Digipass Plug-In for IAS Administrator Reference - Vasco

Digipass Plug-In for IAS 

IAS Plug-In 

Digipass Extension for Active Directory Users and Computers 

Administration MMC Interface 

IAS 

Microsoft's Internet Authentication Service 

SBR 

Funk Steel-Belted RADIUS 

Steel-Belted RADIUS 

A dm inistrator Reference

Disclaimer of Warranties and Limitations of Liabilities 

Disclaimer of Warranties and Limitations of Liabilities 

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express 

or implied, including but not limited to warranties of merchantable quality, merchantability of 

fitness for a particular purpose, or those arising by law, statute, usage of trade or course of 

dealing. The entire risk as to the results and performance of the product is assumed by you. 

Neither we nor our dealers or suppliers shall have any liability to you or any other person or 

entity for any indirect, incidental, special or consequential damages whatsoever, including but 

not limited to loss of revenue or profit, lost or damaged data of other commercial or economic 

loss, even if we have been advised of the possibility of such damages or they are foreseeable; 

or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers 

and suppliers shall not exceed the amount paid by you for the Product. The limitations in this 

section shall apply whether or not the alleged breach or default is a breach of a fundamental 

condition or term, or a fundamental breach. Some states/countries do not allow the exclusion 

or limitation or liability for consequential or incidental damages so the above limitation may 

not apply to you. 

Copyright 

© 2006 VASCO Data Security Inc. All rights reserved. 

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in 

any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, 

without the prior written permission of VASCO Data Security Inc. 

Trademarks 

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. 

Microsoft and Windows are registered trademarks of Microsoft Corporation. 

All other trademarks are the property of their respective holders. 

© 2006 VASCO Data Security Inc. 2

Digipass Plug-In for IAS Administrator Reference Table of Contents 

Table of Contents 

1 Introduction..........................................................................................................8 

1.1 Available Reference Guides.......................................................................................... 8 

2 Active Directory Schema....................................................................................... 9 

2.1 Schema Extensions.......................................................................................................9 

2.1.1 Added Object Classes............................................................................................... 9 

2.1.2 Added Attributes..................................................................................................... 9 

2.1.3 Added Permission Property Sets............................................................................... 11 

2.2 Active Directory Auditing............................................................................................12 

2.3 Custom Search Options...............................................................................................13 

2.3.1 Using the Custom Search........................................................................................ 13 

2.4 Sensitive Data Encryption...........................................................................................14 

2.4.1 Encrypted Data...................................................................................................... 14 

2.4.2 Which Encryption Algorithms can be used?................................................................ 14 

2.4.3 Exporting Encryption Settings.................................................................................. 14 

2.5 Active Directory Replication Issues............................................................................ 15 

2.5.1 Old Data Used After Attribute Modified...................................................................... 15 

2.5.1.1 Single Plug-In using more than one Domain Controller......................................................... 15 

2.5.1.2 Administrator and Plug-In using different Domain Controllers................................................ 16 

2.5.1.3 Multiple Plug-Ins Using Different Domain Controllers............................................................ 16 

2.5.1.4 Two Administrators Modifying the Same Attribute................................................................ 16 

2.5.2 Old Data Used Overwrites New Data......................................................................... 17 

2.5.3 Factors Affecting Replication Issues.......................................................................... 17 

2.5.4 Solutions and Mitigations........................................................................................ 18 

2.5.4.1 Digipass Cache................................................................................................................18 

2.5.4.2 Identification Threshold Setting......................................................................................... 19 

2.5.4.3 Administrator Connection Strategy.....................................................................................19 

2.5.4.4 Set a Preferred Server......................................................................................................20 

2.5.4.5 Use Preferred Server Only Option...................................................................................... 22 

3 Set Up Active Directory Permissions .................................................................. 23 

3.1 Permissions Needed by the IAS Plug-In..................................................................... 23 

3.1.1 Giving Permissions to the IAS Plug-In....................................................................... 23 

3.2 Permissions Needed by Administrators...................................................................... 24 

3.2.1 Domain Administrators........................................................................................... 24 

3.2.2 Delegated Administrators........................................................................................ 24 

3.2.3 Reduced-Rights Administrators................................................................................ 24 

3.2.4 System Administrators........................................................................................... 25 

3.3 Assign Administration Permissions to a User .............................................................25 

3.4 Multiple Domains........................................................................................................28 

3.4.1 Scenario 1 – Each IAS Server Handles One Domain.................................................... 28 

3.4.2 Scenario 2 – One IAS Server Handles All Domains...................................................... 28 

3.4.3 Scenario 3 - Combination........................................................................................ 29 

4 Backup and Recovery..........................................................................................30 

4.1 What Must be Backed Up............................................................................................ 30 

4.1.1 Configuration files.................................................................................................. 30 

4.1.2 Web Sites............................................................................................................. 31 



4.1.3 Audit Log Data...................................................................................................... 31 

4.1.3.1 Write to File.................................................................................................................... 31 

4.1.3.2 Write to Windows Event Log..............................................................................................31 

4.1.4 Active Directory..................................................................................................... 32 

4.1.4.1 Cold Backup....................................................................................................................32 

4.1.5 DPX files............................................................................................................... 32 

4.2 Recovery.................................................................................................................... 33 

5 Field Listings.......................................................................................................34 

5.1 User Property Sheet................................................................................................... 34 

5.2 Digipass Property Sheet............................................................................................. 36 

5.2.1 Digipass Application Tab......................................................................................... 36 

5.3 Policy Property Sheet................................................................................................. 37 

5.4 Component Property Sheet.........................................................................................44 

6 Licensing.............................................................................................................45 

6.1 How is Licensing Handled?......................................................................................... 45 

6.2 Licensing Parameters................................................................................................. 45 

6.2.1 Sample License File................................................................................................ 45 

6.3 View License Information........................................................................................... 45 

6.4 Obtain a License Key for a Component........................................................................46 

6.5 Change IP Address..................................................................................................... 47 

7 Web Sites............................................................................................................48 

7.1 Customizing the Web Sites......................................................................................... 48 

7.2 CGI Program...............................................................................................................48 

7.2.1 Configuration Settings............................................................................................ 49 

7.3 Form Fields.................................................................................................................49 

7.3.1 User Self Management Web Site.............................................................................. 49 

7.3.1.1 Registration – Main Pages.................................................................................................49 

7.3.1.2 Registration – Challenge Page........................................................................................... 51 

7.3.1.3 Server PIN Change.......................................................................................................... 52 

7.3.1.4 Login Test – Main Page.....................................................................................................53 

7.3.1.5 Login Test – Challenge Page..............................................................................................54 

7.3.2 OTP Request Site................................................................................................... 54 

7.3.2.1 Request Page.................................................................................................................. 54 

7.4 Query String Variables................................................................................................55 

7.4.1 Failure/Error Handling............................................................................................ 55 

7.4.2 Query String Variable List....................................................................................... 56 

7.4.3 Return Code Listing................................................................................................ 57 

7.4.3.1 API Return Codes............................................................................................................ 57 

7.4.3.2 CGI Errors...................................................................................................................... 58 

7.4.3.3 Internal Errors.................................................................................................................59 

8 Command line utilities.........................................................................................60 

8.1 DPADadmin Utility...................................................................................................... 60 

8.1.1 Extend Active Directory Schema............................................................................... 60 

8.1.1.1 Prerequisite Information................................................................................................... 60 

8.1.1.2 Extend the Schema on the Schema Master..........................................................................61 

8.1.1.3 Extend the Schema on the IAS Server................................................................................61 

8.1.1.4 Command Line Syntax......................................................................................................61 

8.1.2 Check Schema Extensions....................................................................................... 62 




8.1.2.2 Check the Schema on the IAS Server................................................................................. 62 

8.1.2.3 Check the Schema on a Machine in the Domain to Check...................................................... 63 

8.1.2.4 Command Line Syntax......................................................................................................63 

8.1.3 Set Up Digipass Configuration Container in Domain..................................................... 63 


8.1.3.2 Set Up Digipass Configuration Container............................................................................. 63 

8.1.3.3 Command Syntax............................................................................................................ 64 

8.1.4 Assign Digipass Permissions to a Group..................................................................... 64 

8.1.4.1 Pre-requisites..................................................................................................................64 

8.1.4.2 Command Syntax............................................................................................................ 64 

9 Login Options......................................................................................................65 

9.1 Login Permutations.................................................................................................... 65 

9.1.1 Response Only - PAP.............................................................................................. 67 

9.1.2 Response Only – CHAP/MS-CHAP............................................................................. 68 

9.1.3 Challenge/Response............................................................................................... 68 

9.1.4 Virtual Digipass..................................................................................................... 69 

10 Configuration Settings........................................................................................ 70 

10.1 IAS Plug-In................................................................................................................ 70 

10.1.1 Configuration GUI.................................................................................................. 70 

10.1.1.1 Enable IAS Plug-In...........................................................................................................70 

10.1.1.2 Allow Passthrough........................................................................................................... 70 

10.1.1.3 Set Component Location...................................................................................................70 

10.1.1.4 Library Path.................................................................................................................... 70 

10.1.1.5 Turn Tracing On or Off......................................................................................................70 

10.1.1.6 Active Directory Settings.................................................................................................. 71 

10.1.1.7 Data Encryption...............................................................................................................73 

10.1.2 Configuration File................................................................................................... 75 

10.2 MDC............................................................................................................................ 78 

10.2.1 Required Information............................................................................................. 78 

10.2.2 MDC Configuration GUI........................................................................................... 78 

10.2.2.1 Set IAS Server Connection Details..................................................................................... 78 

10.2.2.2 Modify Gateway Account Login Details................................................................................78 

10.2.2.3 Configure Internet Connection Details................................................................................ 79 

10.2.2.4 Configure Tracing............................................................................................................ 79 

10.2.2.5 Import HTTP Gateway settings.......................................................................................... 80 

10.2.2.6 Edit Advanced Settings.....................................................................................................80 

10.2.2.7 Export HTTP Gateway settings...........................................................................................80 

10.2.2.8 Gateway Result Pages...................................................................................................... 81 

10.2.3 MDC Configuration File........................................................................................... 85 

10.2.4 Configuration Settings............................................................................................ 86 

10.3 CGI............................................................................................................................. 87 

11 How to troubleshoot............................................................................................88 

11.1 Enable Tracing............................................................................................................88 

11.2 Installation Check...................................................................................................... 88 

11.2.1 Installation Log File................................................................................................ 88 

11.2.2 Check file placement.............................................................................................. 88 

11.2.3 Registry Entries..................................................................................................... 89 

11.2.4 DLLs to be Registered............................................................................................. 90 

11.2.5 Check Permissions................................................................................................. 90 

11.2.6 IAS Server Registered in Active Directory Domain....................................................... 91 



11.2.7 Default Policy and Component Created...................................................................... 91 

11.3 Fix Installation Errors.................................................................................................92 

11.3.1 Register IAS Plug-In............................................................................................... 92 

11.4 View Audit Information.............................................................................................. 92 

11.4.1 Windows Event Log................................................................................................ 92 

11.4.2 Audit log text file................................................................................................... 92 

11.5 Delete all Digipass Data from Active Directory........................................................... 93 

11.5.1 Run Delete Script on a Domain................................................................................ 93 

12 Audit Messages................................................................................................... 94 

12.1 Audit Message Listing.................................................................................................94 

12.2 Audit Message Fields.................................................................................................. 98 

13 Error and Status Codes......................................................................................100 

13.1 Error Code Listing..................................................................................................... 100 

13.2 Status Code Listing...................................................................................................102 

14 Technical Support............................................................................................. 105 

14.1 Support Contact Information.................................................................................... 105 



Index of Tables 

Table 1: Custom Object Classes........................................................................................................................9 

Table 2: Custom Object Attributes...................................................................................................................11 

Table 3: Custom Permission Property Sets....................................................................................................... 11 

Table 4: Custom Search options......................................................................................................................13 

Table 5: Encrypted Data Attributes..................................................................................................................14 

Table 6: User Fields.......................................................................................................................................35 

Table 7: Digipass Fields................................................................................................................................. 36 

Table 8: Digipass Application Fields................................................................................................................. 37 

Table 9: Policy Fields.....................................................................................................................................43 

Table 10: Component Fields........................................................................................................................... 44 

Table 11: License Parameters for Digipass Plug-In for IAS..................................................................................45 

Table 12: Configuration Settings for CGI Program............................................................................................. 49 

Table 13: Form Fields for Main Registration Page.............................................................................................. 50 

Table 14: Form Fields for Registration Challenge Page....................................................................................... 51 

Table 15: Form Fields for Server PIN Change Page............................................................................................ 52 

Table 16: Form Fields for Main Login Test Page.................................................................................................53 

Table 17: Form Fields for Login Test Challenge Page..........................................................................................54 

Table 18: Form Fields for OTP Request Page.....................................................................................................54 

Table 19: Query String Variable List................................................................................................................ 56 

Table 20: API Return Codes............................................................................................................................57 

Table 21: CGI Error Return Codes................................................................................................................... 58 

Table 22: Internal Error Codes........................................................................................................................59 

Table 23: DPADadmin addschema Command Line Options..................................................................................62 

Table 24: DPADadmin checkschema Command Line Options...............................................................................63 

Table 25: DPADadmin setupdomain Command Line Options................................................................................64 

Table 26: DPADadmin setupaccess Command Line Options.................................................................................64 

Table 27: Login Permutations - Response Only PAP........................................................................................... 67 

Table 28: Login Permutations - Response Only CHAP......................................................................................... 68 

Table 29: Login Permutations – Challenge/Response......................................................................................... 68 

Table 30: Login Permutations – Virtual Digipass................................................................................................69 

Table 31: MDC Audit Message Variables...........................................................................................................83 

Table 32: Message Delivery Component Configuration Settings........................................................................... 87 

Table 33: Required Files.................................................................................................................................89 

Table 34: Registry Entries.............................................................................................................................. 90 

Table 35: DLLs to be Registered......................................................................................................................90 

Table 36: Permissions Required...................................................................................................................... 91 

Table 37: IAS Plug-In Registry Entries............................................................................................................. 92 

Table 38: Audit Messages List.........................................................................................................................97 

Table 39: Audit Message Fields....................................................................................................................... 99 

Table 40: Error Code List..............................................................................................................................102 

Table 41: Status Code List............................................................................................................................104 


Digipass Plug-In for IAS Administrator Reference Introduction 

1 Introduction 

1.1 Available Reference Guides 

These Reference Guides are included with every VASCO product: 

Product Guide 

The Product Guide will introduce you to the features of this product and the various options 

you have for using it. 

Installation Guide 

Use this guide when planning and working through an installation of the product. 

Getting Started 

To get you up and running quickly with a simple installation and setup of the product. 

Administrator Reference 

In-depth information required for administration of the product. 

Data Migration Tool Guide 

Takes you through a data migration from one VASCO product to another, using the VASCO 

Data Migration Tool. 

Help Files 

These accompany various utilities and the administration interfaces. 


Digipass Plug-In for IAS Administrator Reference Active Directory Schema 

2 Active Directory Schema 

2.1 Schema Extensions 

The following tables document the changes made by the Digipass Plug-In for IAS to the Active 

Directory schema. 

2.1.1 Added Object Classes 

Attribute Type Location Explanation 

vasco-UserExt Aux. 

Class 

vasco-DPToken Class Unassigned – Optional 

User record Extra VASCO attributes are added to an Active Directory 

User record via an 'auxiliary class' vasco-UserExt on the 

User class. 

Assigned – with User 

record 

The vasco-DPToken class is used to store Digipass 

attributes. It is also a container, in which vasco- 

DPApplication records for that Digipass are stored. 

Upon assignment to a User, the Digipass record is stored 

in the same location as the User. 

vasco-DPApplication Class Within Digipass record This class is used to store Digipass Application attributes, 

such as Server PIN and expected OTP length. 

vasco-Policy Class Digipass Configuration 

Container 

vasco-Component Class Digipass Configuration 

Container 

vasco-BackEndServer Class Digipass Configuration 

Container 

Table 1: Custom Object Classes 

2.1.2 Added Attributes 

Name Class 

vasco-SerialNumber vasco-DPToken 

vasco-TokenType vasco-DPToken 

vasco-ApplicationNames vasco-DPToken 

vasco-ApplicationTypes vasco-DPToken 

vasco-LinkVascoDigipassToUserExt vasco-DPToken 

vasco-TokenAssignedDate vasco-DPToken 

vasco-GracePeriod vasco-DPToken 

vasco-EnableBVDP vasco-DPToken 

vasco-BVDPExpiryDate vasco-DPToken 

vasco-BVDPUsesLeft vasco-DPToken 

vasco-DirectAssignOnly vasco-DPToken 

vasco-AdditionalAttribute vasco-DPToken 

vasco-SerialNumber vasco-DPApplication 

vasco-ApplicationName vasco-DPApplication 

vasco-ApplicationNumber vasco-DPApplication 

vasco-ApplicationType vasco-DPApplication 

Policy attributes. Attributes will commonly be shared via 

inheritance. 

Component attributes include the License Key for IAS 

Plug-In Components. 

Information required for connection to back-end servers. 

This class is not used with the Digipass Plug-In for IAS, but 

is included for compatibility with other VASCO products. 



Name Class 

vasco-DPBlob vasco-DPApplication 

vasco-Active vasco-DPApplication 

vasco-LinkUserExtToVascoDigipass vasco-UserExt 

vasco-LinkUserExtToUser vasco-UserExt 

vasco-StaticPassword vasco-UserExt 

vasco-LocalAuth vasco-UserExt 

vasco-BackEndServerAuth vasco-UserExt 

vasco-Disable vasco-UserExt 

vasco-Profile Vasco-UserExt 

vasco-CreateTime Vasco-UserExt 

vasco-ModifyTime Vasco-UserExt 

vasco-ID vasco-BackEndServer 

vasco-Protocol vasco-BackEndServer 

vasco-Domain vasco-BackEndServer 

vasco-Priority vasco-BackEndServer 

vasco-ConfigurationValue vasco-BackEndServer 

vasco-ID vasco-Component 

vasco-Location vasco-Component 

vasco-LinkVascoPolicyToVascoPolicy vasco-Component 

vasco-Protocol vasco-Component 

vasco-ConfigurationValue vasco-Component 

vasco-PublicKey Vasco-Component 

vasco-AdditionalAttribute vasco-Policy 

vasco-EnableBVDP vasco-Policy 

vasco-LocalAuth vasco-Policy 

vasco-BackEndAuth vasco-Policy 

vasco-ApplicationNames vasco-Policy 

vasco-ID vasco-Policy 

vasco-Description vasco-Policy 

vasco-DUR vasco-Policy 

vasco-Autolearn vasco-Policy 

vasco-StoredPasswordProxy vasco-Policy 

vasco-AssignmentMode vasco-Policy 

vasco-AssignSearchUpOUPath vasco-Policy 

vasco-GracePeriod vasco-Policy 

vasco-AllowedApplType vasco-Policy 

vasco-AllowedDPTypes vasco-Policy 

vasco-Protocol vasco-Policy 

vasco-Domain vasco-Policy 

vasco-GroupList vasco-Policy 

vasco-GroupCheckMode vasco-Policy 

vasco-OneStepChalResp vasco-Policy 



Name Class 

vasco-OneStepChalLength vasco-Policy 

vasco-OneStepChalCheckDigit vasco-Policy 

vasco-BVDPMaximumDays vasco-Policy 

vasco-BVDPMaximumUses vasco-Policy 

vasco-PINChangeAllowed vasco-Policy 

vasco-SelfAssignSeparator vasco-Policy 

vasco-ChallengeRequestMethod vasco-Policy 

vasco-ChallengeRequestKeyword vasco-Policy 

vasco-PrimaryVDPRequestMethod vasco-Policy 

vasco-PrimaryVDPRequestKeyword vasco-Policy 

vasco-BackupVDPRequestMethod vasco-Policy 

vasco-BackupVDPRequestKeyword vasco-Policy 

vasco-ITimeWindow vasco-Policy 

vasco-STimeWindow vasco-Policy 

vasco-EventWindow vasco-Policy 

vasco-SyncWindow vasco-Policy 

vasco-IThreshold vasco-Policy 

vasco-SThreshold vasco-Policy 

vasco-CheckChallenge vasco-Policy 

vasco-OnLineSG vasco-Policy 

vasco-ChkInactDays vasco-Policy 

vasco-LinkPolicyToParentPolicy vasco-Policy 

vasco-LinkPolicyToChildPolicy vasco-Policy 

vasco-LinkPolicyToComponent vasco-Policy 

Version-Number vasco-Policy 

Table 2: Custom Object Attributes 

2.1.3 Added Permission Property Sets 

Property sets have been created for typical groups of permissions required for administration 

tasks. 

