Application Note

Intelligent Application Gateway with SA Server using AD password and OTP
Preface

All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto's information.

This document can be used for informational, non-commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.

The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement.
In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.

Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.

Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.

GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90

September 20, 2007
Contents

Preface ... 3
  Who Should Read This Book ... 3
  For More Information ... 3
  Conventions ... 4
  Contact Our Hotline ... 4
Overview ... 5
  Intelligent Application Gateway ... 5
  Gemalto SA Server ... 5
  Integration of SA Server with IAG ... 6
Use Case ... 7
  Main steps ... 7
  Components description ... 8
Configure the Internet Authentication Service ... 9
  Add a RADIUS Client ... 10
  Configure Access Policies ... 11
Configure the Gemalto Strong Authentication Server ... 16
  Installation ... 16
  User management ... 18
  Check SA Server usage ... 20
Install and configure SA Server agent for IAS ... 21
  Restart IAS ... 21
Configure Intelligent Application Gateway ... 23
Client connection ... 27
List of Figures

Figure 1 - Global Architecture ... 6
Figure 2 - Architecture for the use case ... 7
Figure 3 - IAS RADIUS Server ... 9
Figure 4 - New RADIUS Client ... 10
Figure 5 - New RADIUS Client with shared secret ... 10
Figure 6 - Policy Configuration ... 11
Figure 7 - Policy Conditions ... 11
Figure 8 - Attribute type ... 12
Figure 9 - Client IP Address ... 12
Figure 10 - Policy Conditions ... 13
Figure 11 - Selecting Permissions ... 13
Figure 12 - Editing Authentication ... 14
Figure 13 - Encryption Type ... 14
Figure 14 - SA Installation LDAP Server Information ... 17
Figure 15 - SA Installation Administrator account ... 17
Figure 16 - SA Configuration Administrator connection ... 18
Figure 17 - SA Configuration User management ... 18
Figure 18 - SA Configuration Create OATH device ... 19
Figure 19 - SA Configuration Policy modification ... 19
Figure 20 - SA Configuration Link the device to the user ... 20
Figure 21 - IAS Agent installation ... 21
Figure 22 - Stopping the IAS Service ... 22
Figure 23 - Starting the IAS Service ... 22
Figure 24 - IAG Configuration Portal properties ... 23
Figure 25 - IAG Configuration Advanced Trunk Configuration ... 24
Figure 26 - IAG Configuration Add authentication server ... 24
Figure 27 - IAG Configuration Add RADIUS Server ... 25
Figure 28 - IAG Configuration Select OTP Method ... 25
Figure 29 - IAG Configuration Select both authentication servers ... 26
Figure 30 - Client connection Login ... 27
Figure 31 - Client connection IAG Portal ... 28
Figure 32 - Client connection OWA Access ... 28
Figure 33 - Client connection OWA ... 29
Figure 34 - Client connection Sharepoint Access ... 29
Preface

The Gemalto two-factor authentication solution provides strong authentication based on smart cards for the enterprise, banking, and internet service provider (ISP) markets. This solution enables organizations to deploy a strong authentication solution for their end users, whether local or remote. The system can service a broad range of deployments, from small corporations with fewer than 100 users to ISPs with potentially millions of users.

Who Should Read This Book

This guide is intended for system administrators responsible for configuring Microsoft IAG and Gemalto SA Server so that Gemalto OTP devices can be used to authenticate mobile users with IAG. Administrators should be familiar with:
- Microsoft Intelligent Application Gateway.
- The Gemalto SA Server system architecture.

For More Information

For a complete list of the documentation for the Gemalto Strong Authentication (SA) Server, refer to the release notes (README.txt) on the Gemalto SA Server CD (or zip image of the CD). For more information about other supported components, see the manufacturer's documentation for those products.
Conventions

The following conventions are used in this document.

In this manual, the following highlighting styles are used:
Bold: Instructions, commands, file names, folder names, key names, icons, menus, menu items, field names, buttons, check boxes, tabs, registry keys and values.
Italic: Variables that you must replace with a value, book titles, new or emphasized terms.

In this manual, hyperlinks are marked as described below:
Internal Links: Displayed in quotation marks. When viewing this book online, click an internal link to jump to a different section of the book.
External Links: Displayed in blue, underlined text. When viewing this book online, click an external link to launch your default browser (or email program) to navigate to that Web address or compose an email.

In this manual, notes and cautions are marked like this:
Notes: Information that further explains a concept or instruction, tips, and tricks.
Caution: Information that alerts you to potentially severe problems that might result in loss of data or system failure.

Contact Our Hotline

If you do not find the information you need in this manual, or if you have any questions, contact our hotline: commissioning.support@gemalto.com
1 Overview

This document describes a deployment scenario showing how Microsoft IAG can be configured to use Gemalto SA Server to authenticate mobile users before they access applications through the IAG Portal.

Caution: This document is a deployment scenario; it should not be considered an instruction manual on how to configure your system.

Intelligent Application Gateway

Microsoft's Intelligent Application Gateway (IAG) 2007 with Application Optimizers provides a secure socket layer (SSL) virtual private network (VPN), a Web application firewall, and endpoint security management that enable access control, authorization, and content inspection for a wide variety of line-of-business applications. Together, these technologies provide mobile and remote workers with easy and flexible secure access from a broad range of devices and locations, including kiosks, PCs, and mobile devices. IAG also enables IT administrators to enforce compliance with application and information usage guidelines through a customized remote access policy based on device, user, application, or other business criteria.

For more information, visit: http://www.microsoft.com/forefront/edgesecurity/iag/en/us/overview.aspx

Gemalto SA Server

Gemalto SA Server is a strong authentication platform developed to incorporate the strengths of Gemalto's smart card technology. It consists of a family of smart card-based user authentication devices, a browser plug-in, an authentication and customer care server and a self-service user care portal. The server provides one-time passwords (OTP) and makes two-factor authentication possible, for stronger authentication.
For more information about OTP, visit http://en.wikipedia.org/wiki/one-time_password, and about two-factor authentication, visit http://en.wikipedia.org/wiki/two_factor_authentication

Gemalto SA Server runs under Windows and Linux operating systems and is easily integrated with existing network and authentication infrastructure. For more information, visit http://www.gemalto.com/brochures/download/protiva.pdf
Integration of SA Server with IAG

Integrating SA Server into an existing IAG architecture reinforces security, especially for mobile users, by requiring an OTP. Installation and configuration on the company side are simple: install SA Server with RADIUS and configure IAG to use RADIUS for authentication. On the client side, nothing has to be installed. The user fills in the authentication page with his login, password and the OTP (provided by any OATH token).

List of Gemalto's OATH devices: http://www.protiva.gemalto.com/download/sadevices.pdf

After a successful authentication, you have direct access to your application, or IAG presents a web page listing all the applications you are allowed to reach.

Figure 1 - Global Architecture
2 Use Case

In this section, we focus on a specific use case to show in detail how the integration of SA Server with IAG can be done. In this scenario, the mobile user accesses his applications, such as OWA and/or Sharepoint, through IAG with two-factor authentication (Login / AD Password / OTP). We add the OTP mechanism to an existing IAG configuration by installing and configuring the Microsoft RADIUS server (IAS) and the Gemalto SA Server.

Figure 2 - Architecture for the use case

Main steps

The main steps are:
1. Gemalto SA Server installation & configuration
2. Microsoft IAS RADIUS server configuration
3. SA Server IAS Agent installation & configuration
4. Microsoft IAG configuration
Components description

External Network (39.0.0.9/255.255.255.0):
CLIENT is the machine used by the mobile user from the external network. It could be any machine, such as Windows 2000, XP, Vista, Macintosh or Linux. In this case, we use a Windows XP SP2 machine with Internet Explorer.

Gateway:
IBIZA is the name of the IAG appliance and has two network cards. A configuration with only one card is also possible, for example for an IAG located in a DMZ.

Note: This use case also works when IAG is not in the AD domain.

Internal Network (10.1.1.0/255.255.255.0):
DALLAS is a machine hosting Active Directory and acting as domain controller.
SA Server is the additional server that adds the OTP service.
3 Configure the Internet Authentication Service

On the Saserver machine, install the IAS service embedded in Windows Server 2003.

Check IAS RADIUS Server domain

The IAS RADIUS server must be part of the AD domain, as IAS RADIUS has to check that each mobile user has an account in the directory.

Access to IAS administration

You have to:
1. Click on Start and select Administrative Tools.
2. Select Internet Authentication Service.

Figure 3 - IAS RADIUS Server
Add a RADIUS Client

You now have to add the IAG machine as a RADIUS client:
3. Right click on RADIUS Clients and select New RADIUS Client.

Figure 4 - New RADIUS Client

4. In Friendly name, enter a name for Microsoft IAG.
5. In Client address (IP or DNS), enter the <IP internal address>.
   a. In our laboratory, we used 10.1.1.5.
6. Click on Next.

Figure 5 - New RADIUS Client with shared secret

7. Select RADIUS Standard for Client-Vendor.
8. Enter the chosen shared secret in Shared secret: and in Confirm shared secret.
9. Click on Finish to validate those parameters.
Configure Access Policies

You have to add a new remote access policy:
1. Right click on Remote Access Policies and select New Remote Access Policy.
2. Click on Next in the wizard window.

Figure 6 - Policy Configuration

3. Select Set up a custom policy in How do you want to set up this policy and enter a friendly name in Policy name.
4. Click on Next.

Figure 7 - Policy Conditions

5. Click on Add in the Policy Conditions window.
Figure 8 - Attribute type

6. Select Client-IP-Address in Attribute types: and click on Add.

Figure 9 - Client IP Address

7. Enter <IP internal address> in Type a word or a wild card (for example, abc.*): and click on OK.
Figure 10 - Policy Conditions

8. Click on Next.

Figure 11 - Selecting Permissions

9. Select Grant remote access permission in If a connection request matches the specified conditions: and click on Next.
Figure 12 - Editing Authentication

10. Click on Edit Profile in the profile window.
11. Select the Authentication tab and uncheck all boxes except Unencrypted authentication (PAP, SPAP).
12. Select the Encryption tab.

Figure 13 - Encryption Type

13. Check only the No encryption box, then click on OK.
14. In the Profile window, click on Next.
15. In the New Remote Access Policy Wizard window, click on Finish.

The new policy is now available.

Note: With PAP there is no security mechanism, so the traffic is in the clear. As only the OTP is sent, and it is valid once, there is no security issue.
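To make the PAP note concrete, here is an added Python example (not code from Gemalto, Microsoft or this note) of the Access-Request that the RADIUS client (IAG, 10.1.1.5 above) sends to IAS: the OTP travels in the User-Password attribute, hidden with the shared secret from the RADIUS client configuration exactly as RFC 2865 specifies, and the server recovers it with the same secret. The user name, OTP and shared secret values are constructed; the attribute layout is the standard one.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1                                  # RADIUS Code (RFC 2865)
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator.
    This is obfuscation keyed on the shared secret, not encryption."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password, as performed by the RADIUS server (IAS)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], digest))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value encoding; Length includes the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident, username, otp, secret, authenticator=None):
    """What IAG (the RADIUS client, 10.1.1.5 in the note) sends to IAS.
    The OTP goes in User-Password because the policy allows only PAP."""
    authenticator = authenticator or os.urandom(16)   # fresh per request
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD,
                         hide_password(otp.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes([10, 1, 1, 5])))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def server_decode(packet, secret):
    """Parse an Access-Request and return (User-Name, password) as the
    server sees them before handing them to the SA Server IAS agent."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    assert code == ACCESS_REQUEST and length == len(packet)
    authenticator, username, password, pos = packet[4:20], None, None, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            username = value.decode()
        elif atype == ATTR_USER_PASSWORD:   # wrong secret -> garbage here
            password = reveal_password(value, secret, authenticator).decode(errors="replace")
        pos += alen
    return username, password
```

The reveal side shows why the shared secret must be strong and kept private: it is the only thing protecting the OTP on the internal network between IAG and IAS.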
4 Configure the Gemalto Strong Authentication Server

Installation

The complete installation is not detailed here. For the installation and configuration steps, please refer to the Gemalto SA Server documentation.

On the SA Server, you have to do a standard installation in mixed mode to reach the Active Directory on Dallas. Regarding the LDAP parameters during the installation, two users are needed for SA Server and have to be created in the AD: one is used for the AD connectivity and the second one is used for the administration of SA Server; in our case these are the sasconnect user and the sasadmin user respectively.
Figure 14 - SA Installation LDAP Server Information

LDAP connection for SA Server:
Hostname: 10.1.1.6 (dallas)
Base DN: DC=CONSTOSO, DC=COM
Login DN: CN=sasconnect, CN=users
User Base DN: CN=users

Figure 15 - SA Installation Administrator account

The sasadmin user is used for the administration of SA Server.
User management

Reach the web administrator portal (in this case http://10.1.1.10/saserver/adminportal, with the user sasadmin). There you can migrate users from Active Directory to SA Server and attach OTP tokens to these users.

Figure 16 - SA Configuration Administrator connection

Add a user from AD (marc in this example): Manage Users -> Migrate User

Figure 17 - SA Configuration User management
Add an OATH device: In Manage Devices -> Create OATH Device

Figure 18 - SA Configuration Create OATH device

Modify the policy to check only the OTP, and not the OTP + AD password: Manage Policies -> View all policies. Select the policy linked to your device (OATH Policy 6R in this case) and disable Use Password Rule.

Figure 19 - SA Configuration Policy modification
Link the device to the user: In Manage Device, find the device you want to link to the user. Enter Marc in the User field, then update and activate.

Figure 20 - SA Configuration Link the device to the user

Check SA Server usage

Reach the web user portal on SA Server (in this case http://10.1.1.10/saserver/userportal). Enter the username migrated previously into SA Server, his AD password and his OTP from the token. If successful, you can go on.
5 Install and configure SA Server agent for IAS

For the installation and configuration steps, please refer to the Gemalto SA Server documentation. In this case, as IAS and SA Server are on the same machine, the address for SA Server Authentication Servlet URL is localhost (default configuration).

Figure 21 - IAS Agent installation

Restart IAS

To launch the installed agent, you now have to restart IAS. In the Internet Authentication Service window, click on the stop button in the toolbar to stop IAS.
Figure 22 - Stopping the IAS Service

Then, click on the green arrow in the same toolbar to restart the server and take the changes into account.

Figure 23 - Starting the IAS Service

Note: You can check the status of the IAS service, and restart it if necessary, using the Services console.
6 Configure Intelligent Application Gateway

In this section, we add the OTP authentication to the existing configuration.

Log on to the IAG management application.

Figure 24 - IAG Configuration Portal properties

Select the portal Portal1. Click on the Configure button for Advanced Trunk Configuration.
Figure 25 - IAG Configuration Advanced Trunk Configuration

In the Authentication tab, click on Add for a new authentication service.

Figure 26 - IAG Configuration Add authentication server

Click on Add.
Figure 27 - IAG Configuration Add RADIUS Server

In the Type field, select RADIUS, type a name, then type the IP/Host of the RADIUS Server and the Secret Key. Click on OK.

Notes: The Secret Key is the shared secret you configured in New RADIUS Client.

Figure 28 - IAG Configuration Select OTP Method

Click on Select to select OTP.
Still in the Authentication tab, select User Must Provide Credentials for Each Selected Server and check Use the Same User Name.

Figure 29 - IAG Configuration Select both authentication servers
7 Client connection

On the client workstation, open your web browser and type the IAG external IP address or the DNS name associated with it.

Notes: In our laboratory, the website was https://iag.contoso.com

Figure 30 - Client connection Login

1. Enter your credentials and click Submit.

Note: You must enter the OTP in the IAS Password field.
Figure 31 - Client connection IAG Portal

2. Select OWA 2007 to access Outlook Web Access.

Figure 32 - Client connection OWA Access

In this example, the application authentication is done by web form. The logon is done automatically by IAG.

Notes: With IAG, the authentication method can be Web Form, Integrated or both (defined by the application). All are compatible with this use case.
Figure 33 - Client connection OWA

Connection to another application (Sharepoint): Go back to the IAG Portal, then click on Sharepoint; you are automatically connected to Sharepoint.

Figure 34 - Client connection Sharepoint Access