
  • Pulse Connect Secure
    Configure Certificate Based ActiveSync with Kerberos Constrained Delegation: How-To Guide

    Published Date: March, 2017

    Document Revision 1.0

  • Configure Certificate Based ActiveSync with Kerberos Constrained Delegation: How-To Guide

    © 2017 by Pulse Secure, LLC. All rights reserved 2

    Pulse Secure, LLC

    2700 Zanker Road, Suite 200

    San Jose, CA 95134

    http://www.pulsesecure.net

    Pulse Secure assumes no responsibility for any inaccuracies in this document. Pulse Secure reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Products made or sold by Pulse Secure or components thereof might be covered by one or more of the following patents that are owned by or licensed to Pulse Secure: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

    Configure Certificate Based ActiveSync with Kerberos Constrained Delegation: How-To Guide

    Copyright © 2017, Pulse Secure, LLC. All rights reserved.

    Printed in USA.


    Contents

    Overview ..... 4
    Configuration Details ..... 5
    Setting up Constrained Delegation in Active Directory Server ..... 6
      Create a Kerberos Constrained Delegation User account ..... 6
      Enable Delegation for the Created user account ..... 7
    Setting up IIS Server for KCD ..... 13
    Setting up Pulse Connect Secure for Constrained Delegation ..... 17
      Web SSO General Configuration ..... 17
      Set up Constrained Delegation ..... 18
      Setting up Client Certificate Authentication ..... 19
      Certificate Enforcement Configuration ..... 20
      Authorization Only access URL Configuration ..... 21
    Troubleshooting ..... 24
      Successful ActiveSync Connection Using Constrained Delegation ..... 24
      Synchronizing System Times ..... 24
      Check the KCD User Account ..... 24
      Check the Server Name ..... 25
      User account is Disabled ..... 25
      Certificate CN Name and User Name Mismatch ..... 25
      Invalid KCD Service List ..... 25
      User Account not Delegated ..... 25


    Overview

    Authorization-only access is similar to a reverse proxy. Typically, a reverse proxy is a proxy server installed in front of web servers. All connections coming from the Internet addressed to one of the web servers are routed through the proxy server, which may either handle the request itself or pass the request wholly or partially to the main web server.

    With the ability to check for valid client-side certificates, the IVE is now not only acting as a reverse proxy to the desired resource but also ensuring that access to these resources is granted only if the user presents a valid client certificate issued by a client CA that the IVE trusts.

    Constrained delegation: The constrained delegation extension allows a service to obtain service tickets (under the delegated user's identity) to a subset of other services after it has been presented with a service ticket that was obtained either through the TGS_REQ protocol, as defined in IETF RFC 1510, or through the protocol transition extension.


    Configuration Details

    • Setting up Constrained Delegation in Active Directory Server

    • Setting up Pulse Connect Secure for Constrained Delegation

    • Troubleshooting


    Setting up Constrained Delegation in Active Directory Server

    This section outlines how to set up Kerberos Constrained Delegation with the Pulse Secure Access product. This involves setting up an account in the Active Directory, setting up the Server hosting the services and, finally, configuring the Pulse Secure Access appliance.

    • Create a Kerberos Constrained Delegation User account

    • Enable Delegation for the Created user account

    Create a Kerberos Constrained Delegation User account

    In order to get Constrained Delegation to work, a User account has to be created. This account must have the rights to perform Protocol Transition and Delegation. Essentially, this is the account that has the rights to request a Kerberos Ticket on behalf of a user signing in to the Pulse Connect Secure.

    1. Start by creating a new user in the Active Directory.

    2. In this example, kcduser1 is created as the account that provides Constrained Delegation access to the Exchange ActiveSync Server.


    Enable Delegation for the Created user account

    Delegation is not enabled by default for a User account and needs to be enabled. This involves the use of SETSPN from the command line.

    1. Use the command: setspn -A HTTP/kcduser1 exchsrv2016\kcduser1

    NOTE: In this example, exchsrv2016 is the Domain and kcduser1 is the user account we just created.


    2. This will enable the Delegation tab in the “KCDUser1” properties.


    3. Add the Services.


    4. Since this is “constrained” delegation, the “Services” it applies to must be specified. Select “Add”.

    5. Use the Users or Computers button to select the Computer hosting these services.


    6. In this example, the Exchange ActiveSync Server (EAS) service is hosted on a different server from the AD, so WIN2K12R2 is selected. This could have been any other Server in the Domain.
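    The Active Directory steps of this section (create the account, register the SPN, enable delegation with protocol transition, constrain it to the EAS host) as an added PowerShell example with a verification step; this is not code from the Pulse Secure guide. It assumes the ActiveDirectory module, the DNS name exchsrv2016.example for the EXCHSRV2016 domain, and the http service class for the EAS host WIN2K12R2 (the guide selects the host here; the service entries themselves appear on a later page).

```powershell
# Added example, not from the Pulse Secure guide: AD-side KCD setup done with the
# ActiveDirectory module instead of the GUI and setspn, followed by a sanity check.
# Assumptions: DNS domain name exchsrv2016.example (assumed for the EXCHSRV2016
# domain in the guide) and the "http" service class for the EAS host WIN2K12R2.
Import-Module ActiveDirectory

$KcdUser = 'kcduser1'                 # account name from the guide
$Domain  = 'exchsrv2016.example'      # assumed FQDN of the EXCHSRV2016 domain
$EasHost = 'WIN2K12R2'                # EAS host selected in step 6
$Targets = @("http/$EasHost.$Domain", "http/$EasHost")   # FQDN and short SPN forms

# Steps 1-2: a dedicated account used only for delegation.
$Password = Read-Host -AsSecureString -Prompt "Password for $KcdUser"
New-ADUser -Name $KcdUser -SamAccountName $KcdUser -AccountPassword $Password `
    -Enabled $true -Description 'KCD account for Pulse Connect Secure ActiveSync'

# Equivalent of: setspn -A HTTP/kcduser1 exchsrv2016\kcduser1
Set-ADUser -Identity $KcdUser -ServicePrincipalNames @{Add = "HTTP/$KcdUser"}

# Delegation tab, "Use any authentication protocol" (protocol transition).
Set-ADAccountControl -Identity $KcdUser -TrustedToAuthForDelegation $true

# Steps 4-6: constrain delegation to the EAS host only (msDS-AllowedToDelegateTo).
Set-ADUser -Identity $KcdUser -Add @{'msDS-AllowedToDelegateTo' = $Targets}

# Check: the account must be constrained (not trusted for any service) and
# must list only the intended EAS targets.
$u = Get-ADUser -Identity $KcdUser -Properties servicePrincipalName, TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
if ($u.TrustedForDelegation) {
    throw "$KcdUser is configured for UNCONSTRAINED delegation; fix before use"
}
$unexpected = $u.'msDS-AllowedToDelegateTo' | Where-Object { $_ -notin $Targets }
if ($unexpected) {
    throw "Unexpected delegation targets on ${KcdUser}: $($unexpected -join ', ')"
}
$u | Select-Object SamAccountName, servicePrincipalName, TrustedToAuthForDelegation,
        'msDS-AllowedToDelegateTo'
```

    Run it as a domain administrator; the final check is worth re-running after any later change to the account, since unconstrained delegation or extra targets widen what the KCD account can impersonate users to.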
