Use WPM to create a Website Recording with Certificate Authentication for Availability

Version 2

    WPM Certificate Authentication

    Web Performance Monitor and authenticating to sites that require certificate authentication.

    Preface

    When asked whether Web Performance Monitor can monitor Smart Card authenticated websites to test their availability, there are a couple of things to consider before getting started.

     

    Web Performance Monitor can handle sites that require a certificate to be handed off to the website by the logged-in, authenticated user, presenting the certificate to prove they are who they say they are before authentication proceeds. This is sometimes called PKI, PIV, CAC card, Smart Card, or certificate-based authentication.

     

    There is some confusion about how Web Performance Monitor works with Smart Cards.

    • Web Performance Monitor cannot physically use a Smart Card and reader in order to check a transaction.
      • This would require a Smart Card to be created and inserted at all times, one per deployed agent.
      • Security teams do not, usually, want to create physical identification cards for non-existent personnel.
    • For Web Performance Monitor to access certificate-authenticated sites, a certificate must be created specifically for the WPM Player users so they can authenticate successfully.
      • Domain service account. (Local authentication is possible, but a domain account is easiest because of the domain trust relationships that need to exist.)
      • Each WPM Player service account gets a certificate created to authenticate to the site(s) being tested.
        • The WPM Player has to log on to the system before it can bring up any site, so the certificate is secured and stored under those WPM accounts.
      • Certificate-only authentication. Certificate PIN authentication is not supported.
      • WPM only needs to authenticate and view the various pages. Permissions on the monitored sites should be tuned so that security concerns are mitigated (read-only access, with no sensitive or mission-critical data accessible to the WPM accounts).

    Overview

    This covers setting up a Web Performance Monitor Player to log in with a certificate, impersonating an account, to ensure the site is accessible and available.

     

    Environment Requirements

    • WPM 2.0.1 and later (SEUM 1.5 is supported through the manual domain account setup process)
      • Synthetic End User Monitor (SEUM) was the previous name of Web Performance Monitor (WPM). SEUM still appears in directory and account names.
    • One or more WPM Players that are on the domain, or have a local account, and can log in to a site with a certificate.
    • At least 1 account; up to 7 accounts can be used. These are the accounts the WPM Player runs playbacks under, and the certificates will be assigned to them.
      • Usually this means service accounts, with a soft certificate created for each account.
    • The ability to create certificates from the Certificate Authority.

     

    Process Overview

    • Create a certificate template that handles Client Authentication only.
      • Certificates with multiple authentication and signing purposes are not permitted (WPM won't see them), which is why a template may have to be created.
    • Access the systems the Player will be running on:
      • Set up one certificate per user
      • Set up WPM to use the domain accounts

     

    Scenario Assumptions

    • The Certificate Authority is Microsoft Windows Server 2003 R2 or higher (the tested configuration)
    • You have access to the Certificate Authority to create the correct template so the certificate is created properly (as in the original test)
    • You have a site already using Smart Card / Certificate Authentication (tested on IIS7)

     

    Create the Certificate Template from the Certificate Authority Server

    • Requires access to create a certificate template, for Client Authentication only
    • Requires the ability to create a certificate for a user
    1. Go into the Certificate Authority application
    2. Under the CA server, select Certificate Templates
      • We need a template that only does Client Authentication
    3. Right-click, select New > Certificate Template to Issue
    4. Select Authenticated Session, OK.
    5. Authenticated Session is now on the list.
    6. Creating the certificate itself will happen later.

    WPM Recorder/Player Overview

    WPM Recorder

    1. A transaction is recorded.
    2. If a page requests a client certificate, the Recorder displays a certificate selection dialog.
    3. The user creating the recording selects the certificate, and its name, issuer, and other identifying data are saved into the recording.
      • The certificate itself is not stored if its private key cannot be exported.

    WPM Player

    1. When the recording is played back, WPM handles the certificate request when a page asks for a certificate.
      • The Player tries to find an existing certificate that matches the information stored in the recording.
    2. If a matching certificate is found, it is sent to the page. If no matching certificate is found, the request is canceled, which usually ends with an Access Denied response from the page.

    Note: If the certificate could not be included in the recording (because its private key was not accessible), it must be installed and present on every Player machine the transaction runs on.

    Install the WPM Recorder/Player. Each has a different installer.

    • Recorder: <OrionServerIP>/Orion/SEUM/Installers/TransactionRecorder.exe
    • Player: <OrionServerIP>/Orion/SEUM/Installers/PlaybackPlayer.exe

    Creating the certificate for the WPM Recorder & Players

    1. Go to the system that will run the web transactions (both Recorder and Players)
    2. Log in as the user you are creating the certificate for
    3. Go to Start > Run > MMC, OK.
    4. Select File > Add/Remove Snap-in
    5. Select Certificates. It should show as Certificates - Current User
    6. Select OK
    7. Expand Certificates - Current User > Personal > Certificates
    8. Right-click in the right-hand pane and select All Tasks > Request New Certificate.
    9. Next
    10. Active Directory Enrollment Policy, Next
    11. Authenticated Session, Enroll.
    12. Finish. The certificate is now created under the logged-in user's full name. It will have only Client Authentication.

    WPM Recorder Setup: Creating the Transaction.

    1. Log in to the WPM Recorder
    2. Run the transaction recording and browse to the page to authenticate.
    3. Under Choose a Digital Certificate, select the certificate in question.
      1. If the certificate cannot be exported with the private key, this message will appear:
      2. This means that you must install the certificate on each WPM Player individually.
        1. (See the remote system the Player will be running on.)
        2. WPM1.png
    4. The site should then log you in successfully.

    WPM Player Setup: Assign the Account Credentials to access the Certificate

    Note:

    • Recommended
      1. This may vary for each Player depending on the environment.
      2. This is required because each worker process handles different transactions at different times.
      3. Fewer users means fewer transactions that can be played back simultaneously.
    • Only domain accounts are supported in this tool.
    • If the tool fails, see Manually Adding Domain Accounts to WPM Player.
    • All passwords are automatically encrypted after the agent service is started. With XML, you cannot use an illegal character in the username and password fields, such as the following three: &, ', "

     

    1. Navigate to the SolarWinds install directory (C:\Program Files (x86)\SolarWinds\Orion\SEUM\Player)
    2. Launch SolarWinds.SEUM.AgentDomainConfigurationTool.exe.
    3. Check the box next to 'Enable domain accounts for playbacks'
    4. Fill in the Domain name, Username, and Password for each account in the fields as seen below:
      • You must use the accounts you created certificates for, and the certificates must be installed for those accounts on the system where you are running this tool.
    5. Click Validate, and then Save.
    6. Restart the WPM Playback services

    WPM2.png

    (Optional) WPM Player Setup: Manually Adding Domain Accounts to WPM Player

    Notes:

    • This portion of the KB applies to WPM version 1.5 and higher.
    • The WPM Player services must run in the same domain as the domain used for the user accounts.
      • It may be possible to run in a different domain if a trust is established, or if the same username/password for the service account is used on both sides.
    • The number of domain accounts given must be greater than or equal to the number of worker processes.
    • Use this guide if running the WPM Domain tool resulted in an error that will not let you set the users.
    • Domain accounts can be enabled by providing domain credentials in the agent service configuration file.
    • All passwords are automatically encrypted after the agent service is started. With XML, you cannot use an illegal character in the username and password fields, such as the following three: &, ', "

     

    1. Navigate to the SolarWinds.SEUM.Agent.Service.exe.config file located in the install location of the SEUM Player, C:\Program Files (x86)\SolarWinds\Orion\SEUM\Player.
    2. Locate the element <agentConfiguration numWorkerProcesses="7" ...>.
    3. Under this line add <domainAccounts domain="domain.name">.
      1. WPM3.png
    4. Add the list of available domain accounts.
      1. WPM4.png
    5. Changes are not reflected until AgentSettings.dat has been reset.

    SEE Reset AgentSettings.dat under Troubleshooting
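    Before restarting the services, the two rules the KB states for this file (at least as many domain accounts as worker processes, and no &, ' or " in usernames or passwords; see also the error "Number of available domain accounts is lower than maximal number of worker processes." under Troubleshooting) can be checked with the following PowerShell script. It is an added example, not SolarWinds code; the per-account element name <account username="" password=""/> is an assumption, since the KB shows that part of the file only as a screenshot.

```powershell
# Added example (not SolarWinds code): pre-flight checks for domain accounts
# added by hand to SolarWinds.SEUM.Agent.Service.exe.config. The KB names
# <agentConfiguration numWorkerProcesses=""> and <domainAccounts domain="">;
# the per-account element used here, <account username="" password=""/>, is
# an ASSUMPTION (the KB shows that list only as a screenshot, WPM4.png).

$IllegalChars = [char[]]'&''"'   # the three characters the KB forbids in these fields

function Get-WpmIllegalChars {
    # Returns the forbidden characters found in one username or password value.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    @($Value.ToCharArray() | Where-Object { $IllegalChars -contains $_ } | Sort-Object -Unique)
}

function Test-WpmAgentConfig {
    # Reports everything in the config file that would make the player refuse it.
    param([Parameter(Mandatory)][string]$ConfigPath)
    try {
        [xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw -ErrorAction Stop
    } catch {
        # An unescaped & or " inside a credential attribute makes the file invalid XML.
        return @("config is not well-formed XML: $($_.Exception.Message)")
    }
    $agent = $cfg.SelectSingleNode('//agentConfiguration')
    if (-not $agent) { return @('no <agentConfiguration> element found') }

    $problems = @()
    $workers  = [int]$agent.GetAttribute('numWorkerProcesses')
    $accounts = @($agent.SelectNodes('domainAccounts/account'))
    # KB rule: accounts >= worker processes, or the player logs "Number of available
    # domain accounts is lower than maximal number of worker processes."
    if ($accounts.Count -lt $workers) {
        $problems += "$($accounts.Count) domain account(s) for $workers worker processes"
    }
    foreach ($acct in $accounts) {
        foreach ($field in 'username', 'password') {
            $bad = Get-WpmIllegalChars -Value $acct.GetAttribute($field)
            if ($bad.Count) {
                $problems += "$field of '$($acct.GetAttribute('username'))' contains $(-join $bad)"
            }
        }
    }
    return $problems
}

# Usage, with the path the KB gives. Until the service starts and encrypts them,
# the passwords in this file are plaintext, so keep its ACL limited to administrators.
Test-WpmAgentConfig 'C:\Program Files (x86)\SolarWinds\Orion\SEUM\Player\SolarWinds.SEUM.Agent.Service.exe.config'
```

An empty result means the file passes both rules; anything printed is a reason the Player would still fail after the AgentSettings.dat reset.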

     

     

    (Optional) WPM Player Setup: Manually Adding Local Accounts to WPM Player

    Note:

    • This portion of the KB applies to WPM version 1.5 and higher.
    • The WPM Player service account should have the same username/password as on the remote web server.
    • You will be using local accounts (preferably the built-in SEUM-User- accounts)
    • Set one password for the local accounts

     

    Setup the SEUM Accounts to use a new password

    1. Go into Control Panel > Users
    2. Select Manage Users
    3. Select the SolarWinds-SEUM-Users

    Using the same password for all SolarWinds-SEUM-Users is preferred for the configuration step.

     

    Configure the WPM Player Services to use the new passwords for SolarWinds-SEUM-Users

    1. Navigate to the SolarWinds.SEUM.Agent.Service.exe.config file located in the install location of the SEUM Player, C:\Program Files (x86)\SolarWinds\Orion\SEUM\Player.
    2. Look for <agentConfiguration
    3. Update the following fields to the values you want:

    workerUserGroup="SolarWinds-SEUM-Users"
    workerUserNamePrefix="SEUM-User-"
    workerUserPasswordOverride=""

    4. Save the file.
    5. Changes are not reflected until AgentSettings.dat has been reset.

    SEE Reset AgentSettings.dat under Troubleshooting

    (Optional) Export/Import the certificate

    Not officially needed, but available as a reference.

    Export the certificate

    1. Right-click > All Tasks > Export.
    2. Cancel if it asks for a reader.
    3. Select Next
    4. No to exporting the private key
      1. Select Yes if you are able to. This eases certificate deployment, as WPM can then store the certificate.
    5. DER encoded, as .cer
    6. Select a location, Save.

     

    Import Certificate on the Recorder/Player System

    1. Copy the certificate to the Player and Recorder system being used.
    2. Log in as that user.
    3. Double-click the certificate
    4. Select Current User, Next.
    5. Place all certificates in the following store > Browse, select Personal; Next.
    6. Finish, OK.

     

    Troubleshooting

     

    • Reset AgentSettings.dat
      1. Remove the file AgentSettings.dat. Removing this file will also remove all configuration done by the Player settings tool. The file is located in "C:\ProgramData\Solarwinds\SEUM\Data"
      2. Restart the SolarWinds WPM Playback Service and WPM Playback Proxy service.
        1. Accounts are recreated with the password specified in the config file

     

    • Making sure the right type of certificate is used
      • Is the certificate installed on this system?
      • Is the certificate in the WPM service user's Personal store?
        • See the following subjects above:
          • Creating the certificate for the WPM Recorder & Players
          • Export/Import the certificate
      • Is it the right type of certificate?
        • Open the certificate. Under the Details tab, check "Enhanced Key Usage".
          • It should only show "Client Authentication (1.3.6.1.5.5.7.3.2)"
          • If not, see Create the Certificate Template from the Certificate Authority Server
            • If it does not contain only "Client Authentication", WPM will not see the certificate and does not know how to use it.

    • WPM does not show a pop-up to select a certificate, only username and password fields
      • Check in Internet Explorer to see if it prompts for a certificate
        • If IE works, this points to a permission/security issue.
          • Run the WPM Recorder with the recommended settings
      • The certificate is not installed on this system
      • The certificate is not in the user's Personal store
      • Open the certificate. Under the Details tab, check "Enhanced Key Usage".
        • It should only show "Client Authentication (1.3.6.1.5.5.7.3.2)"
      • If it does not contain only "Client Authentication", WPM will not see the certificate and does not know how to use it.

    • I can select certificates, but cannot see the certificate required to authenticate to the site in WPM
      • The certificate is not installed on this system
      • The certificate is not in the user's Personal store
      • Open the certificate. Under the Details tab, check "Enhanced Key Usage".
        • It should only show "Client Authentication (1.3.6.1.5.5.7.3.2)"
      • If it does not contain only "Client Authentication", WPM will not see the certificate and does not know how to use it.
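    The three checklists above all come down to the same test on the certificates in the WPM account's Personal store. The following PowerShell script is an added example, not SolarWinds code: it reads the Enhanced Key Usage extension of each certificate and reports whether it matches what the KB requires (Client Authentication, 1.3.6.1.5.5.7.3.2, and nothing else), and also whether the private key is present and the certificate is unexpired. The function name Test-WpmClientCertificate is my own.

```powershell
# Added example (not SolarWinds code): applies the KB's certificate test to
# every certificate in the logged-in account's Personal store. Run it while
# logged on as the WPM Player/Recorder account, on each player machine.
using namespace System.Security.Cryptography.X509Certificates

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication, per the KB

function Test-WpmClientCertificate {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    # Collect the Enhanced Key Usage OIDs; WPM needs exactly one, Client Authentication.
    $ekuExt = $Certificate.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $reasons = @()
    if ($ekus.Count -eq 0) { $reasons += 'no Enhanced Key Usage' }
    elseif ($ekus -notcontains $ClientAuthOid) { $reasons += 'missing Client Authentication' }
    elseif ($ekus.Count -gt 1) { $reasons += 'extra purposes (WPM needs Client Authentication only)' }
    # TLS client authentication signs with the private key; a certificate imported
    # from a .cer without its key cannot log in.
    if (-not $Certificate.HasPrivateKey) { $reasons += 'no private key in this store' }
    if ($Certificate.NotAfter -lt (Get-Date)) { $reasons += 'expired' }

    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Thumbprint  = $Certificate.Thumbprint
        NotAfter    = $Certificate.NotAfter
        Eku         = ($ekus -join ' ')
        UsableByWpm = ($reasons.Count -eq 0)
        Reason      = ($reasons -join '; ')
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-WpmClientCertificate -Certificate $_ } |
    Format-Table Subject, UsableByWpm, Reason, Eku -AutoSize
```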

     

    • Error "Number of available domain accounts is lower than maximal number of worker processes."
      1. Navigate to the SolarWinds.SEUM.Agent.Service.exe.config file located in the install location of the SEUM Player, C:\Program Files (x86)\SolarWinds\Orion\SEUM\Player.
      2. Look for numWorkerProcesses
      3. The number of accounts given must be greater than or equal to the number of worker processes
      4. Save the file. Restart the services.
    • Players are having problems authenticating automatically.

    If WPM Players are having authentication problems when playing back recordings, check whether the recorded web site uses Windows authentication for its login process. Some computer systems are set up to pass through Windows credentials without prompting for a username and password, and if you create a recording on such a computer, the username and password required for the web site will not be saved with the recording. This may result in an authentication problem when the recording is played back on a different computer.

    To ensure that the Recorder always automatically authenticates with the logged-in username and password for web sites protected by Windows authentication:

    1. Run the Recorder under a local user account instead of a domain account.
    2. Select Enable Integrated Windows Authentication on the Advanced tab of the IE Internet Options settings; you may also need to scroll to the bottom and also select . This option requires a restart of Internet Explorer.

    WPM5.png

    I cannot find what the problem is. How can I get enough information to properly assist Support to resolve this issue?

    1. Set up logging and download files from the WPM Players. (Use when a Player transaction is not working)
      1. Go into Settings > WPM Settings > Manage Player Locations.
      2. Select the checkbox next to the Player in question, select Edit.
      3. Expand Troubleshooting.
      4. Change Log Level to VERBOSE
      5. Select Submit
      6. Wait at least 2x the polling cycle (default 5 minutes) to ensure at least one recording is captured.
      7. Select the checkbox next to the Player in question, select Edit.
      8. Expand Troubleshooting.
      9. Select Generate New Diagnostics
      10. Wait for the file to become available, then select Download.

     

    2. Enable logging for the WPM Player directly (use if #1 fails to set logging)
      1. Go to C:\Program Files (x86)\SolarWinds\Orion\SEUM\Player
      2. Select LogAdjuster.exe
      3. Change the options to VERBOSE.
      4. Select Apply, then Close.

     

    3. Enable logging for the WPM Recorder (use when the Recorder works, but the Player is not working)
      1. Go to C:\Program Files (x86)\SolarWinds\Orion\SEUM\Recorder
      2. Select LogAdjuster.exe
      3. Change the options to VERBOSE.
      4. Select Apply, then Close.

     

    4. Enable logging for the WPM Server (issues with the Web Console or the polling of data)
      1. Run Log Adjuster (by default at "C:\Program Files (x86)\SolarWinds\Orion\LogAdjuster.exe")
      2. Find WPM and select DEBUG (you need to select DEBUG even if it is already selected)
      3. Verify that, in the whole WPM table, the value under the Control column is set to DEBUG
      4. Hit Apply
      5. Run Orion Diagnostics (by default at "C:\Program Files (x86)\SolarWinds\Orion\SolarwindsDiagnostics.exe")
      6. Press Start and save the zip file.
      7. Provide this zip file to Support in your support case.