Forefront UAG portal with Entrust two factor authentication

  • Question

  • Hello,

    In our environment, when authenticating the UAG portal against AD, everything works perfectly, both the portal and the published applications (SharePoint, Outlook etc.). Now we are adding Entrust two factor authentication to provide SMS OTP to clients.

    We currently have it configured so that UAG sends a RADIUS authentication request to Entrust, which in turn asks AD whether the user exists and the password is okay (first factor authentication). Then Entrust returns a challenge to enter the OTP (second factor authentication). The user receives the OTP, enters it here and can enter the portal just fine.

    However, this is where we ran into problems. None of the applications will work; they just show "User does not have permission to enter folder" etc. I reckon that the reason for this behavior is that UAG cannot, in any phase of the authentication, cache the credentials to be used in application authentication. We can circumvent this by changing the published application to use AD authentication, but this would require the client to enter user/pass once more.

    Is there any possibility to use, instead of all-Entrust authentication, for example AD for the first factor and caching the credentials (without mixing RADIUS and Entrust into this), and then, if that is successful, ask Entrust to perform the second factor authentication?

    - Jesse


    Wednesday, January 4, 2012 3:37 PM

All replies

  • Hi Jesse

    I assume at first you were using the AD repository for portal authentication and used the same repository for applications (Authentication tab). When you have the Entrust repository as the first authentication method in UAG, have you tried a PostPostValidate script which could inject the username and password into the AD repository? By doing that you could have users authenticate to Entrust (OTP) and UAG would pass the username and password to the AD repository and to applications that need AD credentials.

    I think there is an example on the Internet, but if not I can send one to you.

    -teemu



    br -teemu
    Wednesday, January 11, 2012 9:15 PM
  • Teemu,

    Could you send a link to the example you mentioned? I'm currently in the same boat as Jesse and this sounds like it may be an appropriate solution for us.

    Thanks,

    - Alberto

    Friday, January 13, 2012 5:42 PM
  • We currently have it configured so that UAG sends RADIUS authentication request to Entrust, which in turn asks from AD whether user exists and password is okay (first factor authentication). Then Entrust returns challenge, enter OTP (second factor authentication). User receives OTP and enters it here and user can enter the portal just fine.


    We also had this issue. Took us all day to figure it out today. We tried and tried but could not get it to work in the way you describe above.

    To get it to work you have to have two authentication methods set: the first Active Directory and the second IdentityGuard (in that order), but you also have to edit the logon page, as when you set Authentication to "Users authenticate to each server" and "Authentication to each server with the same username", you will be prompted to fill in a field for IdentityGuard which is not required, as it is a challenge/response. If it was a virtual or physical token you wouldn't have a problem.

    The workaround is documented in an Entrust document called Technical Integration Guide for Entrust IdentityGuard 9.1 and Microsoft Intelligent Application Gateway (IAG) 2007. It starts on page 29 under the heading "To configure Entrust IdentityGuard second-factor and Active Directory authentication."

    I made a couple of small changes to get it to work: (I have read elsewhere that changing the login.asp name screws things up)

    1) Copied the \InternalSite\Login.asp to \InternalSite\CustomSite\Login.asp

    2) Opened \CustomSite\Login.Asp and located the first occurrence of the line that starts with "for each repository_name"

    3) Followed step 3) as they describe.

    4) Confirmed step 4) as they describe.

    5) Save Login.Asp

    6) Login to UAG Manager, click configure your trunk settings and Update your Authentication tab and make sure Active Directory is set 1st and IdentityGuard set 2nd in authentication servers. Also make sure you enable "Users authenticate to each server" and "Authentication to each server with the same username". And lastly update the "user logon page" and "on-the-fly logon page" fields to /CustomUpdate/Login.asp

    7) Click OK

    8) And lastly, as they describe, make sure "In Entrust IdentityGuard, ensure that the VPN server definition for UAG has the first-factor authentication method set to “No First-Factor Authentication”." This is because we are now not passing any credentials to Active Directory.

    I also found a similar document called Technical Integration Guide for Entrust IdentityGuard 9.3 and Microsoft Forefront Unified Access Gateway (UAG) 2010. Looks to be updated for the UAG, but if you follow the instructions above it will work flawlessly.


    Gareth


    Tuesday, January 17, 2012 8:45 PM
  • Hi

    Couldn't find the right link. But I'm using the script below to inject credentials into another repository, which I can use for authentication if needed. I've used that same script in IAG 2007 to enable UPN login. Actually the purpose of this script is to find the corresponding sAMAccountName for a UPN user account.

    The file should be placed at /inc/Customupdate/portalname1postpostvalidate.inc

    You need to replace the -- begin config section -- with the correct AD information. The script looks up the correct sAMAccountName from AD and injects it into the wanted repository.

    At the bottom there are ENTRUST and AD. The ENTRUST repository is RADIUS and AD is the Active Directory repository where you inject the credentials. They are repository names and case sensitive; if you fill them in to match yours this should work.


    <%
     '
     ' This file performs the following actions POST-authentication:
     '
     ' Look up the sAMAccountName that corresponds to the UPN the user logged in with,
     ' then inject domain\sAMAccountName plus the entered password into a separate
     ' (Active Directory) repository so UAG can delegate those credentials (e.g. via NTLM)
     ' to published applications.
     '
     Dim ldapSearchBaseDn, ldapSearchHost, ldapSearchUser, ldapSearchPassword, domain
     Dim otpRepository, adRepository, upn, password, repository
     Dim oConnection1, rs, samAccountName, dn

     ' -- begin config section --
     ldapSearchBaseDn   = "DC=domain,DC=com"
     ldapSearchHost     = "server ipaddress"
     ldapSearchUser     = "username"
     ldapSearchPassword = "password"
     domain             = "domain"
     ' UAG repository names; they are case sensitive.
     otpRepository      = "ENTRUST"   ' the RADIUS (Entrust) repository the user authenticated against
     adRepository       = "AD"        ' the Active Directory repository to inject credentials into
     ' -- end config section --

     LIGHT_TRACE "CUSTOM: PostPostValidate.inc: START"

     ' Set up globals: UAG stores the primary login in these session variables.
     upn        = Session("user_name1")
     password   = Session("password1")
     repository = Session("repository1")

     LIGHT_TRACE "CUSTOM: PostPostValidate.inc: Trying to find user object for [" & upn & "]"

     On Error Resume Next

     ' Bind to AD through the ADSI OLE DB provider using the service account configured above.
     Set oConnection1 = CreateObject("ADODB.Connection")
     oConnection1.Provider = "ADsDSOObject"
     oConnection1.Properties("User ID") = ldapSearchUser
     oConnection1.Properties("Password") = ldapSearchPassword
     oConnection1.Properties("Encrypt Password") = True
     oConnection1.Open "ADsDSOObject"

     ' ADO LDAP query syntax: <base>;filter;attributes;scope
     Set rs = oConnection1.Execute("<LDAP://" & ldapSearchHost & "/" & ldapSearchBaseDn & ">;" &_
                  "(&(objectClass=user)(userPrincipalName=" & upn & "));" &_
                  "samAccountName,distinguishedName;" &_
                  "subtree")

     samAccountName = ""
     dn = ""
     If Not rs.EOF Then
      samAccountName = rs.Fields("samAccountName").Value
      dn             = rs.Fields("distinguishedName").Value
      LIGHT_TRACE "CUSTOM: PostPostValidate.inc: UPN: [" & upn & "] has SAM Account Name: [" & samAccountName & "]"
     End If

     Set rs = Nothing
     Set oConnection1 = Nothing

     ' Only inject when the user came in through the OTP repository and the lookup found an account.
     If repository = otpRepository And samAccountName <> "" Then
      LIGHT_TRACE "CUSTOM: PostPostValidate.inc: Injecting AD credentials for AD user [" & samAccountName & "]"
      AddSessionUser g_cookie, domain & "\" & samAccountName, password, adRepository
     Else
      LIGHT_TRACE "CUSTOM: PostPostValidate.inc: No credentials injected (repository [" & repository & "], sAMAccountName [" & samAccountName & "])"
     End If

     LIGHT_TRACE "CUSTOM: PostPostValidate.inc END"
    %>


    br -teemu
    Wednesday, January 18, 2012 5:12 AM
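An added hardening example for the script above (not teemu's code and not part of the thread): the UPN read from Session("user_name1") is user input and is concatenated straight into the LDAP filter, so it should be validated and escaped per RFC 4515 before the query is built. The function names IsPlausibleUpn, LdapFilterEscape and UpnFilter are hypothetical.

```vbscript
' Added example, not from the thread: validate and escape the login name before it
' is placed into the PostPostValidate.inc LDAP filter. Function names are hypothetical.

' Accept only values shaped like user@domain, built from a conservative character set.
' This also rejects anything outside 7-bit ASCII, so the escape below never has to
' deal with multi-byte UTF-8 sequences.
Function IsPlausibleUpn(value)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._%+\-]+@[A-Za-z0-9][A-Za-z0-9.\-]*$"
    re.IgnoreCase = False
    IsPlausibleUpn = re.Test(value)
End Function

' Escape the characters RFC 4515 gives special meaning in a filter assertion value.
' Kept as defence in depth even though IsPlausibleUpn already refuses them.
Function LdapFilterEscape(value)
    Dim i, ch, out
    out = ""
    For i = 1 To Len(value)
        ch = Mid(value, i, 1)
        Select Case ch
            Case "*"
                out = out & "\2a"
            Case "("
                out = out & "\28"
            Case ")"
                out = out & "\29"
            Case "\"
                out = out & "\5c"
            Case Chr(0)
                out = out & "\00"
            Case Else
                out = out & ch
        End Select
    Next
    LdapFilterEscape = out
End Function

' Build the filter the script uses; returns "" when the UPN fails validation so the
' caller can skip the lookup instead of querying AD with a suspicious value.
Function UpnFilter(upn)
    If Not IsPlausibleUpn(upn) Then
        UpnFilter = ""
    Else
        UpnFilter = "(&(objectClass=user)(userPrincipalName=" & LdapFilterEscape(upn) & "))"
    End If
End Function
```

In the .inc, replace the inline filter string with UpnFilter(upn) and skip the lookup and the AddSessionUser call when it returns an empty string.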
  • That's good to know there is an alternative approach.

    Looks a little complicated for me, but it might come in useful in the future.

    If you want to view the docs or a sample Login.asp, you can find them here:


    http://blocksandbytes.wordpress.com/2012/01/17/integrating-identityguard-otp-with-forefront-uag/


    Wednesday, January 18, 2012 7:40 PM
    I think I'll try that once I've got my test environment configured. But before that, if you have tried it, how does UAG handle password change in that configuration? I'd guess the password change is done against AD, but is the login page able to continue to the challenge/response after it? In most of my cases Entrust is configured to use LDAPS, so it is able to change passwords. Of course one option is to allow login with an expired password in Entrust.

    I read the examples in your blog and the Entrust guides and started to wonder about password change.

    -teemu


    br -teemu
    Wednesday, January 18, 2012 8:43 PM
    Short answer: it worked fine.

    On advice from Entrust I've set IdentityGuard first to avoid denial of service attacks.

    Therefore AD credentials are only sent to a domain controller after the user has successfully answered their IdentityGuard challenge, and if required they are prompted to change their password.

    No issues with this approach.

    I think to some users it will just appear like a delayed reaction!

    Thursday, January 19, 2012 10:30 AM