Contents
Introduction
Two-Factor Authentication
How RSA SecurID Works
RSA ACE/Server
RSA ACE/Agent
RSA SecurID Authenticators
MIS and RSA SecurID
Conclusion
Introduction
Microsoft® Mobile Information Server 2002 (MIS) provides secure access to
internal resources and services for wireless device users. Using MIS, your
company’s users can access resources, such as their Microsoft Exchange 2000
mailboxes, anywhere, anytime on a range of devices. The flexibility that MIS
provides, however, comes with the need for enhanced security for your corporate
intranet.
If you already deployed MIS or you plan to deploy MIS and you use
RSA ACE/Server to manage authentication policies for your network, you can use
the RSA SecurID solution to authenticate users who will use MIS to browse their
Exchange data with Outlook® Mobile Access.
This paper explains the RSA SecurID solution and describes how to use the
RSA SecurID solution to authenticate users to MIS servers on the intranet. This
paper covers the following topics:
• Two-factor authentication
• How RSA SecurID works
• RSA SecurID and MIS
• Issues with the wireless authentication process
• Deploying RSA SecurID with MIS
For MIS documentation, see http://www.microsoft.com/miserver/support/.
For RSA SecurID documentation, see http://www.rsasecurity.com/.
To benefit from using RSA ACE/Server and RSA SecurID with MIS, you must
have a thorough understanding of how RSA SecurID and MIS work together.
This paper assumes that you are familiar with standard MIS concepts and
deployment topologies and that you have a basic understanding of
RSA ACE/Server and RSA SecurID. If you are unfamiliar with MIS,
RSA ACE/Server, or RSA SecurID, review the product documentation for both
products before implementing the scenario described in this paper.
Two-Factor Authentication
RSA Security also offers the RSA SecurID authenticators for providing two-factor
authentication. RSA SecurID authenticators are hardware devices that a user uses
to receive an automatically generated access code—a set of constantly changing
numbers. Users enter the access code in combination with their assigned PIN to
gain access to internal networks. A user’s PIN combined with an RSA access code is
referred to as a passcode. Using passcodes to authenticate to a network or
resource is an acceptable substitute for smart card and PKI two-factor
authentication. This RSA SecurID solution is especially useful because the currently
available wireless devices, such as cell phones and personal digital assistants
(PDAs), do not offer PKI solutions for two-factor authentication. RSA provides
several different types of RSA SecurID authenticators. For more information about
the various RSA SecurID authenticators, visit the RSA Web site at
http://www.rsasecurity.com/products/securid/index.html.
How RSA SecurID Works
The RSA SecurID solution helps you manage authentication policies for your
internal network and enhance the security of your internal network authentication
process. To take advantage of the enhanced security offered by the RSA two-factor
authentication process, you must deploy an RSA ACE/Server computer and an
RSA ACE/Agent and then distribute the RSA SecurID authenticators to your users.
The RSA solution requires the following products:
• RSA ACE/Server
• RSA ACE/Agent
For more information about the products offered by RSA, see the RSA Web site at
http://www.rsasecurity.com/.
RSA ACE/Server
The RSA ACE/Server computer is an authentication server that manages the
authentication process for your users. For more information about RSA ACE/Server,
see the RSA Web site at
http://www.rsasecurity.com/products/securid/datasheets/dsace50.html.
If you already deployed an RSA ACE/Server computer in your organization, you can
easily add the remaining components of the RSA SecurID solution.
RSA ACE/Agent
When you use the RSA ACE/Agent to protect the In virtual directory, MIS performs
no authorization using the user alias. Access to the Web content is performed as
the configured access user, not as the individual user who authenticated using
RSA SecurID. However, the RSA SecurID solution ensures that only authenticated
users may get access to the Web content.
Important: You must select only the In, OMA, and OMA55 virtual
directories as the directories that you will protect with the
RSA ACE/Agent. If you select other MIS virtual directories, certain MIS
features, such as Server ActiveSync® and Outlook Mobile Access
notifications, will stop functioning.
RSA SecurID Authenticators
• Hardware tokens
• Software tokens
• Key fobs
• Smart cards
These hardware and software authenticators work with the RSA security products
to authenticate your users to your internal network or resource. For more
information about RSA SecurID authenticators, see the RSA Web site at
http://www.rsasecurity.com/products/securid/tokens.html.
MIS and RSA SecurID
MIS allows your users to access their Exchange information on Wireless Application
Protocol (WAP) devices. When your users authenticate on a WAP device, MIS
authenticates the user by verifying account information on the domain controllers.
When you deploy MIS, an important deployment step is to decide which security
topology to use for your wireless accounts. MIS allows several different security
topologies for WAP browsing. These security topologies allow you to create
auxiliary accounts for your users to browse Exchange data. When you deploy MIS
with RSA SecurID, you use a different installation procedure that does not require
you to specify a security topology. Instead, you use a special user account model
that uses the Access User account in conjunction with the account information on
the RSA ACE/Server computer you deployed in your organization.
With this Access User account model, a special user account called the Message
Processor handles browse requests. The Message Processor account has special
permissions to resources, such as Exchange mailboxes. For more information about
the Access User account and the various security topologies in MIS, see MIS Help.
When your users attempt to authenticate to an MIS server, the RSA ACE/Agent
checks to see if the authentication request contains a cookie with their
authenticated user account name. If the cookie is not present, the RSA ACE/Agent
prompts the user for his or her account name and passcode. After the user enters
the account name and passcode, the RSA ACE/Agent verifies this information with
the RSA ACE/Server computer. If the RSA ACE/Server computer authenticates the
user, the RSA ACE/Agent provides a cookie for the user to use.
Important: For RSA SecurID to work properly, the WAP gateway, the
carrier, and the devices that the users are using must support cookies.
2. RSA ACE/Agent checks for cookie: The RSA ACE/Agent receives a request
for a Web server; the RSA ACE/Agent checks for a cookie containing the user
name and passcode. If the cookie is not present, the user is prompted for a
user name and RSA SecurID passcode.
4. MIS server processes request: The MIS server takes the user name from
the cookie for the request and accesses the appropriate Exchange 2000
mailbox.
The RSA ACE/Server database, which contains the details of the user accounts
from Active Directory® directory service, provides the authentication. After the
RSA ACE/Server computer authenticates the user, the MIS server allows the user
to browse the Exchange data to which he or she requested access.
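The cookie-gated flow described above (passcode = PIN followed by the authenticator's tokencode, cookie check by the agent, verification against the ACE/Server, cookie issued on success, user name taken from the cookie by MIS) as an added Python simulation; this is not code from the paper or from RSA. The tokencode function is a constructed HMAC stand-in rather than RSA's own algorithm, and the user records, keys and the HMAC that protects the cookie's user name are assumptions made for the example.

```python
import hmac
import hashlib
from typing import Optional

# Constructed sample data for the simulation (not real SecurID seeds or PINs).
# ACE/Server side: user name -> (PIN, secret shared with that user's authenticator)
ACE_USERS = {"alice": ("4711", b"constructed-token-seed-alice")}
# ACE/Agent side: key that authenticates the cookie it issues (assumption, see lead-in)
COOKIE_KEY = b"constructed-agent-cookie-key"

def tokencode(seed: bytes, t: int, step: int = 60) -> str:
    """Stand-in for the authenticator's constantly changing code: a 6-digit value
    derived from the shared secret and the current time window (HMAC here;
    RSA's own algorithm is not reproduced)."""
    window = (t // step).to_bytes(8, "big")
    digest = hmac.new(seed, window, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def ace_server_verify(user: str, passcode: str, t: int) -> bool:
    """ACE/Server stub: the passcode must be the user's PIN followed by the
    tokencode valid at time t; unknown users and stale codes are rejected."""
    if user not in ACE_USERS:
        return False
    pin, seed = ACE_USERS[user]
    return hmac.compare_digest(passcode, pin + tokencode(seed, t))

def make_cookie(user: str) -> str:
    """Cookie naming the authenticated user. The MAC lets the agent detect a
    cookie whose user name was altered, since MIS trusts that name (step 4)."""
    mac = hmac.new(COOKIE_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"

def user_from_cookie(cookie: Optional[str]) -> Optional[str]:
    """Return the user name from an intact cookie, or None if absent or tampered."""
    if not cookie or ":" not in cookie:
        return None
    user, mac = cookie.rsplit(":", 1)
    expected = hmac.new(COOKIE_KEY, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(mac, expected) else None

def ace_agent(request: dict, t: int) -> dict:
    """ACE/Agent in front of a protected virtual directory.
    request keys (all optional): cookie, user, passcode.
    Returns {"status": "ok", "user": ...} when MIS may serve the request,
    {"status": "prompt"} to ask for name and passcode, or {"status": "denied"}."""
    user = user_from_cookie(request.get("cookie"))
    if user:                                   # cookie present and intact
        return {"status": "ok", "user": user}
    name, passcode = request.get("user"), request.get("passcode")
    if name and passcode:                      # credentials supplied after a prompt
        if ace_server_verify(name, passcode, t):
            return {"status": "ok", "user": name, "set_cookie": make_cookie(name)}
        return {"status": "denied"}
    return {"status": "prompt"}                # no cookie, no credentials
```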
Uninstall MIS
If you already deployed MIS in your organization, and you want to use
RSA SecurID, you must uninstall all of the MIS servers and any MIS components,
and then reinstall MIS using the RSA SecurID Setup option. You will no longer need
computers dedicated as domain controllers to hold special account information
because the RSA ACE/Server computer will contain and manage all the user
account information.
Important: You must close System Manager before you remove MIS
from a server. Uninstall will fail if System Manager is open when you try to
remove MIS.
When you reinstall MIS, Active Directory instance data, such as which security
topology you chose, will be replaced with the new information that is required for
the RSA SecurID Setup option.
If you already installed MIS in your network, proceed to the “Install MIS Using RSA
SecurID Setup” section later in this document.
Before you install MIS for the first time in your network, you must prepare your
network environment. To prepare your network environment, you must run MIS
ForestPrep and MIS DomainPrep. Running MIS ForestPrep updates Active Directory
with the schema changes and instance data that MIS requires. These changes are
permanent and cannot be undone. For more information about running ForestPrep,
see Mobile Information Server Help.
You also need to run MIS DomainPrep in every domain that will contain an MIS
server. Running MIS DomainPrep creates instance data for the domain, such as
system accounts and MIS security groups used at the domain level by MIS.
Note: DomainPrep will not recognize other security groups that might
have permission to modify the domain, such as Enterprise Administrators.
You must run DomainPrep as a user who is a member of the Domain
Admins security group.
After you run ForestPrep, you can run DomainPrep in every domain that will
contain an MIS server.
To run DomainPrep
1. Insert the Mobile Information Server 2002 CD into the computer’s CD-ROM
drive.
2. Open a command prompt: click Start, click Run, type CMD, and then press
ENTER.
3. At the command prompt, type e:\Setup /vDOMAINPREP=1, where e: is the
CD-ROM drive, and then press ENTER.
4. A dialog box appears that asks you to verify the domain update. Click OK to
update the domain.
5. On the ENTEVENTSOURCE Account page, in the Password box, type a
password that the ENTEVENTSOURCE account will use. Re-type the password in
the Confirm New Password box, and then click Next.
6. On the Message Processor page, in the Password box, type a password that
the Message Processor account will use. Re-type the password in the Confirm
New Password box, and then click Next.
7. On the HTTP Connectors page, in the Password box, type a password that
the HTTPConnector account will use. Re-type the password in the Confirm
New Password box, and then click Next.
8. When the Installation Wizard Completed page appears, click Finish.
9. In addition to running DomainPrep, you must add the Microsoft Mobility Admins
group to the Account Operators group in each domain that will have an MIS
server. After you run DomainPrep, add Microsoft Mobility Admins to the Account
Operators group in the domain.
After you prepare your Active Directory Forest and Domain, configure the
network as necessary for your deployment scenario. For more information
about how to configure your network environment, including topology
considerations; enabling support for Exchange 5.5; and securing your internal
network for browse, notification, and synchronization traffic, see Mobile
Information Server Help.
Install MIS Using RSA SecurID Setup
After you prepare your network environment, you can install MIS using the RSA
SecurID Setup option. Before you proceed with deploying MIS, make sure you have
a thorough understanding of the deployment options available with MIS Setup.
Because you will deploy MIS using the special RSA SecurID Setup, MIS Setup
assumes that you already deployed an RSA ACE/Server computer in your internal
network to manage your authentication policies.
Notes
• To use RSA SecurID with MIS, you must have an ACE/Server computer
already installed in your internal network.
• When you deploy MIS using the special RSA SecurID Setup, the only
option you will not have is which type of wireless accounts you will
use.
1. Insert the Mobile Information Server 2002 CD into the CD-ROM drive.
2. Open a command prompt: click Start, click Run, type CMD, and then press
ENTER.
5. On the Licensing Agreement page, read the End User License Agreement. If
you agree, select I accept the terms in the license agreement, and then
click Next.
6. On the per-seat Licensing Agreement page, if you accept the terms of the
license agreement, select I have read and accept the terms in the license
agreement, and then click Next.
7. On the Product Identification page, type the 25-digit CD key. You can find
the CD key on the back of the product CD case. Click Next.
8. On the Component Selection page, select the MIS components you want to
install. If you have previously deployed MIS, install the same components that
you used in your previous deployment.
11. If you see the HTTP Connectors page, in Password, type the password that
was specified for the HTTPConnector account during DomainPrep. The
HTTPConnector account is a system account used by MIS. Click Next.
MIS begins the installation process with the options you selected.
After you install the MIS server using RSA SecurID Setup, you must install the
RSA ACE/Agent on the MIS server for the RSA SecurID authenticators to work. The
RSA ACE/Agent v5.0 for Windows software uses the RSA ACE/Agent’s Web access
authentication to set RSA SecurID protection on the MIS resources (the In, OMA
and/or OMA55 virtual directories) that you make available to your users.
To access a free download or order a CD of the RSA ACE/Agent software, see the
RSA Security Inc. Web site at http://www.rsasecurity.com/go/win2000.html.
The RSA ACE/Agent is now installed on your MIS server. You must now configure
your MIS server to use the RSA ACE/Agent to protect the IIS virtual directories
that you want the RSA ACE/Agent to protect.
After you install the RSA ACE/Agent on the MIS server, you must activate the
RSA ACE/Agent to protect the IIS virtual directories that you will make available to
your users.
To activate the RSA ACE/Agent to protect the MIS IIS virtual directories
1. Log on to the MIS server with an account that has Administrator permissions on
the local computer.
2. In the Internet Services Manager Microsoft Management Console (MMC)
snap-in, right-click Default Web Site, click Properties, and then click the
RSA SecurID tab.
3. Click to select Enable RSA Web Access Authentication Feature set on this
server, and then click Apply.
4. Make sure that the Protect this resource check box is cleared, and then click
OK.
WARNING: Do not select Protect this resource. If you select this
check box, certain MIS features, such as Server ActiveSync and Outlook
Mobile Access notifications, will stop functioning.
5. Stop and restart the IIS Web publishing service.
If you want to protect the OMA55 and In virtual directories, follow the previous
procedure for both virtual directories.
After you protect the In, OMA, and OMA55 virtual directories, you can proceed
with configuring your MIS server as explained in the MIS product documentation.
To use the RSA SecurID authenticator to enter passcodes, your users must
understand how passcodes are generated so they can use the two-factor
authentication process. After you deploy the RSA ACE/Agent with MIS, distribute
the RSA SecurID authenticators and then describe in detail how users must use the
RSA SecurID authenticators to access MIS.
Instructions describing the logon process are included with the RSA ACE/Agent
software. The document is located in the following location:
%Systemroot%\system32\aceclnt\rsa.pin.doc
For more information about logging on with RSA SecurID authenticators, see the
online tutorial available at
http://www.rsasecurity.com/products/securid/demos/SecurIDTour/RSASecurIDTour.html
Conclusion
Using RSA SecurID with MIS greatly enhances the security of authenticating to a
network resource with WAP 1.x devices. When requests for information come in
from the Internet, the RSA ACE/Server, RSA ACE/Agent, and the MIS server work
together with the user, his or her device, and his or her RSA SecurID authenticator
to provide secure access to your internal network.
Combined with security solutions such as Secure Sockets Layer (SSL), Internet
Protocol security (IPSec), and Microsoft Internet Security and Acceleration Server
(ISA) as a front-end server, RSA SecurID enhances the security of your internal
network.
Additional Resources
For more information:
http://www.microsoft.com/miserver/
http://www.rsasecurity.com
http://www.rsasecurity.com/products/securid/datasheets/dsace50.html
http://www.rsasecurity.com/products/securid/demos/SecurIDTour/RSASecurIDTour.html
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS
TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give
you any license to these patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and
events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo,
person, place or event is intended or should be inferred.
Microsoft, Active Directory, ActiveSync, Outlook, and Windows are either registered trademarks or trademarks of Microsoft Corporation in
the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.