TUT Integrating Access Manager into a Microsoft Environment November 2014

1 TUT Integrating Access Manager into a Microsoft Environment November 2014 #BrainShare #NetIQ7189

2 Session Agenda
- Integrating Access Manager with Active Directory Federation Services (ADFS)
  - ADFS Basics
  - Configuring a Test Application with an ADFS Service Provider
  - Configuring Access Manager as an Identity Provider
  - Common Issues
- Using Kerberos Authentication
  - Understanding Kerberos and SPNEGO
  - Configuration
  - Using eDirectory as the source of user attributes
  - Common Issues
  - Demo

3 Session Agenda
- SharePoint Integration Options
  - SharePoint Authentication Options
  - Access Gateway SSO Options
  - Federation SSO Options

4 Integrating Access Manager with ADFS

5 What is ADFS?
- Microsoft implementation of federated identity
- Supports SAML2, WS-*, and OAuth
- ADFS 3.0 included with Windows Server 2012 R2
- Version 3: installed as a server role in Windows Server 2012 R2
- Version 2: installed as a separate download for Windows Server 2008 R2

6 Federation Configuration
[Diagram labels: Windows Server; Sample App; WIF; Claims; ADFS; SAML 2.0; Access Manager Identity Server]

7 Lab Configuration
- A working Domain Controller
- A working ADFS member server (2012, 2012R2 or 2008R2)
- A working IIS member server (2012 or 2012R2)
- A client machine joined to the domain
It is possible to do all this on a single machine, but there are some issues to overcome. See

8 Install a Claims Aware App
- Sample Code
- Pre-built app
- WindowsIdentityFoundation-SDK-4.0.msi

9 Sample Application for Testing
1. Add a DNS record for your ADFS server: adfs1.pointbluetech.com
2. Download and install the Windows Identity Foundation SDK.
3. Create the Windows Identity Foundation sample app:
   - Open Windows Explorer, and navigate to C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\Samples\Quick Start\Using Managed STS.
   - Right-click setup.bat, and then click Run as administrator.

10 Sample Application for Testing - continued
1. Open the Internet Information Services (IIS) Manager console.
2. In the console tree, in the root node that contains the name of the computer, right-click Application Pools, and then click Add Application Pool.
3. In the Add Application Pool dialog box, in Name type WifSamples, and then click OK.
4. In IIS Manager, in the center pane, right-click the newly created WifSamples application pool, and then click Advanced Settings.
5. In the Advanced Settings dialog box, in the Process Model section, change the value for Load User Profile to True, and then click OK.
6. Close the IIS Manager console.

13 Sample Application for Testing - continued
If IIS, ADFS, and Active Directory are installed on the same system, make the following permissions adjustments:
- Application Pools running as Network Service
  - ADFSAppPool should already be Network Service
  - WifSamples will need to be changed
- Websites in IIS running as Domain\Administrator (or another username in the administrators group)

15 Configure the WIF sample application to trust incoming claims
1. Navigate to C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0, and run FedUtil.exe.
2. On the Welcome to the Federation Utility Wizard page, in Application Configuration, type ClaimsAwareWebAppWithManagedSTS/ to indicate the path to the sample application that will trust the incoming claims from the federation server. Click Next.
3. On the Welcome to the Federation Utility Wizard page, in Application URI, type to indicate the path to the sample application that will trust the incoming claims from the federation server. Click Next.
4. On the Security Token Service page, click Use an existing STS, type fsweb.<domain>.com, and then click Next.
5. On the STS signing certificate chain validation error page, click Disable certificate chain validation, and then click Next.
6. On the Security token encryption page, click No encryption, and then click Next.
7. On the Offered claims page, review the claims that will be offered by the federation server, and then click Next.
8. On the Summary page, review the changes that will be made to the sample application by the Federation Utility Wizard, and then click Finish.

19 Add the Sample Application as a Relying Party
1. In the AD FS Management console, click AD FS, and then, in the details pane, click Required: Add a trusted relying party to start the Add Relying Party Wizard.
2. On the Welcome page, click Start.
3. On the Select Data Source page, click Import data about the relying party published online or on a local network, type and then click Next. This action prompts the wizard to check for the metadata of the application that the Web server role hosts.
4. On the Specify Display Name page, in Display name type WIF Sample App, and then click Next.
5. On the Choose Issuance Authorization Rules page, click Permit all users to access this Relying Party, and then click Next.
6. On the Ready to Add Trust page, review the relying party trust settings, and then click Next to save the configuration.
7. On the Finish page, click Close to exit the wizard. This also opens the Edit Claim Rules for WIF Sample App properties page. Leave this dialog box open, and then go to the next procedure.

25 Configure the Claim Rule for the Sample Application
1. On the Edit Claim Rules for WIF Sample App properties page, on the Issuance Transform Rules tab, click Add Rule to start the Add Transform Claim Rule Wizard.
2. On the Select Rule Template page, under Claim rule template, click Pass Through or Filter an Incoming Claim on the menu, and then click Next. This action passes an incoming claim through to the user by means of Windows Integrated Authentication.
3. On the Configure Rule page, in Claim rule name type Pass Through Windows Account Name Rule. In the Incoming claim type drop-down list, click Windows account name, and then click Finish.
4. Click OK to close the property page and save the changes to the relying party trust.
NOTE!! This is only needed to test the app before we configure federation.

28 Configure the browser to trust the ADFS server
1. Start Internet Explorer.
2. On the Tools menu, click Internet Options.
3. On the Security tab, click Local intranet, and then click Sites.
4. Click Advanced.
5. In Add this Web site to the zone, type and then click Add.
6. Click Close, and then click OK two times.

29 Test Access to the Sample Application
1. Log on to a domain computer using the <domain>\administrator account.
2. Open a browser window, and then go to hmanagedsts/default.aspx. This action automatically redirects the request to the federation server role and then back to the sample application with claims.
3. Notice that the claims that AD FS issues appear in the page.

30 Configuring NAM as the Identity Provider

31 Getting the AD FS Metadata
1. Access the ADFS server metadata URL at (hostname or IP)/FederationMetadata/ /FederationMetadata.xml.
2. Save the ADFS metadata file.
3. Open the saved ADFS metadata file in Notepad, WordPad, or in any XML editor.
4. Remove the <RoleDescriptor> tags from the metadata. For example, remove the following tags:
   <RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration= >.</RoleDescriptor>
   <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration= > </RoleDescriptor>
5. Save the changes.
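Added example (not from the original slides or from NetIQ): the hand edit on slide 31 done as a script, so the same elements are removed every time and the result can be checked before it is pasted into Access Manager. The sample metadata, host name adfs.example.test and function name are constructed for illustration.

```python
"""Strip WS-Federation <RoleDescriptor> elements from AD FS federation metadata."""
import sys
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Use conventional prefixes when the cleaned document is written back out.
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed sample, shaped like AD FS metadata but heavily shortened.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
    entityID="http://adfs.example.test/adfs/services/trust">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/></ds:Signature>
  <RoleDescriptor xsi:type="fed:ApplicationServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"/>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </SPSSODescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def strip_role_descriptors(xml_text):
    """Return (cleaned_xml, report) with every top-level RoleDescriptor removed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("root element is not a SAML 2.0 EntityDescriptor")

    removed = []
    for child in list(root):  # copy: we mutate root while iterating
        if child.tag == f"{{{MD}}}RoleDescriptor":
            removed.append(child.get(f"{{{XSI}}}type", "(no xsi:type)"))
            root.remove(child)

    kept = [c.tag.split("}", 1)[1] for c in root if c.tag.startswith(f"{{{MD}}}")]
    report = {
        "entity_id": root.get("entityID"),
        "removed": removed,
        "kept": kept,
        # Access Manager imports this file as a Service Provider, so the
        # SAML 2.0 SP role must still be there after the edit.
        "has_sp_descriptor": "SPSSODescriptor" in kept,
        # An enveloped signature covers the elements just removed, so it no
        # longer verifies against the edited file. It is reported, not dropped.
        "signature_present": root.find(f"{{{DS}}}Signature") is not None,
    }
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    # Usage: script.py FederationMetadata.xml > cleaned.xml  (no argument: sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            source = handle.read()
    else:
        source = SAMPLE_METADATA
    cleaned, summary = strip_role_descriptors(source)
    print(cleaned)
    print(summary, file=sys.stderr)
```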

32 Use the Metadata to Add a New Service Provider Configuration
1. In the Access Manager Administration Console, click Devices > Identity Server > Edit > SAML 2.0.
2. Click New > Add Service Provider.
3. In the Name field, specify a name by which you want to refer to the provider.
4. Select Metadata Text from the Source list.
5. Paste the copied AD FS metadata that you saved earlier into the Text field.
6. Click Next > Finish.
7. Update the Identity Server.

33 Install the AD FS Server Trusted Certificate
1. Download the certificate authority (CA) certificate from the AD FS server.
2. In the Access Manager Administration Console, click Security > Certificates > Trusted Roots.
3. Click Import.
4. Specify a name for the certificate and browse for the ADFS certificate.
5. Click OK.
6. Click Uploaded AD FS CA certificate.
7. Click Add to Trusted Store and select the IDP config store.
8. Update the Identity Server.

34 Create an Attribute Set in Access Manager
1. In the Access Manager Administration Console, click Devices > Identity Servers > Shared Settings > Attribute Sets > click New.
2. Provide the attribute set name as adfs-attributes.
3. Click Next with the default selections.
4. In the Create Attribute Set section, click New.
5. Select ldap attribute mail from the Local Attribute list.
6. Specify address in the Remote attribute field.
7. Select from the Remote namespace list.
8. Click OK.
9. Click New.
10. Select All Roles from the Local Attribute list.
11. Specify a role in the Remote Attribute field.
12. Select from the Remote namespace list.
13. Click OK.
14. Update the Identity Server.

35 Configure the Service Provider in Access Manager
1. In the Access Manager Administration Console, select the ADFS service provider in the SAML 2.0 tab.
2. Click Authentication Response.
3. Set the Binding to POST.
4. Specify the name identifier format default value and select unspecified along with the defaults.
5. Click Attributes.
6. Select adfs-attributes from the Attribute Set list.
7. Select the required attributes to be sent with authentication. For example, the mail and role attributes.
8. Click OK.
9. Update the Identity Server.

36 Configuring ADFS as a Service Provider

37 Creating the Claims Provider Trust
1. Export the IDP Metadata from server>/nidp/saml2/metadata to a text file.
2. In the ADFS console tree, right-click the Claims Provider Trusts folder, then click Add Claims Provider Trust to start the Add Claims Provider Trust Wizard.
3. Click Start.
4. On the Select Data Source page, select Import data about the claims provider from a file.
5. In the Federation metadata file location field, click Browse.
6. Navigate to the location where you saved the metadata file, click Open, then click Next.
7. On the Specify Display Name page, type NAM Example.
8. Click Next > Next > Close.

39 Edit the Claim Rules for the Provider Trust
The following claim rule describes how the data from Access Manager is used in the security token that is sent to the WIF sample application.
1. In the AD FS console, click Relying Party Trusts, right-click WIF Sample App, and then click Edit Claim Rules.
   or
   In the AD FS center pane, under Claims Provider Trusts, right-click NAM Example, then click Edit Claim Rules.
2. On the Acceptance Transform Rules tab, click Add Rule.
3. On the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option.
4. Click Next.

40 Edit the Claim Rules for the Provider Trust - Continued
1. On the Configure Claim Rule page, use the following values:
   - Claim rule name: Name ID Rule
   - Incoming claim type: Name ID
   - Incoming name ID format: Unspecified
2. Select the Pass through all claim values option and click Finish.
3. Click Add Rule.
4. On the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option.
5. Click Next.

42 Edit the Claim Rules for the Provider Trust - Continued
1. On the Configure Claim Rule page, under Claim rule name, use the following values:
   - Claim rule name: Name Rule
   - Incoming claim type: Name
2. Leave the Pass through all claim values option selected and click Finish.
3. To acknowledge the security warning, click Yes.
4. Click OK.
5. Click Add Rule.
6. On the Select Rule Template page, select the Pass Through or Filter an Incoming Claim option.
7. Click Next.

43 Edit the Claim Rules for the Provider Trust - Continued
1. On the Configure Claim Rule page, in the Claim rule name field, use the following values:
   - Claim rule name: Rule
   - Incoming claim type: Address
2. Leave the Pass through all claim values option selected and click Finish.
3. To acknowledge the security warning, click Yes.
4. Click OK.

44 Edit the Claim Rules for the Sample Application
1. In the AD FS console, click Relying Party Trusts.
2. Right-click WIF Sample App, then click Edit Claim Rules.
3. On the Issuance Transform Rules tab, click Add Rule.
4. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim > Next.
5. On the Configure Claim Rule page, enter the following values:
   - Claim rule name: Pass Name Rule
   - Incoming claim type: Name
6. Leave the Pass through all claim values option selected, then click Finish.

45 Edit the Claim Rules for the Sample Application - Continued
1. On the Issuance Transform Rules tab, click Add Rule.
2. On the Select Rule Template page, click Pass Through or Filter an Incoming Claim.
3. Click Next.
4. On the Configure Claim Rule page, enter the following values:
   - Claim rule name: Pass Name ID Rule
   - Incoming claim type: Name ID
   - Incoming Name ID format: Unspecified
5. Leave the Pass through all claim values option selected, then click Finish.
6. Click OK.

46 Common Issues
- Signature Algorithm: both sides need to be configured to use a common algorithm.
- CRL/OCSP Checking: usually will need to be disabled on both sides in a test environment.
- Authentication Contract URI: Windows requires that URIs are in a URL format, not a *nix file path. instead of /custom/name/password

47 Accessing the WIF Sample Application
1. On the AD FS computer, open a browser window, then navigate to name>/claimsawarewebappwithmanagedsts/default.aspx.
2. The first page prompts you to select your organization from a list. Select NAM Example, then click Continue to sign in. When only one Identity Provider is available, AD FS forwards the request to that Identity Provider by default.
3. The NAM login page appears. Type a valid user name and password, then click Login.

48 Common Issues - Continued
When running on a Domain Controller:
- Permissions: IIS application pools must run as NetworkService to prevent errors.
- Certs: NAM certs must be installed on DC in Trusted People store. Fsweb certs (including CA, signing, and encryption) must be installed on NAM.
- Visual Studio as a 'requirement': False. The FedUtil.exe is the only external tool required to integrate SAML functionality into the WIF application.

49 AD Domain Integrated Authentication / Kerberos

50 Kerberos in Access Manager
- Implemented as an additional login method using SPNEGO (RFC 2478)
- Allows client to obtain a session with Access Manager IdP using Kerberos
- Provides Single Sign-On (SSO) to Windows based clients in a domain
  - Windows XP or later, Internet Explorer 7 or later
  - Works with Firefox and Chrome as well
- Active Directory on Windows 2003 SP2 or later
- Users and Machines must be in domain

51 Kerberos in Access Manager (continued)
- Currently limited to one Active Directory domain
- IdP must have access to AD User Principal Name (UPN)
- Active Directory does NOT have to be the default user store, can still use eDirectory
- Can use Password Fetch method to obtain password from eDirectory for form fills, header injection, etc.
- Allows fallback mechanism to other methods if Kerberos is not available to client

52 Configuration

53 Kerberos Configuration Create AD User IdP URL Realm 53

54 Kerberos Configuration Create AD User (Continued) 54

55 Kerberos Configuration Service Principal Name
- SPN is just a username given to a service, nothing more.
- Convention is ServiceType/HostName
- Verify value using setspn -L

56 Kerberos Configuration Keytab File
- Contains secret encryption key used to decrypt ticket
- Placed on Identity Server
  - Linux: /opt/novell/java/jre/lib/security
  - Windows: C:\Program Files (x86)\novell\jre\lib\security

57 Kerberos Configuration Add DNS entry 57

58 Kerberos Configuration Authentication Class 58

59 Kerberos Configuration Authentication Class (Continued) Not using AD as user store, so need UPN from edir! Alternate UPNs? Put them here. 59

60 Kerberos Configuration Method 60

61 Kerberos Configuration Contract 61

62 Kerberos Configuration Defaults 62

63 Kerberos Configuration bcslogin.conf

    com.sun.security.jgss.accept {
        com.sun.security.auth.module.Krb5LoginModule required
        debug="true"
        useTicketCache="true"
        ticketCache="/opt/novell/java/jre/lib/security/spnegoticket.cache"
        doNotPrompt="true"
        principal="HTTP/ids1.samlexperts.com@AD.SAMLEXPERTS.COM"
        useKeyTab="true"
        keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
        storeKey="true";
    };
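Added example (not from the original slides or from NetIQ): a small linter for the bcslogin.conf entry on slide 63. The login module class, its option names and the principal are all case-sensitive, so a file with the wrong case parses but the acceptor never gets its key. Both sample inputs are constructed, and the function name lint_jaas is hypothetical.

```python
"""Lint a SPNEGO acceptor entry for com.sun.security.auth.module.Krb5LoginModule."""
import re

ENTRY = "com.sun.security.jgss.accept"
MODULE = "com.sun.security.auth.module.Krb5LoginModule"
# Option names read by Krb5LoginModule, in their exact case.
KNOWN = ["debug", "doNotPrompt", "isInitiator", "keyTab", "principal",
         "refreshKrb5Config", "renewTGT", "storeKey", "ticketCache",
         "useKeyTab", "useTicketCache"]
CANON = {name.lower(): name for name in KNOWN}

ENTRY_RE = re.compile(r"([\w.]+)\s*\{(.*?)\}\s*;", re.S)
OPTION_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
PRINCIPAL_RE = re.compile(r"^([^/@]+)/([^/@]+)@([^/@]+)$")

# Constructed: the entry with correct case.
GOOD = '''com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    debug="true" useTicketCache="true"
    ticketCache="/opt/novell/java/jre/lib/security/spnegoticket.cache"
    doNotPrompt="true"
    principal="HTTP/ids1.samlexperts.com@AD.SAMLEXPERTS.COM"
    useKeyTab="true" keyTab="/opt/novell/java/jre/lib/security/nidpkey.keytab"
    storeKey="true";
};'''
# Constructed: the same entry with every name folded to lower case.
BAD = GOOD.lower()


def lint_jaas(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    match = ENTRY_RE.search(text)
    if not match:
        return ["no JAAS entry of the form 'name { ... };' found"]
    findings = []
    name, body = match.group(1), match.group(2)
    if name != ENTRY:
        findings.append(f"entry name is '{name}', expected '{ENTRY}'")

    words = body.split()
    module = words[0] if words else ""
    if module != MODULE:
        findings.append(f"login module '{module}' should be '{MODULE}'")

    opts = {}
    for key, value in OPTION_RE.findall(body):
        canonical = CANON.get(key.lower())
        if canonical is None:
            findings.append(f"unknown option '{key}'")
            continue
        if key != canonical:
            findings.append(
                f"option '{key}' should be '{canonical}'; the module does not read it as written")
        opts[canonical] = value

    parsed = PRINCIPAL_RE.match(opts.get("principal", ""))
    if not parsed:
        findings.append("principal is not of the form SERVICE/host@REALM")
    else:
        service, _host, realm = parsed.groups()
        if service != "HTTP":
            findings.append(f"service class '{service}' should be 'HTTP' to match the SPN")
        if realm != realm.upper():
            findings.append(f"realm '{realm}' should be upper case")

    if opts.get("useKeyTab") != "true" or not opts.get("keyTab"):
        findings.append('useKeyTab="true" and a keyTab path are both required')
    if opts.get("storeKey") != "true":
        findings.append('storeKey must be "true" so the acceptor keeps the service key')
    return findings


if __name__ == "__main__":
    for label, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(label)
        for finding in lint_jaas(sample) or ["  nothing flagged"]:
            print("  " + finding.strip())
```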

64 Kerberos Configuration Verifying Configuration

    >>> KrbAsReq creating message
    >>> KrbKdcReq send: kdc= UDP:88, timeout=30000, number of retries =3, #bytes=252
    >>> KDCCommunication: kdc= UDP:88, timeout=30000,attempt =1, #bytes=252
    >>> KrbKdcReq send: #bytes read=108
    >>> KrbKdcReq send: kdc= TCP:88, timeout=30000, number of retries =3, #bytes=252
    >>> KDCCommunication: kdc= TCP:88, timeout=30000,attempt =1, #bytes=252
    >>>DEBUG: TCPClient reading 1486 bytes
    >>> KrbKdcReq send: #bytes read=1486
    >>> KdcAccessibility: remove
    Added key: 23version: 4
    Ordering keys wrt default_tkt_enctypes list
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes:
    >>> EType: sun.security.krb5.internal.crypto.arcfourhmacetype
    >>> KrbAsRep cons in KrbAsReq.getReply HTTP/ids1.samlexperts.com
    principal is HTTP/ids1.samlexperts.com@AD.SAMLEXPERTS.COM
    Will use keytab
    Added key: 23version: 4
    Ordering keys wrt default_tkt_enctypes list
    Using builtin default etypes for default_tkt_enctypes
    default etypes for default_tkt_enctypes:
    Commit Succeeded
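Added example (not from the original slides or from NetIQ): a triage of the debug trace on slide 64 that reports whether the keytab login committed, which encryption types the keytab keys use, and whether the client fell back from UDP to TCP. The two sample traces are constructed in the same format, with the documentation address 192.0.2.10 standing in for the KDC.

```python
"""Summarise a Krb5LoginModule debug trace from the Identity Server log."""
import re

# Kerberos encryption type numbers. DES, 3DES and RC4 are deprecated
# (RFC 6649, RFC 8429); the AES types are the current ones.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac"}
DEPRECATED = {1, 3, 16, 23}

KEY_RE = re.compile(r"Added key: (\d+)version: (\d+)")
SEND_RE = re.compile(r"KrbKdcReq send: kdc=\S*\s+(UDP|TCP):(\d+)")

# Constructed trace: RC4 keytab key, UDP attempt followed by a TCP resend.
RC4_TRACE = """>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.0.2.10 UDP:88, timeout=30000, number of retries =3, #bytes=252
>>> KrbKdcReq send: #bytes read=108
>>> KrbKdcReq send: kdc=192.0.2.10 TCP:88, timeout=30000, number of retries =3, #bytes=252
>>> KrbKdcReq send: #bytes read=1486
Added key: 23version: 4
principal is HTTP/ids1.samlexperts.com@AD.SAMLEXPERTS.COM
Will use keytab
Added key: 23version: 4
Commit Succeeded"""

# Constructed trace: AES256 keytab key, single UDP exchange.
AES_TRACE = """>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=192.0.2.10 UDP:88, timeout=30000, number of retries =3, #bytes=260
>>> KrbKdcReq send: #bytes read=1320
Added key: 18version: 5
Will use keytab
Commit Succeeded"""


def triage(trace):
    """Return a dict describing the login outcome and the keytab keys seen."""
    keys, transports, committed = [], [], False
    for line in trace.splitlines():
        found = KEY_RE.search(line)
        if found:
            key = (int(found.group(1)), int(found.group(2)))  # (etype, kvno)
            if key not in keys:  # the module prints each key more than once
                keys.append(key)
        sent = SEND_RE.search(line)
        if sent:
            transports.append(sent.group(1))
        if "Commit Succeeded" in line:
            committed = True

    etypes = sorted({etype for etype, _kvno in keys})
    return {
        "login_ok": committed,
        "keytab_keys": keys,
        # Keys that still work but should be replaced: moving to AES means
        # regenerating the keytab and enabling AES on the service account.
        "deprecated": [ETYPES.get(e, f"etype {e}") for e in etypes if e in DEPRECATED],
        # A short UDP reply followed by a TCP resend is the normal
        # "response too big" fallback, not a failure.
        "tcp_retry": any(a == "UDP" and b == "TCP"
                         for a, b in zip(transports, transports[1:])),
    }


if __name__ == "__main__":
    for label, trace in (("RC4 trace", RC4_TRACE), ("AES trace", AES_TRACE)):
        print(label, triage(trace))
```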

65 Demo

66 Kerberos in Access Manager Controlling Kerberos Authentication
- IP inclusion/exclusion lists
- Fall Back to alternate authentication class
- Controlling fall back using HTTP Header (NO_NEGO_HEADER_NAME)

67 Kerberos in Access Manager IP inclusion/exclusion
Modify kerb.properties file found in: /opt/novell/nam/idp/webapps/nidp/WEB-INF/classes

    #kerberos.include= range of IPAddress of client machines will be challenged for Negotiate and out this range client IPAddress will not be challenged for Negotiate(kerberos)
    #kerberos.exclude= range of IPAddress of client machines will not be challenged for Negotiate, All other IP ranges will be challenged for Negotiate authentication (kerberos)
    #
    # IMPORTANT: Either use include or exclude property
    #
    # e.g., kerberos.include= , or
    # kerberos.exclude= ,
    #
    #kerberos.exclude=
    kerberos.include=

Note: Can only have EITHER Exclude or Include, NOT BOTH!

68 Kerberos in Access Manager Fall Back Authentication Class 68

69 Kerberos in Access Manager Handling Forms and Header Injection
- No password available during Kerberos Auth
- How can we get the password for Form Fills and Header Injection?
- Password Fetch Class

70 Kerberos in Access Manager Password Fetch Class 70

71 Kerberos in Access Manager Password Fetch Method 71

72 Kerberos in Access Manager Add Password Fetch to Contract 72

73 Kerberos in Access Manager Password Fetch Limitations
- Relies on being able to obtain the user's RDN in eDirectory in order to retrieve the password
- If it cannot determine the DN, it cannot grab the password
- If CN is not the default naming attribute (e.g. uid), then you must store the RDN in another attribute, or method cannot determine eDirectory user object
- User configured in User Store definition must have permission to retrieve user passwords
- See TID for more troubleshooting help

74 SharePoint SSO Options

75 SharePoint Authentication (Version Dependent)
- Integrated Windows Authentication: Kerberos, NTLM
- HTTP Basic Authentication: RFC 2617
- Form Based Authentication: AD, SQL, LDAP
- Federation / Claims Based: SAML, WS-Federation/WS-Trust

76 SharePoint SSO via Access Gateway Basic Authentication Identity Injection Policies Requires Password Password Fetch Class Secure via HTTPS Form Based Form Fill Policies Fallback for Kerberos - Requires Password Password Fetch Class or Shared Secrets Rewriter TID: Non-AD LDAP Authentication Option See TUT

77 SharePoint SSO via Access Gateway Kerberos Constrained Delegation (KCD)
- Independent from Kerberos authentication to NAM
- Allows NAM AG to request a Kerberos ticket on behalf of user for authentication to Kerberized applications
- Requires AG on Windows
  - Windows Server
  - Must be member of domain
- Injects ticket into header
- More Info: MS Overview / Description: NAM AG Docs:

78 SharePoint SSO Federation / Claims Authentication & Authorization Limitations? SAML Requires ADFS as Service Provider / Relying Party Secure Token Service (STS) WS-Federation Claims Identity Roles The People Picker Abnormality Custom Claims Provider

79 Appendix

80 What is Kerberos?
Kerberos is a computer network authentication protocol which works on the basis of 'tickets' to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client-server model and it provides mutual authentication: both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks. -- Wikipedia

81 Kerberos Authentication Step 1: Authentication Service
[Diagram labels: Request TGT; Authentication Service (KDC); TGS Session Key and TGT]
- TGS Session key: encrypted with user's client secret key.
- TGT: you cannot decrypt, encrypted with TGS secret key.
- This step happens when you login to the domain, TGT is cached on client.

82 Kerberos Authentication Step 2: Ticket Granting Server
[Diagram labels: Request Ticket For HTTP Service; Authentication Service (KDC); TGS Session Key and TGT]
- TGS checks if service exists, decrypts TGT.
- Sends back session key for HTTP service (encrypted with HTTP service's key, client cannot decrypt).

83 Kerberos Authentication Step 3: HTTP Service
[Diagram labels: Ticket for HTTP Service; HTTP Service (NAM IdP); Authenticator and Timestamp]
- HTTP service decrypts ticket with its secret key.
- Sends back session key for HTTP service (encrypted with HTTP service's key, client cannot decrypt).

84 Don't miss the Identity-Powered Experience in IT Central. Thank you NetIQ Corporation. All rights reserved.

86 This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time. Copyright ActiveAudit, ActiveView, Aegis, AppManager, Change Administrator, Change Guardian, Compliance Suite, the cube logo design, Directory and Resource Administrator, Directory Security Administrator, Domain Migration Administrator, Exchange Administrator, File Security Administrator, Group Policy Administrator, Group Policy Guardian, Group Policy Suite, IntelliPolicy, Knowledge Scripts, NetConnect, NetIQ, the NetIQ logo, PSAudit, PSDetect, PSPasswordManager, PSSecure, Secure Configuration Manager, Security Administration Suite, Security Manager, Server Consolidator, VigilEnt, and Vivinet are trademarks or registered trademarks of NetIQ Corporation or its subsidiaries in the United States.


More information

with Access Manager 51.1 What is Supported in This Release?

with Access Manager 51.1 What is Supported in This Release? 51 51 Integrating Microsoft SharePoint Server with Access Manager This chapter explains how to integrate Access Manager with a 10g WebGate and Microsoft SharePoint Server. It covers the following topics:

More information

.NET SAML Consumer Value-Added (VAM) Deployment Guide

.NET SAML Consumer Value-Added (VAM) Deployment Guide .NET SAML Consumer Value-Added (VAM) Deployment Guide Copyright Information SecureAuth is a copyright of SecureAuth Corporation. SecureAuth s IdP software, appliances, and other products and solutions,

More information

Colligo Console. Administrator Guide

Colligo Console. Administrator Guide Colligo Console Administrator Guide Contents About this guide... 6 Audience... 6 Requirements... 6 Colligo Technical Support... 6 Introduction... 7 Colligo Console Overview... 8 Colligo Console Home Page...

More information

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5 esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5 Phone: 1-855-MYESIGN Fax: (514) 337-5258 Web: www.esignlive.com

More information

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

Integrating the YuJa Enterprise Video Platform with ADFS (SAML) Integrating the YuJa Enterprise Video Platform with ADFS (SAML) Overview This document is intended to guide users on how to setup a secure connection between the YuJa Enterprise Video Platform referred

More information

Module 3 Remote Desktop Gateway Estimated Time: 90 minutes

Module 3 Remote Desktop Gateway Estimated Time: 90 minutes Module 3 Remote Desktop Gateway Estimated Time: 90 minutes A. Datum Corporation provided access to web intranet web applications by implementing Web Application Proxy. Now, IT management also wants to

More information

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server... Oracle Access Manager Configuration Guide for On-Premises Version 17 October 2017 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing

More information

Comodo Certificate Manager

Comodo Certificate Manager Comodo Certificate Manager Windows Auto Enrollment Setup Guide Comodo CA Limited 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Greater Manchester M5 3EQ, United Kingdom. Table of

More information

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811 Kerberos Constrained Delegation Authentication for SEG V2 VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you

More information

D9.2.2 AD FS via SAML2

D9.2.2 AD FS via SAML2 D9.2.2 AD FS via SAML2 This guide assumes you have an AD FS deployment. This guide is based on Windows Server 2016. Third Light support staff cannot offer assistance with 3rd party tools, so while the

More information

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration Contents Introduction Requirements Components Used Part A. SSO Message Flow Part B. Certificates Used in IDP

More information

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER

Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Integrating VMware Horizon Workspace and VMware Horizon View TECHNICAL WHITE PAPER Table of Contents Introduction.... 3 Requirements.... 3 Horizon Workspace Components.... 3 SAML 2.0 Standard.... 3 Authentication

More information

CA SiteMinder Federation Standalone

CA SiteMinder Federation Standalone CA SiteMinder Federation Standalone Agent for Windows Authentication Guide r12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred

More information

Access Manager 4.2 Service Pack 2 (4.2.2) supersedes Access Manager 4.2 Service Pack1 (4.2.1).

Access Manager 4.2 Service Pack 2 (4.2.2) supersedes Access Manager 4.2 Service Pack1 (4.2.1). Access Manager 4.2 Service Pack 2 Release Notes July 2016 Access Manager 4.2 Service Pack 2 (4.2.2) supersedes Access Manager 4.2 Service Pack1 (4.2.1). For the list of software fixes and enhancements

More information

Unified Communications Manager Version 10.5 SAML SSO Configuration Example

Unified Communications Manager Version 10.5 SAML SSO Configuration Example Unified Communications Manager Version 10.5 SAML SSO Configuration Example Contents Introduction Prerequisites Requirements Network Time Protocol (NTP) Setup Domain Name Server (DNS) Setup Components Used

More information

Single Sign-On with Sage People and Microsoft Active Directory Federation Services 2.0

Single Sign-On with Sage People and Microsoft Active Directory Federation Services 2.0 Single Sign-On with Sage People and Microsoft Active Directory Federation Services 2.0 Version 1.93 SP-SSO-XXX-IG-201901--R001.93 Sage 2019. All rights reserved. This document contains information proprietary

More information

SAML-Based SSO Configuration

SAML-Based SSO Configuration Prerequisites, page 1 SAML SSO Configuration Task Flow, page 5 Reconfigure OpenAM SSO to SAML SSO Following an Upgrade, page 9 SAML SSO Deployment Interactions and Restrictions, page 9 Prerequisites NTP

More information

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager VMware Identity Manager Cloud Deployment Modified on 01 OCT 2017 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The

More information

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager VMware Identity Manager Cloud Deployment DEC 2017 VMware AirWatch 9.2 VMware Identity Manager You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

Five9 Plus Adapter for Agent Desktop Toolkit

Five9 Plus Adapter for Agent Desktop Toolkit Cloud Contact Center Software Five9 Plus Adapter for Agent Desktop Toolkit Administrator s Guide September 2017 The Five9 Plus Adapter for Agent Desktop Toolkit integrates the Five9 Cloud Contact Center

More information

SAS Viya 3.3 Administration: Authentication

SAS Viya 3.3 Administration: Authentication SAS Viya 3.3 Administration: Authentication Authentication: Overview...................................................................... 1 Authentication: How To........................................................................

More information

Qualys SAML & Microsoft Active Directory Federation Services Integration

Qualys SAML & Microsoft Active Directory Federation Services Integration Qualys SAML & Microsoft Active Directory Federation Services Integration Microsoft Active Directory Federation Services (ADFS) is currently supported for authentication. The Qualys ADFS integration must

More information

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2

Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE. Release 9.2 Mitel MiContact Center Enterprise WEB APPLICATIONS CONFIGURATION GUIDE Release 9.2 NOTICE The information contained in this document is believed to be accurate in all respects but is not warranted by Mitel

More information

Blue Coat Security First Steps. Solution for Integrating Authentication using IWA BCAAA

Blue Coat Security First Steps. Solution for Integrating Authentication using IWA BCAAA Solution for Integrating Authentication using IWA BCAAA Third Party Copyright Notices 2014 Blue Coat Systems, Inc. All rights reserved. BLUE COAT, PROXYSG, PACKETSHAPER, CACHEFLOW, INTELLIGENCECENTER,

More information

Integration Guide. BlackBerry Workspaces. Version 1.0

Integration Guide. BlackBerry Workspaces. Version 1.0 Integration Guide BlackBerry Workspaces Version 1.0 Published: 2017-12-27 SWD-20171227025930338 Contents Overview... 4 Okta... 5 Add BlackBerry Workspaces to your Okta account...5 Configure BlackBerry

More information

Unity Connection Version 10.5 SAML SSO Configuration Example

Unity Connection Version 10.5 SAML SSO Configuration Example Unity Connection Version 10.5 SAML SSO Configuration Example Document ID: 118772 Contributed by A.M.Mahesh Babu, Cisco TAC Engineer. Jan 21, 2015 Contents Introduction Prerequisites Requirements Network

More information

All about SAML End-to-end Tableau and OKTA integration

All about SAML End-to-end Tableau and OKTA integration Welcome # T C 1 8 All about SAML End-to-end Tableau and OKTA integration Abhishek Singh Senior Manager, Regional Delivery Tableau Abhishek Singh Senior Manager Regional Delivery asingh@tableau.com Agenda

More information

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide VAM ADFS 2FA Value-Added Module (VAM) Deployment Guide Copyright Information 2018. SecureAuth is a registered trademark of SecureAuth Corporation. SecureAuth s IdP software, appliances, and other products

More information

Introduction to application management

Introduction to application management Introduction to application management To deploy web and mobile applications, add the application from the Centrify App Catalog, modify the application settings, and assign roles to the application to

More information

SafeNet Authentication Service

SafeNet Authentication Service SafeNet Authentication Service Integration Guide Using SafeNet Authentication Service as an Identity Provider for RadiantOne Cloud Federation Service (CFS) All information herein is either public information

More information

SAML 2.0 SSO Implementation for Oracle Financial Services Lending and Leasing

SAML 2.0 SSO Implementation for Oracle Financial Services Lending and Leasing SAML 2.0 SSO Implementation for Oracle Financial Services Lending and Leasing Using Active Directory and Active Directory Federation Services as Identity Provider (IdP) O R A C L E W H I T E P A P E R

More information

AD FS CONFIGURATION GUIDE

AD FS CONFIGURATION GUIDE AD FS CONFIGURATION GUIDE Contents What is lynda.com?... 1 What this document explains... 1 Requirements... 1 Generate identity provider metadata... 2 Add a relying party trust... 2 Edit claim rules...

More information

Web Application Proxy

Web Application Proxy Application Proxy Ing. Ondřej Ševeček GOPAS a.s. MCSM:Directory2012 MCM:Directory2008 MVP:Enterprise Security CEH: Certified Ethical Hacker CHFI: Computer Hacking Forensic Investigator ondrej@sevecek.com

More information

CA SiteMinder Federation

CA SiteMinder Federation CA SiteMinder Federation Legacy Federation Guide 12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

APM Cookbook: Single Sign On (SSO) using Kerberos

APM Cookbook: Single Sign On (SSO) using Kerberos APM Cookbook: Single Sign On (SSO) using Kerberos Brett Smith, 2014-28-04 To get the APM Cookbook series moving along, I ve decided to help out by documenting the common APM solutions I help customers

More information

HP Operations Orchestration Software

HP Operations Orchestration Software HP Operations Orchestration Software Software Version: 7.50 Guide to Enabling Single Sign-on Document Release Date: March 2009 Software Release Date: March 2009 Legal Notices Warranty The only warranties

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,

More information

How to Integrate an External Authentication Server

How to Integrate an External Authentication Server How to Integrate an External Authentication Server Required Product Model and Version This article applies to the Barracuda Load Balancer ADC 540 and above, version 5.1 and above, and to all Barracuda

More information

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2 Deploying VMware Identity Manager in the DMZ JULY 2018 VMware Identity Manager 3.2 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810 Kerberos Constrained Delegation Authentication for SEG V2 VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you

More information

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications

Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring

More information

Configuring SAML-based Single Sign-on for Informatica Web Applications

Configuring SAML-based Single Sign-on for Informatica Web Applications Configuring SAML-based Single Sign-on for Informatica Web Applications Copyright Informatica LLC 2017. Informatica LLC. Informatica, the Informatica logo, Informatica Big Data Management, and Informatica

More information

Vintela Single Sign-On for Java Reference Manual

Vintela Single Sign-On for Java Reference Manual Vintela Single Sign-On for Java Reference Manual Standard Edition 3.3 2008 Quest Software, Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described

More information

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3

Deploying VMware Identity Manager in the DMZ. SEPT 2018 VMware Identity Manager 3.3 Deploying VMware Identity Manager in the DMZ SEPT 2018 VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have

More information

App Orchestration 2.6

App Orchestration 2.6 Configuring NetScaler 10.5 Load Balancing with StoreFront 3.0 and NetScaler Gateway for Last Updated: June 04, 2015 Contents Introduction... 3 Configure the NetScaler load balancer certificates... 3 To

More information

Implementing Cross-Domain Kerberos Constrained Delegation Authentication An AirWatch How-To Guide

Implementing Cross-Domain Kerberos Constrained Delegation Authentication An AirWatch How-To Guide Implementing Cross-Domain Kerberos Constrained Delegation Authentication An AirWatch How-To Guide For VMware AirWatch 1 Table of Contents Chapter 1: Overview 3 Introduction 4 Prerequisites 5 Chapter 2:

More information

October 14, SAML 2 Quick Start Guide

October 14, SAML 2 Quick Start Guide October 14, 2017 Copyright 2013, 2017, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided under a license agreement containing restrictions on use and

More information

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29 Oracle Access Manager Configuration Guide 16 R1 March 2016 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 8 Installing Oracle HTTP Server...

More information

Configuring Kerberos based SSO in Weblogic Application server Environment

Configuring Kerberos based SSO in Weblogic Application server Environment IBM Configuring Kerberos based SSO in Weblogic Application server Environment Kerberos configuration Saravana Kumar KKB 10/11/2013 Saravana, is working as a Staff Software Engineer (QA) for IBM Policy

More information

IBM Security Access Manager v8.x Kerberos Part 2

IBM Security Access Manager v8.x Kerberos Part 2 IBM Security Access Manager open mic webcast - Oct 27, 2015 IBM Security Access Manager v8.x Kerberos Part 2 Kerberos Single Sign On using Constrained Delegation Panelists Gianluca Gargaro L2 Support Engineer

More information

Integrating AirWatch and VMware Identity Manager

Integrating AirWatch and VMware Identity Manager Integrating AirWatch and VMware Identity Manager VMware AirWatch 9.1.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a

More information

NETOP PORTAL ADFS & AZURE AD INTEGRATION

NETOP PORTAL ADFS & AZURE AD INTEGRATION 22.08.2018 NETOP PORTAL ADFS & AZURE AD INTEGRATION Contents 1 Description... 2 Benefits... 2 Implementation... 2 2 Configure the authentication provider... 3 Azure AD... 3 2.1.1 Create the enterprise

More information

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES

SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES SPNEGO SINGLE SIGN-ON USING SECURE LOGIN SERVER X.509 CLIENT CERTIFICATES TABLE OF CONTENTS SCENARIO... 2 IMPLEMENTATION STEPS... 2 PREREQUISITES... 3 1. CONFIGURE ADMINISTRATOR FOR THE SECURE LOGIN ADMINISTRATION

More information

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013 Ping Identity RSA SecurID Ready Implementation Guide Partner Information Last Modified: December 13, 2013 Product Information Partner Name Ping Identity Web Site www.pingidentity.com Product Name PingFederate

More information

Oracle Access Manager Configuration Guide

Oracle Access Manager Configuration Guide Oracle Access Manager Configuration Guide 16 R2 September 2016 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

More information

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3. Installing and Configuring VMware Identity Manager Connector 2018.8.1.0 (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.3 You can find the most up-to-date technical documentation on

More information

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8 RSA SECURID ACCESS Implementation Guide PingIdentity John Sammon & Gina Salvalzo, RSA Partner Engineering Last Modified: February 27 th, 2018 Solution Summary Ping Identity

More information

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE

Guide to Deploying VMware Workspace ONE with VMware Identity Manager. SEP 2018 VMware Workspace ONE Guide to Deploying VMware Workspace ONE with VMware Identity Manager SEP 2018 VMware Workspace ONE You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments. TECHNICAL GUIDE SSO SAML At 360Learning, we don t make promises about technical solutions, we make commitments. This technical guide is part of our Technical Documentation. 2 360Learning is a Leading European

More information

TACACs+, RADIUS, LDAP, RSA, and SAML

TACACs+, RADIUS, LDAP, RSA, and SAML This chapter contains the following sections: Overview, page 1 RADIUS, page 1 TACACS+ Authentication, page 2 User IDs in the APIC Bash Shell, page 2 Login Domains, page 3 LDAP/Active Directory Authentication,

More information

SAML-Based SSO Solution

SAML-Based SSO Solution About SAML SSO Solution, page 1 Single Sign on Single Service Provider Agreement, page 2 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 3 Cisco Unified Communications Applications

More information

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML) Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML) 1. Overview This document is intended to guide users on how to integrate their institution s Dell Cloud Access Manager

More information

Setting Up the Server

Setting Up the Server Managing Licenses, page 1 Cross-launch from Prime Collaboration Provisioning, page 5 Integrating Prime Collaboration Servers, page 6 Single Sign-On for Prime Collaboration, page 7 Changing the SSL Port,

More information

Advanced Clientless SSL VPN Configuration

Advanced Clientless SSL VPN Configuration Microsoft Kerberos Constrained Delegation Solution, page 1 Configure Application Profile Customization Framework, page 7 Encoding, page 11 Use Email over Clientless SSL VPN, page 13 Microsoft Kerberos

More information

IBM Security Access Manager Version January Federation Administration topics IBM

IBM Security Access Manager Version January Federation Administration topics IBM IBM Security Access Manager Version 9.0.2.1 January 2017 Federation Administration topics IBM IBM Security Access Manager Version 9.0.2.1 January 2017 Federation Administration topics IBM ii IBM Security

More information

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication You can use identity policies to collect user identity information from connections. You can then view usage based on user identity in the dashboards, and configure access control based on user or user

More information

ArcGIS Enterprise Administration

ArcGIS Enterprise Administration TRAINING GUIDE ArcGIS Enterprise Administration Part 3 This session touches on key elements of Portal for ArcGIS setup, configuration and maintenance techniques. Table of Contents Portal for ArcGIS...

More information

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate SafeNet Authentication Manager Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information

More information

Copyright

Copyright This video will look at creating a relying party trust in Active Directory Federation Services. A relying party trust is required in order to create claims that will be used by the resource partner. In

More information

Implementing Cross- Domain Kerberos Constrained Delegation Authentication. VMware Workspace ONE UEM 1810

Implementing Cross- Domain Kerberos Constrained Delegation Authentication. VMware Workspace ONE UEM 1810 Implementing Cross- Domain Kerberos Constrained Delegation Authentication VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information