Because I got a few requests after my previous Belgian eID post on how to actually set this up, here is a more technical post… It’s a bit chaotic, so I hope you’ll figure the details out on your own 🙂

I’m not reinventing wheels here. All of this is loosely based on http://blog.debilloez.net/2010/12/ad-authentication-with-be-eid.html , http://setspn.blogspot.be/2014/10/configure-windows-logon-with-electronic.html , https://social.technet.microsoft.com/Forums/office/en-US/4eae5d60-c90c-4238-82b7-67b0ac261b8e/eid-login-for-domain?forum=winserversecurity , https://blogs.msdn.microsoft.com/spatdsg/2008/04/17/smartcard-in-2008-and-vista-national-id-card-no-upn-no-eku-no-problem/ and there even was a Word document I can’t seem to find anymore…

You can have this up and running in less than an hour.

Requirements:

  • Active Directory Domain Services
  • Active Directory Certificate Services with an Enterprise CA (ideally this role is NOT installed on your DC…)
  • Some server or workstation where you want your users to log on (a Windows desktop, a Terminal Server, IIS, …)

Configuration

Forest/Domain

Basically, the certificate chain consists of end-entity -> intermediate (Citizen CA or Foreigner CA) -> root (Belgium Root CA, which is itself also signed by GlobalSign; FEDICT issued two roots).

Root needs to be in “Trusted Root Certification Authorities”, intermediate needs to be in “Intermediate Certificate Authorities” of all involved machines: DC, client, server.

Download all useful certificates from http://certs.eid.belgium.be/ (please script this)

“useful” meaning:

  • non expired root certificates
  • all non expired citizen intermediate certificates
  • (foreigner if your use case needs this)

For easy deployment: create a new group policy and add the roots to “Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities” and the intermediates to the “Intermediate Certification Authorities” store in the same location.

Deploy this GPO to all servers involved: Domain Controllers, IIS, RDP, …
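The “please script this” part, as an added example that is not part of the original post: the script below takes a folder of CA certificates downloaded from http://certs.eid.belgium.be/, drops expired ones, and imports each into the right local machine store (self-signed means root, anything else means intermediate). The folder path C:\eid-certs, the IncludeForeigner switch and the “Foreigner” subject match are assumptions; it needs the PKI module (Windows 8 / Server 2012 or newer) and an elevated prompt.

```powershell
# Added example: import the downloaded eID CA certificates into the local machine stores.
# Assumption: the .crt files from http://certs.eid.belgium.be/ were saved to C:\eid-certs.
param(
    [string]$CertFolder = 'C:\eid-certs',
    [switch]$IncludeForeigner   # also import the "Foreigner CA" intermediates
)

$now = Get-Date
$result = foreach ($file in Get-ChildItem -Path $CertFolder -File | Where-Object { $_.Extension -in '.crt', '.cer', '.der' }) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName

    # Only non-expired certificates are useful for logon; an expired CA just produces chain errors.
    if ($cert.NotAfter -le $now) {
        Write-Warning "Skipping expired certificate: $($cert.Subject) (expired $($cert.NotAfter.ToShortDateString()))"
        continue
    }
    # The foreigner chain is only needed when non-citizen cards must log on (subject match is an assumption).
    if ($cert.Subject -like '*Foreigner*' -and -not $IncludeForeigner) { continue }

    # Self-signed (subject == issuer) is a root; everything else goes to the intermediate store.
    $store = if ($cert.Subject -eq $cert.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }

    Import-Certificate -FilePath $file.FullName -CertStoreLocation $store | Out-Null
    [pscustomobject]@{
        Store      = $store
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

$result | Sort-Object Store, Subject | Format-Table -AutoSize
```

Run it on the DC, the target server and the client, or feed the same files to the GPO stores described above (there is no Group Policy cmdlet for that, so that part stays a GPMC click). Afterwards, verify that the chain really builds on that machine with an exported authentication certificate: certutil -verify -urlfetch exported-auth.cer should end without “revocation” or “untrusted root” errors; if it cannot fetch the CRL from the DC, that is exactly the situation the CRL registry keys further down paper over.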

ADCS

Make sure the “Kerberos Authentication” certificate template is available to Domain Controllers on your freshly installed CA, that the DCs have actually enrolled for it, and that the certificate shows up in certlm.msc (Kerberos Authentication is the newer version of the Domain Controller Authentication template, which itself replaced the very original Domain Controller template; any one of them is good enough). certutil -dcinfo verify checks the DC certificates from a client. Make sure your PKI in general is healthy (pkiview.msc).

DC

Create a user.

Export the authentication certificate from the smart card (either with the eID Viewer or via certmgr.msc once the middleware has propagated it there).

The mapping of a Belgian eID to an Active Directory user is done in Active Directory Users and Computers (dsa.msc). Go to the user, right-click, Name Mappings, X.509 Certificates, and add the exported eID authentication certificate there. Under the hood this writes an X509:<I>issuer<S>subject entry to the user’s altSecurityIdentities attribute; the eID certificate carries no UPN, so this explicit mapping is the only thing tying the card to the account.
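The same mapping from PowerShell, as an added example that is not part of the original post. It produces the issuer/subject entry the dsa.msc dialog writes, but also the issuer/serial-number form that Microsoft classes as a strong mapping since KB5014754 (domain controllers have been moving towards rejecting the weak subject-based forms), and writes the strong one. The file path C:\temp\jan-auth.cer and the account jan.janssens are assumptions; it needs the ActiveDirectory module and write access to the user object.

```powershell
# Added example: write altSecurityIdentities for an eID authentication certificate.
# Assumptions: certificate exported to C:\temp\jan-auth.cer, AD account jan.janssens.
Import-Module ActiveDirectory

function ConvertTo-AdDn {
    # altSecurityIdentities wants X.500 order (C=BE,...,CN=...), the reverse of what certmgr shows,
    # with no spaces after the commas. Format($true) yields one RDN per line, so an RDN value
    # that itself contains a comma is not split apart.
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    $rdns = @($Name.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
    [array]::Reverse($rdns)
    return ($rdns -join ',')
}

function Get-AltSecurityIdentities {
    param([string]$CertPath)
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $issuer = ConvertTo-AdDn $cert.IssuerName

    # Legacy mapping, identical to what the Name Mappings dialog writes: issuer + subject.
    $weak = "X509:<I>$issuer<S>$(ConvertTo-AdDn $cert.SubjectName)"

    # Strong mapping (KB5014754): issuer + serial number, with the serial in reversed byte order.
    $serialBytes = @([regex]::Matches($cert.SerialNumber, '..') | ForEach-Object { $_.Value })
    [array]::Reverse($serialBytes)
    $strong = "X509:<I>$issuer<SR>$($serialBytes -join '')"

    [pscustomobject]@{ Weak = $weak; Strong = $strong; NotAfter = $cert.NotAfter }
}

$mapping = Get-AltSecurityIdentities -CertPath 'C:\temp\jan-auth.cer'
$mapping

# -Add rather than -Replace, so mappings for other cards on the same account survive.
Set-ADUser -Identity 'jan.janssens' -Add @{ altSecurityIdentities = $mapping.Strong }
Get-ADUser -Identity 'jan.janssens' -Properties altSecurityIdentities |
    Select-Object -ExpandProperty altSecurityIdentities
```

Two things to keep in mind: every mapping (weak or strong) is tied to one physical card, so it has to be redone when the citizen gets a new eID, and whoever can write altSecurityIdentities on an account can log on to it with any certificate from the trusted Belgian chain, so treat write access to that attribute like a password reset right.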

 

The DCs also need a registry change:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001

 

Note: the 2017 (and newer) Belgian eIDs no longer need AllowCertificatesWithNoEKU and AllowSignatureOnlyKeys, because their authentication certificate carries the correct Client Authentication EKU; older eIDs do need them.
The CRL keys are only there to keep logon working when the DC cannot reach the eID CRL distribution points; if outgoing network access from the DCs allows it, leave them out. With UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors the KDC accepts a card whose revocation status it could not determine, so a lost or stolen card that was already revoked stays usable until a fresh CRL happens to be cached.

Target

IIS/Terminal Server/Windows logon

Always install the eID middleware, download from https://eid.belgium.be/

And set the same registry keys again:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001

Same notes on the registry keys as above; for the newest eIDs only ForceReadingAllCertificates is really required.
ForceReadingAllCertificates is needed because the smart card contains two certificates, and without it Windows only reads the first (signature) one.

Windows Logon

You can use an eID for regular logon on a physical machine with a reader (think Cherry keyboards with a built-in reader, or terminals).

On the lock screen, choose the smart card sign-in option and enter the card’s PIN.
The rest should be self-explanatory.

RDP host

It’s best to put an RD Gateway in between, as NLA sometimes blocks smart card logon (disabling NLA also works, but is not recommended).

Under normal operation, use mstsc to connect to the RDP host; in the authentication window select the correct (authentication) certificate from the smart card and log on.

Once connected, you’ll notice a 1-4 second delay while the reader is redirected over the RDP connection, after which the logon occurs.

On the computer you are using to connect to the RDP host, also set the registry keys and install the eID middleware (the driver for the smart card); see the Client section below for more info.

IIS

To be updated…

Basically, use iisClientCertificateMappingAuthentication, which has to be installed as an additional IIS feature (IIS Client Certificate Mapping Authentication), and map the certificates to users from there. It’s also possible to do the mapping directly in ASP.NET. I will update this part if I find some time.

Client

The machine you’re actually working on, and connecting to the servers above.

Install the eID middleware, download from https://eid.belgium.be/

The chip on the eID itself contains two certificates: one meant for signing, one for authenticating.

By default, Windows only reads one certificate from a smart card and tries to authenticate with that one. On the Belgian eID this is the signature certificate (and, on pre-2017 cards, it has the wrong EKU). So we need to configure the Windows client to actually read both certificates and to allow certificates without a Client Authentication EKU… (Note: on the 2017 eIDs the correct EKU, Client Authentication, is actually set, but still only on the second certificate.)

Registry keys!

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider]
"AllowCertificatesWithNoEKU"=dword:00000001
"AllowSignatureOnlyKeys"=dword:00000001
"ForceReadingAllCertificates"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
"CRLTimeoutPeriod"=dword:00000001

Also, same comments on regkeys as earlier.

Limitations

There are some limitations to this solution, such as the manual certificate-to-user mapping, deploying the eID CA certificates to all servers, handling exceptions when someone loses their eID, etc…

At tSF we did try to address those limitations, using extra authentication policies that grant a user who forgot their smart card an exception, and by building some extra tools to make managing all this a lot easier.

But of course I can’t share those… =)

The other way around: if you’re interested, you’re always free to contact tSF: https://www.thesecurityfactory.be 😉

 


I hate backups, I really do… Even more than I hate printers 🙂

But, as recent events proved again, you definitely need one… Whether it’s because of a virus or ransomware, a failing hard disk, or just because you deleted something (why would you delete something?)

I’ve been looking around for a good off-site backup for ages, but never found a “good” (read: cheap) one… If you look at cloud-hosted backup solutions such as Backblaze, CrashPlan, …, you’re always going to spend more than $50 yearly… (http://www.pcmag.com/article2/0,2817,2288745,00.asp)
I always figured, yeah, that’s the price of a physical disk you can keep forever…

Anyway, next issue: backup software… If someone can point me to a tool that just actually works… PLEASE be my guest…
In the past I’ve used the built-in Windows one… But that one failed terribly, resulting in me losing a lot of pictures… 😦

One of my last interests was backing up to Amazon’s Glacier service… But I never took the actual step.

 

Last week, I took two steps!

 

Azure Simple File

https://azure.microsoft.com/en-us/services/storage/files/

A couple of months ago, a new “feature” was made available on Azure. Basically it’s just an old-school file server in an Azure datacenter… Meaning: accessible over SMB 🙂

\\<storageaccount>.file.core.windows.net\<share> and you’re good to go!
Jieehaa!
No shitty REST interfaces! 🙂

It’s SMB 3.0, so authentication, encryption and data integrity are handled by the protocol 🙂 (hey, you’re communicating over a public network, of course you’ll need that!)

Having a “regular” interface to the cloud opens possibilities… But, bringing me back to my earlier point of having the right tool for the job…
I don’t trust the file-history any more, so I’m looking around for other tools…

Currently running Iperius -> http://www.iperiusbackup.com/
Curious how that’s going to turn out…
It doesn’t have a restore option? WTF?


Azure Backup

https://azure.microsoft.com/en-us/services/backup/

Another service I’m testing on Azure is the Backup functionality.

It comes with a client application. Install, configure, select data and you’re good to go! This app definitely impressed me!

I know it says “failed”: one of the big issues with cloud storage is your upload speed… As I’m only a Belgian internet user, I’m stuck with a 5 Mbit upload rate over ADSL… So uploading 120 GB takes forever (forever being 2.5 days). So, on a daily schedule, after a day the previous backup still hasn’t finished 🙂
http://beta.speedtest.net/result/4976075067

Big plus, I crossed my “downloadlimit” uploading 650GB on backup data 😦
JEEEEJ CLOUD

Did I tell you it’s slow as hell?
And you have to pay extra for outbound network traffic, aka: to restore data you have to pay more…

I’m even considering installing this on all computers from my family!

Ok, let’s get it over with. Once and for all a decent how-to to setup Authentication Mechanism Assurance (AMA) in Active Directory Domain Services…

The last time I talked about this was when I had just found out about its existence at TechEd, in a talk by Hasain Alshakarti and Marcus Murray.

It basically gives you different group memberships depending on whether you logged in with a regular username/password or with a smart card. If you log in with a password you’re a normal user; when you log on with a smart card you’re an admin! 🙂

The Microsoft step-by-step guide however is a bit long, and a bit clumsy… So here a quick rewrite 🙂

➡ Required components: a Windows Server, a PKI (or the default one in AD DS, whatever), a domain functional level of Windows Server 2008 R2 or higher, and some time.

CA Templates

First, we’ll have to create a new certificate template.
Open the certificate template management console, and go to the templates.

Let’s start by duplicating the “Smartcard Logon” template. Choose Windows Server 2008 R2 for everything (CA and certificate recipient compatibility).

This default template is good enough; only one little thing needs to change.

Open the template, go to the Extensions tab, and you’ll see the Issuance Policies extension. Here you’ll need to add a new one.

Give it a useful name, for example “server admin” or whatever.

This extra extension (the issuance policy OID) will now end up in the actual enrolled certificate…

Mapping

Next we’ll need to teach AD DS how to map that extension to an actual security group. This can be done using the weird PowerShell script provided by Microsoft, but let’s do it manually here (it goes way faster!)

The link between the OID we just created and a security group is a property of the issuance policy object, which lives in the Configuration partition of AD DS. Open it either with ADSI Edit or the Active Directory Sites and Services MMC (View > Show Services Node).

We’re working under Services, Public Key Services, OID; that’s where all the policies are stored. Look for the OID object of the policy we created earlier (add the displayName column to the MMC view to make your life easier).

Once you’ve found the correct object, right-click it, open the attributes, and search for the “msDS-OIDToGroupLink” attribute.

⭐ This is the magic attribute ⭐

Fill in the DN of the security group. It has to be a universal security group; the directory rejects the link for any other group type.
And you’re good to go!

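The same msDS-OIDToGroupLink edit from PowerShell, as an added example that is not part of the original post (and not Microsoft’s script): it looks the issuance policy up by its display name under the OID container, refuses anything but a universal security group, and writes the link. The policy name “server admin” is the one from the text; the group name “Smartcard Admins” is an assumption.

```powershell
# Added example: link an issuance policy OID to a universal security group (Authentication Mechanism Assurance).
# Assumptions: issuance policy display name "server admin", group "Smartcard Admins".
Import-Module ActiveDirectory

function Set-IssuancePolicyGroupLink {
    param(
        [Parameter(Mandatory)][string]$PolicyDisplayName,
        [Parameter(Mandatory)][string]$GroupName
    )
    # AMA only accepts a universal security group; check before AD DS throws a less helpful error.
    $group = Get-ADGroup -Identity $GroupName
    if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
        throw "$GroupName must be a universal security group (it is $($group.GroupScope) / $($group.GroupCategory))"
    }

    # Issuance policies are msPKI-Enterprise-Oid objects under the OID container of the Configuration partition.
    $oidContainer = 'CN=OID,CN=Public Key Services,CN=Services,' + (Get-ADRootDSE).configurationNamingContext
    $policy = Get-ADObject -SearchBase $oidContainer `
        -LDAPFilter "(&(objectClass=msPKI-Enterprise-Oid)(displayName=$PolicyDisplayName))" `
        -Properties 'displayName', 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
    if (-not $policy) { throw "No issuance policy named '$PolicyDisplayName' found under $oidContainer" }
    if (@($policy).Count -gt 1) { throw "More than one policy named '$PolicyDisplayName'; link by DN instead" }

    # This is the attribute the ADSI Edit / Sites and Services click sets.
    Set-ADObject -Identity $policy.DistinguishedName -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

    # Read it back, including the OID that ends up in the issued certificates.
    Get-ADObject -Identity $policy.DistinguishedName -Properties 'displayName', 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink' |
        Select-Object 'displayName', 'msPKI-Cert-Template-OID', 'msDS-OIDToGroupLink'
}

Set-IssuancePolicyGroupLink -PolicyDisplayName 'server admin' -GroupName 'Smartcard Admins'
```

To check the result, enrol a certificate from the template, log on with the smart card and run whoami /groups: the linked group is in the token; log on with the password and it is not. The membership lives in the Kerberos ticket obtained with the certificate, so sessions that were already open don’t gain it and NTLM logons never see it. And since the group now follows the certificate rather than the member list, anyone who can enrol that template (or anyone controlling the CA) is effectively a member: lock down the template’s Enroll permission and the CA as tightly as the group itself.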

The next steps are of course enrolling and issuing the certificate template to the right users, but I hope you know how that works 😉
From here on you can put it on a (virtual) smart card and start using it!

 

Because there still is a huge lack of documentation about Microsoft AD RMS, here are some hints and tricks!

  • First thing: irmcheck! Go use it!
  • Always check the NTFS ACL permissions on the server-side .asmx files.
  • The SQL connection string is located in the registry:
    http://technet.microsoft.com/en-us/library/ff660033%28v=ws.10%29.aspx
  • MSIPC (RMS client 2.0 in Windows 8 and Office 2013) caches in the registry and in %localappdata%:
  • REGISTRY:\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<Server Name>\Template (HKCU or HKLM)
  • %localappdata%\microsoft\msipc
    Hint: you can delete the overly long file names with “rmdir MSIPC /s” in cmd (for some reason it doesn’t work in PowerShell)
  • Advanced troubleshooting on OSI layer 7: Fiddler! (enable HTTPS decryption) Really, put it in between! You’ll get far more useful error messages than “cannot connect to the server” or “cannot use this feature without credentials”…
    Even better, go Wireshark (note: you’ll be doing an SSL MITM on your own traffic here…)!
  • The older MSDRM (RMS client 1) puts everything in %localappdata%\Microsoft\DRM. There you can find your user and machine certificates, and the templates.
    Registry keys are under REGISTRY:\software\microsoft\msdrm
  • Always check the IIS certificates! If there’s something wrong there, nothing will ever work!

Please, open them up: they’re just XML-based and contain a lot of information! For example, in the GIC file you can confirm your RMS location. Don’t bother trying to modify them, they’re signed… But you definitely should check them for having :443 in their URLs (check this article)
GIC (Group Identity Certificate) = RAC (Rights Account Certificate)
CLC (Client Licensor Certificate)
CERT-Machine = SPC (Security Processor Certificate)

More about those 3 files in here

  • When you need to go deeper, use DebugView (or something newer: TraceSpy). This works for both MSDRM and MSIPC, server-side and client-side.
  • Go and check the Windows event logs. The RMS client doesn’t actually log anything there, but they can be a good source of information anyway!

Another story standing since November 2012 (lol 😀 ).
The only thing that has changed: ARR (read on) is now officially supported by Microsoft!
They’re even almost/perhaps/maybe/theoretical/optional considering it as a successor for TMG2010 😛

Anyway, this post is not entirely correct. What we were trying to do was reverse proxy to a sub-directory. That didn’t work…
But you can get some feeling for the possibilities of IIS’s ARR.

3 days later, but I solved this terrible situation…

The story

Our current website http://www.smartsys.be runs on an ASP.NET-powered CMS called “umbraco” (url).
So that means it needs IIS and MS SQL accordingly…

Second part of the story: we want to introduce a blog with our success stories!
Blog software of choice, number one: WordPress (of course 🙂 )

But, as we all know, WordPress runs on PHP and not ASP, and needs its own accompanying database…

The options:

  1. install PHP/FastCGI on IIS, mess around with its config, use MS SQL as backend DB, and run everything in IIS…
  2. use Apache for both reverse proxying and serving the WordPress pages
  3. let IIS serve our umbraco web pages and set it up as a reverse proxy for Apache!

So, in the end, we only tried the last two options.
I didn’t actually want to try and install PHP in IIS and maybe mess up our actual web service…

The result

Apache as reverse proxy didn’t end very well…
Actually, it didn’t work at all…
No idea why, didn’t put much effort in it…

On the other hand, IIS as reverse proxy wasn’t easy as well…
It took almost 3 days to figure out what went wrong, how to avoid it from happening, and in the end: how to solve it!
note: not 3 full days, but “some time during 3 days” ^^

How!

So, a little how-to:

First of all, you need IIS; just enable the feature on your Windows or Windows Server.
Secondly, you need “Application Request Routing”. You can download and install this without taking down your website.
This module is officially supported by Microsoft!

So, when both are installed, you can start configuring…

Enable ARR for your server: select your server in IIS Manager, open Application Request Routing under the IIS section, choose “Server Proxy Settings” from the Actions pane, tick “Enable proxy” and press Apply.

Secondly, we can start reverse proxying!

Select your site, in our example the “Default Web Site”, and open the “URL Rewrite” module.
Here is where the magic should happen!

You can easily add a new rule by clicking “Add Rule(s)…”. In our case we choose “Reverse Proxy”.

Next, enter the address of your destination server, in our case “http://localhost:8080/test/”.
Also, in the case of WordPress (very important): enable the outbound rules; these rewrite the responses coming back from the backend…

One of the main issues that took so long to understand was a redirection loop: WordPress itself tries to redirect you to its configured URL, while IIS rewrites the request to the WordPress folder, resulting in endless 301 redirects… So, watch out here!
At first I believed I could fix it by changing the config in WordPress, and I spent too long trying to fix it that way. In the end (and that’s what we’re doing in this manual), letting IIS handle all of the reverse proxy work does the job…

So after adding this rule, we need to correct it somewhat.
The default settings are not really good enough (maybe in your case they are!)

So, let’s have a look at the inbound rule. Just open it.
I’m going to change the “Pattern” IIS filters on from “(.*)” to “^test/(.*)”. This makes the rule match only requests for “blog.smartsys.be/test/…”, instead of proxying the whole site.

Secondly, you have to append {R:1} to the “Rewrite URL”. Otherwise things like http://blog.smartsys.be/test/wordpress/wp-admin/index.php would never work. {R:1} is just the part of the original request captured by the (.*) that gets forwarded to the rewritten URL…

That’s it, apply and close. Next we’ll have a look at the outbound rule.

So, the big problem with WordPress is redirection. So, in the end, I made it undetectable for WordPress that it’s being reverse proxied: from WordPress’ point of view, it’s just running on localhost:8080.

This implies we need to rewrite localhost:8080 to something externally available, in our case “blog.smartsys.be”…
This is where the “outbound rule” comes in!

I just modified some parts of the default configuration that the “Add Reverse Proxy” wizard created earlier.

At first: match all content!
The pattern should be “^http(s)?://localhost:8080/(.*)”
And action value becomes: “http://blog.smartsys.be/{R:2}”
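What the wizard clicks above end up as in the site’s web.config, as an added example that is not part of the original post: the narrowed inbound rule with {R:1}, the outbound rule over the whole HTML body, plus one extra outbound rule for the Location header, which is where the 301 redirects from WordPress carry the internal hostname (a body rewrite alone doesn’t touch headers). Hostnames and the /test/ path are taken from the post; the rule and precondition names are assumptions.

```xml
<!-- Added example: web.config fragment for the Default Web Site (system.webServer/rewrite). -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound: only /test/... is proxied; {R:1} carries the rest of the path to Apache. -->
        <rule name="WordPressReverseProxy" stopProcessing="true">
          <match url="^test/(.*)" />
          <action type="Rewrite" url="http://localhost:8080/test/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound 1: rewrite localhost:8080 anywhere in an HTML body (filterByTags="None" = match all content),
             so WordPress can keep believing it runs on localhost:8080. -->
        <rule name="WordPressRewriteBody" preCondition="ResponseIsHtml">
          <match filterByTags="None" pattern="^http(s)?://localhost:8080/(.*)" />
          <action type="Rewrite" value="http://blog.smartsys.be/{R:2}" />
        </rule>
        <!-- Outbound 2: the 301s WordPress sends carry the internal host in the Location header; fix those too. -->
        <rule name="WordPressRewriteLocation" preCondition="IsRedirect">
          <match serverVariable="RESPONSE_Location" pattern="^http(s)?://localhost:8080/(.*)" />
          <action type="Rewrite" value="http://blog.smartsys.be/{R:2}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
          <preCondition name="IsRedirect">
            <add input="{RESPONSE_STATUS}" pattern="^3[0-9][0-9]" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two caveats: outbound rules cannot rewrite a compressed body, so either switch off gzip (mod_deflate) on the Apache side or strip the Accept-Encoding header in the inbound rule; and keep the inbound pattern anchored to ^test/ as above, because a bare (.*) in front of an absolute URL turns the whole site into a pass-through to the backend.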

So, I hope you don’t spend any time on trying to let wordpress fix it (because it won’t), just let IIS do all the work!

AD FS, STS, SSO, claims, realms, tokens, SAML, WS-Federation, WS-Security, … All these fuzzy terms that were thrown at me last month…

The project was to implement AD FS (see title) in our environment.
The sole purpose of AD FS is to create a “single sign-on experience” between applications: sign on to any website, and you can visit all the other websites with that same account! (Only the trusted websites, that is, of course…)
There are claims-aware integrations for Exchange OWA and SharePoint. You can use it natively in custom and cross-platform applications, on Microsoft Azure and, in our case, Office 365.
And because it’s based on open standards, you don’t have to use .NET; you can use Java (jeej) as well! Or even PHP -> http://code.google.com/p/simplesamlphp/.
As long as your application speaks SAML, you’re good to go!

So, all mentioned abbreviations also have a meaning! And if you want to know what it means and what their purpose is, read this article on msdn!

A more “conceptual” article you can read: A Guide to Claims-Based Identity and Access Control (2nd Edition)
Especially the part about “the airport” explains a lot 😛

Some more “academic” OASIS articles on WS-Trust and WS-Federation

And if you want to know more about WSDL, just read wikipedia 🙂