Copyright © 2010 CRYPTOCard Inc. http://www.cryptocard.com
Implementation Guide for protecting
Remote Web Workplace (RWW)
Outlook Web Access (OWA) 2003
SharePoint 2003
IIS Web Sites
with BlackShield ID
BlackShield ID Implementation guide for IIS, SharePoint, OWA, RWW
Copyright
Copyright © 2010, CRYPTOCard All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard.
Trademarks
BlackShield ID, BlackShield ID SBE and BlackShield ID Pro are either registered trademarks or trademarks of CRYPTOCard Inc. All other trademarks and registered trademarks are the property of their owners.
Additional Information, Assistance, or Comments
CRYPTOCard’s technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.
CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your partner directly for support needs.
To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
[email protected]
For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.
Related Documentation
Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides: http://www.cryptocard.com.
Publication History
Date              Changes                  Version
January 26, 2009  Document created         1.0
July 9, 2009      Copyright year updated   1.1
Table of Contents
Overview ... 1
Applicability ... 1
Assumptions ... 2
Operation ... 2
Preparation and Prerequisites ... 2
Configuration ... 3
Protecting Microsoft Remote Web Workplace ... 3
Protecting Microsoft Outlook Web Access (OWA) using forms-based authentication ... 3
Protecting Microsoft Outlook Web Access (OWA) using basic authentication ... 4
Protecting Microsoft SharePoint ... 5
Protecting custom virtual directories ... 6
GrIDsure Tokens ... 7
Outlook Web Access – Forms based authentication ... 7
SharePoint ... 9
Overview
By default, Remote Web Workplace, Outlook Web Access and SharePoint require that a user provide a correct user name and password to log on successfully. This document describes the steps necessary to augment this logon mechanism with strong authentication by adding the requirement to provide a one-time password generated by a CRYPTOCard token, using the BlackShield ID Agent for IIS (“Agent”).
The BlackShield ID IIS Agent allows two-factor authentication of users accessing IIS web sites, including:
• Microsoft Remote Web Workplace
• Microsoft Outlook Web Access (Basic & Web forms)
• Microsoft SharePoint
• Any virtual directory you have created
Applicability
Summary
Product Name                      Microsoft Internet Information Server 6.0
Vendor Site                       http://www.microsoft.com
Supported Application Software    Remote Web Workplace 2003
                                  Outlook Web Access 2003
                                  Microsoft SharePoint 2003
                                  IIS Virtual Directories
Authentication Method             BlackShield ID Pro Agent
Supported BlackShield ID Pro Agent functionality
Authentication Mode               One-time password
                                  Challenge-response / Next Tokencode
                                  BlackShield ID Pro static password
New PIN Mode                      User-changeable Alphanumeric 3-16 digit PIN
                                  User-changeable Numeric 3-16 digit PIN
                                  Server-changeable Alphanumeric 3-16 digit PIN
                                  Server-changeable Numeric 3-16 digit PIN
This integration guide is applicable to:
CRYPTOCard Server
Authentication Server   BlackShield ID
Version                 Small Business Edition 1.2+
                        Professional Edition 2.3+
CRYPTOCard Agent
Agent                   BlackShield ID Authentication Agent for IIS
Version                 2.x
Operating System        32-bit Windows 2003
Assumptions
BlackShield ID has been installed and configured and a “Test” user account can be selected in the Assignment Tab.
Operation
The BlackShield ID Agent for IIS modifies the logon pages for Remote Web Workplace, Outlook Web Access, and SharePoint. It adds an additional field labeled OTP (One-Time Password) to the logon pages. Once the plug-in has been enabled, the user enters their regular credentials as well as an OTP.
Preparation and Prerequisites
1. Ensure you can successfully authenticate to the given service using a static username and password prior to enabling BlackShield ID protection.
Configuration
Protecting Microsoft Remote Web Workplace
1. Open the Internet Information Services (IIS) Manager.
It can be started by clicking Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand the first node in the left hand pane, which is the name of your web server (local computer).
3. Expand Web Sites.
4. Expand Default Web Site.
5. Right click the virtual directory Remote, and select Properties.
6. Select the CRYPTOCard tab.
7. Select Enable BlackShield Authentication for this virtual directory.
8. From the drop down menu, select the option for RWW, which has its path ending in iis agent\rww\authisapi.dll.
9. Select OK.
RWW is now protected. To verify, right click the virtual directory Remote and select Browse. A modified logon form should appear with an OTP field added.
Protecting Microsoft Outlook Web Access (OWA) using forms-based authentication
1. Open the Internet Information Services (IIS) Manager.
It can be started by clicking Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand the first node in the left hand pane, which is the name of your web server (local computer).
3. Expand Web Sites.
4. Expand Default Web Site.
5. Expand ExchWeb.
6. Right click the virtual directory bin, and select Properties.
7. Select the CRYPTOCard tab.
8. Select Enable BlackShield Authentication for this virtual directory.
9. From the drop down menu, select the option for OWA, which has its path ending in iis agent\owa\authisapi.dll.
OWA is now protected. To verify, right click the virtual directory Exchange and select Browse. A modified logon form should appear with an OTP field added.
Protecting Microsoft Outlook Web Access (OWA) using basic authentication
The IIS agent is installed to protect OWA using forms authentication by default; however, it can be reconfigured to use Basic authentication by following the steps below if your Exchange Server is not using Forms authentication.
1. Open the Internet Information Services (IIS) Manager.
It can be started by clicking Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand the first node in the left hand pane, which is the name of your web server (local computer).
3. Expand Web Sites.
4. Right click Default Web Site and select Properties.
5. Select the CRYPTOCard tab.
6. Select Enable BlackShield Authentication for this virtual directory.
7. From the drop down menu, select the option for OWA, which has its path ending in iis agent\owa\authisapi.dll.
8. Select Preconfigured application from the set of radio buttons below.
9. From its drop down menu, select Exchange (Cryptocard_template_exchange.xml).
10. Select OK.
11. Expand Default Web Site.
12. Expand ExchWeb.
13. Right click the virtual directory bin, and select Properties.
14. Select the CRYPTOCard tab.
15. Select Enable BlackShield Authentication for this virtual directory.
16. From the drop down menu, select the option for OWA, which has its path ending in iis agent\owa\authisapi.dll.
17. Select OK.
OWA is now protected. To verify, right click the virtual directory Exchange and select Browse. A modified logon form should appear with an OTP field added.
Protecting Microsoft SharePoint
1. Open the Internet Information Services (IIS) Manager.
It can be started by clicking Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand the first node in the left hand pane, which is the name of your web server (local computer).
3. Expand Web Sites.
4. Expand the name of your SharePoint web site.
By default, the name of this site is often companyweb.
5. Right click the virtual directory _vti_bin, and select Properties.
6. Select the CRYPTOCard tab.
7. Select Enable BlackShield Authentication for this virtual directory.
8. From the drop down menu, select the option for Sharepoint, which has its path ending in iis agent\sharepoint\authisapi.dll.
9. Select Preconfigured application from the set of radio buttons below.
10. Select OK.
SharePoint is now protected. To verify, right click the name of your SharePoint web site (companyweb) and select Browse. The default BlackShield logon form should appear.
Note: In order to allow Microsoft authentication to succeed through the BlackShield SharePoint logon form, it is necessary to enable both anonymous access and basic authentication for the SharePoint application. If this is not done, the user will be able to authenticate against BlackShield but the authentication to SharePoint will fail.
Follow the steps below to accomplish this:
1. Open the Internet Information Services (IIS) Manager.
It can be started by clicking Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand the first node in the left hand pane, which is the name of your web server (local computer).
3. Expand Web Sites.
4. Right click the name of your SharePoint web site and select Properties. By default, the name of this site is often companyweb.
5. Select the Directory Security tab.
6. Select the Edit button under the Authentication and Access Control section.
7. Select Enable Anonymous Access at the top of the screen; do not change the user
8. Unselect Integrated Windows Authentication.
9. Select Basic Authentication.
10. Click OK.
11. Click Yes to the popup dialog.
12. Click OK to exit the properties tab.
Protecting custom virtual directories
1. Open the Internet Information Services (IIS) Manager.
It can be started by clicking Start | Administrative Tools | Internet Information Services (IIS) Manager.
2. Expand the first node in the left hand pane, which is the name of your web server (local computer).
3. Expand Web Sites.
4. Locate the virtual directory you wish to protect and select Properties.
5. Select the CRYPTOCard tab.
6. Select Enable BlackShield Authentication for this virtual directory.
7. From the drop down menu, select the option for default, which has its path ending in iis agent\default\authisapi.dll.
8. Select New custom application from the set of radio buttons below.
9. Select Configure....
10. Select OK.
11. Select OK.
GrIDsure Tokens
GrIDsure tokens give an end-user the ability to generate a one-time password without requiring any additional hardware or software. GrIDsure presents the end-user with a grid of cells containing random characters, from which the end-user selects their ‘personal identification pattern’ (PIP). Each time the end-user needs to authenticate, the grid displays a new random set of characters. The end-user only needs to remember their PIP and provide the characters currently shown in the cells that make up their PIP in order to authenticate and log on.
For the purpose of this guide, only the demonstration of GrIDsure tokens being used will be shown. A more detailed explanation of how GrIDsure tokens work can be obtained in the GrIDsure specific token guide.
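The PIP mechanism described above, simulated as an added example (this is not CRYPTOCard's or GrIDsure's code): a fresh grid of random digits is issued per logon, the OTP is read from the cells of the user's pattern, and the server consumes the grid on the first verification attempt so a captured OTP cannot be replayed. The 5x5 size, the digit-only alphabet, the function names and the constructed sample PIP are all assumptions for illustration.

```python
import secrets

GRID_SIZE = 5            # assumed: a 5x5 grid
ALPHABET = "0123456789"  # assumed: digit-only cells


def new_grid(size=GRID_SIZE, alphabet=ALPHABET):
    """Build a fresh challenge grid from a CSPRNG; every logon gets a new one."""
    return [[secrets.choice(alphabet) for _ in range(size)] for _ in range(size)]


def otp_from_pip(grid, pip):
    """Read the characters at the PIP's cells, in PIP order.

    This is what the user types into the OTP field; the pattern itself
    stays in the user's head and is never transmitted.
    """
    return "".join(grid[row][col] for row, col in pip)


def render(grid):
    """Text rendering of the grid as a logon page would display it."""
    return "\n".join(" ".join(row) for row in grid)


class GridChallenge:
    """Server side: at most one outstanding grid per user, consumed on first use."""

    def __init__(self):
        self._pending = {}

    def issue(self, user):
        grid = new_grid()
        self._pending[user] = grid
        return grid

    def verify(self, user, pip, otp):
        # pip is the user's enrolled pattern (held server-side in a real deployment).
        # pop() makes the grid single-use: pass or fail, a replayed OTP is rejected.
        grid = self._pending.pop(user, None)
        if grid is None:
            return False
        expected = otp_from_pip(grid, pip)
        return secrets.compare_digest(expected.encode(), otp.encode())


if __name__ == "__main__":
    server = GridChallenge()
    pip = [(0, 0), (1, 1), (2, 2), (3, 3)]   # constructed sample PIP: main diagonal
    grid = server.issue("alice")
    print(render(grid))
    otp = otp_from_pip(grid, pip)             # what the user would type
    print("first attempt:", server.verify("alice", pip, otp))   # True
    print("replayed OTP:", server.verify("alice", pip, otp))    # False
```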
Outlook Web Access – Forms based authentication
1. Using a web browser, browse to the OWA logon site.
2. Enter your Microsoft user name and Microsoft password.
3. Leave the OTP field empty.
5. Using your PIP, enter your OTP in the OTP field.
Note: In this example the OTP has been revealed for demonstration purposes.
SharePoint
1. Using a web browser, browse to the SharePoint logon site.
Note: Normally a web browser pop up would appear. However, once protected with CRYPTOCard, a web based logon page will appear.
2. Enter your Microsoft user name and Microsoft password.
3. Leave the OTP field empty.
4. Click the Log On button.
5. Using your PIP, enter your OTP in the OTP field.
Note: In this example the OTP has been revealed for demonstration purposes.
Troubleshooting
Symptom: I access my service’s logon page, but I don’t see the addition of the OTP (One-Time password) field to enter my token code.
Possible Causes:
You have not chosen the correct logon page.