Configuring device and server authentication

You specify the device and server authentication in the Sentry configuration when you create a Sentry profile in Admin > Sentry. Click Add Sentry Profile or edit an existing Sentry profile.

Select one of the following:

ActiveSync with basic auth: Only for Sentry for ActiveSync. Sentry passes through the user name and password provided by the device user.
ActiveSync and/or AppTunnel with certificates: Select if you plan to use Identity certificates (X.509) for device authentication. Pass Through is the only option available for server authentication.
ActiveSync and/or AppTunnel with Kerberos: Select if you plan to use Kerberos to authenticate the device to the server.

If you do device authentication with Identity certificates, you can specify different server authentication types for the ActiveSync configuration and for each AppTunnel service. For example, you can specify Pass Through for the ActiveSync server and Kerberos Constrained Delegation (KCD) for the servers listed for an AppTunnel service.

Procedure 

1. Obtain the certificates required for your implementation.
2. In Admin > Sentry, click Add Sentry Profile or edit an existing Sentry profile.
3. For Authentication select one of the following authentication options, depending on your implementation:
- ActiveSync with basic auth

See ActiveSync with basic auth and pass through for next steps.

- ActiveSync and/or AppTunnel with group certificates

See Authentication using a group certificate and pass through for next steps.

- ActiveSync and/or AppTunnel with Identity Certificate

See Authentication using a SCEP Identity certificate and pass through for next steps.

OR

See Authentication using an Identity certificate and Kerberos constrained delegation for next steps.

ActiveSync with basic auth and pass through

If you select ActiveSync with basic auth for authentication, then Standalone Sentry passes through the user name and password provided by the device user. No additional configuration on MobileIron Cloud is required.

Authentication using a group certificate and pass through

If you select ActiveSync and/or AppTunnel with certificates, additional configuration fields display for Authentication.

For device authentication with group certificate, Pass Through is the only option available for server authentication.

To complete the configuration:

1. In the Standalone Sentry profile with ActiveSync and/or AppTunnel with certificates, in Global Settings, for Device Authentication Mode, select Use a single certificate for 2-factor auth (basic + cert).
2. Click Upload Certificate.

Additional fields are displayed.

3. Enter the Certificate name and Password for the certificate.
4. Upload the certificate (usually a .cer or PKCS 12 file) you trust.
5. Click Save.
NOTE: Though the certificate is uploaded, it does not persist until you click Save.
6. If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, then select Check Certificate Revocation List (CRL).
NOTE:
- Enable the CRL check only if the certificate chain presented by the device or the Trusted-Front-End to Standalone Sentry contains the information needed to download the CRL over HTTP.
- Only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default; these do not work with Sentry.
- For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.
7. Server Authentication defaults to Pass Through in any service, ActiveSync or AppTunnel, that you configure.
8. Click Save.

The Sentry restarts.

Authentication using a SCEP Identity certificate and pass through

If you select ActiveSync and/or AppTunnel with certificates, additional configuration fields display for Authentication. This section describes the configuration when you choose Use SCEP Identity to authenticate the device to the Sentry, and Sentry uses Pass Through to authenticate the device to the ActiveSync server or a backend resource.

Before you begin 

You must have completed the steps described in Configuring authentication using SCEP Identity (MobileIron Cloud only).

Procedure 

1. In the Standalone Sentry profile with ActiveSync and/or AppTunnel with certificates, in Global Settings, for Device Authentication Mode, select SCEP Identity.
2. Select the App Identity Certificate Configuration for the Identity certificate you want devices to use to authenticate with Sentry.
3. If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, then select Check Certificate Revocation List (CRL).
NOTE:
- Enable the CRL check only if the certificate chain presented by the device or the Trusted-Front-End to Standalone Sentry contains the information needed to download the CRL over HTTP.
- Only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default; these do not work with Sentry.
- For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.
4. Server Authentication defaults to Pass Through in any service, ActiveSync or AppTunnel, that you configure.
5. Click Save.

The Sentry restarts.
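The CRL notes in this procedure, in the group-certificate procedure above and in the Kerberos procedure below all turn on one question: does the device certificate chain carry an HTTP or HTTPS CRL Distribution Point, or only an LDAP one? The following Python script is an added example, not part of this MobileIron documentation and not Sentry code. It parses the CRLDistributionPoints extension value of a certificate with a small hand-written DER walker (RFC 5280, section 4.2.1.13), classifies the URIs by scheme, and reports whether enabling Check Certificate Revocation List (CRL) would have a usable CDP. The two extension values it inspects, and the URIs in them, are constructed inline for illustration; for a real certificate, extract the extension's DER value with your PKI tooling and pass those bytes to crl_check_advisable.

```python
from urllib.parse import urlsplit

# Constructed sample CDP URIs (not taken from any real certificate).
HTTP_CDP = "http://pki.example.com/crl/Example-CA.crl"
LDAP_CDP = ("ldap:///CN=Example%20CA,CN=CA1,CN=CDP,CN=Public%20Key%20Services,"
            "CN=Services,CN=Configuration,DC=example,DC=com"
            "?certificateRevocationList?base?objectClass=cRLDistributionPoint")


def der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample extensions."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + content


def distribution_point(uri):
    """DistributionPoint ::= SEQUENCE { [0] DistributionPointName { [0] GeneralNames { [6] uri } } }"""
    return der(0x30, der(0xA0, der(0xA0, der(0x86, uri.encode("ascii")))))


# Two constructed CRLDistributionPoints extension values: one with an HTTP and an
# LDAP CDP (the common "CA defaults" case), one with only an LDAP CDP.
SAMPLE_CDP_EXTENSION = der(0x30, distribution_point(HTTP_CDP) + distribution_point(LDAP_CDP))
LDAP_ONLY_EXTENSION = der(0x30, distribution_point(LDAP_CDP))


def iter_tlv(data):
    """Yield (tag, value) for each TLV in a DER sequence body (single-byte tags only)."""
    i = 0
    while i < len(data):
        tag = data[i]
        first = data[i + 1]
        i += 2
        if first < 0x80:
            length = first
        else:                                   # long-form length
            nbytes = first & 0x7F
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length


def crl_distribution_points(extension_value):
    """Return every uniformResourceIdentifier ([6] IA5String) in the extension, in order."""
    uris = []

    def walk(data):
        for tag, value in iter_tlv(data):
            if tag == 0x86:                     # context-specific [6], primitive: a URI
                uris.append(value.decode("ascii"))
            elif tag & 0x20:                    # constructed: descend into it
                walk(value)

    walk(extension_value)
    return uris


def classify_cdps(uris):
    """Split CDP URIs into those Sentry can fetch (HTTP/HTTPS) and those it cannot (LDAP, other)."""
    usable = [u for u in uris if urlsplit(u).scheme.lower() in ("http", "https")]
    unsupported = [u for u in uris if u not in usable]
    return {"usable": usable, "unsupported": unsupported}


def crl_check_advisable(extension_value):
    """True only if at least one CDP in the extension is reachable over HTTP or HTTPS."""
    return bool(classify_cdps(crl_distribution_points(extension_value))["usable"])


if __name__ == "__main__":
    for label, ext in (("mixed", SAMPLE_CDP_EXTENSION), ("ldap-only", LDAP_ONLY_EXTENSION)):
        report = classify_cdps(crl_distribution_points(ext))
        print(label, "-> enable CRL check:", crl_check_advisable(ext))
        for u in report["usable"]:
            print("  usable:     ", u)
        for u in report["unsupported"]:
            print("  unsupported:", u)
```

A certificate that passes this check still needs the third note satisfied: Standalone Sentry must be able to reach the host in the HTTP or HTTPS CDP URI on that port, so verify the firewall path from Sentry to the CDP separately.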

Authentication using an Identity certificate and Kerberos constrained delegation

This section describes the configuration when you choose Identity Certificate to authenticate the device to the Sentry and Kerberos for authenticating the device to the ActiveSync server or backend resource.

Note the following:

- For ActiveSync, Sentry supports Kerberos authentication only with Microsoft Exchange Servers.
- If you are configuring tunneling to a DFS server, in the Key Distribution Center (KDC), map the SPN of the CIFS service domain to one of its domain controllers. See Configuring Kerberos authentication for DFS.
- Kerberos initialization in Standalone Sentry occurs only during Tomcat startup. Standalone Sentry obtains the ticket-granting ticket (TGT) during Kerberos initialization. If the initialization fails during Tomcat startup, Standalone Sentry automatically continues to retry until a service ticket from the KDC is received. The retry interval starts at one minute and grows to a maximum of one hour. Failed initialization attempts are reported as WARN-level log entries in Standalone Sentry System Manager under Monitoring. To manually initialize Kerberos, use the debug command debug sentry kerberos init. The command has no effect if Kerberos initialization has already completed.

Before you begin 

You must have set up your Kerberos environment. See Authentication Using Kerberos Constrained Delegation on the MobileIron Support site.

NOTE: The Authentication Using Kerberos Constrained Delegation document also includes setup instructions for MobileIron Core. Ignore the instructions for MobileIron Core.

Procedure 

1. In the Standalone Sentry profile with ActiveSync and/or AppTunnel with Kerberos, in Global Settings, for Device Authentication Mode, select Use SCEP Identity.
2. Select the App Identity Certificate Configuration for the Identity certificate you want devices to use to authenticate with Sentry.
3. If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, then select Check Certificate Revocation List (CRL).
NOTE:
- Enable the CRL check only if the certificate chain presented by the device or the Trusted-Front-End to Standalone Sentry contains the information needed to download the CRL over HTTP.
- Only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default; these do not work with Sentry.
- For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.
4. In the Kerberos section, add Realm and Key Distribution Center (KDC).
- Realm: The Kerberos administrative domain with CIFS shares. The realm is usually the company domain name, in all uppercase characters.
- Key Distribution Center: The Key Distribution Center is the network service that supplies session tickets and temporary session keys. This is generally the Active Directory domain controller host name.
5. Click Next to enter or update Sentry Server Configuration information.
6. Click Next to add or edit a service and configure server authentication.
7. For Server Authentication for a service, ActiveSync or AppTunnel that you configure, select Kerberos.

When you select Kerberos for Server Authentication, Specific destinations (reverse proxy) is selected by default. The Derive Service Principal Name (SPN) from fully qualified Server Name option appears.

If you select All Destinations (forward proxy), the Certificate Field Mapping section also appears. Click + Add to add an entry for certificate mapping.

- Derive Service Principal Name (SPN) from fully qualified Server Name: Select to derive the Service Principal Name of the KCD from the FQDN of the ActiveSync server.

  When you select forward proxy, the SPN is automatically derived from the FQDN of the ActiveSync server, so this option is not available for forward proxy.

- Certificate Field Mapping: Specify the certificate fields that Standalone Sentry can use to derive users’ UPN and Realm for Kerberos authentication.

  a. Select the field from which Standalone Sentry will derive the User UPN or User DN.
  NOTE: For WP8.1 devices, for User UPN, select either DNS Name or RFC 822 Name, and for User DN select Certificate Subject.
  b. For each corresponding field selected, select User UPN or User DN.
  NOTE: This field is required in a cross-realm Kerberos environment.
8. If you selected reverse proxy, then you must also add the FQDN and port for the allowed servers.

This must be the FQDN of the backend resource. Wildcards are not supported. If you did not select Derive Service Principal Name (SPN) from fully qualified Server Name, then you must also add the SPN.

9. Click Next, then click Save.

Standalone Sentry restarts when the profile is pushed to Standalone Sentry.
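The Kerberos settings in steps 4, 7 and 8 above involve two derivations: the SPN from the backend server's FQDN, and the user's UPN and realm from whichever certificate field the Certificate Field Mapping selects. The Python below is an added example that is not Sentry code and not taken from this page. The page does not document the exact rules Standalone Sentry applies, so the SPN format HTTP/<fqdn>@<REALM>, the use of the CN and DC components of the Subject DN, and the upper-cased realm are assumptions in the common Active Directory convention; the field names are the ones shown in the Certificate Field Mapping dropdown, and every sample value is constructed.

```python
# Added example (not Sentry code): SPN and UPN/realm derivations in the style the
# Kerberos settings above describe. The exact rules Standalone Sentry uses are not
# documented on the page; the formats here are assumptions in the usual Active
# Directory convention, and all sample values are constructed.

FIELD_RFC822 = "RFC 822 Name"          # names as shown in Certificate Field Mapping
FIELD_DNS = "DNS Name"
FIELD_SUBJECT = "Certificate Subject"


def derive_spn(server_fqdn, realm, service="HTTP"):
    """Assumption: SPN = <service>/<fqdn>@<REALM>, FQDN lower-cased, realm upper-cased.
    Rejects wildcards, which the allowed-server list in step 8 does not support either."""
    host = server_fqdn.strip().rstrip(".").lower()
    if not host or "*" in host or "." not in host:
        raise ValueError(f"need a concrete fully qualified server name, got {server_fqdn!r}")
    return f"{service}/{host}@{realm.strip().upper()}"


def parse_subject_dn(dn):
    """Split 'CN=alice,OU=Users,DC=corp,DC=example,DC=com' into [(ATTR, value), ...].
    Escaped commas inside values are not handled in this illustration."""
    rdns = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def derive_upn_and_realm(field, value):
    """Return (UPN, REALM) from the certificate field chosen in the mapping."""
    if field in (FIELD_RFC822, FIELD_DNS):
        # Assumes the field holds user@domain, e.g. alice@corp.example.com.
        user, sep, domain = value.partition("@")
        if not sep or not user or not domain:
            raise ValueError(f"{field} value {value!r} is not in user@domain form")
        return f"{user}@{domain.lower()}", domain.upper()
    if field == FIELD_SUBJECT:
        # Assumes CN holds the account name and the DC components spell the domain.
        rdns = parse_subject_dn(value)
        cn = next((v for a, v in rdns if a == "CN"), None)
        dcs = [v for a, v in rdns if a == "DC"]
        if cn is None or not dcs:
            raise ValueError("Subject DN needs a CN and at least one DC component")
        domain = ".".join(dcs)
        return f"{cn}@{domain.lower()}", domain.upper()
    raise ValueError(f"unsupported mapping field {field!r}")


def is_cross_realm(user_realm, profile_realm):
    """True when the user's realm differs from the Realm entered in step 4; that is
    the cross-realm case in which the page says the field mapping is required."""
    return user_realm.strip().upper() != profile_realm.strip().upper()


if __name__ == "__main__":
    profile_realm = "EXAMPLE.COM"                                   # constructed
    print(derive_spn("mail.example.com", profile_realm))
    for field, value in ((FIELD_RFC822, "alice@corp.example.com"),
                         (FIELD_SUBJECT, "CN=bob,OU=Users,DC=example,DC=com")):
        upn, realm = derive_upn_and_realm(field, value)
        print(field, "->", upn, realm, "cross-realm:", is_cross_realm(realm, profile_realm))
```

Running it against the certificates your CA actually issues is the quickest way to see whether the field you plan to map (RFC 822 Name, DNS Name or Certificate Subject) carries a value from which a UPN and realm can be derived at all, and whether any of your users fall into the cross-realm case.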