Digipass Plug-In for IAS Administrator Reference - Vasco
Digipass Plug-In for IAS
IAS Plug-In
Digipass Extension for Active Directory Users and Computers
Administration MMC Interface
IAS
Microsoft's Internet Authentication Service
SBR
Funk Steel-Belted RADIUS
Steel-Belted RADIUS

Administrator Reference
Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

Copyright

© 2006 VASCO Data Security Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc.
Microsoft and Windows are registered trademarks of Microsoft Corporation.
All other trademarks are the property of their respective holders.
© 2006 VASCO Data Security Inc.
Digipass Plug-In for IAS Administrator Reference - Table of Contents

Table of Contents

1 Introduction ..... 8
1.1 Available Reference Guides ..... 8
2 Active Directory Schema ..... 9
2.1 Schema Extensions ..... 9
2.1.1 Added Object Classes ..... 9
2.1.2 Added Attributes ..... 9
2.1.3 Added Permission Property Sets ..... 11
2.2 Active Directory Auditing ..... 12
2.3 Custom Search Options ..... 13
2.3.1 Using the Custom Search ..... 13
2.4 Sensitive Data Encryption ..... 14
2.4.1 Encrypted Data ..... 14
2.4.2 Which Encryption Algorithms can be used? ..... 14
2.4.3 Exporting Encryption Settings ..... 14
2.5 Active Directory Replication Issues ..... 15
2.5.1 Old Data Used After Attribute Modified ..... 15
2.5.1.1 Single Plug-In using more than one Domain Controller ..... 15
2.5.1.2 Administrator and Plug-In using different Domain Controllers ..... 16
2.5.1.3 Multiple Plug-Ins Using Different Domain Controllers ..... 16
2.5.1.4 Two Administrators Modifying the Same Attribute ..... 16
2.5.2 Old Data Used Overwrites New Data ..... 17
2.5.3 Factors Affecting Replication Issues ..... 17
2.5.4 Solutions and Mitigations ..... 18
2.5.4.1 Digipass Cache ..... 18
2.5.4.2 Identification Threshold Setting ..... 19
2.5.4.3 Administrator Connection Strategy ..... 19
2.5.4.4 Set a Preferred Server ..... 20
2.5.4.5 Use Preferred Server Only Option ..... 22
3 Set Up Active Directory Permissions ..... 23
3.1 Permissions Needed by the IAS Plug-In ..... 23
3.1.1 Giving Permissions to the IAS Plug-In ..... 23
3.2 Permissions Needed by Administrators ..... 24
3.2.1 Domain Administrators ..... 24
3.2.2 Delegated Administrators ..... 24
3.2.3 Reduced-Rights Administrators ..... 24
3.2.4 System Administrators ..... 25
3.3 Assign Administration Permissions to a User ..... 25
3.4 Multiple Domains ..... 28
3.4.1 Scenario 1 – Each IAS Server Handles One Domain ..... 28
3.4.2 Scenario 2 – One IAS Server Handles All Domains ..... 28
3.4.3 Scenario 3 – Combination ..... 29
4 Backup and Recovery ..... 30
4.1 What Must be Backed Up ..... 30
4.1.1 Configuration files ..... 30
4.1.2 Web Sites ..... 31
4.1.3 Audit Log Data ..... 31
4.1.3.1 Write to File ..... 31
4.1.3.2 Write to Windows Event Log ..... 31
4.1.4 Active Directory ..... 32
4.1.4.1 Cold Backup ..... 32
4.1.5 DPX files ..... 32
4.2 Recovery ..... 33
5 Field Listings ..... 34
5.1 User Property Sheet ..... 34
5.2 Digipass Property Sheet ..... 36
5.2.1 Digipass Application Tab ..... 36
5.3 Policy Property Sheet ..... 37
5.4 Component Property Sheet ..... 44
6 Licensing ..... 45
6.1 How is Licensing Handled? ..... 45
6.2 Licensing Parameters ..... 45
6.2.1 Sample License File ..... 45
6.3 View License Information ..... 45
6.4 Obtain a License Key for a Component ..... 46
6.5 Change IP Address ..... 47
7 Web Sites ..... 48
7.1 Customizing the Web Sites ..... 48
7.2 CGI Program ..... 48
7.2.1 Configuration Settings ..... 49
7.3 Form Fields ..... 49
7.3.1 User Self Management Web Site ..... 49
7.3.1.1 Registration – Main Pages ..... 49
7.3.1.2 Registration – Challenge Page ..... 51
7.3.1.3 Server PIN Change ..... 52
7.3.1.4 Login Test – Main Page ..... 53
7.3.1.5 Login Test – Challenge Page ..... 54
7.3.2 OTP Request Site ..... 54
7.3.2.1 Request Page ..... 54
7.4 Query String Variables ..... 55
7.4.1 Failure/Error Handling ..... 55
7.4.2 Query String Variable List ..... 56
7.4.3 Return Code Listing ..... 57
7.4.3.1 API Return Codes ..... 57
7.4.3.2 CGI Errors ..... 58
7.4.3.3 Internal Errors ..... 59
8 Command line utilities ..... 60
8.1 DPADadmin Utility ..... 60
8.1.1 Extend Active Directory Schema ..... 60
8.1.1.1 Prerequisite Information ..... 60
8.1.1.2 Extend the Schema on the Schema Master ..... 61
8.1.1.3 Extend the Schema on the IAS Server ..... 61
8.1.1.4 Command Line Syntax ..... 61
8.1.2 Check Schema Extensions ..... 62
8.1.2.1 Prerequisite Information ..... 62
8.1.2.2 Check the Schema on the IAS Server ..... 62
8.1.2.3 Check the Schema on a Machine in the Domain to Check ..... 63
8.1.2.4 Command Line Syntax ..... 63
8.1.3 Set Up Digipass Configuration Container in Domain ..... 63
8.1.3.1 Prerequisite Information ..... 63
8.1.3.2 Set Up Digipass Configuration Container ..... 63
8.1.3.3 Command Syntax ..... 64
8.1.4 Assign Digipass Permissions to a Group ..... 64
8.1.4.1 Pre-requisites ..... 64
8.1.4.2 Command Syntax ..... 64
9 Login Options ..... 65
9.1 Login Permutations ..... 65
9.1.1 Response Only – PAP ..... 67
9.1.2 Response Only – CHAP/MS-CHAP ..... 68
9.1.3 Challenge/Response ..... 68
9.1.4 Virtual Digipass ..... 69
10 Configuration Settings ..... 70
10.1 IAS Plug-In ..... 70
10.1.1 Configuration GUI ..... 70
10.1.1.1 Enable IAS Plug-In ..... 70
10.1.1.2 Allow Passthrough ..... 70
10.1.1.3 Set Component Location ..... 70
10.1.1.4 Library Path ..... 70
10.1.1.5 Turn Tracing On or Off ..... 70
10.1.1.6 Active Directory Settings ..... 71
10.1.1.7 Data Encryption ..... 73
10.1.2 Configuration File ..... 75
10.2 MDC ..... 78
10.2.1 Required Information ..... 78
10.2.2 MDC Configuration GUI ..... 78
10.2.2.1 Set IAS Server Connection Details ..... 78
10.2.2.2 Modify Gateway Account Login Details ..... 78
10.2.2.3 Configure Internet Connection Details ..... 79
10.2.2.4 Configure Tracing ..... 79
10.2.2.5 Import HTTP Gateway settings ..... 80
10.2.2.6 Edit Advanced Settings ..... 80
10.2.2.7 Export HTTP Gateway settings ..... 80
10.2.2.8 Gateway Result Pages ..... 81
10.2.3 MDC Configuration File ..... 85
10.2.4 Configuration Settings ..... 86
10.3 CGI ..... 87
11 How to troubleshoot ..... 88
11.1 Enable Tracing ..... 88
11.2 Installation Check ..... 88
11.2.1 Installation Log File ..... 88
11.2.2 Check file placement ..... 88
11.2.3 Registry Entries ..... 89
11.2.4 DLLs to be Registered ..... 90
11.2.5 Check Permissions ..... 90
11.2.6 IAS Server Registered in Active Directory Domain ..... 91
11.2.7 Default Policy and Component Created ..... 91
11.3 Fix Installation Errors ..... 92
11.3.1 Register IAS Plug-In ..... 92
11.4 View Audit Information ..... 92
11.4.1 Windows Event Log ..... 92
11.4.2 Audit log text file ..... 92
11.5 Delete all Digipass Data from Active Directory ..... 93
11.5.1 Run Delete Script on a Domain ..... 93
12 Audit Messages ..... 94
12.1 Audit Message Listing ..... 94
12.2 Audit Message Fields ..... 98
13 Error and Status Codes ..... 100
13.1 Error Code Listing ..... 100
13.2 Status Code Listing ..... 102
14 Technical Support ..... 105
14.1 Support Contact Information ..... 105
Index of Tables

Table 1: Custom Object Classes ..... 9
Table 2: Custom Object Attributes ..... 11
Table 3: Custom Permission Property Sets ..... 11
Table 4: Custom Search options ..... 13
Table 5: Encrypted Data Attributes ..... 14
Table 6: User Fields ..... 35
Table 7: Digipass Fields ..... 36
Table 8: Digipass Application Fields ..... 37
Table 9: Policy Fields ..... 43
Table 10: Component Fields ..... 44
Table 11: License Parameters for Digipass Plug-In for IAS ..... 45
Table 12: Configuration Settings for CGI Program ..... 49
Table 13: Form Fields for Main Registration Page ..... 50
Table 14: Form Fields for Registration Challenge Page ..... 51
Table 15: Form Fields for Server PIN Change Page ..... 52
Table 16: Form Fields for Main Login Test Page ..... 53
Table 17: Form Fields for Login Test Challenge Page ..... 54
Table 18: Form Fields for OTP Request Page ..... 54
Table 19: Query String Variable List ..... 56
Table 20: API Return Codes ..... 57
Table 21: CGI Error Return Codes ..... 58
Table 22: Internal Error Codes ..... 59
Table 23: DPADadmin addschema Command Line Options ..... 62
Table 24: DPADadmin checkschema Command Line Options ..... 63
Table 25: DPADadmin setupdomain Command Line Options ..... 64
Table 26: DPADadmin setupaccess Command Line Options ..... 64
Table 27: Login Permutations – Response Only PAP ..... 67
Table 28: Login Permutations – Response Only CHAP ..... 68
Table 29: Login Permutations – Challenge/Response ..... 68
Table 30: Login Permutations – Virtual Digipass ..... 69
Table 31: MDC Audit Message Variables ..... 83
Table 32: Message Delivery Component Configuration Settings ..... 87
Table 33: Required Files ..... 89
Table 34: Registry Entries ..... 90
Table 35: DLLs to be Registered ..... 90
Table 36: Permissions Required ..... 91
Table 37: IAS Plug-In Registry Entries ..... 92
Table 38: Audit Messages List ..... 97
Table 39: Audit Message Fields ..... 99
Table 40: Error Code List ..... 102
Table 41: Status Code List ..... 104
© 2006 VASCO Data Security Inc. 7
Digipass Plug-In for IAS Administrator Reference (Introduction)

1 Introduction

1.1 Available Reference Guides

These Reference Guides are included with every VASCO product:

Product Guide
  The Product Guide introduces you to the features of this product and the various options you have for using it.

Installation Guide
  Use this guide when planning and working through an installation of the product.

Getting Started
  Gets you up and running quickly with a simple installation and setup of the product.

Administrator Reference
  In-depth information required for administration of the product.

Data Migration Tool Guide
  Takes you through a data migration from one VASCO product to another, using the VASCO Data Migration Tool.

Help Files
  These accompany various utilities and the administration interfaces.
2 Active Directory Schema

2.1 Schema Extensions

The following tables document the changes made by the Digipass Plug-In for IAS to the Active Directory schema.

2.1.1 Added Object Classes

Attribute | Type | Location | Explanation
vasco-UserExt | Auxiliary class | User record | Extra VASCO attributes are added to an Active Directory User record via an auxiliary class, vasco-UserExt, on the User class.
vasco-DPToken | Class | Unassigned: optional. Assigned: with the User record | The vasco-DPToken class is used to store Digipass attributes. It is also a container, in which the vasco-DPApplication records for that Digipass are stored. Upon assignment to a User, the Digipass record is stored in the same location as the User.
vasco-DPApplication | Class | Within the Digipass record | This class is used to store Digipass Application attributes, such as the Server PIN and the expected OTP length.
vasco-Policy | Class | Digipass Configuration Container | Policy attributes. Attributes are commonly shared via inheritance.
vasco-Component | Class | Digipass Configuration Container | Component attributes include the License Key for IAS Plug-In Components.
vasco-BackEndServer | Class | Digipass Configuration Container | Information required for connection to back-end servers. This class is not used with the Digipass Plug-In for IAS, but is included for compatibility with other VASCO products.
Table 1: Custom Object Classes

2.1.2 Added Attributes

Name | Class
vasco-SerialNumber | vasco-DPToken
vasco-TokenType | vasco-DPToken
vasco-ApplicationNames | vasco-DPToken
vasco-ApplicationTypes | vasco-DPToken
vasco-LinkVascoDigipassToUserExt | vasco-DPToken
vasco-TokenAssignedDate | vasco-DPToken
vasco-GracePeriod | vasco-DPToken
vasco-EnableBVDP | vasco-DPToken
vasco-BVDPExpiryDate | vasco-DPToken
vasco-BVDPUsesLeft | vasco-DPToken
vasco-DirectAssignOnly | vasco-DPToken
vasco-AdditionalAttribute | vasco-DPToken
vasco-SerialNumber | vasco-DPApplication
vasco-ApplicationName | vasco-DPApplication
vasco-ApplicationNumber | vasco-DPApplication
vasco-ApplicationType | vasco-DPApplication
vasco-DPBlob | vasco-DPApplication
vasco-Active | vasco-DPApplication
vasco-LinkUserExtToVascoDigipass | vasco-UserExt
vasco-LinkUserExtToUser | vasco-UserExt
vasco-StaticPassword | vasco-UserExt
vasco-LocalAuth | vasco-UserExt
vasco-BackEndServerAuth | vasco-UserExt
vasco-Disable | vasco-UserExt
vasco-Profile | vasco-UserExt
vasco-CreateTime | vasco-UserExt
vasco-ModifyTime | vasco-UserExt
vasco-ID | vasco-BackEndServer
vasco-Protocol | vasco-BackEndServer
vasco-Domain | vasco-BackEndServer
vasco-Priority | vasco-BackEndServer
vasco-ConfigurationValue | vasco-BackEndServer
vasco-ID | vasco-Component
vasco-Location | vasco-Component
vasco-LinkVascoPolicyToVascoPolicy | vasco-Component
vasco-Protocol | vasco-Component
vasco-ConfigurationValue | vasco-Component
vasco-PublicKey | vasco-Component
vasco-AdditionalAttribute | vasco-Policy
vasco-EnableBVDP | vasco-Policy
vasco-LocalAuth | vasco-Policy
vasco-BackEndAuth | vasco-Policy
vasco-ApplicationNames | vasco-Policy
vasco-ID | vasco-Policy
vasco-Description | vasco-Policy
vasco-DUR | vasco-Policy
vasco-Autolearn | vasco-Policy
vasco-StoredPasswordProxy | vasco-Policy
vasco-AssignmentMode | vasco-Policy
vasco-AssignSearchUpOUPath | vasco-Policy
vasco-GracePeriod | vasco-Policy
vasco-AllowedApplType | vasco-Policy
vasco-AllowedDPTypes | vasco-Policy
vasco-Protocol | vasco-Policy
vasco-Domain | vasco-Policy
vasco-GroupList | vasco-Policy
vasco-GroupCheckMode | vasco-Policy
vasco-OneStepChalResp | vasco-Policy
vasco-OneStepChalLength | vasco-Policy
vasco-OneStepChalCheckDigit | vasco-Policy
vasco-BVDPMaximumDays | vasco-Policy
vasco-BVDPMaximumUses | vasco-Policy
vasco-PINChangeAllowed | vasco-Policy
vasco-SelfAssignSeparator | vasco-Policy
vasco-ChallengeRequestMethod | vasco-Policy
vasco-ChallengeRequestKeyword | vasco-Policy
vasco-PrimaryVDPRequestMethod | vasco-Policy
vasco-PrimaryVDPRequestKeyword | vasco-Policy
vasco-BackupVDPRequestMethod | vasco-Policy
vasco-BackupVDPRequestKeyword | vasco-Policy
vasco-ITimeWindow | vasco-Policy
vasco-STimeWindow | vasco-Policy
vasco-EventWindow | vasco-Policy
vasco-SyncWindow | vasco-Policy
vasco-IThreshold | vasco-Policy
vasco-SThreshold | vasco-Policy
vasco-CheckChallenge | vasco-Policy
vasco-OnLineSG | vasco-Policy
vasco-ChkInactDays | vasco-Policy
vasco-LinkPolicyToParentPolicy | vasco-Policy
vasco-LinkPolicyToChildPolicy | vasco-Policy
vasco-LinkPolicyToComponent | vasco-Policy
Version-Number | vasco-Policy
Table 2: Custom Object Attributes
2.1.3 Added Permission Property Sets

Property sets have been created for the typical groups of permissions required for administration tasks.

Property Set | Applicable Object | Actions Allowed
Digipass Assignment Link | Digipass | Assign and unassign Digipass for Digipass User accounts.
Digipass Application Data | Digipass Application | Digipass record functions.
Digipass User Account Information | User | Modify Digipass User information.
Digipass User Account to User Link | User | Link and unlink Digipass Users. This is also required when assigning Digipass to linked Digipass User records.
Digipass User Account Stored Password | User | Read and modify the stored password for a Digipass User.
Table 3: Custom Permission Property Sets
2.2 Active Directory Auditing

Active Directory auditing may be configured to record access to, and modification of, the custom objects used by the Digipass Plug-In for IAS. If you already have default auditing enabled, it may already include actions on the custom objects. Audit entries on objects only produce events once directory service access auditing is enabled in the audit policy of the Domain Controllers; see these Microsoft articles for information on turning on and configuring auditing:

Windows 2000: http://support.microsoft.com/?kbid=314955
Windows 2003: http://support.microsoft.com/?kbid=814595

The basic process you will need to follow is:

1. Select a scope for the auditing (e.g. the Domain Root).
2. Select a Windows User or Windows Group (e.g. Everyone or Domain Administrators).
3. Select the object classes to audit (e.g. Digipass objects), if required.
4. Select the permissions which should be audited (e.g. Read, Write, Delete, Create).

What Should I Audit?

This depends on what you need to record. For example, if you wanted to record all Digipass assignments in the domain, you might set up auditing at the Domain Root for Everyone, with the Digipass Assignment Link property set.

See 2.1 Schema Extensions for more information on the custom objects and permission property sets created for the Digipass Plug-In for IAS.
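The "record all Digipass assignments" configuration above, scripted, as an added example that is not part of the VASCO manual. It assumes the ActiveDirectory PowerShell module and its AD: drive are available, that the Plug-In's schema extension (which creates the property set) is installed, and that the caller holds the "Manage auditing and security log" privilege on the domain. The property set name is taken from Table 3; its GUID is looked up in the directory rather than hard-coded, because it is generated when the schema extension is installed.

```powershell
# Added example, not from the VASCO manual: audit every change made through the
# "Digipass Assignment Link" property set (Table 3), for Everyone, on every object
# below the domain root. Assumes the ActiveDirectory module and its AD: drive,
# the Plug-In schema extension (which creates the property set), and a caller
# holding the "Manage auditing and security log" privilege on the domain.

$propertySetName = 'Digipass Assignment Link'   # display name from Table 3

# 1. Resolve the property set's GUID from the Extended-Rights container instead of
#    hard-coding it; the GUID is generated when the schema extension is installed.
$rootDse  = Get-ADRootDSE
$configNc = $rootDse.configurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -SearchScope OneLevel `
    -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$propertySetName))" `
    -Properties rightsGuid
if (-not $right) { throw "Property set '$propertySetName' not found: is the Digipass schema extension installed?" }
$propertySetGuid = [guid]$right.rightsGuid

# 2. Build the audit entry: Success and Failure on WriteProperty through the property
#    set, applied to this object and all descendants (the manual's "Domain Root" scope).
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
    $everyone,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]'Success, Failure',
    $propertySetGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# 3. Add it to the SACL of the domain root and write the SACL back.
$domainDn = $rootDse.defaultNamingContext
$acl = Get-Acl -Path "AD:\$domainDn" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$domainDn" -AclObject $acl

# 4. Verify: list the audit entries on the domain root that reference the property set.
(Get-Acl -Path "AD:\$domainDn" -Audit).GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -eq $propertySetGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AuditFlags, InheritanceType -AutoSize
```

The SACL entry on its own produces no events. The "Audit directory service access" policy must be enabled on the Domain Controllers, which is what the Microsoft articles above cover; on Windows Server 2008 and later the equivalent is the Directory Service Changes subcategory (auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable).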
2.3 Custom Search Options

The Digipass Extension adds functionality to the Active Directory Users and Computers snap-in which allows searching for specific Digipass and Digipass User records throughout a domain, or within the limits of a delegated administrator's permissions. This functionality is especially useful where unassigned Digipass have been allocated to various Organizational Units.

The table below lists the custom search attributes available for Digipass User accounts and Digipass records.

Object Type | Available Search Attributes | Location (tab)
Users, Contacts and Groups | Digipass Assignment Link | Advanced
Users, Contacts and Groups | Digipass Back-End Authentication | Advanced
Users, Contacts and Groups | Digipass Local Authentication | Advanced
Users, Contacts and Groups | Digipass RADIUS Profile | Advanced
Users, Contacts and Groups | Digipass User Account Disabled | Advanced
Users, Contacts and Groups | Digipass User Account Locked | Advanced
Users, Contacts and Groups | Digipass User to User Link | Advanced
Digipass | Serial Number From | Digipass
Digipass | Serial Number To | Digipass
Digipass | Digipass Type | Digipass
Digipass | Application Name | Digipass
Digipass | Application Type | Digipass
Digipass | Digipass Assignment | Digipass
Digipass | Reserved | Digipass
Digipass | Backup Virtual Digipass Enabled | Advanced
Table 4: Custom Search Options
2.3.1 Using the Custom Search

These instructions show the sort of use to which the Digipass custom search options can be put, and the basic steps required for a search.

1. Right-click on the Organizational Unit to search in.
2. Click on Find...
3. Select the object type from the Find drop-down list.
4. If you are searching on advanced attributes (see the table above):
   a. Click on the Advanced tab.
   b. Click on Field and select the attribute from the list (for User attributes, click on Field -> User -> attribute).
5. Enter the search criteria.

Note
When a search is run with a Digipass Application criterion set, only Digipass records with that Application set to Active will be returned.

Either exact text or wildcards should be used: the search matches whole values only, not parts of a value.

Example

A search for Digipass records run with only the following text entered into the Serial Number field would return these results:

0097          No records returned
0097*         All Digipass with a serial number starting with 0097
0097987654    The Digipass with serial number 0097987654 only
*76           All Digipass with a serial number ending in 76
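The same search run as an LDAP query rather than through the Find dialog, as an added example that is not part of the VASCO manual: it covers a whole domain or a delegated OU from a script, reports where each Digipass sits and whether it is assigned, and applies the rule above that an Application criterion only matches Digipass with that Application active. Object class and attribute names are those of Tables 1 and 2. Two things the manual does not state are assumed, and marked in the code: that an unassigned Digipass has no vasco-LinkVascoDigipassToUserExt value, and that vasco-Active holds TRUE on an active vasco-DPApplication. The search base and serial pattern in the usage line are placeholders. Requires the ActiveDirectory module.

```powershell
# Added example, not from the VASCO manual: the Digipass custom search as an LDAP
# query. Classes and attributes are from Tables 1 and 2 of the manual.
# ASSUMPTIONS (not documented on the page): an unassigned Digipass has no value in
# vasco-LinkVascoDigipassToUserExt; an active vasco-DPApplication has vasco-Active=TRUE.

function Find-Digipass {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Tokens,DC=example,DC=com' (placeholder)
        [string] $SerialPattern = '*',                 # LDAP wildcards, e.g. '0097*' or '*76'
        [string] $ApplicationName,                     # optional application criterion
        [switch] $UnassignedOnly
    )
    # Digipass records are vasco-DPToken objects (Table 1).
    $filter = "(&(objectClass=vasco-DPToken)(vasco-SerialNumber=$SerialPattern)"
    if ($UnassignedOnly) { $filter += '(!(vasco-LinkVascoDigipassToUserExt=*))' }   # assumption
    $filter += ')'

    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $filter `
        -Properties 'vasco-SerialNumber', 'vasco-TokenType', 'vasco-LinkVascoDigipassToUserExt' |
    ForEach-Object {
        $token = $_
        # Application records are children of the Digipass record (Table 1), so search
        # one level below it.
        $appFilter = '(objectClass=vasco-DPApplication)'
        if ($ApplicationName) {
            $appFilter = "(&$appFilter(vasco-ApplicationName=$ApplicationName)(vasco-Active=TRUE))"   # assumption
        }
        $apps = @(Get-ADObject -SearchBase $token.DistinguishedName -SearchScope OneLevel `
                    -LDAPFilter $appFilter -Properties 'vasco-ApplicationName', 'vasco-ApplicationType')
        # Same rule as the Find dialog: with an Application criterion, only Digipass
        # that have that Application active are returned.
        if ($ApplicationName -and $apps.Count -eq 0) { return }

        [pscustomobject]@{
            SerialNumber = $token.'vasco-SerialNumber'
            TokenType    = $token.'vasco-TokenType'
            AssignedTo   = $token.'vasco-LinkVascoDigipassToUserExt'   # link DN, empty when unassigned
            Applications = ($apps | ForEach-Object { $_.'vasco-ApplicationName' }) -join ', '
            Location     = ($token.DistinguishedName -split ',', 2)[1]  # the OU holding the record
        }
    }
}

# Unassigned Digipass whose serial number starts with 0097, anywhere below the OU:
Find-Digipass -SearchBase 'OU=Tokens,DC=example,DC=com' -SerialPattern '0097*' -UnassignedOnly |
    Format-Table SerialNumber, TokenType, Applications, Location -AutoSize
```

LDAP substring filters follow the same rule as the Find dialog: 0097 on its own matches only a serial number that is exactly 0097, 0097* matches the prefix and *76 the suffix.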
2.4 Sensitive Data Encryption

Sensitive data is encrypted by the IAS Plug-In using an embedded key. If needed, this encryption may be strengthened by adding a custom key in the Configuration GUI. The embedded and custom keys are combined with a logical XOR to produce a new key derived from both.

The embedded key is built into the product, so it is the same for every installation and can be recovered by anyone with a copy of the Plug-In binaries. Without a custom key, the encryption protects the stored data only from casual reading of the directory. With a custom key, the derived key is exactly as secret as the custom key itself, so the custom key should be generated randomly and handled like any other key material.

Note
Encryption settings must be set before importing Digipass. Data already stored in the directory is encrypted under the key in effect when it was written, so changing the key afterwards leaves that data encrypted under the old key.

2.4.1 Encrypted Data

Attribute | Class
vasco-DPBlob | vasco-DPApplication
vasco-StaticPassword | vasco-UserExt
vasco-SharedSecret | vasco-Component
Table 5: Encrypted Data Attributes

2.4.2 Which Encryption Algorithms can be used?

AES
Blowfish
CAST5
3DES
3DES with 3 keys

AES is the only one of these with a 128-bit block and is the current standard; Blowfish, CAST5 and 3DES are older 64-bit block ciphers and should only be selected where compatibility with existing data requires it.

2.4.3 Exporting Encryption Settings

Encryption settings may be exported to a password-protected text file from the IAS Plug-In Configuration GUI. This file may then be loaded into other IAS Plug-In modules. As the file carries the custom key, treat it as key material: transfer it over a protected channel and delete the copies once the other modules have loaded it.
2.5 Active Directory Replication Issues

Active Directory replication is not instantaneous. Intra-site replication is usually quite fast, especially under Windows Server 2003, but changes on one Domain Controller may still take several minutes to be replicated to other Domain Controllers. Inter-site replication may be quite slow: an hour or more between replications is common.

Replication occurs whenever more than one Domain Controller exists in a domain.

2.5.1 Old Data Used After Attribute Modified

The time period between replications becomes a problem where information is changed on one Domain Controller (for example, a Digipass User's Server PIN is reset), but the old information is used on another Domain Controller before the change has been replicated to it. The scenarios in which this may occur are listed below.

2.5.1.1 Single Plug-In using more than one Domain Controller

A single Plug-In may make a change to a record, then have to switch to another Domain Controller and read the same record there, where the change has not yet been applied.

Example

A User logs in with an OTP, and the Plug-In connects to DC-01 to retrieve and update the Digipass data. The connection to DC-01 fails soon after the login, before replication has occurred. The User needs to log in again, and this time the Plug-In connects to DC-02. The User can log in using the same OTP as for the last login: the login should fail (OTP replay) but instead succeeds, because DC-02 does not yet know that the OTP has been used.

Time   Event
8:32   Replication occurs.
8:34   DC-01: User logs in with OTP 10457920. The Plug-In records the use of the OTP in the Digipass record.
8:35   The connection to DC-01 is broken, and the Plug-In switches to DC-02.
8:35   DC-02: User retries the login using the same OTP, 10457920. The login succeeds where it should have failed (OTP replay). The Plug-In records the use of the OTP in the Digipass record on DC-02.
8:37   Replication occurs. The Digipass record changes are replicated between DC-01 and DC-02.

This is the one scenario in this section with a direct security impact: until replication catches up, the second Domain Controller accepts an OTP that has already been used, so an attacker who has captured that OTP, and who can wait for or provoke a Domain Controller switch, has a replay window as long as the time to the next replication. The Digipass cache described in 2.5.4.1 closes this window for a single Plug-In.
2.5.1.2 Administrator and Plug-In using different Domain Controllers

The administrator may not be connected (via the Administration Interfaces) to the same Domain Controller as the Plug-In.

Example

An administrator changes a User's Server PIN through the Active Directory Users and Computers extension, which is connected to DC-01. The Plug-In connects to DC-03. The User attempts a login using the new PIN, which fails because DC-03 is not yet aware of the change of Server PIN.

Time   Event
9:02   Replication occurs.
9:03   DC-01: Administrator changes the User's Server PIN from 1234 to 9876.
9:04   DC-03: User attempts to log in using the new PIN (9876) and the login fails.
9:05   Replication occurs. The Digipass record changes are replicated between DC-01 and DC-03.

2.5.1.3 Multiple Plug-Ins Using Different Domain Controllers

Multiple Plug-Ins may connect to different Domain Controllers in a domain or site.

Example

A User changes their own PIN during a login through a Plug-In which connects to DC-01. The server on which that Plug-In is installed becomes unavailable, and the User attempts another login via the Plug-In on a backup server, which connects to DC-02. The login fails because DC-02 is not yet aware of the change of Server PIN.

Time    Event
11:54   Replication occurs.
11:55   DC-01: User changes their Server PIN from 1234 to 9876 during login. The Plug-In records the PIN change in the Digipass record.
11:57   DC-02: User attempts to log in using the new PIN (9876) and the login fails.
11:59   Replication occurs. The Digipass record changes are replicated between DC-01 and DC-02.

2.5.1.4 Two Administrators Modifying the Same Attribute

Two administrators attempt to modify the same attribute on a single User account or Digipass record within the same replication interval. The later modification overwrites the earlier one when replication occurs.
2.5.2 Old Data Used Overwrites New Data

The problems above are made worse when the old information on the second Domain Controller is itself updated, based on that old information. Because the updated record on the second Domain Controller now has a later modification date, the end result is that the changed information on the first Domain Controller is overwritten.

Example

An administrator connects to DC-01 and changes a User's Server PIN from '1234' to '9876'. The User logs in through the Plug-In, which connects to DC-02. The User enters the new Server PIN and their One Time Password. However, the PIN set on DC-01 has not yet been replicated to DC-02, so the PIN entered does not match the old PIN still recorded in the Digipass record on DC-02, and the login fails.

Because the Policy setting Identification Threshold is in use, the login failure is written back to the Digipass record. When replication occurs, the Digipass record on DC-02 has the latest modification date and is copied to DC-01, wiping out the PIN change made by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server PIN for the Digipass.

Time    Event
10:45   Replication occurs.
10:46   DC-01: Administrator changes the User's Server PIN from 1234 to 9876.
10:48   DC-02: User login (with the new PIN, 9876) fails. The Digipass Plug-In writes the failure information to the Digipass record on DC-02.
10:50   Replication occurs. Active Directory finds that the DC-02 copy of the Digipass blob was modified last and overwrites the DC-01 Digipass record with the DC-02 Digipass record.

The Digipass data is replicated as a single blob attribute, so Active Directory's per-attribute conflict resolution cannot merge the administrator's PIN change with the failure count: whichever copy was written later wins in full.

The problem shown in the example above may also occur with a Force PIN Change set by an administrator.
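A runnable model of two of these scenarios, 2.5.1.1 (OTP replay after a Domain Controller switch) and the PIN overwrite above, as an added example that is not part of the VASCO manual and not the product's code. It represents each Domain Controller's copy of the Digipass record as one blob with a modification time, and replication as last-writer-wins on that blob, as the manual describes; the Plug-In, the cache and the Identification Threshold write-back are simplified stand-ins. Each scenario is run twice, with and without the relevant mitigation from 2.5.4 (the Digipass cache; not writing failures back), to show what the mitigation changes.

```powershell
# Added example, not from the VASCO manual and not the product's code: a model of
# the replication races in 2.5.1.1 and 2.5.2. A "DC" is a hashtable holding one
# Digipass record (blob) plus its modification time; replication copies the newer
# blob over the older one in full (last writer wins). Timestamps follow the manual.

function New-Dc([string]$Name, [hashtable]$Record) {
    @{ Name = $Name; Record = $Record.Clone() }
}

function Sync-Dc($A, $B) {
    # Replication: the blob with the later modification time wins on both DCs.
    if ($A.Record.Modified -ge $B.Record.Modified) { $B.Record = $A.Record.Clone() }
    else                                            { $A.Record = $B.Record.Clone() }
}

function Invoke-Login {
    # Simplified Plug-In: reads the record from $Dc (or a newer cached copy), checks
    # PIN and OTP replay, and writes back on success or, if $WriteFailures is set
    # (Identification Threshold in use), on failure as well.
    param($Dc, [string]$Pin, [string]$Otp, [datetime]$Now, $Cache, [bool]$WriteFailures)
    $rec = $Dc.Record
    # 2.5.4.1: a newer cached entry is used in preference to an older DC record.
    if ($null -ne $Cache -and $Cache.Contains('rec') -and $Cache.rec.Modified -gt $rec.Modified) { $rec = $Cache.rec }
    $rec = $rec.Clone()

    $ok = ($Pin -eq $rec.Pin) -and ($Otp -ne $rec.LastOtp)     # wrong PIN or replayed OTP fails
    if ($ok) { $rec.LastOtp = $Otp; $rec.Modified = $Now }
    elseif ($WriteFailures) { $rec.Failures = $rec.Failures + 1; $rec.Modified = $Now }
    else { return $false }                                        # nothing written back
    $Dc.Record = $rec
    if ($null -ne $Cache) { $Cache.rec = $rec }
    return $ok
}

$t = [datetime]'2006-01-01 08:32'
$initial = @{ Pin = '1234'; LastOtp = ''; Failures = 0; Modified = $t }

# --- 2.5.1.1: one Plug-In, two DCs, OTP replay after a DC switch ---------------
function Test-OtpReplay([bool]$UseCache) {
    $dc1 = New-Dc 'DC-01' $initial; $dc2 = New-Dc 'DC-02' $initial
    $cache = if ($UseCache) { @{} } else { $null }
    $first  = Invoke-Login $dc1 '1234' '10457920' $t.AddMinutes(2) $cache $true   # 8:34 on DC-01
    # 8:35: connection to DC-01 breaks; the Plug-In switches to DC-02 before replication.
    $replay = Invoke-Login $dc2 '1234' '10457920' $t.AddMinutes(3) $cache $true   # same OTP again
    Sync-Dc $dc1 $dc2                                                              # 8:37
    [pscustomobject]@{ DigipassCache = $UseCache; FirstLoginOk = $first; ReplayAccepted = $replay }
}

# --- 2.5.2: a failed login overwrites the administrator's PIN change ----------
function Test-PinOverwrite([bool]$IdentificationThreshold) {
    $dc1 = New-Dc 'DC-01' $initial; $dc2 = New-Dc 'DC-02' $initial
    $dc1.Record.Pin = '9876'; $dc1.Record.Modified = $t.AddMinutes(1)            # admin on DC-01
    $login = Invoke-Login $dc2 '9876' '55512345' $t.AddMinutes(3) $null $IdentificationThreshold   # user via DC-02
    Sync-Dc $dc1 $dc2
    [pscustomobject]@{ IdThreshold = $IdentificationThreshold; LoginOk = $login; PinAfterReplication = $dc1.Record.Pin }
}

$false, $true | ForEach-Object { Test-OtpReplay $_ }      | Format-Table -AutoSize
$true, $false | ForEach-Object { Test-PinOverwrite $_ }   | Format-Table -AutoSize
```

Without the cache the replay is accepted, with it the cached 8:34 record is newer than DC-02's copy and the replay is rejected. With Identification Threshold in use the PIN after replication is 1234 (the administrator's change is lost); without the failure write-back, DC-01's 9876 is the newer blob and survives. The cache does nothing for the second scenario, which is why 2.5.4 lists separate mitigations for it.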
2.5.3 Factors Affecting Replication Issues

A number of factors determine the likelihood and severity of the Active Directory issues described:

Redundancy and load-balancing settings for the Plug-In

A number of Plug-In configuration settings affect replication issues:

Preferred Server
  The Plug-In will attempt to connect to the named Domain Controller, rather than simply polling the domain for an available Domain Controller.

Preferred Server Only
  The Plug-In may be restricted to connecting only to the Domain Controller named in the above setting. If this is enabled, the Plug-In will not switch to any other Domain Controller, so it will never retrieve data older than its own.

Max. Bind Lifetime
  The maximum bind lifetime controls how long the Plug-In stays connected to a Domain Controller before it polls the domain again for a Domain Controller to connect to. Each such poll is an opportunity to end up on a different Domain Controller, so a short bind lifetime makes the scenario in 2.5.1.1 more likely.

Replication Interval

In Windows 2000, the intra-site replication interval can be configured; the default is 5 minutes. On Windows Server 2003, the intra-site replication interval is not configurable, but is set to approximately 15 seconds, as replication is much more efficient.

Inter-site replication is fully configurable on both Windows 2000 and Windows Server 2003.

The longer the replication interval, the greater the likelihood of these problems occurring.

Number of Domain Controllers in the Site

Each Domain Controller regularly requires replication with all other local Domain Controllers. As this is done sequentially, it affects the amount of time between replications.
2.5.4 Solutions and Mitigations

2.5.4.1 Digipass Cache

The Digipass cache collects Digipass records as they are modified and keeps them in memory for a certain length of time. A newer entry from the cache is always used in preference to an older record from Active Directory. The cache age should be a little longer than the typical replication interval. The default is 10 minutes (600 seconds).

This option helps with problems caused by a single Plug-In accessing more than one Domain Controller in a domain (see 2.5.1.1 Single Plug-In using more than one Domain Controller). Because the cache is local to one Plug-In, it does not help in the scenarios of multiple Plug-Ins, or of an Administration Interface connected to a different Domain Controller from the Plug-In.

If you calculate that your typical replication interval will be more than ten minutes, the cache age may be increased by modifying the Blob-Cache Max-Age setting in the configuration file (\bin\dpiasext.xml).

A large cache may slow down processing slightly for the Plug-In, so monitor performance to check the impact after modifying the cache age.

Warning
If the Plug-In is installed on a member server, that server must be closely time-synchronised with the Domain Controller(s). The cache decides between its own copy of a record and the Domain Controller's copy by comparing modification times, so if the clocks differ the Plug-In may select the older record. If the Plug-In is installed on a Domain Controller, time-synchronisation is assumed.
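A check of the two preconditions the warning and the cache-age advice above rely on, run from the member server that hosts the Plug-In, as an added example that is not part of the VASCO manual. It reads each Domain Controller's clock from the currentTime attribute of its rootDSE over LDAP and compares it with the local clock, then reads the configured site-link replication intervals and compares the longest with the cache age. The 2-second skew tolerance is a chosen value, not a product setting; the 600-second default cache age is the manual's. It assumes a domain-joined server with the ActiveDirectory module installed.

```powershell
# Added example, not from the VASCO manual: verify the time-synchronisation and
# replication-interval preconditions for the Digipass cache (2.5.4.1) from the
# server that runs the Plug-In. Requires the ActiveDirectory module (RSAT) and a
# domain-joined server. The skew tolerance is a chosen value, not a product setting.

function Get-DcClockOffset {
    # One object per DC: signed offset in seconds (DC clock minus local clock),
    # read from the DC's rootDSE currentTime attribute (generalized time, UTC).
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        $root     = [adsi]"LDAP://$($dc.Name)/RootDSE"
        $raw      = [string]$root.currentTime               # e.g. 20060101083200.0Z
        $localUtc = [datetime]::UtcNow
        $dcUtc = [datetime]::ParseExact($raw, "yyyyMMddHHmmss'.0Z'",
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AssumeUniversal -bor
            [System.Globalization.DateTimeStyles]::AdjustToUniversal)
        [pscustomobject]@{
            DomainController = $dc.Name
            OffsetSeconds    = [math]::Round(($dcUtc - $localUtc).TotalSeconds, 1)
        }
    }
}

function Test-DigipassCachePreconditions([int]$CacheAgeSeconds = 600, [double]$MaxSkewSeconds = 2) {
    $offsets = @(Get-DcClockOffset)
    foreach ($o in $offsets) {
        if ([math]::Abs($o.OffsetSeconds) -gt $MaxSkewSeconds) {
            Write-Warning "Clock skew of $($o.OffsetSeconds) s against $($o.DomainController): the cache may pick the older record."
        }
    }
    # Inter-site interval from the site links (minutes). Intra-site replication is
    # about 15 s on Windows Server 2003 and 5 min by default on Windows 2000 (2.5.3).
    $links   = @(Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes)
    $longest = [int](($links | Measure-Object -Property ReplicationFrequencyInMinutes -Maximum).Maximum)
    if (($longest * 60) -gt $CacheAgeSeconds) {
        Write-Warning "Longest site-link interval is $longest min; raise Blob-Cache Max-Age above $($longest * 60) s."
    }
    [pscustomobject]@{
        LargestSkewSeconds     = ($offsets | ForEach-Object { [math]::Abs($_.OffsetSeconds) } | Measure-Object -Maximum).Maximum
        LongestSiteLinkMinutes = $longest
        CacheAgeSeconds        = $CacheAgeSeconds
        SuggestedCacheAge      = [math]::Max($CacheAgeSeconds, ($longest * 60) + 120)   # interval plus a 2-minute margin
    }
}

Test-DigipassCachePreconditions
```

The suggested cache age follows the manual's rule of thumb (a little longer than the typical replication interval); the 2-minute margin is arbitrary. Site links that are not actually used for this domain's traffic will inflate the figure, so read the result against the replication topology rather than applying it blindly.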
2.5.4.2 Identification Threshold Setting

Reconsider use of the Identification Threshold setting in the relevant Policy(s). The User Lock setting may be used instead in most cases. Discontinuing use of the Identification Threshold setting avoids the scenario shown in 2.5.2 Old Data Used Overwrites New Data, where a failed login overwrites an administrator's modification, because a failed login then writes nothing back to the Digipass record.

2.5.4.3 Administrator Connection Strategy

The option exists in the Active Directory Users and Computers Plug-In to connect to a specific Domain Controller in a domain. An administrator should select the same Domain Controller as used by the Plug-In for urgent administration tasks likely to be affected by this issue, for example resetting a User's Server PIN so that they can log in while on the phone to the administrator.

To connect to a specific Domain Controller, right-click on the domain and select Connect to Domain Controller...
2.5.4.4 Set a Preferred Server<br />
This option reduces some replication problems, because the Plug-In will be connected primarily to the Domain Controller named as its Preferred Server. It leaves less opportunity for load-balancing, however.<br />
If the Plug-In is installed on a Domain Controller, the Preferred Server does not need to be set for that domain, as the Plug-In will normally select that Domain Controller for connections.<br />
To set a Preferred Server for a domain:<br />
1. Open the IAS Plug-In Configuration GUI (Start -> Programs -> VASCO -> Digipass Plug-In for IAS -> Configuration GUI).<br />
2. Click on the Active Directory Connections tab.<br />
3. If the domain is the Configuration Domain, click on Edit...<br />
If the domain is in the Domains list, select the domain name and click on Edit...<br />
If the domain is not in the Domains list, click on Add...<br />
4. Enter the Fully Qualified Domain Name for the domain in the FQDN field.<br />
5. Enter the name of the Domain Controller in the Preferred Server field. This name should be the first part of the FQDN for the Domain Controller, e.g. dc01 from dc01.support.vasco.com.<br />
6. Enter any other information required.<br />
7. Click on OK.<br />
The IAS Plug-In will now always connect to the Preferred Server when it is available.<br />
2.5.4.5 Use Preferred Server Only Option<br />
In some cases this setting may be enabled, as it forces the Plug-In to use the same Domain Controller at all times. However, it eliminates load-balancing and any fail-over for the Plug-In, so it is not normally recommended.<br />
3 Set Up Active Directory Permissions<br />
3.1 Permissions Needed by the IAS Plug-In<br />
The IAS Plug-In runs inside Microsoft's Internet Authentication Service, which runs as a Service. The Service runs as the 'Local System' account rather than as a named user account. Therefore, when connecting to Active Directory, the IAS Plug-In connects as the computer account, not a user account. The permissions that it has within Active Directory are the permissions of the computer account.<br />
An important exception to this occurs if you install IAS and the IAS Plug-In onto a Domain Controller. Any Service running as 'Local System' on a Domain Controller has all possible permissions to that Domain. In this case, no additional setup of permissions is required. Therefore, the rest of this section applies to the case where IAS is not on the Domain Controller.<br />
When you register IAS in Active Directory, this adds the computer account to the built-in 'RAS and IAS Servers' group in the Domain. This built-in group has the permissions required by IAS itself within Active Directory, but it does not have the extra permissions required by the IAS Plug-In.<br />
In order to function correctly, the IAS Plug-In requires the following permissions in Active Directory, which are not granted to the 'RAS and IAS Servers' group by default:<br />
• Read access to the Digipass Configuration Container<br />
• Read access to all User accounts (or at least, all who might need to be authenticated by the IAS Plug-In)<br />
• Write access to the new attributes that are added to the User class for the Digipass Plug-In for IAS (these are in the auxiliary class vasco-UserExt)<br />
• Full control over all Digipass (vasco-DPToken) and Digipass Application (vasco-DPApplication) objects<br />
• Create and delete permission for Digipass (vasco-DPToken) objects in Organizational Units and containers (specifically the Digipass-Pool and Users containers)<br />
3.1.1 Giving Permissions to the IAS Plug-In<br />
During installation, these additional permissions are granted to the 'RAS and IAS Servers' group automatically.<br />
There is also a manual way to grant these permissions, by running the 'setupaccess' command at the command prompt:<br />
dpadadmin.exe setupaccess -group "RAS and IAS Servers"<br />
See 8.1 DPADadmin Utility for more information on the setupaccess command.<br />
As mentioned above, this is not necessary if IAS is installed onto a Domain Controller.<br />
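After the installer or setupaccess has run, an administrator will want to confirm what the 'RAS and IAS Servers' group was actually granted on the containers listed in 3.1, and that nothing broader was granted. The following PowerShell script is an added example, not part of the VASCO product or of this manual. It assumes the RSAT ActiveDirectory module is available, and the container DN ('CN=Digipass-Pool,DC=example,DC=com') is a placeholder for your own. It resolves the schemaIDGUID of the vasco-DPToken class so that object-specific access control entries can be matched, lists the group's entries on the container, and checks for the create and delete rights on Digipass objects that 3.1 requires.<br />

```powershell
# Added example (not VASCO product code): audit what 'RAS and IAS Servers' may do on a
# Digipass container, e.g. after 'dpadadmin.exe setupaccess' has been run.
# Requires the RSAT ActiveDirectory module and read access to the container's security descriptor.
Import-Module ActiveDirectory

$GroupName   = 'RAS and IAS Servers'
$ContainerDN = 'CN=Digipass-Pool,DC=example,DC=com'   # placeholder: DN of your Digipass-Pool container

# Resolve the schemaIDGUID of the vasco-DPToken class; object-specific ACEs refer to classes by this GUID.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$tokenClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=vasco-DPToken)' -Properties schemaIDGUID
if (-not $tokenClass) { throw 'vasco-DPToken not found in the schema; has the Digipass schema extension been installed?' }
$tokenGuid  = [guid]$tokenClass.schemaIDGUID
$allClasses = [guid]::Empty   # ObjectType of an ACE that is not restricted to one object class

$identity = '{0}\{1}' -f (Get-ADDomain).NetBIOSName, $GroupName
$aces = (Get-Acl -Path "AD:\$ContainerDN").Access | Where-Object { $_.IdentityReference.Value -eq $identity }

# Show every ACE the group holds here, naming the Digipass class where the GUID matches.
$aces | Select-Object AccessControlType, ActiveDirectoryRights, InheritanceType, IsInherited,
    @{ Name = 'AppliesTo'; Expression = {
        if ($_.ObjectType -eq $tokenGuid) { 'vasco-DPToken' }
        elseif ($_.ObjectType -eq $allClasses) { 'all classes' }
        else { $_.ObjectType } } } |
    Format-Table -AutoSize

# 3.1 requires create and delete permission for vasco-DPToken objects in this container.
function Test-Right {
    param([System.DirectoryServices.ActiveDirectoryRights]$Right)
    [bool]($aces | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ObjectType -eq $tokenGuid -or $_.ObjectType -eq $allClasses) -and
        ($_.ActiveDirectoryRights.HasFlag($Right) -or
         $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll))
    })
}

if ((Test-Right CreateChild) -and (Test-Right DeleteChild)) {
    "OK: $identity can create and delete vasco-DPToken objects in $ContainerDN"
} else {
    Write-Warning "$identity lacks create and/or delete rights for vasco-DPToken objects in $ContainerDN"
}
```

Run it against the Digipass-Pool container, the Users container and any Organizational Unit in which the Plug-In must create Digipass objects. The script only evaluates Allow entries for the group itself; it does not consider Deny entries or rights inherited through other group memberships, so a clean result shows the required grants are present rather than proving effective access.<br />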
3.2 Permissions Needed by Administrators<br />
3.2.1 Domain Administrators<br />
Domain Administrators already have all required permissions within their Domain.<br />
3.2.2 Delegated Administrators<br />
The term 'Delegated Administrators' is used here to refer to administrators who have been delegated control over an Organizational Unit. Generally speaking, they have administrative control over the user and computer accounts within their Organizational Unit.<br />
See the Digipass Records topic in the Product Guide for more information on possible approaches to delegating Digipass administration.<br />
By default, these administrators will be able to view the Digipass User Account data for their users and the Digipass that are located within their Organizational Unit. However, they will not be able to modify any of that data or assign Digipass.<br />
If you wish to delegate responsibility for all Digipass-related administration within an Organizational Unit, the Delegated Administrator requires the following additional permissions:<br />
• Within the scope of the Organizational Unit, write permission to the new attributes that are added to the User class for the Digipass Plug-In for IAS (these are in the auxiliary class vasco-UserExt) – you can add write permissions for each individual Property Set or, if appropriate, grant 'Write All Properties' permission<br />
• Within the scope of the Organizational Unit, full control over all Digipass (vasco-DPToken) and Digipass Application (vasco-DPApplication) objects<br />
• Create and delete permission for Digipass (vasco-DPToken) objects within the Organizational Unit<br />
• If the Delegated Administrator should be allowed to assign Digipass from the Digipass Pool to their users, they need:<br />
- the Delete Digipass objects permission in the Digipass-Pool container<br />
- Write All Properties permission on Digipass objects in the Digipass-Pool container<br />
• If the Delegated Administrator should be allowed to move unassigned Digipass back to the Digipass-Pool, they need the Create Digipass objects permission in the Digipass-Pool container<br />
3.2.3 Reduced-Rights Administrators<br />
The term 'Reduced-Rights Administrator' is used here to refer to administrators who are granted permissions to perform only selected Digipass-related administration tasks. They may be granted these permissions within the scope of the whole Domain, or only within an Organizational Unit.<br />
An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but not to assign/unassign Digipass to/from users.<br />
By default, all users have read access to everything in the Active Directory. The modification permissions that can be granted to this kind of administrator are:<br />
• Write permission for any of three Property Sets on the Digipass User Account fields:<br />
- Digipass User Account Information – all attributes except those covered by the other two Property Sets<br />
- Digipass User Account Link – the link attribute used to share a Digipass between two user accounts<br />
- Digipass User Account Stored Password – the Stored Password attribute<br />
• Write permission for any individual properties on Digipass objects, except for one Property Set that is defined to control the Digipass assignment link<br />
• Write permission for any individual properties on Digipass Application objects, except for one Property Set that is defined to include the Digipass 'blob' that is required for any administrative operation such as Reset PIN, Test, Set Event Counter, etc.<br />
• Create and delete permission on Digipass and Digipass Application objects<br />
• If the administrator should be allowed to move Digipass, they need:<br />
- the Delete Digipass objects and Create Digipass objects permissions in the relevant Domain and/or Organizational Unit<br />
- Write All Properties permission on Digipass objects<br />
Note that this can be necessary for assigning Digipass to users, because a move from one location to another is controlled by permissions to delete from the source and create in the destination.<br />
3.2.4 System Administrators<br />
The term 'System Administrator' is used here to refer to an administrator who will be responsible for management of the Component and Policy records, rather than Digipass User Accounts and Digipass. They need permissions within the Digipass Configuration Container to create, modify and delete Policy (vasco-Policy) and Component (vasco-Component) objects.<br />
In practice, System Administrators can typically be given full control over the Digipass-Configuration container. If you wish to grant more limited permissions, this can be handled with the standard Active Directory permissions on these objects within the scope of the container.<br />
3.3 Assign Administration Permissions to a User<br />
Note<br />
This example assumes that the administrator's User account already has read permissions for all User records.<br />
To grant permissions to manage Digipass records, follow these steps:<br />
1. Right-click on the Organizational Unit in which to assign permissions.<br />
2. Select Delegate Control... from the right-click menu. The Delegate Control Wizard will be displayed.<br />
3. Select the User or Windows Group to assign permissions to.<br />
4. Click on OK.<br />
5. Select the Delegate Common Tasks option button.<br />
6. Select Create, Delete and Manage Digipass from the list.<br />
7. Click on Next.<br />
8. Click on Finish.<br />
If you wish to grant permissions to modify Digipass User Account properties, follow these steps:<br />
9. Select View -> Advanced Features from the main menu.<br />
10. Right-click on the Organizational Unit in which to assign permissions.<br />
11. Select Properties from the right-click menu.<br />
12. Click on the Security tab.<br />
13. Click on the Advanced button. The Advanced Security Settings window will be displayed.<br />
14. Click on Add...<br />
15. Type the username of the User to assign the permissions to and click OK.<br />
16. Click on the Properties tab.<br />
17. Select User Objects from the Apply onto drop down list.<br />
18. Select the required permissions from:<br />
- Write Digipass User Account Information<br />
- Write Digipass User Account Link<br />
- Write Digipass User Account Stored Password<br />
19. Click on OK.<br />
20. Click on OK.<br />
21. Click on OK.<br />
If the administrator requires permissions to take Digipass out of the Digipass Pool for assignment, follow these steps:<br />
22. Right-click on the Digipass Pool.<br />
23. Select Properties from the right-click menu.<br />
24. Click on the Security tab.<br />
25. Click on the Advanced button. The Advanced Security Settings window will be displayed.<br />
26. Click on Add...<br />
27. Select the User account.<br />
28. Click on OK.<br />
29. Click on the Object tab.<br />
30. Select Child objects only from the Apply onto drop down list.<br />
31. Tick the Allow box for:<br />
- Delete Digipass Objects<br />
- Create Digipass Objects (if you wish to allow the administrator to move Digipass records into the Digipass Pool)<br />
32. Click on OK.<br />
33. Click on Add...<br />
34. Select the User account.<br />
35. Click on OK.<br />
36. Click on the Object tab.<br />
37. Select Digipass objects from the Apply onto drop down list.<br />
38. Tick the Allow box for Write All Properties.<br />
39. Click on OK.<br />
40. Click on OK.<br />
41. Click on OK.<br />
3.4 Multiple Domains<br />
When using the IAS Plug-In with multiple domains, extra steps must be followed to ensure that both the IAS Plug-In and administrators have sufficient permissions to access the required data. The main issues are:<br />
• The Digipass Configuration Container is in only one Domain. All IAS Plug-Ins need read access to this container, even when they are in a different Domain. Cross-Domain access for administrators is a less likely requirement, however.<br />
• If an IAS Plug-In handles users and Digipass in more than one Domain, it needs to be granted the necessary permissions in all of those Domains.<br />
In this manual, we will handle cross-Domain permissions using a combination of Domain Local and Domain Global groups. It is possible in a 'native' mode Domain to use Universal groups, but these are not recommended in Windows 2000 due to replication issues. Replication efficiency has been improved in Windows Server 2003; however, Universal groups are still not used as commonly as Domain Local/Global groups.<br />
Three possible scenarios for multiple domain setup are outlined below:<br />
3.4.1 Scenario 1 – Each IAS Server Handles One Domain<br />
Each IAS server handles only the domain in which it is a member.<br />
Install IAS in each domain (the result will be at least as many IAS servers as domains).<br />
Give each IAS server access to the Digipass Configuration Domain:<br />
Domain Global Group(s)<br />
For each domain (apart from the Digipass Configuration Domain) -<br />
1. Create a Domain Global group.<br />
2. Add the IAS server(s) to the Domain Global group (check which machines are in the 'RAS and IAS Servers' group to ensure the correct additions).<br />
Domain Local group<br />
In the Digipass Configuration Domain -<br />
3. Create or use an existing Domain Local group.<br />
4. Give the Domain Local group full read access to the Digipass Configuration Container.<br />
5. Add the Domain Global Group from each other domain to the Domain Local group.<br />
3.4.2 Scenario 2 – One IAS Server Handles All Domains<br />
IAS servers in one domain handle all domains. The Digipass Configuration Container should be located in the domain to which the IAS servers belong.<br />
Give the necessary access to User and Digipass data:<br />
Domain Global group<br />
In the IAS server Domain -<br />
1. Create a Domain Global group.<br />
2. Add the IAS servers to the Domain Global group (check which machines are in the 'RAS and IAS Servers' group to ensure the correct additions).<br />
Domain Local groups<br />
For each other Domain -<br />
3. Create a Domain Local group.<br />
4. Give the Domain Local group the required permissions (run the setupaccess command - see 8.1 DPADadmin Utility for more information).<br />
5. Add the Domain Global group from the IAS Domain to the Domain Local group.<br />
3.4.3 Scenario 3 - Combination<br />
This scenario represents more complex setups, where a combination of steps from Scenarios 1 and 2 will be required. Use the steps given in the first two scenarios as a guide for what you will need to do for the combination scenario.<br />
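Group nesting across several domains is easy to leave half-finished, and a server that is in 'RAS and IAS Servers' but missing from its Global group will fail to read the Configuration Container. The following PowerShell script is an added example, not part of the VASCO product or of this manual; it checks the Scenario 1 structure described above. It assumes the RSAT ActiveDirectory module and domains within one forest (so the member attribute of the Domain Local group holds the distinguished names of the nested groups). The domain names, the Domain Local group 'Digipass-Config-Readers' and the Global groups 'IAS-Servers-EMEA' and 'IAS-Servers-APAC' are placeholders for your own names.<br />

```powershell
# Added example (not VASCO product code): verify the group nesting of Scenario 1.
# For each non-configuration domain: the IAS servers registered in 'RAS and IAS Servers' must be
# in that domain's Global group, and that Global group must be nested in the Domain Local group
# of the Digipass Configuration Domain. All names below are placeholders.
Import-Module ActiveDirectory

$ConfigDomain = 'corp.example.com'          # Digipass Configuration Domain
$LocalGroup   = 'Digipass-Config-Readers'   # Domain Local group with read access to the Configuration Container
$GlobalGroups = @{                          # domain -> Domain Global group holding that domain's IAS servers
    'emea.example.com' = 'IAS-Servers-EMEA'
    'apac.example.com' = 'IAS-Servers-APAC'
}

# SamAccountNames of the computer objects in a group, queried against a specific domain.
function Get-ComputerMembers([string]$Group, [string]$Domain) {
    Get-ADGroupMember -Identity $Group -Server $Domain |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object { $_.SamAccountName }
}

$local = Get-ADGroup -Identity $LocalGroup -Server $ConfigDomain -Properties member
if ($local.GroupScope -ne 'DomainLocal') {
    Write-Warning "$LocalGroup has scope $($local.GroupScope); this scheme expects a Domain Local group"
}

$problems = 0
foreach ($domain in $GlobalGroups.Keys) {
    $global = Get-ADGroup -Identity $GlobalGroups[$domain] -Server $domain
    if ($global.GroupScope -ne 'Global') {
        Write-Warning "$($global.Name) in $domain has scope $($global.GroupScope), expected Global"; $problems++
    }
    # Step 5: the Global group must be a member of the Domain Local group.
    if ($local.member -notcontains $global.DistinguishedName) {
        Write-Warning "$($global.Name) is not a member of $LocalGroup in $ConfigDomain"; $problems++
    }
    # Step 2: every IAS server registered in the domain should be in its Global group, and nothing else should.
    $registered = @(Get-ComputerMembers 'RAS and IAS Servers' $domain)
    $inGlobal   = @(Get-ComputerMembers $global.DistinguishedName $domain)
    foreach ($server in $registered) {
        if ($inGlobal -notcontains $server) {
            Write-Warning "$server is in 'RAS and IAS Servers' but not in $($global.Name) ($domain)"; $problems++
        }
    }
    foreach ($server in $inGlobal) {
        if ($registered -notcontains $server) {
            Write-Warning "$server is in $($global.Name) but not in 'RAS and IAS Servers' ($domain); check whether it belongs there"; $problems++
        }
    }
}

if ($problems -eq 0) { 'OK: group nesting matches Scenario 1' } else { "Found $problems problem(s); see warnings above" }
```

The second membership comparison is deliberate: a machine that is in the Global group without being a registered IAS server would gain read access to the Configuration Container without needing it, which the group scheme is meant to avoid. For Scenario 2 the same checks apply with the roles reversed (one Global group in the IAS domain, one Domain Local group in each other domain).<br />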
4 Backup and Recovery<br />
This section explores the measures that Administrators can undertake to back up and recover VASCO data files in the event of a system failure.<br />
Note<br />
This section does not cover backup of executables and system files. In the event of a catastrophic failure these can be restored or reinstalled from the original distribution media.<br />
Once the IAS Plug-In is installed and operational, backups should be made of important files and data.<br />
Any time changes are made to the system, file backups may need to be performed again. These changes include, but are not limited to:<br />
• Changing any configuration settings, including the IP address of an IAS server<br />
• Adding/removing a Component<br />
• Modifying a Policy<br />
4.1 What Must be Backed Up<br />
• Configuration files for the IAS Plug-In and Message Delivery Component<br />
• User Self-Management Web Site pages and graphics (if customized)<br />
• Virtual Digipass OTP Request Web Site pages and graphics (if customized)<br />
• Audit Log data<br />
• Active Directory<br />
• DPX files (except for demo Digipass)<br />
Important Note<br />
The Digipass Plug-In for IAS installation includes a DPX directory containing sample DPX files for demo Digipass. These do not need to be backed up. However, if you have copied the DPX files for your real Digipass into that directory, ensure you still have the original files (normally on floppy disk). If you no longer have the DPX file(s) stored elsewhere, it is very important that you take a backup.<br />
4.1.1 Configuration files<br />
The configuration files for the IAS Plug-In and Virtual Digipass Message Delivery Component can be copied from the bin directory (by default C:\Program Files\VASCO\Digipass Plug-In for IAS\bin) to a secure location.<br />
The files to be copied are:<br />
• dpiasext.xml – keep backups from all IAS servers.<br />
• mdcconfig.xml – a backup of one working file is sufficient.<br />
Tip<br />
Save the files above with an extension that identifies the server from which the file(s) were backed up. This makes it easier and quicker to locate the correct file during recovery.<br />
4.1.2 Web Sites<br />
In some cases, the web pages and graphics provided with the Digipass Plug-In for the User Self Management Web Site and Virtual Digipass OTP Request Web Site will have been customized to suit the organization's colors/languages/themes/etc.<br />
If these web pages and graphics have been modified, it is important to have a backup stored in a secure location away from the production server. This will allow the web site to be restored with the look and feel of the organization.<br />
To back up the web site pages and graphics, you can copy the html, js, and gif files to another location. If the site is highly modified, or the location of the files on disk is not known, contact your web administrator for further guidance.<br />
Note<br />
Maintaining the directory structure will make restoration of the site, if required, quicker and easier.<br />
4.1.3 Audit Log Data<br />
If your organization requires that the Audit Log data be archived, the method required will depend on the audit settings.<br />
4.1.3.1 Write to File<br />
Ensure you make copies of all files contained in the directory into which the audit log files are written. By default this will be \Log, however it may have been configured to another location. Check the audit configuration settings if you are unsure.<br />
4.1.3.2 Write to Windows Event Log<br />
By default, Event Log entries are written to the Application log. However, you can configure the entries to be written to another log. Check the audit configuration if you are unsure.<br />
Important Note<br />
The Event Log may be configured with a maximum size. When this size is reached, the oldest entries may be overwritten by new ones. To check this, view the Properties of the log in the Event Viewer. If older entries will be overwritten, you will need to archive them before that occurs.<br />
To archive an Event Log:<br />
1. Select Start -> Settings -> Control Panel.<br />
2. Double-click on Administrative Tools.<br />
3. Double-click on Event Viewer.<br />
4. Right-click on Application (or the correct log, if not Application).<br />
5. Click on Save log file as...<br />
6. Select a path and enter a filename.<br />
7. Select a file format from the Type drop down list.<br />
8. Click on the Save button.<br />
Note<br />
The Audit Log data is not required for system recovery purposes but may contain useful data in the event of a server failure.<br />
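The configuration file backup of 4.1.1 and the Event Log retention check and archive of this section are routine enough to script, so that they run on every IAS server on a schedule rather than by hand. The following PowerShell script is an added example, not part of the VASCO product or of this manual. It assumes the default bin directory given in 4.1.1 and the Application log; the backup share ('\\backupsrv\digipass-backup') is a placeholder. It copies dpiasext.xml and mdcconfig.xml with the server name and a timestamp appended (the Tip in 4.1.1), records SHA-256 hashes of the copies, reports whether the Event Log overwrites old entries when full and how full it is, and exports the log to .evtx with wevtutil.<br />

```powershell
# Added example (not VASCO product code): back up Plug-In configuration files with a
# server-identifying suffix, then check and archive the Event Log that receives audit records.
$BinDir     = 'C:\Program Files\VASCO\Digipass Plug-In for IAS\bin'   # default bin directory (4.1.1)
$BackupRoot = '\\backupsrv\digipass-backup'                          # placeholder: secure location off the server
$LogName    = 'Application'                                          # or the log chosen in the audit configuration
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'

New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
$manifest = Join-Path $BackupRoot 'SHA256SUMS.txt'

# 1. Configuration files: dpiasext.xml is needed from every IAS server, mdcconfig.xml from one working server.
foreach ($name in 'dpiasext.xml', 'mdcconfig.xml') {
    $source = Join-Path $BinDir $name
    if (-not (Test-Path $source)) { Write-Warning "$source not found on $env:COMPUTERNAME"; continue }
    $dest = Join-Path $BackupRoot ('{0}.{1}.{2}' -f $name, $env:COMPUTERNAME, $stamp)
    Copy-Item -Path $source -Destination $dest
    # Record a hash so a truncated or altered copy is noticed before it is restored in 4.2.
    '{0}  {1}' -f (Get-FileHash -Path $dest -Algorithm SHA256).Hash, (Split-Path $dest -Leaf) |
        Add-Content -Path $manifest
}

# 2. Retention: a log in Circular mode overwrites its oldest entries when the maximum size is reached.
$log = Get-WinEvent -ListLog $LogName
'{0}: {1:N0} of {2:N0} bytes used, retention mode {3}' -f $log.LogName, $log.FileSize, $log.MaximumSizeInBytes, $log.LogMode
if ($log.LogMode -eq 'Circular' -and $log.FileSize -gt 0.8 * $log.MaximumSizeInBytes) {
    Write-Warning "$LogName is over 80% full and will overwrite old audit entries; archive it now"
}

# 3. Archive the log in .evtx format (the command-line equivalent of Save log file as... in Event Viewer).
$archive = Join-Path $BackupRoot ('{0}.{1}.{2}.evtx' -f $LogName, $env:COMPUTERNAME, $stamp)
wevtutil.exe epl $LogName $archive
if ($LASTEXITCODE -eq 0) { "Archived $LogName to $archive" } else { Write-Warning "wevtutil failed with exit code $LASTEXITCODE" }
```

Schedule the script on each IAS server and keep the manifest with the backups: at recovery time the hash of the restored dpiasext.xml can be compared against it before the Plug-In is started. Exporting does not clear the log, so the retention warning will recur until the log is cleared or its maximum size raised.<br />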
4.1.4 Active Directory<br />
4.1.4.1 Cold Backup<br />
In most cases the server running IAS will belong to an Active Directory domain consisting of several Domain Controllers. Replication should automatically occur between Domain Controllers, providing simple data backup.<br />
It is highly recommended, however, that you perform a cold backup of the System State Data, which includes the Active Directory repository. This will allow recovery if data is corrupted and then replicated. For more information about backing up and restoring System State Data, refer to Windows Help on your Domain Controller and enter 'backing up data, System State data' in the index tab. In particular, this should be performed on the Digipass Configuration Domain and any other Domains containing Digipass User accounts and/or Digipass records.<br />
Additional information can be found at:<br />
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/enus/distsys/part1/dsgch09.mspx<br />
4.1.5 DPX files<br />
The DPX files are normally provided on a floppy disk, which can be stored securely as a backup. If you prefer another method of archive, copy the files to your preferred location. It is important to keep the DPX file transport keys secure and preferably in a separate location from the DPX files themselves.<br />
4.2 Recovery<br />
The recovery process for IAS Plug-In data requires the following procedure. Some assumptions have been made for these instructions:<br />
Assumptions:<br />
• Active Directory is still valid and operational.<br />
• Up-to-date backups of the configuration files for the IAS Plug-In are available.<br />
Steps:<br />
1. Rebuild the server with your operating system SOE, using the same IP address as before, in the same Domain as before.<br />
2. Retrieve your backup copy of the dpiasext.xml file.<br />
3. Reinstall the Digipass Plug-In for IAS on the server, ensuring you are logged in as a domain administrator. The same settings as those chosen in the previous installation should be selected, except that the This is not the first IAS Plug-In to be installed checkbox on the Active Directory Prerequisites screen should be ticked.<br />
4. Tick the Use an evaluation license checkbox (the existing Digipass data in Active Directory contains all necessary licensing information, which will be retrieved when the IAS Plug-In is operational).<br />
5. At the end of the installation, you will be prompted to select a license activation method. Select Just Continue.<br />
Before you restart the machine, carry out the following:<br />
6. Restore the backup copy of the configuration file dpiasext.xml into the same directory.<br />
7. Restore any customised files for the web sites (see and for more information).<br />
After restarting the machine:<br />
8. Check that you can view Digipass-specific information in the Administration MMC Interface and Digipass Extension for Active Directory Users and Computers.<br />
5 Field Listings

5.1 User Property Sheet

New Password / Confirm Password: These fields are used to modify the static password that is stored in the Digipass User account. If they are left blank, no modification is made.

Local Authentication: Specifies whether authentication requests for the User account will be handled by the IAS Plug-In using Local Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).
Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass User account is used to override the Policy setting for special cases.
When Local Authentication is used, there are two factors that determine whether Digipass authentication is used: any Policy restrictions on Digipass Types and/or Applications that can be used, and whether the Digipass User account has any assigned Digipass that meet the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they cannot use Digipass authentication under that Policy.
Options:
    Default: Use the setting of the effective Policy.
    None: The IAS Plug-In will not carry out Local Authentication for this User account. They may be handled using Back-End Authentication, or not handled at all by the IAS Plug-In.
    Digipass/Password: The IAS Plug-In will always carry out Local Authentication for this User, using Digipass authentication if possible, otherwise the static password. Back-End Authentication may also be utilized.
    Digipass Only: The IAS Plug-In will always carry out Local Authentication for this User, using Digipass authentication. If Digipass authentication is not possible, the user cannot log in. Back-End Authentication may also be utilized.

Back-End Authentication: Specifies whether authentication requests for the User account will be handled by the IAS Plug-In using Back-End Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).
Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass User account is used to override the Policy setting for special cases.
Options:
    Default: Use the setting of the effective Policy.
    None: Back-End Authentication will not be used.
    If Needed: The IAS Plug-In will utilize Back-End Authentication but only in certain cases:
        Dynamic User Registration
        Self-Assignment
        Password Autolearn
        Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password
        Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the Grace Period
    Always: The IAS Plug-In will utilize Back-End Authentication for every authentication request.
Disabled: Specifies whether a Digipass User account is enabled or disabled. If disabled, authentication for the User will be rejected by the IAS Plug-In.
This attribute will be set to disabled and made read-only if the Active Directory User account is disabled or expired. Otherwise, this attribute will be editable.

Locked: Specifies whether a Digipass User account is locked or not. If locked, authentication for the User will be rejected by the IAS Plug-In.
The Locked indicator is normally set automatically when the User exceeds a certain number of failed authentication attempts. The User Lock Threshold is set in the Policy.

Linked User Account: It is possible to share Digipass between different User accounts, by linking User accounts together. This feature is intended for the case where one person, such as an administrator, has multiple User accounts. If their accounts are linked, there is no need to give more than one Digipass to that person.
This feature is used by assigning the Digipass to one User account, then linking all the other User accounts for the person to the one that has the Digipass.
If a User is linked to another User, their Linked User Account field will show the Active Directory DN (Distinguished Name) of the linked User. The DN shows the full address within Active Directory of the linked User, for example:
    CN=Test User,OU=Admin,OU=Europe,DC=vasco,DC=dom
In this example, the linked User is called Test User and they are located in an Organizational Unit Admin, which is inside another Organizational Unit Europe in the vasco.com domain.
Read-only.

RADIUS Profiles: NOTE: Not applicable to the IAS Plug-In. Included for compatibility with other VASCO products, e.g. Digipass Plug-In for Funk.

Created On: The date and time that the Digipass User account was created. Read-only.

Last Modified On: The date and time that the Digipass User account was last modified. Read-only.

Assigned Digipass list: This lists all Digipass that are assigned to the User. For each Digipass, the list of active Applications is given with the Application Type indicated in brackets (). For example:
    0058384426 RESP_ONLY(RO), CHALLENGE(CR)
In this example line, the Digipass with Serial Number 0058384426 has two active Applications: one Response Only Application RESP_ONLY and one Challenge/Response Application CHALLENGE.
If the User does not have any Digipass assigned directly, but is linked to another User to use their Digipass (see Linked User Account), the linked User's Digipass list is shown with the Serial Numbers in square brackets (e.g. [0058384426]).
When a Digipass in the list is selected, the remainder of the property sheet tab indicates values from the corresponding Digipass record.
Read-only.

Table 6: User Fields
5.2 Digipass Property Sheet

Digipass Type: The type of Digipass represented by the Digipass record (e.g. DP300).

Reserve for Individual Assignment: When used, this option prevents the Digipass from being assigned using the Auto-Assignment feature. It also prevents it from being assigned by an administrator who uses the 'Assign next available...' option in the assignment dialog.

Assigned to User: User ID of the Digipass User account that the Digipass is assigned to, if it is assigned. Read-only.

Date Assigned: The date and time when the Digipass was assigned to its current User. Read-only.

Grace Period End: The date on which the Grace Period will expire, or did expire, for this Digipass. If the date shows today's date or before, the Grace Period has already expired. If it is blank, there is no Grace Period.

Enable Backup VDP: Specifies whether and how the Backup Virtual Digipass feature can be used for this Digipass. Note that in order for the Backup Virtual Digipass feature to function, it must also be activated in the DPX file for the Digipass.
Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass record is used to override the Policy setting for special cases.
Options:
    Default: Use the setting of the effective Policy.
    No: Backup Virtual Digipass is not permitted.
    Yes - Permitted: Backup Virtual Digipass is permitted, but not mandatory. The Enabled Until date is not applicable when using this option, but the Uses Remaining count is.
    Yes - Time Limited: Backup Virtual Digipass is permitted, but not mandatory. Both the Enabled Until date and the Uses Remaining count will be in effect.
    Yes - Required: Backup Virtual Digipass is mandatory. This may be useful if the User may have lost the Digipass, to prevent it from being used until they have found it again. The Enabled Until date is not applicable when using this option, but the Uses Remaining count is.

Enabled Until: The date on which the Backup Virtual Digipass feature may no longer be used, provided that the effective Enable Backup VDP setting is Yes - Time Limited (it is ignored otherwise).
If this date is blank, it will be set automatically the first time that the User requests a Backup Virtual Digipass OTP, using the Backup Virtual Digipass Time Limit defined in the Policy.
Once this date has expired, it requires administrator intervention either to extend it or to reset it to blank for the next time that the User needs to use Backup Virtual Digipass.

Uses Remaining: The remaining number of times that the Backup Virtual Digipass feature may be used for this Digipass. Once this number has reached zero, Backup Virtual Digipass can no longer be used with this Digipass, unless the administrator increases it or resets it to blank.
If this number is blank and there is a Backup Virtual Digipass Max. Uses/User defined in the Policy, it will be set automatically the first time that the User requests a Backup Virtual Digipass OTP, based on the Max. Uses/User.

Created On: The date and time that the Digipass was created. Read-only.

Last Modified On: The date and time that the Digipass was last modified. Read-only.

Table 7: Digipass Fields
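The interplay of Enable Backup VDP, Enabled Until and Uses Remaining described in Table 7, as an added worked example; this is not VASCO's code, and the record/Policy classes, the rule that each granted request consumes one use, and the treatment of a blank count with no Max. Uses/User as unlimited are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple

# Option values of the Enable Backup VDP field (Digipass record and Policy).
DEFAULT = "Default"
NO = "No"
PERMITTED = "Yes - Permitted"
TIME_LIMITED = "Yes - Time Limited"
REQUIRED = "Yes - Required"


@dataclass
class PolicyBackupVdp:
    """Effective Policy settings relevant to Backup Virtual Digipass (assumed shape)."""
    enable_backup_vdp: str            # NO, PERMITTED, TIME_LIMITED or REQUIRED
    time_limit_days: int              # Backup Virtual Digipass Time Limit
    max_uses_per_user: Optional[int]  # Backup Virtual Digipass Max. Uses/User, None if not defined


@dataclass
class DigipassRecord:
    """Subset of the Digipass record fields; blank fields are None."""
    serial: str
    enable_backup_vdp: str = DEFAULT       # record-level override of the Policy setting
    enabled_until: Optional[date] = None   # Enabled Until
    uses_remaining: Optional[int] = None   # Uses Remaining
    dpx_backup_vdp_activated: bool = True  # the feature must also be activated in the DPX file


def effective_enable_backup_vdp(rec: DigipassRecord, policy: PolicyBackupVdp) -> str:
    """Default on the record means: use the setting of the effective Policy."""
    if rec.enable_backup_vdp == DEFAULT:
        return policy.enable_backup_vdp
    return rec.enable_backup_vdp


def physical_digipass_allowed(rec: DigipassRecord, policy: PolicyBackupVdp) -> bool:
    """Yes - Required makes Backup VDP mandatory, so the (possibly lost) Digipass itself is refused."""
    return effective_enable_backup_vdp(rec, policy) != REQUIRED


def request_backup_otp(rec: DigipassRecord, policy: PolicyBackupVdp,
                       today: date) -> Tuple[bool, str]:
    """Decide whether a Backup Virtual Digipass OTP request is allowed for this record.

    On the first request, a blank Enabled Until / Uses Remaining is initialised from
    the Policy as the field descriptions state. A granted request consumes one use
    (assumption). The record is updated in place.
    """
    if not rec.dpx_backup_vdp_activated:
        return False, "Backup Virtual Digipass is not activated in the DPX file"
    setting = effective_enable_backup_vdp(rec, policy)
    if setting == NO:
        return False, "Backup Virtual Digipass is not permitted"

    # Enabled Until is only in effect for Yes - Time Limited; it is ignored otherwise.
    if setting == TIME_LIMITED:
        if rec.enabled_until is None:
            rec.enabled_until = today + timedelta(days=policy.time_limit_days)
        elif today >= rec.enabled_until:
            # "The date on which ... may no longer be used": only an administrator can
            # extend the date or reset it to blank.
            return False, "Enabled Until has expired; extend it or reset it to blank"

    # Uses Remaining applies to every Yes option.
    if rec.uses_remaining is None and policy.max_uses_per_user is not None:
        rec.uses_remaining = policy.max_uses_per_user
    if rec.uses_remaining is not None:
        if rec.uses_remaining <= 0:
            return False, "Uses Remaining has reached zero; increase it or reset it to blank"
        rec.uses_remaining -= 1
    # A blank count with no Max. Uses/User in the Policy is treated as unlimited (assumption).
    return True, "Backup Virtual Digipass OTP may be issued"
```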
5.2.1 Digipass Application Tab

Application Type: The type of Digipass Application:
    RO: Response Only
    CR: Challenge/Response
    SG: Signature

Active: This field can be used to deactivate an Application, so that it cannot be used.

Attribute/Value list: This list indicates various internal settings of the Digipass Application.

Created On: The date and time that the Digipass Application was created. Read-only.

Last Modified On: The date and time that the Digipass Application was last modified. Read-only.

Table 8: Digipass Application Fields
5.3 Policy Property Sheet

Note: Changes to Policy settings will not take effect until IAS is restarted.

Description: This description can be entered to record the purpose of the Policy.

Inherits from Policy: Contains the Name of the Policy from which settings will be inherited, referred to as the 'parent Policy'. Settings are inherited individually, depending on the value in the Policy field; they inherit the parent Policy value in the following cases:
    Choice lists/radio buttons: if the selected value is Default
    Text fields: if the field is blank
    Numeric fields: if the field is blank (not 0)
    List fields: if the list is empty
The Show Effective Policy Settings... button can be used to display the result of inheriting settings combined with settings on the current Policy.

Local Authentication: Specifies whether authentication requests using the Policy will be handled by the IAS Plug-In using Local Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).
When Local Authentication is used, there are two factors that determine whether Digipass authentication is used: any Policy restrictions on Digipass Types and/or Applications that can be used, and whether the Digipass User account has any assigned Digipass that meet the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they cannot use Digipass authentication under that Policy.
Options:
    Default: Use the setting of the parent Policy.
    None: The IAS Plug-In will not carry out Local Authentication under this Policy. They may be handled using Back-End Authentication, or not handled at all by the IAS Plug-In.
    Digipass/Password: The IAS Plug-In will always carry out Local Authentication under this Policy, using Digipass authentication if possible, otherwise the static password. Back-End Authentication may also be utilized.
    Digipass Only: The IAS Plug-In will always carry out Local Authentication under this Policy, using Digipass authentication. If Digipass authentication is not possible, the user cannot log in. Back-End Authentication may also be utilized.
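The inheritance rules of the Inherits from Policy field, the User-level Local Authentication override (User Property Sheet) and the Digipass Types / Application Type restriction check, combined in one added worked example. This is not VASCO's code: the Policy, Digipass and User classes are simplified assumed shapes, and a top-level Policy whose Local Authentication is still Default is treated here like None.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT = "Default"


@dataclass
class Policy:
    """Simplified Policy with one setting of each inheritance kind (assumed shape)."""
    name: str
    parent: Optional[str] = None               # Inherits from Policy
    local_authentication: str = DEFAULT        # choice list: inherits when Default
    application_type: str = DEFAULT            # choice list
    default_domain: str = ""                   # text field: inherits when blank
    user_lock_threshold: Optional[int] = None  # numeric: inherits when blank (None), not when 0
    digipass_types: List[str] = field(default_factory=list)  # list field: inherits when empty


SETTINGS = ("local_authentication", "application_type", "default_domain",
            "user_lock_threshold", "digipass_types")


def is_inherited(value) -> bool:
    """Default choice, blank text, blank number or empty list: take the parent's value."""
    return value == DEFAULT or value == "" or value is None or value == []


def effective_policy(policies: Dict[str, Policy], name: str) -> dict:
    """Resolve every setting along the parent chain (what Show Effective Policy Settings displays)."""
    chain: List[Policy] = []
    seen = set()
    current: Optional[str] = name
    while current is not None:
        if current in seen:
            raise ValueError(f"Policy inheritance loop at {current!r}")
        seen.add(current)
        policy = policies[current]
        chain.append(policy)
        current = policy.parent
    effective = {}
    for setting in SETTINGS:
        effective[setting] = getattr(chain[-1], setting)  # top-level value if nobody sets it
        for policy in chain:                              # nearest Policy wins
            value = getattr(policy, setting)
            if not is_inherited(value):
                effective[setting] = value
                break
    return effective


@dataclass
class Digipass:
    serial: str
    digipass_type: str
    applications: Dict[str, str]  # active Application Name -> Application Type (RO, CR, SG)


@dataclass
class User:
    user_id: str
    local_authentication: str = DEFAULT  # User-level override of the Policy setting
    digipass: List[Digipass] = field(default_factory=list)


APP_TYPE_CODE = {"Response Only": "RO", "Challenge/Response": "CR"}


def usable_digipass(user: User, effective: dict) -> List[Digipass]:
    """Assigned Digipass that satisfy the Policy's Digipass Types and Application Type restrictions."""
    allowed_types = effective["digipass_types"]          # empty list = no restriction
    app_code = APP_TYPE_CODE.get(effective["application_type"])  # None = No Restriction
    usable = []
    for dp in user.digipass:
        if allowed_types and dp.digipass_type not in allowed_types:
            continue
        if app_code and app_code not in dp.applications.values():
            continue
        usable.append(dp)
    return usable


def local_authentication_outcome(user: User, effective: dict) -> str:
    """How the Plug-In would handle this User's request under Local Authentication."""
    mode = user.local_authentication
    if mode == DEFAULT:
        mode = effective["local_authentication"]
    if mode in (DEFAULT, "None"):
        return "not handled locally"  # Back-End Authentication, or not handled at all
    if usable_digipass(user, effective):
        return "digipass"             # OTP from a Digipass that meets the restrictions
    if mode == "Digipass/Password":
        return "static password"
    if mode == "Digipass Only":
        return "reject"               # Digipass authentication not possible: cannot log in
    raise ValueError(f"unknown Local Authentication setting {mode!r}")
```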
Back-End Authentication: Specifies whether authentication requests using the Policy will be handled by the IAS Plug-In using Back-End Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).
Options:
    Default: Use the setting of the parent Policy.
    None: Back-End Authentication will not be used.
    If Needed: The IAS Plug-In will utilize Back-End Authentication but only in certain cases:
        Dynamic User Registration
        Self-Assignment
        Password Autolearn
        Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password
        Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the Grace Period
    Always: The IAS Plug-In will utilize Back-End Authentication for every authentication request.

Back-End Protocol: Specifies the protocol to be used for Back-End Authentication. There is currently only one option:
    Windows: Authentication using the Windows operating system.

Created On: The date and time that the Policy was created. Read-only.

Last Modified On: The date and time that the Policy was last modified. Read-only.

Dynamic User Registration: Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy. If this feature is used, when the IAS Plug-In receives an authentication request for a User for the first time and Back-End Authentication is successful, it will create a Digipass User account automatically. If DUR is used in conjunction with Auto-Assignment, a Digipass will be assigned to the new User account immediately.

Password Autolearn: Specifies whether the Password Autolearn feature is enabled for the Policy. This feature enables the IAS Plug-In to update the password stored in the Digipass User account when Back-End Authentication is successful.
In Digipass Plug-In for IAS it is normally not necessary to store the password in the Digipass User account, so this feature is not typically used.

Stored Password Proxy: Specifies whether the Stored Password Proxy feature is enabled for the Policy. This feature can be used in conjunction with the Back-End Authentication Always setting and the Password Autolearn feature, so that even though a Back-End Authentication check is done every login, it is done using the password stored in the Digipass User account, so the User does not have to enter it during their login unless it has just changed.
In Digipass Plug-In for IAS it is normally not necessary to perform a Back-End Authentication check at each login, so this feature is not typically used.

Default Domain: The default Domain in which the IAS Plug-In should look for and create Digipass User accounts, if a Domain is not specified by the login credentials.
If the User logs in with the User-Principal-Name format (e.g. testuser@vasco.com) or the NT4 style format (e.g. VASCO\testuser), the Default Domain is not used. However, if they log in with just a UserId (e.g. testuser), the Default Domain will be used if specified.
In the case that no Domain is implied by the login credentials and there is no Default Domain, the IAS Plug-In will search in its Configuration Domain.
Must be the fully qualified domain name.
User Lock Threshold: This indicates the number of consecutive failed login attempts that will cause a Digipass User account to become Locked. For example, if the User Lock Threshold is 3, the account will become Locked on the third failed login attempt. Unlocking the account requires administrator action.
Note that not all kinds of login failure will result in locking. For example, if the UserId is incorrect or the account is Disabled, the failure would not count towards the lock threshold. Locking is used mainly for incorrect OTPs and static passwords.

Windows Group Check (radio buttons): Specifies whether and how the Windows Group Check feature is to be used. This feature is typically used for a staged deployment of Digipass when the Auto-Assignment method is used. It can also be used when only some Users are required to use Digipass or when only some Users will be permitted access and they have to use Digipass.
Options:
    Default: Use the setting of the parent Policy.
    Authenticate all groups: Do not use the Windows Group Check feature.
    Authenticate listed groups, pass others through: Use the Windows Group Check so that any Users who are not in one of the listed groups are ignored by the IAS Plug-In.
    Authenticate listed groups, reject others: Use the Windows Group Check so that any Users who are not in one of the listed groups are rejected by the IAS Plug-In.

Group List: This lists the names of the Windows Groups to be checked according to the Windows Group Check radio button setting. There are some important limitations of this check:
    Certain built-in Active Directory groups such as Domain Users and Everyone will not be checked. The check is intended to be used with a new group created specifically for this purpose.
    Nested group membership will not be detected by the check.
    There is no Domain qualifier for a group. The named group must be created in each Domain where User accounts exist that need to be added to the group.

Assignment Mode: Specifies the method of automated Digipass Assignment that will be used for this Policy, if any. There are two methods, Auto-Assignment and Self-Assignment.
Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When DUR occurs, the next available Digipass is assigned to the new Digipass User account. A Grace Period is set for the Digipass according to the Grace Period setting in the Policy.
Self-Assignment is typically used with DUR also, but if the Digipass User accounts are created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP from the Digipass and their static password. There is no Grace Period associated with Self-Assignment, because the User has to use the Digipass to perform Self-Assignment.
In both cases, any applicable Digipass restrictions for the Policy apply. For example, it will not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 and DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy restrictions, they will not be able to self-assign another Digipass.
Options:
    Default: Use the setting of the parent Policy.
    Auto-Assignment: Use the Auto-Assignment method.
    Self-Assignment: Use the Self-Assignment method.
    Neither: Do not use either method of automated assignment.

Grace Period: Default time period (in days) to give Users between Auto-Assignment of a Digipass and the date they must start using their Digipass to login. Before that time they can still use a static password (unless the Local Authentication setting is Digipass Only). However, the first time that an OTP is used to log in, the Grace Period is ended at that point if it has not already ended.
This setting does not affect manual assignment by an administrator.
Serial No. Separator: The character (or short sequence of characters) that will be included at the end of the Digipass Serial Number during a Self-Assignment login. It allows the IAS Plug-In to easily recognise that a Self-Assignment attempt is being made and extract the Serial Number from the credentials.

Search Upwards in Org. Unit hierarchy: This controls the search scope for an available Digipass for Auto-Assignment or for a specific Digipass for Self-Assignment.
This setting does not affect manual assignment by an administrator.
Options:
    Default: Use the setting of the parent Policy.
    No: The search scope is only the Organizational Unit in which the User account belongs.
    Yes: The search will start in the User account's Organizational Unit, but if necessary it will then move upwards through the Organizational Unit hierarchy until it reaches the top. At the top, the Digipass-Pool container will be searched. See the Location of Digipass Records topic in the Product Guide for more information.

Application Names: The Policy can specify a restriction on which Digipass Applications may be used when it is effective. If the list is empty, there is no restriction. If there are one or more entries, they will indicate the Application Names that are permitted.

Application Type: The Policy can restrict which Digipass Application Type (e.g. Response Only, Challenge/Response) may be used when it is effective.
Options:
    Default: Use the setting of the parent Policy.
    No Restriction: Digipass Application Type is not restricted.
    Response Only: Only Digipass Applications of Type RO (Response Only) may be used.
    Challenge/Response: Only Digipass Applications of Type CR (Challenge/Response) may be used.

Digipass Types: The Policy can specify a restriction on which Digipass Types may be used when it is effective. If the list is empty, there is no restriction. If there are one or more entries, they will indicate the Digipass Types that are permitted.

Allow PIN change: Specifies whether Digipass Users will be allowed to change their Server PIN during logins to which the current Policy applies. Normally this setting is enabled, but it can be used to prevent PIN changes if required.

1-Step Challenge/Response - Permitted: Controls whether 1-step Challenge/Response logins will be enabled for the current Policy and, if so, where the challenge should originate.
Note that 1-step Challenge/Response is not applicable in a RADIUS environment.
Options:
    Default: Use the setting of the parent Policy.
    No: 1-step Challenge/Response may not be used.
    Yes - Server Challenge: 1-step Challenge/Response may be used provided that the authentication server that verifies the response generated the challenge.
    Yes - Any Challenge: 1-step Challenge/Response may be used with any random challenge.

1-Step Challenge/Response - Challenge Length: Specifies the length of the challenge (excluding a check digit) which should be generated for 1-step Challenge/Response logins.

1-Step Challenge/Response - Add Check Digit: A check digit may be added to the generated challenge. This allows the Digipass to more quickly identify invalid Challenges.
2-Step Challenge/Response - Request Method: The method by which a User has to request a 2-step Challenge/Response login.
This is the only mode of Challenge/Response available in a RADIUS environment.
The 'request' is made in the password field during login. The request will be ignored if the User does not have a Challenge/Response-capable Digipass assigned.
Options:
    Default: Use the setting of the parent Policy.
    None: Do not use 2-step Challenge/Response.
    Keyword: Use the Request Keyword. For Challenge/Response, this is permitted to be blank.
    Password: Use the static password.
    KeywordPassword: Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.
    PasswordKeyword: Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.

2-Step Challenge/Response - Request Keyword: Defines the Keyword that a User must enter to request a 2-step Challenge/Response login, if a method using a Keyword is selected in the Request Method.
For Challenge/Response, this is permitted to be blank.

Primary Virtual Digipass - Request Method: The method by which a User has to request a Primary Virtual Digipass login.
The 'request' is made in the password field during login. The request will be ignored if the User does not have a Primary Virtual Digipass assigned.
Options:
    Default: Use the setting of the parent Policy.
    None: Do not use Primary Virtual Digipass.
    Keyword: Use the Request Keyword. For Primary Virtual Digipass, this is not permitted to be blank.
    Password: Use the static password.
    KeywordPassword: Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.
    PasswordKeyword: Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.

Primary Virtual Digipass - Request Keyword: Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if a method using a Keyword is selected in the Request Method. For Primary Virtual Digipass, this is not permitted to be blank.

Backup Virtual Digipass - Enable Backup VDP: Specifies whether and how the Backup Virtual Digipass feature can be used when this Policy is effective. Note that in order for the Backup Virtual Digipass feature to function, it must also be activated in the DPX file for the Digipass.
Options:
    Default: Use the setting of the parent Policy.
    No: Backup Virtual Digipass is not permitted.
    Yes - Permitted: Backup Virtual Digipass is permitted, but not mandatory. The Time Limit is not applicable when using this option, but the Max. Uses/User limit is.
    Yes - Time Limited: Backup Virtual Digipass is permitted, but not mandatory. Both the Time Limit and the Max. Uses/User limit will be in effect.
    Yes - Required: Backup Virtual Digipass is mandatory. The Time Limit is not applicable when using this option, but the Max. Uses/User limit is.
Backup Virtual Digipass – Time Limit
  When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting indicates the number of days for which the Backup Virtual Digipass feature may be used by a User, once they start using it.
  The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set automatically the first time that the User requests a Backup Virtual Digipass OTP, using the Time Limit defined in the Policy. Once this date has expired, it requires administrator intervention either to extend it or to reset it to blank for the next time that the User needs to use Backup Virtual Digipass.
  Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will have a separate limit for each one.

Backup Virtual Digipass – Max. Uses/User
  The maximum number of uses of the Backup Virtual Digipass feature permitted for each User, if they do not have a specific limit set for them.
  If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and there is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set automatically the first time that the User requests a Backup Virtual Digipass OTP.
  Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be used with this Digipass, unless the administrator increases it or resets it to blank.
  Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will have a separate limit for each one.

Backup Virtual Digipass – Request Method
  The method by which a User has to request a Backup Virtual Digipass login.
  The 'request' is made in the password field during login. The request will be ignored if the User does not have a Digipass assigned that is activated for the Backup Virtual Digipass feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use.
  Options:
  Default: Use the setting of the parent Policy.
  None: Do not use Backup Virtual Digipass.
  Keyword: Use the Request Keyword. For Backup Virtual Digipass, this is not permitted to be blank.
  Password: Use the static password.
  KeywordPassword: Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.
  PasswordKeyword: Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.

Backup Virtual Digipass – Request Keyword
  Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if a method using a Keyword is selected in the Request Method. For Backup Virtual Digipass, this is not permitted to be blank.

Identification Time Window
  Controls the maximum number of time steps' variation allowable between a Digipass and the authentication server during login. This only applies to time-based Response Only and Challenge/Response Applications.
  The Dynamic Time Window option may be used to allow more variation according to the length of time since the last successful login.
  If this setting is not specified at all, there is an inbuilt default value of 20.

Signature Time Window
  Controls the maximum number of time steps' variation allowable between a Digipass and the authentication server during Digital Signature verification. This only applies to time-based Signature Applications.
  If this setting is not specified at all, there is an inbuilt default value of 24.
  Signature Applications are not currently used in RADIUS environments.
Initial Time Window
  Controls the maximum time variation allowable between a Digipass and the authentication server, the first time that the Digipass is used. The time is specified in hours.
  This Initial Time Window is also used directly after a Reset Application operation, which can be used if it appears that the internal clock in the Digipass has drifted too much since the last successful login.
  This only applies to time-based Applications.
  In either case, after the first successful login, the Initial Time Window is no longer active.
  If this setting is not specified at all, there is an inbuilt default value of 6.

Event Window
  Controls the maximum number of events' variation allowable between a Digipass and the authentication server during login that uses an event-based Application.
  If this setting is not specified at all, there is an inbuilt default value of 20.

Identification Threshold
  Specifies the number of consecutive failed authentication attempts allowed before the Digipass Application is locked from future authentication attempts.
  This locking mechanism is separate from the User Lock Threshold and is normally not necessary. It only applies when a single Digipass Application can be used for a login, either because the User only has one Digipass with one Application, or because the Policy restrictions narrow the list down to one Digipass Application. If Policy restrictions are used in this way, the Identification Threshold can be used to lock a User out of one kind of login (eg. a VPN) while still permitting them to use another kind (eg. Wireless).
  If this setting is not specified at all, this feature is not used.

Signature Threshold
  Specifies the number of consecutive failed Digital Signature authentication attempts allowed before the Digipass Application is set to be locked from future authentication attempts.
  If this setting is not specified at all, this feature is not used.
  Signature Applications are not currently used in RADIUS environments.

Max. Days Since Last Use
  This setting specifies the maximum number of days for which a Digipass Application can go unused for authentication. After this limit, authentication will be rejected until an administrator performs a Reset Application operation.
  If this setting is not specified at all, this feature is not used.

Challenge Check Mode
  This setting is for advanced control over time-based Challenge/Response authentication.
  The value 1 should be used for standard RADIUS challenge/response. This is the inbuilt default value if the setting is not specified at all.
  0: No check is made. This is necessary for 1-step Challenge/Response.
  1: The challenge presented for verification must be the last one that was generated specifically for that Digipass. This is the normal mode of operation in 2-step Challenge/Response.
  2: The challenge presented for verification is ignored; the last one that was generated specifically for that Digipass is used. This is rarely applicable.
  3: Only one verification is permitted per time step. This option only applies to time-based Challenge/Response. This is a method of avoiding a potential replay of a captured response if the same challenge comes up again in the same time step.
  4: If the same challenge and response are presented for verification twice in a row during the same time step, they are rejected. This is an advanced method of avoiding a potential replay of a captured challenge/response.

Online Signature Level
  This setting is for advanced control of Digital Signature authentication, and is not applicable currently.
  Signature Applications are not currently used in RADIUS environments.

Table 9: Policy Fields
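As an added example (not code from VASCO or this manual), the following Python models two pieces of Table 9: how the password field is matched against a Request Method and Request Keyword (for 2-step Challenge/Response, Primary Virtual Digipass and Backup Virtual Digipass alike), and how the Enable Backup VDP option combines with the Time Limit and Max. Uses/User limits on the Digipass record. Function names, the record fields, the hyphenated "Yes - ..." spellings and the sample keyword are this example's own assumptions.

```python
"""Added example, not VASCO's code: models the Request Method matching and
the Backup Virtual Digipass limits described in Table 9.  Function names,
field names and the sample values are this example's own assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


def is_request(password_field: str, method: str, keyword: str,
               static_password: str) -> bool:
    """True if the password field is the 'request' for the login mode
    governed by this Request Method (2-step C/R, Primary VDP, Backup VDP).

    `method` must already be resolved: a 'Default' value has to be replaced
    by the parent Policy's setting before calling this.  The concatenated
    forms permit no separator or whitespace between the two parts, so a
    plain equality test is exactly what the text specifies.
    """
    if method == "None":
        return False
    if method == "Keyword":
        # A blank keyword is permitted for Challenge/Response only; for the
        # Virtual Digipass modes the administrator must set a keyword.
        return password_field == keyword
    if method == "Password":
        return password_field == static_password
    if method == "KeywordPassword":
        return password_field == keyword + static_password
    if method == "PasswordKeyword":
        return password_field == static_password + keyword
    raise ValueError(f"unknown Request Method {method!r}")


@dataclass
class BackupVdpRecord:
    """The two Backup VDP fields on the Digipass record; both start blank."""
    enabled_until: Optional[date] = None
    uses_remaining: Optional[int] = None


def backup_vdp_permitted(enable: str, time_limit_days: Optional[int],
                         max_uses_per_user: Optional[int],
                         record: BackupVdpRecord, today: date) -> bool:
    """Decide whether one Backup VDP OTP request may proceed, updating the
    Digipass record the way Table 9 describes for a first request.

    Only 'Yes - Time Limited' applies the Time Limit; all three 'Yes'
    options apply the Max. Uses/User limit.  An expired date or a zero
    Uses Remaining needs administrator intervention, so it is refused.
    ('Yes - Required' additionally makes the feature mandatory for the
    user; that is a policy decision outside this permission check.)
    """
    if enable == "No":
        return False
    if enable not in ("Yes - Permitted", "Yes - Time Limited", "Yes - Required"):
        raise ValueError(f"unknown Enable Backup VDP option {enable!r}")
    if enable == "Yes - Time Limited" and time_limit_days is not None:
        if record.enabled_until is None:
            # First request: Enabled Until is set from the Policy Time Limit.
            record.enabled_until = today + timedelta(days=time_limit_days)
        elif today > record.enabled_until:
            return False
    if max_uses_per_user is not None:
        if record.uses_remaining is None:
            # First request: Uses Remaining is set from the Policy limit.
            record.uses_remaining = max_uses_per_user
        if record.uses_remaining <= 0:
            return False
        record.uses_remaining -= 1
    return True
```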
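The Challenge Check Mode values 0 to 4 are easiest to compare side by side in code. The following Python is an added example, not VASCO's verifier: the Digipass response algorithm is not described on this page, so a keyed hash over the challenge and the time step stands in for it, and the class and method names are assumptions.

```python
"""Added example, not VASCO's code: a verifier-side model of the Challenge
Check Mode values 0-4 for time-based 2-step Challenge/Response.  The real
Digipass response algorithm is not on this page; an HMAC over the challenge
and time step stands in for it.  Names are this example's own."""
import hashlib
import hmac
from typing import Optional, Tuple


class ChallengeResponseVerifier:
    """State the server keeps for one Digipass Application."""

    def __init__(self, secret: bytes, check_mode: int, time_step_secs: int = 30):
        if check_mode not in range(5):
            raise ValueError("Challenge Check Mode must be 0..4")
        self.secret = secret
        self.check_mode = check_mode
        self.time_step_secs = time_step_secs
        self.last_challenge: Optional[str] = None       # modes 1 and 2
        self.last_verified_step: Optional[int] = None   # mode 3
        self.last_presented: Optional[Tuple[str, str, int]] = None  # mode 4

    def new_challenge(self, challenge: str) -> str:
        """Record the challenge generated specifically for this Digipass."""
        self.last_challenge = challenge
        return challenge

    def expected_response(self, challenge: str, now: int) -> str:
        """Stand-in for the token: 6 hex digits keyed on challenge + step."""
        step = now // self.time_step_secs
        msg = f"{challenge}:{step}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:6]

    def verify(self, challenge: str, response: str, now: int) -> bool:
        """Apply the configured check mode, then check the response itself."""
        step = now // self.time_step_secs
        if self.check_mode == 1:
            # The presented challenge must be the last one generated for
            # this Digipass (normal 2-step operation).
            if challenge != self.last_challenge:
                return False
        elif self.check_mode == 2:
            # The presented challenge is ignored; the last generated is used.
            if self.last_challenge is None:
                return False
            challenge = self.last_challenge
        elif self.check_mode == 3:
            # One successful verification per time step: a captured response
            # cannot be replayed if the same challenge recurs in that step.
            if step == self.last_verified_step:
                return False
        elif self.check_mode == 4:
            # Same challenge and response twice in a row in one step: reject.
            if (challenge, response, step) == self.last_presented:
                return False
        # Mode 0 makes no challenge check (needed for 1-step C/R).
        self.last_presented = (challenge, response, step)
        ok = hmac.compare_digest(response, self.expected_response(challenge, now))
        if ok:
            self.last_verified_step = step
        return ok
```

Mode 3 is modelled as one successful verification per step; the page does not say whether failed attempts also count, so that is an assumption of this example.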
5.4 Component Property Sheet
Field Name in Administration Interfaces | Description
Component Type | The type of Component represented by the record. Options: RADIUS Client; IAS Plug-In; Funk SBR Plug-In.
Location | The IP address or name of the machine represented by the record. For a Plug-In, it must be the licensed IP address; for a RADIUS Client, it must be the NAS-IP-Address or NAS-Identifier values sent in the RADIUS requests.
Policy | The name of the Policy that should be used for authentication requests from the Component.
Protocol | The network protocol used by the Component to communicate with the authentication server. This is not applicable to the RADIUS Plug-Ins at this stage.
Shared Secret | The RADIUS Shared Secret for the Component. This is not used by the RADIUS Plug-Ins.
TCP Port | TCP port to send to the Component. This is not applicable to the RADIUS Plug-Ins.
Created On | The date and time that the Component was created. Read-only.
Last Modified On | The date and time that the Component was last modified. Read-only.
Table 10: Component Fields
6 Licensing
6.1 How is Licensing Handled?
VASCO products are licensed per IAS Plug-In Component record in the Digipass Configuration Container(s). A license key file is created for each IAS Plug-In installed, and the license key is loaded into the data store using the Administration MMC Interface.
6.2 Licensing Parameters
Parameter | Value
Product | The name of the VASCO product. eg. Digipass Plug-In for IAS
Component | The type of Component licensed. eg. RADIUS
Version | Current version number of the licensed VASCO product.
Location | The IP address or DNS name for the machine represented by the Component record.
Company | The name of your company.
Username | Your name.
SerialNo | The serial number for the VASCO product.
Generated | The date and time that the license file was generated.
Expires | Used for evaluation license only – expiry date.
Signature | Encrypted combination of the above parameters.
Table 11: License Parameters for Digipass Plug-In for IAS
6.2.1 Sample License File
----- VASCO PRODUCT LICENCE -----
Product=Digipass Plug-In for IAS
Component=IAS Plug-In
Version=1.0
Expires=2005/06/19 02:40:32 GMT
Location=test.vasco.com
Company=Vasco Data Security
Username=Mr Mark J Eaton
SerialNo=8174F715E0
Generated=2005/05/20 02:40:32 GMT
----- SIGNATURE -----
3:302C02147A48E891E0745D
6866E0A08DDB7D6AF092BFCD
27021474601702D4FCE5B500
D76354022F048EDB159B62
----- END LICENCE -----
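As an added example (not VASCO's code), the following Python parses the licence file format shown above and applies the checks an administrator can make by eye before loading a key: the mandatory parameters from Table 11 are present, the Location matches the Component record, and an evaluation licence has not passed its Expires date. The signature is extracted but not verified, because this page does not document how it is computed; the function names are this example's own, and the sample file from 6.2.1 is embedded as its input.

```python
"""Added example, not VASCO's code: parses the licence file format shown in
6.2.1 and applies the checks an administrator can make by eye.  The
signature is extracted but not verified (its algorithm is not documented
on this page).  Function names are this example's own."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# The sample licence file from section 6.2.1, embedded as test input.
SAMPLE_LICENCE = """\
----- VASCO PRODUCT LICENCE -----
Product=Digipass Plug-In for IAS
Component=IAS Plug-In
Version=1.0
Expires=2005/06/19 02:40:32 GMT
Location=test.vasco.com
Company=Vasco Data Security
Username=Mr Mark J Eaton
SerialNo=8174F715E0
Generated=2005/05/20 02:40:32 GMT
----- SIGNATURE -----
3:302C02147A48E891E0745D
6866E0A08DDB7D6AF092BFCD
27021474601702D4FCE5B500
D76354022F048EDB159B62
----- END LICENCE -----
"""

BEGIN = "----- VASCO PRODUCT LICENCE -----"
SIG = "----- SIGNATURE -----"
END = "----- END LICENCE -----"


def parse_licence(text: str) -> Tuple[Dict[str, str], str]:
    """Return (parameters, signature) or raise ValueError on a malformed file."""
    params: Dict[str, str] = {}
    sig_lines: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == BEGIN:
            section = "params"
        elif line == SIG:
            section = "sig"
        elif line == END:
            section = "end"
        elif section == "params":
            key, sep, value = line.partition("=")
            if not sep or not key.strip():
                raise ValueError(f"bad parameter line: {line!r}")
            params[key.strip()] = value.strip()
        elif section == "sig":
            sig_lines.append(line)  # the signature is wrapped over lines
        else:
            raise ValueError(f"text outside licence markers: {line!r}")
    if section != "end":
        raise ValueError("END LICENCE marker missing")
    return params, "".join(sig_lines)


def parse_gmt(value: str) -> datetime:
    """Parse the 'YYYY/MM/DD HH:MM:SS GMT' form used by Expires/Generated."""
    if not value.endswith(" GMT"):
        raise ValueError(f"timestamp not in GMT: {value!r}")
    return datetime.strptime(value[:-4], "%Y/%m/%d %H:%M:%S").replace(
        tzinfo=timezone.utc)


def check_licence(text: str, component_location: str,
                  now: datetime) -> List[str]:
    """List of problems; empty means the file looks usable for this Component."""
    params, signature = parse_licence(text)
    problems: List[str] = []
    for name in ("Product", "Component", "Version", "Location",
                 "Company", "Username", "SerialNo", "Generated"):
        if name not in params:
            problems.append(f"missing parameter {name}")
    if not signature:
        problems.append("missing signature")
    if params.get("Location") != component_location:
        problems.append("Location does not match the Component record")
    # Expires is present on evaluation licences only.
    if "Expires" in params and parse_gmt(params["Expires"]) < now:
        problems.append("evaluation licence has expired")
    return problems
```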
6.3 View License Information
To view the license information for a specific Component:
1. Open the Administration MMC Interface.
2. Click on the Components node.
   The Component List will be displayed in the Result pane.
3. Double-click on the required Component record.
   The Component property sheet will be displayed.
4. Click on the License Key Details... button.
   The License Key Details window will be displayed.
6.4 Obtain a License Key for a Component
Note: An active internet connection is required to obtain a License Key.
1. Open the Administration MMC Interface.
2. Click on the Components node.
   The Component List will be displayed in the Result pane.
3. Double-click on the required Component record.
   The Component property sheet will be displayed.
4. Click on the License Key Details... button.
   The License Key Details window will be displayed.
5. Click on the Request License Key... button.
   A browser window will be opened, with the VASCO Licensing site loaded. Any required information which the IAS Plug-In has will be entered as the site is loaded.
6. Enter any other required information in the browser window.
7. Click on the Request License Key button in the browser window.
   A download of your license key file should begin. Keep note of where you save the file, and its name.
8. Once the download is complete, go back to the Administration MMC Interface and the License Key Details window.
9. Click on the Load License Key... button.
10. Browse to the download location and select the license key file.
11. Click on Open.
   A message window will display the success or failure of loading the license key into the data store.
6.5 Change IP Address
To change the IP address for an IAS Plug-In server:
1. Create a new Component record for the server, using the new IP address for the location.
2. Request and download a License Key for the new Component record.
3. Load the License Key into the new Component record.
4. Test that the IAS Plug-In works with the new IP address and Component record.
5. Delete the old Component record.
7 Web Sites
7.1 Customizing the Web Sites
It is anticipated that you may want to customize the web pages that are provided by default, for the following kinds of reason:
- to change the colours and graphics to match your corporate colours/logos.
- to integrate the pages into a larger web site. For example, you may wish to control the pages using a sub-menu within the overall site menu.
- to modify the navigation in such a way that you believe would suit your users better. For example, you may wish to have a failure page that just reports failure, without the form fields to try again, which gives troubleshooting hints.
The sites are both designed to permit extensive customization, provided that you post the right data to the CGI program. This section provides the instructions and reference material that you require to successfully customize the site. It is assumed that the reader will have some web development knowledge.
You can change any cosmetic part of the web pages. You can even write completely new web pages, provided that you provide the correct posted form fields to the CGI program, and interpret the query string variables correctly. You do not need to use plain HTML pages – server scripting languages such as PHP or ASP, or any other way of generating HTML, can be used.
7.2 CGI Program
A single CGI script is used for both the User Self Management Web Site and the OTP Request Site. The functionality provided depends on the Site.
For each function, the CGI program carries out the following actions:
- Read and validate the input. This input is gathered from:
  - Configuration settings from the registry
  - Form variables posted
- Send an authorisation request to the IAS Server (provided that there were no validation errors) and interpret the response. Requests are sent to the Server using the RADIUS protocol. A component identifier Self-Mgt Site will indicate in the Audit Console which audit messages relate to requests from the User Self-Management Web Site or OTP Request Site.
- (OTP Request Site only) Send a request to the Message Delivery Component to send an OTP to the User's mobile phone via text message.
- Output the HTML to direct the user to the page that will indicate success or failure, or display a challenge. This is achieved by returning the HTML for a basic 'please wait' page with a 'meta-refresh' instruction to go directly to the appropriate page. The meta-refresh will happen immediately, but on a slow link you may notice the intermediate page.
The CGI program cannot be customized. Its behaviour is controlled by the configuration settings and the posted form variables. The configuration settings are listed below; the posted form variables are specified in the Customizing the Web Site section.
7.2.1 Configuration Settings
Various configuration settings are used by the CGI program to locate the IAS server(s) and to enable tracing. These can be modified using the Start->Programs menu option "User CGI Configuration".
The configuration settings are stored in the Windows Registry, at the path:
HKEY_LOCAL_MACHINE\Software\VASCO\User CGI
Name | Type | Value | Default
Trace-Mask | Number (DWORD) | Used to enable internal tracing levels. In general, just use these values: 0 = no tracing; FFFFFFFF (hexadecimal) = full tracing. | 0
Trace-File | String | Full path and filename of output file for internal tracing. NB: the file will be created if it is missing, but not the directory. | (blank)
Source-IP-Address | String | Source IP address to bind to when sending API requests, if any (only required if there are multiple IP addresses on the machine). eg. 10.9.255.7 | (blank)
Server1-IP-Address | String | IP address of primary IAS Server. eg. 10.2.255.45 | 127.0.0.1
Server1-Port | Number (DWORD) | API port of primary IAS Server (in general, this should not be changed from the default). | 20003
Server2-IP-Address | String | IP address of backup IAS Server, or blank if there is no backup. | (blank)
Server2-Port | Number (DWORD) | API port of backup IAS Server (in general, this should not be changed from the default). | 20003
Table 12: Configuration Settings for CGI Program
7.3 Form Fields
7.3.1 User Self Management Web Site
7.3.1.1 Registration – Main Pages
User Registration (UR), Digipass Assignment (DA) and Password Synchronization (PS) are all implemented using a single invocation of the CGI program. This permits them to be carried out either separately or in any combination. You can choose to separate them in your customized web site or keep them together as you prefer.
If Challenge/Response or a Virtual Digipass is used, the user will enter their User ID, static password and Serial Number into the main page without a Digipass Response. They will be directed to a challenge page, which is specified in the next topic, in which they should enter either a Response to the challenge or the OTP sent to their mobile phone. The following table applies only to the main page.
The following posted form fields must be used on the main page, according to the particular function and other conditions specified below:
Form Field Name | Visible Label (Default) | Value(s) | Required? (UR PS DA)
dpcgi_operation | | "register" for User Registration, Digipass Assignment or Password Synchronization. | Y Y Y
dpcgi_success_page | | Relative or absolute URL of web page to go to if the function is successful. | Y Y Y
dpcgi_fail_page | | Relative or absolute URL of web page to go to if the function fails. | Y Y Y
dpcgi_challenge_page | | Relative or absolute URL of web page to go to if a challenge is returned for the user. | (4) (1)
dpcgi_userid | UserId | UserID in the IAS Plug-In. | Y Y Y
dpcgi_password | Password | Static password. | Y Y Y
dpcgi_serialno | Serial Number | Digipass serial number. | Y
dpcgi_response | Digipass Response | Digipass response (without static PIN if there is one). | (5) (2)
dpcgi_newpin | New PIN | New static PIN (for Go 1/Go 3). | (3)
dpcgi_confirmpin | Confirm New PIN | Confirm the new static PIN. | (3)
dpcgi_usecombinedpwd | | "True" to send the password, serial number, response and PIN to the IAS Plug-In in one attribute. "False" to send the contents of the password field |
Table 13: Form Fields for Main Registration Page
(1) If any users may self-assign a Challenge/Response Digipass, provide this form field.
(2) If any users may self-assign a Response Only Digipass, provide this form field.
(3) If any users may self-assign a Response Only Digipass which uses a static PIN at the beginning of the response (eg. Go 1/Go 3), where the Digipass are initialized with no initial static PIN, they have to enter a new PIN the first time they use the Digipass. If they are self-assigning the Digipass, that means that they have to enter the new PIN and confirm it during the self-assignment process. They can do this by adding the new PIN twice at the end of the Digipass Response; however, it may be more user-friendly to provide these two separate form fields.
(4) If any users have a Challenge/Response application or a Primary Virtual Digipass, include this field.
(5) If any users have a Response Only application, include this field.
7.3.1.2 Registration – Challenge Page
The Registration challenge page will be used for Digipass Challenge/Response or Virtual Digipass. The user enters their response to the challenge, to complete the registration process.
The following posted form fields must be used on the challenge page:
Form Field Name | Visible Label (Default) | Value(s) | Required?
dpcgi_operation | | "register" for User Registration, Digipass Assignment or Password Synchronization. | Y
dpcgi_success_page | | Relative or absolute URL of web page to go to if the function is successful. | Y
dpcgi_fail_page | | Relative or absolute URL of web page to go to if the function fails. | Y
dpcgi_userid | UserId | UserID in the IAS Plug-In. | Y
dpcgi_response | Digipass Response | Digipass response or Virtual Digipass OTP. | Y
dpcgi_challenge | Challenge | Digipass challenge returned to the user. | Y
Table 14: Form Fields for Registration Challenge Page
Note: If you make dpcgi_challenge a visible form field, ensure that it is not modifiable. An alternative is to make it a hidden form field, while also displaying the challenge in HTML text rather than as a form field.
7.3.1.3 Server PIN Change
The PIN Change function is only applicable for Digipass Response Only where a Server PIN is entered at the start of the response (eg. Go 1/Go 3).
The following posted form fields must be used on the PIN Change page:
Form Field Name | Visible Label (Default) | Value(s) | Required?
dpcgi_operation | | "changepin" for PIN Change. | Y
dpcgi_success_page | | Relative or absolute URL of web page to go to if the function is successful. | Y
dpcgi_fail_page | | Relative or absolute URL of web page to go to if the function fails. | Y
dpcgi_userid | UserId | UserID in the IAS Plug-In. | Y
dpcgi_response | Digipass Response | Digipass response (without static PIN if there is one). | Y
dpcgi_currentpin | Current PIN | Current static PIN to be changed. | (6)
dpcgi_newpin | New PIN | New static PIN. | Y
dpcgi_confirmpin | Confirm New PIN | Confirm the new static PIN. | Y
Table 15: Form Fields for Server PIN Change Page
(6) If the Digipass has had its Server PIN reset by the administrator, because the user has forgotten it, there is no current Server PIN to enter here. In all other cases, the current Server PIN must be provided to permit the PIN change.
7.3.1.4 Login Test – Main Page<br />
If a Challenge/Response application or Primary Virtual <strong>Digipass</strong> is used, the user will enter just<br />
their UserId (and maybe password) into the main page without a <strong>Digipass</strong> Response. If using<br />
the Backup Virtual <strong>Digipass</strong>, they will need to enter the trigger specified in server settings<br />
(password and/or a Keyword) into the password field.<br />
They will be directed to a challenge page, specified in the next topic. The following table<br />
applies only to the main page.<br />
The following posted form fields must be used on the main page:<br />
Form Field Name | Visible Label (Default) | Value(s) | Required?<br />
dpcgi_operation | | “testlogin” for Login Test. | Y<br />
dpcgi_success_page | | Relative or absolute URL of web page to go to if the function is successful. | Y<br />
dpcgi_fail_page | | Relative or absolute URL of web page to go to if the function fails. | Y<br />
dpcgi_challenge_page | | Relative or absolute URL of web page to go to if a challenge is returned for the user. | (7)<br />
dpcgi_userid | UserId | UserID in the IAS Plug-In. | Y<br />
dpcgi_response | Digipass Response | Digipass response (with static PIN if there is one). | (8)<br />
Table 16: Form Fields for Main Login Test Page<br />
(7) If any users have a Challenge/Response Digipass, a Primary Digipass or use the Backup Virtual Digipass feature, provide this form field.<br />
(8) If any users have a Response Only Digipass, provide this form field.<br />
7.3.1.5 Login Test – Challenge Page<br />
The user enters their response to the challenge or the OTP sent to their mobile phone to<br />
complete the login test.<br />
The following posted form fields must be used on the challenge page:<br />
Form Field Name | Visible Label (Default) | Value(s) | Required?<br />
dpcgi_operation | | “testlogin” for Login Test. | Y<br />
dpcgi_success_page | | Relative or absolute URL of web page to go to if the function is successful. |<br />
dpcgi_fail_page | | Relative or absolute URL of web page to go to if the function fails. |<br />
dpcgi_userid | UserID | User ID in the IAS Plug-In. | Y<br />
dpcgi_response | Digipass Response | Digipass response. | Y<br />
dpcgi_challenge | Challenge | Digipass challenge returned to the user. | Y<br />
Table 17: Form Fields for Login Test Challenge Page<br />
Note<br />
If you make vmcgi_challenge a visible form field, make sure that it is not modifiable. An alternative is to make it a hidden form field, while also displaying the challenge in HTML text rather than as a form field.<br />
7.3.2 OTP Request Site<br />
7.3.2.1 Request Page<br />
The request page must contain the following fields:<br />
Name | Type / Value | Visibility<br />
Username | text | Visible<br />
Password | Password | Visible<br />
dpcgi_operation | “VDPrequest” | Hidden<br />
dpcgi_vdp_success_page | Name of “OTP was sent” Page | Hidden<br />
dpcgi_vdp_fail_page | Name of “OTP not sent” Page | Hidden<br />
dpcgi_vdp_wrongtoken_page | Name of “Not a Virtual Digipass” Page | Hidden<br />
Table 18: Form Fields for OTP Request Page<br />
7.4 Query String Variables<br />
The query string variables that are passed to the web pages by the CGI program are mainly<br />
concerned with status and error reporting. There is also a variable that is used to pass a<br />
challenge to the pages that display one.<br />
7.4.1 Failure/Error Handling<br />
There are three main groups of failures that can occur, each of which should be handled in a different manner. In all cases there is a numeric error code; in some cases there is also an auxiliary code and message, such as the return code and message from the VACMAN Controller. The main error codes are assigned in three separate ranges, so that the web pages can identify which category of error is returned.<br />
API return codes – these are returned by the VASCO API used to make the authentication request to the Server. In some cases there will be an auxiliary code and message.<br />
CGI errors – these errors are detected by the CGI program, mainly when the web pages are not providing or enforcing the posted form fields correctly. These will not generally have an auxiliary code and message, but it is possible.<br />
Internal errors – these are technical errors that ‘should not occur’. In some cases there will be an auxiliary code and message.<br />
The intention of this code-based scheme is to allow translation and customization of the messages. The main error code is translated into a message by the web pages themselves. The pages can also translate the auxiliary code into a message in the case of VACMAN Controller codes, but normally the pages would not know how to translate it, and should display the auxiliary message as provided.<br />
7.4.2 Query String Variable List<br />
The following table indicates which variables are used for the User Self Management Web Site and OTP Request Site, and the required conditions:<br />
Variable | Value | Condition | Used by Site<br />
result | 0 | Successful authentication request | Both<br />
result | | Unsuccessful authentication request | Both<br />
result | | CGI or internal error occurred | Both<br />
challenge | | Challenge returned by API | User Self Management Web Site only<br />
auxcode | | Unsuccessful authentication request due to Controller rejecting password | Both<br />
auxcode | | CGI or internal error occurred, where another error code is relevant | Both<br />
auxmsg | | Unsuccessful authentication request due to Controller rejecting password | Both<br />
auxmsg | | CGI or internal error occurred, where an error message is relevant | Both<br />
Table 19: Query String Variable List<br />
Examples:<br />
success: /vmsite/success.html?result=0<br />
invalid Digipass response due to code replay: /vmsite/fail.html?result=1000&auxcode=2&auxmsg=Code+Replay+Attempt<br />
challenge: /vmsite/challenge.html?challenge=738453<br />
7.4.3 Return Code Listing<br />
<strong>In</strong> the following tables, the Message is the one that is provided by the standard web pages that<br />
we install.<br />
7.4.3.1 API Return Codes<br />
The following codes are the ones that in normal cases might be returned:<br />
Code | Message | Auxiliary Code/Message? | Notes<br />
-1 | Error during request to Server | N | We are unable to distinguish the error from the client side of the API – the administrator would have to look at the Audit Console.<br />
Table 20: API Return Codes<br />
7.4.3.2 CGI Errors<br />
Code | Message | Auxiliary Code/Message?<br />
-100 | Only the POST method is permitted | N<br />
-101 | No dpcgi_operation was posted | N<br />
-102 | An invalid dpcgi_operation was posted | N<br />
-103 | dpcgi_challenge_page cannot be used for this operation | N<br />
-104 | dpcgi_password cannot be used for this operation | N<br />
-105 | dpcgi_serialno cannot be used for this operation | N<br />
-106 | dpcgi_currentpin cannot be used for this operation | N<br />
-107 | dpcgi_newpin cannot be used for this operation | N<br />
-108 | dpcgi_confirmpin cannot be used for this operation | N<br />
-109 | dpcgi_challenge cannot be used for this operation | N<br />
-110 | dpcgi_success_page must be entered for this operation | N<br />
-111 | dpcgi_fail_page must be entered for this operation | N<br />
-112 | dpcgi_userid must be entered for this operation | N<br />
-113 | dpcgi_password must be entered for this operation | N<br />
-114 | dpcgi_response must be entered for this operation | N<br />
-115 | dpcgi_newpin must be entered for this operation | N<br />
-116 | dpcgi_confirmpin must be entered for this operation | N<br />
-117 | A Digipass Response is required to assign a Digipass | N<br />
-118 | A New PIN can only be set when assigning a Digipass | N<br />
-119 | Enter the new PIN in the New PIN and Confirm New PIN fields | N<br />
-120 | The New PIN and Confirm New PIN fields have different values | N<br />
-121 | A challenge was returned, but there is no dpcgi_challenge_page | N<br />
-122 | Unknown parameter | N<br />
-123 | The Content-Length passed in was invalid | N<br />
-124 | vmcgi_serialno must be entered for this operation | N<br />
Table 21: CGI Error Return Codes<br />
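How the CGI program's enforcement of the posted form fields (Tables 15 to 17) maps onto the CGI error codes above, as an added example written for this edit; it is not VASCO's CGI program and does not claim to reproduce its exact order of checks. checkPost returns 0 when a posted form for the changepin or testlogin operation is complete and consistent, or the Table 21 code of the first problem it finds; challengeRedirect shows the -121 case. The field names and codes are the page's; the per-operation lists of accepted fields, the check order and the function names are assumptions.<br />

```javascript
// Added example, not VASCO code: validates a posted form against the field rules of
// Tables 15-17 and returns 0 or a CGI error code from Table 21.
// Assumption: the fields each operation accepts are taken from those tables; the real
// CGI program's check order is not documented on the page.

const OPERATIONS = {
  // PIN Change page (Table 15): dpcgi_currentpin may be absent only after an
  // administrator PIN reset (footnote 6), so it is treated as optional here.
  changepin: {
    required: ["dpcgi_success_page", "dpcgi_fail_page", "dpcgi_userid",
               "dpcgi_response", "dpcgi_newpin", "dpcgi_confirmpin"],
    optional: ["dpcgi_currentpin"],
  },
  // Login Test main page (Table 16) and challenge page (Table 17); the response is
  // conditional on the main page (footnote 8), so it is optional at this level.
  testlogin: {
    required: ["dpcgi_success_page", "dpcgi_fail_page", "dpcgi_userid"],
    optional: ["dpcgi_response", "dpcgi_challenge_page", "dpcgi_challenge"],
  },
};

// "... must be entered for this operation" (Table 21, -110 to -116)
const MISSING_CODE = {
  dpcgi_success_page: -110, dpcgi_fail_page: -111, dpcgi_userid: -112,
  dpcgi_password: -113, dpcgi_response: -114, dpcgi_newpin: -115, dpcgi_confirmpin: -116,
};

// "... cannot be used for this operation" (Table 21, -103 to -109)
const FORBIDDEN_CODE = {
  dpcgi_challenge_page: -103, dpcgi_password: -104, dpcgi_serialno: -105,
  dpcgi_currentpin: -106, dpcgi_newpin: -107, dpcgi_confirmpin: -108, dpcgi_challenge: -109,
};

// Returns 0 if the post is acceptable, otherwise the Table 21 code of the first problem found.
function checkPost(method, fields) {
  if (method !== "POST") return -100;
  const op = fields.dpcgi_operation;
  if (op === undefined || op === "") return -101;
  const spec = OPERATIONS[op];
  if (spec === undefined) return -102;

  // Fields the operation does not accept are reported by name before missing ones,
  // so a page that posts the wrong form gets a precise code.
  for (const name of Object.keys(fields)) {
    if (name === "dpcgi_operation") continue;
    if (spec.required.includes(name) || spec.optional.includes(name)) continue;
    if (name in FORBIDDEN_CODE) return FORBIDDEN_CODE[name];
    return -122; // Unknown parameter
  }
  for (const name of spec.required) {
    if (fields[name] === undefined || fields[name] === "") return MISSING_CODE[name];
  }
  // PIN change consistency (Table 21, -120): both new-PIN fields must carry the same value.
  if (op === "changepin" && fields.dpcgi_newpin !== fields.dpcgi_confirmpin) return -120;
  return 0;
}

// A challenge coming back from the Server can only be delivered if the page supplied
// dpcgi_challenge_page (Table 21, -121). Returns the URL to redirect to, or -121.
function challengeRedirect(fields, challenge) {
  const page = fields.dpcgi_challenge_page;
  if (page === undefined || page === "") return -121;
  return `${page}?challenge=${encodeURIComponent(challenge)}`;
}
```

When building custom pages, running a check like this against each form before deployment catches the -10x and -11x errors that otherwise only appear to end users; the -103 to -109 "cannot be used" codes are the ones a copied form usually triggers.<br />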
7.4.3.3 <strong>In</strong>ternal Errors<br />
Code | Message | Auxiliary Code/Message?<br />
-1000 | Cannot read Trace-Mask configuration setting | Y<br />
-1001 | Cannot read Trace-File configuration setting | Y<br />
-1002 | Cannot open Trace-File | Y<br />
-1003 | Cannot read Source-IP-Address configuration setting | Y<br />
-1004 | Cannot read Server1-IP-Address configuration setting | Y<br />
-1005 | Cannot read Server1-Port configuration setting | Y<br />
-1006 | Cannot read Server2-IP-Address configuration setting | Y<br />
-1007 | Cannot read Server2-Port configuration setting | Y<br />
-1008 | Invalid configuration setting Source-IP-Address | Y<br />
-1009 | Invalid configuration setting Server1-IP-Address | Y<br />
-1010 | Invalid configuration setting Server1-Port | Y<br />
-1011 | Invalid configuration setting Server2-IP-Address | Y<br />
-1012 | Invalid configuration setting Server2-Port | Y<br />
-1013 | Cannot read HTTP request data | N<br />
-1014 | Request to Server not completed | Y<br />
-1015 | Cannot read Self-Management Site registry key | Y<br />
-1016 | The specified Source-IP-Address is not on this machine | N<br />
-1017 | Cannot read Trace-Header configuration setting | Y<br />
-1018 | Invalid configuration setting Trace-Header | Y<br />
Table 22: Internal Error Codes<br />
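How a success, fail or challenge page can act on the query string variables of 7.4.2, as an added example written for this edit (it is not one of the standard pages VASCO installs): it parses result, auxcode, auxmsg and challenge, places the result code in one of the 7.4.1 categories, looks up the page's own messages for a few codes from Tables 20 to 22, and HTML-escapes the auxiliary message before displaying it as provided, because it arrives through the URL and would otherwise be reflected into the page unescaped. The category boundaries are inferred from the three code ranges of Tables 20 to 22 and, like the function names, the fallback messages and the handling of positive codes such as the page's result=1000 replay example, are assumptions.<br />

```javascript
// Added example, not one of the standard VASCO web pages: interprets the query string
// variables of 7.4.2 on a success/fail/challenge page. The messages below are the ones
// the page lists in Tables 20-22 for the codes shown; the rest are added the same way.

const MESSAGES = {
  "-1": "Error during request to Server",                              // Table 20
  "-100": "Only the POST method is permitted",                         // Table 21
  "-101": "No dpcgi_operation was posted",
  "-112": "dpcgi_userid must be entered for this operation",
  "-120": "The New PIN and Confirm New PIN fields have different values",
  "-121": "A challenge was returned, but there is no dpcgi_challenge_page",
  "-1002": "Cannot open Trace-File",                                   // Table 22
  "-1014": "Request to Server not completed",
};

// Assumption: category boundaries follow the three code ranges of Tables 20-22; a
// non-zero code outside them (the page's result=1000 replay example) is a rejected
// authentication whose detail is carried in auxcode/auxmsg.
function categoryOf(code) {
  if (code === 0) return "success";
  if (code < 0 && code > -100) return "api";
  if (code <= -100 && code > -1000) return "cgi";
  if (code <= -1000) return "internal";
  return "authentication-failed";
}

// Escape text taken from the URL before it is written into the page.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function describeResult(url) {
  const qs = url.includes("?") ? url.slice(url.indexOf("?") + 1) : "";
  const p = new URLSearchParams(qs); // decodes '+' as a space: Code+Replay+Attempt -> Code Replay Attempt

  // Challenge page: the challenge is shown as text, not as an editable field (note in 7.3.1.5).
  if (p.has("challenge")) {
    const challenge = p.get("challenge");
    return { category: "challenge", challenge, html: `<p>Challenge: ${escapeHtml(challenge)}</p>` };
  }

  const code = Number.parseInt(p.get("result") ?? "", 10);
  if (Number.isNaN(code)) return { category: "malformed", html: "<p>No result code was returned.</p>" };

  const category = categoryOf(code);
  let text = MESSAGES[String(code)]
    ?? (category === "success" ? "Login successful" : `Request failed (code ${code})`);
  // The auxiliary code and message (e.g. from the VACMAN Controller) are shown as provided.
  const auxcode = p.get("auxcode");
  const auxmsg = p.get("auxmsg");
  if (auxmsg !== null) text += ` (${auxmsg}, auxiliary code ${auxcode ?? "n/a"})`;

  return { category, code, auxcode, auxmsg, text, html: `<p>${escapeHtml(text)}</p>` };
}
```

The page's own examples exercise three of the branches: result=0 is a success, the replay example is an authentication failure with auxiliary detail, and the challenge example carries no result at all. Escaping matters because the CGI program passes auxmsg through verbatim and anyone can type a fail.html URL by hand.<br />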
8 Command line utilities<br />
8.1 DPADadmin Utility<br />
8.1.1 Extend Active Directory Schema<br />
The addschema command is used to create all the Active Directory Schema extensions, if<br />
they are not already there. Each element will be checked individually to see if it is already<br />
there and if not, will be added.<br />
This command is intended to be run manually by a domain administrator be<strong>for</strong>e the main<br />
<strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong> installation is run, as recommended by Microsoft.<br />
It may be necessary to go through an approval process in your company be<strong>for</strong>e running this<br />
command, as it involves changes to Active Directory Schema. You may also need to have<br />
another administrator run the command <strong>for</strong> you, possibly in another part of your network. This<br />
depends on your company’s structure and rules <strong>for</strong> Active Directory control.<br />
8.1.1.1 Prerequisite <strong>In</strong><strong>for</strong>mation<br />
Schema Master Machine<br />
This command may technically be run on any Windows 2000, XP or 2003 machine, however it<br />
needs to contact the Domain Controller which has the Schema Master role. There can be only<br />
one Domain Controller in the Forest with that role. It may be simplest to run the command<br />
directly on the Schema Master, to avoid any potential connectivity or permission issues.<br />
Warning: If you are passing the credentials to the command in the parameters, and you are not running the command on the Schema Master, check that you do not have any shares on the Schema Master open. This will cause the command to fail.<br />
Domain <strong>Administrator</strong> Account<br />
<strong>In</strong> order to successfully update the Schema, you must know the username and password of a<br />
Domain <strong>Administrator</strong> account that is able to log into the Schema Master. You must either run<br />
the command while logged in as that user, or pass the credentials to the command in the<br />
parameters. The Domain <strong>Administrator</strong> must have permission to extend the Schema – they<br />
must be a member of the Schema Admins group in the Forest-Root-Domain (the first Domain<br />
created in the Forest).<br />
Schema Changes Allowed<br />
By default, Active Directory does not permit Schema extensions to be made. There is a registry<br />
setting that must be changed to allow extensions. If this is not already set, VMADUTIL will ask<br />
you whether it should change the setting itself or not. If you click on Yes, it will change the<br />
setting itself, make the extensions then change it back again.<br />
If you would prefer to change the setting manually, log into the Schema Master and change the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed registry key to 1, adding it as a value of type DWORD if it does not already exist. Alternatively, if the Schema Manager MMC snap-in is installed on the machine, it can be used to enable or disable Schema extensions.<br />
If you have disabled the Schema extensions after removing a previous installation in the<br />
Forest, reactivate them be<strong>for</strong>e using this command. This can be done using the Schema<br />
Manager MMC snap-in used to deactivate them.<br />
8.1.1.2 Extend the Schema on the Schema Master<br />
1. Log into the Schema Master as a member of the Schema <strong>Administrator</strong>s group.<br />
2. Copy dpadadmin.exe onto the Schema Master.<br />
3. Open a command prompt in the location to which it was copied.<br />
4. Type:<br />
dpadadmin addschema<br />
5. If DPADadmin detects that Schema extensions are not currently permitted, it will<br />
prompt you whether to enable them or not. Enter y to enable them, or n to cancel.<br />
The progress and success/failure of the command will be displayed in the command prompt<br />
window. If there was a failure, it can be run again after the problem has been rectified.<br />
8.1.1.3 Extend the Schema on the <strong>IAS</strong> Server<br />
1. Open a command prompt and navigate to the installation’s bin directory by typing:<br />
cd \bin<br />
2. Type:<br />
dpadadmin addschema -master schema_master -u user_name -p password<br />
3. See 8.1.1.4 Command Line Syntax for more details regarding the required parameters.<br />
4. If VMADUTIL detects that Schema extensions are not allowed, it will prompt you to enable them. Enter y to enable them, or n to cancel.<br />
The progress and success/failure of the command will be displayed in the command prompt window. If there was a failure, it can be run again after the problem has been rectified.<br />
8.1.1.4 Command Line Syntax<br />
dpadadmin addschema [-master schema_master] [-u user_name [-p password]] [-q]<br />
Option | Description<br />
-master | Fully qualified name of the Domain Controller with the Schema Master role. This option may be omitted if the command is run directly on the Schema Master.<br />
-u | User name of a Domain Administrator in the Schema Administrators group. This option may be omitted if you are logged into the machine as that Domain Administrator when you run the command.<br />
-p | Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain Administrator or if they have a blank password.<br />
-q | Quiet mode, will not output commentary text.<br />
Table 23: DPADadmin addschema Command Line Options<br />
DPADadmin addschema Command Sample<br />
dpadadmin addschema -master dc1.vasco.com -u schema_admin -p sa_password<br />
8.1.2 Check Schema Extensions<br />
This command is called from the <strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong> installation program to check that all<br />
the Active Directory Schema extensions have been applied. Each element is checked<br />
individually to see if it is already there, but it will not be added if not.<br />
It is not practical <strong>for</strong> the installation program to check that the Schema extensions have been<br />
replicated to all parts of the Domain Forest. The check will be restricted to checking the<br />
<strong>Digipass</strong> Configuration Domain, since that needs to have the Schema extensions be<strong>for</strong>e<br />
anything else.<br />
<strong>In</strong> a complicated, multi-site Domain Forest structure, where long delays may occur be<strong>for</strong>e the<br />
Schema extensions have been fully replicated around the Forest, you may have to wait a while<br />
be<strong>for</strong>e you use the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong>. You can run this command manually a number of times,<br />
specifying a different Domain to check each time, if you want to be sure that the Schema<br />
extensions have finally reached all the necessary Domains. This will include all the Domains in<br />
which Active Directory Users of interest to the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> may be located.<br />
8.1.2.1 Prerequisite <strong>In</strong><strong>for</strong>mation<br />
Domain <strong>Administrator</strong><br />
Ensure that you know the username and password of a Domain <strong>Administrator</strong> in the Domain<br />
that will be checked <strong>for</strong> the Schema extensions (normally the <strong>Digipass</strong> Configuration Domain).<br />
8.1.2.2 Check the Schema on the <strong>IAS</strong> Server<br />
1. Open a command prompt and go to the installation’s bin directory by typing:<br />
cd \bin<br />
2. Type:<br />
dpadadmin checkschema -domain domain_name -u user_name -p password<br />
3. See the VMADUTIL checkschema Command Line Syntax section for more details regarding the parameters.<br />
The progress and success/failure of the command will be displayed in the command prompt window.<br />
8.1.2.3 Check the Schema on a Machine in the Domain to Check<br />
1. Log into the machine as a Domain <strong>Administrator</strong> in that Domain.<br />
2. Copy dpadadmin.exe onto the machine and open a command prompt in the location<br />
to which it was copied.<br />
3. Type:<br />
dpadadmin checkschema<br />
The progress and success/failure of the command will be displayed in the command prompt<br />
window.<br />
8.1.2.4 Command Line Syntax<br />
dpadadmin checkschema [-domain domain_name] [-u user_name [-p password]] [-q]<br />
Option | Description<br />
-domain | Name of the Domain in which you wish to check the Schema extensions. This option may be omitted if the command is run directly on a machine belonging to that Domain.<br />
-u | User name of a Domain Administrator in this Domain. This option may be omitted if you are logged into the machine as that Domain Administrator when you run the command.<br />
-p | Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain Administrator or if they have a blank password.<br />
-q | Quiet mode, will not output commentary text.<br />
Table 24: DPADadmin checkschema Command Line Options<br />
DPADadmin checkschema Command Sample<br />
dpadadmin checkschema -domain mdd.vasco.com -u mdd_admin -p mdd_password<br />
8.1.3 Set Up <strong>Digipass</strong> Configuration Container in Domain<br />
This command sets up the <strong>Digipass</strong> Configuration Container in the specified domain.<br />
8.1.3.1 Prerequisite <strong>In</strong><strong>for</strong>mation<br />
Domain <strong>Administrator</strong><br />
You must be logged into the machine as a Domain Admin in the target domain.<br />
8.1.3.2 Set Up <strong>Digipass</strong> Configuration Container<br />
1. Log into the machine as a Domain <strong>Administrator</strong> in that Domain.<br />
2. Copy dpadadmin.exe onto the machine and open a command prompt in the location<br />
to which it was copied.<br />
3. Type:<br />
dpadadmin setupdomain -config<br />
The progress and success/failure of the command will be displayed in the command prompt<br />
window.<br />
8.1.3.3 Command Syntax<br />
dpadadmin setupdomain [-config] [-domain domain_name] [-q]<br />
Option | Description<br />
-config | OPTIONAL. Specifies that this is the Digipass Configuration Domain, so the Digipass-Configuration container must be created.<br />
-domain | OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the domain to which the current machine belongs will be used.<br />
-q | OPTIONAL. Specifies that quiet mode should be used.<br />
Table 25: DPADadmin setupdomain Command Line Options<br />
DPADadmin setupdomain Command Sample<br />
dpadadmin setupdomain -config -q<br />
8.1.4 Assign <strong>Digipass</strong> Permissions to a Group<br />
This command assigns <strong>Digipass</strong>-specific permissions to a Windows group, applicable at the<br />
domain root and downwards. The permissions assigned are:<br />
Full read access to everything in the domain<br />
Full control over vasco-DPToken objects<br />
Full control over vasco-DPApplication objects<br />
Full write access to vasco-UserExt auxiliary objects<br />
8.1.4.1 Pre-requisites<br />
You must be logged into the machine as a Domain Admin in the target domain.<br />
8.1.4.2 Command Syntax<br />
dpadadmin.exe setupaccess -group group_name [-domain domain_name] [-q] [-c]<br />
Option | Description<br />
-group | MANDATORY. Specify the name of the group to assign the permissions. Double-quotes are required if there are any spaces.<br />
-domain | OPTIONAL. Specify the fully-qualified domain name for the domain to which the group or user belongs. If omitted, the domain to which the current machine belongs will be used.<br />
-q | OPTIONAL. Specify that quiet mode should be used.<br />
-c | OPTIONAL. Add the local computer to the group named.<br />
Table 26: DPADadmin setupaccess Command Line Options<br />
DPADadmin setupaccess Command Sample<br />
dpadadmin.exe setupaccess -group "RAS and IAS Servers" -q<br />
9 Login Options<br />
9.1 Login Permutations<br />
The in<strong>for</strong>mation required to be entered during a login will vary according to the configuration<br />
settings of the relevant Policy, the login method, and any actions to be per<strong>for</strong>med during the<br />
login.<br />
Login Methods<br />
The login methods specified are:<br />
Response Only<br />
Challenge/Response<br />
Virtual <strong>Digipass</strong> - Primary or Backup<br />
Login Actions<br />
A User may be allowed to do these things during a login:<br />
Set their Server PIN – on first use or after a PIN reset.<br />
Change their Server PIN.<br />
<strong>In</strong><strong>for</strong>m the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> that their static password <strong>for</strong> the back-end authenticator – eg.<br />
Windows - has been modified.<br />
Per<strong>for</strong>m a Self-Assignment <strong>for</strong> a <strong>Digipass</strong> in their possession.<br />
Login Variables<br />
The variables which a User may need to enter, in order to do one of the above functions are<br />
listed below. The code or word used to designate each variable in the following tables is<br />
included in brackets.<br />
One Time Password (OTP)<br />
Password (Password)<br />
Server PIN (PIN)<br />
Serial Number of their <strong>Digipass</strong> (Serial No)<br />
Serial Number Separator (Sep.)<br />
Request Keyword (Keyword)<br />
Policy Settings<br />
The Policy settings which will affect the variables required in logins are:<br />
Stored Password Proxy<br />
If this attribute is set to Enabled, each User's password must be kept up to date in the IAS Plug-In. This is typically achieved by enabling Password Autolearn.<br />
Serial Number Separator<br />
If a Serial Number Separator is specified, the User may enter their Digipass serial number exactly as it appears on the back of their Digipass (or in the documentation provided to the User), including dashes. If a Serial Number Separator is not specified, the Digipass serial number must be padded to 10 characters, with all non-numerical characters removed.<br />
Back-End Authentication<br />
<strong>In</strong> the following login permutations tables, 'Back-End Authentication Required' means<br />
that the Back-End Auth. attribute is set to Always or If Needed.<br />
Password Autolearn<br />
If the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> is in<strong>for</strong>med of a User's password change, the new password will only<br />
be recorded by the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> if Password Autolearn is enabled in the relevant Policy.<br />
9.1.1 Response Only - PAP<br />
Login Type | Existing PIN? | Serial Number Separator? | Password Field Contents (Stored Password Proxy On OR No Back-End Authentication) | Password Field Contents (Stored Password Proxy Off AND Back-End Authentication Required)<br />
Server PIN Required:<br />
Normal login | Yes | N/A | PIN+OTP | Password+PIN+OTP<br />
Set PIN | No | N/A | OTP+NewPIN+NewPIN | Password+OTP+NewPIN+NewPIN<br />
Change PIN | Yes | N/A | PIN+OTP+NewPIN+NewPIN | Password+PIN+OTP+NewPIN+NewPIN<br />
Changed Password | Yes | N/A | Password+PIN+OTP | Password+PIN+OTP<br />
Set PIN and Changed Password | No | N/A | Password+OTP+NewPIN+NewPIN | Password+OTP+NewPIN+NewPIN<br />
Change PIN and Changed Password | Yes | N/A | Password+PIN+OTP+NewPIN+NewPIN | Password+PIN+OTP+NewPIN+NewPIN<br />
Self-Assignment (1) | Yes | Yes | SerialNo+Sep.+Password+PIN+OTP | SerialNo+Sep.+Password+PIN+OTP<br />
Self-Assignment (1) | Yes | No | SerialNo+Password+PIN+OTP | SerialNo+Password+PIN+OTP<br />
Self-Assignment (1) | No | Yes | SerialNo+Sep.+Password+OTP+NewPIN+NewPIN | SerialNo+Sep.+Password+OTP+NewPIN+NewPIN<br />
Self-Assignment (1) | No | No | SerialNo+Password+OTP+NewPIN+NewPIN | SerialNo+Password+OTP+NewPIN+NewPIN<br />
No Server PIN Required:<br />
Normal login | N/A | N/A | OTP | Password+OTP<br />
Changed Password | N/A | N/A | Password+OTP | Password+OTP<br />
Self-Assignment (1) | N/A | Yes | SerialNo+Sep.+Password+OTP | SerialNo+Sep.+Password+OTP<br />
Self-Assignment (1) | N/A | No | SerialNo+Password+OTP | SerialNo+Password+OTP<br />
Table 27: Login Permutations - Response Only PAP<br />
(1) If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes.<br />
Examples<br />
Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator set to '::':<br />
3-179-0987::pA192ss086382012341234<br />
Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number Separator set:<br />
0031790987pA192ss0863820<br />
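The password-field layouts of Table 27 and the serial-number rule of footnote (1) in code, as an added example written for this edit (not VASCO code): normalizeSerial applies the no-separator rule, and passwordField assembles the field for a given login type from the login variables of 9.1, choosing the left- or right-hand column of Table 27 according to whether Stored Password Proxy is off and Back-End Authentication is required. The function names and the shape of the options object are assumptions; the two Self-Assignment cases reproduce the page's own GO 1 and GO 3 examples.<br />

```javascript
// Added example, not VASCO code: Table 27 (Response Only, PAP) as a string builder.
// The login variables use the names of 9.1: OTP, Password, PIN, Serial No, Sep.

// Footnote 1: with no Serial Number Separator configured, remove every non-numerical
// character from the serial number and pad it to 10 characters with preceding zeroes.
function normalizeSerial(serialNo) {
  const digits = serialNo.replace(/\D/g, "");
  if (digits.length === 0 || digits.length > 10) {
    throw new Error(`serial number "${serialNo}" does not reduce to 1-10 digits`);
  }
  return digits.padStart(10, "0");
}

// vars: { otp, password, pin, newPin, serialNo } (only those the login type needs)
// opts (assumed shape):
//   pinRequired      - the Policy requires a Server PIN (upper half of Table 27)
//   existingPin      - the user already has a Server PIN ("Existing PIN?" column)
//   separator        - the Serial Number Separator, or null if none is configured
//   passwordRequired - Stored Password Proxy Off AND Back-End Authentication Required
//                      (right-hand column); false selects the left-hand column
function passwordField(loginType, vars, opts) {
  const { pinRequired, existingPin = pinRequired, separator = null, passwordRequired = false } = opts;
  const twiceNewPin = [vars.newPin, vars.newPin];
  const parts = [];

  switch (loginType) {
    case "Normal login":
      if (passwordRequired) parts.push(vars.password);
      if (pinRequired) parts.push(vars.pin);
      parts.push(vars.otp);
      break;
    case "Set PIN": // first use or after a PIN reset, so no existing PIN is entered
      if (passwordRequired) parts.push(vars.password);
      parts.push(vars.otp, ...twiceNewPin);
      break;
    case "Change PIN":
      if (passwordRequired) parts.push(vars.password);
      parts.push(vars.pin, vars.otp, ...twiceNewPin);
      break;
    case "Changed Password": // the new static password leads in both columns
      parts.push(vars.password);
      if (pinRequired) parts.push(vars.pin);
      parts.push(vars.otp);
      break;
    case "Set PIN and Changed Password":
      parts.push(vars.password, vars.otp, ...twiceNewPin);
      break;
    case "Change PIN and Changed Password":
      parts.push(vars.password, vars.pin, vars.otp, ...twiceNewPin);
      break;
    case "Self-Assignment": // identical in both columns
      parts.push(separator ? vars.serialNo + separator : normalizeSerial(vars.serialNo), vars.password);
      if (!pinRequired) parts.push(vars.otp);
      else if (existingPin) parts.push(vars.pin, vars.otp);
      else parts.push(vars.otp, ...twiceNewPin);
      break;
    default:
      throw new Error(`unknown login type: ${loginType}`);
  }
  if (parts.some((v) => v === undefined || v === "")) {
    throw new Error(`login type "${loginType}" needs a variable that was not supplied`);
  }
  return parts.join("");
}
```

Because the field is a plain concatenation, the Plug-In can only split it correctly when the OTP and PIN lengths are fixed; a help desk that documents which login type a user is performing and in which column their Policy falls can reproduce the expected field exactly with this builder.<br />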
9.1.2 Response Only – CHAP/MS-CHAP<br />
The table below assumes that Stored Password Proxy is enabled, or Backend Authentication is<br />
not in use.<br />
Login Type | Server PIN Required? | Password Field Contents<br />
Normal login | Yes | PIN+OTP<br />
Normal login | No | OTP<br />
Table 28: Login Permutations - Response Only CHAP<br />
9.1.3 Challenge/Response

Challenge/Response is supported with PAP only.

| Login Type | Serial Number Separator? | Request Method | Stored Password Proxy Off AND Back-End Auth. Required | Password Field Contents: 2-Step Pre-Challenge | Password Field Contents: 2-Step Response |
|---|---|---|---|---|---|
| Normal login | N/A | Keyword | Yes | Keyword | Password+OTP |
| Normal login | N/A | Keyword | No | Keyword | OTP |
| Normal login | N/A | Password | N/A | Password | OTP |
| Normal login | N/A | Keyword-Password | N/A | Keyword+Password | OTP |
| Normal login | N/A | Password-Keyword | N/A | Password+Keyword | OTP |
| Changed Password | N/A | Keyword | N/A | Keyword | Password+OTP |
| Changed Password | N/A | Password | N/A | Password | OTP |
| Changed Password | N/A | Keyword-Password | N/A | Keyword+Password | OTP |
| Changed Password | N/A | Password-Keyword | N/A | Password+Keyword | OTP |
| Self-Assignment² | Yes | N/A | N/A | SerialNo+Sep.+Password | OTP |
| Self-Assignment² | No | N/A | N/A | SerialNo+Password | OTP |

Table 29: Login Permutations – Challenge/Response

² If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes.
9.1.4 Virtual Digipass

| Login Type | Request Method | 2-step login³: Step 1 | 2-step login³: Step 2 | Two 1-step logins⁴: Step 1 | Two 1-step logins⁴: Step 2 |
|---|---|---|---|---|---|
| Normal login | Keyword | Keyword | Password+OTP | Keyword | Password+OTP |
| Normal login | Password | Password | OTP | Password | Password+OTP |
| Normal login | Keyword-Password | Keyword+Password | OTP | Keyword+Password | Password+OTP |
| Normal login | Password-Keyword | Password+Keyword | OTP | Password+Keyword | Password+OTP |
| Changed Password | Keyword | Keyword | Password+OTP | Keyword | Password+OTP |
| Changed Password | Password | Password | OTP | Password | Password+OTP |
| Changed Password | Keyword-Password | Keyword+Password | OTP | Keyword+Password | Password+OTP |
| Changed Password | Password-Keyword | Password+Keyword | OTP | Password+Keyword | Password+OTP |

Table 30: Login Permutations – Virtual Digipass

³ 2-step logins are compatible with PAP only.
⁴ Two 1-step logins may be used with any protocol compatible with the Digipass Plug-In for IAS.
10 Configuration Settings

10.1 IAS Plug-In

10.1.1 Configuration GUI

A Graphical User Interface (GUI) is available for use in configuring the IAS Plug-In. To open the IAS Plug-In Configuration GUI, click on the Start Button and select Programs -> VASCO -> Digipass Plug-In for IAS Configuration.

10.1.1.1 Enable IAS Plug-In

Enable the plug-in within IAS.
1. Tick the Enabled checkbox.
2. Click on Apply.

10.1.1.2 Allow Passthrough

Allow the IAS Plug-In to pass the static password to IAS for checking after it has checked the One Time Password. This option is not required for typical usage.
1. Tick the Allow Passthrough checkbox.
2. Click on Apply.

10.1.1.3 Set Component Location

1. Enter the location of the IAS Plug-In Component which will be generating audit messages in the Component Location field.
2. Click on Apply.

10.1.1.4 Library Path

The Library Path setting tells the IAS Plug-In where to find the LDAP library file.
1. Enter the path and name of the LDAP library file (typically \bin).
2. Click on Apply.

10.1.1.5 Turn Tracing On or Off

1. Select a Tracing option.
2. To send tracing output to a text file, enter a path and filename for the tracing file into the File Name field. The file path entered must be the full absolute path.
3. Click on the Apply button.

Note
If the File Name field is left blank or the file path does not exist, the IAS Plug-In will not output tracing. If the file does exist, tracing will be appended to the file. If the path is valid but the file does not exist, it will be created.
10.1.1.6 Active Directory Settings

To view Active Directory settings, open the configuration GUI and click on the Active Directory tab.

Configuration Domain

The configuration domain is the main Active Directory domain which the IAS Plug-In should use for User authentications, and the domain in which the Digipass Configuration Container is located. This domain will be set automatically during the Digipass Plug-In for IAS installation.

To set the default domain:
1. Click on the Edit... button next to the Configuration Domain field. The Domain window will be displayed.
2. Enter the fully qualified domain name for the configuration domain into the Name field.
3. If required, enter the name of the server in the domain to which the IAS Plug-In should connect, in the Preferred Server field.
4. Tick the Preferred Server Only checkbox to limit the IAS Plug-In to connecting only to that server in the configuration domain.
5. Enter the server port to use in making encrypted connections (SSL) to the configuration domain into the Encrypted Server Port field.
6. Enter the server port to use in making unencrypted connections to the configuration domain into the Unencrypted Server Port field.
7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the IAS Plug-In to Active Directory, or leave the checkbox unticked to leave the connection unencrypted. Note that SSL is not used when the IAS Plug-In is on a Domain Controller and connects to Active Directory using that.
8. Enter the maximum amount of time (in minutes) that the IAS Plug-In should stay connected to a server before re-synching in the Max Bind Lifetime field.
9. Click on OK.
10. Click on Apply.

Domains List

The Domains list contains the names of all other domains that the IAS Plug-In may need to use in User authentications. Note that this list is only needed if you wish to configure how the IAS Plug-In will connect to the other domains – if a domain is not in the list, it will still try to connect to it.

Add a Domain

To add a domain to the Domains List:
1. Click on the Add... button. The Domain window will be displayed.
2. Enter the fully qualified domain name for the domain into the Name field.
3. If required, enter the name of the server in the domain to which the IAS Plug-In should connect, in the Preferred Server field.
4. Tick the Preferred Server Only checkbox to limit the IAS Plug-In to connecting only to that server in the domain.
5. Enter the server port to use in making encrypted connections (SSL) to the domain into the Encrypted Server Port field.
6. Enter the server port to use in making unencrypted connections to the domain into the Unencrypted Server Port field.
7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the IAS Plug-In to Active Directory, or leave the checkbox unticked to leave the connection unencrypted.
8. Enter the maximum amount of time (in minutes) that the IAS Plug-In should stay connected to a server in the domain before re-synching in the Max Bind Lifetime field.
9. Click on OK.
10. Click on Apply.

Modify a domain record in the Domains List

To modify information for a domain in the Domains List:
1. Select the domain to be modified from the Domains List.
2. Click on the Edit... button.
3. Modify the required information.
4. Click on OK.
5. Click on Apply.

Delete a domain record from the Domains List

To remove a domain record from the Domains List:
1. Select the domain to be deleted from the Domains List.
2. Click on the Delete button.
3. The record will be deleted.

Auditing

To configure auditing for the IAS Plug-In, add at least one auditing plug-in to the Methods list. To view or edit auditing settings, click on the Auditing tab in the Configuration GUI.

Add an Audit Method

1. Click on the Add... button.
2. Select a Plug-in type from the drop down list.
3. Click on OK. The Plugin window will be displayed.
4. Enter a name to use for display purposes in the Display Name field.
5. Tick the Enabled checkbox to enable auditing to this plug-in.
6. Tick the Fail on Error checkbox if you want the IAS Plug-In to return an error if it fails to record an auditing message.
7. Tick the Unhandled Only checkbox if messages should only be logged by this auditing plug-in if they have not been previously logged by any other plug-in.
8. Select one or more audit message types to be logged by this plug-in:
    Error
    Warning
    Information
    Success
    Failure
9. Enter other required information.
10. Click on OK.
11. Click on Apply.

Edit an Audit Method

1. Select an auditing plug-in from the Methods list.
2. Click on the Edit... button. The Plug-In window will be displayed.
3. Make the required changes.
4. Click on OK.
5. Click on Apply.

Delete an Audit Method

1. Select an auditing plug-in from the Methods list.
2. Click on the Delete button. The record will be deleted.

10.1.1.7 Data Encryption

See 2.4 Sensitive Data Encryption for more information on encryption in the IAS Plug-In.

To modify encryption settings for the IAS Plug-In:
1. Click on the Active Directory tab.
2. Click on Configure Encryption Settings. The Configure Encryption Settings window will be displayed.
3. Enter the custom encryption key in the Storage Key field.
4. Select an encryption algorithm from the Cipher Name drop down list.
5. Click on OK.

Export Encryption Settings

1. Click on the Active Directory tab.
2. Click on Configure Encryption Settings. The Configure Encryption Settings window will be displayed.
3. Click on Export...
4. Browse to the desired directory.
5. Enter a file name to export the settings to.
6. Click on OK.
7. Enter a password.
8. Click on OK.

Import Encryption Settings

1. Click on the Active Directory tab.
2. Click on Configure Encryption Settings. The Configure Encryption Settings window will be displayed.
3. Click on Import...
4. Browse to the encryption settings file.
5. Click on OK.
6. Enter the required password.
7. Click on OK.
10.1.2 Configuration File

The Configuration GUI for the IAS Plug-In writes to an .xml file named dpiasext.xml in the install/bin directory. It is possible to edit this file directly instead of using the Configuration GUI, but this is not recommended.

Example Configuration File
10.2 MDC

10.2.1 Required Information

To configure gateway settings you will need:

Gateway details:
    Protocol to use in connecting to the gateway.
    An address string and port to use in connecting to the gateway.
    The path and filename of a certificate file, if required.
    The required Query String.
    The Query Method (GET or POST) required by the gateway.
OR
    A customized configuration file ordered from your VASCO supplier. This will need to be imported using the Configuration GUI.
Username and password for the gateway account.

10.2.2 MDC Configuration GUI

A Graphical User Interface (GUI) is available for use in configuring the MDC. To open the MDC Configuration GUI, click on the Start Button and select Programs -> VASCO -> Digipass Plug-In for IAS -> Message Delivery Component Configuration.

Note
The MDC must be restarted after any change is made in the Configuration GUI.

10.2.2.1 Set IAS Server Connection Details

Set the IAS Server IP address and port.
1. Modify the Server IP Address if needed.
2. Change the Port number for the server if needed.

10.2.2.2 Modify Gateway Account Login Details

The MDC needs a Username and password for the gateway in order to send text messages through it.
1. Modify the Username if needed.
2. Change the Password and Confirm Password fields if required. The Password and Confirm Password fields must contain identical data.
10.2.2.3 Configure Internet Connection Details

Enable or disable the use of an HTTP Proxy and enter details if required.
1. Enable or disable the use of the HTTP Proxy by ticking or clearing the Use HTTP Proxy checkbox.
2. If required, enter an IP address, port and timeout for the HTTP Proxy.
3. Enter a maximum number of internet connections to allow in the Max. Connections field.

10.2.2.4 Configure Tracing

The MDC makes use of a trace file to record information about events that occur on the system, for use in troubleshooting. This could include generic information, changing conditions, or problems and errors that have been encountered. The level of tracing that the MDC employs depends on its configuration settings.

Caution
Enabling Full Tracing should only be done for troubleshooting purposes. There are no limits set on the size of the tracing file, so if the option is left on too long on a high-load system the file may dramatically slow down or crash Windows, due to excessive I/O or filling up the hard drive. This is not highly likely for MDC, but should be considered.

Because there are no size limitations set on the trace file, it is not recommended that you have tracing permanently enabled. If your system is set up with Basic Tracing always enabled, ensure that the file size does not cause problems by deleting or archiving it whenever it gets too large.

Basic tracing includes:
    Critical error/warning messages [CRITC]
    Major error/warning messages [MAJOR]
    Minor error/warning messages [MINOR]
    Configuration messages [CONFG]

Full tracing includes:
    Critical error/warning messages [CRITC]
    Major error/warning messages [MAJOR]
    Minor error/warning messages [MINOR]
    Configuration messages [CONFG]
    Informational messages [INFOR]
    Data tracing messages [DATA]
    Debugging messages (useful for support purposes) [DEBUG]
    Security messages, messages that may contain security sensitive data [SECUR]
Turn Tracing On or Off

1. Select a Tracing option.
2. If you have selected Basic Tracing or Full Tracing, enter a path and filename for the tracing file into the File Name field. The file path entered must be the full absolute path.

Note
If the File Name field is left blank or the file path does not exist, the MDC will not output tracing. If the file does exist, tracing will be appended to the file. If it does not exist, it will be created.

10.2.2.5 Import HTTP Gateway settings

Import a customized configuration file ordered from your VASCO supplier, containing the configuration details for your gateway needed by the MDC.
1. Click on the Gateway Settings tab.
2. Enter a name for the gateway.
3. Click on Import Settings.
4. Select a file from the Browse window.
5. Click on OK. The import progress will be displayed.
6. Click on OK.

10.2.2.6 Edit Advanced Settings

1. Click on the Gateway Settings tab.
2. Ensure that the Edit Advanced Settings checkbox is ticked.
3. Select a protocol to use in connecting to the gateway from the Protocol drop down list (typically HTTP).
4. Enter an address string to use in connecting to the gateway in the Address field.
5. Enter a port in the Port field (typically 80 for HTTP connections).
6. Enter the path and filename of a certificate file if required.
7. Modify the Query String field if required.
    Example Query String:
    username=[acc_user]&password=[acc_pwd]&device=[otp_dest]&network=tgsm&message=[otp_msg]
8. Select a Query Method according to what the gateway requires (typically POST).

10.2.2.7 Export HTTP Gateway settings

Once you have entered the necessary gateway configuration information into the Configuration GUI, you may wish to export the settings into a file for backup purposes or to transfer to another IAS server.
1. Click on the Gateway Settings tab.
2. Ensure that the Edit Advanced Settings checkbox is ticked.
3. Click on Export Settings.
4. Select a directory from the Browse window.
5. Enter a filename.
6. Click on OK. The export progress will be displayed.

10.2.2.8 Gateway Result Pages

A result page is returned by the gateway service when a text message is submitted by the GET or POST methods. This page would normally be an HTML formatted page containing specific error codes and/or additional messages for success/failure.

Result messages are generally categorized into three types:

Information
    Success of message delivery (the message has been accepted by the server).

Warning
    The submission/delivery failed, but it is most likely a specific error only affecting this User. The User's login will fail on the first step. Possible causes are:
        Phone number invalid
        Temporary gateway failure

Error
    Error(s) occurred while attempting delivery. This means that the delivery failed for a particular User, but the error might be affecting all Users. In this case, the User's login will fail immediately. Possible such errors are:
        Account data incorrect (Account User or password wrong)
        Account credit expired (for a pre-paid gateway account)
        Communication error with gateway (network error)
        Other permanent gateway errors

Audit Console Logging

A gateway result page can be recognized by key words and phrases, and an alternate message created for logging to the audit console whenever the result is received. Variables can be extracted from the result page and used in the log message to provide extra information.

Result Page Rules

The result page rule patterns use the following syntax:
<text> [Var-Name1] <text> [] <text> [Var-Name2] …
Where the template is constructed in the following way:

<text>: a character string which must be matched in the page returned by the gateway. Note that multiple <text> segments can appear in a single template, but they must not be overlapping. Matching is case-sensitive.

[]: Omits a variable part of the result page between two <text> segments, when matching a template. This can be useful to ignore arbitrary data or time/date data in the returned web page.

[Var-Namex]: Describes a segment of the result page between two <text> segments or at the end of the result page, which will be written to a variable. Usually this will be data that can provide more detailed information why a particular message submission has failed. The variable name inside the [] brackets can then be used as part of the audit message template to create a meaningful message.

Example

If the server returns the following result page
“Submission successful at 10:00, 11/11/02, status: 00 - message delivery in progress.”
for successful transmission, or
“Submission unsuccessful at 10:05, 11/11/02, status: 47 – number too short”
for an unsuccessful submission, then the following result page rules can be configured:

Message Rule Name: Success
Message Rule Pattern: successful at [DateTime], status: [Status] – [Message]
Variables retrieved: DateTime, Status, Message

Message Rule Name: Warning
Message Rule Pattern: unsuccessful at [DateTime], status: 47 – [Message]
Variables retrieved: DateTime, Message

Message Rule Name: Error
Message Rule Pattern: unsuccessful at [DateTime], status: [status] – [Message]
Variables retrieved: DateTime, Status, Message

No Match Available
If no Rule matches a Result page returned, an error will be logged to the Audit Console, reporting that the result page returned from the gateway could not be matched.

Ordering Rules
The order of the result page templates in the configuration data can be used to match more specific messages first and finally catch any “other” message which the gateway might send.

Audit message template

Once a result page template is matched, a corresponding audit message is constructed with the variables retrieved from the result page rule.

The message template uses the following syntax:
<text> [Var-Name1] <text> [Var-Name2] …

<text>: a character string which will appear literally in the constructed audit message.

[Var-Namex]: Variable which is derived from the matched variables from the corresponding result page template.

The following variables are predefined and can be used in the audit message template:

| Variable | Description |
|---|---|
| [otp_dest] | The destination address (a mobile phone number) the OTP was sent to. |
| [otp_msg] | The message that was submitted. This variable will also contain the OTP, so should not be used for the construction of audit messages. |
| [acc_user] | Account name for the gateway. Not recommended for use in audit messages. |
| [acc_pwd] | Account password for the gateway. Not recommended for use in audit messages. |
| [Username] | The User ID of the User requesting the OTP. |

Table 31: MDC Audit Message Variables

Examples of variable use:
Insufficient credit on account [acc_user] when sending to [username]
Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message]
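The added Python example below (not MDC code) implements the query string placeholder expansion of 10.2.2.6 together with the result page rule matching and audit message construction described in 10.2.2.8; the rule set, sample pages, the percent-encoding of query values and the redaction of [otp_msg] and [acc_pwd] in audit messages are assumptions of the example. Its constructed rules use a plain hyphen throughout, and the Success pattern keeps the word before "successful", because a case-sensitive partial match of "successful at" would otherwise also be found inside "unsuccessful".

```python
"""Gateway query string expansion (10.2.2.6), result page rule matching and
audit message construction (10.2.2.8). Added example, not MDC code: names,
encoding choices and sample data are assumptions."""
import re
from urllib.parse import quote

# Table 31: these variables carry secrets and must never reach an audit message.
BLOCKED_IN_AUDIT = {"otp_msg", "acc_pwd"}

# [Name] captures a variable, [] skips arbitrary text; names may contain '-'.
TOKEN_RE = re.compile(r"\[([A-Za-z0-9_-]*)\]")


def expand_query_string(template, variables):
    """Fill [var] placeholders in the gateway query string. Values are
    percent-encoded so a '&' inside user data cannot add parameters
    (assumption: the page does not describe the MDC's own encoding)."""
    def repl(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(f"unknown query string variable [{name}]")
        return quote(variables[name], safe="")
    return TOKEN_RE.sub(repl, template)


def compile_rule_pattern(pattern):
    """Result page rule pattern -> (case-sensitive regex, variable names).
    Literal text must match exactly, down to the dash character the gateway
    really sends; [] is a lazy wildcard; a [Name] followed by more text is
    lazy, a trailing [Name] runs to the end of the page."""
    regex, names, pos = [], [], 0
    for m in TOKEN_RE.finditer(pattern):
        regex.append(re.escape(pattern[pos:m.start()]))
        name = m.group(1)
        if name == "":
            regex.append("(?:.*?)")
        else:
            names.append(name)
            regex.append("(.*)" if m.end() == len(pattern) else "(.*?)")
        pos = m.end()
    regex.append(re.escape(pattern[pos:]))
    return re.compile("".join(regex), re.DOTALL), names


class ResultRule:
    def __init__(self, name, level, pattern, message_template):
        self.name, self.level, self.template = name, level, message_template
        self.regex, self.var_names = compile_rule_pattern(pattern)

    def match(self, page):
        m = self.regex.search(page)  # partial match anywhere in the page
        if m is None:
            return None
        return {n: v.strip() for n, v in zip(self.var_names, m.groups())}


def match_result_page(page, rules):
    """Try rules in configuration order (specific first, catch-all last)."""
    for rule in rules:
        captured = rule.match(page)
        if captured is not None:
            return rule, captured
    return None, {}


def build_audit_message(template, variables):
    """Fill the audit message template; secret-bearing variables are
    redacted instead of being copied to the Audit Console."""
    def repl(m):
        name = m.group(1)
        if name in BLOCKED_IN_AUDIT:
            return "[redacted]"
        return variables.get(name, m.group(0))  # unknown names stay literal
    return TOKEN_RE.sub(repl, template)


# Constructed rule set. A plain hyphen is used throughout, and the Success
# rule keeps the preceding word: a bare "successful at [DateTime]" pattern
# would also be found inside "unsuccessful" and log a failure as a success.
RULES = [
    ResultRule("Success", "Information",
               "Submission successful at [DateTime], status: [Status] - [Message]",
               "OTP accepted for [Username]/[otp_dest] at [DateTime]: [Message]"),
    ResultRule("Warning", "Warning",
               "unsuccessful at [], status: 47 - [Message]",
               "OTP not sent to [Username]/[otp_dest]. Gateway reported: [Message]"),
    ResultRule("Error", "Error",
               "unsuccessful at [DateTime], status: [Status] - [Message]",
               "Gateway error [Status]: [Message]"),
]

# Constructed sample values for the predefined variables of Table 31.
PREDEFINED = {"otp_dest": "+32470000000", "otp_msg": "Your code is 123456",
              "acc_user": "mdc-account", "acc_pwd": "s3cret", "Username": "jdoe"}
QUERY_TEMPLATE = ("username=[acc_user]&password=[acc_pwd]&device=[otp_dest]"
                  "&network=tgsm&message=[otp_msg]")


def process_result_page(page, rules=RULES, predefined=PREDEFINED):
    """Return (rule name, level, audit message) for one gateway result page;
    an unmatched page is itself reported as an error, as in 10.2.2.8."""
    rule, captured = match_result_page(page, rules)
    if rule is None:
        return ("NoMatch", "Error",
                "Result page returned from the gateway could not be matched")
    variables = {**predefined, **captured}
    return rule.name, rule.level, build_audit_message(rule.template, variables)
```

Calling process_result_page() on each sample page in turn yields Success, Warning, Error and NoMatch outcomes, and expand_query_string(QUERY_TEMPLATE, PREDEFINED) shows the encoded query the MDC would submit.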
Modify a Gateway Result Message Rule

Ensure that the Edit Advanced Settings checkbox on the Gateway Settings tab is ticked.
1. Click on the Gateway Results tab.
2. Select a Rule to modify.
3. Click on Edit.
4. Make any required changes.
5. Click on OK.
Add a Gateway Result Message Rule

1. Click on the Gateway Results tab.
2. Click on Add.
3. Enter a descriptive name for the Rule in the Description field.
4. Enter the full text or a partial match of the text displayed by the gateway in the Matching Pattern field.
5. Select an Audit Message Level for the Rule. Each level of message will be displayed with a different color background in the Audit Console:
    Info – normal
    Warning – yellow
    Error – red
6. Enter the message text you wish the User to see into the Message Text field.
7. Click on OK.
10.2.3 MDC Configuration File

The MDC Configuration GUI writes to an .xml file named MDCConfig.xml in the install/bin directory. It is possible to edit this file directly instead of using the MDC Configuration GUI.

Example Configuration File
Caution<br />
The configuration file is UTF-8 encoded. Do not add characters in any other encoding: if the file is not valid UTF-8 it will not load.<br />
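The following PowerShell script is an added example and is not part of the VASCO product or its documentation. It loads an MDCConfig.xml, checks it against the constraints listed in 10.2.4 (port and connection ranges, the certificate requirement for https://, the four mandatory query-string variables, the Audit Message Level range) and against the UTF-8 requirement above, and dry-runs the Gateway Result rules against a sample gateway reply, substituting [Username], [otp_dest] and [message] as the default rule text in this chapter does. The XML element layout (a root MDCConfig element, one element per segment of the Option Name column, result rules as Results/Result01, Result02, ...) is an assumption, as is the case-insensitive substring interpretation of Matching Pattern; the page does not reproduce the real schema, so adapt the property paths to your own file. The sample configuration and replies are constructed for the example.<br />

```powershell
# Added example, not part of the VASCO product: check an MDCConfig.xml against
# the constraints of 10.2.4 and dry-run the Gateway Result rules.
# ASSUMED layout: root <MDCConfig>, one element per segment of the Option Name
# column (Server/IP -> <Server><IP>), rules as <Results><Result01>...; adapt the
# property paths below to the real file, which this page does not reproduce.

function Test-Utf8File([string]$Path) {
    # The MDC loads only valid UTF-8; a throwing decoder locates bad bytes.
    $strict = New-Object System.Text.UTF8Encoding($false, $true)
    try { [void]$strict.GetString([IO.File]::ReadAllBytes($Path)); $true }
    catch [System.Text.DecoderFallbackException] { $false }
}

function Get-IntSetting([string]$Value, [int]$Default) {
    if ([string]::IsNullOrWhiteSpace($Value)) { return $Default }
    return ($Value -as [int])                     # $null if the text is not an integer
}

function Test-InRange($n, [int]$Min, [int]$Max) { $null -ne $n -and $n -ge $Min -and $n -le $Max }

function Test-MdcConfig([xml]$Xml, [string]$BaseDir = '.') {
    $p = @()                                      # problems found
    $c = $Xml.MDCConfig
    if (-not $c.Server.IP) { $p += 'Server/IP is empty; it must match the licensed address.' }
    if (-not (Test-InRange (Get-IntSetting $c.Server.Port 20003) 1 65535)) { $p += 'Server/Port must be 1-65535.' }
    if ($c.Gateway.ProxyIP -and -not (Test-InRange (Get-IntSetting $c.Gateway.ProxyPort 0) 1 65535)) {
        $p += 'Gateway/ProxyPort (1-65535) is required when ProxyIP is set.'
    }
    if (-not (Test-InRange (Get-IntSetting $c.Gateway.MaxConnections 10) 1 100)) { $p += 'Gateway/MaxConnections must be 1-100.' }
    if (-not (Test-InRange (Get-IntSetting $c.Tracing.TraceMask 0) 0 2)) { $p += 'Tracing/TraceMask must be 0, 1 or 2.' }
    $method = if ($c.Gateway.HTTPMethod) { $c.Gateway.HTTPMethod } else { 'POST' }
    if ($method -notin @('GET', 'POST')) { $p += 'Gateway/HTTPMethod must be GET or POST.' }
    elseif ($method -eq 'GET') { $p += 'Warning: GET puts the gateway credentials and the OTP in the URL, hence in proxy/web logs.' }
    $url = [string]$c.Gateway.URL
    if ($url -notmatch '^https?://') { $p += 'Gateway/URL is required and must start with http:// or https://.' }
    elseif ($url -match '\[') { $p += 'Gateway/URL must not contain [variables]; they belong in HTTPQuery.' }
    if ($url -like 'http://*') { $p += 'Warning: plain http:// sends the gateway credentials and the OTP in clear.' }
    if ($url -like 'https://*') {
        $cert = [string]$c.Gateway.CertFile
        if (-not $cert -or -not (Test-Path (Join-Path $BaseDir $cert))) { $p += 'Gateway/CertFile must name an existing PEM CA file when https:// is used.' }
    }
    $q = [string]$c.Gateway.HTTPQuery
    foreach ($v in '[acc_user]', '[acc_pwd]', '[otp_msg]', '[otp_dest]') {
        if ($q.IndexOf($v, [StringComparison]::OrdinalIgnoreCase) -lt 0) { $p += "Gateway/HTTPQuery lacks the $v variable." }
    }
    foreach ($r in @($c.Results.ChildNodes | Where-Object NodeType -eq 'Element')) {
        $mt = Get-IntSetting ($r.SelectSingleNode('MsgType').InnerText) 2
        if (-not (Test-InRange $mt 0 2)) { $p += "Results/$($r.LocalName)/MsgType must be 0-2." }
    }
    return $p
}

function Resolve-GatewayResult([xml]$Xml, [string]$Reply, [string]$Username, [string]$Destination) {
    $level = @{ 0 = 'INFO'; 1 = 'WARNING'; 2 = 'ERROR' }
    # Rules are tried in file order; the first Matching Pattern found in the reply wins
    # (case-insensitive substring match assumed).
    foreach ($r in @($Xml.MDCConfig.Results.ChildNodes | Where-Object NodeType -eq 'Element')) {
        $pattern = $r.SelectSingleNode('Pagematch').InnerText
        if ($pattern -and $Reply.IndexOf($pattern, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $text = $r.SelectSingleNode('Message').InnerText
            return [pscustomobject]@{
                Rule    = $r.SelectSingleNode('Name').InnerText
                Level   = $level[[int](Get-IntSetting ($r.SelectSingleNode('MsgType').InnerText) 2)]
                Message = $text.Replace('[Username]', $Username).Replace('[otp_dest]', $Destination).Replace('[message]', $Reply.Trim())
            }
        }
    }
    return $null                                  # no rule matched: nothing is audited for this reply
}

# Constructed sample configuration (placeholder values, not a real gateway).
$sample = [xml]@'
<MDCConfig>
  <Server><IP>10.0.0.5</IP><Port>20003</Port></Server>
  <Gateway>
    <ProxyIP></ProxyIP><ProxyPort></ProxyPort><Timeout>30</Timeout><MaxConnections>10</MaxConnections>
    <Description>Example SMS gateway</Description><HTTPMethod>POST</HTTPMethod>
    <URL>https://sms.example.invalid/send</URL>
    <HTTPQuery>user=[acc_user]&amp;pass=[acc_pwd]&amp;to=[otp_dest]&amp;text=[otp_msg]</HTTPQuery>
    <CertFile>.\curl-ca-bundle.crt</CertFile>
  </Gateway>
  <Tracing><TraceFile></TraceFile><TraceMask>0</TraceMask></Tracing>
  <Gateway-Acnt><Username>mdc</Username><Password>changeme</Password></Gateway-Acnt>
  <Results>
    <Result01><Name>Accepted</Name><Pagematch>OK</Pagematch><MsgType>0</MsgType>
      <Message>Message sent to User "[Username]"/[otp_dest].</Message></Result01>
    <Result02><Name>Refused</Name><Pagematch>ERROR</Pagematch><MsgType>2</MsgType>
      <Message>Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message]</Message></Result02>
  </Results>
</MDCConfig>
'@

$issues = Test-MdcConfig -Xml $sample -BaseDir $PWD
if (-not $issues) { 'No problems found.' } else { $issues | ForEach-Object { "ISSUE: $_" } }
Resolve-GatewayResult -Xml $sample -Reply 'OK: id=4711' -Username 'jsmith' -Destination '+32470000000'
Resolve-GatewayResult -Xml $sample -Reply 'ERROR 42: destination not allowed' -Username 'jsmith' -Destination '+32470000000'

# Live file: $f = 'C:\Program Files\VASCO\Digipass Plug-In for IAS\Bin\MDCConfig.xml'
# if (Test-Utf8File $f) { Test-MdcConfig -Xml ([xml](Get-Content -Raw $f)) -BaseDir (Split-Path $f) }
```

Run against the sample, the only issue reported is the missing .\curl-ca-bundle.crt (the sample URL is https://, so the certificate file must exist next to the configuration); the two dry runs show an INFO audit message for the accepted reply and an ERROR message carrying the gateway text for the refused one. Run the live-file lines from the Bin directory so that relative certificate paths resolve the way they do for the MDC service.<br />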
10.2.4 Configuration Settings<br />
The table below lists the options, their default values, and a brief explanation of each. Option names are given as section/setting paths; the name of the corresponding field in the MDC Configuration GUI follows in brackets.<br />
General tab<br />
Server/IP (GUI: Server IP Address). Default: none.<br />
The IP address of the local server. It must correspond with the licensing as well as with the IP address configured for the server. Data type: string holding a valid IPv4 address, or a hostname that can be resolved through DNS.<br />
Server/Port (GUI: Port). Default: 20003.<br />
The TCP port on which the local server listens. Must correspond with the IAS server settings. Data type: integer, valid port number (1-65535).<br />
Gateway/ProxyIP (GUI: Proxy IP). Default: none.<br />
IP address of the HTTP proxy used by the MDC to contact the HTTP gateway, for use when the firewall settings do not allow a direct connection. Empty: no proxy is used. Data type: string holding a valid IPv4 address.<br />
Gateway/ProxyPort (GUI: Port). Default: none.<br />
Port number on which to contact the HTTP proxy. Must be supplied if ProxyIP is set. Data type: integer, valid port number (1-65535).<br />
Gateway/Timeout (GUI: Proxy Timeout). Default: 30.<br />
Time in seconds that the MDC waits for a response from the HTTP gateway. Data type: integer.<br />
Gateway/MaxConnections (GUI: Max Connections). Default: 10.<br />
Maximum number of concurrent connections to the HTTP gateway. Data type: integer (1-100).<br />
Tracing/TraceFile (GUI: File Name). Default: none.<br />
The file that tracing output is written to. Empty: no tracing. Data type: string.<br />
Tracing/TraceMask (GUI: Tracing). Default: 0.<br />
How much tracing is done: 0 = no tracing, 1 = basic tracing, 2 = full tracing. Data type: integer.<br />
Gateway-Acnt/Username (GUI: Username, General tab). Default: none.<br />
The account username for the HTTP gateway. The value is substituted for the variable [acc_user] in the query string. Data type: string.<br />
Gateway-Acnt/Password (GUI: Password and Confirm Password, General tab). Default: none.<br />
The account password for the HTTP gateway. The value is substituted for the variable [acc_pwd] in the query string. Data type: string.<br />
Gateway Settings tab<br />
Gateway/Description (GUI: Gateway Name). Default: none.<br />
An informational field naming or describing the HTTP gateway. It can be set to describe a particular service, but is ignored by the MDC. Data type: string.<br />
Gateway/HTTPMethod (GUI: Query Method). Default: POST.<br />
The HTTP method, GET or POST, used to transfer account and message data to the HTTP/HTTPS gateway. Prefer POST: with GET the account credentials and the one-time password form part of the request URL and are likely to be recorded in proxy and web-server logs. Data type: string ("GET" or "POST").<br />
Gateway/URL (GUI: Protocol and Address). Default: none.<br />
Required parameter. The URL of the HTTP gateway. The address must not contain any variables, but it must contain the protocol identifier. Note: the protocol identifier "https://" can be used to SSL-encrypt the link between the MDC and the HTTP gateway; in that case a certificate file (CertFile) where the server certificates can be found must be specified. Use https:// whenever the gateway supports it, since the request carries the gateway account credentials and the one-time password. Data type: string.<br />
Gateway/HTTPQuery (GUI: Query String). Default: none.<br />
Required parameter. The query string submitted to the HTTP server, using POST or GET as specified by HTTPMethod. It must contain all variables expected by the HTTP gateway, including the following parameters, which the MDC fills in before submitting the query:<br />
[acc_user]: the account name for the gateway that is used to submit the message<br />
[acc_pwd]: the password for the gateway account given by [acc_user]<br />
[otp_msg]: the position in the query string where the OTP message is substituted<br />
[otp_dest]: the position in the query string where the destination for the OTP (usually the mobile phone number) is substituted<br />
The query string should also incorporate any other parameters the gateway expects. Data type: string.<br />
Gateway/CertFile (GUI: Certificate File). Default: .\curl-ca-bundle.crt.<br />
When the HTTPS protocol is used, the certificates in this file are the trust anchors used to verify the certificate presented by the message gateway, i.e. to authenticate the gateway before the encrypted session is negotiated. It can contain one or several CA certificates. The file must hold PEM-encoded X.509 certificates. It can be created by exporting the required Root CA from any browser (e.g. Internet Explorer) in Base-64 format, which is equivalent to PEM. The default bundle trusts every public CA it contains; a file holding only the CA that issued the gateway's certificate limits which servers could pass as the gateway. Data type: string.<br />
Gateway Results tab<br />
Each result rule is stored as a numbered section Results/Resultnn with the following settings.<br />
Results/Resultnn/Name (GUI: Description). Default: none.<br />
Name of this entry, as displayed by the MDC Configuration GUI. This field has no functional meaning. Data type: string.<br />
Results/Resultnn/Pagematch (GUI: Matching Pattern). Default: none.<br />
Template matched against the result page returned by the HTTP service. If this template matches, the corresponding audit message is composed and returned to the IAS Plug-In as an audit message. Data type: string.<br />
Results/Resultnn/MsgType (GUI: Audit Message Level). Default: 2.<br />
Type of message to appear in the audit log: 0 = INFO, informational message (login proceeds); 1 = WARNING, warning message (login fails); 2 = ERROR, error message (login fails). Data type: integer (0-2).<br />
Results/Resultnn/Message (GUI: Message Text). Default: none.<br />
Template for the audit message compiled and sent back to the IAS Plug-In. The message is returned as Information, Warning or Error depending on the MsgType setting in the same section. The template may include [variable] options. Data type: string.<br />
Table 32: Message Delivery Component Configuration Settings<br />
10.3 CGI<br />
See 7.2.1 Configuration Settings for VASCO CGI configuration settings and location.<br />
11 How to troubleshoot<br />
11.1 Enable Tracing<br />
1. Set the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> to tracing.<br />
2. Restart <strong>IAS</strong>.<br />
3. Attempt a login.<br />
4. Check the trace file for information on the start-up conditions of the IAS Plug-In and of<br />
the login attempt.<br />
Switch tracing off again once the problem has been found: the trace file records the details of every login attempt.<br />
11.2 <strong>In</strong>stallation Check<br />
The in<strong>for</strong>mation in this section will enable you to check that various files have been installed in<br />
the correct locations and registered (where required), and Windows registry entries have been<br />
created and the correct values inserted.<br />
11.2.1 <strong>In</strong>stallation Log File<br />
Check the log file created during the installation of the <strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong>. The log file<br />
should be found in \install.log.<br />
Example Log Entries<br />
File successfully created<br />
CreateDirectory: "C:\Program Files\VASCO\<strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong>\Bin" (1)<br />
File: overwriteflag=0, allowskipfilesflag=2, name="aal3ad30.dll"<br />
File: wrote 2416640 to "C:\Program Files\VASCO\<strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong>\Bin\aal3ad30.dll"<br />
DLL could not be registered<br />
Error registering DLL: Could not load dpmmccom.dll<br />
11.2.2 Check file placement<br />
<strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong><br />
File Name Location<br />
dpiasext.dll \Bin<br />
dpiasext.xml \Bin<br />
Administration MMC <strong>In</strong>terface<br />
dpmmc.dll \Bin<br />
dpmmcpol.dll \Bin<br />
dpmmccom.dll \Bin<br />
dpmmc.msc \Bin<br />
dpwxlib.dll \Bin<br />
Admin_MMC_<strong>In</strong>terface_Help.chm \Doc<br />
<strong>Digipass</strong> Extension <strong>for</strong> Active Directory Users and Computers<br />
dpextaduc.dll \Bin<br />
AD_Extension_Help.chm \Doc<br />
VACMAN Controller<br />
aal2sdk.dll \Bin<br />
Demo <strong>Digipass</strong><br />
demo.dpx \DPX<br />
demogo1.dpx<br />
demovdp.dpx<br />
CGI Configuration <strong>In</strong>terface<br />
dpcgicfg.exe \Bin<br />
User Self Management Web Site<br />
*.html \UserSite<br />
usercgi.exe \UserSite\CGI<br />
*.gif \UserSite\Images<br />
Message Delivery Component<br />
mdcserver.exe \Bin<br />
mdccfg.exe \Bin<br />
libcurl.dll \Bin<br />
libeay32.dll \Bin<br />
libssl32.dll \Bin<br />
mdcconfig.xml \Bin<br />
curl-ca-bundle.crt \Bin<br />
OTP Request Site<br />
*.html \VDPSite<br />
vdpcgi.exe \VDPSite\CGI<br />
*.gif \VDPSite\Images<br />
Version <strong>In</strong><strong>for</strong>mation<br />
version.txt <br />
Table 33: Required Files<br />
11.2.3 Registry Entries<br />
Paths shown as \Bin\... and \Doc\... are below the product install directory recorded in the InstallDirectory value.<br />
General<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\InstallDirectory<br />
Value: typically c:\program files\VASCO\Digipass Plug-In for IAS.<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\InstalledProducts\Digipass Plug-In for IAS<br />
Value: 1 (1 = installed, 0 = not installed). If the Pack has been incorrectly installed, the value will typically be missing rather than set to 0.<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\InstalledComponents\<br />
Check the recorded version numbers for the various components.<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\Digipass Plug-In for IAS\Version<br />
Value: 1.0.0. Version number of the Digipass Plug-In for IAS.<br />
IAS Plug-In<br />
HKE Y_LOCAL_MACHINE\System\CurrentControlSet\Services\AuthSrv\Parameters\ExtensionDLLs<br />
Value: \Bin\dpiasext.dll<br />
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AuthSrv\Parameters\AuthorizationDLLs<br />
Value: \Bin\dpiasext.dll<br />
Administration MMC Interface<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\ApiLibrary<br />
Value: \Bin\aal3ad30.dll<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\DialogLibrary<br />
Value: \Bin\dpwxlib.dll<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\HelpFile<br />
Value: \Doc\Admin_MMC_Interface_Help.chm<br />
Digipass Extension for Active Directory Users and Computers<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\AD U&C Extension\ApiLibrary<br />
Value: \Bin\aal3ad30.dll<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\AD U&C Extension\DialogLibrary<br />
Value: \Bin\dpwxlib.dll<br />
HKEY_LOCAL_MACHINE\Software\VASCO Data Security\AD U&C Extension\HelpFile<br />
Value: \Doc\AD_Extension_Help.chm<br />
Message Delivery Component<br />
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\VDPMDC\EventMessageFile<br />
Value: \Bin\mdcserver.exe<br />
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application\VDPMDC\TypesSupported<br />
Value: 1 (1 = EVENTLOG_ERROR_TYPE)<br />
Table 34: Registry Entries<br />
Note<br />
See 7.2.1 Configuration Settings for VASCO CGI configuration settings in the Windows registry.<br />
11.2.4 DLLs to be Registered<br />
These DLLs need to be registered with Windows (COM registration) for the Digipass Plug-In for IAS to<br />
work correctly. If the installation log (11.2.1) reports that one of them could not be registered, register it manually.<br />
DLL Location<br />
dpmmc.dll \Bin<br />
dpmmcpol.dll \Bin<br />
dpmmccom.dll \Bin<br />
dpextaduc.dll \Bin<br />
Table 35: DLLs to be Registered<br />
11.2.5 Check Permissions<br />
Directory or file: permission(s) required, notes<br />
User Self Management Web Site (IIS)<br />
/dpselfservice/cgi: execute<br />
\UserSite\CGI\usercgi.exe: execute. This is required on Windows Server 2003 only.<br />
OTP Request Site (IIS)<br />
/requestotp/cgi: execute<br />
\VDPSite\CGI\vdpcgi.exe: execute. This is required on Windows Server 2003 only.<br />
Table 36: Permissions Required<br />
11.2.6 <strong>IAS</strong> Server Registered in Active Directory Domain<br />
Check that the <strong>IAS</strong> server is registered in the relevant Active Directory domain(s):<br />
1. Open Active Directory Users and Computers.<br />
2. Click on Users.<br />
A list of Windows Users and Groups will be displayed in the Result pane.<br />
3. Double-click on the RAS and <strong>IAS</strong> Servers group.<br />
4. Check that the <strong>IAS</strong> server is listed in the group members.<br />
If the <strong>IAS</strong> Server is not registered in the domain:<br />
1. Log on to the <strong>IAS</strong> server with an administrator account <strong>for</strong> the domain.<br />
2. Open <strong>In</strong>ternet Authentication Service.<br />
3. Right-click on <strong>In</strong>ternet Authentication Service.<br />
4. Click on Register Server in Active Directory.<br />
The Register <strong>In</strong>ternet Authentication Service in Active Directory window will be<br />
displayed.<br />
5. Click OK.<br />
11.2.7 Default Policy and Component Created<br />
A default Policy and a Component <strong>for</strong> the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> should have been created during the<br />
installation. If they have not been created, the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> will not process authentication<br />
requests.<br />
Note<br />
These steps should only be followed if the Policies and Components have not<br />
been modified since installation.<br />
To check that Policies and Components were created successfully during installation:<br />
1. Open the Administration MMC <strong>In</strong>terface.<br />
2. Click on the Policies node.<br />
A Policy named 'Base Policy' should be included in the Policies List.<br />
3. Click on the Components node.<br />
4. Check that a Component named <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> is included in the Components List.<br />
5. Double-click on the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> Component record.<br />
The Component Properties window will be displayed.<br />
6. Base Policy should be selected in the Policy drop down list.<br />
11.3 Fix <strong>In</strong>stallation Errors<br />
11.3.1 Register <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong><br />
If they do not currently exist, create the following registry entries under the<br />
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters key, then restart IAS: the DLLs named in these values are loaded when the service starts.<br />
Name Type Data<br />
AuthorizationDLLs REG_MULTI_SZ \Bin\dpiasext.dll<br />
ExtensionDLLs REG_MULTI_SZ \Bin\dpiasext.dll<br />
Table 37: IAS Plug-In Registry Entries<br />
Because IAS loads every DLL listed in these two values into the service process, write access to this key is equivalent to control of the IAS service. Keep it restricted to administrators and include it in change monitoring.<br />
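The following PowerShell script is an added example, not part of the VASCO product, that automates the checks of 11.2.2 (file placement), 11.2.3 (registry entries), 11.2.4 (DLL registration) and 11.2.6 (membership of the RAS and IAS Servers group) and, with -Fix, recreates the 11.3.1 entries and registers the DLLs. It assumes that the \Bin\ and \Doc\ values of Table 34 are relative to the InstallDirectory value, that the DLLs of Table 35 are in-process COM servers registered with regsvr32 (which records them as the default value of HKCR\CLSID\{...}\InprocServer32, under Wow6432Node for 32-bit DLLs on x64), and that the ActiveDirectory PowerShell module is available for the group check. Run it in an elevated prompt on the IAS server.<br />

```powershell
# Added example, not part of the VASCO product: re-run the checks of 11.2.2
# (files), 11.2.3 (registry), 11.2.4 (COM registration) and 11.2.6 (group
# membership) from PowerShell; -Fix recreates the 11.3.1 entries and registers
# the DLLs. ASSUMED: "\Bin\..." values are relative to InstallDirectory, and the
# Table 35 DLLs are in-process COM servers (regsvr32 writes HKCR\CLSID\...\InprocServer32).
[CmdletBinding()]
param([switch]$Fix)

$vasco   = 'HKLM:\SOFTWARE\VASCO Data Security'
$authSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
$vdpmdc  = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Application\VDPMDC'
$issues  = New-Object System.Collections.Generic.List[string]

function Get-RegValue([string]$Key, [string]$Name) {
    # $null instead of an error when the key or the value is missing.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-ComRegistered([string]$Dll) {
    foreach ($hive in 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $hit = Get-ChildItem $hive -ErrorAction SilentlyContinue |
            ForEach-Object { (Get-ItemProperty "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue).'(default)' } |
            Where-Object { $_ -like "*$Dll*" } | Select-Object -First 1
        if ($hit) { return $true }
    }
    return $false
}

$root = Get-RegValue $vasco 'InstallDirectory'
if (-not $root) { throw "No InstallDirectory value under $vasco: the product is not installed." }

# Table 33: files that must exist below the install directory.
$files = 'Bin\dpiasext.dll', 'Bin\dpiasext.xml', 'Bin\dpmmc.dll', 'Bin\dpmmcpol.dll', 'Bin\dpmmccom.dll',
         'Bin\dpmmc.msc', 'Bin\dpwxlib.dll', 'Bin\dpextaduc.dll', 'Bin\aal2sdk.dll', 'Bin\dpcgicfg.exe',
         'Bin\mdcserver.exe', 'Bin\mdccfg.exe', 'Bin\libcurl.dll', 'Bin\libeay32.dll', 'Bin\libssl32.dll',
         'Bin\mdcconfig.xml', 'Bin\curl-ca-bundle.crt', 'Doc\Admin_MMC_Interface_Help.chm',
         'Doc\AD_Extension_Help.chm', 'UserSite\CGI\usercgi.exe', 'VDPSite\CGI\vdpcgi.exe', 'DPX\demo.dpx'
foreach ($f in $files) { if (-not (Test-Path (Join-Path $root $f))) { $issues.Add("Missing file: $f") } }

# Table 34: values that must exist with these contents.
$expected = @(
    @{ K = "$vasco\InstalledProducts";   N = 'Digipass Plug-In for IAS'; V = 1 },
    @{ K = "$vasco\MMC Admin Interface"; N = 'ApiLibrary';       V = (Join-Path $root 'Bin\aal3ad30.dll') },
    @{ K = "$vasco\MMC Admin Interface"; N = 'DialogLibrary';    V = (Join-Path $root 'Bin\dpwxlib.dll') },
    @{ K = "$vasco\MMC Admin Interface"; N = 'HelpFile';         V = (Join-Path $root 'Doc\Admin_MMC_Interface_Help.chm') },
    @{ K = "$vasco\AD U&C Extension";    N = 'ApiLibrary';       V = (Join-Path $root 'Bin\aal3ad30.dll') },
    @{ K = "$vasco\AD U&C Extension";    N = 'DialogLibrary';    V = (Join-Path $root 'Bin\dpwxlib.dll') },
    @{ K = "$vasco\AD U&C Extension";    N = 'HelpFile';         V = (Join-Path $root 'Doc\AD_Extension_Help.chm') },
    @{ K = $vdpmdc;                      N = 'EventMessageFile'; V = (Join-Path $root 'Bin\mdcserver.exe') },
    @{ K = $vdpmdc;                      N = 'TypesSupported';   V = 1 }
)
foreach ($e in $expected) {
    $got = Get-RegValue $e.K $e.N
    if ("$got" -ne "$($e.V)") { $issues.Add("Registry $($e.K)\$($e.N): expected '$($e.V)', found '$got'") }
}

# Tables 34/37: IAS loads the plug-in as both an extension DLL and an authorization DLL.
$plugin = Join-Path $root 'Bin\dpiasext.dll'
foreach ($n in 'ExtensionDLLs', 'AuthorizationDLLs') {
    $list = @(Get-RegValue $authSrv $n | Where-Object { $_ })
    if ($list -notcontains $plugin) {
        $issues.Add("AuthSrv\Parameters\$n does not list $plugin")
        if ($Fix) {
            if (-not (Test-Path $authSrv)) { New-Item -Path $authSrv -Force | Out-Null }
            Set-ItemProperty -Path $authSrv -Name $n -Value ([string[]]($list + $plugin)) -Type MultiString
        }
    }
}

# Table 35: COM servers that must be registered (regsvr32 needs an elevated prompt).
foreach ($d in 'dpmmc.dll', 'dpmmcpol.dll', 'dpmmccom.dll', 'dpextaduc.dll') {
    if (-not (Test-ComRegistered $d)) {
        $issues.Add("COM server not registered: $d")
        if ($Fix) { & regsvr32.exe /s (Join-Path $root "Bin\$d") }
    }
}

# 11.2.6: the IAS server must be a member of "RAS and IAS Servers" (needs the ActiveDirectory module).
if (Get-Command Get-ADGroupMember -ErrorAction SilentlyContinue) {
    $members = @(Get-ADGroupMember 'RAS and IAS Servers' -ErrorAction SilentlyContinue | ForEach-Object SamAccountName)
    if ($members -notcontains ("$env:COMPUTERNAME" + '$')) { $issues.Add("$env:COMPUTERNAME is not in the RAS and IAS Servers group") }
}

if ($issues.Count -eq 0) { 'Installation check passed.' } else { $issues | ForEach-Object { "PROBLEM: $_" } }
```

Whatever -Fix writes to AuthSrv\Parameters is loaded into the IAS process at the next service start, so review the problem list it prints before restarting IAS rather than running it blind, and keep write access to that key limited to administrators.<br />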
11.4 View Audit <strong>In</strong><strong>for</strong>mation<br />
The <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> can generate audit messages and save them either to the Windows Event Log<br />
or a text file. Your audit settings in the Administration MMC <strong>In</strong>terface will determine where<br />
you should look <strong>for</strong> each type of audit message.<br />
11.4.1 Windows Event Log<br />
Filter <strong>for</strong> audit messages from the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> by:<br />
1. Click on View -> Filter...<br />
2. Select <strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong> from the Event Source drop down list.<br />
3. Click on OK.<br />
11.4.2 Audit log text file<br />
The audit log file name and location is configured in the Administration MMC <strong>In</strong>terface.<br />
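The following PowerShell script is an added example, not part of the VASCO product. It reads the Plug-In's audit messages either from the Application log, using the same Event Source filter as in 11.4.1, or from lines of the audit text file of 11.4.2, keys each message by the code listed in 12.1, and raises alerts for the codes a security operations team would want to see: account lockouts (W011003), blank passwords passed to Back-End Authentication (W010001), the Plug-In being forced into the disabled state (E001002), requests the Plug-In did not handle (I010001), and bursts of Access-Rejects (I007003) for one user. The regular expression for the code and the User "name" form (taken from the gateway message text earlier in this chapter) are assumptions about the message layout, which the page does not fix; the sample lines are constructed, not real output.<br />

```powershell
# Added example, not part of the VASCO product: pull IAS Plug-In audit messages
# (Event Source "Digipass Plug-In for IAS", or lines of the audit text file),
# key them by the 12.1 message code and raise a few security-relevant alerts.
# ASSUMED: each message contains its code as a token of the form [EWI]nnnnnn and
# names the user as User "name"; the page does not fix the exact text layout.

$codeRx   = '\b([EWI])(\d{6})\b'
$severity = @{ E = 'Error'; W = 'Warning'; I = 'Information' }

function ConvertFrom-AuditLine([string]$Line, [datetime]$Time = (Get-Date)) {
    if ($Line -notmatch $codeRx) { return $null }          # not a Plug-In audit message
    $code = $Matches[1] + $Matches[2]
    $sev  = $severity[$Matches[1]]
    $user = if ($Line -match 'User "([^"]+)"') { $Matches[1] } else { $null }
    [pscustomobject]@{ Time = $Time; Code = $code; Severity = $sev; User = $user; Text = $Line }
}

function Get-PluginAuditEvents([int]$Hours = 24) {
    # Same filter as 11.4.1, applied from the shell instead of Event Viewer.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Digipass Plug-In for IAS';
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-AuditLine -Line $_.Message -Time $_.TimeCreated }
}

# Codes worth an alert on sight; see 12.1 for the full descriptions.
$watch = @{
    'W011003' = 'Digipass User Account locked: User Lock Threshold exceeded'
    'W010001' = 'Blank password passed to Back-End Authentication'
    'E001002' = 'Plug-In forced into the disabled state: authentication requests are not processed'
    'I010001' = 'Authentication not handled by the Plug-In (passed through by Policy)'
}

function Find-AuditAlerts([object[]]$Events, [int]$RejectThreshold = 5, [int]$WindowMinutes = 10) {
    foreach ($e in $Events) {
        if ($watch.ContainsKey($e.Code)) {
            [pscustomobject]@{ Time = $e.Time; Code = $e.Code; User = $e.User; Alert = $watch[$e.Code] }
        }
    }
    # A burst of Access-Rejects (I007003) for one user looks like OTP guessing.
    $Events | Where-Object { $_.Code -eq 'I007003' -and $_.User } | Group-Object User | ForEach-Object {
        $t = @($_.Group | Sort-Object Time | ForEach-Object Time)
        for ($i = 0; $i + $RejectThreshold -le $t.Count; $i++) {
            if (($t[$i + $RejectThreshold - 1] - $t[$i]).TotalMinutes -le $WindowMinutes) {
                [pscustomobject]@{ Time = $t[$i]; Code = 'I007003'; User = $_.Name
                                   Alert = "$RejectThreshold Access-Rejects within $WindowMinutes min" }
                break
            }
        }
    }
}

# Constructed sample (not real log output) so the script runs offline.
$t0 = Get-Date '2006-06-01T09:00:00'
$lines = @(
    @{ M = 0;  L = 'I006001 A RADIUS Access-Request has been received. User "alice"' },
    @{ M = 1;  L = 'I007003 A RADIUS Access-Reject has been issued. User "alice"' },
    @{ M = 2;  L = 'I007003 A RADIUS Access-Reject has been issued. User "alice"' },
    @{ M = 3;  L = 'I007003 A RADIUS Access-Reject has been issued. User "alice"' },
    @{ M = 4;  L = 'I007003 A RADIUS Access-Reject has been issued. User "alice"' },
    @{ M = 5;  L = 'I007003 A RADIUS Access-Reject has been issued. User "alice"' },
    @{ M = 6;  L = 'W011003 A Digipass User Account has become locked. User "alice"' },
    @{ M = 7;  L = 'I010001 User authentication was not handled. User "svc-backup"' },
    @{ M = 40; L = 'I007001 A RADIUS Access-Accept has been issued. User "bob"' }
)
$events = $lines | ForEach-Object { ConvertFrom-AuditLine -Line $_.L -Time $t0.AddMinutes($_.M) }
Find-AuditAlerts -Events $events | Format-Table Time, Code, User, Alert -AutoSize

# Live event log:  Find-AuditAlerts -Events (Get-PluginAuditEvents -Hours 24)
# Audit text file: Find-AuditAlerts -Events (Get-Content $auditFile | ForEach-Object { ConvertFrom-AuditLine $_ })
```

On the sample the script reports three alerts: the five rejects for alice within ten minutes, alice's lockout, and the pass-through for svc-backup. I010001 deserves the attention because a passed-through request is authenticated by IAS without the Digipass check; compare the users it names against the groups the Policy is meant to cover.<br />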
11.5 Delete all <strong>Digipass</strong> Data from Active Directory<br />
<strong>Digipass</strong>-specific in<strong>for</strong>mation is not removed from Active Directory when the <strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong><br />
<strong>for</strong> <strong>IAS</strong> is uninstalled from a computer.<br />
A custom VB script is available which will strip all in<strong>for</strong>mation related to the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> from a<br />
domain. The data removed includes:<br />
<strong>Digipass</strong>-Configuration container if present<br />
Policy and Component records in container<br />
<strong>Digipass</strong>-Pool container if present<br />
<strong>Digipass</strong> records in container<br />
<strong>Digipass</strong>-Reserve container if present<br />
<strong>Digipass</strong> records in container<br />
All <strong>Digipass</strong> in the domain, including all <strong>Digipass</strong> Applications.<br />
Search <strong>for</strong> all <strong>Digipass</strong> User Accounts and delete them<br />
Each <strong>Digipass</strong> User account is deleted by searching <strong>for</strong> Active Directory Users with the<br />
vasco-CreateTime attribute set (indicating that a <strong>Digipass</strong> User account has been created<br />
<strong>for</strong> that User). All vasco-UserExt attributes on the Active Directory User are reset.<br />
Note<br />
The script must be run in each domain from which data is to be removed.<br />
11.5.1 Run Delete Script on a Domain<br />
1. Get dpDeleteAll.vbs file from the CD \Windows\Utilities\VBScript directory and copy to<br />
the computer where you will run the command.<br />
2. Open cmd prompt, logged in as domain admin in the domain required.<br />
3. Enter the following:<br />
'cscript dpDeleteAll.vbs [domain] [-v]'<br />
If the machine does not belong to the target domain, specify the domain name<br />
If you want record-by-record progress display, specify -v (verbose mode).<br />
Example<br />
cscript dpDeleteAll.vbs dm3.vasco.com -v<br />
12 Audit Messages<br />
To set up auditing in the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong>, see 10.1.1.6<br />
12.1 Audit Message Listing<br />
Message<br />
Code<br />
Auditing.<br />
Description Notes<br />
E000001 A system error has occurred. This message is used whenever there is a general<br />
processing error. It will contain full details of the error.<br />
E001001 The <strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> failed to start up. The <strong>Plug</strong>-<strong>In</strong> encountered a fatal error on startup such as an<br />
invalid or missing configuration file.<br />
E001002 The <strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> has been <strong>for</strong>ced<br />
into the disabled state.<br />
E002001 The Active Directory AAL3 library failed<br />
to initialize.<br />
E002002 The <strong>Digipass</strong> Authentication library<br />
failed to initialize.<br />
E009001 An error occurred in the Virtual <strong>Digipass</strong><br />
Message Delivery Component.<br />
E012001 The RADIUS Profile was not found in<br />
Funk SBR.<br />
W004001 A connection attempt to Active<br />
Directory failed.<br />
W005001 A connection to Active Directory has<br />
terminated due to an error.<br />
W009001 Virtual <strong>Digipass</strong> One Time Password<br />
delivery failed.<br />
W010001 A blank password was used <strong>for</strong> Back-<br />
End Authentication, as Stored Password<br />
Proxy is disabled and the user did not<br />
enter a static password.<br />
The <strong>Plug</strong>-<strong>In</strong> has started up, but is in a disabled state in<br />
which it will not process authentication requests. This is<br />
typically due to a license problem (an invalid or missing<br />
License Key in the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> Component record); an<br />
invalid Component Location setting in the configuration<br />
file; or a missing <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> Component record.<br />
The Active Directory 'AAL3' library encountered a fatal<br />
error on initialization, eg. invalid configuration settings in<br />
the configuration file.<br />
The 'Authentication' library encountered a fatal error on<br />
initialization, eg. invalid configuration settings in the<br />
configuration file.<br />
The MDC encountered an error during the process of<br />
submitting a request to the HTTP gateway and interpreting<br />
the response. This may indicate a configuration problem <strong>for</strong><br />
the gateway or connectivity issues. The audit message may<br />
contain further details from the gateway.<br />
Not applicable to <strong>IAS</strong>.<br />
An attempt to connect to an Active Directory Domain<br />
Controller failed. This may occur because: the Domain<br />
Controller is unavailable <strong>for</strong> some reason such as<br />
rebooting; the Domain Controller is too busy temporarily to<br />
service the connection; or there are DNS or networking<br />
problems.<br />
An established connection to an Active Directory Domain<br />
Controller has broken. This may occur because: the<br />
Domain Controller suddenly becomes unavailable <strong>for</strong> some<br />
reason such as rebooting; the Domain Controller becomes<br />
too busy temporarily to service the connection; or there<br />
are DNS or networking problems.<br />
The MDC could not successfully deliver a text message via<br />
the HTTP gateway. The audit message should contain<br />
further details from the gateway.<br />
This message only occurs when the Back-End<br />
Authentication setting is Always.<br />
When Stored Password Proxy is disabled, the <strong>IAS</strong> <strong>Plug</strong>-<br />
<strong>In</strong> does not pass on the password stored in the <strong>Digipass</strong><br />
User Account to Windows <strong>for</strong> Back-End Authentication. If a<br />
User does not enter their password as well as their OTP,<br />
the login will fail because their password has not been<br />
provided to Windows.<br />
© 2006 VASCO Data Security <strong>In</strong>c. 94
<strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> <strong>for</strong> <strong>IAS</strong> <strong>Administrator</strong> <strong>Reference</strong> Audit Messages<br />
Message<br />
Code<br />
W011001 A Backup Virtual <strong>Digipass</strong> quota of uses<br />
has been finished.<br />
W011002 No <strong>Digipass</strong> was found to assign to a<br />
new <strong>Digipass</strong> User Account <strong>for</strong> Auto-<br />
Assignment.<br />
W011003 A <strong>Digipass</strong> User Account has become<br />
locked.<br />
I001001 The <strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> has started up<br />
successfully.<br />
I002001 The Active Directory AAL3 library has<br />
been initialized successfully.<br />
I002002 The <strong>Digipass</strong> Authentication library has<br />
been initialized successfully.<br />
I003001 The <strong>Digipass</strong> <strong>Plug</strong>-<strong>In</strong> has shut down.<br />
I004001 A connection attempt to Active<br />
Directory was successful.<br />
I005001 A connection to Active Directory has<br />
been terminated normally.<br />
I005002 A connection to Active Directory has<br />
been timed out <strong>for</strong> load-balancing.<br />
I006001 A RADIUS Access-Request has been<br />
received.<br />
I007001 A RADIUS Access-Accept has been<br />
issued.<br />
I007002 A RADIUS Access-Challenge has been<br />
issued.<br />
I007003 A RADIUS Access-Reject has been<br />
issued.<br />
I008001 A <strong>Digipass</strong> has been moved <strong>for</strong><br />
assignment to a user.<br />
I008002 A user-to-user link has been removed<br />
due to assignment of a <strong>Digipass</strong>.<br />
I009001 A Virtual <strong>Digipass</strong> One Time Password<br />
has been delivered.<br />
Description Notes<br />
BVDP Uses Remaining has just been decremented to 0<br />
<strong>for</strong> a <strong>Digipass</strong>. The User will not be able to use that<br />
<strong>Digipass</strong> <strong>for</strong> Backup Virtual <strong>Digipass</strong> logins until the Uses<br />
Remaining is increased or cleared.<br />
No available <strong>Digipass</strong> were found <strong>for</strong> Auto-Assignment.<br />
This may be because: there were no unassigned <strong>Digipass</strong><br />
in the right location; the unassigned <strong>Digipass</strong> did not<br />
con<strong>for</strong>m to Policy restrictions; the unassigned <strong>Digipass</strong><br />
were Reserved <strong>for</strong> individual assignment.<br />
The location in which the <strong>IAS</strong> <strong>Plug</strong>-<strong>In</strong> searches <strong>for</strong> available<br />
<strong>Digipass</strong> records can be controlled to some extent using<br />
the Search Upwards in Org. Unit hierarchy setting.<br />
A User just exceeded the User Lock Threshold of failed<br />
logins and their <strong>Digipass</strong> User Account is now Locked.<br />
<strong>Administrator</strong> action is required to unlock the account.<br />
Configuration details are given in the audit message.<br />
The Active Directory 'AAL3' library has completed<br />
initialization. Configuration details are given in the audit<br />
message.<br />
The 'Authentication' library has completed initialization.<br />
Configuration details are given in the audit message.<br />
An established connection to an Active Directory Domain<br />
Controller has ended with a normal disconnection.<br />
An established connection to an Active Directory Domain<br />
Controller has been ended <strong>for</strong> load-balancing purposes.<br />
Periodically the connections will be dropped and new ones<br />
established, in case there is a less busy Domain Controller available. The time period is defined by the configuration setting Max-Bind-LifeTime in the file, in minutes.
The IAS Plug-In has received an Access-Request. The audit message will indicate what action will be taken as well as key details of the request.
The IAS Plug-In has accepted an Access-Request. Note however that it is still possible that after the IAS Plug-In has accepted the request, IAS rejects it.
The IAS Plug-In has issued a challenge, either Challenge/Response or Virtual Digipass.
The IAS Plug-In has rejected an Access-Request.
Upon assignment of a Digipass to a User, if the Digipass is not already in the same location (Organizational Unit) as the User, it is moved to that location.
If a Digipass User Account is linked to another in order to share the Digipass, it must not have a Digipass assigned itself. If a Digipass is assigned, the link will be broken.
The MDC successfully delivered a text message via the HTTP gateway, as reported by the gateway. The audit message may contain further details from the gateway. Note that depending on the gateway, it may still be possible for delivery to fail after the gateway has reported success.
© 2006 VASCO Data Security Inc. 95
Message Code   Description
I010001        User authentication was not handled.
               Notes: The IAS Plug-In decided not to handle an authentication request due to Policy and/or Digipass User Account settings. The main reasons why this may occur are: the effective Local Authentication and Back-End Authentication settings were both None; the User failed the Windows Group Check, using the Authenticate listed groups, pass others through option. Note that the 'effective' settings are the effective settings of the Policy, unless the Digipass User Account overrides the Policy.
I011001        A Digipass Grace Period has been ended by the use of a One Time Password.
               Notes: The first time that an assigned Digipass is used successfully to log in, if a Grace Period is still active, it is ended immediately. The User must continue to use their Digipass to log in after that point.
I011002        A Backup Virtual Digipass expiration date has been set due to the first request for a Virtual One Time Password.
               Notes: A User has requested a Backup Virtual Digipass OTP for the first time, when the effective Backup VDP Enabled setting is Yes – Time Limited and they did not already have an Enabled Until date set on their Digipass. At this time, they are given the Time Limit from the Policy by adding it to the current date.
I011003        A Backup Virtual Digipass time limit has been expired by the use of the normal One Time Password.
               Notes: A User who has been using Backup Virtual Digipass has used their normal OTP login using the Digipass again. When the effective Backup VDP Enabled setting is Yes – Time Limited, using the normal OTP login ends their time limit immediately. This is done by setting the Enabled Until date on their Digipass to the current date. An administrator action is required to reset their Enabled Until date, if the User is to be allowed to use Backup Virtual Digipass again.
I011004        A Backup Virtual Digipass quota of uses has been set due to the first request for a Virtual One Time Password.
               Notes: A User has requested a Backup Virtual Digipass OTP for the first time, when the effective Backup VDP Max. Uses/User setting is greater than 0 and they did not already have a Uses Remaining value set on their Digipass. At this time, they are given the Max. Uses/User limit from the Policy.
I011005        A Digipass User Account has been created using Dynamic User Registration.
               Notes: A Digipass User Account has been created automatically upon successful Back-End Authentication. This occurs when the Dynamic User Registration feature is enabled.
I011006        A new static password has been stored using Password Autolearn.
               Notes: A new static password has been stored in the Digipass User Account after successful Back-End Authentication. This occurs when the Password Autolearn feature is enabled.
I011007        A Digipass has been assigned to a new Digipass User Account using Auto-Assignment.
               Notes: Upon creation of a new Digipass User Account through Dynamic User Registration, an available Digipass has been assigned to the new account automatically. This occurs when the Auto-Assignment feature is enabled.
I011008        A Digipass has been assigned to a Digipass User Account using Self-Assignment.
               Notes: A User has successfully assigned a Digipass to themselves using the Self-Assignment feature.
I011009        A Digipass challenge has been issued for a Self-Assignment attempt.
               Notes: A User has obtained a challenge during an attempt to assign a Digipass to themselves using the Self-Assignment feature. In order to complete the assignment, they must provide the correct response to the challenge from the Digipass.
I011010        A user has changed their Digipass PIN.
               Notes: A User has changed their Server PIN during their login, or set it up on first use or after a PIN reset.
S001001        A query for a single data object was successful.
               Notes: The IAS Plug-In or an administrator has made a successful query to Active Directory for a single record. In the case of the IAS Plug-In this will be a search for its Component record; for an administrator it could be any single record query. The audit message has details of the record found.
S001002        A query for a list of data objects was successful.
               Notes: The IAS Plug-In or an administrator has made a successful query to Active Directory for some records. In the case of the IAS Plug-In this will be a search for a RADIUS Client Component record; for an administrator it could be any list query. The audit message has details of the records found, but this may be truncated.
S001003        A data object command was successful.
               Notes: An administrator has issued a successful data modification command such as an update of settings or one of the Digipass Application operations like Reset PIN. The audit message has details of the command and results.
S002001        User authentication was successful.
               Notes: The 'Authentication' library has passed authentication for a request. Note however that the IAS Plug-In or IAS itself may still decide to reject the request ultimately.
S002002        User authentication issued a challenge.
               Notes: The 'Authentication' library has issued a challenge for an authentication request, either Challenge/Response or Virtual Digipass.
F001001        A query for a single data object failed.
               Notes: The IAS Plug-In or an administrator has made an unsuccessful query to Active Directory for a single record. In the case of the IAS Plug-In this will be a search for its Component record; for an administrator it could be any single record query. The audit message has basic details of the failure, but there should be a preceding E000001 with more details.
F001002        A query for a list of data objects failed.
               Notes: The IAS Plug-In or an administrator has made an unsuccessful query to Active Directory for some records. In the case of the IAS Plug-In this will be a search for a RADIUS Client Component record; for an administrator it could be any list query. The audit message has basic details of the failure, but there should be a preceding E000001 with more details.
F001003        A data object command failed.
               Notes: An administrator has issued an unsuccessful data modification command such as an update of settings or one of the Digipass Application operations like Reset PIN. The audit message has basic details of the failure, and there may be a preceding E000001 with more details.
F002001        User authentication failed.
               Notes: The 'Authentication' library has failed authentication for a request. The audit message has details of the failure (see ) and there may be a preceding E000001 with error details.
Table 38: Audit Messages List
12.2 Audit Message Fields
Display Name            Description
Area                    Area of code/functionality in which the audit event occurred, e.g. "Active Directory search".
Operation               Operation being attempted/processed when the audit event occurred.
Error Code              Standard error code.
Error Message           Fixed error message corresponding to ERROR_CODE.
Error Details           Full dump of the 'error stack'.
Source Location         Location of the source of the audit message, typically IP address or host name.
Server Location         When the server itself is not the source of the audit message, this is the location of the server (IP/host name).
Client Location         When the client itself is not the source of the audit message, this is the location of the client (IP/host name).
Version                 Full version string, e.g. "2.5.2.0045".
Data Source             Type of data source, e.g. "File", "Registry".
Data Source Location    Specific location of the data source, e.g. for a File, the path/filename.
Configuration Details   Breakdown of configuration settings.
Outcome                 Outcome of an attempt to do something, e.g. "Success", "Failure", "Challenge".
Reason                  Generally a short phrase indicating a reason for a failure.
Characteristics         Space-separated list of keywords indicating characteristics of interest, e.g. for a connection attempt, keywords such as "SSL", "TCP", "IPv6" may be useful.
User ID                 UserID. Can be in various formats, unless it refers to a Digipass User Account UserID, when it must be exact (SAM-Account-Name).
Domain                  Domain name (FQDN).
Credentials             What kind of credential was offered for a connection/login attempt, e.g. "Password", "None".
Session ID              Session identifier.
Serial No               Digipass Serial No.
Application             Digipass Application Name.
Request ID              Any request identifier(s), e.g. a RADIUS packet ID.
Password Protocol       The way in which a password is encoded, e.g. "PAP", "CHAP", "MS-CHAP1", "MS-CHAP2".
Input Details           Breakdown of request parameters/attributes.
Action                  Intended action to take for a request received, e.g. "Ignore", "Process".
Output Details          Breakdown of response parameters/attributes.
Policy ID               Name of the Policy used to handle a request.
Mobile No               Mobile phone no. for sending a text message.
From                    Location from which something is moved, e.g. an Active Directory location.
To                      Location to which something is moved, e.g. an Active Directory location.
User Link               Identification of the user to which another user is linked.
Message                 Used where something external (e.g. the MDC) returns a message for auditing.
Expiration Date         Value of an expiry date such as the Grace Period.
Quota                   Value of a quota such as Backup Virtual Digipass Uses Remaining.
Local Authentication    Whether Local Authentication was done or not.
Back-End Authentication If Back-End Authentication was done, the Back-End Protocol used, otherwise "None".
Object                  Name of the data object of the query/command.
Command                 Name of the command.
Fields                  The list of fields to be returned by the query, or 'All Fields'.
RADIUS Profile          Name of the RADIUS Profile.
Table 39: Audit Message Fields
13 Error and Status Codes
This section lists the standard error and status codes with the associated messages.
13.1 Error Code Listing
Error Code   Message
0            (No error)
-1           An unspecified error occurred
             Notes: This error code may occur when a more specific error code is not available or was recorded separately.
-2           The parameters supplied were invalid
             Notes: Parameters supplied to a function or command were invalid.
-3           A memory error occurred
             Notes: Memory allocation failed. This is normally due to the system running low on memory.
-10          A communications error occurred
             Notes: Inter-process or inter-component communication failed. This may also occur with communications to Active Directory or a database. This error is normally accompanied by further details.
-11          A license error has occurred
             Notes: General-purpose license failure when a more specific code is not available or was recorded separately.
-12          An operating system call failed
             Notes: A system call failed. This may include file handling, Active Directory Services Interface and other calls. It is normally accompanied by further details.
-13          The object was not found
             Notes: An attempt was made to perform an operation on an object, such as an Active Directory object, but the object did not exist. For example, this may occur when one administrator deletes a record that another administrator is about to update, when the update operation is attempted.
-14          The object already exists
             Notes: An attempt was made to create an object, such as an Active Directory object, but the object already exists. For example, this may occur when two administrators try to create the same record at the same time.
-15          The supplied buffer was of the incorrect size
             Notes: An internal data buffer was of insufficient length to hold the data required.
-16          A version error has occurred
             Notes: A version mismatch has occurred. Further details in the error record will indicate what versions were mismatched.
-17          The supplied data are invalid
             Notes: General-purpose error when input data to an operation is incorrect. Further details of the error will be recorded.
-18          The object is invalid
             Notes: An attempt was made to perform an operation upon an object type that was not recognized.
-19          The command is invalid
             Notes: An attempt was made to perform an operation using a command that was not recognized.
-20          The object is in use
             Notes: An attempt was made to delete an object, such as an Active Directory object, but that object was in use. This may occur when you try to delete a Policy, but another Policy inherits from the one you are deleting, or a Component uses the Policy.
-21          The operation is not supported
             Notes: General-purpose error when an operation is attempted on an object that does not support it. For example, an attempt is made to generate a Virtual Digipass OTP using a Digipass that is not enabled for Virtual Digipass.
-22          An object error has occurred
             Notes: General-purpose error on an operation on an object. This should be supplemented with more specific details.
-23          A required field was missing
             Notes: An operation was attempted without specifying one or more mandatory input fields.
-30          The configuration is invalid
             Notes: The configuration data in the configuration file are invalid. The error record should indicate which specific data were invalid.
-31          A type mismatch has occurred
             Notes: General-purpose error when one datatype is expected but a different datatype was provided.
-32          One or more objects were not initialized
             Notes: Internal initialization error. More specific error details will be recorded.
-33          The cache is full
             Notes: An attempt was made to add an entry to a cache, but the cache has reached its configured maximum size.
-34          The cache entry has reached the maximum reference count
             Notes: An attempt was made to retrieve an item from a cache, but the item was already in use and the configuration indicates a limit on the number of times an item can be retrieved from the cache at one time.
-140         A Digipass error has occurred
             Notes: General-purpose failure of a Digipass operation such as OTP verification, Reset PIN, Unlock, etc. This is normally accompanied by a more specific error code and message from the VACMAN Controller library.
-150         Delivery of the Virtual Digipass One-Time Password failed
             Notes: A Virtual Digipass OTP was generated successfully, but delivery by text message failed. A separate message will give more details about the failure.
-200         The license has expired
             Notes: The License Key has an expiration date set, and the date has passed. A permanent License Key must be obtained.
-201         The license data are invalid
             Notes: One of the details embedded into the License Key is invalid for the Component in which it is being loaded. The Component will not be able to use the License Key. This may be the IP address, Component Type, or any other detail that can be seen in the License Key text.
-202         The License Key is corrupted
             Notes: The signature at the bottom of the License Key is invalid. This would typically occur if the License Key details were modified in any way.
-250         Decryption has failed - no Storage Key is specified in the Encryption Settings
             Notes: Some encrypted data has been created or modified using configured, rather than default, encryption settings. This error occurs when that data is read by a component that does not have configured encryption settings; the component is therefore unable to decrypt the data. It is necessary to configure the encryption settings in the component. See 2.4 Sensitive Data Encryption for more information on encryption settings.
-251         Decryption has failed - an incorrect Cipher is specified in the Encryption Settings
             Notes: Some encrypted data has been created or modified using differently configured encryption settings. This error occurs when that data is read by a component with configured encryption settings that use a different Cipher Name; the component is therefore unable to decrypt the data. It is necessary to make sure that the encryption settings in all components are identical. See 2.4 Sensitive Data Encryption for more information.
-252         Decryption has failed - an incorrect Storage Key is specified in the Encryption Settings
             Notes: Some encrypted data has been created or modified using differently configured encryption settings. This error occurs when that data is read by a component with configured encryption settings that use a different Storage Key; the component is therefore unable to decrypt the data. It is necessary to make sure that the encryption settings in all components are identical. See 2.4 Sensitive Data Encryption for more information.
Table 40: Error Code List
13.2 Status Code Listing
Status Code  Message
0            No error
             Notes: The status codes from -1 downwards match the Error Codes above.
1000         The credentials were invalid
             Notes: General-purpose failure due to invalid username or password, when a more specific status is unavailable.
1002         The user failed the Windows Group Check
             Notes: The IAS Plug-In rejected an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, reject others. Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
1004         The challenge has expired
             Notes: A response to a challenge has been given, but the expiration time for the challenge has passed. The default expiration time is one minute; however, this can be configured in the configuration file VASCO/AAL3/Authlib/Challenge-Cache/Max-Age setting (in seconds).
1005         The user does not have permission to perform the specified action
             Notes: General-purpose failure of an administration command when the administrator does not have sufficient privileges to carry out the command.
1007         The user account is locked
             Notes: The Digipass User Account is Locked. This is normally due to consecutive login failures, as determined by the Policy setting User Lock Threshold. Alternatively the administrator can actively lock the account. To unlock the User account, an administrator has to uncheck the Locked checkbox on the User record.
1008         The One Time Password has already been used
             Notes: This status code occurs specifically when an OTP is rejected because it has already been used. It may also occur when the OTP has not been used but is older than the most recently used OTP. This can sometimes happen when an authentication request is re-sent automatically.
1009         The user account is disabled
             Notes: The Digipass User Account is Disabled. This may be because the administrator has actively disabled the account, or because the corresponding Windows User account has become disabled or expired.
1010         No user account was found
             Notes: An authentication request was rejected because no Digipass User Account was found and Local Authentication is required by the Policy.
1011         The static password was incorrect
             Notes: As part of Local Authentication, verification of the static password failed.
1012         The One Time Password was incorrect
             Notes: Verification of the OTP failed. More specific details may be found in the VACMAN Controller error code and message.
1013         The challenge was invalid
             Notes: A response to a challenge was given, but the challenge was not the latest one issued for that Digipass. This is controlled by the Check Challenge Policy setting.
1014         The Digipass Grace Period has expired
             Notes: A User attempted to log in with their static password, but their Grace Period had already expired. They have to use a Digipass to log in. If they do not have their Digipass yet, the administrator will have to allow them more time by modifying the Grace Period End date on their Digipass record.
1015         Backup Virtual Digipass is not allowed
             Notes: A User attempted to request a Backup Virtual Digipass OTP, but they were not permitted. This would normally occur when either:
             - The effective Backup VDP Enabled setting is Yes – Time Limited, and the Digipass Backup VDP Enabled Until date is the current date or before.
             - The Digipass Backup VDP Uses Remaining counter has reached 0.
             In both cases, administrator intervention is required to permit the User to continue to use Backup Virtual Digipass. The Enabled Until or Uses Remaining limits need to be increased to permit this. Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass record overrides the Policy.
1016         The Digipass is not available
             Notes: A User attempted Self-Assignment, but the Digipass they requested either could not be found within the search scope or was already assigned to someone else. This may occur because of a mistyped Serial Number. Otherwise, the search scope may be incorrect or the Digipass may not be in the correct location to be made available to the User. See the Location of Digipass Records section in the Product Guide.
1017         The user account has no mobile number for Virtual Digipass
             Notes: A User requested a Primary or Backup Virtual Digipass OTP, but it could not be delivered because the User account had no mobile phone number. In Active Directory this is the first Mobile No. on the record.
1018         No password was supplied for a Virtual Digipass login
             Notes: A User attempted a Virtual Digipass login, but did not enter a password in the second stage of the login. See 9.1.4 Virtual Digipass for more information.
1020         Local authentication failed
             Notes: General-purpose failure of Local Authentication when a more specific status code is not available. Additional information should provide more specific details.
1021         Back-end authentication reported that the password has expired
             Notes: Back-End Authentication (e.g. Windows) failed because the password was correct but it has expired.
1022         Back-end authentication failed
             Notes: Back-End Authentication (e.g. Windows) failed. A specific error code and message will accompany this record.
1030         The policy was invalid
             Notes: An authentication request was rejected because the applicable Policy had invalid settings or failed to load. This should not occur, but is possible due to the delay in Active Directory replication, for example. The two main ways in which a Policy can become invalid are:
             - One or more choice list settings are Default in the Policy, and in its parent Policy if it has one.
             - A circular chain of Policies has been created, for example: Policy A inherits from Policy B; Policy B inherits from Policy C; Policy C inherits from Policy A.
             The Policy must be fixed in order for authentication to be permitted using that Policy.
1031         The policy does not allow a self-assignment attempt
             Notes: A User attempted Self-Assignment, but it is not permitted under the Policy.
1032         Hashed passwords cannot be verified by Windows
             Notes: An authentication request could not be processed successfully because Back-End Authentication using Windows was required, but the User's password was hashed. It is not possible to verify hashed passwords with Windows. This can occur when a CHAP-based protocol is used; this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols that utilize a one-way hash of the password entered by the User. Note that the effective Back-End Authentication setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
1033         A Digipass must be used
             Notes: The effective Local Authentication setting is Digipass Only and the User tried to log in with a static password. Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
1034         Challenge/Response is not supported by CHAP-based protocols
             Notes: Challenge/Response is only supported in RADIUS using the PAP protocol. An attempt was made to generate a challenge using a CHAP-based protocol; this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols.
1035         Challenge/Response is not supported by Windows 2000
             Notes: This status code can only occur in the Digipass Plug-In for IAS. There is a product limitation on Windows 2000 only that Challenge/Response is not supported. It will occur if the User attempted to request a challenge.
3001         A Digipass Challenge was returned
             Notes: This status code is the standard code when a challenge is issued and does not indicate any kind of error.
5001         The user failed the Windows Group Check
             Notes: The IAS Plug-In decided not to handle an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, pass others through. In this case, IAS will process the request itself using other authentication methods. Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.
5002         Neither local nor back-end authentication was done due to policy and/or user settings
             Notes: The IAS Plug-In decided not to handle an authentication request because the effective Local Authentication and Back-End Authentication settings were both None. In this case, IAS will process the request itself using other authentication methods. Note that the 'effective' settings are the effective settings of the Policy, unless the Digipass User Account overrides the Policy.
Table 41: Status Code List
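A triage pass over audit records, added here as an example and not code from the VASCO product or this manual. It keys records by the Table 39 field names and reacts to the Table 41 status codes above; the dict record format, the lock_threshold default and the Request ID re-send heuristic are assumptions, and the sample records are constructed.

```python
"""Triage of Digipass Plug-In for IAS audit records by status code.

Added example, not part of the VASCO manual or product. Assumption: audit
records have already been parsed into dicts keyed by the Display Names of
Table 39, with the Table 41 status code carried in the "Error Code" field.
"""
from collections import defaultdict
from dataclasses import dataclass

# Status codes from Table 41 that a monitoring rule singles out.
STATUS_CHALLENGE_EXPIRED = 1004   # response arrived after Challenge-Cache/Max-Age
STATUS_ACCOUNT_LOCKED = 1007      # User Lock Threshold reached, or locked by admin
STATUS_OTP_ALREADY_USED = 1008    # OTP reused, or older than the last used OTP
STATUS_HASHED_PW_WINDOWS = 1032   # CHAP-family protocol with Windows back-end
STATUS_CR_NOT_CHAP = 1034         # Challenge/Response needs PAP

# Audit message codes from Table 38.
MSG_AUTH_OK = "S002001"
MSG_AUTH_FAILED = "F002001"


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str
    detail: str


def triage(records, lock_threshold=3):
    """Walk audit records in order and return a list of Findings.

    lock_threshold stands in for the Policy setting User Lock Threshold;
    the manual gives no default, so 3 is a constructed value.
    """
    findings = []
    consecutive_failures = defaultdict(int)
    last_ok_request = {}        # user -> Request ID of the last S002001
    misconfig_reported = set()  # (Password Protocol, status) already flagged
    for rec in records:
        user = rec.get("User ID", "?")
        code = rec.get("Message Code")
        status = rec.get("Error Code", 0)
        if code == MSG_AUTH_OK:
            consecutive_failures[user] = 0
            last_ok_request[user] = rec.get("Request ID")
            continue
        if code != MSG_AUTH_FAILED:
            continue
        consecutive_failures[user] += 1
        if status == STATUS_OTP_ALREADY_USED:
            # Table 41 notes that 1008 can also follow an automatic re-send of
            # the request. Heuristic (assumption, not from the manual): a
            # re-send carries the same Request ID as the success it repeats,
            # so a 1008 under a different Request ID deserves a closer look.
            if rec.get("Request ID") == last_ok_request.get(user):
                findings.append(Finding(user, "otp-resend",
                    "1008 with the same Request ID as the preceding success"))
            else:
                findings.append(Finding(user, "otp-reuse",
                    "1008 under Request ID %s; previous success was %s"
                    % (rec.get("Request ID"), last_ok_request.get(user))))
        elif status == STATUS_ACCOUNT_LOCKED:
            findings.append(Finding(user, "locked",
                "account is Locked; an administrator must clear the Locked checkbox"))
        elif status in (STATUS_HASHED_PW_WINDOWS, STATUS_CR_NOT_CHAP):
            key = (rec.get("Password Protocol"), status)
            if key not in misconfig_reported:   # report each pairing once
                misconfig_reported.add(key)
                findings.append(Finding(user, "protocol-misconfig",
                    "status %d with Password Protocol %s: CHAP-family protocols "
                    "cannot do Windows back-end auth or Challenge/Response"
                    % (status, key[0])))
        elif status == STATUS_CHALLENGE_EXPIRED:
            findings.append(Finding(user, "challenge-expired",
                "response after Challenge-Cache/Max-Age; the default is one minute"))
        if consecutive_failures[user] == lock_threshold - 1:
            findings.append(Finding(user, "near-lock",
                "%d consecutive failures; the next one reaches User Lock Threshold"
                % consecutive_failures[user]))
    return findings


# Constructed sample records (not real audit output).
SAMPLE_RECORDS = [
    {"Message Code": "S002001", "User ID": "alice", "Request ID": "17",
     "Password Protocol": "PAP", "Error Code": 0},
    {"Message Code": "F002001", "User ID": "alice", "Request ID": "17",
     "Password Protocol": "PAP", "Error Code": 1008},   # NAS re-sent packet 17
    {"Message Code": "S002001", "User ID": "bob", "Request ID": "41",
     "Password Protocol": "PAP", "Error Code": 0},
    {"Message Code": "F002001", "User ID": "bob", "Request ID": "58",
     "Password Protocol": "PAP", "Error Code": 1008},   # old OTP, new request
    {"Message Code": "F002001", "User ID": "carol", "Request ID": "60",
     "Password Protocol": "PAP", "Error Code": 1012},
    {"Message Code": "F002001", "User ID": "carol", "Request ID": "61",
     "Password Protocol": "PAP", "Error Code": 1012},
    {"Message Code": "F002001", "User ID": "dave", "Request ID": "70",
     "Password Protocol": "MS-CHAP2", "Error Code": 1032},
    {"Message Code": "F002001", "User ID": "erin", "Request ID": "71",
     "Password Protocol": "MS-CHAP2", "Error Code": 1032},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_RECORDS):
        print(f.user, f.kind, f.detail)
```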
14 Technical Support
If you encounter problems with a VASCO product, please do the following:
1. Read the 11 How to troubleshoot topic for help in discovering the source of your problem.
2. Check if your problem is resolved in the FAQs section located at the following URL: www.vasco.com/support.
3. If you do not find the information you need in the FAQs, please contact the company that sold you the VASCO product.
Only after doing steps 1 and 2, if your needs are still not completely met, please contact VASCO support:
14.1 Support Contact Information
E-mail: support@vasco.com
Website: http://www.vasco.com/support/contacts.html
Phone:
Australia +61 2 8920 9666 (Sydney)
Belgium +32 2 456 98 10 (Brussels)
Singapore +65 6 232 2727
USA +1 508 366 3400 (Boston)