Configuring device and server authentication
You specify the device and server authentication in the Sentry configuration when you create a Sentry profile in Admin > Sentry. Click Add Sentry Profile or edit an existing Sentry profile.
Select one of the following:
• ActiveSync with basic auth: Only for Sentry for ActiveSync. Sentry passes through the user name and password provided by the device user.
• ActiveSync and/or AppTunnel with certificates: Select if you plan to use Identity certificates (X.509) for device authentication. Pass Through is the only option available for server authentication.
• ActiveSync and/or AppTunnel with Kerberos: Select if you plan to use Kerberos to authenticate the device to the server.
If you do device authentication with Identity certificates, you can specify different server authentication types for the ActiveSync configuration and for each AppTunnel service. For example, you can specify Pass Through for the ActiveSync server and Kerberos Constrained Delegation (KCD) for the servers listed for an AppTunnel service.
Procedure
1. Obtain the certificates required for your implementation.
2. In Admin > Sentry, click Add Sentry Profile or edit an existing Sentry profile.
3. For Authentication, select one of the following authentication options, depending on your implementation:
   - ActiveSync with basic auth: See ActiveSync with basic auth and pass through for next steps.
   - ActiveSync and/or AppTunnel with group certificates: See Authentication using a group certificate and pass through for next steps.
   - ActiveSync and/or AppTunnel with Identity Certificate: See Authentication using a SCEP Identity certificate and pass through for next steps, or see Authentication using an Identity certificate and Kerberos constrained delegation for next steps.
ActiveSync with basic auth and pass through
If you select ActiveSync with basic auth for authentication, then Standalone Sentry passes through the user name and password provided by the device user. No additional configuration on MobileIron Cloud is required.
Authentication using a group certificate and pass through
If you select ActiveSync and/or AppTunnel with certificates, additional configuration fields display for Authentication.
For device authentication with a group certificate, Pass Through is the only option available for server authentication.
To complete the configuration:
1. In the Standalone Sentry profile with ActiveSync and/or AppTunnel with certificates, in Global Settings, for Device Authentication Mode, select Use a single certificate for 2-factor auth (basic + cert).
2. Click Upload Certificate.
   Additional fields are displayed.
3. Enter the Certificate name and Password for the certificate.
4. Upload the certificate (usually a .cer or PKCS #12 file) you trust.
   NOTE: Although the certificate is uploaded, it does not persist until you click Save.
5. If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, select Check Certificate Revocation List (CRL).
   - Enable the CRL check only if the certificate chain presented by the device or the Trusted-Front-End to Standalone Sentry contains the information needed to download the CRL over HTTP.
   - Only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default; these will not work with Sentry.
   - For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.
6. Server Authentication defaults to Pass Through in any service, ActiveSync or AppTunnel, that you configure.
The Sentry restarts.
Authentication using a SCEP Identity certificate and pass through
If you select ActiveSync and/or AppTunnel with certificates, additional configuration fields display for Authentication. This section describes the configuration when you choose Use SCEP Identity to authenticate the device to the Sentry, and Sentry uses Pass Through to authenticate the device to the ActiveSync server or a backend resource.
Before you begin
You must have completed the steps described in Configuring authentication using SCEP Identity (MobileIron Cloud only).
Procedure
1. In the Standalone Sentry profile with ActiveSync and/or AppTunnel with certificates, in Global Settings, for Device Authentication Mode, select SCEP Identity.
2. Select the App Identity Certificate Configuration for the Identity certificate you want devices to use to authenticate with Sentry.
3. If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, select Check Certificate Revocation List (CRL).
   - Enable the CRL check only if the certificate chain presented by the device or the Trusted-Front-End to Standalone Sentry contains the information needed to download the CRL over HTTP.
   - Only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default; these will not work with Sentry.
   - For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.
4. Server Authentication defaults to Pass Through in any service, ActiveSync or AppTunnel, that you configure.
The Sentry restarts.
Authentication using an Identity certificate and Kerberos constrained delegation
This section describes the configuration when you choose Identity Certificate to authenticate the device to the Sentry and Kerberos for how Sentry authenticates the device to the ActiveSync server or backend resource.
Note the following:
• For ActiveSync, Sentry supports Kerberos authentication only with Microsoft Exchange Servers.
• Kerberos initialization in Standalone Sentry occurs only during Tomcat start-up. Standalone Sentry obtains the ticket-granting ticket (TGT) during Kerberos initialization. If the initialization fails during Tomcat start-up, Standalone Sentry automatically retries until a service ticket from the KDC is received. The retry interval starts at one minute and is capped at one hour. Failed initialization attempts are reported with a WARN-level log entry in Standalone Sentry System Manager, under Monitoring. To manually initialize Kerberos, use the debug command debug sentry kerberos init. The command has no effect if Kerberos initialization has already completed.
Before you begin
You must have set up your Kerberos environment. See Authentication Using Kerberos Constrained Delegation on the MobileIron Support site.
NOTE: The Authentication Using Kerberos Constrained Delegation document also contains setup instructions for MobileIron Core. Ignore the setup instructions for MobileIron Core.
Procedure
1. In the Standalone Sentry profile with ActiveSync and/or AppTunnel with Kerberos, in Global Settings, for Device Authentication Mode, select Use SCEP Identity.
2. Select the App Identity Certificate Configuration for the Identity certificate you want devices to use to authenticate with Sentry.
3. If you want to validate the certificates presented by the device against the Certificate Revocation List (CRL) published by the CA, select Check Certificate Revocation List (CRL).
   - Enable the CRL check only if the certificate chain presented by the device or the Trusted-Front-End to Standalone Sentry contains the information needed to download the CRL over HTTP.
   - Only HTTP- and HTTPS-based CRLs are supported. Some CAs create LDAP-based CRLs by default; these will not work with Sentry.
   - For CRL validation to work, Sentry requires network connectivity to the CRL Distribution Point (CDP), usually the CA that issued the certificate, through an HTTP or HTTPS port.
4. In the Kerberos section, add the Realm and the Key Distribution Center (KDC).
   - Realm: The Kerberos administrative domain with CIFS shares. The realm is usually the company domain name, in all uppercase characters.
   - Key Distribution Center: The network service that supplies session tickets and temporary session keys. This is generally the Active Directory domain controller host name.
5. Click Next to enter or update Sentry Server Configuration information.
6. Click Next to add or edit a service and configure server authentication.
7. For Server Authentication for a service, ActiveSync or AppTunnel, that you configure, select Kerberos.
   When you select Kerberos for Server Authentication, Specific destinations (reverse proxy) is selected by default, and the Derive Service Principal Name (SPN) from fully qualified Server Name option appears.
   If you select All Destinations (forward proxy), the Certificate Field Mapping section also appears. Click + Add to add an entry for certificate mapping.
8. If you selected reverse proxy, you must also add the FQDN and port for the allowed servers.
   This must be the FQDN of the backend resource. Wildcards are not supported. If you did not select Derive Service Principal Name (SPN) from fully qualified Server Name, you must also add the SPN.
9. Click Next, then click Save.
Standalone Sentry restarts when the profile is pushed to Standalone Sentry.
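Before you enable Check Certificate Revocation List (CRL) in any of the three procedures above (group certificate, SCEP Identity, or Identity certificate with Kerberos), confirm that the device or Trusted-Front-End certificate chain actually carries an HTTP or HTTPS CRL Distribution Point, because a certificate whose only CDP is LDAP-based will not work with Sentry. The following Python script is an added example; it is not MobileIron code and is not part of the Sentry product. It reads a DER or PEM certificate with a minimal ASN.1 reader (no third-party modules), lists the CDP URIs, separates the ones Sentry can use from the ones it cannot, and, when run on the Sentry host, can confirm that each usable CDP answers over HTTP(S), which is the connectivity requirement stated in the procedures. The certificate-shaped sample blob, the host names inside it, and all function names are constructed for this example.

```python
"""Pre-flight check for the Sentry "Check Certificate Revocation List (CRL)" option.

Sentry fetches CRLs only over HTTP/HTTPS, and only if the presented chain carries a
CRL Distribution Point (CDP). This script extracts the CDP URIs from a certificate
and reports which of them Sentry could actually use.
"""
import ssl
import sys
import urllib.request
from urllib.parse import urlparse

CRL_DP_OID = bytes.fromhex("06 03 55 1D 1F")   # OBJECT IDENTIFIER 2.5.29.31 as a full TLV
SUPPORTED_SCHEMES = {"http", "https"}          # the only CDP schemes Sentry supports


def read_tlv(data, pos):
    """Parse one DER tag-length-value at data[pos]; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for every TLV packed inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def crl_uris_from_extension(crl_dp_der):
    """Return the URI GeneralNames from a CRLDistributionPoints extension (RFC 5280 4.2.1.13)."""
    uris = []
    _, dist_points, _ = read_tlv(crl_dp_der, 0)            # SEQUENCE OF DistributionPoint
    for _, dist_point in children(dist_points):
        for tag, dp_name in children(dist_point):
            if tag != 0xA0:                                 # [0] distributionPoint
                continue
            for tag2, general_names in children(dp_name):
                if tag2 != 0xA0:                            # [0] fullName (GeneralNames)
                    continue
                for tag3, name in children(general_names):
                    if tag3 == 0x86:                        # [6] uniformResourceIdentifier
                        uris.append(name.decode("ascii"))
    return uris


def crl_uris_from_cert(cert_der):
    """Locate the CRL Distribution Points extension in a DER certificate and return its URIs."""
    _, certificate, _ = read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, tbs, _ = read_tlv(certificate, 0)                   # tbsCertificate SEQUENCE
    for tag, value in children(tbs):
        if tag != 0xA3:                                     # [3] EXPLICIT extensions
            continue
        _, ext_list, _ = read_tlv(value, 0)                 # SEQUENCE OF Extension
        for _, ext in children(ext_list):
            if ext[:len(CRL_DP_OID)] == CRL_DP_OID:         # extnID is the first field
                _, octets = list(children(ext))[-1]         # extnValue OCTET STRING
                return crl_uris_from_extension(octets)
    return []


def classify_cdps(uris):
    """Split CDP URIs into those Sentry can use (HTTP/HTTPS) and those it cannot (e.g. LDAP)."""
    usable = [u for u in uris if urlparse(u).scheme.lower() in SUPPORTED_SCHEMES]
    return usable, [u for u in uris if u not in usable]


def cdp_reachable(uri, timeout=5):
    """Run on the Sentry host: True if the CDP answers an HTTP(S) request within the timeout."""
    try:
        with urllib.request.urlopen(uri, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except Exception:                                       # unknown scheme, DNS, firewall, TLS...
        return False


def sentry_crl_report(cert_der):
    """Summarise whether the CRL option can work for this certificate's CDPs."""
    uris = crl_uris_from_cert(cert_der)
    usable, unusable = classify_cdps(uris)
    return {"cdp_uris": uris, "usable_by_sentry": usable,
            "unsupported_by_sentry": unusable, "crl_check_viable": bool(usable)}


def load_cert_der(path):
    """Read a PEM or DER certificate file and return its DER bytes."""
    with open(path, "rb") as f:
        raw = f.read()
    return ssl.PEM_cert_to_DER_cert(raw.decode("ascii")) if raw.lstrip().startswith(b"-----BEGIN") else raw


def tlv(tag, body):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x80 | ((n.bit_length() + 7) // 8)]) + n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + length + body


# Constructed sample (not a real certificate): a certificate-shaped DER carrying only the
# extensions field, with one HTTP CDP (usable) and one LDAP CDP (the kind some CAs emit by default).
SAMPLE_HTTP_CDP = "http://crl.example.test/corp-ca.crl"
SAMPLE_LDAP_CDP = "ldap:///CN=Corp-CA?certificateRevocationList?base"
_dp = lambda uri: tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, uri.encode("ascii")))))
_extension = tlv(0x30, CRL_DP_OID + tlv(0x04, tlv(0x30, _dp(SAMPLE_HTTP_CDP) + _dp(SAMPLE_LDAP_CDP))))
SAMPLE_CERT_DER = tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, _extension))))

if __name__ == "__main__":
    der = load_cert_der(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT_DER
    report = sentry_crl_report(der)
    for uri in report["unsupported_by_sentry"]:
        print(f"UNSUPPORTED (not HTTP/HTTPS): {uri}")
    for uri in report["usable_by_sentry"]:
        print(f"usable: {uri}  reachable from this host: {cdp_reachable(uri)}")
    print("CRL check viable for Sentry:", report["crl_check_viable"])
```

Run it on the Sentry host as `python3 crl_precheck.py device-chain.pem`; if `crl_check_viable` is False, the CA must publish an HTTP(S) CDP before the CRL option is enabled, and if a usable CDP is not reachable, the HTTP or HTTPS port to the CDP must be opened first.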