DIGIPASS 860 Windows Logon
Certificate Based DIGIPASS 860 Windows Logon - Integration Guideline V1.0
2006 VASCO Data Security. All rights reserved. Page 1 of 30
Disclaimer

Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or conditions. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security.

Trademarks
DIGIPASS & VACMAN are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use.

Copyright 2006 VASCO Data Security. All rights reserved.
Table of Contents
DIGIPASS 860 Windows Logon ... 1
Disclaimer ... 2
Table of Contents ... 3
1 Overview ... 4
2 Problem Description ... 4
3 Solution ... 4
4 Technical Concept ... 5
4.1 General overview ... 5
4.2 Prerequisites ... 5
5 Setting up DIGIPASS Logon ... 6
5.1 Certificate Authority ... 6
5.1.1 Issue the right type of certificates ... 6
5.1.2 Security groups for enrollment station and agents ... 7
5.1.3 Specifying the Enrollment Policy ... 10
5.2 Enrollment Station ... 12
5.3 Logon Settings ... 19
6 Enrolling Users ... 20
6.1 Requesting certificates ... 20
6.2 DIGIPASS 860 removal behavior ... 25
7 Using the DIGIPASS 860 ... 27
7.1 Logon using the DIGIPASS 860 ... 27
7.2 Offline usage ... 28
8 Unconnected Functionality ... 29
9 About VASCO Data Security ... 30
1 Overview
The purpose of this document is to demonstrate how to secure your Windows logon with the DIGIPASS 860. This device lets you add a certificate and log on with the right user credentials. On removal of the Digipass a controlled action can take place.

2 Problem Description
The basic Windows logon requires a static password. Static passwords are not secure. To use the DIGIPASS 860 as a logon device, a few things need to be installed and changed manually.

3 Solution
By creating an extra profile in your organization, the Enrollment Agent, it becomes possible to roll out certificates on the Digipass 860 for every user. With the Digipass 860 it is possible to log on to Windows, you have SSL functionality and you are able to encrypt e-mails. This way you create a secure and easily manageable environment for you and all your users.
Figure 1: Digipass 860
4 Technical Concept
4.1 General overview
The DIGIPASS 860 is a hybrid security token enabling strong two-factor authentication based upon the knowledge of a password or PIN and the possession of secrets stored in the token. The DIGIPASS 860 offers both DIGIPASS one-time password generation and a PKI token in one single device. The PKI token functionality provides document signing; strong authentication against PKI-enabled software systems (operating systems, virtual private networks, applications); as well as e-mail, file and disk encryption.

4.2 Procedure
To make the DIGIPASS 860 work with the interactive logon in Windows, a few steps need to be taken. First of all you have to set up a Certificate Authority. This will be the issuer of the certificates used on the DIGIPASS 860. Next we make sure all the correct user rights are set. We create a new group that will be responsible for issuing certificates. This becomes a powerful group, as its members can generate certificates for all domain users, including administrators. Finally we enroll the users on the DIGIPASS 860 and set up the workstations so they can use it.

4.3 Prerequisites
The initial prerequisites for setting up DIGIPASS Windows logon are:
- Active Directory installed on a Windows 2000 or 2003 domain server
- A Microsoft Certificate Authority (CA) configured with the Enterprise policy module. This may be a root or subordinate CA.
- User PCs are Windows 2000 or XP clients
5 Setting up DIGIPASS Logon
5.1 Certificate Authority
5.1.1 Issue the right type of certificates
Start the Certification Authority Microsoft Management Console (MMC), located in the Administrative Tools folder on the Enterprise CA. Open the Certificate Templates (2003) or Policy Settings (2000) folder and right-click on this folder. Select New > Certificate Template to Issue.
Figure 2: Issue the right type of certificates (1)
Select, by holding the CTRL key, the following items and click OK:
- Enrollment Agent
- Smartcard Logon
- Smartcard User
Figure 3: Issue the right type of certificates (2)
5.1.2 Security groups for enrollment station and agents
Open Active Directory Users and Computers from the Administrative Tools folder on the Domain Controller. Right-click the Users folder and select New > Group.
Figure 4: Security groups for enrollment station and agents (1)
Fill in a relevant group name (e.g. Enrollment_Group) and click OK.
Figure 5: Security groups for enrollment station and agents (2)
Now add the users to this group that will be able to create certificates for the DIGIPASS 860.
Caution: Please be aware that these users become powerful users, as they can create a certificate for any user in your domain, including administrators.
Right-click the group you just created and select Properties.
Figure 6: Security groups for enrollment station and agents (3)
On the Members tab, choose the Add button.
Figure 7: Security groups for enrollment station and agents (4)
Select the user you want to add to the group (e.g. Enrollment Agent).
Figure 8: Security groups for enrollment station and agents (5)
As you can see below, a computer can also be an Enrollment Agent. In that case you have to take care of the physical access to this computer. Click OK to finish.
Figure 9: Security groups for enrollment station and agents (6)
5.1.3 Specifying the Enrollment Policy
Certificates issued by the CA are based on certificate templates stored in Active Directory. The Access Control Lists (ACLs) set on these templates determine who (user or computer) can request what (certificates).
Open the Active Directory Sites and Services MMC from the Administrative Tools folder on the Domain Controller. If the Services folder is not visible, choose View > Show Services Node. Open Services > Public Key Services > Certificate Templates, right-click Enrollment Agent and select Properties.
Figure 10: Specifying the Enrollment Policy (1)
By clicking the Add button, add the enrollment group you created before.
Figure 11: Specifying the Enrollment Policy (2)
Once added, give this group Read and Enroll permissions. Click OK to finish.
Figure 12: Specifying the Enrollment Policy (3)
Now repeat the same steps for the Smartcard Logon and Smartcard User templates.
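The group creation in 5.1.2 and the template permissions in 5.1.3 are done through the GUI above. Because members of this group can issue a logon certificate for any account in the domain, it is worth scripting the setup so that it is repeatable and, more importantly, auditable. The following PowerShell is an added example written for this guide, not VASCO's code: it assumes a domain-joined session with the RSAT ActiveDirectory module (which did not exist on the Windows 2000/2003 systems the guide targets), and the group and agent names are placeholders. It creates the group, adds one agent, lists every (nested) member, and reports which principals hold the Enroll permission on the three templates. The GUID is the well-known Certificate-Enrollment extended right that the Enroll checkbox sets.

```powershell
# Added example (not from the VASCO guide): create the enrollment group,
# add an agent, and audit who can enroll on the smart card templates.
# Assumes the RSAT ActiveDirectory module; names below are placeholders.
Import-Module ActiveDirectory

$GroupName   = 'Enrollment_Group'          # group from section 5.1.2
$AgentName   = 'enrollment.agent'          # placeholder sAMAccountName
$Templates   = 'EnrollmentAgent', 'SmartcardLogon', 'SmartcardUser'
# Extended right "Certificate-Enrollment", i.e. the "Enroll" permission in the GUI
$EnrollRight = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'

# 1. Create the group (skipped if it already exists) and add the agent account
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                -Description 'May enroll smart card certificates on behalf of any user'
}
Add-ADGroupMember -Identity $GroupName -Members $AgentName

# 2. Review membership: every member, nested ones included, can issue a
#    logon certificate for any domain user, administrators included
Write-Host "Members of ${GroupName}:"
Get-ADGroupMember -Identity $GroupName -Recursive |
    Select-Object objectClass, SamAccountName | Format-Table -AutoSize

# 3. Show who holds Enroll on each template (section 5.1.3 grants it in the GUI)
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
foreach ($t in $Templates) {
    $dn  = "CN=$t,CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigNC"
    $acl = Get-Acl -Path "AD:\$dn"
    $enrollers = $acl.Access |
        Where-Object { $_.ObjectType -eq $EnrollRight -and
                       $_.AccessControlType -eq 'Allow' } |
        Select-Object -ExpandProperty IdentityReference
    Write-Host "$t : Enroll allowed for -> $($enrollers -join ', ')"
}
```

Run step 3 on its own periodically: any principal that appears next to EnrollmentAgent without being the intended group is a finding, since that template is what lets a holder enroll on behalf of other users.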
5.2 Enrollment Station
To set up your enrollment station you need to install the DP860 Driver and the DP860 PKI Middleware. Both can be found in the digipass860.zip file. For the DP860 PKI Middleware a full installation is required. The digipass860.zip file can be found on the demo CD or at: http://www.vasco.com/digipass-860
Log on to the Enrollment Station (any domain computer) with the Enrollment Agent user. Click Start > Run and type mmc. Choose File > Add/Remove Snap-in.
Figure 13: Enrollment Station (1)
Click the Add button.
Figure 14: Enrollment Station (2)
Select Certificates and click the Add button.
Figure 15: Enrollment Station (3)
Choose My user account and press Finish.
Figure 16: Enrollment Station (4)
Afterwards click the Close button of the Add Standalone Snap-in window.
Click OK to go to the main console window.
Figure 17: Enrollment Station (5)
In the main console window, right-click the Personal folder and select All Tasks > Request New Certificate.
Figure 18: Enrollment Station (6)
Click Next in the first window of the Certificate Request Wizard.
Figure 19: Enrollment Station (7)
Choose the Enrollment Agent certificate, check the Advanced checkbox and click Next.
Figure 20: Enrollment Station (8)
Choose the Microsoft Enhanced Cryptographic Provider and a key length of 1024 bit. Click Next.
Figure 21: Enrollment Station (9)
Verify the settings and click Next.
Figure 22: Enrollment Station (10)
Type in a friendly name and a meaningful description. Click Next.
Figure 23: Enrollment Station (11)
Review all the settings and click Finish if everything is OK.
Figure 24: Enrollment Station (12)
5.3 Logon Settings
In order to require a user to log on to the network with the DIGIPASS 860, you must change the account option as described below.
Open Active Directory Users and Computers on the domain controller. In the Users folder select the desired username. Right-click the username and select Properties.
Figure 25: Logon Settings (1)
On the Account tab, under Account options, select: Smart card is required for interactive logon. Click OK to finish.
Figure 26: Logon Settings (2)
Note: If this option is not enabled the user will be able to log on either with the DIGIPASS 860 or using interactive password logon.
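The note above is the important part: a user without this account option can still fall back to a password, so the DIGIPASS 860 is only optional for that account. The following PowerShell is an added example (not from the guide) that sets the option for one account and then lists every enabled user in a scope that still lacks it. It assumes the RSAT ActiveDirectory module; the user name is a placeholder. The audit uses the LDAP bitwise-AND matching rule on userAccountControl, where bit 0x40000 (262144) is SMARTCARD_REQUIRED and bit 0x2 marks a disabled account.

```powershell
# Added example (not from the VASCO guide): enforce "Smart card is required for
# interactive logon" for one user and audit enabled users who still lack it.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a placeholder account.
Import-Module ActiveDirectory

function Set-SmartCardRequired {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Same effect as ticking the Account option in the Properties dialog
    Set-ADUser -Identity $SamAccountName -SmartcardLogonRequired $true
    Get-ADUser -Identity $SamAccountName -Properties SmartcardLogonRequired |
        Select-Object SamAccountName, SmartcardLogonRequired
}

function Get-UsersWithoutSmartCardRequired {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # userAccountControl bit 0x40000 (262144) = SMARTCARD_REQUIRED; bit 0x2 = disabled.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=262144)))'
    # Every account returned can still log on with a password instead of the DIGIPASS 860
    Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase |
        Select-Object SamAccountName, DistinguishedName
}

Set-SmartCardRequired -SamAccountName 'jdoe'
Get-UsersWithoutSmartCardRequired | Format-Table -AutoSize
```

Limit the search base to the OU of the users you enrolled; service and built-in accounts elsewhere will legitimately show up without the flag.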
6 Enrolling Users
For enrollment of users, you have the choice of two templates:
- Smartcard Logon: Logon, SSL
- Smartcard User: Logon, SSL and Secure Email
So the Smartcard User template has the extra ability to secure the user's e-mail with the created certificate.

6.1 Requesting certificates
Open your browser and go to: http://ca-server/certsrv (where ca-server is the name of the machine on which your CA is installed). Click Request a certificate.
Figure 27: Requesting certificates (1)
Click the Advanced certificate request link.
Figure 28: Requesting certificates (2)
Click the link Request a certificate for a smart card on behalf of another user by using the smart card certificate enrollment station.
Figure 29: Requesting certificates (3)
Select the right Certificate Template, CA and Cryptographic Service Provider (the Charismatics Smart Security Interface CSP in this case). If you are logged on as the Enrollment Agent, the right Administrator Signing Certificate should be selected by default. Otherwise, click the Select Certificate button. In the User To Enroll field, you select the user you want to create a certificate for. Click the Select User button and the familiar user selection dialog will start.
Figure 30: Requesting certificates (4)
Search for the user you want to create a certificate for and click OK.
Figure 31: Requesting certificates (5)
Now make sure your DIGIPASS 860 is plugged into the USB port, and then press the Enroll button.
Figure 32: Requesting certificates (6)
You will be asked for the PIN of the DIGIPASS 860; enter it and press OK to continue. This can take a while. Do not navigate away from this page as long as the process is busy.
Note: the default PIN is 11111111 (8 times 1) and the default SO PIN to unlock the Digipass is 1111111111 (10 times 1).
Figure 33: Requesting certificates (7)
When the certificate is saved on the DIGIPASS 860, you will get a message in the window stating The smartcard is ready. You now have the possibility to view the recently created certificate. To do so, press the View Certificate button.
Figure 34: Requesting certificates (8)
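The View Certificate dialog shows the fields by hand; for more than a handful of users it helps to check them programmatically. The following PowerShell is an added example, not part of the guide: it reads a certificate exported from that dialog (DER or Base-64 .cer, path is a placeholder) and reports the properties Windows smart card logon depends on, namely the Smart Card Logon and Client Authentication EKUs, a UPN in the Subject Alternative Name, the template the CA stamped into it, and the key size. It assumes Windows PowerShell 5.1 on a domain-joined machine; nothing here talks to the token itself. The key size is reported because the 1024-bit RSA keys used in section 5.2 are below current guidance, so it is worth knowing what the CA actually issued.

```powershell
# Added example (not from the VASCO guide): inspect an exported logon certificate
# for the properties domain smart card logon relies on. Path is a placeholder.
$CerPath = 'C:\temp\jdoe-smartcard.cer'

function Test-SmartCardLogonCert {
    param([Parameter(Mandatory)][string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Extended Key Usage: smart card logon needs both OIDs
    $eku  = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku) { $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }

    # Subject Alternative Name (2.5.29.17) must carry the user's UPN ("Principal Name=...")
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }

    # Template name (v1 templates, 1.3.6.1.4.1.311.20.2) or template info (v2, 1.3.6.1.4.1.311.21.7)
    $template = $cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        NotAfter          = $cert.NotAfter
        KeySizeBits       = $cert.PublicKey.Key.KeySize
        SmartCardLogonEKU = $oids -contains '1.3.6.1.4.1.311.20.2.2'
        ClientAuthEKU     = $oids -contains '1.3.6.1.5.5.7.3.2'
        HasUPN            = $sanText -match 'Principal Name='
        Template          = ($template -join '; ')
    }
}

Test-SmartCardLogonCert -Path $CerPath | Format-List
```

A certificate for which SmartCardLogonEKU or HasUPN is False will not work for interactive logon regardless of which template name it reports, so those two fields are the first thing to look at when a logon fails.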
6.2 DIGIPASS 860 removal behavior
The "on smart card removal" (read: DIGIPASS 860 removal) policy is a local computer policy administered per machine, not per user account like the "smart card is required for interactive logon" option. The decision to set the on smart card removal policy depends on the needs of the corporation and how users interact with computers. In situations where users interact with computers in an open floor or kiosk environment, the use of such a policy is highly recommended.
The DIGIPASS 860 is actually a smart card reader and a smart card combined in one device. Removing the DIGIPASS 860 is like removing a smart card reader from the computer, and Windows treats this exactly the same as removing a smart card from a smart card reader.
To set this removal policy, open the Domain Security Policy from the Administrative Tools on the domain controller. Go to Security Settings > Local Policies > Security Options. In the list, search for Interactive logon: Smart card removal behavior. Right-click this option and select Properties.
Figure 35: DIGIPASS 860 removal behavior (1)
In the next window you can choose which action you want to perform on DIGIPASS 860 removal. Click OK to continue.
Figure 36: DIGIPASS 860 removal behavior (2)
After setting the removal option, the policies need to be updated. This can be done by running the command gpupdate from the command line or from the Start > Run menu.
Figure 37: DIGIPASS 860 removal behavior (3)
Note: As a best practice it is advised to restart the clients when you are testing these settings, as policy updates may take some time to synchronize.
7 Using the DIGIPASS 860
7.1 Logon using the DIGIPASS 860
Make sure the DP860 Driver and DP860 Middleware are installed on the client PC. Afterwards, the logon screen will look like the one below.
Figure 38: Using The DIGIPASS (1)
After connecting the DIGIPASS 860 to the computer, it will automatically be recognized as a smart card and you will be asked for your PIN.
Figure 39: Using The DIGIPASS (2)
After entering the PIN, the computer logs on as the user whose certificate is on the DIGIPASS 860.
Figure 40: Using The DIGIPASS (3)
7.2 Offline usage
When a user is disconnected from the network, or the domain controller is unreachable due to a failure somewhere along the network path, a user must still be able to log on to his or her computer. With passwords this capability is supported by comparing the hashed password stored by the LSA with a hash of the credential that the user supplied to the GINA during logon. If the hashes are the same, the user can be authenticated to the local machine. In the smart card case, offline logon requires the user's private key to decrypt supplemental credentials originally encrypted using the user's public key.
In order to cache the supplemental credentials on the local PC, you need to set the policy Number of previous logons to cache (in case domain controller is not available) correctly on the domain server. These are the values you can assign to this policy:
- 0: no logons are cached locally. If the domain controller is not available you will not be able to log on to your PC using your domain account.
- n (from 1 to 50): if the domain controller is not available, you can log on locally using the credentials of the latest n domain accounts cached on your machine.
For security reasons, it is advisable to set this policy to 1. Only the user with the DIGIPASS 860 (and obviously the administrator) will then be able to log on to the machine when it is disconnected from the network. Because only the most recent logon is cached, the administrator should remember to have the user log on again after performing administrative operations on the user's machine.
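Both the removal behavior of section 6.2 and the cached logons setting of this section are domain policies that end up as values under the Winlogon registry key on each client, so the quickest way to confirm that gpupdate (or the restart the guide recommends) actually applied them is to read those values on the client. The following PowerShell is an added example, not from the guide: it assumes an elevated PowerShell session on the client and the documented value names ScRemoveOption and CachedLogonsCount, and it compares what it finds against the guide's advice (a removal action configured, and cached logons set to 1).

```powershell
# Added example (not from the VASCO guide): verify on a client that the
# smart card removal policy (section 6.2) and the cached logons policy
# (section 7.2) took effect. Assumes an elevated session on the client.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-SmartCardLogonPolicyState {
    $props = Get-ItemProperty -Path $Winlogon

    # "Interactive logon: Smart card removal behavior" is stored as ScRemoveOption (REG_SZ)
    $removalMap = @{ '0' = 'No action'
                     '1' = 'Lock workstation'
                     '2' = 'Force logoff'
                     '3' = 'Disconnect if a Remote Desktop session' }
    $removal = [string]$props.ScRemoveOption   # '' when the policy was never applied

    # "Number of previous logons to cache" is stored as CachedLogonsCount (REG_SZ);
    # when the value is absent Windows uses its default of 10
    $cached = if ($null -ne $props.CachedLogonsCount) { [int]$props.CachedLogonsCount } else { 10 }

    [pscustomobject]@{
        RemovalSetting        = if ($removalMap.ContainsKey($removal)) { $removalMap[$removal] }
                                else { 'Not set (default: no action)' }
        RemovalIsEnforced     = $removal -in '1', '2', '3'
        CachedLogonsCount     = $cached
        # Guide's advice: 1, so only the last user to log on (the DIGIPASS 860
        # holder) can log on while disconnected
        CachedLogonsAsAdvised = ($cached -eq 1)
    }
}

Get-SmartCardLogonPolicyState | Format-List
```

If RemovalIsEnforced stays False after gpupdate, the client has not yet received the domain policy; check again after the restart the guide suggests before looking for other causes.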
8 Unconnected Functionality
Although the DIGIPASS 860 is a very sophisticated combination of smart card reader and smart card, it still offers the functions of a regular unconnected Digipass such as the DIGIPASS GO 3, with all its advantages:
- 8-character LCD display
- Activated by pushing 1 small button
- Supported algorithms are: DES, 3-DES and AES
- On-board real-time clock
- Time/event synchronous
- Can be combined with a PIN entry on a PC
- Compatible with the Digipass family members
- Compatible with over 50 major application software vendors
9 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication products for e-business and e-commerce. VASCO's User Authentication software is carried by the end user on its DIGIPASS products, which are small calculator-like hardware devices, or in a software format on mobile phones, other portable devices, and PCs. At the server side, VASCO's VACMAN products guarantee that only the designated DIGIPASS user gets access to the application. VASCO's target markets are the applications, and their several hundred million users, that use fixed passwords as security. VASCO's time-based system generates a one-time password that changes with every use, and is virtually impossible to hack or break.
VASCO designs, develops, markets and supports patented user authentication products for the financial world, remote access, e-business and e-commerce. VASCO's user authentication software is delivered via its DIGIPASS hardware and software security products. With over 25 million DIGIPASS products sold and delivered, VASCO has established itself as a world leader in strong User Authentication, with over 500 international financial institutions and almost 3000 blue-chip corporations and governments located in more than 100 countries.