Property Set Applicable 

Object 

Actions Allowed 

Digipass Assignment Link Digipass Assign and unassign Digipass for Digipass User accounts. 

Digipass Application Data Digipass 

Application 

Digipass record functions. 

Digipass User Account Information User Modify Digipass User information. 

Digipass User Account to User Link User Link and unlink Digipass Users. This is also required when 

assigning Digipass to linked Digipass User records. 

Digipass User Account Stored Password User Read and modify the stored password for a Digipass User. 

Table 3: Custom Permission Property Sets 



2.2 Active Directory Auditing 

Active Directory auditing may be configured to record access and modifications to custom 

objects used by the Digipass Plug-In for IAS. If you currently have default auditing enabled, it 

might include already include actions on custom objects. See these Microsoft articles for 

information on turning on and configuring auditing: 

Windows 2000 

http://support.microsoft.com/?kbid=314955 

Windows 2003 

http://support.microsoft.com/?kbid=814595 

The basic process you will need to follow is: 

1. Select a scope for the the auditing (eg. Domain Root). 

2. Select a Windows User or Windows Group (eg. Everyone or Domain Administrators) 

3. Select the object classes to audit (eg. Digipass objects) – if required 

4. Select the permissions which should be audited (eg. Read, Write, Delete, Create) 

What Should I Audit? 

This will depend on what you need to audit. For example, if you wanted to record all Digipass 

assignments in the domain, you might set up auditing in the Domain Root for Everyone, with 

the Digipass Assignment Link property set. 

See the topic for more information on custom objects and permission property sets created 

for the Digipass Plug-In for IAS. 



2.3 Custom Search Options 

The Digipass Extension adds functionality to the Active Directory Users and Computers snap-in 

which allows searching for specific Digipass and Digipass User records throughout a domain, or 

within the limits of a delegated administrator's permissions. This functionality is especially 

useful where unassigned Digipass have been allocated to various Organizational Units. 

The table below displays the custom search attributes available for Digipass User accounts and 

Digipass records. 

Object Type Available Search attributes Location (tab) 

Users, Contacts and Groups Digipass Assignment Link Advanced 

Digipass Back-End Authentication Advanced 

Digipass Local Authentication Advanced 

Digipass RADIUS Profile Advanced 

Digipass User Account Disabled Advanced 

Digipass User Account Locked Advanced 

Digipass User to User Link Advanced 

Digipass Serial Number From Digipass 

Table 4: Custom Search options 

Serial Number To Digipass 

Digipass Type Digipass 

Application Name Digipass 

Application Type Digipass 

Digipass Assignment Digipass 

Reserved Digipass 

Backup Virtual Digipass Enabled Advanced 

2.3.1 Using the Custom Search 

This set of instruction shows the sort of use to which the Digipass custom search options can 

be put, and the basic steps required for a search. 

1. Right-click on the Organisational Unit to search in. 

2. Click on Find... 

3. Select the object type from the Find drop down list. 

4. If you are searching on advanced attributes (see table above): 

a. Click on the Advanced tab. 

b. Click on Field and select the attribute from the list (for User attributes, click on Field 

-> User -> attribute). 

5. Enter the search criteria. 

Note 

When a search is run with a Digipass Application criteria set, only Digipass 

records with that Application set to Active will be returned. 



Either exact text or wildcards should be used – the Search is performed on whole words only, 

not partial words. 

Example 

A search for Digipass records run with only the following text entered into the Serial Number 

field, would return these results: 

0097 No records returned 

0097* All Digipass with serial number starting with 0097 

0097987654 Digipass with serial number 0097987654 only 

*76 All Digipass with serial number ending in 76 

2.4 Sensitive Data Encryption 

Sensitive data is encrypted by the IAS Plug-In using an embedded key. If needed, this 

encryption may be strengthened by adding a custom key in the Configuration GUI. The 

embedded and custom keys are subjected to a logical XOR process to produce a new key 

derived from both. 

Note 

Encryption settings must be set before importing Digipass. 

2.4.1 Encrypted Data 

Attribute Class 

vasco-DPBlob vasco-DPApplication 

vasco-StaticPassword vasco-UserExt 

vasco-SharedSecret vasco-Component 

Table 5: Encrypted Data Attributes 

2.4.2 Which Encryption Algorithms can be used? 

AES 

blowfish 

cast5 

3DES 

3DES with 3 keys 

2.4.3 Exporting Encryption Settings 

Encryption settings may be exported to a password-protected text file from the IAS Plug-In 

Configuration GUI. This file may then be loaded to other IAS Plug-In modules. 



2.5 Active Directory Replication Issues 

Active Directory replication is not instantaneous. Intra-site replication is usually quite fast, 

especially under Windows Server 2003, but changes on one Domain Controller may still take 

several minutes to be replicated to other Domain Controllers. Inter-site replication may be 

quite slow – an hour or more between replications is common. 

Replication occurs when more than one Domain Controller exists in a domain. 

2.5.1 Old Data Used After Attribute Modified 

The time period between replications becomes a problem where information is changed on one 

Domain Controller (for example, a Digipass User's Server PIN is reset), but old information is 

used on another Domain Controller before the changed information has been replicated to it. 

There are a few scenarios where this may occur. These are listed below: 

2.5.1.1 Single Plug-In using more than one Domain Controller 

A single Plug-In may make a change to a record, have to switch to another Domain Controller, 

and read the same record – where the change has not yet been applied. 

Example 

A User logs in with an OTP, and the Plug-In connects to DC-01 to retrieve and update the 

Digipass data. The connection to the DC-01 fails soon after login, before replication has 

occurred. The User needs to log in again, and the Plug-In connects to DC-02 this time. The 

User can log in using the same OTP as the last login – the login should fail (OTP replay) but 

instead succeeds, because DC-02 does not yet know that the OTP has been previously used. 

Time DC-01 DC-02 

8:32 Replication occurs 

8:34 User logs in with OTP 10457920. 

The Plug-In records the use of the OTP in 

the Digipass record. 

8:35 Connection to DC-01 is broken, and Plug-In 

switches to DC-02. 

8:35 User retries login using same OTP 

10457920. The login succeeds where it 

should have failed (OTP replay). 

The Plug-In records the use of the OTP in 

the Digipass record. 


Digipass record changes are replicated between DC-01 and DC-02. 

The example timeline above shows the sequence of events. 



2.5.1.2 Administrator and Plug-In using different Domain Controllers 

The administrator may not be connected to the same Domain Controller (via the 

Administration Interfaces) as the Plug-In. 

Example 

An administrator changes a User's Server PIN through the Active Directory Users and 

Computers extension, which is connected to DC-01. The Plug-In connects to DC-03. The User 

attempts a login using the new PIN, which fails because DC-03 is not yet aware of the 

change of Server PIN. 



9:03 Administrator changes a User's Server PIN 

from 1234 to 9876. 

9:04 User attempts to log in using new PIN 

(9876) and the login fails. 




2.5.1.3 Multiple Plug-Ins Using Different Domain Controllers 

Multiple Plug-Ins may connect to different Domain Controllers in a domain or site. 

Example 

A User changes their own PIN during a login through a Plug-In which connects to DC-01. The 

server on which the Plug-In is installed becomes unavailable, and the User attempts another 

login via the Plug-In on a backup server, which connects to DC-02. The login fails because 

DC-02 is not yet aware of the change of Server PIN. 



11:55 User changes their Server PIN from 1234 to 

9876 during login. 

The Plug-In records the PIN change in the 

Digipass record. 

11:57 User attempts to log in using new PIN 

(9876) and the login fails. 




2.5.1.4 Two Administrators Modifying the Same Attribute 

Two administrators attempt to modify the same attribute on a single User account or Digipass 

record within the same replication interval. The later modification will overwrite the earlier 

when replication occurs. 



2.5.2 Old Data Used Overwrites New Data 

The problems above are exacerbated when the old information used on the second Domain 

Controller is updated based on the old information. As the updated record on the second 

Domain Controller now has a later modification date, the end result is that the changed 

information on the first Domain Controller is overwritten incorrectly. 

Example 

An administrator connects to DC-01 and sets a User's PIN from '1234' to '9876'. The User 

logs in through the Plug-In, which connects to DC-02. The User enters the new Server PIN 

and his One Time Password. However, the PIN set on DC-01 has not yet been replicated to 

DC-02, so because the PIN entered does not match the old PIN still recorded in the Digipass 

record on DC-02, the login fails. 

Because the Policy setting of Identification Threshold is in use, his login failure is written 

back to the Digipass record. When replication occurs, the Digipass record on DC-02 has the 

latest modification date – and is copied to DC-01, wiping out the original PIN setting made 

by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server 

PIN for the Digipass. 


10:45 Replication 

10:46 Administrator changes User's PIN from 9876 

to 1234. 

10:48 User login (with new PIN of 1234) fails. 

Digipass Plug-In writes failure information to 

Digipass record. 

10:50 Replication 

Active Directory finds last instance of the Digipass blob having been modified. 

Active Directory overwrites DC-01 Digipass record with DC-02 Digipass record. 

The example timeline above shows how the problem can occur. 

The problem shown in the example above may also occur in a Force PIN Change set by an 

administrator. 

2.5.3 Factors Affecting Replication Issues 

A number of factors determine the likelihood and severity of the Active Directory issues 

described: 

Redundancy and load-balancing settings for the Plug-In 

There are a number of Plug-In configuration settings which may affect replication issues: 

Preferred Server 

The Plug-In will attempt to connect to the named Domain Controller, rather than simply 

polling the domain for an available Domain Controller. 

Preferred Server Only 

The Plug-In may be restricted to connecting only to the Domain Controller named in the 

above setting. If this is enabled, the Plug-In will not switch to any other Domain 

Controller, so it will never retrieve data older than its own. 

Max. Bind Lifetime 



The maximum bind lifetime controls how long the Plug-In will stay connected to a 

Domain Controller before polling the domain for a Domain Controller connection. 

Replication Interval 

In Windows 2000, the intra-site replication interval can be configured – the default is 5 

minutes. On Windows Server 2003, the intra-site replication interval is not configurable, but is 

set to approximately 15 seconds, as replication is much more efficient. 

Inter-site replication is fully configurable on both Windows 2000 and Windows Server 2003. 

The longer the replication interval, the more likelihood of these problems occuring. 

Number of Domain Controllers in the Site 

Each Domain Controller regularly requires replication with all other local Domain Controllers. 

As this is done sequentially, it will affect the amount of time between replications. 

2.5.4 Solutions and Mitigations 

2.5.4.1 Digipass Cache 

The Digipass cache collects Digipass records as they are modified, and keeps them in memory 

for a certain length of time. A newer entry from the cache is always used in preference to an 

older record from Active Directory. The cache age should be a little longer than the typical 

replication interval. The default is 10 minutes (600 seconds). 

This option will help in problems caused by a single Plug-In accessing more than one Domain 

Controller in a domain – see 2.5.1.1 Single Plug-In using more than one Domain 

Controller). It will not affect the scenarios of multiple Plug-Ins or a Administration Interface 

being connected to a different Domain Controller to the Plug-In. 

If you calculate that your typical replication interval will be more than ten minutes, the cache 

age may be increased by modifying the Blob-Cache Max-Age setting in the configuration file 

(\bin\dpiasext.xml): 

 

 

 

 

 

 

A large cache may slow down processing slightly for the Plug-In, so monitor performance to 

check the impact caused after modifying the cache age. 

Warning 

If the Plug-In is installed on a member server, this server must be closely 

time-synchronised with the Domain Controller(s). If the server is not timesynchronised, 

the Policy may select an older record when comparing records in 

the Digipass cache with those on the Domain Controller. 

If the Plug-In is installed on a Domain Controller, time-synchronisation is assumed. 



2.5.4.2 Identification Threshold Setting 

Reconsider use of the Identification Threshold setting in the relevant Policy(s). The User 

Lock setting may be used instead in most cases (see and for more information on these two 

settings). Discontinuing use of the Identification Threshold setting will avoid the scenario 

shown in 2.5.2 Old Data Used Overwrites New Data, 

where a failed login overwrites an 

administrator's modification. 

2.5.4.3 Administrator Connection Strategy 

The option exists in the Active Directory Users and Computers Plug-In to connect to a specific 

Domain Controller in a domain. An administrator should select the same Domain Controller as 

used by the Plug-In for urgent administration tasks likely to be affected by this issue – for 

example, resetting a User's Server PIN so they may login while on the phone to the 

administrator. 

To connect to a specific Domain Controller, right-click on the domain and select Connect to 

Domain Controller... 



2.5.4.4 Set a Preferred Server 

This option decreases some replication problems, as the Plug-In will be primarily connected to 

the Domain Controller named as its Preferred Server. This gives less opportunity for loadbalancing, 

however. 

If the Plug-In is installed on a Domain Controller, the Preferred Server will not need to be set 

for that domain, as the Plug-in will normally select that Domain Controller for connections. 

To set a Preferred Server for a domain: 

1. Open the IAS Plug-In Configuration GUI (Start -> Programs -> VASCO -> Digipass 

Plug-In for IAS -> Configuration GUI). 

2. Click on the Active Directory Connections tab. 

3. If the domain is the Configuration Domain, click on Edit... 

If the domain is in the Domains list, select the domain name and click on Edit... 

If the domain is not in the Domains list, click on Add... 

4. Enter the Fully Qualified Domain Name for the domain in the FQDN field. 



5. Enter the name of the Domain Controller in the Preferred Server field. 

This name should be the first part of the FQDN for the Domain Controller, eg. dc01 

from dc01.support.vasco.com. 

6. Enter any other information required. 

7. Click on OK. 

The IAS Plug-In will now always connect to the Preferred Server when it is available. 



2.5.4.5 Use Preferred Server Only Option 

In some cases this setting may be enabled. As it forces the Plug-In to use the same Domain 

Controller at all times. It will eliminate load-balancing and any fail-over for the Plug-In, 

though, so is not normally recommended. 


Digipass Plug-In for IAS Administrator Reference Set Up Active Directory Permissions 

3 Set Up Active Directory Permissions 

3.1 Permissions Needed by the IAS Plug-In 

The IAS Plug-In runs inside Microsoft's Internet Authentication Service, which runs as a 

Service. The Service runs as the 'Local System' account rather than as a named user account. 

Therefore, when connecting to Active Directory, the IAS Plug-In connects as the computer 

account, not a user account. The permissions that it has within Active Directory are the 

permissions of the computer account. 

An important exception to this occurs if you install IAS and the IAS Plug-In onto a Domain 

Controller. Any Service running as 'Local System' on a Domain Controller has all possible 

permissions to that Domain. In this case, no additional setup of permissions is required. 

Therefore, the rest of this section applies to the case where IAS is not on the Domain 

Controller. 

When you register IAS in Active Directory, this adds the computer account to the built-in 'RAS 

and IAS Servers' group in the Domain. This built-in group has the permissions required by IAS 

itself within Active Directory, but it does not have the extra permissions required by the IAS 

Plug-In. 

In order to function correctly, the IAS Plug-In requires the following permissions in Active 

Directory, that are not granted to the 'RAS and IAS Servers' by default: 

Read access to the Digipass Configuration Container 

Read access to all User accounts (or at least, all who might need to be authenticated by 

the IAS Plug-In) 

Write access to the new attributes that are added to the User class for the Digipass Plug- 

In for IAS (these are in the auxiliary class vasco-UserExt) 

Full control over all Digipass (vasco-DPToken) and Digipass Application (vasco- 

DPApplication) objects 

Create and delete permission for Digipass (vasco-DPToken) objects in Organizational 

Units and containers (specifically the Digipass-Pool and Users containers) 

3.1.1 Giving Permissions to the IAS Plug-In 

During installation, these additional permissions are granted to the 'RAS and IAS Servers' 

group automatically. 

There is also a manual way to grant these permissions, by running the 'setupaccess' command 

at the command prompt: 

dpadadmin.exe setupaccess -group “RAS and IAS Servers” 

See 8.1 DPADadmin Utility for more information on the setupaccess command. 

As mentioned above, this is not necessary if IAS is installed onto a Domain Controller. 



3.2 Permissions Needed by Administrators 

3.2.1 Domain Administrators 

Domain Administrators already have all required permissions within their Domain. 

3.2.2 Delegated Administrators 

The term 'Delegated Administrators' is used here to refer to administrators who have been 

delegated control over an Organizational Unit. Generally speaking, they have administrative 

control over the user and computer accounts within their Organizational Unit. 

See the Digipass Records topic in the Product Guide for more information on possible 

approaches to delegating Digipass administration. 

By default, these administrators will be able to view the Digipass User Account data for their 

users and the Digipass that are located within their Organizational Unit. However, they will not 

be able to modify any of that data or assign Digipass. 

If you wish to delegate responsibility for all Digipass-related administration within an 

Organizational Unit, the following additional permissions are required by the Delegated 

Administrator: 

Within the scope of the Organizational Unit, write permission to the new attributes that 

are added to the User class for the Digipass Plug-In for IAS (these are in the auxiliary 

class vasco-UserExt) – you can add write permissions for each individual Property Set or 

if appropriate, grant 'Write All Properties' permission 

Within the scope of the Organizational Unit, full control over all Digipass (vasco- 

DPToken) and Digipass Application (vasco-DPApplication) objects 

Create and delete permission for Digipass (vasco-DPToken) objects within the 

Organizational Unit 

If the Delegated Administrator should be allowed to assign Digipass from the Digipass 

Pool to their users, they need: 

the Delete Digipass objects permission in the Digipass-Pool container 

Write All Properties permission on Digipass objects in the Digipass-Pool container 

If the Delegated Administrator should be allowed to move unassigned Digipass back to 

the Digipass-Pool, they need the Create Digipass objects permission in the Digipass-Pool 

container 

3.2.3 Reduced-Rights Administrators 

The term 'Reduced-Rights Administrator' is used here to refer to administrators who are 

granted permissions to perform only selected Digipass-related administration tasks. They may 

be granted these permissions within the scope of the whole Domain, or only within an 

Organizational Unit. 

