Authentication and Encryption in ProjectWise [FAQ]
Encryption for ProjectWise WebParts

Logical and Non-SSO Domain user credentials

WebParts does not provide any encryption for Logical and Non-SSO Domain user credentials: the credentials are passed in plain text from your web browser to the ProjectWise WebParts Server if TLS/SSL is not enabled. Encryption of credentials from the WebParts server to the Integration Server is handled the same way as ProjectWise Explorer credentials (see below).

SSO Domain user credentials

SSO credential handling depends on the configuration of the browser the user is using and of the IIS server hosting the WebParts site. By default IIS is set to use the Negotiate and NTLM security providers to exchange an encrypted token. The Negotiate provider will attempt to use Kerberos first and will fall back to NTLM if Kerberos fails. The exact strength of encryption for the token will depend on the provider used, on what levels of encryption the client's browser supports, and on what versions of Windows/IIS/Active Directory you are running. By default on Server 2008 and later, most older and weaker forms of NTLM and Kerberos encryption are disabled; however, it is possible to re-enable these. Please examine your domain and server settings to determine the exact encryption level provided. This only applies to credentials from your web browser to the ProjectWise WebParts Server. Encryption of credentials from the WebParts Server to the Integration Server is handled the same way as ProjectWise Explorer credentials (see below).

Navigation and File Transfer

WebParts does not provide any encryption of navigation or file transfer traffic between the client and the web server if TLS/SSL is not enabled. This only applies to navigation and file transfer from your web browser to the ProjectWise WebParts server. Encryption of navigation and file transfer from the WebParts server to the Integration Server/Storage Area Server is handled the same way as ProjectWise Explorer navigation and file transfer (see below).

With TLS/SSL enabled

Enabling TLS/SSL for the website hosting ProjectWise WebParts does not change any of the above information; HOWEVER, it does encapsulate all communication between the user's browser and the server in a TLS/SSL session. The exact strength of the encryption will depend on the key length of the certificate used and on the encryption algorithms supported by the client and the server. Please examine your certificate and server settings to determine the exact encryption level provided. This only applies to traffic from your web browser to the ProjectWise WebParts Server. Encryption of credentials from the WebParts Server to the Integration Server is handled the same way as ProjectWise Explorer credentials (see below).

Encryption for ProjectWise Explorer

Logical and Non-SSO Domain user credentials

Both Logical and Non-SSO Domain users are handled the same way: ProjectWise Explorer uses RSA 1024 to exchange a secret key, which is used to encrypt the username and password using 3DES. The encrypted data is sent to the ProjectWise Integration Server, which decrypts it and validates Logical users against the database and Domain users against Active Directory using a Microsoft API.

SSO Domain user credentials

When doing SSO, ProjectWise Explorer will try to use Kerberos and fall back to NTLM to get an encrypted token from the domain for authentication. The Integration Server validates the token against the domain using a Microsoft API. Encryption for the API call is governed by Active Directory. The exact strength of encryption used for the token will depend on the provider used, on what levels of encryption the client and server OS support, and on what versions of Active Directory you are running. By default on Server 2008 and later, most older and weaker forms of NTLM and Kerberos encryption are disabled; however, it is possible to re-enable these. Please examine your domain and server settings to determine the exact encryption level provided.

Navigation and File Transfer

ProjectWise Explorer does not provide any encryption of navigation or file transfer traffic between the client and the server if TLS/SSL is not enabled.

With TLS/SSL enabled (SecureConnection=1)

Enabling TLS/SSL for a ProjectWise server does not change any of the above information; HOWEVER, it does encapsulate all communication between the application with SecureConnection=1 and the next hop in a TLS/SSL encrypted session. The "next hop" could be ProjectWise Explorer, ProjectWise WebParts, or another ProjectWise Server (Integration, Gateway, Caching). We only encrypt one server at a time, to provide the most flexibility in deploying ProjectWise. For most users, setting SecureConnection=1 on their public-facing server is sufficient; however, if you require other connections to be encrypted, you can then enable SecureConnection=1 on any server needed. To enable SecureConnection=1 on a given server you will need to obtain a certificate for that server. The exact strength of the encryption used will depend on the key length of the certificate used and on the encryption algorithms supported by the client and the server OS. Please examine your certificate and server settings to determine the exact encryption level provided. There is a small performance cost to enabling TLS/SSL that will depend on server load and processing power. While most users don't see a meaningful impact when enabling TLS/SSL, if it is found to cause issues in your environment you may want to look into 3rd-party VPN solutions.

Port when using TLS/SSL

Enabling TLS/SSL does not change the port used by ProjectWise; however, you can change the port ProjectWise uses in the DMSKrnl config to any valid, unused port on the server.

