Password Power 8.5 Solution Overview | Confidential © 2009 PistolStar, Inc. Solution Overview Confidential | © Copyright 2009 PistolStar, Inc. Any form

Password Power 8.5Password Power 8.5

Solution Overview Solution Overview | Confidential| Confidential © 2009 PistolStar, Inc.© 2009 PistolStar, Inc.

Solution OverviewSolution Overview

Confidential | © Copyright 2009 PistolStar, Inc. Confidential | © Copyright 2009 PistolStar, Inc.

Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this Presentation is strictly prohibited without explicit written approval from PistolStar, Inc.of this Presentation is strictly prohibited without explicit written approval from PistolStar, Inc.

Authentication Technologies for the Enterprise

Presented by: Presented by: Rob AxelrodRob AxelrodTechnotics, Inc.Technotics, Inc.

““Best Practices: Authentication Technologies Best Practices: Authentication Technologies That Address Usability, Security, Auditing and That Address Usability, Security, Auditing and Compliance”Compliance”

Confidential | © Copyright 2009 PistolStar, Inc. Confidential | © Copyright 2009 PistolStar, Inc.

Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this Presentation is strictly prohibited without explicit written approval from PistolStar, Inc.of this Presentation is strictly prohibited without explicit written approval from PistolStar, Inc.



Introductions

Who is Technotics?Technotics can help to reduce the demands made on corporate information technologies systems by delivering world class architecture and solutions support. They provide professional services for all aspects of collaboration and messaging infrastructure in the enterprise.Who is PistolStar?PistolStar specializes in authentication technologies, providing software products that address organizations’ requirements for enhanced usability, security, auditing and compliance. Our solutions simplify application logons while providing IT staff with functionality to safeguard access, alert login threats, reduce password management and provide strong controls for regulatory compliance.

22



Why do these two companies work together?Enhanced authentication solutions are often at the top of Technotics customers’ wish lists.The two organizations have teamed up to deliver high value solutions to our mutual customers What will be covered today?This seminar today addresses usability, security, and compliance in a real-world business context in the form of case studies.

33

Introductions (continued)



About PistolStar

Founded in 1999 as consulting company

Authority in Authentication Technologies

Reactive to customer driven requirements

More than 475 customers worldwide

44



Dreaming of One Set of Credentials

The ideal end state for an organization:

For a user to log into Active Directory and once authenticated there, all underlying systems/applications would accept the user’s AD credentials.

A seamless solution that requires:

No changes to Active Directory or other systems’ directories.

No proprietary directories or credential stores.

No proprietary servers/appliances and no single point of failure.

55



A checklist for simplified application access:

Authenticate users against Active Directory

One password for user to remember

Uniform AD password policies for compliance

Reduce Help Desk calls

Achieve Single or Reduced Sign-On

Stronger Authentication

Seamless real-time access after forgotten password

Dreaming of One Set of Credentials (continued)

66



Matrix for Authentication Technologies

Products/ApplicationsAuthentication

Protocols Platforms Benefits

Notes Kerberos AIX Security

Sametime NTLM Windows (32/64 bit) Compliance

Domino LDAP Linux Usability

Quickr Smartcards System i (AS/400) Audit

SharePoint CAC cards (X.509) Solaris

WebSphere Portal Passwords

Apache

Wiki

77



Customer #1 – European Military Organization

Challenge: Easier way to recover Notes ID password to limit

support costs Streamline the process of distributing Notes ID for

workstation setup.

–Initial ID distribution had to be secure as well as easy and efficient.

88


Solution Overview Solution Overview | Confidential| Confidential © 2009 PistolStar, Inc.© 2009 PistolStar, Inc.99

Case Study #1: Military Customer (supported by IBM)









Apache

Wiki



Customer #1: Military Customer (supported by IBM)

Solution: Store the user’s Notes ID in a (Domino) LDAP Server

and pull the ID out of that store during client setup. Use PistolStar’s SSO feature and have the

"stealth"/recovery copy of the user’s Notes ID, so if the user didn't have his/her password anymore, they could get the ID automatically back without the user knowing about it.

1010



Process #1:



Process #1: (continued)



Process #2:



Process #2: (continued)



Challenge: Smartcard access to Notes client via SSO Removing Domino HTTP password from person

documents to satisfy security and audit requirements and to minimize administration of passwords in multiple locations.

Leverage AD for application access to Lotus assets SSO for Domino web applications using native

Microsoft Kerberos functionality in the browser. SSO access to Sametime using Kerberos

1515

Customer #2 – Manufacturing Customer



Case Study #2: Manufacturing Customer









Apache

Wiki



The organization already had a large investment in multi factor authentication using smart cards to authenticate to Active Directory. This allowed Pistolstar to leverage this infrastructure to provide password-free strong authentication to the Notes client.

– Kerberos authentication with the OS at logon– Notes ID present on the workstation with 62 character

generated unique password unknown to the user– Pistolstar utilizes Kerberos connection to access AD

attributes to establish identity and unlock local ID

1717

Customer #2: Manufacturing CustomerSolution – Smart Cards



Leveraging the Eclipse framework PistolStar provisions an authentication plug-in into the Sametime client. This utilizes the Kerberos ticket to negotiate with the custom authentication interface on the Sametime server.

