blackshield id quickstart guide...loading active directory/ad lds schema ldf files to load the...

BlackShield ID™

QUICKStart Guide

Integrating Active Directory Lightweight

Services

© 2010 CRYPTOCard Corp. All rights reserved. http://www.cryptocard.com

QUICKStart Guide BlackShield ID Authenticating On-line Identities

Trademarks

CRYPTOCard, CRYPTO‐Server, CRYPTO‐Web, CRYPTO‐Kit, CRYPTO‐Logon, CRYPTO‐VPN, CRYPTO‐MAS, BlackShield ID are either registered trademarks or trademarks of CRYPTOCard Inc.

Microsoft Windows and Windows XP/2000/2003/2008/NT are registered trademarks of Microsoft Corporation. All other trademarks, trade names, service marks, service names, product names, and images mentioned and/or used herein belong to their respective owners.

Publication History

Date Description Version

August 9, 2010 Initial release 1.0

Solution Overview

Summary

Product Name Active Directory Lightweight Directory Service

AD LDS Server Side Software Active Directory Lightweight Directory Service

AD LDA Client Side Software N/A - Solution is server based only

Pre-Requisites System must be joined to a domain

CRYPTOCard Product Requirements

CRYPTOCard BlackShield ID Professional 2.x +

Support Token types KT-1, KT-2, KT-4, KT-5, RB-1, MP-1

Server OS Windows 2008 R2 x64

Server Type Member Server

i


Table of Content

Active Directory Lightweight Directory Services Installation ................................................................................ 1

Creating an instance ........................................................................................................................................ 1

Preparing AD LDS Schema Synchronization .......................................................................................................... 4

Active Directory Schema Analyzer Overview .................................................................................................. 4

Launching and using “ADSchemaAnalyzer” utility .......................................................................................... 4

Loading Active Directory/AD LDS Schema LDF Files .............................................................................................. 7

Loading AD LDS Synchronization Schema LDF Files ........................................................................................ 8

Editing/Customizing AD LDS Synchronization Config File ...................................................................................... 9

Creating AD LDS Synchronization Config File .................................................................................................. 9

Option 1 ........................................................................................................................................................... 9

Option 2 ......................................................................................................................................................... 10

Installing custom AD LDS Synchronization Config File .................................................................................. 12

First time Synchronization ............................................................................................................................. 13

Disabling SSL Authentication in AD LDS ............................................................................................................. 13

Creating AD LDS User for BlackShield ID ............................................................................................................ 16

Configuring AD LDS to auto synchronize ............................................................................................................ 19

ADAM Multi Domain Support ............................................................................................................................ 20

Creating an OU for additional Domains ........................................................................................................ 20

Create an OU within the existing AD LDS instance for the second domain information ............................... 20

Displaying Currently Loaded Configurations ................................................................................................. 21

Batch File Example ........................................................................................................................................ 21

Configuring BlackShield to use AD LDS proxy user ............................................................................................. 22

Caveats ............................................................................................................................................................ 22

ii


Active Directory Lightweight Directory Services Installation

Microsoft Active Directory Lightweight Directory Services (formerly Microsoft Active Directory Application Mode) is part of Windows 2008 R2. To install Active Directory Lightweight Directory Services (AD LDS) go to:

1. Launch Server Manager 2. Select Roles on the left pane 3. Click Add Roles on the right pane 4. When the wizard spawns, click Next 5. Place a checkmark in Active Directory Lightweight Directory Services 6. Click Add Required Features, then Next, and Next again 7. Click Install

Creating an instance

The following instructions are used to create an instance (virtual LDAP domain) which BlackShield will use to query its user information from. The user information is populated into your instance from your main LDAP server (Active Directory).

To create a new AD LDS instance:

• Click Start • Select All Programs • Select Administrative Tools • Then select Active Directory Lightweight Directory Services Setup Wizard • The Active Directory Lightweight Directory Services Setup Wizard will spawn. Click next to

begin creating new AD LDS instance.

