Oracle® Enterprise Single Sign-on Logon Manager Best Practices: Deploying ESSO-LM with the Windows Authenticator Version 2 Release 11.1.1.2.0 E20410-01 December 2010 Oracle Enterprise Single Sign-on Logon Manager Best Practices: Deploying ESSO-LM with the Windows Authenticator Version 2 Release 11.1.1.2.0 E20410-01 Copyright © 2010, Oracle. All rights reserved. The Programs (which include both the software and documentation) contain proprietary information; they are provided under a license agreement containing restrictions on use and disclosure and are also protected by copyright, patent, and other intellectual and industrial property laws. Reverse engineering, disassembly, or decompilation of the Programs, except to the extent required to obtain interoperability with other independently created software or as specified by law, is prohibited. The information contained in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. This document is not warranted to be error-free. Except as may be expressly permitted in your license agreement for these Programs, no part of these Programs may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose. If the Programs are delivered to the United States Government or anyone licensing or using the Programs on behalf of the United States Government, the following notice is applicable: U.S. GOVERNMENT RIGHTS Programs, software, databases, and related documentation and technical data delivered to U.S. Government customers are "commercial computer software" or "commercial technical data" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the Programs, including documentation and technical data, shall be subject to the licensing restrictions set forth in the applicable Oracle license agreement, and, to the extent applicable, the additional rights set forth in FAR 52.227-19, Commercial Computer Software--Restricted Rights (June 1987). Oracle USA, Inc., 500 Oracle Parkway, Redwood City, CA 94065. The Programs are not intended for use in any nuclear, aviation, mass transit, medical, or other inherently dangerous applications. It shall be the licensee's responsibility to take all appropriate fail-safe, backup, redundancy and other measures to ensure the safe use of such applications if the Programs are used for such purposes, and we disclaim liability for any damages caused by such use of the Programs. Oracle, JD Edwards, PeopleSoft, and Siebel are registered trademarks of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. The Programs may provide links to Web sites and access to content, products, and services from third parties. Oracle is not responsible for the availability of, or any content provided on, third-party Web sites. You bear all risks associated with the use of such content. If you choose to purchase any products or services from a third party, the relationship is directly between you and the third party. Oracle is not responsible for: (a) the quality of third-party products or services; or (b) fulfilling any of the terms of the agreement with the third party, including delivery of products or services and warranty obligations related to purchased products or services. Oracle is not responsible for any loss or damage of any sort that you may incur from dealing with any third party. 2 Table of Contents Introduction .................................................................................................................................................. 4 About This Guide ....................................................................................................................................... 4 Prerequisites ............................................................................................................................................. 4 Terms and Abbreviations .......................................................................................................................... 4 Accessing3B ESSO-LM Documentation ......................................................................................................... 4 Part 1: Understanding the Windows Authenticator .................................................................................... 5 Overview ................................................................................................................................................... 5 Understanding Credential Store Encryption ............................................................................................. 5 Understanding Credential Store Key Recovery ......................................................................................... 6 Recovery via Interactive Passphrase Prompt ........................................................................................ 6 Recovery via ESSO-LM Secondary Authentication API ......................................................................... 7 Custom Secondary Authentication Library ....................................................................................... 7 Oracle “Passphrase Suppression” Library ......................................................................................... 8 Understanding the GINA and Network Provider Components ................................................................. 9 Summary of Key Advantages of WinAuth v2 over WinAuth v1 .............................................................. 10 Part 2: Installing, Configuring, and Migrating to Windows Authenticator Version 2 ................................. 11 Installing WinAuth v2 .............................................................................................................................. 12 Migrating a WinAuth v1 Installation to WinAuth v2 ............................................................................... 13 Configuring WinAuth v2 for Credential Store Key Management via Windows DPAPI ........................... 14 Configuring WinAuth v2 for Recovery via Interactive Passphrase Prompt ............................................ 16 Configuring WinAuth v2 for Recovery via Secondary Authentication API .............................................. 18 Recovery via Custom Secondary Authentication Library .................................................................... 18 Recovery via the Oracle “Passphrase Suppression” Library ............................................................... 19 Resetting the User-Provided Passphrase Answer ................................................................................... 20 Enabling WinAuth v2 Strong Authentication Device Support ................................................................ 21 3 Introduction About This Guide This document describes the differences between the Windows Authenticator (WinAuth) version 1 and version 2, the advantages of WinAuth v2 over WinAuth v1, and the best practices for deploying WinAuth v2 on new and existing environments. Prerequisites Readers of this document should have a thorough understanding of ESSO-LM deployment and configuration, as well as cryptography topics and concepts such as key-based encryption, the Windows Data Protection API (DPAPI), and Windows operating system and Active Directory security. Terms and Abbreviations The following table describes the terms and abbreviations used throughout this guide: Term or Abbreviation Description ESSO-LM Oracle Enterprise Single Sign-on Logon Manager ESSO-PR Oracle Enterprise Single Sign-on Password Reset Agent ESSO-LM client-side software Console E SSO-LM Administrative Console WinAuth v1 Windows Authenticator version 1 WinAuth v2 Windows Authenticator version 2 DPAPI Windows Data Protection API Accessing3B ESSO-LM Documentation We continually strive to keep ESSO-LM documentation accurate and up to date. For the latest version of this and other ESSO-LM documents, visit http://download.oracle.com/docs/cd/E15624_01/index.htm. 4 Part 1: Understanding the Windows Authenticator Overview In order to authenticate a user and grant access to stored credentials, ESSO-LM offers a number of authentication methods implemented as authenticator plug-ins, with the most common method being a user name and password. On Active Directory environments, ESSO-LM supports this authentication method through its Windows Authenticator (WinAuth) v1/v2 plug-ins. Because the management of the credential store key is implemented in WinAuth v2 in a more robust and comprehensive way than in WinAuth v1, Oracle recommends deploying WinAuth v2 in place of WinAuth v1 as a best practice; Oracle will eventually phase out WinAuth v1 in favor of WinAuth v2 for this reason. Understanding Credential Store Encryption When the user enrolls with ESSO-LM for the first time, ESSO-LM generates a credential store key, which is then securely managed by WinAuth v1/v2. WinAuth v1 relies on local machine keysets to encrypt the credential store key (generated during first-time enrollment with ESSO-LM). The encrypted credential store key is kept in the local machine’s registry, and is also passed between the Agent and the repository (after being encrypted with a different, randomly generated authenticator key). If you log on to a machine different from the machine on which original enrollment for your user account took place, the Agent will encrypt your