BeyondInsight

Authentication Guide

Version 6.3 – April 2017


Revision/Update Information: April 2017
Software Version: BeyondInsight 6.3
Revision Number: 0

CORPORATE HEADQUARTERS
5090 N. 40th Street
Phoenix, AZ 85018
Phone: 1 818-575-4000

COPYRIGHT NOTICE
Copyright © 2017 BeyondTrust Software, Inc. All rights reserved.
The information contained in this document is subject to change without notice.
No part of this document may be photocopied, reproduced or copied or translated in any manner to another
language without the prior written consent of BeyondTrust Software.
BeyondTrust Software is not liable for errors contained herein or for any direct, indirect, special, incidental or
consequential damages, including lost profit or lost data, whether based on warranty, contract, tort, or any other
legal theory in connection with the furnishing, performance, or use of this material.
All brand names and product names used in this document are trademarks, registered trademarks, or trade names
of their respective holders. BeyondTrust Software is not associated with any other vendors or products mentioned
in this document.
Contents

Introduction 5
Documentation for BeyondInsight 5
Contacting Support 5

Creating User Groups in BeyondInsight 6


Creating a User Group 6
Creating an Active Directory User Group 6
Creating an LDAP Directory User Group 7
User Group Permissions 8
Access Levels 10
Permissions Required for Configuration Options 10

Configuring a Claims-Aware Web Site 12


Create a BeyondInsight User Group 12
Adding Relying Party Trust 12
Setting up Claim Rules 13
Supported Federation Service Claim Types 14
Claims Aware SAML 14

Configuring Ping Identity and Password Safe 17

Configuring okta and Password Safe 23

UVM Smart Card Authentication 32


Enabling Remote Desktop 32
Self-Signed Certificates 32
WebServer Certificate 33
Create a Certificate Request 33
Submit Request to Local CA 38
Copy the WebServer Certificate to the UVM 39
Replace the Self-Signed Certificate 41
Change the Web Service Certificate in BeyondInsight 43
Export the Root Certificate 45
Export Subordinate CA 46
Import the Root and Subordinate Certs on the UVM 47
Configure Smart Card Authentication in BeyondInsight 49
Troubleshooting 50
Configure an http CDP 50
Verify Permissions for the Cert Publishers Group 53
Allow Double Escaping 55

Configuring Authentication 56

Configuring Two Factor Authentication 57


Configuring Two Factor Authentication 57

User Guide 3 © 2017. BeyondTrust Software, Inc.

Configuring the RADIUS Server 57


Setting up the User Account 58
Configuring Smart Card Authentication 59

Troubleshooting 60

Introduction
This guide provides detailed instructions and procedures for using BeyondInsight.
This section includes the document conventions, list of documentation for the product, and where to get additional
product information.

Documentation for BeyondInsight


The complete BeyondInsight documentation set includes the following:
• BeyondInsight Installation Guide
• BeyondInsight User Guide
• BeyondInsight Analytics and Reporting User Guide
• Third Party Integration Guide
If you are working with any of the BeyondInsight modules, refer to the product documentation for additional
information about that module.

Contacting Support
For support, go to our Customer Portal then follow the link to the product you need assistance with.
The Customer Portal contains information regarding contacting Technical Support by telephone and chat, along
with product downloads, product installers, license management, account, latest product releases, product
documentation, webcasts and product demos.

Telephone
Privileged Account Management Support
Within Continental United States: 800.234.9072
Outside Continental United States: 818.575.4040

Vulnerability Management Support


North/South America: 866.529.2201 | 949.333.1997
+ enter access code

All other Regions:


Standard Support: 949.333.1995
+ enter access code
Platinum Support: 949.333.1996
+ enter access code

Online
http://www.beyondtrust.com/Resources/Support/

Creating User Groups in BeyondInsight


The Retina CS authentication and authorization process consists of specifying:
• Authentication type as Retina CS
• User account options
• Password parameters

Retina CS authentication provides native Retina CS authentication with users who are managed exclusively by
Retina CS. You can also add Active Directory users or groups and apply Retina CS authentication.
To allow a user to log in using Retina CS authentication, the user account must reside in the Retina CS database.

Creating a User Group


To create a user group:
1. Select the Configure tab then select the Accounts tab.
Select the button to change the view between all users and all groups.

2. Click + in the User Groups pane.


3. Select Group from the list.
4. Enter a name and description for the user group.
5. Select the Active check box to activate the user group. Otherwise, clear the check box and activate later.
6. Select the permissions and access levels.
7. Select the Smart Rules and access levels to the rules.
8. Click Create.
9. Create and add user accounts.

Creating an Active Directory User Group


Active Directory group members can log on to the management console and perform tasks based on the
permissions assigned to the group.
Note: Active Directory users must log on to the management console at least once to receive email notifications.
The group can authenticate against either a domain or domain controller.
To create an Active Directory user group:
1. Select the Configure tab then select the Accounts tab.
2. Click + in the User Groups pane.

3. Select Active Directory Group from the list.


If detected, a domain name is automatically populated in the Domain or Domain Controller box.
4. Enter the name of a domain or domain controller.

5. Select the Use SSL check box to use a secure connection when accessing Active Directory. You must turn on
SSL authentication in the Configuration tool. See Using SSL for Active Directory Queries.
6. Click Credentials.
a. Click Add.
b. Enter the credential for the domain or DC.
c. Click Test to ensure the credential can successfully authenticate with the domain or DC.
d. Click OK.
7. After you enter domain or DC and credential information, click Search.
A list of Security Groups in the selected domain is displayed.
For performance reasons, a maximum of 250 groups from Active Directory is retrieved. The default filter is an
asterisk (*) which is a wildcard filter that returns all groups. Use the group filter to refine the list.
8. Set a filter on the groups that will be retrieved. (Optional).
Example filters:
a* (returns all group names that start with a)
*d (returns all group names that end with d)
*sql* (returns all groups that contain 'sql' in the name)
9. Click OK.
10. Enter a name and description for the user group.
11. Select the Active check box to activate the user group. Otherwise, clear the check box and activate later.
12. Select the permissions and access levels.
13. Select the Smart Rules and access levels to the rules.
14. Click Create.

Creating an LDAP Directory User Group


To create an LDAP user group:
1. Select the Configure tab, and select Accounts.
2. In the User Groups pane, select + and select LDAP Directory Group.
3. Select the Credentials button and enter the credential details and select OK.

4. Enter the server address and click Go.


5. To filter the groups, enter key words in the group filter or use a wildcard.
6. Select OK.
7. Provide the Group Membership Attribute & Account Naming Attribute before selecting Create Group.

User Group Permissions


Permissions must be assigned cumulatively. For example, if you want a BeyondInsight administrator to manage only
Configuration Compliance scans, then you must assign Read and Write for the following permissions:
Asset Management, Benchmark Compliance, Reports Management, Scan - Job Management, Scan Management.
The following table provides information on the permissions that you can assign to your user groups.

Permission Name | Apply Read and Write to…
Analytics and Reporting | Sign in to the console, generate reports, and subscribe to reports. After you create a user group, go to the Configure tab in the reporting console and run the process daily cube job. Data between the management console and the reporting cube must be synchronized.
Asset Management | Create Smart Rules; edit or delete on the Asset Details window; create Active Directory queries; create address groups.
Attribute Management | Add, rename, delete attributes when managing user groups.
Audit Manager | Provides access to the Audit Manager tab under the Configure tab in the management console.
Audit Viewer | Use the Audit Viewer in the Analytics and Reporting console.
Benchmark Compliance | Configure and run benchmark compliance scans.
BeyondInsight Login | Access the BeyondInsight management console.
Credential Management | Add and change credentials when running scans and deploying policies.
Dashboard | Provides access to the dashboard on the BeyondInsight management console.
Deployment | Activate the Deploy button.
File Integrity Monitoring | Work with File Integrity rules.
License Reporting | Provides access to the Licensing folder in Analytics & Reporting (MSP reports, PowerBroker Windows, PowerBroker Mac true-up reports, and Assets Scanned report).
Manual Range Entry | Allows the user to manually enter ranges for Scans and Deployments rather than being restricted to Smart Groups. The specified ranges must be within the selected Smart Group.
Option Management | Change the application options settings (such as account lockout and account password settings).
Patch Management | Use the Patch Management module.
PowerBroker for Unix & Linux | Use the PowerBroker Servers module.
PowerBroker for Windows | Activates access to the PowerBroker for Windows features, including PBW asset details and the exclusions page on the Configure tab.
Protection Policy Management | Activate the protection policy feature. User groups can deploy policies, and manage protection policies on the Configure tab.
Reports Management | Run scans, create reports, create report category.
Scan - Audit Groups | Create, delete, update and revert Audit Group settings.
Scan - Job Management | Activate Scan and Start Scan buttons. Activates Abort, Resume, Pause and Delete on the Job Details page.
Scan - Policy Manager | Activate the settings on the Edit Scan Settings view.
Scan - Port Groups | Create, delete, update and revert Port Group settings.
Scan Management | Delete, edit, duplicate, and rename reports on the Manage Report Templates. Activate New Report and New Report Category. Activate Update button on the Edit Scan Settings view.
Session Monitoring | Use the Session Monitoring features.
Ticket System | View and use the ticket system.
Ticket System Management | Mark a ticket as Inactive. The ticket no longer exists when Inactive is selected.
User Accounts Management | Add, delete, or change user groups and user accounts.
User Audits | View audit details for management console users (Configure tab, User Audits window).
Vulnerability Exclusions | Select to prevent users from setting exclusions. For more information, see Excluding Vulnerabilities.

Access Levels

Access Level | Description
No Access | Neither Read nor Write check boxes are selected. Users can only view the dashboard and corresponding views.
Read | Users can view selected areas, but cannot change information.
Read and Write | Users can view and change information for the selected area.

Permissions Required for Configuration Options

Configure tab option | Permission
Accounts | Everyone can access. Users without User Account Management permission can only edit their own user record.
Active Directory Queries | Asset Management
Address Groups | Asset Management
Attributes | Asset Management
Benchmark Management | Benchmark Compliance
Connectors | Asset Management, BeyondInsight Login
Organizations | User Accounts Management
Patch Management | Patch Management
Password Safe Connections | Member of the built-in BeyondInsight Administrators group
PBW Module | BeyondInsight Login, PowerBroker for Windows
Protection Policies | Everyone can access
Scan Options | Scan Management
SCCM | Patch Management
Services | Member of the built-in BeyondInsight Administrators group
User Audits | User Audits
Workgroups | User Accounts Management

Configuring a Claims-Aware Web Site


You can configure a claims-aware web site to bypass the current BeyondInsight logon page and authenticate against
any configured Federated Service that uses SAML 2.0 to issue claims.
The claims aware website is configured to redirect to a defined Federation Service through the web.config. Upon
receiving the required set of claims, the user will then be redirected to the existing BeyondInsight website. At that
point, it is determined if the user has the appropriate group membership to log in given the claims associated with
them.
If users attempting to access BeyondInsight have group claims matching a user group defined in BeyondInsight, and
that user group has the BeyondInsight Login permission, the user will bypass the BeyondInsight logon screen. If the
user is new to BeyondInsight, they will be created in the system using the same claims information. The user will
also be added to all groups, as defined in the group claim information, which match in BeyondInsight that they are
not already a member of.
If the user is not a member of at least one group defined in BeyondInsight, or no matching user group has the
BeyondInsight Login permission, they will be redirected to the BeyondInsight logon page.
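The login decision described above, written out as an added example (this is not BeyondTrust code, and the group names, permissions, user store and helper names are constructed for illustration). It is run over constructed claim sets and shows the three outcomes the text describes: a new user provisioned from the claims, an existing user picking up a matching group, and a redirect when the only matching group lacks the BeyondInsight Login permission.

```python
"""Added example, not BeyondTrust code: the login decision the claims-aware site
is described as making, written out and run over constructed claim sets. The
BeyondInsight groups, permissions and users below are constructed, and the
helper names are this example's own."""

# Claim types the guide lists; Group and Name are required, the rest optional.
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
OPTIONAL_CLAIMS = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
}
LOGIN_PERMISSION = "BeyondInsight Login"

# Constructed BeyondInsight state: user group -> permissions it holds.
SAMPLE_GROUPS = {
    "BI Admins": {LOGIN_PERMISSION, "User Accounts Management"},
    "BI Auditors": {LOGIN_PERMISSION, "Audit Viewer"},
    "BI Report Only": {"Analytics and Reporting"},  # no Login permission
}


def evaluate_claims(claims, groups, users):
    """Decide what the claims-aware site does with one set of incoming claims.

    claims: list of (claim_type, value) pairs from the federation service.
    groups: BeyondInsight user groups and their permissions.
    users:  BeyondInsight user store, name -> record; updated in place.
    Returns ("login", user_record) or ("redirect", reason).
    """
    names = [v for t, v in claims if t == NAME_CLAIM]
    if len(names) != 1:
        return "redirect", "exactly one Name claim is required"
    name = names[0]

    # Group claim values are matched by name against BeyondInsight groups;
    # claims naming groups that do not exist in BeyondInsight are ignored.
    matched = {v for t, v in claims if t == GROUP_CLAIM and v in groups}
    if not matched:
        return "redirect", "no Group claim matches a BeyondInsight user group"
    if not any(LOGIN_PERMISSION in groups[g] for g in matched):
        return "redirect", "no matched group holds the BeyondInsight Login permission"

    # Just-in-time provisioning: an unknown user is created from the claims,
    # and any user is added to matched groups they are not already in.
    user = users.setdefault(name, {"name": name, "groups": set()})
    for t, v in claims:
        if t in OPTIONAL_CLAIMS:
            user[OPTIONAL_CLAIMS[t]] = v
    user["groups"] |= matched
    return "login", user


if __name__ == "__main__":
    store = {"alice": {"name": "alice", "groups": {"BI Auditors"}}}
    incoming = [
        (NAME_CLAIM, "alice"),
        (GROUP_CLAIM, "BI Admins"),
        (GROUP_CLAIM, "Domain Users"),  # exists in AD, not in BeyondInsight: ignored
    ]
    print(evaluate_claims(incoming, SAMPLE_GROUPS, store))
```

The practical consequence of this flow is that whoever controls the value of the Group claim controls access: the claim rule on the federation service must derive it from verified directory group membership, never from an attribute the user can edit, and a BeyondInsight group whose name happens to match an issued claim value grants that group's permissions automatically.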

Create a BeyondInsight User Group


Create a BeyondInsight user group and ensure the group is assigned the permission, BeyondInsight Login.

Adding Relying Party Trust


After BeyondInsight is installed, metadata is created for the claims-aware web site. Use the metadata to configure
the relying party trust on the Federation Services instance.
The metadata is located in the following directory:
[Install path]\eEye Digital Security\Retina CS\WebSiteClaimsAware\FederationMetadata\2007-06\
When selecting a Data Source in the Add Relying Party Trust Wizard, select the FederationMetadata.xml that was
generated during the install.

Setting up Claim Rules


Note: Claims rules can be defined in a number of different ways. The examples provided are simply one way of
pushing claims to BeyondInsight. As long as the claims rules are configured to include at least one claim of
outgoing type Group and a single outgoing claim of type Name, then BeyondInsight has enough
information to potentially grant access to the site to the user.
A typical claim rule issues a Group claim from the user's Active Directory group membership. The Outgoing Claim
Value must match the name of a BeyondInsight user group exactly, because that value is what BeyondInsight compares
against its user groups.

Supported Federation Service Claim Types

Outgoing Claim Type | Required | Mapping to BeyondInsight User Detail
http://schemas.xmlsoap.org/claims/Group | Required | Group membership
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Required | User name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Optional | Surname
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | Optional | First name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Optional | Email address

Claims Aware SAML


The following procedure shows you how to set up a claims aware web site using the Windows Identity Foundation
(WIF) SDK.

1. Start the Windows Identity Foundation Federation Utility.


2. On the Welcome page, browse to and select the web.config file for BeyondInsight Claims Aware site.
The Application URI should automatically populate.

3. Click Next.
4. Select Using an existing STS.
5. Enter the Root URL of the Claims Issuer or STS (for example, https://adfsaccount.adatum.com).

6. Click Test location. The FederationMetadata.xml is downloaded from the STS.

7. Click Next.
8. Select a STS signing certificate option, and then click Next.
9. Select an encryption option, and then click Next.
10. Select the appropriate claims, and then click Next.
11. Review the settings on the Summary page, and then click Finish.

Configuring Ping Identity and Password Safe


1. Log on to Ping Identity admin portal.
2. Select New SAML Application.

3. Enter an Application Name and Description.


4. Set Category to Other.
5. Click Continue to Next Step.

6. Configure the Assertion Consumer Service (ACS) URL:
https://ServerURL/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx
7. Configure Entity ID
https://ServerURL/eEye.RetinaCSSAML
8. Set Single Logout Binding Type to Redirect.
9. Upload Primary Verification Certificate (use sp.cer from \WebSiteSAML\Certificates).
10. Click Continue to Next Step.

11. Add attributes:


– Group (Required) set as literal. This must match the group created in BeyondInsight.
– Name (Required)
– Email (Optional)
– Surname (Optional)
– GivenName (Optional)
12. Click Save & Publish.

13. Download the signing certificate.


14. Download SAML Metadata.
15. Click Finish.

16. Copy the signing certificate to BeyondInsight server and save it in this location:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates
17. Rename the certificate to: “pingone.cer”
18. Copy the service provider certificate with its private key (the .pfx file referenced as LocalCertificateFile below) to:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates
19. Open the saml.config file:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\saml.config
20. In Notepad,
– edit the ServiceProvider Name:
https://ServerURL/eEye.RetinaCSSAML

– edit PartnerIdentityProvider Name: entityID from metadata
https://pingone.com/idp/yourPingIDName
– edit LocalCertificateFile
"Certificates\CertificateName.pfx"
– edit LocalCertificatePassword
"password"
– edit SingleSignOnServiceUrl: SingleSignOnService Location from metadata
https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=yourPingidpid
21. Save the saml.config file.
Note: saml.config holds the private key password in clear text. Restrict NTFS permissions on the WebSiteSAML
folder to the web application's identity and administrators.

22. Open the web.config file:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\web.config
23. In Notepad, edit the PartnerIdP value: entityID from metadata
https://pingone.com/idp/yourPingIDName
24. Save the web.config file.
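Steps 13, 14, 20 and 22 above take three values out of the IdP metadata by hand: the entityID, the SingleSignOnService Location, and the signing certificate. The following added example (not BeyondTrust or Ping Identity code) reads those values from a metadata file and produces the PEM text to save as pingone.cer. SAMPLE_METADATA is constructed for illustration: its entityID and URL are the guide's own placeholders, and the certificate bodies are stand-in bytes rather than real certificates. It rejects metadata with no HTTP-Redirect endpoint and ignores the encryption key, which is the mistake to avoid when a metadata file lists more than one certificate.

```python
"""Added example, not BeyondTrust or Ping Identity code: read the values that
the saml.config edits above take from the IdP metadata (entityID, the
HTTP-Redirect SingleSignOnService Location and the signing certificate) and
turn the certificate into the PEM file the guide saves as pingone.cer.
SAMPLE_METADATA is constructed; the certificate bodies are stand-ins."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Stand-in DER bodies (constructed). A real file holds the IdP's X.509 certificate.
SIGNING_DER = b"constructed-signing-cert-DER"
ENCRYPTION_DER = b"constructed-encryption-cert-DER"

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://pingone.com/idp/yourPingIDName">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(SIGNING_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(ENCRYPTION_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=yourPingidpid"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=yourPingidpid"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def extract_idp_settings(metadata_xml):
    """Return the saml.config values plus the signing certificate as DER bytes."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    # SingleSignOnServiceUrl is the Location of the HTTP-Redirect endpoint;
    # the same Location may also be listed under the POST binding, so filter.
    sso = [e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)
           if e.get("Binding") == REDIRECT_BINDING]
    if len(sso) != 1:
        raise ValueError(f"expected one HTTP-Redirect SingleSignOnService, found {len(sso)}")

    # Only a signing key may be used to verify assertions. A KeyDescriptor with
    # no 'use' attribute is valid for both purposes, so it counts as signing.
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            b64 = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            if b64:
                signing.append("".join(b64.split()))
    if not signing:
        raise ValueError("metadata has no signing certificate")

    return {
        "PartnerIdentityProvider Name": root.get("entityID"),
        "SingleSignOnServiceUrl": sso[0],
        "signing_cert_der": base64.b64decode(signing[0], validate=True),
        "signing_cert_count": len(signing),  # >1 during IdP key rollover
    }


def to_pem(der):
    """Wrap DER bytes as the PEM text saved as pingone.cer."""
    body = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    for key in ("PartnerIdentityProvider Name", "SingleSignOnServiceUrl"):
        print(f"{key}: {settings[key]}")
    # Assumed target path from the guide; write the file only after checking the values.
    # open(r"C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML"
    #      r"\Certificates\pingone.cer", "w").write(to_pem(settings["signing_cert_der"]))
    print(to_pem(settings["signing_cert_der"]))
```

Run it against the metadata downloaded in step 14 (for okta, the metadata offered next to the setup instructions) and paste the two printed values into saml.config. If signing_cert_count is greater than one the IdP is rotating keys; save the certificate that signs current assertions, or both, so logins do not break mid-rotation.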

Configuring okta and Password Safe


1. Log on to the okta admin portal.
2. Click Add Application.

3. Click Create New App.

4. Select SAML 2.0 as the sign in method.


5. Click Create.

6. Enter an application name.


7. Click Next.

8. Enter Single sign on URL


https://ServerURL/eEye.RetinaCSSAML/saml/AssertionConsumerService.aspx
9. Select the check box Use this for Recipient and Destination URL.
10. Enter Audience URI (SP Entity ID)
https://ServerURL/eEye.RetinaCSSAML
11. Select okta username from the Application username menu.

12. Add attributes:


– Group (required) set as literal. This must match the group created in BeyondInsight.
– Name (required)
– Email (Optional)
– Surname (optional)
– GivenName (Optional)
13. Click Next.

14. Select appropriate settings for okta support and click Finish.

15. Click View Setup Instructions.

16. Copy the Identity Provider Single Sign-On URL. Save the value to be used in step 21.
17. Copy the Identity Provider Issuer. Save the value to be used in step 21.
18. Click Download Certificate and save this on the BeyondInsight server in
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\Certificates
19. Rename the certificate to “okta.cer”.

20. Open the saml.config file:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\saml.config
21. In Notepad, edit the following values:
– edit ServiceProvider Name: the Audience URI (SP Entity ID) from step 10, https://ServerURL/eEye.RetinaCSSAML
– edit PartnerIdentityProvider Name: Identity Provider Issuer from step 17.
– edit SingleSignOnServiceUrl: Identity Provider Single Sign-On URL from step 16.
– edit SingleLogoutServiceUrl: Identity Provider Single Sign-On URL from step 16.
22. Save the saml.config file.

23. Open the web.config file:
C:\Program Files (x86)\eEye Digital Security\Retina CS\WebSiteSAML\web.config
24. In Notepad, edit the PartnerIdP value: Identity Provider Issuer from step 17.
25. Save the web.config file.

UVM Smart Card Authentication


Smart Cards can be used to authenticate a Password Safe User. This guide was written with the understanding that
you have a working knowledge of PKI, Certificate Based Authentication, and IIS. 
After your UVM has been configured by following the UVM Getting Started Guide, you will need to follow the steps
below to enable the use of Smart Cards with Password Safe.

Enabling Remote Desktop


You must verify Remote Desktop is configured.
To do this:
1. Open a web browser and go to https://yourUVMsIPaddress/Diagnostics or
https://yourUVMSservername/Diagnostics from any desktop.
2. Log on using the credentials you configured during setup.
3. Click the Appliance Options tab.
4. Ensure the Enable Remote Desktop check box is selected.

5. You can now close the browser.

Self-Signed Certificates
On the UVM, self-signed certificates were created for Client Authentication and Server Authentication during
configuration. These certificates were placed in the Personal Certificates Store, and will show as “Issued By”
eEyeEmsCA.
However, to authenticate using Smart Cards, BeyondInsight will need to use a WebServer certificate that was
issued from the local Certificate Authority (CA).
To view the self-signed certificates:
1. Remote Desktop to the UVM.
2. Log on using the username and password that was created during the configuration of the UVM.
3. Once logged on, open MMC and add the Certificates Snap-in for the Local Computer account.
4. Under Certificates (Local Computer) you can browse to Personal > Certificates to view the current certificates.

WebServer Certificate
You must replace the self-signed certificate with a domain-issued certificate. Because the UVM is not part of your
domain, you need to create a certificate request on the UVM and submit it to the local CA manually.

Create a Certificate Request


To do this:
1. Open IIS on the UVM.

2. Select the name of your Web Server.
3. Double-click the Server Certificates icon.
4. Select Create Certificate Request.
5. Go through the Create Request wizard.
a. Fill out the Distinguished Name Properties, and click Next. The Common Name must match the host name users
enter in the browser to reach the UVM.
b. Select your Cryptographic Service Provider Properties, and click Next. Choose a bit length of at least 2048.
c. Enter a File Name, and browse to where you would like the file placed.
d. Click Finish.
6. The file created is a Base64-encoded certificate request: when opened, it shows a block of text between
-----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.

Submit Request to Local CA


Now that the Certificate Request is created, you need to submit the request to the local CA.
Note: This method might vary depending on your organization.
1. From a workstation or server that is part of your domain, place the file somewhere that you will know the
path.
2. Open up a Command Prompt as an Administrator with a user that has the appropriate credentials.
Note:  For the following command you will need to know the name of your domain WebServer Certificate
Template. The default is WebServer.
3. Type the following command:
certreq -submit -attrib "CertificateTemplate:WebServer" "C:\Folder\file.txt"
Where "C:\Folder\file.txt" is the path of the file you just created.

4. When the command is executed, you will be prompted to select a CA from the Certification Authority List to
send the request to. This will be the CA that will issue the certificate.

5. Enter a name for the newly issued certificate, and select a file location.

Copy the WebServer Certificate to the UVM


Now that the domain WebServer certificate has been issued, you must go back to the UVM and replace the self-signed
certificate. Copy the issued certificate file to the UVM first.
1. Open IIS again.
2. Double-click the Server Certificates icon.
3. Select Complete Certificate Request.
4. Browse to locate the certification authority’s response, and give it a Friendly name.

5. The certificate is now listed under Server Certificates in IIS and in the Personal certificate store of the UVM.
However, the https binding still uses the self-signed certificate, which must be replaced.

Replace the Self-Signed Certificate


To replace the self-signed cert:
1. Click the Default Web Site.
2. Click the SSL Bindings icon.
3. Select https and click Edit.
4. At the bottom you will see the currently assigned SSL certificate. Either click the Select button and then select
the Domain Issued certificate and click OK, or use the dropdown menu. 

5. Click Close on the Site Bindings dialog box. At this time, you can exit out of IIS.

Change the Web Service Certificate in BeyondInsight


Now that the correct certificate is applied in IIS, you must change the Web Service certificate that BeyondInsight is
using.
To do this:
1. Open the BeyondInsight Configuration tool.
2. Scroll to Web Service.
3. From the SSL Certificate menu, select the Domain Issued certificate.
4. Click Apply.

Export the Root Certificate


The UVM is not part of the domain. For the UVM to trust the certificate just configured, you must add the local
Certificate Authority certificate in two places. The certificate is most likely already present on every workstation
and server joined to the domain.
Note: This method might vary depending on your organization.
1. From a workstation or server that is part of your domain open mmc, and add the Certificates Snap-In.
2. Under Certificates, go to Trusted Root Certification Authorities > Certificates.
3. Right-click the root CA, then select All Tasks > Export.

4. The Certificate Export Wizard starts.
a. Click Next.
b. Leave the default of DER encoded binary X.509 (.CER).
c. Click Next.
d. Specify a file name for the CA certificate, and click Next.
e. Review the settings and click Finish.

Export Subordinate CA
If you have a Subordinate CA, you will need to export that also.
1. To get the Subordinate CA’s certificate, go to Intermediate Certification Authorities > Certificates. 
2. Right-click the Subordinate CA, then select All Tasks > Export.

3. The Certificate Export Wizard starts.
4. Go through the wizard as you did in step 4 above.

Import the Root and Subordinate Certs on the UVM


Now you must import those certs on the UVM.
To do this:
1. Open mmc, and add the Certificates Snap-In.
2. Under Certificates, go to Trusted Root Certification Authorities > Certificates.
3. Right-click the Certificates store and go to All Tasks > Import.

4. The Certificate Import Wizard starts.
a. Click Next.
b. Browse to the Root CA certificate.
c. Click Next.
d. Ensure Place all certificates in the following store is selected.
e. The Certificate store should be "Trusted Root Certification Authorities".
f. Click Next, and then click Finish.

5. If you have a Subordinate CA, import its certificate the same way, this time into Intermediate Certification
Authorities > Certificates.
6. Make sure you are placing each certificate in the right store: the Root CA in Trusted Root Certification
Authorities, the Subordinate CA in Intermediate Certification Authorities. Do not put the Subordinate CA certificate
in the Trusted Root store, where it would be trusted as a root in its own right.

Configure Smart Card Authentication in BeyondInsight


Now that a domain issued certificate is configured for the UVM, the last step is log on to BeyondInsight and enable
Smart Cards.
To do this:
1. Open your web browser.
2. Enter the URL, https://<servername>/eEye.RetinaCS.Server.
3. Log on to BeyondInsight using an account that can make changes to the BeyondInsight Configuration.
4. Go to the Configuration tab.
5. Select the Authentication tab.
6. Select the Enable Smart Cards check box.

Troubleshooting
If you receive a 403 Forbidden error when presenting the smart card, the cause is most likely your CRL Distribution
Points (CDP).
Even though the certificate chain is trusted, Password Safe has to verify that the user certificate is not on the
Certificate Revocation List. By default, a copy of the CRL and the Delta CRL are kept in Active Directory, locally on
the CA, and usually on a file share. None of those locations is reachable from the UVM, because it is not joined to
the domain and cannot authenticate to LDAP or file share paths. For the UVM to download the CRL and Delta CRL, an
http CDP that allows anonymous read access has to be configured.

Configure an http CDP


Note: This method might vary depending on your organization.


The easiest way to accomplish this is to enable Directory Browsing for the CertEnroll Virtual Directory in IIS on the
CA. If the virtual directory is not present, you can create one.
1. Open IIS on the Subordinate CA.
2. Navigate to the CertEnroll Virtual Directory.

3. Double-click the Directory Browsing icon.


4. Click Enable.

5. Now you must create the CDP. To do this, open mmc and add the Certificate Authority snap-in.
6. Right-click the CA server name, and select Properties.
7. Select the Extensions tab.


8. Click Add and create the HTTP CDP. It should look something like this:
http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
9. Ensure the following check boxes are selected:
– Include in CRLs. Clients use this to find Delta CRL Locations
– Include in the CDP extension of issued certificates


Verify Permissions for the Cert Publishers Group


You must verify that the Cert Publishers group in Active Directory has the correct permission to post the CRL and
Delta CRL to the CertEnroll folder.
1. Navigate to the CertEnroll directory.
The default path is: C:\Windows\System32\certsrv\CertEnroll
2. Right-click the CertEnroll folder and select Properties.
3. Click the Sharing tab.
4. Click Advanced Sharing.
5. Select Permissions.
6. Verify that the Cert Publishers group is listed, and that it has Change and Read permissions.


7. Click OK twice to return to the CertEnroll Properties.


8. Click the Security tab.
9. Verify that the Cert Publishers group is listed, and that it has at least Modify access.


Allow Double Escaping


The last thing to do is allow double escaping. This is required for the Delta CRL to work properly.
To do this:
1. Open a Command Prompt as an Administrator with a user that has the appropriate credentials on the
Subordinate CA.
2. Change to the directory C:\Windows\System32\inetsrv.
3. Run the following command:
C:\Windows\System32\inetsrv\appcmd set config "Default Web Site" /section:system.webServer/security/requestFiltering -allowDoubleEscaping:True
4. You will need to restart IIS after this command is executed.
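The CDP template from step 8 and this double-escaping setting are linked by the "+" that AD CS puts in the delta CRL file name. The following Python is an added example (not part of the guide or of BeyondTrust's software): it expands the template the way the CA publishes it, flags the delta CRL path that IIS request filtering rejects until allowDoubleEscaping is true, and offers a live probe to run from the UVM. The server name ca01.example.test and CA name SubCA01 are constructed sample values.

```python
import urllib.error
import urllib.parse
import urllib.request

# Template from step 8 above. AD CS expands <DeltaCRLAllowed> to "+" for the delta CRL and
# <CRLNameSuffix> to "" for the first CA key or "(n)" after the nth key renewal.
CDP_TEMPLATE = "http://<ServerDNSName>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl"


def expand_cdp(template, server_dns, ca_name, key_index=0):
    """Return (base_crl_url, delta_crl_url) as the CA will publish them."""
    common = (template.replace("<ServerDNSName>", server_dns)
              .replace("<CaName>", ca_name)
              .replace("<CRLNameSuffix>", "" if key_index == 0 else f"({key_index})"))
    return common.replace("<DeltaCRLAllowed>", ""), common.replace("<DeltaCRLAllowed>", "+")


def needs_double_escaping(url):
    """IIS request filtering answers HTTP 404.11 for a path containing '+' or an
    escaped '%2B' while allowDoubleEscaping is false, which is exactly the delta CRL case."""
    path = urllib.parse.urlsplit(url).path
    return "+" in path or "%2b" in path.lower()


def check_cdp(template, server_dns, ca_name, allow_double_escaping, key_index=0):
    """Predict which CRL files a non-domain-joined UVM can fetch over this HTTP CDP."""
    base, delta = expand_cdp(template, server_dns, ca_name, key_index)
    return {
        "base_crl": base,
        "delta_crl": delta,
        "delta_reachable": allow_double_escaping or not needs_double_escaping(delta),
    }


def fetch_status(url, timeout=5):
    """Live probe to run from the UVM once the CDP exists; returns the HTTP status or the
    error text, so a 404 on the delta CRL alone points straight at double escaping."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:  # network call, not run offline
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError) as exc:
        return str(exc)
```

Run check_cdp with the setting's current value first; if only the delta CRL is predicted unreachable, the appcmd command above is the fix.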


Configuring Authentication
You can set up Smart Card authentication or two-factor authentication using a RADIUS server.

Configuring Two Factor Authentication
You can configure two-factor authentication to log on to the following: PowerBroker Password Safe, BeyondInsight
Analytics and Reporting, and BeyondInsight management console.
After you set up two-factor authentication, your BeyondInsight users must log on to any of your BeyondInsight
modules using the two-factor authentication method.
To set up two-factor authentication, you must:
• Configure the RADIUS server
• Select two-factor authentication settings for the user

Configuring the RADIUS Server


You can configure more than one RADIUS server.
To configure a RADIUS Server:
1. In the BeyondInsight management console, click the Configure tab.
2. Click the Authentication tab.
3. Select RADIUS, and then select the + sign.
4. Set the following:
– Alias - The name used to represent the RADIUS server instance in Password Safe; it is displayed in the
RADIUS server grid and must be unique.
– Filter - Select a filter that determines whether this RADIUS server instance is used. If you select one of
the domain filters, you must enter a Filter Value.
– Filter Value - Enter a value that identifies the domain: a single domain or a comma-separated list of
domains, depending on the setting selected in Filter. When the Filter selected is All Users, All Local Users,
or All Domain Users, the Filter Value is not required.
– Host - Enter the DNS name or the IP address of your RADIUS server.
– Authentication Port - The port on which the RADIUS server listens for authentication requests. The
default port is 1812.
– Authentication Request Timeout - The period of time that Password Safe waits for a response from
the RADIUS server before the request times out. The default value is 10 seconds.
– Shared Secret - Enter the shared secret that is configured on your RADIUS server.
– Initial Request - The value passed to the RADIUS server on the first authentication request. Select from
the following:
– Forward User Name and Token - This is the default setting.
– Forward User Name and Password
– Initial Prompt - The first message displayed to the user when they log on to the application. This
setting is available only when Forward User Name and Token is selected.


– Transmit NAS Identifiers - When the check box is selected, NAS identifiers are transmitted with the
request. Some RADIUS servers will not permit access if NAS identifiers are not transmitted.
In BeyondInsight, the following attributes are transmitted:
– NAS IP Address - The IP address of the server where BeyondInsight is installed.
– NAS Identifier - The string BeyondInsight.
5. Click Create.
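To show what the Shared Secret, Initial Request and Transmit NAS Identifiers settings mean on the wire, here is an added Python example (not BeyondTrust code): it builds the RFC 2865 Access-Request that Forward User Name and Password implies, hides the password under the shared secret, includes the NAS-IP-Address and NAS-Identifier ("BeyondInsight") attributes, and checks the server's Response Authenticator, which is where a mismatched shared secret fails. The user name, password, secret and IP address are constructed sample values.

```python
import hashlib, os, socket, struct

# RFC 2865 packet codes and the attribute types named in the steps above.
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_IDENTIFIER = 1, 2, 4, 32

def _attr(attr_type, value):
    """Type | Length | Value (RFC 2865 section 5); a value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def _xor_blocks(data, secret, authenticator, hide):
    """RFC 2865 section 5.2 keystream: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mixed = bytes(a ^ b for a, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = mixed if hide else block  # the ciphertext block chains in both directions
        out += mixed
    return out

def hide_password(password, secret, authenticator):
    """Pad to a multiple of 16 bytes (at least one block), then obfuscate."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    return _xor_blocks(padded, secret, authenticator, hide=True)

def reveal_password(hidden, secret, authenticator):
    """What the RADIUS server does with the same shared secret; padding is stripped."""
    return _xor_blocks(hidden, secret, authenticator, hide=False).rstrip(b"\x00")

def build_access_request(user, password, secret, nas_ip, ident=1, authenticator=None):
    """The "Forward User Name and Password" request, with both NAS attributes included."""
    authenticator = authenticator or os.urandom(16)  # 16 random bytes (RFC 2865 section 3)
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_IDENTIFIER, b"BeyondInsight"))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return header + hashlib.md5(header + request[4:20] + attrs + secret).digest() + attrs

def response_is_authentic(response, request, secret):
    """A mismatched shared secret fails this check, so the logon is refused."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return response[4:20] == expected
```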

Setting up the User Account


Two-factor authentication can be configured for either a local BeyondInsight user account or an Active Directory
account.
To configure the user account:
1. In the BeyondInsight management console, click the Configure tab.
2. Click the Accounts tab.
3. Create the user account and configure the typical settings. See Creating User Accounts.
4. On the User Details page, select Radius from the Two Factor Authentication list.
5. From the Map Two Factor User list, select one of the options listed. The user type selected maps to a user on
the Radius server.
The options displayed in the list change depending on the user logging on.
BeyondInsight user options:
– As Logged in - Uses the BeyondInsight user account logon.
– Manually Specified - Enter the user name that the user will log on as.
Active Directory user options:
– SAM Account Name - Default value.
– Manually Specified - Enter the user name the user will use to log on.
– Alternate Directory Attribute - This can be any attribute from Active Directory. The attribute is set when
you configure the Radius server. See Configuring the Radius Server.
– Distinguished Name
– User Principal Name
The information for any of these is drawn from the Active Directory setting for the user account logging on.
Note: The following screen capture shows the options for Active Directory users.


6. Click Update.

Configuring Smart Card Authentication


Your network must already be configured to use Smart Card technology to use this feature.
You can configure Smart Card authentication to log on to BeyondInsight and PowerBroker Password Safe. To turn
on Smart Card authentication:
1. Log on to BeyondInsight.
2. Click the Configure tab, and then click Authentication.
3. Select the Enable Smart Cards check box.
4. Optionally, you can select the Allow UPN Override On User check box.
This allows the user to log on using their Active Directory user account rather than the BeyondInsight local user
account.
Note: You must also select the Override Smart Card User check box and enter the UPN when you are
creating the local user account.
5. Click Save.


Troubleshooting

Active Directory User Cannot Authenticate with BeyondInsight or Password Safe


Some Active Directory users might not be able to log on to BeyondInsight, Password Safe, or Analytics & Reporting.
• Authentication fails with a message: “The user name or password is incorrect. Please try again.” even if the
correct credentials are supplied.
• An error that includes “A local error occurred” is logged in frontend.txt for that logon attempt.
• The user is a member of more than 120 Active Directory groups.
The user cannot authenticate because the Kerberos token that is generated during authentication attempts has a
fixed maximum size.
See the following knowledge base article for more information:
https://support.microsoft.com/en-us/kb/327825
To resolve:
1. Start the Registry Editor on the BeyondInsight server.
2. Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Note: If the Parameters key does not exist, create it now.
3. From the Edit menu, select New, and then select DWORD Value or DWORD (32-bit) Value.
4. Type MaxPacketSize, and then press ENTER.
5. Double-click MaxPacketSize, type 1 in the Value data box, select Decimal, and then click OK.
6. From the Edit menu, select New, and then click DWORD Value or DWORD (32-bit) Value.
7. Type MaxTokenSize, and then press ENTER.
8. Double-click MaxTokenSize, type 65535 in the Value data box, select Decimal, and then click OK.
9. Quit Registry Editor.
10. Restart the BeyondInsight server.
