6.7 Configuring the Web Client

You can configure the Web Console to authenticate using smart cards or multi-factor authentication and also customize the branding with your own logo and application title.

6.7.1 Starting the Web Console

You can start the Web Console from any computer, iOS device, or Android device running a Web browser. To start the Console, specify the appropriate URL in your Web browser address field. For example, if you installed the Web component on the HOUserver computer, type https://HOUserver/draclient in the address field of your Web browser.

NOTE: To display the most current account and Microsoft Exchange information in the Web Console, set your Web browser to check for newer versions of cached pages at every visit.

6.7.2 Auto Logout

You can define a time increment for the Web Console to log out automatically after inactivity or set it to never log out automatically.

To configure Auto Logout in the Web Console, navigate to Administration > Configuration > Auto Logout.

6.7.3 DRA Server Connection

You can configure one of three options in the Web Console to define DRA server connection options when logging in. Once configured, the connection configuration is the same for both administrators and assistant administrators in the Options drop-down panel when logging in to the Web Console.

  • Always use the default DRA server location (Always)

  • Never use the default DRA server location (Never)

  • Only use the default DRA server location if it is selected (Only If Selected)

The behavior for each option, when logging in, is described below:

| Connection Configuration | Login Screen - Options | Connection Option Descriptions |
|---|---|---|
| Always | None | Option configurations are disabled |
| Never | Use automatic discovery | Finds a DRA server automatically; no configuration options are available |
| | Connect to a specific DRA server | The user configures the server and port |
| | Connect to a server that manages a specific domain | The user provides a managed domain and chooses a connection option: Use automatic discovery (in the domain provided), Primary server for this domain, or Search for a DRA server (in the domain provided) |
| Only If Selected | Use automatic discovery | Finds a DRA server automatically; no configuration options are available |
| | Connect to the default DRA server | The default server is selected and the DRA server configuration is disabled |
| | Connect to a specific DRA server | The user configures the server and port |
| | Connect to a server that manages a specific domain | The user provides a managed domain and chooses a connection option: Use automatic discovery (in the domain provided), Primary server for this domain, or Search for a DRA server (in the domain provided) |

To configure the DRA Server connection in the Web Console, navigate to Administration > Configuration > DRA Server Connection.

6.7.4 REST Server Connection

The configuration for the REST Service connection includes setting a default server location and a connection timeout, in seconds. You can configure one of three options in the Web Console to define REST Service connection options when logging in. Once configured, the connection configuration is the same for both administrators and assistant administrators in the Options drop-down panel when logging in to the Web Console.

  • Always use the default REST Service location (Always)

  • Never use the default REST Service location (Never)

  • Only use the default REST Service location if it is selected (Only If Selected)

The behavior for each option, when logging in, is described below:

| Connection Configuration | Login Screen - Options | Connection Option Descriptions |
|---|---|---|
| Always | None | Option configurations are disabled |
| Never | Use automatic discovery | Finds a REST server automatically; no configuration options are available |
| | Connect to a specific REST server | The user configures the server and port |
| | Connect to a REST server in a specific domain | The user provides a managed domain and chooses a connection option: Use automatic discovery (in the domain provided) or Search for a REST server (in the domain provided) |
| Only If Selected | Use automatic discovery | Finds a REST server automatically; no configuration options are available |
| | Connect to the default REST server | The default REST server is selected and the REST server configuration is disabled |
| | Connect to a specific REST server | The user configures the server and port |
| | Connect to a REST server in a specific domain | The user provides a managed domain and chooses a connection option: Use automatic discovery (in the domain provided) or Search for a REST server (in the domain provided) |

To configure the REST Service connection in the Web Console, navigate to Administration > Configuration > REST Service Connection.

6.7.5 Authentication

This section contains information for configuring Smart Card Authentication, Windows Authentication, and multi-factor authentication using Advanced Authentication integration.

Smart Card Authentication

To configure the Web Console to accept a user based on the client credentials from his or her smart card, you must configure Internet Information Services (IIS) and the REST services configuration file.

IMPORTANT: Make sure the certificates on the smart card are also installed in the root certificate store on the web server, because IIS has to be able to find certificates that match those that are on the card.

  1. Install authentication components on the web server.

    1. Start the Server Manager.

    2. Click Web Server (IIS).

    3. Go to the Role Services section and click Add Role Services.

    4. Go to the Security role services node and select Windows Authentication and Client Certificate Mapping Authentication.

  2. Enable authentication on the web server.

    1. Start IIS Manager.

    2. Select your web server.

    3. Find the Authentication icon under the IIS section and double-click it.

    4. Enable “Active Directory Client Certificate Authentication” and “Windows Authentication”.

  3. Configure the DRA client.

    1. Select your DRA client.

    2. Find the Authentication icon under the IIS section and double-click it.

    3. Enable “Windows Authentication” and disable “Anonymous Authentication”.

  4. Enable SSL and client certificates on the DRA client.

    1. Find the SSL Services icon under the IIS section and double-click it.

    2. Select Require SSL and select Require under Client certificates.

      HINT: If the option is available, select Require 128-bit SSL.

  5. Configure the REST services web application.

    1. Select your REST services web application.

    2. Find the Authentication icon under the IIS section and double-click it.

    3. Enable “Windows Authentication” and disable “Anonymous Authentication”.

  6. Enable SSL and client certificates on the REST services web application.

    1. Find the SSL Services icon under the IIS section and double-click it.

    2. Select Require SSL and select Require under Client certificates.

      HINT: If the option is available, select Require 128-bit SSL.

  7. Configure the WCF web service file.

    1. Select your REST services web application and switch to Content View.

    2. Locate the .svc file and right-click it.

    3. Select Switch to Features View.

    4. Find the Authentication icon under the IIS section and double-click it.

    5. Enable “Anonymous Authentication” and disable all other authentication methods.

  8. Edit the REST services configuration file.

    1. Use a text editor to open the C:\inetpub\wwwroot\DRAClient\rest\web.config file.

    2. Locate the <authentication mode="None" /> line and delete it.

    3. Uncomment the lines specified below:

      • Below the <system.serviceModel> line:

        <services>
          <service name="NetIQ.DRA.DRARestProxy.RestProxy">
            <endpoint address="" binding="webHttpBinding" bindingConfiguration="webHttpEndpointBinding"
              name="webHttpEndpoint" contract="NetIQ.DRA.DRARestProxy.IRestProxy" />
          </service>
        </services>

      • Below the <serviceDebug includeExceptionDetailInFaults="false"/> line:

        <serviceAuthorization impersonateCallerForAllOperations="true" />
        <serviceCredentials>
          <clientCertificate>
            <authentication mapClientCertificateToWindowsAccount="true" />
          </clientCertificate>
        </serviceCredentials>

      • Above the <serviceHostingEnvironment multipleSiteBindingsEnabled="true" /> line:

        <bindings>
          <webHttpBinding>
            <binding name="webHttpEndpointBinding">
              <security mode="Transport">
                <transport clientCredentialType="Certificate" />
              </security>
            </binding>
          </webHttpBinding>
        </bindings>
  9. Save the file and restart the IIS server.
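The IIS part of the procedure (steps 1 through 7) can be applied and read back from an elevated PowerShell session instead of clicking through IIS Manager, which makes the result repeatable and easy to audit. The script below is an added example, not part of the DRA documentation or the product; it assumes the site is named "Default Web Site", that the DRA client is the /DRAClient application and the REST services are /DRAClient/rest (derived from the web.config path in step 8), and it uses a placeholder for the WCF .svc file name, which the page does not give. Steps 8 and 9 (the web.config edits and the restart) are still done as described above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the DRA documentation): scripts steps 1 to 7 of the
# smart card procedure with the WebAdministration module.
# Assumptions: site "Default Web Site"; DRA client at /DRAClient; REST services
# at /DRAClient/rest (from the web.config path in step 8); the .svc file name
# is a placeholder that must be replaced.
param(
    [string]$SiteName  = 'Default Web Site',
    [string]$ClientApp = 'DRAClient',
    [string]$RestApp   = 'DRAClient/rest',
    [string]$SvcFile   = 'REPLACE-WITH-YOUR-SERVICE.svc'
)

Import-Module WebAdministration
$AppHost  = 'MACHINE/WEBROOT/APPHOST'                 # applicationHost.config
$AuthBase = 'system.webServer/security/authentication'

# Enables or disables one IIS authentication module: server-wide when
# $Location is empty, otherwise for that site/application/file path.
function Set-IisAuth {
    param([string]$Location, [string]$Method, [bool]$Enabled)
    $p = @{ PSPath = $AppHost; Filter = "$AuthBase/$Method"; Name = 'enabled'; Value = $Enabled }
    if ($Location) { $p['Location'] = $Location }
    Set-WebConfigurationProperty @p
}

# Step 1: role services "Windows Authentication" and "Client Certificate Mapping Authentication"
Install-WindowsFeature -Name Web-Windows-Auth, Web-Client-Auth | Out-Null

# Step 2: at server level, Active Directory client certificate mapping and Windows auth
Set-IisAuth -Location '' -Method 'clientCertificateMappingAuthentication' -Enabled $true
Set-IisAuth -Location '' -Method 'windowsAuthentication' -Enabled $true

# Steps 3 to 6: the DRA client and the REST services application get the same
# settings: Windows auth on, anonymous off, SSL plus a client certificate required.
foreach ($app in @("$SiteName/$ClientApp", "$SiteName/$RestApp")) {
    Set-IisAuth -Location $app -Method 'windowsAuthentication'   -Enabled $true
    Set-IisAuth -Location $app -Method 'anonymousAuthentication' -Enabled $false
    # Require SSL, Require 128-bit SSL (the HINT in steps 4 and 6), Require client certificates
    Set-WebConfigurationProperty -PSPath $AppHost -Location $app `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,Ssl128,SslRequireCert'
}

# Step 7: the WCF .svc file itself allows only anonymous access; the certificate
# is mapped to a Windows account by WCF through the web.config settings of step 8.
$svcLocation = "$SiteName/$RestApp/$SvcFile"
Set-IisAuth -Location $svcLocation -Method 'anonymousAuthentication' -Enabled $true
foreach ($m in 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-IisAuth -Location $svcLocation -Method $m -Enabled $false
}

# Read back the effective settings so the result can be checked before step 8.
function Get-IisAuthState {
    param([string]$Location)
    [pscustomobject]@{
        Location  = $Location
        Windows   = (Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$AuthBase/windowsAuthentication").enabled
        Anonymous = (Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter "$AuthBase/anonymousAuthentication").enabled
        SslFlags  = (Get-WebConfiguration -PSPath $AppHost -Location $Location -Filter 'system.webServer/security/access').sslFlags
    }
}

@("$SiteName/$ClientApp", "$SiteName/$RestApp", $svcLocation) |
    ForEach-Object { Get-IisAuthState -Location $_ } |
    Format-Table -AutoSize
```

The final table should show Windows = True, Anonymous = False and SslFlags = Ssl,Ssl128,SslRequireCert for the two applications, and Anonymous = True with Windows = False for the .svc file; any other combination means IIS will either let unauthenticated callers through or never present the certificate prompt, so check it before editing web.config.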

Windows Authentication

To enable Windows authentication on the Web Console you must configure Internet Information Services (IIS) and the REST services configuration file.

  1. Open IIS Manager.

  2. In the Connections pane, locate the REST Services web application and select it.

  3. In the right pane, go to the IIS section and double-click Authentication.

  4. Enable Windows Authentication and disable all of the other authentication methods.

  5. Use a text editor to open the C:\inetpub\wwwroot\DRAClient\rest\web.config file and locate the <authentication mode="None" /> line.

  6. Change "None" to "Windows" and save the file.

  7. Restart the IIS server.
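The same procedure, scripted so that the IIS change and the web.config change are made together and the file edit refuses to proceed if the configuration does not look as expected. This is an added example, not part of the DRA documentation or the product; it assumes the site is named "Default Web Site" and that the REST services application is /DRAClient/rest (derived from the web.config path in step 5).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the DRA documentation): scripts the Windows
# Authentication procedure above. Assumptions: site "Default Web Site";
# REST services at /DRAClient/rest (from the web.config path in step 5).
param(
    [string]$SiteName  = 'Default Web Site',
    [string]$RestApp   = 'DRAClient/rest',
    [string]$WebConfig = 'C:\inetpub\wwwroot\DRAClient\rest\web.config'
)

Import-Module WebAdministration
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$Location = "$SiteName/$RestApp"
$AuthBase = 'system.webServer/security/authentication'

# Steps 2 to 4: on the REST services application only, Windows Authentication
# on and every other IIS authentication module off.
foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter "$AuthBase/$m" -Name 'enabled' -Value $false
}
Set-WebConfigurationProperty -PSPath $AppHost -Location $Location `
    -Filter "$AuthBase/windowsAuthentication" -Name 'enabled' -Value $true

# Steps 5 and 6: change <authentication mode="None" /> to "Windows", keeping a
# backup and stopping if the element is missing or already set to something else.
Copy-Item -Path $WebConfig -Destination "$WebConfig.bak" -Force
[xml]$cfg = Get-Content -Path $WebConfig -Raw
# Only the ASP.NET element carries a mode attribute; the WCF
# <authentication mapClientCertificateToWindowsAccount=...> element does not.
$auth = $cfg.SelectSingleNode('//authentication[@mode]')
if (-not $auth) {
    throw "No <authentication mode=...> element found in $WebConfig"
}
if ($auth.GetAttribute('mode') -ne 'None') {
    throw "authentication mode is '$($auth.GetAttribute('mode'))', expected 'None'; not changing it"
}
$auth.SetAttribute('mode', 'Windows')
$cfg.Save($WebConfig)

# Step 7
iisreset
```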

Multi-factor Authentication with Advanced Authentication

Advanced Authentication Framework (AAF) is our premier software package that lets you move beyond a simple user name and password to a more secure way of protecting your sensitive information using multi-factor authentication.

Advanced Authentication supports the following communication protocols for security:

  • TLS 1.2 (default setting), TLS 1.1, TLS 1.0

  • SSL 3.0

NOTE: Keep the TLS 1.2 default. SSL 3.0 and TLS 1.0/1.1 are deprecated (RFC 7568 and RFC 8996) and should only be enabled for a legacy client that cannot negotiate TLS 1.2.

Multi-factor authentication is a method of computer access control that requires more than one method of authentication from separate categories of credentials to verify a user's identity.

There are three types of authentication categories, or factors:

  • Knowledge. This category requires you to know a specific piece of information, such as a password or activation code.

  • Possession. This category requires you to have an authenticating device such as a smart card or smartphone.

  • Body. This category requires you to use a part of your anatomy, such as your fingerprint, as the method of verification.

Each authentication factor contains at least one authentication method. An authentication method is a specific technique that you can use to establish a user's identity, such as by using a fingerprint or requiring a password.

You can consider an authentication process strong if it uses more than one type of authentication method—for instance, if it requires a password and a fingerprint.

Advanced Authentication supports the following authentication methods:

  • LDAP password

  • Remote Authentication Dial-In User Service (RADIUS)

  • Smartphone

    HINT: The Smartphone method requires the user to download an iOS or Android app. For more information, see the Advanced Authentication - Smartphone Applications User Guide, which is available from the NetIQ Documentation Web site.

Use the information in the following sections to configure the Web Console to use multi-factor authentication.

IMPORTANT: While some of the steps in the following sections take place inside the Web Console, the majority of the multi-factor authentication configuration process requires access to the AAF. These procedures assume that you have already installed AAF and have access to AAF’s help documentation.

Adding Repositories to Advanced Authentication Framework

The first step in configuring the Web Console to use multi-factor authentication is to add to AAF all of the Active Directory domains that contain the DRA administrators and assistant administrators managed by DRA. These domains are called repositories, and they contain the identity attributes of the users and groups that you want to authenticate.

  1. Log in to the AAF administration portal with an administrator-level username and password.

  2. Go to the left panel and click Repositories.

  3. Click Add.

  4. Fill out the form.

    HINT: The LDAP type is AD.

    HINT: Type an administrator-level username and password into the corresponding fields.

  5. Click Add server.

  6. Type the LDAP server’s IP address in the Address field.

  7. Click Save.

  8. Repeat Steps 3 through 7 for all other AD repositories managed by DRA.

  9. For each repository listed on the Repositories page, click Sync now to sync it with the AAF server.

Creating Authentication Chains

An authentication chain contains at least one authentication method. The methods in the chain will be invoked in the order in which they were added to the chain. In order for a user to be authenticated, the user must pass all methods in the chain. For example, you can create a chain that contains the LDAP Password method and the SMS method. When a user tries to authenticate using this chain, she must first authenticate using her LDAP Password, after which a text message will be sent to her mobile phone with a one-time password. After she enters the password, all the methods in the chain will have been fulfilled and the authentication succeeds. An authentication chain can be assigned to a specific user or group.

To create an authentication chain:

  1. Log in to the AAF administration portal with an administrator-level username and password.

  2. Go to the left panel and click Chains. The right panel displays a list of the currently available chains.

  3. Click Add.

  4. Fill out the form. All fields are required.

    IMPORTANT: Add the methods in the order in which they should be invoked—that is, if you want the user to enter an LDAP password first, add LDAP password to the chain first.

    IMPORTANT: Make sure the Apply if used by endpoint owner switch is OFF.

  5. Switch Is enabled to ON.

  6. Type the names of the roles or groups to be subject to the authentication request into the Roles & Groups field.

    HINT: If you want the chain to apply to all users, type all users into the Roles & Groups field and select All Users from the resulting drop-down list.

    Any user or group that you select will be added beneath the Roles & Groups field.

  7. Click Save.

Creating Authentication Events

An authentication event is triggered by an application—in this case, the Web Console—that wants to authenticate a user. At least one authentication chain must be assigned to the event so that when the event is triggered, the methods in the chain associated with the event will be invoked in order to authenticate the user.

An endpoint is the actual device—such as a computer or a smartphone—that is running the software that triggers the authentication event. DRA will register the endpoint with AAF after you create the event.

You can use the Endpoints whitelist box to restrict access to an event to specific endpoints, or you can allow all endpoints to access the event.

To create an authentication event:

  1. Log in to the AAF administration portal with an administrator-level username and password.

  2. Go to the left panel and click Events. The right panel displays a list of the currently available events.

  3. Click Add.

  4. Fill out the form. All fields are required.

    IMPORTANT: Make sure the Is enabled switch is ON.

  5. If you want to restrict access to specific endpoints, go to the Endpoints whitelist section and move the targeted endpoints from the Available list to the Used list.

    HINT: If there are no endpoints in the Used list, then the event will be available to all endpoints.

Enabling the Web Console

After you configure chains and events you can log into the Web Console as an administrator and enable Advanced Authentication.

Once authentication is enabled, every user will be required to authenticate through AAF before being given access to the Web Console.

IMPORTANT: Before enabling the Web Console you must already be enrolled in the authentication methods that the Web Console will use to authenticate users. See the Advanced Authentication Framework User Guide to learn how to enroll in authentication methods.

To enable Advanced Authentication, log in to the Web Console and navigate to Administration > Configuration > Advanced Authentication. Select the Enabled check box and configure the form according to the instructions provided for each field.

HINT: After you save the configuration, the endpoint will be created in AAF. To view or edit it, log on to the AAF administration portal with an administrator-level username and password and click Endpoints on the left pane.

Final Steps

  1. Log on to the AAF administration portal with an administrator-level username and password and click Events on the left pane.

  2. Edit each of the Web Console events:

    1. Open the event for editing.

    2. Go to the Endpoints whitelist section and move the endpoint that you created when you configured the Web Console from the Available list to the Used list. This will ensure that only the Web Console can use these events.

  3. Click Save.