NSD1180 How to Install Pledge Enrollment on Microsoft IIS 6.0 Web Server

Fact
● Nordic Edge One Time Password Server
● Nordic Edge Pledge Client
● Microsoft IIS 6.0
● Revision History
Situation
This article describes the two different scenarios for enrolling users into the Pledge system:
● Self Service
● Centralized Administration, typically an IT service desk
Self service and centralized administration can be configured for a single profile or for multiple profiles.
When is it necessary to enable multiple profile support? When end users have more than one device, multiple profile support should be enabled. For example, when a person has two different cellular phones, or when using Pledge on a cellular phone and Pledge on a PC.
Multiple profile support is available from OTP Server version 3 and later.
Prerequisites
● Microsoft IIS 6.0
● Microsoft .NET Framework 2.0 or later
● The Pledge client (available at http://www.securethecloud.com/pledge/downloading-pledge/)
● Nordic Edge One Time Password Server, configured for Pledge Enrollment (NSD1172)
● A Nordic Edge Pledge Web Services account and password
● Download PledgeEnrollment.zip (ver 1.4)
Install and Configure the Pledge Enrollment Web Application on IIS 6.0
Follow the installation steps below:
● Extract the file "PledgeEnrollment.zip" to an appropriate location on your hard drive, for instance [drive:]/Inetpub/wwwroot/PledgeEnrollment
● Open Internet Information Services (IIS) Manager to add the application to an existing web site
● Right-click an existing Web Site and select New > Virtual Directory…
● Click Next >
● Enter an Alias
● Click Next >
● Enter your application path
● Click Next >
● Set permissions Read, Run script (such as ASP) and Execute (such as ISAPI applications or CGI)
● Click Next >
● Click Finish
● Now, right-click the Pledge Enrollment Virtual Directory in the IIS Manager and choose Properties
● Change the ASP.NET version to 2.0.x
● Click OK
● Restart IIS (perform an iisreset from a command line)
Configure Web.config - Configuration File for the Pledge Enrollment Web Application
● Open the XML file [drive:]/Inetpub/wwwroot/PledgeEnrollment/Web.config with Notepad.exe or any other editor. Change the variable values to match your environment:
Action      | Variable                   | Value                       | Note
Keep/modify | otpServerHostaddress       | "localhost"                 | The OTP Server IP address
Keep/modify | otpServerPortNumber        | "3100"                      | The OTP Server port number
Keep/modify | attributeContainingOATHKey | "carLicense"                | The name of the attribute that contains the Pledge key in the user database
Keep        | addKeyPrefix               | "0x"                        | Use "0x" for backwards compatible mode with older versions of the OTP Server
Keep/modify | multipleProfileSupport     | "false"                     | True enables support for multiple profiles
Keep/modify | nativeClientName           | ""                          | Used to communicate the name of a native client to One Time Password Server via a Nordic Edge API
Modify      | pledgeWSUserAccount        | "pledgeUserAccount"         | The Nordic Edge Pledge Factory Web Service user name
Modify      | pledgeWSUserPassword       | "pledgeUserAccountPassword" | The Nordic Edge Pledge Factory Web Service password
Keep/modify | groupAttributeName         | "memberOf"                  | The LDAP attribute name that contains the group or role value (memberOf for AD)
Keep/modify | supportGroupName           | "Domain Admins"             | The value of the CN that contains the support group. Must be the CN value
Keep/modify | proxyURLport               | ""                          | URL and port number of the proxy server, e.g. http://proxy.company.com:3128
Keep/modify | proxyUser                  | ""                          | Proxy user name (if any)
Keep/modify | proxyPassword              | ""                          | Password for the proxy user name
Keep/modify | proxyDomain                | ""                          | Proxy domain
<appSettings>
    <!--OTP Server Configuration-->
    <add key="otpServerHostaddress" value="localhost"/> <!--The OTP server IP address-->
    <add key="otpServerPortNumber" value="3100"/> <!--The OTP Server port number-->
    <add key="attributeContainingOATHKey" value="carLicense"/> <!--The name of the attribute that contains the Pledge key in the user database-->
    <add key="addKeyPrefix" value="0x"/> <!--Use 0x for backwards compatible mode with older versions of the OTP Server-->
    <add key="multipleProfileSupport" value="true"/> <!--True enables support for multiple profiles-->
    <add key="nativeClientName" value=""/> <!--Sets the native client name used by the OTP Server-->
    <!--Nordic Edge Pledge Web Services-->
    <add key="pledgeWSUserAccount" value="pledgeFactoryAccount"/> <!--The Nordic Edge Pledge factory Web service user name-->
    <add key="pledgeWSUserPassword" value="pledgeFactoryAccountPassword"/> <!--The Nordic Edge Pledge factory Web service password-->
    <!--Settings for Centralized Administration-->
    <add key="groupAttributeName" value="memberOf"/> <!--The LDAP attribute name that contains the group or role values (memberOf for AD).-->
    <add key="supportGroupName" value="Domain Admins"/> <!--The value of the CN that contains the support group. Must be the CN value-->
    <!--Proxy settings (to be configured if a proxy is used)-->
    <add key="proxyURLport" value=""/> <!--Example: value="http://proxy.company.com:3128"-->
    <add key="proxyUser" value=""/> <!--Example: value="proxyadmin"-->
    <add key="proxyPassword" value=""/> <!--Example: value="proxyPassword"-->
    <add key="proxyDomain" value=""/> <!--Example: value="proxyDomain"-->
</appSettings>
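The table and the listing above describe every appSettings key the application reads, and two of them (pledgeWSUserAccount and pledgeWSUserPassword) are shipped with placeholder credentials that must be changed. The script below is an added example, not code from the Nordic Edge article or product: it parses the appSettings section of a Web.config and reports settings an operator would want to review before publishing the enrollment pages. The key names are the ones documented above; the expectations it encodes (shipped credential defaults must be replaced, otpServerPortNumber must be a valid TCP port, proxyURLport must be a full http://host:port URL, a non-empty supportGroupName is needed for centralized administration) and the "hardened" sample values are assumptions made for the example.

```python
"""Audit the <appSettings> of a Pledge Enrollment Web.config before go-live.

Added example; not code from the Nordic Edge article or product. Key names
follow the article; the checks themselves are assumptions about what an
operator would want flagged.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Credential values exactly as they appear in the shipped Web.config listing.
SHIPPED_CREDENTIAL_DEFAULTS = {
    "pledgeWSUserAccount": "pledgeFactoryAccount",
    "pledgeWSUserPassword": "pledgeFactoryAccountPassword",
}

# Every key the article documents; a file missing one is probably truncated.
DOCUMENTED_KEYS = (
    "otpServerHostaddress", "otpServerPortNumber", "attributeContainingOATHKey",
    "addKeyPrefix", "multipleProfileSupport", "nativeClientName",
    "pledgeWSUserAccount", "pledgeWSUserPassword", "groupAttributeName",
    "supportGroupName", "proxyURLport", "proxyUser", "proxyPassword",
    "proxyDomain",
)


def load_app_settings(xml_text: str) -> dict:
    """Return {key: value} for each <add key=... value=...> under <appSettings>."""
    root = ET.fromstring(xml_text)
    node = root if root.tag == "appSettings" else root.find(".//appSettings")
    if node is None:
        raise ValueError("no <appSettings> element in Web.config")
    return {a.get("key"): a.get("value", "")
            for a in node.findall("add") if a.get("key")}


def _is_http_url_with_port(url: str) -> bool:
    """True for http(s)://host:port; urlparse raises ValueError on a bad port."""
    try:
        p = urlparse(url)
        return p.scheme in ("http", "https") and bool(p.hostname) and p.port is not None
    except ValueError:
        return False


def check_app_settings(s: dict) -> list:
    """Return a list of findings; an empty list means nothing to flag."""
    findings = [f"missing key: {k}" for k in DOCUMENTED_KEYS if k not in s]
    for key, default in SHIPPED_CREDENTIAL_DEFAULTS.items():
        if s.get(key) == default:
            findings.append(f"{key} still has the shipped default value")
    port = s.get("otpServerPortNumber", "")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"otpServerPortNumber is not a valid TCP port: {port!r}")
    if s.get("addKeyPrefix", "") not in ("", "0x"):
        findings.append('addKeyPrefix should be "0x" (or empty), see the table above')
    if s.get("multipleProfileSupport", "").lower() not in ("true", "false"):
        findings.append('multipleProfileSupport must be "true" or "false"')
    proxy = s.get("proxyURLport", "")
    if proxy and not _is_http_url_with_port(proxy):
        findings.append(f"proxyURLport must look like http://host:port, got {proxy!r}")
    if s.get("proxyPassword") and not s.get("proxyUser"):
        findings.append("proxyPassword is set but proxyUser is empty")
    if not s.get("supportGroupName"):
        findings.append("supportGroupName is empty; centralized administration "
                        "cannot recognise service-desk users")
    return findings


def audit_web_config(xml_text: str) -> list:
    """Parse and check a Web.config (or just its <appSettings>) in one call."""
    return check_app_settings(load_app_settings(xml_text))


# Constructed sample: the <appSettings> block as listed in the article.
SHIPPED_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="otpServerHostaddress" value="localhost"/>
    <add key="otpServerPortNumber" value="3100"/>
    <add key="attributeContainingOATHKey" value="carLicense"/>
    <add key="addKeyPrefix" value="0x"/>
    <add key="multipleProfileSupport" value="true"/>
    <add key="nativeClientName" value=""/>
    <add key="pledgeWSUserAccount" value="pledgeFactoryAccount"/>
    <add key="pledgeWSUserPassword" value="pledgeFactoryAccountPassword"/>
    <add key="groupAttributeName" value="memberOf"/>
    <add key="supportGroupName" value="Domain Admins"/>
    <add key="proxyURLport" value=""/>
    <add key="proxyUser" value=""/>
    <add key="proxyPassword" value=""/>
    <add key="proxyDomain" value=""/>
  </appSettings>
</configuration>
"""

# Constructed sample: the same block after the operator replaced the shipped
# credentials (placeholder values, assumed) and configured the proxy.
HARDENED_WEB_CONFIG = (
    SHIPPED_WEB_CONFIG
    .replace('value="pledgeFactoryAccount"', 'value="svc-pledge-ws"')
    .replace('value="pledgeFactoryAccountPassword"', 'value="CHANGED-PLACEHOLDER"')
    .replace('key="proxyURLport" value=""', 'key="proxyURLport" value="http://proxy.company.com:3128"')
    .replace('key="proxyUser" value=""', 'key="proxyUser" value="proxyadmin"')
    .replace('key="proxyPassword" value=""', 'key="proxyPassword" value="CHANGED-PROXY-PW"')
)

if __name__ == "__main__":
    for name, cfg in (("shipped", SHIPPED_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(name, audit_web_config(cfg) or "OK")
```

Run it against the real file with audit_web_config(open(path).read()); the shipped listing yields two findings (both Web Service credentials are still the defaults), while the hardened sample yields none. Because the Web Service and proxy passwords sit in clear text in Web.config, the file's NTFS permissions deserve the same review as its contents.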
Language Settings (in Web.config)
In the section below, "en-US" is the selected language.
● If culture is set to "sv-SE" and uiCulture to "sv-SE", the language is set to Swedish.
● If culture is set to "Auto" and uiCulture to "Auto", the language is set by the browser language settings.
NOTE: When enableClientBasedCulture is set to "true", the culture is taken from the browser.
<system.web>
    <!-- <globalization enableClientBasedCulture="true" culture="Auto" uiCulture="Auto"/> -->
    <!-- <globalization enableClientBasedCulture="true" culture="sv-SE" uiCulture="sv-SE"/> -->
    <globalization enableClientBasedCulture="true" culture="en-US" uiCulture="en-US"/>
</system.web>
Run the Pledge Enrollment Application
There are two different pages, one page for self service administration and another page for centralized administration. The centralized administration page is typically used by persons having administrator privileges to enroll users into the Pledge system.
To test run the Pledge Enrollment application:
● In IIS Manager: Right-click Enroll.aspx and choose Browse
1. Scenario 1 - Self Service Enrollment
Users can enroll into the Pledge system with this page when they have been granted write permission on the LDAP attribute (configured in Web.config) containing the Pledge key.
Fill in the form with user name and password.
When a user has an old Pledge key (an old profile) and needs a new one, select "Overwrite existing key".
Figure: The Enroll.aspx self service page
If multiple profile support is enabled, the following page will appear instead.
Figure: The Enroll.aspx self service page with multiple profile support
Figure: The user self service result page, displaying the user name and the Pledge profile ID
2. Scenario 2 - Centralized Administration
Enter the administrator user name and password as well as the "Pledge user name", which is the user account name of the person to enroll into the Pledge system.
Figure: The SupportEnroll.aspx administration page
If multiple profile support is enabled, the following page will appear instead.
Figure: The SupportEnroll.aspx administration page (with multiple profile support)
If the logon is successful, a Pledge profile ID is created (see below). Note that a new link 'Create another Pledge profile' exists.
Figure: The admin result page displaying the user name and the Pledge profile ID.
Install and Test the Pledge Profile
To install the Pledge Profile:
● Launch the Pledge Client
● Add a new profile and enter the profile ID
● Enter your PIN code (verification needed)
After this is done, the new profile is ready to use.
To verify the Pledge profile ID, use the following test page to generate a One-Time Password from your Pledge client:
Figure: The Pledge Profile Test page
Related Articles
NSD1172 Configuring One Time Password Server for Pledge Enrollment
NSD1173 Pledge Enrollment for Apache Tomcat
NSD1199 How to install Pledge Enrollment on Microsoft IIS 7.0 Web Server
Revision History
Pledge Enrollment 1.4, rev 4
10th January 2011
- Directory for aspx pages was changed to the root directory instead of the pages directory
- Installation guide now shows adding the application to an existing IIS web site (instead of creating a new IIS web site)
Pledge Enrollment 1.4, rev 3
23rd December 2010
- Language and terminology corrections have been performed in the application and in the solution document
Pledge Enrollment 1.4, rev 2
7th December 2010
- Default.aspx added
- Added VerifyUser.aspx. This page helps a service desk to confirm a user by phone. The user gives his Pledge OTP, which can be verified by the Service Desk
Pledge Enrollment 1.4, rev 1
7th November 2010
- Minor change: Improved error handling added
Pledge Enrollment 1.4
20th August 2010
- Multikey support added
- New info images added
- Confirmation boxes added
- Added the option to set a native Client Name (for developers) in the web.config
Pledge Enrollment 1.3
8th April 2010
- Added proxy settings for proxyuser, proxyuser password and proxy domain.
- NordicEdgePledgeEnrollment.dll renamed to NordicEdge.PledgeEnrollment.dll
Pledge Enrollment 1.2
- Version number 1.2 was never used
Pledge Enrollment 1.1
23rd February 2010
- NordicEdgeOTP.dll v. 1.2.2 replaced with v. 1.2.3 due to an issue with international characters in user name and password
3rd February 2010
- Error message corrected in SupportEnroll.aspx: The name of the administrator was displayed in the error message 'Profile already exist.' instead of the Pledge user username
18th November 2009
- Proxy functionality added
Pledge Enrollment 1.0
13th November 2009
- NSD documentation rewritten
- The PDF document "Nordic Edge - Pledge Enrollment MS DotNET 1.0.pdf" removed
October 2009, initial edition