1 SmartCard Authentication: Considerations, Options and Pitfalls with SharePoint
Dan Usher, Joel Ward (12/10/2017 9:39 PM)
These slides are the property of Dan Usher and Joel Ward. The views expressed in these slides are those of the authors, and do not reflect SharePoint Saturday, Microsoft, or their respective employers.
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
2 Agenda
Who we are…
What we’ve seen…
Security Concerns in today’s world
Why SmartCards?
Authentication & Authorization of SharePoint
IIS and SmartCards
Implementation Considerations and Pitfalls

This is the ubiquitous agenda slide that, by consultantese law, we’re pretty much required to show. Without it, you all might be lost.
3 We are very eager to talk about SharePoint… but first…
4 But first…the SmartCards!!!
5 Please excuse this error in judgment… we really need to stick to the order of the agenda.
6 First the introductions…
Dan Usher: MCP, MCTS, Security+; SharePoint Architect and Implementation / Deployment Engineer; UVA - BS Physics
Joel Ward: MCP, MCAD; Solutions Developer and Architect; Penn State - BA Integrative Arts
7 What we've seen…
Large and small SharePoint implementations
Authentication schemes using SmartCard authentication integrated with Active Directory and third-party SSO systems
Extranet-enabled SmartCard SharePoint systems

We have worked in environments of various sizes with differing purposes. We’ve worked with smart card authentication and soft certificate authentication environments. Additionally, we have worked with products that leverage smartcards with third-party single sign-on systems.
8 Security Concerns in today’s world
Cyber Security
Identity Theft
Phishing
Information Assurance

Cyber Security – So we’re talking about the security of the Internet – that little https thing that you see when you’re browsing the web and buying something off of Amazon – keeping your identity and payment all your own without that hacker getting your information.
Identity Theft – Certainly most of you have probably heard about people having their identities stolen, bank accounts emptied and lives turned upside down… this is one of those things that could take years to fix – hopefully this hasn’t happened to any of you.
Phishing – You may have heard this term; it’s basically social engineering through e-mail or other messaging systems. Essentially it’s a decorated URL that may seem like something you want to go to, but once you get to the page, it’s definitely not what you thought it was – unless of course you wanted to give your username and password to someone else.
Information Assurance – The practice of managing information-related risks. More specifically, IA practitioners seek to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability, and non-repudiation. These goals are relevant whether the information is in storage, processing, or transit, and whether threatened by malice or accident. In other words, IA is the process of ensuring that authorized users have access to authorized information at the authorized time. (Source:
9 How we protect Identity
Strong Passwords
Web of Trust
Two Factor Authentication
Biometrics

There are several different ways that we work to protect identity. A few of these include strong passwords that require some complexity; a web of trust, where users sign other users’ certificates as trustworthy – similar to a notary public; two factor authentication such as a SmartCard or a fob or a macaroon. And of course there are biometrics, which are a potential form of two factor authentication if you pair a retinal scan or a fingerprint with perhaps a PIN.
10 Why does IA matter?
Confidentiality
Integrity
Authenticity
Availability
Non-repudiation

Confidentiality – Confidential information must only be accessed, used, copied, or disclosed by users who have been authorized, and only when there is a genuine need. A confidentiality breach occurs when information or information systems have been, or may have been, accessed, used, copied, or disclosed by someone who was not authorized to have access to the information. For example: permitting someone to look over your shoulder at your computer screen while you have confidential data displayed on it would be a breach of confidentiality if they were not authorized to have the information. A laptop computer containing employment and benefit information about 100,000 employees that is stolen from a car (or is sold on eBay) could result in a breach of confidentiality because the information is now in the hands of someone who is not authorized to have it. Giving out confidential information over the telephone is a breach of confidentiality if the caller is not authorized to have the information.
Integrity – Integrity means data cannot be created, changed, or deleted without proper authorization. It also means that data stored in one part of a database system is in agreement with other related data stored in another part of the database system (or another system). For example: a loss of integrity occurs when an employee accidentally, or with malicious intent, deletes important data files. A loss of integrity can occur if a computer virus is released onto the computer. A loss of integrity can occur when an on-line shopper is able to change the price of the product they are purchasing.
Authenticity – Authenticity is necessary to ensure that the users or objects (like documents) are genuine (they have not been forged or fabricated). For example: an authentication breach can occur when a user's login id and password are used by unauthorized users to send unauthorized information.
Availability – Availability means that the information, the computing systems used to process the information, and the security controls used to protect the information are all available and functioning correctly when the information is needed. The opposite of availability is denial of service (DoS). For example: in 2000 Amazon, CNN, eBay, and Yahoo! were victims of a DoS attack. “Yahoo Attacked. No one knows what happened except that it was inaccessible for more than 3 hours. It was also known that the attack was coordinated and hence the standard firewall algorithms failed to figure out what was happening.” – Techhawking
Non-repudiation – Non-repudiation implies that one party of a transaction cannot deny having received a transaction, nor can the other party deny having sent a transaction. For example: electronic commerce uses technology such as digital signatures to establish authenticity and non-repudiation. (Source:
11 How does IA impact you?
Stricter Password Policies
Resetting Passwords More Often
Password Enabled Screensavers
…disruptions in your daily work
…things aren’t quite as secure as they were

So really, how does this impact you? Well, there are several ways of doing this with just basic usernames and passwords. So you’ll see that many of the organizations that you work for require stricter password policies – special characters, numbers, case sensitivity; I love to use the pound, exclamation and question mark characters personally. You’ll end up with password aging where you’ve got to reset your password unexpectedly after 38 days… oh, and that password policy that requires 26 characters of which no words or past 20 passwords can be used, recognizable keyboard patterns are forbidden, and stock market symbols or three letter abbreviations for phrases that aren’t very collegial are outlawed… yeah, you know what I’m talking about. And of course what we all love, the password enabled screensaver, to enter that 26 character password that we’re still learning because it seems like we just changed it yesterday. Gee, passwords sure do seem to be difficult to manage.
12 So why SmartCards? Simplicity…
Source: http://go.spdan.com/pki

It’s so simple, isn’t it? For an individual to access a site that requires some sort of certificate authentication, the user must register with a registration authority (RA) like Verisign, Thawte, Entrust, or one of several other certificate providers. Once the individual has been verified, a certificate authority provides the individual a certificate. In the process of providing that certificate, the certificate authority alerts the verification authority of the new user. When the user attempts to connect to the site requiring a certificate, they present their certificate (carrying their public key) to the site, which is then verified by the verification authority (VA), which in turn allows the individual access.
13 So why SmartCards? Simplicity… to the end user
Provides a secure, tamper-resistant physical storage token
Enables portability of credentials and private information, similar to other Federated Identity… …like OpenID, Facebook Connect, Google OpenSocial, Microsoft Hailstorm
A PIN is used
…Security

You’re not stovepiped to a single system – how many different user names and passwords do you have within your organization? They probably vary from system to system in terms of what is required, how long the username can be, whether it’s just your e-mail address, what the complexity of the password is. Call it an SSO if you like; it’s not really, but at the same time all your accounts are linked to one common identity. All you need is a token with a common identity… It’s linked to your account that resides within a Windows networking infrastructure domain through the user principal name, which is a property of the SmartCard certificate and happens to be the same as the one on your user account. It’s similar to Federated Identity, but different. It’s merely an identifier. There still has to be a user account on the system, linked and then integrated with the other systems that are attempting to make use of it. It’s similar in that, like OpenID, Facebook Connect, Google OpenSocial, or Microsoft Hailstorm, it’s a single identity that you carry with you everywhere.
PIN or a passphrase – something short and sweet, but it requires that the token actually be there. No longer are you having to remember if it’s something that’s case sensitive or whether it changed last week or the day before. So what about the PIN being compromised? Well, not to worry, typically there’s a policy set around this… a few strikes and the card is physically locked; you can’t use it anywhere else.
A reader is required – again, you’ve already required that there be a token present, but now you’re also requiring additional, standards-based hardware so that you’re able to authenticate. If some low-lying scum steals your card and thinks they’re going to cash in on it, more than likely they won’t have a card reader, so they won’t necessarily be able to get into your identity; card locked, all is well.
A trusted certificate – so on that card, there’s a little more than meets the eye. More than likely, to associate the card with a particular organization, there’s a certificate that’s chained to the organization’s certificate, establishing a community of trust.
14 What about a soft cert?
Similar to a physical token:
Contains the same information
It has an expiration date
It can be revoked
Provides for similar IA capabilities
However…
It can be exported
It can be shared
It can be purchased
It can be stolen

Soft certificates can sometimes take the place of a SmartCard.
15 Authentication and Authorization of SharePoint
Authentication:
IIS
Username & Password
Client Certificates
ISAPI Filters
Custom Membership Providers
Federation (ADFS or Third Party Identity Handler)
Authorization:
SharePoint Groups and Permissions
AD / LDAP / Role Provider Security Groups
16 Basics of SharePoint Authentication
Handled by IIS and ASP.NET
Checks user against AD or other auth provider
Passes verification to IIS to proceed
Source:

Step by step of how a user authenticates to a SharePoint site, mentioning the .NET virtual path provider and the related content database tables with the associated GUIDs that are based off of a user’s AD SID + SAMAccountName. Authentication with integrated authentication against AD. How’s your browser set up for passing credentials… IE 6 vs. IE 7 (and 8), Firefox. The diagram above shows ASP.NET authentication. Also see NTLM/Kerberos, Forms Based Authentication and ASP.NET Authentication.
17 IIS and SmartCards
1) User inserts smart card into reader
2) User attempts to access an IIS-based site that requires smart card authentication
3) X.509 certificate on the smart card, with its private key, is verified locally
4) User enters PIN into the middleware software prompt; the PIN authenticates the user to the card
5) Smart card’s public key certificate is retrieved from the card and verified through the trusted issuer
6) Web server receives the public key certificate and checks its validity against the CA CRL
7) During authentication, a challenge is issued based on the public key within the certificate; the challenge verifies the card holds the private key and that the private key can be used
8) Public key – private key verified: authentication has occurred
9) User’s identity from the certificate UPN is used to reference the user in AD
10) IIS receives the user’s identity and hands it to SharePoint
11) SharePoint verifies the user’s authorization to the specific site
12) Virtual Path Provider directs the user to the appropriate site
13) Site is rendered to the end user

SmartCard auth with middleware, pass cert to IIS, UPN mapped to the UPN of the user object, authenticated. IIS passes to the virtual path provider and SharePoint and we’re on our way.
Client certificate required through IIS
Kerberos token through AD / Windows Networking Infrastructure
Client certificate required through ISA
Reference:
18 Implementation Considerations and Pitfalls
Option 0: SharePoint on an Intranet with integrated authentication
Option 1: SharePoint in a DMZ with client certificates and AD integration
Option 2a: SharePoint published through Internet Security and Acceleration (ISA) Server
Option 2b: SharePoint published through Intelligent Application Gateway (IAG) Server
Option 3: Custom Membership Provider
19 Considerations – Option 0
SharePoint is Intranet based only
Client desktop utilizes the “SmartCard Enabled Login Required” security policy setting
SharePoint utilizing Integrated Windows authentication (Kerberos or NTLM)
Most common use case – intranet enabled SharePoint
20 Considerations – Option 0
21 Pitfalls – Option 0
Intranet only situation
Need to be within the network boundary for authentication tokens to pass properly
User’s account must be linked to their SmartCard user principal name
Certificate Authority (CA) availability for the CRL check may affect system availability
22 Considerations - Option 1
Web Server in DMZ
Utilize Authentication Store (AD)
IIS configured to require a client certificate
Relatively easy to configure
23 Configuration – Option 1
Install an SSL certificate that belongs to a managed PKI environment
Within IIS, in the specific web application, enable:
Require Secure Channel (SSL)
Require 128-bit encryption (optional)
Require client certificate
Certificate Revocation List (CRL) ports open
LDAP or LDAPS
24 Considerations - Option 1: IIS7 web application
25 Considerations - Option 1: IIS7 require client certificate
26 Considerations - Option 1: IIS6 web application
27 Considerations - Option 1: IIS6 require client certificate
28 Pitfalls – Option 1
OCSP or CRL checking could cause authentication to fail if the CRL is not available
Depending on the number of requests, CRL checking could cause server load
Puts the server in the DMZ, increasing the attack surface – wfetch will show your SharePoint version
User’s account must be linked to their SmartCard user principal name
User selecting a certificate that does not contain a UPN
Rather intensive work for the server to handle certificates
Requires Active Directory
OCSP = Online Certificate Status Protocol; CRL = Certificate Revocation List
29 Considerations - Option 2a
Internet Security and Acceleration (ISA) Server 2006
Web site publishing with constrained Kerberos delegation
Internal Windows Networking Infrastructure system utilizing Kerberos
Users authenticate to their client machine using a different account than the SmartCard linked to their AD user object
Eliminates internal prompting for the SmartCard
Increases the speed and security of the user’s access
Similar to the ISA configuration for Exchange server:
30 Pitfalls – Option 2a
Windows XP + Office 2007 requires a hotfix to allow documents to open through ISA
Increases authentication requirements for external facing or extranet systems
User’s account must be linked to their SmartCard user principal name
Multi-forest trusts do not always work
Reauthentication issues
Only leverages Active Directory
31 Considerations - Option 2b
Intelligent Application Gateway (IAG) Server publishing the Web Front End server
Similar to Option 2a (ISA Server), but a better experience for the end user
Stable session – prevents constant requests for re-authentication using the SmartCard
Allows for NAP-like capabilities
Allows for mapping to something other than AD

The user logs in once and keeps the session until they log out. No need to re-authenticate.
IAG -
32 Pitfalls – Option 2b
Additional hardware to maintain
Costly
Current IAG is a hardware appliance
IAG 2007 available as a virtual machine for demonstration purposes
Future IAG will potentially be available as software and hardware (IAG -> Forefront Unified Access Gateway (UAG))
Requires authenticating to the IAG dashboard
33 Considerations - Option 3
Custom Membership Provider for SmartCard
IIS or SSO/ISAPI filter handshakes with the SmartCard
Does not require Active Directory: can use LDAP, SQL Server, or another authentication provider

Leaves options open for other user directories besides Active Directory.
34 Considerations - Option 3 (cont.)
Custom SharePoint login page (using Forms Based Authentication) completes the login process seamlessly without user input
Can optionally create the user account on the fly, based on SmartCard credentials
Can add in logic for account approval, different access levels based on SmartCard credentials, etc.

User accounts do not need to be provisioned before users log in for the first time – accounts can be created on the fly based on SmartCard credentials. Logic can also be added to handle different types of users, approval processes, and different permissions based on role, organization, etc.
35 Pitfalls – Option 3
Requires additional configuration in SharePoint
Requires custom development
If requiring a client certificate in IIS (instead of SSO or an ISAPI filter), OCSP or CRL checking could cause authentication to fail if the CRL is not available
Must secure the server if in the DMZ
Must add appropriate security logic to the custom login page
36 How do I configure a membership provider?
1) Configure the domain name and SSL certificate for the web application
2) Implement Forms Based Authentication with SharePoint using the appropriate membership and role provider (AD, LDAP, ASPNET, etc.)
3) Configure IIS to accept client certificates (or custom SSO)
4) Create a custom login page in the SharePoint _layouts folder

1) Keep in mind you’ll still need a web application that allows Windows integrated authentication – this is for admin access and SharePoint Designer access.
2) Set up the standard FBA configuration: Pt1: Pt2: Pt3: You can use the AD, LDAP or ASPNET membership provider, or your own custom membership provider.
3) Either have IIS handle client certificates, or integrate with an SSO or other product that accepts client certificates and passes credentials to IIS/ASP.NET for use in the login page.
4) Creating a custom login page for SharePoint:
37 What do I include in the custom login page?

    //Get client certificate and appropriate user ID
    HttpClientCertificate cert = Request.ClientCertificate;
    string userID = cert.Get("[fieldname]");

    //Create new user and add to Visitors role (only if not already present)
    if (Membership.GetUser(userID) == null)
    {
        //third argument is the e-mail address parameter of Membership.CreateUser
        MembershipUser user = Membership.CreateUser(userID, [randomPassword], [email]);
        Roles.AddUserToRole(userID, "Visitors");
    }

    //If user exists in membership provider, login using FBA
    MembershipUser existing = Membership.GetUser(userID);
    if (existing != null && existing.UserName == userID)
        FormsAuthentication.RedirectFromLoginPage(userID, false);

[fieldname] may be the Subject Common Name (SubjectCN) from the certificate, or another uniquely identifiable field from the user's certificate. You can also create an ASP.NET web application to handle custom logic like a user request form, new user approval, user management, and role assignment. For managing custom membership providers like the ASPNET membership provider, check out the CodePlex project:
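As an added example (not from the slides or the authors' code), here is one way to put the "appropriate security logic" the Option 3 pitfalls slide calls for into that login page: build the chain with revocation checking, pin it to the organization's issuing CA, take the identity from the certificate's UPN (rejecting certificates that carry none, the Option 1 pitfall), and provision the FBA account on first use. The SmartCardLogin class, the TrustedIssuerThumbprint placeholder and the Windows text rendering of the SAN extension are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;
using System.Web.Security;
// Hypothetical helper for the custom SharePoint login page (Option 3). The page calls
// Authenticate() and passes the returned user ID to FormsAuthentication.RedirectFromLoginPage.
public static class SmartCardLogin
{
    // Thumbprint of the organization's issuing CA (placeholder; load from configuration).
    public static string TrustedIssuerThumbprint = "PLACEHOLDER-ISSUING-CA-THUMBPRINT";

    // Read the UPN from the Subject Alternative Name extension (OID 2.5.29.17). Assumes the
    // Windows rendering of X509Extension.Format(), which prints it as "Principal Name=user@domain".
    public static string GetUpn(X509Certificate2 cert)
    {
        X509Extension san = cert.Extensions["2.5.29.17"];
        if (san == null) return null;
        foreach (string line in san.Format(true).Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int i = line.IndexOf("Principal Name=", StringComparison.OrdinalIgnoreCase);
            if (i >= 0) return line.Substring(i + "Principal Name=".Length).Trim();
        }
        return null;
    }

    // Build the chain with online revocation checking (fails closed when the CRL/OCSP responder
    // is unreachable, which is the availability pitfall on the slides) and pin it to the issuing CA.
    public static bool IsTrusted(X509Certificate2 cert, out string reason)
    {
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
        chain.ChainPolicy.ApplicationPolicy.Add(new Oid("1.3.6.1.5.5.7.3.2")); // clientAuth EKU
        if (!chain.Build(cert))
        {
            reason = "chain or revocation check failed: " +
                string.Join("; ", Array.ConvertAll(chain.ChainStatus, s => s.StatusInformation.Trim()));
            return false;
        }
        foreach (X509ChainElement element in chain.ChainElements)
        {
            if (string.Equals(element.Certificate.Thumbprint, TrustedIssuerThumbprint, StringComparison.OrdinalIgnoreCase))
            { reason = null; return true; }
        }
        reason = "certificate does not chain to the trusted issuing CA";
        return false;
    }

    // Returns the user ID to sign in, or null with a reason to log (not to echo back to the browser).
    public static string Authenticate(HttpRequest request, out string reason)
    {
        HttpClientCertificate clientCert = request.ClientCertificate;
        if (!clientCert.IsPresent || !clientCert.IsValid) { reason = "no valid client certificate presented"; return null; }
        var cert = new X509Certificate2(clientCert.Certificate);
        if (!IsTrusted(cert, out reason)) return null;
        string upn = GetUpn(cert);
        if (string.IsNullOrEmpty(upn)) { reason = "certificate carries no UPN (wrong certificate selected?)"; return null; }
        if (Membership.GetUser(upn) == null)   // provision on first use; the password is random and never used
        {
            Membership.CreateUser(upn, Membership.GeneratePassword(32, 8), upn);
            Roles.AddUserToRole(upn, "Visitors");
        }
        reason = null; return upn;
    }
}
```

The login page only ever redirects on a non-null result; a null result is logged with its reason and the user sees a generic failure, so the page never falls through to sign-in when the chain, revocation or UPN check did not pass.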
38 Conclusions
For SmartCard authentication to work properly, it relies heavily on the surrounding Windows networking infrastructure that it resides within
SmartCard authentication can be done several different ways depending on the surrounding infrastructure
SmartCards work well when the user base understands their responsibility in upholding IA
39 Question and Answer
40 Contact Us
Dan Usher: [email protected], @usher
Joel Ward: @joelsef