
Using TMG, one-time passwords and Kerberos Constrained Delegation


Access to corporate resources from external computers requires secure authentication methods. This article explains how to configure One-Time Password (OTP) pre-authentication on a Forefront TMG Web Listener and combine it with Kerberos Constrained Delegation, so that users never have to type their domain password on an untrusted machine.
In the previous article of this Kerberos Delegation series you learned how to configure Kerberos Constrained Delegation. Today I discuss pre-authentication methods that do not require the user to enter Active Directory credentials. A TMG Web Listener can pre-authenticate users with Windows (Active Directory) authentication, LDAP authentication, RADIUS or RADIUS OTP authentication, or SSL client certificate (PKI) authentication.
In the example here we use a RADIUS-based one-time password solution. It is simple, user friendly and very secure, and it is ideal for securing access to corporate resources when combined with Microsoft Forefront Threat Management Gateway (TMG) and Kerberos Constrained Delegation. I will describe how Protocol Transition works with TMG, i.e. how TMG can authenticate a user with one method (here an OTP) and then authenticate to the backend on the user's behalf with Kerberos, even though TMG never sees the user's domain password.
So what is the end-user experience when pre-authentication is used without Kerberos delegation? If you were to use RADIUS OTP pre-authentication on the TMG Listener and let the backend authenticate the user itself, the user would have to enter his OTP credentials first and then provide his Windows credentials to get access to the web server.
Why is this not good? You expose critical security information (a domain username and password, which are static) when a user has to enter domain credentials on a machine that does not belong to your corporate network. This is especially problematic in a "hostile" environment such as an internet cafe or the "mother-in-law" computer (I heard this term at a Microsoft presentation on Forefront UAG and I just had to use it). You can probably imagine the variety of threats in those environments: such a machine could run key-logging malware that collects static passwords and other information for use in a subsequent attack. A one-time password captured by a keylogger, in contrast, is worthless once it has been used.
How can a security-minded administrator make sure that users enter only OTP credentials when accessing backend HTTP/HTTPS based services? It is obvious that this cannot be achieved with Basic authentication delegation, which means passing a username and password from the TMG server to the backend server: with OTP pre-authentication TMG never receives a static password that it could forward. Working with OTP credentials therefore requires Kerberos Constrained Delegation together with Protocol Transition. TMG maps the user name validated by the RADIUS server to the corresponding Active Directory account, requests a Kerberos service ticket for the backend on that user's behalf and presents it to the backend. This only works if the OTP user name corresponds to an Active Directory account, and if the TMG computer account is trusted for delegation to the backend service using any authentication protocol.
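Kerberos Constrained Delegation with Protocol Transition has two prerequisites on the TMG computer account that are easy to get wrong: the account must be trusted to authenticate for delegation (in the GUI: "Trust this computer for delegation to specified services only" with "Use any authentication protocol"), and the backend's HTTP service principal name must be in its allowed-to-delegate-to list. The following PowerShell script is an added example, not code from the original article or from Microsoft; it checks both conditions from a domain-joined machine with the ActiveDirectory module and can optionally apply the missing settings. The computer name TMG01, the backend FQDN webapp.corp.example.com and the resulting SPN are placeholders.

```powershell
# Added example: verify (and optionally fix) the Active Directory settings a TMG
# computer account needs for Kerberos Constrained Delegation with Protocol Transition.
# Requires the ActiveDirectory module (RSAT) and rights to read/modify the account.
# TMG01 and webapp.corp.example.com are placeholders, adjust them to your environment.
param(
    [string]$TmgComputer = 'TMG01',                    # sAMAccountName of the TMG server (without the trailing $)
    [string]$BackendHost = 'webapp.corp.example.com',  # FQDN the publishing rule forwards requests to
    [switch]$Fix                                       # apply the missing settings instead of only reporting
)

Import-Module ActiveDirectory

# userAccountControl bits (see MS-SAMR / ADS_USER_FLAG):
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation, NOT what we want
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("Use any authentication protocol")

# Protocol transition lets TMG obtain a ticket for a user it authenticated by OTP (S4U2Self);
# constrained delegation limits the services TMG may present that identity to (S4U2Proxy).
$targetSpn = "http/$BackendHost"

$tmg = Get-ADComputer -Identity $TmgComputer -Properties userAccountControl, 'msDS-AllowedToDelegateTo'

# 1. Protocol transition must be enabled, unconstrained delegation should not be.
if ($tmg.userAccountControl -band $TRUSTED_FOR_DELEGATION) {
    Write-Warning "$TmgComputer is trusted for UNCONSTRAINED delegation; switch it to constrained delegation"
}
if (($tmg.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -eq 0) {
    Write-Warning "$TmgComputer is not trusted to authenticate for delegation; OTP users cannot be transitioned to Kerberos"
    if ($Fix) {
        Set-ADAccountControl -Identity $tmg -TrustedToAuthForDelegation $true
        Write-Host "Enabled protocol transition on $TmgComputer"
    }
} else {
    Write-Host "OK: $TmgComputer is trusted to authenticate for delegation"
}

# 2. The backend's HTTP SPN must be in the allowed-to-delegate-to list (-contains compares case-insensitively).
$allowed = @($tmg.'msDS-AllowedToDelegateTo')
if ($allowed -notcontains $targetSpn) {
    Write-Warning "$targetSpn is missing from msDS-AllowedToDelegateTo on $TmgComputer"
    if ($Fix) {
        Set-ADComputer -Identity $tmg -Add @{'msDS-AllowedToDelegateTo' = $targetSpn}
        Write-Host "Added $targetSpn to the delegation list of $TmgComputer"
    }
} else {
    Write-Host "OK: $TmgComputer may delegate to $targetSpn"
}

# 3. The SPN must be registered on exactly one account (the web server or its application pool identity),
#    otherwise the KDC cannot issue a ticket for the backend and the Kerberos logon fails.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$targetSpn)" -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { Write-Warning "No account has the SPN $targetSpn; register it with: setspn -S $targetSpn <account>" }
    1       { Write-Host "OK: $targetSpn is registered on $($owners[0].Name)" }
    default { Write-Warning "Duplicate SPN $targetSpn on: $(($owners | ForEach-Object { $_.Name }) -join ', ')" }
}
```

Run it without -Fix first to see what the account looks like; with -Fix it enables protocol transition and adds the SPN, which is exactly what the Delegation tab of the computer account does. The script deliberately tests the userAccountControl bits rather than the friendly TrustedToAuthForDelegation property, so that unconstrained delegation (0x80000) is flagged as well: a reverse proxy that holds tickets for every authenticated user is a poor place to allow unconstrained delegation.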
In my previous article I explained how to configure Kerberos Constrained Delegation in a Publishing Rule. In this post I describe how to configure the Listener to use OTP pre-authentication; PKI pre-authentication follows in the next article. But first TMG has to know which authentication server to query, so we define a RADIUS server in TMG. Select "Tasks" in the TMG console.
Screenshot: TMG – Configure Authentication
Locate "Configure Authentication Server settings".
A new window pops up. Click "Add" and enter the relevant information (IP address, shared secret and port). Be aware that TMG's built-in system policy rule only allows RADIUS traffic to the standard ports (UDP 1812 for authentication, 1813 for accounting); if your RADIUS server listens on a different port, you have to allow it with a separate access rule.
Screenshot: TMG – Authentication Servers
I continue by reconfiguring the Listener from the previous article. Select "Toolbox" and then click "Network Objects" in the TMG console.
Screenshot: TMG – Web Listeners
Locate and open the "Web Listeners" folder at the bottom, right-click the Listener you created in the previous article and open its properties.
Screenshot: Authentication Validation Method
Now select "RADIUS OTP" as the authentication validation method on the Authentication tab (TMG offers this option for HTML Form Authentication). You can then use this Listener in a Publishing Rule; the Publishing Rule from the previous article, with its delegation method set to Kerberos Constrained Delegation, can be used without reconfiguration. Click OK and Apply.
How does an end user experience this? When a user first accesses the URL of the published web application, he is asked to enter his OTP credentials. TMG validates them against the RADIUS server, then authenticates to the backend application with a Kerberos service ticket obtained on the user's behalf. The user has logged in using only his OTP credentials, without ever being asked for his domain credentials. In the next article I will explain how to use smart cards and PKI credentials to access published resources.