On the Setup Options dialogue, to create “A unique instance” or replicate the information from an existing AD LDS instance.

Since this is the first time through AD LDS, select “A unique instance”, and then click Next.

Figure 1

Active Directory Lightweight Directory Service (AD LDS) Integration 1


On the Instance Name page, provide a name for the instance. Choose a name that will be easily recognizable as it will be used when creating the Windows service.

In this instance, “BlackShield” will be used as the instance name. Provide a Description for the instance name.

Click Next to continue.

Figure 2

By default, LDAP and LDAPS use port 389 and 636 respectively. If the default LDAP ports have been modified, please change the port numbers accordingly.

Click Next to continue

Note: If installation is performed on a domain controller, or a second AD LDS is being created then the ports will default to 50000 and 50001 respectively.

Figure 3

On the Application Directory Partition page. Then select Yes, create an application directory partition.

Create a partition with the name in the following syntax:

DC=blackshield,dc=domain,dc=com

e.g.: DC=blackshield,dc=intel,dc=com)


Figure 4



On the File Locations page, verify the default file location is acceptable.

After verifying, click Next to continue.

Figure 5

On the Service Account Selection page, select the Network service account radio button.


Figure 6

On the AD LDS Administrators page, select Currently logged on user DOMAIN\Administrator


Figure 7



On the Importing LDIF Files page, select the following:

MS‐InetOrgPerson.LDF

MS‐User.LDF

MS‐UserProxy.LDF


Click Next again to create the AD LDS instance.

Click Finish once the instance has been created.

Figure 8

Preparing AD LDS Schema Synchronization

The previous steps will have created and prepared your AD LDS instance to accept LDAP information. During the setup of the AD LDS instance, you told it to load 3 LDF files. These 3 LDF files provide the AD LDS instance information pertaining to particular LDAP object classes, attributes and help it understand as to what its default schema should look like. However, the three provided LDF files do not provide ALL needed information. You are required to use a utility provided by Microsoft called ADSchemaAnalyzer.

Active Directory Schema Analyzer Overview

ADSchemaAnalyzer is a utility that will analyze your current LDAP schema and then analyze what is currently in the local AD LDS schema. It will create an LDF file with all the missing object classes and attributes in AD LDS so that your synchronization can be performed successfully.

Launching and using “ADSchemaAnalyzer” utility

To start the ADSchemaAnalyzer, launch a command prompt and navigate to:

C:\Windows\ADAM

Then type in:

ADSchemaAnalyzer

The AD DS/LDS Schema Analyzer will appear.

Figure 9



In the AD DS/LDS Schema Analyzer click on File.

Then select Load target schema…

Figure 10

Enter in the following information for your Active Directory Server:

Server:[port] – IP or DNS of Active Directory:Port

Username – Username (ex. Administrator)

Password – Password for user

Domain – Domain name (ex. Intel.com)

Under Bind type, select Secure.

Under Server type, select AD DS/LDS.

Click OK when all the information has been entered.

Figure 11

At the bottom of the AD DS/LDS Schema Analyzer, the application is attempting to load the AD schema and all its attributes.

The base schema must now be loaded. Figure 12



In the AD DS/LDS Schema Analyzer, click on File.

Then select Load base schema…

Figure 13

Enter in the following information for the local AD DS/LDS instance:

Server:[port] – 127.0.0.1:389

Under Bind type, select Secure.

Under Server type, select Auto.

Click OK when all the information has been entered.

Figure 14

For the local AD DS/LDS instance, Only the server & port are required.

After clicking the Ok button, the application will compare the two schemas and once it is finished, it will display “Done completing schema”.

Figure 15



Within the AD DS/LDS Schema Analyzer, click on the Schema menu.

Then select Mark all non‐present elements as included

Note: A pop up will appear display the total amount of “non‐presents elements were marks as included”.

Figure 16

Within the AD DS/LDS Schema Analyzer:

Click on the File

Then select Create LDIF file...

In the Save As window, provide a name for the LDF file. Provide the file with a recognizable name as will be used in the next section. Save the LDF file in the default directory.

