Knowledgebase : Axidian Certiflow > Axidian Certiflow common questions

Question:
What amount of data is stored in Active Directory (for EA/ESSO and Indeed CM) or SQL (for Indeed CM) per user?

Answer:
Indeed EA/ESSO
The amount of data depends on the number of authenticators registered for each user and the total size of all SSO templates loaded.
The size varies with the authenticator type.
For example, a single Smart card + PIN authenticator takes about 2 KB, whereas a Palm authenticator (Palm Secure biometric scanner) takes about 20 KB.

The ESSO settings take up approximately 1 KB per user. To determine the amount of data for SSO templates, sum the sizes of all template files that will be used.
An average template is about 50 KB.

Indeed CM
The amount of data per user is determined by the number of issued certificates, the backup copies of their private keys (if any) and the size of the user photo.

Example:
An Indeed CM user profile with two certificates, each with a backup copy of its private key, takes up approximately 8.5 KB.
With one certificate and its private key backup the profile takes up approximately 4.8 KB.
The user photo is stored in Active Directory but does not belong to the CM profile; it takes up exactly the photo file size.
If Microsoft SQL is used as the data storage, the user photo size is not included in the estimate above.

This article covers the methods of user authentication available for enterprise web resources.
The screenshots in the article were made with IE11 and IIS10.

Username and password authentication
This is the simplest and most obvious method. The server prompts for credentials before granting access.

Enter the credentials of a user that is allowed to access the application; if they are correct, the logon is performed.
Entering the password at every login is inconvenient. The username can be remembered by the browser if the corresponding checkbox is ticked; the method described next avoids entering even the password.

Authentication without username and password
If you do not want to type the password, the browser has to supply the current Windows credentials automatically. This only works when the IIS site uses Windows Authentication (Kerberos or NTLM); with Basic authentication the browser keeps prompting, because it does not have the plaintext password. Proceed as follows:
In the IE settings, open Internet Options -> Security and select the zone the site belongs to. By default this is the Internet zone; you can add the site to the Local Intranet zone or to Trusted sites instead, and that is the zone the setting below should be applied to.

Still in the Security tab, set the security level for the zone with Custom Level... In the security settings window, User Authentication section, set Logon to Automatic logon with current user name and password.

Save the changes. From now on the credential prompt should not appear at login. Do not enable automatic logon for the Internet zone: the browser would then answer authentication challenges from any site in that zone with the user's Windows credentials (NTLM), which is a classic credential-leak path.
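The same result can be achieved without clicking through the dialog, which is convenient for scripting workstations. This is an added example (not part of the original article) that writes the per-user registry values behind Internet Options; the host name and the zone choice are assumptions.

```powershell
# Added example (not from the original article): map a site to the Local Intranet zone
# and enable automatic logon for that zone only, via the per-user registry keys that
# Internet Options writes. Host name and zone choice are assumptions.
$zones   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$domain  = 'demo.local'   # assumed: site is https://cm.demo.local
$hostKey = 'cm'

# Zone numbers used by Internet Explorer: 1 = Local Intranet, 2 = Trusted sites,
# 3 = Internet, 4 = Restricted sites.
$intranet = 1
$mapKey = Join-Path $zones "ZoneMap\Domains\$domain\$hostKey"
New-Item -Path $mapKey -Force | Out-Null
New-ItemProperty -Path $mapKey -Name 'https' -Value $intranet -PropertyType DWord -Force | Out-Null

# Value 1A00 is "Logon": 0x00000000 = automatic logon with current user name and password,
# 0x00010000 = prompt, 0x00020000 = automatic logon only in Intranet zone, 0x00030000 = anonymous.
$logonAuto = 0x00000000
Set-ItemProperty -Path (Join-Path $zones "Zones\$intranet") -Name '1A00' -Value $logonAuto -Type DWord

# Check: the Internet zone (3) must NOT be set to automatic logon, otherwise the browser
# would hand the user's Windows credentials to any site on the Internet.
$internetLogon = (Get-ItemProperty -Path (Join-Path $zones 'Zones\3')).'1A00'
if ($internetLogon -eq $logonAuto) {
    Write-Warning 'Internet zone is set to automatic logon: credentials may leak to arbitrary sites.'
}
```

The default Logon value for the Local Intranet zone is already Automatic logon only in Intranet zone (0x20000), so mapping the site to zone 1 is usually sufficient on its own. On servers with IE Enhanced Security Configuration the site mapping goes under ZoneMap\EscDomains instead of ZoneMap\Domains.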

Authentication by user certificate
Since Indeed CM manages authentication devices (smart cards and USB tokens) and writes certificates to them, why not authenticate with a smart card?

For that, the IIS site must have SSL (an HTTPS binding) configured. To use smart card authentication, set the following in the site's SSL Settings in IIS:

  • Require SSL
  • Client certificates: Accept or Require.

If Accept is used, both authentication by username and password and authentication by user certificate remain possible.

If Require is used, authentication by user certificate is the only option.



Now set up the browser for smart card authentication. Add the site to the Local Intranet zone, then in the zone's security settings select Automatic logon only in Intranet zone.
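To apply the two IIS settings without the IIS Manager GUI, the following PowerShell (an added example, not part of the original article; the site name is an assumption) sets the sslFlags attribute that both settings map to and reads it back.

```powershell
# Added example (not from the original article): set "Require SSL" and the client
# certificate mode on an IIS site with the WebAdministration module, then read the
# stored value back. Site name is an assumption.
Import-Module WebAdministration
$site = 'Default Web Site'   # assumed IIS site hosting Indeed CM

# sslFlags values: Ssl = Require SSL; SslNegotiateCert = client certificates "Accept";
# SslRequireCert (together with SslNegotiateCert) = client certificates "Require".
function Set-ClientCertMode {
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [Parameter(Mandatory)][ValidateSet('Ignore','Accept','Require')][string]$Mode
    )
    $flags = switch ($Mode) {
        'Ignore'  { 'Ssl' }
        'Accept'  { 'Ssl,SslNegotiateCert' }
        'Require' { 'Ssl,SslNegotiateCert,SslRequireCert' }
    }
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $SiteName `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value $flags
}

# "Accept": password logon and certificate logon both remain possible.
Set-ClientCertMode -SiteName $site -Mode Accept
# "Require": a client certificate becomes the only way in.
# Set-ClientCertMode -SiteName $site -Mode Require

# Check what IIS actually stored for the site.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```

The site needs an HTTPS binding first (check with Get-WebBinding -Protocol https), otherwise Require SSL locks everyone out. Note that IIS still has to map the presented certificate to a Windows account (for example via Active Directory client certificate mapping) before the application sees a user identity; how Indeed CM does that is not described on this page.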

Problem:
When a smart card holding certificates issued by a Microsoft CA is connected to a workstation, the certificates do not appear in the user's Personal store in the Certificates snap-in.

Solution:
Make sure the Certificate Propagation service (CertPropSvc) is enabled and running on the user workstation. This service copies the certificates from an inserted card to the user's Personal store.
For details on this and other certificate and smart card settings in Windows, see the article Smart Card Group Policy and Registry Settings.

Question:

Running a PowerShell script fails with the error: File cannot be loaded because running scripts is disabled on this system.

Answer:

Scripts are blocked by the PowerShell execution policy. To allow them, run in an elevated PowerShell: set-executionpolicy unrestricted

Unrestricted also runs unsigned scripts downloaded from the Internet; set-executionpolicy remotesigned is sufficient for scripts created locally or unblocked with Unblock-File, and is the safer choice.

To block PowerShell scripts again, enter: set-executionpolicy restricted
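An added example (not the vendor's instructions) of the least permissive way to get the same result: the policy is relaxed for one session only, and a reviewed archive is unblocked instead of lowering the policy further. It applies equally to running the IIS deployment scripts described later on this page; the paths are assumptions.

```powershell
# Added example (not from the original article): run the Indeed IIS scripts without
# leaving the machine-wide policy at Unrestricted. Paths are assumptions.
Get-ExecutionPolicy -List            # shows which scope currently blocks scripts

# Scope Process affects only this PowerShell session; nothing is written to the
# registry, so the policy is back to its previous value when the window closes.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

# RemoteSigned refuses scripts carrying the "downloaded from the Internet" mark
# (Zone.Identifier stream) unless they are signed. For an archive you have unpacked
# and reviewed, clear the mark rather than weakening the policy further.
$scriptDir = 'C:\Temp\IndeedIIS\Server2012-2016'   # assumed unpack location
Get-ChildItem -Path $scriptDir -Filter *.ps1 | Unblock-File

# Run the deployment script from its own folder (the 2008 variant expects the
# .NET 4.5 package to sit beside it).
Push-Location $scriptDir
.\Indeed.EMC.CM.IIS.Install.MSServer2012.ps1
Pop-Location
```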

Question: 
How is a document signed with a certificate when Indeed AirKey is used?

Answer:
To produce a digital signature, the document (a letter, a file, etc.) is first hashed by the standard Microsoft Base CSP on the client side (user workstation). Only the document hash is sent to the AirKey Enterprise server for signing; AirKey never operates on the document itself. The AirKey server performs the operations that require the private key, namely digital signing and data decryption. With Indeed AirKey Enterprise, the certificate's private key always resides in the Indeed AirKey Enterprise data storage (Microsoft SQL database or Active Directory) that the server works with. The connection between the client and the AirKey Enterprise server uses HTTPS. Operations that do not need the private key and can be performed with the public key alone are executed by the Microsoft Base CSP on the client side.
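The division of labour in the answer, modelled as an added example in PowerShell (illustration code, not AirKey's implementation): the client computes a SHA-256 hash, only the hash is handed to a signing function that plays the server and owns the private key, and the client verifies the result with the public key. Key size, hash algorithm and the sample document are assumptions; in real use the signing call would be an HTTPS request.

```powershell
# Added example, not AirKey code: a minimal model of the split described above.
# The "client" hashes the document and ships only the hash; the "server" holds the
# private key and signs the hash; the client verifies with the public key alone.
# Both roles run in one process here; in AirKey the hash travels over HTTPS.
# Key size, algorithm and the sample document are assumptions.

# --- server side: the private key never leaves this scope (AirKey storage stands in) ---
$serverKey  = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
$sha256Name = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pkcs1      = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function Invoke-ServerSignHash {
    param([byte[]]$Hash)
    # The server sees 32 bytes of hash, never the document itself.
    if ($Hash.Length -ne 32) { throw 'Expected a SHA-256 hash (32 bytes).' }
    return $serverKey.SignHash($Hash, $sha256Name, $pkcs1)
}

# Public half handed to clients (in practice this is the user's certificate).
$publicKey = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
$publicKey.ImportParameters($serverKey.ExportParameters($false))

# --- client side (user workstation) ---
$document = [System.Text.Encoding]::UTF8.GetBytes('Constructed sample letter to be signed.')
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$hash     = $sha256.ComputeHash($document)          # hashing is local, as with Base CSP

$signature = Invoke-ServerSignHash -Hash $hash      # only the hash crosses the wire

# Verification needs the public key only, so it also stays on the client.
$valid = $publicKey.VerifyHash($hash, $signature, $sha256Name, $pkcs1)
"Signature valid: $valid"

# Any change to the document changes the hash and breaks the signature.
$document[0] = $document[0] -bxor 1
$validAfterEdit = $publicKey.VerifyHash($sha256.ComputeHash($document), $signature, $sha256Name, $pkcs1)
"Signature valid after editing the document: $validAfterEdit"
```

The point the model makes visible: the server can produce a signature for anything it is handed a hash of, so in a real deployment the HTTPS channel and the server-side authentication of the user are what bind a signature to the user's intent; the private key being kept off the workstation does not by itself prevent a compromised client from requesting signatures.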

The Indeed CM system consists of a set of web services deployed on the Microsoft Internet Information Services platform. Resilience is provided by IIS capabilities: several servers can be combined into a cluster that works as one, distributing the load between them.

All servers are configured to use the same data storage and the same user directory (or directories).
Users connect to the server cluster through a single address, so the failure of one server does not interrupt service, provided the load balancer detects the failed node and stops routing requests to it.

Useful links describing the load balancing configuration: 
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725691(v=ws.11)
https://www.iis.net/downloads/microsoft/application-request-routing

When deploying Indeed CM, you have to configure a service account certificate for working with certification authorities (CA).

The Indeed CM server needs this certificate to interact with the CA: it sends certificate requests, publishes certificate revocation lists, etc. The certificate is issued to a user account whose CA privileges are sufficient for the Indeed CM integration.

The Indeed CM server is an ASP.NET application. To use the certificate for connecting to the CA, it must reside in the local machine store, even though it is issued to a user.
This follows Microsoft recommendations on using certificates in ASP.NET applications.

Question:
What do you recommend for the resilience of Indeed CM and EA/ESSO servers? Is it worthwhile to back up the servers, and which components need to be backed up?
What is the best course of action in case of, say, a server failure?

Answer:
The Indeed EA/ESSO and Indeed CM systems keep all their data (settings, licenses, authenticators, ESSO data, devices and policies) in a dedicated storage.
For Indeed EA/ESSO the storage is Active Directory; for Indeed CM it is either Active Directory or Microsoft SQL.
We strongly recommend backing up the storage first of all. With Active Directory, back up the Indeed Identity container and all of its sub-containers. With MS SQL, back up the whole database. The backup copies can be created with any suitable tool.

The Indeed EA/ESSO and CM servers process user requests and read data from or write data to the storage. No critical data is kept on the servers themselves, provided the encryption key files used to access the storage reside in a protected location rather than on the EA/ESSO/CM servers. Those key files must be backed up as well, since the storage cannot be accessed without them.

Thus, if an EA/ESSO/CM server fails, users automatically switch to another available one, and a new server can be deployed fairly quickly.
For Indeed CM it is recommended to set up a cluster with Microsoft IIS, so that users reach the remaining servers through the same web service address.
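As an added example (not from the original article), here is how the recommended backup can be taken with standard Windows tools: an ldifde subtree export of the Indeed Identity container for the Active Directory case, and a full database backup for the Microsoft SQL case. The container DN, SQL instance, database name and paths are assumptions; ldifde ships with the AD DS tools, and Invoke-Sqlcmd needs the SqlServer PowerShell module.

```powershell
# Added example (not from the original article): export the Indeed Identity container
# from Active Directory with ldifde, and take a full backup of the Indeed CM database.
# DN, server names, database name and paths are assumptions.
$container = 'CN=Indeed Identity,DC=demo,DC=local'   # assumed location of the container
$stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$adFile    = "C:\Backup\IndeedIdentity-$stamp.ldf"

# Sanity check before exporting: the container must exist and contain objects.
Import-Module ActiveDirectory
$objects = @(Get-ADObject -SearchBase $container -SearchScope Subtree -LDAPFilter '(objectClass=*)')
"Objects under $($container): $($objects.Count)"
if ($objects.Count -eq 0) { throw "Nothing found under $container; check the DN." }

# Subtree export of the container and all sub-containers. This is an object-level copy
# for recovery of the Indeed data; an AD system-state backup remains the authoritative
# way to restore the directory itself.
ldifde -f $adFile -d $container -p subtree
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with exit code $LASTEXITCODE" }
"AD export written to $adFile"

# Microsoft SQL storage: full backup of the whole database, as recommended above.
# The TO DISK path is resolved on the SQL server, not on the machine running this script.
$sql = @"
BACKUP DATABASE [IndeedCM]
TO DISK = N'D:\Backup\IndeedCM-$stamp.bak'
WITH CHECKSUM, INIT;
"@
Invoke-Sqlcmd -ServerInstance 'sql01.demo.local' -Query $sql -QueryTimeout 0
```

Whichever storage is used, put the exported file and the SQL backup where the encryption key files already live, under the same access restrictions: the export contains the same user data as the live storage.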

Before installing the Indeed Enterprise Management Console and Indeed Certificate Manager, the Internet Information Services role with a specific set of modules must be deployed on the server, and Microsoft .NET must be installed. The order of the installation steps also matters.

Here is an abstract from the Indeed EMC/Indeed CM installation manual:

● Internet Information Services 7.0 and higher with the following modules:

  • Static Content
  • HTTP Redirection
  • ASP.NET
  • .NET Extensibility
  • ISAPI Extensions
  • ISAPI Filters
  • Basic Authentication
  • Windows Authentication
  • IIS Management Console

● Microsoft .NET 4.5 and higher (Microsoft .NET 4.5 is to be installed after IIS component installation and configuration when deploying an Indeed EMC/Indeed CM server).
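The following PowerShell, added here as an example and not the vendor's script, installs the IIS role with exactly the modules listed above on Windows Server 2012 R2/2016 and checks the result. The mapping from the manual's module names to ServerManager feature names is mine; on these Windows versions ASP.NET 4.5 is installed as an IIS feature (Web-Asp-Net45) after the core IIS modules, which matches the ordering the manual requires.

```powershell
# Added example (not the vendor's script): install the IIS role with the modules the
# manual lists, core IIS first and the ASP.NET 4.5 features second, then verify.
# The feature-name mapping is an assumption of this example.
Import-Module ServerManager

$iisFeatures = @(
    'Web-Server',          # the IIS role itself
    'Web-Static-Content',  # Static Content
    'Web-Http-Redirect',   # HTTP Redirection
    'Web-ISAPI-Ext',       # ISAPI Extensions
    'Web-ISAPI-Filter',    # ISAPI Filters
    'Web-Basic-Auth',      # Basic Authentication
    'Web-Windows-Auth',    # Windows Authentication
    'Web-Mgmt-Console'     # IIS Management Console
)
$aspnetFeatures = @(
    'Web-Net-Ext45',       # .NET Extensibility 4.5
    'Web-Asp-Net45'        # ASP.NET 4.5
)

function Install-IndeedIisPrerequisites {
    param([string[]]$First, [string[]]$Second)
    foreach ($set in @($First, $Second)) {
        $result = Install-WindowsFeature -Name $set
        if (-not $result.Success) { throw "Feature installation failed: $($set -join ', ')" }
        if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'A restart is required before continuing.' }
    }
}
Install-IndeedIisPrerequisites -First $iisFeatures -Second $aspnetFeatures

# Check: every required module reports Installed before the Indeed installer is run.
$missing = Get-WindowsFeature -Name ($iisFeatures + $aspnetFeatures) |
           Where-Object { -not $_.Installed } | Select-Object -ExpandProperty Name
if ($missing) { Write-Warning "Still missing: $($missing -join ', ')" } else { 'All IIS prerequisites installed.' }
```

Basic Authentication is in the list because the manual requires it; it sends credentials base64-encoded only, so make sure the site is reachable over HTTPS alone (Require SSL) before it is exposed to users.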

Our experience shows that performing the preliminary steps (IIS and Microsoft .NET installation) manually is error-prone: a module may be missed or the steps done in the wrong order, which results in incorrect operation of the Indeed web application and time-consuming troubleshooting.

To avoid these problems, we have prepared a set of PowerShell scripts that install and configure the Internet Information Services role automatically, in compliance with the requirements for correct operation of the Indeed web applications.

The archive with scripts can be downloaded here.

The archive contains two scripts:

  1. Script to deploy IIS on Windows Server 2008/2008 R2 (Indeed.EMC.CM.IIS.Install.MSServer2008.ps1 in the Server2008 folder).
  2. Script to deploy IIS on Windows Server 2012/2012 R2/2016 (Indeed.EMC.CM.IIS.Install.MSServer2012.ps1 in the Server2012-2016 folder).

Script execution must be allowed on the server before the scripts can run. For how to do this, see Using PowerShell scripts.

The script for Windows Server 2008/2008 R2 also installs Microsoft .NET 4.5 (the installation package resides in the script folder).

Script execution format is as follows:

  • Script to deploy the IIS on Windows Server 2008/2008R2:

          .\Indeed.EMC.CM.IIS.Install.MSServer2008.ps1

  • Script to deploy the IIS on Windows Server 2012/2012R2/2016:

          .\Indeed.EMC.CM.IIS.Install.MSServer2012.ps1

Example of script execution on Windows Server 2012 (screenshots: immediately after start, during operation, after the script has finished).

Problem:
A certificate written to a card with Indeed CM is shown as untrusted on Windows Server 2008 R2/2012/2012 R2, Windows 7 SP1 and Windows 8/8.1.

Solution: 
Most likely the certificate's RSA key is shorter than 1024 bits.
Since update KB2661254, Windows treats such keys as untrusted: http://support.microsoft.com/kb/2661254/en

Question:
The certificate used to work with CA is about to expire. How should I update it properly?

Answer:
The certificate update procedure depends on the certification authority used. Below are the examples for Microsoft Enterprise CA certificates.

Microsoft Enterprise CA 
The quickest and most convenient method is to re-issue the certificate with the IndeedCM.CertEnroll.MsCA.exe utility.
Perform the following procedure:

1. Run the IndeedCM.CertEnroll.MsCA.exe utility on the Indeed CM server with the /e <service username> <password> parameters, under an account with local administrator privileges, where:

  • service username is the name of the service account used to work with certification authorities (serviceca)
  • password is the password of that account.

Example: IndeedCM.CertEnroll.MsCA.exe /e serviceca password1

Note that the password is passed on the command line, so it is visible in process listings and remains in the console history; clear the history afterwards and do not run the utility from a shared session.

The utility output looks like the following:

DumpVariantStringWorker: 0: "Microsoft Enhanced Cryptographic Provider v1.0"
DumpVariantStringWorker: 1: "Microsoft Base Cryptographic Provider v1.0"
DumpVariantStringWorker: 2: "Microsoft Base DSS Cryptographic Provider"
CA: w2k3e.demo.local\MSCA 'EnrollmentAgent' certificate has been enrolled successfully.

2. If the request has to be approved by a CA operator, the utility asks you to have the request approved and then continue, showing the request ID and the name of the key container:

CA: w2k3e.demo.local\MSCA
Certificate request is pending.
Request id: 27
Container name: lr-EnrollmentAgent-175d9490-7481-4a29-b567-503d39747354
Please accept request and then install certificate.

3. After the request has been approved, run a command to install the certificate into the store.
To do so, run the IndeedCM.CertEnroll.MsCA.exe utility with the /i <service username> <password> <requestId> <containerName> parameters, where:

  • service username is the name of the service account used to work with certification authorities (serviceca)
  • password is the password of that account.
  • requestId is the ID of the certificate request.
  • containerName is the name of the key container.

Example: IndeedCM.CertEnroll.MsCA.exe /i serviceca password1 27 lr-EnrollmentAgent-175d9490-7481-4a29-b567-503d39747354

Utility execution result is like the following:

CA: w2k3e.demo.local\MSCA
Certificate has been installed successfully.

4. You can also specify the name of the certificate template (EnrollmentAgent) with /t, if required, and the certification authority to address with /c (if several are deployed).

Example: IndeedCM.CertEnroll.MsCA.exe /e service password /t="EnrollmentAgent" /c="WS2008R2.test.local\Indeed-CA"

As a result, the certificate store of the computer with the Indeed CM server should contain a certificate with the Enrollment Agent role. That certificate must have an exportable private key, and the service account must be granted permissions to manage the private key.

You can also issue a new certificate with the Certificates snap-in. The procedure is described in the Indeed CM installation and configuration manual, System settings to use Microsoft certification authority -> Certificate issue using the Certificates snap-in.
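The requirements scattered over this page for the CA-interaction certificate (it must live in the computer store, have an exportable private key the service account can use, not be close to expiry, and its key must not be shorter than 1024 bits) can be checked with the following PowerShell, added here as an example rather than taken from the vendor. The service account name and the EKU-based lookup are assumptions.

```powershell
# Added example, not the vendor's tooling: find the Enrollment Agent certificate in the
# computer store and report remaining lifetime, key length, exportability and whether
# the service account can use the private key. Account name and EKU lookup are assumptions.
$serviceAccount     = 'DEMO\serviceca'
$enrollmentAgentEku = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent EKU

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Legacy CSP keys (e.g. "Microsoft Enhanced Cryptographic Provider v1.0") live under
    # RSA\MachineKeys; CNG keys under Crypto\Keys. Returns $null if neither resolves.
    try { $csp = $Cert.PrivateKey } catch { $csp = $null }   # throws when the key is inaccessible
    if ($csp -and $csp.CspKeyContainerInfo) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $csp.CspKeyContainerInfo.UniqueKeyContainerName
    }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    return $null
}

function Test-CaServiceCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Account)
    $keyFile = Get-PrivateKeyFile -Cert $Cert
    $canUse  = $false
    if ($keyFile -and (Test-Path $keyFile)) {
        # "Manage private keys" in the snap-in is an ACE on this file; Read is what the
        # account needs to use the key. Grants via group membership are not resolved here.
        $canUse = [bool]((Get-Acl $keyFile).Access | Where-Object {
            $_.IdentityReference.Value -eq $Account -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Read)
        })
    }
    $exportable = 'unknown'
    try { if ($Cert.PrivateKey) { $exportable = $Cert.PrivateKey.CspKeyContainerInfo.Exportable } } catch {}
    [pscustomobject]@{
        Subject          = $Cert.Subject
        Thumbprint       = $Cert.Thumbprint
        DaysLeft         = [int](($Cert.NotAfter - (Get-Date)).TotalDays)
        KeyBits          = $Cert.PublicKey.Key.KeySize      # RSA certificates only
        Exportable       = $exportable
        AccountCanUseKey = $canUse
        KeyFile          = $keyFile
    }
}

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $enrollmentAgentEku)
}
if (-not $certs) { Write-Warning 'No Enrollment Agent certificate with a private key found in LocalMachine\My.' }
$certs | ForEach-Object { Test-CaServiceCertificate -Cert $_ -Account $serviceAccount } | Format-List
```

A DaysLeft value approaching zero means it is time for the re-issue procedure above; a KeyBits value below 1024 is the "untrusted certificate" case described earlier on this page; AccountCanUseKey = False with the certificate otherwise in order usually means the "manage private keys" step was skipped after enrolment.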

Note that smart card usage in terminal (RDP) sessions is limited to cards connected to the client workstation. Smart cards connected to the terminal server cannot be used inside a terminal session; this is a limitation of the terminal service.
In some cases the smart card drivers have to be installed on both the server and the client, and smart card redirection (the smart card option under local resources) must be enabled in the terminal client.
The smart card itself has to be connected to the client workstation, since it is the user's personal means of authentication.