Skip to main content

Configuration Example: SSA Login Assistant with VPN

This configuration example walks through a set of technical details for the installation of Self Service Anywhere (SSA) using the Login Assistant (SKA) with a VPN. This example also includes an example of how this was accomplished for a sample client.

Requirements

This configuration example assumes that:

  • Bravura Security Fabric and the Connector Pack are installed.

Set up RODC (optional)

Unless an organization is allowing for connectivity to a read-write domain controller (RWDC), one or more read-only domain controllers (RODCs) should be set up for security.

  • You can use dcselect and dcdiscovery to provide a list of applicable DCs to be used.

  • Ensure that there is sufficient speed of replication between all nodes in the AD forest. It is possible that you can run into a timing issue between the update of the password in Bravura Security Fabric , and its access on the RODC.

  • The PDC emulator master receives preferential replication of password changes within the domain. As password changes take time to replicate across all the domain controllers in an Active Directory domain, the PDC emulator master receives notification of password changes immediately, and if a logon attempt fails at another domain controller, that domain controller will forward the logon request to the PDC emulator master before rejecting it.

For more information see the following Microsoft resources:

Configure the local reset extension

This example shows you how to configure the Local Reset Extension to function using the Chrome web browser.

Tasks completed in this Example are:

  • Configuring the Bravura Security Fabric change passwords module.

  • Configuring the cgilocalr.cfg script.

  • Installing the Local Reset Browser Extension for Chrome.

  • Installing the native browser extension on a user’s workstation.

    Many organizations deploy software packages via Group Policies. Bravura Security Fabric local reset extensions can be distributed in the same manner. It is recommended that you talk with your system administrator to discuss this installation.

See Local Reset Extension: Resetting cached credentials for details.

Configure the Change passwords (PSS) module to use cgilocalr

  1. Log in to the Bravura Security Fabric as superuser.

  2. Click Manage the system > Modules > Change passwords (PSS) .

  3. Set S STATUS EXT to cgilocalr.exe and click Update.

    36478.png
Copy and edit the configuration file

To set up Login Assistant for remote users, configure the local reset extension, cgilocalr:

  1. As an administrator, log into your Bravura Pass application server.

  2. Copy the cgilocalr.cfg file from the samples directory.

  3. Open the copy in the script directory for editing.

  4. Add the following section and replace "MY_AD_TARGET" and "MY_AD_DOMAIN" accordingly for the Active Directory target ID and domain name:

    # Example: Generic Control - Windows Cached Credential Update. (via rundll32.exe)
  "targetid" "MY_AD_TARGET" = {
    "control" "generic" = {
      "id" = "pslocalr";
         
      "arguments" = "ResetCachedPassword2 %HID_ENCRYPTED_DATA%";
      "attributes" "" = {
        "logonDomain" = "MY_AD_DOMAIN";
      };
    };
  };

  5. Save the modified cgilocalr.cfg file in the script directory.

Install the Local Reset Browser Extension on Chrome

  1. On a Windows Workstation, log in as an end user. In this example, the user ID is ABBIEL .

  2. Open the Chrome browser on the Windows Workstation.

  3. Navigate to http://< Bravura Pass Server IP address>/default .

  4. Log in to the Front-end (PSF) as ABBIEL .

  5. Click Change passwords to reset the password the target system that is configured to use the local reset extension. In this example this is AD .

  6. On the Results page, locate the Results column.

    The AD target account password reset will work, but the cached credential reset will not.

    Note the results column addition for the AD target system: Local Reset Extension Status: Disconnected Install chrome extension .

  7. For the AD account, click the Install chrome extension link.

    A new browser tab appears with the Bravura Security Browser Extension in the Chrome web store..

  8. Click Add to Chrome.

  9. Click Add extension.

  10. Click X to close the sync notification.

  11. Close all Chrome browser windows.

Install the native extension

  1. Open the Chrome browser on the Windows Workstation.

  2. Navigate to http://< Bravura Pass Server IP address>/default .

  3. Log in to the Front-end (PSF) as ABBIEL .

  4. Click Change passwords to reset the password the target system that is configured to use the local reset extension. In this example this is AD .

  5. On the Results page, locate the Results column.

    The AD target account password reset will work, but the cached credential reset will not.

