Hello there!

Need Help? We are right here!

Support Icon
miniOrange Email Support
success

Thanks for your Enquiry. Our team will soon reach out to you.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to info@xecurify.com

Search Results:

×

Windows Security - A complete guide to secure your windows infrastructure


This guide provides an introduction into some of the key solutions provided by the miniOrange Single Sign On server to secure your Windows infrastructure, some of them being able to authenticate into connected applications after you are logged in to your Windows domain, adding a 2nd layer of authentication when you are gaining access to protected resources through a VPN or a Remote desktop server, etc.

In any of the above cases, LDAP is a significant aspect since it has the advantage of consolidating the information for an entire organization into a central repository. miniOrange provides a wide range of solutions for LDAP, such as LDAP Proxy/Gateway, ​Support for multiple Active Directories as user stores, Active Directory Sync with the miniOrange server, etc.


Connect with External Source of Users


miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, OpenLDAP, AWS etc), Identity Providers (like Microsoft Entra ID, Okta, AWS), and many more. You can configure your existing directory/user store or add users in miniOrange.



Windows Authentication for SSO into connected applications hosted cloud/on-premise

Overview

You are logged in to your Windows system, and you want to log in to an application, say a on-premise app like SharePoint or a cloud app like GSuite. Don't you get tired of logging in to each application with the same credentials every single time? Trust us, we can make it effortless for you.

miniOrange provides a solution which, once you are logged in to Windows, lets you Single Sign On into connected applications hosted both in the cloud and on-premise, given the applications are configured within the domain for SSO. You can configure intranet portals or applications like Google Apps, Office 365, etc. that will log you in automatically when you try to access them.

NTLM / Kerberos Authentication Mechanism

Windows Challenge/Response (NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems.

The Kerberos protocol defines how clients interact with a network authentication service. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established. Kerberos tickets represent the client's network credentials.

Windows authentication uses either Kerberos authentication or NTLM authentication, depending upon the client and server configurations. This document follows the example of an use case in which NTLM is the best choice - The applications are deployed on Windows Servers joined to the Active Directory domain. i.e) A whole Microsoft Active Directory setup exists.

miniOrange SSO Solution

miniOrange SSO server allows you to login to your applications without re-entering your credentials after you authenticate yourself into the Windows domain.

miniOrange achieves this by, installing a component on the Windows Server that, basically acts as an Identity Provider. When the user tries to access a cloud application like Salesforce, the request is sent to the miniOrange SSO Server which in turn asks the miniOrange SAML module installed in the Windows machine if the user can be logged in, and performs SSO based on the response from the module.

This, involves 3 steps basically:

  1. Enable Windows Authentication and configure SSO applications of interest in the Windows Machine.
  2. Installing the miniOrange SAML module in Windows and configuring it with the miniOrange SSO server.
  3. Add the miniOrange SAML module ( installed on the Windows Machine ) as an Identity Source in the miniOrange SSO server

1. Steps to configure SSO into connected applications in Windows

Setup IIS for Windows Authentication.

  • Step 1: Setup IIS for Windows Authentication.

    1. Open up command prompt in Administrative mode.

    2. Execute the following command on it:

    setspn -a HTTP/## Server FQDN## ##Domain Service Account##

    3. Open up Active Directory Users and Computers.

    4. Search for the service account which was used to create the Service Principal Name(SPN).

    5. Navigate to the Delegation tab.

    6. Select Trust this user for delegation to any service (Kerberos only).

    Setup IIS for Windows Authentication

    7. Click Apply.

    8. Open up IIS Manager.

    9. Select the site which you want to apply Windows Authentication to.

    10. Select the Application Pool for that website. Right click on it a select Advanced Settings.

    11. Use Custom Account and set the account as the service account for which delegation was enabled. You would need to enter the password of the service account as well.

    Advanced Setting for Windows Authentication

    12. Navigate to the Authentication section for the website.

    13. Enable Windows Authentication and disable Anonymous Authentication.

    Enable Windows Authentication and disable Anonymous Authentication

    14. In the Configuration Editor, search for system.webServer/security/authentication/windowsAuthentication.

    15. Set useKernelMode as False and useAppPoolCredentials as True

    Set useKernelMode

    16. Click Apply.

    17. Open up Internet Explorer and open Internet Options.

    18. Add the FQDN of IIS Server to the list of sites in Local Intranet.

    19. Select Custom Level for the Security Zone. In the list of options, select Automatic Logon only in Intranet Zone.

    Security Setting: Local Intranet Zone

  • Step 2: Configure the on-premise SAML Module with the miniOrange Self Service Console

    You will be installing a SAML module on the IIS Server joined to the Windows Domain. And this module will be responsible for identifying if the user who is logged in Windows can be logged in to connected applications as well, within the domain.
    When the user is trying to access a cloud application, say Salesforce for example, the request is received by miniOrange which forwards the request to this SAML module installed on-premise, which determines if the user can be auto-logged in, and sends the response accordingly.


    1. Put in the URLs in the samlsso.php in the SAML Module.

    Configure the on-premise SAML Module with miniOrange

    Parameter Value
    ACS URL Of the format: https://auth.miniorange.in/moas/endusersamlresponse
    Issuer The hostname of the server
    Audience https://auth.miniorange.in/moas

    2. Save the file.

  • Step 3: Configure the miniOrange on-premise SAML Module as an Identity Source in miniOrange

    1. Login to the admin dashboard.

    2. Navigate to Identity Providers in the left navigation bar.

    Configure miniOrange on-prem SAML module as an Identity source

    3. Click on Add Identity Source.

    Click on Add Identity Source

    4. Add a SAML Identity Source in miniOrange with the details of the on-premise SAML Module.

    Parameter Value
    IdP Entity ID / Issuer As set in the above step
    SAML SSO Login URL Of the format http://< hostname_of_server >/saml/samlsso.php
    X.509 Certificate The SP Certificate in the SAML Module
    Add detail in SAML Identity Source

    5. Save the Identity Source and make it as the Default Identity Source by clicking on Make Default.

    Make as Default Identity Source

2. Solutions pertaining to LDAP

  1. miniOrange LDAP Gateway / Sync Tool

  2. Why LDAP Gateway?

    • LDAP with non public IP - This can be very beneficial if your aim is single sign on but your LDAP exists within your intranet with a non public IP. You can still authenticate your site (which could be anywhere outside your network) and with the help of this two part plugin (plugin + gateway) you can authenticate against your LDAP and achieve single sign on.
    • Secure calls using HTTPS - All remote calls happen through an encrypted channel.
    • Setup LDAP configuration once and access from multiple sites - You only need to setup your LDAP configuration once and you can access from multiple sites, thereby achieving ease of use.
    • Your LDAP stays secure since its behind your firewall.
    • Cloud based LDAP authentication system - This means that the libraries that are needed to authenticate against your LDAP/AD is not PHP based so it can support a much larger variety of LDAP.

    How does LDAP Gateway work?

    miniOrange gateway is a small piece of software that can reside on a shared machine. It wont need its own machine and our customers generally install it on any server thats already in the DMZ.

    Click here for more.

    How does LDAP Gateway Work

    Steps for configuring miniOrange LDAP Gateway/Sync Tool

    Click here to see the steps for configuring the miniOrange LDAP Sync Tool.
    • Step 1: Set external properties file.

      This is used to set an external properties file which Tomcat uses to read and write the LDAP configuration. To set the external properties file, follow the steps below:

      1. Open up the catalina.bat(catalina.sh in Linux servers) if the Tomcat installation.

      2. Add the following line below # ----- Execute The Requested Command -------------------------------------

      Linux
      JAVA_OPTS="$JAVA_OPTS-Dexternal.properties.file=/home/user/application.properties

      Windows
      set JAVA_OPTS=%JAVA_OPTS%-Dexternal.properties.file=C:\Users\user\Documents\application.properties

      3. Save the file.

      4. Restart Tomcat.

    • Step 2: Setup LDAP Connection in LDAP Gateway.

      This step is required to setup the LDAP Connection on the Gateway. Follow the steps below:

      1. Login into the miniOrange LDAP Gateway.

      2. Navigate to the Configure Keys​ section.

      3. Set the Customer ID ​and Token Key of the miniOrange account and click on Save.

      4. Navigate to the LDAP Configurations ​section. Click on Edit ​for the default LDAP Configuration.

      5. Add the following configuration details. Click on Save​.

      Setup LDAP Connection in LDAP Gateway

    • Step 3: Configure Scheduled Sync.

      Follow the steps below to configure the scheduled sync

      1. Navigate to the Scheduler​ section.

      2. Set the Sync Interval​ in hours​. This determines the number of hours after which the scheduled sync will run. In typical setups, it is 24 hours​.