An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but 

not to assign/unassign Digipass to/from users. 



By default, all users have read access to everything in the Active Directory. The modification 

permissions that can be granted to this kind of administrator are: 

Write permission for any of three Property Sets on the Digipass User Account fields: 

Digipass User Account Information – all attributes except those covered by the other 

two Property Sets 

Digipass User Account Link – the link attribute used to share a Digipass between two 

user accounts 

Digipass User Account Stored Password – the Stored Password attribute 

Write permission for any individual properties on Digipass objects, except for one 

Property Set that is defined to control the Digipass assignment link 

Write permission for any individual properties on Digipass Application objects, except for 

one Property Set that is defined to include the Digipass 'blob' that is required for any 

administrative operation such as Reset PIN, Test, Set Event Counter, etc. 

Create and delete permission on Digipass and Digipass Application objects 

If the administrator should be allowed to move Digipass, they need: 

the Delete Digipass objects and Create Digipass objects permissions in the relevant 

Domain and/or Organizational Unit 

Write All Properties permission on Digipass objects 

Note that this can be necessary for assigning Digipass to users, because a move from 

one location to another is controlled by permissions to delete from the source and create 

in the destination 

3.2.4 System Administrators 

The term 'System Administrator' is used here to refer to an administrator who will be 

responsible for management of the Component and Policy records, rather than Digipass User 

Accounts and Digipass. They need permissions within the Digipass Configuration Container to 

create, modify and delete Policy (vasco-Policy) and Component (vasco-Component) objects. 

In practice, System Administrators can typically be given full control over the Digipass- 

Configuration container. If you wish to grant more limited permissions, this can be handled 

with the standard Active Directory permissions on these objects within the scope of the 

container. 

3.3 Assign Administration Permissions to a User 

Note 

This example assumes that the administrator's User account has read 

permissions for all User records already. 

To grant permissions to manage Digipass records, you will need to follow these steps: 

1. Right-click on the Organizational Unit in which to assign permissions. 

2. Select Delegate Control... from the right-click menu. 

The Delegate Control Wizard will be displayed. 



3. Select the User or Windows Group to assign permissions. 


5. Select the Delegate Common Tasks option button. 

6. Select Create, Delete and Manage Digipass from the list. 

7. Click on Next. 

8. Click on Finish. 

If you wish to grant permissions to modify Digipass User Account properties, you will need to 

follow these steps: 

9. Select View -> Advanced Features from the main menu. 

10. Right-click on the Organizational Unit in which to assign permissions. 

11. Select Properties from the right-click menu. 

12. Click on the Security tab. 

13. Click on the Advanced button. 

The Advanced Security Settings window will be displayed. 

14. Click on Add... 

15. Type the username of the User to assign the permissions to and click OK. 

16. Click on the Properties tab. 

17. Select User Objects from the Apply onto drop down list. 

18. Select the required permissions from: 




Write Digipass User Account Information 

Write Digipass User Account Link 

Write Digipass User Account Stored Password 

If the administrator requires permissions to take Digipass out of the Digipass Pool for 

assignment, you will need to follow these steps: 

22. Right-click on the Digipass Pool. 

23. Select Properties from the right-click menu. 

24. Click on the Security tab. 

25. Click on the Advanced button. 

The Advanced Security Settings window will be displayed. 


27. Select the User account. 


29. Click on the Object tab. 

30. Select Child objects only from the Apply onto drop down list. 



31. Tick the Allow box for: 



Delete Digipass Objects 

Create Digipass Objects (if you wish to allow the administrator to move Digipass 

records into the Digipass Pool) 

34. Select the User account. 


36. Click on the Object tab. 

37. Select Digipass objects from the Apply onto drop down list. 

38. Tick the Allow box for Write All Properties. 






3.4 Multiple Domains 

When using the IAS Plug-In with multiple domains, extra steps must be followed to ensure 

that both the IAS Plug-In and administrators have permissions sufficient to access required 

data. The main issues are: 

The Digipass Configuration Container is only in one Domain. All IAS Plug-Ins need 

read access to this container, even when they are in a different Domain. Cross- 

Domain access for administrators is a less likely requirement however. 

If an IAS Plug-In handles users and Digipass in more than one Domain, they need to 

be granted the necessary permissions in all the necessary Domains. 

In this manual, we will handle cross-Domain permissions using a combination of Domain 

Local and Domain Global groups. It is possible in a 'native' mode Domain to use Universal 

groups, but these are not recommended in Windows 2000 due to replication issues. The 

replication efficiency has been improved in Windows Server 2003, however Universal 

groups are still not used as commonly as Domain Local/Global groups. 

Three possible scenarios for multiple domain setup are outlined below: 

3.4.1 Scenario 1 – Each IAS Server Handles One Domain 

Each IAS server handles only the domain in which it is a member. 

Install IAS in each domain (the result will be at least as many IAS servers as domains). 

Give each IAS server access to the Digipass Configuration Domain: 

Domain Global Group(s) 

For each domain (apart from the Digipass Configuration Domain) - 

1. Create a Domain Global group 

2. Add the IAS server(s) to the Domain Global group (check which machines are in the 

'RAS and IAS Servers' group to ensure the correct additions) 

Domain Local group 

In the Digipass Configuration Domain - 

3. Create or use an existing Domain Local group. 

4. Give the Domain Local group full read access to the Digipass Configuration Container. 

5. Add the Domain Global Group from each other domain to the Domain Local group. 

3.4.2 Scenario 2 – One IAS Server Handles All Domains 

IAS servers in one domain handle all domains. The Digipass Configuration Container should be 

located in the domain to which the IAS servers belong. 

Give the necessary access to User and Digipass data: 

Domain Global group 

In the IAS server Domain - 



1. Create a Domain Global group. 

2. Add the IAS servers to the Domain Global group (check which machines are in the 

'RAS and IAS Servers' group to ensure the correct additions). 

Domain Local groups 

For each other Domain - 

3. Create a Domain Local group. 

4. Give the Domain Local group the required permissions (run the setupaccess command 

- See 8.1 DPADadmin Utility for more information). 

5. Add the Domain Global group from the IAS Domain to the Domain Local group. 

3.4.3 Scenario 3 - Combination 

This scenario represents more complex setups, where a combination of steps from Scenarios 1 

and 2 will be required. Use the steps given in the first two scenarios as a guide for what you 

will need to do for the combination scenario. 


Digipass Plug-In for IAS Administrator Reference Backup and Recovery 

4 Backup and Recovery 

This section explores the measures that Administrators can undertake in backing up and 

recovering VASCO datafiles in the event of a system failure. 

Note 

This section does not cover backup of executables and system files. In the 

event of a catastrophic failure these can be restored or reinstalled from the 

original distribution media. 

Once the IAS Plug-In is installed and operational, backups should be made of important files 

and data. 

Any time changes are made to the system, file backups may need to be performed again. 

These changes include, but are not limited to: 

Changing any configuration settings including the IP address of an IAS server 

Adding/removing a Component 

Modifying a Policy 

4.1 What Must be Backed Up 

Configuration files for IAS Plug-In and Message Delivery Component 

User Self-Management Web Site pages and graphics (if customized) 

Virtual Digipass OTP Request Web Site pages and graphics (if customized) 

Audit Log data 

Active Directory 

DPX files (except for demo Digipass) 

Important Note 

The Digipass Plug-In for IAS installation includes a DPX directory containing 

sample DPX files for demo Digipass. These do not need to be backed up. 

However, if you have copied the DPX files for your real Digipass into that 

directory, ensure you still have the original files (normally on floppy disk). If 

you no longer have the DPX file(s) stored elsewhere, it is very important that 

you take a backup. 

4.1.1 Configuration files 

The configuration files for the IAS Plug-In and Virtual Digipass Message Delivery Component 

can be copied from the bin directory (by default C:\Program Files\VASCO\Digipass Plug-In for 

IAS\bin) to a secure location. 

The files to be copied are: 

dpiasext.xml – keep backups from all IAS servers. 



mdcconfig.xml – a backup of one working file is sufficient. 

Tip 

Save the files above with an extension that describes the server from which the 

file(s) were backed up. This makes it easier and quicker to locate the correct file 

during recovery. 

4.1.2 Web Sites 

In some cases, the web pages and graphics provided with the Digipass Plug-In for the User 

Self Management Web Site and Virtual Digipass OTP Request Web Site will have been 

customized to suit the organization’s colors/languages/themes/etc. 

If these web pages and graphics have been modified, it is important to have a backup stored 

in a secure location away from the production server. This will allow the web site to be 

restored for the look and feel of the organization. 

To back up the web site pages and graphics, you can copy the html, js, and gif files to another 

location. If the site is highly modified, or the location of the files on disk is not known, contact 

your web administrator for further guidance. 

Note 

Maintaining the directory structure will make restoration of the site, if required, 

quicker and easier. 

4.1.3 Audit Log Data 

If your organization requires that the Audit Log data be archived, the method required will 

depend on the audit settings. 

4.1.3.1 Write to File 

Ensure you make copies of all files contained in the directory into which the audit log files are 

written. By default this will be \Log, however it may have been configured to 

another location. Check the audit configuration settings if you are unsure. 

4.1.3.2 Write to Windows Event Log 

By default, Event Log entries are written to the Application log. However, you can configure 

the entries to be written to another log. Check the audit configuration if you are unsure. 

Important Note 

The Event Log may be configured with a maximum size. When this size is 

reached, the oldest entries may be overwritten by new ones. To check this, 

view the Properties of the log in the Event Viewer. If older entries will be 

overwritten, you will need to archive them before that occurs. 



To archive an Event Log: 

1. Select Start -> Settings -> Control Panel. 

2. Double-click on Administrative Tools. 

3. Double-click on Event Viewer. 

4. Right-click on Application (or the correct log, if not Application). 

5. Click on Save log file as... 

6. Select a path and enter a filename. 

7. Select a file format from the Type drop down list. 

8. Click on the Save button. 

Note 

The Audit Log data is not required for system recovery purposes but may 

contain useful data in the event of a server failure. 

4.1.4 Active Directory 

4.1.4.1 Cold Backup 

In most cases the server running IAS will belong to an Active Directory domain consisting of 

several Domain Controllers. Replication should automatically occur between Domain 

Controllers, providing simple data backup. 

It is highly recommended, however, that you perform a cold backup of the System State Data, 

which includes the Active Directory repository. This will allow recovery if data is corrupted and 

then replicated. For more information about backing up and restoring System State Data, refer 

to Windows Help on your Domain Controller and enter 'backing up data, System State data' in 

the index tab. In particular, this should be performed on the Digipass Configuration Domain 

and any other Domains containing Digipass User accounts and/or Digipass records. 

Additional information can be found at: 

http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/enus/distsys/part1/dsgch09.mspx 

4.1.5 DPX files 

The DPX files are normally provided on a floppy disk, which can be stored securely as a 

backup. If you prefer another method of archive, copy the files to your preferred location. It is 

important to keep the DPX file transport keys secure and preferably in a separate location to 

the DPX files themselves. 



4.2 Recovery 

The recovery process for IAS Plug-In data requires the following procedure. Some 

assumptions have been made for these instructions: 

Assumptions: 

Active Directory is still valid and operational. 

Steps: 

Up-to-date backups of the configuration files for the IAS Plug-In are available. 

1. Rebuild the server with your operating system SOE, using the same IP address as 

before, in the same Domain as before. 

2. Retrieve your backup copy of the dpiasext.xml file. 

3. Reinstall the Digipass Plug-In for IAS on the server, ensuring you are logged in as a 

domain administrator. The same settings as those chosen in the previous installation 

should be selected, except that the This is not the first IAS Plug-In to be 

installed checkbox on the Active Directory Prerequisites screen should be ticked. 

4. Tick the Use an evaluation license checkbox (the existing Digipass data in Active 

Directory contains all necessary licensing information, which will be retrieved when the 

IAS Plug-In is operational). 

5. At the end of the installation, you will be prompted to select a license activation 

method. Select Just Continue. 

Before you restart the machine, carry out the following: 

6. Restore the backup copy of the configuration file dpiasext.xml into the same directory. 

7. Restore any customised files for the web sites (see and for more information). 

After restarting the machine: 

8. Check that you can view Digipass-specific information in the Administration MMC 

Interface and Digipass Extension for Active Directory Users and Computers. 


Digipass Plug-In for IAS Administrator Reference Field Listings 

5 Field Listings 

5.1 User Property Sheet 

Field Name in 

Administration 

Interfaces 

New Password 

Confirm Password 

Description 

These fields are used to modify the static password that is stored in the Digipass User 

account. If they are left blank, no modification is made. 

Local Authentication Specifies whether authentication requests for the User account will be handled by the IAS 

Plug-In using Local Authentication (see the Authenticating Users section in the Product 

Guide for more details on Local Authentication and Back-End Authentication). 

Normally, this field will be Default, meaning that the Policy applicable to the authentication 

request determines the setting. This field on the Digipass User account is used to override 

the Policy setting for special cases. 

When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that 

can be used and whether the Digipass User account has any assigned Digipass that meet the 

restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they 

cannot use Digipass authentication under that Policy. 

Options: 

Back-End 

Authentication 

Default Use the setting of the effective Policy. 

None The IAS Plug-In will not carry out Local Authentication for this User 

account. They may be handled using Back-End Authentication, or not 

handled at all by the IAS Plug-In. 

Digipass/Password The IAS Plug-In will always carry out Local Authentication for this User, 

using Digipass authentication if possible, otherwise the static password. 

Back-End Authentication may also be utilized. 

Digipass Only the IAS Plug-In will always carry out Local Authentication for this User, 

using Digipass authentication. If Digipass authentication is not possible, 

the user cannot log in. Back-End Authentication may also be utilized. 

Specifies whether authentication requests for the User account will be handled by the IAS 

Plug-In using Back-End Authentication (see the Authenticating Users section in the 

Product Guide for more details on Local Authentication and Back-End Authentication). 


request determines the setting. This field on the Digipass User account is used to override 

the Policy setting for special cases. 

Options: 


None Back-End Authentication will not be used. 

If Needed The IAS Plug-In will utilize Back-End Authentication but only in certain 

cases: 

Dynamic User Registration 

Self-Assignment 

Password Autolearn 

Requesting a Challenge or Virtual Digipass OTP, when the Request 

Method includes a Password 

Static password authentication, when verifying a Virtual Digipass 

password-OTP combination or during the Grace Period 

Always The IAS Plug-In will utilize Back-End Authentication for every 

authentication request. 



Field Name in 



Description 

Disabled Specifies whether a Digipass User account is enabled or disabled. If disabled, authentication 

for the User will be rejected by the IAS Plug-In. 

This attribute will be set to disabled and made read-only if the Active Directory User account 

is disabled or expired. Otherwise, this attribute will be editable. 

Locked Specifies whether a Digipass User account is locked or not. If locked, authentication for the 

User will be rejected by the IAS Plug-In. 

The Locked indicator is normally set automatically when the User exceeds a certain number 

of failed authentication attempts. The User Lock Threshold is set in the Policy. 

Linked User Account It is possible to share Digipass between different User accounts, by linking User accounts 

together. This feature is intended for the case where one person, such as an administrator, 

has multiple User accounts. If their accounts are linked, there is no need to give more than 

one Digipass to that person. 

This feature is used by assigning the Digipass to one User account, then linking all the other 

User accounts for the person to the one that has the Digipass. 

If a User is linked to another User, their Linked User Account field will show the Active 

Directory DN (Distinguished Name) of the linked User. The DN shows the full address within 

Active Directory of the linked User, for example: 

CN=Test User,OU=Admin,OU=Europe,DC=vasco,DC=dom 

In this example, the linked User is called Test User and they are located in an Organizational 

Unit Admin, which is inside another Organizational Unit Europe in the vasco.com domain. 

Read-only. 

RADIUS Profiles NOTE: Not applicable to the IAS Plug-In. 

Included for compatibility with other VASCO products, eg. Digipass Plug-In for Funk. 

Created On The date and time that the Digipass User account was created. Read-only. 

Last Modified On The date and time that the Digipass User account was last modified. Read-only. 

Assigned Digipass list This lists all Digipass that are assigned to the User. For each Digipass, the list of active 

Applications is given with the Application Type indicated in brackets(). For example: 

0058384426 RESP_ONLY(RO), CHALLENGE(CR) 

In this example line, the Digipass with Serial Number 0058384426 has two active 

Applications: one Response Only Application RESP_ONLY and one Challenge/Response 

Application CHALLENGE. 

If the User does not have any Digipass assigned directly, but is linked to another User to use 

their Digipass (see Linked User Account), the linked User's Digipass list is shown with the 

Serial Numbers in square brackets (eg. [0058384426]). 

When a Digipass in the list is selected, the remainder of the property sheet tab indicates 

values from the corresponding Digipass record. 

Read-only. 

Table 6: User Fields 



5.2 Digipass Property Sheet 

Field Name in 



Description 

Digipass Type The type of Digipass represented by the Digipass record (eg. DP300). 

Reserve for Individual 

Assignment 

When used, this option prevents the Digipass from being assigned using the Auto-Assignment 

feature. It also prevents it from being assigned by an administrator who uses the 'Assign next 

available...' option in the assignment dialog. 

Assigned to User User ID of the Digipass User account that the Digipass is assigned to, if it is assigned. 

Read-only. 

Date Assigned The date and time when the Digipass was assigned to its current User. 

Read-only. 

Grace Period End The date on which the Grace Period will expire, or did expire, for this Digipass. If the date 

shows today's date or before, the Grace Period has already expired. If it is blank, there is no 

Grace Period. 

Enable Backup VDP Specifies whether and how the Backup Virtual Digipass feature can be used for this Digipass. 

Note that in order for the Backup Virtual Digipass feature to function, it must also be 

activated in the DPX file for the Digipass. 


request determines the setting. This field on the Digipass record is used to override the Policy 

setting for special cases. 

Options: 


No Backup Virtual Digipass is not permitted. 

Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory. 

The Enabled Until date is not applicable when using this 

option, but the Uses Remaining count is. 

Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory. 

Both the Enabled Until date and the Uses Remaining count 

will be in effect. 

Yes - Required Backup Virtual Digipass is mandatory. This may be useful if the 

User may have lost the Digipass, to prevent it from being used 

until they have found it again. 

The Enabled Until date is not applicable when using this 

option, but the Uses Remaining count is. 

Enabled Until The date on which the Backup Virtual Digipass feature may no longer be used, provided that 

the effective Enable Backup VDP setting is Yes – Time Limited (it is ignored otherwise). 

If this date is blank, it will be set automatically the first time that the User requests a Backup 

Virtual Digipass OTP, using the Backup Virtual Digipass Time Limit defined in the Policy. 

Once this date has expired, it requires administrator intervention either to extend it or to 

reset it to blank for the next time that the User needs to use Backup Virtual Digipass. 

Uses Remaining The remaining number of times that the Backup Virtual Digipass feature may be used for this 

Digipass. Once this number has reached zero, Backup Virtual Digipass can no longer be used 

with this Digipass, unless the administrator increases it or resets it to blank. 

