Configuring two-factor authentication in SP1
Updated: February 1, 2011
Applies To: Unified Access Gateway
Forefront UAG DirectAccess supports standard user authentication using a user name and password. For greater security, you can implement as a requirement, two-factor authentication which provides improved security because it requires the user to meet two authentication criteria: a user name and password combination and a token or certificate.
For relevant planning information, see Planning for authentication in Forefront UAG DirectAccess SP1 (https://go.microsoft.com/fwlink/?LinkId=205664).
Configuring two-factor authentication
Forefront UAG DirectAccess can be configured to enable the following types of two-factor authentication:
PKI smart card—This scenario requires a user to insert a smart card in addition to typing in their user credentials. Smart card authentication prevents an attacker who acquires a user’s password (but not the smart card) from connecting to the intranet.
One-time password (OTP)—This scenario method requires a user to authenticate with an RSA SecurID or with a RADIUS authentication server.
This following describe how to select and configure two-factor authentication.
Configuring PKI smart card authentication
Configuring one-time password authentication
Configuring PKI smart card authentication
It is recommended that you have a PKI smart card deployment in your organization before configuring the PKI smart card authentication option.
To configure PKI smart card authentication
Under Step 2, under Optional Settings, click Two-Factor Authentication. The Client Authentication page appears.
Select Require two-factor authentication, click Clients will log on using a PKI smart card, and then click Finish.
Configuring one-time password authentication
The following are required to deploy two-factor authentication:
An RSA SecurID, or a RADIUS authentication server configured to work with Forefront UAG.
A dedicated Certification Authority (CA) server for OTP. (Multiple CA clusters can be configured for failover support.)
Note
The dedicated OTP CA prerequisites are:
- It cannot be the CA that issues the certificates for IPsec authentication, or one of its parent CAs.
- It cannot be the CAs configured as part of a Network Access Protection (NAP) deployment, or one of their parent CAs.
- It must be an Enterprise CA running Windows Server 2008 R2.
- It is recommended that the CA is not installed on the Forefront UAG DirectAccess server.
- It cannot be the CA that issues the certificates for IPsec authentication, or one of its parent CAs.
The dedicated CA certificate templates must be configured for Forefront UAG DirectAccess OTP.
Note
The Forefront UAG DirectAccess Configuration Wizard can create a script that configures the CA certificate templates for you, or alternately you can use preconfigured CA certificate templates.
The following describe the steps required to configure OTP:
Configuring connectivity between a Forefront UAG server and an RSA SecurID authentication server.
Selecting an authentication server
Selecting a CA server
Configuring the CA templates
Manually configuring preconfigured OTP certificate templates (Optional)
Configuring connectivity between a Forefront UAG server and an RSA SecurID authentication server.
Before you can use an RSA SecurID authentication server for one-time password authentication, connectivity must be established between the Forefront UAG server and the RSA SecurID authentication server.
To configure connectivity between a Forefront UAG server and an RSA SecurID version 7.1 authentication server
Open the RSA Management Console from Internet Explorer and in the RSA Management Console do as follows:
Add the Forefront UAG server as an Authentication agent.
Generate a configuration file, click Download now, and when prompted save the configuration file on the Forefront UAG server desktop.
Extract the downloaded file to C:\Windows\System32.
In the RSA Management Console, verify that a configured user has been granted access to the authentication agent.
To configure connectivity between a Forefront UAG server and an RSA SecurID version 6.0 authentication server
Define the Forefront UAG DirectAccess server as an Agent Host with agent type of Net OS Agent.
Activate users on the Forefront UAG DirectAccess agent host.
Copy sdconf.rec to C:\Windows\System32.
Note
When the sdconf.rec file on the Forefront UAG DirectAccess server is replaced with a new sdconf.rec file, you must restart the Forefront UAG DirectAccess server. For example when the IP address or the port number of the RSA SecurID authentication server is changed and a new sdconf.rec file is generated. When you have an array configured, the sdconf.rec file must be copied to all array members and each array member must be restarted.
To configure connectivity between a Forefront UAG server and a RADIUS authentication server
In the RADIUS Management Console, configure the Forefront UAG DirectAccess server as a RADIUS client.
Configure an encryption secret key.
Ensure that the secret key is entered when adding the RADIUS authentication server on the Client Authentication page of the Two-factor Authentication Optional Settings Wizard.
