BlackShield ID. QUICKStart Guide. Integrating Active Directory Lightweight Services


QUICKStart Guide
Integrating Active Directory Lightweight Services

2010 CRYPTOCard Corp. All rights reserved. http://www.cryptocard.com

Trademarks

CRYPTOCard, CRYPTO Server, CRYPTO Web, CRYPTO Kit, CRYPTO Logon, CRYPTO VPN, CRYPTO MAS, are either registered trademarks or trademarks of CRYPTOCard Inc. Microsoft Windows and Windows XP/2000/2003/2008/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date            Description      Version
August 9, 2010  Initial release  1.0

Solution Overview Summary

Product Name                     Active Directory Lightweight Directory Service (AD LDS)
Server Side Software             Active Directory Lightweight Directory Service (AD LDS)
Client Side Software             N/A - Solution is server based only
Pre-Requisites                   System must be joined to a domain
CRYPTOCard Product Requirements  CRYPTOCard Professional 2.x +
Supported Token types            KT-1, KT-2, KT-4, KT-5, RB-1, MP-1
Server OS                        Windows 2008 R2 x64
Server Type                      Member Server

Table of Contents

Active Directory Lightweight Directory Services Installation ... 1
  Creating an instance ... 1
Preparing AD LDS Schema Synchronization ... 4
  Active Directory Schema Analyzer Overview ... 4
  Launching and using ADSchemaAnalyzer utility ... 4
  Loading Active Directory/AD LDS Schema LDF Files ... 7
  Loading AD LDS Synchronization Schema LDF Files ... 8
Editing/Customizing AD LDS Synchronization Config File ... 9
  Creating AD LDS Synchronization Config File ... 9
    Option 1 ... 9
    Option 2 ... 10
  Installing custom AD LDS Synchronization Config File ... 12
  First time Synchronization ... 13
Disabling SSL Authentication in AD LDS ... 13
Creating AD LDS User for ... 16
Configuring AD LDS to auto synchronize ... 19
ADAM Multi Domain Support ... 20
  Creating an OU for additional Domains ... 20
    Create an OU within the existing AD LDS instance for the second domain information ... 20
  Displaying Currently Loaded Configurations ... 21
  Batch File Example ... 21
Configuring BlackShield to use AD LDS proxy user ... 22
Caveats ... 22

Active Directory Lightweight Directory Services Installation

Microsoft Active Directory Lightweight Directory Services (formerly Microsoft Active Directory Application Mode) is part of Windows 2008 R2. To install Active Directory Lightweight Directory Services (AD LDS):

1. Launch Server Manager
2. Select Roles on the left pane
3. Click Add Roles on the right pane
4. When the wizard spawns, click Next
5. Place a checkmark in Active Directory Lightweight Directory Services
6. Click Add Required Features, then Next, and Next again
7. Click Install

Creating an instance

The following instructions are used to create an instance (a virtual LDAP domain) from which BlackShield will query its user information. The user information is populated into your instance from your main LDAP server (Active Directory).

To create a new AD LDS instance, click Start, select All Programs, select Administrative Tools, then select Active Directory Lightweight Directory Services Setup Wizard.

The Active Directory Lightweight Directory Services Setup Wizard will spawn. Click Next to begin creating the new AD LDS instance.

On the Setup Options dialogue, choose whether to create A unique instance or to replicate the information from an existing AD LDS instance. Since this is the first time through AD LDS, select A unique instance, and then click Next.

Figure 1

Active Directory Lightweight Directory Service (AD LDS) Integration 1

On the Instance Name page, provide a name for the instance. Choose a name that will be easily recognizable, as it will be used when creating the Windows service. In this instance, BlackShield will be used as the instance name. Provide a Description for the instance name. Click Next to continue.

Figure 2

By default, LDAP and LDAPS use ports 389 and 636 respectively. If the default LDAP ports have been modified, please change the port numbers accordingly. Click Next to continue.

Note: If installation is performed on a domain controller, or a second AD LDS instance is being created, then the ports will default to 50000 and 50001 respectively.

Figure 3

On the Application Directory Partition page, select Yes, create an application directory partition. Create a partition with a name in the following syntax:

DC=blackshield,dc=domain,dc=com (e.g. DC=blackshield,dc=intel,dc=com)

Click Next to continue.

Figure 4

On the File Locations page, verify the default file location is acceptable. After verifying, click Next to continue.

Figure 5

On the Service Account Selection page, select the Network service account radio button. Click Next to continue.

Figure 6

On the AD LDS Administrators page, select Currently logged on user DOMAIN\Administrator. Click Next to continue.

Figure 7

On the Importing LDIF Files page, select the following:

MS-InetOrgPerson.LDF
MS-User.LDF
MS-UserProxy.LDF

Click Next to continue. Click Next again to create the AD LDS instance.

Figure 8

Click Finish once the instance has been created.

Preparing AD LDS Schema Synchronization

The previous steps will have created and prepared your AD LDS instance to accept LDAP information. During the setup of the AD LDS instance, you told it to load 3 LDF files. These 3 LDF files give the AD LDS instance information about particular LDAP object classes and attributes, and help it understand what its default schema should look like. However, the three provided LDF files do not provide ALL the needed information. You are required to use a utility provided by Microsoft called ADSchemaAnalyzer.

Active Directory Schema Analyzer Overview

ADSchemaAnalyzer is a utility that analyzes your current LDAP schema and then analyzes what is currently in the local AD LDS schema. It creates an LDF file containing all the object classes and attributes missing from AD LDS, so that your synchronization can be performed successfully.

Launching and using ADSchemaAnalyzer utility

To start the ADSchemaAnalyzer, launch a command prompt and navigate to:

C:\Windows\ADAM

Then type in:

ADSchemaAnalyzer

The AD DS/LDS Schema Analyzer will appear.

Figure 9

In the AD DS/LDS Schema Analyzer, click on File, then select Load target schema.

Figure 10

Enter the following information for your Active Directory Server:

Server:[port]  IP or DNS name of Active Directory:Port
Username       Username (ex. Administrator)
Password       Password for user
Domain         Domain name (ex. Intel.com)

Under Bind type, select Secure. Under Server type, select AD DS/LDS.

Figure 11

Click OK when all the information has been entered. At the bottom of the AD DS/LDS Schema Analyzer, the application shows that it is attempting to load the AD schema and all its attributes. The base schema must now be loaded.

Figure 12

In the AD DS/LDS Schema Analyzer, click on File, then select Load base schema.

Figure 13

Enter the following information for the local AD DS/LDS instance:

Server:[port]  127.0.0.1:389

Under Bind type, select Secure. Under Server type, select Auto. Click OK when all the information has been entered.

Figure 14

For the local AD DS/LDS instance, only the server and port are required. After clicking the OK button, the application will compare the two schemas and, once it is finished, it will display Done completing schema.

Figure 15

Within the AD DS/LDS Schema Analyzer, click on the Schema menu, then select Mark all non present elements as included.

Note: A pop-up will appear displaying the total number of non-present elements that were marked as included.

Figure 16

Within the AD DS/LDS Schema Analyzer, click on File, then select Create LDIF file... In the Save As window, provide a name for the LDF file. Give the file a recognizable name, as it will be used in the next section. Save the LDF file in the default directory.

Figure 17

Loading Active Directory/AD LDS Schema LDF Files

To load the custom LDF file that was created in the previous section, a command must be executed from the command prompt within the ADAM directory. On the AD LDS system, launch a command prompt and navigate to:

C:\Windows\ADAM

Then issue the following command:

ldifde -i -s localhost -c CN=Configuration,DC=X #ConfigurationNamingContext -f (custom LDF filename).ldf

Note: (custom LDF filename).ldf is to be replaced with the filename of the LDF file that was created in the previous section.

After executing the command, it will show the following text output:

Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "(custom LDF filename).ldf"
Loading entries...

Note: Loading entries may take a while depending on how many attributes are being loaded.

Once the command has completed, a message appears in the command line as follows. (The number of entries may vary.)

Figure 18

Loading AD LDS Synchronization Schema LDF Files

To load the MS-AdamSyncMetaData.ldf synchronization schema file, a command must be executed from the command prompt within the ADAM directory. On the AD LDS system, launch a command prompt and navigate to:

C:\Windows\ADAM

Then issue the following command:

ldifde -i -s localhost -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSyncMetaData.ldf

After executing the command, it will show the following text output:

Connecting to "localhost"
Logging in as current user using SSPI
Importing directory from file "MS-AdamSyncMetaData.ldf"
Loading entries...

Once the command has completed, a message appears in the command line as follows. (The number of entries may vary.)

Figure 19

Editing/Customizing AD LDS Synchronization Config File

AD LDS requires a special file in order to determine the information it should synchronize from LDAP. In a nutshell, this file contains the connection information for the source LDAP server and for the destination AD LDS instance. It also specifies which attributes will be synchronized.

Creating AD LDS Synchronization Config File

This section provides the steps to create an AD LDS Synchronization file. The file indicates to AD LDS the objects and attributes that will be synchronized from an LDAP server. This file is loaded into AD LDS using a special command, and is then used by any subsequent automated synchronization.

There are two options for creating a customized AD LDS Synchronization file. The first option is to copy MS-AdamSyncConf.xml and modify the necessary information; the second option is to copy the Sample AD LDS Synchronization XML Config File in Section 4.1.2, modify the necessary information, and save it to a file.

Option 1

The MS-AdamSyncConf.xml file is located in c:\windows\adam. Make a copy of the file to the desktop, and open the file with a text editor. There are 6 lines that must be modified within the synchronization file. The lines are:

<source-ad-name>your-dc-hostname</source-ad-name>
    Hostname of Active Directory Server (ensure it is resolvable by DNS)
<source-ad-partition>dc=yourdomain,dc=com</source-ad-partition>
    Instance path of Active Directory tree (Ex. dc=intel,dc=com)
<source-ad-account>administrator</source-ad-account>
    Username of user who has Domain Administrative privileges
<account-domain>yourdomain.com</account-domain>
    Domain name of Active Directory (Ex. intel.com)

<target-dn>dc=blackshield,dc=cryptocard,dc=com</target-dn>
    Local AD LDS instance (See Figure 14 on page 6 for the local AD LDS DN)
<base-dn>dc=yourdomain,dc=com</base-dn>
    Remote LDAP Distinguished Name (Active Directory Server)

An optional but non-critical line that can be modified is the description.

Here is Microsoft's explanation of the values, in the event the above explanation is not adequate or is not clear. The following is taken from the ADAM quick start guide produced by Microsoft.

<source-ad-name>seattledc1</source-ad-name>
<source-ad-partition>dc=fabrikam,dc=com</source-ad-partition>
<source-ad-account>administrator</source-ad-account>
<account-domain>fabrikam.com</account-domain>
<target-dn>o=microsoft,c=us</target-dn>
<base-dn>dc=fabrikam,dc=com</base-dn>

Replace the value of <source-ad-name> with the name of the source Active Directory domain controller.
Replace the value of <source-ad-partition> with the distinguished name of the source domain.
Replace the value of <source-ad-account> with the name of an account in the Domain Admins group of the source domain.
Replace the value of <account-domain> with the fully qualified name of the source domain.
Replace the value of <target-dn> with the name of the partition of the target ADAM instance.
Replace the value of <base-dn> with the base distinguished name of the source domain.

Option 2

Copy the AD LDS Synchronization XML Config file below into Notepad. Then modify the sections below that are in bold (the connection and DN lines described in the previous section). For more information and explanation, please see the previous section.

<?xml version="1.0"?>

<doc>
  <configuration>
    <description>blackshield AD LDS Sync File</description>
    <security-mode>object</security-mode>
    <source-ad-name>your-dc</source-ad-name>
    <source-ad-partition>dc=yourdomain,dc=com</source-ad-partition>
    <source-ad-account>administrator</source-ad-account>
    <account-domain>yourdomain.com</account-domain>
    <target-dn>dc=blackshield,dc=cryptocard,dc=com</target-dn>
    <query>
      <base-dn>dc=yourdomain,dc=com</base-dn>
      <object-filter>(objectclass=*)</object-filter>
      <attributes>
        <include></include>
        <exclude>extensionname</exclude>
        <exclude>displaynameprintable</exclude>
        <exclude>flags</exclude>
        <exclude>isprivelegeholder</exclude>
        <exclude>mscom-userlink</exclude>
        <exclude>mscom-partitionsetlink</exclude>
        <exclude>reports</exclude>
        <exclude>serviceprincipalname</exclude>
        <exclude>accountexpires</exclude>
        <exclude>admincount</exclude>
        <exclude>primarygroupid</exclude>
        <exclude>useraccountcontrol</exclude>
        <exclude>codepage</exclude>
        <exclude>countrycode</exclude>
        <exclude>logonhours</exclude>
        <exclude>lockouttime</exclude>
      </attributes>
    </query>
    <schedule>
      <aging>
        <frequency>0</frequency>

        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>

Once all changes have been made, please save the file to C:\Windows\ADAM with a .xml extension. Please provide a recognizable name, as the xml file will be used in the next section.

Installing custom AD LDS Synchronization Config File

The following instructions explain how to install the custom configuration file that was created in the previous section. The custom configuration file should be placed in C:\Windows\ADAM.

Launch a command prompt and navigate to:

C:\Windows\ADAM

Then type in the following command:

ADAMSync /install localhost:389 %windir%\adam\(custom sync filename).xml

After running the command, the prompt will move to the next line and display Done.
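As an added example (not code from the CRYPTOCard guide), the following Python builds a sync configuration of the shape shown in Option 2 and checks it for the template values of Option 1 and Option 2 that are most often left unchanged, for a base-dn outside the source partition, and for a target-dn that still points at the source domain. The function names, the placeholder set and the sample DNs are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute exclusions copied from the guide's Option 2 sample configuration.
DEFAULT_EXCLUDES = [
    "extensionname", "displaynameprintable", "flags", "isprivelegeholder",
    "mscom-userlink", "mscom-partitionsetlink", "reports",
    "serviceprincipalname", "accountexpires", "admincount", "primarygroupid",
    "useraccountcontrol", "codepage", "countrycode", "logonhours",
    "lockouttime",
]

# Template values from the guide's Option 1 and Option 2 samples (assumed set);
# any of them left in an installed file means the connection details were
# never filled in.
PLACEHOLDERS = {"your-dc", "your-dc-hostname", "dc=yourdomain,dc=com",
                "yourdomain.com"}

# Elements of <synchronizer-state>; ADAMSync fills these in, so they are
# written empty rather than by hand.
SYNC_STATE_FIELDS = [
    "dirsync-cookie", "status", "authoritative-adam-instance",
    "configuration-file-guid", "last-sync-attempt-time",
    "last-sync-success-time", "last-sync-error-time",
    "last-sync-error-string", "consecutive-sync-failures",
    "user-credentials", "runs-since-last-object-update",
    "runs-since-last-full-sync",
]


def normalize_dn(dn):
    """Lower-case a DN and drop whitespace around its components."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def build_sync_config(source_dc, source_partition, source_account,
                      account_domain, target_dn, base_dn=None,
                      description="blackshield AD LDS Sync File",
                      excludes=DEFAULT_EXCLUDES):
    """Return the XML text of an ADAMSync config file for one source domain.

    base_dn defaults to the source partition, as in the guide's template."""
    doc = ET.Element("doc")
    cfg = ET.SubElement(doc, "configuration")
    for tag, text in [("description", description),
                      ("security-mode", "object"),
                      ("source-ad-name", source_dc),
                      ("source-ad-partition", source_partition),
                      ("source-ad-account", source_account),
                      ("account-domain", account_domain),
                      ("target-dn", target_dn)]:
        ET.SubElement(cfg, tag).text = text
    query = ET.SubElement(cfg, "query")
    ET.SubElement(query, "base-dn").text = base_dn or source_partition
    ET.SubElement(query, "object-filter").text = "(objectclass=*)"
    attrs = ET.SubElement(query, "attributes")
    ET.SubElement(attrs, "include")  # empty include: sync every attribute
    for name in excludes:             # ... except the ones listed here
        ET.SubElement(attrs, "exclude").text = name
    schedule = ET.SubElement(cfg, "schedule")
    aging = ET.SubElement(schedule, "aging")
    ET.SubElement(aging, "frequency").text = "0"
    ET.SubElement(aging, "num-objects").text = "0"
    ET.SubElement(schedule, "schtasks-cmd")
    state = ET.SubElement(doc, "synchronizer-state")
    for tag in SYNC_STATE_FIELDS:
        ET.SubElement(state, tag)
    return '<?xml version="1.0"?>\n' + ET.tostring(doc, encoding="unicode")


def excluded_attributes(xml_text):
    """List the attribute names a config file excludes from synchronization."""
    root = ET.fromstring(xml_text)
    return [e.text for e in root.findall("configuration/query/attributes/exclude")]


def check_sync_config(xml_text):
    """Return a list of problems; an empty list means the file looks usable."""
    cfg = ET.fromstring(xml_text).find("configuration")
    problems, values = [], {}
    for tag in ("source-ad-name", "source-ad-partition", "source-ad-account",
                "account-domain", "target-dn", "query/base-dn"):
        el = cfg.find(tag) if cfg is not None else None
        text = (el.text or "").strip() if el is not None else ""
        if not text:
            problems.append(f"{tag} is missing or empty")
        elif text.lower() in PLACEHOLDERS:
            problems.append(f"{tag} still holds the template value {text!r}")
        values[tag] = text
    part, base, target = (values["source-ad-partition"],
                          values["query/base-dn"], values["target-dn"])
    if part and base:
        n_part, n_base = normalize_dn(part), normalize_dn(base)
        if n_base != n_part and not n_base.endswith("," + n_part):
            problems.append("query/base-dn lies outside source-ad-partition")
    if part and target and normalize_dn(target) == normalize_dn(part):
        problems.append("target-dn must be the AD LDS partition, not the source domain")
    return problems
```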

Note: If there is a second XML file to add a second domain, then please use the same command above, but specify the appropriate file name.

First time Synchronization

After installing the custom XML configuration file, a sync must occur from the LDAP server specified in the custom XML config file to the AD LDS instance. The instructions in this section require the creation of a directory to store the sync log, and then running the command to start the sync.

A directory needs to be created for the AD LDS synchronization logs. Create a directory on the C:\ drive named ADLDS-Logs.

Launch a command prompt and navigate to:

C:\Windows\ADAM

Then type in the following command:

ADAMSync /fs localhost:389 "dc=blackshield,dc=cryptocard,dc=com" /log C:\ADLDS-Logs\sync.log

Note: (Optional) Additional Domain:
... "OU=Domain2,dc=cryptoserver,dc=sparks,dc=com" /log C:\ADAMLogs\syncDomain2.log

Synchronization of data from Active Directory to the newly created AD LDS instance can take from 5 minutes to 5 hours depending on how many users exist within Active Directory. Please monitor the AD LDS sync log in C:\ADLDS-Logs\sync.log, as it can grow in size rapidly and cause low disk space.

Disabling SSL Authentication in AD LDS

By default, SSL authentication is enabled in AD LDS. The instructions in this section show how to disable SSL authentication for AD LDS. This is needed to allow BlackShield to bind (authenticate) to the AD LDS instance without requiring a certificate. To disable SSL authentication, the ADSI Edit tool will be needed.

Note: If SSL authentication is required to access an AD LDS instance from a remote system, then please skip this section. Please also note that AD LDS should have a valid certificate loaded. With RequireSecureProxyBind set to 0, a proxy bind over plain LDAP (port 389) carries the user's Active Directory password unencrypted on the wire, so keep the BlackShield-to-AD LDS connection on the local host or a trusted network segment, or leave the setting at 1 and use LDAPS with a valid certificate.

To launch the ADSI Edit tool go to Start, All Programs, Administrative Tools, ADSI Edit.

In the ADSI Edit application:

Right click on ADSI Edit in the left pane
Select Connect to

Figure 20

In the Connection Settings window, perform the following:

Select the Select a well known Naming Context radio button, and select Configuration in the dropdown menu.
Select the Select or type a domain or server: (Server | Domain [:port]) radio button, and then enter localhost:389 in the field below.
Enter a name for the connection settings (Ex. Local AD LDS Instance).

Figure 21

Click the OK button.

In the ADSI Edit application, expand the newly added object, and then:

Expand CN=Configuration,CN=
Then expand CN=Services
Then expand CN=Windows NT
Right click on CN=Directory Service
Select Properties

Figure 22

Note: Refresh the ADSI Edit application if the expand button does not show up.

In the CN=Directory Service Properties window, scroll down and find the msDS-Other-Settings attribute, and highlight it. Then select Edit.

Figure 23

Select RequireSecureProxyBind=1 under the Values section. Select the Remove button. The RequireSecureProxyBind=1 value then moves to the Value to add field. Change the value from 1 to 0. Click the Add button. Click OK.

Figure 24

Creating AD LDS User for

With the AD LDS instance configured, a user must now be created for BlackShield to use when it connects to the AD LDS instance. The user will be created as a user that is part of the AD LDS instance. This user is outside of the synchronization that is occurring between the source Active Directory and the destination AD LDS instance.

To start the Ldp application, launch a command prompt and navigate to:

C:\Windows\ADAM

Then type in:

Ldp

The Ldp application will appear.

Figure 25

In the Ldp application, click on Connection, then select Connect.

Figure 26

In the Server field, enter localhost. Then click on the OK button.

Figure 27

In the Ldp application, click on Connection, then select Bind.

Figure 28

Under the Bind type section, select Bind as currently logged on user. If Encrypt traffic after bind is checked, please remove the checkmark. Click the OK button.

Figure 29

After clicking the OK button, the right pane will show output at the bottom. The last line should read:

Authenticated as: Domain\Username

Figure 30

In the Ldp application, click on View, then select Tree. Click the BaseDN dropdown menu and select the DN of the AD LDS instance. See Figure 14 on page 6 for more information.

Figure 31

Click the OK button.

Figure 32

In the Ldp instance, select Browse, then select Add child.

Figure 33

Enter the following in the DN field:

cn=adamproxy,dc=blackshield,dc=cryptocard,dc=com

Under Edit Entry, enter the information in the respective fields:

Attribute: ObjectClass
Values: userproxy

Click the Enter button.

Note: the cn=adamproxy within the DN field is the user that is being created.

Figure 34

Open up a command prompt and type in:

whoami /user

The command prompt will display the username, along with the user's SID. Copy the SID, as it will need to be added as an attribute in the Add Child window.

Figure 35

In the Edit Entry section of the Add Child window, enter the information in the respective fields:

Attribute: ObjectSID
Values: S-1-5-21-140381145-1539809123-3681150278-500

Click the Enter button.

Figure 36

Once the ObjectSID attribute and its value have been added into the Entry List, click the Run button.

The SID determines which Active Directory account's password the proxy user is validated against (bind redirection). The SID shown ends in RID 500, the built-in Administrator account, so the password later entered into BlackShield would be that account's; the SID of a dedicated domain account can be used here instead.

Configuring AD LDS to auto synchronize

To have AD LDS auto synchronize based on a schedule, a batch file will need to be created and scheduled either through Scheduled Tasks or the AT command. Add the following command into the batch file to automate the sync:

ADAMSync /sync localhost:389 "DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSync.log

A time interval will need to be set within Scheduled Tasks or using the AT command for how often you would like this command to run. In turn, this specifies how often AD LDS will synchronize user information from LDAP to the AD LDS instance.

[Optional Second Domain]

ADAMSync /sync localhost:389 "OU=Domain2,DC=cryptoserver,DC=Domain,DC=com" /log C:\adamlogs\autoSync.log

Note: ADAMSync /sync localhost:389 "OU=Domain2,DC=cryptoserver,DC=Domain,DC=com" /log C:\adamlogs\autoSyncDomain2.log must have an associated XML synchronization file installed, with OU=Domain2 as its <target-dn>, prior to telling it to sync.

ADAM Multi Domain Support

It may come to a point where AD LDS will be required to connect to more than one Active Directory domain. This can be achieved by manually loading a separate synchronization XML file into the ADAM instance which is configured to pull information from a second domain.

Creating an OU for additional Domains

An OU needs to be created within the AD LDS instance, and the second domain's information will then be synced to that OU.

Create an OU within the existing AD LDS instance for the second domain information

Open ADAM ADSI Edit
Connect to the Distinguished Name (DN) of your AD LDS instance (ex. DC=blackshield,DC=cryptocard,DC=com)
Right click the base DN (top of the domain) and select New Object
Select OrganizationalUnit
Give the OU the name Domain2

In the second domain's XML synchronization file, edit the:

<target-dn>ou=domain2,dc=blackshield,dc=cryptocard,dc=com</target-dn>

Note: A second MS-AdamSyncConf.xml will need to be created with the new settings pointed at the new domain, referencing a <target-dn> of the new 'Domain2' OU in the ADAM instance. Name the second XML file MS-AdamSyncConf2.xml. Edit other settings within the second XML file as needed. For example, when the second XML file is installed using the command:

ADAMSync /install localhost:389 %windir%\adam\MS-AdamSyncConf2.xml

it loads what it should be synchronizing for that particular domain.

Displaying Currently Loaded Configurations

To display the currently loaded ADAM synchronization files, perform the following:

Open a command prompt and navigate to:

C:\Windows\ADAM

Enter the following command:

AdamSync /list localhost:389

It should list something similar to this:

C:\WINDOWS\ADAM>ADAMSync /list localhost:389
Listing configuration files:
> "DC=blackshield,DC=CRYPTOCard,DC=com": BlackShield Sync
> "OU=Domain2,DC=blackshield,DC=cryptocard,DC=com": BlackShield Sync
Done.

Note: If you want ADAM to synchronize information from both domains at a given time interval, you will need to ensure that all needed XML files have been loaded and that both have been told to do a full sync (/fs).

Batch File Example

Example:

Line 1: ADAMSync /sync localhost:389 "DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSyncDomain1.log
Line 2: ADAMSync /sync localhost:389 "OU=Domain2,DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSyncDomain2.log

Line Explanations

Line 1: This line synchronizes changes from Domain 1 into the ADAM top DN
Line 2: This line synchronizes changes from Domain 2 into the ADAM Domain2 OU

Configuring BlackShield to use AD LDS proxy user

Now that AD LDS has been configured, it is time to configure BlackShield to connect to the AD LDS instance as the user source. During the user source configuration, provide the IP/DNS name of the AD LDS system, NOT the AD DC system. This is done at the LDAP Configurations screen.

Figure 37

In the LDAP Credentials screen:

Enter cn=adamproxy in the User DN
Click the dropdown menu and select the Base DN of the AD LDS instance (eg. dc=blackshield,dc=cryptocard,dc=com)
Place a checkmark in Append Base DN to User DN

Figure 38

Enter the Password for the user. (Please see Figure 34 through Figure 36 beginning on page 18)

Note: For more detailed installation instructions, please take a look at the Administrator Manual at: http://www.cryptocard.com.

Caveats

If multiple domains are being synchronized to a single AD LDS instance, then the container names must be unique. When importing users within the same container name, AD LDS will rename the container to a random name. If a user (eg. JDoe) exists in two domains with the same username and within the same container name, then one of the usernames must be changed (eg. JDoe2) so that both users will be synchronized to the AD LDS instance.

It is recommended that a separate container be created within AD LDS when synchronizing data from the second domain. This is to indicate within the synchronization XML file that the BASE DN is within the

newly created container. This allows two completely separate sets of LDAP information to be stored easily within AD LDS.

eg. An OU has been created within AD LDS called 'Domain2'. In the second domain XML file, the base DN that will be used is CN=Domain2,DC=blackshield,DC=cryptocard,DC=com

Note: A user that exists in AD LDS can never use their Microsoft static password to authenticate against BlackShield. Usernames must be unique if multiple domains are synchronized to an AD LDS instance. Then the users will be displayed properly within.
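As an added example (not code from the CRYPTOCard guide), the following Python models where the objects of two source domains land inside one AD LDS partition and reports the collisions the Caveats section and the multi-domain section warn about. It assumes, as the guide's Domain2 OU layout implies, that ADAMSync recreates each object's path below base-dn underneath target-dn; the domain names, containers and users are constructed sample data, and the function names are this example's own.

```python
from collections import defaultdict


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its components."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def relative_path(object_dn, base_dn):
    """Return the part of object_dn that sits below base_dn ('' if equal)."""
    obj, base = normalize_dn(object_dn), normalize_dn(base_dn)
    if obj == base:
        return ""
    if not obj.endswith("," + base):
        raise ValueError(f"{object_dn} is not under {base_dn}")
    return obj[: -(len(base) + 1)]


def target_dn_for(object_dn, base_dn, target_dn):
    """DN the object gets in AD LDS once synchronized under target_dn
    (assumed model: path below base_dn is recreated below target_dn)."""
    rel = relative_path(object_dn, base_dn)
    target = normalize_dn(target_dn)
    return target if not rel else rel + "," + target


def find_collisions(domains):
    """domains: dicts with name, base_dn, target_dn and objects (source DNs).

    Returns {target_dn: [(domain_name, source_dn), ...]} for every AD LDS DN
    that more than one source object would occupy; such containers get
    renamed to a random name and such users are not synchronized."""
    owners = defaultdict(list)
    for d in domains:
        for dn in d["objects"]:
            owners[target_dn_for(dn, d["base_dn"], d["target_dn"])].append(
                (d["name"], dn))
    return {t: o for t, o in owners.items() if len(o) > 1}


PARTITION = "dc=blackshield,dc=cryptocard,dc=com"  # the guide's instance DN

# Constructed sample data: JDoe exists under cn=Users in both source domains.
DOMAIN1 = {"name": "domain1", "base_dn": "dc=domain1,dc=com",
           "objects": ["cn=Users,dc=domain1,dc=com",
                       "cn=JDoe,cn=Users,dc=domain1,dc=com",
                       "cn=ASmith,cn=Users,dc=domain1,dc=com"]}
DOMAIN2 = {"name": "domain2", "base_dn": "dc=domain2,dc=com",
           "objects": ["cn=Users,dc=domain2,dc=com",
                       "cn=JDoe,cn=Users,dc=domain2,dc=com",
                       "cn=BLee,cn=Users,dc=domain2,dc=com"]}


def collisions_when_both_target_root():
    """Both domains pointed at the partition root, as the Caveats warn against."""
    return find_collisions([dict(DOMAIN1, target_dn=PARTITION),
                            dict(DOMAIN2, target_dn=PARTITION)])


def collisions_with_domain2_ou():
    """Second domain pointed at the OU=Domain2 container the guide recommends."""
    return find_collisions([dict(DOMAIN1, target_dn=PARTITION),
                            dict(DOMAIN2, target_dn="ou=Domain2," + PARTITION)])


if __name__ == "__main__":
    for label, result in [("root for both", collisions_when_both_target_root()),
                          ("OU=Domain2", collisions_with_domain2_ou())]:
        print(label, "->", result or "no collisions")
```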