If this number is blank and there is a Backup Virtual Digipass Max. Uses/User defined in 

the Policy, it will be set automatically the first time that the User requests a Backup Virtual 

Digipass OTP, based on the Max. Uses/User. 

Created On The date and time that the Digipass was created. Read-only. 

Last Modified On The date and time that the Digipass was last modified. Read-only. 

Table 7: Digipass Fields 

5.2.1 Digipass Application Tab 



Field Name in 



Application Type The type of Digipass Application: 

RO – Response Only 

CR – Challenge/Response 

SG – Signature 

Description 

Active This field can be used to deactivate an Application, so that it cannot be used. 

Attribute/Value list This list indicates various internal settings of the Digipass Application. 

Created On The date and time that the Digipass Application was created. Read-only. 

Last Modified On The date and time that the Digipass Application was last modified. Read-only. 

Table 8: Digipass Application Fields 

5.3 Policy Property Sheet 

Note: Changes to Policy settings will not take effect until IAS is restarted. 

Field Name in 



Description 

Description This description can be entered to record the purpose of the Policy. 

Inherits from Policy Contains the Name of the Policy from which settings will be inherited, referred to as the 

'parent Policy'. Settings are inherited individually, depending on the value in the Policy field; 

they inherit the parent Policy value in the following cases: 

Choice lists/radio buttons – if the selected value is Default 

Text fields – if the field is blank 

Numeric fields – if the field is blank (not 0) 

List fields – if the list is empty 

The Show Effective Policy Settings... button can be used to display the result of 

inheriting settings combined with settings on the current Policy. 

Local Authentication Specifies whether authentication requests using the Policy will be handled by the IAS Plug- 

In using Local Authentication (see the Authenticating Users section in the Product 


When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that 

can be used and whether the Digipass User account has any assigned Digipass that meet 

the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, 

they cannot use Digipass authentication under that Policy. 

Options: 

Default Use the setting of the parent Policy. 

None The IAS Plug-In will not carry out Local Authentication under this 

Policy. They may be handled using Back-End Authentication, or not 

handled at all by the IAS Plug-In. 

Digipass/Password The IAS Plug-In will always carry out Local Authentication under this 

Policy, using Digipass authentication if possible, otherwise the static 

password. Back-End Authentication may also be utilized. 

Digipass Only the IAS Plug-In will always carry out Local Authentication under this 

Policy, using Digipass authentication. If Digipass authentication is not 

possible, the user cannot log in. Back-End Authentication may also 

be utilized. 



Field Name in 



Back-End 


Description 

Specifies whether authentication requests using the Policy will be handled by the IAS Plug- 

In using Back-End Authentication (see the Authenticating Users section in the Product 


Options: 


None Back-End Authentication will not be used. 

If Needed The IAS Plug-In will utilize Back-End Authentication but only in 

certain cases: 

Dynamic User Registration 

Self-Assignment 


Requesting a Challenge or Virtual Digipass OTP, when the 

Request Method includes a Password 

Static password authentication, when verifying a Virtual 

Digipass password-OTP combination or during the Grace Period 

Always The IAS Plug-In will utilize Back-End Authentication for every 

authentication request. 

Back-End Protocol Specifies the protocol to be used for Back-End Authentication. 

There is currently only one option: 

Windows Authentication using the Windows operating system. 

Created On The date and time that the Policy was created. Read-only. 

Last Modified On The date and time that the Policy was last modified. Read-only. 

Dynamic User 

Registration 

Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy. 

If this feature is used, when the IAS Plug-In receives an authentication request for a User 

for the first time and Back-End Authentication is successful, it will create a Digipass User 

account automatically. If DUR is used in conjunction with Auto-Assignment, a Digipass 

will be assigned to the new User account immediately. 

Password Autolearn Specifies whether the Password Autolearn feature is enabled for the Policy. This feature 

enables the IAS Plug-In to update the password stored in the Digipass User account when 

Back-End Authentication is successful. 

In Digipass Plug-In for IAS it is normally not necessary to store the password in the 

Digipass User account, so this feature is not typically used. 

Stored Password Proxy Specifies whether the Stored Password Proxy feature is enabled for the Policy. This 

feature can be used in conjunction with the Back-End Authentication Always setting and 

the Password Autolearn feature, so that even though a Back-End Authentication check is 

done every login, it is done using the password stored in the Digipass User account, so the 

User does not have to enter it during their login unless it has just changed. 

In Digipass Plug-In for IAS it is normally not necessary to perform a Back-End 

Authentication check at each login, so this feature is not typically used. 

Default Domain The default Domain in which the IAS Plug-In should look for and create Digipass User 

accounts, if a Domain is not specified by the login credentials. 

If the User logs in with the User-Principal-Name format (eg. testuser@vasco.com) or the 

NT4 style format (eg. VASCO\testuser), the Default Domain is not used. However, if they 

log in with just a UserId (eg. testuser), the Default Domain will be used if specified. 

In the case that no Domain is implied by the login credentials and there is no Default 

Domain, the IAS Plug-In will search in its Configuration Domain. 

Must be the fully qualified domain name. 



Field Name in 



Description 

User Lock Threshold This indicates the number of consecutive failed login attempts that will cause a Digipass 

User account to become Locked. For example, if the User Lock Threshold is 3, the account 

will become Locked on the third failed login attempt. Unlocking the account requires 

administrator action. 

Note that not all kinds of login failure will result in locking. For example, if the UserId is 

incorrect or the account is Disabled, the failure would not count towards the lock threshold. 

Locking is used mainly for incorrect OTPs and static passwords. 

Windows Group Check 

(radio buttons) 

Specifies whether and how the Windows Group Check feature is to be used. This feature 

is typically used for a staged deployment of Digipass when the Auto-Assignment method 

is used. It can also be used when only some Users are required to use Digipass or when 

only some Users will be permitted access and they have to use Digipass. 

Options: 


Authenticate all groups Do not use the Windows Group Check feature. 

Authenticate listed groups, pass 

others through 

Authenticate listed groups, reject 

others 

Use the Windows Group Check so that any Users who 

are not in one of the listed groups are ignored by the 

IAS Plug-In. 

Use the Windows Group Check so that any Users who 

are not in one of the listed groups are rejected by the 

IAS Plug-In. 

Group List This lists the names of the Windows Groups to be checked according to the Windows Group 

Check radio button setting. There are some important limitations of this check: 

Certain built-in Active Directory groups such as Domain Users and Everyone will not 

be checked. The check is intended to be used with a new group created specifically for 

this purpose. 

Nested group membership will not be detected by the check. 

There is no Domain qualifier for a group. The named group must be created in each 

Domain where User accounts exist that need to be added to the group. 

Assignment Mode Specifies the method of automated Digipass Assignment that will be used for this Policy, if 

any. There are two methods, Auto-Assignment and Self-Assignment. 

Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When 

DUR occurs, the next available Digipass is assigned to the new Digipass User account. A 

Grace Period is set for the Digipass according to the Grace Period setting in the Policy. 

Self-Assignment is typically used with DUR also, but if the Digipass User accounts are 

created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a 

User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP 

from the Digipass and their static password. There is no Grace Period associated with Self- 

Assignment, because the User has to use the Digipass to perform Self-Assignment. 

In both cases, any Applicable Digipass restrictions for the Policy apply. For example, it will 

not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 and 

DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy 

restrictions, they will not be able to self-assign another Digipass. 

Options: 


Auto-Assignment Use the Auto-Assignment method. 

Self-Assignment Use the Self-Assignment method. 

Neither Do not use either method of automated assignment. 

Grace Period Default time period (in days) to give Users between Auto-Assignment of a Digipass and 

the date they must start using their Digipass to login. Before that time they can still use a 

static password (unless the Local Authentication setting is Digipass Only). However, the 

first time that an OTP is used to log in, the Grace Period is ended at that point if it has not 

already ended. 

This setting does not affect manual assignment by an administrator. 



Field Name in 



Description 

Serial No. Separator The character (or short sequence of characters) that will be included at the end of the 

Digipass Serial Number during a Self-Assignment login. It allows the IAS Plug-In to easily 

recognise that a Self-Assignment attempt is being made and extract the Serial Number 

from the credentials. 

Search Upwards in Org. 

Unit hierarchy 

This controls the search scope for an available Digipass for Auto-Assignment or for a 

specific Digipass for Self-Assignment. 

This setting does not affect manual assignment by an administrator. 

Options: 


No The search scope is only the Organizational Unit in which the User 

account belongs. 

Yes The search will start in the User account's Organizational Unit, but if 

necessary it will then move upwards through the Organizational Unit 

hierarchy until it reaches the top. At the top, the Digipass-Pool 

container will be searched. See the Location of Digipass Records 

topic in the Product Guide for more information. 

Application Names The Policy can specify a restriction on which Digipass Applications may be used when it is 

effective. If the list is empty, there is no restriction. If there are one or more entries, they 

will indicate the Application Names that are permitted. 

Application Type The Policy can restrict which Digipass Application Type (eg. Response Only, 

Challenge/Response) may be used when it is effective. 

Options: 


No Restriction Digipass Application Type is not restricted. 

Response Only Only Digipass Applications of Type RO (Response Only) may be used. 

Challenge/Response Only Digipass Applications of Type CR (Challenge/Response) may be 

used. 

Digipass Types The Policy can specify a restriction on which Digipass Types may be used when it is 

effective. If the list is empty, there is no restriction. If there are one or more entries, they 

will indicate the Digipass Types that are permitted. 

Allow PIN change Specifies whether Digipass Users will be allowed to change their Server PIN during logins 

to which the current Policy applies. Normally this setting is enabled, but it can be used to 

prevent PIN changes if required. 

1-Step 

Challenge/Response – 

Permitted 

1-Step 


Challenge Length 

1-Step 


Add Check Digit 

Controls whether 1-step Challenge/Response logins will be enabled for the current Policy 

and, if so, where the challenge should originate. 

Note that 1-step Challenge/Response is not applicable in a RADIUS environment. 

Options: 

Default 

No 1-step Challenge/Response may not be used. 

Yes – Server 

Challenge 

1-step Challenge/Response may be used provided that the 

authentication server that verifies the response generated the 

challenge. 

Yes – Any Challenge 1-step Challenge/Response may be used with any random challenge. 

Specifies the length of the challenge (excluding a check digit) which should be generated for 

1-step Challenge/Response logins. 

A check digit may be added to the geneated challenge. This allows the Digipass to more 

quickly identify invalid Challenges. 



Field Name in 



2-Step 


Request Method 

2-Step 


Request Keyword 

Primary Virtual Digipass 

– Request Method 

Primary Virtual Digipass 

– Request Keyword 

Backup Virtual Digipass 

– Enable Backup VDP 

Description 

The method by which a User has to request a 2-step Challenge/Response login. 

This is the only mode of Challenge/Response available in a RADIUS environment. 

The 'request' is made in the password field during login. The request will be ignored if the 

User does not have a Challenge/Response-capable Digipass assigned. 

Options: 


None Do not use 2-step Challenge/Response. 

Keyword Use the Request Keyword. For Challenge/Response, this is 

permitted to be blank. 

Password Use the static password. 

KeywordPassword Use the Request Keyword followed by the static password. No 

separator characters or whitespace should be between them. 

PasswordKeyword Use the static password followed by the Request Keyword. No 


Defines the Keyword that a User must enter to request a 2-step Challenge/Response login, 

if a method using a Keyword is selected in the Request Method. 

For Challenge/Response, this is permitted to be blank. 

The method by which a User has to request a Primary Virtual Digipass login. 


User does not have a Primary Virtual Digipass assigned. 

Options: 


None Do not use Primary Virtual Digipass. 

Keyword Use the Request Keyword. For Primary Virtual Digipass, this is not 







Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if a 

method using a Keyword is selected in the Request Method. For Primary Virtual Digipass, 

this is not permitted to be blank. 

Specifies whether and how the Backup Virtual Digipass feature can be used when this Policy 

is effective. Note that in order for the Backup Virtual Digipass feature to function, it must 

also be activated in the DPX file for the Digipass. 

Options: 


No Backup Virtual Digipass is not permitted. 

Yes - 

Permitted 

Yes – Time 

Limited 

Yes - 

Required 

Backup Virtual Digipass is permitted, but not mandatory. 

The Time Limit is not applicable when using this option, but the Max. 

Uses/User limit is. 

Backup Virtual Digipass is permitted, but not mandatory. 

Both the Time Limit and the Max. Uses/User limit will be in effect. 

Backup Virtual Digipass is mandatory. 

The Time Limit is not applicable when using this option, but the Max. 

Uses/User limit is. 



Field Name in 




– Time Limit 


– Max. Uses/User 


– Request Method 


– Request Keyword 

Identification Time 

Window 

Description 

When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting 

indicates the number of days for which the Backup Virtual Digipass feature may be used by 

a User, once they start using it. 

The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set 

automatically the first time that the User requests a Backup Virtual Digipass OTP, using the 

Time Limit defined in the Policy. Once this date has expired, it requires administrator 

intervention either to extend it or to reset it to blank for the next time that the User needs 

to use Backup Virtual Digipass. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will 

have a separate limit for each one. 

The maximum number of uses of the Backup Virtual Digipass feature permitted for each 

User, if they do not have a specific limit set for them. 

If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and 

there is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set 

automatically the first time that the User requests a Backup Virtual Digipass OTP. 

Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be used 

with this Digipass, unless the administrator increases it or resets it to blank. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will 

have a separate limit for each one. 

The method by which a User has to request a Backup Virtual Digipass login. 


User does not have a Digipass assigned that is activated for the Backup Virtual Digipass 

feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use. 

Options: 


None Do not use Backup Virtual Digipass. 

Keyword Use the Request Keyword. For Backup Virtual Digipass, this is not 







Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if a 

method using a Keyword is selected in the Request Method. For Backup Virtual Digipass, 

this is not permitted to be blank. 

Controls the maximum number of time steps' variation allowable between a Digipass and 

the authentication server during login. This only applies to time-based Response Only and 

Challenge/Response Applications. 

The Dynamic Time Window option may be used to allow more variation according to the 

length of time since the last successful login. 

If this setting is not specified at all, there is an inbuilt default value of 20. 

Signature Time Window Controls the maximum number of time steps' variation allowable between a Digipass and 

the authentication server during Digital Signature verification. This only applies to timebased 

Signature Applications. 


Signature Applications are not currently used in RADIUS environments. 



Field Name in 



Description 

Initial Time Window Controls the maximum allowed time variation allowable between a Digipass and the 

authentication server, the first time that the Digipass is used. The time is specified in hours. 

This Initial Time Window is also used directly after a Reset Application operation, which 

can be used if it appears that the internal clock in the Digipass has drifted too much since 

the last successful login. 

This only applies to time-based Applications. 

In either case, after the first successful login, the Initial Time Window is no longer active. 


Event Window Controls the maximum number of events' variation allowable between a Digipass and the 

authentication server during login that uses an event-based Application. 


Identification Threshold Specifies the number of consecutive failed authentication attempts allowed before the 

Digipass Application is locked from future authentication attempts. 

This locking mechanism is separate from the User Lock Threshold and is normally not 

necessary. It only applies when a single Digipass Application can be used for a login, either 

because the User only has one Digipass with one Application, or because the Policy 

restrictions narrow the list down to one Digipass Application. If Policy restrictions are used 

in this way, the Identification Threshold can be used to lock a User out of one kind of login 

(eg. a VPN) while still permitting them to use another kind (eg. Wireless). 

If this setting is not specified at all, this feature is not used. 

Signature Threshold Specifies the number of consecutive failed Digital Signature authentication attempts allowed 

before the Digipass Application is set to be locked from future authentication attempts. 



Max. Days Since Last 

Use 

This setting specifies the maximum number of days for which a Digipass Application can go 

unused for authentication. After this limit, authentication will be rejected until an 

admnistrator performs a Reset Application operation. 


Challenge Check Mode This setting is for advanced control over time-based Challenge/Response authentication. 

The value 1 should be used for standard RADIUS challenge/response. This is the inbuilt 

default value if the setting is not specified at all. 

0 No check is made. This is necessary for 1-step Challenge/Response. 

1 The challenge presented for verification must be the last one that was 

generated specifically for that Digipass. This is the normal mode of operation 

in 2-step Challenge/Response. 

2 The challenge presented for verification is ignored; the last one that was 

generated specifically for that Digipass is used. This is rarely applicable. 

3 Only one verification is permitted per time step. This option only applies to 

time-based Challenge/Response. This is a method of avoiding a potential 

replay of a captured response if the same challenge comes up again in the 

same time step. 

4 If the same challenge and response are presented for verification twice in a 

row during the same time step, they are rejected. This is an advanced method 

of avoiding a potential replay of a capture challenge/response. 

Online Signature Level This setting is for advanced control of Digital Signature authentication, and is not applicable 

currently. 


Table 9: Policy Fields 



5.4 Component Property Sheet 

Field Name in 



Description 

Component Type The type of Component represented by the record. 

Options: 

RADIUS Client 


Funk SBR Plug-In 

Location The IP address or name of the machine represented by the record. For a Plug-In, it must be 

the licensed IP address; for a RADIUS Client, it must be the NAS-IP-Address or NAS-Identifier 

values sent in the RADIUS requests. 

Policy The name of the Policy that should be used for authentication requests from the Component. 

Protocol The network protocol used by the Component to communicate with the authentication server. 

This is not applicable to the RADIUS Plug-Ins at this stage. 

Shared Secret The RADIUS Shared Secret for the Component. 

This is not used by the RADIUS Plug-Ins. 

TCP Port TCP port to send to the Component. 

This is not applicable to the RADIUS Plug-Ins. 

Created On The date and time that the Component was created. Read-only. 

Last Modified On The date and time that the Component was last modified. Read-only. 

Table 10: Component Fields 


Digipass Plug-In for IAS Administrator Reference Licensing 

6 Licensing 

6.1 How is Licensing Handled? 

VASCO products are licensed per IAS Plug-In Component record in the Digipass Configuration 

Container(s). A license key file is created for each IAS Plug-In installed, and the license key is 

loaded into the data store using the Administration MMC Interface. 

6.2 Licensing Parameters 

Parameter Value 

Product The name of the VASCO product. eg. Digipass Plug-In for IAS 

Component The type of Component licensed. eg. RADIUS 

Version Current version number of the licensed VASCO product. 

Location The IP address or DNS name for the machine represented by the Component record. 

Company The name of your company. 

Username Your name. 

SerialNo The serial number for the VASCO product. 

Generated The date and time that the license file was generated. 

Expires Used for evaluation license only – expiry date. 

Signature Encrypted combination of the above parameters. 

Table 11: License Parameters for Digipass Plug-In for IAS 

6.2.1 Sample License File 

----- VASCO PRODUCT LICENCE ----- 

Product=Digipass Plug-In for IAS 

Component=IAS Plug-In 

Version=1.0 

Expires=2005/06/19 02:40:32 GMT 

Location=test.vasco.com 

Company=Vasco Data Security 

Username=Mr Mark J Eaton 

SerialNo=8174F715E0 

Generated=2005/05/20 02:40:32 GMT 

----- SIGNATURE ----- 

3:302C02147A48E891E0745D 

6866E0A08DDB7D6AF092BFCD 

27021474601702D4FCE5B500 

D76354022F048EDB159B62 

----- END LICENCE ----- 

6.3 View License Information 

To view the license information for a specific Component: 

1. Open the Administration MMC Interface. 

2. Click on the Components node. 

The Component List will be displayed in the Result pane. 



