
How to configure File Access SSO with KCD - PART1


Author: Idan Plotnik
Author Title: Security Engineer, Forefront MVP
Published: 10/10/2008 12:00:00 AM

How to Configure Remote File Access Single Sign On (SSO) with Kerberos Constrained Delegation (KCD) Before SP1 - PART 1

Author:  Idan (DeviceZ) Plotnik, Security Engineer, Forefront MVP

Date:  02/09/2008

Before you begin

If you don't have any prior experience with the Kerberos protocol (RFC 1510 - http://www.ietf.org/rfc/rfc1510.txt), please read this Wikipedia article first: Kerberos (Protocol) - http://en.wikipedia.org/wiki/Kerberos_protocol

If you already have knowledge of Kerberos Constrained Delegation (KCD), you can move forward to the next section.

If not, please read the upcoming short and exhaustive paper - What is Kerberos Constrained Delegation (KCD), how it works, and why it's good for me

Please watch the video before implementing File Access SSO (in the Screencasts section)

Important to know!

Microsoft IAG server is the only SSLVPN product on the market today that provides secure access to internal File Shares with Smart Card or OTP authentication, and also performs:

1. FULL Single-Sign-On (SSO)

2. FULL Audit trail of the end user to the back-end servers (IIS, SQL, AD etc ...)

3. Granular Access Controls per users/groups

 

Prerequisites

1. Microsoft Windows Server 2003 must run in Native mode for the domain in which Kerberos Constrained Delegation (KCD) is configured

2. You must raise each domain controller's domain level to Windows Server 2003 Domain Functional Level

3. You must configure KCD on your IAG server

 

Configuration Procedures

The following How-To document describes the procedures you need to perform to configure Single Sign On (SSO) for remote File Access.

The following procedures must be implemented after you configure KCD on your IAG machine:

Configure the Domain Controller

Add File Access application to the portal

Configure the IIS server on the IAG server. In Part

Configure the ISA Server Publishing Rule. In Part
 

Configure the Domain Controller

1. Go to your Domain Controller and open "Active Directory Users and Computers" (Start -> Run -> dsa.msc)

2. Double-click the IAG computer account, navigate to the Delegation tab, add the Computer Account whose shares you want to use, and choose the "cifs" service type

3. Press OK
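As an added example (not the article's or IAG's own code), the delegation entry that step 2 writes through the Delegation tab can be verified read-only from PowerShell with the ActiveDirectory module; the computer names IAG01 and FS01 and the domain contoso.com are assumptions.

```powershell
# Added example, not part of the original article: a read-only check of the
# delegation entry that the Delegation tab writes in step 2. Requires the
# ActiveDirectory PowerShell module (RSAT / Windows Server 2008 R2 or later).
# Assumed names: IAG01 is the IAG computer account, FS01 the file server whose
# shares are published, contoso.com the domain DNS name.
Import-Module ActiveDirectory

$IagComputer = 'IAG01'
$FileServer  = 'FS01'
$DomainDns   = 'contoso.com'

# The Delegation tab stores the selected services in msDS-AllowedToDelegateTo;
# its "Use any authentication protocol" option sets TRUSTED_TO_AUTH_FOR_DELEGATION
# (0x1000000) in userAccountControl.
$TrustedToAuthForDelegation = 0x1000000

$iag = Get-ADComputer -Identity $IagComputer `
    -Properties 'msDS-AllowedToDelegateTo', 'userAccountControl'

$allowed = @($iag.'msDS-AllowedToDelegateTo')

# Accept either the short or the fully qualified cifs SPN of the file server.
$cifsTargets = @("cifs/$FileServer", "cifs/$FileServer.$DomainDns")
$cifsAllowed = @($allowed | Where-Object { $cifsTargets -contains $_ })

if ($cifsAllowed.Count -eq 0) {
    Write-Warning "$IagComputer has no cifs delegation entry for $FileServer. Entries present: $($allowed -join ', ')"
} else {
    Write-Output "$IagComputer may delegate to: $($cifsAllowed -join ', ')"
}

# Assumption stated here, not in the article: when the user signs in to IAG with a
# smart card or OTP rather than with Kerberos, the IAG host must request the user's
# service ticket itself (protocol transition), which is what this flag permits.
$protocolTransition = ($iag.userAccountControl -band $TrustedToAuthForDelegation) -ne 0
if ($protocolTransition) {
    Write-Output "'Use any authentication protocol' is enabled on $IagComputer"
} else {
    Write-Warning "'Use any authentication protocol' is NOT enabled on $IagComputer (Kerberos-only delegation)"
}

# Delegation only works if the target SPN resolves; cifs is served through the
# file server's HOST SPN, so confirm that one is registered.
$fs = Get-ADComputer -Identity $FileServer -Properties servicePrincipalName
$hostSpns = @($fs.servicePrincipalName) | Where-Object { $_ -like 'HOST/*' }
Write-Output "HOST SPNs registered for $FileServer : $($hostSpns -join ', ')"
```

Run it from a domain-joined machine as a user who can read the two computer objects; it changes nothing in the directory.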

 

Add File Access application to the portal

1. Open the IAG Configuration manager

2. Choose the relevant Trunk

3. In the Applications section click "Add"

4. Choose "File Access" in the "Built-in Services" section

5. Press "Finish"

6. Choose "Admin" in the tool bar

7. Choose "File Access"

8. You will see a message warning that you are going to open NETBIOS from the ISA Server to the back-end network

9. Press OK

10. The File Access administration window will open

11. Enter Domain Credentials in the following syntax: Domain\User

12. Choose the relevant Domain (if you have more than one domain)

13. Press Apply

14. Move forward to the "Servers" section

15. Choose the relevant server

16. Press Apply

Please continue reading part 2 of this document to finish the configuration procedures.

If you have any issues with File Access and KCD, please go to our Technical Forums at the following link: http://Forums.ForefrontSecurity.ORG

Thank you very much,

Idan (DeviceZ) Plotnik

Security Engineer, Forefront MVP

ForefrontSecurity.ORG