NetIQ Advanced Authentication Framework. Security and Encryption Guide. Version 5.1.0

Similar documents
NetIQ Advanced Authentication Framework - Administrative Tools. Installation Guide. Version 5.1.0

NetIQ Advanced Authentication Framework - Password Filter. Installation Guide. Version 5.1.0

Use the below instructions to configure your wireless settings to connect to the secure wireless network using Microsoft Windows Vista/7.

NetIQ Advanced Authentication Framework - Client. User's Guide. Version 5.1.0

NetIQ Advanced Authentication Framework. FIDO U2F Authentication Provider Installation Guide. Version 5.1.0

NetIQ Advanced Authentication Framework

NetIQ Advanced Authentication Framework - Network Policy Server (NPS) Plugin. Administrator's Guide. Version 5.1.0

NetIQ Advanced Authentication Framework. System Requirements. Version 5.1.0

Integrating LANGuardian with Active Directory

NetIQ Advanced Authentication Framework - MacOS Client

NetIQ Advanced Authentication Framework. Maintenance Guide. Version 5.1.0

NetIQ Access Manager - Advanced Authentication Plugin. User's Guide. Version 5.1.0

RoomWizard Synchronization Software Manual Installation Instructions

Using etoken for Securing s Using Outlook and Outlook Express

Professional Mailbox Software Setup Guide

NetIQ Advanced Authentication Framework - Smartphone Applications

Issue 1. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

SELF SERVICE RESET PASSWORD MANAGEMENT ARCHITECTURE GUIDE

RSA SecurID Ready Implementation Guide

How to connect to the diamonds wireless network with Vista.

TrueEdit Remote Connection Brief

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

NetIQ Advanced Authentication Framework - Citrix XenDesktop Plugin. Installation Guide. Version 5.1.0

4. Getting started: Performing an audit

4cast Server Specification and Installation

Implementation Guide for protecting

DIGIPASS CertiID. Getting Started 3.1.0

Undergraduate Academic Affairs \ Student Affairs IT Services. VPN and Remote Desktop Access from a Windows 7 PC

Professional Mailbox Software Setup Guide

Using Entrust certificates with Microsoft Office and Windows

Defender EAP Agent Installation and Configuration Guide

NovaBACKUP xsp Version 15.0 Upgrade Guide

Getting Started With Delegated Administration

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

Acunetix Web Vulnerability Scanner. Getting Started. By Acunetix Ltd.

Check Point FW-1/VPN-1 NG/FP3

SQL Server Setup for Assistant/Pro applications Compliance Information Systems

Note that if at any time during the setup process you are asked to login, click either Cancel or Work Offline depending upon the prompt.

Check Point FDE integration with Digipass Key devices

Windows XP Exchange Client Installation Instructions

Configuring and Monitoring Citrix Access Gateway-Linux Servers. eg Enterprise v5.6

User guide. Business

HELP DOCUMENTATION SSRPM WEB INTERFACE GUIDE

SCADA Security. Enabling Integrated Windows Authentication For CitectSCADA Web Client. Applies To: CitectSCADA 6.xx and 7.xx VijeoCitect 6.xx and 7.

Tenrox. Single Sign-On (SSO) Setup Guide. January, Tenrox. All rights reserved.

IHS USER SECURITY AUDIT

Hosted Microsoft Exchange Client Setup & Guide Book

Instructions: Configuring Outlook 2003 with Exchange 2010 on the FIUMail

Step-by-Step Guide to Setup Instant Messaging (IM) Workspace Datasheet

How to Secure a Groove Manager Web Site

Management Utilities Configuration for UAC Environments

Cloud Services ADM. Agent Deployment Guide

SELF SERVICE RESET PASSWORD MANAGEMENT ADMINISTRATOR'S GUIDE

YubiKey PIV Deployment Guide

Configuring and Monitoring Event Logs

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

SafeWord Domain Login Agent Step-by-Step Guide

Yale Software Library

McAfee Endpoint Encryption for PC 7.0

Hosted Microsoft Exchange Client Setup & Guide Book

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

External Authentication with Windows 2008 Server with Routing and Remote Access Service Authenticating Users Using SecurAccess Server by SecurEnvoy

Windows Vista: Connecting to the wireless network at Hood College

Eclipse.Net Hosted Librarian Guide

HOW TO CONFIGURE SQL SERVER REPORTING SERVICES IN ORDER TO DEPLOY REPORTING SERVICES REPORTS FOR DYNAMICS GP

BlackShield ID Agent for Remote Web Workplace

ibaan ERP 5.2a Configuration Guide for ibaan ERP Windows Client

IHS Emergency Department Dashboard

University Computing & Telecommunications Virtual Private Networking: How To/Self- Help Guide Windows 8.1 Operating System.