3. Double-click on the required Component record. 

The Component property sheet will be displayed. 

4. Click on the License Key Details... button. 

The License Key Details window will be displayed. 

6.4 Obtain a License Key for a Component 

Note 

An active internet connection is required to obtain a License Key. 



The Component List will be displayed in the Result pane. 

3. Double-click on the required Component record. 

The Component property sheet will be displayed. 

4. Click on the License Key Details... button. 

The License Key Details window will be displayed. 

5. Click on the Request License Key... button. 

A browser window will be opened, with the VASCO Licensing site loaded. Any required 

information which the IAS Plug-In has will be entered as the site is loaded. 

6. Enter any other required information in the browser window. 

7. Click on the Request License Key button in the browser window. 

A download of your license key file should begin. Keep note of where you save the 

file, and its name. 

8. Once the download is complete, go back to the Administration MMC Interface and the 

License Key Details window. 

9. Click on the Load License Key... button. 

10. Browse to the download location and select the license key file. 

11. Click on Open. 

A message window will display the success or failure of loading the license key into the 

data store. 



6.5 Change IP Address 

To change the IP address for a IAS Plug-In server: 

1. Create a new Component record for the server, using the new IP address for the 

location. 

2. Request and download a License Key for the new Component record. 

3. Load the License Key into the new Component record. 

4. Test that the IAS Plug-In works with the new IP address and Component record. 

5. Delete the old Component record. 


Digipass Plug-In for IAS Administrator Reference Web Sites 

7 Web Sites 

7.1 Customizing the Web Sites 

It is anticipated that you may want to customize the web pages that are provided by default, 

for the following kinds of reason: 

to change the colours and graphics to match your corporate colours/logos. 

to integrate the pages into a larger web site. For example, you may wish to control the 

pages using a sub-menu within the overall site menu. 

to modify the navigation in such a way that you believe would suit your users better. For 

example, you may wish to have a failure page that just reports failure, without the form 

fields to try again, which gives troubleshooting hints. 

The sites are both designed to permit extensive customization, provided that you post the right 

data to the CGI program. This section provides the instructions and reference material that 

you require to successfully customize the site. It is assumed that the reader will have some 

web development knowledge. 

You can change any cosmetic part of the web pages. You can even write completely new web 

pages, provided that you provide the correct posted form fields to the CGI program, and 

interpret the query string variables correctly. You do not need to use plain HTML pages – 

server scripting languages such as PHP or ASP, or any other way of generating HTML, can be 

used. 

7.2 CGI Program 

A single CGI script is used for both the User Self Management Web Site and the OTP Request 

Site. The functionality provided depends on the Site. 

For each function, the CGI program carries out the following actions: 

Read and validate the input. This input is gathered from: 

Configuration settings from the registry 

Form variables posted 

Send an authorisation request to the IAS Server (provided that there were no validation 

errors) and interpret the response. Requests are sent to the Server using the RADIUS 

protocol. A component identifier Self-Mgt Site will indicate in the Audit Console which 

audit messages relate to requests from the User Self-Management Web Site or OTP 

Request Site. 

(OTP Request Site only) Send a request to the Message Delivery Component to send an 

OTP to the User's mobile phone via text message. 

Output the HTML to direct the user to the page that will indicate success or failure, or 

display a challenge. This is achieved by returning the HTML for a basic ‘please wait’ page 

with a ‘meta-refresh’ instruction to go directly to the appropriate page. The meta-refresh 

will happen immediately, but on a slow link you may notice the intermediate page. 



The CGI program cannot be customized. Its behaviour is controlled by the configuration 

settings and the posted form variables. The configuration settings are listed below; the posted 

form variables are specified in the Customizing the Web Site section. 

7.2.1 Configuration Settings 

Various configuration settings are used by the CGI program to locate the IAS server(s) and to 

enable tracing. These can be modified using the Start->Programs menu option “User CGI 

Configuration”. 

The configuration settings are stored in the Windows Registry, at the path: 

HKEY_LOCAL_MACHINE\Software\VASCO\User CGI 

Name Type Value Default 

Trace-Mask Number 

(DWORD) 

Used to enable internal tracing levels. In general, just use these 

values:0 = no tracingFFFFFFFF (hexadecimal) = full tracing 

Trace-File String Full path and filename of output file for internal tracing. NB: the 

file will be created if it is missing, but not the directory. 

Source-IP- 

Address 

Server1-IP- 

Address 

Server1-Port Number 

(DWORD) 

Server2-IP- 

Address 

Server2-Port Number 

(DWORD) 

String Source IP address to bind to when sending API requests, if any 

(only required if there are multiple IP addresses on the 

machine).eg. 10.9.255.7 

0 

 

 

String IP address of primary IAS Server. eg. 10.2.255.45 127.0.0.1 

API port of primary IAS Server (in general, this should not be 

changed from the default). 

20003 

String IP address of backup IAS Server, or blank if there is no backup. 

Table 12: Configuration Settings for CGI Program 

7.3 Form Fields 

API port of backup IAS Server (in general, this should not be 

changed from the default) 

7.3.1 User Self Management Web Site 

7.3.1.1 Registration – Main Pages 

20003 

User Registration (UR), Digipass Assignment (DA) and Password Synchronization (PS) are all 

implemented using a single invocation of the CGI program. This permits them to be carried out 

either separately or in any combination. You can choose to separate them in your customized 

web site or keep them together as you prefer. 

If Challenge/Response or a Virtual Digipass is used, the user will enter their User ID, static 

password and Serial Number into the main page without a Digipass Response. They will be 

directed to a challenge page, which is specified in the next topic, in which they should enter 

either a Response to the challenge or the OTP sent to their mobile phone. The following table 

applies only to the main page. 



The following posted form fields must be used on the main page, according to the particular 

function and other conditions specified below: 

Form Field Name Visible 

Label 

(Default) 

Value(s) Required? 

dpcgi_operation “register” for User Registration, Digipass Assignment or 

Password Synchronization. 

dpcgi_success_page Relative or absolute URL of web page to go to if the 

function is successful. 

dpcgi_fail_page Relative or absolute URL of web page to go to if the 

function fails. 

dpcgi_challenge_page Relative or absolute URL of web page to go to if a 

challenge is returned for the user. 

UR PS DA 

Y Y Y 

Y Y Y 

Y Y Y 

(4) (1) 

dpcgi_userid UserId UserID in the IAS Plug-In. Y Y Y 

dpcgi_password Password Static password. Y Y Y 

dpcgi_serialno Serial 

Number 

dpcgi_response Digipass 

Response 

Digipass serial number. Y 

Digipass response (without static PIN if there is one). (5) (2) 

dpcgi_newpin New PIN New static PIN (for Go 1/Go 3). (3) 

dpcgi_confirmpin Confirm New 

PIN 

Confirm the new static PIN. (3) 

dpcgi_usecombinedpwd “True” to send the password, serial number, response 

and PIN to the IAS Plug-In in one attribute. 

“False” to send the contents of the password field 

Table 13: Form Fields for Main Registration Page 

(1) If any users may self-assign a Challenge/Response Digipass, provide this form field. 

(2) If any users may self-assign a Response Only Digipass, provide this form field. 

(3) If any users may self-assign a Response Only Digipass which uses a static PIN at the 

beginning of the response (eg. Go 1/Go 3), where the Digipass are initialized with no 

initial static PIN, they have to enter a new PIN the first time they use the Digipass. If they 

are self-assigning the Digipass, that means that they have to enter the new PIN and 

confirm it during the self-assignment process. They can do this by adding the new PIN 

twice at the end of the Digipass Response, however it may be more user-friendly to 

provide these two separate form fields. 

(4) If any users have a Challenge/Response application or a Primary Virtual Digipass, include 

this field. 

(5) If any users have a Response Only application, include this field. 



7.3.1.2 Registration – Challenge Page 

The Registration challenge page will be used for Digipass Challenge/Response or Virtual 

Digipass. The user enters their response to the challenge, to complete the registration process. 

The following posted form fields must be used on the challenge page: 

Form Field 

Name 

Visible 

Label 

(Default) 


dpcgi_operation “register” for User Registration, Digipass Assignment or 

Password Synchronization. 





dpcgi_userid UserId UserID in the IAS Plug-In. Y 

dpcgi_response Digipass 

Response 

Digipass response or Virtual Digipass OTP. Y 

dpcgi_challenge Challenge Digipass challenge returned to the user. Y 

Table 14: Form Fields for Registration Challenge Page 

Note 

If you make dpcgi_challenge a visible form field, ensure that it is not 

modifiable. An alternative is to make it a hidden form field, while also 

displaying the challenge in HTML text rather than as a form field. 

© 2006 VASCO Data Security Inc. 51 

Y 

Y 

Y


7.3.1.3 Server PIN Change 

The PIN Change function is only applicable for Digipass Response Only where a Server PIN is 

entered at the start of the response (eg. Go 1/Go 3). 

The following posted form fields must be used on the PIN Change page: 

Form Field 

Name 

Visible Label 

(Default) 


dpcgi_operation “changepin” for PIN Change. Y 






dpcgi_response Digipass Response Digipass response (without static PIN if there is one). Y 

dpcgi_currentpin Current PIN Current static PIN to be changed. (6) 

dpcgi_newpin New PIN New static PIN. Y 

dpcgi_confirmpin Confirm New PIN Confirm the new static PIN. Y 

Table 15: Form Fields for Server PIN Change Page 

(6) If the Digipass has had its Server PIN reset by the administrator, because the user has 

forgotten it, there is no current Server PIN to enter here. In all other cases, the current 

Server PIN must be provided to permit the PIN change. 


Y 

Y


7.3.1.4 Login Test – Main Page 

If a Challenge/Response application or Primary Virtual Digipass is used, the user will enter just 

their UserId (and maybe password) into the main page without a Digipass Response. If using 

the Backup Virtual Digipass, they will need to enter the trigger specified in server settings 

(password and/or a Keyword) into the password field. 

They will be directed to a challenge page, specified in the next topic. The following table 

applies only to the main page. 

The following posted form fields must be used on the main page: 

Form Field 

Name 

Visible Label 

(Default) 


dpcgi_operation “testlogin” for Login Test. Y 





dpcgi_challenge_page Relative or absolute URL of web page to go to if a 

challenge is returned for the user. 


dpcgi_response Digipass Response Digipass response (with static PIN if there is one). (8) 

Table 16: Form Fields for Main Login Test Page 

(7) If any users have a Challenge/Response Digipass, a Primary Digipass or use the Backup 

Virtual Digipass feature, provide this form field. 

(8) If any users have a Response Only Digipass, provide this form field. 


Y 

Y 

(7)


7.3.1.5 Login Test – Challenge Page 

The user enters their response to the challenge or the OTP sent to their mobile phone to 

complete the login test. 

The following posted form fields must be used on the challenge page: 

Form Field 

Name 

Visible Label 

(Default) 


dpcgi_operation “testlogin” for Login Test. Y 





dpcgi_userid UserID User ID in the IAS Plug-In. Y 

dpcgi_response Digipass Response Digipass response. Y 

dpcgi_challenge Challenge Digipass challenge returned to the user. Y 

Table 17: Form Fields for Login Test Challenge Page 

Note 

If you make vmcgi_challenge a visible form field, make sure that it is not 

modifiable. An alternative is to make it a hidden form field, while also 

displaying the challenge in HTML text rather than as a form field. 

7.3.2 OTP Request Site 

7.3.2.1 Request Page 

The request page must contain the following fields: 

Name Type 

Username text Visible 

Password Password Visible 

dpcgi_operation “VDPrequest” Hidden 

dpcgi_vdp_success_page Name of “OTP was sent” Page Hidden 

dpcgi_vdp_fail_page Name of “OTP not sent” Page Hidden 

dpcgi_vdp_wrongtoken_page Name of “Not a Virtual Digipass” Page Hidden 

Table 18: Form Fields for OTP Request Page 


Y 

Y


7.4 Query String Variables 

The query string variables that are passed to the web pages by the CGI program are mainly 

concerned with status and error reporting. There is also a variable that is used to pass a 

challenge to the pages that display one. 

7.4.1 Failure/Error Handling 

There are three main groups of failures that can occur, which should be handled in a different 

manner. In all cases there is a numeric error code, however in some cases there is an auxiliary 

code and message such as the return code and message from the VACMAN Controller. The 

main error codes will be assigned in three separate ranges, so that the web pages can identify 

which category of error is returned. 

API return codes – these are returned by the VASCO API used to make the 

authentication request to the Server. In some cases there will be an auxiliary code and 

message. 

CGI errors – these errors are detected by the CGI program, mainly when the web pages 

are not providing or enforcing the posted form fields correctly. These will not generally 

have an auxiliary code and message, but it is possible. 

Internal errors – these are technical errors that ‘should not occur’. In some cases there 

will be an auxiliary code and message. 

The intention of using this code-based scheme is to allow translation and customization of the 

messages. The main error code will be translated into a message by the web pages 

themselves. The pages can also translate the auxiliary code into a message, for the VACMAN 

Controller codes, but normally, the pages would not know how to translate it into a message, 

and should display the auxiliary message as provided. 



7.4.2 Query String Variable List 

The following table indicates which variables are used for the User Self Management Web Site 

and OTP Request Site, and the required conditions: 

Variable Value Condition Used by Site 

result 0 Successful authentication request Both 

Unsuccessful authentication request Both 

CGI or internal error occurred Both 

challenge Challenge returned by API User Self 

Management Web 

Site only 

auxcode 

 

auxmsg 

 

Table 19: Query String Variable List 

Examples: 

success: /vmsite/success.html?result=0 

Unsuccessful authentication request due to 

Controller rejecting password 

CGI or internal error occurred, where another 

error code is relevant 

Unsuccessful authentication request due to 

Controller rejecting password 

CGI or internal error occurred, where an error 

message is relevant 

invalid Digipass response due to code replay: 

/vmsite/fail.html?result=1000&auxcode=2&auxmsg=Code+Replay+Attempt 

challenge: /vmsite/challenge.html?challenge=738453 


Both 

Both 

Both 

Both


7.4.3 Return Code Listing 

In the following tables, the Message is the one that is provided by the standard web pages that 

we install. 

7.4.3.1 API Return Codes 

The following codes are the ones that in normal cases might be returned: 

Code Message Auxiliary 

Code/ 

Message? 

Notes 

-1 Error during request to Server N We are unable to distinguish the error from the 

client side of the API – the administrator would 

have to look at the Audit Console. 

Table 20: API Return Codes 



7.4.3.2 CGI Errors 


Code/ 

Message? 

-100 Only the POST method is permitted N 

-101 No dpcgi_operation was posted N 

-102 An invalid dpcgi_operation was posted N 

-103 dpcgi_challenge_page cannot be used for this operation N 

-104 dpcgi_password cannot be used for this operation N 

-105 dpcgi_serialno cannot be used for this operation N 

-106 dpcgi_currentpin cannot be used for this operation N 

-107 dpcgi_newpin cannot be used for this operation N 

-108 dpcgi_confirmpin cannot be used for this operation N 

-109 dpcgi_challenge cannot be used for this operation N 

-110 dpcgi_success_page must be entered for this operation N 

-111 dpcgi_fail_page must be entered for this operation N 

-112 dpcgi_userid must be entered for this operation N 

-113 dpcgi_password must be entered for this operation N 

-114 dpcgi_response must be entered for this operation N 

-115 dpcgi_newpin must be entered for this operation N 

-116 dpcgi_confirmpin must be entered for this operation N 

-117 A Digipass Response is required to assign a Digipass N 

-118 A New PIN can only be set when assigning a Digipass N 

-119 Enter the new PIN in the New PIN and Confirm New PIN fields N 

-120 The New PIN and Confirm New PIN fields have different values N 

-121 A challenge was returned, but there is no dpcgi_challenge_page N 

-122 Unknown parameter N 

-123 The Content-Length passed in was invalid N 

-124 vmcgi_serialno must be entered for this operation N 

Table 21: CGI Error Return Codes 



7.4.3.3 Internal Errors 


Code/ 

Message? 

-1000 Cannot read Trace-Mask configuration setting Y 

-1001 Cannot read Trace-File configuration setting Y 

-1002 Cannot open Trace-File Y 

-1003 Cannot read Source-IP-Address configuration setting Y 

-1004 Cannot read Server1-IP-Address configuration setting Y 

-1005 Cannot read Server1-Port configuration setting Y 

-1006 Cannot read Server2-IP-Address configuration setting Y 

-1007 Cannot read Server2-Port configuration setting Y 

-1008 Invalid configuration setting Source-IP-Address Y 

-1009 Invalid configuration setting Server1-IP-Address Y 

-1010 Invalid configuration setting Server1-Port Y 

-1011 Invalid configuration setting Server2-IP-Address Y 

-1012 Invalid configuration setting Server2-Port Y 

-1013 Cannot read HTTP request data N 

-1014 Request to Server not completed Y 

-1015 Cannot read Self-Management Site registry key Y 

-1016 The specified Source-IP-Address is not on this machine N 

-1017 Cannot read Trace-Header configuration setting Y 

-1018 Invalid configuration setting Trace-Header Y 

Table 22: Internal Error Codes 


Digipass Plug-In for IAS Administrator Reference Command line utilities 

8 Command line utilities 

8.1 DPADadmin Utility 

8.1.1 Extend Active Directory Schema 

The addschema command is used to create all the Active Directory Schema extensions, if 

they are not already there. Each element will be checked individually to see if it is already 

there and if not, will be added. 

This command is intended to be run manually by a domain administrator before the main 

Digipass Plug-In for IAS installation is run, as recommended by Microsoft. 

It may be necessary to go through an approval process in your company before running this 

command, as it involves changes to Active Directory Schema. You may also need to have 

another administrator run the command for you, possibly in another part of your network. This 

depends on your company’s structure and rules for Active Directory control. 

8.1.1.1 Prerequisite Information 

Schema Master Machine 

This command may technically be run on any Windows 2000, XP or 2003 machine, however it 

needs to contact the Domain Controller which has the Schema Master role. There can be only 

one Domain Controller in the Forest with that role. It may be simplest to run the command 

directly on the Schema Master, to avoid any potential connectivity or permission issues. 

Warning 

Warning: If you are passing the credentials to the command in the 

parameters, and you are not running the command on the Schema Master, 

check that you do not have any shares on the Schema Master open. This will 

cause the command to fail. 

Domain Administrator Account 

In order to successfully update the Schema, you must know the username and password of a 

Domain Administrator account that is able to log into the Schema Master. You must either run 

the command while logged in as that user, or pass the credentials to the command in the 

parameters. The Domain Administrator must have permission to extend the Schema – they 

must be a member of the Schema Admins group in the Forest-Root-Domain (the first Domain 

created in the Forest). 

Schema Changes Allowed 

By default, Active Directory does not permit Schema extensions to be made. There is a registry 

setting that must be changed to allow extensions. If this is not already set, VMADUTIL will ask 

you whether it should change the setting itself or not. If you click on Yes, it will change the 

setting itself, make the extensions then change it back again. 



