
Pulse Connect Secure Configure Certificate Based ActiveSync with Kerberos Constrained Delegation: How-To Guide

Published Date: March, 2017

Document Revision: 1.0


Configure Certificate Based ActiveSync with Kerberos Constrained Delegation: How-To Guide

© 2017 by Pulse Secure, LLC. All rights reserved 2

Pulse Secure, LLC

2700 Zanker Road, Suite 200

San Jose, CA 95134

http://www.pulsesecure.net

Pulse Secure assumes no responsibility for any inaccuracies in this document. Pulse Secure reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Pulse Secure or components thereof might be covered by one or more of the following patents that are owned by or licensed to Pulse Secure: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Configure Certificate Based ActiveSync with Kerberos Constrained Delegation: How-To Guide

Copyright © 2017, Pulse Secure, LLC. All rights reserved.

Printed in USA.


Contents

Overview
Configuration Details
Setting up Constrained Delegation in Active Directory Server
    Create a Kerberos Constrained Delegation User account
    Enable Delegation for the Created user account
Setting up IIS Server for KCD
Setting up Pulse Connect Secure for Constrained Delegation
    Web SSO General Configuration
    Set up Constrained Delegation
    Setting up Client Certificate Authentication
    Certificate Enforcement Configuration
    Authorization Only access URL Configuration
Troubleshooting
    Successful ActiveSync Connection Using Constrained Delegation
    Synchronizing System Times
    Check the KCD User Account
    Check the Server Name
    User account is Disabled
    Certificate CN Name and User Name Mismatch
    Invalid KCD Service List
    User Account not Delegated


Overview

Authorization-only access is similar to a reverse proxy. Typically, a reverse proxy is a proxy server that is installed in front of web servers. All connections coming from the Internet addressed to one of the web servers are routed through the proxy server, which may either deal with the request itself or pass the request wholly or partially to the main web server.

With the ability to check for valid client-side certificates, the IVE is not only acting as a reverse proxy to the desired resource but also ensuring that access to these resources is granted only if the user has a valid client certificate issued by an IVE trusted client CA.

Constrained delegation: the constrained delegation extension allows a service to obtain service tickets (under the delegated user's identity) to a subset of other services after it has been presented with a service ticket that is obtained either through the TGS_REQ protocol, as defined in IETF RFC 1510, or through the protocol transition extension.


Configuration Details

• Setting up Constrained Delegation in Active Directory Server

• Setting up Pulse Connect Secure for Constrained Delegation

• Troubleshooting


Setting up Constrained Delegation in Active Directory Server

This section outlines how to set up Kerberos Constrained Delegation with the Pulse Secure Access product. This involves setting up an account in the Active Directory, setting up the server hosting the services and finally configuring the Pulse Secure Access appliance.

• Create a Kerberos Constrained Delegation User account

• Enable Delegation for the Created user account

Create a Kerberos Constrained Delegation User account

In order to get Constrained Delegation to work, a user account has to be created. This account must have the rights to do the protocol transition and delegation. Essentially, this is the account that has the rights to request a Kerberos ticket on behalf of a user signing in to the Pulse Connect Secure.

1. Start by creating a new user in the Active Directory.

2. In this example, kcduser1 is created as the account that provides Constrained Delegation access to the Exchange ActiveSync Server.


Enable Delegation for the Created user account

Delegation is not enabled by default for a user account and needs to be enabled. This involves the use of SETSPN from the command line.

1. Use the command: setspn -A HTTP/kcduser1 exchsrv2016\kcduser1

NOTE: In this example exchsrv2016 is the domain and kcduser1 is the user account we just created.


2. This will enable the Delegation tab in the “KCDUser1” properties.


3. Add the Services.


4. Since this is “constrained” delegation, there is a need to specify the “Services” this applies to. Select “Add”.

5. Use the Users or Computers button to select the computer hosting these services.


6. In this example the Exchange ActiveSync Server (EAS) service is hosted on a different server from the AD, so WIN2K12R2 is selected. This could have been any other server in the domain, though.


7. Now review the settings and Apply / OK these settings.

You are now finished setting up the Active Directory part of the configuration.
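The following script is an added verification aid and is not part of the Pulse Secure guide. It re-checks the Active Directory side of the steps above with the ActiveDirectory (RSAT) module, using the guide's example names as assumptions: kcduser1 for the KCD account, win2k12r2.exchsrv2016.com for the EAS host, and qauser (from the Troubleshooting logs) as a representative end user.

```powershell
# Added verification script; not part of the Pulse Secure guide.
# Assumes the ActiveDirectory (RSAT) module and the DnsClient module, and the
# guide's example names given as defaults below. Run as a domain user that can
# read these attributes.
param(
    [string]$KcdAccount = 'kcduser1',
    [string]$EasHost    = 'win2k12r2.exchsrv2016.com',
    [string]$EndUser    = 'qauser'
)
Import-Module ActiveDirectory

$findings    = New-Object System.Collections.Generic.List[string]
$expectedSpn = "HTTP/$EasHost"

$kcdProps = 'ServicePrincipalNames', 'msDS-AllowedToDelegateTo',
            'TrustedToAuthForDelegation', 'TrustedForDelegation'
$kcd = Get-ADUser -Identity $KcdAccount -Properties $kcdProps

# Without an SPN the Delegation tab never appears in ADUC (step 1, setspn -A ...).
if (-not ($kcd.ServicePrincipalNames -match '^HTTP/')) {
    $findings.Add("No HTTP/ SPN registered on $KcdAccount; re-run the setspn step.")
}

# The user reaches PCS with a certificate, not a Kerberos ticket, so the KCD
# account needs protocol transition ("Use any authentication protocol").
if (-not $kcd.TrustedToAuthForDelegation) {
    $findings.Add("Protocol transition is not enabled on $KcdAccount.")
}

# Unconstrained delegation would defeat the purpose of a constrained setup.
if ($kcd.TrustedForDelegation) {
    $findings.Add("$KcdAccount is trusted for unconstrained delegation; constrain it to $expectedSpn.")
}

# The delegation list must name the EAS host's HTTP service (steps 3-6);
# otherwise PCS logs "Constrained Delegation host mismatch".
$allowed = @($kcd.'msDS-AllowedToDelegateTo')
if ($allowed -notcontains $expectedSpn) {
    $findings.Add("Delegation list on $KcdAccount lacks $expectedSpn (has: $($allowed -join ', ')).")
}

# End-user checks that correspond to two Troubleshooting entries: a disabled
# account yields "Clients credentials have been revoked"; "Account is sensitive
# and cannot be delegated" yields "KDC can't fulfill requested option".
$user = Get-ADUser -Identity $EndUser -Properties AccountNotDelegated
if (-not $user.Enabled) {
    $findings.Add("End user $EndUser is disabled.")
}
if ($user.AccountNotDelegated) {
    $findings.Add("End user $EndUser is marked 'Account is sensitive and cannot be delegated'.")
}

# The service host must resolve in DNS (the guide also has you test this with
# the PCS NSLookup tool).
try   { $null = Resolve-DnsName -Name $EasHost -ErrorAction Stop }
catch { $findings.Add("$EasHost does not resolve in DNS.") }

if ($findings.Count -eq 0) {
    Write-Output "KCD prerequisites look correct: $KcdAccount -> $expectedSpn"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```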


Setting up IIS Server for KCD

In order to get Constrained Delegation to work, Windows Integrated Authentication has to be enabled in Internet Information Server (IIS) Manager on the server where the Exchange ActiveSync Server (EAS) is installed.

1. Access Internet Information Server (IIS) Manager -> Computer Name -> Sites -> Default Web Site -> Microsoft-Server-ActiveSync -> Authentication.

2. Enable “Windows Authentication” and “Basic Authentication”.


3. Select Providers for Windows Authentication and make sure “Negotiate” is allowed.


4. Access Internet Information Server (IIS) Manager -> Computer Name -> Sites -> Exchange Back End -> Microsoft-Server-ActiveSync -> Authentication.


5. Enable “Windows Authentication” and “Basic Authentication”.


Setting up Pulse Connect Secure for Constrained Delegation

• Web SSO General Configuration

• Set up Constrained Delegation

• Setting up Client Certificate Authentication

• Certificate Enforcement Configuration

• Authorization Only access URL Configuration

This section covers the steps required to enable Constrained Delegation to the previously defined application, Exchange ActiveSync Server (EAS), for any user connecting via the Pulse Connect Secure.

Web SSO General Configuration

1. Start by setting up Users > Resource Policies > Web > General.

Enable Kerberos SSO and add a Realm Definition. The Realm referred to is the Kerberos realm. This is normally the same as the DNS domain; in this example, EXCHSRV2016.COM.

The Site Name field only applies, and can only be used, if your Active Directory is set up with Sites. An Active Directory site object represents a collection of Internet Protocol (IP) subnets, usually constituting a physical Local Area Network (LAN). Multiple sites are connected for replication by site link objects. Sites are used in Active Directory to enable clients to discover network resources (printers, published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over Wide Area Network (WAN) links, as well as to optimize replication between domain controllers. This is also true for Kerberos, so this field allows you to define the specific site name in which to discover the KDC. For each Kerberos realm, there can be only one site defined in the Pulse SA. In other words, it is not possible to have two entries for the same Kerberos realm with different site names. The site name should be the site that this Pulse SA resides in: if the box is deployed in Paris, the site name should be the site name of Paris, and so on.

The purpose of the Kerberos pattern list is to match hosts with realms when they are in “disjoint namespaces”, that is, when the DNS domain name of a host is not a Kerberos realm.

Finally, the KDC field. Here you can define the KDC, normally the same as the Active Directory server, but this is optional, since the SA will look up the service and find the KDC for the realm and site (if defined) by using LDAP to the Active Directory.


Set up Constrained Delegation

1. The next step is to set up the Constrained Delegation. The first thing needed is to create the Service List. This is done by uploading a text file with the servers listed. Open up Notepad or a similar program and create a file with the server name(s).

2. Select Edit.

3. Select New Service List.

4. Select the text file you just created. After the file is uploaded you can select OK and close the Services List dialogue.


Now the Constrained Delegation can be completed.

5. Start by setting a Label. Next, pick the Realm in the drop-down box. This will be one of the Realms defined in the previous step, so in this example EXCHSRV2016.COM. Define the Principal Account and Password. This is the account you created for Constrained Delegation in the Active Directory earlier in this guide. Make sure you type the password exactly as defined in the AD.

6. Finally, select the Service List defined previously.

Setting up Client Certificate Authentication

1. Go to Configuration -> Certificates -> Trusted Client CAs and import the client CA certificate which has issued the end user client certificates.


2. Go to the role that will be mapped to the sign-in policy (e.g. the Users role). Navigate to Users -> General -> Restrictions -> Certificate.

Note: The above step is critical for certificate enforcement; without it, unexpected behaviors may be seen.

3. Select the option “Only allow users with a client-side certificate….” as shown in the screenshot above. Save changes.

Certificate Enforcement Configuration

1. On the PCS go to Configuration -> Security -> SSL Options. Scroll down to the setting “Require client certificate on these ports”.

2. Select the port to which this setting is to be applied.


In our example we have selected an external virtual port (e.g. ExtVirtualPort). Save changes.

Note: We have not selected the option “Enable client certificate on the external port”. This means that if an access request to the URL arrives on the external port, the request will be declined by the PCS device. The PCS device will only accept traffic to the URL (https://activesynctest.com) on the external virtual port.

In the above example, ensure that https://activesynctest.com resolves to the external virtual port IP address of the SA device.

Authorization Only access URL Configuration

1. Create a new authorization-only sign-in policy.

2. Provide a virtual host name (e.g. activesynctest.com) that end users will use in order to access the protected (authorization-only) URL.

3. Enter the backend resource URL (e.g. https://outlook.lab.net); select a role that will be applied to users who use this access mechanism. Save changes.

4. Enable the “Allow ActiveSync Traffic Only” option to configure the KCD label.

Note: The ActiveSync with KCD feature can be enabled only when “Allow ActiveSync Traffic Only” is selected. The SSO General resource policy configured in the section above is displayed in the KCD label list.

5. Choose the Kerberos Constrained Delegation label and the Username template.

Note: The Username template can be of the format “<certDN.CN>” or “<certAttr.altName.UPN>”.


6. Click on save changes.


Troubleshooting

If you experience problems with certificate-based ActiveSync using Kerberos Constrained Delegation, there are a few things you can check or verify with the sets of logs below.

Successful ActiveSync Connection Using Constrained Delegation

The following log entries are recorded for a successful ActiveSync connection using Kerberos Constrained Delegation:

2016-12-06 20:24:51 - cl62 - [172.21.16.160] exchsrv2016\qauser()[Users] - Device record created for user exchsrv2016\qauser to obtain Authorization Only access. (activesync_id=LGMCYxsI0AP9duEr_AM, user-agent=)

2016-12-06 20:24:51 - cl62 - [127.0.0.1] System()[] - Web SSO: Fetched Kerberos TGT Ticket Client: [email protected], Server: krbtgt/[email protected], auth 12/06/16 20:24:28, start 12/06/16 20:24:28, end 12/07/16 06:24:28, renew 12/31/69 16:00:00, current 12/06/16 20:24:51

2016-12-06 20:24:52 - cl62 - [127.0.0.1] System()[] - Web SSO: Fetched Kerberos S4U2Self Ticket Client: [email protected], Server: [email protected], auth 12/06/16 20:24:28, start 12/06/16 20:24:28, end 12/07/16 04:44:28, renew 12/31/69 16:00:00, current 12/06/16 20:24:52, Flags reserved: 0, forwardable: 1, forwarded: 0, proxiable: 0, proxy: 0, may_postdate: 0, postdated: 0, invalid: 0, renewable: 0, initial: 0, pre_authent: 1, hw_authent: 0, transited_policy_checked: 0, ok_as_delegate: 0, anonymous: 0

2016-12-06 20:24:52 - cl62 - [127.0.0.1] System()[] - Web SSO: Fetched Kerberos Service Ticket via Constrained Delegation: Client: [email protected], Server: HTTP/[email protected], auth 12/06/16 20:24:28, start 12/06/16 20:24:28, end 12/07/16 04:44:28, renew 12/31/69 16:00:00, current 12/06/16 20:24:52

Synchronizing System Times

Kerberos authentication requires that system time is synchronized. Kerberos rejects any authentication requests from a system or client whose time is not within the specified maximum clock skew of the Kerberos server. Because each ticket is embedded with the time it was sent to a principal, hackers cannot resend the same ticket at a later time to attempt to be authenticated to the network. The client also rejects tickets from a Kerberos server if its clock is not within the maximum clock skew set during network authentication service configuration. The default value for the maximum clock skew is 300 seconds (five minutes).

Verify the time on the AD, the server and the PCS to make sure the skew is less than 5 minutes. A strong suggestion is to use NTP to avoid this issue.

User Access Logs:

2016-10-19 10:40:07 - ive - [127.0.0.1] System()[] - Fetch Kerberos TGT for user kcduser, realm EXCHSRV2016.COM failed: Clock out of sync with KDC 10.209.114.213

Check the KCD User Account

Another common mistake is that the username/password for the Constrained Delegation account in the AD does not match the configuration in the PCS Constrained Delegation settings. Verify and re-enter the password to make sure.

User Access Logs:

2016-12-06 20:29:57 - cl62 - [172.21.16.160] exchsrv2016\qauser()[Users] - Device record created for user exchsrv2016\qauser to obtain Authorization Only access. (activesync_id=LGMCYxsI0AP9duEr_AM, user-agent=)

2016-12-06 20:29:57 - cl62 - [127.0.0.1] System()[] - Fetch Kerberos TGT for user kcduser, realm EXCHSRV2016.COM failed: Credential validation failed against 10.209.114.213


Check the Server Name

Verify that the server you have defined in the Service List, the SSO Resource Policy and the AD user Delegation settings is the correct one and that it can be resolved via DNS.

Test resolving the server name from the PCS by using the Maintenance > Troubleshooting > Tools > Commands > NSLookup tool.

User account is Disabled

2016-12-06 20:49:45 - cl62 - [172.21.16.160] exchsrv2016\qauser()[Users] - Device record created for user exchsrv2016\qauser to obtain Authorization Only access. (activesync_id=LGMCYxsI0AP9duEr_AM, user-agent=)

2016-12-06 20:49:45 - cl62 - [127.0.0.1] System()[] - Web SSO: Fetched Kerberos TGT Ticket Client: [email protected], Server: krbtgt/[email protected], auth 12/06/16 20:49:22, start 12/06/16 20:49:22, end 12/07/16 06:49:22, renew 12/31/69 16:00:00, current 12/06/16 20:49:45

2016-12-06 20:49:45 - cl62 - [127.0.0.1] System()[] - Fetch Kerberos TGS for user qauser, TGT user kcduser, realm EXCHSRV2016.COM, host win2k12r2.exchsrv2016.com failed: Constrained Delegation TGS fetch error: Clients credentials have been revoked

Note: If the user account is disabled in the backend AD server, the user account remains valid in the PCS until the Kerberos ticket validity period expires.

Certificate CN Name and User Name Mismatch

If the CN in the client certificate and the username do not match, the following entry is logged in the user access logs:

2016-12-06 20:54:47 - cl62 - [172.21.16.160] 172.21.16.160()[Users] - Username obtained from Certificate Template [leema] is different from Username [exchsrv2016%5Cqauser] configured in mail client

Invalid KCD Service List

If the service list added under the PCS resource policy is invalid, the following entry is logged when a user makes an ActiveSync connection:

2016-12-07 00:44:48 - cl62 - [127.0.0.1] System()[] - SSO Error: Constrained Delegation host mismatch: host win2k12r2.exchsrv2016.com, service list test2k12.child1.exchsrv2016.com

User Account not Delegated

If the user account is enabled with the option “Account is sensitive and cannot be delegated”, the ActiveSync connection will fail with the following entry in the PCS logs:

2016-12-07 01:16:30 - cl62 - [127.0.0.1] System()[] - Fetch Kerberos TGS for user qauser, TGT user kcduser, realm EXCHSRV2016.COM, host win2k12r2.exchsrv2016.com failed: Constrained Delegation TGS fetch error: KDC can't fulfill requested option.
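As an added triage helper that is not part of the Pulse Secure guide, the script below parses PCS user access log lines and maps each failure message documented in this Troubleshooting section to its cause and the check the guide prescribes. The sample lines at the bottom are constructed from the guide's own examples; the line layout it assumes is the one those examples show.

```powershell
# Added triage helper; not part of the Pulse Secure guide. Feed it exported PCS
# user access log lines (Get-Content <file> | Get-KcdLogFinding).
$rules = @(
    @{ Needle = 'Clock out of sync with KDC'
       Cause  = 'Clock skew'
       Check  = 'Sync AD, EAS server and PCS via NTP; skew must stay under 300 s' }
    @{ Needle = 'Credential validation failed'
       Cause  = 'KCD account password mismatch'
       Check  = 'Re-enter the Principal Account password in PCS Constrained Delegation' }
    @{ Needle = 'Clients credentials have been revoked'
       Cause  = 'End-user account disabled'
       Check  = 'Enable the user in AD; PCS keeps the cached ticket until it expires' }
    @{ Needle = 'Constrained Delegation host mismatch'
       Cause  = 'Invalid KCD Service List'
       Check  = 'Make the Service List entry match the backend host name' }
    @{ Needle = "KDC can't fulfill requested option"
       Cause  = 'Account is sensitive and cannot be delegated'
       Check  = 'Clear that option on the end-user account in AD' }
    @{ Needle = 'Username obtained from Certificate Template'
       Cause  = 'Certificate CN / username mismatch'
       Check  = 'Align the mail-client username with the <certDN.CN> or <certAttr.altName.UPN> template' }
)

# Assumed PCS line layout: "<date> <time> - <node> - [<ip>] <user>()[<roles>] - <message>"
$lineRegex = '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) - (?<node>\S+) - \[(?<ip>[^\]]+)\] (?<who>.+?) - (?<msg>.+)$'

function Get-KcdLogFinding {
    # Reads log lines from the pipeline; emits one object per recognised failure,
    # nothing for healthy lines or lines in another format.
    param([Parameter(ValueFromPipeline = $true)][string]$Line)
    process {
        if ($Line -match $lineRegex) {
            $ts  = $Matches.ts
            $ip  = $Matches.ip
            $msg = $Matches.msg
            foreach ($rule in $rules) {
                if ($msg.IndexOf($rule.Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ Time = $ts; Source = $ip; Cause = $rule.Cause; Check = $rule.Check }
                    return
                }
            }
        }
    }
}

# Constructed sample input: one healthy line followed by failures from the guide.
$samples = @(
    '2016-12-06 20:24:51 - cl62 - [127.0.0.1] System()[] - Web SSO: Fetched Kerberos TGT Ticket Client: kcduser@EXCHSRV2016.COM',
    '2016-10-19 10:40:07 - ive - [127.0.0.1] System()[] - Fetch Kerberos TGT for user kcduser, realm EXCHSRV2016.COM failed: Clock out of sync with KDC 10.209.114.213',
    '2016-12-06 20:29:57 - cl62 - [127.0.0.1] System()[] - Fetch Kerberos TGT for user kcduser, realm EXCHSRV2016.COM failed: Credential validation failed against 10.209.114.213',
    '2016-12-07 00:44:48 - cl62 - [127.0.0.1] System()[] - SSO Error: Constrained Delegation host mismatch: host win2k12r2.exchsrv2016.com, service list test2k12.child1.exchsrv2016.com',
    "2016-12-07 01:16:30 - cl62 - [127.0.0.1] System()[] - Fetch Kerberos TGS for user qauser, TGT user kcduser, realm EXCHSRV2016.COM, host win2k12r2.exchsrv2016.com failed: Constrained Delegation TGS fetch error: KDC can't fulfill requested option.",
    '2016-12-06 20:54:47 - cl62 - [172.21.16.160] 172.21.16.160()[Users] - Username obtained from Certificate Template [leema] is different from Username [exchsrv2016%5Cqauser] configured in mail client'
)

$samples | Get-KcdLogFinding | Format-Table -AutoSize
```

The healthy first line produces no output; each of the remaining five lines is reported with the matching cause and check.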