Password Power 8.5
Solution Overview | Confidential © 2009 PistolStar, Inc.
Solution Overview
Confidential | © Copyright 2009 PistolStar, Inc.
Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this Presentation is strictly prohibited without explicit written approval from PistolStar, Inc.
Authentication Technologies for the Enterprise
Presented by: Rob Axelrod, Technotics, Inc.
“Best Practices: Authentication Technologies That Address Usability, Security, Auditing and Compliance”
Introductions
Who is Technotics?
Technotics can help to reduce the demands made on corporate information technology systems by delivering world-class architecture and solutions support. They provide professional services for all aspects of collaboration and messaging infrastructure in the enterprise.
Who is PistolStar?
PistolStar specializes in authentication technologies, providing software products that address organizations’ requirements for enhanced usability, security, auditing and compliance. Our solutions simplify application logons while providing IT staff with functionality to safeguard access, alert on login threats, reduce password management and provide strong controls for regulatory compliance.
Introductions (continued)
Why do these two companies work together?
Enhanced authentication solutions are often at the top of Technotics customers’ wish lists. The two organizations have teamed up to deliver high-value solutions to our mutual customers.
What will be covered today?
This seminar addresses usability, security, and compliance in a real-world business context in the form of case studies.
About PistolStar
Founded in 1999 as a consulting company
Authority in Authentication Technologies
Reactive to customer driven requirements
More than 475 customers worldwide
Dreaming of One Set of Credentials
The ideal end state for an organization:
For a user to log into Active Directory and once authenticated there, all underlying systems/applications would accept the user’s AD credentials.
A seamless solution that requires:
No changes to Active Directory or other systems’ directories.
No proprietary directories or credential stores.
No proprietary servers/appliances and no single point of failure.
Dreaming of One Set of Credentials (continued)
A checklist for simplified application access:
Authenticate users against Active Directory
One password for the user to remember
Uniform AD password policies for compliance
Reduce Help Desk calls
Achieve Single or Reduced Sign-On
Stronger Authentication
Seamless real-time access after a forgotten password
Matrix for Authentication Technologies

Products/Applications   Authentication Protocols   Platforms             Benefits
Notes                   Kerberos                   AIX                   Security
Sametime                NTLM                       Windows (32/64 bit)   Compliance
Domino                  LDAP                       Linux                 Usability
Quickr                  Smartcards                 System i (AS/400)     Audit
SharePoint              CAC cards (X.509)          Solaris
WebSphere Portal        Passwords
Apache
Wiki
Customer #1 – European Military Organization
Challenge:
Easier way to recover the Notes ID password to limit support costs.
Streamline the process of distributing Notes IDs for workstation setup.
– Initial ID distribution had to be secure as well as easy and efficient.
Customer #1: Military Customer (supported by IBM)
Solution: Store the user’s Notes ID in a (Domino) LDAP server and pull the ID out of that store during client setup. Use PistolStar’s SSO feature and keep a "stealth"/recovery copy of the user’s Notes ID, so that if the user no longer has his/her password, the ID can be restored automatically without the user being aware of it.
Process #1:
Process #1: (continued)
Process #2:
Process #2: (continued)
Customer #2 – Manufacturing Customer
Challenge:
Smartcard access to the Notes client via SSO.
Removing the Domino HTTP password from person documents to satisfy security and audit requirements and to minimize administration of passwords in multiple locations.
Leverage AD for application access to Lotus assets.
SSO for Domino web applications using native Microsoft Kerberos functionality in the browser.
SSO access to Sametime using Kerberos.
Customer #2: Manufacturing Customer – Solution: Smart Cards
The organization already had a large investment in multi-factor authentication using smart cards to authenticate to Active Directory. This allowed PistolStar to leverage this infrastructure to provide password-free strong authentication to the Notes client.
– Kerberos authentication with the OS at logon
– Notes ID present on the workstation with a 62-character generated unique password unknown to the user
– PistolStar utilizes the Kerberos connection to access AD attributes to establish identity and unlock the local ID
Customer #2: Manufacturing Customer – Solution: Sametime/Domino
Leveraging the Eclipse framework, PistolStar provisions an authentication plug-in into the Sametime client. This utilizes the Kerberos ticket to negotiate with the custom authentication interface on the Sametime server.
– Provides password-free authentication with Sametime
Utilizing PistolStar’s DSAPI filter, HTTP requests for authentication are negotiated to use the Kerberos protocol with the browser client.
Customer #3: Military Customer
The customer’s Sametime environment has approximately 75,000 users.
The project is to tie the Sametime log-in to their AD account to fully automate the log-in process and eliminate all prompts by letting the user log in with their smart card. The directory that Sametime authenticates against is a pass-through authentication through a Tivoli LDAP server to a universal directory that contains records for all user accounts.
The challenge will be that there is no one definitive AD tree in the organization, but rather a plethora of different ones. The goal is to have all log-ins (web and other programs) tied into the smart card.
Case Study #4: Insurance Customer (Hibernian Group)
Two key requirements for the Domino-based portal:
Use AD passwords to log in to Domino
Reduce help desk calls by allowing self-service Active Directory password resets via HTTPS
Case Study #4: Insurance Customer (Hibernian Group)
Solution Description
– Implement the existing product Web Set Password with enhancements (later rolled into the core product)
– Enable WSP to communicate via LDAP in addition to native Domino in real time
– Configure challenge-response questions for user self-service
– Set up back-end agents to manage user accounts on AD utilizing LDAP
Case Study #5: Health Care Customer (Copenhagen Trial Unit)
Goal:
1. Log failed logon attempts to Lotus Notes (record each strike)
2. Lock out the Lotus Notes user after 3 failed attempts to enter their password correctly – a locked-out user will be required to call the Help Desk
3. Password recovery – a forgotten password will require a call to the Help Desk
Technical Overview:
The Notes authentication event is intercepted by the PistolStar extension and the credentials are redirected to a Domino web agent for authentication against the HTTP password.
Each attempt (successful or failed) is logged on the server in a Notes database.
Once a user has been successfully authenticated, encrypted attributes are pulled back from the Domino server via HTTP.
The Notes ID is then unlocked using these encrypted attributes. Subsequent to this, the user never needs to interact directly with the Notes ID file (in fact they can’t interact with it even if they want to).
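The flow just described, as a constructed Python model added here (not PistolStar's code): the gateway checks the forwarded credentials against a stored HTTP-password digest, logs every attempt, counts strikes, locks the user after three failures and releases the ID-unlock attributes only on success. Class and method names are assumptions, and PBKDF2 stands in for however Domino actually stores the HTTP password.

```python
import hashlib
import hmac
import os
import time

MAX_STRIKES = 3  # the slide's threshold: lock the user after 3 failed attempts


class NotesLogonGateway:
    """Constructed stand-in for the Domino web agent plus its audit database."""

    def __init__(self):
        self._http_pw = {}      # user -> (salt, digest): the person document's HTTP password
        self._unlock_attr = {}  # user -> bytes: encrypted attributes that unlock the Notes ID
        self._strikes = {}      # user -> consecutive failed attempts
        self._locked = set()
        self.audit_log = []     # every attempt lands here, success or failure

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password, unlock_attr):
        salt = os.urandom(16)
        self._http_pw[user] = (salt, self._digest(salt, password))
        self._unlock_attr[user] = unlock_attr

    def _log(self, user, outcome):
        self.audit_log.append({"ts": time.time(), "user": user, "outcome": outcome})

    def authenticate(self, user, password):
        """Return the ID-unlock attributes on success, None on any failure."""
        if user in self._locked:
            self._log(user, "rejected-locked")  # only the Help Desk can clear this
            return None
        rec = self._http_pw.get(user)
        ok = rec is not None and hmac.compare_digest(self._digest(rec[0], password), rec[1])
        if not ok:
            self._strikes[user] = self._strikes.get(user, 0) + 1
            if self._strikes[user] >= MAX_STRIKES:
                self._locked.add(user)
                self._log(user, "locked")
            else:
                self._log(user, "failed")
            return None
        self._strikes[user] = 0  # a success resets the strike count
        self._log(user, "success")
        return self._unlock_attr[user]

    def is_locked(self, user):
        return user in self._locked

    def help_desk_unlock(self, user):
        """Manual reset by the Help Desk, the slide's only recovery path."""
        self._locked.discard(user)
        self._strikes[user] = 0
        self._log(user, "helpdesk-unlock")
```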
Requirements:
- The PistolStar Plug-In needs to be installed and registered within each user’s Lotus Notes client.
- Domino LDAP service must be enabled on the server.
- Create a mail-in database on the Domino server running the Router. Optionally, replicate the Audit Log emails to the Domino Application server.
(Diagram labels: Notes ID lockout, LDAP)
Case Study #6: Technology Customer (QAD)
Domino_ATG SSO Project:
Use a Perl approach for creating our SSO cookies. It would only require slight changes on your Apache server and would be a browser-independent solution for SSO to Domino after authenticating to Apache. The process will be completely transparent to end users, and they will not need to install any client-side software.
Description:
Apache is the primary interface for authentication.
Authentication occurs against an LDAP server.
If required, the PistolStar Perl script will generate a PistolStar SSO token, which will then be encrypted and passed to the user as a session cookie.
Any subsequent requests by that user to a Domino server use the PistolStar cookie/token, which will be interpreted by the PistolStar DSAPI filter.
Assumptions:
- The Apache server and all customer-facing Domino servers are part of the "qad.com" domain and referenced as such in the browser
- The Apache server is running on Linux on x86 hardware
- Client browsers must have cookies enabled
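An added Python sketch, not PistolStar's Perl script or DSAPI filter, of what the issuing and verifying sides of such a session cookie need to agree on: the token carries the LDAP-authenticated user and an expiry, is HMAC-protected so the Domino side can reject tampering, and the cookie is scoped to the shared qad.com domain with Secure and HttpOnly set. Token format, cookie name, TTL and key are assumptions; it signs rather than encrypts because an identity-plus-expiry payload needs integrity rather than secrecy (a token that carries credentials, as the Wiki step below does, needs authenticated encryption as well).

```python
import base64
import hashlib
import hmac
import json
import time

COOKIE_NAME = "PSToken"    # assumed cookie name
COOKIE_DOMAIN = "qad.com"  # slide: Apache and Domino servers share this domain
TOKEN_TTL = 8 * 3600       # assumed 8-hour session lifetime


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key, user, now=None):
    """Apache side, after a successful LDAP bind: build '<claims>.<mac>'."""
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    body = _b64e(json.dumps({"u": user, "e": exp}, separators=(",", ":")).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(mac)}"


def verify_token(key, token, now=None):
    """Domino DSAPI side: return the user name, or None for a bad or expired token."""
    try:
        body, mac_text = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(mac_text), expected):
            return None                      # tampered claims or wrong key
        claims = json.loads(_b64d(body))     # parse only after the MAC checks out
    except ValueError:                       # covers base64 and JSON decode errors
        return None
    now = now if now is not None else time.time()
    if claims.get("e", 0) <= now:
        return None                          # expired: force a fresh Apache logon
    return claims.get("u")


def set_cookie_header(token):
    """Header the Apache script would emit; Domain= lets every qad.com host see it."""
    return (f"Set-Cookie: {COOKIE_NAME}={token}; Domain={COOKIE_DOMAIN}; "
            "Path=/; Secure; HttpOnly")
```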
Case Study #6: Technology Customer (QAD)
Project Description – Wiki SSO
In addition to the Apache and Domino SSO requirements, the customer had also implemented a Wiki (Daisy) for which they required single sign-on.
Solution Description:
Using the existing token generated by the initial logon and script, a modification was made to the Daisy logon form to detect the presence of the token.
If the token was present, a Perl script would be called to decrypt the credentials, populate the login fields and submit the form.
Requirements:
- Daisy will be configured to authenticate against Active Directory.
- All users' Active Directory usernames & passwords will be kept in sync with Domino LDAP.
- The code changes will only be supported on the "login.xsl" page.
- The Daisy URL requested by the user is accessible via JavaScript from the "login.xsl" page.
- Daisy's error page should be customized by QAD to redirect to the "login.xsl" page for streamlined SSO and an optimal user experience.
PistolStar Tailored Solutions
Tailoring solutions using PistolStar’s existing framework
PistolStar’s software suite is a tried-and-tested framework that will deliver the most effective security and compliance solutions for your particular organization. With an extensive set of technical capabilities across a wide range of platforms, PistolStar security experts enable you to build a comprehensive security and compliance infrastructure that is tailored to your authentication requirements and your particular environment.
(Diagram labels: Business Processes, Enterprise-ready, Define, Framework, Solution delivery)
Features Lotus Provides
What about features Lotus provides in their releases?
- Not enterprise ready
- Features for the masses
- A checkbox
Final Q & A
For more information, see
PistolStar at booth #433