There may be times when you wish to delegate trust from one appliance or application to your AuthAnvil Password Server. When used, it allows a trusted application to access credential information on behalf of a user it has already authenticated. An example where this might be used is to allow an RMM tool or remote access application to collect the credentials to inject during a login without prompting the user to enter their credentials to the AuthAnvil Password Server if they have already authenticated elsewhere.
NOTE: Use this feature with care. If you are not careful, it becomes possible to misuse this feature without validating the identity of the caller. If in doubt, do NOT enable this feature, and ask your security team to review your needs.
Setting up delegated trust
Trust is established by the use of digital certificates. You will need to maintain a full X.509 certificate which holds the public and private key on your application/server, in a non-exportable form within the Windows Certificate Store. You will also need to import the equivalent public certificate into the AuthAnvil Password Server so it knows to trust your application/server. In this article we will do just that.
Create your X.509 certificate
If you currently maintain your own Certificate Authority (CA) and have the ability to generate and issue your own certificates, you can do so instead of using tools like makecert. What follows is guidance for IT teams who may not have such infrastructure and need to generate their own self-signed certificates.
The steps below rely on Microsoft's makecert.exe command-line tool, which is generally available in any of Microsoft's SDKs.
- Create a self-signed X.509 cert. It is important that the hostname be resolvable via DNS as the "caller" to AuthAnvil.
makecert -ss My -sky Exchange -pe -n "CN=hostname"
- Open up MMC as a standard user
- Select File > Add/Remove Snapin
- Choose Certificates, hit Add and then OK.
- Choose Personal > Certificates. You should see the cert you generated there.
- Right-click the certificate and select All Tasks > Export.
- Click Next, and select Yes, export the private key.
- Click Next twice. When prompted, select the "Password" checkbox and enter a password.
- Browse to store the PFX somewhere safe. Name it something like myPrivateDTcert.pfx
- Continue to the end of the wizard and hit Finish.
SECURITY NOTE: This is your PUBLIC/PRIVATE keypair for your application server. KEEP IT SAFE.
- Run the export wizard again. But this time select "No, do not export the private key".
- Save the export as a Base64-encoded X.509 cert. Name it something like myPublicDTcert.cer
SECURITY NOTE: This is your PUBLIC key cert for your AuthAnvil Password Server.
Installing your private key into the Windows Certificate Store
- Open up mmc as an administrator
- Select File > Add/Remove Snapin
- Choose Certificates, and hit Add. When prompted, select Computer account, and complete adding the snapin.
- Expand Trusted Root Certificate Authorities
- Right-click on the Certificates folder in the left pane and select All Tasks > Import
- When prompted, browse for the PFX file. You may need to change the file type to see it.
- Hit Next. Enter the password you used during the export. Make sure the checkbox to Mark this key as exportable is turned OFF.
- Click Next several times until you get to the end of the wizard and hit Finish. You have now imported your keypair.
Installing your public key into the AuthAnvil Password Server
- Log in to the AuthAnvil Password Server as an administrator.
- Click on the Admin->External Admin menu.
- Select the Delegated Trust Certificates tab.
- Click the Add Delegated Trust Certificate button.
- Browse to find the public certificate you previously created (*.cer), and select it.
- Click the Install Certificate button.
At this point, your AuthAnvil Password Server can now accept requests via web services from your trusted host, using the certificate as the authenticator. This certificate must have a Common Name (CN) that matches both a forward and reverse lookup name resolution on the AuthAnvil system. In other words, if your DNS name for the system resolves to yourapp.contoso.com, then the CN should be CN=yourapp.contoso.com. Using the configured digital thumbprint of the certificate and its public key, AuthAnvil validates all requests and encrypts all responses using asymmetric encryption from that certificate.
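The following PowerShell check is an added example, not part of the AuthAnvil documentation: run it on the application server after the import steps above to confirm the certificate's CN matches forward and reverse DNS, that its private key is present and non-exportable, and to print the thumbprint for comparison with the certificate registered in AuthAnvil. It assumes the PFX was imported into the LocalMachine Trusted Root store as described (change $StoreName if you used a different store) and that Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 or later).

```powershell
# Added verification script; assumptions: store name below, CN equals this host's FQDN.
param(
    [string]$StoreName = 'Root',
    [string]$HostName  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)
$problems = @()

# Locate the newest certificate whose subject CN is the expected host name and that has a private key.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\$StoreName" |
    Where-Object { $_.Subject -eq "CN=$HostName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$HostName and a private key in Cert:\LocalMachine\$StoreName" }

# 1. Forward lookup: the CN must resolve to an address.
$forward = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.IPAddress }
if (-not $forward) { $problems += "Forward DNS lookup of $HostName returned no A record" }

# 2. Reverse lookup: each resolved address must map back to the same name.
foreach ($rec in $forward) {
    $ptr  = Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction SilentlyContinue | Select-Object -First 1
    $name = if ($ptr) { $ptr.NameHost.TrimEnd('.') } else { '' }
    if ($name -ne $HostName) { $problems += "Reverse lookup of $($rec.IPAddress) gave '$name', expected $HostName" }
}

# 3. The private key must be non-exportable (the 'Mark this key as exportable' box left OFF).
$exportable = $null
try {
    # Legacy CSP key, which is what makecert -sky Exchange produces.
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        $exportable = $cert.PrivateKey.CspKeyContainerInfo.Exportable
    }
} catch { }
if ($null -eq $exportable) {
    # CNG key: inspect the key's export policy instead.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $exportable = ($rsa.Key.ExportPolicy -ne [System.Security.Cryptography.CngExportPolicies]::None)
    }
}
if ($exportable -eq $true) { $problems += 'Private key is marked exportable' }
if ($null -eq $exportable) { $problems += 'Could not determine whether the private key is exportable' }

# 4. Expiry warning and thumbprint to compare against the Delegated Trust Certificates tab.
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Certificate expires on $($cert.NotAfter)" }
Write-Host "Subject: $($cert.Subject)  Thumbprint: $($cert.Thumbprint)  Expires: $($cert.NotAfter)"

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'Delegated-trust certificate checks passed.'
```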
At this point you can now call into the delegated SOAP/XML web services using dtLogon() to establish trust, and then request credentials as appropriate. Please see the Scorpion Software Developer Center for more information.
If you have any questions or need some help, we would be happy to assist. Open a case at kaseya.zendesk.com.