Solved

smart card and token for windows login

Posted on 2013-12-23
Last Modified: 2016-07-12
We are currently in the process of implementing smart card Windows login. We need to have a secondary login using a token (e.g. RSA) in case an employee forgets/loses his smart card.
 
What is the possibility of having a token as a secondary login, and how do we switch between smart card login and token login?
Question by:zulfiqar43111
7 Comments
 
LVL 61

Assisted Solution

by:btan
btan earned 134 total points
Likely you need the fallback plan to be fronted by some sort of "intelligent" proxy, such that it is able to execute the plan accordingly. I see maybe you can leverage an Application Delivery Controller (ADC, which is at the same time load balancer capable) such as F5 APM, or Forefront TMG (or ISA), or a Cisco ACS type of approach.

I don't think you can indicate a fallback via Active Directory on the Windows login account, besides falling back to login via user/password out of the Windows box, which is more of a downgrade... RSA OTP can also be part of the Windows login GINA, as most enterprises have used it, but likely you need to cater for Enterprise SSO (recall there is IBM Tivoli and Oracle IDM), which is part of an identity management suite.

Please see the below:

(F5 APM for AAA servers; it has the flexibility to configure various authentication means using the policy editor. But it tends to work with your org's IDM provider.)
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_server_auth.html
http://support.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm_config_10_2_0/apm_config_creatingpolicies.html

(See "Methods for validation of client credentials" onwards, e.g. if authentication fails, Forefront TMG provides the server's failure notice to the client. If the server requires a different type of credentials, Forefront TMG triggers an alert. Also the 2nd link talks about SecurID and ISA.)

http://technet.microsoft.com/en-us/library/cc995255.aspx
http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Why-how-implement-SecurID-Authentication.html

(See the HA configuration, but for your case of user fallback it may be too tedious to do it specific to a single user. I was thinking maybe ACS can act as a directory to check and fall back according to user mapping; need to explore further the 2nd link's "Unknown user policy External database Mapping RSA".)
https://supportforums.cisco.com/thread/2197001
http://www.security-solutions.co.za/cisco-CSACS-1113-SE-4.2-RSA-Authentication-Manager-Integration-Configuration-Example.html#_Toc299535938
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 66 total points
I don't think you've thought this through. Why does a user need two logins? With Active Directory there are no secondary passwords or fall-backs; it's the user's password or nothing. You can use tokens to be the passwords or authenticators, like Yubikey's standard token; it is basically a USB device that replays a password when you want it to. Place the USB in, put the cursor in the password field, click a button on the USB device and it "types" the password in. It's almost 100% universal. That is the only thing I can think of using; the Yubikey would have the same password the user knows, however, so it's only going to work as a backup, not an alternate.
I think I don't really understand the question; I can't picture this fallback working for anything. But I'm a security guy and that sounds like bad, bad, bad security.
-rich
 
LVL 61

Expert Comment

by:btan
This is more like having user recovery if he/she forgets their password too, i.e. self-service password reset. There are many means to have it, and likewise if the PIN is forgotten and it is not due to a backend outage or errors, the user has to bear the ownership to recover via the helpdesk as per the norm; this is similar to revoking expired certs or when the token is spoilt. I do agree there shouldn't be so many logins, especially for the OS; it is either smartcard or the normal username/password, but as shared that is a security downgrade. Go for maintaining the change management process in user awareness and resiliency in the backend. Application login can vary, but not OS (including preboot) login, as that is the critical juncture to access all possible services via the machine.
 
LVL 61

Accepted Solution

by:
btan earned 134 total points
Actually I am thinking the question is better answered by just installing it as another credential provider, based on the provider. E.g. RSA SecurID (OTP token) has its own software, and the other smartcard provider will also have other software (with token driver and crypto provider). Depending on which hardware is used by the user on login, through the tile selected, it will be authenticated against the smartcard or the token. The provider can be filtered as well. Look at the RSA suggestion:
Navigate to Start > Run > "gpedit.msc" > Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > RSA Desktop > Credential Provider Filter Settings
This can be accomplished by enabling the exclusion of third-party credential providers. You can leave all the rest of the credential providers as Not Configured, which is the default setting.
Exclude the Microsoft Password Credential Provider = Not configured
Exclude the RSA Credential Provider for disconnect auth = Not configured
Exclude the RSA Smart Card Credential Provider = Not configured
Exclude the Third-party Credential Providers = Enabled
https://community.rsa.com/docs/DOC-46090

As a whole, it should be viable to answer the query.
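The accepted solution relies on two things being true on the workstation: both the smartcard and the OTP credential providers are registered, and neither is hidden by an exclusion policy or a third-party filter. The script below is an added example, not code from the thread or from RSA; it inventories the registered credential providers and filters from the documented Windows registry locations and reports which CLSIDs the built-in "Exclude credential providers" policy (HKLM\SOFTWARE\Policies\Microsoft\Windows\System, value ExcludedCredentialProviders) removes. The RSA-specific policy values from the gpedit path above are vendor ADMX settings and are not modelled here; the CLSIDs of the RSA providers are whatever their installer registers, so the script resolves names from the registry rather than hardcoding them.

```powershell
# Added example (not from the thread or RSA). Run elevated on the workstation.
# Lists every registered credential provider and provider filter, and flags the
# providers excluded by the Microsoft "Exclude credential providers" policy.

$ProvidersKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers'
$FiltersKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Provider Filters'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$PolicyValue  = 'ExcludedCredentialProviders'   # comma-separated CLSIDs, REG_SZ

function Get-ExcludedProviderClsids {
    # Returns the CLSIDs named in the exclusion policy, normalised to upper case.
    $p = Get-ItemProperty -Path $PolicyKey -Name $PolicyValue -ErrorAction SilentlyContinue
    if (-not $p -or -not $p.$PolicyValue) { return @() }
    return @($p.$PolicyValue -split ',' | ForEach-Object { $_.Trim().ToUpperInvariant() } | Where-Object { $_ })
}

function Resolve-ComClass {
    # Friendly name and implementing DLL of a COM class, looked up under HKCR\CLSID.
    param([string]$Clsid)
    $base = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    [pscustomobject]@{
        Name = (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue).'(default)'
        Dll  = (Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
    }
}

function Get-CredentialProviderInventory {
    # One object per registered provider; Excluded is true when the policy hides it.
    $excluded = Get-ExcludedProviderClsids
    Get-ChildItem -Path $ProvidersKey -ErrorAction Stop | ForEach-Object {
        $clsid = $_.PSChildName
        # The provider subkey's default value is the name the logon UI uses; fall back to the COM class name.
        $name  = (Get-ItemProperty -Path $_.PSPath).'(default)'
        $com   = Resolve-ComClass -Clsid $clsid
        if (-not $name) { $name = $com.Name }
        [pscustomobject]@{
            CLSID    = $clsid
            Name     = $name
            Dll      = $com.Dll
            Excluded = ($excluded -contains $clsid.ToUpperInvariant())
        }
    }
}

function Get-CredentialProviderFilters {
    # Filters (e.g. a vendor's "Credential Provider Filter") can hide tiles regardless of the policy,
    # so list them too: an unexpected filter DLL explains a missing smartcard or OTP tile.
    if (-not (Test-Path $FiltersKey)) { return @() }
    Get-ChildItem -Path $FiltersKey | ForEach-Object {
        $com = Resolve-ComClass -Clsid $_.PSChildName
        [pscustomobject]@{ CLSID = $_.PSChildName; Name = $com.Name; Dll = $com.Dll }
    }
}

function Add-ExcludedCredentialProvider {
    # Appends a CLSID to the exclusion policy value (creating the key if needed). Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Clsid)
    $current = Get-ExcludedProviderClsids
    if ($current -contains $Clsid.ToUpperInvariant()) { return }
    $new = (@($current) + $Clsid) -join ','
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$PolicyValue", "set to '$new'")) {
        if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
        Set-ItemProperty -Path $PolicyKey -Name $PolicyValue -Value $new -Type String
    }
}

# Usage: show what the logon screen can offer, then which filters sit in front of it.
Get-CredentialProviderInventory | Sort-Object Name | Format-Table -AutoSize
Get-CredentialProviderFilters   | Format-Table -AutoSize
```

For the "either smartcard or token" outcome described above, the inventory should show both vendor providers with Excluded = $false and no filter that hides one of them; if a tile is missing on the logon screen, the filter list is the first place to look, because a filter removes tiles without touching the Microsoft exclusion policy. The Add-ExcludedCredentialProvider helper is the scripted equivalent of the built-in "Exclude credential providers" group policy, not of the RSA-specific settings, and it writes to HKLM, so run it with -WhatIf first.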
 
LVL 61

Expert Comment

by:btan
Can I suggest that the below are considered for the solution.
http://#ID:41704627 (tile-based selection by user)
http://#ID:39737492 (another means, using a proxy to manage which login approach)
http://#ID:39743465 (another form factor)

This is in the understanding that it is not asking for multifactor authentication, e.g. not to restrict only to a 2nd factor, as well as not asking for HA configuration, but more that the user is able to use either smartcard or token, if I read it correctly.