Smart Card Authentication


  1. Dan Usher, Joel Ward
  2. Who we are…; What we’ve seen…; Security concerns in today’s world; Why SmartCards?; Authentication & Authorization of SharePoint; IIS and SmartCards; Implementation considerations and pitfalls
  3. Dan Usher: MCP, MCTS, Security+; SharePoint Architect and Implementation / Deployment Engineer; UVA - BS Physics. Joel Ward: MCP, MCAD; Solutions Developer and Architect; Penn State - BA Integrative Arts
  4. Large and small SharePoint implementations; authentication schemas using SmartCard authentication integrated with Active Directory and third party SSO systems; extranet-enabled SmartCard SharePoint systems
  5. Cyber Security; Identity Theft; Phishing; Information Assurance
  6. Strong Passwords; Web of Trust; Two Factor Authentication; Biometrics
  7. Confidentiality; Integrity; Authenticity; Availability; Non-repudiation
  8. Stricter password policies (resetting passwords more often; password-enabled screensavers) …disruptions in your daily work …things aren’t quite as secure as they were
  9. Simplicity… (Source: http://go.spdan.com/pki)
  10. Simplicity… to the end user. Provides a secure, tamper-resistant storage physical token. Enables portability of credentials and private information, similar to other Federated Identity… like OpenID, Facebook Connect, Google OpenSocial, Microsoft Hailstorm. A PIN is used… Security
  11. Similar to a physical token: contains the same information; it has an expiration date; it can be revoked; provides for similar IA capabilities. However… it can be exported; it can be shared; it can be purchased; it can be stolen
  12. Authentication: IIS (Username & Password; Client Certificates; ISAPI Filters; Custom Membership Providers; Federation (ADFS or third party identity handler)). Authorization: SharePoint groups and permissions; AD / LDAP / Role Provider security groups
  13. Handled by IIS and ASP.NET: checks user against AD or other auth provider; passes verification to IIS to proceed; ASP.NET Authentication (Source: http://go.spdan.com/iisauth)
  14. Authentication flow (the slide is a diagram; its boxes read as follows):
      - User attempts to access IIS-based site that requires smart auth
      - User inserts smart card into reader
      - User enters PIN into middleware software prompt; PIN authenticates user to the card
      - X.509 certificate on smart card with private key verified locally
      - Smart card’s public key is retrieved from card and verified through trusted issuer
      - Web server receives public key certificate and checks validity against CA CRL
      - During authentication, challenge issued based on public key within certificate; challenge verifies the card has a private key and that the private key can be leveraged
      - Public key – private key authentication verified; authentication has occurred
      - User’s identity from certificate UPN used to reference user in AD
      - IIS receives user’s identity and hands them to SharePoint
      - Virtual Path Provider directs user to appropriate site
      - SharePoint verifies user’s authorization to specific site
      - Site is rendered to the end user
  15. Option 0: SharePoint on an intranet with integrated authentication. Option 1: SharePoint in a DMZ with client certificates and AD integration. Option 2a: SharePoint published through Internet Security and Acceleration (ISA) Server. Option 2b: SharePoint published through Intelligent Application Gateway (IAG) Server. Option 3: Custom membership provider
  16. Option 0: SharePoint is intranet-based only; client desktop utilizes the “SmartCard Enabled Login Required” security policy setting; SharePoint utilizing Integrated Windows authentication (Kerberos or NTLM)
  17. Intranet-only situation: need to be within the network boundary for authentication tokens to pass properly; user’s account must be linked to their SmartCard user principal name; Certificate Authority (CA) availability for CRL check may affect system availability
  18. Option 1: web server in DMZ; utilize authentication store (AD); IIS configured to require client certificate; relatively easy to configure
  19. Install an SSL certificate that belongs to a managed PKI environment. Within IIS in the specific web application, enable: Require Secure Channel (SSL); Require 128-bit encryption (optional); Require client certificate. Certificate Revocation List (CRL) ports open; LDAP or LDAP-S
  20. OCSP or CRL checking could cause authentication to fail if the CRL is not available; depending on number of requests, CRL checking could cause server load; puts server in DMZ, increases attack surface area – wfetch will show your SharePoint version; user’s account must be linked to their SmartCard user principal name; user selecting a certificate that does not contain a UPN
  21. Option 2a: Internet Security and Acceleration 2006 (ISA) Server web site publishing with constrained Kerberos delegation; internal Windows networking infrastructure system utilizing Kerberos; users authenticate to their client machine using a different account than the SmartCard linked to their AD user object
  22. Windows XP + Office 2007 requires a hotfix to allow documents to open through ISA; increases authentication requirements for external-facing or extranet systems; user’s account must be linked to their SmartCard user principal name; multi-forest trusts do not always work; reauthentication issues; only leverages Active Directory
  23. Option 2b: Intelligent Application Gateway (IAG) Server publishing web front end server; similar to Option 2a (ISA Server), but better experience for the end user; stable session - prevents constant requests for re-authorization using SmartCard; allows for NAP-like capabilities; allows for mapping to something other than AD
  24. Additional hardware to maintain: current IAG is a hardware appliance; IAG 2007 available as a virtual machine for demonstration purposes; future IAG will potentially be available as software and hardware; IAG -> Forefront Unified Access Gateway (UAG). Costly. Requires authenticating to IAG dashboard
  25. Option 3: custom membership provider for SmartCard; IIS or SSO/ISAPI filter handshakes with the SmartCard; does not require Active Directory: can use LDAP, SQL Server, or another authentication provider
  26. Custom SharePoint login page (using Forms Based Authentication) completes the login process seamlessly without user input; can optionally create user account on the fly, based on SmartCard credentials; can add in logic for account approval, different access levels based on SmartCard credentials, etc.
  27. Requires additional configuration in SharePoint; requires custom development; if requiring client certificate in IIS (instead of SSO or ISAPI filter), OCSP or CRL checking could cause authentication to fail if the CRL is not available; must secure server if in DMZ; must add appropriate security logic to custom login page
  28. Steps: 1) Configure domain name and SSL certificate for web application. 2) Implement Forms Based Authentication with SharePoint using appropriate membership and role provider (AD, LDAP, ASPNET, etc.). 3) Configure IIS to accept client certificates (or custom SSO). 4) Create custom login page for SharePoint _layouts folder
  29. Custom login page excerpt (the transcript’s `quot;` entities are repaired to quotes; bracketed values are the slide’s own placeholders; the existence check is moved before `CreateUser`, which throws on a duplicate user name):

      ```csharp
      // Get client certificate and the user ID carried in it
      HttpClientCertificate cert = Request.ClientCertificate;
      string userID;
      userID = cert.Get("[fieldname]");

      // Create new user and add to Visitor role, only if the account is not
      // there yet (Membership.CreateUser throws on a duplicate user name)
      if (Membership.GetUser(userID) == null)
      {
          MembershipUser user = Membership.CreateUser(userID, [randomPassword], [email]);
          Roles.AddUserToRole(userID, "Visitors");
      }

      // If user exists in membership provider, login using FBA
      if (Membership.GetUser(userID).UserName == userID)
          FormsAuthentication.RedirectFromLoginPage(userID, false);
      ```
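As an added example (not code from the deck or its authors), the slide 29 login-page logic rewritten to handle the pitfalls the deck lists on slides 20 and 27: a selected certificate that carries no UPN, a revocation check that must fail closed when the CRL or OCSP responder is unreachable, and create-on-first-use that does not throw when the account already exists. It assumes an ASP.NET 2.0 page in the SharePoint `_layouts` folder, IIS configured to require client certificates (slide 19), and a configured FBA membership and role provider (slide 28). The class name `SmartCardLogin`, the helper `TryGetUpnFromClientCertificate`, and the use of the UPN as the account’s e-mail address are assumptions; the role name `Visitors` comes from slide 29.

```csharp
// Added example, not code from the deck. Hardened version of the slide 29 login
// page for an ASP.NET 2.0 / SharePoint 2007 _layouts page. Assumes IIS is set to
// "Require client certificate" (slide 19) and that a Forms Based Authentication
// membership and role provider are configured (slide 28). Class and helper names
// are hypothetical.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class SmartCardLogin : Page
{
    private const string DefaultRole = "Visitors"; // role name used on slide 29

    protected void Page_Load(object sender, EventArgs e)
    {
        string upn;
        if (!TryGetUpnFromClientCertificate(Request.ClientCertificate, out upn))
        {
            // No usable certificate: refuse instead of falling back to a guessed ID.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Create on first use (slide 26). Membership.CreateUser throws on a
        // duplicate user name, so look the account up first.
        MembershipUser user = Membership.GetUser(upn);
        if (user == null)
        {
            // The card is the credential and the password is never typed, so a
            // random one that satisfies the provider's policy is sufficient.
            string randomPassword = Membership.GeneratePassword(24, 4);
            user = Membership.CreateUser(upn, randomPassword, upn); // e-mail = UPN is an assumption
        }
        if (!Roles.IsUserInRole(upn, DefaultRole))
            Roles.AddUserToRole(upn, DefaultRole);

        // Approval and lockout are where the "account approval" logic of
        // slide 26 plugs in.
        if (!user.IsApproved || user.IsLockedOut)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        FormsAuthentication.RedirectFromLoginPage(upn, false);
    }

    // Reads the UPN from the client certificate's Subject Alternative Name and
    // re-checks revocation, failing closed (slides 20 and 27) when the CRL or
    // OCSP responder cannot be reached.
    private static bool TryGetUpnFromClientCertificate(HttpClientCertificate clientCert, out string upn)
    {
        upn = null;

        // IIS fills this in only after a successful TLS client-certificate
        // handshake; IsValid reflects IIS's own chain validation.
        if (clientCert == null || !clientCert.IsPresent || !clientCert.IsValid)
            return false;

        X509Certificate2 cert = new X509Certificate2(clientCert.Certificate);

        // Pitfall from slide 20: the user picked a certificate (for example an
        // e-mail signing certificate) that carries no UPN in its SAN.
        string candidate = cert.GetNameInfo(X509NameType.UpnName, false);
        if (string.IsNullOrEmpty(candidate))
            return false;

        // Online revocation check over the whole chain. If the CRL or OCSP
        // responder is down, Build returns false and login is denied, which is
        // the availability trade-off the deck calls out on slide 17.
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        if (!chain.Build(cert))
            return false;

        upn = candidate;
        return true;
    }
}
```

Reading the UPN with `GetNameInfo(X509NameType.UpnName, false)` ties the SharePoint account to the same name the deck uses to link the card to the AD user object (slides 17, 20, 22), rather than to a free-text subject field whose contents vary by issuer. The revocation check duplicates what IIS already does at the handshake, but it runs on every login-page hit, so a card revoked after a long-lived TLS session was established is still refused.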
  30. For SmartCard authentication to work properly, it relies heavily on the surrounding Windows networking infrastructure that it resides within. SmartCard authentication can be done several different ways depending on the surrounding infrastructure. SmartCards work well when the user base understands their responsibility in upholding IA.
  31. Dan Usher: dan@spdan.com, http://www.sharepointdan.com, @usher. Joel Ward: joel@wardworks.com, http://joelsef.blogspot.com, @joelsef
