iPad Authentication With Symantec MPKI And ActiveSync

Transcription

iPad authentication with Symantec MPKI and ActiveSync connections
Lab IC L23

Description
iPad authentication lab using Symantec's MPKI certificates for authentication through an ActiveSync connection.

At the end of this lab, you should be able to
Use Symantec Managed PKI Service to strongly authenticate users and secure the communication between their mobile device and a Microsoft Exchange server using the ActiveSync protocol.

In this lab, you will perform the following exercises:
o PKI Administrator - Enroll for Symantec Managed PKI Service Free Trial
o PKI Administrator - Administer and configure the service to issue a Client Authentication certificate and configuration payload that enable a mobile device to connect to a Microsoft Exchange mailbox using ActiveSync
o End User - Enroll and install the ActiveSync certificate/configuration
o End User - Connect to your Exchange mailbox

Notes

URLs needed for this lab
o http://www.symantec.com/theme.jsp?themeid=free-trial - Symantec Managed PKI Service Free Trial. Enroll for a free Test Drive account.
o http://mailinator.com/ - Mailinator - Free, disposable email. Use an internet email service when enrolling for your free trial account to receive the email to pick up your PKI Administrator certificate, and to receive the end-user enrollment email sent to the mobile device. If you have your own internet accessible email account, you are encouraged to use it instead. (If mailinator.com is not responding, you can also try http://www.yopmail.com)
o ...nager/ - Symantec PKI Manager. Access your MPKI account as PKI Administrator.

Microsoft Exchange ActiveSync Host: mail.ua.tso-cloud.com

LAB AGENDA

Lab Exercise 1: PKI Administrator - Enroll for Symantec Managed PKI Service Free Trial
Quick, easy and free access to the Symantec Managed PKI Service online.

Lab Exercise 2: PKI Administrator - Configure your MPKI account for the mobile device ActiveSync certificate use-case
Configure the ActiveSync certificate profile for the target device
 - Select the Secure Sign-in certificate template
 - Configure the Delivery Method (iOS) and Enrollment Method to include the enrollment code in the email
 - Set the client ActiveSync configuration to use with the certificate
Send the ActiveSync certificate enrollment email to the end-user
 - Add the user to PKI Manager
 - Enroll the user for the ActiveSync certificate profile for their device

Lab Exercise 3: End-user - Certificate enrollment, installation, configuration and usage
Device certificate enrollment, profile installation and configuration
Access your Exchange mailbox
Discuss the Microsoft Exchange server side configuration
 - Trust the Issuing CA
 - Map certificate to domain user account
See MPKI ActiveSync.pdf (Downloadable from PKI Manager Resources.)

Appendix A - Removing the iOS Profile

Symantec VISION 2013 Lab Guide - IC L23

LAB LAYOUT

[Lab layout diagram. Components: Symantec Cloud Managed PKI (PKI Manager, Certificate Services, SCEP Server, Web Services); PKI Administrator; Internet; Tablet User. Labelled flows: enrollment code; ActiveSync enrollment link; SCEP request & ActiveSync profile certificate.]

Lab Exercise 1: PKI Administrator - Enroll for Symantec Managed PKI Service Free Trial

1. PKI Administrator - Register for Symantec Managed PKI Service Test Drive

Login to Windows 7
User: pkiadmin

Open a web browser and go to:
http://www.symantec.com/theme.jsp?themeid=free-trial

Click the link "Get Started".

Fill out the entire form.
Once you have submitted the registration form, you will be sent an email to pick up your PKI Administrator certificate.

* Choose an email address that you can retrieve email from over the internet. It is recommended that you use your own internet accessible email account, if you have one. If you do not have your own email account, it is recommended that you use a free @mailinator.com email address. If using mailinator.com, choose something unique for your administrator email address. For example "VISION2013 yourFirstName lastInitial @mailinator.com", i.e., "VISION2013LanceH@mailinator.com".

Retrieve your email to pick up and install your PKI Administrator certificate

If using a mailinator.com email account, use your web browser to go to http://mailinator.com/ and login using the email address you chose in the previous step.
Open the email with subject "Test Drive account approved".

In the email body, click on the link labeled "Go to the link below to get your certificate:".
Wait for the page to load completely and click Install Certificate.
For this lab, the PIN has already been set.
Enter the PIN: 123456

Do not interrupt the browser while generating the key-pair and installing your certificate.
When prompted, install the Symantec Managed PKI Infrastructure Test Drive Root CA.
Close the Symantec PKI Client dialog.
On the certificate installation success page, click Log in now.
("Log in now" is the Symantec Test Drive PKI Manager, ...nager/ )
Welcome to the PKI Manager dashboard.

2. PKI Administrator - Configure your MPKI account for the mobile device ActiveSync certificate use-case

Using your web browser, login to PKI Manager and click the Tasks icon for Manage Certificate Profiles.
Click Add certificate profiles.
Select Production Mode and click Continue.
Choose the Certificate template, Client Authentication (Test Drive), and click Continue.

Enter a Certificate friendly name, "iOSActiveSync", and change the Enrollment Method to iOS.
Click Continue to change the enrollment method.
Select "Authentication method:" Enrollment Code, then check the box: "Include enrollment code as part of the URL in the enrollment email." And Save.
(Embedding the code in the link means the email alone is enough to enroll: anyone who can read that mailbox can obtain the certificate. That is acceptable for this lab; for production users deliver the enrollment code out of band.)
Click Continue to save this certificate profile.
Click Edit, to set the device configuration.

Configure the ActiveSync settings, and click Save.
Account Name: Vision 2013 IC L23
Exchange host: mail.ua.tso-cloud.com
Certificate profile configuration is complete.
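The profile the device receives at the end of this step bundles two things: a SCEP payload that asks the device to generate a key and enroll for the certificate (with the UPN carried as the SubjectAltName ntPrincipalName), and an Exchange ActiveSync account payload that points at the Exchange host and names that certificate by UUID. The following is an added example, not the profile MPKI produces or any Symantec code; it uses Apple's documented Configuration Profile keys for the com.apple.security.scep and com.apple.eas.account payloads, and the SCEP URL, the payload identifiers and the use of the enrollment code as the SCEP challenge are assumptions. The validator checks the linkage an administrator would want to confirm before pushing such a profile: every ActiveSync account references a SCEP payload in the same profile, the SAN UPN matches the account's UserName, TLS is required and the key is at least 2048 bits.

```python
"""
Build and sanity-check an iOS configuration profile that pairs a SCEP
certificate payload with an Exchange ActiveSync account payload.
Added illustration using Apple's Configuration Profile payload keys; the
profile MPKI actually delivers in the lab may differ in layout and values.
"""
import plistlib
import uuid

SCEP_URL = "https://scep.example.test/scep"   # assumption: placeholder, not an MPKI endpoint
EXCHANGE_HOST = "mail.ua.tso-cloud.com"        # from the lab guide
ACCOUNT_NAME = "Vision 2013 IC L23"            # from the lab guide
UPN_SAN_KEY = "ntPrincipalName"                # Apple's SubjectAltName key for the UPN otherName


def build_profile(upn: str, enrollment_code: str) -> dict:
    """Profile with one SCEP payload and one EAS payload that references it."""
    scep_uuid = str(uuid.uuid4()).upper()
    scep = {
        "PayloadType": "com.apple.security.scep",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.scep",          # assumption
        "PayloadUUID": scep_uuid,
        "PayloadDisplayName": "Client Authentication certificate",
        "PayloadContent": {
            "URL": SCEP_URL,
            "Name": "iOSActiveSync",
            "Subject": [[["CN", upn]]],
            "SubjectAltName": {UPN_SAN_KEY: upn},        # what Exchange maps to the mailbox
            "Challenge": enrollment_code,                 # assumption: enrollment code as SCEP challenge
            "Keysize": 2048,
            "Key Type": "RSA",
            "Key Usage": 5,                               # 1 = digital signature, 4 = key encipherment
        },
    }
    eas = {
        "PayloadType": "com.apple.eas.account",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.eas",           # assumption
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": ACCOUNT_NAME,
        "Host": EXCHANGE_HOST,
        "UserName": upn,
        "EmailAddress": upn,
        "SSL": True,
        "PayloadCertificateUUID": scep_uuid,              # ties the mailbox to the SCEP-issued cert
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vision2013.activesync",   # assumption
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Vision 2013 iOS ActiveSync",
        "PayloadContent": [scep, eas],
    }


def validate_profile(profile: dict) -> list:
    """Return the problems a reviewer should see before pushing the profile."""
    problems = []
    payloads = profile.get("PayloadContent", [])
    scep_by_uuid = {p["PayloadUUID"]: p for p in payloads
                    if p.get("PayloadType") == "com.apple.security.scep"}
    for p in payloads:
        if p.get("PayloadType") != "com.apple.eas.account":
            continue
        if not p.get("SSL"):
            problems.append("EAS payload does not require TLS")
        cert = scep_by_uuid.get(p.get("PayloadCertificateUUID"))
        if cert is None:
            problems.append("EAS payload references no SCEP certificate payload")
            continue
        san_upn = cert["PayloadContent"].get("SubjectAltName", {}).get(UPN_SAN_KEY)
        if san_upn != p.get("UserName"):
            problems.append("SAN UPN %r does not match EAS UserName %r" % (san_upn, p.get("UserName")))
        if cert["PayloadContent"].get("Keysize", 0) < 2048:
            problems.append("SCEP key size below 2048")
    return problems


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize as the XML plist a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def from_mobileconfig(data: bytes) -> dict:
    return plistlib.loads(data)


if __name__ == "__main__":
    prof = build_profile("user1@ua.tso-cloud.com", "ENROLLCODE")
    print(validate_profile(prof))            # [] when the two payloads agree
    print(to_mobileconfig(prof).decode()[:200])
```

Run it as-is to see the XML that the device would be asked to install; change the EAS UserName or drop PayloadCertificateUUID and validate_profile reports the break, which is exactly the case where the account would prompt for a password instead of using the certificate.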

Add the user to PKI Manager

Click the Tasks icon for Manage users.
Click Add users.
Select the radio button for Add: A single user and enter the Seat ID.
For this lab we will set the user's Seat ID as their Windows domain User Principal Name (UPN). This UPN value will also be included in the certificate SubjectAltName and is used by ActiveSync to map the domain user's mailbox.
Use one of the domain users 1 thru 10 that are available in the lab domain:
user1@ua.tso-cloud.com, user2@ua.tso-cloud.com, user3@ua.tso-cloud.com, user4@ua.tso-cloud.com, user5@ua.tso-cloud.com, user6@ua.tso-cloud.com, user7@ua.tso-cloud.com, user8@ua.tso-cloud.com, user9@ua.tso-cloud.com, user10@ua.tso-cloud.com
Click Continue.

Enter the user's First Name, Last Name, Email*, and click Continue.
(Do not check the checkbox for "I want to enroll the user for a certificate", as this will be performed in the next step.)

* The email should be sent to an address where it can be read from the end-user device using the web browser and internet email. You can use your own internet accessible email account. If you do not have your own email account, you can use a mailinator.com (free, disposable email) address. Choose your own unique email address, so that you can find your enrollment email. E.g., "VISION2013USER yourFirstName lastInitial @mailinator.com", i.e., "VISION2013USERLanceH@mailinator.com".
(Mailinator inboxes are public and need no password, so anyone who guesses the address can read the enrollment email and, with the enrollment code embedded in the link, enroll the certificate. Fine for a lab, not for real users.)

Add user is complete.

Enroll the user for the ActiveSync certificate profile for their device

Click Enroll user for a certificate.
Select the appropriate Certificate profile for the end-user's device, "iOSActiveSync", and click Continue.
Set the "Other Name (UPN):" value to the same domain user that you chose for the Seat ID and leave Email blank.
Check the box "Have the system send the enrollment email to the user. The email will be sent to ..." and click Continue.
Click Done.
The enrollment request email is now sent and is pending pickup.

3. End-user - Certificate enrollment, installation, configuration and usage

On the iOS device, use the web browser to retrieve the email from your account.
If you are using mailinator, go to the mailinator.com website.
Enter the username portion of your email address in Check your Inbox! and click Go!
E.g., "VISION2013USERLanceH"
Open the email with subject "Enroll for your certificate".
In the email body, click the link to start the certificate enrollment.
(Note: For mailinator.com, clicking Charset: UTF-8 will convert the URL to a clickable hyperlink.)

Click to Continue the certificate enrollment process.
Click Continue to install the profile and certificate.
You are prompted to install the Symantec Managed PKI profile.
Click Install.

At the verification pop-up, click Install Now.
(If your device is PIN protected you will need to grant access by entering your device PIN.)
If prompted to install and trust the "Symantec Managed PKI Online Test Drive Root" certificate, click Install Now.
(Installing a root this way makes the device trust everything that root signs, so only accept it for a CA you have verified; here it is the Test Drive root the lab expects.)
Wait for "Installing Profile", "Generating Key", "Enrolling Certificate".
"Profile Installed"
Click Done.

Access the Exchange mailbox
Click Mail.

Discuss the Microsoft Exchange server side configuration
 - Trust the Issuing CA
 - Map certificate to domain user account
Both steps follow from the profile set up in Exercise 2: the server can only accept the client certificate if it trusts the CA that issued it, and the UPN placed in the certificate's SubjectAltName is what gets matched to the domain account that owns the mailbox.
See MPKI ActiveSync.pdf (Downloadable from PKI Manager Resources.)
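To make the two server-side steps concrete, here is the decision the Exchange front end has to take for every ActiveSync connection, written out in Python as an added example (this is not Exchange, IIS or MPKI code, and it does not replace the steps in MPKI ActiveSync.pdf). It applies both to the Seat ID / UPN note in the Add user step and to the two bullets above: refuse certificates from an issuer you do not trust, extract the UPN from the SubjectAltName otherName (Microsoft OID 1.3.6.1.4.1.311.20.2.3), refuse UPNs from a realm the CA is not authoritative for, and only then look the UPN up in the directory. The issuer string, the lab domain suffix and the dictionary standing in for the Active Directory lookup are assumptions; the SubjectAltName it parses is constructed inline with a minimal DER encoder so the block runs offline.

```python
"""
Map a client certificate to a domain account the way the Exchange front end
has to before it grants ActiveSync access: check the issuer is one you trust,
pull the UPN out of the SubjectAltName otherName, and look the UPN up in the
directory.  Added illustration, not Exchange, IIS or MPKI code; it carries a
minimal DER encoder/decoder so it runs offline on a constructed SAN.
"""
from typing import Iterator, Optional, Tuple

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME

# Assumptions for the example: the issuer DN as your trust store renders it,
# the lab domain's UPN suffix, and a dict standing in for an AD lookup.
TRUSTED_ISSUERS = {"CN=Symantec Managed PKI Infrastructure Test Drive Root CA"}
DOMAIN_SUFFIX = "@ua.tso-cloud.com"
DIRECTORY = {"user%d@ua.tso-cloud.com" % i: "UA\\user%d" % i for i in range(1, 11)}


def _enc_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _enc_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER, base-128 arcs after the first two."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def iter_tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk a run of DER TLVs, yielding (tag, contents)."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("truncated DER")
        yield tag, data[i:i + length]
        i += length


def build_san(upn: Optional[str] = None, email: Optional[str] = None) -> bytes:
    """Constructed SubjectAltName extension value (GeneralNames SEQUENCE)."""
    names = []
    if upn is not None:
        # otherName [0] ::= { type-id OID, value [0] EXPLICIT UTF8String }
        names.append(tlv(0xA0, encode_oid(UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode("utf-8")))))
    if email is not None:
        names.append(tlv(0x81, email.encode("ascii")))   # rfc822Name [1]
    return tlv(0x30, b"".join(names))


def extract_upn(san_der: bytes) -> Optional[str]:
    """Return the UPN from the SAN's otherName; rfc822Name and others are ignored."""
    tag, body = next(iter_tlvs(san_der))
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    for gn_tag, gn_body in iter_tlvs(body):
        if gn_tag != 0xA0:
            continue
        parts = list(iter_tlvs(gn_body))
        if len(parts) != 2 or parts[0][0] != 0x06 or parts[1][0] != 0xA0:
            continue
        if decode_oid(parts[0][1]) != UPN_OID:
            continue
        inner_tag, inner = next(iter_tlvs(parts[1][1]))
        if inner_tag == 0x0C:
            return inner.decode("utf-8")
    return None


def map_certificate(issuer: str, san_der: bytes) -> Optional[str]:
    """Account name for this certificate, or None if the connection must be refused."""
    if issuer not in TRUSTED_ISSUERS:
        return None                       # untrusted CA: its assertions mean nothing
    upn = extract_upn(san_der)
    if upn is None:
        return None                       # no UPN: an rfc822Name alone is not an identity here
    if not upn.lower().endswith(DOMAIN_SUFFIX):
        return None                       # the CA is not authoritative for other realms
    return DIRECTORY.get(upn.lower())
```

The realm check is the one people forget: a CA you trust for ua.tso-cloud.com can still issue a certificate whose UPN names some other domain, and without that check a single trusted issuer becomes a way to assert any identity the directory happens to know.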

Appendix A - Removing the iOS Profile

Open Settings > General > Profiles.
Select the profile you wish to remove, "Vision 2013 iOS ActiveSync".
Click Remove.
At the verification pop-up, click Remove.
(If your device is PIN protected you will need to grant access by entering your device PIN.)