If you would prefer to change the setting manually, log into the Schema Master and change 

the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\ 

Parameters\Schema Update Allowed registry key to 1, adding it as a value of type 

DWORD if it does not already exist. Alternatively, if the Schema Manager MMC snap-in is 

installed on the machine, this can be used to enable or disable Schema extensions. 

If you have disabled the Schema extensions after removing a previous installation in the 

Forest, reactivate them before using this command. This can be done using the Schema 

Manager MMC snap-in used to deactivate them. 

8.1.1.2 Extend the Schema on the Schema Master 

1. Log into the Schema Master as a member of the Schema Administrators group. 

2. Copy dpadadmin.exe onto the Schema Master 

3. Open a command prompt in the location to which it was copied. 

4. Type: 

dpadadmin addschema 

5. If DPADadmin detects that Schema extensions are not currently permitted, it will 

prompt you whether to enable them or not. Enter y to enable them, or n to cancel. 

The progress and success/failure of the command will be displayed in the command prompt 

window. If there was a failure, it can be run again after the problem has been rectified. 

8.1.1.3 Extend the Schema on the IAS Server 

1. Open a command prompt and navigate to the installation’s bin directory by typing: 

2. Type: 

cd \bin 

dpadadmin addschema –master schema_master –u user_name –p password 

3. See 8.1.1.4 Command Line Syntax for more details regarding the required 

parameters. 

4. If VMADUTIL detects that Schema extensions are not allowed, it will prompt you to 

enable them. Enter y to enable them, or n to cancel. 


window. If there was a failure, it can be run again after the problem has been rectified. 

8.1.1.4 Command Line Syntax 

dpadadmin addschema [–master schema_master] [–u user_name [–p password]] [-q] 



Option Description 

-master Fully qualified name of the Domain Controller with the Schema Master role. This option may be 

omitted if the command is run directly on the Schema Master. 

-u User name of a Domain Administrator in the Schema Administrators group. This option may be 

omitted if you are logged into the machine as that Domain Administrator when you run the command. 

-p Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain 

Administrator or if they have a blank password. 

-q Quiet mode, will not output commentary text. 

Table 23: DPADadmin addschema Command Line Options 

DPADadmin addschema Command Sample 

dpadadmin addschema –master dc1.vasco.com –u schema_admin –p sa_password 

8.1.2 Check Schema Extensions 

This command is called from the Digipass Plug-In for IAS installation program to check that all 

the Active Directory Schema extensions have been applied. Each element is checked 

individually to see if it is already there, but it will not be added if not. 

It is not practical for the installation program to check that the Schema extensions have been 

replicated to all parts of the Domain Forest. The check will be restricted to checking the 

Digipass Configuration Domain, since that needs to have the Schema extensions before 

anything else. 

In a complicated, multi-site Domain Forest structure, where long delays may occur before the 

Schema extensions have been fully replicated around the Forest, you may have to wait a while 

before you use the IAS Plug-In. You can run this command manually a number of times, 

specifying a different Domain to check each time, if you want to be sure that the Schema 

extensions have finally reached all the necessary Domains. This will include all the Domains in 

which Active Directory Users of interest to the IAS Plug-In may be located. 


Domain Administrator 

Ensure that you know the username and password of a Domain Administrator in the Domain 

that will be checked for the Schema extensions (normally the Digipass Configuration Domain). 

8.1.2.2 Check the Schema on the IAS Server 

1. Open a command prompt and go to the installation’s bin directory by typing: 

2. Type 

cd \bin 

dpadadmin checkschema –domain domain_name –u user_name –p password. 

3. See the VMADUTIL checkschema Command Line Syntax section for more details 

regarding the parameters. 


window. 



8.1.2.3 Check the Schema on a Machine in the Domain to Check 

1. Log into the machine as a Domain Administrator in that Domain. 

2. Copy dpadadmin.exe onto the machine and open a command prompt in the location 

to which it was copied. 

3. Type: 

dpadadmin checkschema 


window. 

8.1.2.4 Command Line Syntax 

dpadadmin checkschema [–domain domain_name] [–u user_name [–p password]] [-q] 


-domain Name of the Domain in which you wish to check the Schema extensions. This option may be omitted if 

the command is run directly on a machine belonging to that Domain. 

-u User name of a Domain Administrator in this Domain. This option may be omitted if you are logged into 

the machine as that Domain Administrator when you run the command. 

-p Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain 

Administrator or if they have a blank password. 

-q Quiet mode, will not output commentary text. 

Table 24: DPADadmin checkschema Command Line Options 

DPADadmin checkschema Command Sample 

dpadadmin checkschema –domain mdd.vasco.com –u mdd_admin –p mdd_password 

8.1.3 Set Up Digipass Configuration Container in Domain 

This command sets up the Digipass Configuration Container in the specified domain. 


Domain Administrator 

You must be logged into the machine as a Domain Admin in the target domain. 

8.1.3.2 Set Up Digipass Configuration Container 

1. Log into the machine as a Domain Administrator in that Domain. 

2. Copy dpadadmin.exe onto the machine and open a command prompt in the location 

to which it was copied. 

3. Type: 

dpadadmin setupdomain -config 


window. 



8.1.3.3 Command Syntax 

dpadadmin setupdomain [-config] [-domain ] [-q] 


-config OPTIONAL. Specifies that this is the Digipass Configuration Domain, so the Digipass-Configuration 

container must be created. 

-domain 

 

OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the domain to which the current 

machine belongs will be used. 

-q OPTIONAL. Specifies that quiet mode should be used. 

Table 25: DPADadmin setupdomain Command Line Options 

DPADadmin setupdomain Command Sample 

dpadadmin setupdomain -config -q 

8.1.4 Assign Digipass Permissions to a Group 

This command assigns Digipass-specific permissions to a Windows group, applicable at the 

domain root and downwards. The permissions assigned are: 

Full read access to everything in the domain 

Full control over vasco-DPToken objects 

Full control over vasco-DPApplication objects 

Full write access to vasco-UserExt auxiliary objects 

8.1.4.1 Pre-requisites 

You must be logged into the machine as a Domain Admin in the target domain. 

8.1.4.2 Command Syntax 

dpadadmin.exe setupaccess -group [-domain ] [-q] [-c] [-c] 


-group MANDATORY. Specify the name of the group to assign the permissions. Double-quotes are 

required if there are any spaces. 

-domain OPTIONAL. Specify the fully-qualified domain name for the domain to which the group or 

user belongs. If omitted, the domain to which the current machine belongs will be used. 

-q OPTIONAL. Specify that quiet mode should be used. 

-c OPTIONAL. Add the local computer to the group named. 

Table 26: DPADadmin setupaccess Command Line Options 

DPADadmin setupdomain Command Sample 

dpadadmin.exe setupaccess -group “RAS and IAS Servers” -q 


Digipass Plug-In for IAS Administrator Reference Login Options 

9 Login Options 

9.1 Login Permutations 

The information required to be entered during a login will vary according to the configuration 

settings of the relevant Policy, the login method, and any actions to be performed during the 

login. 

Login Methods 

The login methods specified are: 

Response Only 

Challenge/Response 

Virtual Digipass - Primary or Backup 

Login Actions 

A User may be allowed to do these things during a login: 

Set their Server PIN – on first use or after a PIN reset. 

Change their Server PIN. 

Inform the IAS Plug-In that their static password for the back-end authenticator – eg. 

Windows - has been modified. 

Perform a Self-Assignment for a Digipass in their possession. 

Login Variables 

The variables which a User may need to enter, in order to do one of the above functions are 

listed below. The code or word used to designate each variable in the following tables is 

included in brackets. 

One Time Password (OTP) 

Password (Password) 

Server PIN (PIN) 

Serial Number of their Digipass (Serial No) 

Serial Number Separator (Sep.) 

Request Keyword (Keyword) 

Policy Settings 

The Policy settings which will affect the variables required in logins are: 

Stored Password Proxy 

If this attribute is set to Enabled, each User's password must be kept up to date in the 

IAS Plug-In. This is typically achieved by enabled Password Autolearn. 

Serial Number Separator 

If a Serial Number Separator is specified, the User may enter their Digipass serial 

number exactly as it appears on the back of their Digipass (or in the documentation 



provided to the User), including dashes. If a Serial Number is not specified, the Digipass 

serial number must be padded to 10 characters, with all non-numerical characters 

removed. 

Back-End Authentication 

In the following login permutations tables, 'Back-End Authentication Required' means 

that the Back-End Auth. attribute is set to Always or If Needed. 


If the IAS Plug-In is informed of a User's password change, the new password will only 

be recorded by the IAS Plug-In if Password Autolearn is enabled in the relevant Policy. 



9.1.1 Response Only - PAP 

Server PIN 

Required 

No Server 

PIN 

Required 

Login Type Existing PIN? 

Serial Number 

Separator? 

Stored Password Proxy On 

OR 

No Back-End Authentication 

Password Field Contents 

Normal login Yes N/A PIN+OTP Password+PIN+OTP 

Stored Password Proxy Off 

AND 

Back-End Authentication Required 

Set PIN No N/A OTP+NewPIN+NewPIN Password+OTP+NewPIN+NewPIN 

Change PIN Yes N/A PIN+OTP+NewPIN+NewPIN Password+PIN+OTP+NewPIN+NewPIN 

Changed Password Yes N/A Password+PIN+OTP Password+PIN+OTP 

Set PIN and Changed Password No N/A Password+OTP+NewPIN+NewPIN Password+OTP+NewPIN+NewPIN 

Change PIN and Changed Password Yes N/A Password+PIN+OTP+NewPIN+NewPIN Password+PIN+OTP+NewPIN+NewPIN 

Self-Assignment 1 

Yes Yes SerialNo+Sep.+Password+PIN+OTP SerialNo+Sep.+Password+PIN+OTP 

No SerialNo+Password+PIN+OTP SerialNo+Password+PIN+OTP 

No Yes SerialNo+Sep.+Password+OTP+NewPIN+NewPIN SerialNo+Sep.+Password+OTP+NewPIN+NewPIN 

No SerialNo+Password+OTP+NewPIN+NewPIN SerialNo+Password+OTP+NewPIN+NewPIN 

Normal login N/A N/A OTP Password+OTP 

Changed Password N/A N/A Password+OTP Password+OTP 

Self-Assignment N/A Yes SerialNo+Sep.+Password+OTP SerialNo+Sep.+Password+OTP 

Table 27: Login Permutations - Response Only PAP 

Examples 

No SerialNo+Password+OTP SerialNo+Password+OTP 

Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator set to '::'. 

3-179-0987::pA192ss086382012341234 

Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number Separator set. 

0031790987pA192ss0863820 

1 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes. 



9.1.2 Response Only – CHAP/MS-CHAP 

The table below assumes that Stored Password Proxy is enabled, or Backend Authentication is 

not in use. 

Login Type Server PIN 

Required? 

Normal login Yes PIN+OTP 

No OTP 

Table 28: Login Permutations - Response Only CHAP 

9.1.3 Challenge/Response 

Challenge/Response is supported with PAP only. 

Login Type Serial Number 

Separator? 

Request 

Method 

Password Field Contents 

2-Step Challenge/Response 

Stored 

Password 

Proxy Off 

AND 

Back-End 

Auth. 

Required Pre-Challenge Response 

Normal login N/A Keyword Yes Keyword Password+OTP 

Changed 

Password 

Self- 

Assignment 2 

No Keyword OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

N/A Keyword N/A Keyword Password+OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

Yes N/A N/A SerialNo+Sep.+Password OTP 

No N/A N/A SerialNo+Password OTP 

Table 29: Login Permutations – Challenge/Response 

2 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be 

padded to 10 characters with preceding zeroes. 



9.1.4 Virtual Digipass 

Login 

Type 

Normal 

login 

Changed 

Password 

Request 

Method 

2-step login 3 

Two 1-step logins 4 

Step 1 Step 2 Step 1 Step 2 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 

Table 30: Login Permutations – Virtual Digipass 

3 2-step logins are compatible with PAP only 

4 Two 1-step logins may be used with any protocol compatible with the Digipass Plug-In for IAS. 


Digipass Plug-In for IAS Administrator Reference Configuration Settings 

10 Configuration Settings 

10.1 IAS Plug-In 

10.1.1 Configuration GUI 

A Graphical User Interface (GUI) is available for use in configuring the IAS Plug-In. To open 

the IAS Plug-In Configuration GUI, click on the Start Button and select Programs -> VASCO 

-> Digipass Plug-In for IAS Configuration. 

10.1.1.1 Enable IAS Plug-In 

Enable the plug-in within IAS. 

1. Tick the Enabled checkbox. 

2. Click on Apply. 

10.1.1.2 Allow Passthrough 

Allow the IAS Plug-In to pass the static password to IAS for checking after it has checked the 

One Time Password. This option is not required for typical usage. 

1. Tick the Allow Passthrough checkbox. 


10.1.1.3 Set Component Location 

1. Enter the location of the IAS Plug-In Component which will be generating audit 

messages in the Component Location field. 


10.1.1.4 Library Path 

The Library Path setting tells the IAS Plug-In where to find the LDAP library file. 

1. Enter the path and name of the LDAP library file (typically \bin). 


10.1.1.5 Turn Tracing On or Off 

1. Select a Tracing option. 

2. To send tracing output to a text file, enter a path and filename for the tracing file into 

the File Name field. The file path entered must be the full absolute path. 

Click on the Apply button. 

Note 

If the File Name field is left blank or the file path does not exist, the IAS Plug- 

In will not output tracing. If the file does exist, tracing will be appended to the 

file. If the path is valid but the file does not exist, it will be created. 



10.1.1.6 Active Directory Settings 

To view Active Directory settings, open the configuration GUI and click on the Active Directory 

tab. 

Configuration Domain 

The configuration domain is the main Active Directory domain which the IAS Plug-In should 

use for User authentications, and the domain in which the Digipass Configuration Container is 

located. This domain will be set automatically during the Digipass Plug-In for IAS installation. 

To set the default domain: 

1. Click on the Edit... button next to the Configuration Domain field. 

The Domain window will be displayed. 

2. Enter the fully qualified domain name for the configuration domain into the Name 

field. 

3. If required, enter the name of the server in the domain to which the IAS Plug-In 

should connect, in the Preferred Server field. 

4. Tick the Preferred Server Only checkbox to limit the IAS Plug-In to connecting only 

to that server in the configuration domain. 

5. Enter the server port to use in making encrypted connections (SSL) to the 

configuration domain into the Encrypted Server Port field. 

6. Enter the server port to use in making unencrypted connections to the configuration 

domain into the Unencrypted Server Port field. 

7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the IAS 

Plug-In to Active Directory, or leave the checkbox unticked to leave the connection 

unencrypted. Note that SSL is not used when the IAS Plug-In is on a Domain 

Controller and connects to Active Directory using that. 

8. Enter the maximum amount of time (in minutes) that the IAS Plug-In should stay 

connected to a server before re-synching in the Max Bind Lifetime field. 



Domains List 

The Domains list contains the names of all other domains that the IAS Plug-In may need to 

use in User authentications. Note that this list is only needed if you wish to configure how the 

IAS Plug-In will connect to the other domains – if a domain is not in the list, it will still try to 

connect to it. 

Add a Domain 

To add a domain to the Domains List: 

1. Click on the Add... button. 

The Domain window will be displayed. 

2. Enter the fully qualified domain name for the domain into the Name field. 

3. If required, enter the name of the server in the domain to which the IAS Plug-In 

should connect, in the Preferred Server field. 



4. Tick the Preferred Server Only checkbox to limit the IAS Plug-In to connecting only 

to that server in the domain. 

5. Enter the server port to use in making encrypted connections (SSL) to the default 

domain into the Encrypted Server Port field. 

6. Enter the server port to use in making unencrypted connections to the default domain 

into the Unencrypted Server Port field. 

7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the IAS 

Plug-In to Active Directory, or leave the checkbox unticked to leave the connection 

unencrypted. 

8. Enter the maximum amount of time (in minutes) that the IAS Plug-In should stay 

connected to a server in the domain before re-synching in the Max Bind Lifetime 

field. 



Modify a domain record in the Domains List 

To modify information for a domain in the Domains List: 

1. Select the domain to be modified from the Domains List. 

2. Click on the Edit... button. 

3. Modify the required information. 



Delete a domain record from the Domains List 

To remove a domain record from the Domains List: 

1. Select the domain to be deleted from the Domains List. 

2. Click on the Delete button. 

3. The record will be deleted. 

Auditing 

To configure auditing for the IAS Plug-In, add at least one auditing plug-in to the Methods list. 

To view or edit auditing settings, click on the Auditing tab in the Configuration GUI. 

Add an Audit Method 

1. Click on the Add... button. 

2. Select a Plug-in type from the drop down list. 


The Plugin window will be displayed. 

4. Enter a name to use for display purposes in the Display Name field. 

5. Tick the Enabled checkbox to enable auditing to this plug-in. 

6. Tick the Fail on Error checkbox if you want the IAS Plug-In to return an error if it fails 

to record an auditing message. 



7. Tick the Unhandled Only checkbox if messages should only be logged by this 

auditing plug-in if they have not been previously logged by any other plug-in. 

8. Select one or more audit message types to be logged by this plug-in: 

Error 

Warning 

Information 

Success 

Failure 

9. Enter other required information. 



Edit an Audit Method 

1. Select an auditing plug-in from the Methods list. 

2. Click on the Edit... button. 

The Plug-In window will be displayed. 

3. Make the required changes. 



Delete an Audit Method 

1. Select an auditing plug-in from the Methods list. 

2. Click on the Delete button. 

The record will be deleted. 

10.1.1.7 Data Encryption 

See 2.4 Sensitive Data Encryption for more information on encryption in the IAS Plug-In. 

To modify encryption settings for the IAS Plug-In: 

1. Click on the Active Directory tab. 

2. Click on Configure Encryption Settings. 

The Configure Encryption Settings window will be displayed. 

3. Enter the custom encryption key in the Storage Key field. 

4. Select an encryption algorithm from the Cipher Name drop down list. 


Export Encryption Settings 




3. Click on Export... 

4. Browse to the desired directory. 



5. Enter a file name to export the settings to. 


7. Enter a password. 


Import Encryption Settings 




3. Click on Import... 

4. Browse to the encryption settings file. 


6. Enter the required password. 


See 2.4 Sensitive Data Encryption for more information on encryption in the IAS Plug-In. 

To modify encryption settings for the IAS Plug-In: 




3. Enter the custom encryption key in the Storage Key field. 

4. Select an encryption algorithm from the Cipher Name drop down list. 


Export Encryption Settings 




3. Click on Export... 

4. Browse to the desired directory. 

5. Enter a file name to export the settings to. 


7. Enter a password. 


Import Encryption Settings 




3. Click on Import... 



4. Browse to the encryption settings file. 


6. Enter the required password. 


10.1.2 Configuration File 

The Configuration GUI for the IAS Plug-In writes to an .xml file named dpiasext.xml in the 

install/bin directory. It is possible to edit this file directly instead of using the Configuration 

GUI, but is not recommended. 

Example Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



10.2 MDC 

10.2.1 Required Information 

To configure gateway settings you will need: 

Gateway details: 

OR 

Protocol to use in connecting to the gateway. 

An address string and port to use in connecting to the gateway. 

The path and filename of a certificate file, if required. 

The required Query String. 

The Query Method (GET or POST) required by the gateway. 

