Strong Authentication with Smart cards using ILM(CLM) Kunal Kodkani Senior Consultant Microsoft Corporation


Page 1: Kunal Kodkani Senior Consultant Microsoft Corporation

Strong Authentication with Smart cards using ILM(CLM)

Kunal Kodkani, Senior Consultant, Microsoft Corporation

Page 2

Agenda

Need for Strong Authentication

Microsoft ILM Solution Approach

Smart card Deployment Challenges

ILM 2007(CLM) Architecture

ILM 2007(CLM) Configuration

Demo – Smart card lifecycle management and strong authentication

Questions?

Page 3

The need for Strong Authentication…

Page 4

Strong Authentication: Why Strong Authentication?

Traditional username & password is not enough to protect identity:

Easy to guess

“Sticky note” / wallet best friend

Results in…

Source: http://www.ft.com/cms/s/0/9fd9fc98-cae8-11dc-a960-000077b07658.html

Page 5

Strong Authentication: What Strong Authentication Provides

Multi-factor authentication

Something you have (certificate)

Something you know (secret PIN)

Strong private key protection

User keys stored in a cryptographic device

User keys protected by PIN

User keys protected with biometrics

Non-repudiation and digital signature capabilities

Achieve legal and regulatory requirements

Protects people and business identity

Page 6

Smart Cards

What are smart cards?

Smart card is a device that stores data, including certificates, public keys, and private keys

Enhanced Security for:

Interactive logon

Client authentication

Remote logon

Wireless authentication

Secure Email

Smart card usage (diagram): Interactive Logon, Secure E-mail, Code Signing, Client Authentication, Custom Applications, Remote Access Authentication

Page 7

Smart card Deployment Challenges

Business Considerations

Lost, stolen or forgotten smart cards

Smart card personalization requirements

Centralized to highly distributed scenarios

Deployment of smart card middleware

Technical Considerations

Establishing a strong issuance process

Integrating user / device provisioning

Driving end user acceptance

Reducing the help desk burden

Microsoft ILM 2007(CLM) is designed to address the challenges associated with certificate and smart card issuance and lifecycle management.

Page 8

Microsoft's Approach to IDA: Platform Components

(Layered diagram; recoverable labels follow)

User and Developer Experiences: Microsoft Office, Windows, Web Portals, CardSpace

Extensibility: 20+ Connectors, WS-*, ILM Partners, IDA Management Capabilities

Microsoft Solution Focus Areas: Directory Services, Strong Authentication, Federated Identity, Information Protection, Identity Lifecycle Mgmt

Platform Technologies: Active Directory Domain Services (AD DS), Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS), Active Directory Rights Management Services (AD RMS), Active Directory Lightweight Directory Services (AD LDS)

Platform Components: BizTalk, .NET, Visual Studio, ILM SDK

Page 9

Active Directory Certificate Services Use Case

(Diagram; recoverable labels follow)

Certificate-Enabled Applications: Smart Card Logon, Software Code Signing, IP Security, Encrypting File System, Secure E-mail, Internet Authentication, 802.1x, Software Restriction Policy, Digital Signatures

Accounts that use cert-enabled Applications: Users, Computers, Services

Active Directory Certificate Services

Page 10

ILM 2007(CLM) Functionality: Smart Card & Certificate Lifecycle Management

Support for centralized, decentralized and self-service scenarios

User self-service capabilities to help reduce helpdesk burden

Configurable policy-based workflows for common tasks:

Enroll / renew / update

Personalize smart card

Recover / smart card replacement

Issue temporary / duplicate smart card

Revoke / retire / disable smart card

Detailed auditing and reporting capabilities

Extensibility to support additional authentication technologies including one time password (OTP) devices, physical access cards & biometrics

Tightly integrated with Active Directory and Certificate Services

Page 11

ILM Product Roadmap

Today: Identity Synchronization, User Provisioning, Certificate Lifecycle Management, Smartcards & Certificates

ILM “2”: User Management, Access Management, Credential Management, Policy Management

Integrated User Experiences

Spans User, Credential, Access and Policy Management

Built on a Common Foundation: Connectors, Delegation, Workflow, Logging, Web Service API

Page 12

ILM 2007(CLM) Architecture: Certificate & Smart Card Lifecycle Management

Physical Architecture (diagram labels): Microsoft Identity Lifecycle Manager, Microsoft CA’s, SQL, AD, E-mail, End User

Component Architecture (diagram labels): Microsoft Certificate Authority, ILM Policy Module, ILM Exit Module, ILM Web App, Internet Information Server, ILM AD Integration, Internet Explorer, ILM Browser Control, Smart Card Middleware

Page 13

ILM 2007(CLM) Architecture: Key Solution Components

ILM 2007 Server

Central component of ILM architecture

Web based ASP.NET application

Web based user interface for manager and subscriber access

Provides management services to Windows 2003 and 2008 CA’s

Can support multiple CA’s simultaneously

Stores all ILM management information in a Microsoft SQL Server database

(Physical architecture diagram as on Page 12: ILM 2007 Server, Microsoft CA’s, SQL, AD, E-mail, ILM 2007 Client)

Page 14

ILM 2007(CLM) Architecture: Key Solution Components

Microsoft Certificate Services

Tightly integrated with Windows Server 2003 and Windows Server 2008 Certificate Services

ILM Policy Modules - determine whether certificate requests received by the CA should be approved, denied or marked as pending. Also allow for:

Certificate subject/SAN customization

Support for non-ILM generated requests

ILM Exit Modules - provide post-processing after a certificate has been issued

(Physical architecture diagram as on Page 12)

Page 15

ILM 2007(CLM) Architecture: Key Solution Components

Active Directory

Tightly integrated with Active Directory for user authentication and definition of user permissions

Requires minor Active Directory schema extension to support objects / privileges required by ILM

Enables ILM to leverage administrative and management models configured within an existing Active Directory environment

Enables organizations to leverage investments in their existing AD environments:

Centralized to highly distributed scenarios

Multiple domains and forests

(Physical architecture diagram as on Page 12)

Page 16

ILM 2007(CLM) Architecture: Key Solution Components

SQL Server

Used as repository for all certificate and smart card management information including:

Profile templates

Audit logs of all ILM activities

ILM does not require a dedicated SQL Server database

Supports SQL Server running in clustered environments for high availability scenarios

Supports clustering, mirroring, log shipping

(Physical architecture diagram as on Page 12)

Page 17

ILM 2007(CLM) Architecture: Key Solution Components

ILM 2007 API’s

Provisioning API - enables custom applications to access smart card and certificate management workflows with ILM

Notification API - used to initiate custom code modules based on specific ILM events including:

Distribution of one time passwords to devices such as cell phones

Initiate provisioning of account information to other applications, e.g. physical access

SQL API - enables developers to access ILM functionality by writing to the external_requests table in the SQL Server database

Additional ILM extensibility:

Custom validators for external data validation during enrollment process

(Physical architecture diagram as on Page 12)

Page 18

ILM 2007(CLM) Architecture: Key Solution Components

ILM 2007(CLM) Client

Used for smart card communications and profile management

Runs on Windows XP SP2 (or later) and Windows Vista

Users access ILM portal via IE v6.0 or higher

Uses ActiveX control to integrate with smart card via BaseCSP or PKCS#11 compliant middleware

Provides additional client side functionality:

On-line updates for certificate profiles

Off-line smart card PIN unblocking

(Physical architecture diagram as on Page 12)

Page 19

ILM 2007(CLM) Architecture: Key Solution Components

Smart Card Middleware

Binds the smart card, card driver and management infrastructure required to manage the cards

ILM 2007 supports 2 middleware standards:

PKCS#11 - widely implemented but not always consistently across smart card vendors

Microsoft BaseCSP - robust, smaller footprint and consistent approach for all card vendors

BaseCSP compliant smart cards (*):

Gemalto’s .NET smart card

HID’s Crescendo smart card

PKCS#11 compliant smart cards / middleware (*):

Axalto Client Software (ACS) v5.2

Gemplus GemSafe v4.2 SP3

AET SafeSign v2.2

Aladdin eToken RTE v3.65

Siemens HiPath SIcurity Card API v3.1.026

IAS Middleware version 1.03

(*) – Supported by ILM 2007 FP1

(Physical architecture diagram as on Page 12)

Page 20

ILM 2007(CLM) Configuration: Roles

Role: Subscriber
Description: Can perform a limited number of functions against their own certificates or smart cards; has access to the CLM Subscriber Portal

Role: Manager
Description: Performs management functions for a group of subscribers; has access to the CLM Manager Portal

Page 21

ILM 2007(CLM) Configuration: Roles

ILM supports 2 types of roles

Managers: administrators granted permissions to:

Perform ILM management functions

Manage groups of end users

Approve self-service requests

Subscribers: end users that require smart card and certificate services including:

Smart Card Logon

Secure Email

Wireless LAN Access etc.

Roles

Creation of an AD group(s)

Associating ILM permissions with that group

Benefit is flexibility to support a wide range of deployment scenarios

(Diagram labels: ILM Subscriber Web Portal, ILM Manager Web Portal, ILM 2007 Server, Active Directory, MS SQL Server, Enterprise CA, Subscribers, Managers)

Page 22

ILM 2007(CLM) Configuration: Permissions

Permissions enable delegation of responsibilities & sophisticated role management

Roles determine permissions to perform certificate management functions

Configured using standard Active Directory permission management tools

Extended to include CLM permissions:

CLM Audit

CLM Enrollment Agent

CLM Request Enroll

CLM Request Renew

CLM Request Revoke

CLM Request Unblock Smart Card

(Diagram as on Page 21)

Page 23

Registration Model: Self-Service Workflow Example

Assurance level scale (diagram): LOW, LOW - MED, MED, MED - HIGH, HIGH

Flow: Subscriber Initiates Certificate Request -> Subscriber Responds to Data Collection -> Manager Approval Required? No: Subscriber Executes Request and Certificate is Issued. Yes: Manager Approves Request for Certificate, then Subscriber Executes Request and Certificate is Issued

May involve:

• Data collection

• Data validation

• Manager approval(s) prior to request execution

Page 24

Registration Model: Delegated Workflow Example

Assurance level scale (diagram): LOW, LOW - MED, MED, MED - HIGH, HIGH

Flow: Manager1 Initiates Certificate Request -> Manager1 Responds to Data Collection -> Approval Required? (Yes: Manager2 Approves Request for Certificate) -> OTS Distributed by E-mail to Subscriber -> Subscriber Executes Request, and Certificate is Issued

May require:

• Approval by a different manager

• Data collection

• E-mail notification

• Distribution of one-time secrets (OTSs)

Page 25

Registration Model: Centralized Workflow Example

Assurance level scale (diagram): LOW, LOW - MED, MED, MED - HIGH, HIGH

Flow: Manager Receives Request for Certificate or Smart Card -> Manager Issues Smart Card or Subscriber Certificates -> Smart Card and PIN or PFX file and password is Distributed to Subscriber -> Subscriber Receives Card and PIN Ready to Use or imports PFX file with password

• Smart cards are issued from central location

• Card can be shipped ready-to-use or blocked

• Request can be initiated by the Subscriber or Manager

Page 26

Registration Model: In-Person-Proofing Workflow Example

Assurance level scale (diagram): LOW, LOW - MED, MED, MED - HIGH, HIGH

Flow: Subscriber Arrives at Issuance Office -> Manager Verifies Subscriber’s Identity -> Manager Issues Smart Card and Subscriber Certificates -> Subscriber Receives Smart Card Ready to Use

• Manager validates identity of CS during a face-to-face session

• Data is collected during a face-to-face session

• Issuance cannot take place without data collection input
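The four registration models on Pages 23 to 26 all turn on the same two questions: who may initiate a request, and who must approve it before it executes. The Go program below is an added example, not ILM/CLM code, that models that workflow with the roles and CLM permissions from Pages 21 and 22: AD groups carry CLM permissions, a management policy states whether manager approval is required, and approval must come from a manager other than the initiator (the delegated model's "approval by a different manager"). The group and user names, the rule that requesting on behalf of another user requires CLM Enrollment Agent, and the state names are assumptions made for the example.

```go
package main

import "fmt"

// Permission names follow the CLM permissions listed on the Permissions slide.
type Permission string

const (
	PermEnrollmentAgent Permission = "CLM Enrollment Agent"
	PermRequestEnroll   Permission = "CLM Request Enroll"
	PermRequestRenew    Permission = "CLM Request Renew"
	PermRequestRevoke   Permission = "CLM Request Revoke"
)

// Directory stands in for Active Directory: roles are AD groups that carry
// CLM permissions (constructed model, not the product's own data structures).
type Directory struct {
	Members map[string][]string            // group -> users
	Perms   map[string]map[Permission]bool // group -> CLM permissions granted
}

// Has reports whether user holds permission p through any group membership.
func (d Directory) Has(user string, p Permission) bool {
	for group, users := range d.Members {
		for _, u := range users {
			if u == user && d.Perms[group][p] {
				return true
			}
		}
	}
	return false
}

// ManagementPolicy mirrors one profile-template workflow: the permission the
// initiator needs and whether a manager must approve before execution.
type ManagementPolicy struct {
	Required         Permission
	ApprovalRequired bool
}

// Request states: awaiting manager approval, approved (or no approval needed), issued.
const Pending, Approved, Issued = "pending", "approved", "issued"

// Request is one enrollment flowing through the registration workflow.
type Request struct {
	Policy             ManagementPolicy
	Initiator, Subject string // who asked, and whom the card or profile is for
	Approver, State    string
}

// Initiate checks the initiator's permission; requesting on behalf of another
// user additionally needs CLM Enrollment Agent (assumed rule for managers).
func Initiate(d Directory, pol ManagementPolicy, initiator, subject string) (*Request, error) {
	if !d.Has(initiator, pol.Required) {
		return nil, fmt.Errorf("%s lacks %q", initiator, pol.Required)
	}
	if initiator != subject && !d.Has(initiator, PermEnrollmentAgent) {
		return nil, fmt.Errorf("%s may not request on behalf of %s", initiator, subject)
	}
	r := &Request{Policy: pol, Initiator: initiator, Subject: subject, State: Approved}
	if pol.ApprovalRequired {
		r.State = Pending
	}
	return r, nil
}

// Approve enforces the delegated-workflow rule that approval comes from a
// different manager than the initiator (and never from the subject).
func Approve(d Directory, r *Request, manager string) error {
	if r.State != Pending {
		return fmt.Errorf("request is %s, not awaiting approval", r.State)
	}
	if !d.Has(manager, PermEnrollmentAgent) {
		return fmt.Errorf("%s is not a manager", manager)
	}
	if manager == r.Initiator || manager == r.Subject {
		return fmt.Errorf("%s may not approve a request they initiated or are the subject of", manager)
	}
	r.Approver, r.State = manager, Approved
	return nil
}

// Execute issues the certificate or card only once approvals are satisfied.
func Execute(r *Request) error {
	if r.State != Approved {
		return fmt.Errorf("request is %s, not approved", r.State)
	}
	r.State = Issued
	return nil
}

// DemoDirectory is constructed sample data: one subscriber group, one manager group.
func DemoDirectory() Directory {
	return Directory{
		Members: map[string][]string{"CLM Subscribers": {"alice", "bob"}, "CLM Managers": {"manager1", "manager2"}},
		Perms: map[string]map[Permission]bool{
			"CLM Subscribers": {PermRequestEnroll: true, PermRequestRenew: true},
			"CLM Managers":    {PermEnrollmentAgent: true, PermRequestEnroll: true, PermRequestRenew: true, PermRequestRevoke: true},
		},
	}
}
```

A self-service enrollment is `Initiate(d, enroll, "alice", "alice")` followed by `Approve(d, r, "manager1")` and `Execute(r)`; the delegated model is `Initiate(d, enroll, "manager1", "bob")`, which `Approve` refuses to let manager1 approve and accepts from manager2. The point to carry into a real deployment is that the separation-of-duties check lives in the approval step, not in the portal that displays it.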

Page 27

ILM 2007(CLM) Configuration: Profile Templates

(Diagram: a Profile Template combines Certificate Templates, Management Policies (Enrollment workflows such as Enroll, Recover, Revoke, …) and Smart card Profile Details)

Page 28

ILM 2007(CLM) Configuration: Profile Templates – Certificate Templates

(Diagram labels: Profile Template, Certificate Templates, CA with CLM modules installed)

• Only a single CA can issue a specific certificate template for use in a profile template

• A profile template can contain different certificate templates issued by multiple CAs

Page 29

ILM 2007(CLM) Configuration: Profile Templates – Management Policies (Workflows)

Management Policy: Description

Enroll Policy: Governs requests for a new profile or smart card

Duplicate Policy: Creates an exact duplicate of an issued profile or smart card. The existing card is marked as the primary card, but the duplicate is fully functional

Renew Policy: Renews all certificates in a profile when the expiration period is reached. Certificates are renewed with new key pairs, and key history is maintained

Reinstate Policy: Reinstates a profile or smart card that was temporarily revoked

Recover on Behalf: Allows a user to recover a profile or smart card issued to another user

Online Updates: Automates the update of profiles or smart cards for certificate content change, certificate template inclusion and certificate expiration

Page 30

ILM 2007(CLM) Configuration: Profile Templates – Management Policies (Workflows)

Management Policy: Description

Replace Policy: Allows recovery of a profile if a smart card is lost or stolen

Disable Policy: Allows a certificate on a smart card to be terminated before expiration

Retire Policy: Revokes all certificates on a smart card and can remove all data from the smart card, allowing its re-use

Unblock Policy: Defines the workflows for unblocking smart cards due to incorrect PIN entry or for cards shipped with a CLM-set PIN

Temporary Cards Policy: Allows temporary smart cards to be issued in the event a user does not bring the smart card to the office

Offline Unblock: Defines the workflow for unblocking BaseCSP smart cards offline

Page 31

ILM 2007(CLM) Configuration: Profile Templates – Smart card configuration

What card vendor?

Initialize card?

Card reuse?

Secure key loading?

Install CA certificate?

Certificate label text

Max # of certificates

Admin PIN options

User PIN options

Enable Smart Card Printing

Page 32

Smart Card Profile Template Configuration

demo

Page 33

ILM 2007(CLM) Configuration: Profile Template – Smart card printing

Choose a supported printer: Datacard SP35, Datacard SP55, Datacard SP75

Install pre-requisite software at printing station:

.NET Framework 2.0

Smart card CSP and middleware/mini-driver

Certificate Lifecycle Manager Client

Datakey ID Works® 5.1 Enterprise Identification Software

Bulk Issuance Client

Page 34

ILM 2007(CLM) Configuration: Profile Templates - Other Items

ILM(CLM) Bulk Issuance Client

Card accompanying letter printing

Secure PIN sheet printing

Data Collection and Validation

Kiosk page functionality for Temporary card issuing

Encryption history for encryption certificates

Page 35

Integrated User and Smart Card provisioning

demo

Page 36

Smart Card Lifecycle Management

demo

Page 37

Smart Card Logon

User Logon Experience

User inserts smart card into desktop / laptop smart card reader

Windows Logon User Interface (UI) recognizes a smart card has been inserted

Windows Logon UI prompts user for their smart card Personal Identification Number (PIN)

PIN received: smart card certificate is used to initiate Kerberos logon to Windows network

User session may be configured to lock or automatically log-off if the smart card is removed

(Diagram labels: Windows Logon UI prompt for smart card PIN; Network; SQL Server; Active Directory / Domain Controller; ILM 2007 Server; Certificate Authority; Smart Card Logon)
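The sequence above ends with the card's certificate being used to initiate Kerberos logon. The Go program below is an added illustration, not Microsoft or ILM code and not the actual Kerberos PKINIT exchange: it builds a throwaway enterprise CA and card certificate, has the "card" sign a fresh nonce (the step the PIN unlocks), and shows the relying-party checks that a domain controller's trust decision rests on, which is why the slides stress configuring the card and its certificates for logon: the certificate must chain to the trusted enterprise CA, carry the Smart Card Logon enhanced key usage, and prove possession of the private key with a valid signature over the challenge. The CA and user names are constructed; the EKU OID 1.3.6.1.4.1.311.20.2.2 is Microsoft's standard Smart Card Logon value. Mapping the certificate to an account through its UPN, which a real domain controller also performs, is not shown.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// OID of the Smart Card Logon enhanced key usage (szOID_KP_SMARTCARD_LOGON,
// 1.3.6.1.4.1.311.20.2.2) that Windows expects on a logon certificate.
var oidSmartCardLogon = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 2}

// must panics on error; acceptable here because the PKI below is constructed test data.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func issue(tmpl, parent *x509.Certificate, pub any, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCardPKI builds a constructed enterprise CA plus one card certificate and its key (on a real
// card the key never leaves the chip); withLogonEKU=false models a template without the logon EKU.
func NewCardPKI(withLogonEKU bool) (caCert, cardCert *x509.Certificate, cardKey *rsa.PrivateKey) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	cardKey = must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Enterprise CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caCert = must(issue(caTmpl, caTmpl, &caKey.PublicKey, caKey))
	cardTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice (constructed user)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if withLogonEKU {
		cardTmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidSmartCardLogon}
	}
	cardCert = must(issue(cardTmpl, caCert, &cardKey.PublicKey, caKey))
	return caCert, cardCert, cardKey
}

// SignChallenge is the card's part once the correct PIN has unlocked the key:
// sign the verifier's fresh nonce, proving possession without exposing the key.
func SignChallenge(key *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// VerifyLogon is the relying party's side: chain to a trusted enterprise CA,
// Smart Card Logon EKU present, and a valid signature over the nonce.
func VerifyLogon(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	hasLogonEKU := false
	for _, oid := range cert.UnknownExtKeyUsage {
		hasLogonEKU = hasLogonEKU || oid.Equal(oidSmartCardLogon)
	}
	if !hasLogonEKU {
		return fmt.Errorf("certificate lacks the Smart Card Logon EKU")
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, nonce, sig); err != nil {
		return fmt.Errorf("challenge signature invalid: %w", err)
	}
	return nil
}

// LogonOutcome runs one constructed logon attempt end to end; tamperNonce
// replays the card's signature against a different challenge (must be rejected).
func LogonOutcome(withLogonEKU, tamperNonce bool) bool {
	caCert, cardCert, cardKey := NewCardPKI(withLogonEKU)
	nonce := make([]byte, 32)
	must(rand.Read(nonce))
	sig := must(SignChallenge(cardKey, nonce))
	if tamperNonce {
		nonce[0] ^= 0xff
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return VerifyLogon(roots, cardCert, nonce, sig) == nil
}
```

`LogonOutcome(true, false)` is the happy path; `LogonOutcome(false, false)` shows why a certificate template configured for client authentication alone is not a logon certificate, and `LogonOutcome(true, true)` shows that a captured signature is worthless against a fresh challenge. The same three checks are what an auditor would look for when reviewing which templates a profile template is allowed to issue.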

Page 38

Smart Card Logon: The role ILM plays …

ILM 2007 is central to providing management capabilities

Configure the smart card to support smart card logon

Configure and manage all certificates stored on smart card

Enroll users and user accounts with smart cards

Manage smart card personalization / printing process

Manage the smart cards once users are enrolled

Unblock a user’s smart card

ILM 2007 provides detailed reporting capabilities

Enrollment requests / approval tracking reports

Smart card configuration reports

Smart card deployment / tracking reports

Certificate usage / expiry reports

Certificate revocation list reports

Page 39

Secure Email

User Experience

Once users have enrolled for S/MIME certificates - they are downloaded to their workstation

S/MIME certificates can be stored locally on their workstation or on a Smart Card

Certificates also published to AD for lookup of public key information to encrypt emails

Once enrolled - users can access Outlook email encryption and signing functionality

Email encrypted in the S/MIME mail format and cannot be read by intermediary parties

(Diagram labels: Network; SQL Server; Active Directory / Domain Controller; ILM 2007 Server; Certificate Authority; Email Server; Secure Email)

User Scenario

Microsoft Certificate Services is configured to issue S/MIME encryption and signing certificates

Microsoft Exchange is used as the messaging platform

Microsoft Outlook is used as the email client

Outlook 2003 and Outlook 2007 are both supported

Enables digital signing capabilities

Page 40

Secure Email: The role ILM plays …

ILM 2007 is central to providing management capabilities

Configure the smart card to support smart card logon

Enroll users and user accounts with smart cards

Enroll users for S/MIME certificates

Manage the smart cards / certificates once users are enrolled

Ability to recover encrypted email

ILM 2007 provides detailed reporting capabilities

Enrollment requests / approval tracking reports

Smart card configuration reports

Smart card deployment / tracking reports

Certificate usage / expiry reports

Page 41

Additional Resources

Microsoft ILM Website - www.microsoft.com/ilm

Datasheets

Whitepapers

Flash Demo

ILM / ISV Partners

Microsoft IDA Website - www.microsoft.com/ida

Identity & Access Solution Areas

IDA Solution Brochures

IDA ISV / Systems Integration Partners

IDC Identity IO Whitepaper

Page 42

Questions

[email protected]

Page 44

Your MSDN resources: check out these websites, blogs & more!

Presentations

TechDays: www.techdays.ch

MSDN Events: http://www.microsoft.com/switzerland/msdn/de/presentationfinder.mspx

MSDN Webcasts: http://www.microsoft.com/switzerland/msdn/de/finder/default.mspx

MSDN Events

MSDN Events: http://www.microsoft.com/switzerland/msdn/de/events/default.mspx

Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

MSDN Flash (our bi-weekly newsletter)

Subscribe: http://www.microsoft.com/switzerland/msdn/de/flash.mspx

MSDN Team Blog

RSS: http://blogs.msdn.com/swiss_dpe_team/Default.aspx

Developer User Groups & Communities

Mobile Devices: http://www.pocketpc.ch/

Microsoft Solutions User Group Switzerland: www.msugs.ch

.NET Managed User Group of Switzerland: www.dotmugs.ch

FoxPro User Group Switzerland: www.fugs.ch

Page 45

Your TechNet resources: check out these websites, blogs & more!

Presentations

TechDays: www.techdays.ch

TechNet Events

TechNet Events: http://technet.microsoft.com/de-ch/bb291010.aspx

Save the date: Tech•Ed 2009 Europe, 9-13 November 2009, Berlin

TechNet Flash (our bi-weekly newsletter)

Subscribe: http://technet.microsoft.com/de-ch/bb898852.aspx

Swiss IT Professional and TechNet Blog

RSS: http://blogs.technet.com/chitpro-de/

IT Professional User Groups & Communities

SwissITPro User Group: www.swissitpro.ch

NT Anwendergruppe Schweiz: www.nt-ag.ch

PASS (Professional Association for SQL Server): www.sqlpass.ch

Page 46

Save the date for tech·days next year!

7. – 8. April 2010, Congress Center Basel

Page 47

Classic Sponsoring Partners

Media Partner

Premium Sponsoring Partners