Figure 17

Loading Active Directory/AD LDS Schema LDF Files

To load the custom LDF file that was created in the previous section, a command will be required to be executed from the command prompt within the ADAM directory.

On the AD LDS system, launch a command prompt and navigate to:

C:\Windows\ADAM

Then issue the following command:

ldifde -i -s localhost -c CN=Configuration,DC=X #ConfigurationNamingContext -f (custom LDF filename).ldf



Note: The (custom LDF filename).ldf is to be replaced to the filename of the LDF file that was created in the previous section.

After executing the command, it will show the following text output:

Connecting to "localhost"

Logging in as current user using SSPI

Importing directory from file "(custom LDF filename).ldf"

Loading entries....................................

Note: Loading entries make take a while depending on how many attributes are being loaded.

Once the command has complete, a message in the command line as follows. (Number of entries may be vary)

Figure 18

Loading AD LDS Synchronization Schema LDF Files

To load the custom LDF file that was created in the previous section, a command will be required to be executed from the command prompt within the ADAM directory.

On the AD LDS system, launch a command prompt and navigate to:

C:\Windows\ADAM

Then issue the following command:

ldifde -i -s localhost -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-AdamSyncMetaData.ldf

After executing the command, it will show the following text output:

Connecting to "localhost"

Logging in as current user using SSPI

Importing directory from file "MS‐AdamSyncMetaData.ldf"

Loading entries.....



Once the command has complete, a message in the command line as follows. (Number of entries may be vary)

Figure 19

Editing/Customizing AD LDS Synchronization Config File

AD LDS requires a special file in order to determine the information it should synchronize from LDAP. In a nutshell, this file will ultimately contain connection information to the target LDAP server, and the destination AD LDS instance. It will also contain information as to what attributes will be synchronized.

Creating AD LDS Synchronization Config File

This section will provide steps on how to create an AD LDS Synchronization file. The file that will be created will indicate to AD LDS the objects and attributes that will be synchronized from an LDAP server. This file is loaded into AD LDS using a special command, and then is used by any subsequent automated synchronization.

There are two options to creating a customized AD LDS Synchronization file. First option is to copy the MS‐AdamSyncConf.xml and modify the necessary information or second option is to copy the Sample AD LDS Synchronization XML Config File in Section 4.1.2, modify the necessary information, and save it to a file.

Option 1

The MS‐AdamSyncConf.xml file is located in c:\Windows\ADAM. Make a copy of the file to the desktop, and open the file with a text editor.

There are 6 lines that are required to be modified within the synchronization file. The lines are:

Your-DC-hostname Hostname of Active Directory Server (ensure it’s resolvable by DNS)

dc=yourdomain,dc=com

Instance path of Active Directory tree (Ex. dc=intel,dc=com)

Administrator

Username of user who has Domain Administrative privileges

yourdomain.com Domain name of Active Directory (Ex. intel.com)



dc=blackshield,dc=cryptocard,dc=com

Local AD LDS instance (See Figure 14 on page 6 for local AD LDS DN)

dc=yourdomain,dc=com Remote LDAP Distinguished Name (Active Directory Server

An optional but non critical line that can be modified is the description.

Here is Microsoft's explanation of the values in the event the above explanation is not adequate or is not clear. The following is taken out of the ADAM quick start guide produced by Microsoft.

SeattleDC1 Replace the value of with the name of the source Active Directory domain controller

dc=fabrikam,dc=com

Replace the value of with the distinguished name of the source domain

administrator.

Replace the value of with the name of an account in the Domain Admins group of the source domain

fabrikam.com. Replace the value of with the fully qualified name of the source domain

o=microsoft,c=US. Replace the value of with the name of the partition of the target ADAM instance

dc=fabrikam,dc=com Replace the value of with the base distinguished name of the source domain

Option 2

Copy the AD LDS Synchronization XML Config file below into a notepad. Then modify the following section’s below that is in bold. For more information and explanation, please see previous section.