    Note the results column addition for the AD target system: Local Reset Extension Status: Disconnected Install native extension .

  6. On the password reset result page, click the Install native extension link to download the installer.

    The browser-extension-win-x86.msi is downloaded.

  7. Close all Chrome browser tabs.

  8. On the Windows Workstation, click the Start menu icon.

  9. Search for and locate the Command Prompt application.

  10. Right-click the Command Prompt application and click Run as administrator.

    Click Yes if you are asked to confirm that you want to allow this app to make changes to your device.

  11. On the command line, type cd C:\Users\demo-admin\Downloads and press Enter.

  12. Type browser-extension-win-x86.msi on the command line and press Enter .

  13. Click Run.

  14. Click Next .

  15. Check the box for I accept the terms in the License Agreement.

  16. Click Next .

  17. Click radio button for Install for all users of this machine.

  18. Click Next .

  19. Click Typical.

  20. Click Install.

  21. Click Next .

  22. Click Finish.

    The Local Reset Extension has now been successfully installed for the users of the Windows Workstation.

Test the configuration

To test the installation and configuration, change a user's password and ensure a success message appears on the results page.

  1. Log in to the Windows Workstation with the Local Reset Extension installed with a user’s domain account.

  2. Open the Chrome browser.

  3. Navigate to the Bravura Pass URL.

  4. Log in to Bravura Pass as the user.

  5. Click Change passwords.

  6. On the Change passwords page, enter a New password and Confirm the password.

  7. Click Change passwords.

    This will display the Results page that shows the addition: Local Reset Extension Status: Processed .

    The user’s password has now been changed. With Local Reset Extension installed, their previously cached password on the Windows Workstation will also update to match the new password.

Configure Login Assistant

This example shows you how to install the Login Assistant client software and set up the help account on a local workstation.

This example includes the following tasks:

  • Copy the SKA files from the Bravura Pass server to the Windows Workstation.

  • Install Login Assistant on the Windows Workstation.

  • Use a silent installer to install on all machines.

Requirements

In order to create the help accounts and install the software on Windows workstations, you must launch the appropriate Windows Installer package using elevated privileges. See all Windows requirements .

Run the installer on a Windows Workstation

Bravura Pass provides installer packages to create the help account and install the required software on users’ workstations for Windows client workstations version 8 and newer (ska.msi, or ska-x64.msi for 64-bit systems).

  1. Copy the ska.msi installer, or ska-x64.msi installer for 64-bit systems, from the addon directory on the Bravura Pass server to a scratch directory (C:\temp) on the local workstation or to a publicly accessible share.

  2. Run the installer on a workstation to test the configuration using a GUI.

    For this example:

    • The URL is a dedicated internal IP address that is only available through the VPN.

    • The “help” account that is used for the Kiosk is a local account with a random password.

      You may want, for testing, to assign a password that you know.

      Remember that the SKA (Secure Kiosk Account) has no privileges on Windows; it only triggers wifi and VPN connection if needed, and opens a kiosk browser that connects only to the Bravura Pass URL configured.On closing that browser, the account is logged out automatically.

    • For the VPN connection, this example uses Palo Alto Networks GlobalProtect VPN service;

      • Connection Program: PowerShell.exe

      • Connection Arguments: & 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe';Start-Service PanGPS

      • Disconnection Program: net

      • Disconnection Arguments: stop pangps

      • User ID: Entered, but not used

      • Password: Entered, but not used

      • Timeout: 10

      • Retries: 10

This example uses machine-based certification for the credentials to the VPN, which does not require a username and password for the configuration.

Use a silent installer

Once the settings above are validated use a silent installer to push out the setting to all of the user machines. This example uses the following command:

msiexec /i ska-x64.msi ADDLOCAL=SKA,CREDPROV URL="http://10.172.68.26/test/" RANDOM_HELPPASSWORD=1 HELPACCOUNT="help" REMOTESKAACCESSENABLED=1 USEVPN=1 VPN_CONNECT_PROGRAM="PowerShell.exe" VPN_CONNECT_CMDLINE="& 'C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe';Start-Service PanGPS" VPN_DISCONNECT_PROGRAM="net" VPN_DISCONNECT_CMDLINE="stop pangps" VPN_USER=myvpnuser VPN_PASSWORD=myvpnpassword VPN_TIMEOUT=10 VPN_RETRIES=10 IMAGEFILE="tile.bmp" ADMIN_USERNAME=".\Administrator" ADMIN_PASSWORD="***" /quiet /l*v install-ska.log

The administrator credentials listed about would need to be updated as appropriate. Additionally, the myvpnuser and myvpnpassword need to be updated appropriately.

