This document describes how to integrate Microsoft DirectAccess on Windows Server 2012, configured for remote access, with HOTPin one-time password (OTP) authentication.
DirectAccess in Windows Server 2012 helps IT offer users seamless, more secure access to corporate data from virtually any Internet connection.
HOTPin provides two-factor, strong authentication for remote access and cloud solutions (such as SSL VPN, IPSec VPN and Web authentication) from any device, without the complication of deploying hardware tokens or smartcards.
Two-factor authentication combines something you know (your PIN) with something you have: the device on which you receive the one-time passcode (phone app, SMS, email or HOTPin desktop software).
HOTPin is designed to be easy to deploy and use. It integrates directly with Microsoft Active Directory and removes the need for a separate user security database. HOTPin consists of two core elements: a RADIUS server and an authentication server. The authentication server queries LDAP or Active Directory in real time. All notes in this integration guide assume this deployment model.
The equipment used for the integration is listed below:
- Celestix DAX appliance
- HOTPin HSA or HOTPin Software
- Enterprise Certificate Authority Server
It is expected that DirectAccess 2012 has already been configured and is working correctly before OTP is added. The example DirectAccess infrastructure used in the following steps includes a DirectAccess server (EDGE1), an enterprise CA and a test client (CLIENT) on the external subnet.
To create and deploy a certificate template used to sign OTP certificate requests. The DirectAccess server enrolls a certificate from this template and uses it, as a registration authority, to sign the OTP logon certificate requests it submits on behalf of users; only the DirectAccess server should be able to enroll it.
- On the Start screen, type certtmpl.msc, and then press ENTER.
- In the Certificate Templates Console, in the details pane, right-click the Computer template, and click Duplicate Template.
- On the Properties of New Template dialog box, on the Compatibility tab, in the Certification Authority list, click Windows Server 2012, and in the Resulting changes dialog box click OK. In the Certificate recipient list click Windows 8 / Windows Server 2012, and in the Resulting changes dialog box click OK.
- On the Properties of New Template dialog box, click the General tab.
- On the General tab, in Template display name, type DAOTPRA. Set the Validity period to 2 days, and set the Renewal Period to 1 day. If the Certificate Templates warning is displayed, click OK.
- Click the Security tab, and then click Add.
- On the Select Users, Computers, Service Accounts, or Groups dialog box, click Object Types. On the Object Types dialog box, select Computers, and then click OK. In the Enter the object names to select box, type EDGE1 (the DirectAccess server), click OK, and in the Allow column, select the Read, Enroll, and Autoenroll check boxes. Click Authenticated Users, select the Read check box under the Allow column, and clear all other check boxes. Click Domain Computers, and clear Enroll under the Allow column, so that no computer other than EDGE1 can obtain a signing certificate. Click Domain Admins and Enterprise Admins and select Full Control under the Allow column for both. Click Apply.
- Click the Subject Name tab, and then click Build from this Active Directory information. In the Subject name format: list select DNS name, make sure that the DNS name box is checked, and click Apply.
- Click the Extensions tab, select Application Policies and then click Edit. Remove all existing application policies. Click Add, and on the Add Application Policy dialog box, click New, enter DA OTP RA in the Name: field and 1.3.6.1.4.1.311.81.1.1 (the Microsoft DirectAccess OTP registration authority policy OID) in the Object identifier: field, and click OK. On the Add Application Policy dialog box, click OK. On the Edit Application Policies Extension dialog box, click OK. On the Properties of New Template dialog box, click OK.
To create and deploy a certificate template for OTP certificates issued by the corporate CA
- In the Certificate Templates Console, in the details pane, right-click the Smartcard Logon template, and click Duplicate Template.
- On the Properties of New Template dialog box, on the Compatibility tab, in the Certification Authority list, click Windows Server 2012, and in the Resulting changes dialog box, click OK. In the Certificate recipient list click Windows 8 / Windows Server 2012, and in the Resulting changes dialog box click OK.
- On the Properties of New Template dialog box, click the General tab.
- On the General tab, in Template display name, type DAOTPLogon. In Validity period, select hours in the drop-down list (click OK on the Certificate Templates dialog box if it appears) and make sure that the number of hours is set to 1. In Renewal period, type 0. The OTP logon certificate is deliberately short-lived: it is issued for a single logon and is never renewed.
Note: If the CA server is a Windows Server 2003 computer, the template must be configured on a different computer, because a validity period in hours cannot be set on Windows versions prior to Windows Server 2008 / Windows Vista. If the computer you use to configure the template does not have the Certification Authority role installed, or it is a client computer, you may need to install the Certificate Templates snap-in. For more information see http://technet.microsoft.com/en-us/library/cc732445.aspx
- Click the Security tab, select Authenticated Users, and in the Allow column select the Read and Enroll check boxes only (users must be able to enroll OTP logon certificates, but must not have Full Control of the template). Click Domain Admins and Enterprise Admins, and select Full Control under the Allow column for both. Click Apply.
- Click the Subject Name tab, and then click Build from this Active Directory information. In the Subject name format: list select Fully distinguished name, make sure that the User principal name (UPN) box is checked, and click Apply.
- Click the Server tab, select the Do not store certificates and requests in the CA database check box (these certificates are issued every logon and expire within an hour, so they would only fill the database; this setting is why DBFLAGS_ENABLEVOLATILEREQUESTS is enabled on the CA below), clear the Do not include revocation information in issued certificates check box, and then on the Properties of New Template dialog box, click Apply.
- Click the Issuance Requirements tab, select the This number of authorized signatures: check box, and set the value to 1. In the Policy type required in signature: list select Application policy, and in the Application policy list select DA OTP RA. This ensures the CA issues OTP logon certificates only for requests signed by the DirectAccess server's DAOTPRA certificate, so a user cannot request one directly. On the Properties of New Template dialog box, click OK.
- Click the Extensions tab, and on Application Policies click Edit. Delete Client Authentication, keep SmartCardLogon, and click OK twice.
- Close the Certificate Templates Console.
- On the Start screen, type certsrv.msc, and then press ENTER.
- In the Certification Authority console tree, expand corp-APP1-CA-1, click Certificate Templates, right-click Certificate Templates, point to New, and click Certificate Template to Issue.
- In the list of certificate templates, click DAOTPRA and DAOTPLogon, and click OK.
- In the details pane of the console you should see the DAOTPRA certificate template with an Intended Purpose of DA OTP RA and the DAOTPLogon certificate template with an Intended Purpose of Smart Card Logon (Client Authentication was removed from the template in the previous procedure).
- Close the Certification Authority console.
- On the CA server, open an elevated command prompt. Type certutil.exe -setreg DBFlags +DBFLAGS_ENABLEVOLATILEREQUESTS and press ENTER. This allows the CA to issue certificates from a template configured with Do not store certificates and requests in the CA database.
- The registry change takes effect only after the CA service is restarted: type net stop certsvc and press ENTER, then type net start certsvc and press ENTER.
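The following PowerShell script is added to this guide as a verification step; it is not part of the Celestix or Microsoft documentation. It reads the two templates back from the Active Directory configuration partition and checks the settings the procedure above relies on: the DAOTPRA template carries only the DA OTP RA policy and cannot be enrolled by Authenticated Users, and the DAOTPLogon template has a one-hour validity, requires one signature with the DA OTP RA policy, has Smart Card Logon but not Client Authentication, and grants Authenticated Users no Full Control. It assumes the ActiveDirectory RSAT module, an elevated domain session, the template names used above, the OID 1.3.6.1.4.1.311.81.1.1, and (for the certutil checks) that it runs on the CA itself.

```powershell
# Added verification script (not from the original guide). Assumes the ActiveDirectory module,
# an elevated domain-joined session, and that the certutil checks run on the CA server.
Import-Module ActiveDirectory

$DaOtpRaOid        = '1.3.6.1.4.1.311.81.1.1'   # DA OTP RA application policy created on DAOTPRA
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'   # Smart Card Logon EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'        # Client Authentication EKU (removed from DAOTPLogon)
$EnrollRightGuid   = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'   # Certificate-Enrollment extended right
$AuthUsers         = 'NT AUTHORITY\Authenticated Users'

# pKIExpirationPeriod / pKIOverlapPeriod are stored as a negative count of 100 ns ticks (little-endian int64)
function ConvertTo-TemplatePeriod([byte[]]$Bytes) {
    [TimeSpan]::FromTicks(-[BitConverter]::ToInt64($Bytes, 0))
}

# Fetch a template object by display name from CN=Certificate Templates in the configuration partition
function Get-PkiTemplate([string]$DisplayName) {
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -Filter "displayName -eq '$DisplayName'" -Properties displayName, `
        'msPKI-Certificate-Application-Policy', 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies', `
        pKIExpirationPeriod, pKIOverlapPeriod, nTSecurityDescriptor
}

# Allow ACEs on a template for one identity
function Get-TemplateAces($Template, [string]$Identity) {
    $Template.nTSecurityDescriptor.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow'
    }
}

function Test-DaOtpTemplates {
    $findings = @()
    $ra    = Get-PkiTemplate 'DAOTPRA'
    $logon = Get-PkiTemplate 'DAOTPLogon'
    if (-not $ra)    { $findings += 'DAOTPRA template not found in AD' }
    if (-not $logon) { $findings += 'DAOTPLogon template not found in AD' }
    if ($findings)   { return $findings }

    # RA template: only the DA OTP RA policy, and Authenticated Users must have neither Enroll nor Full Control
    if (Compare-Object @($ra.'msPKI-Certificate-Application-Policy') @($DaOtpRaOid)) {
        $findings += "DAOTPRA: application policies should be only $DaOtpRaOid"
    }
    foreach ($ace in Get-TemplateAces $ra $AuthUsers) {
        if ($ace.ActiveDirectoryRights.HasFlag([DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $findings += 'DAOTPRA: Authenticated Users have Full Control'
        }
        if ($ace.ObjectType -eq $EnrollRightGuid) {
            $findings += 'DAOTPRA: Authenticated Users can enroll; only the DirectAccess server should'
        }
    }

    # Logon template: 1 hour validity, one RA signature with the DA OTP RA policy, Smart Card Logon only
    $validity = ConvertTo-TemplatePeriod $logon.pKIExpirationPeriod
    if ($validity.TotalHours -gt 1) { $findings += "DAOTPLogon: validity is $validity, expected 1 hour" }
    if ($logon.'msPKI-RA-Signature' -ne 1) { $findings += 'DAOTPLogon: issuance should require 1 authorized signature' }
    if ("$($logon.'msPKI-RA-Application-Policies')" -notmatch [regex]::Escape($DaOtpRaOid)) {
        $findings += 'DAOTPLogon: the required signature must carry the DA OTP RA application policy'
    }
    $eku = @($logon.'msPKI-Certificate-Application-Policy')
    if ($eku -notcontains $SmartCardLogonOid) { $findings += 'DAOTPLogon: Smart Card Logon policy is missing' }
    if ($eku -contains $ClientAuthOid)        { $findings += 'DAOTPLogon: Client Authentication policy should be removed' }
    foreach ($ace in Get-TemplateAces $logon $AuthUsers) {
        if ($ace.ActiveDirectoryRights.HasFlag([DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            $findings += 'DAOTPLogon: Authenticated Users have Full Control'
        }
    }
    $findings
}

# CA-side checks: both templates are published for issuance and volatile requests are enabled
function Test-DaOtpCa {
    $findings  = @()
    $published = certutil -CATemplates | Out-String
    foreach ($name in 'DAOTPRA', 'DAOTPLogon') {
        if ($published -notmatch "\b$name\b") { $findings += "CA is not issuing template $name" }
    }
    if ((certutil -getreg DBFlags | Out-String) -notmatch 'DBFLAGS_ENABLEVOLATILEREQUESTS') {
        $findings += 'DBFlags: DBFLAGS_ENABLEVOLATILEREQUESTS is not set (or certsvc was not restarted)'
    }
    $findings
}

$all = @(Test-DaOtpTemplates) + @(Test-DaOtpCa)
if ($all) { $all | ForEach-Object { Write-Warning $_ } } else { 'OTP templates and CA settings look correct.' }
```

Run it after the certsvc restart; an empty result means the templates match the procedure. The two ACL checks are the ones worth keeping in a change-control script, because a later "helpful" edit that grants Authenticated Users Enroll on DAOTPRA would let any domain user obtain a signing certificate and issue OTP logon certificates without a one-time password.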
Configure HOTPin Server.
- In the HOTPin Console, click Users, and then click New.
- Create a user named DAProbeUser. Any PIN can be set. This account exists only for the DirectAccess OTP health probe and should not be used for anything else.
- Configure the DirectAccess server as a RADIUS client on HOTPin and note the shared secret; the same secret is entered for the OTP RADIUS server in the DirectAccess configuration below.
Configure the DirectAccess server to support OTP authentication
Use this procedure to configure OTP for DirectAccess, and verify the configuration.
Configure OTP for DirectAccess
- On the DirectAccess server, open Server Manager, and click REMOTE ACCESS in the left pane.
- Right-click DAServer in the SERVERS pane, and select Remote Access Management.
- Click Configuration.
- In the DirectAccess Setup window, under Step 2 – Remote Access Server, click Edit.
- Click Next three times, and in the Authentication section select Two factor authentication and Use OTP, and ensure that Use computer certificates is checked. Verify that the root CA is set to CN=corp-APP-CA. Click Next.
- In the OTP RADIUS Server section, double-click the blank Server Name field.
- In the Add a RADIUS Server dialog, type HOTPin in the Server name field. Click Change next to the Shared secret field, and in the New secret and Confirm new secret fields type the same shared secret that you used when configuring the RADIUS client on the HOTPin server. Click OK twice, and click Next.
Note: If the RADIUS server is in a domain that is different than the Remote Access server, then the Server Name field must specify the FQDN of the RADIUS server.
- In the OTP CA Servers section select APP.corp.contoso.com, and click Add. Click Next.
- On the OTP Certificate Templates page click Browse to select the certificate template used to enroll the certificates issued for OTP authentication, and on the Certificate Templates dialog box select DAOTPLogon. Click OK. Click Browse to select the certificate template used to enroll the certificate with which the Remote Access server signs OTP certificate enrollment requests, and on the Certificate Templates dialog box select DAOTPRA. Click OK. Click Next.
- On the Remote Access Server Setup page click Finish, and click Finish on the DirectAccess Expert Wizard.
- On the Remote Access Review dialog box click Apply, wait for the DirectAccess policy to be updated, and click Close.
- On the Start screen, type powershell.exe, right-click powershell, click Advanced, and click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
- In the Windows PowerShell window, type gpupdate /force and press ENTER.
- Close and reopen the Remote Access Management Console and verify that all OTP settings are correct.
Adding remote management server
In Step 3 (Infrastructure Servers) of the DirectAccess configuration, ensure that the enterprise CA is included in the management servers list. Clients enroll the short-lived OTP logon certificate over the infrastructure tunnel, before the user tunnel exists, so the CA must be reachable through that tunnel; if it is not, the OTP prompt will fail even though the RADIUS side is working.
Verify OTP Health on EDGE1 using DirectAccess Server Health Monitoring
- On EDGE1, open the Remote Access Management console.
- Click Operations Status.
- Verify that the status of OTP is Working.
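The following PowerShell script is an added example, not part of the original guide, that performs the same configuration as the wizard steps above with the RemoteAccess module and then checks the result the way the Operations Status page does. Names are assumptions for illustration: the HOTPin RADIUS host hotpin.corp.contoso.com (an FQDN, which is required when HOTPin is in a different domain from the Remote Access server), the CA given as host\CA name, and the property names returned by Get-DAOtpAuthentication. The template names DAOTPLogon and DAOTPRA are the ones created earlier. Run it elevated on the DirectAccess server after the certificate templates and the HOTPin RADIUS client exist.

```powershell
# Added example (not from the original guide): DirectAccess OTP configuration and checks via the
# RemoteAccess module. Assumed names: hotpin.corp.contoso.com, APP1.corp.contoso.com\corp-APP1-CA-1.
Import-Module RemoteAccess

$RadiusServer = 'hotpin.corp.contoso.com'        # assumed HOTPin RADIUS host (FQDN)
$CaHost       = 'APP1.corp.contoso.com'          # assumed CA host name
$CaServer     = "$CaHost\corp-APP1-CA-1"         # assumed 'host\CA name' form

function Set-DaOtpWithHotpin {
    # Read the shared secret interactively so it is not left in the script or the shell history;
    # it must match the secret configured for the RADIUS client entry on the HOTPin server.
    $secure = Read-Host -Prompt 'HOTPin RADIUS shared secret' -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $secret = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # OTP RADIUS Server section of the wizard
    Add-RemoteAccessRadius -ServerName $RadiusServer -SharedSecret $secret -Purpose Otp

    # Authentication, OTP CA Servers and OTP Certificate Templates sections
    Set-DAOtpAuthentication -Enable -CAServers $CaServer `
        -CertificateTemplateName 'DAOTPLogon' -SigningCertificateTemplateName 'DAOTPRA'

    # Step 3 (Infrastructure Servers): clients enroll the OTP logon certificate through the
    # infrastructure tunnel before the user tunnel exists, so the CA must be a management server.
    Add-DAMgmtServer -Name $CaHost

    # The settings are delivered by Group Policy; refresh it on the server as the wizard step does
    gpupdate /force | Out-Null
}

# Returns a list of findings; an empty list means the configuration matches the procedure
function Test-DaOtp {
    $findings = @()
    $otp = Get-DAOtpAuthentication
    if ($otp.OtpStatus -ne 'Enabled') { $findings += 'OTP authentication is not enabled' }
    if ($otp.CertificateTemplateName -ne 'DAOTPLogon') {
        $findings += "OTP logon template is '$($otp.CertificateTemplateName)', expected DAOTPLogon"
    }
    if ($otp.SigningCertificateTemplateName -ne 'DAOTPRA') {
        $findings += "OTP signing template is '$($otp.SigningCertificateTemplateName)', expected DAOTPRA"
    }
    if (-not (Get-RemoteAccessRadius -Purpose Otp | Where-Object ServerName -eq $RadiusServer)) {
        $findings += "No OTP RADIUS server entry for $RadiusServer"
    }
    if ((Get-DAMgmtServer | Out-String) -notmatch [regex]::Escape($CaHost)) {
        $findings += "$CaHost is not in the management servers list; OTP certificate enrollment will fail"
    }
    # Same data as Operations Status; the OTP component probes the RADIUS server using the DAProbeUser account
    $health = Get-RemoteAccessHealth | Where-Object Component -like '*OTP*'
    if (-not $health -or $health.HealthState -ne 'Ok') {
        $findings += "OTP health state is '$($health.HealthState)', expected Ok"
    }
    $findings
}

Set-DaOtpWithHotpin
$result = Test-DaOtp
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'DirectAccess OTP configuration verified.' }
```

Test-DaOtp can be run on its own after the wizard-based configuration as well. A healthy OTP component only proves the RADIUS probe and CA are reachable; an end-to-end logon from the external client, as in the next procedure, is still needed to confirm that certificate enrollment and the HOTPin PIN plus passcode check work together.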
To test OTP functionality from the External subnet on CLIENT
- On CLIENT, make sure that you are logged on as a valid domain user account.
- Click the Network connections icon in the notification area to open the network connections list.
- Click Workplace Connection (or whatever name was specified in the DirectAccess configuration), and click Continue.
- Press Ctrl+Alt+Delete, and click the One-time password (OTP) tile.
- Enter your PIN and OTP and click OK. Wait for authentication to complete. The DirectAccess Workplace Connection status changes to Connected. If the OTP tile does not appear, check that the infrastructure tunnel is up and that the CA is reachable as a management server, since the client must enroll the OTP logon certificate before the user tunnel can be established.
- Access any published application or intranet resource to verify connection to corporate resources.