BlackShield AD LDS Sync File

object

Your-DC


Administrator

yourdomain.com

dc=blackshield,dc=cryptocard,dc=com


(objectClass=*)

extensionName

displayNamePrintable

flags

isPrivelegeHolder

msCom-UserLink

msCom-PartitionSetLink

reports

serviceprincipalname

accountExpires

adminCount

primarygroupid

userAccountControl

codePage

countryCode

logonhours

lockoutTime

0



0

Once all changes have been made, please save the file to C:\Windows\ADAM, with a .xml extension. Please provide a name that is recognizable as the xml file will be used in the next section.

Installing custom AD LDS Synchronization Config File

The following instruction will explain how to install the custom configuration file that was created in the previous section. The custom configuration file should be placed in C:\Windows\ADAM.

Launch a command prompt and navigate to:

C:\Windows\ADAM

Then type in the following command:

ADAMSync /install localhost:389 %windir%\ADAM\(custom sync filename).xml

After running the command, the prompt will move to the next line and display Done.



Note: If there is a second XML file to add a second domain, then please use the same command above, but specify the appropriate file name.

First time Synchronization

After installing the custom XML configuration file, a sync must occur between the LDAP Server specified in the custom XML config file to the AD LDS instance. The following instructions in this section will require the creation of a directory to store a sync file, and then running the command to start the sync.

A directory needs to be created for the AD LDS synchronizations logs. Create a directory on the C:\ drive named ADLDS‐Logs.

Launch a command prompt and navigate to:

C:\Windows\ADAM

Then type in the following command:

ADAMSync /fs localhost:389 "dc=blackshield,dc=cryptocard,dc=com" /log C:\ADLDS-Logs\sync.log

Note: (Optional) Additional Domain:

... "OU=Domain2,dc=cryptoserver,dc=sparks,dc=com" /log C:\ADAMLogs\syncDomain2.log

Synchronization of data Active Directory to the newly created AD LDS instance can take from 5 minutes to 5 hours depending on how many users exist within Active Directory. Please monitor the AD LDS Sync log in C:\ADLDS‐Logs\sync.log as it can grow in size rapidly and cause low disk space.

Disabling SSL Authentication in AD LDS

By default, SSL authentication is enabled AD LDS. The instructions in this section will show how to disable SSL authentication into AD LDS. This is needed to allow BlackShield to bind (authenticate) to the AD LDS instance without requiring a certificate. To disable SSL authentication, the ADSI Edit tool will be needed.



Note: If SSL authentication is required to access an AD LDS instance from a remote system, then please skip this section. Please also note that AD LDS should have a valid certificate loaded.

To launch the ADSI Edit tool go to:

Start | All Programs | Administrative Tools | ADSI Edit

In the ADSI Edit Application:

Right click on ADSI Edit on the left pane

Select Connect to …

Figure 20

In the Connection Settings window, perform the following:

Select the Select a well known Naming Context radio button, and select Configuration in the dropdown menu.

Select the Select or type a domain or sever: (Server | Domain [:port]) radio button, and then enter in localhost:389 in the field below.

Enter in a name for the connection settings. (Ex Local AD LDS Instance)

Click OK button

Figure 21

In the ADSI Edit application, expand the newly added object, and then:

Expand CN=Configuration,CN=

Then Expand CN=Services

Then Expand CN=Windows NT

Right click on CN=Directory Service

Select Properties

Figure 22



Note: Refresh the ADSI Edit application if the expand button does not show up.

In the CN=Directory Service Properties Window scroll down and fine the msDS‐Other‐Settings attribute, and highlight it.

Then select Edit

Figure 23

Select RequireSecureProxyBind=1 under the Values section.

Select the Remove button.

The RequireSecureProxyBind=1 value is then goes to Value to add field. Change the value from 1 to 0.

Click the Add button.

Click OK.

Figure 24



Creating AD LDS User for BlackShield ID

With the AD LDS instance configured, a user must now be created so when BlackShield connects to the AD LDS instance. The user will be created as a user that is part of the AD LDS instance. This user is outside of the synchronization that is occurring between the source Active Directory and destination AD LDS instance.