Selecting an authentication server
DirectAccess clients are authenticated against an RSA SecurID or a RADIUS authentication server. User credentials are sent to the authentication server through the Forefront UAG DirectAccess server.
To select an RSA SecurID or a RADIUS authentication server
Under Step 2, under Optional Settings, click Two-Factor Authentication. The Client Authentication page appears.
Select Require two-factor authentication, click Clients will authenticate using a one-time password (OTP) , and then click Next. The OTP Authentication page appears.
Select an authentication server, or click Add to add a new authentication server. The Add Authentication Server dialog box appears.
Note
- Although the Forefront UAG DirectAccess Configuration Wizard allows you to add more than one RSA SecureID authentication server, authentication of OTP users can only take place with one RSA SecureID authentication server. This is the server that generated the sdconf.rec file copied to the C:\Windows\System32 folder on the Forefront UAG DirectAccess servers.
- The Forefront UAG DirectAccess Configuration Wizard only supports the adding of authentication servers. To edit and delete authentication and authorization servers, from the Forefront UAG Management console on the Admin menu, click Authentication and Authorization servers and perform the required action.
- Although the Forefront UAG DirectAccess Configuration Wizard allows you to add more than one RSA SecureID authentication server, authentication of OTP users can only take place with one RSA SecureID authentication server. This is the server that generated the sdconf.rec file copied to the C:\Windows\System32 folder on the Forefront UAG DirectAccess servers.
On the Add Authentication Server dialog box:
To add an RSA SecurID authentication server, in Server type, select RSA SecurID, and configure the following authentication server settings:
Server name—The name of the server or repository. This name is used when you select the server or repository during the configuration of Forefront UAG.
IP address/host—IP address or host name of the RSA SecurID server.
Note
When activating the Forefront UAG configuration, you may receive a warning message that the server name cannot be resolved. This can occur when the following is true:
- You enter the FQDN of the RSA SecurID authentication server
- The RSA SecurID authentication server is only resolvable to an IPv6 address
- You enter the FQDN of the RSA SecurID authentication server
Port—Port number of the RSA SecurID server.
Alternate IP/host—IP address or host name of the alternate RSA SecurID server. (Optional)
Alternate Port—Port number of the alternate RSA SecurID server. (Optional)
To add a RADIUS authentication server, in Server type, select RADIUS, and configure the following authentication server settings:
Server name—The name of the server or repository. This name is used when you select the server or repository during the configuration of Forefront UAG.
IP address/host—IP address or host name of the RADIUS server.
Note
When activating the Forefront UAG configuration, you may receive a warning message that the server name cannot be resolved. This can occur when the following is true:
- You enter the FQDN of the RADIUS authentication server
- The RADIUS authentication server is only resolvable to an IPv6 address
- You enter the FQDN of the RADIUS authentication server
Port—Port number of the RADIUS server.
Alternate IP/host—IP address or host name of the alternate RADIUS server. (Optional)
Alternate Port—Port number of the alternate RADIUS server. (Optional)
Secret key— The secret key that will be used to encrypt and decrypt the user password. This key must be identical to the secret key assigned for the DirectAccess clients in the RADIUS authentication server.
Click OK.
If you require that intranet access will be granted to the DirectAccess client, only if the user name on the authentication server used in the OTP login matches the Active Directory user name of the currently logged-in user, select Require OTP user names to match Active Directory user names, and then click Next. The OTP CA Servers page appears.
Selecting a CA server
You must install a dedicated CA server before configuring OTP. You can configure the Forefront UAG DirectAccess Configuration Wizard to create a script that automatically configures the selected CA certificate templates, or alternately you can use pre-configured CA certificate templates.
For more information on the CA server requirements for OTP, see Planning for authentication in Forefront UAG DirectAccess SP1 (https://go.microsoft.com/fwlink/?LinkId=205664).
To select a CA server and define how the certificate templates are configured
On the OTP CA Servers page, click Add. The Add a CA Server dialog box appears.
In the Add a CA Server dialog box, click Browse, select the CA, and then click OK two times.
Note
The displayed list automatically filters out CAs which cannot be used for OTP authentication, as explained above in Configuring one-time password authentication.
Select I want to deploy a UAG DirectAccess script to configure CA templates, or I want to use existing CA templates located on the CA servers, and then click Next. The OTP CA Templates page appears.
Note
- If you select I want to deploy a UAG DirectAccess script to configure CA templates, when you apply the OTP CA configuration script, all existing CA templates are deleted from the selected CA servers.
- If you select I want to use existing CA templates located on the CA servers, you must ensure that your CA meets all the OTP CA requirements as described in Planning for authentication in Forefront UAG DirectAccess SP1 (https://go.microsoft.com/fwlink/?LinkId=205664).
- If you select I want to deploy a UAG DirectAccess script to configure CA templates, when you apply the OTP CA configuration script, all existing CA templates are deleted from the selected CA servers.
Configuring the CA templates
OTP CA templates must be configured with specific configuration settings. You can use an OTP CA configuration script to configure your OTP CA templates, or you can manually select preconfigured OTP CA templates.
To configure CA templates using a Forefront UAG DirectAccess generated script
On the OTP CA Templates page, select the CA template permissions as follows:
Limit access to UAG DirectAccess—Only Forefront UAG DirectAccess servers have permissions to enroll the CA templates.
Use a dedicated security group—Only members of the specified security group have permissions to enroll the CA templates. To select a dedicated security group, click Browse, select a security group, and then click OK.
Note
The security group must contain all the Forefront UAG DirectAccess servers.
Enter a Valid certificate lifetime.
Note
- It is recommended that you configure a valid certificate lifetime of 8 hours.
- The valid certificate lifetime cannot exceed 24 hours.
- After the certificate lifetime has expired, no new Security Associations (SAs) are created.
- It is recommended that you configure a valid certificate lifetime of 8 hours.
Select Enable certificate renewal with the number of days the certificate should be automatically renewed. This can for be used in organizations that do not have a policy where client computers periodically go into lock mode, and where administrators do not require OTP clients to authenticate at the end of the valid certificate lifetime. (Optional)
Note
When the DirectAccess client computer enters a state of unlock, the OTP client will still require authentication.
Do one of the following:
Click Export to generate and save a PowerShell OTP CA configuration script that is used to apply the configuration to the CA server at a later time.
Note
The generated script should be run from an elevated PowerShell prompt as follows:
- On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.
- From the PowerShell command prompt enter: ./<name of the saved OTP configuration script> and press ENTER.
Note
- After running the script, you must re-activate Forefront UAG.
- You can alternately run this script from another server at any time and after applying the Forefront UAG DirectAccess Configuration Wizard script and activating Forefront UAG, the CA server will be configured for OTP authentication.
- On the taskbar, click Start, click All Programs, click Accessories, click Windows PowerShell, right-click Windows PowerShell, and then click Run as administrator.
Click Apply to generate a PowerShell OTP CA configuration script that is immediately applied to the CA server.
Click Validate, and then click Finish.
.gif "note")
Note:Validate performs the following checks on the CA: - The lifetime of the certificate is not more than 24 hours.
- The CA is working and reachable.
- The CA is an enterprise CA.
- The user and workstation templates are supported by the CA.
- The Forefront UAG DirectAccess server has enrollment permissions for the templates.
Note
When a Forefront UAG DirectAccess server array is configured, this check only takes place on the array manager. All Forefront UAG DirectAccess servers in the array require enrollment permissions.
If the validation fails, you may receive a warning message containing a CA error code. For more information on error codes, see Common HRESULT values (https://go.microsoft.com/fwlink/?LinkId=204483), and Winerror.h (https://go.microsoft.com/fwlink/?LinkId=204484).
- The lifetime of the certificate is not more than 24 hours.
To use preconfigured CA certificate templates
On the OTP CA Templates page, select OTP certificate templates for client authentication and workstation authentication.
Select Enable certificate renewal with the number of days the certificate should be automatically renewed. This can for be used in organizations that do not have a policy where client computers periodically go into lock mode, and where administrators do not require OTP clients to authenticate at the end of the valid certificate lifetime. (Optional)
Note
When the DirectAccess client computer enters a state of unlock, the OTP client will still require authentication.
Click Validate and validate that the CA server can be used for OTP authentication, and click Finish.
Note:Validate performs the following checks on the CA: - The lifetime of the certificate is not more than 24 hours
- The CA is working and reachable
- The CA is an enterprise CA.
