CRYPTOLogon Agent for Windows Domain Logon Authentication. Deployment Guide. Copyright 2002-2003, CRYPTOCard Corporation, All Rights Reserved.




CRYPTOLogon Agent for Windows Domain Logon Authentication Deployment Guide

Table of Contents

1. Overview
1.1 Single Authentication Mode (MS-GINA Replacement)
1.2 Dual Authentication Mode (MS-GINA Filter)
1.3 Local Machine Logon
1.4 Terminology
2. CRYPTOLogon Features and Deployment Considerations
2.1 Interoperability
2.2 Compatibility
2.3 Operation
2.4 Typical Logon Sequence
2.5 CRYPTOLogon Security Features
2.6 Deployment Considerations
2.7 Deployment Methods
3. Installation
3.1 Prerequisites
3.2 Installation Sequence
3.3 Step 1 - RADIUS Server Configuration for Single or Dual Authentication Mode
3.3.1 For easyradius
3.3.2 For Funk Steel-Belted Radius
3.3.3 For Cisco Secure
3.4 Step 2 - Additional RADIUS Server Configuration for Single Authentication Mode Only
3.4.1 For easyradius
3.4.2 For Funk Steel-Belted Radius
3.4.3 For Cisco Secure ACS Radius
3.5 CRYPTOLogon Installation
3.5.1 Typical Installation
3.5.2 Custom Install
4. Using CRYPTOLogon
4.1 Using CRYPTOLogon in Dual Authentication Mode
4.2 Using CRYPTOLogon in Single Authentication Mode
4.3 Troubleshooting
4.3.1 On Windows
4.3.2 On RedHat
4.3.3 On Solaris
4.4 Logging on to Multiple Domains in Single Authentication Mode

For assistance mailto:support@cryptocard.com

1. Overview

CRYPTOLogon is a strong user authentication agent for Windows NT, 2000, and XP based computers. It provides two-factor authentication for LANs (Windows domain) and local machine logon. It can be used in one of two modes:

1.1 Single Authentication Mode (MS-GINA replacement)

In this mode, an End-user is required to authenticate against a CRYPTOAdmin SPT Server using their CRYPTOCard token. The End-user is immediately logged onto the domain after a successful CRYPTOCard authentication.

Single Authentication Mode is ideal where there is no requirement for the End-user to know a Microsoft User Name / Password. In this mode, a token is used to access the network regardless of the End-user's location in the network, giving the End-user a single, universal logon method from any point in the network. The user does not need to know a Microsoft User Name / Password and is therefore not required to periodically change their password, although they retain their network access and privileges.

In Single Authentication Mode the MS-GINA module is replaced with the CRYPTOCard CCGina module. Note that some 3rd party applications (such as some VPN clients) also perform an MS-GINA replacement, which will conflict with Single Authentication Mode. If this is a concern, Dual Authentication Mode should be selected.

1.2 Dual Authentication Mode (MS-GINA filter)

In this mode, a user is required to authenticate against a CRYPTOAdmin SPT Server using their CRYPTOCard token. After the successful CRYPTOCard authentication, the user must then provide their Microsoft User Name / Password to complete the logon process.

Dual Authentication Mode is most commonly employed where a different logon method is desired depending on the location of the user. For example, Dual Authentication Mode could require both CRYPTOCard authentication and a Microsoft User Name / Password for remote access to a Terminal Server, but only a Microsoft User Name / Password for local access to the same facility. Dual Authentication Mode can be used with the existing MS-GINA or any 3rd party (e.g. VPN Client) GINA module.

1.3 Local Machine Logon

CRYPTOLogon also protects access to the local machine. Once installed, an ST-1/EUS Software or SC-1/EUS Smart Card token is required to log on to the local machine and gain access to the desktop. These tokens may also be used for VPN, Web server and all other authentication requirements.

1.4 Terminology

Shared Secret: an alphanumeric string (key) used to encrypt communications between the RADIUS Client (in this case the CRYPTOLogon enabled workstation) and the RADIUS Server. It is recommended that each client use a unique key.

Token Name: the name assigned to a token in the CRYPTOAdmin Server. Though not mandatory, it is recommended that the Windows User Name and the token name be identical to minimize CRYPTOLogon configuration.

EUS: used throughout this document to refer to functionality common to all supported token types (ST-1, SC-1).

ST-1/EUS: distinguishes implementation or usage specific to the ST-1 software token.

SC-1/EUS: collectively the SC-1 and EUS are referred to as SC-1/EUS. The term distinguishes implementation or usage specific to the SC-1 smart card token.

SC-1: tokens that are installed on a smart card. The SC-1 smart card interfaces with the end-user computer through either a USB reader or a PC Card (PCMCIA). The EUS provides the application level interface between the SC-1 token and the end-user, agent or plug-in.

ST-1: tokens that are installed on the end-user computer. This token type is strictly a software token. The EUS provides the application level interface between the ST-1 token and the end-user, agent or plug-in. Collectively the ST-1 and EUS are referred to as ST-1/EUS.

KT-1: a hardware token that can be placed on a key chain.

RB-1: a hardware token which resembles a calculator.

End-user: the person that will use a token to gain access to a CRYPTOCard protected network. In the context of this document, end-users do not have administrator rights on the domain or the local computer.

2. CRYPTOLogon Features and Deployment Considerations

2.1 Interoperability

CRYPTOLogon is available for Windows NT4, 2000, and XP based systems. However, operating system support for smart cards is not yet universal, so the SC-1 is available for a smaller range of computing environments. The following chart reflects interoperability at time of publication.

CRYPTOLogon Interoperability chart: token types ST-1/EUS, SC-1/EUS and KT-1/RB-1 against the following CRYPTOLogon installation environments: Windows NT 4.0 SP6; Windows 2000 (SP3 required for SC-1); Windows XP SP1; Windows 2000 Terminal Server; Windows Citrix Metaframe Server.

2.2 Compatibility

CRYPTOLogon can be used with any CRYPTOCard token type. Either an ST-1/EUS or SC-1/EUS must be installed on computers that will be used when not connected to the LAN. Computers that are always connected to the LAN are not required to have the /EUS tokens installed.

CRYPTOLogon provides advanced functionality, security and interoperability and is designed for use with the CRYPTOAdmin 5.32 SPT Authentication Server. The ST-1 application and tokens prior to Version 5.32 cannot be used with CRYPTOLogon version 5.32. Earlier versions of ST-1 tokens can be upgraded for use with the EUS as required. The upgrade does not require tokens to be reissued.

2.3 Operation

CRYPTOLogon is invoked during system boot and any interactive logon (Ctrl+Alt+Del). In addition to domain logon, it can be configured to require an authentication to unlock a workstation or terminate a screen saver. If using the SC-1/EUS Smart Card, CRYPTOLogon may be configured to lock the workstation when the smart card is removed. It may be further configured to allow only the locking user to unlock the workstation, or to allow any user with a valid CRYPTOCard token to do so. The latter is useful in shared workstation environments such as nursing stations. The keyboard can be unlocked only by re-authenticating.

2.4 Typical Logon Sequence

Single Authentication Mode:

1. The user unlocks the token with their secret security PIN.
2. The token generates a new, one-time password.
3. The password is entered into the CRYPTOLogon dialogue box, automatically (ST-1/EUS or SC-1/EUS) or manually (RB-1, KT-1). The actual user experience varies with the token type, from fully transparent with EUS tokens to manual input of the one-time password with hardware tokens.
4. The CRYPTOAdmin SPT Server authenticates the user and returns an access accept to CRYPTOLogon.
5. In Single Authentication Mode the End-user is now logged onto the domain. In Dual Authentication Mode the End-user must now enter their Microsoft User Name / Password for authentication against the Domain Controller, after which the End-user is logged onto the domain.

Note that if the computer is not connected to the domain, the End-user must enter the token's secret security PIN (ST-1/EUS or SC-1/EUS) to enable the token, allowing the computer to continue booting.

2.5 CRYPTOLogon Security Features

CRYPTOLogon provides the following features, which can be modified to suit your network security needs. Y = standard feature, set according to security policy; RB-1 and KT-1 are hardware tokens, ST-1 and SC-1 are EUS tokens.

CRYPTOLogon Security Features                   RB-1  KT-1  ST-1  SC-1
Select a Domain Name Separator Character        Y     Y     n/a   n/a
Display Default Username                        Y     Y     n/a   n/a
Don't Display the Last Username                 Y     Y     n/a   n/a
Enable CRYPTOCard Options Button                n/a   n/a   Y     Y
Enable Shutdown Button                          Y     Y     Y     Y
Lock Workstation on Removal                     n/a   n/a   n/a   Y
Logoff Workstation on Removal                   n/a   n/a   n/a   Y
Lock Workstation on Screensaver Timeout         Y     Y     Y     Y
Default Shutdown Setting: Restart or Shutdown   Y     Y     Y     Y
User Filter Choice (see note)                   Y     Y     Y     Y
Legal Notice Caption                            Y     Y     Y     Y
Legal Notice Text                               Y     Y     Y     Y
Shutdown workstation without logging off        Y     Y     Y     Y

Note: User Filter Choice is a checkbox that allows the user to choose Windows Authentication after successfully logging on to the CRYPTOAdmin SPT Server.

2.6 Deployment Considerations

An end-user or administrator can apply new ST-1/SC-1 tokens, but administrator rights are required to remove or reapply a token to the EUS. A CRYPTOCard token is locked when the threshold of consecutive incorrect PIN attempts is exceeded. A locked token cannot be re-enabled; locked tokens are replaced by removing and re-issuing the token.

Function                     End-user                  Administrator
                             ST-1/SC-1   RB-1/KT-1     ST-1/SC-1   RB-1/KT-1
Install CRYPTOLogon          Yes         Yes           Yes         Yes
Install EUS                  Yes         Yes           Yes         Yes
Apply token                  Yes         n/a           Yes         n/a
Reapply/Reinitialize token   No          No            Yes         Yes
Delete/Rename token          No          No            Yes         Yes
Unlock token                 No          No            No          No

2.7 Deployment Methods

Deployment of CRYPTOLogon requires the following:

1. Installation of CRYPTOLogon and a CRYPTOCard ST-1/EUS or SC-1/EUS on any computer that will be used when disconnected from the LAN. This can be done using standard practices including local installation, Microsoft SMS, drive ghosting etc.
2. Delivery of the CRYPTOCard tokens to the end-user / machine. For software tokens this can be accomplished by any practical means including local installation or email.
3. Initialization of the CRYPTOCard token using the initial deployment PIN. The PIN can be delivered to the end user using any practical means. If using electronic deployment, it is good practice to deliver the initialization file and the initial deployment PIN separately.

CRYPTODeploy is an optional web based enrolment system for CRYPTOCard applications and software and hardware tokens. It provides for both Push and Pull deployment. Push provides the administrator with the facility to deliver a CRYPTOCard application and the tokens to pre-approved end-users. Pull provides a method for end-users to request a token and, upon approval, receive the token and the CRYPTOCard application.

In both cases, the user is directed by email to a unique URL for one-time pick-up and installation of either a CRYPTOCard Application or an ST-1/SC-1 token. A separate email provides the initial deployment PIN required to complete the installation. The URL is invalidated after installation of the CRYPTOCard token. Contact sales@cryptocard.com for more information about CRYPTODeploy.

3. Installation

3.1 Prerequisites

The following systems must be installed and functioning prior to installing and testing CRYPTOLogon:

1. CRYPTOAdmin SPT Server must be installed with one of the following RADIUS servers: easyradius (included with CRYPTOAdmin SPT Server), Cisco Secure ACS v2.6+ or Funk Steel Belted RADIUS 2.27+.
2. The End-user (NT/2000/XP) must be able to log on to the domain using a standard Microsoft user name / password.
3. The End-user must have a valid CRYPTOCard token issued by the CRYPTOAdmin SPT Server. Any token type can be used; however, either an ST-1/EUS or SC-1/EUS token must be installed if the computer will be used when disconnected from the LAN. Refer to the SC-1/EUS and ST-1/EUS Token Deployment Guide for installation instructions.
4. For Single Authentication Mode only: an account called cryptocard with an initial password of 111111 or "1111,AAAA,zzzz" (whichever is compatible with your password policy) must be configured on the domain controller. This account must have the right to modify domain passwords. Normally it is sufficient to add the cryptocard account to the Account Operators group. Bear in mind that if a user is part of a group which has more rights than an account operator, the cryptocard account will not be able to reset that user's password. This account is not required for Dual Authentication Mode.
5. The following information is also required: the IP address of the RADIUS server, the port number used by the RADIUS server and the shared secret.
6. Install CRYPTOLogon in Single Mode if upgrading a previous CRYPTOLogon implementation.

3.2 Installation Sequence

1. Configure the RADIUS Server for CRYPTOLogon.
2. Install EUS based tokens, if required.
3. Install the CRYPTOLogon Agent.

3.3 Step 1 - RADIUS Server Configuration for Single or Dual Authentication Mode

Every CRYPTOLogon enabled workstation must be registered as a RADIUS Client with the RADIUS Server. Be sure to verify the RADIUS port values; they should be either 1645 or 1812.

3.3.1 For easyradius

Edit the clients file. On Windows systems it can be found in \Program Files\CRYPTOCard\CRYPTOAdmin\server; on Solaris / Linux systems it can be found in the /etc/cryptocard directory. Include the IP address and shared secret for each CRYPTOLogon enabled workstation. By default, the shared secret is "testing123" (without the quotes). A network bit mask can be used to define a group of IP addresses. For example, 192.168.10.0/24 testing123 will enable the entire class C subnet using a shared secret of testing123.

    192.168.10.0/24 testing123
    localhost       testing123
    127.0.0.1       testing123

3.3.2 For Funk Steel-Belted Radius

Register each CRYPTOLogon enabled workstation as a RAS Client in Funk SBR.

3.3.3 For Cisco Secure

Register each CRYPTOLogon enabled workstation as a NAS client in Cisco Secure ACS. You must also create an account in Cisco Secure ACS that matches each CRYPTOCard Token Name.

RADIUS Server configuration is complete for Dual Authentication Mode implementations. Go to Section 3.5 CRYPTOLogon Installation.

3.4 Step 2 - Additional RADIUS Server Configuration for Single Authentication Mode Only

3.4.1 For easyradius

A default entry must be created in the easyradius users file. On Windows systems it can be found in \Program Files\CRYPTOCard\CRYPTOAdmin\server; on Solaris / Linux systems it can be found in the /etc/cryptocard directory. A DEFAULT entry applies to all users. DEFAULT entries are placed at the bottom of the users file:

    DEFAULT Auth-Type = CRYPTOCard
            NT-Domain = MyDomain

Note: only one domain can be specified per DEFAULT entry. If you need to configure multiple domains, refer to the Troubleshooting section.

If a CRYPTOCard token name does not match the NT username, an entry for that token must be placed in the users file. User entries are normally placed at the top of the users file but can be placed at the bottom:

    CryptoCardTokenName Auth-Type = CRYPTOCard
            NT-Username = bob, NT-Domain = MyDomain

More configuration examples can be found in the users file.
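As an added example (not CRYPTOCard's code), the following Python works through the two easyradius files described in 3.3.1 and 3.4.1: it audits a clients file for the default shared secret, a secret reused across workstations and a secret that covers a whole network, and it resolves a token name to an NT username and domain the way the per-token and DEFAULT entries are described. The exact file layout is assumed from the fragments above, and both sample files are constructed.

```python
"""Audit an easyradius clients file and resolve CRYPTOCard token names through
the users file, following sections 3.3.1 and 3.4.1 of the guide.
Added example, not CRYPTOCard code. File layouts are assumed from the fragments
shown: clients holds "<host-or-network> <shared-secret>" pairs; users holds
"<name> Auth-Type = CRYPTOCard" plus an indented line of "Attribute = value"
pairs separated by commas (NT-Username, NT-Domain)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

DEFAULT_SECRET = "testing123"  # factory default named in section 3.3.1

CLIENTS_FILE = """\
# constructed sample, not from a real deployment
192.168.10.0/24  testing123
192.168.11.17    Qp7vx9RzLm2
192.168.11.18    Qp7vx9RzLm2
127.0.0.1        testing123
"""

USERS_FILE = """\
# constructed sample: explicit entries first, DEFAULT last (section 3.4.1)
bobtoken    Auth-Type = CRYPTOCard
            NT-Username = bob, NT-Domain = MyDomain
DEFAULT     Auth-Type = CRYPTOCard
            NT-Domain = MyDomain
"""


def parse_clients(text: str) -> List[Tuple[str, str]]:
    """Return (client, shared_secret) pairs, skipping blanks and comments."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            pairs.append((fields[0], fields[1]))
    return pairs


def audit_clients(pairs: List[Tuple[str, str]]) -> List[str]:
    """Flag the default secret left in place, one secret reused by several
    clients, and one secret covering a whole network (the guide recommends a
    unique key per client)."""
    findings: List[str] = []
    by_secret: Dict[str, List[str]] = defaultdict(list)
    for client, secret in pairs:
        by_secret[secret].append(client)
        if secret == DEFAULT_SECRET:
            findings.append(f"{client}: default shared secret in use")
        try:
            net = ipaddress.ip_network(client, strict=False)
        except ValueError:
            continue  # a hostname such as 'localhost': treat as one client
        if net.num_addresses > 1:
            findings.append(f"{client}: one secret covers {net.num_addresses} hosts")
    for secret, clients in by_secret.items():
        if len(clients) > 1:
            findings.append(f"secret reused by {len(clients)} clients: " + ", ".join(clients))
    return findings


def parse_users(text: str) -> Dict[str, Dict[str, str]]:
    """Map each entry name to its attributes; an indented line continues the entry above."""
    users: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            attrs = line if current is not None else ""
        else:
            parts = line.split(None, 1)
            current, attrs = parts[0], (parts[1] if len(parts) > 1 else "")
            users[current] = {}
        for item in attrs.split(","):
            key, _, value = item.partition("=")
            if key.strip():
                users[current][key.strip()] = value.strip()
    return users


def resolve(token_name: str, users: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """(NT-Username, NT-Domain) for a token name: an explicit entry wins, otherwise
    DEFAULT applies and the NT username equals the token name, as the guide assumes."""
    entry = users.get(token_name) or users.get("DEFAULT")
    if not entry or entry.get("Auth-Type") != "CRYPTOCard" or not entry.get("NT-Domain"):
        return None
    return entry.get("NT-Username", token_name), entry["NT-Domain"]
```

Run `audit_clients(parse_clients(CLIENTS_FILE))` against a real clients file before adding workstations; a finding for every entry means the default secret was never changed.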

3.4.2 For Funk Steel-Belted Radius

Each CRYPTOCard Token must be part of a CRYPTOAdmin group, and an identical profile must be created in Steel-Belted Radius. The profile must have a Filter-ID attribute in the Return-List that specifies the NT domain for those users.

The graphic shows the Steel-Belted Radius administrator GUI. Since the end-user has a CRYPTOCard token account in the CRYPTOCARD group, a CRYPTOCARD profile has been created that specifies that these users are from the MyDomain Windows NT domain.

3.4.3 For Cisco Secure ACS Radius

The profile must have a Filter-ID attribute that specifies the NT domain for that user. If the token name is not the same as the NT username, a Filter-ID attribute for the NT username must also be included.

The graphic shows the Cisco Secure setting for a CRYPTOCard token account. Since this end-user has a CRYPTOCard token with a different name from their NT account, their NT username is included (shown here as NTusername). Furthermore, the NT domain that this user is from is specified as MyDomain. These attributes can be set both at the group level and at the user level. Therefore, the NT domain can be specified at the group level in Cisco Secure, and NT usernames can be specified as needed at the user level.

3.5 CRYPTOLogon Installation

The CRYPTOLogon install package requires the Microsoft MSI Installer software. Windows NT 4.0 does not include this product by default.

Select Typical to install CRYPTOLogon in Dual Authentication Mode with no End-user options. Select Custom to install CRYPTOLogon in Single Authentication Mode or to add End-user options to Dual Authentication Mode.

3.5.1 Typical Installation

Registry Settings:
- Dual Authentication Mode forces users to authenticate to the CRYPTOAdmin SPT Server prior to authenticating to a Microsoft Domain Controller. (FilterMode = 1)
- The workstation is locked on removal of the SC-1 Smart Card or on screen saver activation. (LockWorkStnOnRemoval = 1; LockWorkStnOnTimeout = 1)

3.5.2 Custom Install

Registry Settings (setup screen if the SC-1 Smart Card Token is selected):
- Enable Options button: permits the End-user to enable/disable locking the workstation on screen saver activation or on SC-1 smart card removal.
- Enable Shutdown button: display/hide the shutdown button.
- Allow Any User to Unlock Desktop: by default the workstation can only be unlocked by the current End-user. If selected, any valid CRYPTOCard Token can unlock the workstation.
- Maximum Unlock Attempts: the maximum number of consecutive incorrect Token PIN attempts permitted by CRYPTOLogon. If exceeded, the End-user is logged off. This value should be lower than the maximum number of consecutive incorrect PIN attempts permitted for the ST-1 or SC-1 token, so that CRYPTOLogon logs the user off before the token itself locks (a locked token cannot be re-enabled, see 2.6).

4. Using CRYPTOLogon

4.1 Using CRYPTOLogon in Dual Authentication Mode

Once the workstation has rebooted you will be prompted with a CRYPTOCard Secure Password Logon window. The CRYPTOCard logon screen will vary depending on the type of token being used. For Software or Smart Card tokens, CRYPTOLogon will query the CRYPTOCard EUS and a list of all available tokens will appear in the Token Name drop down box. Select your token, enter the PIN and click OK. For Hardware tokens such as the RB-1 and the KT-1, enter the User name and response, then click OK. If all token types were selected during the installation, you will be able to choose the token type by selecting the Use Hardware Token or Use Software Token buttons.

(Logon screen illustrations: Software or Smart Card Token; Hardware Token.)

Once authenticated to the CRYPTOAdmin SPT server, a Microsoft Windows logon screen will appear.

4.2 Using CRYPTOLogon in Single Authentication Mode

Once the workstation has rebooted you will be prompted with a CRYPTOCard Secure Password Logon window. The CRYPTOCard logon screen will vary depending on the type of token being used. For Software or Smart Card tokens, CRYPTOLogon will query the CRYPTOCard EUS and a list of all available tokens will appear in the Token Name drop down box. Select your token, enter the PIN and click OK. For Hardware tokens such as the RB-1 and the KT-1, enter the User name and response, then click OK. If all token types were selected during the installation, you will be able to choose the token type by selecting the Use Hardware Token or Use Software Token buttons.

(Logon screen illustrations: Software or Smart Card Token; Hardware Token.)

The End-user is logged onto the domain after a successful authentication. If the RADIUS Server cannot be found (i.e. the computer is disconnected from the LAN), the End-user must first complete the CRYPTOCard Logon and then enter their Microsoft password for the local machine. Note that the End-user cannot use a cached password to log on to the domain account.

4.3 Troubleshooting

Troubleshooting connection problems

If you are experiencing continuous authentication failures, try running the CRYPTOAdmin service and the easyradius service in the foreground.

4.3.1 On Windows

From the Services icon in the Control Panel, stop both the CRYPTOAdmin and easyradius services. Open a Command Prompt and go to the \Program Files\CRYPTOCard\CRYPTOAdmin\Server directory. Enter the command "radiusd -sfxxyz -l stdout" (without the quotes). The screen should display the message "Ready to process requests". This sends all output to the screen, allowing you to see in real time all activity occurring on the RADIUS Server.

4.3.2 On RedHat

From a console type /etc/rc.d/init.d/radiusd stop. Then type /etc/rc.d/init.d/radiusd start debug. The screen should display the message "Ready to process requests".

4.3.3 On Solaris

From a console type /etc/init.d/radiusd stop. Then type /etc/init.d/radiusd start debug. The screen should display the message "Ready to process requests".

Place CRYPTOLogon in debug mode: open the registry editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\CRYPTOLogon\CurrentVersion. Create a new string value called Debug with the value data deadca. Restart the workstation.

If using a third party RADIUS server, refer to its troubleshooting documentation.

4.4 Logging on to multiple domains in Single Authentication Mode

Hardware token users using Single Authentication Mode on Windows workstations can log on to multiple domains. The default domain separator character (a period) can be used to specify an alternate domain.

Example: Bob.mydomain

The domain separator character can be changed in the registry. Open the registry editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\CRYPTOLogon\CurrentVersion. Modify the DomainSeparatorCharacter value data and specify the character to use as a separator.

If you encounter a problem that cannot be solved using the tips above, contact support@cryptocard.com or call us at (800) 307-7042 or +1-613-599-2441, Monday through Friday 8:30 am to 5:00 pm EST.
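As an added example (not CRYPTOCard's code), this Python parses a regedit export of the CurrentVersion key named in 4.3 and 4.4 and reports a Debug value left in place after troubleshooting, lock settings that differ from the Typical installation values in 3.5.1, and a DomainSeparatorCharacter that is not a single character. The value names come from the guide; the value types (REG_DWORD for FilterMode and the LockWorkStn* values, REG_SZ for the rest) and the sample export are assumptions.

```python
"""Check an exported CRYPTOLogon registry key against the settings described in
sections 3.5.1 and 4.3 of the guide: Debug should not be left in place after
troubleshooting, and the lock-on-removal / lock-on-timeout values should be 1.
Added example, not CRYPTOCard code. Value names come from the guide; treating
FilterMode and the LockWorkStn* values as REG_DWORD is my assumption."""
import re
from typing import Dict, List, Union

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\CRYPTOLogon\CurrentVersion"
Value = Union[int, str]

# Constructed .reg export (regedit writes UTF-16; decode before parsing):
# a workstation left in debug mode with screen-saver locking switched off.
REG_EXPORT = f"""Windows Registry Editor Version 5.00

[{KEY}]
"FilterMode"=dword:00000001
"LockWorkStnOnRemoval"=dword:00000001
"LockWorkStnOnTimeout"=dword:00000000
"DomainSeparatorCharacter"="."
"Debug"="deadca"
"""

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Parse the subset of .reg syntax CRYPTOLogon uses: REG_DWORD values
    (dword:xxxxxxxx -> int) and quoted REG_SZ strings. Other types stay raw."""
    keys: Dict[str, Dict[str, Value]] = {}
    current: Dict[str, Value] = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _SECTION.match(line):
            current = keys.setdefault(m.group(1), {})
        elif m := _VALUE.match(line):
            name = re.sub(r"\\(.)", r"\1", m.group(1))
            data = m.group(2)
            if data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])
            else:
                current[name] = data
    return keys


def check_cryptologon(values: Dict[str, Value]) -> List[str]:
    """Return one finding per deviation from the recommended settings."""
    findings = []
    if "Debug" in values:
        findings.append(f'Debug="{values["Debug"]}" still set: debug mode was '
                        "enabled for troubleshooting (4.3) and not removed")
    for name, what in (("LockWorkStnOnRemoval", "SC-1 smart card removal"),
                       ("LockWorkStnOnTimeout", "screen saver timeout")):
        if values.get(name) != 1:
            findings.append(f"{name}={values.get(name)!r}: workstation is not locked on {what}")
    sep = values.get("DomainSeparatorCharacter", ".")
    if not isinstance(sep, str) or len(sep) != 1:
        findings.append(f"DomainSeparatorCharacter={sep!r} is not a single character")
    return findings


if __name__ == "__main__":
    for finding in check_cryptologon(parse_reg(REG_EXPORT).get(KEY, {})):
        print(finding)
```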