2. Who we are…
What we’ve seen…
Security Concerns in today’s world
Why SmartCards?
Authentication & Authorization of SharePoint
IIS and SmartCards
Implementation Considerations and Pitfalls
6. Dan Usher
MCP, MCTS, Security+
SharePoint Architect and Implementation /
Deployment Engineer
UVA - BS Physics
Joel Ward
MCP, MCAD
Solutions Developer and Architect
Penn State - BA Integrative Arts
7. Large and Small SharePoint implementations
Authentication schemas using SmartCard
authentication integrated with Active Directory
and third party SSO systems
Extranet Enabled SmartCard SharePoint systems
11. Stricter Password Policies
Resetting Passwords More Often
Password Enabled Screensavers
…disruptions in your daily work
…things aren’t quite as secure as they were
13. Simplicity… to the end user
Provides secure, tamper-resistant storage in a
physical token
Enables portability of credentials and private
information similar to other Federated
Identity…
…like OpenID, Facebook Connect, Google
OpenSocial, Microsoft Hailstorm
A PIN is used
…Security
14. Similar to a physical token
Contains the same information
It has an expiration date
It can be revoked
Provides for similar IA capabilities
However…
It can be exported
It can be shared
It can be purchased
It can be stolen
15. Authentication
IIS
Username & Password
Client Certificates
ISAPI Filters
Custom Membership Providers
Federation (ADFS or Third Party Identity Handler)
Authorization
SharePoint Groups and Permissions
AD / LDAP / Role Provider Security Groups
16. Handled by IIS and ASP.NET
Checks user against AD or other auth provider
Source: http://go.spdan.com/iisauth
Passes verification to IIS to proceed
ASP.NET Authentication
17. Smart card authentication flow (the slide's diagram, reconstructed as a sequence):
1) User attempts to access an IIS-based site that requires smart card authentication
2) User inserts smart card into reader
3) X.509 certificate on smart card with private key is verified locally
4) User enters PIN into middleware software prompt
5) PIN authenticates user to the card
6) Web server receives public key certificate and checks validity against CA CRL
7) Smart card's public key is retrieved from card and verified through trusted issuer
8) During authentication, a challenge based on the public key within the certificate is issued
9) Challenge verifies the card has a private key and that the private key can be leveraged
10) Public key / private key authentication has occurred: verified
11) User's identity from certificate UPN is used to reference user in AD
12) IIS receives user's identity and hands them to SharePoint
13) SharePoint verifies user's authorization to the specific site
14) Virtual Path Provider directs user to the appropriate site
15) Site is rendered to the end user
18. Option 0: SharePoint on an Intranet with
integrated authentication
Option 1: SharePoint in a DMZ with client
certificates and AD integration
Option 2a: SharePoint published through
Internet Security and Acceleration (ISA) Server
Option 2b: SharePoint published through
Intelligent Application Gateway (IAG) Server
Option 3: Custom Membership Provider
19. SharePoint is Intranet based only
Client Desktop utilizes the “SmartCard Enabled
Login Required” security policy setting
SharePoint utilizing Integrated Windows
authentication
Kerberos or NTLM
21. Intranet only situation
Need to be within the network boundary for
authentication tokens to pass properly
User’s account must be linked to their
SmartCard user principal name
Certificate Authority (CA) availability for CRL
check may affect system availability
22. Web Server in DMZ
Utilize Authentication Store (AD)
IIS Configured to Require Client Certificate
Relatively easy to configure
23. Install a SSL certificate that belongs to a
managed PKI environment
Within IIS in the specific web
application, enable:
Require Secure Channel (SSL)
Require 128-bit encryption (optional)
Require client certificate
Certificate Revocation List (CRL) ports open
LDAP or LDAP-S
28. OCSP or CRL checking could cause
authentication to fail if CRL is not available
Depending on number of requests, CRL
checking could cause server load
Puts server in DMZ, increases attack surface
area – wfetch will show your SharePoint Version
User’s account must be linked to their
SmartCard user principal name
User selecting certificate that does not contain
UPN
29. Internet Security and Acceleration 2006 (ISA)
Server Web Site Publishing with Constrained
Kerberos Delegation
Internal Windows Networking Infrastructure
system utilizing Kerberos
Users authenticate to their client machine using
different account than SmartCard linked to their
AD user object
30. Windows XP + Office 2007 requires a hot fix to
allow for documents to open using ISA
Increases authentication requirements for
external facing or extranet systems
User’s account must be linked to their
SmartCard user principal name
Multi-Forest trusts do not always work
Reauthentication issues
Only leverages Active Directory
31. Intelligent Application Gateway (IAG) Server
Publishing Web Front End Server
Similar to Option 2a (ISA Server), but better
experience for the end user
Stable session - Prevents constant requests for
re-authorization using SmartCard
Allows for NAP like capabilities
Allows for mapping to something other than AD
32. Additional hardware to maintain
Current IAG is a hardware appliance
IAG 2007 available as a virtual machine for
demonstration purposes
Future IAG will potentially be available as software
and hardware
IAG -> Forefront Unified Access Gateway (UAG)
Costly
Requires authenticating to IAG dashboard
33. Custom Membership provider for SmartCard
IIS or SSO/ISAPI filter handshakes with the
SmartCard
Does not require Active Directory: Can use
LDAP, SQL Server, or another authentication
provider
34. Custom SharePoint login page (using Forms
Based Authentication) completes the login
process seamlessly without user input
Can optionally create user account on the
fly, based on SmartCard credentials
Can add in logic for account approval, different
access levels based on SmartCard
credentials, etc.
35. Requires additional configuration in SharePoint
Requires custom development
If requiring client certificate in IIS (instead of
SSO or ISAPI filter), OCSP or CRL checking could
cause authentication to fail if CRL is not
available
Must secure server if in DMZ
Must add in appropriate security logic to
custom login page
36. 1) Configure domain name and SSL certificate for
web application
2) Implement Forms Based Authentication with
SharePoint using appropriate membership and
role provider (AD, LDAP, ASPNET, etc.)
3) Configure IIS to accept client certificates (or
custom SSO)
4) Create custom login page for SharePoint
_layouts folder
37. //Get client certificate and appropriate user ID
HttpClientCertificate cert = Request.ClientCertificate;
string userID = cert.Get("[fieldname]");
//If the user is not yet known to the membership provider, create it and add to Visitor role
MembershipUser user = Membership.GetUser(userID);
if (user == null)
{
    user = Membership.CreateUser(userID, [randomPassword], [email]);
    Roles.AddUserToRole(userID, "Visitors");
}
//User exists in membership provider: login using FBA
if (user != null && user.UserName == userID)
    FormsAuthentication.RedirectFromLoginPage(userID, false);
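A hardened version of the login-page logic above, as an added example (not the presenters' code): it assumes IIS is already requiring client certificates (step 3), an ASP.NET membership and role provider is configured (step 2), and a hypothetical SmartCardLogin page in _layouts. It reads the UPN from the certificate's Subject Alternative Name and fails closed on certificates without one, which is the mapping failure slide 28 warns about.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Security;
using System.Web.UI;
// Hypothetical code-behind for a custom FBA login page in _layouts (added example, not the deck's code).
public partial class SmartCardLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // IIS populates this only when "Require client certificate" is on and the TLS handshake succeeded.
        HttpClientCertificate clientCert = Request.ClientCertificate;
        if (!clientCert.IsPresent || !clientCert.IsValid)
        {
            FailLogin("no valid client certificate presented");
            return;
        }
        // Re-parse the raw DER bytes so the UPN can be read from the Subject Alternative Name.
        X509Certificate2 cert = new X509Certificate2(clientCert.Certificate);
        string upn = cert.GetNameInfo(X509NameType.UpnName, false);
        // Pitfall from slide 28: a certificate without a UPN cannot be mapped to an account, so fail closed.
        if (string.IsNullOrEmpty(upn))
        {
            FailLogin("certificate has no UPN in its SAN");
            return;
        }
        MembershipUser user = Membership.GetUser(upn);
        if (user == null)
        {
            // Optional on-the-fly provisioning (slide 34): random, never-disclosed password; the card is the credential.
            MembershipCreateStatus status;
            user = Membership.CreateUser(upn, Membership.GeneratePassword(32, 8), upn, null, null, true, out status);
            if (status != MembershipCreateStatus.Success) { FailLogin("provisioning failed: " + status); return; }
            Roles.AddUserToRole(upn, "Visitors");
        }
        else if (!user.IsApproved)
        {
            FailLogin("account pending approval"); // account-approval hook from slide 34
            return;
        }
        FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
    }
    private void FailLogin(string reason)
    {
        // Record the reason server-side; the client only sees a generic 403.
        System.Diagnostics.Trace.TraceWarning("SmartCard login rejected: {0}", reason);
        Response.StatusCode = 403;
        Response.End();
    }
}
```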
38. For SmartCard authentication to work
properly, it relies heavily on the surrounding
Windows networking infrastructure that it
resides within
SmartCard authentication can be done several
different ways depending on the surrounding
infrastructure
SmartCards work well when the user base
understands its responsibility in upholding IA.
40. Dan Usher
dan@spdan.com
http://www.sharepointdan.com
@usher
Joel Ward
joel@wardworks.com
http://joelsef.blogspot.com
@joelsef