Application Note
Preface
All information herein is either public information or is the property of and owned solely by Gemalto N.V. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information.
Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information.
This document can be used for informational, non-commercial, internal and personal use only provided that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.
• This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities. The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document. Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.
© Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.
GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90
Contents
Preface ... 3
Who Should Read This Book ...3
For More Information ...3
Conventions...4
Contact Our Hotline ...4
Overview... 5
Intelligent Application Gateway ...5
Gemalto SA Server...5
Integration of SA Server with IAG...6
Use Case... 7
Main steps ...7
Components description ...8
Configure the Internet Authentication Service... 9
Add a RADIUS Client ...10
Configure Access Policies ...11
Configure the Gemalto Strong Authentication Server ... 16
Installation...16
User management ...18
Check SA Server usage ...20
Install and configure SA Server agent for IAS... 21
Restart IAS ...21
Configure Intelligent Application Gateway ... 23
List of Figures
Figure 1 – Global Architecture... 6
Figure 2 – Architecture for the use case ... 7
Figure 3 - IAS RADIUS Server ... 9
Figure 4 - New RADIUS Client ... 10
Figure 5 - New RADIUS Client with shared secret... 10
Figure 6 - Policy Configuration ... 11
Figure 7 - Policy Conditions... 11
Figure 8 - Attribute type ... 12
Figure 9 - Client IP Address ... 12
Figure 10 - Policy Conditions... 13
Figure 11 - Selecting Permissions... 13
Figure 12 - Editing Authentication ... 14
Figure 13 - Encryption Type ... 14
Figure 14 – SA Installation – LDAP Server Information ... 17
Figure 15 – SA Installation – Administrator account ... 17
Figure 16 – SA Configuration – Administrator connection ... 18
Figure 17 – SA Configuration – User management ... 18
Figure 18 – SA Configuration – Create OATH device... 19
Figure 19 – SA Configuration – Policy modification ... 19
Figure 20 – SA Configuration – Link the device to the user ... 20
Figure 21 – IAS Agent installation ... 21
Figure 22 - Stopping the IAS Service ... 22
Figure 23 - Starting the IAS Service ... 22
Figure 24 – IAG Configuration – Portal properties ... 23
Figure 25 – IAG Configuration – Advanced Trunk Configuration ... 24
Figure 26 – IAG Configuration – Add authentication server... 24
Figure 27 – IAG Configuration - Add RADIUS Server... 25
Figure 28 – IAG Configuration – Select OTP Method ... 25
Figure 29 – IAG Configuration – Select both authentication servers ... 26
Figure 30 – Client connection - Login... 27
Figure 31 – Client connection - IAG Portal ... 28
Figure 32 – Client connection - OWA Access ... 28
Figure 33 – Client connection - OWA... 29
Preface
The Gemalto two-factor authentication solution provides strong authentication based on smart cards for the enterprise, banking, and internet service provider (ISP) markets.
This solution enables organizations to deploy a strong authentication solution for their end-users, whether local or remote. The system can service a broad range of deployments, from small corporations with less than 100 users to ISPs with potentially millions of users.
Who Should Read This Book
This guide is intended for system administrators responsible for configuring the Microsoft IAG and Gemalto SA Server in order to use Gemalto OTP devices to authenticate mobile users with IAG.
Administrators should be familiar with:
• Microsoft Intelligent Application Gateway.
• The Gemalto SA Server system architecture.
For More Information
For a complete list of the documentation for the Gemalto Strong Authentication (SA) Server, refer to the release notes (README.txt) on the Gemalto SA Server CD (or zip image of the CD).
Conventions
The following highlighting styles are used in this manual:
Bold – Instructions, commands, file names, folder names, key names, icons, menus, menu items, field names, buttons, check boxes, tabs, registry keys and values.
Italic – Variables that you must replace with a value, book titles, new or emphasized terms.
In this manual, hyperlinks are marked as described below:
Internal Links – Displayed in quotation marks. When viewing this book online, click an internal link to jump to a different section of the book.
External Links – Displayed in blue, underlined text. When viewing this book online, click an external link to launch your default browser (or email program) to navigate to that Web address or compose an email.
In this manual, notes and cautions are marked like this:
Notes: Information that further explains a concept or instruction, tips, and tricks.
Caution: Information that alerts you to potentially severe problems that might result in loss of data or system failure.
Contact Our Hotline
Overview
This document provides a deployment scenario showing how to configure Microsoft IAG to use Gemalto SA Server to authenticate mobile users who access applications through the IAG Portal.
Caution: This document describes one deployment scenario; consequently, it should not be considered an instruction manual on how to configure your system.
Intelligent Application Gateway
Microsoft’s Intelligent Application Gateway (IAG) 2007 with Application Optimizers provides secure socket layer (SSL) virtual private network (VPN), a Web application firewall, and endpoint security management that enable access control, authorization, and content inspection for a wide variety of line-of-business applications.
Together, these technologies provide mobile and remote workers with easy and flexible secure access from a broad range of devices and locations including kiosks, PCs, and mobile devices.
IAG also enables IT administrators to enforce compliance with application and information usage guidelines through a customized remote access policy based on device, user, application, or other business criteria.
For more information, visit:
http://www.microsoft.com/forefront/edgesecurity/iag/en/us/overview.aspx
Gemalto SA Server
Gemalto SA Server is a strong authentication platform that was developed to incorporate the strengths of Gemalto’s smart card technology. It consists of a family of smart card-based user authentication devices, a browser plug-in, an authentication and customer care server and a self-service user care portal.
This server provides One Time Password (OTP) authentication and makes “Two Factor Authentication” possible, for stronger authentication.
For more information about OTP, visit http://en.wikipedia.org/wiki/One-time_password, and about Two Factor Authentication, visit http://en.wikipedia.org/wiki/Two_factor_authentication
Gemalto SA Server runs under Windows and Linux operating systems and is easily integrated with existing network and authentication infrastructure.
Integration of SA Server with IAG
Integrating SA Server into an existing IAG architecture reinforces security, especially for mobile users, by requiring an OTP.
Installation and configuration on the company side is simple: install SA Server with RADIUS and configure IAG to use that RADIUS server for authentication.
On the client side, nothing has to be installed. The user fills in the authentication page with his login, password and the OTP (provided by any OATH token).
List of Gemalto OATH devices: http://www.protiva.gemalto.com/download/SADevices.pdf
After a successful authentication, you either have direct access to your application, or IAG presents a web page listing all the applications you are allowed to reach.
Use Case
In this section, we are focusing on a specific use case to show in detail how the integration of SA Server with IAG can be done.
In this scenario, the mobile user can access his applications such as OWA and/or Sharepoint through IAG with a “Two Factor Authentication” (Login / AD Password / OTP).
We add the OTP mechanism to an existing IAG configuration by installing and configuring the Microsoft RADIUS server (IAS) and the Gemalto SA Server.
Figure 2 – Architecture for the use case
Main steps
The main steps are:
Components description
External Network (39.0.0.9/255.255.255.0):
CLIENT is the machine used by the “mobile user” from the external network. It could be any machine running Windows 2000, XP, Vista, Macintosh or Linux. In this case, we use a Windows XP SP2 machine with Internet Explorer.
Gateway:
IBIZA is the name of the IAG Appliance and has two network cards. We can also imagine a configuration with only one card for an IAG located in a DMZ for example.
Note: This use case also works when IAG is not in the AD domain.
Internal Networks (10.1.1.0/255.255.255.0):
DALLAS is a machine hosting Active Directory and acting as domain controller.
Configure the Internet Authentication Service
On the Saserver machine, install the IAS service that is embedded in Windows Server 2003.
Check IAS RADIUS Server domain
The IAS RADIUS server must be part of the AD domain, as IAS has to check that each mobile user has an account in the directory.
Access to IAS administration
You have to:
1. Click on Start and select Administrative Tools.
2. Select Internet Authentication Service.
Add a RADIUS Client
You now have to add the IAG machine as a RADIUS client:
3. Right click on RADIUS Clients and Select New RADIUS Client
Figure 4 - New RADIUS Client
4. In Friendly name enter a name for Microsoft IAG.
5. In Client address (IP or DNS) enter the <IP internal address>.
a. In our laboratory, we used 10.1.1.5.
6. Click on Next.
Figure 5 - New RADIUS Client with shared secret
7. Select RADIUS Standard for Client-Vendor.
Configure Access Policies
You have to add a new remote access policy:
1. Right click on Remote Access Policies and select New Remote Access Policy.
2. Click on Next in the wizard window.
Figure 6 - Policy Configuration
3. Select Set up a custom policy choice in How do you want to set up this policy and add a friendly name in Policy name.
4. Click on Next.
Figure 7 - Policy Conditions
Figure 8 - Attribute type
6. Select Client-IP-Address in Attribute types: and click on Add…
Figure 9 - Client IP Address
Figure 10 - Policy Conditions
8. Click on Next.
Figure 11 - Selecting Permissions
Figure 12 - Editing Authentication
10. Click on Edit Profile… in the profile window.
11. Select the Authentication tab and uncheck all boxes except Unencrypted authentication (PAP, SPAP).
12. Select the Encryption tab.
Figure 13 - Encryption Type
15. In the New Remote Access Policy Wizard window, click on Finish.
The new policy is now available.
Configure the Gemalto Strong Authentication Server
Installation
The complete installation is not detailed here. For the installation and the configuration steps, please refer to the Gemalto SA Server documentation.
On the “SA Server”, you have to do a standard installation in “mixed mode” to reach the Active Directory on Dallas.
Figure 14 – SA Installation – LDAP Server Information
LDAP connection for SA Server:
• Hostname: 10.1.1.6 (dallas)
• Base DN: DC=CONSTOSO, DC=COM
• Login DN: CN=sasconnect, CN=users
• User Base DN: CN=users
Figure 15 – SA Installation – Administrator account
User management
Reach the web administrator portal (in this case http://10.1.1.10/saserver/adminportal with the user sasadmin).
You are able to “migrate” users from Active Directory to SA Server and attach OTP tokens to these users.
Figure 16 – SA Configuration – Administrator connection
Add a user from AD (“marc” in this example): Manage Users -> Migrate User
Add an OATH device:
In Manage Devices -> Create OATH Device
Figure 18 – SA Configuration – Create OATH device
Modify the policy to check only the OTP, and not the OTP + AD password: Manage Policies -> View all policies
Select the policy linked to your device (OATH Policy – 6R in this case) and disable “Use Password Rule”.
Link the Device to the user:
In “Manage Device”, find the device you want to link to the user. Enter “Marc” in the User field, then update and activate.
Figure 20 – SA Configuration – Link the device to the user
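The three administrator-portal steps above (create an OATH device, set the policy to check the OTP only, link the device to a user) modelled in Python, as an added example that is not the SA Server's own code. The OTP computation is RFC 4226 HOTP with the 6-digit length of the OATH Policy – 6R; the OathServer class, the device serial, the user name "marc", the look-ahead window and the use of the RFC's published test secret are constructed assumptions for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, reduced modulo 10^digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OathDevice:
    """Server-side record of one event-based OATH token (constructed model)."""

    def __init__(self, serial: str, secret: bytes, digits: int = 6):
        self.serial = serial
        self.secret = secret
        self.digits = digits
        self.counter = 0        # next counter value the server will accept
        self.user = None        # set when the device is linked to a user
        self.active = False


class OathServer:
    """Minimal stand-in for the Manage Devices / Manage Policies / link steps.
    The policy modelled here is OTP only (Use Password Rule disabled)."""

    def __init__(self, window: int = 10):
        self.window = window    # look-ahead for counters the token burned offline
        self.devices = {}

    def create_device(self, serial: str, secret: bytes, digits: int = 6) -> None:
        self.devices[serial] = OathDevice(serial, secret, digits)

    def link_device(self, serial: str, user: str) -> None:
        device = self.devices[serial]
        device.user = user
        device.active = True

    def device_for(self, user: str):
        for device in self.devices.values():
            if device.active and device.user == user:
                return device
        return None

    def verify(self, user: str, otp: str) -> bool:
        """Accept the OTP if it matches a counter in [counter, counter + window);
        the server counter only moves forward, so an accepted code cannot be replayed."""
        device = self.device_for(user)
        if device is None:
            return False
        if len(otp) != device.digits or not otp.isdigit():
            return False
        for c in range(device.counter, device.counter + self.window):
            if hmac.compare_digest(hotp(device.secret, c, device.digits), otp):
                device.counter = c + 1   # every counter up to c is now burned
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; a real token's seed is provisioned, not shared
    server = OathServer()
    server.create_device("DEV-0001", b"12345678901234567890")
    server.link_device("DEV-0001", "marc")
    print(server.verify("marc", hotp(b"12345678901234567890", 0)))   # True
    print(server.verify("marc", hotp(b"12345678901234567890", 0)))   # False: replayed
```

The look-ahead window is what lets a user who pressed the token a few times without logging in still authenticate; anything behind the server counter is rejected, which is the property that makes a captured OTP worthless once it has been used.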
Check SA Server usage
Install and configure SA Server agent for IAS
For the installation and the configuration steps, please refer to the Gemalto SA Server documentation.
In this case, as IAS and SA Server are on the same machine, the address for “SA Server Authentication Servlet URL” is localhost (default configuration).
Figure 21 – IAS Agent installation
Restart IAS
To launch the installed agent, you now have to re-start IAS.
Figure 22 - Stopping the IAS Service
• Then, click on the green arrow in the same toolbar to restart the server and take the changes into account.
Figure 23 - Starting the IAS Service
Configure Intelligent Application Gateway
In this section, we are going to add the OTP authentication to the existing configuration. Log on to the IAG management application…
Figure 24 – IAG Configuration – Portal properties
Select the Portal “Portal1”.
Figure 25 – IAG Configuration – Advanced Trunk Configuration
In the Authentication tab, click on ‘Add’ for a new authentication service.
Figure 26 – IAG Configuration – Add authentication server
Figure 27 – IAG Configuration - Add RADIUS Server
In the Type field, select RADIUS and type a name; then type the IP/Host of the RADIUS Server and the Secret Key. Click on OK.
Notes: The Secret Key is the shared secret you have configured in New RADIUS Client.
Figure 28 – IAG Configuration – Select OTP Method
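What the shared secret actually does between IAG and IAS, as an added example that is neither Gemalto nor Microsoft code: it models the RADIUS client registration by IP address and secret (the New RADIUS Client step), the RFC 2865 User-Password hiding that the PAP setting in the remote access policy relies on, and the Response Authenticator that a RADIUS client should check before trusting an Access-Accept. The client table, the user table that stands in for the SA Server agent's OTP check, the secret value and the Request Authenticator used in the test are all constructed.

```python
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each block
    with MD5(secret + previous cipher block), keyed from the Request Authenticator
    for the first block. This is the only protection a PAP password gets on the wire,
    so the strength rests entirely on the shared secret."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password, as performed by the RADIUS server."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2:          # malformed attribute: stop rather than loop forever
            break
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, request_auth=None) -> bytes:
    """Client side (IAG's role): Access-Request with User-Name and hidden User-Password."""
    request_auth = request_auth or os.urandom(16)   # must be fresh and unpredictable
    attrs = encode_attr(ATTR_USER_NAME, username.encode()) + encode_attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def handle_access_request(packet: bytes, source_ip: str, clients: dict, credentials: dict):
    """Server side (IAS's role). `clients` maps a registered client IP to its shared
    secret (the New RADIUS Client step); requests from unknown addresses are silently
    dropped. `credentials` is a constructed {user: expected_otp} table standing in
    for the SA Server agent's OTP verification."""
    if source_ip not in clients:
        return None
    secret = clients[source_ip]
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs or ATTR_USER_PASSWORD not in attrs:
        return None
    user = attrs[ATTR_USER_NAME].decode(errors="replace")
    pwd = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in credentials and hmac.compare_digest(pwd, credentials[user].encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + _md5(header, request_auth, b"", secret)


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: accept a reply only if its Response Authenticator proves it was
    produced with the shared secret for this exact request (rejects forged Accepts)."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = _md5(response[:4], request_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])


def response_code(response: bytes) -> int:
    return response[0]
```

Two consequences follow for this deployment: a client sending from an address that is not in the RADIUS client list gets no answer at all, and a mismatch between the Secret Key typed in IAG and the shared secret typed in New RADIUS Client does not produce an error message, only rejections, because the server recovers garbage instead of the OTP. The Response Authenticator check is the client's only guarantee that an Access-Accept came from the IAS server on the internal network rather than from an impostor.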
Still in the Authentication tab, select User Must Provide Credentials for Each Selected Server and check Use the Same User Name.
Client connection
On the client workstation, open your web browser and type the IAG external IP address or the DNS name associated with it.
Notes: In our laboratory, the website was https://iag.contoso.com
Figure 30 – Client connection - Login
Figure 31 – Client connection - IAG Portal
2. Select OWA 2007 to access Outlook Web Access.
Figure 32 – Client connection - OWA Access
In this example, the application authentication is done by web form. The logon is done automatically by IAG.
Figure 33 – Client connection - OWA
Connection to another application (Sharepoint):
Go back to the IAG Portal, and then click on Sharepoint; you are automatically connected to Sharepoint: