SafeWord Domain Login Agent Step-by-Step Guide
Author: Johan Loos
Date: January 2009
Version: 1.0
Contact: johan@accessdenied.be
Table of Contents
Why SafeWord Agent for Windows Domains?
What I've used for this lab
Prepare the environment for SafeWord Token based authentication
  Task List
  Install SafeWord 2008
  Activating SafeWord
  Import token data
  Assigning Tokens to User Accounts
  Create a security group SafeWord_Token_Authentication
  Add user account to the SafeWord_Token_Authentication group
  Configure the agent using the SafeWord Agent for Windows Domains Configuration
  Create a GPO to deploy the Domain Logon Agent
  Create a GPO to configure the Domain Logon Agent
  Logon using your token
SafeWord Domain Login Agent 2
Why SafeWord Agent for Windows Domains?
The SafeWord Agent for Windows Domains provides strong (two-factor) authentication for Windows domain logons from workstations. The Domain Logon Agent (DLA) must be installed on the client workstation; the preferred way to install it is via Group Policy.
The SafeWord Agent does not replace the password for logons on Windows Vista. It is an additional check: both the username/password and the token passcode must be supplied before a user can log on. Before a user can log on with a token, the token must be assigned in Active Directory to that user account; this is done per account.
The DLA consists of three components:
Agent Service (AS): validates the user's passcode against a SafeWord Server.
Sub-authentication Filter (SAF): must be installed on every Windows Server 2008 domain controller. It lets the domain controller perform the additional SafeWord authentication after the user has been successfully authenticated with username/password.
Workstation Agent (WA): must be installed on every Windows Vista workstation in the domain and is responsible for prompting the user for the token passcode at logon.
What I've used for this lab
Name       Software               Role
ADDEVDC01  Windows Server 2008    DC, DNS, SafeWord Server
ADDEVVI01  Windows Vista          Client
Prepare the environment for SafeWord Token based authentication
Task List
1. Install SafeWord 2008
2. Activate SafeWord
3. Import token data
4. Assign tokens to user accounts
5. Create a security group SafeWord_Token_Authentication
6. Add user account to the SafeWord_Token_Authentication group
7. Configure the agent using the SafeWord Agent for Windows Domains Configuration
8. Create a GPO to deploy the Domain Logon Agent
9. Create a GPO to configure the Domain Logon Agent
10. Log on using your token
Install SafeWord 2008
Launch setup.exe.
Enter the product serial number.
On the Welcome page, click Next.
On the License Agreement page, click Yes.
On the Choose Destination Location page, click Next.
On the Select Components page, select SafeWord Server, Management Snap-in for Active Directory and Domain Login Agent, and click Next.
On the Select Program Folder page, click Next.
On the Start Copying Files page, click Next.
On the Please Choose User Management Configuration page, select I will Manage users in Active Directory, and click Next.
On the Server Components page, click Next.
On the Host Address page, verify the domain name and click Next.
On the Complete page, select Yes, I want to restart my computer now and click Finish.
Activating SafeWord
Activation is required if you want to use the software for more than 30 days. To download the activation key and the token data, you activate the product with the SafeWord serial number and the Token Group ID.
Open Active Directory Users and Computers, right click on SafeWord and select Activate Product. A web page opens; enter all the information requested. After registration, the wizard installs all the files needed.
Import token data
Open Active Directory Users and Computers, expand SafeWord, and right click on Import/Backup/Restore.
On the Import Token page, click the Browse button. Navigate to c:\Program Files\Aladdin\SafeWord\ImportData, select importalpine.dat and click Open.
Click the Import button.
Assigning Tokens to User Accounts
A token must be assigned to a user account before that user can log on with it. The token serial number is printed on the back of the token. Optionally, you can also set a PIN code in Active Directory that the user must append to the passcode generated by the token.
Open Active Directory Users and Computers from Administrative Tools.
Right click on the user account to which you want to assign a token and select Properties.
Select the SafeWord tab, type the token serial number, optionally type a PIN code, and click OK.
Create a security group SafeWord_Token_Authentication
Right click on the OU in which you want to create the group and select New - Group.
On the New - Group dialog box, type the name of the group you want to create, for example SafeWord_Token_Authentication, and click OK.
Add user account to the SafeWord_Token_Authentication group
Double click on the SafeWord_Token_Authentication group.
Click on the Members tab and click Add. In the Select Users, Contacts, Computers, or Groups dialog box, under Enter the object names to select, add the user Johan and click OK.
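The two Active Directory steps above (create the group, add the user) as a script, so they can be repeated on further domains and checked afterwards. This is an added example, not part of the original guide and not SafeWord's own tooling: it uses the ActiveDirectory PowerShell module (shipped with RSAT / Windows Server 2008 R2 and later; the 2008 RTM server in the lab does not have it). The OU path, domain and account name are assumptions.

```powershell
# Added example (not from the original guide). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$groupName = 'SafeWord_Token_Authentication'
$ouPath    = 'OU=SafeWord,DC=addev,DC=local'   # assumed OU and domain; adjust to yours
$user      = 'johan'                           # assumed sAMAccountName of the lab user

# Create the group only if it does not already exist, so the script can be re-run safely.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -SamAccountName $groupName `
                -GroupCategory Security -GroupScope Global -Path $ouPath `
                -Description 'Users who must authenticate with a SafeWord token'
}

# Add the user (no error if already a member).
Add-ADGroupMember -Identity $groupName -Members $user

# Verify the direct membership the agent will look up at logon.
$members = Get-ADGroupMember -Identity $groupName | Select-Object -ExpandProperty SamAccountName
if ($members -contains $user) {
    "OK: $user is a member of $groupName"
} else {
    throw "Membership check failed: $user is not in $groupName"
}
```

Keep the group a global security group (as created here and in the GUI steps); the agent configuration later in this guide refers to it by name, so the name must match exactly.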
Configure the agent using the SafeWord Agent for Windows Domains Configuration
Open Domain Login Agent Configuration from Start - Programs - Aladdin - SafeWord - Configuration.
Click on the Authentication engine button.
Type the hostname/IP address of the server running the SafeWord Server application. Also specify the correct port number on which that server accepts requests from the DLA, and click OK.
Click on the Settings button.
Click on the Sub-Authentication filter tab and verify that the computer accounts of your domain controllers are listed here.
Click on the Key Management tab and make a note of the Public Key and the Private Key; they are needed later when the Group Policy settings are configured. Click OK.
Click on the Groups button.
On the Required Authentication Group Policy dialog box, select Only users in this group authenticate using SafeWord, select the group SafeWord_Token_Authentication and click OK.
Create a GPO to deploy the Domain Logon Agent
Open Group Policy Management from Administrative Tools.
Expand the domain, right click on Group Policy Objects and select New.
On the New GPO dialog box, type SafeWord Domain Agent for Clients and click OK.
Right click on SafeWord Domain Agent for Clients, select GPO Status, and select User Configuration Settings Disabled.
Right click on SafeWord Domain Agent for Clients and select Edit.
Expand Computer Configuration - Policies - Software Settings - Software Installation.
Right click on Software Installation and select New - Package. Select DomainLoginDesktopAgentSC_x86.msi and click Open.
On the Deploy Software dialog box, select Assigned and click OK.
Close Group Policy Management Editor.
Link the GPO to the OU that contains the computers that must authenticate using SafeWord.
Restart the client computer.
Note: You can find DomainLoginDesktopAgentSC_x86.msi under c:\Program Files\Aladdin\SafeWord\Domain Login Desktop Agent Windows Installer.
Note: Select the package through a UNC path (a share) that the client computer accounts can read, not through the local c:\ path on the domain controller. An assigned package is installed by the client under its computer account at boot, so a path that only resolves on the DC will fail silently on the client.
Create a GPO to configure the Domain Logon Agent
Open Group Policy Management from Administrative Tools.
Expand the domain, right click on Group Policy Objects and select New.
On the New GPO dialog box, type SafeWord Authentication and click OK.
Right click on SafeWord Authentication, select GPO Status, and select User Configuration Settings Disabled.
Right click on SafeWord Authentication and select Edit.
Expand Computer Configuration - Policies - Administrative Templates, right click on Administrative Templates and select Add/Remove Templates.
On the Add/Remove Templates dialog box, click Add.
Browse to c:\Program Files\Aladdin\SafeWord\Domain Login Agent\ADM Template Files.
Select SccDLA.adm and SCCWorkStnAgent.adm and click Open.
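The GPO creation, status and linking steps of the two sections above as a script, plus the share check from the note. This is an added example, not part of the original guide: it uses the GroupPolicy PowerShell module (RSAT / Windows Server 2008 R2 and later). The Software Installation package and the ADM template settings have no cmdlet and are still added in the editor as described. The domain, workstation OU and share path are assumptions.

```powershell
# Added example (not from the original guide). Requires the GroupPolicy module.
Import-Module GroupPolicy

$domainDn   = 'DC=addev,DC=local'                 # assumed domain
$clientOuDn = "OU=Workstations,$domainDn"         # assumed OU holding the Vista clients

# Creates (or reuses) a GPO and disables its user half, since only Computer Configuration is used.
function New-ComputerOnlyGpo {
    param([string]$Name, [string]$Comment)
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment $Comment }
    $gpo.GpoStatus = 'UserSettingsDisabled'        # same as "User Configuration Settings Disabled"
    return $gpo
}

$deployGpo = New-ComputerOnlyGpo -Name 'SafeWord Domain Agent for Clients' `
                                 -Comment 'Assigns DomainLoginDesktopAgentSC_x86.msi'
$configGpo = New-ComputerOnlyGpo -Name 'SafeWord Authentication' `
                                 -Comment 'Agent Service, SAF and Workstation Agent settings'

# Link as the guide does: deployment to the workstation OU, configuration at domain level.
# New-GPLink errors if the link already exists, hence SilentlyContinue for re-runs.
New-GPLink -Name $deployGpo.DisplayName -Target $clientOuDn -LinkEnabled Yes -ErrorAction SilentlyContinue
New-GPLink -Name $configGpo.DisplayName -Target $domainDn   -LinkEnabled Yes -ErrorAction SilentlyContinue

# The assigned MSI is installed by the client's computer account at boot, so the package source
# must be a UNC path readable by Domain Computers. Check that before pointing the package at it.
$msiPath = '\\ADDEVDC01\SafeWordInstall\DomainLoginDesktopAgentSC_x86.msi'   # assumed share
if (-not (Test-Path $msiPath)) {
    Write-Warning "Package not reachable at $msiPath"
} else {
    $acl     = Get-Acl (Split-Path $msiPath)
    $readers = $acl.Access | Where-Object {
        $_.IdentityReference -match 'Domain Computers|Authenticated Users' -and
        $_.FileSystemRights  -match 'Read'
    }
    if (-not $readers) {
        Write-Warning 'Domain Computers have no NTFS read access to the package folder; assignment will fail at boot'
    }
}

Get-GPO -All | Where-Object { $_.DisplayName -like 'SafeWord*' } |
    Select-Object DisplayName, GpoStatus, Id
```

The NTFS check only covers the folder ACL; the share permissions on the share itself must also grant at least Read to Domain Computers or Authenticated Users.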
Click Close.
Expand Computer Configuration - Policies - Administrative Templates - Classic Administrative Templates.
Select SafeWord - Agent Service Settings.
Double click on Set the public key for encryption. On the Set the public key for encryption Properties dialog box, select Enabled, type the Public Key you noted earlier, and click OK.
Double click on Set the private key for encryption. On the Set the private key for encryption Properties dialog box, select Enabled, type the Private Key you noted earlier, and click OK.
Note: Administrative Template settings are written to the GPO in SYSVOL, which every Authenticated User in the domain can read. Because this GPO is linked at domain level, the private key is therefore readable by all domain members. Treat this GPO as sensitive: restrict it with security filtering (or link it only to the OU containing the domain controllers that run the Agent Service) so that only the machines that need the private key receive it, and keep the Workstation Agent and SAF settings, which only need the public key, in a separate GPO if you want a cleaner split.
Double click on Host Exclusion List. On the Host Exclusion List Properties dialog box, select Enabled, type the Windows group that is exempted from SafeWord authentication (its members log on with username and password only), and click OK.
Double click on SafeWord Authentication Group Name. On the SafeWord Authentication Group Name Properties dialog box, type the Windows group whose members must authenticate with SafeWord (SafeWord_Token_Authentication) and click OK.
Double click on Select which users will authenticate using SafeWord. On the Select which users will authenticate using SafeWord Properties dialog box, select Only users from specified group and click OK.
Double click on Group Lookup Domain Name. On the Group Lookup Domain Name Properties dialog box, select Enabled, type the name of the domain to which the users belong, and click OK.
Click on SafeWord Sub-Authentication Filter Settings.
Double click on Public Key. On the Public Key Properties dialog box, type the Public Key you noted earlier and click OK.
Double click on Protocol Type. On the Protocol Type Properties dialog box, select Enabled, select TCP/IP from the list box and click OK.
Select SafeWord - Workstation Agent Settings.
Double click on Public Key. On the Public Key Properties dialog box, type the Public Key you noted earlier and click OK.
Close Group Policy Management Editor.
Link the GPO at domain level.
Refresh Group Policy on the domain controllers.
Refresh Group Policy on the client computers.
Logon using your token
After restarting the client computers, the logon screen looks slightly different: an extra SafeWord Passcode field appears below the password field.
Type in your password and, in the SafeWord Passcode field, the one-time password generated by your token (followed by your PIN code, if one was set on the account).
Note: The SafeWord token does not replace your password; it adds a second factor, which protects against attacks that only recover or guess the password.
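Before trying the token logon, it is worth checking on a client that the Group Policy refresh above actually delivered both GPOs and that the pieces they depend on are in place. The following checks are an added example, not part of the original guide and not SafeWord tooling; the product display-name pattern and the server name are assumptions, and the port is the one entered under Authentication engine.

```powershell
# Added example (not from the original guide): post-deployment checks, run elevated on a client.

# Force a computer-policy refresh first (the same as the "Refresh Group Policy" step).
gpupdate /target:computer /force | Out-Null

# 1. Did the assigned MSI install? Read the Uninstall keys (fast; Win32_Product is slow and
#    triggers MSI reconfiguration). Display name pattern is assumed.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$agent = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like '*SafeWord*' }
if ($agent) { "Installed: $($agent.DisplayName -join ', ')" }
else        { Write-Warning 'No SafeWord package found; check the GPO link, share permissions and reboot' }

# 2. Did both GPOs apply to this computer? gpresult lists the applied GPOs by display name.
$applied = gpresult /r /scope:computer | Select-String 'SafeWord'
if ($applied) { $applied | ForEach-Object { "Applied: $($_.Line.Trim())" } }
else          { Write-Warning 'No SafeWord GPO in gpresult; check links, security filtering and GPO status' }

# 3. Can the Agent Service reach the SafeWord Server on the configured port?
#    TcpClient is used so this works on every Windows PowerShell version (Test-NetConnection is newer).
function Test-SafeWordPort {
    param(
        [string]$ComputerName = 'ADDEVDC01',   # lab server from the guide
        [Parameter(Mandatory = $true)][int]$Port   # value entered under Authentication engine
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try     { $client.Connect($ComputerName, $Port); return $client.Connected }
    catch   { return $false }
    finally { $client.Close() }
}
```

Run check 3 from each domain controller (where the Agent Service runs), not only from the client: a workstation can show the passcode prompt while the DC still cannot reach the SafeWord Server, and logons will then fail after the password step.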