Mobile Authentication for a Web Site with a YubiKey NEO

I keep up with what gets posted on Channel 9 (lot’s of good stuff there), and a few months back I watched a demo which really is quite the smooth solution:
http://channel9.msdn.com/Shows/Web+Camps+TV/Benjamin-Soulier-Logs-into-a-Web-Site-Using-a-Bar-Code-and-Windows-Phone

What they show is how a normal web site presents a QR code for login, and when you scan the QR code with an app on your Windows Phone 8 device you are authenticated, and the web site refreshes it’s view to show that you are now logged in! (The web site is shown on a computer where there is no direct communications channel to or from the mobile device.) You gotta watch it to understand it. (Forward to around the 15-minute mark for the actual demo.)

Unfortunately there isn’t any sample code to follow the video, so you can’t just download a module and install in your own solution. While I don’t know the specifics of the implementation there were a few key words that got me thinking about how it could be done.

About a year ago I did two posts on a product called YubiKey:
http://mobilitydojo.net/2012/05/09/two-factor-authentication-on-mobile-devices/
http://mobilitydojo.net/2012/05/14/active-directory-federation-services-and-yubikeys/

Nice product, and I use it for some of my authentication needs, but I never got around to doing anything really snazzy with it. So I thought I’d see if the YubiKey could be used for a scenario similar to the one in the video.

Semi-long post, so you might want to grab a cup of coffee before going into the details. If you’re in a hurry just skip to the bottom of the post where there’s a video showing the end result :)

Read more

Programmatically Enrolling for Certificates from /CertSrv

I recently had a need for enrolling for certificates programmatically from a Microsoft CA, and had to investigate the options available to do so.

In my scenario I would receive a base64-encoded request so I did not have to build the actual request myself. It was just a matter of submitting this to the CA, and getting a base64-encoded certificate back.

NDES would be nicely suited for this task conceptually since it is meant for this type of scenario. However if the client generating the request is not following the SCEP rules it is not possible to submit directly to the NDES server, and you have to wrap the CSR and do some extra work on the server. This is not a bad solution, but with more overhead than I felt ready for right now.

The Microsoft CA also offers up web services for enrolling for certificates, and this would in theory also be an appropriate solution. It’s very flexible, although it turns out the documentation for the SOAP message you need to build is so-so. (You’ll be able to get it right; it just requires some digging on the interwebs.) I was almost there when testing it out, but the enrollment web services requires the template to be included in the CSR. (Enrollment Web Services must be installed on an Enterprise CA, and an Enterprise CA must use templates, and there’s no way I’m aware of to configure a default template.) Since I don’t generate the CSR myself this means I’d have to perform a procedure similar to the NDES approach to generate something the CA would approve of.

Read more

Understanding Windows Phone 8 MDM

I have previously mentioned Mobile Device Management (MDM) for Windows Phone 8 without really going into much detail other than acknowledging its existence. While I can’t go into every detail there is to know in this post either I thought I’d look into the API to try to provide a general understanding of how it works.

Microsoft has written some documentation on the low-level details in a pdf document:
http://download.microsoft.com/download%2F5%2FC%2F4%2F5C460CE2-3B0F-45CE-805D-1A3D5697639C%2FWP8_Enterprise_Device_Management_Protocol.pdf

This document is intended for developers trying to implement the MDM API, so it may or may not be exactly what you are looking for if you’re just trying to understand the high-level stuff. (The doc leaves out a few details so developers might not be able to cross the finish line based on this doc alone either.) You might want to skim the QA part of it though.

MDM is nothing new to the Windows Phone platform, or more correctly "Windows Mobile", as MDM sort of skipped a generation in the Microsoft world. MDM was a major part of the operating system in Windows Mobile 5 and onwards (obviously with plenty of changes between versions 5.0 and 6.5). In Windows Phone 7.x not so much… But we’re turning over a new leaf with version 8 and MDM has been reintroduced.

In the "old days" MDM was implemented based on a standard called OMA DM. If you’ve been around for a while you’ll recognize this as the attempt to standardize MDM across mobile operating systems. Nokia invested heavily in it for Symbian, but Apple didn’t exactly get onboard when iOS arrived and it sort of faded out of the picture. I’m not saying Apple is the reason for this – there were certainly issues with the standard itself as well contributing to the decline. But this is merely anecdotal stuff – it doesn’t matter in the bigger picture. The point I’m trying to make is that if you are familiar with OMA DM you understand the basics of how Windows Phone 8 does MDM since this has been carried forward.

Since we’re veering off course already – why are Microsoft using this "dead" standard for their new OS? Well, I’m not calling any shots inside Microsoft so I can’t give the specifics of their choices. If I were to guess it’s to reuse components they already had, and not re-invent the wheel. I’m guessing major parts of it has been copy-pasted on the client side from Windows Mobile 6.5, and on the server-side they could reuse some of the code from the System Center family. (Both SC Mobile Device Manager 2008 and SC Configuration Manager 2007.)

Read more

RSS for Posts RSS for Comments