A customized configuration file ordered from your VASCO supplier. This will need to be 

imported using the Configuration GUI. 

Username and password for the gateway account. 

10.2.2 MDC Configuration GUI 

A Graphical User Interface (GUI) is available for use in configuring the MDC. To open the MDC 

Configuration GUI, click on the Start Button and select Programs -> VASCO -> Digipass 

Plug-In for IAS -> Message Delivery Component Configuration. 

Note 

The MDC must be restarted after any change is made in the Configuration GUI. 

10.2.2.1 Set IAS Server Connection Details 

Set the IAS Server IP address and port. 

1. Modify the Server IP Address if needed. 

2. Change the Port number for the server if needed. 

10.2.2.2 Modify Gateway Account Login Details 

The MDC needs a Username and password for the gateway in order to send text messages 

through it. 

1. Modify the Username if needed. 

2. Change the Password and Confirm Password fields if required. 

The Password and Confirm Password fields must contain identical data. 



10.2.2.3 Configure Internet Connection Details 

Enable or disable the use of an HTTP Proxy and enter details if required. 

1. Enable or disable the use of the HTTP Proxy by ticking or clearing the Use HTTP Proxy 

checkbox. 

2. If required, enter an IP address, port and timeout for the HTTP Proxy. 

3. Enter a maximum number of internet connections to allow in the Max. Connections 

field. 

10.2.2.4 Configure Tracing 

The MDC makes use of a trace file to record information about events that occur on the 

system, for use in troubleshooting. This could include generic information, changing 

conditions, or problems and errors that have been encountered. 

The level of tracing that the MDC employs depends on its configuration settings. 

Caution 

Enabling Full Tracing should only be done for troubleshooting purposes. There 

are no limits set on the size of the tracing file, so if the option is left on too 

long on a high-load system the file may dramatically slow down or crash 

Windows, due to excessive I/O or filling up the hard drive. This is not highly 

likely for MDC, but should be considered. 

Because there are no size limitations set on the trace file, it is not recommended that you have 

tracing permanently enabled. If your system is set up with Basic Tracing always enabled, 

ensure that the file size does not cause problems by deleting or archiving it whenever it gets 

too large. 

Basic tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Full tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Informational messages [INFOR] 

Data tracing messages [DATA] 

Debugging messages (useful for support purposes) [DEBUG] 

Security messages, messages that may contain security sensitive data [SECUR] 



Turn Tracing On or Off 

1. Select a Tracing option. 

2. If you have selected Basic Tracing or Full Tracing, enter a path and filename for the 

tracing file into the File Name field. 

The file path entered must be the full absolute path. 

Note 

If the File Name field is left blank or the file path does not exist, the MDC will 

not output tracing. If the file does exist, tracing will be appended to the file. If 

it does not exist, it will be created. 

10.2.2.5 Import HTTP Gateway settings 

Import a customized configuration file ordered from your VASCO supplier, containing the 

configuration details for your gateway needed by the MDC. 

1. Click on the Gateway Settings tab. 

2. Enter a name for the gateway. 

3. Click on Import Settings. 

4. Select a file from the Browse window. 


The import progress will be displayed. 


10.2.2.6 Edit Advanced Settings 


2. Ensure that the Edit Advanced Settings checkbox is ticked. 

3. Select a protocol to use in connecting to the gateway from the Protocol drop down list 

(typically HTTP). 

4. Enter an address string to use in connecting to the gateway in the Address field. 

5. Enter a port in the Port field (typically 80 for HTTP connections). 

6. Enter the path and filename of a certificate file if required. 

7. Modify the Query String field if required. 

Example Query String: 

username=[acc_user]&password=[acc_pwd]&device=[otp_dest]&network=tgsm&message= 

[otp_msg] 

8. Select a Query Method according to what the gateway requires (typically POST). 

10.2.2.7 Export HTTP Gateway settings 

Once you have entered the necessary gateway configuration information into the Configuration 

GUI, you may wish to export the settings into a file for backup purposes or to transfer to 

another IAS server. 




2. Ensure that the Edit Advanced Settings checkbox is ticked. 

3. Click on Export Settings. 

4. Select a directory from the Browse window. 

5. Enter a filename. 


The export progress will be displayed. 

10.2.2.8 Gateway Result Pages 

A result page is returned by the gateway service when a text message is submitted by the GET 

or POST methods. This page would normally be a HTML formatted page containing specific 

error codes and/or additional messages for success/failure. 

Three types of result messages are generally categorized as: 

Information 

Success of message delivery (the message has been accepted by the server) 

Warning 

The submission/delivery failed, but it is most likely a specific error only affecting this User. 

The User’s login will fail on the first step. Possible causes are: 

Error 

Phone number invalid 

Temporary gateway failure 

Error(s) occurred while attempting delivery. This means that the delivery failed for a particular 

User, but the error might be affecting all Users. In this case, the User’s login will fail 

immediately. Possible such errors are: 

Account data incorrect (Account User or password wrong) 

Account credit expired (for a pre-paid gateway account) 

Communication error with gateway (network error) 

Other permanent gateway errors 

Audit Console Logging 

A gateway result page can be recognized by key words and phrases, and an alternate message 

created for logging to the audit console whenever the result is received. Variables can be 

extracted from the result page and used in the log message to provide extra information. 

Result Page Rules 

The result page rule patterns use the following syntax: 

[Var-Name1] [] [Var-Name2] … 



Where the template is constructed in the following way: 

: a character string which must be matched in the page returned by the 

gateway. Note that multiple can appear in a single template, but they 

must not be overlapping. Matching is case-sensitive. 

[]: Omits a variable part of the result page between two segments, when 

matching a template. This can be useful to ignore arbitrary data or time/date data in the 

returned web page. 

[Var-Namex]: Describes a segment of the result page between two 

segments or at the end of the result page, which will be written to a variable. Usually 

this will be data that can provide more detailed information why a particular message 

submission has failed. The variable name inside the [] brackets can then be used as part 

of the audit message template to create a meaningful message. 

Example 

If the server returns the following result page 

“Submission successful at 10:00, 11/11/02, status: 00 - message delivery in 

progress.” 

for successful transmission, or 

“Submission unsuccessful at 10:05, 11/11/02, status: 47 – number too short” 

for an unsuccessful submission, then the following result page rules can be configured: 

Message Rule Name: Success 

Message Rule Pattern: successful at [DateTime], status: [Status] – [Message] 

Variables retrieved: DateTimeStatusMessage 

Message Rule Name: Warning 

Message Rule Pattern: unsuccessful at [DateTime], status: 47 – [Message] 

Variables retrieved: DateTimeMessage 

Message Rule Name: Error 

Message Rule Pattern: unsuccessful at [DateTime], status: [status] – [Message] 

Variables retrieved: DateTimeStatusMessage 

No Match Available If no Rule matches a Result page returned, an error will be logged to the 

Audit Console, reporting that the result page returned from the gateway could not be matched. 

Ordering Rules The order of the result page template in the configuration data can be used to 

match more specific messages first and finally catch any “other” message, which the gateway 

might send. 

Audit message template 

Once a result page template a matched, a corresponding audit message is constructed with the 

variables retrieved from the result page rule. 

The message template will use the following syntax: 



[VAR-Name1] [Var-Name2] … 

: a character string which will appear literally in the constructed audit 

message. 

[Var-Namex]: Variable which is derived from the matched variables from the 

corresponding result page template. 

The following variables are predefined and can be used in the audit message template: 

[otp_dest] The destination address (a mobile phone number) the OTP was sent to. 

[otp_msg] The message that was submitted. This variable will also contain the OTP, so should not be used for the 

construction of audit messages. 

[acc_user] Account name for the gateway.Not recommended for use in audit messages. 

[acc_pwd] Account password for the gateway.Not recommended for use in audit messages. 

[Username] the User ID of the User requesting the OTP 

Table 31: MDC Audit Message Variables 

Examples of variable use: 

Insufficient credit on account [acc_user] when sending to [username] 

Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message] 

Modify a Gateway Result Message Rule 

Ensure that the Edit Advanced Settings checkbox on the Gateway Settings tab is ticked. 

1. Click on the Gateway Results tab. 

2. Select a Rule to modify. 

3. Click on Edit. 

4. Make any required changes. 




Add a Gateway Result Message Rule 

1. Click on the Gateway Results tab. 

2. Click on Add. 

3. Enter a descriptive name for the Rule in the Description field. 

4. Enter the full text or a partial match of the text displayed by the gateway in the 

Matching Pattern field. 

5. Select an Audit Message Level for the Rule. 

Each level of message will be displayed with a different color background in the Audit 

Console. 

Info – normal 

Warning – yellow 

Error – red 

6. Enter the message text you wish the User to see into the Message Text field. 




10.2.3 MDC Configuration File 

The MDC Configuration GUI writes to an .xml file named MDCConfig.xml in the install/bin 

directory. It is possible to edit this file directly instead of using the MDC Configuration GUI. 

Example Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Caution 

The configuration file is UTF8 encoded. Non-UTF8 encoded characters should 

not be added to the configuration file, or it will not load. 



10.2.4 Configuration Settings 

The table below lists the options, their default values, and a brief explanation of each. 

Option 

Name 

General tab 

Config. 

GUI Field 

Server/ IP Server IP 

Address 

Default 

Value 

 

Notes 

This string is the IP address of the local server. It needs to correspond 

with the licensing as well as the IP address configured for the 

server.Data type: String with valid IP4 address or hostname that can be 

resolved through DNS 

Server/ Port Port 20003 This integer is the TCP/IP port on which the local server is listening. 

Must correspond with the IAS server settings.Data type: Integer with 

valid Port address (1-65535) 

Gateway/ 

ProxyIP 

Gateway/ 

ProxyPort 

Gateway/ 

Timeout 

Gateway/ 

MaxConnecti 

ons 

Tracing/ 

TraceFile 

Tracing/ 

TraceMask 

Gateway- 

Acnt/ 

Username 

Gateway- 

Acnt/ 

Password 

Proxy IP IP address of the HTTP proxy used by the MDC to contact the HTTP 

gateway. This can be used when the firewall settings do not allow a 

direct connection.Empty - no proxy being used.Data type: String with 

valid IP4 address 

Port Port number to contact the HTTP proxy on.Must be supplied if the 

ProxyIP setting is used.Data type: Integer with valid Port address (1- 

65535) 

Proxy 

Timeout 

Max 

Connections 

30 Time in seconds that the MDC will wait on a response from the 

HTTP/gateway.Data type: integer 

10 Maximum allowed number of concurrent connections to the HTTP 

gateway.Data type: Integer (1-100) 

File Name The file that tracing output should be written to.None – no tracing.Data 

type: String 

Tracing 0 The tracemask specifies how much tracing is done.0 – no tracing1 – 

basic tracing2 – full tracingData type: Integer 

(General 

tab)Usernam 

e 

Gateway Settings tab 

Gateway/ 

Description 

Gateway/ 

HTTPMethod 

Gateway/ 

URL 

(General 

tab)Password 

& Confirm 

Password 

Gateway 

Name 

Query 

Method 

Protocol and 

Address 

 

 

Sets the account Username the HTTP gateway. The given value will be 

used as content for the variable [acc_User] in the query string.Data 

type: String 

Sets the account password the HTTP gateway. The given value will be 

used as content for the variable [acc_pwd] in the query string.Data 

type: String 

This is an informational field, naming or describing the HTTP gateway. It 

can be set to provide a description for a particular service, but is ignored 

by the MDC.Data type: String 

POST Designates either the GET or POST method for use in transferring 

account and message data to the HTTP/HTTPS gateway.Data type: 

String (“GET” or “POST”) 

 

Required parameter.Sets the URL to the HTTP gateway. The address 

should not contain any variables, but is should contain the protocol 

identifier.Note: the protocol identifier of “https://” can be used to SSLencrypt 

the link between the MDC and the HTTP gateway. In this case it 

is required to specify a filename where the server certificates can be 

found.Data type: String 



Option 

Name 

Gateway/ 

HTTPQuery 

Gateway/ 

CertFile 

Config. 

GUI Field 

Default 

Value 

Query String 

Certificate 

File 

Gateway Results tab 

Results/ 

Resultnn/ 

Name 

Results/ 

Resultnn/ 

Pagematch 

Results/ 

Resultnn/ 

MsgType 

Results/ 

Resultnn/ 

Message 

.\curl-cabundle.crt 

Notes 

Required parameter.Defines the query string which will be submitted to 

the http server, either using POST or GET (as specified by HttpGw- 

Method). This string must contain all required variables that are 

expected by the HTTP gateway. Contained in the query string must be 

the following parameters which will be set by the MDC before submitting 

the query: 

[acc_user] specifies the account name for the gateway which will be 

used to submit the information§ 

[acc_pwd]password for the gateway account specified by the 

[Username] parameters§ 

[otp_msg]specifies the part of the query string, where the OTP message 

will be substituted§ 

[otp_dest]specifies the part of the query string, where the destination 

for the OTP (usually the mobile phone number) will be substituted.The 

query string should also incorporate any other parameters which might 

be expected by the gateway.Example:Data type: String 

When using the HTTPS protocol, the server certificate file is used to 

authenticate the message gateway and to derive the data encryption 

keys. It can contain either one or multiple server certificates.The file 

needs to be PEM-encoded,X.509 compliant certificate.It can be created 

by exporting the required Root CA from any browser (eg. Internet 

Explorer) using the base-64 format - equivalent to PEM.Data type: 

String 

Description Name of this entry, as displayed by the MDC Configuration GUI. This 

field has no functional meaning.Data type: String 

Matching 

Pattern 

Audit 

Message 

Level 

Message 

Text 

 

Result Page Template to match the result page returned by the HTTP 

service. If this template is matched, the corresponding audit message is 

composed and returned to the IAS Plug-In Audit message.Data type: 

String 

2 Type of message to appear in the audit log:0 INFO – informational 

message (login on)1 WARNING – warning message (login fails)2 

ERROR – error message (login fails)Data type: Integer (0-2) 

 

Table 32: Message Delivery Component Configuration Settings 

10.3 CGI 

Audit Message Template for the message to be compiled and sent back 

to the IAS Plug-In. The message is returned as Information, Warning or 

Error, depending on the MsgType parameter in the same section. 

Includes [variable] options.Data type: String 

See 7.2.1 Configuration Settings for VASCO CGI configuration settings and location. 


Digipass Plug-In for IAS Administrator Reference How to troubleshoot 

11 How to troubleshoot 

11.1 Enable Tracing 

1. Set the IAS Plug-In to tracing. 

2. Restart IAS. 

3. Attempt a login. 

4. Check the trace file for information on the start-up conditions of the IAS Plug-In and of 

the login attempt. 

11.2 Installation Check 

The information in this section will enable you to check that various files have been installed in 

the correct locations and registered (where required), and Windows registry entries have been 

created and the correct values inserted. 

11.2.1 Installation Log File 

Check the log file created during the installation of the Digipass Plug-In for IAS. The log file 

should be found in \install.log. 

Example Log Entries 

File successfully created 

CreateDirectory: "C:\Program Files\VASCO\Digipass Plug-In for IAS\Bin" (1) 

File: overwriteflag=0, allowskipfilesflag=2, name="aal3ad30.dll" 

File: wrote 2416640 to "C:\Program Files\VASCO\Digipass Plug-In for IAS\Bin\aal3ad30.dll" 

DLL could not be registered 

Error registering DLL: Could not load dpmmccom.dll 

11.2.2 Check file placement 


File Name Location 

dpiasext.dll \Bin 

dpiasext.xml \Bin 


dpmmc.dll \Bin 

dpmmcpol.dll \Bin 

dpmmccom.dll \Bin 

dpmmc.msc \Bin 

dpwxlib.dll \Bin 

Admin_MMC_Interface_Help.chm \Doc 


dpextaduc.dll \Bin 



AD_Extension_Help.chm \Doc 

VACMAN Controller 

aal2sdk.dll \Bin 

Demo Digipass 

demo.dpx \DPX 

demogo1.dpx 

demovdp.dpx 

CGI Configuration Interface 

dpcgicfg.exe \Bin 

User Self Management Web Site 

*.html \UserSite 

usercgi.exe \UserSite\CGI 

*.gif \UserSite\Images 

Message Delivery Component 

mdcserver.exe \Bin 

mdccfg.exe \Bin 

libcurl.dll \Bin 

libeay32.dll \Bin 

libssl32.dll \Bin 

mdcconfig.xml \Bin 

curl-ca-bundle.crt \Bin 

OTP Request Site 

*.html \VDPSite 

vdpcgi.exe \VDPSite\CGI 

*.gif \VDPSite\Images 

Version Information 

version.txt 

Table 33: Required Files 

11.2.3 Registry Entries 

General 

Registry Key Path\Name Value Notes 

HKEY_LOCAL_MACHINE\Software\VASCO Data 

Security\InstallDirectory 


Security\InstalledProducts\Digipass Plug-In for 

IAS 


Security\InstalledComponents\ 


Security\Digipass Plug-In for IAS\Version 


Typically c:\program files\VASCO\Digipass 

Plug-In for IAS 

1 1 = installed 

0 = not installed 

If the Pack has been incorrectly installed, the 

key will typically be missing rather than having 

a value of 0. 

Check the recorded version numbers for 

various components. 

1.0.0. Version number for the Digipass Plug-In for 

IAS. 



Registry Key Path\Name Value Notes 

HKEY_LOCAL_MACHINE\System\ 

CurrentControlSet\Services\AuthSrv\ 

Parameters\ExtensionDLLs 

HKEY_LOCAL_MACHINE\System\ 

CurrentControlSet\Services\AuthSrv\ 

Parameters\AuthorizationDLLs 



Security\MMC Admin Interface\ApiLibrary 


Security\MMC Admin Interface\DialogLibrary 


Security\MMC Admin Interface\HelpFile 

\Bin\ 

dpiasext.dll 

\Bin\ 

dpiasext.dll 

\Bin\ 

aal3ad30.dll 

\Bin\ 

dpwxlib.dll 

\Doc\ 

Admin_MMC_Interfa 

ce_Help.chm 



Security\AD U&C Extension\ApiLibrary 


Security\AD U&C Extension\DialogLibrary 


Security\AD U&C Extension\HelpFile 

Message Delivery Component 

HKEY_LOCAL_MACHINE\System\CurrentContr 

olSet\Services\EventLog\Application\VDPMDC\ 

EventMessageFile 

HKEY_LOCAL_MACHINE\System\CurrentContr 

olSet\Services\EventLog\Application\VDPMDC\ 

TypesSupported 

Table 34: Registry Entries 

Note 

\Bin\ 

aal3ad30.dll 

\Bin\ 

dpwxlib.dll 

\Doc\ 

AD_Extension_Help. 

chm 

\Bin\ 

mdcserver.exe 

1 1 = EVENTLOG_ERROR_TYPE 

See 7.2.1 Configuration Settings for VASCO CGI configuration settings in 

the Windows registry. 

11.2.4 DLLs to be Registered 

These DLLs need to be registered with Windows in order for the Digipass Plug-In for IAS to 

work correctly. See for information on registering them manually. 