Deployment of Keepit for Windows

Administrator Guide. DigitalPersona Pro. for Active Directory. Version 4.0

Configuring Security Features of Session Recording

Configuring IBM Cognos Controller 8 to use Single Sign- On

EJBCA with GemSAFE Toolbox Part2 Sign. and Encrypt

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

Microsoft Dynamics GP Release

ThinManager and Active Directory

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

NODE4 SERVICE DESK SYSTEM

Configuration Task 3: (Optional) As part of configuration, you can deploy rules. For more information, see "Deploy Inbox Rules" below.

External Authentication with Citrix Secure Gateway - Presentation server Authenticating Users Using SecurAccess Server by SecurEnvoy

Configuring WPA-Enterprise/WPA2 with Microsoft RADIUS Authentication

Password Manager Windows Desktop Client

Tool Tip. SyAM Management Utilities and Non-Admin Domain Users

Step-by-step installation guide for monitoring untrusted servers using Operations Manager (Part 1 of 3)

Two-Factor Authentication

Table of Contents. Introduction. Audience. At Course Completion

MadCap Software. Upgrading Guide. Pulse

Phone: Fax: Box: 230

Advanced Event Viewer Manual

Microsoft Dynamics GP Web Services Installation and Administration Guide

SELF SERVICE RESET PASSWORD MANAGEMENT WEB INTERFACE GUIDE

Version Devolutions inc.

Configuring and Monitoring SiteMinder Policy Servers

Kaseya 2. User Guide. Version 6.1

Creating a User Profile for Outlook 2013

Course Agenda: Managing Active Directory with NetIQ Directory and Resource Administrator and NetIQ Exchange Administrator

DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication

Configuring Network Load Balancing with Cerberus FTP Server

External Authentication with Windows 2003 Server with Routing and Remote Access service Authenticating Users Using SecurAccess Server by SecurEnvoy

Transcription:

NetIQ Advanced Authentication Framework Security and Encryption Guide Version 5.1.0

Table of Contents 1 Table of Contents 2 Introduction 3 About This Document 3 Architecture 4 Components 5 Authentication Flow 5 Disconnected mode 6 Data Storage and Encryption 7 Data Storage 7 Session Management 7 Storage of biometric data 8 Communication Channels 8 Auditing and Logging 9 Index 10 2

Introduction About This Document Purpose of the Document This Security & Encryption Guide is intended for administrators and security officers and describes the security and encryption protocols used in NetIQ Advanced Authentication Framework. For more general information on NetIQ Advanced Authentication Framework and the authentication software you are about to use, see NetIQ Advanced Authentication Framework Client User s Guide. Document Conventions Warning. This sign indicates requirements or restrictions that should be observed to prevent undesirable effects. Important notes. This sign indicates important information you need to know to use the product successfully. Notes. This sign indicates supplementary information you may need in some cases. Tips. This sign indicates recommendations. Terms are italicized, e.g.: Authenticator. Names of GUI elements such as dialogs, menu items, buttons are put in bold type, e.g.: the Logon window. 3

Architecture This chapter describes the high-level architecture of NetIQ Advanced Authentication Framework and the components that participate in the authentication process. It also describes the authentication flow. 4

Components NetIQ workstation is a client computer with NetIQ components installed and used for strong authentication. Authentication Provider is a component responsible for capturing authentication credentials, computing a hash or creating a template on the clientside and verifying or identifying the credential on the server side. NetIQ Client is a component that must be installed on every NetIQ-secured workstation. It allows users to enroll authenticators and to authenticate in their operating systems using enrolled authenticators. NetIQ RTE (Run Time Environment) allows to use the SDK (Software Developer Kit) with no need to install NetIQ Advanced Authentication Framework Client component. It is useful when you would like to use NetIQ Advanced Authentication Framework to secure access to certain applications only, without changing the regular Windows logon procedure. NetIQ Authenticore Server is responsible for user data processing, particularly for the user authentication process. It also stored audit information in the Windows eventlog. Active Directory is used to store the user credentials and NetIQ user settings. AD-LDS (Active Directory-Lightweight Directory Services) is a separate application partition used to store user credentials and NetIQ user settings. This is used when it is not possible to extend the Active Directory itself. Authentication Flow 1. The user presents their credentials, this can be a username and fingerprint, contactless card, password, OTP token or any other supported authentication method. 2. The Authentication Provider receives the credential and depending on the authentication method used performs some actions. This can be creating a fingerprint template out of a fingerprint to hashing the credential for further use. 3. The Client then sends the credential including the time, source and authentication provider identifier to the Authenticore server. 4. The Authenticore server searches the user and retrieves the enrolled credential from the repository. 5. The Authentication Provider matches the user credential with the enrolled credential and checks with Active Directory if the user is authorized. 5

