NSD1180 How to Install Pledge Enrollment on Microsoft IIS 6.0 Web Server

Fact
● Nordic Edge One Time Password Server
● Nordic Edge Pledge Client
● Microsoft IIS 6.0
● Revision History

Situation
This article describes the two different scenarios for enrolling users into the Pledge system:
● Self Service
● Centralized Administration, typically an IT service desk

Self service and centralized administration can be configured for a single profile or for multiple profiles.

When is it necessary to enable multiple profile support? When end users have more than one device, multiple profile support should be enabled, for example when a person has two different cellular phones, or uses Pledge on a cellular phone and Pledge on a PC. Multiple profile support is available from OTP Server version 3 and later.

Prerequisites
● Microsoft IIS 6.0
● Microsoft .NET Framework 2.0 or later
● The Pledge client (available at http://www.securethecloud.com/pledge/downloading-pledge/)
● Nordic Edge One Time Password Server, configured for Pledge Enrollment (NSD1172)
● A Nordic Edge Pledge Web Services account and password
● Download PledgeEnrollment.zip (ver 1.4)

Install and Configure the Pledge Enrollment Web Application on IIS 6.0
Follow the installation steps below:
● Extract the file “PledgeEnrollment.zip” to an appropriate location on your hard drive, for instance [drive:]/Inetpub/wwwroot/PledgeEnrollment
● Open Internet Information Services (IIS) Manager to add the application to an existing web site
● Right-click an existing Web Site and select New > Virtual Directory…
● Click Next >
● Enter an Alias
● Click Next >
● Enter your application path
● Click Next >
● Set the permissions Read, Run scripts (such as ASP) and Execute (such as ISAPI applications or CGI)
● Click Next >
● Click Finish
● Now right-click the Pledge Enrollment Virtual Directory in the IIS Manager and choose Properties
● Change the ASP.NET version to 2.0.x
● Click OK
● Restart IIS (run iisreset from a command line)

Configure Web.config - Configuration File for the Pledge Enrollment Web Application
● Open the XML file [drive:]/Inetpub/wwwroot/PledgeEnrollment/Web.config with Notepad.exe or any other editor. Change the variable values to match your environment.

Action        Variable                     Value                          Note
Keep/modify   otpServerHostaddress         "localhost"                    The OTP Server IP address
Keep/modify   otpServerPortNumber          "3100"                         The OTP Server port number
Keep/modify   attributeContainingOATHKey   "carLicense"                   The name of the attribute that contains the Pledge key in the user database
Keep          addKeyPrefix                 "0x"                           Use "0x" for backwards compatible mode with older versions of the OTP Server
Keep/modify   multipleProfileSupport       "false"                        True enables support for multiple profiles
Keep/modify   nativeClientName             ""                             Used to communicate the name of a native client to One Time Password Server via a Nordic Edge API
Modify        pledgeWSUserAccount          "pledgeUserAccount"            The Nordic Edge Pledge Factory Web Service user name
Modify        pledgeWSUserPassword         "pledgeUserAccountPassword"    The Nordic Edge Pledge Factory Web Service password
Keep/modify   groupAttributeName           "memberOf"                     The LDAP attribute name that contains the group or role value (memberOf for AD)
Keep/modify   supportGroupName             "Domain Admins"                The value of a CN that contains the support group. Must be the CN value
Keep/modify   proxyURLport                 ""                             URL and port number of the proxy server, e.g. http://proxy.company.com:3128
Keep/modify   proxyUser                    ""                             Proxy user name (if any)
Keep/modify   proxyPassword                ""                             Password for the proxy user name
Keep/modify   proxyDomain                  ""                             Proxy domain

<appSettings>
  <!--OTP Server Configuration-->
  <add key="otpServerHostaddress" value="localhost"/> <!--The OTP server IP address-->
  <add key="otpServerPortNumber" value="3100"/> <!--The OTP Server port number-->
  <add key="attributeContainingOATHKey" value="carLicense"/> <!--The name of the attribute that contains the Pledge key in the user database-->
  <add key="addKeyPrefix" value="0x"/> <!--Use 0x for backwards compatible mode with older versions of the OTP Server-->
  <add key="multipleProfileSupport" value="true"/> <!--True enables support for multiple profiles-->
  <add key="nativeClientName" value=""/> <!--Sets the native client name used by the OTP Server-->
  <!--Nordic Edge Pledge Web Services-->
  <add key="pledgeWSUserAccount" value="pledgeFactoryAccount"/> <!--The Nordic Edge Pledge factory Web service user name-->
  <add key="pledgeWSUserPassword" value="pledgeFactoryAccountPassword"/> <!--The Nordic Edge Pledge factory Web service password-->
  <!--Settings for Centralized Administration-->
  <add key="groupAttributeName" value="memberOf"/> <!--The LDAP attribute name that contains the group or role values (memberOf for AD).-->
  <add key="supportGroupName" value="Domain Admins"/> <!--The value of a CN that contains the support group. Must be the CN value-->
  <!--Proxy settings (to be configured if a proxy is used)-->
  <add key="proxyURLport" value=""/> <!--Example: value="http://proxy.company.com:3128"-->
  <add key="proxyUser" value=""/> <!--Example: value="proxyadmin"-->
  <add key="proxyPassword" value=""/> <!--Example: value="proxyPassword"-->
  <add key="proxyDomain" value=""/> <!--Example: value="proxyDomain"-->
</appSettings>

Language Settings (in Web.config)
In the section below, “en-US” is the selected language.
● If culture is set to “sv-SE” and uiCulture to “sv-SE”, the language is set to Swedish.
● If culture is set to “Auto” and uiCulture to “Auto”, the language is set by the browser language settings.
NOTE: With enableClientBasedCulture set to "true", the culture can be set by the browser.

<system.web>
  <!-- <globalization enableClientBasedCulture="true" culture="Auto" uiCulture="Auto"/> -->
  <!-- <globalization enableClientBasedCulture="true" culture="sv-SE" uiCulture="sv-SE"/> -->
  <globalization enableClientBasedCulture="true" culture="en-US" uiCulture="en-US"/>
</system.web>

Run the Pledge Enrollment Application
There are two different pages, one page for self service administration and another page for centralized administration. The centralized administration page is typically used by persons with administrator privileges to enroll users into the Pledge system.

To test run the Pledge Enrollment application:
● In IIS Manager: right-click Enroll.aspx and choose Browse

1. Scenario 1 - Self Service Enrollment
Users can enroll into the Pledge system with this page when they have been granted write permission to the LDAP attribute (configured in Web.config) containing the Pledge key. Fill in the form with user name and password. When a user has an old Pledge key (an old profile) and needs a new one, select “Overwrite existing key”.
Figure: The Enroll.aspx self service page
If multiple profile support is enabled, the following page will appear instead.
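The Web.config settings described above are plain key/value pairs, so a short check before the pages are first browsed catches the mistakes the table warns about: a full DN where supportGroupName needs the bare CN, a proxyURLport without its scheme, or a sample password left in place. The Python script below is an added example, not Nordic Edge code; the key names come from the article, while is_support_user() is this example's own reading of "Must be the CN value", since the article does not document how the application compares memberOf values.

```python
"""Sanity checks for a Pledge Enrollment Web.config (added example, not Nordic Edge code).
Assumes the appSettings keys from the article; is_support_user() is this example's own
reading of "Must be the CN value", as the real matching logic is not documented."""
import xml.etree.ElementTree as ET

# Constructed sample with two deliberate mistakes: a full DN instead of a bare CN,
# and a proxy value that lacks its http:// scheme.
SAMPLE_WEB_CONFIG = """<configuration><appSettings>
  <add key="otpServerHostaddress" value="localhost"/>
  <add key="otpServerPortNumber" value="3100"/>
  <add key="attributeContainingOATHKey" value="carLicense"/>
  <add key="addKeyPrefix" value="0x"/>
  <add key="multipleProfileSupport" value="true"/>
  <add key="pledgeWSUserAccount" value="pledgeFactoryAccount"/>
  <add key="pledgeWSUserPassword" value="S3cret-example-only"/>
  <add key="groupAttributeName" value="memberOf"/>
  <add key="supportGroupName" value="CN=Domain Admins,CN=Users,DC=corp,DC=example"/>
  <add key="proxyURLport" value="proxy.company.com:3128"/>
</appSettings></configuration>"""

REQUIRED = ("otpServerHostaddress", "otpServerPortNumber", "attributeContainingOATHKey",
            "addKeyPrefix", "multipleProfileSupport", "pledgeWSUserAccount",
            "pledgeWSUserPassword", "groupAttributeName", "supportGroupName")
SAMPLE_PASSWORDS = ("", "pledgeUserAccountPassword", "pledgeFactoryAccountPassword")  # article placeholders

def load_app_settings(xml_text):
    """Collect the <add key=... value=.../> pairs of appSettings into a dict."""
    root = ET.fromstring(xml_text)
    return {a.get("key"): a.get("value", "") for a in root.iter("add") if a.get("key")}

def check_settings(s):
    """Return a list of findings; an empty list means the checks pass."""
    out = [f"missing key: {k}" for k in REQUIRED if k not in s]
    if s.get("multipleProfileSupport", "").lower() not in ("true", "false"):
        out.append("multipleProfileSupport must be true or false")
    if s.get("pledgeWSUserPassword", "") in SAMPLE_PASSWORDS:
        out.append("pledgeWSUserPassword is empty or still the sample value")
    if "=" in s.get("supportGroupName", ""):
        out.append("supportGroupName must be the bare CN value, not a DN")
    proxy = s.get("proxyURLport", "")
    if proxy and not proxy.startswith("http://"):
        out.append("proxyURLport must include the scheme, e.g. http://proxy.company.com:3128")
    return out

def is_support_user(member_of, settings):
    """True if the leading CN of any memberOf DN equals supportGroupName (case-insensitive).
    Plain comma split: DNs with escaped commas in the CN are not handled."""
    wanted = settings.get("supportGroupName", "").strip().lower()
    cns = [dn.split(",")[0].partition("=")[2].strip().lower() for dn in member_of]
    return bool(wanted) and wanted in cns
```

Run check_settings(load_app_settings(open("Web.config").read())) against the real file; the constructed sample yields exactly the two findings its comment announces.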
Figure: The Enroll.aspx self service page with multiple profile support
Figure: The user self service result page, displaying the user name and the Pledge profile ID

2. Scenario 2 - Centralized Administration
Enter the administrator user name and password as well as the “Pledge user name”, which is the user account name of the person to enroll into the Pledge system.
Figure: The SupportEnroll.aspx administration page
If multiple profile support is enabled, the following page will appear instead.
Figure: The SupportEnroll.aspx administration page (with multiple profile support)
If the logon is successful, a Pledge profile ID is created (see below). Note that a new link, 'Create another Pledge profile', exists.
Figure: The admin result page displaying the user name and the Pledge profile ID.

Install and Test the Pledge Profile
To install the Pledge Profile:
● Launch the Pledge Client
● Add a new profile and enter the profile ID
● Enter your PIN code (verification needed)
After this is done, the new profile is ready to use. To verify the Pledge profile ID, use the following test page to generate a One-Time Password from your Pledge client:
Figure: The Pledge Profile Test page

Related Articles
NSD1172 Configuring One Time Password Server for Pledge Enrollment
NSD1173 Pledge Enrollment for Apache Tomcat
NSD1199 How to install Pledge Enrollment on Microsoft IIS 7.0 Web Server

Revision History
Pledge Enrollment 1.4, rev 4 - 10th January 2011
- Directory for aspx pages was changed to the root directory instead of the pages directory
- Installation guide now shows adding the application to an existing IIS web site (instead of creating a new IIS web site)
Pledge Enrollment 1.4, rev 3 - 23rd December 2010
- Language and terminology corrections have been performed in the application and in the solution document
Pledge Enrollment 1.4, rev 2 - 7th December 2010
- Default.aspx added
- Added VerifyUser.aspx. This page helps a service desk to confirm a user by phone. The user gives his Pledge OTP, which can be verified by the Service Desk
Pledge Enrollment 1.4, rev 1 - 7th November 2010
- Minor change: improved error handling added
Pledge Enrollment 1.4 - 20th August 2010
- Multikey support added
- New info images added
- Confirmation boxes added
- Added the option to set a native Client Name (for developers) in the web.config
Pledge Enrollment 1.3 - 8th April 2010
- Added proxy settings for proxy user, proxy user password and proxy domain
- NordicEdgePledgeEnrollment.dll renamed to NordicEdge.PledgeEnrollment.dll
Pledge Enrollment 1.2
- Version number 1.2 was never used
Pledge Enrollment 1.1
23rd February 2010
- NordicEdgeOTP.dll v. 1.2.2 replaced with v. 1.2.3 due to an issue with international characters in user name and password
3rd February 2010
- Error message corrected in SupportEnroll.aspx: the name of the administrator was displayed in the error message 'Profile already exist.' instead of the Pledge user name
18th November 2009
- Proxy functionality added
Pledge Enrollment 1.0
13th November 2009
- NSD documentation rewritten
- The PDF document "Nordic Edge - Pledge Enrollment MS DotNET 1.0.pdf" removed
October 2009
- Initial edition