Module version: 1.3.1 Document revision: 1.3.1 Date: Feb 12, 2014
McAfee One Time Password
Table of Contents
Integration Module Overview
Prerequisites and System Requirements
    Windows Server
    Active Directory
    Microsoft Exchange 2010
    McAfee One Time Password
Installation
    Installing the Integration Module
Configuration
    Creating the Virtual Directory OWAIISIntegration
    Edit OWA 2010 web.config
    Filter Configuration
Exchange Configuration
    Outlook Web App Forms Authentication
    Restarting the IIS Web Server
One Time Password Configuration (Server-side)
McAfee One Time Password (server and soft token) enables you to rapidly deploy
two-factor authentication, including soft tokens, so that remote and mobile employees can
securely access critical information while maintaining compliance. The password
security offering includes strong two-factor authentication and streamlined deployment
and management, reducing operational effort and costs associated with traditional and
legacy one time password solutions.
Integration Module Overview
The McAfee One Time Password Outlook Web App integration module enables strong authentication for Microsoft OWA. An HTTP module filter protects the OWA web application and communicates with the One Time Password server.
Module features:
Supports OWA Forms authentication
Installed as an HTTP Module filter to protect all incoming requests
Debug logging (Event Viewer)
SMS, Pledge and E-mail authentication method support
Prerequisites and System Requirements
Windows Server
Microsoft Windows Server 2003 or later.
Microsoft .NET Framework 3.5 or later has to be installed on the server.
Active Directory
Active Directory has to be configured for McAfee One Time Password to authenticate and retrieve mobile numbers for users.
Microsoft Exchange 2010
Version: 14.02.0318.004 or later
McAfee One Time Password
Version 3.0 or later.
Note: McAfee One Time Password can use any LDAP v3 compatible Directory Service and also an ODBC compliant database server to perform authentication and mobile number lookup.
Installation
Installing the Integration Module
Before installing the OWA Integration Module, make sure that Exchange 2010 is installed and working as it should. Also make sure that a One Time Password server is available (it does not have to be installed on the same machine as OWA 2010).
Follow these steps for a successful installation of the OWA integration module:
1. Download the latest OWA integration installation package:
2. Run OTP_Integration_OWA_2010.exe and unzip the files. The default installation path is
   C:\Program Files\McAfee\OTP_Integrations\OWA
   If the path is changed, make sure to change the references to it (registry settings).
Screenshot 1 – OTP OWA integration files
3. As Administrator:
Double click OTP_OWA2010_RegistrySettings.reg. This will create the registry key SOFTWARE\McAfee\One Time Password\OWA and its sub keys.
Registry settings are described further down in the section Configuration – Filter Configuration.
4. Copy or move the files to the destination folder:
   Files:
   \OTP_Integrations\OWA\owa_bin\McAfee.OTP.IIS.dll
   \OTP_Integrations\OWA\owa_bin\NordicEdgeOTP.dll
   Destination:
Configuration
Creating the Virtual Directory OWAIISIntegration
In IIS Manager:
1. Right click the Default Web Site and click Add Virtual Directory…
2. Set Alias to OWAIISIntegration
Set Physical path to C:\Program Files\McAfee\OTP_Integrations\OWA\OWAIISIntegration\UI
Screenshot 2 – Add Virtual Directory OWAIISIntegration
3. Click OK.
Edit OWA 2010 web.config
1. Browse to C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa
2. Make a copy of web.config as a backup. Just in case…
3. Open web.config with a text editor.
4. Locate the tag <modules> and add the following row as the first module in the list:
   <add name="HttpAuthenticationModule" type="McAfee.OTP.IIS.HttpAuthenticationModule" />
After editing, the modules section should look like this:
   <modules>
     <add name="HttpAuthenticationModule" type="McAfee.OTP.IIS.HttpAuthenticationModule" />
     <add type="Microsoft.Exchange.Clients.Owa.Core.OwaModule, Microsoft.Exchange.Clients.Owa" name="OwaModule" />
     <add name="exppw" />
   </modules>
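The edit above can be scripted so that the backup is always taken and the module's position is verified afterwards. The following PowerShell is an added example and is not part of the McAfee manual or installer; it assumes the default Exchange 2010 OWA path from step 1, an elevated PowerShell session, and that the web.config contains exactly one <modules> element (it matches the element by name, wherever it sits in the file):

```powershell
# Added example (not from the McAfee manual): register the OTP HTTP module as
# the first <modules> entry in the OWA web.config, after taking a backup.
# Assumptions: default Exchange 2010 install path; elevated PowerShell session.
$owaDir    = 'C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa'
$webConfig = Join-Path $owaDir 'web.config'
$backup    = "$webConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"

# Step 2 of the manual: keep a copy before touching the file.
Copy-Item -Path $webConfig -Destination $backup -ErrorAction Stop
Write-Host "Backup written to $backup"

[xml]$xml = Get-Content -Path $webConfig -Raw
$modules = $xml.SelectSingleNode('//modules')
if ($null -eq $modules) { throw "No <modules> element found in $webConfig" }

# Idempotent: re-running the script must not register the module twice.
$existing = $modules.SelectSingleNode("add[@name='HttpAuthenticationModule']")
if ($null -ne $existing) {
    Write-Host 'HttpAuthenticationModule already present; no change made.'
} else {
    $add = $xml.CreateElement('add')
    $add.SetAttribute('name', 'HttpAuthenticationModule')
    $add.SetAttribute('type', 'McAfee.OTP.IIS.HttpAuthenticationModule')
    # Insert ahead of the current first entry so the OTP filter runs before OwaModule.
    if ($modules.HasChildNodes) {
        [void]$modules.InsertBefore($add, $modules.FirstChild)
    } else {
        [void]$modules.AppendChild($add)
    }
    $xml.Save($webConfig)
}

# Verify by re-reading the saved file: the first <add> must be the OTP module.
[xml]$check = Get-Content -Path $webConfig -Raw
$first = $check.SelectSingleNode('//modules/add[1]')
if ($null -eq $first -or $first.GetAttribute('name') -ne 'HttpAuthenticationModule') {
    throw 'Verification failed: HttpAuthenticationModule is not the first module.'
}
Write-Host 'HttpAuthenticationModule is registered first in <modules>.'
```

Ordering matters for the protection the module provides: it is registered first so that every request to the OWA application passes the OTP filter before OwaModule handles it, which is why the script checks the position rather than only the presence of the entry.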
Filter Configuration
All settings for the filter are defined in the Windows registry. If any keys are missing, default values will be used by the filter. Several keys specify URL or file paths, which obviously must be valid for the filter to run properly. All file paths used by the filter must have the necessary access rights.
Configure the module settings on your server:
Click Start > Run…, type regedit and click OK. Navigate to HKLM\SOFTWARE\McAfee\One Time Password.
Most of the predefined key values do not have to be modified but there are some values that are specific for your environment like StaticLogonDomain (this is simply your AD domain) and the OtpServerAddress.
Remember to configure SmsClientDetectionName, PledgeClientDetectionName and/or EmailClientDetectionName according to your OTP Server settings.
NOTE: The registry configuration is read at web application startup, which means that the web application must be restarted if the configuration is changed.
Registry key HKLM\SOFTWARE\McAfee\One Time Password

SessionManagerDebug (default: 0)
    If set to 1, a log will be found in the Event Viewer > Windows Logs > Application. Look for SessionManager in the Source column.

Registry key HKLM\SOFTWARE\McAfee\One Time Password\OWA

ChangeADPasswordURL (default: http://ChangeADPasswordURL)
    If One Time Password detects that a user password is about to expire, the user is redirected to the URL configured in this key.

CredentialsPostURL (default: /owa/auth/owaauth.dll)
    The URL to which user credentials are posted after a successful two-factor authentication.

EmailClientDetectionName (default: empty)
    Example: EMAIL

Encryption (default: 1)
    DES encryption between the client and the server. 0 = No encryption, 1 = Encryption.

EventViewerDebug (default: 0)
    If set to 1, a log will be found in the Event Viewer > Windows Logs > Application. Look for HttpAuthenticationModule in the Source column.
    Note that the key SessionManagerDebug also has to be set to 1 if Session Manager debugging is desired.
    Troubleshooting:
    C:\Windows\system32>eventcreate /ID 1 /L APPLICATION /T INFORMATION /SO HttpAuthenticationModule /D "My first log"

ExcludedPages (default values: logon.aspx and expiredpassword.aspx)
    Pages in the owa web application that will be excluded from the filter.

IgnoredURLs (default: owa/service.svc?action)
    If the given string is included in the URL, the request is ignored by the filter.

MaxSessions (default: 10000)
    The maximum number of sessions that can exist in the module session store.

KeepSessions (default: 9000)
    Specifies the number of current sessions that will be kept after MaxSessions has been reached.

OtpIntegrationFilePath (default: C:\Program Files\McAfee\OTP_Integrations\OWA\OWAIISIntegration\)
    The path to the directory containing the OTP integration files and directories.

OtpIntegrationIISWebAppName (default: OWAIISIntegration)
    The name of the web application (Virtual Directory) where images and so on are located.

OtpServerAddress (default: 127.0.0.1:3100)
    Sets the OTP server address. Either a plain host name or multiple host names/port numbers for failover with the following syntax: 192.168.10.3:3100;otp.acme.com:3567;otpserver.xyz.com:3100
    Use a colon (:) to separate the host name from the port number and a semicolon (;) to separate multiple OTP Servers.

PledgeClientDetectionName (default: empty)
    Example: PLEDGE

PostURL (default: /owa/auth/owaauth.dll)
    The URL to which UPLogin.html and OTPLogin.html are posted.

RemoveOldSessionsInterval (default: 5)
    Value in minutes. Removes old sessions (sessionsToRemove = MaxSessions - KeepSessions) that are no longer in use.

RemovePrivatePublicButtons (default: 0)
    If set to 1, the radio buttons Private Computer and Public Computer will be removed from the login form.

SessionTimeOut (default: 5)
    Integration module session timeout in minutes. Note that OWA has its own session timeouts: the radio button "This is a public or shared computer" has a default timeout of 15 minutes, and "This is a private computer" has a default timeout of 8 hours.

SmsClientDetectionName (default: empty)
    Example: SMS
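The values that are specific to an environment (StaticLogonDomain, OtpServerAddress, the client detection names and the integration path) are easy to get subtly wrong, and a typo in OtpServerAddress only shows up after the next restart. The PowerShell below is an added example, not the McAfee OTP_OWA2010_RegistrySettings.reg file; it assumes that .reg file has already created the keys (it only updates values that exist, so the value types chosen by the installer are kept), and the domain name, server list and client names in it are constructed placeholders:

```powershell
# Added example (not the McAfee installer's .reg file): validate and write the
# environment-specific filter settings under the OWA key. Run elevated, after
# OTP_OWA2010_RegistrySettings.reg has created the keys.
$otpKey = 'HKLM:\SOFTWARE\McAfee\One Time Password'
$owaKey = Join-Path $otpKey 'OWA'

# Placeholder values: replace with your AD domain, OTP servers and client names.
$settings = [ordered]@{
    StaticLogonDomain           = 'CORP'
    OtpServerAddress            = '192.168.10.3:3100;otp.example.com:3567'
    OtpIntegrationFilePath      = 'C:\Program Files\McAfee\OTP_Integrations\OWA\OWAIISIntegration\'
    OtpIntegrationIISWebAppName = 'OWAIISIntegration'
    SmsClientDetectionName      = 'SMS'      # must match the OTP Server client names
    PledgeClientDetectionName   = 'PLEDGE'
    Encryption                  = 1          # keep encryption to the OTP server enabled
}

function Test-OtpServerAddress {
    # Accepts "host" or "host:port"; several entries are separated by ';'.
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $false }
    foreach ($entry in ($Address -split ';')) {
        $parts = @($entry -split ':')
        if ($parts.Count -gt 2) { return $false }
        if ($parts[0] -notmatch '^[A-Za-z0-9][A-Za-z0-9.-]*$') { return $false }
        if ($parts.Count -eq 2 -and
            ($parts[1] -notmatch '^\d{1,5}$' -or [int]$parts[1] -gt 65535)) { return $false }
    }
    return $true
}

if (-not (Test-Path $owaKey)) {
    throw "Key $owaKey not found; import OTP_OWA2010_RegistrySettings.reg first."
}
if (-not (Test-OtpServerAddress $settings.OtpServerAddress)) {
    throw "OtpServerAddress '$($settings.OtpServerAddress)' is not host[:port][;host[:port]...]"
}
if (-not (Test-Path $settings.OtpIntegrationFilePath)) {
    throw "OtpIntegrationFilePath does not exist: $($settings.OtpIntegrationFilePath)"
}

foreach ($name in $settings.Keys) {
    # Only update values the .reg file created, so their registry types are unchanged.
    $current = Get-ItemProperty -Path $owaKey -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        Write-Warning "Value '$name' not present under $owaKey; skipped."
        continue
    }
    Set-ItemProperty -Path $owaKey -Name $name -Value $settings[$name]
}

# Read back what the filter will load at the next web application start.
Get-ItemProperty -Path $owaKey |
    Select-Object StaticLogonDomain, OtpServerAddress, OtpIntegrationFilePath,
                  SmsClientDetectionName, PledgeClientDetectionName, Encryption |
    Format-List
Write-Host 'Settings are read at web application startup: run iisreset for them to take effect.'
```

The address check mirrors the syntax the table gives (colon between host and port, semicolon between servers) and rejects ports above 65535; the path check catches the common case of a non-default installation directory whose registry reference was not updated.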
Exchange Configuration
Outlook Web App Forms Authentication
Follow these steps to configure the OWA module to use forms-based authentication. In the Exchange Management Console:
1. Expand Server Configuration and click Client Access.
2. Right click owa (Default Web Site) and click Properties.
3. Make sure that Use forms-based authentication is selected and Logon format is set to Domain\user name.
Screenshot 5 – owa Properties
Restarting the IIS Web Server
Before the integration module can be used, IIS has to be restarted. As Administrator:
Open a Command Prompt and type iisreset to restart Internet Information Services.
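The forms-authentication setting and the restart can also be done from the Exchange Management Shell, followed by a check that the module actually started logging. This is an added example, not code from the manual; it assumes the Exchange 2010 management cmdlets are loaded, that the OWA virtual directory is on the local server (the identity is built from the computer name as a placeholder), and that EventViewerDebug and SessionManagerDebug have been set to 1 as described under Filter Configuration:

```powershell
# Added example (not from the McAfee manual): set forms-based authentication,
# restart IIS and confirm the OTP module writes to the Application log.
# Assumptions: Exchange Management Shell loaded; local server hosts the owa
# virtual directory; EventViewerDebug=1 and SessionManagerDebug=1 are set.
$identity = "$env:COMPUTERNAME\owa (Default Web Site)"   # placeholder identity

# Forms-based authentication with logon format Domain\user name (FullDomain).
Set-OwaVirtualDirectory -Identity $identity -FormsAuthentication $true -LogonFormat FullDomain

# Show the effective settings before restarting.
Get-OwaVirtualDirectory -Identity $identity |
    Select-Object Identity, FormsAuthentication, LogonFormat

# Registry and virtual directory settings are read at startup: restart IIS.
iisreset

# After the first request to /owa the module logs with sources
# HttpAuthenticationModule and SessionManager when the debug flags are on.
$since = (Get-Date).AddMinutes(-10)
foreach ($source in 'HttpAuthenticationModule', 'SessionManager') {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = $source; StartTime = $since
    } -MaxEvents 20 -ErrorAction SilentlyContinue
    if ($events) {
        Write-Host "$source : $($events.Count) event(s) in the last 10 minutes"
        $events | Select-Object TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
    } else {
        Write-Warning "$source : no events yet (debug flag off, or OWA not requested since the restart?)"
    }
}
```

A missing SessionManager source with HttpAuthenticationModule present usually means only EventViewerDebug was enabled; the table notes that SessionManagerDebug must be set to 1 as well for Session Manager logging.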
One Time Password Configuration (Server-side)
SMS and Pledge Database Configuration
The OWA integration module lets the user choose between Pledge, SMS (text message) and E-mail as authentication methods. The OTP database configuration for Pledge and SMS is described below.
Offering several authentication methods is optional; however, at least one authentication method must be configured for this solution to work.
In OTP Server Configurator:
1. Create a new OTP Server Database that will be used for Pledge authentication. Configure the Database as shown in the screenshot below.
Note that OATH Key in the Account Settings section has to be a multivalue string attribute.
Screenshot 6 – OTP Server Database for Pledge OTP support
2. Create a new OTP Server Database that will be used for SMS authentication. Configure the Database as shown in the screenshot below.
Screenshot 7 - OTP Server Database for SMS OTP support
3. Create a new OTP Server client that will be used for Pledge authentication. Configure the client as shown in the screenshot below.
Screenshot 8 - Defining an OTP Server client for Pledge OTP support
4. Create a new OTP Server client that will be used for SMS authentication. Configure the client as shown in the screenshot below.
Screenshot 9 - Defining an OTP Server client for SMS OTP support
5. Click Ok, and Save Config.
6. Remember to set the registry values (Filter Configuration section) for SmsClientDetectionName, PledgeClientDetectionName and EmailClientDetectionName according to your OTP Server client name settings (and restart OWA).
Screenshot 10 – Integration module login page