6. If all is verified and ok the Authenticore server returns the domain username and password to the client which is then used to authenticate to Windows or any other authentication event. Disconnected mode NetIQ supports the caching of credentials. After a successful authentication to NetIQ the credentials are cached on the local hard drive. More information about caching of credentials can be found in the Administative Tools - Administrator's Guide. 1. The user presents his/her credentials, this can be a username and fingerprint, contactless card, password, OTP token or any other supported authentication method. 2. The Authentication Provider receives the credentials and depending on the authentication method used performs some actions. This can be creating a fingerprint template out of a fingerprint to hashing the credential for further use. 3. The Client detects that it is not connected to the domain or an Authenticore server and tries to authenticate the user to the local cache. The Authentication Provider matches user's credentials with the cached credentials. If all is verified and ok, Client does a cached logon using the domain username and password. 6

Data Storage and Encryption In this chapter: Data Storage Session management Storage of biometric data Communication channels Data Storage While installing the first NetIQ server, the configuration wizard asks for the level of encryption. NetIQ can use any of the installed Microsoft Cryptographic Service Providers (CSP). The following configurations are supported by default but if an organization wants to use their own encryption level this is possible. Session Management Only after successful authentication a user can get access to its encrypted credentials. Per user a separate encryption key is used so it is impossible for other users or administrators to access the encrypted user credentials of another user than themselves. 7

Storage of biometric data NetIQ Advanced Authentication Framework never stores the actual fingerprint in its secure encrypted storage. A calculation is made from the minutia points and used in a one way algorithm to create a template. This template is stored in encrypted form in the secure storage. It is impossible to create a fingerprint image from the template. Communication Channels NetIQ Advanced Authentication Framework secures communication channels in order to assure confidentiality and the integrity of the transmitted data. The three communication channels are each secured by different mechanisms. 1. Client RTE <-> Authentication Provider <-> Authenticore Server Communications in this channel use Microsoft Remote Procedure Calls (RPCs), and the ncalrpc protocol sequence with the RPC_C_ AUTHN_LEVEL_PKT_ PRIVACY flag set to ensure the confidentiality and integrity of the transmitted data. Additional information about RPC can be found in the Microsoft article Remote Procedure Call located at: http://msdn2.microsoft.com/en-us/library/ms950395.aspx 2. Client / RTE <- -> Authenticore Server Communications in this channel use Microsoft Remote Procedure Calls (RPCs), and the ncacn_ ip_tcp protocol sequence with the RPC_C_AUTHN_LEVEL_PKT_PRIVACY flag set to ensure the confidentiality and integrity of the transmitted data. Additional information about RPC can be found in the Microsoft article Remote Procedure Call located at: http://msdn2.microsoft.com/en-us/library/ms950395.aspx 3. Authenticore Server <- ->Active Directory / AD-LS This communication channel uses the Microsoft Active Directory Service Interfaces (ADSI). Information about ADSI is available in the Microsoft article Active Directory Service Interfaces at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/active_directory_service_interfaces_adsi.asp 8

Auditing and Logging NetIQ Advanced Authentication Framework provides extensive event trapping and reporting using the Windows Event Log as the repository for information about: Application errors Successful and unsuccessful authentication attempts Object access System intrusion Events for NetIQ Advanced Authentication Framework are logged on the machine on which they occur and are also stored in the central logservers. When a client is disconnected, all events will be cached and when connection is re-instated to the LogServer, all events will be synchronised. This provides a full audit trail even for disconnected devices. 9

Index A Active Directory 5, 8 Administrator 6 Application 9 Authentication 1, 3-6, 8-9 Authenticator 3 Authenticore server 5 C Client 3, 5-6, 8 D Data 7 L Logon 3 O OTP 5-6 R Remote 8 RTE 5, 8 S Security 1, 3 Server 5, 8 Software 5 System 9 W Windows 5-6, 9 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information