Version 12

    Author’s Note: For Orion Core 2016 and older, please go here.

     

    PURPOSE: Set up Smart Card Authentication in compliance with the DISA STIG rules on authentication and security.

    Orion uses a self-signed SSL certificate by default, which satisfies IIS 8.5 web server secure encrypted... . This guide walks through setup with a Domain Certificate or a certificate from a Root CA, and then through setting up and troubleshooting Smart Card Authentication and login. It also covers the additional steps needed for Single Sign-On with Smart Card Authentication.

     

    PREREQUISITES: Make sure you have the following in place before following this document.

      • Designed for Windows Server 2012 R2 and 2016
      • Orion Additional Web Server or main SolarWinds server. I have my Smart Card authentication on an Additional Web Server, and standard authentication on my main server (which I turn off or limit access to).
      • Log in to the Orion Web Console and add the Active Directory accounts or groups of the Smart Card users before making these changes. Once all steps are enabled, the Admin account will not be able to log in.
      • The SolarWinds server should be on the domain/forest the Smart Card users authenticate against (the IIS Client Certificate Mapping option is used later on).
      • Smart Card authentication is actively working in the environment.
      • TLS 1.2 is enabled. Enable TLS 1.2 in Orion Platform products (see below).

                        A restart is required for the change to take effect. Run the following in PowerShell, then reboot the system (IIS website already configured for STIG). STIG: IIS 8.5 web server session IDs must be sent to the client using TLS. Note that Set-ItemProperty fails if the TLS 1.2\Server key does not already exist; create the key first in that case.

         Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "DisabledByDefault" -value 0

         Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -Name "Enabled" -value 1

         Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server"
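    The same change as a script, added here as an example and not part of the original guide: it creates the SCHANNEL keys when they are missing (the "TLS 1.2\Server" key is often absent on a fresh server, and Set-ItemProperty cannot create it), sets the two values, and reads them back so the reboot is not wasted. It goes one step beyond the guide by also enabling the Client side, which the server uses for its own outbound TLS. It assumes an elevated PowerShell session on the Orion web server.

```powershell
# Added example (not from the guide). Enable TLS 1.2 in SCHANNEL for both sides,
# creating the registry keys first, then verify. Assumes an elevated session.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Enable-Tls12Side {
    param([ValidateSet('Server', 'Client')][string]$Side)
    $path = Join-Path $base $Side
    if (-not (Test-Path $path)) {
        # -Force also creates the missing "TLS 1.2" parent key
        New-Item -Path $path -Force | Out-Null
    }
    # Both values are REG_DWORD; 0/1 are the values the guide sets for the Server side
    Set-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 0 -Type DWord
    Set-ItemProperty -Path $path -Name 'Enabled'           -Value 1 -Type DWord
}

function Test-Tls12Side {
    param([ValidateSet('Server', 'Client')][string]$Side)
    $v = Get-ItemProperty -Path (Join-Path $base $Side) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Side              = $Side
        Enabled           = $v.Enabled
        DisabledByDefault = $v.DisabledByDefault
        Compliant         = ($v.Enabled -eq 1 -and $v.DisabledByDefault -eq 0)
    }
}

foreach ($side in 'Server', 'Client') { Enable-Tls12Side -Side $side }
'Server', 'Client' | ForEach-Object { Test-Tls12Side -Side $_ } | Format-Table -AutoSize
# SCHANNEL only picks the change up after a reboot.
```

    Run it, confirm both rows show Compliant = True, then reboot.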

     

    Browsers Tested: (works unless noted)

    • Google Chrome
    • Microsoft Edge
    • Microsoft Internet Explorer
    • Mozilla Firefox (does not work for me, I get a blank screen)
    • Opera
    • Vivaldi

     

     

    PHASE 1: Create SSL Certificate

    Note: Skip to Phase 2 if the certificate for the system has been created.

    The IIS 8.5 web server must perform RFC 5280-compliant certification path validation.

     

    Create the certificate in IIS

         This is the IIS (SHA-1) certificate creation method. Create the certificate as follows.

    Go into IIS:

      1. Go into Start > Control Panel > Administrative Tools > Internet Information Services (IIS) Manager
      2. Select the Server
      3. Select Server Certificates
        • Self Signed: How to: Configure an IIS-hosted WCF service with SSL | Microsoft Docs
        • Create a Domain Certificate (if you have a valid CA in the Domain, use this option)
          1. On the right under Actions, select Create Domain Certificate.
          2. Enter the Common Name
            • This should be the hostname, fully qualified domain name, or a name that will become a DNS CNAME that the users connect to.

            • A short name is possible if you have a CNAME record in the DNS Server that resolves the short name to the SolarWinds Server.

            • The Common Name is required to match the name in the Web URL for all functions to work and for the site to be considered safe and trusted.

          3. Fill in Organization, Organizational Unit, City, State and Country. These just need to be filled in; they do not need to be factually correct.
          4. Select Next
          5. Select the Select button and select the Certificate Authority.
          6. If you do not see anything to select, create a Self-Signed Certificate instead.
          7. Enter a Friendly Name
            • This name is what you select under Set Web Server Certificate, Step 8, and every time you run the Configuration Wizard on the website.

     

    Create Certificate using Microsoft Management Console method (SHA256 Support)

    To be in compliance with the STIG, a production IIS 8.5 web server must utilize SHA2 encryption for the Machine Key. Use this method, then use the link to enable SHA-256.

    Note: If you want to set up SHA-256, please use other online guides for setting up the Certificate Authority certificate template for IIS with SHA-256.

         Quick rundown:

      1. Run as a user with certificate creation abilities: run Command Prompt as another user, log in, and enter MMC
      2. In the Microsoft Management Console, select File > Add/Remove Snap-In, double-click Certificates, Computer Account, select Local Computer, Finish.
      3. Click Certificates > Local Computer > Personal > Certificates.
      4. Right-click in the white space on the right and select All Tasks > Request New Certificate.
      5. Select Next > Active Directory Enrollment Policy, Next
      6. Expand the Web Server template (or a custom template with Application policy: Server Authentication) and select Properties.
      7. Enter a Friendly Name
        1. Go into Personal > Request a new Personal Certificate.
        2. Select the Certificate Template you created to create a new certificate.
        3. Once it is created, you will be able to select it as a Certificate in IIS and follow the steps below.
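    Before picking a certificate in IIS it is worth checking what the machine store actually holds. The following read-only check is an added example, not part of the original guide: it lists the computer certificates IIS could bind, flags SHA-1 signatures (the STIG wants SHA-2), a missing Server Authentication EKU, a missing private key and expiry, and runs Windows' own RFC 5280 chain validation under the SSL policy via Test-Certificate (PKI module). It assumes an elevated session on the Orion web server and hard-codes no names.

```powershell
# Added example (not from the guide): report on LocalMachine\My certificates and
# flag the ones that would not satisfy the SHA-2 / Server Authentication requirement.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-WebServerCertReport {
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert    = $_
        $ekus    = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $sigAlg  = $cert.SignatureAlgorithm.FriendlyName      # e.g. sha256RSA, sha1RSA
        # RFC 5280 path validation with the SSL policy; $false plus a warning on failure
        $chainOk = Test-Certificate -Cert $cert -Policy SSL -WarningAction SilentlyContinue -ErrorAction SilentlyContinue

        $issue = if ($sigAlg -match '^sha1')               { 'SHA-1 signature (not SHA-2)' }
                 elseif ($ekus -notcontains $serverAuthOid) { 'no Server Authentication EKU' }
                 elseif (-not $cert.HasPrivateKey)          { 'no private key' }
                 elseif ($cert.NotAfter -lt (Get-Date))     { 'expired' }
                 elseif (-not $chainOk)                     { 'chain does not validate' }
                 else                                       { '' }

        [pscustomobject]@{
            FriendlyName = $cert.FriendlyName
            Subject      = $cert.Subject
            DnsNames     = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
            SignatureAlg = $sigAlg
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            Issue        = $issue
        }
    }
}

Get-WebServerCertReport | Sort-Object NotAfter -Descending | Format-Table -AutoSize
```

    Only a row with an empty Issue column is a candidate for the bindings in Phase 2; the DnsNames column is what the browser compares against the URL.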

     

     

    PHASE 2: Setup IIS for SSL and AD authentication

    You have two options: use IIS or the Configuration Wizard. If you do not need to run the Configuration Wizard, skip B.

     

     

    A: Set Certificate using Configuration Wizard

    This is preferred if you set up the certificate before running the Configuration Wizard. I usually create the certificate before I install my Additional Web Server; when running through the installation, I can then test that I can browse the site before doing all of the steps below.

    1. Select Enable HTTPS
    2. Select the Certificate Name of the Server, make sure you see the check-mark.
    3. Let the Configuration wizard run
    4. Test to make sure that the site is accessible normally
    5. Setup AD Account Users/Groups

     

     

    B: Set Certificate using IIS

    How to: Configure an IIS-hosted WCF service with SSL | Microsoft Docs

        

    If you have already installed the application and want to just set the certificate in IIS:

      1. Go into Control Panel > Administrative Tools > IIS Manager.
      2. Expand the Server and Sites.
      3. Select SolarWinds NetPerfMon
      4. Right-click and select Edit Bindings
      5. Select Add
      6. Add/Change Type to https (you can remove http)
      7. IP Address should be set to All Unassigned
      8. Port 443
        • Note: You may be required to enter the fully qualified name into the Host Name field. This is due to a GPO requirement.
        • Note: Do not select Require Server Name Indication; it can block login. Do not change it unless it is known to be required, you are instructed to, or you have exhausted all other causes of login failure.
      9. SSL Certificate: select the certificate Friendly Name
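    The same binding done from PowerShell, as an added example that is not part of the original guide: it adds the https binding on all unassigned addresses and port 443 with no host header (so Require Server Name Indication stays off, as the note above advises), attaches the certificate by its Friendly Name, and reads the HTTP.sys binding back. It assumes the site name 'SolarWinds NetPerfMon', the WebAdministration module (Windows Server 2012 R2 / 2016), an elevated session, and a placeholder Friendly Name.

```powershell
# Added example (not from the guide): create the https binding and attach the
# certificate the way Phase 2B does in the IIS GUI.
Import-Module WebAdministration

$siteName     = 'SolarWinds NetPerfMon'
$friendlyName = 'orion-web'   # placeholder: the Friendly Name chosen in Phase 1

function Set-OrionHttpsBinding {
    param([string]$SiteName, [string]$FriendlyName)

    $certs = @(Get-ChildItem Cert:\LocalMachine\My |
               Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey })
    if ($certs.Count -eq 0) { throw "No certificate with Friendly Name '$FriendlyName' and a private key in LocalMachine\My" }
    if ($certs.Count -gt 1) { throw "Friendly Name '$FriendlyName' is not unique; bind by thumbprint instead" }
    $cert = $certs[0]

    # All Unassigned, port 443, no host header: no SNI requirement on the binding
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*' | Out-Null
    }

    # Attach the certificate to the binding ('my' = LocalMachine\My)
    $binding = Get-WebBinding -Name $SiteName -Protocol https -Port 443
    $binding.AddSslCertificate($cert.Thumbprint, 'my')

    # Read back what HTTP.sys will actually serve on 0.0.0.0:443
    Get-ChildItem IIS:\SslBindings |
        Where-Object { $_.Port -eq 443 } |
        Select-Object IPAddress, Port, Host, Thumbprint
}

Set-OrionHttpsBinding -SiteName $siteName -FriendlyName $friendlyName
```

    The returned Thumbprint must match the certificate you intended; a stale self-signed certificate on 0.0.0.0:443 is a common reason the browser shows a name mismatch after the wizard.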

     

     

    Phase 3: Secure the Site for User/Certificate Authentication Access

    Estimated Time: 15 minutes.

    This is where the implementation occurs. Using the certificate generated above, we now set the website to require Windows Authentication.

    • Add Client Certificate Authentication
      1. Open Server Manager, select Add Roles and Features, and expand the Web Server role services.
      2. Add the Security role service Client Certificate Mapping Authentication and let it install.
    • Set up Windows Authentication in IIS
      • Note: you will set authentication twice, at the global (server) level and at the site level.
      1. Go into Control Panel > Administrative Tools > IIS Manager.
      2. Expand the Server Name
      3. (Server Name level) Select Authentication:
        • Enable Active Directory Client Certificate Authentication
        • Disable Anonymous and Forms.
        • Enable Windows Authentication
          • In the Actions pane, with Windows Authentication selected, select Advanced Settings. Change Extended Protection to Required, select OK.
          • Select Providers. Select Negotiate, select Remove, then OK.
      4. (Site level) Expand the Sites folder to SolarWinds NetPerfMon and select Authentication.
        • Disable Anonymous Authentication.
          • When a user goes to the site, the card is prompted for. With Anonymous disabled and SSL set to Require, a user who sees the smart card popup and hits Cancel gets a 403 Forbidden page. If you want the login screen as a fallback, keep Anonymous enabled.
        • Disable Forms Authentication. Note: If your environment requires forms authentication, attempt these configuration changes with forms authentication enabled.
        • Enable Windows Authentication.

     

    • Enable the force Smart Card function:
      1. Click the SolarWinds NetPerfMon Site view.
      2. Select SSL Settings.
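    The Phase 3 IIS settings above as WebAdministration calls, added here as an example and not part of the original guide: server level first, then the site, then a read-back of the effective site configuration before IISRESET. It assumes the site name 'SolarWinds NetPerfMon', that the Client Certificate Mapping Authentication role service is already installed, an elevated session, and that the SSL Settings step means Require SSL plus client certificates set to Require (the guide does not spell the checkboxes out; that is the combination that produces the card prompt and the 403 on Cancel described above). Forms authentication lives in the site's ASP.NET web.config (system.web/authentication) and is left to the GUI step, since the guide says to keep it where the environment needs it.

```powershell
# Added example (not from the guide): Phase 3 authentication and SSL settings.
Import-Module WebAdministration
$apphost = 'MACHINE/WEBROOT/APPHOST'
$auth    = 'system.webServer/security/authentication'
$site    = 'SolarWinds NetPerfMon'   # assumed site name

# --- Server (global) level ---
Set-WebConfigurationProperty -PSPath $apphost -Filter "$auth/clientCertificateMappingAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
# Extended Protection: Required
Set-WebConfigurationProperty -PSPath $apphost -Filter "$auth/windowsAuthentication/extendedProtection" -Name tokenChecking -Value 'Require'
# Providers: remove Negotiate (NTLM remains)
$providers = Get-WebConfigurationProperty -PSPath $apphost -Filter "$auth/windowsAuthentication/providers" -Name Collection
if ($providers | Where-Object { $_.value -eq 'Negotiate' }) {
    Remove-WebConfigurationProperty -PSPath $apphost -Filter "$auth/windowsAuthentication/providers" -Name '.' -AtElement @{ value = 'Negotiate' }
}

# --- Site level (these sections are locked, so write through -Location) ---
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
# SSL Settings: Require SSL + Require client certificates (assumed meaning of the GUI step)
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# --- Read back the effective site configuration ---
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication', 'clientCertificateMappingAuthentication') {
    $v = Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$auth/$section" -Name enabled
    '{0,-40} enabled={1}' -f $section, $v.Value
}
'{0,-40} {1}' -f 'sslFlags',      (Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter 'system.webServer/security/access' -Name sslFlags).Value
'{0,-40} {1}' -f 'tokenChecking', (Get-WebConfigurationProperty -PSPath $apphost -Filter "$auth/windowsAuthentication/extendedProtection" -Name tokenChecking).Value
# Follow with: iisreset
```

    Expected read-back: anonymous False, Windows True, client certificate mapping True, sslFlags Ssl,SslRequireCert, tokenChecking Require. Anything else means a GUI step was skipped or a different site is being edited.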

     

    • Permissions for IIS to see the certificate. Network Service needs to read the certificate's private key.
      • The menu bar will fail to load if this is not done:
      1. Run as a user with computer certificate modification abilities: run Command Prompt as another user, log in, and enter MMC
      2. In the Microsoft Management Console, select File > Add/Remove Snap-In, double-click Certificates, Computer Account, select Local Computer, Finish.
      3. Click Certificates > Local Computer > Personal > Certificates.
      4. Right-click the computer certificate you are using and select All Tasks > Manage Private Keys.
      5. In the Security tab, select Add.
      6. Change From this location: select Locations..., then select the local computer name.
      7. Enter Network Service, select Check Names, select OK.
      8. Select OK.
      9. Select Network Service and reduce its permissions to Read.
    • Reset IIS and start testing.
      • Open Command Prompt and enter IISRESET
      • Open multiple browsers and start testing Smart Card logon
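    The Manage Private Keys step as a script, added here as an example and not part of the original guide: it locates the private key file behind the certificate, grants NETWORK SERVICE Read (not Full Control, which is the default the dialog offers), and shows the resulting ACL entry. It assumes an RSA key held by a Microsoft software provider (legacy CAPI or CNG), .NET Framework 4.6 or later, an elevated session, and a placeholder Friendly Name.

```powershell
# Added example (not from the guide): grant NETWORK SERVICE read access to the
# private key of the IIS certificate and display the resulting ACE.
$friendlyName = 'orion-web'                    # placeholder: the Friendly Name from Phase 1
$account      = 'NT AUTHORITY\NETWORK SERVICE'

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI keys live under Crypto\RSA\MachineKeys
        return Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG keys from the Microsoft Software Key Storage Provider live under Crypto\Keys
        return Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
    }
    throw 'Unsupported private key type (expected an RSA key in a Microsoft software provider)'
}

function Grant-PrivateKeyRead {
    param([string]$FriendlyName, [string]$Identity)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.FriendlyName -eq $FriendlyName -and $_.HasPrivateKey } |
            Select-Object -First 1
    if (-not $cert) { throw "No certificate with Friendly Name '$FriendlyName' and a private key" }

    $keyFile = Get-PrivateKeyFile -Cert $cert
    if (-not (Test-Path $keyFile)) { throw "Private key file not found: $keyFile" }

    # Read is enough for IIS to use the key; it does not allow export or replacement
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    (Get-Acl -Path $keyFile).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Grant-PrivateKeyRead -FriendlyName $friendlyName -Identity $account
```

    Run IISRESET afterwards; if the menu bar still fails to load, the site is running under an application pool identity other than Network Service and that identity is the one that needs the Read entry.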

     

    Final: Ensuring this all works.

    1. Use Internet Explorer, Chrome, Firefox in this order. I flip between the 3 to ensure compatibility.
    2. Navigate to the Orion SSL website. Use https://<SSLCertificateFriendlyName>/
    3. You will see a Certificate Popup (based on SSL Settings), select the User Certificate.
    4. It should then prompt for Card & PIN
      • If you encounter any errors here, see below.
    5. You are now in the Web Console as the User.
    6. You should now be at the Summary Screen. If issues, check Browser configuration before jumping to the end.

     

    General Browser Configuration

    When diagnosing more general user issues, follow this guide to help ensure that the site is tied to the correct security zone and that the user is being authenticated properly.

    Note: Not every Browser works the same. Based on setup and security, Internet Explorer may be best for one area, Chrome for another, Firefox in a lab. Certain security rules cause havoc on authentication, so be warned.

     

    Google Chrome, Opera, Vivaldi, Microsoft Internet Explorer & Edge:

    Change settings In Browser:

    1. IE 11: Select the Gear Icon at the top right, select Internet Options.
    2. Select the Security Tab
    3. Promote the site to Trusted for better security
      1. Select Trusted Sites
      2. Select Sites
      3. Enter in the URL, or *.Domain
      4. Select Add
      5. Select Close
    4. Select Custom Level
      1. Scroll about 2/3 the way to "Don't prompt for client certificate when only one certificate exists"
        • Select Enable
      2. Scroll to the bottom, last option is User Authentication.
        • To auto-select the only certificate with the currently logged in User. (use Run As Different User on the Browser to select another certificate)
          • Select Automatic Logon with current user name and password
        • For Multiple Certificates, so that the User can select between a choice of certificates.
          • Select Prompt for User name and Password
    5. Refresh or restart browser. You may need to Clear Cache and/or SSL State for the change to take effect.

     

    Setup through Group Policy Application:    

         Path: Computer Configuration\Policies\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

      • Select Site to Zone Assignment List
        • Set to enabled
          • Set ValueName *.domain
          • Set Value 2

     

         SubPath: Trusted Sites Zone     (Value 2 in "Select Site to Zone Assignment List" means trusted site)

      • Don't prompt for client certificate selection when only one certificate exists.
        • Enabled, Enable
      • Logon Options
        • Enabled
          • To auto-select the only certificate with the currently logged in User. (use Run As Different User on the Browser to select another certificate)

            • Select Automatic Logon with current user name and password

          • For Multiple Certificates, so that the User can select between a choice of certificates.

            • Select Prompt for User name and Password
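    A read-only audit of the Internet Explorer settings described in the in-browser and Group Policy sections above, added here as an example and not part of the original guide. It reports which zone the Orion host lands in and the two Trusted Sites (zone 2) values involved, reading the policy (GPO) keys first and the user's own keys second, which is the order IE applies them. The host name is a placeholder; the registry value names and their meanings (1A00 = Logon options, 1A04 = client certificate prompt, zone 2 = Trusted sites) are Microsoft's documented zone settings.

```powershell
# Added example (not from the guide): report the effective IE zone assignment and the
# Trusted Sites logon / client-certificate settings for the Orion host.
$orionHost = 'orion.example.com'   # placeholder: the name in the site certificate

$policyRoots = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
)
$userRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ZoneSetting {
    # First definition of value $Name for zone $Zone; policy keys win over user keys
    param([int]$Zone, [string]$Name)
    foreach ($root in ($policyRoots + $userRoot)) {
        $item = Get-ItemProperty -Path "$root\Zones\$Zone" -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return [pscustomobject]@{ Value = $item.$Name; Source = "$root\Zones\$Zone" } }
    }
}

function Get-SiteZoneAssignment {
    param([string]$HostName)
    $domain = ($HostName -split '\.', 2)[1]
    # GPO "Site to Zone Assignment List": value name = pattern, data = zone number
    foreach ($root in $policyRoots) {
        $props = Get-ItemProperty -Path "$root\ZoneMapKey" -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($pattern in $HostName, "*.$domain") {
            if ($props.PSObject.Properties[$pattern]) {
                return [pscustomobject]@{ Pattern = $pattern; Zone = [int]$props.$pattern; Source = 'Group Policy' }
            }
        }
    }
    # User-entered Trusted Sites: ZoneMap\Domains\<domain>[\<host>] with one value per scheme
    $hostLabel = ($HostName -split '\.')[0]
    foreach ($key in "$userRoot\ZoneMap\Domains\$domain\$hostLabel", "$userRoot\ZoneMap\Domains\$domain") {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($scheme in 'https', '*') {
            if ($props.PSObject.Properties[$scheme]) {
                return [pscustomobject]@{ Pattern = "$scheme ($key)"; Zone = [int]$props.$scheme; Source = 'User' }
            }
        }
    }
}

$zoneNames  = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$assignment = Get-SiteZoneAssignment -HostName $orionHost
$certPrompt = Get-ZoneSetting -Zone 2 -Name '1A04'   # 0 = don't prompt when only one certificate, 3 = prompt
$logon      = Get-ZoneSetting -Zone 2 -Name '1A00'   # 0 = automatic, 0x10000 = prompt, 0x20000 = intranet only, 0x30000 = anonymous

$logonValue = if ($logon) { [int]$logon.Value } else { -1 }
$logonText  = switch ($logonValue) {
    0       { 'Automatic logon with current user name and password' }
    0x10000 { 'Prompt for user name and password' }
    0x20000 { 'Automatic logon only in Intranet zone' }
    0x30000 { 'Anonymous logon' }
    default { 'not set' }
}

[pscustomobject]@{
    Host            = $orionHost
    Zone            = if ($assignment) { "$($assignment.Zone) ($($zoneNames[[int]$assignment.Zone]))" } else { 'not assigned (Internet unless detected as intranet)' }
    ZoneSource      = if ($assignment) { "$($assignment.Source): $($assignment.Pattern)" } else { '' }
    OneCertNoPrompt = if ($certPrompt) { [int]$certPrompt.Value -eq 0 } else { $false }
    LogonOption     = $logonText
} | Format-List
```

    For the single-certificate case in the guide the expected output is Zone 2, OneCertNoPrompt True and LogonOption "Automatic logon with current user name and password"; "Automatic logon only in Intranet zone" is the symptom behind the AD popup described in the troubleshooting section.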

     

    Mozilla Firefox: (no guarantee that this will work)

    • Screen may be blank. Try another browser to see if it works. Internet Explorer First.

    In Browser

    1. In the Firefox address bar, enter about:config.
    2. A warning will show up, select "I accept the risk"
    3. In the Filter field, enter security.enterprise_roots.enabled
    4. Double-click the Preference Name listed security.enterprise_roots.enabled, it should change from False to True
    5. Close the Window
    • Note: You can just refresh the page, and authentication will occur as normal, no restart was required

    Group Policy: Customizing Firefox Using Group Policy | Firefox for Enterprise Help

     

     

    Optional, Additional Configuration

    Default Alert & Report URL Change

    Note: Technically optional: a SQL Server database change to reflect SSL being enabled and the new URL.

    Note: Only for when the URL is not the fully qualified name of the Server.

     

    Cause: The issue is that the URL link goes to the Hostname, not the FQDN Name the Certificate Uses. This section remediates this problem.

     

    On the SolarWinds server, or with SQL Server Management Studio:

      1. Log on to your Orion server.
      2. Click Start > All Programs > SolarWinds Orion > Advanced Features > Database Manager. (elevated privileges are required to access this application)
      3. Click Add Default Server.
      4. Expand your Orion database in the left pane. Default Database names will be SolarwindsOrion or NetPerfMon.
      5. Right-click the Websites table, and then click Query Table.
      6. Select Execute.
      7. Next, refer back to the SSL Certificate Friendly Name; this name goes into the <ServerName> field.
        1. If you do not know it, do not update this column.
      8. Replace the default query with the following query:
        • UPDATE Websites SET FQDN='', ServerName='', Port='443', SSLEnabled=1 WHERE Type='primary'
      9. Click Execute Query.
      10. Right click on the Websites Table again and select Query Table, and Select Execute query.
      11. Make sure that the Server Name appears as correct, and a Port is set and if SSL is to be required that it is set to 1.
      12. Make sure to Restart the Service Solarwinds Information Service v3 so that the Alerting and Reporting System will utilize this new URL for all actions. The Orion Web Link in the start menu will be updated at this same time.
      13. Click Start > All Programs > SolarWinds Orion > Advanced Features > Orion Service Manager.
      14. Select Solarwinds Information Service v3, and select Restart or Stop then Start.
      15. You can verify by selecting the Orion Web Console link under Start.

     

    General Troubleshooting

     

    Configuration Wizard Reports Web Request for /Orion/Login.aspx failed

     

    The Configuration Wizard used to erroneously report Web Request for /Orion/Login.aspx failed. This should have been resolved; if the Configuration Wizard still shows the message, ignore it, as the site still works. It is due to the Authentication and SSL change.

         - Ignore this message

                        However, if you believe this is a real issue, open C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log and search for Web Request for /Orion/Login.aspx failed. The same line may report No connection could be made because the target machine actively refused it 127.0.0.1:80; this means port 80 (http) is not available because that was the port set in the Configuration Wizard. Rerun the Configuration Wizard, select SSL for the website, ensure it is port 443, and the error should be gone.

     

     

    Smart Card Issues with User authentication accessing the login site:

    When Troubleshooting, it is best to use Internet Explorer. IE gets all CA information from the Domain, it usually is set to automatically authenticate with the logged in user. This covers User Authentication issues and nuances based on the various settings available.

    Note: This is an ever-growing area; as you stray from the default configuration, these nuance issues have been identified as different settings were changed and tested.

     

    • I attempt to log in like the instructions stated; why am I not authenticating through?

              This is where you need to make sure that IIS is not denying you, AND that the OS or Group Policy is not blocking the account authentication. The user requires interactive logon for this system. Please see the SolarWinds NetPerfMon Website IIS Error Code Reference Guide.

    • I get a popup for AD authentication, or I go to the login screen and see the login page but with the SolarWinds logo as an X.
      • Logon is currently set to Automatic logon only in Intranet zone. Change it to Automatic logon with current user name and password.
    • I have multiple certificates on my card; I selected the other user account I am not logged in with, but it shows the account I am logged in with?
      • Run the browser as a different user and log in as that user. The browser security settings set up above deny this action.
    • The user cannot select the certificate popup/PIN password?
      • Which browser is used to log in?
      • Did you enable Phase 3?
      • Test with Internet Explorer. Check whether your browser has its own certificate authority store outside of the OS. Firefox does this.
    • After I enter my PIN, I get prompted for my account login again.
      • Windows Account Automatic Logon is not enabled; enable Automatic Windows Authentication under Settings > Web Console Settings.
      • Prompt for user name and password is selected. This is due to the AD handshake with IIS.
      • Timeout for saving credentials. I have to enter my PIN every 15 minutes for security.
    • Possible error when setting up accounts:
    • If a certificate error is showing up, or you see a red X, the name of the certificate does not match the URL entered, or HSTS is not enabled (SSL Required, new security in browsers). Click on the certificate and the "Issued To:" field will tell you the URL to use.
    • If the No Menu Bar issue persists, run the following PowerShell commands (in Command Prompt, type powershell) to add the registry settings for TLS 1.2:

    # .NET Framework (32-bit hive): let .NET use the OS default protocol list, which includes TLS 1.2
    Set-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name "SchUseStrongCrypto" -value 2

    Get-ItemProperty -Path "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319"

    # HTTP.sys: raise the request header limits; large Kerberos/NTLM tokens in the Authorization header
    # can exceed the defaults and produce blank or 400 responses. Takes effect after the HTTP service restarts (reboot).
    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" -Name "MaxFieldLength" -value 65534

    Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters" -Name "MaxRequestBytes" -value 65534

    # Read back the HTTP.sys values just set
    Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters"