Pulse Connect Secure Configure Certificate Based ActiveSync with Kerberos Constrained Delegation: How-To Guide
Published Date: March, 2017
Document Revision 1.0
Configure Certificate Based ActiveSync with Kerberos Constrained Delegation: How-To Guide
© 2017 by Pulse Secure, LLC. All rights reserved 2
Pulse Secure, LLC
2700 Zanker Road, Suite 200
San Jose, CA 95134
http://www.pulsesecure.net
Pulse Secure assumes no responsibility for any inaccuracies in this document. Pulse Secure reserves the right
to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Pulse Secure or components thereof might be covered by one or more of the
following patents that are owned by or licensed to Pulse Secure: U.S. Patent Nos. 5,473,599, 5,905,725,
5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899,
6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Copyright © 2017, Pulse Secure, LLC. All rights reserved.
Printed in USA.
Contents
OVERVIEW 4
CONFIGURATION DETAILS 5
SETTING UP CONSTRAINED DELEGATION IN ACTIVE DIRECTORY SERVER 6
    Create a Kerberos Constrained Delegation User account 6
    Enable Delegation for the Created user account 7
SETTING UP IIS SERVER FOR KCD 13
SETTING UP PULSE CONNECT SECURE FOR CONSTRAINED DELEGATION 17
    Web SSO General Configuration 17
    Set up Constrained Delegation 18
    Setting up Client Certificate Authentication 19
    Certificate Enforcement Configuration 20
    Authorization Only access URL Configuration 21
TROUBLESHOOTING 24
    Successful ActiveSync Connection Using Constrained Delegation 24
    Synchronizing System Times 24
    Check the KCD User Account 24
    Check the Server Name 25
    User account is Disabled 25
    Certificate CN Name and User Name Mismatch 25
    Invalid KCD Service List 25
    User Account not Delegated 25
Overview
Authorization-only access is similar to a reverse proxy. Typically, a reverse proxy is a proxy server that is
installed in front of web servers. All connections coming from the Internet addressed to one of the web servers
are routed through the proxy server, which may either deal with the request itself or pass the request wholly or
partially to the main web server.
With the ability to check for valid client-side certificates, the IVE is no longer acting only as a reverse proxy to the desired resource; it also ensures that access to these resources is granted only if the user presents a valid client certificate issued by a CA that the IVE trusts (a Trusted Client CA).
Constrained delegation: The constrained delegation extension allows a service to obtain service tickets (under the delegated user's identity) to a subset of other services, after it has been presented with a service ticket that was obtained either through the TGS_REQ protocol, as defined in IETF RFC 1510, or through the protocol transition extension.
Configuration Details
• Setting up Constrained Delegation in Active Directory Server
• Setting up Pulse Connect Secure for Constrained Delegation
• Troubleshooting
Setting up Constrained Delegation in Active Directory Server
This section outlines how to set up Kerberos Constrained Delegation with the Pulse Secure Access product.
This involves setting up an account in the Active Directory, setting up the Server hosting the services and finally
configuring the Pulse Secure Access appliance.
• Create a Kerberos Constrained Delegation User account
• Enable Delegation for the Created user account
Create a Kerberos Constrained Delegation User account
In order to get Constrained Delegation to work, a user account has to be created. This account must have the rights to perform protocol transition and delegation. Essentially, this is the account that has the rights to request a Kerberos ticket on behalf of a user signing in to the Pulse Connect Secure.
1. Start by creating a new user in the Active Directory.
2. In this example, kcduser1 is created as the account that provides Constrained Delegation access to the Exchange ActiveSync Server.
Enable Delegation for the Created user account
Delegation is not enabled by default for a user account and needs to be enabled. This involves the use of SETSPN from the command line.
1. Use the command: setspn -A HTTP/kcduser1 exchsrv2016\kcduser1
NOTE: In this example, exchsrv2016 is the domain and kcduser1 is the user account we just created.
2. This will enable the Delegation tab in the “KCDUser1” properties.
3. Add the Services.
4. Since this is “constrained” delegation there is a need to specify the “Services” this applies to. Select
“Add”.
5. Use the Users or Computers button to select the Computer hosting these services.
6. In this example the Exchange ActiveSync Server (EAS) service is hosted on a different server from the AD, so WIN2K12R2 is selected. This could have been any other server in the domain.
7. Now review the settings and Apply / OK these settings.
You are now finished setting up the Active Directory part of the configuration.
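The Active Directory steps above, scripted with the RSAT ActiveDirectory module as an added example (this is not from the Pulse Secure guide). It uses the guide's names (kcduser1, exchsrv2016, WIN2K12R2); the EAS host FQDN win2k12r2.exchsrv2016.com and the HTTP service class of the delegation target are taken from the SPN shown in the guide's troubleshooting logs, and everything else is an assumption to adjust for your environment.

```powershell
Import-Module ActiveDirectory

# Values from the guide's example; change them for your domain.
$domain  = 'exchsrv2016.com'
$kcdUser = 'kcduser1'
$easHost = 'win2k12r2.exchsrv2016.com'   # server hosting Microsoft-Server-ActiveSync (WIN2K12R2 in the guide)
$password = Read-Host -AsSecureString -Prompt "Password for $kcdUser (must match what is entered on the PCS)"

# Step 1: the account that will request Kerberos tickets on behalf of PCS users.
New-ADUser -Name $kcdUser -SamAccountName $kcdUser -UserPrincipalName "$kcdUser@$domain" `
    -AccountPassword $password -Enabled $true `
    -Description 'Pulse Connect Secure Kerberos Constrained Delegation account'

# Step 2: register an SPN on the account so that the Delegation tab appears in its properties
# (equivalent of the guide's: setspn -A HTTP/kcduser1 exchsrv2016\kcduser1).
Set-ADUser -Identity $kcdUser -ServicePrincipalNames @{ Add = "HTTP/$kcdUser" }

# Steps 3-6: constrain delegation to the HTTP service on the EAS host only. The FQDN form is the SPN
# that appears in the guide's success log; the short-name form is added as well because a client
# may request either name.
Set-ADUser -Identity $kcdUser -Add @{
    'msDS-AllowedToDelegateTo' = @("HTTP/$easHost", "HTTP/$($easHost.Split('.')[0])")
}

# The PCS obtains the user's ticket with S4U2Self (protocol transition, visible in the guide's
# success log). That requires "Use any authentication protocol" on the Delegation tab, which is
# the TrustedToAuthForDelegation flag on the account.
Set-ADAccountControl -Identity $kcdUser -TrustedToAuthForDelegation $true

# Step 7: read the result back before moving on to the IIS and PCS configuration.
Get-ADUser -Identity $kcdUser -Properties ServicePrincipalNames, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName, Enabled, TrustedToAuthForDelegation,
        @{ n = 'SPNs';                e = { $_.ServicePrincipalNames -join ', ' } },
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } } |
    Format-List
```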
Setting up IIS Server for KCD
In order to get Constrained Delegation to work, Windows integrated authentication has to be enabled in Internet Information Server (IIS) Manager on the server where the Exchange ActiveSync Server (EAS) is installed.
1. Access Internet Information Server (IIS) Manager -> Computer Name -> Sites -> Default Web Site -> Microsoft-Server-ActiveSync -> Authentication.
2. Enable “Windows Authentication” and “Basic Authentication”.
3. Select Providers and make sure “Negotiate” is allowed for Windows Authentication.
4. Access Internet Information Server (IIS) Manager -> Computer Name -> Sites -> Exchange Back End -> Microsoft-Server-ActiveSync -> Authentication.
5. Enable “Windows Authentication” and “Basic Authentication”.
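The same five IIS steps applied with the WebAdministration module, as an added example that is not part of the guide. The site and application names are the guide's; the script is assumed to run on the EAS server itself.

```powershell
Import-Module WebAdministration

# The two Microsoft-Server-ActiveSync applications the guide walks through (steps 1-2 and 4-5).
$apps = @(
    'IIS:\Sites\Default Web Site\Microsoft-Server-ActiveSync',
    'IIS:\Sites\Exchange Back End\Microsoft-Server-ActiveSync'
)
$authBase = 'system.webServer/security/authentication'

foreach ($app in $apps) {
    # Enable Windows Authentication and Basic Authentication on the application.
    foreach ($method in 'windowsAuthentication', 'basicAuthentication') {
        Set-WebConfigurationProperty -PSPath $app -Filter "$authBase/$method" -Name enabled -Value $true
    }

    # Step 3: Kerberos is only offered through the Negotiate provider; add it if it is missing.
    $providers = "$authBase/windowsAuthentication/providers"
    $current = @((Get-WebConfigurationProperty -PSPath $app -Filter $providers -Name Collection).value)
    if ($current -notcontains 'Negotiate') {
        Add-WebConfigurationProperty -PSPath $app -Filter $providers -Name '.' -Value @{ value = 'Negotiate' }
    }

    # Read back what is now configured so it can be compared with the IIS Manager view.
    [pscustomobject]@{
        Application = $app
        Windows     = (Get-WebConfigurationProperty -PSPath $app -Filter "$authBase/windowsAuthentication" -Name enabled).Value
        Basic       = (Get-WebConfigurationProperty -PSPath $app -Filter "$authBase/basicAuthentication" -Name enabled).Value
        Providers   = @((Get-WebConfigurationProperty -PSPath $app -Filter $providers -Name Collection).value) -join ', '
    }
}
```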
Setting up Pulse Connect Secure for Constrained Delegation
• Web SSO General Configuration
• Set up Constrained Delegation
• Setting up Client Certificate Authentication
• Certificate Enforcement Configuration
• Authorization Only access URL Configuration
This section covers the steps required to enable Constrained Delegation to the previously defined application, Exchange ActiveSync Server (EAS), for any user connecting via the Pulse Connect Secure.
Web SSO General Configuration
1. Start by setting up Users > Resource Policies > Web > General.
Enable Kerberos SSO and add a Realm Definition. The Realm referred to is the Kerberos Realm, which is normally the same as the DNS domain. In this example it is EXCHSRV2016.COM.
The Site Name field only applies, and can only be used, if your Active Directory is set up with Sites.
An Active Directory site object represents a collection of Internet Protocol (IP) subnets, usually constituting a physical Local Area Network (LAN). Multiple sites are connected for replication by site link objects.
Sites are used in Active Directory to enable clients to discover network resources (printers, published shares, domain controllers) that are close to the physical location of the client, reducing network traffic over Wide Area Network (WAN) links, and to optimize replication between domain controllers. This is also true for Kerberos, so this field allows you to define the specific Site Name in which you wish to discover the KDC. For each Kerberos realm, only one site can be defined in the Pulse SA. In other words, it is not possible to have two entries for the same Kerberos realm with different site names. The site name should be the site that this Pulse SA resides in. If the box is deployed in Paris, the site name should be the site name of Paris, etc.
The purpose of the Kerberos pattern list is to match hosts with realms when they are in “disjoint namespaces”, that is, when the DNS domain name of a host is not a Kerberos realm.
Finally, the KDC field. Here you can define the KDC, normally the same as the Active Directory server. This is optional, since the SA will look up the service and find the KDC for the Realm (and Site, if defined) by using LDAP to the Active Directory.
Set up Constrained Delegation
1. The next step is to set up the Constrained Delegation. The first thing needed is to create the Service List. This is done by uploading a text file with the servers listed.
Open Notepad or a similar program and create a file with the server name(s).
2. Select Edit.
3. Select New Service List.
4. Select the text file you just created. After the file is uploaded you can select OK and close the Services
List dialogue.
Now the Constrained Delegation can be completed.
5. Start by setting a Label. Next, pick the Realm in the drop-down box. This will be one of the Realms defined in the previous step, so in this example EXCHSRV2016.COM.
Define the Principal Account and Password. This is the account you created for Constrained Delegation in the Active Directory earlier in this guide. Make sure you type the password exactly as defined in the AD.
6. Finally select the Service List defined previously.
Setting up Client Certificate Authentication
1. Go to Configuration -> Certificates -> Trusted Client CAs and import the client CA certificate which has
issued the end user client certificates.
2. Go to the role that will be mapped to the sign-in policy (e.g. the Users role). Navigate to Users -> General -> Restrictions -> Certificate.
Note: The above step is critical for certificate enforcement; without it you may see unexpected behavior.
3. Select the option “Only allow users with a client-side certificate….” as shown in the screenshot above. Save changes.
Certificate Enforcement Configuration
1. On the PCS go to Configuration -> Security ->SSL Options. Scroll down to the setting “Require client
certificate on these ports”.
2. Select the port to which this setting is to be applied.
In our example we have selected an external virtual port (e.g. ExtVirtualPort). Save changes.
Note: We have not selected the option “Enable client certificate on the external port”. This means that if an access request to the URL arrives on the external port, the request will be declined by the PCS device. The PCS device will only accept traffic to the URL (https://activesynctest.com) on the external virtual port.
In the above example, ensure that https://activesynctest.com resolves to the external virtual port IP address of the SA device.
Authorization Only access URL Configuration
1. Create a new authorization only sign-in policy.
2. Provide a virtual host name (e.g. activesynctest.com) that end users will use in order to access the protected (authorization only) URL.
3. Enter the backend resource URL (e.g. https://outlook.lab.net); select a role that will be applied to users
who use this access mechanism. Save changes.
4. Enable the “Allow ActiveSync Traffic Only” option to configure the KCD label.
Note: The ActiveSync with KCD feature can be enabled only when “Allow ActiveSync Traffic Only” is selected.
The Web SSO General resource policy configured in the section above will be displayed under the KCD label.
5. Choose the Kerberos Constrained Delegation label and the Username template.
Note: The Username template can be either <certDN.CN> or <certAttr.altName.UPN>.
6. Click on save changes.
Troubleshooting
If you experience problems with certificate-based ActiveSync using Kerberos Constrained Delegation, there are a few things you can check and verify with the sets of logs below.
Successful ActiveSync Connection Using Constrained Delegation
The following log entries are recorded for a successful ActiveSync connection using Kerberos Constrained Delegation:
2016-12-06 20:24:51 - cl62 - [172.21.16.160] exchsrv2016\qauser()[Users] - Device record created for user exchsrv2016\qauser to obtain Authorization Only access. (activesync_id=LGMCYxsI0AP9duEr_AM, user-agent=)
2016-12-06 20:24:51 - cl62 - [127.0.0.1] System()[] - Web SSO: Fetched Kerberos TGT Ticket Client: [email protected], Server: krbtgt/[email protected], auth 12/06/16 20:24:28, start 12/06/16 20:24:28, end 12/07/16 06:24:28, renew 12/31/69 16:00:00, current 12/06/16 20:24:51
2016-12-06 20:24:52 - cl62 - [127.0.0.1] System()[] - Web SSO: Fetched Kerberos S4U2Self Ticket Client: [email protected], Server: [email protected], auth 12/06/16 20:24:28, start 12/06/16 20:24:28, end 12/07/16 04:44:28, renew 12/31/69 16:00:00, current 12/06/16 20:24:52, Flags reserved: 0, forwardable: 1, forwarded: 0, proxiable: 0, proxy: 0, may_postdate: 0, postdated: 0, invalid: 0, renewable: 0, initial: 0, pre_authent: 1, hw_authent: 0, transited_policy_checked: 0, ok_as_delegate: 0, anonymous: 0
2016-12-06 20:24:52 - cl62 - [127.0.0.1] System()[] - Web SSO: Fetched Kerberos Service Ticket via Constrained Delegation: Client: [email protected], Server: HTTP/[email protected], auth 12/06/16 20:24:28, start 12/06/16 20:24:28, end 12/07/16 04:44:28, renew 12/31/69 16:00:00, current 12/06/16 20:24:52
Synchronizing System Times
Kerberos authentication requires that system time is synchronized. Kerberos rejects any authentication request from a system or client whose time is not within the specified maximum clock skew of the Kerberos server. Because each ticket carries the time at which it was issued to a principal, an attacker cannot replay the same ticket at a later time to authenticate to the network. The client also rejects tickets from a Kerberos server if its clock is not within the maximum clock skew set during network authentication service configuration. The default value for the maximum clock skew is 300 seconds (five minutes).
Verify the time on the AD, the Server and the PCS to make sure the skew is less than 5 minutes. Using NTP to avoid this issue is strongly recommended.
User Access Logs:
2016-10-19 10:40:07 - ive - [127.0.0.1] System()[] - Fetch Kerberos TGT for user kcduser, realm EXCHSRV2016.COM failed: Clock out of sync with KDC 10.209.114.213
Check the KCD User Account
Another common mistake is that the username/password for the Constrained Delegation account in the AD
does not match the configuration in the PCS Constrained Delegation settings. Verify and re-enter the password
to make sure.
User Access Logs:
2016-12-06 20:29:57 - cl62 - [172.21.16.160] exchsrv2016\qauser()[Users] - Device record created for user exchsrv2016\qauser to obtain Authorization Only access. (activesync_id=LGMCYxsI0AP9duEr_AM, user-agent=)
2016-12-06 20:29:57 - cl62 - [127.0.0.1] System()[] - Fetch Kerberos TGT for user kcduser, realm EXCHSRV2016.COM failed: Credential validation failed against 10.209.114.213
Check the Server Name
Verify that the server you have defined in the Service List, the SSO Resource Policy and the AD user Delegation settings is the correct one and that it can be resolved via DNS.
Test resolving the server name from the PCS by using the Maintenance > Troubleshooting > Tools > Commands > NSLookup tool.
User account is Disabled
2016-12-06 20:49:45 - cl62 - [172.21.16.160] exchsrv2016\qauser()[Users] - Device record created for user exchsrv2016\qauser to obtain Authorization Only access. (activesync_id=LGMCYxsI0AP9duEr_AM, user-agent=)
2016-12-06 20:49:45 - cl62 - [127.0.0.1] System()[] - Web SSO: Fetched Kerberos TGT Ticket Client: [email protected], Server: krbtgt/[email protected], auth 12/06/16 20:49:22, start 12/06/16 20:49:22, end 12/07/16 06:49:22, renew 12/31/69 16:00:00, current 12/06/16 20:49:45
2016-12-06 20:49:45 - cl62 - [127.0.0.1] System()[] - Fetch Kerberos TGS for user qauser, TGT user kcduser, realm EXCHSRV2016.COM, host win2k12r2.exchsrv2016.com failed: Constrained Delegation TGS fetch error: Clients credentials have been revoked
Note: If the user account is disabled in the backend AD server, the user's access remains valid on the PCS until the cached Kerberos ticket's validity period expires.
Certificate CN Name and User Name Mismatch
If the CN in the client certificate and the username do not match, the following entries are recorded in the user access logs:
2016-12-06 20:54:47 - cl62 - [172.21.16.160] 172.21.16.160()[Users] - Username obtained from Certificate Template [leema] is different from Username [exchsrv2016%5Cqauser] configured in mail client
Invalid KCD Service List
If the service list added under the PCS resource policy is invalid, the following entry is recorded when the user makes an ActiveSync connection:
2016-12-07 00:44:48 - cl62 - [127.0.0.1] System()[] - SSO Error: Constrained Delegation host mismatch: host win2k12r2.exchsrv2016.com, service list test2k12.child1.exchsrv2016.com
User Account not Delegated
If the user account has the option “Account is sensitive and cannot be delegated” enabled, the ActiveSync connection will fail with the following entry in the PCS logs:
2016-12-07 01:16:30 - cl62 - [127.0.0.1] System()[] - Fetch Kerberos TGS for user qauser, TGT user kcduser, realm EXCHSRV2016.COM, host win2k12r2.exchsrv2016.com failed: Constrained Delegation TGS fetch error: KDC can't fulfill requested option.
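A read-only check of the Active Directory, DNS and clock conditions behind the troubleshooting entries above, written as an added example that is not part of the guide. It needs the RSAT ActiveDirectory module and network access to the KDC; the account and host names are the guide's, while the KDC name dc.exchsrv2016.com, the optional credential test and the mapping of each check to a log symptom are assumptions.

```powershell
Import-Module ActiveDirectory

function Test-KcdPrerequisites {
    param(
        [string]$KcdAccount  = 'kcduser1',                   # delegating account from the guide
        [string]$EndUser     = 'qauser',                     # end user seen in the guide's logs
        [string]$ServiceHost = 'win2k12r2.exchsrv2016.com',  # EAS host from the guide's logs
        [string]$Kdc         = 'dc.exchsrv2016.com',         # assumed KDC name (not in the guide)
        [pscredential]$KcdCredential,                        # optional: the password as entered on the PCS
        [double]$MaxSkewSec  = 300                           # Kerberos default quoted by the guide
    )
    $results = New-Object System.Collections.Generic.List[object]
    $add = {
        param($Check, $Ok, $Detail, $Symptom)
        $results.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Ok; Detail = $Detail; LogSymptom = $Symptom })
    }

    # 1. The KCD account: enabled, allowed to do protocol transition (S4U2Self, which the guide's
    #    success log shows with forwardable: 1) and constrained to the HTTP SPN of the EAS host.
    $kcd = Get-ADUser -Identity $KcdAccount -Properties Enabled, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
    & $add 'KCD account enabled' $kcd.Enabled "Enabled=$($kcd.Enabled)" 'Fetch Kerberos TGT for user ... failed'
    & $add 'KCD account: use any authentication protocol' $kcd.TrustedToAuthForDelegation `
        "TrustedToAuthForDelegation=$($kcd.TrustedToAuthForDelegation)" "KDC can't fulfill requested option"
    $targets = @($kcd.'msDS-AllowedToDelegateTo')
    & $add 'KCD account delegates to HTTP/<EAS host>' ($targets -contains "HTTP/$ServiceHost") `
        "msDS-AllowedToDelegateTo=$($targets -join ';')" 'Constrained Delegation TGS fetch error'

    # 2. Optional: bind to the KDC with the credential configured on the PCS to catch a typed-in
    #    password that does not match the account (the guide's "Check the KCD User Account").
    if ($KcdCredential) {
        try   { Get-ADUser -Identity $KcdAccount -Server $Kdc -Credential $KcdCredential | Out-Null; $credOk = $true; $credMsg = 'bind succeeded' }
        catch { $credOk = $false; $credMsg = $_.Exception.Message }
        & $add 'KCD account password' $credOk $credMsg 'Credential validation failed against <KDC>'
    }

    # 3. The end user: a disabled account, or "Account is sensitive and cannot be delegated",
    #    both make the S4U2Proxy step fail (two of the guide's troubleshooting cases).
    $usr = Get-ADUser -Identity $EndUser -Properties Enabled, AccountNotDelegated
    & $add 'End user enabled' $usr.Enabled "Enabled=$($usr.Enabled)" 'Clients credentials have been revoked'
    & $add 'End user may be delegated' (-not $usr.AccountNotDelegated) `
        "AccountNotDelegated=$($usr.AccountNotDelegated)" "KDC can't fulfill requested option"

    # 4. Name resolution of the EAS host (the guide's "Check the Server Name" step).
    try   { $ips = (Resolve-DnsName -Name $ServiceHost -ErrorAction Stop | Where-Object IPAddress).IPAddress -join ','; $dnsOk = $true }
    catch { $ips = $_.Exception.Message; $dnsOk = $false }
    & $add 'EAS host resolves in DNS' $dnsOk $ips 'Constrained Delegation host mismatch / TGS fetch error'

    # 5. Clock skew against the KDC from one w32tm sample; the offset is printed like "+00.0123456s"
    #    (en-US decimal separator assumed).
    $sample = w32tm /stripchart /computer:$Kdc /samples:1 /dataonly 2>&1 |
        Select-String -Pattern ',\s*([+-]\d+\.\d+)s' | Select-Object -First 1
    if ($sample) {
        $skew = [math]::Abs([double]$sample.Matches[0].Groups[1].Value)
        & $add 'Clock skew within limit' ($skew -lt $MaxSkewSec) "offset ${skew}s (limit ${MaxSkewSec}s)" 'Clock out of sync with KDC'
    } else {
        & $add 'Clock skew within limit' $false 'w32tm returned no sample' 'Clock out of sync with KDC'
    }
    return $results
}

Test-KcdPrerequisites | Format-Table -AutoSize
```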