
Delegated Trust Certificates

There may be times when you wish to delegate trust from one appliance or application to your Password Server. When enabled, this feature allows a trusted application to access credential information on behalf of a user it has already authenticated. One example is allowing an RMM tool or remote access application to collect the credentials to inject during a login, without prompting the user to enter their credentials to the Password Server again if they have already authenticated elsewhere.

Warning: Use this feature with care. If you are not careful, it becomes possible to misuse this feature without validating the identity of the caller. If in doubt, do NOT enable this feature, and ask your security team to review your needs.

Setting up delegated trust

Trust is established by the use of digital certificates. You will need to maintain a full X.509 certificate which holds the public and private key on your application/server, in a non-exportable form within the Windows Certificate Store. You will also need to import the equivalent public certificate into Password Server so it knows to trust your application/server.

Create the X.509 certificate for the Application/Server

The steps below rely on Microsoft's makecert.exe command-line tool, which is generally available in any of Microsoft's SDKs. If you already maintain your own Certificate Authority (CA) and have the ability to generate and issue your own certificates, you can use that instead of makecert. What follows is guidance for IT teams who may not have such infrastructure and need to generate their own self-signed certificates.

  1. Create a self-signed X.509 certificate. It is important that the hostname in the CN be resolvable via DNS, because it identifies the "caller" to AuthAnvil.

    makecert -ss My -sky Exchange -pe -n "CN=hostname"

  2. Open up MMC as a standard user
  3. Select File > Add/Remove Snapin.
  4. Choose Certificates, click Add, then OK.
  5. Choose Personal > Certificates. You should see the certificate you generated there.
  6. Right click the certificate and select All Tasks > Export.
  7. Click Next, and select Yes, export the private key.
  8. Click Next twice. When prompted, select the Password checkbox and enter a password.
  9. Browse to store the PFX somewhere safe. Name it something like myPrivateDTcert.pfx.
  10. Continue to the end of the wizard and click Finish.

    Warning: This is your PUBLIC/PRIVATE keypair for the application/server. KEEP IT SAFE.

  11. Run the export wizard again. But this time select No, do not export the private key.
  12. Save the export as a Base64-encoded X.509 cert. Name it something like myPublicDTcert.cer.

    Warning: This is your PUBLIC key certificate used by Password Server.

Installing your private key into the Windows Certificate Store of the Application/Server

  1. Open up mmc as an administrator
  2. Select File > Add/Remove Snapin.
  3. Choose Certificates, and click Add. When prompted, select Computer account, and complete adding the snapin.
  4. Expand Trusted Root Certificate Authorities.
  5. Right click the Certificates folder in the left pane and select All tasks > Import.
  6. When prompted, browse for the PFX file. You may need to change the file type filter to see it.
  7. Click Next. Enter the password you used during the export. Make sure the Mark this key as exportable checkbox is turned OFF.
  8. Click Next several times until you get to the end of the wizard and click Finish. You have now imported your keypair.

Installing your public key into the Password Server

  1. Login to Password Server as an administrator.
  2. Navigate to the External Settings > Delegate Trust Certificates tab.
  3. Click the Add Delegated Trust Certificate button.
  4. Browse to select the PUBLIC certificate you previously created (*.cer).
  5. Click Install Certificate.

At this point you can now call into the delegated SOAP/XML web services using dtLogon() to establish trust, and then request credentials as appropriate. Please see the Scorpion Software Developer Center for more information.

Once installed, your instance of Password Server will accept requests via web services from your trusted host, using the certificate as the authenticator. This certificate must have a Common Name (CN) that matches both the forward and reverse DNS lookup of the calling host as seen from the AuthAnvil system. In other words, if the DNS name of your system resolves to yourapp.contoso.com, then the subject should be CN=yourapp.contoso.com. Using the configured thumbprint of the certificate and its public key, AuthAnvil validates all requests and encrypts all responses using asymmetric encryption based on that certificate.
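The following PowerShell script is an added example, not part of the original documentation or the vendor's tooling. It performs the certificate creation, export and non-exportable import steps above using the built-in PKI cmdlets in place of makecert and the MMC wizards, and first checks the forward/reverse DNS requirement on the CN. The output directory, file names and the target store path are assumptions; adjust them to your environment.

```powershell
# Added example (not the vendor's own code): builds and installs a delegated-trust
# keypair with the built-in PKI cmdlets instead of makecert + MMC, and checks the
# CN/DNS requirement. Store path, output directory and file names are assumptions.
param(
    [string]$Fqdn      = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$OutDir    = "C:\DTCerts",
    [string]$StorePath = "Cert:\LocalMachine\Root"   # store used by the MMC steps above
)

# 1. The CN must resolve forward and back to the same name before anything is issued.
function Test-DelegatedTrustName([string]$Name) {
    $addresses = [System.Net.Dns]::GetHostAddresses($Name)
    foreach ($ip in $addresses) {
        $reverse = ([System.Net.Dns]::GetHostEntry($ip)).HostName
        if ($reverse -ine $Name) {
            throw "Reverse lookup of $ip returned '$reverse', expected '$Name'"
        }
    }
    return $true
}

$null = Test-DelegatedTrustName -Name $Fqdn
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 2. Self-signed cert with an RSA key-exchange key; exportable only while we still
#    need to produce the PFX from it.
$cert = New-SelfSignedCertificate -Subject "CN=$Fqdn" -DnsName $Fqdn `
    -KeySpec KeyExchange -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable -CertStoreLocation Cert:\CurrentUser\My `
    -NotAfter (Get-Date).AddYears(2)

# 3. Private keypair as a password-protected PFX: this is the file to keep safe.
$pfxPath = Join-Path $OutDir "myPrivateDTcert.pfx"
$pfxPwd  = Read-Host -AsSecureString -Prompt "PFX export password"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPwd | Out-Null

# 4. Public certificate as Base64 X.509: this is what gets uploaded to Password Server.
$cerPath = Join-Path $OutDir "myPublicDTcert.cer"
$b64 = [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks')
"-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----" |
    Set-Content -Path $cerPath -Encoding Ascii

# 5. Import the PFX into the machine store. Without -Exportable the key is marked
#    non-exportable, matching "Mark this key as exportable = OFF" in the wizard.
$installed = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation $StorePath -Password $pfxPwd

# 6. Remove the exportable working copy and its key from the user store so only the
#    non-exportable machine-store copy remains.
Remove-Item -Path ("Cert:\CurrentUser\My\" + $cert.Thumbprint) -DeleteKey

"Installed $($installed.Subject) (thumbprint $($installed.Thumbprint)); upload $cerPath to Password Server"
```

Run it in an elevated PowerShell session on the application/server host; the PFX it writes should be moved to secure storage once the import has succeeded.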