© 2006-2011 Winfrasoft Corporation. All rights reserved. This publication is for informational purposes only. Winfrasoft makes no warranties, express or implied, in this summary. Winfrasoft and Winfrasoft HAS are trademarks of Winfrasoft Corporation. All other trademarks are property of their respective owners.
Winfrasoft HAS
Installation and Configuration Guide
Winfrasoft HAS for Microsoft Forefront UAG 2010
Published: October 2011
Applies to: Winfrasoft HAS (Build 2.0.2300.4)
Web site: http://www.winfrasoft.com
Email: [email protected]
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organisations, products,
domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious,
and no association with any real company, organisation, product, domain name, e-mail address,
logo, person, place or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user.
Winfrasoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written licence agreement from Winfrasoft, the furnishing of this document does not give you any
licence to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, UAG 2010, Windows and Windows Server are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Copyright © 2006-2011 Winfrasoft Corporation. All rights reserved.
Table of Contents 3
Introduction  4
  Considerations  4
    Server System Requirements  4
    Language Requirements  4
  Configuration Overview  4
  Licensing  5
    Running a trial  5
    Applying a new licence  5
Design and Deployment Scenarios  6
  Smartcard Technology  6
    Background  6
Deployment  7
  Overview  7
  Installing the Winfrasoft HAS Server  8
  Installing the Winfrasoft HAS Plug-in for UAG 2010  12
  Installing the Winfrasoft HAS Management Console  15
  Uninstalling Winfrasoft HAS  18
HAS Configuration on UAG 2010  20
  Configure IIS MIME Types (Internet only)  20
  Add a HAS Authentication Repository (Internet)  22
  Add a HAS Authentication Repository (N3)  24
  Configure a UAG Trunk to use HAS (Internet)  26
  Configure a UAG Trunk to use HAS (N3)  35
  Configure User Auto Provisioning without Self Service Password Reset  42
  Configure User Auto Provisioning with Self Service Password Reset  50
    Active Directory Configuration  50
    UAG 2010 Configuration  52
  Configure the TMG Firewall (N3 only)  59
Certificate Configuration  60
  Certificate Trust List Configuration  60
Winfrasoft HAS Management  62
Advanced Configuration  63
  HAS Registry Keys  63
    HAS Server / Appliance keys  63
    UAG Server / Appliance keys  64
Introduction

Winfrasoft HAS is a two-factor authentication and provisioning application that integrates
with Microsoft Forefront UAG 2010 to:
- Provide smart card two-factor authentication for NHS CRS cards.
- Provision smart card users into Microsoft Active Directory without AD schema
  extensions and without an AD integrated PKI.
- Provide integrated Self Service Password Reset capabilities to help reduce helpdesk costs,
  since users can securely prove who they are with their smart card.
- Integrate with the NHS Identity Agent and Spine.
Considerations

Server System Requirements

The minimum system requirements for Winfrasoft HAS are:
- Winfrasoft UAG Appliance or a server running Forefront UAG 2010
  o HAS supports UAG RTM, Update 1, Update 2, SP1 and SP1 Update 1.
- Winfrasoft HAS Appliance or Windows Server 2003 (SP2) or 2008 running IIS
- 32-bit / 64-bit PC with the Active Directory Users and Computers MMC snap-in
- Microsoft Active Directory
Language Requirements

Server

The Winfrasoft HAS MMC add-in is compatible with multi-lingual versions of Windows
Server 2003 / 2008; however, it is only available in English. Product support and
documentation are only available in English.
Configuration Overview

Prior to installation, ensure you have the following:
- A fully configured Winfrasoft Gateway Appliance running Forefront Unified Access
  Gateway 2010, including networking and portal configuration information.
- A Winfrasoft HAS Appliance or an available server running Windows Server 2003
  (SP2) or Windows Server 2008 to install the HAS Web Services onto.
- A valid Winfrasoft HAS licence file with sufficient licences for the deployment
  requirements. The installation includes 10 free licences.
- Smart cards and the appropriate smart card reader middleware (e.g.
  GemAuthenticate Client). This can be remotely installed via the login page.
- Optional: NHS Identity Agent if accessing from N3.
- A client test workstation on either the Internet, or on N3 with a functioning NHS
  Identity Agent installed.
Licensing

Winfrasoft HAS is licensed on a combination of a per-server basis and client access licences.
A licence file must be installed onto each Microsoft UAG 2010 appliance, otherwise the
application will not function.
Running a trial

Winfrasoft HAS is available for trial. Fully functional time-limited trial licences can be
requested from Winfrasoft.
All installations of the Winfrasoft HAS server software include a non-expiring 10 user
licence.
Applying a new licence

Once you receive a new licence from Winfrasoft, install the Winfrasoft HAS licence file onto
the server running the HAS Web Services by copying the new licence file into the Winfrasoft
HAS installation directory and renaming it to licence.lic. Once the licence has been installed,
restart the IIS web server by running IISRESET for the new licence to take effect.
Note
For detailed information on the licence types please refer to the licence
agreement document embedded within the installation package.
Design and Deployment Scenarios
Winfrasoft HAS is designed to operate with Microsoft Forefront UAG 2010 update 1. The
Winfrasoft HAS Management utility utilises Microsoft Management Console technology
which can be run remotely and installed on any 32bit or 64bit machine where Active
Directory Users and Computers is installed.
Winfrasoft HAS is a true Enterprise-class solution designed for highly available, multi-
master, Active Directory integrated deployments. In high-availability deployments and
scenarios with numerous users, provisioned user information can be stored across multiple
domains in an Active Directory Forest with no schema extensions required.
There are two main deployment scenarios for Winfrasoft HAS:
(1) Access from the Internet:
This scenario makes use of public and private key (protected by the PIN) to verify
the card and user. The UID in the smart card is linked with an AD user account.
(2) Access from N3 using the Identity Agent:
This scenario makes use of the NHS Identity Agent and validates sessions against
Spine. The UID from Spine is linked with an AD user account.
Once a user is provisioned to use HAS they are able to make use of both authentication
methods; there is no need to provision a user twice.
Smartcard Technology

Background

As the usage of Information Technology has increased exponentially, the need for security of
these systems has increased accordingly. Traditionally, authenticating users was done solely
by the user providing a valid username and password. This was known as single-factor
authentication, as the user "knows" all parts of the authentication process. Over time,
information supplied by the user alone was no longer sufficient and additional factors were required.
Physical token technology came to the fore and smart cards have become a recognised
industry standard for authentication. The major benefit of smart cards is the versatility of the
solution: smart cards can not only prove the identity of the holder and authenticate the user to a
network, but also be used for physical perimeter access. Furthermore, picture identification
can be printed on the card for additional verification and user identification.
Deployment

Overview

This deployment section assumes that the UAG 2010 Appliance has been installed and is
configured.
To fully deploy the Winfrasoft HAS solution the following steps must be performed:
(1) Deploy and configure UAG 2010, including any service packs or updates
(2) Install Winfrasoft HAS Web Services on a separate server to UAG 2010
(3) Install the Winfrasoft HAS Add-on for UAG 2010 on the UAG appliance
(4) Provision users with HAS tokens
Note
This guide does not detail how to install and configure UAG 2010.
Installing the Winfrasoft HAS Server

The Winfrasoft HAS Web Services must be installed onto a server running Windows Server
2008 R2 (x64), the HAS Server. The Winfrasoft HAS Server is also available as a
preconfigured appliance from Winfrasoft.
The HAS Web Services can NOT be installed on a server running UAG 2010 due to
restrictions placed on UAG 2010 by Microsoft. This is a change from the previous version of
HAS for IAG 2007 which was able to cater for this scenario.
(1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer.
(2) The setup wizard starts:
(3) Click Next to continue.
(4) After reading the licence agreement, click I accept the terms in the License
Agreement if you agree to the terms, then click Next to continue.
Note
Ensure you are logged onto the HAS Server with Domain Admin rights to
allow for the Active Directory configuration to be performed.
(5) Select the setup type. Click Custom and select Next to continue.
(6) Click Next to continue.
Note
The HAS Web Services can NOT be installed on a server running UAG 2010
due to restrictions placed on UAG 2010 by Microsoft. This is a change from
the previous version of HAS for IAG 2007 which was able to cater for this
scenario.
Note
The HAS Management Console option is automatically visible when installing
on the HAS Server if Active Directory Users and Computers snap-in is already
installed.
(7) Click Next to continue.
The installation is being performed. During the install a balloon will popup displaying the
UAG version that was detected for the Plug-in.
Note
The Winfrasoft HAS Active Directory Initialisation wizard may show extra
information or warning messages if it has previously been run in the forest.
Existing groups will be reused for multiple box deployment scenarios.
(8) Ensure no critical errors have occurred during the Winfrasoft HAS Active Directory
Initialisation; if any have, contact Winfrasoft for support.
Click Close to continue.
(9) All necessary Winfrasoft HAS files have been installed on your HAS Server.
Click Finish to complete the installation process.
Note
The HAS Server may require a restart in order for all changes to be applied.
Without a restart the HAS Server will not have the required rights to update
smart card details on AD user accounts. If HAS is being reinstalled or the
server is already a member of the Winfrasoft HAS Servers group then a
reboot is not required.
The Winfrasoft HAS Servers group is added to the Account Operators group
by default. This grants the HAS Server the rights required to update user
accounts with Smart Card information for auto provisioning. However,
Account Operators do not have rights to modify AD Administrator accounts.
As such administrator accounts cannot use auto provisioning by default. Add
the Winfrasoft HAS Servers group to the Domain Admin group to enable this
functionality.
Installing the Winfrasoft HAS Plug-in for UAG 2010

The Winfrasoft HAS Plug-in for UAG 2010 enables UAG to communicate with the HAS
Server.
(1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer.
(2) The setup wizard starts:
(3) Click Next to continue.
(4) After reading the licence agreement, click I accept the terms in the License
Agreement if you agree to the terms, then click Next to continue.
(5) Select the setup type. Click Custom and select Next to continue.
(6) Click Next to continue.
(7) Enter the fully qualified DNS name of the HAS appliance or of the web server running the HAS
authentication web service.
Click Next to continue.
Note
The HAS Web Services can NOT be installed on a server running UAG 2010
due to restrictions placed on UAG 2010 by Microsoft. This is a change from
the previous version of HAS for IAG 2007 which was able to cater for this
scenario.
Note
The HAS Management Console option is automatically selected when
installing on the UAG server if Active Directory Users and Computers snap-in
is locally installed.
(8) Click Next to continue.
The installation is being performed.
(9) All necessary Winfrasoft HAS files have been installed on your UAG appliance.
Click Finish to complete the installation process.
Installing the Winfrasoft HAS Management Console

The Winfrasoft HAS Management Console can be installed on any 32-bit or 64-bit
computer that has the Active Directory Users and Computers MMC snap-in installed, and
only on such a computer. Typically, this would be a Domain Controller.
(1) To start the Winfrasoft HAS installation, run the Winfrasoft HAS.exe installer.
(2) The setup wizard starts:
(3) Click Next to continue.
(4) After reading the licence agreement, click I accept the terms in the License
Agreement if you agree to the terms, then click Next to continue.
(5) Select the setup type. Click Custom and select Next to continue.
(6) Ensure that only the HAS Management Console is selected if other choices are
displayed.
Click Next to continue.
Note
If IIS is installed on the machine you want to install the HAS Management
Console on then the HAS Web Service will display as a selected installation
option.
(7) Click Next to continue.
The installation is being performed.
(8) Click Finish to complete the installation process.
Uninstalling Winfrasoft HAS

If you no longer require Winfrasoft HAS you can remove it from a server by doing the
following:
(1) To start the Winfrasoft HAS un-installation, run the Winfrasoft HAS.exe installer.
Alternatively, use Add/Remove Programs in the Control Panel, select the Winfrasoft HAS
application and click Remove.
(2) Running the EXE file starts the setup wizard.
(3) Select Uninstall. Click Next to continue.
(4) Click Next to continue.
The Winfrasoft HAS uninstall will remove configured components.
(5) Click Finish to complete the uninstall process.
HAS Configuration on UAG 2010
Configure IIS MIME Types (Internet only)

(1) On the UAG 2010 server, open IIS Manager and select the Server.
(2) Double click MIME Types.
(3) Click Add… and add each of the following MIME types:

    Extension   MIME type
    .dat        application/octet-stream
    .vslp       application/octet-stream
    .cfg        application/octet-stream

When done the MIME types will be listed as follows:
(4) Close IIS Manager when done.
Note
Do NOT add the MIME types to the default web site, they MUST be added to
the web server directly.
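The three entries above can also be registered from PowerShell, which makes the "server, not site" distinction explicit. The following script is an added example and is not part of the Winfrasoft guide or of UAG; it assumes the WebAdministration module of IIS 7.5 on the UAG 2010 server (Windows Server 2008 R2) and the function name Add-HasMimeType is invented for illustration.

```powershell
# Added example: register the HAS MIME types at the IIS server level on the UAG host
# and verify the result. Run in an elevated PowerShell session on the UAG server.
Import-Module WebAdministration

# Server-level configuration path (applicationHost.config). A site path such as
# 'IIS:\Sites\Default Web Site' would place the entries on the site instead, which
# the guide says must not be done.
$serverPath = 'MACHINE/WEBROOT/APPHOST'
$mimeTypes  = @('.dat', '.vslp', '.cfg')

function Add-HasMimeType {
    param([string]$Extension)
    $filter   = "system.webServer/staticContent/mimeMap[@fileExtension='$Extension']"
    $existing = Get-WebConfiguration -PSPath $serverPath -Filter $filter
    if ($existing) {
        Write-Host "$Extension is already registered as $($existing.mimeType); skipping"
        return
    }
    # Append a new <mimeMap> element to the server-level <staticContent> collection.
    Add-WebConfigurationProperty -PSPath $serverPath `
        -Filter 'system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = $Extension; mimeType = 'application/octet-stream' }
    Write-Host "Registered $Extension as application/octet-stream"
}

foreach ($ext in $mimeTypes) { Add-HasMimeType -Extension $ext }

# Verification: show the three entries exactly as IIS now holds them at server level.
foreach ($ext in $mimeTypes) {
    Get-WebConfiguration -PSPath $serverPath `
        -Filter "system.webServer/staticContent/mimeMap[@fileExtension='$ext']" |
        Select-Object fileExtension, mimeType
}
```

The same result can be achieved with appcmd (`appcmd set config /section:staticContent /+"[fileExtension='.dat',mimeType='application/octet-stream']"`), which also writes to the server-level section when no site path is given. The existence check before each add matters because adding a duplicate fileExtension to the collection fails with a configuration error.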
Add a HAS Authentication repository (Internet)
(1) Start the Microsoft UAG 2010 Management Console.
(2) Click Admin > Authentication and Authorization Servers…
(3) Click Add…
(4) Select Other from the Server type drop down list. Enter “WinfrasoftHASInternet” (one
word) in the Server name box. Check the Use a different server for portal application
authorization box and select the existing Active Directory repository from the
dropdown list.
Click OK.
(5) Click Close.
Add a HAS Authentication repository (N3)
(1) Start the Microsoft UAG 2010 Management Console.
(2) Click Admin > Authentication and Authorization Servers…
(3) Click Add…
(4) Select Other from the Server type drop down list. Enter “WinfrasoftHASN3” (one
word) in the Server name box. Check the Use a different server for portal application
authorization box and select the existing Active Directory repository from the
dropdown list.
Click OK.
(5) Click Close.
Configure a UAG Trunk to use HAS (Internet)

A Trunk can be configured for use from N3 or the Internet, but not both. If you require HAS
functionality from both locations then either use the Internet configuration only and do not
rely on Spine authentication, or set up two Trunks.
(1) Start the Microsoft UAG 2010 Management Console.
(2) Every Trunk on the UAG server must be configured separately to use HAS. Select the
trunk to configure for use with HAS Authentication.
Click Configure…
Note
The URLs used in this section are listed in the C:\Program
Files\Winfrasoft HAS\readme.txt file. It is highly recommended
that the URLs are copied and pasted from the readme.txt file instead of
manually typed for speed and accuracy.
(3) Select the Authentication tab.
(4) In the “Require users to authenticate as session logon” section:
a. Under Select authentication servers:
i. Add WinfrasoftHASInternet
ii. Remove the existing Active Directory entry
b. Update the User login page entry with:
CustomUpdate/HASLoginInternet.asp
(5) Select the URL Set tab.
Note
Do NOT place a “/” {slash} before “CustomUpdate/HASLoginInternet.asp”
(6) In this section, the appropriate access rules for the different custom files installed by
HAS must be created. Scroll through the URL List and select the URL
InternalSite_Rule2. Below the Parameter List, click Add to add a new parameter for
this URL rule. Set the parameter values to the following:

    Parameter List
    Property                  Value
    Name                      chall
    Name Type                 String
    Value                     {empty}
    Value Type                String
    Length                    0:350
    Existence                 Optional
    Occurrences               Multiple
    Max Total Length          -1
    Rejected values checking  On
(7) Scroll through the URL List and select the URL InternalSite_Rule20. Modify the URL
property so that it contains the following entries:

    URL
    /internalsite/scripts/customupdate/[0-9a-z]*(params|install|sslvpnpage|rds|jquery-1.3.2|format|scripts|vsapi)\.js
(8) Add the following Primary URLs. For each new URL set, click Add Primary.
    URL List

    Property    Value
    Name        InternalSite_SC1
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/(vsappletlauncher|vsapinative)\.jar
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Property    Value
    Name        InternalSite_SC2
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/(vsapi)\.dat
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Property    Value
    Name        InternalSite_SC3
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/(vsapiapplet)\.vslp
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Property    Value
    Name        InternalSite_SC4
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/(vstapidll)\.cfg
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Property    Value
    Name        InternalSite_SC5
    Action      Accept
    URL         /internalsite/scripts/customupdate/api_gsl_p7/META-INF/services/javax.xml.parsers.SAXParserFactory
    Parameters  Ignore
    Note        {empty}
    Methods     GET

    Property    Value
    Name        InternalSite_UserLookup
    Action      Accept
    URL         /internalsite/customupdate/userlookup.asp
    Parameters  Handle
    Note        {empty}
    Methods     GET

    Parameter list
    Property                  Entry 1    Entry 2
    Name                      authtype   sessionid
    Name Type                 String     String
    Value                     {empty}    {empty}
    Value Type                String     String
    Length                    1:10       1:2000
    Existence                 Mandatory  Mandatory
    Occurrences               Single     Single
    Max Total Length          -1         -1
    Rejected values checking  On         On
(9) Once complete and the appropriate modifications and new URL Set pages have been
successfully added, click OK to accept the changes.
(10) Open the following folder in Windows Explorer:
    C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
Make a copy of the [PortalName]1PostPostValidate (Winfrasoft HAS).inc file.
Rename the file by removing " (Winfrasoft HAS)" from the end and replacing
"[PortalName]" with the actual name of the Trunk you are configuring. Do not remove
the "1", e.g. InternetPortal1PostPostValidate.inc
(11) Click Activate Configuration to apply and save the changes.
(12) Click Activate to apply the changes.
(13) Click Finish.
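The URL Set rules configured in this section form a positive security model: UAG accepts a request to userlookup.asp only when the method, the path and every query parameter match the rule, and a rule whose Parameters property is set to Ignore accepts any query. The following PowerShell function is an added example, not UAG code or Winfrasoft's, that models how the InternalSite_UserLookup rule above is evaluated; the rule hashtable, the sample requests and the function name Test-UagRequest are constructed for illustration, and UAG's "Rejected values checking" (its built-in signature check on parameter values) is not modelled.

```powershell
# Added example: a model of UAG URL Set evaluation for a rule with Parameters = Handle,
# built from the InternalSite_UserLookup entry in this section.
$userLookupRule = @{
    Name       = 'InternalSite_UserLookup'
    Url        = '^/internalsite/customupdate/userlookup\.asp$'
    Methods    = @('GET')
    Parameters = 'Handle'   # every query parameter must match an entry in ParamRules
    ParamRules = @{
        authtype  = @{ MinLen = 1; MaxLen = 10;   Existence = 'Mandatory'; Occurrences = 'Single' }
        sessionid = @{ MinLen = 1; MaxLen = 2000; Existence = 'Mandatory'; Occurrences = 'Single' }
    }
}

function Test-UagRequest {
    param([hashtable]$Rule, [string]$Method, [string]$Path, [string]$Query)

    if ($Rule.Methods -notcontains $Method) { return "Reject: method $Method not allowed by rule" }
    if ($Path -notmatch $Rule.Url)          { return "Reject: path does not match rule URL" }
    if ($Rule.Parameters -eq 'Ignore')      { return 'Accept (parameters not inspected)' }

    # Group query values by parameter name so that Occurrences can be checked.
    $seen = @{}
    foreach ($pair in ($Query -split '&' | Where-Object { $_ -ne '' })) {
        $name, $value = $pair -split '=', 2
        if (-not $seen.ContainsKey($name)) { $seen[$name] = @() }
        $seen[$name] += [string]$value
    }

    # Every supplied parameter must be listed, within its length range, and (if Single) unique.
    foreach ($name in $seen.Keys) {
        $p = $Rule.ParamRules[$name]
        if (-not $p) { return "Reject: parameter '$name' is not in the parameter list" }
        if ($p.Occurrences -eq 'Single' -and $seen[$name].Count -gt 1) {
            return "Reject: parameter '$name' supplied more than once"
        }
        foreach ($v in $seen[$name]) {
            if ($v.Length -lt $p.MinLen -or $v.Length -gt $p.MaxLen) {
                return "Reject: parameter '$name' length $($v.Length) outside $($p.MinLen):$($p.MaxLen)"
            }
        }
    }
    # Every Mandatory parameter must be present.
    foreach ($name in $Rule.ParamRules.Keys) {
        if ($Rule.ParamRules[$name].Existence -eq 'Mandatory' -and -not $seen.ContainsKey($name)) {
            return "Reject: mandatory parameter '$name' missing"
        }
    }
    return 'Accept'
}

# Constructed sample requests against the userlookup.asp rule.
$path = '/internalsite/customupdate/userlookup.asp'
Test-UagRequest $userLookupRule 'GET'  $path 'authtype=card&sessionid=abc123'            # both mandatory parameters, in range
Test-UagRequest $userLookupRule 'GET'  $path 'authtype=card'                              # omits sessionid
Test-UagRequest $userLookupRule 'GET'  $path 'authtype=card&sessionid=a&sessionid=b'      # sessionid supplied twice
Test-UagRequest $userLookupRule 'GET'  $path 'authtype=averyverylongvalue&sessionid=x'    # authtype longer than 10
Test-UagRequest $userLookupRule 'GET'  $path 'authtype=card&sessionid=x&debug=1'          # unlisted parameter
Test-UagRequest $userLookupRule 'POST' $path 'authtype=card&sessionid=x'                  # method not in rule
```

Run the script in any PowerShell session; it touches no UAG configuration. The point of the model is the asymmetry in the rule table: Handle means "reject anything not explicitly described", while Ignore on the applet and .dat/.vslp/.cfg rules means only the URL regular expression is enforced, which is why those paths are written as tight alternations rather than wildcards.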
Configure a UAG Trunk to use HAS (N3)

A Trunk can be configured for use from N3 or the Internet, but not both. If you require HAS
functionality from both locations then either use the Internet configuration only and do not
rely on Spine authentication, or set up two Trunks.
(1) Start the Microsoft UAG 2010 Management Console.
(2) Every Trunk on the UAG server must be configured separately to use HAS. Select the
trunk to configure for use with HAS Authentication.
Click Configure…
Note
The URLs used in this section are listed in the C:\Program
Files\Winfrasoft HAS\readme.txt file. It is highly recommended
that the URLs are copied and pasted from the readme.txt file instead of
manually typed for speed and accuracy.
(3) Select the Authentication tab.
(4) In the “Require users to authenticate as session logon” section:
a. Under Select authentication servers:
i. Add WinfrasoftHASN3
ii. Remove the existing Active Directory entry
b. Update the User login page entry with:
CustomUpdate/HASLoginN3.asp
(5) Select the URL Set tab.
Note
Do NOT place a “/” {slash} before “CustomUpdate/HASLoginN3.asp”
(6) In this section, the appropriate access rules for the different custom files installed by
HAS must be created. Scroll through the URL List and select the URL
InternalSite_Rule20. Modify the URL property so that it contains the following entries:

    URL
    /internalsite/scripts/customupdate/[0-9a-z]*(params|install|sslvpnpage|rds|jquery-1.3.2)\.js

(7) Scroll through the URL List and select the URL InternalSite_Rule27. Modify the URL
property so that it contains the following entries:

    URL
    /internalsite/applet/(detectjava|microsoftclient|oesislocal|runtimeelevator|agent_win_helper|agent_mac_helper|agent_lin_helper|gettoken)\.jar
(8) Add the following Primary URL. For each new URL set, click Add Primary.

    URL List

    Property    Value
    Name        InternalSite_UserLookup
    Action      Accept
    URL         /internalsite/customupdate/userlookup.asp
    Parameters  Handle
    Note        {empty}
    Methods     GET

    Parameter list
    Property                  Entry 1    Entry 2
    Name                      authtype   sessionid
    Name Type                 String     String
    Value                     {empty}    {empty}
    Value Type                String     String
    Length                    1:10       1:2000
    Existence                 Mandatory  Mandatory
    Occurrences               Single     Single
    Max Total Length          -1         -1
    Rejected values checking  On         On
(9) Once complete and the appropriate modifications and new URL Set pages have been
successfully added, click OK to accept the changes.
(10) Open the following folder in Windows Explorer:
    C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate
Make a copy of the [PortalName]1PostPostValidate (Winfrasoft HAS).inc file.
Rename the file by removing " (Winfrasoft HAS)" from the end and replacing
"[PortalName]" with the actual name of the Trunk you are configuring. Do not remove
the "1", e.g. N3Portal1PostPostValidate.inc
(11) Click Activate Configuration to apply and save the changes.
(12) Click Activate to apply the changes.
(13) Click Finish.
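The copy-and-rename step of the PostPostValidate include appears in both the Internet and the N3 trunk procedures. The script below is an added example, not part of the Winfrasoft guide, that performs that step for a named trunk; the trunk name InternetPortal and the function name New-HasPostValidateInclude are assumed placeholders. The template file name contains square brackets, which PowerShell treats as wildcard characters, so the script uses -LiteralPath throughout rather than -Path.

```powershell
# Added example: create <TrunkName>1PostPostValidate.inc from the template that the HAS
# plug-in installs on the UAG server. Run in an elevated session on the UAG server.
$TrunkName = 'InternetPortal'   # replace with the actual UAG trunk name (assumed value)
$incDir    = 'C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate'
$template  = Join-Path $incDir '[PortalName]1PostPostValidate (Winfrasoft HAS).inc'
$target    = Join-Path $incDir ($TrunkName + '1PostPostValidate.inc')

function New-HasPostValidateInclude {
    # -LiteralPath: "[PortalName]" would otherwise be parsed as a character class and
    # Test-Path -Path would report the template as missing.
    if (-not (Test-Path -LiteralPath $template)) {
        throw "Template not found: $template (is the HAS plug-in installed on this UAG server?)"
    }
    if (Test-Path -LiteralPath $target) {
        Write-Warning "$target already exists; leaving it untouched so a customised copy is not overwritten"
        return
    }
    Copy-Item -LiteralPath $template -Destination $target
    Write-Host "Created $target"
}

New-HasPostValidateInclude

# Show the template and every per-trunk copy so the result can be checked at a glance.
Get-ChildItem -LiteralPath $incDir -Filter '*PostPostValidate*' |
    Select-Object Name, Length, LastWriteTime
```

The trunk name must match the trunk exactly as it is named in the UAG Management Console, because UAG loads CustomUpdate include files by that name; a mismatch produces no error, the file is simply never used.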
Configure User Auto Provisioning without Self Service Password Reset

To enable users to access the self-provisioning functionality, i.e. the ability for users to
associate smart cards with their Active Directory account, the Winfrasoft HAS
Provisioning application must be published in the trunk.
This section describes the process to publish the Winfrasoft HAS Auto Provisioning and Self
Service Password Reset pages in UAG 2010.
(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the appropriate trunk to add the Self Service Password Reset Application to. In
the Applications section, click Add...
Note
This process must be repeated for every UAG trunk that will provide portal
access to provisioning and password resets.
(3) The UAG Add Application Wizard will start. Click Next.
(4) Choose Other Web Application (portal hostname) from Web section. Click Next.
(5) Complete the values for the Application Values with the following and click Next:

    Property          Value
    Application Name  Winfrasoft HAS Auto Provisioning
    Application Type  GenericWeb
(6) Click Next.
(7) Click Next.
(8) Click Next.
(9) Complete the values for the Web Servers as follows:

    Property      Value
    Address Type  IP/Host
    Addresses     {HAS Server FQDN}
    Paths         /
    HTTP ports    12000
    HTTPS ports   12443
Note
If multiple HAS servers are deployed in a high availability scenario then
publish both together as a server farm.
(10) Click Next.
(11) Click Next.
(12) Untick the Add a portal and toolbar link box.
Click Next.
(13) Click Next.
(14) Click Finish.
(15) Click Activate Configuration to apply and save the changes.
(16) Click Activate to apply the changes.
(17) Click Finish.
Your Trunk is now configured to use the Auto Provisioning functionality.
Configure User Auto Provisioning with Self Service Password Reset

To enable users to reset their Active Directory passwords and to access the auto provisioning
functionality, i.e. the ability for users to associate smart cards with their Active Directory
account, the Self Service Password Reset application must be published in the trunk. The
Self Service Password Reset facility shares the same published application configuration as
auto provisioning to simplify the configuration.

Active Directory Configuration

This section describes the process to configure Active Directory with Kerberos
Constrained Delegation to support Self Service Password Reset.
(1) Open Active Directory Users and Computers (either on a DC or management station)
and select the properties of the UAG 2010 computer account, then select the
Delegation tab.
(2) Select Trust this computer for delegation to specific services only and Use any
authentication protocol (if they are not already selected) then click Add…
(3) Click Users or Computers… and locate the HAS Server computer account running the
HAS Web Services.
(4) Select the “http” service type and click OK.
(5) Click OK.
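Steps (1) to (5) above set two things on the UAG computer account: the list of services it may delegate to (the http service on the HAS Server) and "use any authentication protocol", which is what allows UAG to obtain a Kerberos ticket for a user who authenticated with a smart card rather than with Kerberos. The script below is an added example, not part of the Winfrasoft guide, that applies and then checks the same settings with the ActiveDirectory PowerShell module; the computer name UAG01, the host name has01.corp.example and the function names are assumed placeholders, and the module requires Windows Server 2008 R2 (or RSAT) with Active Directory Web Services reachable.

```powershell
# Added example: Kerberos constrained delegation from the UAG computer account to the
# HAS Server's http service, as the ADUC Delegation tab configures it, plus a check.
Import-Module ActiveDirectory

$uagComputer = 'UAG01'                 # UAG 2010 appliance computer account (assumed)
$hasHost     = 'has01.corp.example'    # FQDN of the server running the HAS Web Services (assumed)
# ADUC writes both the FQDN and the short-name form of the SPN; do the same here.
$hasSpns     = @("http/$hasHost", "http/$(($hasHost -split '\.')[0])")

function Set-HasDelegation {
    # "Trust this computer for delegation to specified services only":
    # constrain the target list to the HAS http service, nothing broader.
    Set-ADComputer -Identity $uagComputer -Add @{ 'msDS-AllowedToDelegateTo' = $hasSpns }

    # "Use any authentication protocol" = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
    # Required here because the user's front-end credential is a smart card, not a Kerberos ticket.
    Set-ADAccountControl -Identity "$uagComputer$" -TrustedToAuthForDelegation $true
}

function Test-HasDelegation {
    $c = Get-ADComputer -Identity $uagComputer `
        -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
    New-Object PSObject -Property @{
        Computer                = $c.Name
        ConstrainedTargets      = ($c.'msDS-AllowedToDelegateTo' -join ', ')
        ProtocolTransition      = $c.TrustedToAuthForDelegation   # expected True after Set-HasDelegation
        UnconstrainedDelegation = $c.TrustedForDelegation         # should remain False
    }
}

Set-HasDelegation
Test-HasDelegation
```

Keeping the delegation constrained to the HAS http SPN is the least-privilege choice: the UAG account can then obtain service tickets only for that service, which is all Self Service Password Reset needs. If Test-HasDelegation ever reports UnconstrainedDelegation as True, the account has been switched to "Trust this computer for delegation to any service", which is broader than this guide requires.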
UAG 2010 Configuration

This section describes the process to publish the Winfrasoft HAS Auto Provisioning and Self
Service Password Reset pages in UAG 2010.
(1) Start the Microsoft UAG 2010 Management Console.
(2) Select the appropriate trunk to add the Self Service Password Reset Application to. In
the Applications section, click Add...
Note
This process must be repeated for every UAG trunk that will provide portal
access to provisioning and password resets.
(3) The UAG Add Application Wizard will start. Click Next.
(4) Choose Other Web Application (portal hostname) from Web section. Click Next.
(5) Complete the values for the Application Values with the following and click Next:

    Property          Value
    Application Name  Self Service Password Reset
    Application Type  GenericWeb
(6) Click Next.
(7) Click Next.
(8) Click Next.
(9) Complete the values for the Web Servers as follows:

    Property      Value
    Address Type  IP/Host
    Addresses     {HAS Server FQDN}
    Paths         /
    HTTP ports    12000
    HTTPS ports   12443

Note
If multiple HAS servers are deployed in a high availability scenario then
publish both together as a server farm.
(10) Click Next.
(11) Click Next.
(12) Click Next.
(13) Click Next.
(14) Click Finish.
(15) Double click the Self Service Password Reset application to edit it.
(16) Select the Authentication tab.
(17) Check Use single sign-on to send credentials to published applications, then select Use
Kerberos constrained delegation for single sign-on. Enter “http/*” or enter
“http/{your.server.and.domain.name}” in the Application field where
{your.server.and.domain.name} is the full DNS name of the HAS computer account in
AD.
(18) Click OK.
(19) Click Activate Configuration to apply and save the changes.
(20) Click Activate to apply the changes.
(21) Click Finish.
Your Trunk is now configured to use Self Service Password Reset and Auto Provisioning
functionality.
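Steps (3) and (4) of the delegation procedure register the http service of the HAS server computer account for delegation, and step (17) above tells the UAG application to request a Kerberos ticket for "http/*" or "http/{your.server.and.domain.name}". The following PowerShell script is an added example, not part of the Winfrasoft guide, that reads both computer accounts back from Active Directory and reports whether the pieces line up before the trunk is activated. It assumes the RSAT ActiveDirectory module is available, that the delegating account is the UAG server's computer account, and uses the placeholder names has01.corp.example.com and UAG01.

```powershell
# Added example (not from the Winfrasoft guide): check the Kerberos constrained
# delegation prerequisites for publishing HAS through UAG.
# Requires the ActiveDirectory module (RSAT); run as a user who can read AD.
Import-Module ActiveDirectory

$hasFqdn = 'has01.corp.example.com'   # placeholder: DNS name of the HAS computer account
$uagName = 'UAG01'                    # placeholder: computer name of the UAG server

function Test-HasKcdPrerequisites {
    param([string]$HasFqdn, [string]$UagName)

    $hasHost = ($HasFqdn -split '\.')[0]
    $has = Get-ADComputer -Identity $hasHost -Properties servicePrincipalName
    $uag = Get-ADComputer -Identity $UagName -Properties 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation

    $httpSpn = "http/$HasFqdn"
    $hostSpn = "HOST/$HasFqdn"
    $spns    = @($has.servicePrincipalName)   # -contains is case-insensitive

    New-Object PSObject -Property @{
        HasFqdn               = $HasFqdn
        # An explicit http/ SPN, or the HOST/ SPN, which covers "http" through the
        # domain's default sPNMappings, lets the KDC issue a ticket for the service.
        HasServiceSpn         = ($spns -contains $httpSpn) -or ($spns -contains $hostSpn)
        # The target entered in the UAG Application field must be in the UAG
        # computer account's delegation list; "http/*" only widens what UAG asks for,
        # it does not add anything to this list.
        UagDelegatesToHas     = @($uag.'msDS-AllowedToDelegateTo') -contains $httpSpn
        # UAG authenticates the user itself (forms / smart card) and then obtains a
        # Kerberos ticket on the user's behalf, which needs "Use any authentication
        # protocol" (protocol transition) on the delegating account.
        UagProtocolTransition = [bool]$uag.TrustedToAuthForDelegation
    }
}

$result = Test-HasKcdPrerequisites -HasFqdn $hasFqdn -UagName $uagName
$result | Format-List HasFqdn, HasServiceSpn, UagDelegatesToHas, UagProtocolTransition
if (-not ($result.HasServiceSpn -and $result.UagDelegatesToHas -and $result.UagProtocolTransition)) {
    Write-Warning 'Kerberos constrained delegation to the HAS server is not fully configured.'
}
```

All three values should be True; a False in UagDelegatesToHas usually means the service type chosen in step (4) or the name entered in step (17) does not match the HAS computer account's DNS name exactly.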
Configure the TMG Firewall (N3 only)
Microsoft UAG 2010 runs on top of TMG 2010 which provides security and protocol access
to the published portals on UAG via its firewall services. As such, a firewall rule needs to be
created allowing Winfrasoft HAS access to the N3 network.
To do this, create a Firewall rule in Microsoft TMG Management Console with the following
properties:
Property    Value
Name        Winfrasoft N3 Spine Access
Action      Allow
Protocols   HTTP, HTTPS
From        Local Host
To          External
Conditions  All users
Certificate Configuration
Various certificate configurations must be performed on the UAG server depending on the
type of Smart Card authentication being used.
Certificate Trust List Configuration
In order for Winfrasoft HAS to “trust” the certificates, the public certificate of the issuer’s
root CA needs to be applied. Winfrasoft HAS makes use of the Operating System trust list to
validate SSL certificates.
Import the Root and Intermediate certificates required into the certificate store of the
Computer account.
The required certificate files are installed in the following folder:
C:\Program Files\Winfrasoft HAS\certs\
Note
Do NOT double click the certificate file to install it; this will install the
certificate into the currently logged on user’s certificate store, not the Computer
account’s store that the HAS service uses.
Note
HAS includes the Root and Intermediate certificates for the Live and NIS1
Spine implementations.
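The following PowerShell script is an added example, not part of the Winfrasoft guide, showing how to import the supplied certificates into the Computer account's store rather than the logged-on user's store, which is the point of the note above. It opens the LocalMachine stores directly through .NET so it also works on the PowerShell 2.0 that ships with Windows Server 2008 R2, and it places self-signed certificates in Trusted Root Certification Authorities and the rest in Intermediate Certification Authorities. The folder path comes from the guide; the individual file names are not known here, so the script enumerates every .cer/.crt file it finds.

```powershell
# Added example (not from the Winfrasoft guide): import the HAS root and intermediate
# certificates into the LocalMachine (Computer account) certificate stores.
# Run from an elevated PowerShell prompt on the HAS server.
$certsFolder = 'C:\Program Files\Winfrasoft HAS\certs'   # folder named in the guide

function Import-HasTrustChain {
    param([string]$Folder)

    $imported = @()
    $files = Get-ChildItem -Path $Folder | Where-Object { $_.Extension -match '^\.(cer|crt)$' }

    foreach ($file in $files) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file.FullName

        # A self-signed certificate (Subject equals Issuer) is a root CA and belongs in
        # Trusted Root Certification Authorities; anything else is an intermediate CA.
        $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }

        # 'LocalMachine' is the Computer account store; 'CurrentUser' is what a
        # double-click on the file would have used.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $storeName, 'LocalMachine'
        $store.Open('ReadWrite')
        try {
            $store.Add($cert)    # no-op if a certificate with this thumbprint is already present
        } finally {
            $store.Close()
        }

        $imported += New-Object PSObject -Property @{
            File       = $file.Name
            Store      = "Cert:\LocalMachine\$storeName"
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            # Read it back through the Cert: drive to confirm the import really landed.
            Installed  = Test-Path -Path "Cert:\LocalMachine\$storeName\$($cert.Thumbprint)"
        }
    }
    return $imported
}

Import-HasTrustChain -Folder $certsFolder | Format-Table File, Store, Installed, NotAfter, Subject -AutoSize
```

Every row should show Installed as True. Keep an eye on the NotAfter column: once a root or intermediate in the chain expires, Spine SSL validation fails until the renewed certificate from Winfrasoft is imported the same way.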
Winfrasoft HAS Management
Winfrasoft HAS must be configured and users need to be provisioned before they can use the
two-factor authentication technologies.
Users can be provisioned automatically via the auto-provisioning web page (if enabled), or
via the MMC Snap-In. All data is stored in the Active Directory (without the need for
schema extensions), not on the HAS or UAG server.
To configure a user’s Winfrasoft HAS credentials, on a machine that has the Winfrasoft HAS
Management Console Snap-In extension installed, open Active Directory Users and
Computers. Select the user you wish to manage. Open the account properties and select the
NHS Smart Card tab.
If a User ID exists, then this user has been configured for Winfrasoft HAS. Administrators
can manually configure users by entering the user’s UID in this field.
To remove a user from Winfrasoft HAS, click the Clear button. The certificate subject name
will be removed from the user account and the licence will be released for use for another
user.
The License Availability details displayed are solely for informational purposes and cannot
be modified manually. Should you require additional licences, please contact your local
Winfrasoft partner.
Note
There is a current known limitation that Smart Card information cannot be
modified on user account properties when the accounts are located via the
Find feature of Active Directory Users and Computers.
The Read Card feature is currently only available when using a 32-bit MMC.
Advanced Configuration
Winfrasoft HAS advanced configuration is performed by modifying pre-existing registry
keys.
HAS Registry Keys
These keys should NOT be renamed or removed; only the values can be changed. Not all
keys are available on all servers as some are specific to the UAG Server or Appliance and
others to the HAS Server or Appliance; however some are common to both.
The keys are located in the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\Winfrasoft\Winfrasoft HAS
UAG Server / Appliance keys

LicenceFolder
  Default Value: C:\Program Files\Winfrasoft HAS
  The path on the server where the licence file is located. It is not recommended to change this location.

LoggingEnabled
  Default Value: 0
  Changing this setting to 1 enables diagnostic logging. This should not be enabled for usual operation and is only required for troubleshooting or when instructed by Winfrasoft support.

HASWebServiceURL
  Default Value: http://has.winfrasoftdemo.com:12000
  The URL accessed by UAG 2010 when connecting to the HAS Server. This URL must be updated with the correct server name after installation. It is not supported to use a port other than 12000.
HAS Server / Appliance keys

AutoProvisionDisabled
  Default Value: 0
  Provides the ability to enable or disable the user auto provisioning functionality. The default of 0 indicates that auto provisioning is not disabled. To disable auto provisioning set the value to 1.

AutoProvisionOverwriteEnabled
  Default Value: 0
  Changing this setting to 1 allows a user to overwrite an existing smart card link with a new card. When this value is set to 0 an administrator has to manually unlink the existing card before a user can link a new one.
  This setting has no effect if auto provisioning has been disabled.

DisableSpineCertCheck
  Default Value: 1
  Disables checking the validity of the SSL certificate used on the Spine connection point. This is enabled by default to allow spine authentication to work in cases where the CRL or the root for the SSL certificate is not available.

GuestAccessEnabled
  Default Value: 0
  Changing this setting to 1 allows guest users to access the UAG portal. A guest user is a user with no AD user account. To allow a guest user access to internal resources create an AD user account called “PortalGuest” and assign any required rights to it.
  When this setting is set to 0 guest logins are not possible.

LicenceFolder
  Default Value: C:\Program Files\Winfrasoft HAS
  The path on the server where the licence file is located. It is not recommended to change this location.

LoggingEnabled
  Default Value: 0
  Changing this setting to 1 enables diagnostic logging. This should not be enabled for usual operation and is only required for troubleshooting or when instructed by Winfrasoft support.

LoggingFolder
  Default Value: C:\Program Files\Winfrasoft HAS\Log
  The path on the server where the diagnostic log files are located. It is not recommended to change this location.

ProvisionTTL
  Default Value: 3600 (decimal)
  Time in seconds that session information is kept in memory prior to a successful provisioning event.

SessionTTL
  Default Value: 300 (decimal)
  Time in seconds that a session is kept active before a user must enter their smart card PIN.

SpineURL
  Default Value: https://sbapi.national.ncrs.nhs.uk/saml/RoleAssertion?token={sso_ticket}
  The URL accessed by the HAS Server when connecting to Spine. If testing against other Spine implementations this URL can be modified.
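Several of the values above change the security posture of the deployment rather than just its behaviour: DisableSpineCertCheck turns off SSL certificate validation towards Spine, GuestAccessEnabled admits users with no AD account, AutoProvisionOverwriteEnabled lets a user replace an existing card link without an administrator, LoggingEnabled is meant for troubleshooting only, and HASWebServiceURL must no longer point at the demo default. The following PowerShell script is an added example, not part of the Winfrasoft guide, that reads the key named above and reports which of those values need a conscious decision before go-live. It assumes nothing beyond the registry path and value names listed in this section; values that are not present on a given server role are simply skipped.

```powershell
# Added example (not from the Winfrasoft guide): review the HAS registry values for
# settings that widen access or disable a check. Run on the HAS or UAG server.
$hasKey = 'HKLM:\SOFTWARE\Winfrasoft\Winfrasoft HAS'   # key named in the guide

function Get-HasConfigReview {
    param([string]$KeyPath = $hasKey)

    $props = Get-ItemProperty -Path $KeyPath -ErrorAction Stop
    $findings = @()

    # Each rule: value name, a test returning $true when the value needs attention, and why.
    $rules = @(
        @{ Name = 'LoggingEnabled'
           Test = { param($v) $v -eq 1 }
           Why  = 'Diagnostic logging is on; the guide says to enable it only for troubleshooting.' },
        @{ Name = 'DisableSpineCertCheck'
           Test = { param($v) $v -eq 1 }
           Why  = 'SSL certificate validation for the Spine connection is off (the shipped default); confirm this is intended.' },
        @{ Name = 'GuestAccessEnabled'
           Test = { param($v) $v -eq 1 }
           Why  = 'Users with no AD account can log in to the portal via the PortalGuest account.' },
        @{ Name = 'AutoProvisionOverwriteEnabled'
           Test = { param($v) $v -eq 1 }
           Why  = 'A user can replace an existing smart card link without an administrator unlinking it first.' },
        @{ Name = 'HASWebServiceURL'
           Test = { param($v) ($v -match 'winfrasoftdemo\.com') -or ($v -notmatch ':12000(/|$)') }
           Why  = 'Still the demo default, or not on port 12000; must point at the real HAS server on port 12000.' }
    )

    foreach ($rule in $rules) {
        $prop = $props.PSObject.Properties[$rule.Name]
        if ($null -eq $prop) { continue }      # value not present on this server role
        $value = $prop.Value
        $flag  = [bool](& $rule.Test $value)   # DWORD values arrive as Int32, strings as String
        $findings += New-Object PSObject -Property @{
            Name        = $rule.Name
            Value       = $value
            NeedsReview = $flag
            Why         = $(if ($flag) { $rule.Why } else { '' })
        }
    }
    return $findings
}

Get-HasConfigReview | Format-Table Name, Value, NeedsReview, Why -AutoSize -Wrap
```

A freshly installed HAS server will show DisableSpineCertCheck as needing review, because 1 is the shipped default; the point of the report is to make that, and any later change to the other values, a recorded decision rather than an accident.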