Hello Everyone ,
Today we are gonna discuss on How to utilise windows Virtual Smart Card to Authenticate to BIGIP using CLIENT Authentication with LDAP
Prerequisites :
LDAP Server
Microsoft active directory
Security groups created in Microsoft Active directory
Active Directory Certificate services enabled
OCSP Responder service on Microsoft server ( For Demo I was using 2012 server)
TPM ( Trusted platform module enabled on Windows 10 client)
vSmart Card created using tpvscmanager
certmgr.msc
Make the AD ready , Create the OU , Groups , Users and whatever the remote directory required , From my end , I have created the directory structure in the following way
Domain is LDAPS test.com
Create a Domain certificate which we will be using to sign the client certificate using ADCS , The same can be seen from the below article
Creating an OCSP responder on Microsoft server
- Go to server manager --> Roles -->ADCS --->Enable OCSP responder service
- Server will prompt you for restart and accept it
- Go to tools---> Online responder configuration ->Revocation configuration , Select the certificate that can be used to revoke
- Before that , we may need to create the certificate for the OCSP responder , For that Go to MMC.exe ---> ADD/Remove snap in ---> Add certificate templates --> Duplicate the OCSP responder template and create a new template from that
- Go to Advanced properties and enable nonce support which is important for this kind of authentication
- Create a DNS entry for the OCSP from your DNS management and add the A record , I have created the URL ocsp.ldapstest.com and mapped an A record
Now the next step would be enabling the Virtual smart card for Cert authentication
- Go to run and type tpm.exe on the windows client , Check if the tpm is enabled which is a prerequisite for the Virtual smart card to be registered
- Once verified go to command prompt with administrator role and type the following command ( The windows client has to be domain joined)
tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate
- you can see the similar output
- Now smart card token is created
- Now its time to enroll the certificate
- For that go to the AD server --> MMC.exe--> ADD / Remove snap IN --->Certificate templates---> Check for smart card authentication template--->Duplicate the template --->configure the template properties accordinly
- From command line execute gpupdate /force to update the group policy so that the template is seen on the client
- On the windows 10 client which is domain joined Go to run--> Type certmgr.msc ---> go to personal ---> Request new certifcate--> use the smart card logon template to create the cert and a new cert will be created
- This certificate will be used for authentication
BIGIP configuration :
Host is the LDAP server IP or hostname , Port 636 for ldaps communication , Remote directory tree is the directory tree on AD , BInd is the configuration of LDAP bind , SSL enabled for ldaps communication and SSL certifcicate is the root certificate to trust the certificate provided by the LDAP domain
- Login name will be Value picked from the certificate that the LDAP sees for authentication
- Login attribute is the one used by the BIGIP to communicate with LDAP for Microsoft AD it has to be sAMAccountName ( Not Case insensitive )
- Login filter is the regex to identify the value , You can use the same
- Client certificate common name to validate the certificate provided by the client and validate against the Login filter , Here it is common name
- OCSP has to be enabled and the respective OCSP server needs to be mentioned in the. below format
How the process happens ?
- Client request for the IP address or hostname of the BIGIP device
- BIGIP on identifying the Remote authentication type as client cert ldap returns the response to input the certificate just like mentioned below
- After choosing the certificate , we need to input the PIN which is entered during Vsmart card generation
- Then the client certificate will be presented to the BIGIP where BIGIP will be sending the same to the OCSP responder by extracting the serial number and placing it in the OCSP request
- The OCSP responder will then validate the request and the serial number and will be providing the status in the OCSP response , Kindly check below
OCSP request
OCSP Response
- Once the certificate is considered good , The BIGIP extracts the Login attribute section and creates the filter with the login attribute and speaks to LDAP server to validate the credentials
- If the credentials are correct , The user will be prompted with a banner to login
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: nslcd_pam_authz("Users","httpd","","10.144.109.124","")
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: myldap_search(base="DC=ldapstest,DC=com", filter="(&(sAMAccountName=*)(sAMAccountName=*Users*))")
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: ldap_result(): CN=Distributed COM Users,CN=Builtin,DC=ldapstest,DC=com
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: myldap_search(base="DC=ldapstest,DC=com", filter="(&(objectClass=shadowAccount)(uid=Users))")
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local debug httpd[19424]: pam_ldap(httpd:account): nslcd authorisation; user=Users
Jun 6 02:54:08 ltm-ve-autobvt-dut-vmware-manual-1.local info nslcd[19414]: nslcd: [38e6d1] <authz="Users"> DEBUG: ldap_result(): end of results (0 total)
On accepting "ok" BIGIP will be logged in
This is how we will be achieving BIGIP Authentication using Client certificate and LDAP using virtual smart cards
