Configuring Microsoft Active Directory back-end authentication
  • 03 Jan 2025

With Microsoft Active Directory you have two options:

  • If only a single domain controller with one domain is used, the back-end server record can be registered on OneSpan Authentication Server Appliance. This record will be used to retrieve the back-end server during user authentications. For more information, see Single domain with single domain controller.
  • If multiple domains and/or multiple domain controllers are used, back-end server records can be searched for using the Global Catalog server. This requires the Global Catalog server settings to be configured in OneSpan Authentication Server Appliance. For more information, see Multiple domains: Global Catalog server setup.

For more information about the concepts of both setups, refer to the OneSpan Authentication Server Appliance Product Guide.

Enabling Microsoft Active Directory back-end authentication

When back-end authentication against the Active Directory server uses the LDAP protocol, the LDAP back-end server needs to be configured. After setting up SSL on the LDAP back-end server, export a certification authority (CA) certificate.

To export a CA certificate

  1. Launch the Windows Certification Authority application. This is typically launched via Start > Administrative Tools > Certification Authority on most Windows servers.
  2. Right-click a certification authority, and select Properties.
  3. In the Properties dialog, click View Certificate.
  4. In the Certificate dialog, switch to the Details tab, and click Copy to File. The Certificate Export Wizard appears.
  5. In the Certificate Export Wizard, click Next.
  6. Select DER encoded binary X.509 (.CER) and click Next.
  7. Specify the path and name of the CA certificate file and click Next.
  8. Click Finish.

When you have exported the CA certificate, you need to convert it to an ASCII-armored certificate file (usually with a .pem file extension) using openssl, and store it in OneSpan Authentication Server Appliance.

To convert the exported CA certificate

  • Use the following command to convert the CA certificate:

    openssl x509 -inform DER -outform PEM -in certname.cer -out certname.pem

    where certname is the name of the CA certificate.

    The certificate is now converted to the PEM file format and can be imported using the OneSpan Authentication Server Appliance Configuration Tool (see Adding trusted root certification authority (CA) bundles).
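As an added example (not OneSpan's code), the following Python script performs the same DER-to-PEM conversion as the openssl command above, but first checks that the input really is DER: choosing Base-64 encoded X.509 instead of DER in the export wizard produces a file that -inform DER rejects, so the script accepts either encoding. The sample bytes are constructed and are not a real certificate.

```python
import base64
import textwrap

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

def der_outer_length(data: bytes) -> int:
    """Return header+content length of the outer DER SEQUENCE, or raise ValueError."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: an X.509 certificate must start with 0x30")
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid DER length encoding")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def is_der_certificate(data: bytes) -> bool:
    """True when the blob is exactly one well-formed DER SEQUENCE (no truncation, no trailing bytes)."""
    try:
        return der_outer_length(data) == len(data)
    except ValueError:
        return False

def der_to_pem(der: bytes) -> str:
    """Same output as 'openssl x509 -inform DER -outform PEM': base64 body wrapped at 64 columns."""
    if not is_der_certificate(der):
        raise ValueError("input is not DER; re-export with 'DER encoded binary X.509 (.CER)'")
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and decode the body back to DER."""
    lines = [ln.strip() for ln in pem.splitlines()]
    if PEM_HEADER not in lines or PEM_FOOTER not in lines:
        raise ValueError("missing PEM CERTIFICATE armor")
    body = "".join(lines[lines.index(PEM_HEADER) + 1:lines.index(PEM_FOOTER)])
    return base64.b64decode(body, validate=True)

def convert_exported_file(data: bytes) -> str:
    """Accept the wizard's output in either encoding and return PEM ready for import."""
    if data.lstrip().startswith(b"-----BEGIN"):   # Base-64 encoded X.509 was chosen instead of DER
        return der_to_pem(pem_to_der(data.decode("ascii")))
    return der_to_pem(data)

# Constructed sample, not a real certificate: a DER SEQUENCE with a long-form length of 256 bytes.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + b"\x00" * 256
```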

Now you need to enable Microsoft Active Directory back-end authentication and upload the certificate.

To enable Microsoft Active Directory back-end authentication

  1. In the OneSpan Authentication Server Appliance Configuration Tool, navigate to Authentication Server > Authentication Back-Ends.
  2. Select Enabled for the Microsoft Active Directory back-end server.
  3. Select a certification authority (CA) certificate from the AD SSL Certificate list in the Microsoft Active Directory section. The AD SSL Certificate list contains all valid and trusted CA certificates that were imported using the Certificate Management tab.
  4. Click SAVE.

Single domain with single domain controller

A single domain controller setup requires the following configuration:

  • Activating Microsoft back-end authentication in the Configuration Tool.
  • Configuring the DNS server in the Configuration Tool.
  • Adding a Microsoft Active Directory back-end server record in the OneSpan Authentication Server Administration Web Interface.
  • Adjusting the authentication policy settings in the OneSpan Authentication Server Administration Web Interface.
  • Configuring a client record and assigning the policy in the OneSpan Authentication Server Administration Web Interface.

Although it is not mandatory, we recommend using the AD domain controller as the DNS server to avoid issues with the Microsoft SPN implementation. For more information about aspects requiring attention when configuring this setup, see LDAP back-end authentication setup issues.

Additional configuration is needed when OneSpan Authentication Server Appliance cannot connect directly to the IP address of the AD domain controller (for example with NAT). For more information, see Troubleshooting.

To configure the AD domain controller (with the DNS server role) as the DNS server for OneSpan Authentication Server Appliance

  1. Launch the OneSpan Authentication Server Appliance Configuration Tool and enter your credentials (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
  2. Select Settings > Network.
  3. Specify the DNS server(s) configuration settings.

    Figure: Configuring Active Directory domain controllers for OneSpan Authentication Server Appliance

  4. Click SAVE.

To add an Active Directory back-end server record in the OneSpan Authentication Server Administration Web Interface

If Enable SSL is selected, the format for the security principal ID is the DN, e.g.:

cn=Administrator, cn=Users, dc=vasco, dc=com

If Enable SSL is not selected, the format for the security principal ID is the sAMAccountName, e.g. Administrator.

  1. Log on to the OneSpan Authentication Server Administration Web Interface (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
  2. Select BACK-END > Register Active Directory Back-End.
  3. Fill in the necessary fields. Note the following points for the relevant fields:

    • Location: If SSL is enabled, enter the fully qualified domain name (FQDN) or host name of the back-end server. Without SSL, you can also enter the IP address of the back-end server.
    • Entering a value in the Timeout box is mandatory.
    • For more information about these settings, refer to the OneSpan Authentication Server Appliance Administrator Reference.

  4. Click Create.

To adjust the authentication policy settings, follow the same instructions as provided for RADIUS back-end authentication (see Configuring RADIUS back-end authentication), using Microsoft Active Directory instead of RADIUS as the back-end protocol.

To create a client record and assign the policy, follow the same instructions as provided for RADIUS back-end authentication (see Configuring RADIUS back-end authentication).

Multiple domains: Global Catalog server setup

In this setup, multiple domain controllers are present. Instead of creating back-end records for each server, a simpler method is used to configure the Global Catalog server settings in the OneSpan Authentication Server Administration Web Interface. This setup requires the following configuration:

  • Activating Microsoft back-end authentication in the Configuration Tool.
  • Configuring the DNS server in the Configuration Tool.
  • Configuring the Global Catalog server settings.
  • Configuring the authentication policy settings.
  • Configuring a client record and assigning the policy.

When using the Global Catalog server, no back-end server record is required in the OneSpan Authentication Server Administration Web Interface.

For more information about the Global Catalog server setup, refer to the OneSpan Authentication Server Appliance Product Guide, Section "Back-end authentication".

For more information about activating Microsoft Active Directory back-end server authentication in the Configuration Tool, see Enabling Microsoft Active Directory back-end authentication.

For more information about configuring AD domain controllers (with the DNS server role) as DNS servers for OneSpan Authentication Server Appliance in the OneSpan Authentication Server Appliance Configuration Tool, see Single domain with single domain controller.

Although it is not mandatory, we recommend using the AD domain controller as the DNS server to avoid issues with the Microsoft SPN implementation. For more information about aspects requiring attention when configuring this setup, see LDAP back-end authentication setup issues.

The following configuration enables OneSpan Authentication Server Appliance to use information in the Global Catalog server to retrieve the correct domain controller whenever LDAP Active Directory back-end authentication is required. For information about setting up a Global Catalog server, refer to the Microsoft product documentation.

To configure the Global Catalog server on OneSpan Authentication Server Appliance

  1. Log on to the OneSpan Authentication Server Administration Web Interface (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
  2. Select BACK-END > Settings.
  3. Fill in the necessary fields. Note the following points for the corresponding fields:

    • The value of the Global Catalog Location box is the IP address or DNS name of the domain controller acting as the Global Catalog server.
    • The default value of Global Catalog Port is 3268. This value may be adapted to correspond to your setup.
    • Principal ID and Principal Password are credentials with read access to the Global Catalog server.
  4. Click Create.

To adjust the authentication policy settings, follow the same instructions as provided for RADIUS back-end authentication (see Configuring RADIUS back-end authentication), using Microsoft Active Directory instead of RADIUS as the back-end protocol.

To create a client record and assign the policy, follow the same instructions as provided for RADIUS back-end authentication (see Configuring RADIUS back-end authentication).