Configure VPN on client side

This example uses an always-on VPN service that used a machine based certificate. It uses an existing local account that is currently working.

Note

This redacted example is based on a sample client; requirements are likely to be different for your environment.

  1. Export from regedit using the existing local account with a working set of the full Palo Alto configuration:

    HKEY_USERS\<GOOD_SID>\Software\Palo Alto Networks

  2. Look up the SID of the created “help” user account, using the command:

    wmic useraccount where name='help' get sid

  3. Update <GOOD_SID> to the correct SID throughout all levels of the exported registration file:

    Windows Registry Editor Version 5.00
[HKEY_USERS\<GOOD_SID>\Software\Palo Alto Networks]
[HKEY_USERS\<GOOD_SID>\Software\Palo Alto Networks\GlobalProtect]
[HKEY_USERS\<GOOD_SID>\Software\Palo Alto Networks\GlobalProtect\PanMSAgent]"DebugLevel"=dword:00000005"PanGPS"=dword:00000005"Client.DebugLevel"=dword:00000005"Service.DebugLevel"=dword:00000005"SearchOrder"=dword:00000001
[HKEY_USERS\<GOOD_SID>\Software\Palo Alto Networks\GlobalProtect\Recent File List]
[HKEY_USERS\<GOOD_SID>\Software\Palo Alto Networks\GlobalProtect\Settings]"ConfFromPortal"=dword:00001c2c"Configurations"=dword:00000002"LastUrl"="<***GATEWAY***>""LocalBioEnabled"=dword:00000000"LocalSSLEnabled"=dword:00000000"HipCheckInterval"=dword:0036ee80"UserOverrides"=dword:00000005"DisallowLocalAccess"=hex:66,61,6c,73,65"DisplayWelcome"=dword:00000001"DisplayTrafficBlockingMsg"=dword:00000001"OtherDisableStarted"=dword:00000000"agent-user-override-timeout"=dword:00000000"Configurations2"=dword:0000002f"OverrideMethod"="allowed""change-password-message"="""username"="""usertype"="""CredentialSaved"=hex:66,61,6c,73,65
[HKEY_USERS\<GOOD_SID>\Software\Palo Alto Networks\GlobalProtect\Settings\<***GATEWAY***>]"Configurations"=dword:00000002"HipCheckInterval"=dword:0036ee80"UserOverrides"=dword:00000005"DisplayWelcome"=dword:00000001"DisplayTrafficBlockingMsg"=dword:00000001"ConfFromPortal"=dword:00001c2c"Configurations2"=dword:0000002f"AuthTypes"=dword:00000010"OtherDisableStarted"=dword:00000000"agent-user-override-timeout"=dword:00000000"ssl-only-selection"=dword:00000000"OverrideMethod"="allowed""LatestCP"=""

  4. Import or merge the configuration into the registry of the laptop that needs to have access.

  5. Grant permission to the “help” account to be able to start the VPN service within the Kiosk.;

    1. Look up the current configuration for the service that needs to be updated using the following command run from an administrator level command prompt.

      sc sdshow pangps

    2. Prepare the new <newSDDL> that will be used, by adding (A;;RPWP;;;<GOOD_SID>) to the end, but before the “D:” section if it exists

    3. Reset the permission for the service using following command run from an administrator level command prompt.

      sc sdset pangps “<newSDDL>”

Test the implementation

At this point you should be able to test your implementation through a Kiosk reset

  1. Reboot your test device, and select to reset your password with the Kiosk tile

    The VPN should engage, and validate your connectivity. This will be noted in the message Found magic string in received response .

  2. Proceed to login.

  3. Reset the password, following all of the password policy rules.

    The password should be successfully reset, and the locally cached password should also have been reset.

In this section: