The Data Security Company.
Utimaco Safeware
www.utimaco.com
Utimaco Knowledge Article
How to use Kerberos in conjunction with SafeGuard® Enterprise
Document information
Author: Corporate Technical Operations
Version: 1.00, last changes: December 30, 2008
Title: How to use Kerberos in conjunction with SafeGuard® Enterprise
Version: 1.00
Last changes: 12/30/2008
Contents
1 Prerequisites & Informational Links regarding CA & enrollment
2 Import of the Certificate Authority (CA) & Certificate Revocation List (CRL)
3 Configuration steps in the SafeGuard Management Console
4 Import of the User Certificates
4.1 Single import for a User Certificate
4.2 Mass import from Active Directory
4.3 Import of a User's .cer File
5 Client Authentication with Kerberos via Token
5.1 UMA (User Machine Assignment)
5.2 Token Logon After UMA (User Machine Assignment)
1 Prerequisites
1. A Microsoft Windows Server 2003 PKI is in place and an enrollment station has been configured to issue certificates onto tokens
2. The token middleware (PKCS#11 software) is installed on the Management Console machine
3. The user's certificate is already enrolled on a token
4. The Client Configuration Package is installed on the client and the policies have been assigned to it in the SafeGuard Management Console
5. Users already log on to Windows via Kerberos, i.e. the client is a domain member (Windows smart card logon uses the Kerberos PKINIT extension)
Informational links regarding Certificate Authorities & Certificate enrollment
Public Key Infrastructure for Windows Server 2003
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
Installing and configuring a Certification Authority
http://technet.microsoft.com/en-ms/library/cc756120.aspx
Prepare a smart card certificate enrollment station
http://technet.microsoft.com/en-us/library/cc781592.aspx
Certificate enrollment using smart cards
http://support.microsoft.com/kb/257480
2 Import of the CA certificate and CRL
The CA certificate and the CRL can be downloaded from the Certification Authority's web enrollment page (https://yourserver/certsrv, link "Download a CA certificate, certificate chain, or CRL").
Note: Delta CRLs are currently not supported; import the base CRL only. On a Windows CA that publishes delta CRLs, the delta CRL is the file with a "+" appended to the CA name (<CA name>+.crl); do not import that file.
To import the CA certificate, the Sub CA certificate (if there is one) and the matching CRL(s) into the Management Console, navigate to Keys & Certificates.
Note: The certificate hierarchy (chain of trust) has to be complete: every CA from the issuing CA up to the root must be imported, each with its own CRL.
• Click the Import CRL button to import the CRL
• Click the Import CA certificate button to import the CA certificate
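The PowerShell script below is an added example and is not part of the Utimaco article. Instead of the web enrollment page it uses certutil to export the CA certificate and the base CRL, then performs the two checks this section asks for before anything is imported via Keys & Certificates: that the CRL is not a delta CRL, and that the chain of trust is complete (every Sub CA and the root are available). The CA config string "CA01.example.com\Example Issuing CA" and the folder C:\SGN-Import are hypothetical placeholders.

```powershell
# Added example, not part of the Utimaco article: export the CA certificate and the
# base CRL from a Windows Certification Authority with certutil and check them before
# they are imported via Keys & Certificates. The CA config string and the output
# folder are hypothetical placeholders.
$CaConfig = 'CA01.example.com\Example Issuing CA'   # "<CA host>\<CA common name>"
$OutDir   = 'C:\SGN-Import'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$CaCerFile = Join-Path $OutDir 'ca.cer'
$CrlFile   = Join-Path $OutDir 'ca.crl'

# 1. Export the CA certificate and the base CRL. certutil -getcrl only returns the
#    delta CRL when the extra 'delta' argument is given, so omitting it is what we want.
certutil -config $CaConfig -ca.cert $CaCerFile | Out-Null
certutil -config $CaConfig -getcrl  $CrlFile   | Out-Null
if (-not (Test-Path $CaCerFile) -or -not (Test-Path $CrlFile)) {
    throw "Export from '$CaConfig' failed; check the CA config string and your permissions."
}

# 2. Refuse a delta CRL. Delta CRLs carry the critical Delta CRL Indicator extension
#    (OID 2.5.29.27), which certutil -dump lists by OID and friendly name.
$crlDump = certutil -dump $CrlFile
if ($crlDump -match '2\.5\.29\.27|Delta CRL Indicator') {
    throw "$CrlFile is a delta CRL; the Management Console needs the base CRL."
}

# 3. Check that the chain of trust is complete. Build the chain for the exported CA
#    certificate; PartialChain means a parent CA certificate is missing on this machine.
$caCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaCerFile
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'      # the CRL was checked separately above
$null = $chain.Build($caCert)
foreach ($status in $chain.ChainStatus) {
    Write-Warning ("{0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
}
if (($chain.ChainStatus | ForEach-Object { $_.Status }) -contains 'PartialChain') {
    throw 'Certificate hierarchy is incomplete: obtain the missing Sub CA / root CA certificate(s) first.'
}

# 4. Export every CA certificate in the chain (issuing CA, Sub CAs, root) so that each
#    one can be imported with Import CA certificate. Each CA also needs its own base CRL.
$i = 0
foreach ($element in $chain.ChainElements) {
    $c    = $element.Certificate
    $name = ($c.GetNameInfo('SimpleName', $false) -replace '[^\w\-]', '_')
    $file = Join-Path $OutDir ('chain{0}-{1}.cer' -f $i, $name)
    [IO.File]::WriteAllBytes($file, $c.Export('Cert'))
    Write-Host ("{0}: {1}`n   issued by {2}`n   -> {3}" -f $i, $c.Subject, $c.Issuer, $file)
    $i++
}
```

Run it on the Management Console machine with an account that may read from the CA. An UntrustedRoot warning only means the root is not in this machine's Trusted Root store; the exported chainN-*.cer files are still the complete set to import, whereas PartialChain stops the script because an import with a gap in the hierarchy would violate the note above.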
3 Configuration steps in the SafeGuard Management Console
• Create an Authentication Policy and set Logon Mode to Token (token logon only) or to UserID/Password; Token (both methods allowed)
• Set Logon options using token to Kerberos
• Save the policy
• Create a Specific Machine Settings Policy
• Set Enable Power-on Authentication to Yes
• Set Windows cryptographic toolkits to SafeGuard Cryptographic Engine
• Select the Module name of the token middleware; here we use Aladdin eToken PKI Client. The corresponding middleware and the client configuration package must be installed on the Management Console machine, the license must include the selected module, and the policies must be assigned to the machine.
• Save the policy
• Go to Users & Computers and assign both policies to the OU that contains the clients which are to use tokens. Keep in mind that the machine running the Management Console, on which the token configuration is performed, needs these policies assigned as well.
• Save the changes
4 Import of the User Certificate(s)
There are three ways to import the user certificate(s):
4.1 Single import for a user
• Select a user for token usage and navigate to the Certificate tab
• Plug the user's token into a USB port of the Management Console machine and click the Assign a certificate from a token button
• The certificate details are shown. If they are not, click Rescan Token(s)
• A successful import is confirmed by a message
• Afterwards, the imported certificate is listed for the user
• Because Kerberos authentication is used, no changes need to be made on the Token Data tab
4.2 Mass import from Active Directory
To use the Auto Import Certificates function of the Management Console, a registry key has to be imported on the Management Console machine.
Note: For more information see SafeGuard Knowledge Article 108295.
4.3 Import of a user's .cer file
• Select a user for token usage and navigate to the Certificate tab
• Click the Import certificate button
• Select the user's .cer file and click OK
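Whichever of the three import routes is used, the certificate that ends up assigned to the user has to be one that Windows accepts for Kerberos smart card logon (prerequisite 5), or the token logon in section 5 will fail at the Windows stage even though the SafeGuard import succeeded. The PowerShell function below is an added example and not part of the Utimaco article; it checks a .cer file (the 4.3 route, and equally a certificate exported from the token or from Active Directory) for the properties Windows smart card logon requires: a current validity period, the Smart Card Logon EKU, a UPN in the Subject Alternative Name, and a chain to a trusted CA with revocation checking. The path C:\SGN-Import\jdoe.cer and the UPN jdoe@example.com are hypothetical placeholders.

```powershell
# Added example, not part of the Utimaco article: check a user's .cer file before it is
# imported for the user in the Management Console. Windows smart card logon over
# Kerberos (PKINIT) requires the certificate to chain to a trusted CA, to carry the
# Smart Card Logon EKU and to hold the user's UPN in the Subject Alternative Name.
# The path and the UPN used in the call at the bottom are hypothetical placeholders.
function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,
        [string]$ExpectedUpn          # e.g. 'jdoe@example.com'; comparison is skipped if empty
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
    $ok   = $true
    $now  = Get-Date

    # Validity window
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        Write-Warning ("Certificate is not valid now ({0} - {1})" -f $cert.NotBefore, $cert.NotAfter)
        $ok = $false
    }

    # Smart Card Logon EKU (1.3.6.1.4.1.311.20.2.2), present in certificates issued from the
    # Windows "Smartcard Logon" and "Smartcard User" templates.
    $ekuExt     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasScLogon = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.20.2.2' }))
    if (-not $hasScLogon) { Write-Warning 'Smart Card Logon EKU is missing'; $ok = $false }

    # UPN in the Subject Alternative Name. The .NET Framework has no SAN parser, so use the
    # formatted extension text, which shows the UPN as "Principal Name=<upn>".
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $upn = $null
    if ($sanExt -and ($sanExt.Format($true) -match 'Principal Name=([^\r\n,]+)')) {
        $upn = $Matches[1].Trim()
    }
    if (-not $upn) {
        Write-Warning 'No UPN (Principal Name) in the Subject Alternative Name'; $ok = $false
    } elseif ($ExpectedUpn -and ($upn -ne $ExpectedUpn)) {
        Write-Warning ("UPN {0} does not match the expected {1}" -f $upn, $ExpectedUpn); $ok = $false
    }

    # Chain to a trusted root including CRL checking, a stand-in for what the KDC does at logon.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    if (-not $chainOk) {
        foreach ($s in $chain.ChainStatus) { Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim()) }
        $ok = $false
    }

    New-Object PSObject -Property @{
        Subject = $cert.Subject; Issuer = $cert.Issuer; Thumbprint = $cert.Thumbprint
        UPN = $upn; SmartCardLogonEku = $hasScLogon; ChainOk = $chainOk; Passed = $ok
    }
}

Test-SmartCardLogonCert -CerPath 'C:\SGN-Import\jdoe.cer' -ExpectedUpn 'jdoe@example.com'
```

Passed is only true when all four checks succeed; the individual fields tell you which property to fix on the CA template or on the user object before re-enrolling the token. Because the chain is built with online revocation checking, run it on a machine that can reach the CA's CRL distribution point.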
5 Client Authentication with Kerberos via Token
5.1 UMA (User Machine Assignment)
After the client and the client configuration package have been installed and the machine has been rebooted, the Power-on Authentication (POA) operates in "Auto logon Mode".
The user is then prompted for the token PIN.
After the token PIN has been entered, the logon process continues and the user is assigned to the machine.
5.2 Token Logon after UMA (User Machine Assignment)
If the user's token is plugged in during start-up, the POA asks for the token PIN. Click OK after entering the token PIN.
After that, the message Plug in the token again to complete logon is shown.
Note: Due to technical limitations, the token has to be unplugged and plugged in again to continue the single sign-on to Windows.
Once the token has been plugged in again, the single sign-on to Windows continues.
Utimaco Safeware AG
Hohemarkstrasse 22
DE-61440 Oberursel
Germany
www.utimaco.com/myutimaco
Copyright Information
© 2007 - Utimaco Safeware AG
All rights reserved.
The Information in this document must not be changed without the expressed written
agreement of the Utimaco Safeware AG.
All SafeGuard Products are registered trademarks of Utimaco Safeware AG. All other
named trademarks are trademarks of the particular copyright holder. Microsoft,
Windows and the Windows logo are trademarks or registered trademarks of Microsoft
Corporation in the United States and/or other countries.