To start the Ldp application, launch a command prompt and navigate to:

C:\Windows\ADAM

Then type in:

Ldp

The Ldp application will appear.

Figure 25

In the Ldp application Click on Connection

Then select Connect…

Figure 26

In the Server field, enter in localhost.

Then click on the OK button.

Figure 27



In the Ldp application Click on Connection

Then select Bind…

Figure 28

Under the Bind type section, select Bind as currently logged on user.

If Encrypt traffic after bind is checked off, please remove the checkmark.

Click the OK button

Figure 29

After clicking the OK button, the right pane, will output at the bottom.

The last line should read:

Authenticated as: Domain\Username

Figure 30



In the Ldp application, Click on View, then select Tree.

Click the dropdown menu BaseDN field and select DN of the AD LDS Instance. See Figure 14 on page 6 for more information.

Click the OK button.

Figure 31

Figure 32

In the Ldp instance, select Browse.

Then select Add child.

Figure 33

Enter in the following in the DN field:

cn=adamproxy,dc=blackshield,dc=cryptocard,dc=com

Under Edit Entry, enter in the information in there respective fields:

Attribute: ObjectClass

Values: userProxy

Click the Enter button.

Note: the cn=adamproxy within the DN field is the user that is being created.

Figure 34



Open up a command prompt and type in:

whoami /user

The command prompt will display the username, along with the user’s SID. Copy the SID as it will be needed to be added as an attribute in the Add Child window.

Figure 35

In Edit Entry section of the Add Child window, enter in the information in there respective fields:

Attribute: ObjectSID

Values: S‐1‐5‐21‐140381145‐1539809123‐3681150278‐500

Click the Enter button

Figure 36

Once the ObjectSID attribute and its value has been added into the Entry List, click the Run button.

Configuring AD LDS to auto synchronize

To have AD LDS auto synchronize based on a schedule, a batch file will need to be created either through Scheduled Task or the AT command.

Add the following command into the batch file to automate the sync:

ADAMSync /sync localhost:389 "DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSync.log

A time interval will need to be set within Scheduled Task or using the AT command on how often you would like this command to run. In turn, this is specifying how often AD LDS will synchronize user information from LDAP to the AD LDS instance.

[Optional Second Domain]



ADAMSync /sync localhost:389 "OU=Domain2,DC=cryptoserver,DC=Domain,DC=com" /log C:\adamlogs\autoSync.log

Note: ADAMSync /sync localhost:389 "OU=Domain2,DC=cryptoserver,DC=Domain,DC=com" /log C:\adamlogs\autoSyncDomain2.log must have an associated XML synchronization file installed prior to telling it to sync pointing to the OU=Domain2 as a .

ADAM Multi Domain Support

It may come to a point where AD LDS will be required to connect to more than 1 Active Directory domain. This can be achieved by manually loading in a separate synchronization XML file into the ADAM instance which is configured to pull information from a second domain.

Creating an OU for additional Domains

An OU needs to be created with the AD LDS instance and then information will be synced to the OU.

Create an OU within the existing AD LDS instance for the second domain information

Open ADAM ADSI Edit

Connect to the Distinguished Name (DN) of your AD LDS instance:

(ex. DC=blackshield,DC=cryptocard,DC=com)

Right click the base DN (top of the domain) and select New | Object

Select OrganizationalUnit

Give the OU a name of Domain2

In the second domain's XML synchronization file, edit the:

OU=Domain2,dc=blackshield,dc=cryptocard,dc=com

Note: A second MS‐AdamSyncConf.xml will need to be created with the new settings pointed at a new domain referencing a of the new ADAM instance 'Domain2' OU. Name the second XML file MS‐AdamSyncConf2.xml.

Edit other settings within the second XML file as needed.

For example, when the second XML file is installed using the command:

ADAMSync /install localhost:389 %windir%\ADAM\MS‐AdamSyncConf2.xml

It loads in what it should be synchronizing for one particular domain.



