
Welcome to Frédéric ESNOUF's Web Log

Microsoft EMEA/Security/IDA
Strong authentication using your brain: IAG and Gridsure.

Gridsure, a UK company, has created a very nice way to provide strong authentication. Strong authentication combines what you know (login, password) and what you have (something physical).

In the long list of strong authentication mechanisms we know smartcards, tokens, and more recently we have seen products capable of using the mobile phone as a proof of identity (one-time password sent via SMS, audio authentication, software installed on the device, etc.).

Gridsure has replaced the notion of “what I have” with “what I have in my brain”. In their logic, step one is for you to provide to the authentication server (inside the company) a drawing (they call it a pattern), for example a “Z”. Once you have provided this pattern, every time you connect to Microsoft IAG, the login banner will contain a grid of numbers. The position of these numbers in the grid changes every time you connect.

image

How does strong authentication work now? The user sees the grid (with random numbers) and mentally places his pattern (something he HAS in his brain) on top of it. Without typing anything (no click on the grid), he identifies the one-time password from this temporary grid.

Let’s take an example.

Step 1 (called the provisioning phase): you (as a user of the solution) connect to the Gridsure web server and create your pattern. The application shows you a basic grid, with a nice 123456789 (previous screenshot). In that example, my pattern is a drawing like a “Z”, so I tell it to the provisioning system by selecting 1379. Now the Gridsure authentication server knows your secret and associates “My User Name” with “this Z pattern”. You share this secret with the authentication server: you in your brain, the server in its database!

Step 2 (in fact every time you connect to Microsoft IAG): the authentication page shows you three fields: your login, your password (if you want broad single sign-on, it is better to also ask for the password) and the one-time password that the Gridsure authentication server will check.

This time, do not expect a 123456789 grid: all the numbers are randomly positioned in the grid. So visually you will need to pick out the numbers under your pattern.

Let’s suppose that for this authentication, the Gridsure authentication server has generated a temporary grid like this. IAG will show you this drawing on the login banner:

image

As you can see, our “Z” pattern gives us 3147 as the one-time password for this session. IAG sends this information to the authentication server, the server verifies that the OTP/username/grid combination is correct, and validates the authentication.

For sure, I took a very basic grid to illustrate their approach, but in reality the grid is a bit bigger. This makes sure that even if a hacker captures the screen (the grid) and the OTP at the same time, because the same numbers appear several times (X times 1, X times 2, ...) he will not be able to recover the pattern by reverse engineering.
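The following is an added worked model of the scheme described above (it is not Gridsure's or IAG's code). It reproduces the post's 3x3 example, then uses a constructed 5x5 grid to show how the repeated digits of a larger grid leave an observer of one (grid, OTP) pair with many candidate patterns, and how repeated observations narrow that set. Grid sizes, the 0-9 digit alphabet and row-major cell numbering are assumptions.

```python
"""Worked model of the Gridsure pattern / one-time-password scheme described above.

Added example, not Gridsure's or IAG's code.  Cells are numbered row-major from
0, digits are 0-9, and the grid sizes are assumptions: the post's 3x3 drawing
and a larger 5x5 grid to show why size matters.
"""
import itertools
import secrets
from collections import Counter

# The post's "Z" pattern on a 3x3 grid: cells numbered 1,3,7,9 -> indexes 0,2,6,8.
Z_PATTERN_3X3 = (0, 2, 6, 8)
# The same four corners on a 5x5 grid (assumption: the user drew the same "Z").
Z_PATTERN_5X5 = (0, 4, 20, 24)

# Constructed grids.  PROVISIONING is the enrolment grid of the post; LOGIN is
# arranged so that the "Z" reads 3147, as in the post's second screenshot.
PROVISIONING = list("123456789")
LOGIN = list("321596487")
# A constructed 5x5 grid in which every digit appears 2 or 3 times.
LOGIN_5X5 = list("1234567890123456789012345")


def random_grid(size: int) -> list:
    """Server side, per login: a fresh grid of random digits from a CSPRNG."""
    return [str(secrets.randbelow(10)) for _ in range(size * size)]


def otp_from_pattern(grid: list, pattern: tuple) -> str:
    """What the user does mentally: read the digits under the pattern cells, in order."""
    return "".join(grid[i] for i in pattern)


def verify(grid: list, pattern: tuple, submitted: str) -> bool:
    """Server check of a submitted OTP against the grid it issued for this session."""
    return secrets.compare_digest(otp_from_pattern(grid, pattern), submitted)


def candidate_patterns(grid: list, otp: str) -> int:
    """Number of cell sequences consistent with one observed (grid, OTP) pair.

    This is what the post's "multiple same numbers" remark buys: every OTP digit
    that appears k times in the grid leaves k possible cells for that step.
    """
    counts = Counter(grid)
    total = 1
    for digit in otp:
        total *= counts[digit]
    return total


def patterns_consistent_with(observations: list) -> set:
    """Set of cell sequences consistent with every (grid, otp) pair observed.

    Lets a defender reason about how quickly repeated captures of screen and
    OTP narrow the secret down, i.e. how large the grid needs to be.
    """
    survivors = None
    for grid, otp in observations:
        cells_per_step = [{i for i, d in enumerate(grid) if d == c} for c in otp]
        this_round = set(itertools.product(*cells_per_step))
        survivors = this_round if survivors is None else survivors & this_round
    return survivors if survivors is not None else set()
```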

This “Gridsure” Strong Authentication does not require any hardware or software to be deployed, is very simple to understand, and I think it has a great potential for most of the users (employees, partners and even customers).

Of course you will not reach the same level of security here as with PKI or a hardware token, but you are very close, and you definitely kill the risky login/password authentication approach and reach a very high level of security.

In a next article, I will tell you how to connect IAG with Gridsure authentication server.

For more information about their technology, check their videos online: http://www.gridsure.com/about/about-gridsure.asp?ItemID=68

Notice that Microsoft IAG supports all kinds of authentication, from all vendors. I personally don’t recommend this or that technology; I just share with you the pros and cons of solutions.

BPOS and DNS configuration: warning if your domain is at Gandi

Recently, I decided to evaluate BPOS (Business Productivity Online Services), Microsoft’s hosted offer. Basically, I want to use Exchange to host my personal mail (OWA and antivirus/antispam) and also use SharePoint/MOSS.

With BPOS, you “rent” this strong service online, via Microsoft infrastructure.

Once your subscription is active, you need to add a CNAME DNS record in order to “redirect” traffic to the hosted service.

I bought my personal domain at Gandi, so I had to do it via their administration interface.

I spent more than 3 weeks trying to understand why this DNS record was not working. There were 2 different behaviors: 1) in the BPOS console I received an error saying that my domain could not be verified; 2) ping failed during name resolution.

After a lot of tests, I found that it is in fact due to the Gandi administration console.

Check this:

image

Here you can see the console. The “…Microsoftonline.com” record is the one I needed. But look at the top: there is a shortcut (link) that says in French “interface de gestion de zone” (zone management interface). What is this? As you can also see, it talks about a “Gandi zone 2008”. I was confused.

If you click this link you discover that, in fact, when you make a modification it creates a sort of “temporary” configuration. If you stay at that level, this TEMP config is not activated, so your configuration does not work.

On the interface below, I had to explicitly click the “par défaut” (default) link to activate that “Gandi zone 2008”.

image

This procedure is very strange.

Since I spent a few weeks on this, it is good to share it with the community.

IAG KCD breaking due to a missing “keep-alive” header. Why?

A few days ago, I was working with Fadhel Ben Brahem, one of our IAG experts working for Dictao, a Microsoft partner. IAG was implemented in a very complex LAN/switches/load balancer environment.

The goal, the failure

The goal of our proof of concept was to implement IAG and demonstrate SSO capabilities, especially Kerberos Constrained Delegation (KCD). This scenario is very common, and usually we install it in a short period of time.

Unfortunately we were facing connection problems and decided to activate IAG “internal” tracing, just to see what was going on.

The methodology: tracing

The component in IAG, for web applications, that does all this job is called WhlFilter. Once turned to “deep tracing mode”, it generates a lot of useful information to see what is happening during the reverse proxy phase. Problems could be due to IAG’s configuration, but also generated by the global IT environment. The log will help us find a clue.

WhlFilter shows us all the requests arriving, then what the filter does with them, then the request that leaves IAG towards the web application, and exactly the same on the way back.

In our scenario, because we want to provide SSO using KCD, it also shows us what it does to get the Kerberos ticket on behalf of the user, etc.

Log analysis

We quickly found in the trace something breaking. According to the filter, the “Connection: keep-alive” header was missing, causing the filter to stop its job:

 “32/13/2099 16:29:45.282 (tid: 00000CA8): CExtECB::Handle401StatusResponse - The browser does not use HTTP keep-alive. Filter is dropping down to basic scheme support *only*. (ExtECB=05AD5C58), (PFC=01180DA0)”

Back to the RFCs

If you look at the HTTP 1.1 RFC, keep-alive is described in detail (http://www.w3.org/Protocols/HTTP/1.1/draft-ietf-http-v11-spec-01.html#Connection). Extract from the RFC: “10.9.1 Persistent Connections: The "keep-alive" keyword in a Connection header field allows the sender to indicate its desire for a persistent connection (i.e., a connection that lasts beyond the current request/response transaction). Persistent connections allow the client to perform multiple requests without the overhead of connection tear-down and set-up between each request.”

At this level, we understand what keep-alive is, but don’t really know why the filter is stopping its job.

In that RFC, we also have this comment: “…Connection header fields received in an HTTP/1.0 message, as would be the case if an older proxy mistakenly forwards the field…”, which in fact led us to the solution: HTTP/1.0.

If you look at this example, the HTTP GET explicitly says that it is using HTTP 1.1. In HTTP 1.1, this “Connection: xxx” header is expected by an application (web application, IAG, ...) that also supports that version of the HTTP protocol:

image

The problem, the solution

In our scenario, the request received by IAG was saying “I am HTTP 1.1” but without any indication about the “Connection” status. So for IAG, this is not RFC compliant, and IAG assumes that the session has been closed, and stops the conversation. This is pretty much what the WhlFilter log is saying, in the words of the programmer of that feature ;-)

Just for a test, I turned my IE to use only HTTP 1.0…

image

… and did the same capture. As you can see, the browser is now using HTTP 1.0:

image

The conclusion here is that “something” between the client (with an HttpWatch/Fiddler trace we can see that when the request leaves the client, both HTTP 1.1 and “Connection: keep-alive” are there) and the server (thanks to the WhlFilter trace) is corrupting this dialog.

In our scenario, security equipment between the two was generating this behavior, and once we changed its configuration, it worked correctly. More interesting: we detected this problem when we looked at KCD, but that was a wrong assumption. KCD was not involved at all; all HTTP requests are inspected by IAG, so any of them could potentially be dropped because of that non-compliant request.
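As an added example (not IAG's or WhlFilter's code), the small checker below does what the comparison of the two captures above did by hand: it classifies a request head by HTTP version and Connection header, diffs the client-side view of a request against what IAG received to list the headers lost in transit, and pulls the keep-alive fallback events out of a WhlFilter trace so they can be correlated with the HttpWatch capture. The request heads are constructed and the host name is a placeholder; the trace line is the one quoted in the post.

```python
"""Checks for the condition the WhlFilter trace reported: an HTTP/1.1 request
reaching IAG without its "Connection: keep-alive" header.

Added example, not IAG's or WhlFilter's code.  The request heads are
constructed to mimic the post's two vantage points (HttpWatch on the client,
WhlFilter trace on IAG); the host name is a placeholder.  TRACE_LINE is the
line quoted in the post.
"""
import re

# Constructed: what left the browser (HttpWatch view) ...
CLIENT_SIDE = (
    "GET /InternalSite/ HTTP/1.1\r\n"
    "Host: portal.example.test\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n"
)
# ... and what IAG saw after an intermediate device dropped the header.
SERVER_SIDE = (
    "GET /InternalSite/ HTTP/1.1\r\n"
    "Host: portal.example.test\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n\r\n"
)
# The same request after forcing IE to HTTP/1.0, as in the post's second capture.
HTTP10_SIDE = "GET /InternalSite/ HTTP/1.0\r\nHost: portal.example.test\r\n\r\n"

TRACE_LINE = ("32/13/2099 16:29:45.282 (tid: 00000CA8): CExtECB::Handle401StatusResponse"
              " - The browser does not use HTTP keep-alive. Filter is dropping down to"
              " basic scheme support *only*. (ExtECB=05AD5C58), (PFC=01180DA0)")


def parse_head(raw: str):
    """Split a request head into (method, target, version, {lower-case name: value})."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def keepalive_status(raw: str) -> str:
    """Classify a request head: 'http10', 'keep-alive', 'close' or 'missing'
    (the last one is the case the filter complained about)."""
    _, _, version, headers = parse_head(raw)
    connection = headers.get("connection", "").lower()
    if version == "HTTP/1.0":
        return "http10"
    if "keep-alive" in connection:
        return "keep-alive"
    if "close" in connection:
        return "close"
    return "missing"


def lost_in_transit(client_raw: str, server_raw: str):
    """Diff the client-side and IAG-side views of one request: returns
    (headers present only client-side, headers whose value changed)."""
    _, _, _, client = parse_head(client_raw)
    _, _, _, server = parse_head(server_raw)
    lost = sorted(h for h in client if h not in server)
    changed = sorted(h for h in client if h in server and client[h] != server[h])
    return lost, changed


TRACE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \(tid: (?P<tid>[0-9A-Fa-f]+)\): (?P<where>\S+) - "
    r"The browser does not use HTTP keep-alive")


def keepalive_drops(trace_text: str) -> list:
    """Pull (timestamp, tid, function) of every keep-alive fallback out of a
    WhlFilter trace, so the event can be lined up with the HttpWatch capture."""
    hits = []
    for line in trace_text.splitlines():
        m = TRACE_RE.match(line.strip().strip('"“”'))
        if m:
            hits.append((m.group("ts"), m.group("tid"), m.group("where")))
    return hits
```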

This example is a very nice use of IAG tracing capabilities, in order to highlight problems coming from “outside” of IAG.

Thanks Fadhel for this efficient collaboration!

Unknown device error when running the IAG Virtual Lab with “Windows Virtual PC” on Windows 7 RTM

I recently upgraded my machine to Windows 7 RTM, and decided to also install the next version of Virtual PC, named “Windows Virtual PC” (WVPC).

I use the Microsoft IAG Virtual Lab (downloadable online) a lot for my day to day work (demo, dev, …).

After attempting to start those virtual machines with WVPC (Ibiza is the IAG machine, Dallas is the DC/Exchange/MOSS one), I first encountered a hibernation problem. It seems that WVPC does not like the hibernation file generated by Virtual PC. I just renamed the hibernation file, and the virtual machine started. Problem 1 “solved”.

After the virtual machine started, WVPC proposed to UPDATE the “integration” components.

I of course responded positively, and it seemed to work. But then the VM detected new “hardware” components, and did not find any driver for them. Looking at Control Panel, I could clearly see an “unknown device” in the USB controllers section. I also had a strange side effect: the mouse was moving slowly, as if my machine was at 100% CPU usage.

wvpc1

After a few tests, I finally did this:

  • Add/Remove Programs, and remove the additions: reboot.
  • In the WVPC menu, install the additions. During the installation process, Windows 2003 R2 will detect this new hardware and will ask you to load the Windows 2003 R2 CD 2. In fact there is nothing on CD 2, so load CD 1 and it finds the driver: reboot.

After the reboot, everything seems to be OK. WVPC shows me the right GUI, with the additions installed, and the USB options.

=> My conclusion is that the “upgrade” does not work perfectly.

wvpc2

I hope this will help you!

How to request assistance when a web application is causing problems through IAG/UAG

On my blog, I have created a dedicated section (TAG = howTo-Filters) for IAG application filters. Every time I have to face a problem with a web application, I create a post on my blog and try to share the approach I used to identify the problem, and of course to fix it.

Check this link to get more details about application filters, and why web applications sometimes break through reverse proxy servers: http://blogs.technet.com/fesnouf/archive/tags/howTo-Filters/default.aspx

There is no official process to get an application filter. The only ones I know are either to ask a partner, or (congratulations) to learn how to do it yourself.

In order to constantly add more advice on this particular part of IAG, I would like to ask for your help: every time you encounter a problem with a web application, please send me an email.

I do not guarantee that I will fix it, but I will do my best, and I want to use your material in order to propose more and more examples.

IMPORTANT: in the email you send me, I must have several pieces of information in order to help you (otherwise investigation is impossible).

Here is the list:

  • Email and contact name (you)
  • Name and short description of the application: the name, the purpose, …
  • Is it a localized application? If so, which language are you using for the application, and what is the language of the client computer?
  • What is the internal FQDN used by a user to reach the application (for example: http://myapplication.internal.private)? What is the external URL (with IAG) used?
  • What is the user experience? Send me screenshots and a few explanations about the process to reproduce the problem.

Probably the most important now!

In order to understand the problem (because each application is different) I need a traffic capture with a tool called HttpWatch. You can download it at http://www.httpwatch.com/download/. If you don’t have a licence key, download the “BASIC EDITION”, which is free but will only capture the traffic (no analysis GUI).

Once HttpWatch is installed, make sure that you follow this procedure:

CAPTURE 1: your machine is on the LAN (without IAG). Clear your Internet Explorer cache (either with IE, or with the TOOLS section of HttpWatch). Do the A to Z scenario until you reach the “problem”. If there is more than one “bad behavior”, continue your scenario in order to generate the other problems in the same capture. Once finished, save the trace as capture 1.

CAPTURE 2: sometimes we need to compare the traffic without and with IAG. So you need to reproduce the same process (you must also clear the cache before you start the second capture), but this time with IAG. Make sure that you follow the same step by step process as in capture 1; it will ease the debugging.

Once you have that (filled out the questionnaire, and attached the 2 traces), send it to me: fesnouf@microsoft.com

ONCE AGAIN, I DON’T GUARANTEE ANYTHING, but I will do my best in order to help you and also share that with the community.

WARNING: if there are authentication pages in your application, please use a login and password that cannot compromise your security. The capture will contain all the HTTP/HTTPS traffic, which means also the login and password you used to reproduce the problem.

Let’s keep in touch!

Hello Middle East and Africa, bye bye CEE

Last year I had a lot of pleasure working for the Central and Eastern Europe region. I had the opportunity to visit several countries and collaborate with partners and customers. What a great experience.

This year I will be working for Middle East and Africa (MEA). What great news!

meamap

If you are based in this region, do not hesitate to contact me if you have questions about security and identity in general.

H1N1 and mobility: how to quickly implement a remote access solution

In my day to day activity, I frequently have to discuss with customers and partners the technology around mobility and security.

In the last 4 weeks I had a lot of requests from customers in the context of the H1N1 disease, which is why I created this post.

The main concern about this disease (I would say ‘all diseases’, but TV and radio stations talk a lot about H1N1) is that people could get infected and become sick, or could decide not to come to work just to avoid this risk (bus, subway, train, airports, …). Lucky me, home working is part of Microsoft culture, so I will not hesitate a second if this happens, without impacting my day to day activity.

Check confirmed H1N1 cases per country here (WHO).

image

This could have a severe impact on a company’s organisation, especially if it is not ready to cope with such a problem. I mean here, if it is not ready to propose “home working” to its employees to minimize the impact on its business.

Most of the big companies already have a mobility infrastructure, so they just need to extend it, which means more Internet bandwidth, more “simultaneous connections”, and maybe more “hardware” authentication devices (tokens, smartcards, …).

But most companies don’t have such a solution!

What are the solutions?

At Microsoft, we have several mobility technologies. The one I am covering is Intelligent Application Gateway (IAG): more info about IAG, click here.

I think this is a great solution for such a project because:

  • IAG is in fact an appliance: it is pre-installed and pre-hardened, so you just rack the server, do a minimum of configuration and your remote access portal is ready.
  • IAG is our VPN/SSL solution, and having a “network layer” approach is the quickest way to propose such a service. BUT, once the crisis is over, IAG is a strong “application layer” mobility solution. You will be able to implement more security features and so enhance your security in general.
  • The A to Z solution can be installed in between half a day and 2 days max. Then all your employees will have access to the company’s network, exactly the same way as when they are in the building. “Security policies” implemented in IAG will prevent security risks.
  • IAG supports a wide range of authentication mechanisms, from the most complex/expensive (OTP, smartcards) to the most recent ones: SMS OTP, cell phones, grids, … Frequently customers are afraid because they want strong authentication and sometimes it is very expensive. A wide list of IAG technology partners propose strong authentication solutions, at a lower price and easy to deploy.

Appliances and Virtual Appliances

As I said previously, the “IAG” solution is in fact an appliance. You buy a server with all the products pre-installed by the Microsoft product group.

There is also another way to implement IAG, called Virtual Appliance.

If you would rather use your own hardware (due to SLA, services, spares, …), you just need to install Windows 2008/Hyper-V on this machine, and buy an “IAG Virtual Machine”. It comes as a single big file (the virtual machine), with exactly the same content as a normal appliance. The only difference with this option is that you use the hardware machine you want.

What is the best moment to implement a mobility solution?

In fact, now ;-)

We expect a lot of requests from customers in the next 2 months, so it would be great if you anticipate and implement such a solution. Also, you will have time to inform your employees, train them, and make sure that everybody will be ready in case of emergency.

If you need more technical information, or if you want to locate the best partners to implement such a solution in your country, send me an email and I will route you: fesnouf@microsoft.com

A few interesting links I found for people living in France:

Introduction to application reverse engineering: the CWA (Communicator Web Access) R2 case.

By Lucimara Desiderá (MS Consultant, São Paulo) & Frédéric ESNOUF (MS Pre-sales IDA, Paris)

Introduction

Intelligent Application Gateway is a very powerful remote access solution which provides a wide range of technologies such as VPN, VPN/SSL, port forwarding and reverse proxy for application publishing. It also provides endpoint access controls, including mechanisms for client authentication, single sign-on and a myriad of access policies. The next generation, named Forefront Unified Access Gateway (UAG), will offer even more technologies, including Windows 7 SSTP and Windows 2008 R2 DirectAccess.

With IAG, all the web applications are published via the reverse proxy mechanism. This makes the platform able to see what data is transported and take “actions” when needed, for example rewriting HTML links in the page, transforming internal names such as http://finance.internal.private/logo.Gif into Internet names such as https://finance.mypublicname.com/logo.Gif.

However, “web applications” have evolved and are not composed simply of static “HTML” pages anymore. Most web applications contain executable code which changes content/behavior at execution time. Therefore, publishing such web applications could fail when using a reverse proxy (whatever type/brand). Reverse proxies can successfully rewrite HTML links in a page, but what if links appear in unexpected places (code)?

What is the technical problem here? Well, if this page contains a piece of code, this means that the “rendering” of this page, done by the browser on the client side, will be partially generated by this code, and this code could in fact contain hard-coded variables that refer to the internal names. The result is that once the page is rendered by the browser (remember, the user is connected from the Internet, outside the company network) some of the links remain “internal links”, causing the browser to fail to connect. Sometimes errors will appear when the user clicks a link. But most of the time, it will generate random errors depending on the framework used by the developer.

What can be done to fix that? Most reverse proxies do not have an advanced mechanism to fix that. Their “engine” is coded to change only HTML code, and extending that is usually proposed via the SDK and requires advanced C++ skills. With IAG, the “engine” to do this job is already available for IT pros, and it is called “ApplicationWrapping/SRA”. With this, you can pretty much change everything in the flow of data: headers, HTML, JavaScript, Java, etc. Anything can be “changed” for any kind of reason. This engine just asks for a configuration file, based on XML and using a macro language described in the IAG advanced administration guide.

Recently, Microsoft released Office Communicator Web Access R2 (CWA). Unfortunately, publishing this application causes the behavior we presented above. For a reason we didn’t know (but we will know why in this post), CWA R2 was not working through IAG.

Lucimara and Frédéric had the opportunity to collaborate on this case and fix the problem. This article is based on this experience and of course we will explain how to fix this problem. Additionally, we want to share with you the methodology we used, and the actions taken in IAG.

The symptom

When we started testing the CWA application published through IAG we noticed the strange behavior shown below: first some missing pictures on the login page and then an error code 1-0-400:

cwa1

The methodology

The methodology to analyze and fix this kind of behavior is in fact simple. We need to capture the HTTP traffic and look at the transactions. By looking at the HTTP traffic we need to identify:

  • what the problem is and where it occurs,
  • the reason why it is breaking,
  • and then, how to fix that using the IAG “AppWrap/SRA” engines.

The role of IAG here will be to change the “things” causing the problem, but our role (IT pros) is to tell IAG what to change, and that is the “human” job in this problem.

We definitely advise you to use HTTP analyzers (rather than network analyzers such as Wireshark or Netmon) to capture such traffic. Tools such as HttpWatch or Fiddler are excellent.

So now that we know what to do, let’s reproduce the problem and capture the traffic.

The problem

In this example, we used HttpWatch to capture the HTTP traffic. By looking at the capture, we can quickly identify a problem:

cwa2

On this screenshot, you can see that the first five HTTP requests (in the yellow square numbered “1”) worked fine. We can verify that because in the result column, those GET requests returned HTTP status code “200”, which means success.

At a certain moment (request 6) we can see that the requests resulted in an error (in this case a message regarding name resolution problems). If you look at the HTTP requests that fail (in the red square numbered “2”), you can see that the URL requested by IE is not the “Internet” name anymore (the one used to reach IAG), but the “internal” application URL. So now that we know the problem, let’s try to understand exactly why it happens.

Searching for the cause

The first error occurs when IE tries to download a file called “detailbar_up_hover.gif”. We can clearly see that in the URL.

So what we tried to do to identify the source of the problem is to locate the “thing” that previously told IE to download this file, which could be either an HTML tag (but we know that the reverse proxy can correctly rewrite such a link) or a piece of code downloaded previously.

What we do here is just search (using the HttpWatch “find” tool) for the string “detailbar_up_hover.gif”, from the failing request in the upward direction.

With this approach, we can find a request and a response containing such a “string”. Here is what we get:

cwa3

Request:

GET /whalecom754aec20c6043b78fe481a84322ae50e153495e7/whalecom1/cwa/client/Resource.aspx?param=1-2-13825|2-2-5|4-2-17409 HTTP/1.1

If we look this time at the response to this request (which is pretty much “give me the content of the resource.aspx file”), we can find some JavaScript code containing variables that hold strings with internal names. This is not good!

Why don’t reverse proxies change that? Just because they are programmed to analyze HTML code only, and look only for “HREF” tags. It is quite impossible to “extend” a reverse proxy to do better than this (it usually requires C++ code, and a lot of work).

Here is an extract of the “resource.aspx” page, with the code causing our problem:

<EXTRACT>
var L_Menu_UpArrow = "https://ocs-cwa.fabrikam.com/cwa/Client/3.5.6907.0000/Loc/Image/detailbar_up_hover.gif";
var L_Menu_DownArrow = "https://ocs-cwa.fabrikam.com/cwa/Client/3.5.6907.0000/Loc/Image/detailbar_down_hover.gif";
var L_Presence_FreeImg = "https://ocs-cwa.fabrikam.com/cwa/Client/3.5.6907.0000/Loc/Image/presence_icons/online.png";
var L_Presence_IdleFreeImg = "https://ocs-cwa.fabrikam.com/cwa/Client/3.5.6907.0000/Loc/Image/presence_icons/idle.png";
var L_Presence_BusyImg = "https://ocs-cwa.fabrikam.com/cwa/Client/3.5.6907.0000/Loc/Image/presence_icons/busy.png";
var L_Presence_IdleBusyImg = "https://ocs-cwa.fabrikam.com/cwa/Client/3.5.6907.0000/Loc/Image/presence_icons/idlebusy.png"
<END EXTRACT>

So now we know the cause of the problem: CWA R2 is using JavaScript that generates HTTP GETs to the application, and IAG does not rewrite these links by default. What we need to do, then, is to instruct IAG to correctly replace these strings, which will generate correct links after JavaScript execution on the client side.

How to fix that

We are now entering the final step of the solution. As we said before, IAG contains an “engine” capable of modifying anything. We just need to tell it what to do, by means of its language.

In this CWA R2 scenario we will ask it to do a basic “search and replace” on the HTML code when the request is “GET Resource.aspx”.

To do so, we need to create a configuration file for the IAG portal in the TRUNK publishing CWA R2. If you are not familiar with such a config, it may seem a bit complex the first time, but as soon as you have done it once, it is easier later.

Here is the step by step procedure to configure IAG:

1) Go to the C:\Whale-Com\e-Gap\von\conf\WebSites\<Portal>\Conf directory
2) Create a “CustomUpdate” directory. We will place our configuration file here.
3) Create a file named “WhlFiltAppWrap_HTTPS.xml” (this name means that we configure the ApplicationWrapping engine, for HTTPS (client/portal) connections).
4) Copy the text below into this file:

<APP_WRAP ver="3.0" id="RemoteAccess_HTTPS.xml">
<MANIPULATION>
      <DATA_CHANGE>
            <URL case_sensitive="false">.*/Resource\.aspx.*</URL>
            <SAR>
                  <!-- SEARCH https://yourApplication.internal.name -->
                  <SEARCH encoding="base64">BASE64 ENCODING for the internal name</SEARCH>
                  <!-- REPLACE WITH https://yourportal.external.name -->
                  <REPLACE encoding="base64" using_variables="false">BASE64 ENCODING for the external name</REPLACE>
            </SAR>
      </DATA_CHANGE>
</MANIPULATION>
</APP_WRAP>

IMPORTANT: Here there are a few things that you have to update:

  • Put your URL for the internal name in the “SEARCH”
  • Put your URL for the Internet name in the “REPLACE”. This URL has to contain the external FQDN, including the “HOST ADDRESS TRANSLATION (HAT)” part of the CWA R2 application (ex: whalecom754ae…).
  • Once these values are OK, you need to encode them in BASE64 (you can use an online tool like http://webnet77.com/cgi-bin/helpers/base-64.pl to do that)

After the appropriate substitutions, your code will look like this:

cwa4

Now you can save the file. A good tip is to double-click this XML file: Internet Explorer will “render” it and validate that the file is correct (from a pure XML point of view). Otherwise, IAG will not use it and will not warn you. It will just not work.

Once the file is good and in place, you need to activate the IAG configuration. Don’t forget to tick the checkbox “Apply changes made to external configuration settings”, otherwise IAG will not process the customization.

As you can see, the structure of the configuration is based on XML. Tags such as “APP_WRAP”, “MANIPULATION”, etc. are in fact the IAG/ApplicationWrapping macro language and are described in detail in the IAG advanced administration guide.

Note: here we used the AppWrap technology. Another one called SRA could also be used, since it has a specific function called ADD_SIGNATURE that can add the HAT part of the application to the URL (versus the hard-coded one with AppWrap), making the solution more generic. We wanted to keep this article simple, so we will investigate SRA in another article.
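As an added example (not IAG's own tooling), the script below goes through the procedure above end to end: it produces the WhlFiltAppWrap_HTTPS.xml content with the SEARCH and REPLACE values base64-encoded locally, performs the well-formedness check that the double-click-in-IE tip stands for (IAG silently ignores a malformed file), and then shows the effect of the rule on two lines of the Resource.aspx extract quoted above. INTERNAL is the name from the extract; the portal name in EXTERNAL is a placeholder, with the HAT prefix taken from the captured request; matching the <URL> pattern with re.search is an assumption about the engine's semantics.

```python
"""Builds the WhlFiltAppWrap_HTTPS.xml customisation from the steps above, checks
that it is well-formed and shows the search-and-replace it performs on the
Resource.aspx extract quoted in the post.

Added example, not IAG's own tooling.  INTERNAL is the name from the post's
extract; the portal name in EXTERNAL is a placeholder, with the HAT prefix taken
from the post's captured request.  Matching the <URL> regex with re.search is
an assumption about the engine's semantics.
"""
import base64
import re
import xml.etree.ElementTree as ET

INTERNAL = "https://ocs-cwa.fabrikam.com"
EXTERNAL = ("https://portal.example.test"
            "/whalecom754aec20c6043b78fe481a84322ae50e153495e7/whalecom1")

# The request captured in the post (path and query only).
REQUEST_PATH = ("/whalecom754aec20c6043b78fe481a84322ae50e153495e7/whalecom1"
                "/cwa/client/Resource.aspx?param=1-2-13825|2-2-5|4-2-17409")

# Two lines of the extract quoted in the post (the hard-coded internal links).
EXTRACT = (
    'var L_Menu_UpArrow = "https://ocs-cwa.fabrikam.com/cwa/Client/3.5.6907.0000'
    '/Loc/Image/detailbar_up_hover.gif";'
    'var L_Presence_FreeImg = "https://ocs-cwa.fabrikam.com/cwa/Client/3.5.6907.0000'
    '/Loc/Image/presence_icons/online.png";'
)

TEMPLATE = r"""<APP_WRAP ver="3.0" id="RemoteAccess_HTTPS.xml">
  <MANIPULATION>
    <DATA_CHANGE>
      <URL case_sensitive="false">.*/Resource\.aspx.*</URL>
      <SAR>
        <!-- SEARCH {search} -->
        <SEARCH encoding="base64">{search_b64}</SEARCH>
        <!-- REPLACE WITH {replace} -->
        <REPLACE encoding="base64" using_variables="false">{replace_b64}</REPLACE>
      </SAR>
    </DATA_CHANGE>
  </MANIPULATION>
</APP_WRAP>
"""


def b64(text: str) -> str:
    """The BASE64 encoding step of the post, done locally instead of on a web site."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def build_appwrap(internal: str, external: str) -> str:
    """Produce the file content with both values already base64-encoded."""
    return TEMPLATE.format(search=internal, search_b64=b64(internal),
                           replace=external, replace_b64=b64(external))


def is_well_formed(xml_text: str) -> bool:
    """The 'double-click it in Internet Explorer' check: IAG ignores a malformed
    file without any warning, so fail here instead."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def load_rules(xml_text: str) -> list:
    """Read every DATA_CHANGE/SAR as (compiled URL regex, search, replace),
    decoding base64 values as the engine would."""
    rules = []
    for change in ET.fromstring(xml_text).iter("DATA_CHANGE"):
        url = change.find("URL")
        flags = re.IGNORECASE if url.get("case_sensitive", "true") == "false" else 0
        url_re = re.compile(url.text.strip(), flags)
        for sar in change.iter("SAR"):
            values = []
            for tag in ("SEARCH", "REPLACE"):
                node = sar.find(tag)
                raw = node.text.strip()
                values.append(base64.b64decode(raw).decode("utf-8")
                              if node.get("encoding") == "base64" else raw)
            rules.append((url_re, values[0], values[1]))
    return rules


def apply_rules(rules: list, request_path: str, body: str) -> str:
    """What AppWrap does on a response whose request URL matches the rule."""
    for url_re, search, replace in rules:
        if url_re.search(request_path):
            body = body.replace(search, replace)
    return body
```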


Conclusion

By publishing a web application via a reverse proxy approach (versus a network/tunneling approach), we can provide a lot of security features. It is especially important when we publish applications that contain very valuable data that we want to protect (against cyber criminals).

IAG provides all the reverse proxy features, and also a strong rewriting engine called AppWrap that can change everything in the HTTP traffic. This makes sure that applications breaking behind a reverse proxy will work as expected.

CWA R2 was a very nice example, because it was easy to fix. Some applications can be more complex to fix, but the basic methodology remains the same.

Publishing web applications through IAG: what if it fails?

Microsoft IAG (Intelligent Application Gateway) is a powerful “mobility” gateway capable of providing remote access to different kinds of people: employees, partners, customers, …

It introduces several approaches to provide this mobility:

  • “Reverse proxy”: this is the most common scenario, for web applications. This is the strongest approach since IAG can do a lot of inspection, and provide “application layer” security to cope with cyber criminals’ attacks.
  • “Port forwarder”: technology dedicated to TCP applications (called legacy applications in IAG). It provides a “sort of VPN/SSL” but without a virtual NIC and private IP. The very nice thing with that approach is that if you (unfortunately) have a malicious agent on the client machine, since there is no “IP connectivity” with the company, this bad guy cannot attack your network. He will never enter the “port forwarder tunnel”.
  • “VPN/SSL”, called “network connector”: this is the same approach as other VPN/SSL solutions on the market: you see a virtual NIC, and you get a private IP. Your machine is then virtually plugged into the company’s network, and you have access to it like all the other machines on the physical LAN. Mostly a solution when the remote machines are “corporate/managed” ones.

Let’s put aside for a second the scenarios where you want to plug that remote machine into the network (VPN, VPN/SSL), and let’s focus on the web application publishing (reverse proxy) approach, which is the purpose of this article.

When you publish an application with IAG, you use a wizard where you can select the application you want to publish. By default, the GUI offers a long list of business applications: all Microsoft products of course (including MOSS, OWA, …) but also non-Microsoft products such as Lotus Notes, SAP, …

pic1

Figure 1 - IAG GUI, add an application

For such “business” applications, it takes 3 seconds to publish through IAG, and then you can leverage all the good security features of the product such as strong HTTP firewalling, workstation inspection, security policies, …

What if the application is not in this list?

When you publish an application that is not in the list, you can use a generic template called “Generic Web App”. For most web applications, this standard template will just work fine. Unfortunately, some of them will fail. The symptoms differ depending on the application: broken links, error messages on the page, … Let’s see why we have this behavior.

Back to the basics: what is a “web” application?

When we say “Web” we quickly have in mind the notion of HTML.

With the HTML language, we tell the browser what to do, such as display text, change the font and size, put text in bold…, but we can also add clickable links to provide access to other pages, etc.

Once this HTML page is rendered by the browser, we have a nice page displayed and understandable by a user. Here is a screenshot taken from Microsoft Expression. You can see the HTML code at the top, and at the bottom the result when it is rendered by the browser:

pic2

Figure 2 - HTML page once rendered by a browser

In this example you have several basic HTML tags, such as the ones used to display text, add pictures, add links, put text in bold or change its color.

What is the challenge?

But that “HTML-only” approach was nice 10 years ago when the internet started to grow. Nowadays technology is different and more complex. We still have HTML that rules the structure of the page, but we have a lot of other technologies injected into this HTML page: JavaScript, Java, Silverlight, etc.

What matters most for the purpose of this article in the previous screenshot is the link to www.microsoft.com. In HTML you create a link by using an HTML tag with an “HREF” attribute.

In a web publishing scenario, every reverse proxy (including IAG) will change the internal URL (for example http://financeApplication.internal.private) into something compatible with the internet (https://financeapplication.company.com), because they are able to understand HTML, and because the HTML structure is predictable. We call this “link translation”.

So when the page goes through the reverse proxy, an internal engine in the Rproxy will “modify” the HTML page, to make it compatible with reverse proxy publishing and update the links from “internal names” to “internet names”. It works perfectly.

But nowadays, the page can contain a lot more than HTML code. It can also contain JavaScript code, and this code can do pretty much anything (in fact, whatever the programmer wants to do with it). More than that, most “JavaScript” developers now base their coding on top of a “JavaScript framework” (here is a page that lists a lot of JavaScript frameworks: http://edevil.wordpress.com/2005/11/14/javascript-libraries-roundup/).

So what is the problem here? Well, in HTML the reverse proxy just has to locate the “HREF” attributes in the page and update the links, but what if the page is generating this link via JavaScript, or, more frequently, what if the code is generating the HTTP GET itself? Here is a fake example of code located in a demo HTML page:

var myvar1 = "http";
var myvar2 = "financeapplication";
var myvar3 = "internal.private";
// request sent to http://financeApplication.internal.private
HTTPget(myvar1 + "://" + myvar2 + "." + myvar3);

 

In this example, the “HTTPget” JavaScript function will generate an HTTP GET on a URL composed of 3 variables and 2 hard-coded strings. The “value” passed to this function will be “http://financeApplication.internal.private”, but it will be “calculated” on the client side once the browser renders this page. This means that the reverse proxy will be blind: it will not be able to analyze this code, simply because it cannot identify it as a link, and so it will not change anything. This code will fail through a reverse proxy.

How to fix that with IAG?

First of all, I have bad news and good news for you.

The bad news is that usually we want computers and software to do “magic” for us, which in our scenario means “fix the problem yourself, Mr Reverse Proxy”. This is the bad news because it is not possible, simply because the source of the problem is the way the developer is coding his page, and this is not “predictable”. A “dumb machine/software” cannot do that if we cannot teach it how.

The good news is that IAG can help you a lot to fix that problem. It will not provide “magic”, but a strong engine that gives you the appropriate tools to make that reverse proxy access work. How?

Step 1 of the solution will be your job, IT people. You will need to capture the HTTP traffic (using products such as HttpWatch or Fiddler) and locate the problem, I mean the URL which contains the code that causes the problem.

Step 2, when you know where it is breaking, you will tell IAG what to search for and what to change in this page when it goes through IAG, in our example the JavaScript. You will update this JavaScript to make this application “reverse proxy publishable” (ugly), which in our example means updating this part of the code:

var myvar1 = "https";
var myvar2 = "financeapplication";
var myvar3 = "company.com";
// before: request sent to http://financeApplication.internal.private
// after: request sent to https://financeApplication.company.com
HTTPget(myvar1 + "://" + myvar2 + "." + myvar3);

 

90% of the job is yours, IT people: the ability to capture, analyze and identify what is breaking. The remaining part is only to tell IAG what to do to fix the problem.

In fact, you will tell IAG’s engine called “ApplicationWrapping/SRA”, via a configuration file (XML), how to fix that: pretty much what to “search” for in the page and what to “replace” it with.
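To make the two halves of the story concrete (generic link translation that catches HREF attributes but not script-built URLs, and the explicit search/replace rule you write after capturing the traffic), here is an added example in plain JavaScript. It is not code from the post or from IAG's AppWrap engine: the translation pass, the rule format and the page body are constructed for illustration, and the host names and the HTTPget() function are the post's fictitious ones.

```javascript
// Added example (not the post's code, not IAG's): a toy reverse-proxy
// "link translation" pass plus an AppWrap-style search/replace rule.
// Host names are the post's fictitious ones; the page is constructed.

const INTERNAL = "http://financeapplication.internal.private";
const EXTERNAL = "https://financeapplication.company.com";

// Generic link translation: rewrite the internal URL wherever it appears
// verbatim in an HREF/SRC/ACTION attribute. This is what a proxy can do on
// its own, because the HTML structure is predictable.
function translateLinks(html, internalUrl, externalUrl) {
  const attr = /\b(href|src|action)=(["'])([^"']*)\2/gi;
  return html.replace(attr, (m, name, q, value) => {
    if (!value.startsWith(internalUrl)) return m;
    return `${name}=${q}${externalUrl}${value.slice(internalUrl.length)}${q}`;
  });
}

// A rule of the kind an administrator writes for the rewriting engine:
// literal text to search for and literal text to replace it with.
function applyRule(body, rule) {
  return body.split(rule.search).join(rule.replace);
}

// Constructed page: one ordinary link and the post's "fake" script.
const PAGE = [
  '<a href="http://financeapplication.internal.private/report">Report</a>',
  "<script>",
  'var myvar1 = "http";',
  'var myvar2 = "financeapplication";',
  'var myvar3 = "internal.private";',
  'HTTPget(myvar1 + "://" + myvar2 + "." + myvar3);',
  "</script>",
].join("\n");

// Rules written after capturing the traffic and spotting the broken script
// (step 1 and step 2 of the text).
const RULES = [
  { search: 'var myvar1 = "http";', replace: 'var myvar1 = "https";' },
  { search: 'var myvar3 = "internal.private";', replace: 'var myvar3 = "company.com";' },
];

// What the script would request once the browser evaluates it: read the
// three string literals back out of the page (no real eval needed).
function requestedUrl(body) {
  const get = (name) =>
    (body.match(new RegExp(`var ${name} = "([^"]*)";`)) || [])[1];
  return `${get("myvar1")}://${get("myvar2")}.${get("myvar3")}`;
}

// Simulated publishing: generic translation first, then explicit rules.
function publish(body, rules) {
  let out = translateLinks(body, INTERNAL, EXTERNAL);
  for (const r of rules) out = applyRule(out, r);
  return out;
}

// Generic translation alone: the HREF is fixed, but the script still
// targets the internal name, so the request breaks behind the proxy.
const genericOnly = publish(PAGE, []);
// With the rules: both the HREF and the script-built URL point outside.
const fixed = publish(PAGE, RULES);
```

The point to take from running it: `requestedUrl(genericOnly)` is still the internal URL even though the HREF was translated, and only the literal rules make `requestedUrl(fixed)` the public one. Rules like these are brittle by design (a new version of the page that renames `myvar3` silently stops matching), so keep the captured traffic that justified each rule next to the configuration.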

How hard is it to fix that?

The problem we are facing (code breaking with a reverse proxy) is in fact pretty challenging for most IT people. The reason is that you can be an expert in networking but not in development, and vice versa, and such a problem requires a bit of experience in both areas.

When you face such a problem, you will need to analyze the traffic in order to understand how the HTTP traffic works (GET, POST, error codes, cookies) and also have some basic notions of development (very basic), just so that you are not afraid of what you see.

The first experience you get with this will be hard, especially if you want to learn everything alone. I would definitely advise you to talk to someone trained to do such things, and to go through a course. Usually after a 1-day training (where we re-introduce HTTP, scripting, how to capture traffic, how to configure IAG) you feel better, and you have discovered the “application layer” world where most of the challenges are nowadays, and where most of the security risks are located (cyber criminality).

Based on my experience, most of the applications that break take a few minutes or hours to get fixed. At the other extreme, some others are very big and complex, and will take days, but they are rare. At the end of the day, do you have a choice? If you don’t fix this, you need to take a “network layer” approach (VPN or VPN/SSL); then security will be lower, and you will not be able to provide access to partners and customers with such an approach.

Keep in mind that most “IAG” certified partners are trained on this and can help to fix the problem, or help you to ramp up on such an approach.

Learn by example

I personally have had to face several applications like that in my day-to-day activity. Every time I can, I provide some feedback on my blog. Go to my blog (http://blogs.technet.com/fesnouf/) and click the “howTo-Filters” tag for examples.

Mobility in the middle of your lifestyle

Lucky me, I work for a company where mobility is truly part of the way we work. When I joined Microsoft, they gave me a “package” of technologies that I use every day. Check this picture:

pic1

·        A laptop: running Windows 7 for 6 months now (I love Win7), strong enough to run virtual machines.

·        A cell phone running Windows 6.5 and a BT headset (I hate fines when I am in my car ;-)

·        A .NET smart card for authentication, also used to sign documents with RMS.

·        A 3G USB key used to reach the internet via 3G networks (cell phone infrastructure) even if there is no Wi-Fi connection around

·        A VoIP headset

·        A conference pod also connected to our VoIP system

On the other side of the virtual wire (the internet) we can access all the Microsoft products that make mobility totally true today, thanks to these technologies:

·        I personally use IAG/UAG a lot to reach all of our internal web applications. My favorite is of course “vacations”, but we have around 200 of them, including Microsoft and non-Microsoft products.

·        RPC over HTTP and OWA for messaging, and soon I will move to the Windows 2008 “Direct Access” technology (Windows 7)

·        Communicator for chat, presence, and also VoIP

·        Live Meeting for presentations, support and audio conferencing

 

With all these features, I can say that as a pre-sales technical person, I can cover 9 countries (last year Central and Eastern Europe, and this year Middle East and Africa), talk to my customers at reduced cost (VoIP), provide remote presentations (Live Meeting), provide remote assistance and implement “Proofs of Concept”, without even having to travel. Last year I only had to travel twice, for IDA events in Poland and Russia; all the other actions were “remote”.

I thought that it could be interesting to share that with you, because such technology seems “sci-fi” when you don’t have it, but becomes really important as soon as you experience all the good things it brings.

This mobility package is definitely linked to my day-to-day activity, as an IT person covering a large region. But it is also important to notice all the good things that mobility in general can bring in other scenarios, for both companies and citizens. Here is a list of a few real-life examples:

·        Ability to work from home if your job is compatible with it; most of the time, partial home working is always possible.

·        Ability to cope with private-life constraints: sick kids, etc…

·        Traffic jams: I am based in Paris, and if I want to be at my office at 9, it takes me 2h30. If I can be there at 11:00 it takes only 40 minutes. So if my agenda allows it, I usually work from home between 8 and 10 (mostly emails, telephone calls, …) and then I jump in my car. With that approach I am more efficient, I lower the costs, and nobody even notices (I mean customers).

·        Weather problems: snow, rain, ice, …

·        And more!

So YES, mobility is a very nice thing for companies, but also for all citizens. Of course it requires a bit of change in management style, but technology-wise it is very mature. The good thing about working at Microsoft is that we have all the products required to provide such a service in our portfolio, and they know how to work together, so my Communicator can talk to my SharePoint (people presence for example), I can organize my Live Meeting in Outlook, etc.

WARNING: As you know, the world is fighting the flu (keywords: ). Some countries are currently fighting it, others expect an acceleration in September or October 2009. One of the good things to prevent your employees from being infected would be to provide them with some of these technologies. Based on my experience, most people have cell phones, but what is missing is the ability to access the company’s applications.

Some companies have already implemented technologies to provide such a service (VPN, VPN/SSL, Terminal Server, etc.), so now it is just a matter of coordination and of your ability to have sufficient internet bandwidth. But still, most companies don’t have such a service, especially small and medium-sized ones.

If you read this post and don’t have such a service, here is my free advice to fix that problem as soon as possible, and be prepared for that major constraint:

·        Implement a mobility box, such as Microsoft IAG:

o   The good thing with IAG is that it is an appliance (preinstalled, pre-hardened). So you rack it, provide an IP, create a portal and 15 minutes later it is up and running. Available as an “Appliance” or a “Virtual Appliance” (your hardware, Hyper-V in the middle).

o   It provides all the technologies you need: VPN/SSL (the easier/quicker way to provide mobility), reverse proxy and port forwarder (stronger in terms of security, slower to implement), … It is not intrusive, and avoids some discussions with network/security people who like to work in project mode.

o   It can (I would say it has to) be easily combined with strong authentication, including the smartest ones such as One Time Password, etc. The cool thing is that the newest technologies do not require hardware tokens, so lower costs and easy to deploy.

·        Make sure that you upgrade your internet line to cope with the traffic: I would recommend changing the bandwidth by September/October/November at the latest if you are in the north (winter arriving, flu likes cold weather)

·        Train/inform your users about how to connect and how to use it: create a flyer, send emails, …

IAG is preinstalled and pre-hardened, and can be implemented either as an appliance (hardware + IAG image preloaded) or as a virtual appliance (your hardware, an IAG virtual machine, both talking to each other via Windows 2008/Hyper-V technology).

pic2

THE VERY NICE THING is that this kind of service can be implemented in less than 2 days, with all security requirements. It is also important to notice that such a “remote access” solution is not that expensive. It has a cost of course, but compared with the service (and the loss you may have if your employees are stuck at home) it is very interesting.

Most of the Microsoft Gold Partners are trained and ready to install such technology quickly… later, once the crisis is over, you will have time to go into a “project” process to leverage such technology, enhance the implementation, implement “application layer security”, etc. All these features are in IAG; you just need time to discover them during a second phase.

If you want more information, ping me and I will route you to the appropriate person depending on where you are located (fesnouf@microsoft.com).

 

Go “mobile” !

GEMALTO (Gemplus / Axalto Merger)

Gemalto's authentication server is called Protiva. It is a global authentication solution which can in particular provide OTP (One Time Password) authentication.

The integration is very simple since the protocol used between IAG and the Protiva server is RADIUS, so we just need to change a few things.

Step 1: In IAG, create a RADIUS repository and also create an AD repository called “ADRepository” (it can be another name)

Step 2: Add an OTP field to IAG’s authentication page

First, we want to add an “OTP” field to the IAG authentication banner. To do so, create a <Trunk><0/1>loginForm.inc in CustomUpdate.

 

Content of this file will be this :

<%
If IsSessionAuthenticated(g_cookie) = false Then
%>
  <TR>
  
         <TD Class="ParamText">OTP :</TD>
         <TD><INPUT Class="ParamTextbox" TYPE="password" ID="j_password" NAME="j_password" maxlength="8" ></TD>
 
  </TR>
<%
Else
End If

%>

As you can see, we add a new “field” called j_password.

 

 

Step 3: Save the password before RADIUS authentication

Before authentication takes place, we “save” the password value in a server session variable. This is because during the IAG/Protiva discussion we use the RADIUS protocol, and RADIUS knows only 2 fields: login and password. It does not know the OTP field. To transport login/password and OTP, we concatenate OTP+password, and send it in the RADIUS “password” field.

 

Prevalidate.inc

<%
session("password1")=password

If IsSessionAuthenticated(g_cookie) = false Then
    password=request("j_password")+password
Else
End If
%>

 

 

Step 4: Ask IAG to also authenticate towards AD

The PostPostValidate event occurs “after” authentication is successful. What we do here is just preload, in memory, the credentials for a repository called “ADRepository”. As you can see, we preload the “user_name” of the user, and also the user password via the variable we created in the “Prevalidate” event.

 

PostPostValidate.inc

<%

AddSessionUser g_cookie,user_name,session("password1"),"ADRepository"

%>

 

 

Step 5: IAG’s URL set

IAG’s firewall will by default refuse any parameter sent to validate.asp (the IAG authentication page) if it is not explicitly specified. Because we added a new “j_password” field, we need to add this new value.

In the IAG console, in the URL set, add this “j_password” parameter for validate.asp.

Activate the configuration with the checkbox, and it will work fine.
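The subtle part of steps 3 and 4 is ordering: the real password must be saved to the session before the RADIUS password field is overwritten with OTP+password, otherwise the AD repository is later preloaded with the wrong value and single sign-on to AD-backed applications fails. The following is an added model of that sequence in plain JavaScript; it is not IAG's code, and the session object, the mock RADIUS and AD checks, and the fixed OTP width are assumptions made for illustration (the 8-character width mirrors the maxlength of the j_password field above).

```javascript
// Added example (not IAG's code, not the post's): a model of the three
// customised events so the ordering can be exercised offline. The session
// object, the mock RADIUS/AD checks and the OTP width are assumptions.

const OTP_LENGTH = 8; // assumed fixed width, same as the j_password maxlength

// Prevalidate.inc: remember the real password, then build the RADIUS
// password field as OTP + password (RADIUS only carries login/password).
function prevalidate(session, form) {
  session.password1 = form.password;              // session("password1")=password
  return { user: form.user, password: form.j_password + form.password };
}

// The same event with the two lines in the wrong order: the session keeps
// the already-concatenated value, which is what AD would then be fed.
function prevalidateWrongOrder(session, form) {
  const combined = form.j_password + form.password;
  session.password1 = combined;
  return { user: form.user, password: combined };
}

// Mock of the RADIUS side (assumption): it takes the fixed-width OTP from
// the front of the password field and verifies it; the remainder is
// whatever the IAG side appended.
function radiusAuthenticate(credentials, expectedOtp) {
  return credentials.password.slice(0, OTP_LENGTH) === expectedOtp;
}

// PostPostValidate.inc: after RADIUS succeeded, preload the AD repository
// with the user name and the password saved earlier.
function postPostValidate(session, userName) {
  session.users = session.users || {};
  // AddSessionUser g_cookie,user_name,session("password1"),"ADRepository"
  session.users.ADRepository = { userName, password: session.password1 };
}

// Mock AD check (assumption): compares against the directory password.
function adAuthenticate(session, directoryPassword) {
  const entry = session.users && session.users.ADRepository;
  return Boolean(entry) && entry.password === directoryPassword;
}

// Run the whole login once, with either prevalidate implementation.
function login(form, expectedOtp, prevalidateImpl = prevalidate) {
  const session = {};
  const radiusCreds = prevalidateImpl(session, form);
  if (!radiusAuthenticate(radiusCreds, expectedOtp)) {
    return { ok: false, session, radiusPasswordField: radiusCreds.password };
  }
  postPostValidate(session, form.user);
  return { ok: true, session, radiusPasswordField: radiusCreds.password };
}
```

Running `login({ user: "alice", password: "S3cret!", j_password: "12345678" }, "12345678")` gives a RADIUS password field of `12345678S3cret!` and an AD repository entry holding `S3cret!`; the `prevalidateWrongOrder` variant passes RADIUS just the same but leaves `12345678S3cret!` in the AD entry, which is exactly the failure the post's step ordering avoids.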

 

 

Optional 1: display Protiva in the list of authentication types

By default, “Protiva server” does not appear in the list of directories, simply because it works on top of RADIUS.

If for any reason (pre-sales, internal reason) you want to have it in the list, you can make this tiny modification.

On IAG, go to C:\Whale-Com\e-Gap\von\conf\CustomUpdate, and create (or modify) repositorytype.xml

Add this description, which means for IAG a new “type” of repository.

<RepositoryTypes>
  <RepositoryType>
    <Type>Gemalto Protiva(Radius)</Type>
    <BaseType>RADIUS</BaseType>
    <Info>
      <GUIType>RADIUS</GUIType>
      <ProtocolType>UDP</ProtocolType>
      <WhaleType>RADIUS</WhaleType>
    </Info>
  </RepositoryType>
</RepositoryTypes>

 

As you can see it is still RADIUS, but “Gemalto Protiva” will appear in the list.

You must exit the IAG console and re-run it after activation (with the checkbox) to see this new repository in the list.

 

Optional 2: SA Server configuration

C:\Program Files\Gemalto\SAServer\AuthenticationServer\webapps\saserver\WEB-INF\classes\authserver.config

Locate this field, which takes one of these two values:

authuser.attr.dsuid=userPrincipalName
authuser.attr.dsuid=sAMAccountName

… and update the value based on your scenario (long or short name).

 

How to debug IAG SP2 KCD

Introduction

Since IAG SP2, Kerberos Constrained Delegation (KCD) is handled at the IAG level (no longer at the ISA level). Even if the KCD logic remains the same, the approach to trace and troubleshoot it is now different. The purpose of this document is to give you the approach and the tools to trace the KCD flow.

 

Tools: we will use 2 ways to deep-trace this:

·        A protocol analyser: I advise you to use Wireshark since Netmon has some limitations tracing Kerberos authentication in HTTP.

·        A registry key to activate logging on the IAG component named “WhlFilter”.

 

Implement KCD

 

KCD has to be configured:

·        On IAG

·        In Active Directory, on IAG’s machine account (authorize delegation, authorize the HTTP application to request delegation, declare the SPNs (applications) authorized for delegation)

·        On the application itself: set the appropriate parameters to support and handle the Kerberos ticket

 

Trace with WhlFilter (introduction)

WhlFilter is the component plugged into IIS. It is the one that acts as the entry point into IAG and does the “reverse proxy” job.

By tracing this discussion, we will see the HTTP traffic going through IAG, and also all kinds of events that may occur. For KCD, we will be able to see HTTP 401 errors, ticket requests, etc.

To activate the WhlFilter logs, please follow this procedure:

    1. On the IAG machine, open regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\von\UrlFilter
    2. Locate the LogFlag value (0 by default, which means no trace at all) and set it to 4 (maximum).

A few seconds later, the WhlFilter component starts to chat, and fills the log.

 

Check this directory to see the log:

C:\Whale-Com\e-Gap\von\conf\WebSites\<trunkname>\logs

You should see a file <month><day>_WhlFilter.log (e.g. 0701_WhlFilter.log). It can take up to 60 seconds to be created (IAG checks the registry key every minute).

Tip: before activating the registry key, save all the logs in this directory elsewhere, and make the directory empty. It is easier to see only the relevant log files.

Here is an example of what you can see in the trace: IAG is trying to get a Kerberos TGS for the user but it fails. In fact the IAG machine is not even in the AD domain, which is mandatory to make KCD work (Kerberos constraint):

 

---------- KERB.TXT

<DATE>06:53:39.845 (tid: 00000698): HTTPAuth::CKerberosHandler::Negotiate - Function starting point (PFC=01182D00) (ExtPFC=072D0D58) (ExtECB=02813DA0)

<DATE>06:53:39.845 (tid: 00000698): HTTPAuth::CKerberosHandler::Negotiate - Migrating conversation state to support Kerberos (PFC=01182D00) (ExtPFC=072D0D58) (ExtECB=02813DA0)

<DATE>06:53:39.845 (tid: 00000698): HTTPAuth::CKerberosHandler::AuthConverse - Trying to acquire credentials for user: [first.second@emea.yourcompany.intra] (PFC=01182D00) (ExtPFC=072D0D58) (ExtECB=02813DA0)

<DATE>06:53:39.845 (tid: 00000698): HTTPAuth::CKerberosHandler::AuthConverse - ERROR: Could not acquire credentials for user: [first.second@emea.yourcompany.intra] - Protocol Transition failed! (PFC=01182D00) (ExtPFC=072D0D58) (ExtECB=02813DA0)

<DATE>06:53:39.845 (tid: 00000698): HTTPAuth::CKerberosHandler::Negotiate - conversation failed, reseting state (PFC=01182D00) (ExtPFC=072D0D58) (ExtECB=02813DA0)

<DATE>07:01:42.942 (tid: 00000AA8): HTTPAuth::CKerberosHandler::Negotiate - Function starting point (PFC=01182AB0) (ExtPFC=072D0AF0) …

 

 

As you can see, all traces about Kerberos contain the “CKerberosHandler” keyword. Once you have the log file, if you want to quickly extract the “Kerberos” relevant lines, you can use the following syntax on the command line: find /I "kerberos" 0701_WhlFilter.log > kerbOnly.txt. This kerbOnly.txt will contain only the lines with this keyword.

  

Example 2: IAG successfully acquired a TGS from the Kerberos Key Distribution Center (KDC), which is a DC in a Microsoft infrastructure. Once it is acquired, IAG sends it to the published application in the Authorization header of the HTTP GET.

 

 

28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CKerberosHandler::Negotiate - Function starting point (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CKerberosHandler::Negotiate - Migrating conversation state to support Kerberos (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CConversationState::Reset: Reseting (basic) conversation state at 03805B10. (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CConversationState::~CConversationState: destroying state at 03805B10

28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CConversationState::Reset: Reseting (basic) conversation state at 03805B10. (PFC=00000000) (ExtPFC=00000000) (ExtECB=00000000)

28/10/2008 17:40:29.961 (tid: 000003C0): CSessionManagerObject::GetSessionParam(A26AA1F8-B74C-411C-8FDC-E8BCB68346B4, 1, CertificateUPN): returned alexandreg@yourOthercompany.com.

28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CUPNExtractor::RetrieveUPN - Updating UPN in SessionContext: [alexandreg@yourOthercompany.com] (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CKerberosHandler::AuthConverse - Trying to acquire credentials for user: [alexandreg@yourOthercompany.com] (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CLSAServerConnection::GetLsaConnectionHandle - Connection to LSA server established successfully.

28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CCredentialsExtractor::S4U2Self - User token retrieved successfully (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CCredentialsExtractor::AcquireCredentailsHandle - Credentials acquired successfully (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CKerberosHandler::AuthConverse - Credentials for user: [alexandreg@yourOthercompany.com] acquired successfully (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CSPNExtractor::RetrieveSPN - Retrieved SPN [HTTP/exactwss.yourOthercompany.com] (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CSSPINegStep::ProcessNegStep - QuerySecurityPackageInfo successful - max token size is 12128 bytes (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CSSPINegStep::ProcessNegStep - InitializeSecurityContext successful (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CSSPINegStep::ProcessNegStep - UUEncoding response BLOB -- 40 bytes long (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CSSPINegStep::ProcessNegStep - Negotiation step complete, need more data: yes (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CKerberosHandler::Negotiate - Building authorization header (PFC=010D8460) (ExtPFC=01891D00) (ExtECB=0262B008)

 

In this example, IAG has the TGS, but it does not mean that it will work. If the application is not supposed to accept Kerberos, or does not accept the TGS, it will fail. The only message you get from a user's perspective is “not authorized”.
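The two excerpts above contain enough structure to be triaged automatically: the thread id, the user whose credentials are being acquired, the SPN retrieved, whether credentials were acquired or protocol transition failed, and whether IAG got as far as building the Authorization header. The following is an added example in JavaScript, not a tool from the post or from IAG, that does what the `find /I "kerberos"` tip does and then summarises each thread's KCD attempt. The sample lines are the post's own two excerpts with the trailing ExtPFC/ExtECB fields trimmed; the message patterns it keys on are the ones visible there, and the verdict wording is mine.

```javascript
// Added example (not the post's code, not an IAG tool): WhlFilter trace
// triage. Sample lines are the post's two excerpts, trimmed.

const SAMPLE_FAILED = `
<DATE>06:53:39.845 (tid: 00000698): HTTPAuth::CKerberosHandler::Negotiate - Function starting point (PFC=01182D00)
<DATE>06:53:39.845 (tid: 00000698): HTTPAuth::CKerberosHandler::AuthConverse - Trying to acquire credentials for user: [first.second@emea.yourcompany.intra] (PFC=01182D00)
<DATE>06:53:39.845 (tid: 00000698): HTTPAuth::CKerberosHandler::AuthConverse - ERROR: Could not acquire credentials for user: [first.second@emea.yourcompany.intra] - Protocol Transition failed! (PFC=01182D00)
<DATE>06:53:39.845 (tid: 00000698): HTTPAuth::CKerberosHandler::Negotiate - conversation failed, reseting state (PFC=01182D00)
`;

const SAMPLE_OK = `
28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CKerberosHandler::Negotiate - Function starting point (PFC=010D8460)
28/10/2008 17:40:29.961 (tid: 000003C0): HTTPAuth::CUPNExtractor::RetrieveUPN - Updating UPN in SessionContext: [alexandreg@yourOthercompany.com] (PFC=010D8460)
28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CCredentialsExtractor::S4U2Self - User token retrieved successfully (PFC=010D8460)
28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CKerberosHandler::AuthConverse - Credentials for user: [alexandreg@yourOthercompany.com] acquired successfully (PFC=010D8460)
28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CSPNExtractor::RetrieveSPN - Retrieved SPN [HTTP/exactwss.yourOthercompany.com] (PFC=010D8460)
28/10/2008 17:40:29.981 (tid: 000003C0): HTTPAuth::CKerberosHandler::Negotiate - Building authorization header (PFC=010D8460)
`;

// Same filter as `find /I "kerberos" <log>`: keep lines mentioning Kerberos.
function kerberosLines(log) {
  return log.split("\n").filter((l) => /kerberos/i.test(l));
}

// Summarise the KCD attempt per thread id (tid), keying on the messages
// that appear in the post's excerpts.
function triageKcd(log) {
  const byTid = {};
  for (const line of log.split("\n")) {
    const tidMatch = line.match(/\(tid: ([0-9A-F]+)\)/);
    if (!tidMatch) continue;
    const tid = tidMatch[1];
    const t = (byTid[tid] = byTid[tid] || {
      tid, user: null, spn: null, credentials: null, authHeaderBuilt: false, errors: [],
    });
    const user = line.match(/for user: \[([^\]]+)\]/);
    if (user) t.user = user[1];
    const spn = line.match(/Retrieved SPN \[([^\]]+)\]/);
    if (spn) t.spn = spn[1];
    if (/acquired successfully/.test(line)) t.credentials = "acquired";
    if (/Could not acquire credentials/.test(line)) {
      t.credentials = "failed";
      t.errors.push(line.replace(/^.*ERROR: /, "").replace(/ \(PFC=.*$/, ""));
    }
    if (/Building authorization header/.test(line)) t.authHeaderBuilt = true;
  }
  // Verdicts follow the post: a built header means the ticket side worked
  // and the application side is next; a failed protocol transition points
  // at IAG's domain membership and the delegation settings in AD.
  return Object.values(byTid).map((t) => ({
    ...t,
    verdict: t.authHeaderBuilt
      ? "TGS obtained, check the application side"
      : t.credentials === "failed"
        ? "protocol transition failed, check IAG domain membership and delegation settings in AD"
        : "no Kerberos outcome in trace",
  }));
}
```

On a real log with several users, grouping by tid keeps interleaved conversations apart, which the `find` one-liner does not do; extend the regexes as you meet other messages in your own traces.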

 

Step by step process

IAG/KCD involves a client, IAG, an application, and also a Kerberos infrastructure.

It is important to understand each step of the transaction, in order to know where to search:

1) The client accesses a web app via IAG. Tool: HttpWatch or Fiddler

2) The Web app answers “401, Negotiate” (it can also accept NTLM depending on the config). Tool: WhlFilter

3) IAG intercepts this 401 error, and checks if SSO is requested on this application (Web Settings tab, “automatically reply to application-specific…” checkbox). Tool: WhlFilter

4) KCD is specified for authentication, and an SPN has also been indicated by the administrator. Tool: IAG configuration console

5) IAG contacts a KDC, and requests a ticket on behalf of the user, for that specific SPN. Tool: protocol analyzer and WhlFilter

6) The KDC generates (or fails to generate) a ticket for this user and this SPN. Tool: network analyzer or WhlFilter

7) IAG receives this ticket, and replies to the application’s 401 error: it resends the HTTP GET (or POST), this time with an “Authorization” header which contains the TGS. Tool: WhlFilter

8) The application receives this TGS, and authenticates the user. Tool: the application itself

What if it “fails”? Depending on the step, the tools and the approach are different.

No TGS requested by IAG

IAG will request a TGS “only” if it receives a 401 error from the Web application, and only if IAG is set to provide SSO.

Make sure that the 401 error contains this “Negotiate” option. If not, check the application configuration: without this trigger IAG will not do the job.

IAG asks for a ticket, but it fails

Trace all the traffic leaving the IAG machine towards the Domain Controllers (they run the Kerberos KDC service).

With the protocol analyzer you can see the REQUEST (REQ) and the RESPONSE. Check the error code in the response; it will tell you what is going on if it fails.

Most of the time, there is a configuration error in the AD for KCD: check the IAG machine account, verify that KCD is authorized, that the application is authorized, and that the SPNs are correctly configured.

The WhlFilter trace is nice here, but by looking at the frames we can clearly see the Kerberos protocol and the error code. Then loop with online information (SDK, articles) that will explain what the error is.

TGS is received, application authentication fails

You need to capture the traffic between IAG and the web application.

With the protocol analyzer, you need to use HTTP to be able to debug this; HTTPS will encrypt the data, so it is impossible to investigate.

Use WhlFilter if it is HTTPS.

Locate all the “HTTP GET” requests. Locate the ones that contain an “Authorization” field in the HTTP header; this is where authentication is located.

With Wireshark, click the + sign, and this will give you the details of the Authorization header. It may contain clear text, NTLM or Kerberos.

We need to see Kerberos there, and we can then see the different pieces of information of the TGS.

Check the name of the user, the SPN, … and make sure that the published application is expecting the same information.

If the TGS is sent correctly but authorization fails, this is an application configuration problem. Make sure that the parameters in the TGS are the ones expected by the application, especially the SPN.

Conclusion

Kerberos is a wide topic and you may encounter other scenarios, but these are the most common ones.

 

How to detect Skyrecon software in IAG

By default, IAG is capable of detecting a wide range of software on the client side. What happens if the software I want to check is not in the list?

I had that constraint with one of my partners, Skyrecon.

Here is the methodology we used:

1) asked the partner to create a VBS that does the checks and displays the result at the end (wscript.echo “XXX”)

2) implement this script in IAG, replacing the “wscript.echo” with “RESULTS”

=> If you are not familiar with how to extend client-side analysis in IAG, check this post: click

Here is the script that we have implemented. WARNING: this script is not supported and is supplied AS IS:

Script Sample

'**********************************************
'** authors
'**         Skyrecon :fbonneville@skyrecon.com
'**         Microsoft :fesnouf@microsoft.com
'**         V1.5 : SUPPLIED AS IS
'**********************************************

Dim isdebug
'Set this variable to True to run the VBS on a workstation with cscript/wscript: results are then printed with "wscript.echo".
'Leave it at False when the script is deployed in IAG: results are then sent back with the Results() function.
isdebug = False

'Vars for IAG
Dim StormShield_running
StormShield_running = False
Dim StormShield_installed
StormShield_installed = False
Dim StormShield_version
StormShield_version = False

If isdebug = True Then
    wscript.echo "IAG/StormShield detection script version 1.5"
End If

'Expected product version, and the two processes that must be running
strVersion = "4.802"
strProcess = "Srservice.exe"
strProcess2 = "Framework.exe"

'Check StormShield registry keys
'===============================
If isdebug = True Then
    wscript.echo "Check StormShield registry keys"
End If

Const HKEY_CLASSES_ROOT = &H80000000
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")

'Retrieve StormShield working dir from the registry
strKeyPath = "CLSID\{57E31333-9DE9-49ad-9B65-9DAE61FBFFE3}\Agent\Service\Process0"
strValueName = "WorkingDir"
oReg.GetStringValue HKEY_CLASSES_ROOT, strKeyPath, strValueName, strWrkDir

If isdebug = True Then
    wscript.echo "Working directory is " & strWrkDir
End If

'The Version_id value is only present when the product is installed
strKeyPath = "CLSID\{57E31333-9DE9-49ad-9B65-9DAE61FBFFE3}"
strValueName = "Version_id"
oReg.GetStringValue HKEY_CLASSES_ROOT, strKeyPath, strValueName, strValue

'GetStringValue leaves strValue Null when the value does not exist
If Not IsNull(strValue) And Len(strValue) > 0 Then
    If isdebug = True Then
        wscript.echo "Registry key exists (" & strValue & ") => StormShield_installed=True, Now check version " & strVersion
    End If
    StormShield_installed = True
Else
    If isdebug = True Then
        wscript.echo "Reg key is missing => StormShield_installed=False"
    End If
    StormShield_installed = False
End If

'Check StormShield version
'=========================
'The version is stored in the first characters of <WorkingDir>\conf\version.sro
Function ReadTextFileTest
    Const ForReading = 1
    Dim fso, f
    ReadTextFileTest = ""
    Set fso = CreateObject("Scripting.FileSystemObject")
    If fso.FileExists(strWrkDir & "\conf\version.sro") Then
        Set f = fso.OpenTextFile(strWrkDir & "\conf\version.sro", ForReading)
        If Not f.AtEndOfStream Then ReadTextFileTest = Trim(f.Read(10))
        f.Close
    End If
End Function

If ReadTextFileTest <> strVersion Then
    If isdebug = True Then
        wscript.echo "Current version is not correct (expected " & strVersion & ") => StormShield_version=False"
    End If
    StormShield_version = False
Else
    If isdebug = True Then
        wscript.echo "Current version is correct (" & strVersion & ") => StormShield_version=True, Now check " & strProcess
    End If
    StormShield_version = True
End If

'Check if StormShield is running
'===============================
'Both processes must be present in the process list
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process Where Name = '" & strProcess & "'")
If colProcesses.Count > 0 Then
    If isdebug = True Then
        wscript.echo strProcess & " is Running, Now check " & strProcess2
    End If
    Set colProcesses = objWMIService.ExecQuery("Select * from Win32_Process Where Name = '" & strProcess2 & "'")
    If colProcesses.Count > 0 Then
        If isdebug = True Then
            wscript.echo strProcess2 & " is Running => StormShield_running=True"
        End If
        StormShield_running = True
    Else
        If isdebug = True Then
            wscript.echo strProcess2 & " is not Running => StormShield_running=False"
        End If
        StormShield_running = False
    End If
Else
    If isdebug = True Then
        wscript.echo strProcess & " is not Running => StormShield_running=False"
    End If
    StormShield_running = False
End If

'Send the results back: on screen in debug mode, to IAG otherwise
If isdebug = True Then
    wscript.echo "Installed = " & StormShield_installed
    wscript.echo "Running = " & StormShield_running
    wscript.echo "Currentversion = " & StormShield_version
Else
    Results("StormShield_installed") = StormShield_installed
    Results("StormShield_running") = StormShield_running
    Results("StormShield_version") = StormShield_version
End If

'<END OF THE SCRIPT>

Comments

As you can see at the end, we simply keep the "wscript.echo" calls written by the developer of the script (Skyrecon) for debug mode only, and use the RESULTS function to send these variables/values back to the IAG server.

Extending client-side analysis (example: Test Registry Key)

IAG is able to inspect your workstation and then, later, per application, verify whether you comply with the security policy.

For example, you want to make sure that only "corporate" machines can access ApplicationA, but everybody (after authentication, of course) can access ApplicationB, etc.

You can go even deeper and specify that, for ApplicationA, download is authorized only if "BitLocker" is installed on the machine.

Workstation analysis and security policy is one of the most important features when talking about "application layer" (versus network layer) security.

But what if you want to test something that IAG cannot check by default? What if you want to test a security software that is not part of the supported applications? No hurry, it takes a minute with IAG.

The procedure below shows you the A to Z procedure to extend IAG. The first "extra check" you add requires a few customizations, but the next ones only take a few seconds, so don't be put off by the things to do the first time.

BASICS

Workstation analysis is initiated by an ActiveX/Java component executed on the client machine. In fact, this client downloads a "Visual Basic Script" file which contains all the functions that generate these more than 200 checks.

So if you want to extend client-side analysis, you just need to create your own VBS and add the appropriate code that gathers the information you need to secure your application.

In the example below, we want to test whether a registry key is present on a machine. This is a frequent request from customers, for example to determine whether it is a corporate machine.

THE SCRIPT (Sample)

On the IAG machine, go to the "/InternalSite/scripts/CustomUpdate" directory. Put your script there (MyScriptName.vbs for example). Here is a demo code:

On Error Resume Next

'You gather the information you want, here a registry key
bExist = Whale.Registry.RegKeyExist(rkHKEY_LOCAL_MACHINE, "SOFTWARE\TestKey")
If Err = 0 And bExist Then
    'The Results command will create a session variable
    Results("IsACorporateMachine") = True
    'This command will add a line in the client-side trace, if tracing is set to true
    Whale.DebugEcho "Key is there, this is a corp machine"
Else
    Results("IsACorporateMachine") = False
    Whale.DebugEcho "Key is NOT there, this is NOT a corp machine"
End If

As you can see, the VBS is pretty standard except:

·        The IAG client-side component exposes some functions via COM. You have an example here with "Whale.Registry.RegKeyExist".

·        "Whale.DebugEcho" is used to generate tracing in the "client-side" log, very important for debug/performance purposes.

·        The "Results" function is in fact the function that sends the result of your analysis back to IAG. It adds a "variable" to the analysis result and also returns the "value" of this variable.

At this level, the script is there but IAG does not know that it has to add it to the global analysis process. We need to change a configuration file to do so.

1)    Go to InternalSite/inc/CustomUpdate

2)    Create a file called <trunk_name><0 for HTTP, 1 for HTTPS>Detect.inc

3)    In this Detect.inc, add this:

<%
g_scriptList.add "/InternalSite/scripts/CustomUpdate/MyScriptName.vbs", "this string does not really matter"
%>

This piece of code just adds your VBS to the global analysis process.

You need to activate the configuration via the IAG console, and do not forget to tick the "checkbox".

At this level, workstation analysis will take place.

Firewall rule

This new "customupdate/myscriptname.vbs" has to be added to the firewall rules, otherwise IAG will block it. Go to the ruleset and add a line for this file.

Display custom variables in the IAG GUI, policy section

The client side is OK now, and workstation analysis will take place.

We still have one thing to change. We want this variable to appear in the IAG console, so you can add it to your security policies.

Create a file named von/conf/CustomUpdate/PolicyTemplate.xml and put this content in it. If you have more than one variable, just duplicate the POLICY XML section. The "NAME" tag is the name displayed in the GUI. The ID is the name you are using in your custom script.

<Policies>
<Policy>
  <Name>This is the name that shows up in the editor</Name>
  <ID>This_is_the_variable_name_you_used_in_the_script</ID>
  <Type>0</Type>
  <Value>DefaultValueGoesHere</Value>
  <Description></Description>
  <Section>Variables\Where\ItShould\Show\Up\In\The\Editor</Section>
</Policy>
</Policies>

Once you have done this, go to the IAG console and activate the configuration with the checkbox. Now, you MUST EXIT the IAG console and re-run it: IAG refreshes the list of variables only when it starts.

What happens if I want to test other things?

As I said in the beginning, the first time you extend IAG there are several things to do.

For the next ones, it is quicker:

1)    Just change the VBS (all your tests MUST be in one single VBS) and use the "RESULTS" function to add more variables to the analysis

2)    Update PolicyTemplate.xml to display those variables in the GUI
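Since the ID in PolicyTemplate.xml must be exactly the name you pass to RESULTS in the VBS, and this has to be kept in sync every time you add a variable, here is a small consistency check. It is an added example, not part of this post and not an IAG tool: the VBS and the XML inside it are constructed samples in the shape described above (with a deliberate mismatch so the report is not empty); point it at your real MyScriptName.vbs and PolicyTemplate.xml before activating the configuration. A variable missing from PolicyTemplate.xml never shows up in the console, and an ID with no Results() behind it stays at its default value in every policy.

```python
"""Cross-check IAG custom detection variables against PolicyTemplate.xml.

Added example (not IAG code): the variable names are taken from the
Results("...") = assignments in the custom VBS and compared with the
<ID> elements of PolicyTemplate.xml.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a custom detection script (same shape as the post's).
SAMPLE_VBS = r'''
On Error Resume Next
bExist = Whale.Registry.RegKeyExist(rkHKEY_LOCAL_MACHINE, "SOFTWARE\TestKey")
If Err = 0 And bExist Then
    Results("IsACorporateMachine") = True
Else
    Results("IsACorporateMachine") = False
End If
Results("StormShield_installed") = StormShield_installed
Results("StormShield_running") = StormShield_running
'''

# Constructed sample PolicyTemplate.xml with a deliberate mismatch:
# StormShield_running is missing and StormShield_version is declared but never set.
SAMPLE_POLICY_XML = """<Policies>
<Policy>
  <Name>Corporate machine</Name>
  <ID>IsACorporateMachine</ID>
  <Type>0</Type>
  <Value>False</Value>
  <Description></Description>
  <Section>Variables\\Custom</Section>
</Policy>
<Policy>
  <Name>StormShield installed</Name>
  <ID>StormShield_installed</ID>
  <Type>0</Type>
  <Value>False</Value>
  <Description></Description>
  <Section>Variables\\Custom</Section>
</Policy>
<Policy>
  <Name>StormShield version OK</Name>
  <ID>StormShield_version</ID>
  <Type>0</Type>
  <Value>False</Value>
  <Description></Description>
  <Section>Variables\\Custom</Section>
</Policy>
</Policies>
"""

# Matches Results("Name") = ... in any capitalisation (the post writes RESULTS too).
RESULTS_CALL = re.compile(r'Results\s*\(\s*"([^"]+)"\s*\)\s*=', re.IGNORECASE)


def script_variables(vbs_text):
    """Return the set of variable names assigned through Results("...") =."""
    names = set()
    for line in vbs_text.splitlines():
        code = line.split("'", 1)[0]  # drop VBScript comments (apostrophes inside strings are not handled)
        names.update(RESULTS_CALL.findall(code))
    return names


def policy_ids(xml_text):
    """Return (IDs declared in PolicyTemplate.xml, list of Policy entries missing Name/ID/Type)."""
    root = ET.fromstring(xml_text)
    ids = set()
    malformed = []
    for policy in root.findall("Policy"):
        pid = (policy.findtext("ID") or "").strip()
        name = (policy.findtext("Name") or "").strip()
        if not pid or not name or policy.find("Type") is None:
            malformed.append(pid or "<no ID>")
            continue
        ids.add(pid)
    return ids, malformed


def cross_check(vbs_text, xml_text):
    """Compare the script's variables with the console IDs and report both directions."""
    in_script = script_variables(vbs_text)
    declared, malformed = policy_ids(xml_text)
    return {
        "not_in_policy_template": sorted(in_script - declared),  # invisible in the IAG console
        "not_in_script": sorted(declared - in_script),           # stay at their default value
        "malformed_policies": malformed,
    }


if __name__ == "__main__":
    for key, value in cross_check(SAMPLE_VBS, SAMPLE_POLICY_XML).items():
        print(key, value)
```

Replace the two sample strings with the contents of your own files; an empty report is what you want to see before you restart the IAG console.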

 

You want to go further?

The best thing to do if you want to go deeper is to check the script that is supplied by default in IAG (and updated every time there is an UPDATE or a SERVICE PACK).

Edit this file: C:\Whale-Com\e-Gap\von\InternalSite\WhaleDetection.vbs

Based on this example you will be able to detect many aspects of the workstation and then secure access to applications and data.

You are all set!

Tracing Client-side

When you connect to IAG for the first time, a "client" (in fact a bunch of sub-components) is installed on the machine (there are other ways to install the client than online install). Later, these components are loaded when needed, when you connect to IAG or load an application that is tagged as "high secure".

For example, one of these sub-components (ActiveX or Java) will analyze the workstation, another one will clean out the cache even if the machine crashes, etc.

But why trace the client side?

Here is a good example from the field: I have had feedback several times from customers or partners that it is very slow to see the IAG login page. This is the case when IAG is used as a mobility gateway, but it is even more frequent when using IAG internally, as a "portal/SSO" system.

Tracing browser HTTP traffic will not help, since the IAG client does not go through the browser to connect to the IAG server, so you are just blind if you use this method.

Activating "client-side" tracing helps to understand what the IAG client-side components are doing, and of course to understand why it is slow. In most cases, problems are due to the infrastructure itself, and most of the time to slow DNS response times or certificate CRL problems. Once you know what the problem is, you just have to fix it and it works just great.

Here is the procedure to activate tracing on the IAG client side (tracing pure "browser" HTTP traffic is done using tools such as HttpWatch or Fiddler).

On the workstation itself (not the server, since we trace the client side), go to: C:\Program Files\Whale Communications\Client Components\3.1.0

Edit the file called Ctrace.XML.

Below you can see an extract of this file; look at the line which contains "IExplore.exe".

Change the values on that "Configuration" line: debugOutput and enabled activate the trace, and outputPath specifies the location of the log files.

<ClientTraces>
   <Configurations>
      <!-- Internet Explorer hosts both Endpoint Detection and Components Manager -->
      <Configuration name="IExplore.exe" debugOutput="true" outputPath="C:\temp\Ctrace" enabled="true">
         <TraceReporter reporter="EndpointDetection" level="xheavy"/>
         <TraceReporter reporter="ComponentsManager" level="xheavy"/>

Of course, in this example you need to create the "c:\temp\ctrace" directory where the log will be generated.

Once finished, save the file and execute CTRACE.EXE, located in the same directory. Running it is what actually activates the trace.

Configuration is finished. Next time you run your browser and connect to IAG, the "client side" of IAG will create a log and dump a lot of things.

What is in this log?

There is in fact a lot of stuff in this file: all the things that the developers wanted to trace.

The method I usually use is to look at the first column (it is a ";"-delimited file). This column is the date/time, so I usually look at the time and PAGE DOWN X times until I see a significant time difference (half a second or more). Then I look at the lines causing this "slow" response time.
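The same "look for a jump in the first column" method, automated. This is an added example and not part of the post or of the IAG client: it takes the ";"-delimited trace, parses the first column as a date/time and reports every step where the next line arrives half a second or more later, attributing the wait to the line that was being processed. The log lines inside are constructed to resemble a slow DNS lookup and a slow CRL download (the two causes named above); the timestamp format and the "reporter" column position are assumptions, so adjust TIME_FORMATS and the column index to the real Ctrace output.

```python
"""Find slow steps in an IAG client-side (Ctrace) log.

Added example, not the post's or IAG's code. Assumptions: the file is
';'-delimited, the first column is the date/time in one of
TIME_FORMATS, and the second column names the trace reporter.
"""
from datetime import datetime

TIME_FORMATS = ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S", "%H:%M:%S.%f")

# Constructed sample, shaped like "time;reporter;level;message".
SAMPLE_LOG = """\
2009-03-12 10:15:01.100;ComponentsManager;info;loading Endpoint Detection component
2009-03-12 10:15:01.250;EndpointDetection;info;running WhaleDetection.vbs
2009-03-12 10:15:01.300;EndpointDetection;info;resolving iag.contoso.example
2009-03-12 10:15:05.420;EndpointDetection;info;resolved iag.contoso.example
2009-03-12 10:15:05.500;ComponentsManager;info;checking certificate chain
2009-03-12 10:15:08.900;ComponentsManager;info;CRL download finished
2009-03-12 10:15:08.950;EndpointDetection;info;analysis complete
"""


def parse_timestamp(text):
    """Parse the first column; None when the line does not start with a time."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt)
        except ValueError:
            continue
    return None


def find_gaps(log_text, threshold_seconds=0.5):
    """Return (gap_seconds, line_before, line_after) for every jump >= threshold.

    The gap is attributed to the line *before* the jump: that is the
    operation the client was waiting on.
    """
    gaps = []
    previous = None  # (timestamp, raw line) of the last line that had a time
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts = parse_timestamp(raw.split(";", 1)[0])
        if ts is None:
            continue  # continuation line or header without a timestamp
        if previous is not None:
            delta = (ts - previous[0]).total_seconds()
            if delta >= threshold_seconds:
                gaps.append((round(delta, 3), previous[1], raw))
        previous = (ts, raw)
    return gaps


def wait_by_reporter(gaps, reporter_column=1):
    """Total waiting time per reporter (the column index is an assumption)."""
    totals = {}
    for delta, before, _after in gaps:
        cols = before.split(";")
        reporter = cols[reporter_column].strip() if len(cols) > reporter_column else "?"
        totals[reporter] = round(totals.get(reporter, 0.0) + delta, 3)
    return totals


if __name__ == "__main__":
    slow = find_gaps(SAMPLE_LOG)
    for delta, before, _after in slow:
        print(f"{delta:6.3f}s after: {before}")
    print("per reporter:", wait_by_reporter(slow))
```

On a real trace, read the file with the encoding the client writes and pass its text to find_gaps; the two lines printed for the sample point straight at the name resolution and the CRL download, which is exactly the kind of infrastructure problem the paragraph above describes.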

 

Good tracing!

 
