Good analysis of TCP/IP Protocol
Wednesday, June 23, 2010
Tuesday, June 1, 2010
Two Factor Authentication (PhoneFactor) and Siteminder
Enterprises are protecting their most sensitive information with another authentication mechanism in addition to just a username and password. I worked recently with PhoneFactor, a vendor of software that provides 2nd factor authentication.
We use CA Siteminder for our application security purposes. Integrating PhoneFactor with Siteminder looks easy but we took a little time to figure it out.
Test URL: http://finance.domain.com/SuperSecure
Phone Factor AD Group: PF_AD_Group
Requirement: Whenever a user in PF_AD_Group tries to access http://finance.domain.com/SuperSecure, Siteminder should send an authentication request (RADIUS) to the PhoneFactor software. PhoneFactor should call the user and match the voiceprint to complete the 2nd factor. For users who are not in PF_AD_Group, PhoneFactor does not need to perform 2nd factor authentication.
- Setup PhoneFactor to receive RADIUS auth requests from Siteminder
- In Siteminder
  - Setup PhoneFactor_AS Authentication Scheme
    - RADIUS Server Template
    - RADIUS Server IPADDRESS
    - Port
    - SharedSecret
  - Setup PhoneFactorLDAP_UD
    - SERVER: PhoneFactor Server
  - For Domain finance.domain.com
    - Add userDirectory PhoneFactorLDAP_UD (use this directory for Authentication)
    - Add userDirectory LDAP_UD (use this directory for Authorization)
    - For realm /SuperSecure
      - Use PhoneFactor_AS as Authentication Scheme
      - In Advanced -> Directory Mapping -> Map PhoneFactorLDAP_UD & LDAP_UD to perform authentication and authorization respectively.
(If applications require authorization and mapping is set to default, then PhoneFactor will just authenticate and send back the response. Siteminder will reject access and give an error as TimedOut. Or sometimes PhoneFactor will continuously call the user.)
Tuesday, May 25, 2010
Siteminder webagent on Windows 2008 x64
For Windows 2008 R1 x64, the 64-bit version of the Siteminder Webagent does not work very well in case you want to protect apps with ASP.NET 1.1. I wasted too much time troubleshooting this, and websites with ASP.NET 2.0 would work without any issue.
Siteminder ISAPI6webagent.DLL would not fire for ASP.NET 1.1 applications.
As a test, I installed the Siteminder x32 bit Webagent on the 64-bit server, and the issue was resolved. ASP.NET 1.1 and 2.0 applications both worked.
The Webagent used is available for download here:
ftp://ftp.ca.com/pub/SiteMinder/SMIIS/WebAgent/6.0SP5/CRs/cr-35/
Monday, May 24, 2010
Error 1606
I just got the below error while I was trying to install software on a Windows 2008 x64 server:
"Error 1606. Could not access network location %SystemDrive%\inetpub\wwwroot\"
How to fix this?
Modify both locations in the registry using regedit:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp\PathWWWRoot
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\InetStp\PathWWWRoot
In each, change the value appropriately, from
"%SystemDrive%\inetpub\wwwroot" to "D:\inetpub\wwwroot".
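The same change scripted, as an added example that is not part of the original post: it reads the stored PathWWWRoot value in both registry views without expanding `%SystemDrive%`, then rewrites it. The function name `Set-PathWWWRoot` is hypothetical, and the script assumes an elevated 64-bit PowerShell 3.0 or later session.

```powershell
# Added example: repoint PathWWWRoot in both registry views named in the post.
# Set-PathWWWRoot is a hypothetical helper name. Run elevated, in 64-bit
# PowerShell (a 32-bit session is redirected to Wow6432Node for both paths).
function Set-PathWWWRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Target taken from the post; change it to where wwwroot actually lives.
        [string]$NewPath = 'D:\inetpub\wwwroot'
    )

    $name = 'PathWWWRoot'
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\InetStp',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\InetStp'
    )
    $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($keyPath in $keys) {
        if (-not (Test-Path -Path $keyPath)) {
            Write-Warning "$keyPath not found, skipping"
            continue
        }

        # Read the stored string as written, so %SystemDrive% stays visible.
        $key     = Get-Item -Path $keyPath
        $current = $key.GetValue($name, $null, $raw)

        # Keep the existing value type; fall back to REG_SZ if the value is absent.
        $type = if ($null -ne $current) { $key.GetValueKind($name) }
                else { [Microsoft.Win32.RegistryValueKind]::String }

        $changed = $false
        if ($current -ne $NewPath -and
            $PSCmdlet.ShouldProcess("$keyPath\$name", "Set to $NewPath")) {
            Set-ItemProperty -Path $keyPath -Name $name -Value $NewPath -Type $type
            $changed = $true
        }

        # One record per key: what was there, and whether it was rewritten.
        New-Object PSObject -Property @{
            Key = $keyPath; Before = $current; After = $NewPath; Changed = $changed
        }
    }
}

# Preview first, then apply:
#   Set-PathWWWRoot -WhatIf
#   Set-PathWWWRoot
```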