Displaying Currently Loaded Configurations

To display the currently loaded ADAM synchronization files perform the following:

Open a command prompt and navigate to:

C:\Windows\ADAM

Enter the following command:

AdamSync /list localhost:389

It should list something similar to this:

C:\WINDOWS\ADAM>ADAMSync /list localhost:389

Listing configuration files:

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐

|‐> "DC=blackshield,DC=CRYPTOCard,DC=com": BlackShield Sync

|‐> "OU=Domain2,DC=blackshield,DC=cryptocard,DC=com": BlackShield Sync

Done.

Note: If you want ADAM to synchronize information from both domains at a given time interval, you will need to ensure that all needed XML files have been loaded and have been both told to do a full sync /fs.

Batch File Example

Example:

Line 1 ADAMSync /sync localhost:389 "DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSyncDomain1.log

Line 2 ADAMSync /sync localhost:389 "OU=Domain2,DC=blackshield,DC=cryptocard,DC=com" /log C:\adamlogs\autoSyncDomain2.log

Line Explanations

Line 1 This line synchronizes changes from Domain 1 into ADAM top DN

Line 2 This line synchronizes changes from Domain 2 into ADAM Domain2 OU



Configuring BlackShield to use AD LDS proxy user

Now that AD LDS has been configured, it is now time to configure BlackShield to connect to the AD LDS instance for the user source.

During the user source configuration, provide the IP/DNS name of the AD LDS system, NOT the AD DC system.

This is to be done at the LDAP Configurations screen.

Figure 37

In the LDAP Credentials screen, enter in cn=adamproxy in the User DN

Click the dropdown menu and select the Base DN of the AD LDS instance

(eg. dc=blackshield,dc=cryptocard,dc=com)

Place a checkmark in Append Base DN to User DN

Enter in the Password for the user. (Please see Figure 34 through Figure 36 beginning on page 18)

Figure 38

Note: For more detailed installation instructions, please take a look at the BlackShield ID Administrator Manual at: http://www.cryptocard.com.

Caveats

If multiple domains are being synchronized to a single AD LDS instance, than the container names must be unique. When importing users within the same Container name, AD LDS will rename the container to a random name. If a user (eg. JDoe) exists in two domains, with the same username, and within the same container name, than one of the username must be changed (eg. JDoe2) so that bother users will be synchronized to the AD LDS instance.

It is recommended that a separate Container be created within AD LDS when synchronizing data from the second domain. This is to indicate within the synchronization XML file that the BASE DN is within the


http://www.cryptocard.com/



newly created container. This will allow two completely separate sets of LDAP information easily stored within AD LDS.

eg. An OU has been created within AD LDS called 'Domain2'. In the second domain XML file, the base DN that will be used is CN=Domain2,DC=blackshield,DC=cryptocard,DC=com)

Note: A user that exists in AD LDS can never use their Microsoft static password to authenticate against BlackShield. Usernames must be unique if multiple domains are synchronized to an AD LDS instance. Then the users will be displayed properly within BlackShield ID.

Active Directory Lightweight Directory Services InstallationCreating an instance

Preparing AD LDS Schema SynchronizationActive Directory Schema Analyzer OverviewLaunching and using “ADSchemaAnalyzer” utility

Loading Active Directory/AD LDS Schema LDF FilesLoading AD LDS Synchronization Schema LDF Files

Editing/Customizing AD LDS Synchronization Config FileCreating AD LDS Synchronization Config FileOption 1 Option 2

Installing custom AD LDS Synchronization Config FileFirst time Synchronization

Disabling SSL Authentication in AD LDSCreating AD LDS User for BlackShield IDConfiguring AD LDS to auto synchronizeADAM Multi Domain SupportCreating an OU for additional DomainsCreate an OU within the existing AD LDS instance for the second domain information

Displaying Currently Loaded ConfigurationsBatch File Example

Configuring BlackShield to use AD LDS proxy userCaveats

blackshield id quickstart guide...loading active directory/ad lds schema ldf files to load the...

Documents