The Year in Tailored Authentication: Diverse Cases, Unique Solutions
The Wisdom of Smart Cards
Henkel KGaA, a global consumer products and technologies company based
in Dusseldorf, Germany, was planning an enterprise-wide smart card deployment
to its 38,000 employees and wanted to enable single sign-on to Lotus Notes,
Domino and Sametime. The company wanted its employees to use smart cards
instead of their Active Directory password to log into Windows, then launch
Notes without entering another password. They also wanted users to have single
sign-on access to Domino servers via the Web, no longer using the HTTP password
and Person Document. In addition, it was critical that access be secured with a
stronger authentication method.
PistolStar configured Password Power to achieve single sign-on to Lotus Notes
via smart card login to Windows and single sign-on to Domino and Sametime, all
using the Kerberos authentication protocol. Kerberos integrates with Active
Directory to enable single sign-on and provides an additional layer of security
because it does not send passwords over the network.
As a result, Henkel's users avoid repeated password prompts and no longer need
to replace, recover or recertify the Notes ID. There's also support for users when
roaming. Administrators minimize management of passwords in multiple locations and
no longer deal with forgotten password scenarios. Stronger authentication is achieved
via Kerberos, and removing the Domino HTTP password from Person Documents helps with
meeting security and audit requirements.
Smarter, More Secure Access via CAC Cards
A U.S. military organization sought to have each of its 75,000 users use their
X.509 CAC (Common Access Card) to access Lotus Sametime, authenticating against a
global LDAP account. The organization had a complex Active Directory environment
and did not want to manage Sametime logons through the Domino Directory; however,
it did have an IBM Tivoli LDAP server that front-ended a global directory containing
all the users. The primary goal was to have all logins (including Web programs) tied
to the CAC card.
Because the CAC card has the user's full identity on it, the organization wanted
all users to be able to log in with the CAC and not have to enter a username and
password. However, it did want users to have the option of using a username and
password if necessary.
PistolStar configured Password Power to intercept the logon in Sametime, go out
to the LDAP directory, validate the user's identity and then present the identity to
Sametime. This is a sophisticated tactic, since Sametime has no native smart card
functionality.
To provide the option of using a password and username instead of the CAC card,
PistolStar developed a client-side Eclipse plug-in that overrides the default login
screen for Sametime Connect and asks the user whether they want to log in with their
CAC card or with a username and password.
As a result, the organization was able to fully automate its login processes and
eliminate repeated password prompts by allowing the user to log in with their CAC
card. Security is enhanced due to the stronger authentication provided by the
CAC/smart card, which ensures the organization is compliant with government
regulations and policies.
Portal Access & Self-Service Passwords via Active Directory
The Hibernian Group, an insurance company based in Ireland, has a Domino-based
portal for which they had two requirements: logging in to the portal using the Active
Directory password, and managing the Active Directory password through the portal (via
the Web), including self-service Active Directory password reset via HTTPS.
PistolStar's Web Set Password offers browser-based authentication and self-service
password management capabilities, allowing users to reset their HTTP or Active Directory
password on their own using challenge question/response functionality. For administrators,
Web Set Password provides numerous configurable authentication and password features,
enabling them to meet security objectives and compliance requirements by ensuring stronger
and more secure authentication.
PistolStar added the Active Directory password reset capability to Web Set Password
specifically for the Hibernian Group, and has since made it a standard product feature
that serves as an alternative to the HTTP password reset. PistolStar enabled Web Set
Password to communicate via LDAP (which is Active Directory in this case) as well as via
native Domino when the user performs the challenge/response sequence for password resets.
Therefore, the Active Directory password change occurs on the backend in LDAP. Backend
agents were created to manage user accounts in LDAP/Active Directory.
By enabling the alternative of authenticating via Active Directory to access the
Domino-based portal and providing browser and portal-based self-service, Web Set Password
helps increase usability for Hibernian Group's users and administrators. Administrators
also benefit from a significant reduction in Help Desk calls regarding forgotten passwords.
With Web Set Password's password security functionality, such as strike-out limits, password
expiration and password strength validation, and its ability to audit user login activity,
administrators achieve the bonus benefits of optimizing security and maintaining compliance.
When Security & Control are Paramount to Usability
The Copenhagen Trial Unit (CTU), an organization in Denmark conducting clinical
research, had numerous security concerns due to unknown and untrusted workstations that
were running Lotus Notes and accessing the server. The organization wanted to record all
failed attempts to log on to Lotus Notes, which cannot be done in native Notes, and to
lock out the user after three failed attempts to enter their password correctly. CTU wanted
to require that locked-out users, as well as users who forgot their password, call the
Help Desk to proceed and/or perform password recovery.
With Password Power, PistolStar developed an extension that intercepts the password entered
by the user and redirects it to the Domino server for authentication against the HTTP password
(instead of allowing it to go directly to the Notes ID). Therefore, if the user makes a failed
login attempt, the server records it; if the user strikes out, the server locks them out.
Each login attempt, whether it is successful or fails, is recorded on the server in a Notes
database.
When the user has authenticated successfully, encrypted attributes are obtained from the
Domino server via HTTP and used to unlock the Notes ID and obtain the password, which is
unknown to even the user. The user never needs to interact directly with the Notes ID file.
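The server-side strike-out and audit logic described above, as an added Python sketch that is not PistolStar's code: the in-memory credential store stands in for the Domino HTTP password check, the audit list for the Notes database, and the PBKDF2 hashing is an assumption, since the page does not say how the HTTP password is stored.

```python
import hashlib
import hmac
import os
from collections import defaultdict

STRIKE_OUT_LIMIT = 3  # CTU's requirement: lock the user after three failed attempts


class LoginGateway:
    """Server-side stand-in for the Domino HTTP password validation.

    Every attempt, successful or not, is appended to ``audit`` (the role the
    Notes database plays on the page). A locked user stays locked until the
    Help Desk clears the lock, even if the correct password is later supplied.
    """

    def __init__(self):
        self._creds = {}                 # user -> (salt, PBKDF2 digest); constructed store
        self._failures = defaultdict(int)
        self._locked = set()
        self.audit = []                  # (user, outcome) records, one per event

    @staticmethod
    def _derive(password, salt):
        # PBKDF2-HMAC-SHA256 is an assumption standing in for the real password store
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, self._derive(password, salt))

    def attempt(self, user, password):
        if user in self._locked:
            outcome = "locked"
        else:
            # Derive even for unknown users so the check takes the same time either way
            salt, digest = self._creds.get(user, (b"\0" * 16, b"\0" * 32))
            ok = user in self._creds and hmac.compare_digest(self._derive(password, salt), digest)
            if ok:
                self._failures[user] = 0
                outcome = "success"
            else:
                self._failures[user] += 1
                outcome = "failure"
                if self._failures[user] >= STRIKE_OUT_LIMIT:
                    self._locked.add(user)   # the user strikes out
        self.audit.append((user, outcome))
        return outcome

    def helpdesk_unlock(self, user):
        """Only the Help Desk path clears a strike-out, as the page requires."""
        self._locked.discard(user)
        self._failures[user] = 0
        self.audit.append((user, "helpdesk-unlock"))
```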
With this tailored solution, PistolStar met the customer's requirements for
increased security, compliance and auditing. Because securing the authentication
process, enforcing access control and auditing user login activity were so essential,
these requirements took precedence over usability.
Reducing Logins With Multiple, Diverse Applications
A global company providing enterprise and manufacturing resource planning software and
services to the world's leading manufacturers engaged PistolStar for several
projects, one involving multiple logins.
The company had several external websites, including an active customer support
site. Because of the various directories and applications running on the site, each
user had several identities, which required six different logins; the company therefore
wanted to reduce the number of logins. The three main directories were Lotus
Domino, Apache and ATG Knowledge, a customer and knowledge management solution.
With Password Power, PistolStar tailored a solution providing single sign-on to Apache
and ATG as well as to Domino by authenticating with Active Directory credentials. Shortly
after implementing this new plug-in, the company added another application, Daisy, for which
PistolStar developed another plug-in enabling single sign-on.
The company now offers single sign-on to four key systems on its customer support site. A
portal is now also set up on the site where customers have a front-end login. With the
implementation of the Password Power single sign-on plug-ins, the company's customers have
no password prompts to access those systems and experience reduced sign-on overall across
the site.
With Password Power, users only need to remember and change one password - their Active
Directory password. In the company's employee portal, users previously had to log in again
to access links inside the portal; Password Power now allows them to access Domino
applications directly via single sign-on.
By implementing PistolStar's Password Power plug-ins, including customized plug-ins
supporting specific applications, the company was able to provide reduced or single sign-on
for its users, unify password policies and reduce password-related Help Desk calls by 50-65%.