State of the Art Mobile Single Sign-On to Microsoft Exchange with OWA and ActiveSync

This document describes a secure single sign-on (SSO) solution for accessing Microsoft Exchange on tablets and smartphones. It is based on Evidian Web Access Manager.

Evidian PERSPECTIVES White Paper, June 2014
Protecting Microsoft Exchange in a Cloud Environment

An e-mail system such as Microsoft Exchange is one of the most critical resources of any business, so access to it must be protected. This matters all the more because most web applications now use e-mail to deliver or reset passwords: an inadequately protected mailbox becomes the weak link of the whole information system, since whoever controls it can reset the passwords of the other applications.

To protect and simplify access to web applications, single sign-on (SSO) solutions are growing in popularity. After an initial sign-on (password, smart card, OTP token), the user accesses all the applications for which he or she has rights, without having to know the passwords of the applications themselves.

How can Microsoft Exchange be easily integrated into such an SSO access security system? In practice, there are obstacles to overcome:

- Web access to Microsoft Exchange does not natively support most modern strong authentication mechanisms (OTP tokens, for instance).
- Microsoft Exchange web access requires the Windows password, which the user may not know.

The IT department must therefore ensure that the corporate web authentication system can effectively protect access to Microsoft Outlook.
What are Microsoft Outlook Web App and Microsoft ActiveSync?

Microsoft supplies two main solutions to access Microsoft Exchange from outside the Windows ecosystem. One makes it possible to consult a mailbox via a web browser; the other connects a native mail client directly to the Microsoft Exchange server.

Microsoft Outlook Web App (OWA) is the web interface used to access Microsoft Exchange mailboxes. The user interface differs according to the browser, e.g. Internet Explorer (which supports ActiveX) versus Firefox or Chrome (which do not).

Microsoft ActiveSync is the protocol that synchronizes a Microsoft Exchange mailbox with a mobile phone or another mobile device, such as a tablet. It is served, like OWA, by IIS (Microsoft Internet Information Services) on the Exchange server, and it uses a restricted subset of the HTTP protocol.

Organizations using Microsoft Exchange must generally activate both solutions in order to cover the various uses of their employees.

What is Evidian Web Access Manager?

Evidian Web Access Manager is a single sign-on (SSO) solution for web applications. It requires no installation on the workstation, which can be a tablet or a smartphone. Evidian Web Access Manager can be used alone or together with Evidian Enterprise SSO, a solution based on a local Windows client that provides access to web and non-web applications. Evidian Enterprise SSO and Evidian Web Access Manager can share information about a web application's user account and login, as well as the Windows login.

This document uses Evidian Web Access Manager to illustrate web access to Microsoft Outlook via single sign-on mechanisms.
Use Case: Single Sign-On to Microsoft Outlook

Outlook Web App and ActiveSync are web applications that can be controlled by a web single sign-on solution such as Evidian Web Access Manager. Evidian Web Access Manager controls access to Outlook Web App just as it does for any traditional web application, and it can also control mobile access to the e-mail system over the ActiveSync protocol.

Use Case with Outlook Web App (OWA)

A mobile user accesses his Outlook mailbox via the Outlook Web App interface. To log in to this interface, the Windows password must usually be entered. However, the user may not know the Windows password required by Outlook Web App:

- On his desktop PC, the user does not always type the Windows password. Access may be managed by a local tool, such as Evidian Enterprise SSO or Evidian Authentication Manager.
- Similarly, for remote web access via Evidian Web Access Manager, the user may present a one-time password (OTP, checked over RADIUS) or an X.509 certificate.

In this case, Evidian Web Access Manager uses the Windows password known to Evidian Enterprise SSO to authenticate to the OWA server.

Result: once logged on to Evidian Web Access Manager, the user accesses OWA from his or her browser without having to enter another password.
Use Case with ActiveSync

From a mobile phone (iPhone, Android, Windows Phone) or a tablet (iPad, Android, etc.), the user synchronizes his e-mails and calendar with his Exchange mailbox over Wi-Fi or 3G. The ActiveSync client application must authenticate and access the mailbox on the OWA server using the ActiveSync protocol. However, as we have seen, the user does not necessarily know his Windows password, and therefore may not be able to use it to configure the ActiveSync client.

In this case, the user is given a password dedicated to ActiveSync authentication through Evidian Web Access Manager. The ActiveSync client on the phone or tablet is configured to use Evidian Web Access Manager as its e-mail server. Evidian Web Access Manager authenticates the user with the dedicated ActiveSync password, then substitutes the Windows password known to Evidian Enterprise SSO when authenticating to the ActiveSync interface of the OWA server.

Result: the e-mail client logs on to Evidian Web Access Manager automatically to reach the mailbox, and a change of the Windows password does not break synchronization, since the device never holds that password.
Architecture Principles with Outlook Web App

The figure below shows a typical architecture for web access to mailboxes through Outlook Web App (OWA).

Figure 1: Architecture for Outlook Web App

The roaming user authenticates with a one-time password (OTP), generated by a device or application synchronized with an OTP server. When he or she accesses the Evidian Web Access Manager portal, the OTP is checked by the OTP server over the RADIUS protocol. Evidian Web Access Manager then identifies the user in Active Directory. If Evidian Enterprise SSO is present, Evidian Web Access Manager can obtain the user's application passwords and Windows password from it. The Windows password is then used to authenticate to the OWA servers; the authentication type may be integrated Windows authentication (NTLMv2), form-based authentication or HTTP Basic authentication.
Principles and Architecture with Microsoft ActiveSync

The ActiveSync protocol uses a subset of HTTP; in particular, it does not support:

- 301 and 302 redirections;
- HTTP/HTTPS ports other than 80 and 443.

ActiveSync therefore imposes constraints when it is published through a web single sign-on solution such as Evidian Web Access Manager:

- It is not possible to redirect the client to an Evidian Web Access Manager authentication server or to an external authentication server. Primary authentication must therefore be carried out by the Web Access Manager gateway itself.
- Authentication against an external RADIUS or Kerberos server is not possible.
- The gateway must listen on port 80 (HTTP) or 443 (HTTPS).
- URL translation is not possible. The Web Access Manager gateway must act as a remote web agent.
- ActiveSync e-mail clients provide only one login field and one password field. These values are sent with every request as HTTP Basic authentication; there is no further dialog between the gateway and the e-mail client that would allow a one-time authentication. For usability reasons, the ActiveSync password saved on the smartphone is unlikely to be changed frequently.

These protocol constraints rule out an OTP server: a one-time password would be consumed by the first request and rejected on the next. But the Windows password cannot be used either if the user does not know it.

In the architecture described here, the primary (ActiveSync) passwords are therefore stored in an LDAP directory separate from Active Directory, which holds the real user accounts and Windows passwords.
The user enters a password that is not his actual Windows password, but that is checked by Evidian Web Access Manager. Evidian Web Access Manager then injects the actual Windows password into the traffic exchanged with the ActiveSync server. This substitute password can be changed independently of the Windows password and of its change frequency.

The figure below presents an Evidian Web Access Manager architecture that gives a mobile phone access to mailboxes over ActiveSync.

Figure 2: Web Access Manager Architecture for ActiveSync

This is what happens for an ActiveSync connection from a mobile phone:

- The user has the login user1 and a (substitute) password.
- The user1@domain.com e-mail account is configured on the mobile phone, with wam.domain.com set as the e-mail server, over HTTPS (encrypted) or HTTP.
- An ActiveSync connection to the Evidian Web Access Manager server is opened, and the ActiveSync client sends the user1 login and its password with each request.
Evidian Web Access Manager intercepts the login and performs the following steps:

1. User identification, i.e. determining the user's original directory.
2. Authenticating the user in that identification directory.
3. Identification in the directory containing the real reference to the user.
4. Retrieval of the primary and secondary passwords associated with the user identified in step 3.

Evidian Web Access Manager then connects to the ActiveSync server and injects the user name and password expected by the OWA e-mail server. The user is then authenticated by the OWA server (step 5) in the Active Directory of the Windows domain.

Authorization Management for ActiveSync

Authorizations to access applications can be computed dynamically using simple and/or/not rules applied to the user's attributes in the LDAP directory. These rules apply to ActiveSync connections as well as to all other connections passing through Evidian Web Access Manager. Static or dynamic groups can thus be created to authorize access to mailboxes from a mobile phone according to the users' duties.

Changing Passwords for ActiveSync

The passwords used on mobile phones are separate from the Windows passwords. They can therefore be changed independently:

- Using a provisioning tool (such as Evidian Identity & Access Manager or Evidian ID Synchronization) which modifies the passwords in the LDAP directory. The new passwords must then be sent to users so that they can reconfigure their mobile phones.
- By the users themselves, using Web Access Manager to modify their own passwords.

Filtering based on the Phone Identifier for ActiveSync

With each ActiveSync request, the mobile phone sends a device identifier whose syntax is specific to each manufacturer. The OWA server can declare, register and filter ActiveSync connections according to these unique identifiers. Such filtering binds a user's e-mail account to one or more specific mobile devices, so that copying the device's configuration (account, server and password) onto another device is not enough to obtain access. Since the identifier is supplied by the client, this filter is a hardening measure that complements authentication rather than replacing it.

Tracing all User Activity

Every access management policy needs to be verifiable. Evidian Web Access Manager logs all user access attempts, so administrators know who accessed which application and when. Evidian Web Access Manager is compatible with web traffic analysis tools such as Webtrends, which simplifies the analysis of security audit reports. Audit events are also transmitted to the centralized audit database of Evidian Identity & Access Manager for each authentication and password transmission.
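The following Python model is an added example; it is not Evidian's code and not part of the original white paper. It walks one ActiveSync request through the gateway behaviour described in this section: Basic credentials on every request, lookup in a separate identification directory, verification of the substitute password, an and/or/not rule on directory attributes, a device identifier check, and finally injection of the real Windows credentials towards the Exchange server. The two directories, user1's two passwords, the department rule, the device identifier and the hashed storage of substitute passwords (PBKDF2) are all constructed assumptions; the request URL shape (Microsoft-Server-ActiveSync with User, DeviceId, DeviceType and Cmd parameters) follows the ActiveSync convention. The device filter is placed at the gateway here for illustration, whereas the paper places it on the OWA server.

```python
# Added example (not Evidian's code): a minimal model of the gateway decision
# for one ActiveSync request. Directories, users, passwords, device identifiers
# and the access rule are all constructed for illustration.
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

SALT = b"constructed-salt"  # a real credential store would salt per entry

def pbkdf2(password):
    """Hash a substitute password so the gateway never stores it in clear (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), SALT, 100_000)

# Identification directory (constructed): substitute ActiveSync passwords, stored
# hashed, plus a pointer to the user's entry in the reference directory.
SUBSTITUTE_DIR = {
    "user1": {"hash": pbkdf2("phone-pass-2014"), "dn": "cn=user1,dc=domain,dc=com"},
}

# Reference directory (constructed; stands in for Active Directory plus the
# Enterprise SSO credential store): real Windows credentials and attributes.
REFERENCE_DIR = {
    "cn=user1,dc=domain,dc=com": {
        "sAMAccountName": "DOMAIN\\user1",
        "windows_password": "R3al-W1ndows-Pw!",
        "department": "sales",
        "accountDisabled": False,
        "allowed_device_ids": {"ApplDN6FJ1234567"},  # constructed iPhone-style id
    },
}

CHALLENGE = {"WWW-Authenticate": 'Basic realm="wam.domain.com"'}

def basic_header(login, password):
    """Build the 'Authorization: Basic' value an ActiveSync client sends."""
    return "Basic " + base64.b64encode(f"{login}:{password}".encode("utf-8")).decode("ascii")

def parse_basic_auth(header):
    """Return (login, password) from a Basic header, or None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    login, sep, password = raw.partition(":")
    return (login, password) if sep else None

def check_substitute_password(login, password):
    """Steps 1-2: find the user in the identification directory and verify the
    substitute password. Returns the reference DN on success, else None."""
    entry = SUBSTITUTE_DIR.get(login)
    if entry is None:
        return None
    # Constant-time comparison: this gateway sits on the Internet edge.
    if not hmac.compare_digest(entry["hash"], pbkdf2(password)):
        return None
    return entry["dn"]

def authorized(attrs):
    """A simple and/or/not rule on LDAP attributes (constructed rule)."""
    return attrs["department"] in {"sales", "support"} and not attrs["accountDisabled"]

def device_id_from_url(url):
    """ActiveSync carries the device identifier in the DeviceId query parameter."""
    return parse_qs(urlsplit(url).query).get("DeviceId", [None])[0]

def handle_request(url, headers):
    """Decide what the gateway does with one request.

    Returns ("challenge", headers) when the client must (re)send Basic credentials,
    ("deny", {}) when the user is authenticated but not allowed, or
    ("forward", headers) with the Authorization header to inject upstream.
    """
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return "challenge", CHALLENGE
    dn = check_substitute_password(*creds)
    if dn is None:
        # Wrong or unknown password. The real Windows password is rejected here
        # too: the device is never supposed to hold it.
        return "challenge", CHALLENGE
    attrs = REFERENCE_DIR[dn]  # step 3: identification in the reference directory
    if not authorized(attrs):
        return "deny", {}
    if device_id_from_url(url) not in attrs["allowed_device_ids"]:
        return "deny", {}  # unregistered device
    # Steps 4-5: inject the Windows credentials the OWA/ActiveSync server expects.
    upstream = {"Authorization": basic_header(attrs["sAMAccountName"], attrs["windows_password"])}
    return "forward", upstream

if __name__ == "__main__":
    url = ("https://wam.domain.com/Microsoft-Server-ActiveSync"
           "?User=user1&DeviceId=ApplDN6FJ1234567&DeviceType=iPhone&Cmd=Sync")
    print(handle_request(url, {"Authorization": basic_header("user1", "phone-pass-2014")}))
    print(handle_request(url, {"Authorization": basic_header("user1", "R3al-W1ndows-Pw!")}))
    print(handle_request(url.replace("ApplDN6FJ1234567", "UNKNOWNDEVICE"),
                         {"Authorization": basic_header("user1", "phone-pass-2014")}))
```

Two details of this model matter in a real deployment of the kind the paper describes. The gateway rejects the real Windows password, so a device backup or a copied account configuration exposes only the substitute password, which can be revoked in the LDAP directory without touching Active Directory. And the DeviceId is supplied by the client, so an attacker who knows it can present it; the device filter therefore hardens the setup but does not replace the password check.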
Encryption of Confidential Data

With Evidian Web Access Manager, all OWA and ActiveSync communications can be encrypted. The Evidian Web Access Manager gateway handles the SSL/TLS encryption itself, so users' e-mail traffic is protected between the device and the gateway.

Protecting Web Resources against Attacks

Evidian Web Access Manager helps prevent attacks on web resources exposed on the Internet. The gateway can hide the actual address of web resources: it rewrites the URLs of the web applications (URL translation), so that attackers cannot deduce the internal network topology from them (as noted above, this applies to OWA, since ActiveSync does not allow URL translation). Evidian Web Access Manager also controls the inputs of all web accesses, which helps protect web applications against attacks from the Internet.

High Availability and Load Sharing

The Evidian Web Access Manager gateway can be installed on two or more servers. In this case, the servers share the web traffic load and take over from each other if one of them fails. This high availability solution is purely software-based: it requires neither appliances nor shared disks and works with standard servers. Similarly, load increases are handled simply by adding extra Evidian Web Access Manager gateways.
Evidian IAM Suite

Our IAM solution is recognized by customers and analysts for its completeness. The Evidian IAM Suite offers the following components, which together form a fully integrated solution:

- Evidian Identity & Access Manager provides authorization governance and full lifecycle management of identities and access to services, driven by a security policy combined with approval workflows.
- Evidian Web Access Manager manages access federation to web applications, secures remote access for mobile users and replaces all user passwords with a single, strong authentication method.
- Evidian Enterprise SSO facilitates access to enterprise and personal applications from workstations, mobile devices and smartphones, and frees users from password constraints.
- Evidian Authentication Manager provides strong authentication on workstations and mobile devices: smart card or token, X.509 certificate, contactless RFID cards, biometrics, one-time password.
- Evidian SafeKit brings high availability, failover, file replication and load balancing to applications.

For more information, please consult our website: www.evidian.com

Document reference: 39 A2 22LY 00

Copyright 2012-2014 Evidian. The information contained in this document represents the view of Evidian on the issues discussed at the date of publication. Because Evidian must respond to changing market conditions, it should not be interpreted as a commitment on the part of Evidian, and Evidian cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. EVIDIAN MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. We acknowledge the rights of the proprietors of the trademarks mentioned in this document. This white paper is printed on paper combining 40% eco-certified fibers from sustainably managed forests and 60% recycled fibers, in line with current environmental standards (ISO 14001).