Protecting Juniper SA using Certificate-Based Authentication. Quick Start Guide


Protecting Juniper SA using Certificate-Based Authentication

Copyright 2013 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice. SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this manual are trademarks of their respective owners. SafeNet hardware and/or software products described in this document may be protected by one or more U.S. patents, foreign patents, or pending patent applications. Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Support

SafeNet technical support specialists can provide assistance when planning and implementing SafeNet Authentication Service. In addition to aiding in the selection of the appropriate authentication products, SafeNet can suggest deployment procedures that will provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. SafeNet works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a SafeNet channel partner, please contact your partner directly for support needs.
To contact SafeNet Authentication Service support directly:

Europe / EMEA
Freephone: 0800 694 1000 (UK)
Telephone: +44 (0)1276 608 000 (Int'l)
E-mail: sassupport@safenet-inc.com

North America
Toll Free: 800-307-7042
Telephone: +1 613 599 2441
E-mail: sassupport@safenet-inc.com

Customer Feedback

Help us to improve this documentation, our products and our services by communicating any ideas and suggestions that you feel would improve the usefulness and clarity of the documentation, product feature set or application in practice. Suggestions should be sent to: sasfeedback@safenet-inc.com

Publication History

Date        Description      Revision
04/25/2013  Initial Release  1.0

Table of Contents

Introduction
  Integration System Requirements
Configuring Juniper SA for PKI
  Downloading a CA Certificate
  Creating a Certificate Authentication Server
  Adding the Certificate to the List of Trusted Client CAs
  Configuring the User Realm
Configuring KCD
  Configuring the User Account
    Creating a KCD User Account in Active Directory
    Defining the Delegated Authentication Services
  Configuring SA
    Configuring Web SSO
    Configuring the Constrained Delegation Service List
    Configuring SSO Policies
    Configuring SSO Profile
Configuring the Exchange Server
Running the Solution
  User Authentication Scenario

Introduction

This document guides you through setting up a certificate-based authentication solution in a Juniper Networks Junos Pulse Secure Access Service (SA) environment. It describes a single sign-on solution for Microsoft Outlook Web Access (OWA) based on SafeNet Authentication Client (SAC) 8.2 and SafeNet PKI tokens: the user authenticates to the SA with a certificate held on the token, and the SA then uses Kerberos Constrained Delegation (KCD) to sign the user in to OWA without a second logon prompt.

This section includes the following:
Integration System Requirements

Integration System Requirements

For this scenario, the working environment must include the following software:
Juniper Networks Junos Pulse Secure Access Service Version 7.1 R5 or later
Microsoft Exchange 2010
Microsoft Active Directory
Microsoft Enterprise CA
SAC 8.2 GA
eToken 5100

Configuring Juniper SA for PKI

This section describes how to configure the Juniper SA to authenticate users with certificates held on SafeNet's PKI tokens. This section includes the following:
Downloading a CA Certificate
Creating a Certificate Authentication Server
Adding the Certificate to the List of Trusted Client CAs
Configuring the User Realm

Downloading a CA Certificate

The first step is to download and save the certificate of the CA that issues the users' certificates. The SA will trust only client certificates that chain to a CA in its Trusted Client CAs list, so this is the trust anchor for the whole solution.

To download a CA certificate:
1. Access the CA server web enrollment interface.
2. Select Download a CA Certificate.
3. Select Base 64.
4. Save the certificate to the local hard drive.

Creating a Certificate Authentication Server

This step guides you through creating a certificate authentication server on the Juniper SA.

To create a certificate authentication server on the Juniper SA:
1. Select Authentication > Auth. Servers. The Authentication Servers window opens.
2. From the New drop-down list, select Certificate Server.
3. Click New Server. The New Certificate Server window opens.
4. Next to Name, enter a name for the new server; leave the default settings unchanged for all other options.
5. Click Save Changes.

Adding the Certificate to the List of Trusted Client CAs

The saved CA certificate can now be added to the list of Trusted Client CAs on the Juniper SA, and revocation checking enabled for the certificates it issued.

To add the certificate to the list of Trusted Client CAs:
1. Select System > Configuration > Certificates > Trusted Client CAs. The Configuration window opens.
2. Click the Import CA Certificate button and browse to select the saved file.
3. Click the Import Certificate button. The Trusted Client CA window opens.
4. Check that the Root CA Certificate details (subject, validity period, fingerprint) match the CA you downloaded the certificate from.
5. Under Client certificate status checking, select Use CRLs (Certificate Revocation Lists) and click Save Changes.
6. Select CRL Checking Options. The CRL Checking Options window opens.
7. In the Use drop-down list, select CDP(s) specified in the Trusted Client CA.
8. Click Save Changes. The new CDP appears in the Certificate Detail page under Client certificate status checking.

Note: With this setting the SA reads the CRL Distribution Point (CDP) from the CA certificate itself. A self-signed root CA certificate often carries no CDP extension; in that case choose the option that takes the CDP from the client certificates, or configure the CDP manually. Leaving status checking disabled means a revoked token certificate (for example, from a lost token) still signs in, so do not skip this step, and make sure the SA can reach the CDP URL.
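Before relying on the CRL settings above, it is worth confirming that the CA certificate actually carries a CDP and that the CRL it points to is reachable and still valid, because the SA must fetch and evaluate it at every logon. The following PowerShell script is an added example, not part of the SafeNet guide: it reads the CDP extension out of the Base64 CA certificate saved in Downloading a CA Certificate (and, optionally, out of an enrolled user certificate, which is what the other CRL option would use), downloads each HTTP CRL and reports its NextUpdate. The file paths are hypothetical; it assumes Windows PowerShell 3.0 or later with certutil available, and covers HTTP CDPs only.

```powershell
# Added example (not SafeNet's or Juniper's code): pre-flight check of the CDP /
# CRL the SA will use. Paths are hypothetical placeholders.

function Get-CdpUrl {
    param([string]$CertPath)
    if (-not (Test-Path $CertPath)) { return @() }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    # OID 2.5.29.31 = CRL Distribution Points. A self-signed root usually has none,
    # which is exactly the case where "CDP(s) specified in the Trusted Client CA" fails.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text; pull the URL= entries out of it.
    $text = $ext.Format($true)
    [regex]::Matches($text, 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value } |
        Where-Object { $_ -match '^https?://' } |   # assumption: HTTP CDPs only
        Select-Object -Unique
}

function Test-CrlReachable {
    param([string]$Url)
    $tmp = Join-Path $env:TEMP 'sa-cdp-check.crl'
    try {
        Invoke-WebRequest -Uri $Url -OutFile $tmp -UseBasicParsing -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Url = $Url; Reachable = $false; NextUpdate = $null; Expired = $null }
    }
    # certutil -dump prints ThisUpdate / NextUpdate for a CRL file. An expired CRL
    # makes the SA reject every certificate logon, not accept it.
    $dump = certutil -dump $tmp | Out-String
    $next = $null
    if ($dump -match 'NextUpdate:\s*(.+)') { $next = [datetime]::Parse($Matches[1].Trim()) }
    [pscustomobject]@{
        Url        = $Url
        Reachable  = $true
        NextUpdate = $next
        Expired    = ($null -ne $next -and $next -lt (Get-Date))
    }
}

# Usage with hypothetical paths: the CA certificate downloaded earlier, and one
# user certificate exported from an enrolled token.
$cdps = @()
$cdps += Get-CdpUrl -CertPath 'C:\certs\ca.cer'
$cdps += Get-CdpUrl -CertPath 'C:\certs\john.cer'
if (-not $cdps) {
    Write-Warning 'No HTTP CDP found in either certificate; configure the CDP manually on the SA.'
}
$cdps | Select-Object -Unique | ForEach-Object { Test-CrlReachable -Url $_ } | Format-Table -AutoSize
```

Run it from a host on the same network segment the SA uses to reach the CA; a CDP that resolves only inside the CA's own subnet is a common reason for certificate logons failing after the settings above are saved.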

Configuring the User Realm

The user realm needs to be configured to use the certificate server for authentication, to restrict sign-in to holders of a client certificate issued by a Trusted Client CA, and to map users to roles (the role selected later in Configuring SSO Policies must be one the user is mapped to here).

To configure the user realm:
1. Select Users > User Realms.
2. Click the Users link under the Authentication Realm column. The Realm window opens (Users Realm in this example).
3. In the General tab, under Servers, select the certificate server created in the previous step from the Authentication drop-down list.
4. Select the Authentication Policy tab and then click Certificate.
5. Select Only allow users with a client-side certificate signed by Trusted Client CAs to sign in.
6. Click Save Changes.

The Juniper Networks Junos Pulse Secure Access is ready to authenticate users using certificates.

Configuring KCD

Juniper SA is often used to protect Web application resources, such as Outlook Web Access (OWA) and SharePoint, that rely on Windows authentication. Kerberos Constrained Delegation (KCD) enables single sign-on for the application resource, so that users are required to log on only once per session: the user logs on to the SA with the certificate, and the SA obtains a Kerberos service ticket for the application on the user's behalf. The user is not prompted again when accessing the Microsoft application.

Setting up KCD with SA involves the following steps:
Configuring the User Account in Active Directory
Configuring SA

Configuring the User Account

Creating a KCD User Account in Active Directory

KCD requires a dedicated Active Directory user account with protocol transition and constrained delegation rights. This account requests Kerberos tickets on behalf of any user signing in to SA, so treat it as a privileged service account: give it a strong password, do not reuse it for anything else, and delegate only to the specific service(s) the SA must reach.

To create a new user in Active Directory:
1. From the Windows taskbar, select Start > Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers window opens.
2. In the left pane, expand the domain name, and right-click Users.
3. In the menu that appears, select New > User. The New Object - User window opens.
4. Enter the new user's information. This account will be used to access Web application resources, such as OWA.
5. Follow the instructions in the dialog box to progress through the windows.

Defining the Delegated Authentication Services

To configure the new account for Web application access, do the following:
Use the setspn command to register a Service Principal Name (SPN) on the account. The Delegation tab in the account's Properties window appears only once the account has an SPN.
Use the Delegation tab to trust the account for delegation to the selected services using any authentication protocol.

To define the Delegated Authentication Services for the new user:
1. Open the Command Prompt window, and enter the command:

setspn -A HTTP/<user_account> <domain>\<user_account>

where:
<user_account> is the User logon name created under Creating a KCD User Account in Active Directory
<domain> is your domain

On Windows Server 2008 and later, setspn -S behaves like -A but refuses to register an SPN that already exists elsewhere in the forest; duplicate SPNs break Kerberos silently, so prefer -S where it is available.

In the example that follows, testdomain is the domain and samservice is the user account's User logon name:

setspn -A HTTP/samservice testdomain\samservice

2. In the Active Directory Users and Computers window, right-click the defined user. The user's Properties window opens.
3. Select the Delegation tab.
4. Select the following options:
Trust this user for delegation to specified services only
Use any authentication protocol
Note: Do not select Use Kerberos only. That option does not permit protocol transition, and the SA needs protocol transition because the user proves identity to the SA with a certificate rather than with Kerberos; the SA must obtain a ticket for the user without ever holding the user's Kerberos credentials.
5. Click Add. The Add Services window opens.
6. Click Users or Computers to select the computer hosting the constrained services. The Select Users or Computers window opens.
7. Enter the name of the server in the domain that hosts the protected service.
Note: In this example, the OWA service is hosted on the same server as the Active Directory Domain Controller, so DC is selected. This is a lab shortcut; in production, Exchange runs on its own member server and you select that server here.
8. In the Add Services window, the services available on the selected server are displayed.
9. Select the appropriate service type, and click OK.
Note: In this example, Constrained Delegation must be configured for OWA. Select http to configure delegation for OWA and for any other Web-based applications running on this server, such as SharePoint. Do not select all services: the account should be able to obtain tickets only for the services the SA actually fronts.
10. The delegated services are displayed in the user's Properties window. Click Apply, and then click OK.

Active Directory is now configured for this solution.

Configuring SA

Configuring SA with Constrained Delegation for users connecting via SA to a selected application involves the following steps:
Configuring Web SSO
Configuring the Constrained Delegation Service List
Configuring SSO Policies

For example purposes in this section, the connection will be to the OWA application.
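The Active Directory side of the procedure above (account creation, setspn, and the Delegation tab) can also be done from PowerShell, which makes it repeatable and lets you verify that the account ended up constrained rather than unconstrained. The script below is an added example, not part of the SafeNet guide or Juniper's documentation. It assumes the ActiveDirectory module (RSAT / Windows Server 2008 R2 or later), domain administrator rights, the guide's names (samservice, test-domain.com) and a hypothetical OWA host FQDN in $OwaHost; adjust these to your environment. The Delegation tab options map to two AD attributes: "Trust this user for delegation to specified services only" populates msDS-AllowedToDelegateTo, and "Use any authentication protocol" sets the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl.

```powershell
# Added example (not SafeNet's or Juniper's code): scripted equivalent of the
# setspn command and the Delegation tab, with a verification step.
# Names below follow the guide's example; $OwaHost is a hypothetical placeholder.
Import-Module ActiveDirectory

$KcdAccount = 'samservice'            # User logon name from the guide
$Domain     = 'test-domain.com'       # DNS domain, also the Kerberos realm
$OwaHost    = 'dc.test-domain.com'    # assumption: FQDN of the server hosting OWA
# The GUI adds both the short and the fully qualified http SPN; do the same.
$OwaSpns    = @("http/$OwaHost", "http/$($OwaHost.Split('.')[0])")

# 1. Create the dedicated KCD service account. The password is prompted, never
#    stored in the script; the same password is later typed into the SA.
$Password = Read-Host -AsSecureString "Password for $KcdAccount"
New-ADUser -Name $KcdAccount -SamAccountName $KcdAccount `
    -UserPrincipalName "$KcdAccount@$Domain" `
    -AccountPassword $Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true

# 2. Register an SPN on the account (what setspn -A does). This is what makes
#    the Delegation tab appear in Active Directory Users and Computers.
Set-ADUser -Identity $KcdAccount -Add @{servicePrincipalName = "HTTP/$KcdAccount"}

# 3. "Trust this user for delegation to specified services only" + "Use any
#    authentication protocol": constrained target list plus protocol transition.
Set-ADUser -Identity $KcdAccount -Add @{'msDS-AllowedToDelegateTo' = $OwaSpns}
Set-ADAccountControl -Identity $KcdAccount -TrustedToAuthForDelegation $true

# 4. Verify the result. Unconstrained delegation (TRUSTED_FOR_DELEGATION) must
#    not be set, protocol transition must be set, and no unexpected targets.
function Test-KcdAccount {
    param([string]$Identity, [string[]]$ExpectedSpns)
    $u = Get-ADUser -Identity $Identity `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
    $uac = [int]$u.userAccountControl
    $unconstrained      = ($uac -band 0x80000)   -ne 0   # TRUSTED_FOR_DELEGATION
    $protocolTransition = ($uac -band 0x1000000) -ne 0   # TRUSTED_TO_AUTH_FOR_DELEGATION
    $allowed = @($u.'msDS-AllowedToDelegateTo')
    $extra   = @($allowed | Where-Object { $ExpectedSpns -notcontains $_ })
    [pscustomobject]@{
        Account             = $Identity
        HasSpn              = ($u.servicePrincipalName.Count -gt 0)   # must be True
        Unconstrained       = $unconstrained                          # must be False
        ProtocolTransition  = $protocolTransition                     # must be True
        AllowedToDelegateTo = $allowed
        UnexpectedTargets   = $extra                                  # must be empty
    }
}

Test-KcdAccount -Identity $KcdAccount -ExpectedSpns $OwaSpns | Format-List
```

Test-KcdAccount is also useful as a periodic check: if someone later switches the account to "Trust this user for delegation to any service", Unconstrained becomes True and the account can impersonate users to every Kerberos service in the domain, which is far more than the SA needs.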

Configuring Web SSO

In this step, you add the Kerberos realm to the SA's Kerberos SSO settings.

1. In the SA Administrator console, select Users > Resource Policies > Web > SSO > General. The Web SSO General policy window opens.
2. Click Kerberos SSO Settings to see additional settings.
3. Select Enable Kerberos SSO.
4. In the Realm Definition area, add the Kerberos realm. In this example, the test-domain.com realm was added.
Note: The Kerberos realm is typically the DNS domain (Active Directory uses the DNS domain name as the realm name).
5. Save the changes.

Configuring the Constrained Delegation Service List

This step consists of uploading a text file that lists the service(s) for which the SA may request delegated tickets. Keep it to the server(s) you delegated to on the account's Delegation tab.

To configure the Constrained Delegation Service List:
1. Open Notepad or a similar text editor, and create a file containing the name of the server that hosts the protected service (the DC server name in this example, because OWA runs on the DC).
2. Save the file.
3. In the SA Administrator console, select Users > Resource Policies > Web > SSO (Single Sign-on) > General.
4. In the Constrained Delegation area, click Edit. The Constrained Delegation Service Lists window opens.
5. Click New Service List.
6. In the Name field, enter any value.
7. Click Choose File, and browse to the text file saved at the beginning of this procedure.
8. Click OK. The Upload Status window opens.
9. When the upload completes, click Close.
10. In the Constrained Delegation area, do the following:
a. In the Label field, enter any value. In this example, we used test-domain.com.
b. In the Realm drop-down menu, select the Kerberos realm defined in Configuring Web SSO.
c. In the Principal Account field, enter the user logon name (samservice) created in Creating a KCD User Account in Active Directory.
d. In the Password field, enter that account's domain password. The SA stores this password, so change it here whenever the account's password is rotated in Active Directory.
e. In the Service List drop-down list, select the service list name.
f. Click Add.
g. Save the changes.

Configuring SSO Policies

In this step, you define the roles and resources for which Constrained Delegation will be performed.

To configure SSO policies for OWA:
1. In the SA Administrator console, select Users > Resource Policies > Web > Kerberos/NTLM/Basic Auth.
2. Click the New Policy button. The New Policy window opens.
3. In the Name field, enter a name for the policy.
4. In the Resource field, enter the exact fully qualified domain name of the OWA server (the host named in the http SPN you delegated to).
5. Under Roles, select Policy applies to selected Roles and add the necessary role.
6. Under Action, choose Constrained Delegation and select the credential (the Label) defined in Configuring the Constrained Delegation Service List.
7. Save the changes.

Configuring SSO Profile

1. In the SA Administrator console, select Users > Resource Profiles > Web.
2. Click the New Profile button. The New Web Application Resource Profile window opens.
3. From the Type drop-down list, select Microsoft OWA 2010. The OWA 2010 window opens.
4. In the Name field, enter a name for the profile.
5. In the Base URL field, enter the OWA site's base URL.
6. Under Autopolicy: Web Compression, do the following:
a. In the Resource column, enter the OWA site.
b. From the Action drop-down list, select Compress.
c. Click Add.
7. Under Autopolicy: Single Sign-on, do the following:
a. Select Constrained Delegation.
b. In the Resource field, enter the host FQDN of the web server.
c. From the Credential drop-down list, select the Constrained Delegation Label defined in Configuring the Constrained Delegation Service List.
8. Click Save Changes.

Configuring the Exchange Server

This section guides you through configuring the server hosting the web application so that it accepts the Kerberos ticket the SA presents. Integrated Windows Authentication must be enabled on the OWA and ECP virtual directories in place of forms-based authentication; otherwise OWA shows its own logon form instead of honouring the delegated ticket.

Note: This solution can be configured for any web application hosted on any server within the domain. For example purposes, we use the OWA web application, hosted on the same server as the Active Directory Domain Controller.

To configure OWA and ECP:
1. Open the Microsoft Exchange Management Console.
2. In the left pane, select Server Configuration > Client Access.
3. In the Client Access area (middle pane), select your Exchange server.
4. Select the Outlook Web App tab.
5. Right-click owa (Default Web Site), and select Properties. The owa (Default Web Site) Properties window opens.
6. Select the Authentication tab, and do the following:
a. Select Use one or more standard authentication methods.
b. Select Integrated Windows Authentication.
c. Click OK.
7. In the Exchange Management Console, select the Exchange Control Panel tab.
8. Right-click ecp (Default Web Site), and select Properties. The ecp (Default Web Site) Properties window opens.
9. Select the Authentication tab, and do the following:
a. Select Use one or more standard authentication methods.
b. Select Integrated Windows Authentication.
c. Click OK.
10. Restart IIS for the configuration to take effect. To do this, open a Command Prompt and enter iisreset.

Note: Exchange 2010 expects the owa and ecp virtual directories on a server to use the same authentication settings; configure both, as above, before restarting IIS.
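The same change can be made from the Exchange Management Shell, which is handy when several Client Access servers sit behind the SA and must be configured identically. The script below is an added example, not part of the SafeNet guide: it applies steps 5 to 10 above to one server and then checks that owa and ecp ended up with matching settings. It assumes the Exchange 2010 Management Shell on the Client Access server; $Server is a hypothetical server name (the guide's lab used the domain controller).

```powershell
# Added example (not SafeNet's or Microsoft's sample code): Exchange Management
# Shell equivalent of the OWA / ECP authentication steps in this section.
$Server  = 'DC'                                   # assumption: your CAS name
$OwaVdir = "$Server\owa (Default Web Site)"
$EcpVdir = "$Server\ecp (Default Web Site)"

# "Use one or more standard authentication methods" + "Integrated Windows
# Authentication": Windows auth on, forms-based auth off. Basic auth is also
# turned off so the SA's Kerberos ticket is the only accepted credential.
Set-OwaVirtualDirectory -Identity $OwaVdir -WindowsAuthentication $true `
    -FormsAuthentication $false -BasicAuthentication $false
Set-EcpVirtualDirectory -Identity $EcpVdir -WindowsAuthentication $true `
    -FormsAuthentication $false -BasicAuthentication $false

# Read back both virtual directories and flag any setting that differs between
# them; Exchange 2010 expects owa and ecp to match.
function Test-OwaEcpAuth {
    param([string]$Owa, [string]$Ecp)
    $o = Get-OwaVirtualDirectory -Identity $Owa
    $e = Get-EcpVirtualDirectory -Identity $Ecp
    $props = 'WindowsAuthentication', 'FormsAuthentication', 'BasicAuthentication'
    $mismatch = @($props | Where-Object { $o.$_ -ne $e.$_ })
    [pscustomobject]@{
        OwaWindowsAuth = $o.WindowsAuthentication   # expected True
        OwaFormsAuth   = $o.FormsAuthentication     # expected False
        Mismatched     = $mismatch                  # expected empty
    }
}

Test-OwaEcpAuth -Owa $OwaVdir -Ecp $EcpVdir | Format-List

# Step 10: the new settings take effect only after IIS restarts.
iisreset
```

Run Test-OwaEcpAuth again after any later change made through the console; a mismatch between owa and ecp is a common cause of users reaching the mailbox through the SA but being prompted again when they open Options.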

Running the Solution

User Authentication Scenario

In this example, a user named John authenticates to SA in the following environment: the user authenticates to the Juniper SA using a certificate stored on a token. The Juniper SA validates the certificate against the certificate authentication server (chain to a Trusted Client CA and CRL status); if validation succeeds, the user can access OWA.

Procedure:
1. Enroll a smart card user certificate for the user John from the domain's Enterprise CA onto the token.
2. Install SAC 8.2 GA on the client machine used for certificate-based authentication.
3. Connect the token.
4. Open a web browser and browse to the Juniper SA portal. In this example, the SA site is: https://juniper.test-domain.com
5. When prompted for the smart card PIN, enter the Token Password. Click OK.
6. If the certificate is accepted, the user John is redirected to the SA portal.
7. Click the OWA 2010 link. The user John is automatically authenticated to the OWA account using KCD.