Adding Certificate Based Authentication Repository

TAC supports certificate-based authentication, where the administrator can configure TAC sites to check for a certificate on the endpoint when the user accesses the site.

Certificate-based authentication is a strong way of protecting login access from malicious devices or from stolen user credentials. An intruder may try to access the site using stolen credentials or through a man-in-the-middle attack. With certificate-based authentication enabled, users must have a valid certificate, issued by a trusted certificate authority designated by the organization, in order to access the secured site. Certificate-based authentication in TAC therefore provides two layers of protection: before the credential prompt, TAC looks for a valid certificate on the user endpoint, and only if that certificate chains to the configured trusted certificate authority is the user allowed to enter credentials. Otherwise, access is denied.

Further, TAC not only checks for the presence of a certificate to identify a safe access request; it also inspects the certificate's parameters so that safe endpoints are identified in the most secure way.

To enable certificate-based authentication, you need to add it as an authentication method in the Authentication and Authorization list and assign it to the Site as the authentication server.

Do the following to add certificate-based authentication:

1. Open the Authentication and Authorization Servers window under the Configuration menu in TAC Configuration Manager.

2. In the Authentication and Authorization Servers window, click Add.

3. In the Configure Authentication and Authorization Servers window, in the General section, select Certificate as the type of authentication.

4. In the Name field, enter a friendly name.

5. In the Configuration section, add a valid CA certificate issued by a trusted certificate authority.

a. Click Change in the CA certificate field and add the CA certificate.

b. Optionally, the administrator can add an SSL bridging certificate where the client needs to connect to a backend server. This certificate must be a .pfx certificate. Click Change in the SSL Bridging cert field to add the SSL certificate.

c. Configure which parameters to check when validating the certificate, such as certificate revocation, certificate usage check, CRL refresh and CRL download timeout. Select the settings appropriate to your enterprise requirements.

Next, select what to do if certificate validation fails from the On Certificate Error field. You may choose either to close the connection immediately or to send an HTTP 403 error to the client browser.

If you select “close connection”, the user receives no notification; the connection to the site simply fails and the user never sees the TAC login screen. Even if you have multiple authentication types selected, including certificate, TAC checks the certificate first, and only if it is valid do the other authentication servers perform their authentication. This mechanism greatly strengthens the security of your corporate access.

In some cases, the certificate check may be optional rather than required. To make the certificate check optional, select the “Is optional in multi-factor authentication” checkbox. Then, if you have multiple authentication servers configured, including certificate, and a client does not present a certificate, the certificate check is ignored and authentication proceeds using the other configured authentication methods.
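The following is an added example, not TAC's own code, that models the decision logic described in steps 5c through the optional-check setting: a presented client certificate is chained to the configured CA certificate, the “check certificate usage” option additionally requires the Client Authentication extended key usage, a failure maps to either “close connection” or HTTP 403, and an absent certificate is ignored only when the check is marked optional in multi-factor authentication. The `Policy` fields, the `Decide` function and the throwaway CA and client certificates are all assumptions constructed for the example (CRL checking is not modelled); the treatment of a presented-but-invalid certificate under the optional setting is likewise an assumption the page does not state.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Outcome is what the site does once the certificate step has run.
type Outcome string

const (
	OutcomePromptCredentials Outcome = "show TAC login screen" // certificate accepted, or absent and optional
	OutcomeCloseConnection   Outcome = "close connection"      // On Certificate Error: close connection
	OutcomeHTTP403           Outcome = "send HTTP 403"         // On Certificate Error: HTTP 403
)

// Policy mirrors the Configuration section of the Certificate server (field names are assumed, not TAC's).
type Policy struct {
	Roots         *x509.CertPool // the trusted CA certificate(s) added in step 5a
	CheckUsage    bool           // "check certificate usage": require the Client Authentication EKU
	OptionalInMFA bool           // "Is optional in multi-factor authentication"
	Send403       bool           // On Certificate Error: false = close connection, true = HTTP 403
}

// ValidateClientCert builds a chain from the presented certificate to a trusted CA; with
// CheckUsage it also demands the ClientAuth EKU. Revocation (CRL) checking is not modelled.
func ValidateClientCert(cert *x509.Certificate, p Policy) error {
	opts := x509.VerifyOptions{Roots: p.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if p.CheckUsage {
		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	_, err := cert.Verify(opts)
	return err
}

// Decide applies the site policy to the certificate the endpoint presented (nil = none presented).
// Assumption: a certificate that is presented but invalid is an error even when the check is optional.
func Decide(cert *x509.Certificate, p Policy) Outcome {
	onError := OutcomeCloseConnection
	if p.Send403 {
		onError = OutcomeHTTP403
	}
	if cert == nil && p.OptionalInMFA {
		return OutcomePromptCredentials // check ignored; the other authentication methods take over
	}
	if cert == nil || ValidateClientCert(cert, p) != nil {
		return onError
	}
	return OutcomePromptCredentials
}

// makeCert signs tmpl with parentKey (self-signed when parentKey is nil). Constructed test data only.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// NewCA builds a throwaway issuing CA standing in for the organization's trusted authority.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return makeCert(tmpl, tmpl, nil)
}

// IssueClientCert issues an end-entity certificate; eku decides whether it is usable for client auth.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string, eku x509.ExtKeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku},
	}
	cert, _ := makeCert(tmpl, ca, caKey)
	return cert
}

func main() {
	ca, caKey := NewCA("Corp Issuing CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	strict := Policy{Roots: roots, CheckUsage: true}
	fmt.Println("valid client cert:", Decide(IssueClientCert(ca, caKey, "alice", x509.ExtKeyUsageClientAuth), strict))
	fmt.Println("email-only cert:  ", Decide(IssueClientCert(ca, caKey, "bob", x509.ExtKeyUsageEmailProtection), strict))
	fmt.Println("no cert, optional:", Decide(nil, Policy{Roots: roots, OptionalInMFA: true}))
}
```

Note that with the usage check switched off, the email-only certificate is accepted as long as it chains to the configured CA; with it on, the same certificate is rejected, which is why the usage check matters when the CA also issues certificates for purposes other than client authentication. A certificate from any CA other than the one added in step 5a is rejected regardless of the other settings.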

Important: When using certificate authentication for a site that shares the same IP:Port value with another site that doesn't use certificate-based authentication, the SSL binding will be switched to Server Name Indication (SNI) mode, which might have compatibility issues with older browsers. If SNI is not desired, make sure the site with certificate-based authentication uses a unique IP or port.