–Provides password-free authentication with Sametime

Utilizing PistolStar’s DSAPI filter HTTP requests for authentication are negotiated to use the Kerberos protocol with the browser client.

1818

Customer #2: Manufacturing CustomerSolution – Sametime/Domino



Customer’s Sametime environment has approximately 75,000 users.

Project is to tie the log-in of Sametime to their AD account to fully automate the log-in process and eliminate all prompts by letting the user log-in with their smart card. The directory that Sametime authenticates against is a pass-through authentication through a Tivoli LDAP server to a universal directory that contains records for all user accounts.

The challenge will be that there is no one definitive AD tree in the organization, but rather a plethora of different ones. The goal is to have all log-ins (WEB and other programs) tied into the smart card.

1919

Customer #3: Military Customer



Case Study #3: Military Customer









Apache

Wiki



Two key requirements for the Domino-based portal Use AD passwords to login to Domino Reduce help desk calls by allowing self-service

Active Directory password resets via HTTPS

2121

Case Study #4: Insurance Customer (Hibernian Group)












Apache

Wiki




Solution Description– Implement existing product Web Set Password with

enhancements (later rolled into the core product)

– Enabling WSP to communicate via LDAP in addition to native Domino in real time

– Configure challenge response questions for user self-service

– Set up back-end agents to manage user accounts on AD utilizing LDAP



Goal:

1. Log failed Logon attempts to Lotus Notes (record each strike)

2. Lockout Lotus Notes User after 3 failed attempts to enter their password correctly- A Locked-out User will be required to call Help Desk

3. Password recovery- A forgotten password will require a call to the Help Desk

2424

Case Study #5: Health Care Customer(Copenhagen Trial Unit)











Apache

Wiki

Case Study #5: Health Care Customer(Copenhagen Trial Unit)



Technical Overview:

The Notes authentication event is intercepted by the Pistolstar extension and the credentials are redirected to a Domino web agent for authentication against the HTTP password

Each attempt (successful or failed) is logged on the server in a Notes database

Once a user has been successfully authenticated, encrypted attributes are pulled back from the Domino server via HTTP

The Notes ID is then unlocked using these encrypted attributes Subsequent to this, the user never needs to interact directly with the Notes ID

file (in fact they can’t interact with it even if they want to)

2626



Requirements:

-The PistolStar Plug-In needs to be installed and registered within each User’s Lotus Notes Client.

-Domino LDAP service must be enabled on the server.

-Create mail-in database on the Domino server running the Router. Optionally, replicate the Audit Log emails to the Domino Application server.

Notes ID lockoutLDAP

2727



Domino_ATG SSO Project:

Use a perl approach for creating our SSO cookies. It would only require slight changes on your Apache server and would be a browser-independent solution for SSO to Domino after authenticating to Apache. The process will be completely transparent to end users and they will not need to install any client-side software.

2828

Case Study #6: Technology Customer (QAD)











Apache

Wiki




Description:

Apache is the primary interface for authentication Authentication occurs against an LDAP server If required, the PistolStar perl script will generate a PistolStar SSO token

which will then be encrypted and passed to the user as a session cookie. Any subsequent requests by that user to a Domino server use the

PistolStar cookie/token which will be interpreted by the PistolStar DSAPI filter.

3030



Assumptions:- The Apache server and all customer-facing Domino servers are part of the "qad.com" domain and referenced as such in the browser- The Apache server is running on Linux on x86 hardware- Client browsers must have cookies enabled

3131



Project Description – Wiki SSO

In addition to the Apache and Domino SSO requirements the customer had also implemented a Wiki (Daisy) that they required single sign-on.

Solution Description:

Using the existing token that was generated by the initial logon and script a modification was made to the Daisy logon form to detect the presence of the token.

If the token was found to be present, a perl script would be called to decrypt the credentials and populate the login fields and submit the form.

3232




Requirements:

Daisy will be configured to authenticate against Active Directory. All users' Active Directory usernames & passwords will be kept

in sync with Domino LDAP. The code changes will only be supported on the "login.xsl" page. The Daisy URL requested by the user is accessible via

Javascript from the "login.xsl" page. Daisy's error page should be customized by QAD to redirect to

the "login.xsl" page for streamlined SSO and an optimal user experience.

3333



PistolStar Tailored Solutions

Business Processes Tailoring solutions using PistolStar existing framework PistolStar’s software suite is a tried-and-tested framework that will deliver the most effective security and compliance solutions for your particular organization. With an extensive set of technical capabilities across a wide range of platforms, PistolStar security experts enable you to build a comprehensive security and compliance infrastructure that is tailored to your authentication requirements and your particular environment. Enterprise-ready Define Framework Solution delivery

3434



Features Lotus Provides

What about features Lotus provides in their releases?

Not Enterprise Ready Features for the masses

A checkbox

3535



Final Q & A

For more information, see

PistolStar at booth #433

3636

Documents

Password Power 8.5 Solution Overview | Confidential © 2009 PistolStar, Inc. Solution Overview Confidential | © Copyright 2009 PistolStar, Inc. Any form