DIGIPASS Authentication for
Microsoft ISA 2006 Single Sign-On for Sharepoint 2007
With IDENTIKEY Server / Axsguard IDENTIFIER
Integration Guidelines
Disclaimer
Disclaimer of Warranties and Limitations of Liabilities
This Report is provided on an 'as is' basis, without any other warranties, or conditions.
No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of VASCO Data Security.
Trademarks
DIGIPASS, IDENTIKEY, IDENTIFIER & AXSGUARD are registered trademarks of
VASCO Data Security. All trademarks or trade names are the property of their
respective owners. VASCO reserves the right to make changes to specifications at any
time and without notice. The information furnished by VASCO in this document is
believed to be accurate and reliable. However, VASCO may not be held liable for its
use, nor for infringement of patents or other rights of third parties resulting from its
use.
Copyright
2010 VASCO Data Security. All rights reserved.
Table of Contents
DIGIPASS Authentication for Microsoft ISA 2006 ........................................... 1
Disclaimer ...................................................................................................... 2
Table of Contents............................................................................................ 3
1 Reader ...................................................................................................... 5
2 Overview ................................................................................................... 5
3 Problem Description .................................................................................. 5
4 Solution .................................................................................................... 5
5 Technical Concept ..................................................................................... 7
5.1 General overview .................................................................................. 7
5.2 Microsoft Active Directory prerequisites .................................................... 7
5.3 Microsoft ISA server 2006 prerequisites ................................................... 7
5.4 Microsoft Sharepoint 2007 prerequisites ................................................... 7
5.5 IDENTIKEY Server Prerequisites .............................................................. 7
6 Active Directory Settings .......................................................................... 8
6.1 Domain functional level .......................................................................... 8
6.2 Constrained Delegation .........................................................................10
7 Sharepoint 2007 Settings ........................................................................ 13
7.1 Create Web Application .........................................................................13
7.2 Create Site Collection ............................................................................17
7.3 Create Alternate Access Mappings ..........................................................20
8 Microsoft IIS Settings ............................................................................. 23
8.1 SSL Server Certificate ...........................................................................23
9 Microsoft ISA 2006 Settings .................................................................... 28
9.1 Certificate settings ...............................................................................28
9.1.1 Importing root certificate ................................................................28
9.1.2 Requesting Web Server certificate ....................................................34
9.2 Publishing Sharepoint ...........................................................................39
9.3 RADIUS settings ...................................................................................49
10 IDENTIKEY Server ................................................................................ 53
10.1 Policy configuration ..............................................................................53
10.2 Client configuration ..............................................................................56
11 Test Sharepoint logon .......................................................................... 58
12 About VASCO Data Security .................................................................. 59
1 Reader
This document is a guideline for configuring the partner product with IDENTIKEY
SERVER or Axsguard IDENTIFIER. For details about the setup and configuration of
IDENTIKEY SERVER and Axsguard IDENTIFIER, we refer to the installation and
administration manuals of these products. Axsguard IDENTIFIER is the appliance-based
solution, running IDENTIKEY SERVER by default.
Within this document, VASCO Data Security provides the reader with guidelines for
configuring the partner product in this specific configuration in combination with
VASCO Server and Digipass. Any change in the concept might require a change in the
configuration of the VASCO Server products.
The product name IDENTIKEY SERVER will be used throughout the document, keeping
in mind that this document applies to the Axsguard IDENTIFIER as well.
2 Overview
The purpose of this document is to demonstrate how to configure IDENTIKEY SERVER
to work with Microsoft ISA server (ISA) to perform Single Sign On (SSO) to a
Sharepoint portal with a One Time Password (OTP).
3 Problem Description
When a DIGIPASS is used to authenticate to the ISA Server, the OTP is checked by
VACMAN Middleware. If another website behind the ISA firewall also requires
authentication and a single sign-on scheme is wanted, ISA would send the same
username and OTP on to that site. Because that OTP would then be validated a second
time, IDENTIKEY SERVER would report a code replay and access would be rejected.
A workaround would be to enter the regular username and password, or at least a
second OTP, for the back-end site; the user would then have to authenticate twice,
once on the ISA server and once for the Sharepoint portal, which is less convenient
for the user.
4 Solution
In ISA Server 2006 it is possible to authenticate to the Sharepoint web site using
Kerberos constrained delegation. This means that, after a successful authentication
against VACMAN Middleware, the ISA server obtains a Kerberos ticket for the user from
the domain controller. With this ticket the user is able to perform an integrated
authentication on the Sharepoint web site, without having to authenticate a second time.
After configuring the IDENTIKEY SERVER, the ISA server and the Active Directory in
the right way, you eliminate the weakest link in any security infrastructure – the use
of static passwords – that are easily stolen, guessed, reused or shared.
Figure 1: Solution (diagram; the lab topology it shows is summarized here)
- Client: IP 192.168.1.10, on the external network 192.168.1.0/24
- Microsoft ISA Server 2006: IP int 10.10.0.100, IP ext 192.168.1.20; Sharepoint published as https://sharepoint.labs.vasco.com
- IDENTIKEY Server: IP 10.0.10.20, RADIUS port 1812 (RADIUS authentication from the ISA server)
- Domain Controller (dc.labs.vasco.com): IP 10.0.10.10, CA: dc.labs.vasco.jsm (issues the Kerberos ticket to the ISA server)
- Sharepoint 2007: IP 10.0.10.10, on the internal network 10.0.10.0/24; published internally as https://sharepoint (back-end Kerberos authentication with the ticket)
5 Technical Concept
5.1 General overview
The main goal of the ISA server is to perform authentication in a secure way to gain
access to the Sharepoint portal. As the ISA server can do authentication to an external
service with RADIUS, we will place the IDENTIKEY SERVER in the middle of this
process to secure the authentication with our proven VACMAN Middleware software.
5.2 Microsoft Active Directory prerequisites
Important Notice: To make use of Kerberos constrained delegation, the domain functional
level must be “Windows Server 2003”. If older domain controllers (2000, NT4 …) are
still deployed in your domain, raising the domain functional level is not possible. By
default a Windows Server 2003 domain is at the “Windows 2000 mixed” functional level
and will have to be raised.
If you want to make use of HTTPS/SSL connections, you need a root CA to be installed
for your domain.
5.3 Microsoft ISA server 2006 prerequisites
Please make sure you have a working setup of the ISA server. It is very important this
is working correctly before you start implementing the authentication to the VACMAN
Middleware and make a rule to publish a Sharepoint portal.
5.4 Microsoft Sharepoint 2007 prerequisites
We assume you have MS Office Sharepoint Server 2007 installed. Configuration for a
new site will be shown in this guide.
5.5 IDENTIKEY Server Prerequisites
In this guide we assume you already have IDENTIKEY Server installed and working. If
this is not the case, make sure you get it working before installing any other features.
6 Active Directory Settings
The domain functional level must be raised to be able to use the advanced constrained
delegation features in the Active Directory. Windows 2003 server will be installed
standard in “Windows 2000 mixed” mode. The advanced features are only available
when your active directory level is “Windows Server 2003” mode.
Constrained delegation is a ticketing system relying on Kerberos. Any computer in a
domain, that is trusted to request tickets, can request a ticket for a certain user. With
this ticket the user is able to authenticate himself when authentication is demanded,
instead of supplying his credentials again.
6.1 Domain functional level
Important Notice: Before continuing, please be aware of the consequences of raising
your domain functional level. If any older domain controllers (2000, NT4, …) are active
in your network, do not raise the functional level. As raising the functional level is
required to use Kerberos constrained delegation, you will then not be able to complete
this integration guide.
On the domain controller, open the Active Directory Users and Computers
administrative tool. Right-click your top domain and select Raise Domain Functional
Level….
Figure 2: Domain functional level (1)
Choose Windows Server 2003 in the select box and click Raise.
Figure 3: Domain functional level (2)
You get a notice that once you have raised the domain functional level, you cannot
reverse this action, and that it is raised domain wide. Click OK to continue.
Figure 4: Domain functional level (3)
You will receive a confirmation message when the domain level was raised successfully.
Click OK to finish.
Figure 5: Domain functional level (4)
6.2 Constrained Delegation
Next, in the same window, go to the folder Computers and select the computer
containing the ISA server. Right-click the server name and select Properties.
Figure 6: Constrained Delegation (1)
Go to the Delegation tab. This tab is only shown when your domain functional level is
“Windows Server 2003”. Select the option Trust this computer for delegation to
specified services only, and beneath this option select Use any authentication
protocol. The Add… button then becomes available; click it.
Figure 7: Constrained Delegation (2)
Click the Users or Computers… button to select the computer we want to delegate
to.
Figure 8: Constrained Delegation (3)
Search or select the computer where the Sharepoint portal is located. Click OK to
continue.
Figure 9: Constrained Delegation (4)
When you selected the computer to delegate to, you have to choose the service type.
The authentication comes from and goes to a web service, so find http in the list and
click OK.
Figure 10: Constrained Delegation (5)
The next screen shows you an overview of the delegation settings. This screen is
actually saying: We give the computer where ISA is installed the authority to delegate
an http authentication to the chosen computer. Click OK to finish.
In our setup the ISA server is installed on a computer named: MEMBER.
Figure 11: Constrained Delegation (6)
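The Active Directory steps of sections 6.1 and 6.2, done as a script instead of through the GUI, as an added example that is not part of the VASCO guide. It reads the domain functional level (the value the guide raises in 6.1), sets constrained delegation with "Use any authentication protocol" on the ISA computer account, and finishes with an audit listing that shows which accounts in the domain hold delegation rights. Assumptions: PowerShell on a domain member with rights to modify computer objects, the lab names from the guide (ISA server MEMBER, Sharepoint host dc.labs.vasco.com), and setspn from the Windows Support Tools for the final check.

```powershell
# Added example, not from the VASCO guide: sections 6.1/6.2 via ADSI plus a delegation audit.
# Assumptions: run as a domain admin on a domain member; lab names taken from the guide.

# userAccountControl flags (documented values)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: not what we want
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

function Get-DomainFunctionalLevel {
    # msDS-Behavior-Version on the domain head: 0 = Windows 2000, 2 = Windows Server 2003.
    # Reading it is harmless; raising it is the irreversible GUI step of section 6.1.
    $rootDse = [ADSI]"LDAP://RootDSE"
    $domain  = [ADSI]("LDAP://" + $rootDse.Properties["defaultNamingContext"].Value)
    return [int]$domain.Properties["msDS-Behavior-Version"].Value
}

function Find-ComputerAccount {
    param([string]$Name)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$Name`$))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer account '$Name' not found in the domain" }
    return $result.GetDirectoryEntry()
}

function Set-ConstrainedDelegation {
    param([string]$DelegatingComputer, [string[]]$TargetSpns)
    $entry = Find-ComputerAccount -Name $DelegatingComputer

    # "Trust this computer for delegation to specified services only": the allowed targets
    # live in msDS-AllowedToDelegateTo and are replaced as a whole.
    $entry.Properties["msDS-AllowedToDelegateTo"].Clear()
    foreach ($spn in $TargetSpns) { [void]$entry.Properties["msDS-AllowedToDelegateTo"].Add($spn) }

    # "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION; make sure the far
    # broader TRUSTED_FOR_DELEGATION (delegate to any service) is not left on by accident.
    $uac = [int]$entry.Properties["userAccountControl"].Value
    $uac = ($uac -bor $TRUSTED_TO_AUTH_FOR_DELEGATION) -band (-bnot $TRUSTED_FOR_DELEGATION)
    $entry.Properties["userAccountControl"].Value = $uac
    $entry.CommitChanges()
}

function Get-DelegationAudit {
    # Every account that may delegate: after this guide the ISA server should be the only
    # new entry, and nothing should carry unconstrained delegation (0x80000 = 524288).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(|(msDS-AllowedToDelegateTo=*)(userAccountControl:1.2.840.113556.1.4.803:=524288))"
    [void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "userAccountControl", "msDS-AllowedToDelegateTo"))
    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties["useraccountcontrol"][0]
        New-Object PSObject -Property @{
            Account        = $r.Properties["samaccountname"][0]
            Unconstrained  = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
            AnyProtocol    = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            AllowedTargets = @($r.Properties["msds-allowedtodelegateto"]) -join "; "
        }
    }
}

# --- lab run with the guide's values ---
$level = Get-DomainFunctionalLevel
if ($level -lt 2) { throw "Domain functional level is $level; Windows Server 2003 (2) is required (section 6.1)" }

# The GUI adds both the FQDN and the short-name form of the http SPN
Set-ConstrainedDelegation -DelegatingComputer "MEMBER" -TargetSpns @("http/dc.labs.vasco.com", "http/dc")
Get-DelegationAudit | Format-Table Account, Unconstrained, AnyProtocol, AllowedTargets -AutoSize

# The target SPNs must resolve on the Sharepoint host's account (HOST/... covers http by default).
# setspn is assumed to be installed (Windows Support Tools on Windows Server 2003).
setspn -L dc
```

The audit is the part worth keeping after the rollout: "Use any authentication protocol" lets the ISA computer account obtain service tickets for any domain user without that user's password, so that account, and any other account the listing shows with the same flag, deserves the same protection and monitoring as a domain controller.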
7 Sharepoint 2007 Settings
To create a new Sharepoint portal we will have to create a web application that
contains the required IIS settings and add some content to this web application.
Additionally we must make sure the URL external users type in is also known in
Sharepoint (the published URL, used by external users passing the ISA server).
7.1 Create Web Application
First thing to do in Sharepoint is to create a web application. In the Application
Management tab select Create or extend Web application.
Figure 12: Create Web Application (1)
Then choose to Create a new Web application.
Figure 13: Create Web Application (2)
The next four figures (14 to 17) show how the settings on this page should be set.
We only mention the fields which require changes; the other fields are filled in
automatically or are optional.
IIS Web Site
- Port: 443 (for standard SSL connections)
- Host header: sharepoint
Figure 14: Create Web Application (3)
Security Configuration
- Authentication provider: Negotiate (Kerberos)
- Allow Anonymous: No
- Use Secure Sockets Layer: Yes
Figure 15: Create Web Application (4)
Load Balanced URL: Leave all default settings
Application Pool: Create new application pool
- Predefined: Network Service
Figure 16: Create Web Application (5)
Database Name and Authentication: Leave all default settings
If all the settings are filled in, by you or automatically, click the OK button.
Figure 17: Create Web Application (6)
You will receive an alert message stating that you selected Kerberos and this needs
manual configuration steps. As we did this already, click OK.
Figure 18: Create Web Application (7)
When everything is created on the back-end, you will get a confirmation page stating
the application was successfully created. You will see in the text we need to restart the
IIS so all changes will be activated.
On the Sharepoint server, run the command “iisreset /noforce” and make sure all
websites are up and running before you continue.
Figure 19: Create Web Application (8)
7.2 Create Site Collection
Now it’s time we add some content to this web application. In the Application
Management tab select Create site collection.
Figure 20: Create Site Collection (1)
The next 4 figures (21 to 24) will show you how the site collection settings are set.
First make sure you have the right Web application selected in the list. If this is not
correct click the Change Web Application option.
Figure 21: Create Site Collection (2)
In the newly opened window click on the web application you want to create some
content for.
Figure 22: Create Site Collection (3)
Now the correct web application will be shown in the list. Enter a Title and
Description for your site collection and choose the web site address under which
your site collection will be reachable.
A template guide will help you to select the best layout for your site collection.
Choose one from the list.
Figure 23: Create Site Collection (5)
Enter a username as primary and/or secondary site collection administrator
and click the “check name”-button behind the input field to lookup this name in your
AD. When the name was found, it will be underlined.
You could also browse for users; then you would have to click the “address book”
button behind the input field.
When all settings are made click the OK button to start generating this site content in
your web application.
Figure 24: Create Site Collection (10)
When the site collection is successfully created, you will receive a confirmation page.
Click OK to get back to the main screen.
Figure 25: Create Site Collection (11)
7.3 Create Alternate Access Mappings
We now have a working Sharepoint web site for internal use, accessible through
https://sharepoint. But users will access this portal page through the ISA server
connecting to the address http://sharepoint.labs.vasco.com. The content on our site
will have to be adapted to this kind of connection.
To solve this problem, Sharepoint provides alternate access mappings. We will have to
add the external address to our configuration.
Go to the Operations tab and choose Alternate access mappings.
Figure 26: Create Alternate Access Mapping (1)
Click on the Add Internal URLs link on top of the page.
Figure 27: Create Alternate Access Mapping (2)
Select the correct mapping collection by selecting the Change Alternate Access
Mapping Collection link and selecting your correct site collection in the list.
Figure 28: Create Alternate Access Mapping (3)
Now the correct collection will be shown and an alternate mapping can be added.
Type in the external address to which users connect for the Sharepoint site, this
value is also present on the ISA server. In the “Add Internal URL” list, select the
Internet option. Click Save to continue.
Figure 29: Create Alternate Access Mapping (4)
Now you will see both URLs in the list. One for internal use, the other one for external
usage.
Figure 30: Create Alternate Access Mapping (5)
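The same alternate access mapping, created and then verified with stsadm (the Sharepoint 2007 command-line tool) instead of the Central Administration pages, as an added example that is not part of the guide. It assumes the lab values used above (internal URL https://sharepoint, public URL https://sharepoint.labs.vasco.com), that it runs on the Sharepoint server as a farm administrator, and that stsadm.exe sits in its default location under the 12 hive.

```powershell
# Added example, not from the VASCO guide: section 7.3 with stsadm so it can be scripted and checked.
# Assumed lab values from the guide; run on the Sharepoint server as a farm administrator.
$stsadm      = Join-Path $env:CommonProgramFiles "Microsoft Shared\web server extensions\12\BIN\stsadm.exe"
$internalUrl = "https://sharepoint"                   # Default zone, what internal users type
$publicUrl   = "https://sharepoint.labs.vasco.com"    # Internet zone, what external users type via ISA

function Add-PublishedUrlMapping {
    param([string]$InternalUrl, [string]$IncomingUrl)
    # Map the URL external users type (through ISA) onto the Internet zone of the web application.
    # Without it Sharepoint answers external requests with links built from the internal name.
    & $stsadm -o addalternatedomain -url $InternalUrl -incomingurl $IncomingUrl -urlzone Internet
    if ($LASTEXITCODE -ne 0) { throw "stsadm addalternatedomain failed with exit code $LASTEXITCODE" }
}

function Test-PublishedUrlMapping {
    param([string]$InternalUrl, [string]$IncomingUrl)
    # enumalternatedomains lists the mapping collection; confirm the public URL is really present
    $listing = & $stsadm -o enumalternatedomains -url $InternalUrl | Out-String
    return [bool]($listing -match [regex]::Escape($IncomingUrl))
}

if (-not (Test-Path $stsadm)) { throw "stsadm.exe not found at $stsadm" }
Add-PublishedUrlMapping -InternalUrl $internalUrl -IncomingUrl $publicUrl
if (-not (Test-PublishedUrlMapping -InternalUrl $internalUrl -IncomingUrl $publicUrl)) {
    throw "Alternate access mapping for $publicUrl was not created"
}
"Mapping present: $internalUrl (Default) <- $publicUrl (Internet)"
```

Keeping the mapping exact matters beyond convenience: if the public name is missing or misspelled, pages served to external users carry absolute links to the internal host name, which both breaks navigation through ISA and discloses the internal name to the outside.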
8 Microsoft IIS Settings
8.1 SSL Server Certificate
Open the Internet Information Services (IIS) Manager administrative tool on the
Sharepoint server. Right-click on the web site under which your Sharepoint web
application is published and click Properties.
Figure 31: SSL Server Certificate (1)
Go to the Directory Security tab and click the Server Certificate… button. This will
start a wizard for creating a web server certificate.
Figure 32: SSL Server Certificate (2)
Click Next to continue.
Figure 33: SSL Server Certificate (3)
Select the Create a new certificate option and click Next.
Figure 34: SSL Server Certificate (4)
If you use a personal root CA, you can choose to directly request the certificate at
your CA. If you want to make use of a commercial root CA, you can prepare the
request and send it later.
The advice is to use an internal SSL certificate for the connection between the ISA
server and the Sharepoint server (this wizard). For the connection from the client to
the ISA server you may use an external/commercial SSL certificate if you find this
more suitable. We will come back to this issue later on.
For our example we just use the “dc” computer as root CA for the whole setup.
Select Send the request immediately to an online certification authority and
click Next.
Figure 35: SSL Server Certificate (5)
Give your certificate a meaningful Name and click Next to continue.
Figure 36: SSL Server Certificate (6)
Fill in your organization and organizational unit name. Click Next to advance.
Figure 37: SSL Server Certificate (7)
Next, fill in the name of the Sharepoint server. This has to be the name internal users
use to connect to the Sharepoint portal.
Figure 38: SSL Server Certificate (8)
Select your country in the list, fill in your state/province and city/locality. Click
Next to continue.
Figure 39: SSL Server Certificate (9)
By default the SSL port is filled in with port 443. Unless you chose another port during
the Web Application setup, leave it at the default value.
Figure 40: SSL Server Certificate (10)
If your CA is setup correctly, it will show up in the list. Select your CA and click Next.
If the CA does not show up, go back and choose to prepare the request now and send
it later.
Figure 41: SSL Server Certificate (11)
The next screen shows you an overview of the settings for this certificate, make sure
everything is correct. Click Next to continue, otherwise click Back to make some
changes.
Figure 42: SSL Server Certificate (12)
The certificate is now created; click Finish to close the wizard.
Figure 43: SSL Server Certificate (13)
We now have enabled our Sharepoint web application with an SSL certificate.
DIGIPASS Authentication for F5 FirePass - Integration Guideline V1.0
2010 VASCO Data Security. All rights reserved. Page 28 of 59
9 Microsoft ISA 2006 Settings
9.1 Certificate settings
9.1.1 Importing root certificate
When using a personal root CA to create an SSL certificate for the connection between
the ISA server and the Sharepoint web site, we have to add the certificate publisher to
the Trusted Root Certification Authorities of the local computer account. This is
a list of all certificate publishers that are trusted by Microsoft. When we use a
certificate that was created by a personal root CA, we have to add this CA to the
trusted list.
When you have your personal root CA installed, you will find the root certificate on the
designated server under the C:\ root. This is normally named like this:
C:\COMPUTERNAME.domain.extension_friendly-name.crt
In our example this would make:
C:\dc.labs.vasco.com_VASCO Labs CA.crt
Copy this file to the C:\ root of the ISA server.
Figure 44: Importing root certificate (1)
Open the Microsoft Management Console (MMC). Select Add\Remove Snap-in…
from the File menu.
Figure 45: Importing root certificate (2)
Click the Add… button to select what kind of snap-in you would like to add.
Figure 46: Importing root certificate (3)
Select Certificates from the list and click Add.
Figure 47: Importing root certificate (4)
Select the Computer account. Click Next to continue.
Figure 48: Importing root certificate (5)
Choose the accounts of the Local computer (the computer the console is running
on). Click Finish to end the wizard.
Figure 49: Importing root certificate (6)
As you are able to add more snap-ins at the same time, click Close when the
certificate wizard has finished.
In the local computer's certificates window, right-click Trusted Root Certification
Authorities and select Import… from the All Tasks menu.
Figure 50: Importing root certificate (7)
Click Browse to select the root certificate you copied earlier in the C:\ root.
Afterwards click Next to continue.
Figure 51: Importing root certificate (8)
Figure 52: Importing root certificate (9)
By default, the option Place all certificates in the following store is selected and has
the right Certificate store. If not, select it and choose Trusted Root
Certification Authorities.
Figure 53: Importing root certificate (10)
The next screen will show an overview of the actions. Review them and click Finish to
import the certificate.
Figure 54: Importing root certificate (11)
You will receive a message stating that the import was successful. Click OK to finish.
Figure 55: Importing root certificate (12)
You will now find your own root CA in the list of trusted root certification authorities.
You can leave this console MMC window open for later use.
9.1.2 Requesting Web Server certificate
What we did before was create an SSL certificate that protects the connection inside
the internal network. The next step is to secure the connection from the client to the
ISA server. Making every client import your own root certificate so that it trusts the
SSL web certificate would be a lot of work; Windows already ships with a list of trusted
root authorities, so you can buy a commercial SSL certificate from a company on that
list, which every Windows client then trusts.
Instead of using a commercial SSL certificate you can still use an SSL certificate from
your personal root CA. It is easily done by using the Microsoft Certificate Services web
site that is installed on your root CA.
Go to the address: http://rootCA_computername/certsrv
In our example this is: http://dc/certsrv
Figure 56: Requesting Web Server certificate (1)
Click the advanced certificate request link.
Figure 57: Requesting Web Server certificate (2)
Choose to Create and submit a request to this CA.
Figure 58: Requesting Web Server certificate (3)
In the Certificate template list, select the Web Server certificate. Fill in all fields of
the Identifying Information For Office Template block.
Note: the Name field has to be the URL external users will type in to go to the
Sharepoint portal. Otherwise most browsers show an alert that the certificate name
does not match the URL entered in the location field.
Figure 59: Requesting Web Server certificate (4)
Check Store certificate in the local computer certificate store and click Submit
to continue.
Figure 60: Requesting Web Server certificate (5)
Now you will be able to directly install the requested certificate by clicking the Install
this certificate link.
Figure 61: Requesting Web Server certificate (6)
You will receive a security notification stating that trusting certificates from unknown
sources could be dangerous. As we know where the certificate is coming from, it is
safe to click Yes and continue.
Figure 62: Requesting Web Server certificate (7)
The web site now tells you the certificate is successfully installed. You can now close
the browser window.
Figure 63: Requesting Web Server certificate (8)
In the certificate MMC window you can now find your newly created SSL certificate.
Under the Personal folder of the local computer account you will find it.
Figure 64: Requesting Web Server certificate (9)
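The certificate work of sections 9.1.1 and 9.1.2 has two checks worth automating on the ISA server, shown here as an added example that is not part of the guide: a root CA is only imported into Trusted Root Certification Authorities after its thumbprint has been compared with a value read from the CA itself (a root added by mistake is trusted by every TLS check on the machine), and the web server certificate is then looked up in the local computer's Personal store to confirm it carries the public name, chains to that root, has its private key and is not about to expire. Assumptions: the file path from the guide's lab, a placeholder thumbprint you replace with the real one, and the public name sharepoint.labs.vasco.com.

```powershell
# Added example, not from the VASCO guide: pinned root import (9.1.1) and web server
# certificate verification (9.1.2) on the ISA server. Run in an elevated PowerShell.
$rootCaFile         = "C:\dc.labs.vasco.com_VASCO Labs CA.crt"      # copied from the CA, as in the guide
$expectedThumbprint = "<THUMBPRINT-OF-THE-LAB-ROOT-CA>"             # placeholder: read it on the CA console
$publicName         = "sharepoint.labs.vasco.com"                    # the URL external users type

function Import-PinnedRootCa {
    param([string]$Path, [string]$ExpectedThumbprint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # Anything placed in LocalMachine\Root is trusted machine-wide: refuse an unexpected file.
    $pinned = $ExpectedThumbprint.Replace(" ", "").ToUpper()
    if ($cert.Thumbprint -ne $pinned) {
        throw "Refusing to trust $Path : thumbprint $($cert.Thumbprint) does not match the pinned value"
    }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
    $store.Open("ReadWrite")
    $store.Add($cert)
    $store.Close()
    return $cert.Thumbprint
}

function Test-WebServerCertificate {
    param([string]$DnsName, [int]$MinDaysValid = 30)
    # The request of 9.1.2 stored the certificate in the local computer's Personal store (My)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "LocalMachine")
    $store.Open("ReadOnly")
    $cert = $store.Certificates |
        Where-Object { $_.GetNameInfo("DnsName", $false) -eq $DnsName } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $store.Close()
    if (-not $cert) { return @{ Found = $false; Name = $DnsName } }

    # Build the chain with the roots now in the store; the lab CA has no reachable CRL, so
    # revocation is skipped here. Keep revocation checking on for a commercial certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = "NoCheck"
    $chainOk = $chain.Build($cert)
    return @{
        Found         = $true
        Name          = $DnsName
        Thumbprint    = $cert.Thumbprint
        ChainValid    = $chainOk
        ChainStatus   = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ",")
        HasPrivateKey = $cert.HasPrivateKey      # the listener cannot terminate SSL without it
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Usable        = ($chainOk -and $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date).AddDays($MinDaysValid))
    }
}

# --- lab run ---
Import-PinnedRootCa -Path $rootCaFile -ExpectedThumbprint $expectedThumbprint
$check = Test-WebServerCertificate -DnsName $publicName
$check.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
if (-not $check.Usable) { throw "Web server certificate for $publicName is not usable for the ISA listener" }
```

The thumbprint comparison is the defender's counterpart to the "trusting certificates from unknown sources could be dangerous" prompt in the browser flow: the prompt asks you whether you recognise the source, while the pinned value makes the check reproducible and lets a second person confirm it.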
9.2 Publishing Sharepoint
To publish a Sharepoint web site through ISA, there is a wizard available on the ISA
server. Open the ISA administration tool and click on the firewall policy in the left
pane. Select Publish Sharepoint Sites from the Tasks tab in the right pane.
Figure 65: Publishing Sharepoint (1)
Type in a meaningful name for this policy and click Next.
Figure 66: Publishing Sharepoint (2)
Choose to publish a single web site or load balancer if you have a single
Sharepoint server or only one load balancing address. Choose the other option if you
have more than one web site or multiple load balancing addresses. Click Next to
continue.
Figure 67: Publishing Sharepoint (4)
Choose to make use of SSL to connect to the Sharepoint web site and click Next.
Figure 68: Publishing Sharepoint (5)
Type the Internal site name as the name of the internal Sharepoint web site. Click
Next.
Figure 69: Publishing Sharepoint (6)
ISA acts as a proxy server, so all connections for the internal network pass the ISA
server. To know when traffic is meant for the Sharepoint web site, we will only accept
requests for This domain name (type below). As public name you specify the
address the clients use to connect to the Sharepoint website.
Example: clients type https://sharepoint.labs.vasco.com in their browser, so our public
name would be sharepoint.labs.vasco.com.
Figure 70: Publishing Sharepoint (7)
You now have the ability to create a listener; the listener is what binds the policy to
a port. The ISA server listens like a regular web service on port 80 for HTTP or 443 for
HTTPS (SSL), depending on what you select in the following steps. Be aware that
listeners can be reused: different ISA policies can use the same listener, with the
traffic separated by domain name. You have to see the listener as separate from the ISA
policy. The creation of the listener is a new wizard; the policy wizard will continue
once the listener is created.
Click the New… button to create a new listener.
Figure 71: Publishing Sharepoint (8)
Fill in an appropriate name for the listener.
Figure 72: Publishing Sharepoint (9)
Here you can choose whether you want the listener to make use of HTTPS/SSL or
HTTP. We already created an SSL certificate so we will choose to require SSL
secured connections with clients.
Figure 73: Publishing Sharepoint (10)
We select to listen on all network ports; this enables users to access Sharepoint
through ISA internally as well.
Figure 74: Publishing Sharepoint (11)
The following three figures show you how to import the SSL certificate in the listener.
- Figure 75: Select the Use single certificate for this web listener option.
- Figure 76: Find the certificate in the list that was issued to the FQDN that users have to type in.
- Figure 77: The external name is shown in the text field. Click Next to continue.
Figure 75: Publishing Sharepoint (12)
Figure 76: Publishing Sharepoint (13)
Figure 77: Publishing Sharepoint (14)
Choose HTML Form Authentication as how clients will provide their credentials to
the ISA server. Select RADIUS OTP as the way ISA server will validate the
credentials.
Figure 78: Publishing Sharepoint (15)
If you want to publish more than one web site with the same listener (to be used in
other policies), you can enable the ISA Server SSO (Single Sign On) option, for sites
using the same domain. We are currently setting up a SSO solution between the ISA
Server, VACMAN Middleware and Sharepoint. The SSO option talked about in the next
screen is only used when more than one source is published. (Like Sharepoint, etc…)
You could use for example the SSO domain: *.labs.vasco.com and be able to single
sign on to mail.labs.vasco.ext and Sharepoint.labs.vasco.com, if you use the same
listener for both policies in the ISA server configuration.
In our example we chose not to enable the ISA server SSO option as we don’t need it
for this setup.
Figure 79: Publishing Sharepoint (16)
The next screens will show you an overview of the listener settings. If all settings are
shown as you wanted, click Finish, then click Next.
Figure 80: Publishing Sharepoint (17)
Figure 81: Publishing Sharepoint (18)
The listener is now configured, and the policy wizard will now continue automatically.
In the Authentication Delegation screen, select Kerberos constrained delegation as
the method used by the ISA server to authenticate to the published web server. In
other words, this is the way the ISA server will try to authenticate to the Sharepoint
web site.
The Service Principal Name is what was set up in chapter 5.2 Constrained Delegation. It
is written as service_name/FQDN_Sharepointserver.
In our example this would become: http/dc.labs.vasco.com
Figure 82: Publishing Sharepoint (19)
The next screen asks whether we have already set up Alternate Access Mappings (see
chapter 6.3 Create Alternate Access Mappings). As we already did this, choose that
option and click Next.
Figure 83: Publishing Sharepoint (20)
The User Sets screen is used to specify who can use this policy. As we only want
authenticated users to be redirected to the Sharepoint web site, we add All
Authenticated Users. Click Next to continue.
Figure 84: Publishing Sharepoint (21)
What will follow is an overview of the policy settings. Check all entries and make sure
they are correct. You can still use the Back button to make changes. If all settings
seem to be correct, click the Finish button.
Figure 85: Publishing Sharepoint (22)
After clicking Finish, you will receive a notification message stating that to use
Kerberos constrained delegation you must configure Active Directory to allow
delegation. As we already did this, you can click OK.
Figure 86: Publishing Sharepoint (23)
9.3 RADIUS settings
To set up the authentication to VACMAN Middleware, we still have to configure the
RADIUS settings in the ISA server. You can do this by going to the properties of the
Policy you just created.
Figure 87: RADIUS settings (1)
Then go to the Listener tab, and click the Properties… button.
Figure 88: RADIUS settings (2)
Go to the Authentication tab, and click on the Configure Validation Servers…
button.
Figure 89: RADIUS settings (3)
On the RADIUS Servers tab, click on the Add… button to add a new RADIUS server.
In the new window, provide the details of the VACMAN Middleware server. Server name
is the address of the server and can be a hostname or an IP address. The description
is optional. Use the Change… button to set the shared secret, and make sure the
Authentication port is the same as the one configured in VACMAN Middleware.
Figure 90: RADIUS settings (4)
Figure 91: RADIUS settings (5)
Still in the Listener properties (Figure 89), click the Advanced… button. Make sure to
select the option Require all users to authenticate. Click OK until you get back to
the main window.
Figure 92: RADIUS settings (6)
To save all changes, click the Apply button on top of the center window. This will write
all your changes and make them active on the current setup.
Figure 93: RADIUS settings (7)
You will receive a notification message stating that the changes to the configuration
were successfully applied.
Figure 94: RADIUS settings (8)
The configuration of the ISA server and of Active Directory is now complete. The only
thing left to configure is the VACMAN Middleware.
10 IDENTIKEY Server
Go to the IDENTIKEY Server web administration page, and authenticate with an
administrative account.
10.1 Policy configuration
To add a new policy, select Policies > Create.
Figure 95: Policy configuration (1)
There are some policies available by default. You can also create new policies to suit
your needs. Those can be independent policies or inherit their settings from default or
other policies.
Fill in a policy ID and description. Choose the option most suitable for your situation.
If you want the policy to inherit its settings from another policy, choose that policy in
the Inherits From list. Otherwise leave this field at None.
Figure 96: Policy configuration (2)
In the policy options, configure the policy to use the right back-end server. This could
be the local database, but also Active Directory or another RADIUS server.
This is probably the same back-end that was set in your default client authentication
options before you changed it: either the local database, Windows, or forwarding to
another RADIUS server.
In our example we select our newly made Demo Policy and change it like this:
Local auth.: Digipass/Password
Back-End Auth.: Default (None)
Back-End Protocol: Default (None)
Dynamic User Registration: Default (No)
Password Autolearn: Default (No)
Stored Password Proxy: Default (No)
Windows Group Check: Default (No Check)
After configuring this policy, authentication happens locally in the IDENTIKEY
Server: the user credentials are passed through to the IDENTIKEY Server, which checks
them against its local user database and answers the client with an
Access-Accept or Access-Reject message.
In the Policy tab, click the Edit button, and change the Local Authentication to
Digipass/Password.
Figure 97: Policy configuration (3)
The user details can keep their default settings.
Figure 98: Policy configuration (4)
10.2 Client configuration
Now create a new component by right-clicking Components and choosing New
Component.
Figure 99: Client configuration (1)
As component type, choose RADIUS Client. The location is the IP address of the
client (the ISA server). In the policy field you should find your newly created policy.
Fill in the same shared secret you entered in the RADIUS settings of the client. In our
example this was “vasco”. Click Create.
Figure 100: Client configuration (2)
Now the client and the IDENTIKEY Server are set up. We will now see if the
configuration is working.
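The RADIUS exchange that the ISA listener (RADIUS client, section 9.3) and the IDENTIKEY Server (RADIUS server, section 10.2) perform once both sides hold the same shared secret, as an added Python example that is not VASCO's or Microsoft's code: it builds an Access-Request with the User-Password hidden as RFC 2865 prescribes for PAP, simulates the server side recovering the OTP and answering Access-Accept or Access-Reject, and has the client verify the Response Authenticator before trusting the reply. The username, OTP and the shared secret "vasco" are sample values; a dictionary of expected OTPs stands in for the real DIGIPASS check, and the real ISA server sends the packet over UDP to the IDENTIKEY authentication port.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2  # RADIUS attribute types (RFC 2865)

def _attr(atype, value):  # type-length-value encoding of one attribute
    return struct.pack("!BB", atype, len(value) + 2) + value

def pap_crypt(data, secret, authenticator, decrypt=False):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out, prev = out + res, (block if decrypt else res)
    return out.rstrip(b"\x00") if decrypt else out

def build_access_request(ident, username, otp, secret, authenticator):
    # ISA side: NUL-pad the OTP to a 16-byte multiple, hide it, wrap it in a packet
    padded = otp.ljust(max(16, (len(otp) + 15) // 16 * 16), b"\x00")
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, pap_crypt(padded, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(body):
    attrs, i = {}, 0
    while i < len(body):
        attrs[body[i]] = body[i + 2:i + body[i + 1]]
        i += body[i + 1]
    return attrs

def server_respond(request, secret, expected_otps):
    # Simulated IDENTIKEY side; expected_otps stands in for the real DIGIPASS OTP check
    ident, length = request[1], struct.unpack("!H", request[2:4])[0]
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    otp = pap_crypt(attrs[USER_PASSWORD], secret, req_auth, decrypt=True)
    code = ACCESS_ACCEPT if expected_otps.get(attrs[USER_NAME]) == otp else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # reply carries no attributes
    return header + hashlib.md5(header + req_auth + secret).digest()  # Response Authenticator

def client_verify(response, req_auth, secret):
    # ISA side: a reply whose Response Authenticator does not match is discarded (None)
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + req_auth + body + secret).digest()
    return response[0] if resp_auth == expected else None

def authenticate(username, otp, expected_otps, secret=b"vasco"):
    # One full exchange in-process; the real ISA server sends the request over UDP
    req_auth = os.urandom(16)  # fresh Request Authenticator per request
    request = build_access_request(1, username, otp, secret, req_auth)
    return client_verify(server_respond(request, secret, expected_otps), req_auth, secret)
```

A mismatching shared secret on either side shows up here exactly as it does in the guide's setup: the server decrypts garbage and rejects, or the client cannot validate the reply at all.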
11 Test Sharepoint logon
Point your browser from an external client to the external address of the Sharepoint
portal, and fill in a username and a One Time Password (OTP).
In our example this is https://sharepoint.labs.vasco.com
Note: Make sure the username you are trying to log in with is known in VACMAN
Middleware (or that Dynamic User Recognition (DUR) is enabled) and has a DIGIPASS
assigned to it. Other kinds of self-registration methods can be found in the
VACMAN Middleware Administration Guide.
Figure 101: Test Sharepoint logon (1)
If everything goes well, you should see the Sharepoint team page, secured through
the ISA server and VACMAN Middleware.
Figure 102: Test Sharepoint logon (2)
12 About VASCO Data Security
VASCO designs, develops, markets and supports patented Strong User Authentication
products for e-Business and e-Commerce.
VASCO’s User Authentication software is carried by the end user on its DIGIPASS
products, which are small “calculator” hardware devices, or in a software format on
mobile phones, other portable devices, and PCs.
At the server side, VASCO’s VACMAN products guarantee that only the designated
DIGIPASS user gets access to the application.
VASCO’s target markets are the applications, and their several hundred million users,
that rely on fixed passwords for security.
VASCO’s time-based system generates a “one-time” password that changes with every
use, and is virtually impossible to hack or break.
VASCO designs, develops, markets and supports patented user authentication
products for the financial world, remote access, e-business and e-commerce. VASCO’s
user authentication software is delivered via its DIGIPASS hardware and software
security products. With over 25 million DIGIPASS products sold and delivered, VASCO
has established itself as a world-leader for strong User Authentication with over 500
international financial institutions and almost 3000 blue-chip corporations and
governments located in more than 100 countries.