
Protecting Juniper SA using Certificate-Based Authentication

Quick Start Guide

Copyright © 2013 SafeNet, Inc. All rights reserved.

All attempts have been made to make the information in this document complete and accurate. SafeNet, Inc. is not responsible for any direct or indirect damages or loss of business resulting from inaccuracies or omissions. The specifications contained in this document are subject to change without notice.

SafeNet and SafeNet Authentication Service are either registered with the U.S. Patent and Trademark Office or are trademarks of SafeNet, Inc., and its subsidiaries and affiliates, in the United States and other countries. All other trademarks referenced in this Manual are trademarks of their respective owners.

SafeNet Hardware and/or Software products described in this document may be protected by one or more U.S. Patents, foreign patents, or pending patent applications.

Please contact SafeNet Support for details of FCC Compliance, CE Compliance, and UL Notification.

Support

SafeNet technical support specialists can provide assistance when planning and implementing SafeNet Authentication Service. In addition to aiding in the selection of the appropriate authentication products, SafeNet can suggest deployment procedures that will provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment.

SafeNet works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a SafeNet channel partner, please contact your partner directly for support needs.

To contact SafeNet Authentication Service support directly:

Europe / EMEA

Freephone: 0800 694 1000 (UK)
Telephone: +44 (0)1276 608 000 (Int’l)
E-mail: [email protected]

North America

Toll Free: 800-307-7042
Telephone: +1 613 599 2441
E-mail: [email protected]

Customer Feedback

Help us to improve this documentation, our products and our services by communicating any ideas and suggestions that you feel would improve the usefulness and clarity of the documentation, product feature set or application in practice. Suggestions should be sent to:

[email protected]

Publication History

Date        Description      Revision
04/25/2013  Initial Release  1.0

Table of Contents

Introduction
  Integration System Requirements
Configuring Juniper SA for PKI
  Downloading a CA Certificate
  Creating a Certificate Authentication Server
  Adding the Certificate to the List of Trusted Client CAs
  Configuring the User Realm
Configuring KCD
  Configuring the User Account
    Creating a KCD User Account in Active Directory
    Defining the Delegated Authentication Services
  Configuring SA
    Configuring Web SSO
    Configuring the Constrained Delegation Service List
    Configuring SSO Policies
    Configuring SSO Profile
Configuring the Exchange Server
Running the Solution
  User Authentication Scenario


Introduction

This document guides you through setting up a certificate-based authentication solution in a Juniper Networks’ Junos Pulse Secure Access Service (SA) environment. This integration guide describes a single sign-on solution for Microsoft OWA based on SAC 8.2 and SafeNet tokens.

This section includes the following:

• Integration System Requirements

Integration System Requirements

For this scenario, the working environment must include the following software:

• Juniper Networks Junos Pulse Secure Access Service Version 7.1 R5 or later

• Microsoft Exchange 2010

• Microsoft Active Directory

• Microsoft Enterprise CA

• SAC 8.2 GA

• eToken 5100


Configuring Juniper SA for PKI

This section describes how to configure the server to enable Juniper SA certificate authentication with SafeNet’s PKI tokens.

This section includes the following:

• Downloading a CA Certificate

• Creating a Certificate Authentication Server

• Adding the Certificate to the List of Trusted Client CAs

• Configuring the User Realm

Downloading a CA Certificate

The first step is to download and save a CA certificate.

To download a CA certificate:

1. Access the CA server web interface.

2. Select Download a CA Certificate.

3. Select Base 64.

4. Save the certificate to the local hard drive.


Creating a Certificate Authentication Server

This step guides you through creating a certificate authentication server on the Juniper SA.

To create a certificate authentication server on the Juniper SA:

1. Select Authentication > Auth. Servers. The Authentication Servers window opens.

2. From the New drop-down list, select Certificate Server.

3. Click New Server. The New Certificate Server window opens.

4. Next to Name, enter a name for the new server; leave the default settings unchanged for all other options.

5. Click Save Changes.


Adding the Certificate to the List of Trusted Client CAs

The certificate can now be added to the list of Trusted Client CAs on the Juniper SA.

To add the certificate to the list of Trusted Client CAs:

1. Select System > Configuration > Certificates > Trusted Client CAs. The Configuration window opens.

2. Click the Import CA Certificate button and browse to select the saved file.

3. Click the Import Certificate button. The Trusted Client CA window opens.

4. Check that the Root CA Certificate details are correct.

5. Under Client certificate status checking, select Use CRLs (Certificate Revocation Lists) and click Save Changes.

6. Select CRL Checking Options. The CRL Checking Options window opens.

7. In the Use drop-down list, select CDP(s) specified in the Trusted Client CA.

8. Click Save Changes. The new CDP appears in the Certificate Detail page under Client certificate status checking.


Configuring the User Realm

The user realm needs to be configured to use certificate authentication, client certificate restrictions, and the Role Mapping Rules.

To configure the user realm:

1. Select Users > User Realms.

2. Click the Users link under the Authentication Realm column. The Realm window opens (“Users” Realm in this example).

3. In the General tab, under Servers, select the certificate server created in the previous step from the Authentication drop-down list.

4. Select the Authentication Policy tab and then click Certificate.

5. Select Only allow users with a client-side certificate signed by Trusted Client CAs to sign in.

6. Click Save Changes. The Juniper Networks Junos Pulse Secure Access is ready to authenticate users using certificates.


Configuring KCD

Juniper SA is often used to protect Web application resources, such as Outlook Web Access (OWA) and SharePoint, which are based on Windows authentication.

Kerberos Constrained Delegation (KCD) enables Single Sign On for the application resource, so that users are required to log on only once per session. The user logs on to SA, and then is not required to authenticate again when accessing Microsoft applications.

Setting up KCD with SA involves the following steps:

• Configuring the User Account in Active Directory

• Configuring SA

Configuring the User Account

Creating a KCD User Account in Active Directory

KCD requires an Active Directory user account that has Protocol Transition and Delegation rights. This account has rights to request a Kerberos ticket on behalf of a user signing in to SA.

To create a new user in Active Directory:

1. From the Windows taskbar, select Start > Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers window opens.

2. In the left pane, expand the domain name, and right-click Users.

3. In the menu that appears, select New > User. The New Object - User window opens.

4. Add the new user's information. This account will be used to access Web application resources, such as OWA.

5. Follow the instructions in the dialog box to progress through the windows.

Defining the Delegated Authentication Services

To configure the new account for Web application access, do the following:

• Use the setspn command to enable the Delegation tab in the new user account’s Properties window.

• Use the Delegation tab to enable the user to be trusted for delegation to all authentication protocols.

To define the Delegated Authentication Services for the new user:

1. Open the Command Prompt window, and enter the command:

    setspn -A HTTP/<user_account> <domain>\<user_account>

where:

• <user_account> is the User logon name created under Creating a KCD User Account in Active Directory

• <domain> is your domain

In the example that follows, testdomain is the domain, and samservice is the user account’s User logon name.

2. In the Active Directory Users and Computers window, right-click the defined user. The user’s Properties window opens.

3. Select the Delegation tab.

4. Select the following options:

• Trust this user for delegation to specified services only

• Use any authentication protocol

Note: Do not select Use Kerberos only because that option is not compatible with Protocol Transition and Constrained Delegation.

5. Click Add. The Add Services window opens.

6. Click Users or Computers to select the computer hosting the constrained services. The Select Users or Computers window opens.

7. Enter the name of the protected service’s server in the domain.

Note: In this example, the OWA service is hosted on the same server as the Active Directory Domain Controller, so DC is selected.

8. In the Add Services window, the services available on the selected server are displayed.

9. Select the appropriate service type, and click OK.

Note: In this example, Constrained Delegation must be configured for OWA. Select http to configure for OWA and for any other Web-based applications running on this server, such as SharePoint.

The delegated services are displayed in the user’s Properties window.

10. Click Apply, and then click OK.

Active Directory is now configured for this solution.
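A read-back check an administrator can run once step 10 is done, added here as an example and not part of the SafeNet guide: it reads the KCD account from Active Directory and confirms each setting the procedure asked for (the HTTP SPN, protocol transition, constrained targets, no unconstrained delegation, no privileged group membership). It assumes the ActiveDirectory PowerShell module, the sample account name samservice from the guide, and a placeholder FQDN for the server hosting OWA.

```powershell
# Added verification script (not from the SafeNet guide). Assumes the ActiveDirectory
# module; "samservice" is the guide's sample account, $OwaHost is a placeholder.
param(
    [string]$Account = 'samservice',
    [string]$OwaHost = 'DC.test-domain.com'   # placeholder: FQDN of the OWA server
)

Import-Module ActiveDirectory

$props = @('ServicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedForDelegation',
           'TrustedToAuthForDelegation', 'MemberOf')
$u = Get-ADUser -Identity $Account -Properties $props
$findings = @()

# Step 1: "setspn -A HTTP/<user_account>" must have registered this SPN, otherwise
# the Delegation tab never appears and nothing below can be set.
if ($u.ServicePrincipalName -notcontains "HTTP/$Account") {
    $findings += "SPN HTTP/$Account is not registered on the account."
}

# "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION; "Use Kerberos
# only" leaves it clear and protocol transition from the SA's certificate logon fails.
if (-not $u.TrustedToAuthForDelegation) {
    $findings += 'TrustedToAuthForDelegation is false (protocol transition not enabled).'
}

# "Trust this user for delegation to specified services only" records the chosen
# services in msDS-AllowedToDelegateTo; the http service on the OWA host must be there.
$targets = @($u.'msDS-AllowedToDelegateTo')
if (-not ($targets -match "^http/$([regex]::Escape($OwaHost))(:|$)")) {
    $findings += "No http/$OwaHost entry in msDS-AllowedToDelegateTo ($($targets -join ', '))."
}

# Unconstrained delegation (TRUSTED_FOR_DELEGATION) is not required by the procedure
# and should never be set on this account.
if ($u.TrustedForDelegation) {
    $findings += 'TrustedForDelegation is true: account allows unconstrained delegation.'
}

# The account's password is stored on the SA (Configuring the Constrained Delegation
# Service List, step 10d), so it should carry no administrative group membership.
$adminGroups = $u.MemberOf | Where-Object {
    $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Account Operators),'
}
if ($adminGroups) {
    $findings += "Account is a member of privileged groups: $($adminGroups -join '; ')"
}

if ($findings.Count -eq 0) {
    Write-Output "KCD account $Account matches the procedure."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```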

Configuring SA

Configuring SA with Constrained Delegation for users connecting via SA to a selected application involves the following steps:

• Configuring Web SSO

• Configuring the Constrained Delegation Service List

• Configuring SSO Policies

For example purposes in this section, the connection will be to the OWA application.


Configuring Web SSO

In this step, you will add the Kerberos Realm to SA’s Kerberos SSO Settings.

1. In the SA Administrator console, select Users > Resource Policies > SSO > General. The WebPolicySSOGeneral window opens.

2. Click Kerberos SSO Settings to see additional settings.

3. Select Enable Kerberos SSO.

4. In the Realm Definition area, add the Kerberos realm. In this example, the test-domain.com realm was added.

Note: The Kerberos Realm is typically the DNS domain.

5. Save the changes.

Configuring the Constrained Delegation Service List

This step consists of uploading a text file to create a Constrained Delegation Service List.

To configure the Constrained Delegation Service List:

1. Open Notepad or a similar text application, and create a file containing the DC server name.

2. Save the file.

3. In the SA Administrator console, select Users > Resource Policies > Web > SSO (Single Sign-on) > General.

4. In the Constrained Delegation area, click Edit. The Constrained Delegation Service Lists window opens.

5. Click New Service List.

6. In the Name field, enter any value.

7. Click Choose File, and browse to the text file saved at the beginning of this procedure.

8. Click OK. The Upload Status window opens.

9. When the upload completes, click Close.

10. In the Constrained Delegation area, do the following:

a. In the Label field, enter any value. In this example, we used test-domain.com.

b. In the Realm drop-down menu, select the Kerberos realm defined in Configuring Web SSO.

c. In the Principal Account field, enter the user logon name (samservice) created in Creating a KCD User Account in Active Directory.

d. In the Password field, enter the user’s domain password.

e. In the Service List drop-down list, select the service list name.

f. Click Add.

g. Save the changes.


Configuring SSO Policies

In this step, you will define the roles and resources for which Constrained Delegation will be performed.

To configure SSO policies for OWA:

1. In the SA Administrator console, select Users > Resource Policies > Web > Kerberos/NTLM/Basic Auth.

2. Click the New Policy button. The New Policy window opens.

3. In the Name field, enter a name for the policy.

4. In the Resource field, enter the exact fully-qualified domain name.

5. Under Roles, select Policy applies to selected Roles and add the necessary role.

6. Under Action, choose Constrained Delegation and define appropriate credentials, defined in Configuring the Constrained Delegation Service List.

7. Save the changes.


Configuring SSO Profile

1. In the SA Administrator console, select Users > Resource Profiles > Web.

2. Click the New Profile button. The New WEB Application Resource Profile window opens.

3. From the Type drop-down list, select Microsoft OWA 2010. The OWA 2010 window opens.

4. In the Name field, enter any value for the policy name.

5. In the Base URL field, enter the OWA site’s base URL.

6. Under Autopolicy: Web Compression, do the following:

a. In the Resource column, enter the OWA site.

b. From the Action drop-down list, select Compress.

c. Click Add.

7. Under Autopolicy: Single Sign-on, do the following:

a. Select Constrained Delegation.

b. In the Resource field, enter the host FQDN of the web server.

c. From the Credential drop-down list, select the Constrained Delegation’s Label defined in Configuring the Constrained Delegation Service List.

8. Click Save Changes.


Configuring the Exchange Server

This section guides you through configuring the server hosting the web application.

Note: This solution can be configured for any web application hosted on any server within the domain.

For example purposes, we will use the OWA web application, hosted on the same server as the Active Directory Domain Controller.

To configure OWA and ECP:

1. Open the Microsoft Exchange console.

2. In the left pane, select Server Configuration > Client Access.

3. In the Client Access area (middle pane), select your Exchange server.

4. Select the Outlook Web App tab.

5. Right-click owa (Default Web Site), and select Properties. The owa (Default Web Site) Properties window opens.

6. Select the Authentication tab, and do the following:

a. Select Use one or more standard authentication methods.

b. Select Integrated Windows Authentication.

c. Click OK.

7. In the Microsoft Exchange console, select the Exchange Control Panel tab.

8. Right-click ecp (Default Web Site), and select Properties. The ecp (Default Web Site) Properties window opens.

9. Select the Authentication tab, and do the following:

a. Select Use one or more standard authentication methods.

b. Select Integrated Windows Authentication.

c. Click OK.

10. Restart IIS for the configuration to take effect. To do this, open a Command Prompt window and enter iisreset.
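A check to run from the Exchange Management Shell after step 10, added here as an example and not part of the SafeNet guide: it reads the owa and ecp virtual directories back and confirms that Integrated Windows Authentication is on and forms-based authentication is off, which is what steps 6 and 9 select. The server name is a placeholder; the Exchange 2010 cmdlets used are Get-OwaVirtualDirectory and Get-EcpVirtualDirectory.

```powershell
# Added check (not from the SafeNet guide). Run in the Exchange Management Shell.
# $Server is a placeholder for the Client Access server selected in step 3.
param([string]$Server = 'DC')

$dirs = @(Get-OwaVirtualDirectory -Server $Server) +
        @(Get-EcpVirtualDirectory -Server $Server)

foreach ($d in $dirs) {
    $problems = @()

    # Step 6b / 9b: the Kerberos ticket the SA obtains through KCD is only accepted
    # if Integrated Windows Authentication is enabled on the directory.
    if (-not $d.WindowsAuthentication) {
        $problems += 'Integrated Windows Authentication is off'
    }

    # Step 6a / 9a: "Use one or more standard authentication methods" is the
    # alternative to forms-based authentication; if forms auth is still on the
    # user is sent to the OWA logon form instead of being signed in.
    if ($d.FormsAuthentication) {
        $problems += 'forms-based authentication is still enabled'
    }

    $state = if ($problems) { 'FINDING: ' + ($problems -join '; ') } else { 'OK' }
    Write-Output ('{0} on {1}: {2}' -f $d.Name, $d.Server, $state)
}
```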


Running the Solution

User Authentication Scenario

In this example, a user named John authenticates to SA in the following environment:

• The user authenticates against Juniper SA using a certificate saved on a token.

• Juniper SA validates the authentication on the Authentication Server; if validation succeeds, the user can access OWA.

Procedure:

1. Enroll a smartcard user certificate on behalf of the domain for the user “John”.

2. Install SAC 8.2 GA on the client machine used for certificate-based authentication.

3. Connect the token.

4. Open a web browser and browse to the Juniper SA portal. In this example, the SA site is:

https://Juniper.test-domain.com

5. When prompted for the smartcard PIN, enter the Token Password. Click OK.

6. If the credentials are accepted, the user “John” is redirected to the SA portal.

7. Click the OWA 2010 link. The user “John” is automatically authenticated to the OWA account using KCD.

References

Related documents