Setup SSL and Enable Smart Card (CAC/PKI) User Authentication for Orion Web Console (Legacy)

Version 9

    Author's Note: This documentation is valid for Orion Core 2010.1 through Orion Core 2016.2. This is a legacy document and is no longer maintained.

     

    For Orion Core 2017.1, please see SETUP SMART CARD (CAC/PKI) USER AUTHENTICATION FOR ORION WEB CONSOLE. SSL configuration has been built into the Configuration Wizard in Orion 2017.1, so the procedure in that document is different.

     

    PURPOSE: This is a start-to-finish guide to setting up SSL with a self-signed certificate, a domain certificate, or a certificate from a root CA, and to setting up and troubleshooting Smart Card authentication and login.

     

    ISSUE: Smart Card authentication relies on TLS client certificates, so SSL must first be set up on the Orion Web Console to provide a secure connection.

     

    RESOLUTION: Follow these steps to enable Smart Card authentication.

                Designed for Windows Server 2008 R2, 2012, and 2012 R2.

     

    PREREQUISITES: Make sure the following are in place before you start:

        1. Add at least one Active Directory account to the Web Console before attempting this. Once all steps are complete, Forms Authentication is disabled and the built-in Admin account will no longer be able to log in.
        2. Automatic Logon is enabled, or you follow the Configuration Wizard note below the next time the wizard runs.

    Note: After this procedure is complete, remember that the next time you run the Configuration Wizard you must select Skip HTTP Binding under Website Settings. If you forget (this is also noted in the documentation below), the steps under Secure the Site for Authentication Access and Phase II will need to be redone.

     

    Phase I: SSL Certificate Setup

     

    Go into IIS:

        1. Go into Start> Control Panel> Administrative Tools> Internet Information Services (IIS) Manager
        2. Select the Server
        3. Select Server Certificates

    Create a Domain Certificate (if you have a valid CA in the Domain, use this option)

        1. On the right under Actions, select Create Domain Certificate.
        2. Enter the Common Name.
          1. This must be the hostname or the fully qualified domain name that users will type into the browser.
          2. It is required to match the name in the web URL for all functions (including Export to PDF and Reports) to work.
        3. Fill in Organization, Organizational Unit, City, State and Country. This information does not need to be perfectly correct.
        4. Select Next.
        5. Click the Select button and choose the Certificate Authority.
          1. If nothing is listed, no enterprise CA is available to this server; create a Self-Signed Certificate instead.
        6. Enter a Friendly Name.
          1. You will pick the certificate by this name in step 8 of Set Web Server Certificate.

    Create a Self-Signed Certificate (select this if the system is not on the domain)

        1. On the right under Actions, select Create Self-Signed Certificate.
        2. Enter a Friendly Name.
          1. Use the hostname or the fully qualified name that users will connect to. IIS issues the self-signed certificate to the server's own computer name, so that is the name the URL must match.
          2. Note that a self-signed certificate will almost always show a certificate warning in the browser, because there is no trust relationship with the issuer. Import it into the clients' Trusted Root Certification Authorities store if you want to avoid the warning.
    Set Web Server Certificate

    Having completed either the Self-Signed or the Domain Certificate steps:

        1. In IIS, expand the Server and then Sites.
        2. Select SolarWinds NetPerfMon.
        3. Right-click and select Edit Bindings.
        4. Select Add.
        5. Change Type to https.
        6. IP Address: All Unassigned.
        7. Port: 443.
        8. SSL Certificate: select the certificate by its Friendly Name.

    Secure the Site for Authentication Access

        1. Expand the Sites folder to SolarWinds NetPerfMon.
        2. Under IIS, select Authentication.
        3. Disable Anonymous Authentication.
        4. Disable Forms Authentication.
          Note: If your environment requires forms authentication, attempt these configuration changes with forms authentication left enabled.
        5. Enable Windows Authentication (it may be enabled already).
        6. Click the back button at the top of the screen to return to the SolarWinds NetPerfMon Home view.
        7. Click SSL or SSL Settings.
        8. Check Require SSL.
        9. Under Client Certificates click Required, then click Apply at the top right.
          Note: Required means IIS will not serve the page unless the browser presents a client certificate that chains to a root CA trusted by the Orion server, so the CA that issues your smart card certificates must be in the server's Trusted Root Certification Authorities store. The Windows identity that Orion sees still comes from Windows Authentication (Kerberos/NTLM) in step 5; these steps do not map the client certificate to an account.
        10. In Internet Explorer, click Tools > Internet Options and add the Orion web site to the Local Intranet and Trusted Sites zones.
        11. Point the browser at the Orion https URL.
        12. Use https://<CertificateName>/Orion/Login.aspx to navigate to the Orion SSL website, where <CertificateName> is the name the certificate was issued to (the Common Name from Phase I).
          1. If a certificate error is shown, or you see a Red X, the name on the certificate does not match the URL you entered. Click the certificate; the "Issued To:" field tells you the URL to use.
          2. If the certificate shows as a lock in Internet Explorer or green in Chrome and Firefox, you are good to go.
        13. After you select the certificate and log in, the login screen may still appear. This is because Windows Account Automatic Login is not yet enabled.
          1. After logging in, go to Settings > Web Console Settings, set Windows Account Login to Enable automatic login, then select Submit.
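    The Phase I steps above as a PowerShell script, added here as an example; it is not part of the original KB or of SolarWinds' own tooling. It assumes Windows Server 2012 or 2012 R2 with the WebAdministration module, a site named SolarWinds NetPerfMon, and a placeholder host name orion.example.com that you replace with the name users will type. New-SelfSignedCertificate is not available on 2008 R2; there, create the certificate in IIS Manager as described and pass its thumbprint with -Thumbprint. The script also checks the name on the certificate against the URL before binding it and reads the effective authentication and SSL settings back, which the GUI steps do not do.

```powershell
# Added example, not from the original KB: Phase I (certificate, https binding, authentication
# and SSL settings) as a script. Assumptions: Windows Server 2012/2012 R2 (New-SelfSignedCertificate
# is not on 2008 R2; there, create the certificate in IIS Manager and pass -Thumbprint), the site
# name "SolarWinds NetPerfMon", and a placeholder $HostName that you replace.
#Requires -RunAsAdministrator
param(
    [string]$SiteName   = 'SolarWinds NetPerfMon',
    [string]$HostName   = 'orion.example.com',   # assumed; must be the name users type in the URL
    [string]$Thumbprint                          # optional: an existing domain-issued certificate
)
Import-Module WebAdministration

# 1. Certificate: create a self-signed one for $HostName unless a thumbprint was supplied.
if (-not $Thumbprint) {
    $cert = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'
    $cert.FriendlyName = $HostName     # the name shown in the IIS SSL Certificate drop-down
    $Thumbprint = $cert.Thumbprint
}
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# Check the name on the certificate against the URL host name before binding it, since a
# mismatch is what produces the Red X and the "Issued To" confusion in the troubleshooting section.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
if ($cert.DnsNameList) { $names += $cert.DnsNameList | ForEach-Object { $_.Unicode } }
if ($names -notcontains $HostName) {
    throw "Certificate $Thumbprint is issued to '$($names -join ', ')', not '$HostName'; browsers will show a name mismatch."
}

# 2. https binding on 443, All Unassigned, with the certificate attached (Set Web Server Certificate).
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item $sslBinding -Value $cert | Out-Null

# 3. Authentication: Anonymous off, Windows on. These sections are locked at server level, so they
#    are written as a <location path="site"> override in applicationHost.config.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' -Name enabled -Value $true
# Forms Authentication is an ASP.NET setting and lives in the site's web.config.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter 'system.web/authentication' -Name mode -Value 'Windows'

# 4. SSL Settings: Require SSL plus Client Certificates = Required.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# 5. Read the effective settings back so the result is verified before a browser is involved.
Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName -Filter 'system.webServer/security/authentication/*' |
    Select-Object SectionPath, enabled | Format-Table -AutoSize
'sslFlags: ' + (Get-WebConfiguration -PSPath 'IIS:\' -Location $SiteName -Filter 'system.webServer/security/access').sslFlags
```

    Run it in an elevated PowerShell on the Orion server. The final read-back should show anonymousAuthentication False, windowsAuthentication True and sslFlags Ssl,SslRequireCert; if windowsAuthentication cannot be set, the Windows Authentication role service is not installed on the server.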

     

     

    Phase II: SQL Server database change to reflect SSL enabled and new URL

    Configure the Orion database to use the SSL URL

    Known Issue Note: Orion Core 2015.1.3 currently has a bug where running the Configuration Wizard on the Web Console, upgrading, or adding a module re-enables the original non-SSL site. When that happens, steps 1-14 below must be repeated.

        1. Log on to your Orion server.
        2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Database Manager (elevated privileges are required to access this application).
        3. Click Add Default Server.
        4. Expand your Orion database in the left pane. The default database name is SolarWindsOrion or NetPerfMon.
        5. Right-click the Websites table, and then click Query Table.
        6. Select Execute.
        7. Next, refer back to the name on the SSL certificate (the Common Name / Issued To, which is the hostname in the URL); this name goes into the <ServerName> field.
          1. If you do not know it, do not update this column.
        8. Replace the default query with the following query (note the comma after Port, which is required):
          UPDATE dbo.Websites SET ServerName='<ServerName>', Port=443, SSLEnabled=1 WHERE Type='primary'
        9. Click Execute Query.
        10. Right-click the Websites table again, select Query Table, and select Execute Query.
        11. Make sure that ServerName is correct, that Port is set, and, if SSL is to be required, that SSLEnabled is 1.
        12. Now restart the SolarWinds Information Service v3 so that the Alerting and Reporting systems use the new URL for all actions. The Orion Web Console link in the Start menu is updated at the same time.
        13. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
        14. Select SolarWinds Information Service v3, and select Restart (or Stop, then Start).
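    The same Phase II change done from PowerShell with a parameterised, transactional query instead of the Database Manager GUI, as an added example that is not from the original KB. It assumes Windows authentication to SQL Server (switch the connection string to User ID/Password if your Orion database uses SQL authentication) and placeholder values for the SQL instance, database and certificate name that you replace. It shows the primary row before and after, refuses to commit if the UPDATE does not hit exactly one row, and then restarts the Information Service as in steps 12-14.

```powershell
# Added example, not from the original KB: Phase II as a script. $SqlServer, $Database and
# $ServerName are placeholders; the connection uses Windows authentication to SQL Server.
param(
    [string]$SqlServer  = 'SQLSERVER\SOLARWINDS_ORION',  # assumed instance name
    [string]$Database   = 'SolarWindsOrion',             # or NetPerfMon on older installs
    [string]$ServerName = 'orion.example.com'            # name on the SSL certificate (Issued To)
)
Add-Type -AssemblyName System.Data
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$SqlServer;Database=$Database;Integrated Security=True"
$conn.Open()
try {
    # Step 5-6: show the current primary website row before changing anything.
    $show = $conn.CreateCommand()
    $show.CommandText = "SELECT ServerName, Port, SSLEnabled FROM dbo.Websites WHERE Type = 'primary'"
    $r = $show.ExecuteReader()
    while ($r.Read()) { 'Before: {0}:{1} SSLEnabled={2}' -f $r['ServerName'], $r['Port'], $r['SSLEnabled'] }
    $r.Close()

    # Step 8-9: the KB's UPDATE, parameterised and inside a transaction so a bad WHERE clause
    # (or a schema with more than one primary row) cannot silently rewrite the table.
    $tx  = $conn.BeginTransaction()
    $upd = $conn.CreateCommand()
    $upd.Transaction = $tx
    $upd.CommandText = "UPDATE dbo.Websites SET ServerName = @name, Port = 443, SSLEnabled = 1 WHERE Type = 'primary'"
    [void]$upd.Parameters.AddWithValue('@name', $ServerName)
    $rows = $upd.ExecuteNonQuery()
    if ($rows -ne 1) {
        $tx.Rollback()
        throw "Expected exactly one primary website row; UPDATE would have changed $rows. Rolled back."
    }
    $tx.Commit()

    # Step 10-11: read the row back and confirm the values.
    $r = $show.ExecuteReader()
    while ($r.Read()) { 'After:  {0}:{1} SSLEnabled={2}' -f $r['ServerName'], $r['Port'], $r['SSLEnabled'] }
    $r.Close()
}
finally { $conn.Close() }

# Step 12-14: restart the Information Service so Alerting and Reporting pick up the new URL.
# Matched by display name because the short service name is not given in the KB.
$svc = Get-Service | Where-Object { $_.DisplayName -like 'SolarWinds Information Service v3*' }
if ($svc) { Restart-Service -InputObject $svc -Force }
else      { Write-Warning 'SolarWinds Information Service v3 not found; restart it from Orion Service Manager.' }
```

    If the Orion web link in the Start menu does not update after the restart, the ServerName written is not what the web site answers to; compare it with the Issued To name on the certificate rather than the friendly name.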

     

    Phase III: Testing to make sure it all works.

        1. Open a browser on your workstation to the Orion https URL.
        2. Enter a domain user that was already added to Orion.
        3. You should now be at the Summary screen.

     

    Extra Tasks: DoD consent-to-monitoring warning at the login screen and classification banner at the top of the page.

     

    DoD Warning at the Login Screen

    1. Log in as an Admin-level user.
    2. Go to Settings > Product Specific Settings/Web Console Settings > Site login text.
    3. Here is the text I use:

     

    You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions:

     

     

    The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations.

    At any time, the USG may inspect and seize data stored on this IS.

    Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose.

    This IS includes security measures (e.g., authorization and access controls) to protect USG interests--not for your personal benefit or privacy.

    Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

     

    Classification Banner at the Top of the Page

         At this moment we do not have any direct documentation on how to modify the IIS site to show the UNCLASSIFIED, CONFIDENTIAL, SECRET or TS/SCI DoD classification banner at the top. I have had a few customers set a DoD classification bar at the top over the years, and when I receive information on how this can be accomplished, this area will be updated.

     

     

    Troubleshoot Issues

     

    Configuration Wizard reports "Web Request for /Orion/Login.aspx failed"

     

    From now on the Configuration Wizard will erroneously report Web Request for /Orion/Login.aspx failed. Ignore this message; the site still works. The wizard's test request goes to the login page over plain HTTP on 127.0.0.1:80, which the authentication and SSL changes in Phase I no longer allow.

     

    If you believe there is a real problem, open C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log and search for Web Request for /Orion/Login.aspx failed. If the same line also reports No connection could be made because the target machine actively refused it 127.0.0.1:80, port 80 (HTTP) is not available. You can re-enable HTTP on port 80 to make this error disappear, at the cost of leaving an unencrypted listener on the server.

     

    From Phase I:

        • If you are seeing the following problems, they are all caused by the name on the SSL certificate (Issued To) not matching the URL, or by the browser not trusting the issuing CA. Re-create the certificate with the exact name that all users will use to connect, or have a trusted CA issue it.
          • Internet Explorer: Red X, There is a problem with this website's security certificate.
          • Google Chrome: Your connection is not private.
          • Firefox: Untrusted Connection or Your Connection is Untrusted.
        • If the SSL certificate shows as invalid or has a Red X, Export to PDF and Reports may not function correctly. The certificate name needs to match the URL.
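    A check for the symptoms above that runs the browser's certificate validation from PowerShell, added here as an example that is not part of the original KB. It connects to the host name you pass, captures the server certificate during the handshake, and reports separately whether the name matches and whether the chain is trusted, so a mismatched Common Name can be told apart from a missing root CA. The host name orion.example.com is a placeholder. No client certificate is sent, so this tests the server certificate only, not the smart card.

```powershell
# Added example, not from the original KB: reproduce the browser's server-certificate checks.
function Test-OrionServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    # The validation callback records what the OS reported and the certificate itself, then
    # accepts the handshake so nothing is hidden; the verdict is computed explicitly below.
    $seen = @{}
    $callback = {
        param($sender, $cert, $chain, $policyErrors)
        $seen.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        $seen.PolicyErrors = $policyErrors
        $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # If the server aborts after presenting its certificate, the capture is still usable.
        try { $ssl.AuthenticateAsClient($HostName) } catch { if (-not $seen.Cert) { throw } }
    }
    finally { $tcp.Close() }
    $cert = $seen.Cert

    # Name check: the URL host must appear in the SAN list (or the CN when there is no SAN).
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    if ($cert.DnsNameList) { $names += $cert.DnsNameList | ForEach-Object { $_.Unicode } }

    # Trust check: build the chain with the machine's own trusted root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        HostName     = $HostName
        IssuedTo     = $cert.Subject
        IssuedBy     = $cert.Issuer
        Expires      = $cert.NotAfter
        Names        = $names -join ', '
        NameMatches  = ($names -contains $HostName)   # false: Red X / "problem with this website's certificate"
        ChainTrusted = $trusted                        # false: "not private" / "untrusted connection"
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        PolicyErrors = $seen.PolicyErrors              # what the OS reported during the handshake
    }
}

# Usage: pass exactly the host name users type in the URL.
Test-OrionServerCertificate -HostName 'orion.example.com' | Format-List
```

    NameMatches False with ChainTrusted True means the certificate was issued to a different name than the URL, so re-create it or change the URL; NameMatches True with ChainTrusted False means the clients do not trust the issuer (typical for self-signed), so install the issuing CA, or the certificate itself, in their Trusted Root store. Run the check from a user workstation as well as from the server, since trust stores differ.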

     

    If you only see a white screen after these steps, you may have missed a step. Go back to SSL Settings and set Client Certificates back to Ignore; the Web Console will load as before, and you can then work through the steps again.

     

     

    From Phase III

               

    If the user cannot select the certificate, or is not prompted for one, the cause is browser settings.

     

    Internet Explorer:

        1. Press the Alt key to bring up the menu (IE 10 and newer), then select File > Properties.
        2. Note the Zone shown; it is needed for step 5.
        3. Select the gear (Settings) > Internet Options.
        4. Select the Security tab.
        5. Select the zone noted in step 2 and click Custom Level.
          1. You can promote the site to Trusted Sites so that the User Authentication change below applies only to it rather than to the whole zone:
            1. Select Trusted Sites.
            2. Select Sites.
            3. Select Add.
            4. Select Close.
        6. Scroll to the bottom; the last option is User Authentication.
          1. If the user has only one certificate and wants it auto-selected (this logs in with the account the user is logged on to the OS with):
            1. Select Automatic logon with current user name and password.
          2. If the user wants to be prompted and choose between certificates:
            1. Select Prompt for user name and password.
        7. Refresh or restart the browser. You may need to clear the cache for the change to take effect.

     

    Mozilla Firefox: (only needed if it fails)

        1. In the Firefox address bar, enter about:config.
        2. In the Filter field, enter network.automatic-ntlm-auth.trusted-uris.
        3. Double-click the Preference Name listed (network.automatic-ntlm-auth.trusted-uris)
        4. In the Enter string value window, enter a comma-separated list of the URLs of the Orion Web Consoles for which you want to enable AD access, as in the following:
          https://OrionServer1,http://OrionServer2,https://OrionWANMonitor
        5. Click OK.
          Note: You may need to restart Firefox for this configuration to take effect.

                        These instructions are adapted from "Enabling NTLM Authentication (Single Sign-On) in Firefox".

     

    Everyone else can login except for a few users

    User is required Interactive Logon for this system.

                            If the user sees the above error, Group Policy has blocked the user from logging on to the system. IIS Windows Authentication performs a logon to the Orion server (a network logon), so the same User Rights Assignment policies apply, for example Deny access to this computer from the network.

      1. Open Group Policy Management (for a domain GPO) or the Local Group Policy Editor on the Orion server itself.
      2. Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment (the Interactive logon options are under Security Options).
      3. Check that the user's account or groups are not listed in the "Deny ..." logon rights and are covered by the corresponding "Allow" rights.
      4. Other interactive logon errors can be traced in the Event Log on the SolarWinds server by Event ID. Use this Microsoft page to identify which setting is causing the issue, based on the Event ID or message: Interactive Logon Tools and Settings: Logon and Authentication

     

     

    After I enter my PIN, I get prompted for my account login with username and password.

              Enable Windows Account Automatic Login.

              Go to Settings > Web Console Settings > Windows Account Login, set it to Enable Automatic Login, and select Submit at the bottom.

              If you find yourself repeating this step after running the Configuration Wizard, follow the Configuration Wizard note under Prerequisites (Skip HTTP Binding) the next time the wizard runs.

     

     

    I cannot add any users to the Web Console. Our domain enforces Smart Card logon for all users, so I cannot provide a username and password to search Active Directory.

    Please see the following hotfix article to resolve this:

    Solarwinds Orion Core: Add Windows account to Web Console when "Force Smart Card logon" is setup on a Forest or Domain