SmartCard Authentication: Considerations, Options and Pitfalls with SharePoint - PowerPoint PPT Presentation


1
SmartCard Authentication Considerations, Options
and Pitfalls with SharePoint
  • Dan Usher
  • Joel Ward

2
Agenda
  • Who we are
  • What we've seen
  • Security Concerns in today's world
  • Why SmartCards?
  • Authentication & Authorization of SharePoint
  • IIS and SmartCards
  • Implementation Considerations and Pitfalls

3
We are very eager to talk about SharePoint
4
But first... the SmartCards!!!
5
Please excuse this error in judgment
6
First the introductions
  • Dan Usher
  • MCP, MCTS, Security
  • SharePoint Architect and Implementation /
    Deployment Engineer
  • UVA - BS Physics
  • Joel Ward
  • MCP, MCAD
  • Solutions Developer and Architect
  • Penn State - BA Integrative Arts

7
What we've seen
  • Large and Small SharePoint implementations
  • Authentication schemas using SmartCard
    authentication integrated with Active Directory
    and third party SSO systems
  • Extranet Enabled SmartCard SharePoint systems

8
Security Concerns in today's world
  • Cyber Security
  • Identity Theft
  • Phishing
  • Information Assurance

9
How we protect Identity
  • Strong Passwords
  • Web of Trust
  • Two Factor Authentication
  • Biometrics

3L33tH@x0r0h
77M@Kuhr00ns
7c@Nd13M@n7
10
Why does IA matter?
  • Confidentiality
  • Integrity
  • Authenticity
  • Availability
  • Non-repudiation

11
How does IA impact you?
  • Stricter Password Policies
  • Resetting Passwords More Often
  • Password Enabled Screensavers
  • Disruptions in your daily work
  • Things aren't quite as secure as they were

12
So why SmartCards?
  • Simplicity

Source: http://go.spdan.com/pki
13
So why SmartCards?
  • Simplicity to the end user
  • Provides secure, tamper-resistant storage in a
    physical token
  • Enables portability of credentials and private
    information similar to other Federated Identity
  • like OpenID, Facebook Connect, Google
    OpenSocial, Microsoft Hailstorm
  • A PIN is used
  • Security

14
What about a soft cert?
  • Similar to a physical token
  • Contains the same information
  • It has an expiration date
  • It can be revoked
  • Provides for similar IA capabilities
  • However
  • It can be exported
  • It can be shared
  • It can be purchased
  • It can be stolen

15
Authentication and Authorization of SharePoint
  • Authentication
  • IIS
  • Username Password
  • Client Certificates
  • ISAPI Filters
  • Custom Membership Providers
  • Federation (ADFS or Third Party Identity Handler)
  • Authorization
  • SharePoint Groups and Permissions
  • AD / LDAP / Role Provider Security Groups

16
Basics of SharePoint Authentication
  • Handled by IIS and ASP.NET
  • Checks user against AD or other auth provider
  • Passes verification to IIS to proceed

Source: http://go.spdan.com/iisauth
ASP.NET Authentication
17
IIS and SmartCards
18
Implementation Considerations and Pitfalls
  • Option 0 - SharePoint on an Intranet with
    integrated authentication
  • Option 1 - SharePoint in a DMZ with client
    certificates and AD integration
  • Option 2a - SharePoint published through Internet
    Security and Acceleration (ISA) Server
  • Option 2b - SharePoint published through
    Intelligent Application Gateway (IAG) Server
  • Option 3 - Custom Membership Provider

19
Considerations - Option 0
  • SharePoint is Intranet based only
  • Client Desktop utilizes the SmartCard Enabled
    Login Required security policy setting
  • SharePoint utilizing Integrated Windows
    authentication
  • Kerberos or NTLM

20
Considerations - Option 0
21
Pitfalls - Option 0
  • Intranet only situation
  • Need to be within the network boundary for
    authentication tokens to pass properly
  • User's account must be linked to their SmartCard
    user principal name
  • Certificate Authority (CA) availability for CRL
    check may affect system availability

22
Considerations - Option 1
  • Web Server in DMZ
  • Utilize Authentication Store (AD)
  • IIS Configured to Require Client Certificate
  • Relatively easy to configure

23
Configuration Option 1
  • Install a SSL certificate that belongs to a
    managed PKI environment
  • Within IIS in the specific web application,
    enable
  • Require Secure Channel (SSL)
  • Require 128-bit encryption (optional)
  • Require client certificate
  • Certificate Revocation List (CRL) ports open
  • LDAP or LDAP-S