      3. Set the Sync time​ in HH:mm ​format. This determines the time of the day in which the first scheduled sync will run. Click on Save​.

      Configure Scheduled Sync

      The scheduled sync will now run at the set time.

    • Step 4: Configure external LDAP Gateway in miniOrange.

      Follow the steps below to configure the LDAP Gateway in miniOrange Admin Console:

      1. Navigate to the miniOrange Admin Console. Login with your miniOrange credentials.

      2. Navigate to the User Stores​ section.

      3. Click on Add User Store.

      4. Select the type as AD/LDAP​ and set Store LDAP Configuration On-Premise.

      Configure external LDAP Gateway in miniOrange

      Set the miniOrange Gateway URL​.

      Select Activate LDAP​.

      Click on Save​.

    miniOrange LDAP Gateway/Sync Tool

    The miniOrange LDAP Gateway Sync tool acts as an intermediary between an on-premise Active Directory/LDAP Server and miniOrange Cloud-based service.
    It allows for the following functionalities:

    • Authentication against on-premise Active Directory/LDAP from cloud-based applications.
    • Scheduled sync of users from LDAP to miniOrange.
    • Password sync operations from miniOrange to on-premise LDAP.

    miniOrange LDAP Gateway/Sync Tool

    The miniOrange LDAP Gateway Sync tool acts as an intermediary between an on-premise Active Directory/LDAP Server and miniOrange Cloud-based service. It allows for the following functionalities:

    • Authentication against on-premise Active Directory/LDAP from cloud-based applications.
    • Scheduled sync of users from LDAP to miniOrange.
    • Password sync operations from miniOrange to on-premise LDAP.

    Steps for configuring miniOrange LDAP Gateway/Sync Tool

  3. Support for multiple Active Directories as user stores for the purpose of SSO

  4. This lets you configure multiple Active Directories in miniOrange for authentication, and which Active Directory is to be used for authentication into which application.​​Eg, ​You can configure AD1, AD2,....ADN​ ​as an authentication source for apps. With this, users in all these directories will be able to single sign on into all the apps.

  5. LDAP Proxy

  6. LDAP as a proxy acts as a middleware layer between the LDAP client, eg. ​​any​​​CMS ( Wordpress for eg.) and the Active Directory, the LDAP Directory Server.​​
    LDAP Proxy resides in the DMZ between a cloud-based application and an internal LDAP and is responsible for forwarding LDAP requests from the application to the on-premise server. This allows the application to access the proxy for LDAP integration and the internal directory remains unexposed within the network.

3. 2 Factor Authentication for VPN Login

Overview

If you are using a Virtual Private Network ( VPN ) to allow your users to connect over a public network, enhancing the security becomes a concern since users gain access to sensitive digital assets. miniOrange can be of great value here by providing 2-factor Authentication on top of VPN Authentication. This secures the access to protected resources instead of relying on only the VPN username / password.

What is RADIUS?

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol that provides client authentication and authorization. It enables remote access servers to communicate with a server to authenticate users and authorize their access to the requested system or service.

  1. RADIUS Client - The RADIUS client is typically a NAS ( Network Access Server ) which is responsible for passing user information to designated RADIUS servers, and then based on the response which is returned, authenticates or rejects login to the user.

  2. RADIUS Server - RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to authenticate the user. A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

  3. Authentication Protocols - The RADIUS server checks that the information is correct using authentication schemes such as PAP, CHAP, MS-CHAP, MS-CHAPv2, EAP, EAP-TLS, EAP-TTLS and EAP-PEAP.

  4. Security - Transactions between the client and RADIUS accounting server are authenticated through the use of a shared secret, which is never sent over the network.

  5. Authentication Protocols and Password Compatibility

  6. Clear-text NT hash(ntlm_auth) MD5 hash Salted MD5 hash SHA1 hash Salted SHA1 hash Unix Crypt
    PAP
    CHAP
    Digest
    MS-CHAP
    PEAP
    EAP-MSCHAPv2
    Cisco LEAP
    EAP-GTC
    EAP-MD5
    EAP-SIM
    EAP-TLS


4. miniOrange 2FA for VPN Login

miniOrange accomplishes this by acting as a RADIUS server, that accepts the username/password of the user entered as a RADIUS request, validates the user against the user store as Active Directory ( AD ), prompts him for the 2-factor authentication and either grants/revokes access based on the input by the user.

