Certificate-based Multi-Form Factor Authentication for Websites
2018
Using Active Directory user certificate authentication on an IIS web server for Synergetic
Bradley Pulley; Stephen Bloomer
St. Peter's College | Cranbourne, Victoria, Australia, 3977
P a g e | 1
Contents
- First Thing's First… (page 2)
- Setting up Group Policy for Users to obtain Certificates from the CA (page 3)
- Creating the Certificate Template for Staff Laptops (page 5)
- Installing the IIS Web Server with AD Certificate Authentication feature (page 10)
- Setting up IIS Websites to ask for Client Certificates (page 13)
- Manual Enrolment for Certificates (page 17)
- Appendices (page 21)
IMPORTANT! Every set-up step in this document requires Administrator credentials, or being logged on with an account that has Administrator rights.
First Thing's First…
Before starting this guide, there are a few prerequisites that need to be in place to get this working.
- You will need a Certificate Authority (CA) server on your domain. This is set up using Active Directory Certificate Services.
  o There are plenty of Microsoft TechNet articles available to help you set up a CA server. A good first place to look is here:
    https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority
- This guide was written during testing in a test environment of Windows Server 2016 and Windows 10 machines. It has also proven to work in a Windows Server 2012 R2 environment with Windows 8.1 and 10 clients. So provided your domain environment has a minimum OS of Windows Server 2012 R2 with Windows 8.1 clients, you'll be fine!
- This has NOT been tested in a Windows Server 2019 environment, but most, if not all, aspects of this guide should work.
- This guide is designed for domain-joined staff laptops and desktop machines. This heightens security by preventing access to the website from machines that the school has not provided.
Setting up Group Policy for Users to obtain Certificates from the CA
On a Domain Controller, run gpmc.msc (Group Policy Management).
- Create a Group Policy Object, and navigate to User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies.
- Open Certificate Services Client – Certificate Enrollment Policy.
  o Next to Configuration Model, select "Enabled" from the drop-down box.
  o Ensure that "Active Directory Enrollment Policy" is enabled and selected, and then click Properties.
  o Under Enrollment configuration, check the "Enable for automatic enrolment and renewal" checkbox.
  o Apply and OK those settings.
- Open Certificate Services Client – Auto-Enrollment.
  o Select "Enabled" from the Configuration Model drop-down box.
  o Then check the following boxes:
    "Renew expired certificates, update pending certificates, and remove revoked certificates"
    "Update certificates that use certificate templates"
  o Then Apply and OK.
- In the Group Policy Management console, link the appropriate Organisational Units (OUs) and/or Security Groups to the Group Policy Object.
Creating the Certificate Template for Staff Laptops
On the Certification Authority server, open the CA console (run certsrv.msc).
WARNING: For certificate enrolment to work successfully, user accounts must have an email address in the E-mail field in Active Directory Users and Computers.
- Expand the server node, right-click "Certificate Templates", then click "Manage". This opens the Certificate Templates Console, a window like the one shown below.
- Find the "User" template in the list of templates.
- Right-click the "User" template, and select "Duplicate Template".
- Under the General tab:
  o Set the Template Display Name and Template Name, Validity Period and Renewal Period as you like for the purposes of the certificate.
  o For Certificate Publishing:
    Check "Publish certificate in Active Directory".
    Uncheck "Do not automatically reenroll if a duplicate certificate exists in Active Directory".
- Under the Compatibility tab:
  o In the Certification Authority drop-down box, select the minimum CA operating system for your template (on the premise that it can be exported). In our circumstances, our CA runs on Windows Server 2012 R2.
  o In the Certificate Recipient drop-down box, select the earliest compatible operating system that the certificate will be deployed to.
- Under the Extensions tab, ensure that under "Application Policies":
  o Only "Client Authentication" appears in the list of Application Policies.
  o If other items appear, click "Edit" and remove:
    Secure Email
    Encrypting File System
  All other values in this tab are fine.
- Under the Subject Name tab. This is where the certificate gets its assigned information.
  o Ensure "Build from this Active Directory information" is selected.
  o Subject Name format: we set that to "Common name".
  o Check "Include e-mail name in subject name".
  o Also check "User principal name (UPN)" under "alternate subject name".
- Under the Security tab, add the users and/or security groups that are applicable for enrolment. For each group or user:
  o For automatic enrolment (i.e. teachers and staff who typically use ONE machine), check "Autoenroll" and "Enroll" under "Allow".
  o For manual enrolment (i.e. IT staff who log on to multiple machines), check "Enroll" only under "Allow".
- Once this is done, you can "Apply" and "OK" the certificate template. You can change the values in this template again at any time.

Issuing the template so certificates can be enrolled
Once the templates have been made, they need to be issued. In the CA window:
- Right-click Certificate Templates, then hover over "New".
  o Click "Certificate Templates to Issue".
  o Then select your newly made template from the list in the window that appears and click OK.
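Once the template has been issued and the Group Policy has applied, it is worth confirming on a client that what landed in the user's Personal store is what the template above was meant to produce. The following PowerShell script is an added example, not part of the original guide: it checks that the Auto-Enrollment policy has applied, then inspects each certificate issued by the CA for the Extensions-tab requirement (Client Authentication as the only application policy) and the Subject Name-tab requirement (UPN and e-mail in the alternate subject name). The CA common name 'SCHOOL-CA' is an assumed placeholder; replace it with your own CA's name.

```powershell
# Added example (not part of the original guide): verify on a domain-joined client that the
# GPO auto-enrolment settings applied and that the issued certificate matches the template.
# Placeholder assumption: the issuing CA's common name is 'SCHOOL-CA'.
param(
    [string]$IssuerCN = 'SCHOOL-CA'   # assumed CA common name, as it appears in the Issuer field
)

$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'      # Client Authentication application policy (EKU)
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'   # Microsoft "Certificate Template Information" extension
$SanOid          = '2.5.29.17'              # Subject Alternative Name

# 1. Did the "Certificate Services Client – Auto-Enrollment" policy apply to this user?
#    AEPolicy is a bit mask: 1 = Configuration Model "Enabled",
#    2 = renew expired / update pending / remove revoked, 4 = update certificates that use templates.
#    7 therefore means "Enabled" with both checkboxes from the guide ticked.
$aeKey = 'HKCU:\Software\Policies\Microsoft\Cryptography\AutoEnrollment'
$ae = (Get-ItemProperty -Path $aeKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($null -eq $ae) {
    Write-Warning "No user auto-enrolment policy found; check the GPO is linked to this user's OU."
} elseif (($ae -band 7) -ne 7) {
    Write-Warning ("AEPolicy is {0}; expected 7 (Enabled plus both checkboxes)." -f $ae)
} else {
    Write-Host "Auto-enrolment policy applied (AEPolicy = $ae)."
}

# 2. Certificates in the user's Personal store that were issued by our CA and have a private key.
$certs = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -match "CN=$([regex]::Escape($IssuerCN))" -and $_.HasPrivateKey }

if (-not $certs) {
    Write-Warning "No certificate from $IssuerCN in the Personal store. 'certutil -pulse' triggers auto-enrolment now; IT staff enrol manually (see Manual Enrolment)."
    return
}

foreach ($c in $certs) {
    $problems = @()

    # Extensions tab: Client Authentication must be the ONLY application policy.
    $ekus = @($c.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -ne 1 -or $ekus[0] -ne $ClientAuthOid) {
        $problems += "application policies are [$($ekus -join ', ')], expected only Client Authentication"
    }

    # Subject Name tab: UPN and e-mail must appear in the Subject Alternative Name.
    $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $san = if ($sanExt) { $sanExt.Format($true) } else { '' }
    if ($san -notmatch 'Principal Name=') { $problems += 'SAN has no User Principal Name' }
    if ($san -notmatch 'RFC822 Name=')    { $problems += 'SAN has no e-mail address (check the AD E-mail field)' }

    if ($c.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }

    # The template extension records which template the CA used, handy when several are issued.
    $tplExt = $c.Extensions | Where-Object { $_.Oid.Value -eq $TemplateInfoOid }
    $tpl = if ($tplExt) { $tplExt.Format($false) } else { '(no template extension)' }

    [pscustomobject]@{
        Subject    = $c.Subject
        Thumbprint = $c.Thumbprint
        Expires    = $c.NotAfter
        Template   = $tpl
        Problems   = if ($problems) { $problems -join '; ' } else { 'none' }
    }
}
```

Run it as the enrolled user (it reads the Current User store, the same one certmgr.msc shows). A certificate that lists Secure Email or Encrypting File System under Problems means the Extensions tab step was missed; a missing RFC822 Name almost always traces back to the WARNING above about the E-mail field in Active Directory.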
Installing the IIS Web Server with AD Certificate Authentication feature
We need to install the IIS Web Server role using Server Manager on the web server, including the "Active Directory Client Certificate Mapping" feature.
- Open "Server Manager" on your Windows Server 2016 (or 2012 R2) machine.
  o Click "Manage" in the top right corner, and select "Add Roles and Features".
- Proceed through the wizard, clicking the "Next >" button to complete the first page.
- On the "Installation Type" page, select "Role-based or feature-based installation", then click "Next >".
- On the "Server Selection" page, select a server from the list. There should only be one, since you should currently be logged on to that server with administrator credentials. Click "Next >" to continue.
- On the "Server Roles" page, tick "Web Server (IIS)".
  o A sub-page will pop up, looking like this:
  o Click "Add Features" to add the IIS console to your server.
  o Then click "Next >" to continue the installation.
- On the "Features" page, click "Next >" to continue, unless there are additional Windows Features that you wish to install.
- You will then get the Web Server (IIS) role brief. Click "Next >" to continue.
- On the "Role Services" page, you will be greeted with a list of services that the role requires and can use.
  o Scroll down the list to the "Security" section, and tick "Client Certificate Mapping Authentication".
  o This is the service that we use for the certificate-based authentication.
  o Click "Next >".
- You will be greeted with a summary of the role installation changes to be made. Click "Install" when you're satisfied with the summary. This will then install the IIS Server role on the Windows Server.
- When complete, Server Manager will tell you that the installation was successful.
- It's best to reboot the Windows Server so the changes can be assured.
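The same role installation can be scripted, which is useful when building a second web server or checking an existing one. This PowerShell is an added example and not the guide's own commands; the Windows Server feature names it uses are real: Web-Server is "Web Server (IIS)", Web-Mgmt-Console is the IIS console added by "Add Features", and Web-Client-Auth is the "Client Certificate Mapping Authentication" role service under Security, the Active Directory-backed one this guide relies on. (Web-Cert-Auth is the different "IIS Client Certificate Mapping Authentication" service, which is not used here.)

```powershell
# Added example (not the guide's own commands): install the IIS role with the role service the
# guide ticks under "Security", then confirm the install state before rebooting.
#Requires -RunAsAdministrator
Import-Module ServerManager

$features = 'Web-Server',        # Web Server (IIS)
            'Web-Mgmt-Console',  # IIS Management Console (the "Add Features" prompt)
            'Web-Client-Auth'    # Client Certificate Mapping Authentication (AD-backed)

$result = Install-WindowsFeature -Name $features
if (-not $result.Success) {
    throw "Role installation failed with exit code $($result.ExitCode)"
}

# The whole mechanism depends on Web-Client-Auth, so show what is actually installed.
Get-WindowsFeature -Name $features | Select-Object Name, DisplayName, InstallState

# Server Manager's "restart required" flag; the guide recommends rebooting in any case.
if ($result.RestartNeeded -eq 'Yes') {
    Write-Warning 'A restart is required to complete the installation.'
}
```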
Setting up IIS Websites to ask for Client Certificates
Using an administrator account, open the Internet Information Services (IIS) Manager. You can find the IIS console by opening the Start Menu and searching for "inetmgr".
- Expand the server tree in the left-hand column, and then expand the Sites folder.
- Select the server and you will see a window with the following options.
First up, in order to use SSL and browse using HTTPS, we need to add the certificate the site will present for HTTPS (from a trusted certificate provider or, if hosted internally, a self-signed or AD CS-deployed certificate).
- To do this, we need to open the "Server Certificates" module in the IIS Manager. You will then be greeted by a screen like this:
- If you already have a certificate imported for SSL, good stuff! We'll bind it later. If not, we need to import it!
- In the right-hand column, where the Actions are: if you are looking to use a certificate from an external "Trusted Root Certificate" provider, click Import. You will then be greeted with a window to import a certificate.
  o In the first field, navigate to the provided certificate file that you wish to import.
  o If the certificate is password-protected, you will need to enter the password into the second field.
  o Thirdly, you MUST import the certificate to the "Personal" store. (Do not select "Web Hosting" in the drop-down box!)
  o The checkbox for allowing the certificate to be exported must also be checked. (This allows computer <-> server certificate communication.)
  o Once all that is checked off and good, hit "OK" and your certificate will be imported.
Now we're going to look at our Authentication methods.
- In the left-hand "Connections" bar, select the server, then double-click "Authentication".
- In the Authentication module, select "Active Directory Client Certificate Authentication", then click "Enable" in the Actions pane on the right.
- Select any other enabled authentication method that is not required, and click "Disable".
  o If you have multiple web sites on your server, leave "Anonymous Authentication" enabled!
Note: In the settings for each site, you can enable and disable other authentication methods, but you cannot change the AD Certificate one at the site level, only at the server level.
Enabling SSL on our site
We use the following instructions for production, and for testing.
- From the "Connections" pane, select your site, then select "SSL Settings" from the icons menu.
- On this page:
  o Check "Require SSL".
  o Then under "Client Certificates", for our requirements, we select "Require".
  o Then press "Apply" on the right-hand side of that window to apply the changes.
The three radio button options under "Client Certificates" behave as follows (the "Require" option cannot be applied while "Require SSL" is unchecked):
- Accept: asks for a certificate if there's one available, but allows all connections.
- Require: asks for a certificate, but ONLY allows certificate-authenticated connections.
- Ignore: allows all connections, and DOES NOT prompt for certificates.
NOTE: We use the "Accept" option to test our certificates with. The "Accept" option prompts for certificates if available, but allows all HTTPS connections regardless. The "Accept" and "Ignore" options will not affect current staff access to the server while testing.
- Select your site from the "Connections" pane to return to the menu, then select "Bindings" from the Actions pane. This is where we tell IIS what address(es) and/or ports to assign our site to. By default, your site will automatically be bound to http on port 80, but we want https.
- Press the "Add…" button to make a new binding. We will select the following:
  o Type: https
  o IP address: leave as "All Unassigned"
  o Port: 443 is the default
  o Host name: if you have multiple sites on your server, you can set the DNS name that you want your site to appear at. Leaving this blank will use the server's name and DNS by default.
  o SSL certificate: select the certificate that we imported earlier from the drop-down box.
- If all is in order, then press "OK". You should then have your HTTPS binding in the bindings list.
- Give your IIS site a soft reboot, using the "Restart" link in the Actions pane, under "Manage Website".
You should then be free to give your site a test run. You will know that your SSL client-certificate authentication is working if, from a machine without an enrolled certificate, you get a 403: Forbidden error page.
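The three IIS Manager steps above (the server-level Authentication module, the site's SSL Settings, and the https binding) correspond to a handful of applicationHost.config settings, and scripting them makes the configuration repeatable and auditable. The following PowerShell is an added example, not the guide's own commands. It uses the WebAdministration module that ships with IIS; the site name 'Default Web Site', the host name, and the certificate subject name are assumed placeholders. The "Client Certificates" radio buttons map onto the sslFlags attribute of system.webServer/security/access: Ignore is Ssl, Accept is Ssl,SslNegotiateCert, and Require is Ssl,SslNegotiateCert,SslRequireCert, which is why "Require" cannot be set without "Require SSL".

```powershell
# Added example (not the guide's own commands): configure AD Client Certificate Authentication,
# the SSL Settings radio buttons, and the https binding with WebAdministration.
# Placeholder assumptions: site 'Default Web Site', host name 'synergetic.school.local',
# and an imported server certificate whose subject CN is 'synergetic.school.local'.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'Default Web Site'          # assumed site name
$HostName = 'synergetic.school.local'   # assumed DNS name; '' to leave "Host name" blank as the guide does
$CertCN   = 'synergetic.school.local'   # assumed subject CN of the certificate imported into Personal
$Mode     = 'Require'                   # 'Ignore' | 'Accept' | 'Require' (the guide tests with Accept)
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$AuthPath = 'system.webServer/security/authentication'

# 1. Server-level Authentication module: enable AD Client Certificate Authentication
#    (it cannot be changed per site), disable the others. Anonymous is left as it is
#    because the guide keeps it enabled when other sites share the server.
Set-WebConfigurationProperty -PSPath $AppHost -Filter "$AuthPath/clientCertificateMappingAuthentication" -Name enabled -Value $true
foreach ($other in 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
    try {
        Set-WebConfigurationProperty -PSPath $AppHost -Filter "$AuthPath/$other" -Name enabled -Value $false -ErrorAction Stop
    } catch {
        # The section only exists if that authentication feature is installed; skip it otherwise.
    }
}

# 2. SSL Settings for the site, stored as sslFlags on system.webServer/security/access.
$sslFlags = switch ($Mode) {
    'Ignore'  { 'Ssl' }
    'Accept'  { 'Ssl,SslNegotiateCert' }
    'Require' { 'Ssl,SslNegotiateCert,SslRequireCert' }
    default   { throw "Unknown mode '$Mode'" }
}
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter 'system.webServer/security/access' -Name sslFlags -Value $sslFlags

# 3. The https binding on 443 with the imported certificate (must be in LocalMachine\My with a key).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -match "CN=$([regex]::Escape($CertCN))" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$CertCN and a private key in the Personal store; import it first." }

$bindingArgs = @{ Name = $SiteName; Protocol = 'https'; Port = 443; IPAddress = '*' }
if ($HostName) { $bindingArgs.HostHeader = $HostName }
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding @bindingArgs
}
# Attach the certificate to the ip!port binding (the drop-down box in the Add Site Binding window).
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# 4. Soft restart of the site (the "Restart" link), then read back what was applied.
Stop-Website -Name $SiteName
Start-Website -Name $SiteName

[pscustomobject]@{
    ClientCertAuthEnabled = (Get-WebConfigurationProperty -PSPath $AppHost -Filter "$AuthPath/clientCertificateMappingAuthentication" -Name enabled).Value
    SslFlags              = (Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter 'system.webServer/security/access' -Name sslFlags)
    Bindings              = (Get-WebBinding -Name $SiteName | ForEach-Object { $_.bindingInformation }) -join '; '
    Certificate           = "$($cert.Subject) ($($cert.Thumbprint))"
}
```

Switching $Mode between 'Accept' for testing and 'Require' for production is the scripted equivalent of the NOTE above; the read-back at the end is what you would paste into a change record.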
Manual Enrolment for Certificates
We may have set up auto-enrolment via Group Policy, but our IT staff won't be getting the certificate! All good, they just have to manually enrol for theirs.
- Click the Start button on your client machine, then type and run certmgr.msc.
- When you're greeted with the Certificates console for the Current User, click on the "Personal" store.
- Right-click the empty Personal store window, hover over "All Tasks" and click "Request New Certificate…".
- This will open the Certificate Enrollment wizard. Hit Next.
- Make sure that the "Active Directory Enrollment Policy" is selected, and hit Next.
- Select the Certificate Template you created earlier by ticking the checkbox, then click Enroll.
- Once enrolled, you'll receive this screen, giving you a green tick! Click Finish.
- Then you'll get a certificate pop up with the account name in the Personal store.
Now we're ready to try it out from a client.
- Confirm that all your settings are correct, then open a web browser (Google Chrome or otherwise), and navigate to the web server that you configured.
- When the computer finds your server, the browser will prompt for a certificate, similar to below.
- When you select your certificate and press OK, you should end up authenticated to your site correctly.
- IF you disregard the certificate and hit cancel, or don't have a certificate enrolled, then you'll more than likely see a 403 error appear.
You can keep track of your certificates in the CA server console, under Issued Certificates.
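The manual enrolment wizard and the browser test above can both be driven from PowerShell, which lets IT staff enrol on each machine they use and record the result without clicking through certmgr.msc. This is an added example, not part of the original guide. It uses the PKI module's Get-Certificate cmdlet, which requests from the same Active Directory Enrollment Policy the wizard shows; the template name 'StaffLaptopClientAuth' and the site URL are assumed placeholders (the -Template parameter wants the template's Template Name, not its Display Name). The second half reproduces the two outcomes the guide describes: 403 without a certificate, success with one.

```powershell
# Added example (not part of the original guide): enrol from the Active Directory Enrollment
# Policy, then probe the site with and without the certificate.
# Placeholder assumptions: Template Name 'StaffLaptopClientAuth', site https://synergetic.school.local/.
$TemplateName = 'StaffLaptopClientAuth'              # assumed Template Name from the General tab
$SiteUrl      = 'https://synergetic.school.local/'   # assumed site URL

# 1. Request a certificate (equivalent of "Request New Certificate..." -> template -> Enroll).
$result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\CurrentUser\My'
if ($result.Status -ne 'Issued') {
    throw "Enrolment did not complete: status is $($result.Status). Check the template's Security tab (Enroll permission) and the user's AD E-mail field."
}
$cert = $result.Certificate
"Issued: $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# 2. Probe the site. Returns the HTTP status code instead of throwing on 4xx/5xx.
function Test-ClientCertSite {
    param(
        [string]$Url,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $params = @{ Uri = $Url; UseBasicParsing = $true }
    if ($Certificate) { $params.Certificate = $Certificate }
    try {
        $response = Invoke-WebRequest @params
        return [int]$response.StatusCode
    } catch {
        # Windows PowerShell raises WebException, PowerShell 7 raises HttpResponseException;
        # both carry the response with its status code.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$without = Test-ClientCertSite -Url $SiteUrl
$with    = Test-ClientCertSite -Url $SiteUrl -Certificate $cert
"Without certificate: HTTP $without (expect 403 when SSL Settings is 'Require')"
"With certificate:    HTTP $with (expect 200)"
if ($without -ne 403 -or $with -ne 200) {
    Write-Warning 'The site is not enforcing certificate authentication as configured; re-check SSL Settings and the server-level Authentication module.'
}
```

If the site is still on the "Accept" setting used for testing, both probes return 200; that is expected and is the reason the guide switches to "Require" for production.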
Appendices
Appendix 1: Header Size
We found that when users browsed the Synergetic website and performed student search queries, they were presented with a "Request Entity too large" error. We found that increasing the header sizes rectified this issue, as the certificate authentication is also sent along with the request headers.
There are two locations to change in our actual IIS server configuration.
- Firstly, select your server from the Connections pane, and then double-click "Configuration Editor".
- From here, use the drop-down box and select the section "system.webServer/serverRuntime", as shown here.
- In this section, we need to change the value of "uploadReadAheadSize" from its default and upsize it. The default value for "uploadReadAheadSize" is "49152"; we changed this to "200000".
- Now click the drop-down box, and select "system.web/httpRuntime".
- In this module, we need to change the values for "maxQueryStringLength" and "maxRequestLength". The default values are:
  "maxQueryStringLength": 2048
  "maxRequestLength": 4096
  We updated those values to 81920 each.
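The two Configuration Editor changes above can be applied and read back with the WebAdministration module, using the same values the guide settled on. This PowerShell is an added example, not the guide's own commands; the site name 'Default Web Site' is an assumed placeholder. Note that system.webServer/serverRuntime is a server-level section (it is locked for sites by default), so it is written to applicationHost.config, while system.web/httpRuntime belongs to the site's own web.config; maxRequestLength is measured in kilobytes and maxQueryStringLength in characters.

```powershell
# Added example (not the guide's own commands): apply the Appendix 1 header-size changes
# and read them back. Placeholder assumption: the site is 'Default Web Site'.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'Default Web Site'          # assumed site name
$AppHost  = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config (server level)
$SitePath = "IIS:\Sites\$SiteName"      # the site's web.config

# Get-WebConfigurationProperty returns either a raw value or a ConfigurationAttribute with .Value;
# this helper normalises to the plain value for the read-back table.
function Get-ConfigValue {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

# serverRuntime: default 49152 -> 200000 (the guide's value).
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize -Value 200000

# httpRuntime on the site: defaults 2048 / 4096 -> 81920 each (the guide's values).
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.web/httpRuntime' -Name maxQueryStringLength -Value 81920
Set-WebConfigurationProperty -PSPath $SitePath -Filter 'system.web/httpRuntime' -Name maxRequestLength -Value 81920

# Read back so the change can be recorded alongside the ticket that prompted it.
[pscustomobject]@{
    uploadReadAheadSize  = Get-ConfigValue -PSPath $AppHost  -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize
    maxQueryStringLength = Get-ConfigValue -PSPath $SitePath -Filter 'system.web/httpRuntime'          -Name maxQueryStringLength
    maxRequestLength     = Get-ConfigValue -PSPath $SitePath -Filter 'system.web/httpRuntime'          -Name maxRequestLength
}
```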
Appendix 2: A recommended idea for student blocking
A very good idea for student computer lab machines is to add a Windows Firewall rule on the student networks to prevent access to your CA. You can set this up via Windows Firewall in Group Policy, by setting a block rule for the CA's IP address on your network. This is good practice: if a student obtains a staff member's username and password and logs on to a computer on the student network, they will not be able to acquire a certificate, because the computer cannot communicate with the CA.
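The block rule above can be written straight into the student-lab Group Policy Object from an administrative workstation. The following PowerShell is an added example, not part of the original guide; it uses the NetSecurity module's GPO session cmdlets so the GPO is opened once, edited, and saved once. The CA address 192.0.2.10 (a documentation range) and the GPO name 'Student Lab - Firewall' in the domain school.local are assumed placeholders.

```powershell
# Added example (not part of the original guide): the Appendix 2 block rule, written into a GPO
# that applies to student lab machines. Windows Firewall applies an explicit block rule even
# though its default outbound action is allow, so nothing else in the policy needs to change.
# Placeholder assumptions: CA at 192.0.2.10, GPO 'Student Lab - Firewall' in domain school.local.
#Requires -RunAsAdministrator
$CaAddress = '192.0.2.10'                          # assumed CA IP address
$GpoStore  = 'school.local\Student Lab - Firewall' # assumed 'domain\GPO name'
$RuleName  = 'Block student access to Certification Authority'

# Open the GPO once; all rule edits go into this session and are committed by Save-NetGPO.
$session = Open-NetGPO -PolicyStore $GpoStore

if (-not (Get-NetFirewallRule -DisplayName $RuleName -GPOSession $session -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -GPOSession $session `
        -Direction Outbound -Action Block -Enabled True `
        -Profile Domain -RemoteAddress $CaAddress `
        -Description 'Appendix 2: lab machines must not reach the CA, so a borrowed staff logon cannot enrol a certificate.'
}

Save-NetGPO -GPOSession $session

# Show the rule as stored in the GPO for the change record.
Get-NetFirewallRule -DisplayName $RuleName -PolicyStore $GpoStore |
    Select-Object DisplayName, Direction, Action, Enabled, Profile
```

On a lab machine, after gpupdate, `Get-NetFirewallRule -PolicyStore ActiveStore -DisplayName 'Block student access to Certification Authority'` confirms the rule is in force, and `Test-NetConnection -ComputerName 192.0.2.10 -Port 135` (the RPC endpoint mapper that DCOM-based enrolment starts with) should fail, while the same test from a staff machine succeeds.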