GlobalSign Enterprise Solutions
Two Factor Authentication for SharePoint User Guide
GlobalSign Enterprise PKI for Strong Two Factor Client Authentication
using Windows SharePoint
GlobalSign Two‐Factor Authentication for SharePoint Solution Guide v1.0 2
INTRODUCTION
Microsoft SharePoint is a powerful tool that allows users to access and share a wide array of important information. Protecting this information is essential, ensuring that it is only viewed and shared by users that have been granted access to the information.
Passwords alone are a notoriously weak form of security. Unsigned network traffic is susceptible to replay attacks in which an intruder intercepts the authentication attempt and the issuance of a ticket. The intruder can reuse the ticket to impersonate the legitimate user. Additionally, unsigned network traffic is susceptible to man‐in‐the‐middle attacks in which an intruder captures packets between the client and the server, changes the packets, and then forwards them to the server. If this occurs on an LDAP server, an attacker can cause a server to make decisions that are based on forged requests from the LDAP client.
Implementing two‐factor authentication using Active Directory
Active Directory can be used to store client certificates, which can then be used to set up two-factor authentication for SharePoint and other Windows products. When a user tries to access a SharePoint site, the server asks the user to provide a certificate for authentication. The provided certificate is then cross-referenced with the certificate stored for that user in Active Directory. If the two match, the user is allowed through to the login screen.
Using client certificates for two-factor authentication

Importing your certificates into Active Directory is an easy process if you have an ePKI account through GlobalSign. You can create custom templates to export into an LDIF file. The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing LDAP (Lightweight Directory Access Protocol) directory content and update requests. In other words, it is the standard file format for importing and exporting Active Directory objects.

[Figure: "Using GlobalSign EnterprisePKI to issue, manage, and implement ..." with Active Directory and LDIF labels]

The LDAP Data Interchange Format (LDIF) is an Internet draft standard for a file format that can be used for performing batch operations on directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as Add, Modify, and Delete to be performed in Active Directory. A utility called LDIFDE is included in the Windows 2000 – 2008 R2 operating systems to support batch operations based on the LDIF standard.

It is possible to map (or create an association from) a certificate that has been issued to a user to the user's account. A server application can then use public key cryptography to authenticate the user using this certificate. If the user is authenticated, then the user's account is logged on. The end result is the same as if the user provided a user ID and password, yet the process is much more manageable.

Using the LDIFDE utility

Using the LDIFDE command in the Windows command prompt, you can import an LDIF file into Active Directory. This can be used to add/subtract users, amend current data, etc.
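The LDIF round trip described above (a record that maps a certificate to a user account, written so that LDIFDE can import it), as an added example that is not code from the GlobalSign guide, from Microsoft, or from LDIFDE. It assumes the mapping is stored in the `altSecurityIdentities` attribute in Windows' `X509:<I>issuer<S>subject` form (the attribute Windows uses for explicit certificate-to-account mapping; the guide itself does not name it) and that the DER-encoded certificate goes into `userCertificate`. The user DN, issuer, subject and certificate bytes are constructed sample values; the certificate bytes are a placeholder, not a real certificate. The encoding rules shown, `::` base64 for any value that is not an RFC 2849 safe string and folding at 76 columns with a single leading space on continuation lines, are what LDIF importers such as LDIFDE expect for binary attributes.

```python
"""Write and read LDIF (RFC 2849) change records that map a certificate to an
Active Directory account. Added example; not code from the GlobalSign guide,
from Microsoft, or from LDIFDE."""
import base64

LINE_WIDTH = 76  # RFC 2849: fold lines longer than 76 characters

# Constructed sample values; the certificate bytes are a placeholder, not a real DER certificate.
SAMPLE_USER_DN = "CN=Jane Doe,CN=Users,DC=example,DC=com"
SAMPLE_ISSUER = "DC=com,DC=example,CN=Example Issuing CA"   # DC components first, as Windows writes them
SAMPLE_SUBJECT = "DC=com,DC=example,CN=Users,CN=Jane Doe"
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def is_safe_string(value: bytes) -> bool:
    """RFC 2849 SAFE-STRING: ASCII without NUL/CR/LF, not starting with space, ':' or '<'."""
    if not value:
        return True
    if value[0] in b" :<":
        return False
    return all(b < 128 and b not in (0, 10, 13) for b in value)


def fold(line: str) -> str:
    """Fold a long line; each continuation line starts with exactly one space."""
    if len(line) <= LINE_WIDTH:
        return line
    head, rest = line[:LINE_WIDTH], line[LINE_WIDTH:]
    step = LINE_WIDTH - 1
    return "\n".join([head] + [" " + rest[i:i + step] for i in range(0, len(rest), step)])


def attr_line(name: str, value) -> str:
    """Render 'name: value', or 'name:: base64' when the value is binary or otherwise unsafe."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    if is_safe_string(raw):
        return fold(f"{name}: {raw.decode('ascii')}")
    return fold(f"{name}:: {base64.b64encode(raw).decode('ascii')}")


def mapping_value(issuer_dn: str, subject_dn: str) -> str:
    """Windows explicit certificate-mapping string for altSecurityIdentities (assumed format)."""
    return f"X509:<I>{issuer_dn}<S>{subject_dn}"


def certificate_mapping_ldif(user_dn: str, issuer_dn: str, subject_dn: str, der_cert: bytes) -> str:
    """One 'changetype: modify' record adding the mapping and the DER certificate to the user."""
    lines = [
        attr_line("dn", user_dn),
        "changetype: modify",
        "add: altSecurityIdentities",
        attr_line("altSecurityIdentities", mapping_value(issuer_dn, subject_dn)),
        "-",
        "add: userCertificate",
        attr_line("userCertificate", der_cert),
        "-",
    ]
    return "\n".join(lines) + "\n"


def parse_ldif(text: str) -> list:
    """Parse LDIF into records (dict: attribute -> list of bytes values).
    Unfolds continuation lines and decodes '::' base64 values; change-record
    control lines (changetype, add/replace/delete) are kept as ordinary
    attributes and the '-' separator is skipped."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation: drop the leading space and join
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded:
        if not line or line.startswith("#"):  # blank line ends a record; '#' is a comment
            if current:
                records.append(current)
                current = {}
            continue
        if line == "-":
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.lstrip(" ").encode("utf-8")
        current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records


if __name__ == "__main__":
    ldif = certificate_mapping_ldif(SAMPLE_USER_DN, SAMPLE_ISSUER, SAMPLE_SUBJECT, SAMPLE_DER)
    print(ldif)  # save as mapping.ldf and import with: ldifde -i -f mapping.ldf
    assert parse_ldif(ldif)[0]["userCertificate"] == [SAMPLE_DER]
```

Save the printed record as a `.ldf` file and import it with `ldifde -i -f mapping.ldf` (`-i` selects import mode, `-f` names the file). Note that the mapping string lists the issuer and subject DN components starting from the domain components (`DC=...`), the reverse of the order printed on the certificate itself, which is the form Windows expects in `altSecurityIdentities`; a mapping whose DN strings do not match the stored form exactly will simply never match the presented certificate.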
Traditionally, computer systems have used a centralized accounts database to manage users, their user rights, and their access controls. This technique has worked well and is well understood. However, as systems become more and more distributed, with hundreds of thousands to millions of users, this form of centralized control becomes unwieldy. The problems range from trying to verify an account against a database located on the other side of the Internet to administering a lengthy list of users. Public key certificates can help simplify these problems. Certificates can be widely distributed, issued by numerous parties, and can be verified by simply examining the certificate, without having to refer to a centralized database. However, existing operating systems and administration tools can only deal with accounts, not certificates. The simple solution, one that maintains the advantages of both certificates and user accounts, is to create a mapping between a certificate and a user account. This allows the operating system to continue using accounts while the larger "system" and the user use certificates.
In this model, when a user presents a certificate, the system looks at the mapping to determine which user account should be logged on. (Note that this should not be confused with logging on with a smart card. Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition support logging on with a smart card using account mapping that is automatic.)