108471 - How to use Kerberos in conjunction with SafeGuard Enterprise


The Data Security Company.

Utimaco Safeware

www.utimaco.com

Utimaco Knowledge Article

How to use Kerberos in conjunction with SafeGuard® Enterprise

Document information

Author: Corporate Technical Operations

Version: 1.00, last changes: December 30, 2008


Title: How to use Kerberos in conjunction with SafeGuard® Enterprise

Version: 1.00

Last changes: 12/30/2008

2

Contents

1 Prerequisites & Informational Links regarding CA & enrollment ... 3
2 Import of the Certificate Authority (CA) & Certificate Revocation List (CRL) ... 4
3 Configuration steps in the SafeGuard Management Console ... 6
4 Import of the User Certificates ... 9
4.1 Single import for a User Certificate ... 9
4.2 Mass import from Active Directory ... 12
4.3 Import of a User's .cer File ... 13
5 Client Authentication with Kerberos via Token ... 15
5.1 UMA (User Machine Assignment) ... 15
5.2 Token Logon After UMA (User Machine Assignment) ... 17


1 Prerequisites

1. A Microsoft (Windows Server 2003) PKI has been configured to run the enrollment station for certificates on tokens

2. The middleware / PKCS#11 software is installed on the Management Console client

3. A certificate for the user is already enrolled on a token

4. The Client Configuration Package is installed and policies are assigned to the client with the SafeGuard Management Console

5. The logon process to Windows already occurs via Kerberos

Informational links regarding Certificate Authorities & Certificate enrollment

Public Key Infrastructure for Windows Server 2003

http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

Installing and configuring a Certification Authority

http://technet.microsoft.com/en-ms/library/cc756120.aspx

Prepare a smart card certificate enrollment station

http://technet.microsoft.com/en-us/library/cc781592.aspx

Certificate enrollment using smart cards

http://support.microsoft.com/kb/257480


2 Import of the CA certificate and CRL

The CA certificate and CRL can be requested via the Certification Authority web page (https://yourserver/certsrv).

Note: At the moment, delta CRLs are not supported.


To import the CA certificate, the Sub CA certificate (if available), the CRL and the Sub CRL (if available) into the Management Console, navigate to Keys & Certificates.

Note: The certificate hierarchy (chain of trust) has to be complete.

• Click on the Import CRL button to import the CRL

• Click on the Import CA certificate button to import the CA certificate
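Since the Management Console does not accept delta CRLs, and the certsrv page offers both a base and a delta CRL for download, it is worth checking a downloaded .crl file before clicking Import CRL. The following is an added example and not part of the original article or of SafeGuard: it walks the DER structure with the Python standard library only and reports whether the Delta CRL Indicator extension (OID 2.5.29.27) is present; the sample extension blocks are constructed inline and all function names are the example's own.

```python
DELTA_CRL_INDICATOR = "2.5.29.27"   # RFC 5280 5.2.4: present only in delta CRLs
CRL_NUMBER = "2.5.29.20"            # RFC 5280 5.2.3: present in base and delta CRLs

def _read_length(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def _decode_oid(body):
    """Convert OBJECT IDENTIFIER content octets to dotted form."""
    arcs, value = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def der_oids(buf):
    """Yield every OID in a DER blob, descending into SEQUENCE, SET and [n] EXPLICIT."""
    i = 0
    while i < len(buf):
        tag = buf[i]
        length, i = _read_length(buf, i + 1)
        body, i = buf[i:i + length], i + length
        if tag == 0x06:
            yield _decode_oid(body)
        elif tag & 0x20:
            yield from der_oids(body)

def is_delta_crl(der):
    """True if the DER-encoded CRL carries the Delta CRL Indicator extension."""
    return DELTA_CRL_INDICATOR in set(der_oids(der))

# Constructed sample data (not a real CA's CRL): a tiny DER encoder builds only the
# crlExtensions block, [0] EXPLICIT SEQUENCE OF Extension, where the indicator lives.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body                  # short-form length suffices

def _oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    return _tlv(0x06, bytes([a[0] * 40 + a[1]] + a[2:]))  # all arcs < 128 here
def _extension(dotted, value, critical=False):
    flag = _tlv(0x01, b"\xff") if critical else b""
    return _tlv(0x30, _oid(dotted) + flag + _tlv(0x04, _tlv(0x02, value)))
BASE_CRL = _tlv(0xA0, _tlv(0x30, _extension(CRL_NUMBER, b"\x2a")))
DELTA_CRL = _tlv(0xA0, _tlv(0x30, _extension(CRL_NUMBER, b"\x2b")
                           + _extension(DELTA_CRL_INDICATOR, b"\x2a", critical=True)))
```

To check a real DER-encoded .crl file, pass its bytes to is_delta_crl; a True result means the file is a delta CRL and the base CRL should be downloaded instead.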


3 Configuration steps in the SafeGuard Management Console

• Create an Authentication Policy and set Logon Mode to Token or UserID/Password; Token

• Set Logon options using token to Kerberos

• Save the policy


• Create a Specific Machine Settings Policy

• Set Enable Power-on Authentication to Yes

• Set Windows cryptographic toolkits to SafeGuard Cryptographic Engine

• Select the Module name. Here, we use Aladdin eToken PKI Client. Remember that the appropriate middleware and client configuration package must be installed on the Management Console machine and that the license must include the required module. Furthermore, the machine needs the policies to be assigned.

• Save the policy


• Go to Users & Computers and assign both created policies to the OU which contains the clients for token usage. Keep in mind that the client which is used for the Management Console and token configuration also needs the policies assigned.

• Save the changes


4 Import of the User Certificate(s)

There are three ways to import the user certificate(s):

4.1 Single import for a user

• Select a user for token usage and navigate to the Certificate tab

• Click on the Assign a certificate from a token button while the user's token is plugged into the USB port of the Management Console machine


• The certificate details are shown. If not, click on Rescan Token(s)

• A successful import will be confirmed with a message in the Management Console

• Afterwards, the imported certificate is listed for the user


• Because we are using Kerberos authentication, no changes need to be made on the Token Data tab


4.2 Mass import from Active Directory

To use the Auto Import Certificates function in the Management Console, a registry key has to be imported on the Management Console machine.

Note: For more information see SafeGuard Knowledge Article 108295.


4.3 Import of a User’s .cer file

• Select a user for token usage and navigate to the Certificate tab

• Click on the Import certificate button


• Select the .cer file of the user and click OK


5 Client Authentication with Kerberos via Token

5.1 UMA (User Machine Assignment)

After the installation of the client, the client configuration package and the subsequent reboot, the POA operates in "Auto logon Mode".


Then, the user will be prompted for his Token PIN.

After entering the Token PIN, the logon process continues and the user will be assigned to the machine.


5.2 Token Logon after UMA (User Machine Assignment)

If the user token is plugged in during start-up, the POA will ask for the Token PIN. Click OK after entering the Token PIN.

After that, you will see the message: Plug in the token again to complete logon.

Note: Due to technical limitations, the token has to be unplugged and plugged in once again to continue the Single Sign-On to Windows.

After you have plugged in the token once again, the Single Sign-On to Windows will continue.


Utimaco Safeware AG

Hohemarkstrasse 22

DE-61440 Oberursel

Germany

www.utimaco.com/myutimaco

Copyright Information

© 2007 - Utimaco Safeware AG

All rights reserved.

The information in this document must not be changed without the express written agreement of Utimaco Safeware AG.

All SafeGuard products are registered trademarks of Utimaco Safeware AG. All other named trademarks are trademarks of the particular copyright holder. Microsoft, Windows and the Windows logo are trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries.