SETUP SMART CARD (CAC/PKI) USER AUTHENTICATION FOR ORION WEB CONSOLE

Version 2

    Author’s Note: This is for Orion Core 2017.1 and higher. For older versions, please go here.

     

    PURPOSE: Orion uses a self-signed SSL certificate by default. This guide walks through replacing it with a Domain Certificate issued by your Root CA, then setting up and troubleshooting Smart Card (CAC/PKI) authentication and login. It also covers the additional steps needed for Single Sign-On with Smart Card authentication.

     

    RESOLUTION: Follow these steps to enable Smart Card authentication

                Designed For Windows Server 2012, 2012 R2, and 2016.

     

    Browsers Tested:

    • Internet Explorer
    • Mozilla Firefox
    • Google Chrome

     

    PREREQUISITES: Make sure the following are in place before you start.

      1. Add at least one Active Directory account to the Web Console before attempting this. Once all steps are complete, the built-in Admin account will no longer be able to log in, because Windows Authentication replaces the Orion login form.
      2. Windows Account Automatic Login is enabled, or you follow the steps under Setup Configuration Wizard for the next use.

    Note: Once this is in place, every time you run the Configuration Wizard select Skip HTTP Binding under Website Settings (this is covered in the documentation below). If you forget, the wizard restores the default website settings, and Secure the Site for Authentication Access and Phase II will need to be redone.

     

    PHASE I: SSL CERTIFICATE SETUP

    Go into IIS:

      1. Go into Start> Control Panel> Administrative Tools> Internet Information Services (IIS) Manager
      2. Select the Server
      3. Select Server Certificates

    Create a Domain Certificate (if you have a valid CA in the Domain, use this option)

      1. On the right, under Actions, select Create Domain Certificate.
      2. Enter the Common Name.
          • This must be the host name or fully qualified name that users will type into the browser.
          • A short name works if there is a CNAME (or A) record in DNS that resolves it to the SolarWinds server.
          • The Common Name must match the host name in the Web Console URL; otherwise browsers flag the site as untrusted and features that call the URL (Export to PDF, Reports) may fail.
      3. Fill in Organization, Organizational Unit, City, State and Country. These fields are required but are not validated; only the Common Name affects whether the certificate is accepted.
      4. Click Next.
      5. Click Select and choose the Certificate Authority.
        1. If nothing is listed, no enterprise CA is available in the domain. You can fall back to a Self-Signed Certificate, but clients will not trust it until it is imported into their Trusted Root store.
      6. Enter a Friendly Name.
        1. This is the name you pick in Set Web Server Certificate, Step 8, and every time you run the Configuration Wizard on the website. It is only a label inside IIS; the Common Name is what must match the URL.

     

     

    Set Web Server Certificate

    After completing the Domain Certificate steps:

      1. In IIS, expand the Server and then Sites.
      2. Select SolarWinds NetPerfMon.
      3. Right-click and select Edit Bindings.
      4. Click Add.
      5. Change Type to https.
      6. IP Address: All Unassigned.
      7. Port: 443.
      8. SSL Certificate: select the certificate by its Friendly Name.

    Secure the Site for Authentication Access

      1. Expand the Sites folder to SolarWinds NetPerfMon.
      2. Under IIS, select Authentication.
      3. Disable Anonymous Authentication.
      4. Disable Forms Authentication. Note: If your environment requires forms authentication, attempt these configuration changes with forms authentication left enabled.
      5. Enable Windows Authentication.
      6. Click the back button at the top of the screen to return to the SolarWinds NetPerfMon Home view.
      7. The following must be set for the browser to show the certificate selection prompt when users access the website:
        • Click SSL or SSL Settings.
        • Check Require SSL.
        • Under Client Certificates, select Require, then click Apply at the top right.
      8. Browse to https://<CommonName>/Orion/Login.aspx, where <CommonName> is the host name you entered as the certificate's Common Name (this is the name that must appear in the URL; the Friendly Name is only a label in IIS).
        1. If you get a certificate error or a red X, the name in the certificate does not match the URL you entered, or the issuing CA is not trusted by the client. Open the certificate; the "Issued To:" field shows the name to use in the URL.
        2. If Internet Explorer shows a padlock, or Chrome and Firefox show a green indicator, the certificate is trusted and the name matches.
      9. After you select the certificate and log in, the Orion login page may still appear. This is because Windows Account Automatic Login is not yet enabled.
        1. After logging in, go to Settings > Web Console Settings, set Windows Account Login to Enable automatic login, and click Submit.
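    The Phase I steps (certificate selection, HTTPS binding, authentication and SSL settings) as one PowerShell script, added here as an example; it is not part of the original KB and not SolarWinds code. It assumes the site is named SolarWinds NetPerfMon as shown above, the WebAdministration and PKI modules that ship with Windows Server 2012 and later, and a placeholder host name orion.corp.example.com that you replace with your own. Before changing IIS it performs the check the KB has you do by eye in the browser: the certificate's name must match the URL host and its chain must be trusted, or you will see the red X.

```powershell
#Requires -RunAsAdministrator
# Added example (not SolarWinds code): Phase I in script form. Site name is the one in
# the KB; the host name is an assumed placeholder and must equal the certificate Common Name.
Import-Module WebAdministration

$SiteName = 'SolarWinds NetPerfMon'
$HostName = 'orion.corp.example.com'   # assumed placeholder; the name users will type

# 1. Locate the server certificate issued to the URL host name. The Friendly Name is only
#    a label; browsers compare the URL against the Subject CN / Subject Alternative Names.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.Subject -eq "CN=$HostName" -or $_.DnsNameList.Unicode -contains $HostName) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key is issued to $HostName" }

# Fail before touching IIS on the conditions the troubleshooting section blames for the red X:
# name mismatch, untrusted chain, or no Server Authentication EKU (1.3.6.1.5.5.7.3.1).
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $HostName -EKU '1.3.6.1.5.5.7.3.1')) {
    throw "Certificate $($cert.Thumbprint) is not valid for https://$HostName (check CN and CA trust)"
}

# 2. Set Web Server Certificate: https binding on all IPs, port 443, with this certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }
New-Item $sslBinding -Value $cert | Out-Null

# 3. Secure the Site for Authentication Access: anonymous off, Windows on, Forms off.
#    These sections are locked at server level, so they are written at APPHOST with -Location.
$appHost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
# "Forms Authentication" in IIS Manager is system.web/authentication in the site's web.config.
# Any mode other than Forms shows as Disabled there; Windows is chosen here so ASP.NET sees
# the same identity IIS authenticated.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$SiteName" -Filter 'system.web/authentication' -Name mode -Value 'Windows'

# 4. SSL Settings: Require SSL and Client Certificates = Require. Without SslRequireCert
#    the browser never asks for a certificate and the login form appears instead.
Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# Recovery for the "white screen" case in Troubleshoot Issues: keep Require SSL, but set
# Client Certificates back to Ignore so the console loads while you retrace the steps.
function Reset-ClientCertRequirement {
    Set-WebConfigurationProperty -PSPath $appHost -Location $SiteName -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
}

# Read back the result before running the Phase II test from a workstation.
Get-WebBinding -Name $SiteName | Format-Table protocol, bindingInformation -AutoSize
Get-WebConfiguration -PSPath $appHost -Location $SiteName -Filter 'system.webServer/security/access' | Select-Object sslFlags
```

    Run it once on the Orion server after the Domain Certificate has been issued. If Test-Certificate fails, fix the certificate first; binding a mismatched certificate only moves the red X from IIS Manager to every user's browser.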

     

     

    Optional: SQL Server database change to reflect SSL enabled and new URL

    Note: Only needed when the URL users connect to is not the fully qualified name of the server.

      1. Log on to your Orion server.
      2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Database Manager. (Elevated privileges are required to run this application.)
      3. Click Add Default Server.
      4. Expand your Orion database in the left pane. The default database name is SolarWindsOrion or NetPerfMon.
      5. Right-click the Websites table, and then click Query Table.
      6. Click Execute to see the current row(s).
      7. The <ServerName> value is the host name from the certificate's Common Name, which is also the host name in the URL.
        1. If you are not sure what it is, do not update this column.
      8. Replace the default query with the following (note the comma after each SET value):

         UPDATE dbo.Websites SET ServerName='<ServerName>', Port='443', SSLEnabled=1 WHERE Type='primary'

      9. Click Execute Query.
      10. Right-click the Websites table again, select Query Table, and click Execute Query.
      11. Make sure ServerName is correct, Port is 443, and SSLEnabled is 1 if SSL is to be required.
      12. Restart the SolarWinds Information Service V3 so that the Alerting and Reporting engines use the new URL for all actions. The Orion Web Link in the Start menu is updated at the same time.
      13. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
      14. Select SolarWinds Information Service V3 and click Restart (or Stop, then Start).
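    The same database change as a script, added here as an example (not from the KB, not SolarWinds code). Instead of typing the ServerName by hand, it reads it from the certificate actually bound to port 443, so the Websites table, the URL and the certificate Common Name cannot drift apart, then verifies the row and restarts the Information Service. It assumes Invoke-Sqlcmd from the SqlServer module (SQLPS on older servers), placeholder values for the SQL instance and database name, and that the account running it can write to the Orion database.

```powershell
#Requires -RunAsAdministrator
# Added example: align dbo.Websites with the HTTPS binding. Not SolarWinds code.
Import-Module WebAdministration
Import-Module SqlServer      # provides Invoke-Sqlcmd (older servers: Import-Module SQLPS)

$SqlInstance = 'SQL01\SOLARWINDS'   # assumed placeholder; your Orion database server
$Database    = 'SolarWindsOrion'    # default name per the KB (or NetPerfMon)

# Derive the URL host name from the certificate bound to 0.0.0.0:443 (Phase I).
$binding    = Get-Item 'IIS:\SslBindings\0.0.0.0!443'
$cert       = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"
$ServerName = (($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', '')
if (-not $ServerName) { throw 'Certificate bound to :443 has no Common Name; fix Phase I first' }
# The value is spliced into SQL text by sqlcmd, so only accept a plain DNS host name.
if ($ServerName -notmatch '^[A-Za-z0-9.-]+$') { throw "Unexpected Common Name '$ServerName'" }

$common = @{ ServerInstance = $SqlInstance; Database = $Database; ErrorAction = 'Stop' }
$select = "SELECT ServerName, Port, SSLEnabled FROM dbo.Websites WHERE Type = 'primary'"

# Before: there must be exactly one primary website row to update.
$before = @(Invoke-Sqlcmd @common -Query $select)
if ($before.Count -ne 1) { throw "Expected one primary row in dbo.Websites, found $($before.Count)" }
"Before: $($before[0].ServerName):$($before[0].Port) SSLEnabled=$($before[0].SSLEnabled)"

# Update via a sqlcmd scripting variable rather than string concatenation.
$update = @'
UPDATE dbo.Websites
SET    ServerName = '$(ServerName)', Port = 443, SSLEnabled = 1
WHERE  Type = 'primary';
'@
Invoke-Sqlcmd @common -Variable "ServerName=$ServerName" -Query $update

# After: read back and fail loudly if the change did not take (KB steps 10-11).
$after = @(Invoke-Sqlcmd @common -Query $select)[0]
if ($after.ServerName -ne $ServerName -or $after.Port -ne 443 -or -not $after.SSLEnabled) {
    throw 'dbo.Websites update did not apply'
}
"After:  $($after.ServerName):$($after.Port) SSLEnabled=$($after.SSLEnabled)"

# KB steps 12-14: restart the Information Service so alerts and reports use the new URL.
Get-Service -DisplayName 'SolarWinds Information Service V3*' | Restart-Service -Verbose
```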

     

     

    Phase II: Testing to make sure it all works.

      1. Open a browser on your workstation and go to the Orion URL from Phase I.
      2. When prompted, select the certificate and enter the PIN of a domain user that was already added in Orion.
      3. You should land on the Summary screen without seeing the Orion login form.

     

    Troubleshoot Issues

     

    Configuration Wizard Reports Web Request for /Orion/Login.aspx failed

     

    From now on, the Configuration Wizard reports Web Request for /Orion/Login.aspx failed at the end of a run. This is expected after the Phase I authentication and SSL changes: the wizard's check requests the login page over plain HTTP on port 80, which no longer has a binding. The site still works; ignore the message.

     

    To confirm, open C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log and search for Web Request for /Orion/Login.aspx failed. If the same line reports No connection could be made because the target machine actively refused it 127.0.0.1:80, port 80 (HTTP) is not listening. Re-adding an HTTP binding on port 80 makes the error disappear; as long as Require SSL stays set on the site, plain-HTTP requests are then refused with HTTP 403.4 rather than served.

     

    From Phase I:

        • The following errors all mean that the certificate's Common Name does not match the host name in the URL, or that the client does not trust the issuing CA. Re-create the certificate with a Common Name equal to the URL that all users will connect to.
          • Internet Explorer: Red X, There is a problem with this website’s security certificate.
          • Google Chrome: Your connection is not private
          • Firefox: Untrusted Connection or Your Connection is Untrusted
        • If the certificate shows as invalid or with a red X, Export to PDF and Reports may not function correctly, because the reporting engine calls the console URL itself and gets the same certificate error. The Common Name needs to match the URL.

    If you only see a white screen after these steps, you probably missed a step. To regain access, go back to SSL Settings and change Client Certificates from Require to Ignore (leave Require SSL checked). The Web Console will load as before, and you can retrace the steps.

       

      From Phase II

       

      If the user is not prompted for a certificate, or cannot select one, browser settings are the cause.

      Internet Explorer:

          1. Press the Alt key to show the menu bar (IE 10 and newer), then select File > Properties.
          2. Note the Zone shown; you need it in Step 5.
          3. Select the Gear (Settings) > Internet Options.
          4. Select the Security tab.
          5. Select the zone noted in Step 2 and click Custom Level.
            1. Rather than relaxing the zone the site currently falls into (often Internet), add the site to Trusted Sites and apply the settings below to that zone:
              1. Select Trusted Sites.
              2. Click Sites.
              3. Click Add (the URL is pre-filled if the site is open).
              4. Click Close.
          6. Scroll to the bottom; the last section is User Authentication > Logon.
            1. If the user has only one certificate and wants single sign-on, select Automatic logon with current user name and password. This logs in with the account the user is logged on to Windows with.
            2. If the user has several certificates and wants to choose, select Prompt for user name and password.
            3. The certificate picker itself is controlled by a separate option in the same Custom Level list, under Miscellaneous: Don't prompt for client certificate selection when only one certificate exists. Enable it to auto-select a lone certificate, disable it to always be asked.
          7. Refresh or restart the browser. You may need to clear the cache for the change to take effect.

      Mozilla Firefox: (only needed if it fails)

          1. In the Firefox address bar, enter about:config.
          2. In the Filter field, enter network.automatic-ntlm-auth.trusted-uris.
          3. Double-click the preference name listed (network.automatic-ntlm-auth.trusted-uris).
          4. In the Enter string value window, enter a comma-separated list of the URLs of the Orion Web Consoles for which you want to enable AD access, for example: https://OrionServer1,http://OrionServer2,https://OrionWANMonitor
          5. Click OK. Note: You may need to restart Firefox for this configuration to take effect.
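      The Internet Explorer zone and logon settings and the Firefox preference described above, applied by script for one user. This is an added example, not part of the KB and not SolarWinds or Mozilla code. It assumes a placeholder host orion.corp.example.com, the standard per-user Internet Settings registry layout (zone 2 is Trusted sites; value 1A00 is User Authentication > Logon; value 1A04 is the client-certificate prompt), and a Firefox profile under %APPDATA%. Run it in the context of the user whose browsers you are fixing.

```powershell
# Added example (not SolarWinds or Mozilla code): push the browser settings from the
# troubleshooting steps above. $OrionHost is an assumed placeholder.
$OrionHost = 'orion.corp.example.com'
$OrionUrl  = "https://$OrionHost"

$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$Trusted = 2   # zone ids: 0 Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted

# Step 5.1: add the site to Trusted sites. IE stores this as
# ZoneMap\Domains\<registrable domain>\<host part> with a value named after the scheme.
$labels = $OrionHost.Split('.')
if ($labels.Count -le 2) {
    $key = Join-Path $zoneMap $OrionHost                 # short name (CNAME) or bare domain
} else {
    $domain   = $labels[-2..-1] -join '.'                # example.com
    $hostPart = $labels[0..($labels.Count - 3)] -join '.' # orion.corp
    $key = Join-Path (Join-Path $zoneMap $domain) $hostPart
}
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'https' -Value $Trusted -Type DWord

# Step 6: User Authentication > Logon for the Trusted sites zone (value 1A00).
#   0x00000 Automatic logon with current user name and password  (single-cert / SSO users)
#   0x10000 Prompt for user name and password                     (users who want a choice)
#   0x20000 Automatic logon only in Intranet zone (IE default)    0x30000 Anonymous logon
$zoneKey = Join-Path $zones $Trusted
Set-ItemProperty -Path $zoneKey -Name '1A00' -Value 0x00000 -Type DWord
# Step 6.3: the certificate picker is a separate setting, 1A04 "Don't prompt for client
# certificate selection when only one certificate exists": 0 = Enable (auto-select), 3 = Disable.
Set-ItemProperty -Path $zoneKey -Name '1A04' -Value 0 -Type DWord

# Firefox: write the about:config preference to user.js in each local profile. user.js is
# read at every start-up and overrides prefs.js, which Firefox rewrites on exit.
$profiles = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    $userJs = Join-Path $p.FullName 'user.js'
    $line   = "user_pref(`"network.automatic-ntlm-auth.trusted-uris`", `"$OrionUrl`");"
    $keep   = @()
    if (Test-Path $userJs) {
        $keep = @(Get-Content $userJs | Where-Object { $_ -notmatch 'network\.automatic-ntlm-auth\.trusted-uris' })
    }
    Set-Content -Path $userJs -Value ($keep + $line) -Encoding ASCII
    "Firefox profile $($p.Name): trusted-uris set to $OrionUrl"
}
```

      Pushing the same values through Group Policy Preferences (User Configuration > Preferences > Windows Settings > Registry) is the equivalent for a fleet; the paths and value names are the same.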

                          These instructions are adapted from Mozilla's "Enabling NTLM Authentication (Single Sign-On) in Firefox".

      Everyone else can log in except for a few users: "User is required Interactive Logon for this system"

      If a user sees the above error, Group Policy is blocking that user from logging on to the SolarWinds server. IIS authenticates the user against Windows with the same logon rights that apply when the user logs on to the system directly.

        1. Open Local Security Policy on the server directly, or Group Policy Management for the GPO that applies to it.
        2. Go to Computer Configuration\Windows Settings\Security Settings\Local Policies\ and check both Security Options and User Rights Assignment.
        3. In User Rights Assignment, make sure the affected users (or a group they belong to) appear in Allow log on locally and Access this computer from the network, and do not appear in Deny log on locally or Deny access to this computer from the network. Deny entries win over Allow entries.
        4. Other logon errors can be traced in the Security event log on the SolarWinds server (Event ID 4625, Failure Reason and Sub Status). Use the Microsoft page Interactive Logon Tools and Settings: Logon and Authentication to map the Event ID or message to the setting causing the issue.
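        A script for steps 3 and 4 above, added here as an example (not from the KB, not SolarWinds code). It exports the effective local security policy on the Orion server, shows who holds the interactive and network logon rights and the matching Deny rights, flags the user if a Deny right names them directly, and then lists that user's recent 4625 logon failures with the NTSTATUS decoded. It assumes a placeholder account CORP\jdoe; group-based denies appear in the printed lists for you to compare against the user's memberships.

```powershell
#Requires -RunAsAdministrator
# Added example (not SolarWinds code): why is one domain user refused? Run on the Orion server.
$User = 'CORP\jdoe'   # assumed placeholder

# 1. Export the effective policy (what the GPO actually applied) and parse the logon rights.
#    IIS Windows Authentication performs a network logon (type 3), so the network rights
#    matter as well as the interactive ones the error message talks about.
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' | ForEach-Object { $_.Trim() })
    }
}
Remove-Item $cfg

function Resolve-Sid([string]$sid) {
    # secedit writes SIDs as *S-1-5-...; translate to names where possible.
    try { (New-Object System.Security.Principal.SecurityIdentifier($sid.TrimStart('*'))).Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid }
}
$userSid = (New-Object System.Security.Principal.NTAccount($User)).Translate([System.Security.Principal.SecurityIdentifier]).Value

foreach ($r in 'SeInteractiveLogonRight','SeDenyInteractiveLogonRight','SeNetworkLogonRight','SeDenyNetworkLogonRight') {
    $names = @($rights[$r] | Where-Object { $_ } | ForEach-Object { Resolve-Sid $_ })
    '{0,-28} {1}' -f $r, ($names -join ', ')
    if ($r -like 'SeDeny*' -and $rights[$r] -contains "*$userSid") { Write-Warning "$User is explicitly listed in $r" }
}

# 2. Recent logon failures for that account. 4625 carries the NTSTATUS that names the cause.
$causes = @{
    '0xC000015B' = 'logon type not granted (missing Allow right or matching Deny right)'
    '0xC0000072' = 'account disabled';            '0xC0000234' = 'account locked out'
    '0xC0000064' = 'user name does not exist';    '0xC000006A' = 'bad password'
    '0xC0000413' = 'blocked by selective authentication (authentication firewall)'
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ("$($d.TargetDomainName)\$($d.TargetUserName)" -ieq $User) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = $d.LogonType       # 3 = network (IIS), 2 = interactive
                Status    = $d.Status
                SubStatus = $d.SubStatus
                Cause     = $(if ($causes[$d.SubStatus]) { $causes[$d.SubStatus] } else { $causes[$d.Status] })
            }
        }
    } | Format-Table -AutoSize
```

        A Status of 0xC000015B with logon type 3 points at Access this computer from the network (or its Deny counterpart), not at the interactive rights, even though the user sees an interactive-logon message.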

       

      After I enter my PIN, I am prompted for my account username and password.

                Enable Windows Account Automatic Login.

                Go to Settings > Web Console Settings > Windows Account Login, set it to Enable Automatic Login, and click Submit at the bottom.

                If you have to repeat this after every run of the Configuration Wizard, follow the steps under Setup Configuration Wizard for the next use.