CAC installation for Solarwinds

When trying to install CAC authentication on SolarWinds Orion 2019, the core document does not help. Can anyone help me use the document "Setup Smart Card (CAC/PKI) User Authentication and STIG Securing for Orion 2017.1+"? Most of the information in this document is for legacy IIS 8.5, not IIS 10.

I already have my AD/Root CA cert on the server, yet I find that the location to make changes to allow CAC does not apply to this document.

I am running a Windows 2016 server with ALL STIGs up to date. 

  • I did not see this before.

    Excerpts from my doc (same for pollers) minus the web piece. Substitute .NET 4.6 with the correct version; I am in the process of updating my docs.

    1. File Permission changes 

    The following Operating System Changes were made for the web to work, ensure hidden folders can be viewed:  

    • C:\Windows\Temp
      • NETWORK SERVICE (added with full control) local account
      • Authenticated Users (added with full control) local account
      • Local Service (added with full control per support case #00608416 Deployment Health Tab)
      • System (added with full control per support case #00608416 Deployment Health Tab)
    • C:\ProgramData\Microsoft\Crypto
      • NETWORK SERVICE (added with full control) local account
      • Authenticated Users (added with full control) local account
    • C:\ProgramData\SolarWinds
      • NETWORK SERVICE (added with full control) local account, after SolarWinds is installed
      • Authenticated Users (added with full control) local account, after SolarWinds is installed

    NOTE: The above changes were made based off this document: https://support.solarwinds.com/Success_Center/Network_Performance_Monitor_(NPM)/Orion_Web_Console_response_is_slow.

    1. Configure IIS 

    Below are the pre and post IIS configurations that are required for SolarWinds Management Server 

    1. OS Role and Feature changes to Windows 2016 

    The roles and features of the OS are modified for IIS in the following ways: 

    • Server Roles
      • Web Server (IIS) changed (8 of 43) to (19 of 43)
        • Web Server changed to (17 of 34)
          • Common HTTP Features (4 of 6): no change
          • Health and Diagnostics changed from (1 of 6) to (3 of 6)
            • Logging Tools
            • Request Monitor
          • Performance changed from (1 of 2) to (2 of 2)
            • Dynamic Content Compression
          • Security changed (1 of 9) to (4 of 9)
            • Client Certificate Mapping Authentication
            • IIS Client Certificate Mapping Authentication
            • Windows Authentication
          • Application Development (0 of 11) to (4 of 11)
            • .NET Extensibility 4.6 (with management tools)
            • ASP.NET 4.6 (with management tools)
            • ISAPI Extensions
            • ISAPI Filters
        • FTP Server: no changes and is not installed
        • Management Tools changed from (1 of 7) to (2 of 7)
          • IIS Management Compatibility changed from (0 of 4) to (1 of 4)
            • IIS 6 Metabase Compatibility
    • Features: Because of adding the role, some of the changed features will be added as part of those. This document will * the features that are added by role changes. No * indicates that it was manually added outside the Roles change.
      • .NET Framework 4.6 Features changed (2 of 7) to (3 of 7)
        • ASP.NET 4.6 *
      • Message Queuing changed (0 of 7) to (1 of 7)
        • Message Queuing Services changed (0 of 6) to (1 of 6)
          • Message Queuing Server
    • Not always required, but a better practice to reboot

    1. IIS Manager Settings

    The following configurations are modified using the IIS Manager GUI. Wherever possible, changes will be applied globally, meaning in the connections dropdown list on the server name rather than a specific web site. There may be times specific configurations are required as designated by IIS. See graphic below for graphic portrayal of “global” throughout IIS references.

     

    PIC removed for security reasons

     

    1. IIS Global Settings 

    This section describes the global settings in the IIS Manager GUI for both .net and IIS. The baseline for no changes is compared to the PaaS Image that was received. This documents any changes to that image. 

    NOTE: The first time modifying IIS Manager, a pop-up will appear asking “Do you want to get started with Microsoft Web Platform to stay connected with latest Web Platform Components?” Select “No” and “Do not show this message”. This tries to go to the internet and causes a long delay before you can do anything.

    • ASP.NET
      • .NET Authorization Rules: No changes
      • .NET Compilation: No changes
      • .NET Error Pages: No changes
      • .NET Globalization: No changes
      • .NET Trust Levels: No changes
      • Application Settings: No changes
      • Connection Strings: No changes
      • Machine Key: No changes
      • Pages and Controls: No changes
      • Providers: No changes
      • Session State: No changes
      • SMTP E-mail: No changes
    • IIS
      • Authentication (post SolarWinds installation change and after first logon) (Required for PKI and SSO)
        • Enable Active Directory Client Certificate for Authentication
        • Disable Anonymous Authentication
        • Enable Windows Authentication
      • Compression: No changes
      • Default Document: No changes
      • Directory Browsing: No changes
      • Error Pages: No changes
      • Handler Mappings: No changes
      • HTTP Response Headers: No changes
      • ISAPI and CGI restrictions: No changes
      • ISAPI Filters: No changes
      • Logging: Use Local time for file naming
      • MIME Types: No changes
      • Modules: No changes
      • Output Caching: No changes
      • Request Filtering:
        • File Name Extension Tab: No items were changed from true to false. The list below was changed from False to True. If this is not done, SolarWinds does not work and cannot be configured; this is a PRE-REQ.

          NOTE: If a setting needs to change from false to true, remove the false and re-add to allow. The only two items in the list set to true by the default build are “.” and “.html”.

          • .woff2
          • .woff
          • .template
          • .svg
          • .sitemap
          • .png
          • .master
          • .js
          • .jpg
          • .ico
          • .gif
          • .css
          • .cs
          • .config
          • .axd
          • .aspx
          • .asmx
          • .ashx
          • .ascx

          NOTE: The above changes were made based off these documents: https://thwack.solarwinds.com/docs/DOC-187924 and https://support.solarwinds.com/Success_Center/Network_Performance_Monitor_(NPM)/IIS_handler_mapping_requirements

        • No changes to any other tabs
      • Server Certificates: Add the requested cert (pre-req)
      • Worker Processes: No change
    • Management
      • Configuration Editor: after cert should be:
        • Section: system.webServer/security/access
        • Deepest Path: MACHINE/WEBROOT/APPHOST
        • sslFlags: Ssl,SslNegotiateCert,SslRequireCert,Ssl128
      • Feature Delegation: No changes
      • Shared Configuration: No changes

    1. Application Pools

    The default application pools can be verified before install. The SolarWinds-created app pool cannot be verified or modified until post installation. The list below shows the changes from baseline or the configuration of the new applications:

    • .NET v4.5 (default install): no changes
    • .NET v4.5 Classic (default install): no changes
    • DefaultAppPool (default install): no changes
    • SolarWinds Orion Application Pool: Changes are based from the DefaultAppPool
      • Process Model
        • Idle Time-Out (minutes): 0
      • Recycling (only changes are shown below)
        • Private Memory Limit (KB): from 250000 to 1,200,000
        • Virtual Memory Limit (KB): from 500000 to 2,400,000
        • Regular Time Interval: 0

    My “no changes” in the IIS configurations come from a standard build based on the DISA release of Windows with IIS.

    If it's not too late, I hope this helps.
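
The server-level settings listed in the reply above can be checked after the fact with a short audit script. This is an added example, not part of the original post and not SolarWinds or Microsoft code. It assumes the changes were made at the server node so they are stored in applicationHost.config at its default path, that the app pool is named as in the reply, and that extensions are stored in lower case; the function name `Test-OrionIisBaseline` is hypothetical.

```powershell
# Added example: reads applicationHost.config (or a copy of it) and reports drift
# from the server-level values listed in the reply. Run elevated, 64-bit PowerShell.
function Test-OrionIisBaseline {
    param([string]$Path = "$env:windir\System32\inetsrv\config\applicationHost.config")

    $cfg  = [xml](Get-Content -LiteralPath $Path -Raw)
    $sec  = '/configuration/system.webServer/security'
    $pool = "/configuration/system.applicationHost/applicationPools/add[@name='SolarWinds Orion Application Pool']"

    # Setting name -> @(XPath to the attribute, value the reply lists)
    $checks = [ordered]@{
        'Anonymous Authentication'   = @("$sec/authentication/anonymousAuthentication/@enabled", 'false')
        'Windows Authentication'     = @("$sec/authentication/windowsAuthentication/@enabled", 'true')
        'AD Client Certificate Auth' = @("$sec/authentication/clientCertificateMappingAuthentication/@enabled", 'true')
        'sslFlags'                   = @("$sec/access/@sslFlags", 'Ssl,SslNegotiateCert,SslRequireCert,Ssl128')
        'Idle Time-Out'              = @("$pool/processModel/@idleTimeout", '00:00:00')
        'Private Memory Limit (KB)'  = @("$pool/recycling/periodicRestart/@privateMemory", '1200000')
        'Virtual Memory Limit (KB)'  = @("$pool/recycling/periodicRestart/@memory", '2400000')
        'Regular Time Interval'      = @("$pool/recycling/periodicRestart/@time", '00:00:00')
    }

    # Extensions the reply says must be allowed on the Request Filtering tab
    $exts = '.woff2 .woff .template .svg .sitemap .png .master .js .jpg .ico .gif ' +
            '.css .cs .config .axd .aspx .asmx .ashx .ascx'
    foreach ($e in $exts.Split(' ')) {
        $checks["Request Filtering $e"] =
            @("$sec/requestFiltering/fileExtensions/add[@fileExtension='$e']/@allowed", 'true')
    }

    foreach ($name in $checks.Keys) {
        $xpath, $expected = $checks[$name]
        $node   = $cfg.SelectSingleNode($xpath)
        # A missing attribute means the IIS schema default is in effect
        $actual = if ($node) { $node.Value } else { '(not set)' }
        # Compare comma-separated values (sslFlags) as sets so flag order does not matter
        $diff = Compare-Object ($expected -split '\s*,\s*' | Sort-Object) `
                               ($actual   -split '\s*,\s*' | Sort-Object)
        [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual; Pass = -not $diff }
    }
}

# List only the settings that differ from the reply's values
Test-OrionIisBaseline | Where-Object { -not $_.Pass } | Format-Table -AutoSize
```

Site-level overrides stored in `<location>` elements are not inspected, so a passing result only confirms the server-level values.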