24
Considerations - Option 1
25
Considerations - Option 1
26
Considerations - Option 1
27
Considerations - Option 1
28
Pitfalls - Option 1
  • OCSP or CRL checking could cause authentication
    to fail if CRL is not available
  • Depending on number of requests, CRL checking
    could cause server load
  • Puts server in DMZ, increases attack surface area
    (wfetch will show your SharePoint version)
  • User's account must be linked to their SmartCard
    user principal name
  • User selecting certificate that does not contain
    UPN

29
Considerations - Option 2a
  • Internet Security and Acceleration 2006 (ISA)
    Server Web Site Publishing with Constrained
    Kerberos Delegation
  • Internal Windows Networking Infrastructure system
    utilizing Kerberos
  • Users authenticate to their client machine using
    different account than SmartCard linked to their
    AD user object

30
Pitfalls - Option 2a
  • Windows XP + Office 2007 requires a hot fix to
    allow for documents to open using ISA
  • Increases authentication requirements for
    external facing or extranet systems
  • User's account must be linked to their SmartCard
    user principal name
  • Multi-Forest trusts do not always work
  • Reauthentication issues
  • Only leverages Active Directory

31
Considerations - Option 2b
  • Intelligent Application Gateway (IAG) Server
    Publishing Web Front End Server
  • Similar to Option 2a (ISA Server), but better
    experience for the end user
  • Stable session - Prevents constant requests for
    re-authorization using SmartCard
  • Allows for NAP like capabilities
  • Allows for mapping to something other than AD

32
Pitfalls - Option 2b
  • Additional hardware to maintain
  • Current IAG is a hardware appliance
  • IAG 2007 available as a virtual machine for
    demonstration purposes
  • Future IAG will potentially be available as
    software and hardware
  • IAG -> Forefront Unified Access Gateway (UAG)
  • Costly
  • Requires authenticating to IAG dashboard

33
Considerations - Option 3
  • Custom Membership provider for SmartCard
  • IIS or SSO/ISAPI filter handshakes with the
    SmartCard
  • Does not require Active Directory; can use LDAP,
    SQL Server, or another authentication provider

34
Considerations - Option 3 (cont.)
  • Custom SharePoint login page (using Forms Based
    Authentication) completes the login process
    seamlessly without user input
  • Can optionally create user account on the fly,
    based on SmartCard credentials
  • Can add in logic for account approval, different
    access levels based on SmartCard credentials, etc.

35
Pitfalls - Option 3
  • Requires additional configuration in SharePoint
  • Requires custom development
  • If requiring client certificate in IIS (instead
    of SSO or ISAPI filter), OCSP or CRL checking
    could cause authentication to fail if CRL is not
    available
  • Must secure server if in DMZ
  • Must add in appropriate security logic to custom
    login page

36
How do I configure a membership provider?
  • 1) Configure domain name and SSL certificate for
    web application
  • 2) Implement Forms Based Authentication with
    SharePoint using appropriate membership and role
    provider (AD, LDAP, ASPNET, etc.)
  • 3) Configure IIS to accept client certificates
    (or custom SSO)
  • 4) Create custom login page for SharePoint
    _layouts folder

37
What do I include in the custom login page?
  // Get client certificate and appropriate user ID
  HttpClientCertificate cert = Request.ClientCertificate;
  string userID;
  userID = cert.Get("fieldname");   // the certificate field that carries the user ID
  // Create new user and add to Visitor role (only if not already provisioned)
  if (Membership.GetUser(userID) == null)
  {
      MembershipUser user = Membership.CreateUser(userID, randomPassword, email);
      Roles.AddUserToRole(userID, "Visitors");
  }
  // If user exists in membership provider, login using FBA
  if (Membership.GetUser(userID).UserName == userID)
      FormsAuthentication.RedirectFromLoginPage(userID, false);

38
Conclusions
  • For SmartCard authentication to work properly, it
    relies heavily on the surrounding Windows
    networking infrastructure that it resides within
  • SmartCard authentication can be done several
    different ways depending on the surrounding
    infrastructure
  • SmartCards work well when the user base
    understands their responsibility in upholding IA.

39
Question and Answer
40
Contact Us
  • Dan Usher
  • dan@spdan.com
  • http://www.sharepointdan.com
  • @usher
  • Joel Ward
  • joel@wardworks.com
  • http://joelsef.blogspot.com
  • @joelsef