RobSilver | Posts: 0 | 07/02/2010 9:22 AM

Hi
I have a question and would be interested in anyone's past experience with this.
I have a customer who has an internal PKI (no CDPs in a DMZ etc.) and uses smartcards for login. Something you have, something you know.
There is a requirement for users to access resources such as OWA, ActiveSync etc. from the web. External-facing services are signed by a trusted root (like VeriSign). There is significant security concern with authentication and security on the web, e.g. key loggers at Internet cafes etc.
What's the general approach in a situation like this? Anyone here have to deal with something of a similar nature?
Regards,
Rob Silver <http://robsilver.org/>
dmanger | Posts: 0 | 07/02/2010 12:09 PM

Rob,
I work with a product called IdentityGuard which is a multi-factor authentication platform. One adjunct of this platform is an ISAPI filter that plugs in with IIS/ISA and Exchange to provide MFA for OWA. The filter is open and extensible, so it could leverage the IdentityGuard APIs for certificate authentication. I know that the next version of the filter will have cert-based auth available out of the box.
With regard to the certificate authentication, the IdentityGuard server will look at incoming authentication requests and, if a certificate is the primary form of second-factor auth, it will look to the internal CA for chaining, as well as look at the internal CRL to ensure the cert is valid.
Just offering up some of my experience in this area. Let me know if you have any questions.
Regards,
Doug Manger, CISSP
www.thegeekispeak.com
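As an added example (not code from the thread, from IdentityGuard, or from TMG/UAG), here is the set of checks Doug describes (chain to the internal CA, CRL lookup) together with the two an OWA front end also has to make before it maps the card to a mailbox user (Smart Card Logon EKU present, UPN in the SAN), written as a PowerShell function. It assumes the internal root CA certificate is in the Trusted Root store of the host running it and that the internal CRL is reachable from that host; the function name, its parameters and the root thumbprint are hypothetical. Revocation is checked fail-closed: a CRL that cannot be fetched is reported as a failure, which is exactly the case that bites when the CDPs are only published inside the network.

```powershell
# Added example (not from the thread): what an external authentication layer
# has to verify on a smart-card certificate before mapping it to an AD user.
# Assumes the internal root CA is in the Trusted Root store of this host and
# its CRL is reachable from here. Function/parameter names are hypothetical.
function Test-SmartCardLogonCert {
    param(
        [Parameter(Mandatory)] [string] $Path,                   # DER/PEM client certificate file
        [Parameter(Mandatory)] [string] $ExpectedRootThumbprint  # SHA-1 thumbprint of the internal root CA
    )

    $reasons = New-Object System.Collections.Generic.List[string]
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # 1. Usage: the cert must carry the Smart Card Logon EKU (and Client Authentication).
    $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) {
        $ekus = ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] $ekuExt).EnhancedKeyUsages |
            ForEach-Object { $_.Value }
    }
    if ($ekus -notcontains '1.3.6.1.4.1.311.20.2.2') { $reasons.Add('missing Smart Card Logon EKU') }
    if ($ekus -notcontains '1.3.6.1.5.5.7.3.2')      { $reasons.Add('missing Client Authentication EKU') }

    # 2. Identity: the UPN in the Subject Alternative Name is what gets mapped to the AD account.
    $upn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::UpnName, $false)
    if ([string]::IsNullOrEmpty($upn)) { $reasons.Add('no UPN in Subject Alternative Name') }

    # 3. Chain and revocation, fail closed: an unreachable CRL is a failure, not a pass.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

    $built = $chain.Build($cert)
    foreach ($status in $chain.ChainStatus) {
        # Each entry names one problem: Revoked, NotTimeValid, UntrustedRoot,
        # RevocationStatusUnknown or OfflineRevocation (CRL not fetched), ...
        $reasons.Add("chain: $($status.Status) - $($status.StatusInformation.Trim())")
    }
    if (-not $built -and $chain.ChainStatus.Count -eq 0) { $reasons.Add('chain build failed') }

    # 4. Pin the chain to the customer's own root, not merely any root trusted on this box.
    if ($built) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $expected = ($ExpectedRootThumbprint -replace '\s', '').ToUpperInvariant()
        if ($root.Thumbprint -ne $expected) {
            $reasons.Add("chains to unexpected root: $($root.Subject)")
        }
    }

    [pscustomobject]@{
        Subject = $cert.Subject
        Upn     = $upn
        Ok      = ($reasons.Count -eq 0)
        Reasons = $reasons.ToArray()
    }
}

# Usage (path and thumbprint are placeholders):
# Test-SmartCardLogonCert -Path 'C:\temp\user.cer' -ExpectedRootThumbprint '<internal-root-sha1-thumbprint>'
```

Run it from the DMZ host that will terminate the client-certificate handshake: if `Reasons` contains `RevocationStatusUnknown` or `OfflineRevocation`, that host cannot reach the internal CRL, and whatever front end is chosen (TMG/UAG, an ISAPI filter, or an MFA gateway) will need a CDP it can reach or a pushed CRL copy before card logon can be trusted from the internet.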
RobSilver | Posts: 0 | 07/02/2010 12:39 PM

Thanks Doug
I am going to look into this.
Rob Silver <http://robsilver.org/>
> From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Doug Manger, CISSP
> Sent: 02 July 2010 12:05 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Smart Card login for External OWA
dmanger | Posts: 0 | 07/02/2010 2:27 PM

Let me know if you have any questions or need further details about the filter.
robbonfiglio | Posts: 10 | 07/02/2010 3:28 PM

We have set up ISA to do smartcard authentication for us and pass the traffic back to the OWA server. Army Medicine has a configuration similar to this. (I don't know their exact configuration, but they require CAC card authentication to their OWA server from the internet.) You should find their implementation if you Google "CAC OWA"; you won't find the specifics of their implementation though.
bdesmond | Posts: 977 | 07/02/2010 4:27 PM

You need to put TMG/UAG in front to do the smartcard auth AFAIK.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
tech4steve | Posts: 17 | 07/17/2010 4:29 AM

You don't need ISA/TMG in front of OWA to do smartcard auth if you don't want to have that layer doing KCD.
spat