- 07 Jan 2025
Configuring OneSpan Authentication Server for Active Directory back-end authentication via LDAP
Defining the organizational structure
To configure OneSpan Authentication Server for Active Directory back-end authentication via LDAP, you need to define an organizational structure consisting of domains and organizational units in OneSpan Authentication Server. This is done with the Administration Web Interface via ORGANIZATION > Add domain.
Afterward, define an Active Directory server in the Administration Web Interface via BACK-END > Register Active Directory Back-End. This opens the Create new Microsoft Active Directory Back-End Server page, where you supply the required information.
Configuring SSL for back-end authentication (via Active Directory)
When using Microsoft Active Directory with OneSpan Authentication Server for back-end authentication, the back-end server definition must match the Active Directory configuration: if Active Directory is configured to communicate via SSL, then OneSpan Authentication Server must also be configured to use SSL with Active Directory.
This involves the following steps:
- Generating and exporting the required certification authority (CA) certificate.
- Converting the CA certificate and importing it into OneSpan Authentication Server.
To configure SSL for Active Directory back-end authentication via LDAP and export the enterprise root CA certificate
If not already available, install Certificate Services on the LDAP back-end server.
This is a Windows component, and should be available on your Windows operating system installation media.
Generate an enterprise root CA certificate.
You may need to wait several minutes to allow the domain controllers to enroll for domain controller certificates.
After setting up SSL on the LDAP back-end server, export the CA certificate:
- Start the Windows Certification Authority application (typically via Start > Administrative Tools > Certification Authority).
- Right-click a certification authority (CA) and select Properties from the context menu.
- In the Properties window, click View Certificate.
- In the Certificate window, switch to the Details tab and click Copy to File.
- In the Certificate Export wizard, click Next.
- Select DER encoded binary (.CER) and click Next.
- Specify the path and name of the CA certificate file and click Next.
- Click Finish to export the certificate.
After exporting the certificate, convert and import it to OneSpan Authentication Server, depending on your platform.
To convert a DER-encoded certificate and import it to OneSpan Authentication Server
Convert the binary DER-encoded certificate file (.cer) to an ASCII-armored certificate file (.pem) using the following command:
openssl x509 -inform DER -outform PEM -in certname.cer -out certname.pem
where certname is the name of the self-signed CA certificate.
OneSpan Authentication Server ships with a specific version of the OpenSSL utility. We recommend that you use this version for any procedures involving the openssl command.
By default, this version of OpenSSL is located in %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin on Windows and in /opt/vasco/ias/bin on Linux.
Depending on your platform, do one of the following:
If you are using Ubuntu Server:
Change the extension of the certificate file to .crt and copy it to the CA certificate store:
mv certname.pem certname.crt
cp certname.crt /usr/local/share/ca-certificates
Update the CA certificate store:
update-ca-certificates
If you are using another Linux distribution or Microsoft Windows:
Obtain the hash of the .pem file:
openssl x509 -noout -hash -in certname.pem
Rename certname.pem to hashvalue.0, where hashvalue is the hash value calculated by the openssl command.
For example, if the hash result is 54321, the file name would be 54321.0.
Copy the renamed certificate file (hashvalue.0) to the following location, depending on the platform:
- /etc/ssl/certs (Linux)
- %PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\certs (Windows, default)
- On Linux, ensure that the run user of OneSpan Authentication Server can access the certificate file. If required, change access rights and/or file ownership with the chmod and chown commands.
Restart the OneSpan Authentication Server service (Windows) or daemon (Linux).
The new certificate files are read only when the service/daemon starts.
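The non-Ubuntu path above (DER to PEM, hash, rename to hashvalue.0, copy into the store), as an added shell example that is not OneSpan's own tooling. It assumes openssl is in PATH, takes the target store directory as a parameter instead of the product paths listed above, and generates a constructed throwaway CA in place of the exported enterprise root CA.

```shell
#!/bin/sh
# Added example, not OneSpan's own tooling: carries out the non-Ubuntu path of
# the page (DER -> PEM, hash, rename to <hash>.0, copy into the certificate
# store) with openssl. The target store directory is a parameter here; on a
# real install it would be /etc/ssl/certs or the product's certs folder.
set -eu

# install_ca_der <certname.cer> <cert_dir>
# Converts a DER CA certificate, installs it as <subject-hash>.N in cert_dir
# and prints the installed path.
install_ca_der() {
    der="$1"; dir="$2"
    mkdir -p "$dir"
    pem="${der%.cer}.pem"
    # DER (.cer) -> ASCII PEM, the same command the page gives
    openssl x509 -inform DER -outform PEM -in "$der" -out "$pem"
    # subject hash that the store lookup (CApath) keys on
    hash=$(openssl x509 -noout -hash -in "$pem")
    # <hash>.0 as on the page; if a *different* CA already owns .0 (same
    # subject, different key), OpenSSL also consults .1, .2, ... so step to
    # the next free slot instead of overwriting it
    n=0
    while [ -e "$dir/$hash.$n" ] && ! cmp -s "$pem" "$dir/$hash.$n"; do
        n=$((n + 1))
    done
    cp "$pem" "$dir/$hash.$n"
    # readable by the server's run user (the page's chmod/chown note);
    # the server only reads it on the next restart
    chmod 644 "$dir/$hash.$n"
    echo "$dir/$hash.$n"
}

# verify_with_store <cert_dir> <cert.pem>: succeeds only if the store trusts it
verify_with_store() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# make_test_ca <dir>: constructed sample CA standing in for the exported
# enterprise root CA; prints the DER (.cer) path
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Enterprise Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl x509 -in "$1/ca.pem" -outform DER -out "$1/ca.cer"
    echo "$1/ca.cer"
}
```

Before restarting the service, you can confirm that the store now validates the domain controller's certificate with `openssl s_client -connect <dc-host>:636 -CApath <cert_dir>` and checking for `Verify return code: 0 (ok)` in the output.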
Enabling nested groups for Windows group check
OneSpan Authentication Server supports the concept of nested groups for Windows group checks in the context of Active Directory. This method of grouping allows for a simplified administration of domain trees. For more information about nested groups, refer to the Microsoft documentation.
To enable nested groups for Windows group check
- Open the Administration Web Interface.
- Navigate to POLICIES > List.
- Select the respective policy.
- Navigate to the User tab and click EDIT.
- Set Nested Groups to Yes.
Enabling nested groups can cause performance issues in OneSpan Authentication Server in the following cases:
- There are too many groups in one domain.
- Active Directory is not optimally configured. For more information, refer to the Microsoft documentation.
Nested groups are disabled (No) by default. The value is inherited from the Base Policy policy.
When upgrading to a newer version of OneSpan Authentication Server, the administrator must re-add local domain groups.