
CRYPTO-Logon for Windows Quick Reference

340 March Road, Suite 600
Kanata, Ontario, Canada K2K 2E4
Tel: +1-613-599-2441
Fax: +1-613-599-2442
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
www.cryptocard.com

Please check the CRYPTOCard web site for updates to this and other documentation.


Table of Contents

Overview ..... 1
  Modes of Operation ..... 3
  User Experience ..... 3
  Disconnected Authentication ..... 4

Installation ..... 5
  Installation Prerequisites ..... 5
  Installation Procedure ..... 5

CRYPTO-Logon Authentication Process ..... 6
  Install the CRYPTO-Logon Domain Controller package ..... 8

CRYPTO-Logon for Domain Authentication ..... 9
  Logon to a LAN ..... 9
  Enabling Static Passwords for the Administrator Account (Active Directory) ..... 10

CRYPTO-Logon for Terminal Server ..... 11

CRYPTO-Logon for OWA ..... 13
  Installation ..... 13

CRYPTO-Logon for IIS 6.0 ..... 15

CRYPTO-Logon for Citrix on Windows ..... 19
  CRYPTO-Logon Citrix Server/Client agent ..... 19

CRYPTO-Logon Citrix Web Interface Agent ..... 21
  Installation ..... 21

CRYPTO-Logon Citrix Secure Access Manager Agent ..... 24
  Installation ..... 24
  Uninstall CRYPTO-Logon Components ..... 25

Edit CRYPTO-Logon Registry Keys ..... 26
  Client-side Registry Keys ..... 26
  Domain Controller Registry Keys ..... 26
  Related Documentation ..... 27


License and Warranty Information

CRYPTOCard Inc and its affiliates retain all ownership rights to the computer program described in this manual and other computer programs offered by the company (hereinafter called CRYPTOCard) and any documentation accompanying those programs. Use of CRYPTOCard software is governed by the license agreement accompanying your original media. CRYPTOCard software source code is a confidential trade secret of CRYPTOCard. You may not attempt to decipher, de-compile, develop, or otherwise reverse engineer CRYPTOCard software, or allow others to do so. Information needed to achieve interoperability with products from other manufacturers may be obtained from CRYPTOCard upon request.

This manual, as well as the software described in it, is furnished under license and may only be used or copied in accordance with the terms of such license. The material in this manual is furnished for information use only, is subject to change without notice, and should not be construed as a commitment by CRYPTOCard. CRYPTOCard assumes no liability for any errors or inaccuracies that may appear in this document. Except as permitted by such license, no part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, recording or otherwise, without the prior written consent of CRYPTOCard.

CRYPTOCard reserves the right to make changes in design or to make changes or improvements to these products without incurring the obligation to apply such changes or improvements to products previously manufactured. The foregoing is in lieu of all other warranties expressed or implied by any applicable laws. CRYPTOCard does not assume or authorize, nor has it authorized any person to assume for it, any other obligation or liability in connection with the sale or service of these products.

In no event shall CRYPTOCard or any of its agents be responsible for special, incidental, or consequential damages arising from the use of these products or arising from any breach of warranty, breach of contract, negligence, or any other legal theory. Such damages include, but are not limited to, loss of profits or revenue, loss of use of these products or any associated equipment, cost of capital, cost of any substitute equipment, facilities or services, downtime costs, or claims of customers of the Purchaser for such damages. The Purchaser may have other rights under existing federal, state, or provincial laws in the USA, Canada, or other countries or jurisdictions, and where such laws prohibit any terms of this warranty, they are deemed null and void, but the remainder of the warranty shall remain in effect.

Customer Obligation

Shipping Damage: The Purchaser must examine the goods upon receipt and any visible damage should immediately be reported to the carrier so that a claim can be made. Purchasers should also notify CRYPTOCard of such damage. The customer should verify that the goods operate correctly and report any deficiencies to CRYPTOCard within 30 days of delivery. In all cases, the customer should notify CRYPTOCard prior to returning goods. Goods returned under the terms of this warranty must be carefully packaged for shipment to avoid physical damage using materials and methods equal to or better than those with which the goods were originally shipped to the Purchaser. Charges for insurance and shipping to the repair facility are the responsibility of the Purchaser. CRYPTOCard will pay return charges for units repaired or replaced under the terms of this warranty.

Copyright

Copyright © 2006, CRYPTOCard Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of CRYPTOCard Inc.

Trademarks

CRYPTOCard, CRYPTO-Server, CRYPTO-Web, CRYPTO-Kit, CRYPTO-Logon, and CRYPTO-VPN are either registered trademarks or trademarks of CRYPTOCard Inc. Java is a registered trademark of Sun Microsystems, Inc.; Microsoft Windows and Windows XP/2000/2003/NT are registered trademarks of Microsoft Corporation. SecurID is a registered trademark of RSA Security. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date              Changes
August 21, 2006   Initial release


Additional Information, Assistance, or Comments

CRYPTOCard's technical support specialists can provide assistance when planning and implementing CRYPTOCard in your network. In addition to aiding in the selection of the appropriate authentication products, CRYPTOCard can suggest deployment procedures that provide a smooth, simple transition from existing access control systems and a satisfying experience for network users. We can also help you leverage your existing network equipment and systems to maximize your return on investment. This complimentary support service is available from your first evaluation system download.

CRYPTOCard works closely with channel partners to offer worldwide Technical Support services. If you purchased this product through a CRYPTOCard channel partner, please contact your reseller directly for support needs.

To contact CRYPTOCard directly:
International Voice: +1-613-599-2441
North America Toll Free: 1-800-307-7042
[email protected]

For information about obtaining a support contract, see our Support Web page at http://www.cryptocard.com.

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides:

http://www.cryptocard.com/index.cfm?PID=364&PageName=Support%20%26%20Downloads


Overview

The CRYPTO-Logon for Microsoft® Windows® two-factor authentication solution is designed to help Microsoft enterprise customers ensure that valuable network resources are accessible only by authorized users, whether working remotely or inside the firewall. It delivers a simplified and consistent user login experience, virtually eliminates help-desk calls related to password management, and helps organizations comply with regulatory requirements.

Using two-factor authentication, rather than traditional static passwords alone, to access a Windows environment is a necessary and critical step for information security.

CRYPTO-Logon for Microsoft Windows provides organizations with the following:

• Stronger Security - CRYPTO-Logon for Microsoft Windows provides enhanced security when the user is online and connected to the network, or offline, by using one-time passcodes. It provides protection against the clear and present threat of security breaches from both outside and within the firewall, ensuring that only legitimate users gain network access.

• Ease-of-Use - CRYPTO-Logon for Microsoft Windows provides a simple, consistent logon procedure for users logging on to their desktop. Through CRYPTOCard’s extensive support of industry standards, this solution extends to provide seamless integration for VPN, WLAN, Web and application access solutions from industry leaders such as Citrix and Cisco.

• Compliance/Auditing - CRYPTO-Logon for Microsoft Windows complements Microsoft Windows auditing and reporting with detailed access logs and reports that can help companies meet compliance requirements for industry and government regulations, such as HIPAA, Sarbanes-Oxley, or Gramm-Leach-Bliley.

CRYPTO-Logon for Microsoft Windows is a complete solution that enforces token authentication for all domain access points, including domain logon, IIS, OWA, Terminal Server, and Citrix. Once fully implemented, only users who have been issued a CRYPTOCard token will be able to gain access to the protected Windows network, systems, or resources.

CRYPTO-Logon authenticates exclusively to CRYPTO-Server software contained within the Active Directory domain controller, but not every workstation within the domain has to use CRYPTO-Logon, nor must all users be assigned a token. CRYPTO-Logon implementations support the concurrent use of both legacy Microsoft static password protection and CRYPTOCard's strong two-factor authentication, for different users within the domain. This enables a staged migration of users to CRYPTO-Logon, as/when convenient and appropriate. Once migrated, a user must use the CRYPTOCard token to generate a one-time password when accessing the domain from any point. At this point, the user enjoys a simple, consistent logon procedure.

A CRYPTO-Logon protected domain is depicted below:

• The CRYPTO-Logon Domain Controller package (#1 in the diagram below) is installed on all Domain Controllers.

• The CRYPTO-Logon Desktop client (2) is installed on all clients requiring domain authentication. The CRYPTO-Logon Desktop client is also installed on the Terminal Services server and any Terminal Services clients.

• The CRYPTO-Logon OWA 2003 agent (3) is installed on the OWA/Exchange Server.

• The CRYPTO-Logon IIS 6.0 agent (4) is installed on the IIS 6.0 Server.

• The CRYPTO-Logon Citrix for Windows agent (5) is installed on the Terminal Services server (after it has a fully functional Citrix Metaframe Presentation Server installed) and any Citrix for Windows clients.

• The CRYPTO-Logon Citrix for Windows Web Interface agent (6) is installed on the Citrix Web Interface 3.0/4.0 Server.

• The CRYPTO-Logon Citrix for Windows Secure Access Manager 2.2 agent (7) is installed on the system running the Citrix Secure Gateway Service and Logon Agent 2.2.

In a CRYPTO-Logon network, entities with native RADIUS protocol support can communicate with the CRYPTO-Server, out-of-the-box. Entities/clients that do not have a native RADIUS capability are integrated into the CRYPTO-Logon solution through the addition of “agent” software, which imparts the capability to communicate with the CRYPTO-Server.


Modes of Operation

There are three modes of operation for CRYPTO-Logon. The mode of operation is selected during installation and is never changed. You must select the same mode on the Domain Controller, Terminal Services Server, and all clients. CRYPTO-Logon will not function if there is a mismatch of operation modes among network elements. The modes of operation are:

Mode: Static Password Mode
Description: In Static Password Mode, each user authenticates with a token-generated one-time password and then logs on with their static domain password. The user is prompted for the static domain password every time they log on.

Mode: Password Manager Mode
Description: In Password Manager Mode, each user authenticates with a token-generated one-time password and then logs on with their static domain password. The user is prompted for the static domain password only the first time they log on. Subsequently, CRYPTO-Logon acts as a password manager, furnishing the password to the domain controller as required. However, the user will be prompted to supply a new password if/when Active Directory enforces password-change policies.

Mode: One-Time Password Mode

CRYPTO-Logon for Windows in One-Time Password Mode is not compatible with applications where static password support is built into the application and is not extracted from the user’s cached credentials. For example, CRYPTO-Logon in this mode does not support Outlook Express, Mozilla Thunderbird, or any mail client using POP. CRYPTO-Logon for Windows is compatible with OWA and Outlook running IMAP.

User Experience

When a user presses Ctrl-Alt-Delete or inserts an SC-1 Smart Card token, they are presented with a CRYPTO-Logon authentication dialog. If the user’s token is in QUICKLog mode, the user must enter:

• User name

• PIN or Password

• Domain Controller name

For hardware tokens in Challenge-response mode, the user must enter:

• User name

• A single space in the Password field

• Domain Controller name

A challenge will be displayed. The user then enters the challenge in their hardware token to obtain a response. Click Ok to remove the challenge dialog and enter the response in the Password field.

For software tokens in Challenge-response mode, the challenge-response process is handled by the application invisibly; the user only needs to enter their PIN.

For details about QUICKLog and Challenge-response token operation, see the CRYPTO-Server 6.4 Administrator’s Manual.


After a successful authentication with the CRYPTO-Server, the logon process will act in one of the following ways, depending on what mode of operation was selected during the install:

• Static Password Mode: A dialog will appear prompting the user for their static domain password.

• Password Manager Mode: A dialog will appear prompting the user for their static domain password, the first time they log on. Subsequently, the user will not be asked for their domain password - it will be automatically read from a file in the user’s home directory.

• One-Time Password Mode: The user will not be asked for their domain password – it will be automatically changed in Active Directory after every log on.

If a token with a user-changeable PIN requires a PIN change, a dialog will prompt the user to enter and confirm the new PIN, and then to authenticate with the new PIN.

If there is a server-side PIN change, a dialog will inform the user of the new PIN and prompt the user to authenticate with the new PIN.

Disconnected Authentication

CRYPTO-Server 6.4 supports disconnected authentication; that is, the facility for a user to log on with a CRYPTOCard one-time password when there is no connection to the CRYPTO-Server. For details about enabling and configuring disconnected authentication, see the CRYPTO-Server 6.4 Administrator’s Manual.

The CRYPTO-Logon desktop client permits end-user workstations that may be offline periodically to authenticate. The normal CRYPTO-Logon authentication process requires that the user furnish a token-generated one-time password for transmission to the CRYPTO-Server. When offline, there is no communication with the domain controller or CRYPTO-Server, only the local CRYPTO-Logon agent. However, two-factor authentication is preserved: the user must have the token, and must know a PIN.

Disconnected authentication is supported in all three CRYPTO-Logon for Windows modes of operation (Static Password, Password Manager, and One-time Password), with any account using any type of token in QUICKLog mode.

The token can be enabled (i.e. using one-time passwords for logon) or disabled (i.e. using a static password for logon). However, disconnected authentication logon can only be done with a one-time password if the last logon before disconnecting from the network was done with a one-time password. If the last logon before disconnecting was done with a static password, the user can log on with either a one-time password or static password.

Tokens in Challenge-response mode are not supported.

Conditions When Disconnected Authentication Does Not Work

Disconnected authentication does not work under the following conditions:

• The client is using Terminal Services or Citrix.

• The user has been assigned more than one token.
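As an added illustration (not part of the CRYPTOCard manual), the following Python collects the disconnected-authentication rules stated in this section into one policy check, so the edge cases (credential used for the last online logon, token mode, multiple tokens, Terminal Services/Citrix sessions) can be exercised together. The context fields, class names and function names are assumptions made for this example; they are not CRYPTO-Logon settings or registry values.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class TokenMode(Enum):
    QUICKLOG = "QUICKLog"
    CHALLENGE_RESPONSE = "Challenge-response"


class Credential(Enum):
    ONE_TIME_PASSWORD = "one-time password"
    STATIC_PASSWORD = "static password"


@dataclass(frozen=True)
class OfflineLogonContext:
    """State the local agent would need for an offline decision.

    Field names are assumptions made for this example, not product settings.
    """
    token_mode: TokenMode
    last_online_logon: Credential   # credential used for the last logon before disconnecting
    tokens_assigned: int = 1        # number of tokens assigned to the user
    terminal_services_or_citrix: bool = False  # session is Terminal Services or Citrix


def disconnected_auth_supported(ctx: OfflineLogonContext) -> tuple[bool, str]:
    """Apply the conditions under which disconnected authentication does not work at all."""
    if ctx.terminal_services_or_citrix:
        return False, "Terminal Services and Citrix clients are not supported"
    if ctx.tokens_assigned > 1:
        return False, "user is assigned more than one token"
    if ctx.token_mode is not TokenMode.QUICKLOG:
        return False, "only tokens in QUICKLog mode are supported"
    return True, "disconnected authentication available"


def allowed_offline_credentials(ctx: OfflineLogonContext) -> frozenset[Credential]:
    """Credentials accepted offline, derived from the last logon made while online."""
    supported, _ = disconnected_auth_supported(ctx)
    if not supported:
        return frozenset()
    if ctx.last_online_logon is Credential.ONE_TIME_PASSWORD:
        # Last online logon used a one-time password: only a one-time password works offline.
        return frozenset({Credential.ONE_TIME_PASSWORD})
    # Last online logon used a static password: either credential is accepted offline.
    return frozenset({Credential.ONE_TIME_PASSWORD, Credential.STATIC_PASSWORD})


def evaluate_offline_logon(ctx: OfflineLogonContext, presented: Credential) -> tuple[bool, str]:
    """Decide whether an offline logon attempt with the presented credential type is accepted."""
    supported, reason = disconnected_auth_supported(ctx)
    if not supported:
        return False, reason
    if presented in allowed_offline_credentials(ctx):
        return True, f"{presented.value} accepted offline"
    return False, (f"{presented.value} rejected: last online logon used "
                   f"{ctx.last_online_logon.value}")


if __name__ == "__main__":
    # Constructed scenarios, one per rule in the section above.
    scenarios = [
        ("QUICKLog, last logon OTP, tries OTP",
         OfflineLogonContext(TokenMode.QUICKLOG, Credential.ONE_TIME_PASSWORD),
         Credential.ONE_TIME_PASSWORD),
        ("QUICKLog, last logon OTP, tries static",
         OfflineLogonContext(TokenMode.QUICKLOG, Credential.ONE_TIME_PASSWORD),
         Credential.STATIC_PASSWORD),
        ("QUICKLog, last logon static, tries OTP",
         OfflineLogonContext(TokenMode.QUICKLOG, Credential.STATIC_PASSWORD),
         Credential.ONE_TIME_PASSWORD),
        ("Challenge-response token",
         OfflineLogonContext(TokenMode.CHALLENGE_RESPONSE, Credential.ONE_TIME_PASSWORD),
         Credential.ONE_TIME_PASSWORD),
        ("two tokens assigned",
         OfflineLogonContext(TokenMode.QUICKLOG, Credential.ONE_TIME_PASSWORD, tokens_assigned=2),
         Credential.ONE_TIME_PASSWORD),
        ("Citrix session",
         OfflineLogonContext(TokenMode.QUICKLOG, Credential.ONE_TIME_PASSWORD,
                             terminal_services_or_citrix=True),
         Credential.ONE_TIME_PASSWORD),
    ]
    for label, ctx, presented in scenarios:
        accepted, reason = evaluate_offline_logon(ctx, presented)
        print(f"{label:40s} -> {'ACCEPT' if accepted else 'DENY  '} ({reason})")
```

The point worth noticing is that an offline static-password logon is only ever possible when the last online logon already used a static password, so keeping users on one-time passwords while online also keeps them on one-time passwords when disconnected.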


Installation

Installation Prerequisites

• CRYPTO-Server 6.4 installed and registered

• CRYPTO-Console 6.4

• A Windows 2003 Server with SP1 installed is functioning as the domain controller

• One or more users exist in CRYPTO-Server and have assigned, operational tokens

• If using JDBC, the username in the CRYPTO-Server system must be identical to the username in Active Directory

Individual CRYPTO-Logon components may also have platform and/or CRYPTOCard token requirements/restrictions. Please refer to the relevant installation section for details.

Installation Procedure

CRYPTO-Logon for Windows components should be installed in the following order:

1. CRYPTO-Logon Domain Controller package (on all domain controllers)

2. Appropriate CRYPTO-Logon Desktop Client package (on all clients requiring domain authentication)

• The CRYPTO-Logon.exe package is installed on CRYPTO-Logon clients, the Terminal Services server, and Terminal Services clients

• The CRYPTO Logon for Citrix.exe package is installed on the Terminal Services Server/Citrix Metaframe Presentation Server and Citrix clients

3. CRYPTO-Logon agents for all of the following, if present in the domain:

• OWA with Exchange 2003 and form-based, SSL-enabled logon

• IIS 6.0

• Citrix for Windows Web Interface 3.0/4.0

• Citrix for Windows Secure Access Manager (MSAM and Logon Agent 2.2)


CRYPTO-Logon Authentication Process

The figure below illustrates the CRYPTO-Logon authentication process. In this example, we assume a user is trying to access Citrix Web Interface using a software token. The process is essentially the same for the other CRYPTO-Logon for Windows agents (i.e. the desktop client agent, Terminal Server agent, OWA agent, IIS 6.0 agent, Citrix for Windows Presentation Server agent, and Citrix for Windows Secure Access Manager agent).

1. The user enters the Citrix Web Interface URL into the browser.

2. The Citrix Web Interface logon page appears. In this case, the user has a software token so the following fields appear:

• Username (this field is grayed out since a software token is being used)

• Domain (this may already be set in the Citrix configuration, and so may not appear)

• PIN

• Token (this field is auto-populated since a software token is being used)

• Manual Mode checkbox (toggles between hardware and software token mode)

3. The user enters their CRYPTOCard PIN, and domain (if required), and then clicks Log In. The software token will verify the PIN; if successful, a one-time passcode will be generated.

4. The Citrix Web Interface server sends the authentication request to the CRYPTO-Logon domain controller package installed on the Windows 2003 SP1 Domain Controller (via TCP port 5742).

5. The CRYPTO-Logon domain controller package sends the authentication request to the CRYPTO-Server (using the CAP protocol on UDP port 624), which verifies the one-time passcode. If the passcode verification fails or the LDAP account (if used) is disabled, the request is denied.


6. The final step depends on which mode of operation was selected for CRYPTO-Logon:

• In Static Password Mode, if the one-time password is accepted, the CRYPTO-Server responds with an Access Accept message to the CRYPTO-Logon domain controller package. The user is then prompted to enter their Windows domain password, which is handled by Microsoft as usual. If this logon is successful, the user is able to log on to the domain (and therefore the Citrix Web Interface authentication will succeed).

• In One-Time Password Mode, if the one-time password is accepted and the LDAP account (if used) is enabled, the CRYPTO-Server responds with an Access Accept message to the CRYPTO-Logon domain controller package, which generates a new Windows password. The new Windows password is then set on the domain controller, enabling the user to log on to the domain (and therefore the Citrix Web Interface authentication will succeed).


Install the CRYPTO-Logon Domain Controller package

The CRYPTO-Logon Domain Controller.exe package must be installed first (i.e. before any other CRYPTO-Logon components).

1. Using the native Microsoft Add/Remove Programs tool, install CRYPTO-Logon Domain Controller.exe. This package should be installed on all Domain Controllers.

2. A CRYPTOCard software license agreement appears. Review the license agreement to ensure that you wish to Accept. Select the appropriate radio button.

3. Enter the IP or Hostname of the primary and secondary CRYPTO-Server. If there is only one CRYPTO-Server installed, the same entry can be used in both fields. Ensure that the Organization Name matches the setting in CRYPTO-Server. The Port entry specifies the CRYPTO-Logon communications port (5742 by default). Click Next to continue.

4. Select the CRYPTO-Logon mode of operation. This setting determines system operation and cannot be changed later. You will also need to ensure that you select the same mode when installing other CRYPTO-Logon components. For more information about the modes of operation, see Modes of Operation on page 3.

5. Follow the prompts to Install, Finish, and Restart.

6. Once installed, the CRYPTO-Logon domain controller package sends authentication requests to the CRYPTO-Server using the CAP protocol on UDP port 624. For details about configuring the CAP protocol, see the CRYPTO-Server 6.4 Administrator's Manual.


CRYPTO-Logon for Domain Authentication

The CRYPTO-Logon desktop client replaces Microsoft’s logon window on end-user client workstations to provide strong, two-factor domain authentication. It eliminates the use of static passwords and replaces them with one-time passwords.

Note: The Active Directory Administrator account cannot be assigned a CRYPTOCard token of any type.

Logon to a LAN

1. Ensure the CRYPTO-Logon Domain Controller package has been installed on all Domain Controllers.

2. Using the native Microsoft Add/Remove Programs tool, install CRYPTO-Logon.exe on all end-user workstations. A CRYPTOCard software license agreement is displayed. Review the license agreement to ensure that you wish to Accept. Select the appropriate radio button.

3. You will be prompted to enter the Port over which CRYPTO-Logon communicates (5742 by default). This must be the same port selected during the domain controller agent installation. Click Next to continue.

4. Select a radio button to indicate whether this is a Terminal Services server, client, or non-Terminal Services client (see CRYPTO-Logon for Terminal Server on page 11). Click Next to continue.

5. Select a radio button to configure the CRYPTO-Logon mode of operation. This must be the same mode selected during the domain controller agent installation. Click Next to continue.

6. Select a radio button to configure with/without software token support. Click Next to continue.

7. Select a radio button to configure with/without smart card token support. Click Next to continue. If you install with smart card support, the computer will either Lock or Log off when the smart card is removed. You will be prompted to select one of these options.


8. Click Install. Note the warning that appears in the Wizard at this point: if you have installed in One-Time Password mode, you must activate your software token or smart card before restarting your system. Otherwise your system will be locked by CRYPTO-Logon.

9. Restart after ensuring your software or smart card token has been activated. The CRYPTO-Logon desktop client logon window is shown here:

Enabling Static Passwords for the Administrator Account (Active Directory)

The Active Directory Administrator account cannot be assigned a CRYPTOCard token of any type.

If you want the Administrator account to log on to the domain via a CRYPTO-Logon enabled desktop client, the CRYPTO-Console must have been set to Allow user to authenticate and the Active Directory Administrator account tab must be filled in properly:

Navigate to Active Directory Users and Computers.

1. Select the Administrator account, right-click, and select Properties.

2. Select the Account tab. Fill in the User Logon Name and drop-down menu fields.


CRYPTO-Logon for Terminal Server

Microsoft Terminal Server provides functionality that is analogous to that provided by a Citrix solution. Terminal Server gives client computers access to Windows-based programs installed on terminal servers. In this way, a single point of installation can be leveraged to allow multiple, remote users to access Windows desktops, where they can run programs, save files, and use network resources. The CRYPTO-Logon desktop client can be installed on the Terminal Server to replace the Windows logon mechanism with two-factor authentication and one-time passwords. This is the same install package as is used for non-Terminal Services clients (see CRYPTO-Logon for Domain Authentication).

1. Ensure the CRYPTO-Logon Domain Controller package has been installed on all Domain Controllers.

2. Using the native Microsoft Add/Remove Programs tool, install CRYPTO-Logon.exe on all end-user workstations.

3. A CRYPTOCard software license agreement appears. Review the license agreement to ensure that you wish to Accept. Select the appropriate radio button. You will be prompted to enter the Port over which CRYPTO-Logon communicates (5742 by default). This must be the same port selected during the domain controller agent installation. Click Next to continue.

4. Select a radio button to indicate whether this is a Terminal Services server or client. Click Next to continue.

5. Select a radio button to configure the CRYPTO-Logon mode of operation. This must be the same mode selected during the domain controller agent installation. Click Next to continue.

6. Select a radio button to configure with/without software token support. Click Next to continue.

7. Select a radio button to configure with/without smart card token support. Click Next to continue. If you install with smart card support, the computer will either Lock or Log off when the smart card is removed. You will be prompted to select one of these options.

8. Click Install. Note the warning that appears in the Wizard at this point: You must activate your software token or smart card before restarting your system. Otherwise your system will be locked by CRYPTO-Logon.

9. Restart after ensuring your software or smart card token has been activated. To avoid a Terminal Services user remotely shutting down the system, you must define which users/groups have permission to shut down the Terminal Server. On the server, select Security Settings|Local Policies|User Rights Assignment. Modify the Shut down the system policy to include only the users or groups that will be permitted to shut down the system. Refer to Microsoft Windows documentation for more information.


CRYPTO-Logon for OWA

The CRYPTO-Logon OWA agent enables strong two-factor authentication for the Microsoft OWA 2003 Logon form, thereby protecting Outlook resources (i.e. Exchange 2003) that are accessed via the Web. The CRYPTO-Logon OWA agent requires an existing OWA form-based logon installation.

The CRYPTO-Logon OWA agent can be configured to run in either Static Password or One-Time Password mode. The mode of operation is determined at installation time and must be consistent with the mode setting for the CRYPTO-Logon for Domain Controller.exe agent, as described below:

Mode: Static Password mode
Description: In this mode, the user must provide both a one-time password and a static Windows password for validation. This mode of operation is used when the CRYPTO-Logon for Domain Controller.exe agent was installed in Static Password or Password Manager mode. Note that even if the Password Manager mode was selected, the OWA Web agent will prompt the user for their static password.

Mode: One-Time Password mode
Description: In this mode, the user is only prompted for their one-time password. This mode of operation is used when the CRYPTO-Logon for Domain Controller.exe agent was installed in One-Time Password mode.

Installation

1. Ensure the CRYPTO-Logon Domain Controller package has been installed on all Domain Controllers.

2. Using the native Microsoft Add/Remove Programs tool, install CRYPTOCard Outlook Web Access.exe on the OWA/Exchange 2003 server.

3. A CRYPTOCard software license agreement appears. Review the license agreement to ensure that you wish to Accept. Select the appropriate radio button.

4. You will be prompted to select Static Password or One-Time Password mode.


5. You will be prompted to enter the CRYPTO-Logon Server IP Address and Port over which CRYPTO-Logon communicates (5742 by default). The port must be the same port configured on the domain controller. Click Next to continue.

6. Accept or change the default installation folder. This is the default path for the HTML OWA logon form.

7. Complete the Install. The logon form for a hardware token in One-Time Password mode is shown here. In Static Password mode, there is an additional field for the Windows password.

The logon form for a software token in CRYPTO-Logon mode is shown here (in Static Password mode, there is an additional field for the Windows password). The User Name field is disabled and the Token field is automatically populated, based on the presence of the software token.

The user can check the Manual Mode checkbox to enter the hardware token logon mode; the logon form also defaults to hardware token mode if the USB/smart card is removed or ActiveX is not supported by the browser.


CRYPTO-Logon for IIS 6.0

The CRYPTO-Logon CCISAPI.exe agent is a filter for single, multiple, and virtual Windows Server 2003 Web servers running Microsoft IIS 6.0. This agent enables IIS to communicate with the CRYPTO-Server to ensure that all Web traffic is processed by CRYPTO-Logon. This solution supports OWA access to Microsoft Exchange Server 2003; however, the solution is independent of Exchange, so Exchange does not have to be installed on the Web server.

This solution is only appropriate and required for those domains that are protected by CRYPTO-Logon in the One-Time Password mode. The CCISAPI.exe agent is not required for domains using the Static Password or Password Manager modes. Use of the CCISAPI.exe agent in CRYPTO-Logon domains operating in these modes is unsupported.

The IIS agent intercepts all requests for protected Web server assets from a user’s Internet Explorer or Firefox browser. It allows access to a requested resource only after authenticating the user and verifying that the user is authorized to receive the requested resource, as per standard CRYPTO-Logon operation. It can be configured to protect domain-name-based and IP-address-based virtual hosts. Client workstations may either be a member of the domain or outside of the domain.

The IIS agent maintains all existing pass-through and integrated authentication functionality. After the IIS agent is installed and anonymous access for a URL within IIS is disabled, CRYPTOCard’s two-factor authentication is enabled. In this way, IIS application servers, folders, and pages are protected, as is any IIS-referenced application.

1. Ensure the CRYPTO-Logon Domain Controller package has been installed on all Domain Controllers. The Web server must be part of the domain protected by CRYPTO-Logon (i.e. it must be either the domain controller itself and thus have the CRYPTO-Logon for Domain Controller.exe package installed, or more likely, have the CRYPTO-Logon.exe client software installed). Using the native Microsoft Add/Remove Programs tool, install CCISAPI.exe on the Windows Server 2003 Web server running Microsoft IIS 6.0.

2. A CRYPTOCard software license agreement appears. Review the license agreement to ensure that you wish to Accept. Select the appropriate radio button.

3. You will be prompted to enter the CRYPTO-Logon Server IP Address and Port over which CRYPTO-Logon communicates (5742 by default). Click Next to continue.


4. Enable or Disable automatic logon for Internet Explorer by selecting the appropriate radio button. If enabled, this feature allows Internet Explorer users who are logged into their domain to automatically authenticate with their cached credentials, thus bypassing the CRYPTOCard static logon page. These users must change their browser setting to use the Automatic logon with current username and password setting in the Security Setting dialog if this feature is enabled.

5. Accept or change the default installation folder.

6. Complete the Install. The solution will automatically protect any Web page on the server that requires authentication (e.g. OWA), but CRYPTOCard strong authentication can be enabled for any file or folder under the Web Sites folder:

7. Navigate to Administrative Tools|Internet Information Services (IIS) Manager.

8. To enable CRYPTOCard authentication, right-click on a file/folder (e.g. Sales) and select Properties. Select the Directory Security tab and click the Edit button in the Authentication and access control area.


9. The Authentication Methods window appears. Clear the Enable anonymous access checkbox. Check the Integrated Windows authentication checkbox. Click OK.

If the CRYPTOCard Software Tools software is not installed on the client, the user will always see a static HTML logon form:

If the CRYPTOCard Software Tools software is installed on the client but no software/USB/smart card token is detected, the user will be prompted to manually enter their logon name and OTP via a hardware token-like logon form. If the CRYPTOCard Software Tools software is installed on the client and a software/USB/smart card token is detected, the user need only enter their PIN via a software token logon form (the OTP is generated by the logon form):


The C:\Program Files\CRYPTOCard\CCISAPI\wwwroot folder contains customizable files that govern HTML logon window display and behavior:

• index.html: is the initial CRYPTO-Logon page presented to the user. The layout and images can be modified.

• reject.html: is the page that displays the Access Denied message. The layout and images can be modified.

• challenge.html: is the challenge/response page. The layout and images can be modified.

• getnewpin.html: is the page called if a server-side, server-changeable PIN change is detected. The layout and images can be modified.

• setnewpin.html: is the page called if a server-side, user-changeable PIN is detected. The layout and images can be modified.


CRYPTO-Logon for Citrix on Windows

Citrix provides on-demand enterprise-wide access to a personal desktop and application array, from geographically dispersed workstations. CRYPTO-Logon provides agents for Citrix Metaframe/Presentation Server (installed on the Terminal Server), Citrix Web Interface (WI), and Citrix Access Gateway/Metaframe Secure Access Manager.

Note: The CRYPTO-Logon for Citrix on Windows agents must be installed on an existing, fully functional Citrix system. Ensure that Citrix is fully functional before beginning the installation of CRYPTO-Logon for Citrix on Windows.

CRYPTO-Logon requires a minimum of 64K colors to display properly. Citrix defaults to 256 colors, so you must adjust the color depth accordingly in order for CRYPTO-Logon to display properly.

CRYPTO-Logon Citrix Server/Client agent

The CRYPTO Logon for Citrix.exe package is installed on both the Terminal Services server/Citrix Metaframe Presentation Server and all Citrix clients in the network.

The Citrix Metaframe Presentation Server is the foundation of all Citrix-based solutions. It enforces access control rules, delivers server-side applications to the middleware, interprets user input, and maintains a secure and separate user space for each individual logged in. The CRYPTO Logon for Citrix.exe package replaces the out-of-the-box Windows logon mechanism with two-factor authentication and one-time passwords, while retaining Metaframe Presentation Server’s environment authorization constraints and application settings.

1. Ensure the CRYPTO-Logon Domain Controller package has been installed on all Domain Controllers. Ensure that there is a fully functioning Citrix environment (i.e. all necessary Citrix components, such as the Citrix Metaframe Presentation Server, are installed on the Terminal Services server).

2. Using the native Microsoft Add/Remove Programs tool, install CRYPTO Logon for Citrix.exe.

3. A CRYPTOCard software license agreement appears. Review the license agreement to ensure that you wish to Accept. Select the appropriate radio button.


4. You will be prompted to enter the Port over which CRYPTO-Logon communicates (5742 by default). Click Next to continue.

5. Select the CRYPTO-Logon mode of operation. Ensure the mode selected is the same mode that was selected in the Install the CRYPTO-Logon Domain Controller package procedure.

6. Indicate whether you are installing on a Citrix Server or Client by selecting the appropriate radio button.

7. Select a radio button to indicate whether you would prefer to Lock or Log Off the system when an SC-1 smart card token is removed.

8. Select a radio button to Enable or Disable the shutdown button on the CRYPTO-Logon dialog.

9. Complete the Install/Finish/Restart.


CRYPTO-Logon Citrix Web Interface Agent

Citrix Web Interface presents a user’s desktop or a set of applications the group or user has been assigned, via a remote browser session. There are separate install packages for Citrix Web Interface 3.0 and 4.0. The CRYPTO-Logon Citrix Web Interface agent requires an existing Citrix Presentation Server running Web Interface.

The CRYPTO-Logon Citrix Web Interface agent can be configured to run in either Static Password or One-Time Password mode. The mode of operation is determined at installation time and must be consistent with the mode setting for the CRYPTO-Logon for Domain Controller.exe agent, as described below:

Mode: Static Password mode
Description: In this mode, the user must provide both a one-time password and a static Windows password for validation. This mode of operation sends the authentication request directly to the CRYPTO-Server.

Mode: One-Time Password mode
Description: In this mode, the user is only prompted for their one-time password. This mode of operation is used when the CRYPTO-Logon for Domain Controller.exe agent was installed in One-Time Password mode.

Installation

1. If selecting One-Time Password mode, ensure the CRYPTO-Logon Domain Controller package has been installed on all Domain Controllers.

2. Using the native Microsoft Add/Remove Programs tool, install CRYPTO-Logon for Citrix Web Interface 3.0.exe or CRYPTO-Logon for Citrix Web Interface 4.0.exe, as appropriate, on the Citrix for Windows Web Interface server.

3. A CRYPTOCard software license agreement appears. Review the license agreement to ensure that you wish to Accept. Select the appropriate radio button.

4. Select Static Password or One-Time Password installation mode.


5. If you are installing the CRYPTO-Logon for Citrix Web Interface 3.0.exe package (either mode) or the CRYPTO-Logon for Citrix Web Interface 4.0.exe package in One-Time Password mode, you will be prompted to enter the CRYPTO-Logon Server IP Address and Port over which CRYPTO-Logon communicates (5742 by default). The Port must be the same port configured on the domain controller. Click Next to continue.

If you are installing the CRYPTO-Logon for Citrix Web Interface 4.0.exe package in Static Password mode, you will be prompted to enter the IP address or hostname of at least one CRYPTO-Server, the user’s organization name, and a communication timeout. Click Next to continue.

6. Accept or change the default installation folder.

7. Complete the Install.

8. The CRYPTO-Logon for Citrix Web Interface 4.0 package sends the authentication request to the CRYPTO-Server using the CAP protocol on UDP port 624. For details about configuring the CAP Protocol, see the CRYPTO-Server 6.4 Administrator’s Manual.

9. After installation is complete, open the Citrix Web Interface Console and select Authentication. Under Explicit login settings, check the Enforce 2-factor authentication box and select the Cryptocard radio button. Click Save.

A logon window for a hardware token in One-Time Password mode is shown here. In Static Password mode, there is an additional field for the Windows password.

Manual Mode logon occurs when there is no ActiveX support on the system, the client’s browser does not support ActiveX controls, there are no software tokens available, or the user selects the Manual Mode checkbox.


Upon successful logon, the user will see their available resources:

If a PIN change is forced from the CRYPTO-Server, the user will see the PIN Change window:


CRYPTO-Logon Citrix Secure Access Manager Agent

Citrix Access Gateway (formerly Metaframe Secure Access Manager/MSAM) provides remote access to network resources and applications, including Web, client-server, peer-to-peer, video, and voice. The CRYPTOCard Citrix MSAM.exe agent provides CRYPTO-Logon support for all CRYPTOCard tokens.

The CRYPTOCard Citrix MSAM.exe agent must be installed on the system running the Citrix Secure Gateway Service and Logon Agent 2.2.

The CRYPTO-Logon Citrix Secure Access Manager agent can be configured to run in either Static Password or One-Time Password mode. The mode of operation is determined at installation time and must be consistent with the mode setting for the CRYPTO-Logon for Domain Controller.exe agent, as described below.

Mode: Static Password mode
Description: In this mode, the user must provide both a one-time password and a static Windows password for validation. This mode of operation is used when the CRYPTO-Logon for Domain Controller.exe agent was installed in Static Password or Password Manager mode. Note that even if the Password Manager mode was selected, the Citrix Secure Access Manager agent will prompt the user for their static password.

Mode: One-Time Password mode
Description: In this mode, the user is only prompted for their one-time password. This mode of operation is used when the CRYPTO-Logon for Domain Controller.exe agent was installed in One-Time Password mode.

Installation

1. Ensure the CRYPTO-Logon Domain Controller package has been installed on all Domain Controllers.

2. Using the native Microsoft Add/Remove Programs tool, install CRYPTOCard Citrix MSAM.exe on the system running the Citrix Secure Gateway Service and Logon Agent 2.2.


3. A CRYPTOCard software license agreement appears. Review the license agreement to ensure that you wish to Accept. Select the appropriate radio button.

4. You will be prompted to enter the CRYPTO-Logon Server IP Address and Port over which CRYPTO-Logon communicates (5742 by default). The Port must be the same port configured on the domain controller. Click Next to continue.

5. Accept or change the default installation folder and complete the install. A logon window for a hardware token in One-Time Password mode is shown here. In Static Password mode, there is an additional field for the Windows password.

Manual Mode logon occurs when there is no ActiveX support on the system, the client’s browser does not support ActiveX controls, there are no software tokens available, or the user selects the Manual Mode checkbox.

Uninstall CRYPTO-Logon Components

To uninstall any CRYPTO-Logon component, use the native Microsoft Windows Add/Remove Programs tool.


Edit CRYPTO-Logon Registry Keys

It is possible to edit CRYPTO-Logon Registry keys to alter the operation of an existing installation.

Be extremely careful when making any change to a Registry entry as inappropriate changes can cause the software to fail. Do not edit any keys other than those listed below.

Client-side Registry Keys

These keys are located under: HKEY_LOCAL_MACHINE|SOFTWARE|CRYPTOCARD|CRYPTOLOGON.

DWORD keys:

• port: the port used to communicate with the domain controller (default 5742)

• Timeout: the timeout for network operations (default 10 s)

• scremoveoption: determines the behavior when an SC-1 smart card token is removed (0 is lock and 1 is logoff)

STRING keys:

• OriginalGina: the name of the GINA DLL before CRYPTO-Logon installation

• SCLogon: 1 means SC-1 smart card tokens can be used for logon

• STLogon: 1 means ST-1 software tokens can be used for logon

Domain Controller Registry Keys

These keys are located under: HKEY_LOCAL_MACHINE|SOFTWARE|CRYPTOCARD|CRYPTOLOGON.

DWORD keys:

• cryptoKitMutexTimeout: the timeout for obtaining the mutex

• port: the port used to communicate with the domain controller (default 5742)

• cryptoTimeout: the timeout for CAP network operations


• scremoveoption: determines the behavior when an SC-1 smart card token is removed (0 is lock and 1 is logoff)

• systemLogon: binary; 1 allows system logons

• localLogon: binary; 1 allows local logons on the domain controller

• adminLogon: binary; 1 allows users with administrative privileges to log on without authenticating to the CRYPTO-Server

• csLogon: binary; 1 allows a user to log on from the PC that has the CRYPTO-Server installed on it, using a static password

• allowCryptocardUsersOnly: binary; 0 allows users from a PC with the MS GINA to log on

STRING keys:

• cryptoOrganization: the organization’s name

• cryptoLogonServer: the name of the CRYPTO-Logon server

• cryptServer1…32: up to 32 CRYPTO-Servers

• trustedCCDomainIPs: comma-separated list of trusted domain controllers’ IP addresses

• CLGroups: list of users who can bypass authentication with the CRYPTO-Server
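As an added example that is not part of the CRYPTOCard documentation: a Python script that parses regedit exports of the client-side and domain controller CRYPTOLOGON keys listed above, checks that the client port matches the domain controller port, and flags the settings whose values let a logon proceed without CRYPTO-Server authentication (adminLogon, csLogon, allowCryptocardUsersOnly, CLGroups). The two .reg exports are constructed sample data; the key names and meanings are those listed in this section.

```python
import re
from typing import Dict, List, Union

# Constructed regedit export of the domain controller key (sample data, not from the page).
# A real export saved by regedit is UTF-16 text: open(path, encoding="utf-16").read()
DC_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCARD\CRYPTOLOGON]
"port"=dword:0000166e
"scremoveoption"=dword:00000001
"adminLogon"=dword:00000001
"csLogon"=dword:00000000
"allowCryptocardUsersOnly"=dword:00000000
"trustedCCDomainIPs"="10.0.0.10,10.0.0.11"
"CLGroups"="Helpdesk"
"""

# Constructed export of a client-side key whose port differs from the domain controller.
CLIENT_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCARD\CRYPTOLOGON]
"port"=dword:00001670
"scremoveoption"=dword:00000000
"OriginalGina"="msgina.dll"
"SCLogon"="1"
"""

# One "name"=value line of a .reg file: either dword:XXXXXXXX or a quoted string.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dw>[0-9a-fA-F]{8})|"(?P<s>.*)")$')

# Domain controller DWORD values that allow a logon to skip CRYPTO-Server authentication.
BYPASS_VALUES = {"adminLogon": 1, "csLogon": 1, "allowCryptocardUsersOnly": 0}
DEFAULT_PORT = 5742


def parse_reg_export(text: str) -> Dict[str, Union[int, str]]:
    """Return {name: int-or-str} for the CRYPTOLOGON values in a .reg export."""
    values: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m is None:
            continue  # file header, blank line or [key path] line
        if m.group("dw") is not None:
            values[m.group("name")] = int(m.group("dw"), 16)  # dword is hex in .reg files
        else:  # undo the .reg escaping of quotes and backslashes in string values
            values[m.group("name")] = m.group("s").replace('\\"', '"').replace("\\\\", "\\")
    return values


def audit(dc: Dict[str, Union[int, str]], client: Dict[str, Union[int, str]]) -> List[str]:
    """Compare a domain controller export with a client export; list risky or inconsistent settings."""
    findings: List[str] = []
    dc_port, cl_port = dc.get("port", DEFAULT_PORT), client.get("port", DEFAULT_PORT)
    if dc_port != cl_port:  # the client agent must use the port configured on the domain controller
        findings.append(f"port mismatch: domain controller {dc_port}, client {cl_port}")
    for key, risky in BYPASS_VALUES.items():
        if dc.get(key) == risky:
            findings.append(f"{key}={risky}: allows logon without CRYPTO-Server authentication")
    if dc.get("CLGroups"):
        findings.append(f"CLGroups={dc['CLGroups']!r}: listed users bypass CRYPTO-Server authentication")
    if not [ip for ip in str(dc.get("trustedCCDomainIPs", "")).split(",") if ip.strip()]:
        findings.append("trustedCCDomainIPs is empty")
    for side, vals in (("domain controller", dc), ("client", client)):
        if "scremoveoption" in vals and vals["scremoveoption"] not in (0, 1):
            findings.append(f"{side} scremoveoption={vals['scremoveoption']}: must be 0 (lock) or 1 (logoff)")
    return findings
```

Run `audit(parse_reg_export(DC_REG_EXPORT), parse_reg_export(CLIENT_REG_EXPORT))` to list the findings for the sample exports; point the parser at real exports from each domain controller and client to audit an installation.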

Related Documentation

Refer to the Support & Downloads section of the CRYPTOCard website for additional documentation and interoperability guides.

http://www.cryptocard.com/index.cfm?PID=364&PageName=Support%20%26%20Downloads