Who we are
What we've seen
Security Concerns in today's world
Why SmartCards?
Authentication & Authorization of SharePoint
IIS and SmartCards
Implementation Considerations and Pitfalls
Dan Usher - MCP, MCTS, Security+
SharePoint Architect and Implementation / Deployment Engineer
UVA - BS Physics
Joel Ward - MCP, MCAD
Solutions Developer and Architect
Penn State - BA Integrative Arts
Slide 7
Large and Small SharePoint implementations
Authentication schemas using SmartCard authentication integrated with Active Directory and third party SSO systems
Extranet Enabled SmartCard SharePoint systems
Slide 8
Cyber Security
Identity Theft
Phishing
Information Assurance
Slide 9
Strong Passwords
Web of Trust
Two Factor Authentication
Biometrics
Leetspeak password examples scattered across the slide: 3L33tH@x0r 0h7c@Nd13M@n777 M@Kuhr00ns
Stricter Password Policies
Resetting Passwords More Often
Password Enabled Screensavers
Disruptions in your daily work
Things aren't quite as secure as they were
Simplicity to the end user
Provides a secure, tamper-resistant storage physical token
Enables portability of credentials and private information, similar to other Federated Identity like OpenID, Facebook Connect, Google OpenSocial, Microsoft Hailstorm
A PIN is used
Security
Slide 14
Similar to a physical token
Contains the same information
It has an expiration date
It can be revoked
Provides for similar IA capabilities
However:
It can be exported
It can be shared
It can be purchased
It can be stolen
Slide 15
Authentication
  IIS Username & Password
  Client Certificates
  ISAPI Filters
  Custom Membership Providers
  Federation (ADFS or Third Party Identity Handler)
Authorization
  SharePoint Groups and Permissions
  AD / LDAP / Role Provider Security Groups
Slide 16
ASP.NET Authentication
Handled by IIS and ASP.NET
Checks user against AD or other auth provider
Passes verification to IIS to proceed
Source: http://go.spdan.com/iisauth
Slide 17
1. User inserts smart card into reader
2. User attempts to access IIS based site that requires smart card auth
3. X.509 Certificate on Smart Card with Private Key verified locally: user enters PIN into middleware software prompt; PIN authenticates user to the card
4. Smart Card's Public Key is retrieved from card and verified through trusted issuer
5. Web Server receives public key certificate and checks validity against CA CRL
6. During authentication, a challenge based on the public key within the issued certificate is made; the challenge verifies the card has a private key and that the private key can be leveraged (Public Key / Private Key Verified)
7. Authentication has occurred: user's identity from certificate UPN used to reference user in AD
8. IIS receives user's identity and hands them to SharePoint
9. SharePoint verifies user's authorization to specific site
10. Virtual Path Provider directs user to appropriate site
11. Site is rendered to the end user
Slide 18
Option 0: SharePoint on an Intranet with integrated authentication
Option 1: SharePoint in a DMZ with client certificates and AD integration
Option 2a: SharePoint published through Internet Security and Acceleration (ISA) Server
Option 2b: SharePoint published through Intelligent Application Gateway (IAG) Server
Option 3: Custom Membership Provider
Slide 19
SharePoint is Intranet based only
Client Desktop utilizes the "SmartCard Enabled Login Required" security policy setting
SharePoint utilizing Integrated Windows authentication (Kerberos or NTLM)
Slide 21
Intranet only situation
Need to be within the network boundary for authentication tokens to pass properly
User's account must be linked to their SmartCard user principal name
Certificate Authority (CA) availability for CRL check may affect system availability
Slide 22
Web Server in DMZ
Utilize Authentication Store (AD)
IIS Configured to Require Client Certificate
Relatively easy to configure
Slide 23
Install an SSL certificate that belongs to a managed PKI environment
Within IIS in the specific web application, enable:
  Require Secure Channel (SSL)
  Require 128-bit encryption (optional)
  Require client certificate
Certificate Revocation List (CRL) ports open
LDAP or LDAP-S
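The three IIS Manager checkboxes listed above all write to one attribute, sslFlags on system.webServer/security/access. The following is an added example, not code from the presentation, that sets and reads back that attribute through the Microsoft.Web.Administration API (the same configuration store IIS Manager and appcmd use). The site name is a placeholder; the slides do not name one. The CRL and LDAP/LDAP-S items are firewall rules between the DMZ and the internal network, not IIS settings, so they are not covered here.

```csharp
// Added example (not from the presentation): apply the Slide 23 IIS
// settings for one site and read the effective value back.
// Requires a reference to Microsoft.Web.Administration.dll and an
// elevated process on the web front end.
using System;
using Microsoft.Web.Administration;

public static class ClientCertSiteConfig
{
    // Placeholder site name; assumption, not taken from the slides.
    public const string SiteName = "SharePoint - 443";

    // "Require SSL" -> Ssl, "Require 128-bit SSL" -> Ssl128,
    // client certificates "Require" -> SslNegotiateCert + SslRequireCert.
    // SslRequireCert is only honoured together with SslNegotiateCert.
    public const string RequiredFlags = "Ssl, Ssl128, SslNegotiateCert, SslRequireCert";

    public static void Apply(string siteName)
    {
        using (var manager = new ServerManager())
        {
            Configuration appHost = manager.GetApplicationHostConfiguration();
            // Second argument scopes the setting to this site's <location> element.
            ConfigurationSection access =
                appHost.GetSection("system.webServer/security/access", siteName);
            access["sslFlags"] = RequiredFlags;
            manager.CommitChanges();
        }
    }

    // Returns the effective sslFlags attribute for the site so the change
    // can be verified after deployment. The indexer returns the raw
    // attribute value, so it is converted to text for display.
    public static string ReadBack(string siteName)
    {
        using (var manager = new ServerManager())
        {
            Configuration appHost = manager.GetApplicationHostConfiguration();
            ConfigurationSection access =
                appHost.GetSection("system.webServer/security/access", siteName);
            return Convert.ToString(access["sslFlags"]);
        }
    }

    public static void Main()
    {
        Apply(SiteName);
        Console.WriteLine("sslFlags for '{0}': {1}", SiteName, ReadBack(SiteName));
    }
}
```

Applying this at the site level rather than in the web application's own web.config keeps the requirement out of reach of anyone who can edit the SharePoint web.config but not applicationHost.config.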
Slide 28
OCSP or CRL checking could cause authentication to fail if CRL is not available
Depending on number of requests, CRL checking could cause server load
Puts server in DMZ, increases attack surface area
wfetch will show your SharePoint Version
User's account must be linked to their SmartCard user principal name
User selecting a certificate that does not contain a UPN
Slide 29
Internet Security and Acceleration 2006 (ISA) Server Web Site Publishing with Constrained Kerberos Delegation
Internal Windows Networking Infrastructure system utilizing Kerberos
Users authenticate to their client machine using a different account than the SmartCard linked to their AD user object
Slide 30
Windows XP + Office 2007 requires a hot fix to allow for documents to open using ISA
Increases authentication requirements for external facing or extranet systems
User's account must be linked to their SmartCard user principal name
Multi-Forest trusts do not always work
Reauthentication issues
Only leverages Active Directory
Slide 31
Intelligent Application Gateway (IAG) Server Publishing Web Front End Server
Similar to Option 2a (ISA Server), but better experience for the end user
Stable session - Prevents constant requests for re-authorization using SmartCard
Allows for NAP like capabilities
Allows for mapping to something other than AD
Slide 32
Additional hardware to maintain
Current IAG is a hardware appliance
IAG 2007 available as a virtual machine for demonstration purposes
Future IAG will potentially be available as software and hardware
IAG -> Forefront Unified Access Gateway (UAG)
Costly
Requires authenticating to IAG dashboard
Slide 33
Custom Membership provider for SmartCard
IIS or SSO/ISAPI filter handshakes with the SmartCard
Does not require Active Directory: Can use LDAP, SQL Server, or another authentication provider
Slide 34
Custom SharePoint login page (using Forms Based Authentication) completes the login process seamlessly without user input
Can optionally create user account on the fly, based on SmartCard credentials
Can add in logic for account approval, different access levels based on SmartCard credentials, etc.
Slide 35
Requires additional configuration in SharePoint
Requires custom development
If requiring client certificate in IIS (instead of SSO or ISAPI filter), OCSP or CRL checking could cause authentication to fail if CRL is not available
Must secure server if in DMZ
Must add in appropriate security logic to custom login page
Slide 36
1) Configure domain name and SSL certificate for web application
2) Implement Forms Based Authentication with SharePoint using appropriate membership and role provider (AD, LDAP, ASPNET, etc.)
3) Configure IIS to accept client certificates (or custom SSO)
4) Create custom login page for SharePoint _layouts folder
Slide 37
// Get client certificate and appropriate user ID
HttpClientCertificate cert = Request.ClientCertificate;
string userID = cert.Get("[fieldname]");

// If the user does not yet exist in the membership provider,
// create the account and add it to the Visitors role
// (creating unconditionally would throw on the user's second visit)
MembershipUser user = Membership.GetUser(userID);
if (user == null)
{
    user = Membership.CreateUser(userID, [randomPassword], [email]);
    Roles.AddUserToRole(userID, "Visitors");
}

// User exists in membership provider: log in using FBA
FormsAuthentication.RedirectFromLoginPage(userID, false);
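The snippet above trusts whatever certificate IIS forwarded and whatever field it reads the user ID from. The "appropriate security logic" that Slide 35 calls for, and the Slide 28 pitfalls (CRL unreachable, user picking a certificate without a UPN), have to be handled somewhere, and with Option 3 that somewhere is this login page. The following is an added example, not the presenters' code, of a hardened version of the Slide 37 logic as the code-behind of an ASP.NET Web Forms page in _layouts. It assumes the FBA membership and role providers are already configured (step 2), uses the UPN from the certificate as both user name and e-mail address (an assumption; the slides leave the field unnamed), and treats the Client Authentication EKU requirement and the "Visitors" role name as choices, not as anything the slides prescribe.

```csharp
// Added example (not from the presentation): hardened smart-card FBA
// login page for Option 3. Assumes ASP.NET Web Forms code-behind and
// configured Membership/Roles providers; UPN-as-email and the Client
// Authentication EKU check are assumptions, not slide content.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class SmartCardLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        HttpClientCertificate clientCert = Request.ClientCertificate;

        // IIS with "Require client certificate" should never reach this page
        // without one, but failing closed here costs nothing.
        if (!clientCert.IsPresent || clientCert.Certificate == null || clientCert.Certificate.Length == 0)
        {
            Reject("No client certificate was presented.");
            return;
        }

        var cert = new X509Certificate2(clientCert.Certificate);

        string reason;
        if (!IsChainTrusted(cert, out reason))
        {
            Reject(reason);
            return;
        }

        // Slide 28 pitfall: the user may select a certificate (for example an
        // e-mail signing certificate) that carries no UPN. Do not fall back to
        // the subject CN; reject so the account mapping stays unambiguous.
        string upn = cert.GetNameInfo(X509NameType.UpnName, false);
        if (string.IsNullOrEmpty(upn))
        {
            Reject("Selected certificate does not contain a user principal name.");
            return;
        }

        // Slide 34: provision on first use, then complete FBA without user input.
        MembershipUser user = Membership.GetUser(upn);
        if (user == null)
        {
            // The password is never used by smart-card users; make it unguessable.
            string randomPassword = Membership.GeneratePassword(32, 8);
            MembershipCreateStatus status;
            user = Membership.CreateUser(upn, randomPassword, upn, null, null, true, out status);
            if (status != MembershipCreateStatus.Success)
            {
                Reject("Account provisioning failed: " + status);
                return;
            }
            Roles.AddUserToRole(upn, "Visitors");
        }

        FormsAuthentication.RedirectFromLoginPage(upn, false);
    }

    // Builds the chain with online revocation checking for every certificate
    // in it. An unreachable CRL surfaces as RevocationStatusUnknown /
    // OfflineRevocation and makes Build() return false, which is the
    // "authentication fails if CRL is not available" behaviour from
    // Slides 28 and 35, made explicit rather than left to IIS defaults.
    private static bool IsChainTrusted(X509Certificate2 cert, out string reason)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;
        // Assumption: only certificates issued for Client Authentication
        // (EKU 1.3.6.1.5.5.7.3.2) may log in.
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2"));

        if (chain.Build(cert))
        {
            reason = null;
            return true;
        }

        var sb = new StringBuilder("Certificate chain validation failed:");
        foreach (X509ChainStatus status in chain.ChainStatus)
            sb.Append(' ').Append(status.Status).Append(';');
        reason = sb.ToString();
        return false;
    }

    // Detailed reason goes to the server log; the browser only sees a 403.
    private void Reject(string reason)
    {
        System.Diagnostics.Trace.TraceWarning("SmartCard login rejected: " + reason);
        Response.StatusCode = 403;
        Response.End();
    }
}
```

Because the revocation decision is made in code, the trade-off from Slide 28 (CRL availability versus server load) becomes a deliberate setting: X509RevocationMode.Online with EntireChain is the strict choice shown here; an environment that accepts stale CRLs would relax RevocationFlag or switch to Offline, and should log that it did so.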
Slide 38
For SmartCard authentication to work properly, it relies heavily on the surrounding Windows networking infrastructure that it resides within
SmartCard authentication can be done several different ways depending on the surrounding infrastructure
SmartCards work well when the user base understands their responsibility in upholding IA.