So secure that the end user can't get in!
Some organizations use a security-hardened operating system image. Across the US government this is called applying a STIG. Recently I came across an interesting roadblock while working with a client to resolve a problem with a DoD CAC (smart card) in StoreFront. The user was presented with a message that they could not log in using the smart card.
Investigating the problem
StoreFront has new Delivery Services logs, which are found in the Windows Event Viewer. I have found them to be very helpful in troubleshooting StoreFront, and a welcome improvement over Web Interface. However, in this case there were not many references to the problem. I discovered the following when troubleshooting:
- Smart card authentication worked on the test.aspx page (CTX139201). However, this page reads only limited information from the certificate, by design.
- There was no error in the Delivery Services log.
- The logs showed the complete subject of the CAC. For a CAC, the SubjectAltName is what should be used to map the user to AD.
- Setting the StoreFront services to run as a domain administrator allowed smart card logon to work, but running them that way is not permitted.
Mapping a smart card user to AD
StoreFront performs the user mapping through a Kerberos extension called S4U (Service for User). To perform S4U, the account making the request must be a member of the Windows Authorization Access Group in AD. By default, the StoreFront services are set to run as Network Service, which means StoreFront uses the computer account. In some high-security environments with specific user-rights or group-membership restrictions, the StoreFront computer account is removed from this group, or prevented from becoming a member of it. The fact that running the StoreFront services as a domain administrator fixed the issue supported this as the probable cause.
Solving the problem
Examining the membership of the Windows Authorization Access Group showed that neither the StoreFront computer account nor any group of which it was a member had been added to the group. If the group's membership includes Authenticated Users, that covers any domain-joined computer account. Since there was only one StoreFront server in this environment, the customer resolved the problem by adding the StoreFront computer account to the group and resetting the StoreFront services to run as Network Service. In a larger environment, it would be advantageous to create an AD group for the StoreFront servers and add that group to the Windows Authorization Access Group, then update the StoreFront build documentation so the computer account is added to this group whenever a new server is created.
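The check and the fix described above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory RSAT module is installed, that the session runs on a domain-joined machine with rights to read and modify the groups, and that the StoreFront services can be recognized by a service name starting with "Citrix" (an assumption; adjust the filter for your build). The group name "StoreFront Servers" is a placeholder.

```powershell
# Added example (not from the original post): verify whether a StoreFront
# server's computer account reaches the Windows Authorization Access Group
# (directly, through nested groups, or via Authenticated Users), show which
# account the Citrix services run as, and apply the group-based fix.
Import-Module ActiveDirectory

$WaagName              = 'Windows Authorization Access Group'  # built-in group, SID S-1-5-32-560
$AuthenticatedUsersSid = 'S-1-5-11'                            # well-known SID

function Test-WaagMembership {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName -Properties memberOf
    $waag     = Get-ADGroup    -Identity $WaagName     -Properties member

    # Authenticated Users is stored as a foreign security principal whose
    # objectSid is S-1-5-11; its presence covers every domain-joined computer.
    foreach ($dn in $waag.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectSid
        if ($obj.objectSid.Value -eq $AuthenticatedUsersSid) {
            return 'member via Authenticated Users'
        }
    }

    # Walk memberOf upwards from the computer account to catch nested groups.
    # Note: memberOf does not include the primary group (Domain Computers).
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Queue'
    foreach ($dn in $computer.memberOf) { $queue.Enqueue($dn) }

    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        if (-not $seen.Add($dn)) { continue }            # already visited
        if ($dn -eq $waag.DistinguishedName) {
            if ($computer.memberOf -contains $dn) { return 'direct member' }
            return 'member via nested group'
        }
        $group = Get-ADGroup -Identity $dn -Properties memberOf
        foreach ($parent in $group.memberOf) { $queue.Enqueue($parent) }
    }
    return 'NOT a member (S4U will fail when running as Network Service)'
}

function Get-CitrixServiceAccount {
    # Shows the logon account of each Citrix service; expected: NT AUTHORITY\NetworkService.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.Name -like 'Citrix*' } |          # assumed naming; adjust as needed
        Select-Object Name, StartName, State
}

function Add-StoreFrontServerToWaag {
    # Fix for larger environments: one AD group for all StoreFront servers,
    # added once to the Windows Authorization Access Group.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$GroupName = 'StoreFront Servers'        # placeholder name
    )
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
    }
    Add-ADGroupMember -Identity $GroupName -Members (Get-ADComputer -Identity $ComputerName)
    if (-not ((Get-ADGroup -Identity $WaagName -Properties member).member -contains
              (Get-ADGroup -Identity $GroupName).DistinguishedName)) {
        Add-ADGroupMember -Identity $WaagName -Members (Get-ADGroup -Identity $GroupName)
    }
}

# Usage (server name is a placeholder):
# Test-WaagMembership -ComputerName 'SF01'
# Get-CitrixServiceAccount -ComputerName 'SF01'
# Add-StoreFrontServerToWaag -ComputerName 'SF01'
# Test-WaagMembership -ComputerName 'SF01'   # expect 'member via nested group'
```

Group membership is evaluated at logon, so after adding the computer account (or its group) the StoreFront server needs a reboot, or at least a restart of the services after the machine's Kerberos ticket has been refreshed, before S4U succeeds under Network Service.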
If you encounter other problems in your secure environment where StoreFront and smart cards are involved, please leave a comment and let me know.