Installation Guide: SmartSignatur AD Integration

v 1.2

Components and supported installations

SmartSignatur Server

SmartSignatur Server runs core services, including user information and integration with Certificate Authorities.

IDM Active Directory Driver

The IDM Active Directory Driver defines the policies for matching and data synchronization between SmartSignatur and Active Directory.

Remote Loader and Driver Shim

Remote Loader is the integration component needed for SmartSignatur to communicate with Active Directory.

Password Filter

Password filters are optional; they are only needed if SmartSignatur must receive the user’s password on password reset or password change.

Password filters catch a password change in clear text and send the password, encrypted, to SmartSignatur through the IDM Active Directory Driver and the policies defined there.

Supported Windows Versions

Windows Server 2019 (64-bit), Windows Server 2016 (64-bit), Windows Server 2012 R2 (64-bit), Windows Server 2012 (64-bit), Windows Server 2008 R2 (64-bit), or Windows Server 2008 SP2 (32-bit and 64-bit)

NOTE: The Active Directory driver supports the domain functional levels of all the Windows Server platforms listed above.

Supported Installations

AD DC server configuration

The integration can work on a single server domain and run directly on the Domain Controller. This installation type is mostly used on small on-prem installations.

AD Member server configuration

The integration can work on a member server in the domain. This installation type is mostly used in medium and large on-prem installations and in SaaS installations, where no components are installed on the Domain Controllers because Remote Loader runs on a member server.

Preparing Active Directory

Importing Root Certificates in Active Directory

The CA from Nets-DanID must be configured as a Trusted Root CA in the domain.

Enable the option:

Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certificate Authorities

Right click and select “Import”.

Click “Next”.

 

Click “Browse”.

Select the “Nets_2408_CA.crt” file.

Click “Next”.

Click “Next”.

Click “Finish”.

Click “OK”.

Enable the option:

Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Intermediate Certificate Authorities

Right click and select “Import”.

Click “Next”.

Click “Browse”.

Select the “Nets_2408_CA_III.crt” file.

Click “Next”.

Click “Next”.

Click “Finish”.

Click “OK”.
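The following PowerShell script is an added verification step and is not part of the SmartSignatur guide. After the GPO has applied on a domain member, it checks that the root certificate landed in the Trusted Root store and the intermediate in the Intermediate store, since placing either file in the wrong store breaks chain building for smart card logon. It assumes the two .crt files from the installation set are in the current directory; the parameter names and the function name are this example’s own.

```powershell
# Added verification script; not part of the SmartSignatur guide.
# Assumes the two .crt files shipped with the installation set are in the current
# directory (override the parameters otherwise) and that the GPO has already been
# applied to this machine (run "gpupdate /force" first if it has not).
function Test-NetsCaDeployment {
    param(
        [string]$RootCertPath         = '.\Nets_2408_CA.crt',
        [string]$IntermediateCertPath = '.\Nets_2408_CA_III.crt'
    )

    # Each file belongs in its own store: the root CA in "Root" (Trusted Root
    # Certification Authorities), the issuing CA in "CA" (Intermediate CAs).
    $expected = @(
        @{ Path = $RootCertPath;         Store = 'Root'; Other = 'CA' }
        @{ Path = $IntermediateCertPath; Store = 'CA';   Other = 'Root' }
    )

    foreach ($item in $expected) {
        $fullPath = (Resolve-Path -Path $item.Path).Path
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath

        # The Cert: provider addresses certificates by thumbprint, so Test-Path is enough.
        $inExpectedStore = Test-Path -Path ("Cert:\LocalMachine\{0}\{1}" -f $item.Store, $cert.Thumbprint)
        $inOtherStore    = Test-Path -Path ("Cert:\LocalMachine\{0}\{1}" -f $item.Other, $cert.Thumbprint)

        [pscustomobject]@{
            File             = $item.Path
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            ExpectedStore    = $item.Store
            Present          = $inExpectedStore
            AlsoInOtherStore = $inOtherStore
            ExpiresOn        = $cert.NotAfter
        }
    }
}

Test-NetsCaDeployment | Format-Table -AutoSize
```

Run it on a domain-joined client and on a domain controller; both must show Present = True for both rows before smart card logon is tested. A root certificate that only shows up as AlsoInOtherStore = True (in the Intermediate store) is not trusted, which is the most common reason the logon chain fails after this section.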

Configuration of SCLogonEKUNotRequired

Disable the “Extended Key Usage” requirement on smart card logon.

Browse to: Computer Configuration\Preferences\Windows Settings\Registry

Right click and select “New Registry Item”.

Configure the following key.

Configure Smart Card logon on clients

Enable the option:

Computer Configuration\Policies\Administrative Templates\Windows Components\Smart Card

Enable these three settings:

“Allow certificates with no extended…”

“Allow signature Keys Valid for Logon”

“Force the reading of all certificates…”
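The following PowerShell script is an added audit step, not part of the SmartSignatur guide, covering both the SCLogonEKUNotRequired registry item and the three client Smart Card policy settings above. The registry paths and value names are assumptions taken from Microsoft’s smart card policy documentation (the guide’s own screenshot of the registry item is not reproduced here), so confirm them against the Group Policy editor before relying on the result. The function name is this example’s own.

```powershell
# Added audit script; not part of the SmartSignatur guide.
# Registry locations are ASSUMPTIONS from Microsoft's smart card policy documentation,
# not from the guide; verify them against your own GPO before relying on this.
$ClientPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider'
$KdcKey          = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

function Get-SmartCardLogonSettings {
    $expected = @(
        # Client-side policies from "Windows Components\Smart Card" (DWORD 1 = enabled)
        @{ Role = 'Client'; Key = $ClientPolicyKey; Name = 'AllowCertificatesWithNoEKU';  Setting = 'Allow certificates with no extended key usage certificate attribute' }
        @{ Role = 'Client'; Key = $ClientPolicyKey; Name = 'AllowSignatureOnlyKeys';      Setting = 'Allow signature keys valid for Logon' }
        @{ Role = 'Client'; Key = $ClientPolicyKey; Name = 'ForceReadingAllCertificates'; Setting = 'Force the reading of all certificates from the smart card' }
        # KDC-side value delivered by the registry preference item in the guide (DWORD 1)
        @{ Role = 'DC';     Key = $KdcKey;          Name = 'SCLogonEKUNotRequired';      Setting = 'KDC accepts logon certificates without the Smart Card Logon EKU' }
    )

    foreach ($e in $expected) {
        # SilentlyContinue: a missing key or value is reported as "not configured" ($null)
        $value = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        [pscustomobject]@{
            Role    = $e.Role
            Setting = $e.Setting
            Value   = $value
            Enabled = ($value -eq 1)
        }
    }
}

Get-SmartCardLogonSettings | Format-Table -AutoSize
```

Run it on a client to check the three Client rows and on a domain controller to check the DC row. Keep in mind what these settings do: they widen the set of certificates the logon stack will accept, so the trusted root and intermediate configuration from the previous section is what keeps logon bound to Nets-DanID-issued certificates; treat the four rows as a set and review them together.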

Creating an Administrative Account

At a minimum, this account must have “Read” and “Replicating Directory Changes” rights at the root of the domain. “Write” rights are needed on every object the integration modifies; they can be restricted to the containers and attributes that are in use.
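The following PowerShell script is an added least-privilege check and is not part of the SmartSignatur guide. It reads the ACEs granted directly to the integration account on the domain root, confirms “Replicating Directory Changes” is present, and flags rights the guide does not ask for (“Replicating Directory Changes All”, GenericAll) and membership in privileged groups. It assumes the RSAT ActiveDirectory module; the two GUIDs are the well-known control-access-right identifiers, the function name and the sample account name are this example’s own.

```powershell
# Added audit script; not part of the SmartSignatur guide.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive used by Get-Acl).
Import-Module ActiveDirectory

# Well-known control-access-right GUIDs, identical in every forest
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'   # Replicating Directory Changes All

function Get-IntegrationAccountRights {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domain  = Get-ADDomain
    $user    = Get-ADUser -Identity $SamAccountName
    $account = "{0}\{1}" -f $domain.NetBIOSName, $user.SamAccountName

    # Allow ACEs granted directly to the account on the domain root.
    # Rights inherited through group membership are deliberately not resolved here.
    $acl   = Get-Acl -Path ("AD:\" + $domain.DistinguishedName)
    $rules = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and $_.AccessControlType -eq 'Allow'
    }

    $hasExtendedRight = {
        param($guid)
        [bool]($rules | Where-Object {
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)   # Empty GUID = all extended rights
        })
    }

    # Nested membership via LDAP_MATCHING_RULE_IN_CHAIN, so indirect membership is caught too
    $groups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
              Select-Object -ExpandProperty Name
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators') |
                  Where-Object { $groups -contains $_ }

    [pscustomobject]@{
        Account                     = $account
        ReplicatingDirectoryChanges = (& $hasExtendedRight $ReplGetChanges)      # required by the guide
        ReplicatingChangesAll       = (& $hasExtendedRight $ReplGetChangesAll)   # not required; should be False
        GenericAllOnDomainRoot      = [bool]($rules | Where-Object { $_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll })
        PrivilegedGroupMembership   = ($privileged -join ', ')
    }
}

# Usage; the account name is a placeholder for the account created in this section
Get-IntegrationAccountRights -SamAccountName 'svc-smartsignatur' | Format-List
```

The expected result is ReplicatingDirectoryChanges = True with the other three fields False or empty. “Write” rights on the containers the integration touches are scoped per object and are not covered by this root-level check; inspect those containers separately with the same Get-Acl pattern.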

Creating GPOs for Smart Card Only Logon

Note: this configuration is optional.

To force smart card users to log on with the smart card, a GPO with the following settings must apply to them.

Start Group Policy Manager

Select Group Policy Objects

Right click and select “Add”.

Name the policy.

Right click the new policy and select “Edit”.

Enable the option:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon: Require smart card

Set the removal to the desired option:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Interactive Logon: Smart Card Removal Option

Note: the Smart Card Removal Policy service needs to be running on the client.

Smart Card Removal Policy on Clients

For clients to detect the removal of smart cards, the “Smart Card Removal Policy” service needs to be running; this can be configured using Group Policy.

Browse to:

Computer Configuration\Preferences\Windows Settings\Registry

Right click and select “New Registry Item”.
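The following PowerShell script is an added client-side check, not part of the SmartSignatur guide, for the two preceding sections: it reports the state of the Smart Card Removal Policy service and the configured removal option, and whether the two together actually take effect. The registry locations are assumptions based on where Windows stores service start types and the “Smart card removal behavior” security option (the guide’s registry item screenshot is not reproduced here); the function name is this example’s own.

```powershell
# Added check script for a client; not part of the SmartSignatur guide.
# Registry locations are ASSUMPTIONS about where Windows keeps service start types
# and the "Smart card removal behavior" option; confirm against your GPO.
function Get-SmartCardRemovalState {
    # Service name of "Smart Card Removal Policy"
    $svc       = Get-Service -Name 'SCPolicySvc' -ErrorAction SilentlyContinue
    $startType = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SCPolicySvc' -Name 'Start' -ErrorAction SilentlyContinue).Start
    $startText = switch ("$startType") {
        '2'     { 'Automatic' }
        '3'     { 'Manual' }
        '4'     { 'Disabled' }
        default { 'Unknown' }
    }

    # "Interactive logon: Smart card removal behavior" is stored as a REG_SZ under Winlogon
    $option = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name 'ScRemoveOption' -ErrorAction SilentlyContinue).ScRemoveOption
    $optionText = switch ("$option") {
        '0'     { 'No action' }
        '1'     { 'Lock workstation' }
        '2'     { 'Force logoff' }
        '3'     { 'Disconnect Remote Desktop session' }
        default { 'Not configured' }
    }

    [pscustomobject]@{
        ServiceStatus    = $(if ($svc) { $svc.Status } else { 'Not installed' })
        ServiceStartType = $startText
        RemovalOption    = $optionText
        # Removal only has an effect when an action is configured AND the service is running
        Effective        = [bool]($svc -and $svc.Status -eq 'Running' -and ("$option" -in '1', '2', '3'))
    }
}

Get-SmartCardRemovalState
```

Effective = False with a configured option and a stopped service is exactly the case the note above warns about: the policy is set, but nothing on the client acts on card removal until the service runs.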

Creating an Issuance Policy to Identify SmartSignatur Logon in SSO/ADFS

Note: this configuration is optional.

This section enables dynamic groups: users are automatically added as members of a security group based on the method used for the initial logon. The groups can be used for claims in ADFS or other federated solutions.

The membership of the security group is only present in the user’s Kerberos token and not set in Active Directory.

The federation product used must be configured to verify user membership of the two dynamic groups “IssuranceLevel2” and “IssuranceLevel3”:

  • Users that have authenticated to the Windows desktop with username/password will be members of the dynamic group “IssuranceLevel2”.

  • Users that have authenticated to the Windows desktop with certificate/PIN from Nets/DanID will be members of the dynamic group “IssuranceLevel3”.

Overview of the Kerberos ticket architecture:

The PowerShell script below lists the security groups present in the user’s Kerberos ticket:

To configure the dynamic groups, open the Certificate Template Management Console and create the SmartSignatur Issuance Policy by following these 10 simple steps:

To create the groups and assign the policies run the “SmartSignatur.ps1” PowerShell script from folder “/AD-IssuancePolicy” in the installation set.

For more information on this topic, please refer to Microsoft’s description of Authentication Mechanism Assurance: http://technet.microsoft.com/en-us/library/dd378897(v=WS.10).aspx
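The following PowerShell script is an added example for this section. It is neither the script the guide refers to above nor the SmartSignatur.ps1 from the installation set. It reads the group SIDs in the current process token, which is where the dynamic IssuranceLevel2/IssuranceLevel3 memberships live, and reports which assurance level the current logon carries. The function names are this example’s own; the group names are the ones the guide defines.

```powershell
# Added example; not the guide's own script and not SmartSignatur.ps1.
# Reads the current process token: the dynamic memberships exist only there,
# never on the group objects in Active Directory.
function Get-TokenGroups {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        # Translation fails for SIDs that no longer resolve; keep the raw SID in that case
        $name = try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Get-SmartSignaturAssuranceLevel {
    $names = Get-TokenGroups | Select-Object -ExpandProperty Name
    # Resolved names have the form DOMAIN\group, so anchor on the backslash and the group name
    if     ($names -match '\\IssuranceLevel3$') { 'IssuranceLevel3: certificate/PIN (smart card) logon' }
    elseif ($names -match '\\IssuranceLevel2$') { 'IssuranceLevel2: username/password logon' }
    else                                         { 'No SmartSignatur assurance group in this token' }
}

Get-TokenGroups | Sort-Object Name | Format-Table -AutoSize
Get-SmartSignaturAssuranceLevel
```

Run it inside the user’s own interactive session, once after a password logon and once after a smart card logon; each should show the matching level and never both. Because the membership is only in the ticket, querying the group object itself (for example with Get-ADGroupMember) will always return an empty member list; that is expected and not a configuration fault.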

Installation

Remote Loader Installation

Download link will be supplied by Liga.

Unzip or mount the ISO.

Start idm_install.exe in the path \products\IDM\Windows\setup

Select Language and “OK”

Click “Next”

Read the License Agreement and scroll to the bottom, accept the license agreement and click “Next”.

Deselect all components and select only “NetIQ Identity Manager Connected System Server (64-bits)”.

Click “Next”.

NOTE: on Windows Server 2008 SP2 (32-bit), select the 32-bit version.

Click “OK”.

NOTE: The license is included in the SmartSignatur Product.

Click “Next”.

Select your preferred links.

Click “Install”.

Wait for the installation to finish.

Click “Done”.

AD Shim Configuration

Start the “Identity Manager Remote Loader Console”.

Click “Add”.

Enter a name in the “Description” field.

Select ADDriver.dll in Driver.

Set a Remote Loader Password and a Driver Object Password; the same passwords must be configured on the SmartSignatur Server.

Select “Use an SSL Connection” and browse to the CA Certificate exported from the SmartSignatur server.

Select Trace Level 7 and change the log file if needed.

Set the log file size to 20 MB; this splits the log into 10 files of 2 MB each and rolls the logs automatically.

Click “OK”.

The Remote Loader instance is now created and can be stopped/started using the Remote Loader Console or using Windows Services.

Click “Yes” to start it now.

Password Filter Installation

This part of the installation is optional and only needed if users must authenticate to SmartSignatur with the same password as in Active Directory.

Start the “Identity Manager PassSync” from Control Panel.

Start control panel.

In the search box type “pas”.

Start “Identity Manager PassSync”.

Select “YES” if this is the same server the Remote Loader is running on.

Select “NO” if this is a DIFFERENT server from the one the Remote Loader is running on.

Select “Add”.

If a message pops up: click “OK” and set the DNS domain name on the next screen. If there is no message, skip the next screen and continue.

NOTE: this is often caused by an RPC or DNS error in the domain or on the DCs.

Type the DNS domain name and click “OK”.

Select the domain and click “Filters…”.

Select each DC and Click “Add”.

Each DC needs to reboot after the filter is installed.

DCs can be restarted manually or using the Identity Manager PassSync tool.

The filters on all DCs need to be running.
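The following PowerShell script is an added verification step and is not part of the SmartSignatur guide. It visits every domain controller, reads the LSA “Notification Packages” list (the list of password filter DLLs LSA loads at boot), reports whether the expected filter is registered, and shows the last boot time so a DC that still needs the reboot stands out. It assumes the RSAT ActiveDirectory module and PowerShell remoting to the DCs; the filter name is a placeholder, since the guide does not state it, and the function name is this example’s own.

```powershell
# Added verification script; not part of the SmartSignatur guide.
# Assumes the RSAT ActiveDirectory module and PowerShell remoting to every DC.
# The filter name is a PLACEHOLDER: read the entry the PassSync installer added to
# "Notification Packages" on one finished DC and pass that name in.
Import-Module ActiveDirectory

function Get-DcPasswordFilterState {
    param([Parameter(Mandatory)][string]$ExpectedFilter)

    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    Invoke-Command -ComputerName $dcs -ScriptBlock {
        # LSA loads password filters from this REG_MULTI_SZ value at boot; an entry
        # added after boot stays inactive until the DC restarts (hence LastBoot below).
        $packages = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'Notification Packages').'Notification Packages'
        $lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
        [pscustomobject]@{
            DomainController     = $env:COMPUTERNAME
            NotificationPackages = ($packages -join ', ')
            FilterRegistered     = ($packages -contains $using:ExpectedFilter)
            LastBoot             = $lastBoot
        }
    } | Select-Object DomainController, NotificationPackages, FilterRegistered, LastBoot
}

# Usage with the placeholder filter name
Get-DcPasswordFilterState -ExpectedFilter 'PLACEHOLDER_FILTER_NAME' | Format-Table -AutoSize
```

Every DC should show FilterRegistered = True and a LastBoot later than the time the filter was installed on it. Since each DLL in this list sees password changes in clear text, the list should contain only the packages you put there (the Windows default entry plus the PassSync filter); an entry nobody can account for warrants investigation before the rollout continues.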