CyberArk covers the install at a high level in [CyberArk's Client Auth Configuration](https://docs.cyberark.com/credential-providers/latest/en/content/ccp/configure_ccpwindows.htm#ConfigureClientAuthenticationwithclientcertificates). This guide starts from the same place, adding the IIS roles, and then continues where the CyberArk documentation leaves off.

## 3.1 Folder Permissions

1. Log into your CCP Machine

> [!warning] 🤔
> Not sure what "Default User" is being referenced in CyberArk's Documentation, so I'll share my permissions on that same folder *c:/inetpub/wwwroot/AIMWebService*

2. Give the default user access to the AIMWebService folder under
   - Read and execute
   - List folder contents
   - Read

   ![[FilePermissionsons.png]]

> [!NOTE] No changes were made
> *LAB-CCP\Users has identical permissions to IIS_IUSRS.* All other permissions were standard.

## 3.2 Install the client certificate mapping authentication roles

1. Go to Server Manager > Add Roles and Features. Click Next.
2. Select Server Roles, and under Web Server (IIS) > Web Server > Security, install the following:
   1. Client certificate mapping authentication
   2. IIS Client certificate mapping authentication

   ![[AddIISRoles01.png]]

## 3.3 IIS Configuration

💡 Starting here is where we began to address the gaps 💡

After the roles are installed, CyberArk's instructions direct you to create a PEM file containing all CCP client auth certs and move it to the CCP Machine, with very little instruction afterwards. I wouldn't suggest moving everything to one PEM file; managing that long term would be a pain.

1. Open IIS -> Default Web Site -> AIMWebService -> Configuration Editor

   ![[IIS-ConfigurationEditor.png]]

2. In the Section block navigate to the below
   1. system.webServer/security/authentication/clientCertificateMappingAuthentication
      1. Set Enabled = True

   ![[Pasted image 20250422104428.png]]

3. In the Section block navigate to the below

   > [!Tip]- OnetoOneMappings & ManytoOneMappings
   > CyberArk recommends One-to-One Mappings, and generally they're slightly more secure. But in this guide I will use Many-to-One Mappings, because if you do choose to bind the client certificates to a user (or users) it can become difficult to manage if only set to a single user, and it can create a single point of failure.
   >
   > In this lab I chose not to associate a user directly to the certificate and to leave UserName and PW blank when adding the rule.

   1. system.webServer/security/authentication/iisClientCertificateMappingAuthentication
   2. Set **enabled** = True
   3. **ManyToOneMappings** -> Click the ![[Pasted image 20250418104659.png]]

      ![[SystemWebIISClientAuth.png]]
      ![[ManytoOneMappings.png]]

   4. Click Add

      ![[AddManytoOneMappings.png]]

   5. Fill out the properties
      - `description = "Can be anything"`
      - `enabled = True`
      - `name = "Can be anything"`
      - `password - leave empty`
      - `permissionMode = Allow`
      - `rule = Will cover this in the next step`
      - `userName = leave empty`
      1. Rules -> Click the ![[Screenshot 2025-04-18 at 10.46.46 AM.png]]

      ![[AddRuleManytoOneMappings.png]]

   6. This opens a similar window (Window Inception).
      1. Click Add and create a new rule.
      2. Fill out the properties based on your client certificate. An example of the certificate properties is shown in the image below.
      3. Properties
         - `certificateField = Issuer`
         - `certificateSubField = CN`
         - `compareCaseSensitive = True (Optional)`
         - `matchCriteria = clab-DC01-CA`

      ![[AddedRuleConfiguration.png]]
      ![[Client Certificate.png]]

   7. Close the previous panes until you are back at the Configuration Editor panel
      1. Click Apply

      ![[ConfigurationEditorClickApply.png]]

## 3.4 IIS SSL Settings

These can be tailored to your exact needs. For testing I usually set them to the following:

1. Open IIS -> Default Site -> AIMWebService -> SSL Settings

   ![[Screenshot 2025-04-22 at 4.41.00 PM.png]]

2. Adjust settings

   ![[Screenshot 2025-04-22 at 4.30.22 PM.png]]

In a production environment I would set it as below

![[Screenshot 2025-04-22 at 4.44.06 PM.png]]

## 3.5 IIS Authentication

1. Open IIS -> Default Site -> AIMWebService -> Authentication

   ![[Screenshot 2025-04-24 at 12.41.49 PM 1.png]]
   ![[Screenshot 2025-04-24 at 12.42.05 PM.png]]

> [!Tip] Authentication Settings
> This configuration works because no other API calls are being made with different authentication methods. Just be sure to adjust accordingly if you have other applications authenticating with different methods.
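The clicks in sections 3.2 through 3.5 can be replayed as a PowerShell script, which is handy for rebuilding a CCP node or for diffing a broken one against a known-good state. The script below is an added example written for this guide; it is not CyberArk's code or the author's, and the path `Default Web Site/AIMWebService`, the issuer CN `clab-DC01-CA`, the mapping name `CCP-ClientCerts`, and the `$Thumbprint`, `$AppId`, `$Safe` and `$Object` values are assumptions or placeholders taken from or standing in for the lab. Section 3.5 shows only screenshots, so the script assumes the intended end state is anonymous authentication disabled on AIMWebService, leaving the certificate mapping as the only way in.

```powershell
# Added example for this guide (not CyberArk's or the author's code): sections 3.2 to 3.5 as a script.
# Assumptions: default site/app path, the lab issuer CN from section 3.3, anonymous auth off for 3.5.
#Requires -RunAsAdministrator
Import-Module ServerManager
Import-Module WebAdministration

$AppPath  = 'Default Web Site/AIMWebService'   # app node the guide opens in Configuration Editor
$IssuerCn = 'clab-DC01-CA'                     # matchCriteria from 3.3 step 6 (lab CA, assumption)
$MapName  = 'CCP-ClientCerts'                  # name/description "can be anything"
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$AuthBase = 'system.webServer/security/authentication'

# 3.2: Web-Client-Auth = Client Certificate Mapping Authentication (AD),
#      Web-Cert-Auth   = IIS Client Certificate Mapping Authentication
Install-WindowsFeature -Name Web-Client-Auth, Web-Cert-Auth | Out-Null

# 3.3: these sections are locked at server level by default (overrideModeDefault="Deny"),
# so write them with -Location into applicationHost.config, which is what Configuration Editor
# does when it is opened at the AIMWebService node.
Set-WebConfigurationProperty -PSPath $AppHost -Location $AppPath `
    -Filter "$AuthBase/clientCertificateMappingAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $AppPath `
    -Filter "$AuthBase/iisClientCertificateMappingAuthentication" -Name enabled -Value $true

# Many-to-one mapping with userName/password left empty, as in 3.3 step 5
$MapFilter = "$AuthBase/iisClientCertificateMappingAuthentication/manyToOneMappings"
$mapping = Get-WebConfiguration -PSPath $AppHost -Location $AppPath -Filter "$MapFilter/add[@name='$MapName']"
if (-not $mapping) {
    Add-WebConfigurationProperty -PSPath $AppHost -Location $AppPath -Filter $MapFilter -Name '.' `
        -Value @{ name = $MapName; description = 'CCP client auth certs'; enabled = 'True'; permissionMode = 'Allow' }

    # Rule from 3.3 step 6: Issuer CN must equal the lab CA. Every certificate chained to that CA
    # satisfies this rule, so narrow it if needed: rules inside one mapping are ANDed, e.g. add a
    # second entry @{ certificateField='Subject'; certificateSubField='OU'; matchCriteria='CCP-Clients' }.
    Add-WebConfigurationProperty -PSPath $AppHost -Location $AppPath `
        -Filter "$MapFilter/add[@name='$MapName']/rules" -Name '.' `
        -Value @{ certificateField = 'Issuer'; certificateSubField = 'CN'; matchCriteria = $IssuerCn; compareCaseSensitive = 'True' }
}

# 3.4: 'Ssl,SslNegotiateCert' = Require SSL + client certs Accept (the testing setting);
#      'Ssl,SslNegotiateCert,SslRequireCert' = Require SSL + client certs Require (production).
Set-WebConfigurationProperty -PSPath $AppHost -Location $AppPath `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 3.5 (assumption): anonymous off, so only a mapped client certificate can satisfy the request
Set-WebConfigurationProperty -PSPath $AppHost -Location $AppPath `
    -Filter "$AuthBase/anonymousAuthentication" -Name enabled -Value $false

# Readback: the equivalent of reopening Configuration Editor after Apply
Get-WebConfigurationProperty -PSPath $AppHost -Location $AppPath `
    -Filter "$AuthBase/iisClientCertificateMappingAuthentication" -Name enabled
Get-WebConfiguration -PSPath $AppHost -Location $AppPath -Filter "$MapFilter/add/rules/add" |
    Select-Object certificateField, certificateSubField, matchCriteria, compareCaseSensitive
Get-WebConfigurationProperty -PSPath $AppHost -Location $AppPath -Filter 'system.webServer/security/access' -Name sslFlags

# Smoke test, run from a machine holding a client certificate issued by $IssuerCn.
# Thumbprint, AppID, Safe and Object are placeholders for your own CCP application and account.
function Test-CcpClientCert {
    param([string]$CcpHost, [string]$Thumbprint, [string]$AppId, [string]$Safe, [string]$Object)
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    $uri  = "https://$CcpHost/AIMWebService/api/Accounts?AppID=$AppId&Safe=$Safe&Object=$Object"
    # With SslRequireCert set, a request without a certificate should stop at IIS (HTTP 403.7)
    # instead of reaching CCP; a certificate from a different issuer fails the mapping rule.
    Invoke-RestMethod -Uri $uri -Method Get -Certificate $cert
}
# Example: Test-CcpClientCert -CcpHost 'ccp.lab.local' -Thumbprint '<thumbprint>' -AppId 'MyApp' -Safe 'MySafe' -Object 'MyAccount'
```

Run it once on the CCP node and keep the readback output with the build notes; the two `Get-WebConfiguration*` calls are what you compare against after a patch cycle or an accidental "Revert" in IIS Manager. The `/api/Accounts` query in the smoke test is CyberArk's documented CCP REST call; the point of the test is that a request with the wrong certificate, or none, is rejected by IIS before CCP's own AppID checks ever run.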