Database Communication

ProjectWise uses a standard ODBC interface for making all calls to the database, which is not encrypted by default. Both Microsoft SQL Server and Oracle provide the ability to enable TLS/SSL encryption at this layer. For more information contact your database vendor.

User Passwords

For ProjectWise Logical users, the password is stored as a SHA1 hash. For Windows users we do not store any password for the user. Authentication of domain users is accomplished by calling a Microsoft API to validate whatever credentials or token the user presents at login. Encryption for the API call is governed by Active Directory.

What type of encryption is used when a user is logging into WEL without using SSL?

It uses standard base64-encoding. The user name is passed in clear text. Base64 is typically referred to as an encoding scheme, not encryption. It is a very trivial encoding and is not considered secure.

What type of encryption is used when a user is logging into WEL using SSL?

It uses 128 bit encryption for the username and passwords that are passed over the wire. The strength of the SSL session between a web browser and a server depends on the strength of the session key that is generated during session negotiation. This is a symmetric key used to encrypt and decrypt data exchanged by the browser and the server. Browsers and servers usually negotiate the strongest mutually supported session. This means that if the user's browser and your Web server both support 128-bit SSL sessions, a 128-bit session is established. If the user's browser only supports 40-bit SSL sessions, then a 40-bit encrypted session is established even if your Web server supports 128-bit sessions.

What type of encryption is used when a user is logging in from ProjectWise Explorer using a Windows account from the domain to log in to the datasource?

The NTLM authentication method is used. Kerberos authentication is also supported, but neither NTLM nor Kerberos is used for encryption. Without separately activated SSL encryption (between the client and the server), only the most sensitive parts of some messages are encrypted, by the RC4 algorithm (using 128 bit keys). That is done independently of the authentication protocol.

What type of encryption is used when a user is logging in to the datasource using a ProjectWise account?

It is encrypted using the RC4 algorithm (using 128 bit keys), i.e. 128 bit encryption.

What type of encryption is used when a user is logging in using SSL on the ProjectWise Application Server where the datasources are published (running ProjectWise in secure mode)?

The keys come from the certificate server in your network and are validated by the certificate server. It still uses port 5800. I would refer to this as the "ProjectWise Secure Connection" when not talking about WEL using HTTPS. SSL is a well known standard and our connection is not based on it.

Can I enable SSL with ProjectWise Explorer? Are there any port configuration changes?

Using ProjectWise in secure mode encrypts the data from ProjectWise Explorer to the application server. The configuration is done on the server. The encryption keys are handled by the certificate server.

Does the file get encrypted when being transferred over the wire?

Only when using the PW secure connection.

What type of secure communication happens when communicating with the database?

ProjectWise communicates with the backend database through ODBC. ProjectWise will use whatever type of connection you have set up, for example MS SQL Server passing user/password in clear text. You can use the Server Network Utility to enable SSL encryption over all enabled network libraries. With SQL Server 2000 you can then use SSL to encrypt all data transmitted over any network library between the client (ProjectWise Application Server) and the server running SQL Server 2000. The encryption level, 40-bit versus 128-bit, depends on the level of encryption supported by the Windows operating system involved. For maximum security it is recommended that you use Microsoft integrated authentication for the database connection.

How does ProjectWise work with Active Directory?

ProjectWise works with an Active Directory model in both Mixed and Native mode. The ProjectWise Authentication Server will pull information from the Domain controller on users and groups within AD. Once in ProjectWise, the users authenticate from the PW application server to the domain controller in AD.

Does ProjectWise store my Passwords in the Database?

For ProjectWise Windows Users we do NOT store the password in the database. The ProjectWise Authentication Server brings the usernames from the domain into the database, where they are stored in the DS_SID table. It then populates the usernames to the dms_user table. When the user authenticates into ProjectWise, the application makes a call to the domain controller in real time to authenticate the user. For this reason we do not store ProjectWise Windows accounts in the database. The actual passwords are not stored in the database. In the PW logical user case only, an MD5 hash of the password is stored, so that the plaintext user password cannot be recovered.

Does ProjectWise support Kerberos?

Not directly; ProjectWise will work with Win2003 Active Directory using Kerberos. Authentication of domain users using Kerberos is supported.

If a user logs in from the WEL client using his NT account, how does ProjectWise deal with the password sent over the wire? Again, what protocol are we using?

If not using SSL it uses Base64 encoding, and the password is encoded using that. For a more secure method it is recommended to use SSL within the web environment.

Applies To
Product(s): ProjectWise
Version(s): All
Environment: N/A
Area: N/A
Subarea: N/A
Original Author: Bentley Technical Support Group