Types of 2FA Authentications with RADIUS

The 2-factor authentication can be of two types depending on the VPN clients.

  • VPN Clients that support RADIUS Challenge.
  • In this case, there are two requests. The initial one is with the user's username/password that is validated against the credentials stored in Active Directory. After the first request sends a success response, a challenge request is sent to validate the 2-factor authentication of the user( for eg, in the case of OTP Over Email, an One Time Passcode is sent to the user's email ). The user validates the second factor after which he is granted access to the application.

    VPN Clients that support RADIUS Challenge

    Authentication methods that can be used:

    • All Authentication methods supported by miniOrange. Software Token, Push Notification, OTP over Email to name a few.

    RADIUS Clients that support this authentication type:

    • OpenVPN
    • Palo Alto
  • VPN Clients that do not support RADIUS Challenge.
  • Further down, there are two types of authentication in this:

    1. The user enters the username + password and after validation, he is prompted for the 2-factor authentication code in the next screen.
    2. The user is prompted for the 2-factor authentication in the initial login screen along with his username and password.

    In both of the above cases, miniOrange accepts the request and validates the username/password first and then the 2-factor code entered by the user.

    VPN Clients that do not support RADIUS Challenge

    Authentication methods that can be used:

    1. Soft Token
    2. OUT OF BAND EMAIL
    3. OUT OF BAND SMS

    RADIUS Clients that support this authentication type:

    1. AWS AD Connector
    2. Palo Alto

Steps to configure 2FA for VPN Login

  1. Steps to configure your RADIUS Client with miniOrange

  2. Click here to see the detailed steps.
    • Step 1: Add the Radius Client in miniOrange

      1. Login to the admin dashboard.

      2. Navigate to Apps >> Manage Apps in the left navigation bar.

      Login to the miniOrange dashboard. Select App and manage App

      3. Click on Configure Apps.

      Click on Configure Apps

      4. Go to Radius applications tab and select Radius Server app. Click on Add App button.

      Select Radius App

      5. Enter the radius Client Name, Client IP and Shared Secret which you will need to configure in radius client as well.

      Enter Radius Client Details

      6. Click on Save button.

    • Step 2: Setup LDAP authentication

      1. Go to User Stores menu and click on Add User Store button.

      select user store

      Add User Store

      2. Configure your LDAP settings.

      Enter user store details

      3. Make sure to keep the below options enabled.

      Save User Store

      4. Click on Save.

      5. After you save, click on Test Configuration to verify your LDAP settings

      Test configuration

    • Step 3: Enable 2 factor authentication

      1. Go to Policies tab and click on App Authentication Policy.

      Enable 2FA

      2. Go to Add Policy tab and add policy for application added in step 1.

      Save 2FA

    • Step 4: Configure RADIUS client

      You can configure your radius client with details below:

      Radius Server IP / Host : IP or domain name of server where you have installed miniOrange.

      Server Port : 1812

      Shared Secret : Configured in Step 1.

  3. Steps to configure the miniOrange RADIUS Server with your RADIUS Client

  4. The configuration at the RADIUS client's side depends on the VPN Client. OpenVPN has been demonstrated as an example here.

    Click here to see the detailed steps.

      1. Login to the OpenVPN admin dashboard.

      OpenVPN admin dashboard

      2. Navigate to Authentication >> General in the left navigation bar. Select RADIUS and save the settings.

      Navigate to Authentication General

      3. Navigate to Authentication >> RADIUS in the left navigation bar. Select PAP as the RADIUS authentication method.
      In the RADIUS Settings below, enter the Radius Server IP / Host as the IP or domain name of server where you have installed miniOrange, Server Port as 1812 and Shared Secret configured in the previous step.

      Navigate to Authentication Radius

      4. Click on Save Settings.

  5. Demonstration of miniOrange 2FA for VPN Login

  6. This is how the actual VPN login with 2FA works.

      1. Connect to OpenVPN by entering the hostname of the server.

      Connect to OpenVPN

      2. Enter your AD username & password and click on Connect.

      Enter your AD username & password

      3. Now, you are prompted for the 2-factor authentication code. Enter the code and click on Continue.

      Enter 2-factor authentication code

      4. After successful validation, you are connected.

      successful validation, you are connected


    Popular RADIUS Clients miniOrange integrates with:

    • Palo Alto

      The users enter their AD credentials to log in to Palo Alto, the Radius Client, and after the username/password validation, an One Time Passcode is sent to the user's mobile number. The user enters the One Time passcode received, which is validated by miniOrange to gain/deny access to the user.

    • OpenVPN

      The users enter their AD credentials and the 2FA code ( Software Token ) to log in to OpenVPN, the Radius Client, and after the username/password validation, are prompted for the 2-factor authentication. Post validation of 2nd factor, users are logged in to OpenVPN.

    • AWS AD Connector
    • FortiNet

      The users enter their AD credentials to log in to FortiNet, and after the username/password validation, an push notification is sent to the user's mobile, that he needs to accept to get logged in to AWS.

​2 Factor Authentication ​for Remote Desktop Service

Overview

​When users connect to a Remote Desktop Service, 2-factor authentication is essential to enforce high security protection of your business resources. Installing miniOrange 2-Factor Authentication for Windows Logon adds two-factor authentication to Windows login attempts over RDP.

miniOrange 2FA for Remote Desktop Service

The user initiates the login to Remote Desktop Service either through a Remote Desktop Client or via the RD Web login page from his browser, after which the RADIUS request is sent from the miniOrange RD Web component installed on the target machine to the miniOrange RADIUS server, which authenticates the user via Local AD, and after successful authentication, 2-factor authentication of the user is invoked. After the user validates himself, he is granted access to the Remote Desktop Service.

Types

A user can try to connect to RDS (Remote Desktop Services) via 2 ways :

  1. RDC - Remote Desktop Client: If the RemoteApp is launched through a Remote Desktop client application, the users validate their 2-factor authentication while they enter the username and password to get access to the resources. ( as this method doesn't support access-challenge response, only out of band authentication methods are supported ).
  2. RD WebAccess - RD login page via browser: If the desktop or RemoteApp is launched through a RD Web Login page, the initial user authentication is done from the machine's AD, after which miniOrange challenges the user for 2-factor authentication via a RADIUS challenge request. After the users correctly authenticate themselves, they get connected to their resources.

2FA for RDS via RD Web


How it works

  1. In this case, the user goes to RD Web login page from his browser to connect to the Remote Desktop Service.He enters his username and password, and on submission, the RADIUS request from RD Web component installed on target machine is sent to the miniOrange RADIUS server which authenticates the user via local AD in the target machine.
  2. Once authenticated, it sends a RADIUS challenge to RD Web, and the RD Web shows OTP screen on browser now. Once the user enters the One Time Passcode, the miniorange IdP verifies it and grants/denies access to the RDS.
  3. With this, after the user is connected to the Remote Desktop Service, the user can also gain access to published remote app icons on his browser screen, since the session has already been created for the user.
Window SSO: Flowchart

Authentication methods Supported

  1. One Time Passcode Over Email
  2. One Time Passcode Over SMS
  3. Google / miniOrange / Authy Authenticator Soft Token

Steps to configure 2FA for RDWeb

  1. Install the RD Web module provided by us. Unzip the module anywhere on your pc. C:/ for example.
  2. Take a backup copy of your C:/Windows/Web/RdWeb folder.
  3. Then open the RD Web module provided by us. Execute install.bat file. Once it is installed.
  4. Go to IIS Manager, Open Default Site -> Rd Web ->Pages.
  5. Open application settings, Change Radius Server IP and secret of IDP. Once that is configured.

Demonstration of user flow

1. User goes to the RD Web login page from his browser, and enters his username/password and clicks on Submit.

Demonstration of user flow: Image1

2.

Demonstration of user flow: Image2

2FA for RDS via Remote Desktop Client


How it works

  1. In this case, the user goes to RD Web login page from his browser to connect to the Remote Desktop Service.He enters his username and password, and on submission, the RADIUS request from RD Web component installed on target machine is sent to the miniOrange RADIUS server which authenticates the user via local AD in the target machine.
  2. Once authenticated, it sends a RADIUS challenge to RD Web, and the RD Web shows OTP screen on browser now. Once the user enters the One Time Passcode, the miniorange IdP verifies it and grants/denies access to the RDS.
  3. With this, after the user is connected to the Remote Desktop Service, the user can also gain access to published remote app icons on his browser screen, since the session has already been created for the user.

Authentication methods Supported

  1. Out of Band Email
  2. Out of Band SMS
  3. Push Notification

Want To Schedule A Demo?

Request a Demo
  



Our Other Identity & Access Management Products