Application Note SA Server and ADAM
Solution Overview
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto's information. This document can be used for informational, non commercial, internal and personal use only provided that: The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies. This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made. Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided AS IS without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein. The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time. Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non infringement.
In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.
Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.
GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90 Printed in France.
Document Reference: June 16, 2008
Contents
Preface iv
  Who Should Read This Book iv
  For More Information iv
  Conventions v
  Contact Our Hotline v
Overview 1
  Main steps 1
  Architecture 2
  Elements description 2
ADAM Setup 3
  Prerequisites 3
  Installation 3
  Create an instance 3
  Configuration 7
  Creation of the Schema Extension in ADAM 7
  Connection to ADAM with ADSI Edit tool 8
  Disable LDAPS between ADAM and AD 11
  Organization Unit creation 14
  Preparation of XML synchronization file between AD and ADAM 15
  Initialization of the synchronization 15
  Creation of ADAM Proxy Users for the SA administration 17
SA Setup 24
  Check SA Server 25
ANNEXE 26
  AdamSync configuration file 26
Preface
The Gemalto two-factor authentication solution provides strong authentication based on smart cards for the enterprise, banking, and internet service provider (ISP) markets. This solution enables organizations to deploy a strong authentication solution for their end-users, whether local or remote. The system can service a broad range of deployments, from small corporations with fewer than 100 users to ISPs with potentially millions of users.
Who Should Read This Book
This guide is intended for system administrators responsible for configuring the SA Server and Microsoft Exchange 2003 in order to use Gemalto OTP devices to authenticate users defined in several Active Directories. Administrators should be familiar with:
- Microsoft 2003 server.
- Active Directory and ADAM (Active Directory Application Mode).
- The Gemalto SA Server system architecture.
For More Information
For a complete list of the documentation for the Gemalto Strong Authentication (SA) Server, refer to the release notes (README.txt) on the Gemalto SA Server CD (or zip image of the CD). For more information about other supported components, see the manufacturer's documentation for those products.
Conventions
The following conventions are used in this document. In this manual, the following highlighting styles are used:
- Bold: Instructions, commands, file names, folder names, key names, icons, menus, menu items, field names, buttons, check boxes, tabs, registry keys and values.
- Italic: Variables that you must replace with a value, book titles, new or emphasized terms.
In this manual, hyperlinks are marked as described below:
- Internal Links: Displayed in quotation marks. When viewing this book online, click an internal link to jump to a different section of the book.
- External Links: Displayed in blue, underlined text. When viewing this book online, click an external link to launch your default browser (or email program) to navigate to that Web address or compose an email.
In this manual, notes and cautions are marked like this:
- Notes: Information that further explains a concept or instruction, tips, and tricks.
- Caution: Information that alerts you to potentially severe problems that might result in loss of data or system failure.
Contact Our Hotline
If you do not find the information you need in this manual, or if you find errors, contact the Gemalto hotline at http://support.gemalto.com/. Please note the document reference number, your job function, and the name of your company. (You will find the document reference number at the bottom of the legal notice on the inside front cover.)
Overview
This document provides a deployment scenario to show you how to configure ADAM in order to interact with the Gemalto SA Server. In this scenario, a company wants to use SA Server (for example, to authenticate and authorize mobile users), but this company has several Active Directory domains (3 in this use case). As SA Server can only reach one LDAP server, using ADAM to synchronize user accounts from the other Active Directory domains is a solution.
Caution: Consequently, this document should not be considered as an instruction manual on how to configure your system.
Main steps
The main steps are:
1. ADAM Configuration
2. SA Server installation
Architecture
Elements description
1. Three Domain Controller machines (dc1, dc2, dc3) hosting respectively an Active Directory ad1.gemalto.gem, ad2.gemalto.gem, ad3.gemalto.gem.
2. A server named SA server hosting the SA Service and ADAM. In the diagram, SA Service and ADAM are shown on different machines for a better understanding.
ADAM Setup
Prerequisites
All Active Directory domains (AD1, AD2, AD3, ...) must have a full trust relationship between all of them.
You must have the following files provided by Gemalto: MS-AdamSyncMeta.LDF, MS-AdamSchemaW2K3.LDF, MS-UserProxyFull.LDF, ADAMSync_Template.xml.
Installation
Install the ADAM application on the SA machine by using the installer ADAMSP1_x86_english.exe. The installation is done in c:\windows\adam.
Create an instance
Create the instance by using the tool named Create ADAM Instance from the menu Start->ADAM.
Instance Name: Gemalto
Directory Partition: DC=sa, DC=Gemalto, DC=gem
For the rest, choose the defaults. Be careful not to import the LDIF files proposed by default. We will use other LDIF files, compatible with SA Server, provided by Gemalto.
Configuration
The following chapter describes the configuration needed to complete the installation and to adjust the configuration for SA Server.
Creation of the Schema Extension in ADAM
Copy the 3 files provided by Gemalto (MS-AdamSyncMeta.LDF, MS-AdamSchemaW2K3.LDF, MS-UserProxyFull.LDF) into c:\windows\adam. Use the Command Prompt for ADAM: Start->ADAM->ADAM Tool Command Prompt. Launch these commands:
ldifde -i -f MS-AdamSyncMetadata.LDF -s localhost -t 389 -c "cn=configuration,dc=x" #configurationnamingcontext
ldifde -i -f MS-AdamSchemaW2K3.LDF -s localhost -t 389 -c "cn=configuration,dc=x" #configurationnamingcontext
ldifde -i -f MS-UserProxyFull.LDF -s localhost -t 389 -c "cn=configuration,dc=x" #configurationnamingcontext
Connection to ADAM with ADSI Edit tool
Use ADSI Edit in the ADAM menu.
Right-click on ADAM ADSI Edit -> Connect. Click OK.
Disable LDAPS between ADAM and AD
Use ADSI Edit in the ADAM menu. Go to the container CN=Configuration,... / CN=Services / CN=Windows NT / CN=Directory Service.
In the properties, modify the attribute msds-other-settings by changing the parameter RequireSecureProxyBind to 0.
Click Edit. Remove "RequireSecureProxyBind=1", change 1 to 0 and click Add. Click OK to close all windows.
Organization Unit creation
We have to create an OU where the users imported from the other ADs will be stored. To create this kind of OU, use ADSI Edit. From the server root (DC=SA, DC=GEMALTO, DC=GEM), right-click, New Object, Organization Unit. Enter the name of the OU: AD1 for the first one, then AD2, then AD3.
Preparation of XML synchronization file between AD and ADAM
To import user accounts into ADAM, we have to create one XML file per AD to define which user group to import. Gemalto provides a template ADAMSync_Template.xml for this task. Create three copies of this file as ADAMSync_AD1.XML, ADAMSync_AD2.XML and ADAMSync_AD3.XML. See in the Annexe the file ADAMSync_AD1.XML. Modify them according to the information described below (find in the Annexe an example for AD1):
- source-ad-name: DNS name of the Active Directory source.
- source-ad-partition: Partition name for this AD (format: DC=xx,DC=yy).
- source-ad-account: samaccountname of the user used for the synchronisation (this account doesn't need any special privilege; the password will be asked during the installation of the synchronisation script).
- account-domain: The Active Directory domain name (usually the same as "source-ad-name").
- target-dn: DN where all ADAM accounts will be stored (we will create one OU per AD forest).
- base-dn: DN of the base of the Active Directory source.
- object-filter: LDAP filter which, for example, allows only the synchronisation of users in a group (example: memberof=cn=sausers,cn=users,dc=sa,dc=gemalto,dc=gem).
Initialization of the synchronization
To perform a synchronization, you first have to install it by using the XML files created just before. Launch the command with the right XML file:
adamsync /install localhost:389 ADAMSync_AD1.XML /passprompt
adamsync /install localhost:389 ADAMSync_AD2.XML /passprompt
adamsync /install localhost:389 ADAMSync_AD3.XML /passprompt
At this point adamsync asks you for the password (for the user declared in the XML file as source-ad-account).
Start the account synchronization
Launch the commands:
adamsync /sync localhost:389 "OU=AD1,DC=SA,DC=GEMALTO,DC=GEM"
adamsync /sync localhost:389 "OU=AD2,DC=SA,DC=GEMALTO,DC=GEM"
adamsync /sync localhost:389 "OU=AD3,DC=SA,DC=GEMALTO,DC=GEM"
You must see with the ADSI Edit tool all users from AD1, AD2 and AD3 in their respective OU.
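As an added example (Python of mine, not Gemalto's ADAMSync_Template.xml or its tooling), the following derives the per-AD values described above the way the note does, writes them in the element layout of the Annexe file, and reviews a generated file for the settings a practitioner would question before running adamsync /install. The ADAM partition and the sausers group come from this note; the account name svc-adamsync is a constructed placeholder.

```python
# Added example, not Gemalto's template or tooling: derive the per-AD ADAMSync
# settings the note describes and review a generated file before install.
import xml.etree.ElementTree as ET

ADAM_PARTITION = "dc=sa,dc=gemalto,dc=gem"   # partition chosen at instance creation

def dns_to_dn(dns_name: str) -> str:
    """ad1.gemalto.gem -> dc=ad1,dc=gemalto,dc=gem (the source-ad-partition format)."""
    return ",".join("dc=" + label for label in dns_name.lower().split("."))

def build_adamsync_config(ad_dns, ou_name, sync_account, group_cn="sausers"):
    """Return the <configuration> values for one source AD."""
    partition = dns_to_dn(ad_dns)
    return {
        "source-ad-name": ad_dns,
        "source-ad-partition": partition,
        "source-ad-account": sync_account,      # needs no special privilege
        "account-domain": ad_dns,
        "target-dn": "ou=%s,%s" % (ou_name.lower(), ADAM_PARTITION),
        "base-dn": "cn=users," + partition,
        "object-filter": "(memberof=cn=%s,cn=users,%s)" % (group_cn, partition),
    }

def to_xml(values: dict) -> str:
    """Serialise the values into the element layout of the annex file."""
    doc = ET.Element("doc")
    cfg = ET.SubElement(doc, "configuration")
    for tag in ("source-ad-name", "source-ad-partition", "source-ad-account",
                "account-domain", "target-dn"):
        ET.SubElement(cfg, tag).text = values[tag]
    query = ET.SubElement(cfg, "query")
    ET.SubElement(query, "base-dn").text = values["base-dn"]
    ET.SubElement(query, "object-filter").text = values["object-filter"]
    proxy = ET.SubElement(cfg, "user-proxy")
    ET.SubElement(proxy, "source-object-class").text = "user"
    ET.SubElement(proxy, "target-object-class").text = "userproxyfull"
    return ET.tostring(doc, encoding="unicode")

def check_config(xml_text: str) -> list:
    """Findings a reviewer would raise before running adamsync /install."""
    cfg = ET.fromstring(xml_text).find("configuration")
    def get(tag):
        return (cfg.findtext(tag) or cfg.findtext("query/" + tag) or "").strip().lower()
    findings = []
    if not get("target-dn").endswith("," + ADAM_PARTITION):
        findings.append("target-dn is not an OU inside the ADAM partition")
    if not get("object-filter").startswith("("):
        findings.append("object-filter missing or not a parenthesised LDAP filter: no group restriction")
    if get("source-ad-account") == "administrator":
        findings.append("sync account is Administrator although no special privilege is needed")
    return findings
```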
Creation of ADAM Proxy Users for the SA administration
SA needs two user accounts, one for its installation and the second one for its administration.
Creation in AD3: As ADAM is installed on a machine in the domain AD3, these accounts (ADMSA and SVCSA for example) must be created first in the domain AD3.
Creation in ADAM: Use the LDP tool to access ADAM in order to create the 2 userproxy accounts in ADAM matching those in AD3. On the SA machine, start the ADAM Command Prompt, and launch ldp from the command line. Click on Connection > Connect. Click on OK. Go to Connection > Bind. Click on OK; Bind as currently logged on user should already be checked.
For the SVCSA user: Go to Browse > Add Child and create the entry. Enter the DN for the user SVCSA: CN=SVCSA,DC=SA,DC=GEMALTO,DC=GEM. With Edit Entry, add these entries:
SamAccountname: svcsa
objectclass: userproxyfull
ObjectSID: xxxxxxxxxxxxxxxxxxxxxxxxx
About the SID, you can get it by launching the command:
dsquery user -samid <user> | dsget user -sid
For the ADMSA user, do the same as for the SVCSA user: Go to Browse > Add Child and create the entry. Enter the DN for the user ADMSA: CN=ADMSA,DC=SA,DC=GEMALTO,DC=GEM. With Edit Entry, add these entries:
SamAccountname: admsa
objectclass: userproxyfull
ObjectSID: xxxxxxxxxxxxxxxxxxxxxxxxx
Define the SVCSA user as the administrator of ADAM: With ADSI Edit, modify the attribute member of the object Configuration/Roles/Administrators and add the user SVCSA with its DN.
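The ObjectSID entered above is the SID of the matching AD3 account: dsget prints it as a string of the form S-1-5-21-..., while the attribute itself is a binary structure. As an added example (Python of mine, not part of the Gemalto note), these functions convert between the two forms so the value placed on the proxy object can be checked against a raw attribute dump; the sample SID is constructed.

```python
# Added example, not from the Gemalto application note: convert the textual SID
# that "dsget user -sid" prints into the binary objectSid structure and back.
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-<authority>-<sub>...' into the binary SID layout."""
    parts = sid.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S" or parts[1] != "1":
        raise ValueError("not a revision-1 SID string: %r" % sid)
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15 or authority >= 1 << 48:
        raise ValueError("malformed SID: %r" % sid)
    # byte 0: revision (1); byte 1: sub-authority count;
    # bytes 2-7: 48-bit identifier authority, big-endian
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    # each sub-authority is a 32-bit little-endian integer
    return header + struct.pack("<%dI" % len(subs), *subs)

def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid (as stored in the directory) to its string form."""
    if len(raw) < 12 or raw[0] != 1:
        raise ValueError("not a revision-1 binary SID")
    count = raw[1]
    if count == 0 or len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs))

def sid_hex(sid: str) -> str:
    """Hex rendering of the binary SID, for comparing with a raw attribute dump."""
    return sid_to_bytes(sid).hex().upper()

# Constructed sample SID in the shape "dsget user -sid" returns for a domain user.
SAMPLE_SID = "S-1-5-21-3623811015-3361044348-30300820-1013"

if __name__ == "__main__":
    print(sid_hex(SAMPLE_SID))
    print(bytes_to_sid(sid_to_bytes(SAMPLE_SID)))
```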
SA Setup
This is a standard installation in mixed mode, reaching ADAM as the LDAP server. Just a few screenshots regarding the LDAP parameters during the installation.
Check SA Server
Check the SA Server by using the administrator user (admsa) and users from the different Active Directories. With a web browser, reach the URL http://127.0.0.1/saserver/adminportal from the SA machine, for example. Authenticate the SA Server's administrator by password: enter the login admsa and his password. You are able to migrate users from the different Active Directories.
ANNEXE
AdamSync configuration file
For AD1:
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name>ad1.gemalto.gem</source-ad-name>
    <source-ad-partition>dc=ad1,dc=gemalto,dc=gem</source-ad-partition>
    <source-ad-account>administrator</source-ad-account>
    <account-domain>ad1.gemalto.gem</account-domain>
    <target-dn>ou=ad1,dc=sa,dc=gemalto,dc=gem</target-dn>
    <query>
      <base-dn>cn=users,dc=ad1,dc=gemalto,dc=gem</base-dn>
      <object-filter>(memberof=cn=sausers,cn=users,dc=ad1,dc=gemalto,dc=gem)</object-filter>
      <attributes>
        <include>objectsid</include>
        <include>samaccountname</include>
        <include>sourceobjectguid</include>
        <include>lastagedchange</include>
        <include>mobile</include>
        <include>mail</include>
        <include>sn</include>
        <include>givenname</include>
        <exclude></exclude>
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userproxyfull</target-object-class>
    </user-proxy>
    <schedule>
      <aging>
        <frequency>1</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>