SmartCard Authentication: Considerations, Options and Pitfalls with SharePoint PowerPoint PPT Presentation


SmartCard Authentication: Considerations, Options and Pitfalls with SharePoint. Dan Usher Joel Ward. Agenda. Who we are… What we’ve seen… Security Concerns in today’s world Why SmartCards? Authentication & Authorization of SharePoint IIS and SmartCards


Presentation Transcript


SmartCard Authentication: Considerations, Options and Pitfalls with SharePoint

Dan Usher

Joel Ward


Agenda

  • Who we are…

  • What we’ve seen…

  • Security Concerns in today’s world

  • Why SmartCards?

  • Authentication & Authorization of SharePoint

  • IIS and SmartCards

  • Implementation Considerations and Pitfalls


We are very eager to talk about SharePoint…


But first…the SmartCards!!!


Please excuse this err in judgment…


First the introductions…

Dan Usher

  • MCP, MCTS, Security+

  • SharePoint Architect and Implementation / Deployment Engineer

  • UVA - BS Physics

Joel Ward

  • MCP, MCAD

  • Solutions Developer and Architect

  • Penn State - BA Integrative Arts


What we've seen…

  • Large and Small SharePoint implementations

  • Authentication schemas using SmartCard authentication integrated with Active Directory and third party SSO systems

  • Extranet Enabled SmartCard SharePoint systems


Security Concerns in today’s world

  • Cyber Security

  • Identity Theft

  • Phishing

  • Information Assurance


How we protect Identity

  • Strong Passwords

  • Web of Trust

  • Two Factor Authentication

  • Biometrics

[email protected]

[email protected]

[email protected]@n7


Why does IA matter?

  • Confidentiality

  • Integrity

  • Authenticity

  • Availability

  • Non-repudiation


How does IA impact you?

  • Stricter Password Policies

  • Resetting Passwords More Often

  • Password Enabled Screensavers

    …disruptions in your daily work

    …things aren’t quite as secure as they were


So why SmartCards?

  • Simplicity…

Source: http://go.spdan.com/pki


So why SmartCards?

  • Simplicity… to the end user

  • Provides a secure tamper resistant storage physical token

  • Enables portability of credentials and private information similar to other Federated Identity…

    • …like OpenID, Facebook Connect, Google OpenSocial, Microsoft Hailstorm

  • A PIN is used

  • …Security


What about a soft cert?

  • Similar to a physical token

    • Contains the same information

    • It has an expiration date

    • It can be revoked

  • Provides for similar IA capabilities

  • However…

    • It can be exported

    • It can be shared

    • It can be purchased

    • It can be stolen


Authentication and Authorization of SharePoint

  • Authentication

    • IIS

      • Username & Password

      • Client Certificates

      • ISAPI Filters

      • Custom Membership Providers

      • Federation (ADFS or Third Party Identity Handler)

  • Authorization

    • SharePoint Groups and Permissions

    • AD / LDAP / Role Provider Security Groups


Basics of SharePoint Authentication

  • Handled by IIS and ASP.NET

  • Checks user against AD or other auth provider

  • Passes verification to IIS to proceed

Source: http://go.spdan.com/iisauth

ASP.NET Authentication


IIS and SmartCards


Implementation Considerations and Pitfalls

  • Option 0: SharePoint on an Intranet with integrated authentication

  • Option 1: SharePoint in a DMZ with client certificates and AD integration

  • Option 2a: SharePoint published through Internet Security and Acceleration (ISA) Server

  • Option 2b: SharePoint published through Intelligent Application Gateway (IAG) Server

  • Option 3: Custom Membership Provider


Considerations – Option 0

  • SharePoint is Intranet based only

  • Client Desktop utilizes the “SmartCard Enabled Login Required” security policy setting

  • SharePoint utilizing Integrated Windows authentication

    • Kerberos or NTLM



Pitfalls – Option 0

  • Intranet only situation

    • Need to be within the network boundary for authentication tokens to pass properly

  • User’s account must be linked to their SmartCard user principal name

  • Certificate Authority (CA) availability for CRL check may affect system availability


Considerations - Option 1

  • Web Server in DMZ

  • Utilize Authentication Store (AD)

  • IIS Configured to Require Client Certificate

  • Relatively easy to configure


Configuration – Option 1

  • Install an SSL certificate that belongs to a managed PKI environment

  • Within IIS in the specific web application, enable:

    • Require Secure Channel (SSL)

    • Require 128-bit encryption (optional)

    • Require client certificate

  • Certificate Revocation List (CRL) ports open

    • LDAP or LDAP-S
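The Option 1 settings above can be applied without clicking through the IIS manager. The following is an added example, not code from the presenters, that sets the IIS 7+ sslFlags for a site through Microsoft.Web.Administration, and adds a diagnostic for the CRL pitfall listed on the next slide: it builds the certificate chain with online revocation checking from the DMZ host, so an unreachable CA or CRL distribution point shows up as a chain status flag before users see a failed logon. The site name "SharePoint - 80", the class names and the 15-second URL timeout are assumptions.

```csharp
// Added example (not the presenters' code). Requires a reference to
// Microsoft.Web.Administration.dll (ships with IIS 7+) and must run elevated.
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration;

public static class Option1IisConfig
{
    // Turn on the three "Configuration - Option 1" checkboxes for one site.
    public static void RequireClientCertificate(string siteName)
    {
        using (ServerManager serverManager = new ServerManager())
        {
            Configuration config = serverManager.GetApplicationHostConfiguration();

            // system.webServer/security/access is locked at the server level by
            // default, so the site-specific value lives in applicationHost.config.
            ConfigurationSection access =
                config.GetSection("system.webServer/security/access", siteName);

            // Ssl              = Require Secure Channel (SSL)
            // Ssl128           = Require 128-bit encryption
            // SslNegotiateCert = ask the browser for a client certificate
            // SslRequireCert   = reject the request if no certificate is presented
            access["sslFlags"] = "Ssl, Ssl128, SslNegotiateCert, SslRequireCert";

            serverManager.CommitChanges();
        }
    }

    // Diagnostic for the CRL/OCSP pitfall: validate a sample user certificate
    // with online revocation checking from this host. RevocationStatusUnknown or
    // OfflineRevocation in the result means the CRL ports (LDAP/LDAPS/HTTP) are
    // not reachable from the DMZ and logons will fail once IIS enforces the check.
    public static X509ChainStatusFlags CheckRevocationPath(X509Certificate2 cert)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.UrlRetrievalTimeout = TimeSpan.FromSeconds(15); // assumed timeout
        chain.Build(cert);

        X509ChainStatusFlags flags = X509ChainStatusFlags.NoError;
        foreach (X509ChainStatus status in chain.ChainStatus)
            flags |= status.Status;
        return flags;
    }

    public static void Main(string[] args)
    {
        // Usage: Option1IisConfig.exe "<site name>" [path-to-sample-user-cert.cer]
        string siteName = args.Length > 0 ? args[0] : "SharePoint - 80"; // assumed site name
        RequireClientCertificate(siteName);
        Console.WriteLine("Client certificates are now required for site: " + siteName);

        if (args.Length > 1)
        {
            X509Certificate2 sample = new X509Certificate2(args[1]);
            Console.WriteLine("Revocation path check: " + CheckRevocationPath(sample));
        }
    }
}
```

Run the revocation check from the DMZ web server itself, not from an administrator workstation: the point of the test is whether that host, with its firewall rules, can reach the CRL distribution points for every CA in the chain.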



Pitfalls – Option 1

  • OCSP or CRL checking could cause authentication to fail if CRL is not available

  • Depending on number of requests, CRL checking could cause server load

  • Puts server in DMZ, increases attack surface area – wfetch will show your SharePoint Version

  • User’s account must be linked to their SmartCard user principal name

  • User selecting certificate that does not contain UPN


Considerations - Option 2a

  • Internet Security and Acceleration 2006 (ISA) Server Web Site Publishing with Constrained Kerberos Delegation

  • Internal Windows Networking Infrastructure system utilizing Kerberos

  • Users authenticate to their client machine using different account than SmartCard linked to their AD user object


Pitfalls – Option 2a

  • Windows XP + Office 2007 requires a hot fix to allow for documents to open using ISA

  • Increases authentication requirements for external facing or extranet systems

  • User’s account must be linked to their SmartCard user principal name

  • Multi-Forest trusts do not always work

  • Reauthentication issues

  • Only leverages Active Directory


Considerations - Option 2b

  • Intelligent Application Gateway (IAG) Server Publishing Web Front End Server

  • Similar to Option 2a (ISA Server), but better experience for the end user

  • Stable session - Prevents constant requests for re-authorization using SmartCard

  • Allows for NAP like capabilities

  • Allows for mapping to something other than AD


Pitfalls – Option 2b

  • Additional hardware to maintain

    • Current IAG is a hardware appliance

    • IAG 2007 available as a virtual machine for demonstration purposes

    • Future IAG will potentially be available as software and hardware

      • IAG -> Forefront Unified Access Gateway (UAG)

  • Costly

  • Requires authenticating to IAG dashboard


Considerations - Option 3

  • Custom Membership provider for SmartCard

  • IIS or SSO/ISAPI filter handshakes with the SmartCard

  • Does not require Active Directory: Can use LDAP, SQL Server, or another authentication provider


Considerations - Option 3 (cont.)

  • Custom SharePoint login page (using Forms Based Authentication) completes the login process seamlessly without user input

  • Can optionally create user account on the fly, based on SmartCard credentials

  • Can add in logic for account approval, different access levels based on SmartCard credentials, etc.


Pitfalls – Option 3

  • Requires additional configuration in SharePoint

  • Requires custom development

  • If requiring client certificate in IIS (instead of SSO or ISAPI filter), OCSP or CRL checking could cause authentication to fail if CRL is not available

  • Must secure server if in DMZ

  • Must add in appropriate security logic to custom login page


How do I configure a membership provider?

1) Configure domain name and SSL certificate for web application

2) Implement Forms Based Authentication with SharePoint using appropriate membership and role provider (AD, LDAP, ASPNET, etc.)

3) Configure IIS to accept client certificates (or custom SSO)

4) Create custom login page for SharePoint _layouts folder


What do I include in the custom login page?

    using System.Web;
    using System.Web.Security;

    // Get client certificate and appropriate user ID
    HttpClientCertificate cert = Request.ClientCertificate;
    string userID = cert.Get("[fieldname]");

    // Create new user and add to Visitor role, but only if the account
    // does not already exist (CreateUser throws on a duplicate name)
    if (Membership.GetUser(userID) == null)
    {
        MembershipUser user = Membership.CreateUser(userID, [randomPassword], [email]);
        Roles.AddUserToRole(userID, "Visitors");
    }

    // If user exists in membership provider, login using FBA
    // (GetUser returns null for an unknown user, so check before dereferencing)
    MembershipUser existing = Membership.GetUser(userID);
    if (existing != null && existing.UserName == userID)
        FormsAuthentication.RedirectFromLoginPage(userID, false);
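The "Pitfalls" slides for Options 1 and 3 name the cases the minimal login page does not handle: no certificate negotiated, the user picking a certificate that carries no UPN, and the need for "appropriate security logic" before an account is created or signed in. The following is an added example, not the presenters' code, of a login-page helper that handles each of those cases and reports which one occurred; it reads the UPN from the certificate's Subject Alternative Name instead of a free-form field, so the account name is always the value the card was issued for. The class and enum names, the "Visitors" role, the autoProvision switch, the 24-character generated password and the use of the UPN as the membership e-mail are assumptions.

```csharp
// Added example (not the presenters' code). Intended to be called from the
// code-behind of a custom FBA login page in the SharePoint _layouts folder,
// with IIS already set to require a client certificate (Option 1/3).
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Security;

public static class SmartCardLogin
{
    // Each value maps to a distinct pitfall the page should surface to the user
    // (and log), rather than a generic "login failed".
    public enum Outcome { NoCertificate, InvalidCertificate, NoUpn, NotProvisioned, LoggedIn }

    public static Outcome Authenticate(HttpRequest request, bool autoProvision)
    {
        HttpClientCertificate clientCert = request.ClientCertificate;

        // Pitfall: the page can be reached with no certificate negotiated at all
        // (for example, IIS set to "accept" rather than "require" client certs).
        if (!clientCert.IsPresent)
            return Outcome.NoCertificate;

        // IIS has already validated the chain (including CRL/OCSP, if enabled);
        // IsValid mirrors that result and is re-checked here rather than assumed.
        if (!clientCert.IsValid)
            return Outcome.InvalidCertificate;

        // Re-parse the DER bytes so the SAN can be inspected.
        X509Certificate2 cert = new X509Certificate2(clientCert.Certificate);

        // Pitfall: user selects a certificate that does not contain a UPN
        // (for example, a signing or encryption certificate from the same card).
        string upn = cert.GetNameInfo(X509NameType.UpnName, false);
        if (string.IsNullOrEmpty(upn))
            return Outcome.NoUpn;

        // Normalise so "User@DOMAIN" and "user@domain" map to one account.
        string userID = upn.Trim().ToLowerInvariant();

        MembershipUser user = Membership.GetUser(userID);
        if (user == null)
        {
            // Security logic for account creation: only provision on the fly
            // when the deployment has opted in; otherwise require approval first.
            if (!autoProvision)
                return Outcome.NotProvisioned;

            // The password is never used in the smart-card flow; generate an
            // unguessable one so the account cannot be used via the normal form.
            string randomPassword = Membership.GeneratePassword(24, 4); // assumed length
            MembershipCreateStatus status;
            user = Membership.CreateUser(userID, randomPassword,
                                         upn /* assumption: UPN doubles as e-mail */,
                                         null, null, true, out status);
            if (status != MembershipCreateStatus.Success)
                throw new InvalidOperationException("Provisioning failed: " + status);

            Roles.AddUserToRole(userID, "Visitors"); // assumed least-privilege role
        }

        // Honour approval/lockout state held by the provider.
        if (!user.IsApproved || user.IsLockedOut)
            return Outcome.NotProvisioned;

        // Non-persistent cookie: the session ends with the browser, so the card
        // has to be presented again on the next visit.
        FormsAuthentication.RedirectFromLoginPage(userID, false);
        return Outcome.LoggedIn;
    }
}
```

In the page's Page_Load, call `SmartCardLogin.Authenticate(Request, autoProvision: false)` and render a specific message for every outcome other than LoggedIn; the NoUpn case in particular deserves its own text, because the fix is for the user to pick the authentication certificate from the card rather than to contact the help desk.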


Conclusions

  • For SmartCard authentication to work properly, it relies heavily on the surrounding Windows networking infrastructure that it resides within

  • SmartCard authentication can be done several different ways depending on the surrounding infrastructure

  • SmartCards work well when the user base understands their responsibility in upholding IA.


Question and Answer


Contact Us

  • Dan Usher

    • [email protected]

    • http://www.sharepointdan.com

    • @usher

  • Joel Ward

    • [email protected]

    • http://joelsef.blogspot.com

    • @joelsef