- That the user and workstation templates are supported by the CA
- The Forefront UAG DirectAccess server has enrollment permissions for the templates.
Note
When a Forefront UAG DirectAccess server array is configured, this check only takes place on the array manager. All Forefront UAG DirectAccess servers in the array require enrollment permissions.
If the validation fails, you may receive a warning message containing a CA error code. For more information on error codes, see Common HRESULT values (https://go.microsoft.com/fwlink/?LinkId=204483), and Winerror.h (https://go.microsoft.com/fwlink/?LinkId=204484).
- The lifetime of the certificate is not more than 24 hours
Manually configuring preconfigured OTP certificate templates
When using preconfigured certificate templates, the user and workstation certificate templates must be configured to work with OTP.
The following steps are required to manually configure OTP certificate templates:
Manually configuring an OTP user certificate template
Manually configuring an OTP workstation certificate template
Configuring the dedicated OTP CA to issue the OTP user and Workstation certificates
Deleting additional certificate templates
Manually configuring an OTP user certificate template
A user template is issued for DirectAccess users by the Forefront UAG DirectAccess server and used to open the second IPsec tunnel. It can be duplicated from the User template with changes listed below.
To manually configure an OTP user certificate template
Open the MMC and add the Certificate Templates snap-in.
Right-click the User template, click Duplicate Template, and select Windows Server 2008 Enterprise as the minimum supported CA version for this template.
On the General tab:
Enter a Template Name
Under Validity Period, enter a recommended value of 8 hours. If prompted, click OK to automatically change the Renewal Period accordingly (6 hours).
Clear Publish certificate in Active Directory. This lessens the storage requirements in Active Directory, and improves certificate issuing performance.
On the Request Handling tab, clear Allow private key to be exported.
On the Subject Name tab, select Supply in the request as the method of subject name generation.
On the Server tab, select the Do not store certificates and requests in the CA database check box.
On the Security tab, Allow Read and Enroll permissions for each of the Forefront UAG DirectAccess servers, Allow Read permissions for authenticated users, and Deny Enroll permissions for all other users and groups.
On the Extensions tab, select Application Policies, click Edit, click Secure Email, click Remove, and then click OK two times.
To ensure that the Do not store certificates and requests in the CA database, setting takes effect, after completing the Forefront UAG DirectAccess Configuration Wizard it is recommended that you do the following:
On the CA server, open a command prompt and run the following command: CertUtil.exe –SetReg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS.
After running the command, on the CA server, restart the CertSvc service.
To ensure the Renewal Period setting takes effect you must do the following:
On each CA server, open a command prompt and run the following command: certutil -setreg policy\EnableRequestExtensionList +1.3.6.1.4.1.311.73.1.1.
After running the command, on the CA server, restart the CertSvc service.
Manually configuring an OTP workstation certificate template
A Workstation template is installed on the Forefront UAG DirectAccess servers. It can be duplicated from the Workstation Authentication template with the changes listed below.
To manually configure an OTP workstation certificate template
Open the MMC and add the Certificate Templates snap-in.
Right-click the Workstation Authentication template, click Duplicate Template, and select Windows Server 2008 Enterprise as the minimum supported CA version for this template.
On the General tab, enter a Template Name.
On the Security tab, Allow Read, Enroll and AutoEnroll permissions to each of the Forefront UAG DirectAccess servers, Allow Read permissions for authenticated users, and Deny Enroll permissions for all other users and groups.
Configuring the dedicated OTP CA to issue the OTP user and Workstation certificates
The dedicated OTP CA must be configured to issue the OTP user and workstation certificates.
To configure the OTP CA to issue user and workstation certificates
Open MMC and add the Certification Authority snap-in.
Select the CA to manage, and in the left pane, navigate to the Certificate Templates folder.
Right-click the folder name, click New, and then Certificate Template to Issue.
Select the DA OTP user certificate template and click OK.
Repeat steps 3-4 for the DA OTP Workstation certificate template.
Deleting additional certificate templates
All certificate templates other than the user and workstation templates must be deleted from the dedicated OTP CA.
To delete non-OTP specific templates
Open MMC and add the Certification Authority snap-in.
Select the CA to manage, and in the left pane, navigate to the Certificate Templates folder.
Select all the non-OTP specific certificate templates, right-click, click Delete, and then click Yes to approve.