Solved

Smart card and token for Windows login

Posted on 2013-12-23
7
90 Views
Last Modified: 2016-07-12
We are currently in the process of implementing smart card Windows login; we need to have a secondary login using a token (e.g. RSA) in case an employee forgets/loses his smart card.

What is the possibility of having a token as a secondary login, and how to switch between smart card login and token?
Question by:zulfiqar43111
7 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 134 total points
ID: 39737492
Likely you need the fallback plan to be fronted by some sort of "intelligent" proxy such that it is able to execute the plan accordingly. I see maybe you can leverage an Application Delivery Controller (ADC, which is at the same time load balancer capable) such as F5 APM, or Forefront TMG (or ISA), or the Cisco ACS type of approach.

I don't think you can indicate fallback via Active Directory on the Windows login account, besides falling back to login via user/password out of the Windows box, which is more of a downgrade... RSA OTP can also be part of the Windows login GINA, as most enterprises have used it, but likely you need to cater for Enterprise SSO (recall there is IBM Tivoli and Oracle IDM), which is part of an identity mgmt suite.

Please see the below:

(F5 APM for AAA servers; it has the flexibility to configure various authentication means using the policy editor. But it tends to work with your org's IDM provider.)
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_server_auth.html
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_creatingpolicies.html

(See "Methods for validation of client credentials" onwards, e.g. if authentication fails, Forefront TMG provides the server's failure notice to the client. If the server requires a different type of credentials, Forefront TMG triggers an alert. Also the 2nd link talks on SecurID and ISA.)

http://technet.microsoft.com/en-us/library/cc995255.aspx
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Why-how-implement-SecurID-Authentication.html

(See the HA configuration, but for your case of user fallback it may be too tedious to do it specific to a single user; I was thinking maybe ACS can act as a directory to check and fall back according to user mapping - need to explore further on the 2nd link's "Unknown user policy External database Mapping RSA".)
https://supportforums.cisco.com/thread/2197001
http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html#_Toc299535938
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 66 total points
ID: 39743465
I don't think you've thought this through; why does a user need two logins? With Active Directory there are no secondary passwords or fall-backs, it's the user's password or nothing. You can use tokens to be the passwords or authenticators like Yubikey's standard token; it is basically a USB device that replays a password when you want it to. Place the USB in, put the cursor in the password field, click a button on the USB device and it "types" the password in. It's almost 100% universal. That is the only thing I can think of using; the Yubikey would have the same password the user knows however, so it's only going to work as a backup, not an alternate.
I think I don't understand the question really; I can't picture this fallback working for anything. But I'm a security guy and that sounds like bad bad bad security.
-rich
0
 
LVL 63

Expert Comment

by:btan
ID: 39743482
This is more like having user recovery if he/she forgets their password too, i.e. self-service password reset. There are many means to have it, and likewise if the PIN is forgotten and it is not due to a backend outage or errors, the user has to bear the ownership to recover via the helpdesk as per norm; this is similar to revoking expired certs or a token that is spoilt. I do agree there shouldn't be so many logins, especially for the OS; it is either smartcard or the normal username/passwd, but as shared that is a security downgrade. Go for maintaining the change mgmt process in user awareness and resiliency in the backend. Application login can vary, but not OS (including preboot) login, as that is the critical juncture to access all possible services via the machine.
0
 
LVL 63

Accepted Solution

by:
btan earned 134 total points
ID: 41704627
Actually I am thinking the question is better answered by just installing it as another credential provider, based on the provider: e.g. RSA SecurID (OTP token) has its own software, and the other smartcard provider will also have another piece of software (cum token driver and crypto provider). Depending on which hardware is used by the user on login, through the tile selected, it will authenticate against the smartcard or token. The provider can be filtered as well. Look at the RSA suggestion:
Navigate to Start > Run > "gpedit.msc" > Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > RSA Desktop > Credential Provider Filter Settings
This can be accomplished by enabling the exclusion on third-party credential providers. You can leave all the rest of credential providers as not configured which is a default setting.
Exclude the Microsoft Password Credential Provider =Not configured
Exclude the RSA Credential Provider for disconnect auth =Not configured
Exclude the RSA Smart Card Credential Provider =Not configured
Exclude the Third-party Credential Providers = Enabled
https://community.rsa.com/docs/DOC-46090

As a whole, it should be viable to answer the query.
0
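As an added example (not from this thread and not RSA's or Microsoft's own tooling), the following PowerShell script audits a workstation after the two providers are installed: it lists every registered credential provider and filter, and shows which ones are switched off, so an admin can confirm that both the smart card tile and the token tile really are available at logon. The provider and filter registry locations are the built-in Windows ones; the policy value names `ExcludedCredentialProviders` and `DefaultCredentialProvider` are assumed to be what the standard "Exclude credential providers" and "Assign a default credential provider" policies write.

```powershell
# Added example, not part of the original thread or of RSA's documentation.
# Audit credential providers on a workstation after installing the smart card
# and OTP token providers: list every registered provider and filter, and show
# which ones are disabled or excluded, so both login tiles are really available.
# Run in an elevated PowerShell session on the target workstation.

$cpRoot     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$filterRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
# Assumed: the key/values written by the built-in "Exclude credential providers"
# (comma-separated CLSIDs) and "Assign a default credential provider" (one CLSID) policies.
$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-RegisteredProviders {
    param([string]$Root, [string]$Kind)
    $excluded = @()
    $pol = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    if ($pol -and $pol.ExcludedCredentialProviders) {
        $excluded = $pol.ExcludedCredentialProviders -split ',' | ForEach-Object { $_.Trim().ToUpper() }
    }
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid = $_.PSChildName
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # The COM server implementing the provider is registered under HKCR\CLSID\{clsid}\InprocServer32
        $dll = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                    -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            Kind             = $Kind
            CLSID            = $clsid
            Name             = $props.'(default)'
            Dll              = $dll
            # A provider's own key may carry Disabled=1; policy exclusion is a separate mechanism
            Disabled         = ($props.Disabled -eq 1)
            ExcludedByPolicy = ($excluded -contains $clsid.ToUpper())
        }
    }
}

$report = @(Get-RegisteredProviders -Root $cpRoot -Kind 'Provider') +
          @(Get-RegisteredProviders -Root $filterRoot -Kind 'Filter')
$report | Sort-Object Kind, Name | Format-Table Kind, Name, Disabled, ExcludedByPolicy, Dll -AutoSize

$default = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DefaultCredentialProvider
if ($default) { Write-Host "Default credential provider forced by policy: $default" }

# Flag the case this thread is about: a third-party provider (DLL outside the Windows
# directory, e.g. the smart card or OTP vendor's) that has been filtered out, losing its tile.
$report | Where-Object { $_.Kind -eq 'Provider' -and ($_.Disabled -or $_.ExcludedByPolicy) -and
                         $_.Dll -and $_.Dll -notlike "$env:windir\*" } |
    ForEach-Object { Write-Warning "Third-party credential provider '$($_.Name)' ($($_.CLSID)) is not available at logon." }
```

Compare the output before and after applying the "Exclude the Third-party Credential Providers" setting from the RSA note above, so that the exclusion does not silently remove the vendor provider users rely on.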
 
LVL 63

Expert Comment

by:btan
ID: 41704633
Can I suggest that the below are considered for the solution.
http://#ID:41704627 (tile-based selection by user)
http://#ID:39737492 (another means, using a proxy to manage which login approach)
http://#ID:39743465 (another form factor)

This is in my understanding that it is not asking for multifactor authentication, e.g. not to restrict only with a 2nd factor, as well as not asking for HA configuration. But more that the user is able to use either smartcard or token, if I read it correctly.
0
