Solution Overview
All information herein is either public information or is the property of and owned solely by Gemalto NV. and/or its subsidiaries who shall have and keep the sole right to file patent applications or any other kind of intellectual property protection in connection with such information. Nothing herein shall be construed as implying or granting to you any rights, by license, grant or otherwise, under any intellectual and/or industrial property rights of or concerning any of Gemalto’s information. This document can be used for informational, non‐commercial, internal and personal use only provided that:
• The copyright notice below, the confidentiality and proprietary legend and this full warning notice appear in all copies.
• This document shall not be posted on any network computer or broadcast in any media and no modification of any part of this document shall be made.
Use for any other purpose is expressly prohibited and may result in severe civil and criminal liabilities.
The information contained in this document is provided “AS IS” without any warranty of any kind. Unless otherwise expressly agreed in writing, Gemalto makes no warranty as to the value or accuracy of information contained herein.
The document could include technical inaccuracies or typographical errors. Changes are periodically added to the information herein. Furthermore, Gemalto reserves the right to make any change or improvement in the specifications data, information, and the like described herein, at any time.
Gemalto hereby disclaims all warranties and conditions with regard to the information contained herein, including all implied warranties of merchantability, fitness for a particular purpose, title and non‐infringement. In no event shall Gemalto be liable, whether in contract, tort or otherwise, for any indirect, special or consequential damages or any damages whatsoever including but not limited to damages resulting from loss of use, data, profits, revenues, or customers, arising out of or in connection with the use or performance of information contained in this document.
Gemalto does not and shall not warrant that this product will be resistant to all possible attacks and shall not incur, and disclaims, any liability in this respect. Even if each product is compliant with current security standards in force on the date of their design, security mechanisms' resistance necessarily evolves according to the state of the art in security and notably under the emergence of new attacks. Under no circumstances, shall Gemalto be held liable for any third party actions and in particular in case of any successful attack against systems or equipment incorporating Gemalto products. Gemalto disclaims any liability with respect to security for direct, indirect, incidental or consequential damages that result from any use of its products. It is further stressed that independent testing and verification by the person using the product is particularly encouraged, especially in any application in which defective, incorrect or insecure functioning could result in damage to persons or property, denial of service or loss of privacy.
© Copyright 2008 Gemalto N.V. All rights reserved. Gemalto and the Gemalto logo are trademarks and service marks of Gemalto N.V. and/or its subsidiaries and are registered in certain countries. All other trademarks and service marks, whether registered or not in specific countries, are the property of their respective owners.
GEMALTO, B.P. 100, 13881 GEMENOS CEDEX, FRANCE. Tel: +33 (0)4.42.36.50.00 Fax: +33 (0)4.42.36.50.90
Printed in France. Document Reference:
June 16, 2008
Contents
Preface ... iv
Who Should Read This Book... iv
For More Information... iv
Conventions ...v
Contact Our Hotline...v
Overview ... 1
Main steps...1
Architecture ...2
Elements description...2
ADAM Setup ... 3
Prerequisites ...3
Installation ...3
Create an instance ...3
Configuration...7
Creation of the Schema Extension in ADAM...7
Connection to ADAM with ADSI Edit tool ...8
Disable LDAPS between ADAM and AD... 11
“Organization Unit” creation ... 14
Preparation of XML synchronization file between AD and ADAM ... 15
Initialization of the synchronization... 15
Creation of ADAM Proxy Users for the SA administration ... 17
SA Setup ... 24
Check SA Server... 25
ANNEXE ... 26
AdamSync configuration file ... 26
Preface
The Gemalto two-factor authentication solution provides strong authentication based on smart cards
for the enterprise, banking, and internet service provider (ISP) markets.
This solution enables organizations to deploy a strong authentication solution for their end-users,
whether local or remote. The system can service a broad range of deployments, from small
corporations with less than 100 users to ISPs with potentially millions of users.
Who Should Read This Book
This guide is intended for system administrators responsible for configuring the SA Server and Microsoft
Exchange 2003 in order to use Gemalto OTP devices to authenticate users defined in several Active
Directories.
Administrators should be familiar with:
• Microsoft Windows Server 2003.
• Active Directory and ADAM (Active Directory Application Mode).
• The Gemalto SA Server system architecture.
For More Information
For a complete list of the documentation for the Gemalto Strong Authentication (SA) Server, refer to the
release notes (README.txt) on the Gemalto SA Server CD (or zip image of the CD).
Conventions
The following conventions are used in this document:
In this manual, the following highlighting styles are used:
Bold
– Instructions, commands, file names, folder names, key names, icons, menus, menu items, field names, buttons, check boxes, tabs, registry keys and values.
Italic
– Variables that you must replace with a value, book titles, news or emphasized terms.
In this manual, hyperlinks are marked as described below
Internal Links
– Displayed in quotation marks. When viewing this book online, click an internal link to jump to a different section of the book.
External Links
– Displayed in blue, underlined text. When viewing this book online, click an external link to
launch your default browser (or email program) to navigate to that Web address or compose an email.
In this manual, notes and cautions are marked like this:
Notes: Information that further explains a concept or instruction, tips, and tricks.
Caution: Information that alerts you to potentially severe problems that might result in loss of data or
system failure.
Contact Our Hotline
If you do not find the information you need in this manual, or if you find errors, contact the Gemalto hotline at http://support.gemalto.com/.
Overview
This document provides a deployment scenario to show you how to configure ADAM in order to interact with the Gemalto SA Server.
In this scenario, a company wants to use SA Server (for example, to authenticate and authorize mobile users), but this company has several Active Directory domains (3 in this use case). Because SA Server can reach only one LDAP server, using ADAM to synchronize the user accounts from the other Active Directory domains into a single directory is one solution.
Caution:
This document describes one example scenario only. Consequently, it should not be considered as an instruction manual on how to configure your system.
Main steps
The main steps are:
Architecture
Elements description
1. Three Domain Controller machines (dc1, dc2, dc3) hosting respectively an Active Directory
ad1.gemalto.gem, ad2.gemalto.gem, ad3.gemalto.gem
ADAM Setup
Prerequisites
All Active Directory domains (AD1, AD2, AD3, ...) must have a full “trust relationship” between all of them.
You must have the following files provided by Gemalto:
MS-AdamSyncMetadata.LDF, MS-AdamSchemaW2K3.LDF, MS-UserProxyFull.LDF and ADAMSync_Template.xml.
Installation
Install the ADAM application on the SA machine by using the installer “ADAMSP1_x86_english.exe”. The installation is done in c:\windows\adam.
Create an instance
Configuration
The following chapter describes the configuration needed to complete the installation
and to adjust the configuration for SA Server.
Creation of the Schema Extension in ADAM
Copy the 3 LDF files provided by Gemalto (MS-AdamSyncMetadata.LDF, MS-AdamSchemaW2K3.LDF, MS-UserProxyFull.LDF) into c:\windows\adam.
Use the command prompt for ADAM: Start -> ADAM -> ADAM Tools Command Prompt.
Launch these commands:
ldifde -i -f MS-AdamSyncMetadata.LDF -s localhost -t 389 -c "cn=configuration,dc=x" #configurationNamingContext
Connection to ADAM with ADSI Edit tool
Right-click on ADAM ADSI Edit -> Connect…
Disable LDAPS between ADAM and AD
Use “ADSI Edit” in the ADAM menu.
Edit the msDS-Other-Settings attribute of the Directory Service object and remove the value « RequireSecureProxyBind=1 ».
When this value is present, ADAM accepts a proxy (bind-redirected) bind only over an SSL connection; removing it lets the SA Server bind to ADAM over plain LDAP on port 389, which means the proxy users’ passwords travel to ADAM unencrypted on that connection.
“Organization Unit” creation
We have to create an OU where the users imported from the other ADs will be stored. To create this OU, use “ADSI Edit”: from the server root (DC=SA,DC=GEMALTO,DC=GEM), right-click and choose New→Object→Organization Unit.
Preparation of XML synchronization file between AD and ADAM
To import user accounts into ADAM, we have to create one XML file per AD defining which user group to import.
Gemalto provides a template, “ADAMSync_Template.xml”, for this task.
Create three copies of this file named ADAMSync_AD1.XML, ADAMSync_AD2.XML and ADAMSync_AD3.XML (the Annexe shows the file ADAMSync_AD1.XML).
Modify each of them according to the information described below (the Annexe gives an example for AD1):
source-ad-name: DNS name of the source Active Directory.
source-ad-partition: partition name of this AD (format: DC=xx,DC=yy,...).
source-ad-account: sAMAccountName of the user used for the synchronization. This account does not need any special privilege; its password is asked for during the installation of the synchronization script.
account-domain: the Active Directory domain name (usually the same as « source-ad-name »).
target-dn: DN under which all ADAM accounts will be stored (we create one OU per AD forest).
base-dn: DN of the base of the source Active Directory.
object-filter: LDAP filter which, for example, allows only the synchronization of the users in a given group (example: memberOf=CN=SAUSERS,CN=Users,DC=sa,DC=gemalto,DC=gem).
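To show how the three per-AD files are derived from the template, here is an added example that is not part of the Gemalto document or its tooling: a Python script that copies a template and fills in the elements listed above for AD1, AD2 and AD3, then checks each result before it is handed to adamsync. The inline template is a constructed stand-in for ADAMSync_Template.xml containing only the elements this document names (any further elements of the real template would be left untouched); the synchronization account name adamsync and the group name SAUSERS in the source domain are assumptions.

```python
"""Fill an ADAMSync template for several source Active Directories.

Added example (not Gemalto code). Element names follow the document's
description of the ADAMSync configuration file.
"""
import copy
import xml.etree.ElementTree as ET

# Constructed stand-in for ADAMSync_Template.xml: only the elements this
# document describes. fill_config() leaves any other element untouched.
TEMPLATE_XML = """<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name></source-ad-name>
    <source-ad-partition></source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain></account-domain>
    <target-dn></target-dn>
    <query>
      <base-dn></base-dn>
      <object-filter></object-filter>
    </query>
  </configuration>
</doc>
"""

ADAM_ROOT = "DC=SA,DC=GEMALTO,DC=GEM"   # ADAM partition used in this document
SYNC_ACCOUNT = "adamsync"                # assumed sAMAccountName of the sync user
SYNC_GROUP = "SAUSERS"                   # assumed group whose members are imported
FORESTS = {                              # the three ADs of the scenario
    "AD1": "ad1.gemalto.gem",
    "AD2": "ad2.gemalto.gem",
    "AD3": "ad3.gemalto.gem",
}


def dns_to_dn(dns_name):
    """'ad1.gemalto.gem' -> 'DC=ad1,DC=gemalto,DC=gem'."""
    return ",".join("DC=" + label for label in dns_name.split("."))


def fill_config(template_root, short_name, dns_name):
    """Return a copy of the template filled in for one source AD."""
    root = copy.deepcopy(template_root)
    cfg = root.find("configuration")
    partition = dns_to_dn(dns_name)
    values = {
        "source-ad-name": dns_name,
        "source-ad-partition": partition,
        "source-ad-account": SYNC_ACCOUNT,
        "account-domain": dns_name.upper(),
        "target-dn": f"OU={short_name},{ADAM_ROOT}",
        "query/base-dn": partition,
        # Only members of one group of the source AD are imported.
        "query/object-filter": f"(memberOf=CN={SYNC_GROUP},CN=Users,{partition})",
    }
    for path, text in values.items():
        elem = cfg.find(path)
        if elem is None:
            raise ValueError(f"template has no <{path}> element")
        elem.text = text
    return root


def build_all(template_xml=TEMPLATE_XML, forests=FORESTS):
    """Return {'ADAMSync_AD1.XML': '<?xml ...', ...}, one entry per forest."""
    template_root = ET.fromstring(template_xml)
    files = {}
    for short_name, dns_name in forests.items():
        root = fill_config(template_root, short_name, dns_name)
        body = ET.tostring(root, encoding="unicode")
        files[f"ADAMSync_{short_name}.XML"] = '<?xml version="1.0"?>\n' + body
    return files


def read_field(xml_text, path):
    """Text of one <configuration> field, e.g. read_field(x, 'query/base-dn')."""
    return ET.fromstring(xml_text).find("configuration").findtext(path)


def check_config(xml_text):
    """Checks worth running before 'adamsync /install': the target is an OU
    under the ADAM root, base-dn lies inside the source partition, and the
    object filter is a parenthesised LDAP filter."""
    target = read_field(xml_text, "target-dn")
    partition = read_field(xml_text, "source-ad-partition")
    base_dn = read_field(xml_text, "query/base-dn")
    flt = read_field(xml_text, "query/object-filter")
    return (target.startswith("OU=") and target.endswith("," + ADAM_ROOT)
            and base_dn.endswith(partition)
            and flt.startswith("(") and flt.endswith(")"))


if __name__ == "__main__":
    # Writes ADAMSync_AD1.XML, ADAMSync_AD2.XML, ADAMSync_AD3.XML to the cwd.
    for name, text in build_all().items():
        print(name, "OK" if check_config(text) else "INVALID")
        with open(name, "w", encoding="utf-8") as fh:
            fh.write(text)
```

The generated files are then passed to adamsync /install exactly as described in the next section; check_config() is the kind of quick sanity pass that catches a target OU typed under the wrong partition before the synchronization is installed.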
Initialization of the synchronization
To perform a synchronization, you first have to install it using the XML files created above.
Launch the command once per XML file:
adamsync /install localhost:389 ADAMSync_AD1.XML /passprompt
adamsync /install localhost:389 ADAMSync_AD2.XML /passprompt
adamsync /install localhost:389 ADAMSync_AD3.XML /passprompt
At this point adamsync asks you for the password of the user declared in the XML file (source-ad-account).
Then run the synchronization for each target OU:
adamsync /sync localhost:389 "OU=AD1,DC=SA,DC=GEMALTO,DC=GEM"
adamsync /sync localhost:389 "OU=AD2,DC=SA,DC=GEMALTO,DC=GEM"
adamsync /sync localhost:389 "OU=AD3,DC=SA,DC=GEMALTO,DC=GEM"
With the ADSI Edit tool you should now see all the users from AD1, AD2 and AD3 in their respective OUs.
Creation of ADAM Proxy Users for the SA administration
For the SVCSA user:
You can get the SID by launching the command:
DSQUERY USER -samid <user> | dsget user -sid
For the ADMSA user, do the same as for the SVCSA user:
Go to Browse->Add Child and create
Check SA Server
Check the SA Server by using the administrator user (admsa) and users from the different Active Directories.
With a web browser, reach the URL http://127.0.0.1/saserver/adminportal (from the SA machine, for example).
Authenticate the SA Server administrator by password: enter the login ‘admsa’ and its password.
You should now be able to migrate users from the different Active Directories.
ANNEXE
AdamSync configuration file
For AD1:
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>Adamsync configuration file</description>
    <security-mode>object</security-mode>
    <source-ad-name>ad1.gemalto.gem</source-ad-name>
    <source-ad-partition>dc=ad1,dc=gemalto,dc=gem</source-ad-partition>
    <source-ad-account>administrator</source-ad-account>
    <account-domain>AD1.GEMALTO.GEM</account-domain>
    <target-dn>OU=AD1,DC=SA,DC=GEMALTO,DC=GEM</target-dn>
    <query>
      <base-dn>