of Global Technology Associates, Incorporated. Global Technology Associates and GTA are service marks of Global Technology Associates, Incorporated. Microsoft, Internet Explorer, Microsoft SQL and Windows are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Adobe and Adobe Acrobat Reader are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries. UNIX is a registered trademark of The Open Group. Linux is a registered trademark of Linus Torvalds. BIND is a trademark of the Internet Systems Consortium, Incorporated and University of California, Berkeley. WELF and WebTrends are trademarks of NetIQ. Sun, Sun Microsystems, Solaris and Java are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and/or other countries. Java software may include software licensed from RSA Security, Inc. Some products contain software licensed from IBM, available at http://oss.software.ibm.com/icu4j/. Some products include software developed by the OpenSSL Project (http://www.openssl.org/). Mailshell and Mailshell Anti-Spam are trademarks of Mailshell Incorporated. Some products contain technology licensed from Mailshell Incorporated. All other products are trademarks of their respective companies.

Global Technology Associates, Inc.
3505 Lake Lynda Drive, Suite 109
Orlando, FL 32817 USA
Tel: +1.407.380.0220
Fax: +1.407.380.6080
Web: http://www.gta.com
Email: info@gta.com