DLL Location 

dpmmc.dll \Bin 

dpmmcpol.dll \Bin 

dpmmccom.dll \Bin 

dpextaduc.dll \Bin 

Table 35: DLLs to be Registered 

11.2.5 Check Permissions 



Directory or File Permission(s) required Notes 

User Self Management Web Site (IIS) 

/dpselfservice/cgi execute 

\UserSite\CGI\usercgi.exe 

OTP Request Site (IIS) 

/requestotp/cgi execute 

execute This is required on Windows Server 

2003 only. 

\VDPSite\CGI\vdpcgi.exe execute This is required on Windows Server 

2003 only. 

Table 36: Permissions Required 

11.2.6 IAS Server Registered in Active Directory Domain 

Check that the IAS server is registered in the relevant Active Directory domain(s): 

1. Open Active Directory Users and Computers. 

2. Click on Users. 

A list of Windows Users and Groups will be displayed in the Result pane. 

3. Double-click on the RAS and IAS Servers group. 

4. Check that the IAS server is listed in the group members. 

If the IAS Server is not registered in the domain: 

1. Log on to the IAS server with an administrator account for the domain. 

2. Open Internet Authentication Service. 

3. Right-click on Internet Authentication Service. 

4. Click on Register Server in Active Directory. 

The Register Internet Authentication Service in Active Directory window will be 

displayed. 

5. Click OK. 

11.2.7 Default Policy and Component Created 

A default Policy and a Component for the IAS Plug-In should have been created during the 

installation. If they have not been created, the IAS Plug-In will not process authentication 

requests. 

Note 

These steps should only be followed if the Policies and Components have not 

been modified since installation. 

To check that Policies and Components were created successfully during installation: 


2. Click on the Policies node. 

A Policy named 'Base Policy' should be included in the Policies List. 




4. Check that a Component named IAS Plug-In is included in the Components List. 

5. Double-click on the IAS Plug-In Component record. 

The Component Properties window will be displayed. 

6. Base Policy should be selected in the Policy drop down list. 

11.3 Fix Installation Errors 

11.3.1 Register IAS Plug-In 

If they do not currently exist, create the following registry entries under the 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters key: 

Name Type Data 

AuthorizationDLLs REG_MULTI_SZ \Bin\dpiasext.dll 

ExtensionDLLs REG_MULTI_SZ \Bin\dpiasext.dll 

Table 37: IAS Plug-In Registry Entries 

11.4 View Audit Information 

The IAS Plug-In can generate audit messages and save them either to the Windows Event Log 

or a text file. Your audit settings in the Administration MMC Interface will determine where 

you should look for each type of audit message. 

11.4.1 Windows Event Log 

Filter for audit messages from the IAS Plug-In by: 

1. Click on View -> Filter... 

2. Select Digipass Plug-In for IAS from the Event Source drop down list. 


11.4.2 Audit log text file 

The audit log file name and location is configured in the Administration MMC Interface. 



11.5 Delete all Digipass Data from Active Directory 

Digipass-specific information is not removed from Active Directory when the Digipass Plug-In 

for IAS is uninstalled from a computer. 

A custom VB script is available which will strip all information related to the IAS Plug-In from a 

domain. The data removed includes: 

Digipass-Configuration container if present 

Policy and Component records in container 

Digipass-Pool container if present 

Digipass records in container 

Digipass-Reserve container if present 

Digipass records in container 

All Digipass in the domain, including all Digipass Applications. 

Search for all Digipass User Accounts and delete them 

Each Digipass User account is deleted by searching for Active Directory Users with the 

vasco-CreateTime attribute set (indicating that a Digipass User account has been created 

for that User). All vasco-UserExt attributes on the Active Directory User are reset. 

Note 

The script must be run in each domain from which data is to be removed. 

11.5.1 Run Delete Script on a Domain 

1. Get dpDeleteAll.vbs file from the CD \Windows\Utilities\VBScript directory and copy to 

the computer where you will run the command. 

2. Open cmd prompt, logged in as domain admin in the domain required. 

3. Enter the following: 

'cscript dpDeleteAll.vbs [] [-v]' 

If the machine does not belong to the target domain, specify the domain name 

If you want record-by-record progress display, specify -v (verbose mode). 

Example 

cscript dpDeleteAll.vbs dm3.vasco.com -v 


Digipass Plug-In for IAS Administrator Reference Audit Messages 

12 Audit Messages 

To set up auditing in the IAS Plug-In, see 10.1.1.6 

12.1 Audit Message Listing 

Message 

Code 

Auditing. 

Description Notes 

E000001 A system error has occurred. This message is used whenever there is a general 

processing error. It will contain full details of the error. 

E001001 The Digipass Plug-In failed to start up. The Plug-In encountered a fatal error on startup such as an 

invalid or missing configuration file. 

E001002 The Digipass Plug-In has been forced 

into the disabled state. 

E002001 The Active Directory AAL3 library failed 

to initialize. 

E002002 The Digipass Authentication library 

failed to initialize. 

E009001 An error occurred in the Virtual Digipass 

Message Delivery Component. 

E012001 The RADIUS Profile was not found in 

Funk SBR. 

W004001 A connection attempt to Active 

Directory failed. 

W005001 A connection to Active Directory has 

terminated due to an error. 

W009001 Virtual Digipass One Time Password 

delivery failed. 

W010001 A blank password was used for Back- 

End Authentication, as Stored Password 

Proxy is disabled and the user did not 

enter a static password. 

The Plug-In has started up, but is in a disabled state in 

which it will not process authentication requests. This is 

typically due to a license problem (an invalid or missing 

License Key in the IAS Plug-In Component record); an 

invalid Component Location setting in the configuration 

file; or a missing IAS Plug-In Component record. 

The Active Directory 'AAL3' library encountered a fatal 

error on initialization, eg. invalid configuration settings in 

the configuration file. 

The 'Authentication' library encountered a fatal error on 

initialization, eg. invalid configuration settings in the 

configuration file. 

The MDC encountered an error during the process of 

submitting a request to the HTTP gateway and interpreting 

the response. This may indicate a configuration problem for 

the gateway or connectivity issues. The audit message may 

contain further details from the gateway. 

Not applicable to IAS. 

An attempt to connect to an Active Directory Domain 

Controller failed. This may occur because: the Domain 

Controller is unavailable for some reason such as 

rebooting; the Domain Controller is too busy temporarily to 

service the connection; or there are DNS or networking 

problems. 

An established connection to an Active Directory Domain 

Controller has broken. This may occur because: the 

Domain Controller suddenly becomes unavailable for some 

reason such as rebooting; the Domain Controller becomes 

too busy temporarily to service the connection; or there 

are DNS or networking problems. 

The MDC could not successfully deliver a text message via 

the HTTP gateway. The audit message should contain 

further details from the gateway. 

This message only occurs when the Back-End 

Authentication setting is Always. 

When Stored Password Proxy is disabled, the IAS Plug- 

In does not pass on the password stored in the Digipass 

User Account to Windows for Back-End Authentication. If a 

User does not enter their password as well as their OTP, 

the login will fail because their password has not been 

provided to Windows. 



Message 

Code 

W011001 A Backup Virtual Digipass quota of uses 

has been finished. 

W011002 No Digipass was found to assign to a 

new Digipass User Account for Auto- 

Assignment. 

W011003 A Digipass User Account has become 

locked. 

I001001 The Digipass Plug-In has started up 

successfully. 

I002001 The Active Directory AAL3 library has 

been initialized successfully. 

I002002 The Digipass Authentication library has 

been initialized successfully. 

I003001 The Digipass Plug-In has shut down. 

I004001 A connection attempt to Active 

Directory was successful. 

I005001 A connection to Active Directory has 

been terminated normally. 

I005002 A connection to Active Directory has 

been timed out for load-balancing. 

I006001 A RADIUS Access-Request has been 

received. 

I007001 A RADIUS Access-Accept has been 

issued. 

I007002 A RADIUS Access-Challenge has been 

issued. 

I007003 A RADIUS Access-Reject has been 

issued. 

I008001 A Digipass has been moved for 

assignment to a user. 

I008002 A user-to-user link has been removed 

due to assignment of a Digipass. 

I009001 A Virtual Digipass One Time Password 

has been delivered. 


BVDP Uses Remaining has just been decremented to 0 

for a Digipass. The User will not be able to use that 

Digipass for Backup Virtual Digipass logins until the Uses 

Remaining is increased or cleared. 

No available Digipass were found for Auto-Assignment. 

This may be because: there were no unassigned Digipass 

in the right location; the unassigned Digipass did not 

conform to Policy restrictions; the unassigned Digipass 

were Reserved for individual assignment. 

The location in which the IAS Plug-In searches for available 

Digipass records can be controlled to some extent using 

the Search Upwards in Org. Unit hierarchy setting. 

A User just exceeded the User Lock Threshold of failed 

logins and their Digipass User Account is now Locked. 

Administrator action is required to unlock the account. 

Configuration details are given in the audit message. 

The Active Directory 'AAL3' library has completed 

initialization. Configuration details are given in the audit 

message. 

The 'Authentication' library has completed initialization. 

Configuration details are given in the audit message. 


Controller has ended with a normal disconnection. 


Controller has been ended for load-balancing purposes. 

Periodically the connections will be dropped and new ones 

established, in case there is a less busy Domain Controller 

available. The time period is defined by the configuration 

setting Max-Bind-LifeTime in the file, in minutes. 

The IAS Plug-In has received an Access-Request. The audit 

message will indicate what action will be taken as well as 

key details of the request. 

The IAS Plug-In has accepted an Access-Request. Note 

however that it is still possible that after the IAS Plug-In 

has accepted the request, IAS rejects it. 

The IAS Plug-In has issued a challenge, either 

Challenge/Response or Virtual Digipass. 

The IAS Plug-In has rejected an Access-Request. 

Upon assignment of a Digipass to a User, if the Digipass is 

not already in the same location (Organizational Unit) as 

the User, it is moved to that location. 

If a Digipass User Account is linked to another in order to 

share the Digipass, it must not have a Digipass assigned 

itself. If a Digipass is assigned, the link will be broken. 

The MDC successfully delivered a text message via the 

HTTP gateway, as reported by the gateway. The audit 

message may contain further details from the gateway. 



Message 

Code 


Note that depending on the gateway, it may still be 

possible for delivery to fail after the gateway has reported 

success. 

I010001 User authentication was not handled. The IAS Plug-In decided not to handle an authentication 

request due to Policy and/or Digipass User Account 

settings. The main reasons why this may occur are: the 

effective Local Authentication and Back-End 

Authentication settings were both None; the User failed 

the Windows Group Check, using the Authenticate listed 

groups, pass others through option. 

Note that the 'effective' settings are the effective settings 

of the Policy, unless the Digipass User Account overrides 

the Policy. 

I011001 A Digipass Grace Period has been ended 

by the use of a One Time Password. 

I011002 A Backup Virtual Digipass expiration 

date has been set due to the first 

request for a Virtual One Time 

Password. 

I011003 A Backup Virtual Digipass time limit has 

been expired by the use of the normal 

One Time Password. 

I011004 A Backup Virtual Digipass quota of uses 

has been set due to the first request for 

a Virtual One Time Password. 

I011005 A Digipass User Account has been 

created using Dynamic User 

Registration. 

I011006 A new static password has been stored 

using Password Autolearn. 

I011007 A Digipass has been assigned to a new 

Digipass User Account using Auto- 

Assignment. 

I011008 A Digipass has been assigned to a 

Digipass User Account using Self- 

Assignment. 

I011009 A Digipass challenge has been issued 

for a Self-Assignment attempt. 

The first time that an assigned Digipass is used 

successfully to log in, if a Grace Period is still active, it is 

ended immediately. They must continue to use their 

Digipass to log in after that point. 

A User has requested a Backup Virtual Digipass OTP for the 

first time, when the effective Backup VDP Enabled 

setting is Yes – Time Limited and they did not already have 

an Enabled Until date set on their Digipass. At this time, 

they are given the Time Limit from the Policy by adding it 

to the current date. 

A User who has been using Backup Virtual Digipass has 

used their normal OTP login using the Digipass again. 

When the effective Backup VDP Enabled setting is Yes – 

Time Limited, using the normal OTP login ends their time 

limit immediately. This is done by setting the Enabled 

Until date on their Digipass to the current date. 

An administrator action is required to reset their Enabled 

Until date, if the User is to be allowed to use Backup 

Virtual Digipass again. 

A User has requested a Backup Virtual Digipass OTP for the 

first time, when the effective Backup VDP Max. 

Uses/User setting is greater than 0 and they did not 

already have a Uses Remaining date set on their 

Digipass. At this time, they are given the Max. Uses/User 

limit from the Policy. 

A Digipass User Account has been created automatically 

upon successful Back-End Authentication. This occurs 

when the Dynamic User Registration feature is enabled. 

A new static password has been stored in the Digipass User 

Account after successful Back-End Authentication. This 

occurs when the Password Autolearn feature is enabled. 

Upon creation of a new Digipass User Account through 

Dynamic User Registration, an available Digipass has 

been assigned to the new account automatically. This 

occurs when the Auto-Assignment feature is enabled. 

A User has successfully assigned a Digipass to themselves 

using the Self-Assignment feature. 

A User has obtained a challenge during an attempt to 

assign a Digipass to themselves using the Self- 

Assignment feature. In order to complete the assignment, 

they must provide the correct response to the challenge 



Message 

Code 


from the Digipass. 

I011010 A user has changed their Digipass PIN. A User has changed their Server PIN during their login, or 

set it up on first use or after a PIN reset. 

S001001 A query for a single data object was 

successful. 

S001002 A query for a list of data objects was 

successful. 

The IAS Plug-In or an administrator has made a successful 

query to Active Directory for a single record. In the case of 

the IAS Plug-In this will be a search for its Component 

record; for an administrator it could be any single record 

query. The audit message has details of the record found. 

The IAS Plug-In or an administrator has made a successful 

query to Active Directory for some records. In the case of 

the IAS Plug-In this will be a search for a RADIUS Client 

Component record; for an administrator it could be any list 

query. The audit message has details of the records found 

but this may be truncated. 

S001003 A data object command was successful. An administrator has issued a successful data modification 

command such as an update of settings or one of the 

Digipass Application operations like Reset PIN. The audit 

message has details of the command and results. 

S002001 User authentication was successful. The 'Authentication' library has passed authentication for a 

request. Note however that the IAS Plug-In or IAS itself 

may still decide to reject the request ultimately. 

S002002 User authentication issued a challenge. The 'Authentication' library has issued a challenge for an 

authentication request, either Challenge/Response or 

Virtual Digipass. 

F001001 A query for a single data object failed. The IAS Plug-In or an administrator has made an 

unsuccessful query to Active Directory for a single record. 

In the case of the IAS Plug-In this will be a search for its 

Component record; for an administrator it could be any 

single record query. The audit message has basic details of 

the failure, but there should be a preceding E000001 with 

more details. 

F001002 A query for a list of data objects failed. The IAS Plug-In or an administrator has made an 

unsuccessful query to Active Directory for some records. In 

the case of the IAS Plug-In this will be a search for a 

RADIUS Client Component record; for an administrator it 

could be any list query. The audit message has basic 

details of the failure, but there should be a preceding 

E000001 with more details. 

F001003 A data object command failed. An administrator has issued an unsuccessful data 

modification command such as an update of settings or 

one of the Digipass Application operations like Reset PIN. 

The audit message has basic details of the failure, and 

there may be a preceding E000001 with more details. 

F002001 User authentication failed. The 'Authentication' library has failed authentication for a 

request. The audit message has details of the failure (see 

) and there may be a precedeing E000001 with error 

details. 

Table 38: Audit Messages List 



12.2 Audit Message Fields 

Display Name Description 

Area Area of code/functionality in which the audit event occurred. Eg. “Active Directory search”. 

Operation Operation being attempted/processed when the audit event occurred. 

Error Code Standard error code. 

Error Message Fixed error message corresponding to ERROR_CODE. 

Error Details Full dump of 'error stack'. 

Source Location Location of source of audit message, typically IP address or host name. 

Server Location When the server itself is not the source of the audit message, this is the location of the 

server (IP/host name). 

Client Location When the client itself is not the source of the audit message, this is the location of the client 

(IP/host name). 

Version Full version string. Eg. “2.5.2.0045”. 

Data Source Type of data source. Eg. “File”, “Registry”. 

Data Source Location Specific location of data source. Eg. for a File, the path/filename. 

Configuration Details Breakdown of configuration settings. 

Outcome Outcome of an attempt to do something. Eg. “Success”, “Failure”, “Challenge”. 

Reason Generally a short phrase indicating a reason for a failure. 

Characteristics Space-separated list of keywords indicating characteristics of interest. Eg. for a connection 

attempt, keywords such as “SSL” , “TCP”, “IPv6” may be useful. 

User ID UserID. Can be in various formats, unless it refers to a Digipass User Account UserID, when 

it must be exact (SAM-Account-Name). 

Domain Domain name (FQDN). 

Credentials What kind of credential was offered for a connection/login attempt. Eg. “Password”, “None”. 

Session ID Session identifier. 

Serial No Digipass Serial No. 

Application Digipass Application Name. 

Request ID Any request identifier(s). Eg. a RADIUS packet ID. 

Password Protocol The way in which a password is encoded. Eg. “PAP”, “CHAP”, “MS-CHAP1”, “MS-CHAP2”. 

Input Details Breakdown of request parameters/attributes. 

Action Intended action to take for a request received. Eg. “Ignore”, “Process”. 

Output Details Breakdown of response parameters/attributes. 

Policy ID Name of Policy used to handle a request. 

Mobile No Mobile phone no. for sending a text message. 

From Location from which something is moved. Eg. an Active Directory location. 

To Location to which something is moved. Eg. an Active Directory location. 

User Link Identification of user to which another user is linked. 

Message This is used where something external (eg. the MDC) returns a message for auditing. 

Expiration Date Value of an expiry date such as Grace Period. 

Quota Value of a quota such as Backup Virtual Digipass Uses Remaining. 

Local Authentication Whether Local Authentication was done or not. 

Back-End 


If Back-End Authentication was done, the Back-End Protocol used, otherwise “None”. 

Object Name of data object of query/command. 



Command Name of command. 

Fields The list of fields to be returned by the query, or 'All Fields'. 

RADIUS Profile Name of RADIUS Profile 

Table 39: Audit Message Fields 


Digipass Plug-In for IAS Administrator Reference Error and Status Codes 

13 Error and Status Codes 

This section lists the standard error and status codes with the associated messages. 

13.1 Error Code Listing 

Error 

Code 

0 (No error) 

Message Notes 

-1 An unspecified error occurred This error code may occur when a more specific error code is 

not available or was recorded separately. 

-2 The parameters supplied were invalid Parameters supplied to a function or command were invalid. 

-3 A memory error occurred Memory allocation failed. This is normally due to the system 

running low on memory. 

-10 A communications error occurred Inter-process or inter-component communication failed. This 

may also occur with communications to Active Directory or a 

database. This error is normally accompanied by further 

details. 

-11 A license error has occurred General-purpose license failure when a more specific code is 

not available or was recorded separately. 

-12 An operating system call failed A system call failed. This may include file handling, Active 

Directory Services Interface and other calls. It is normally 

accompanied by further details. 

-13 The object was not found An attempt was made to perform an operation on an object, 

such as an Active Directory object, but the object did not exist. 

For example, this may occur when one administrator deletes a 

record that another administrator is about to update, when the 

update operation is attempted. 

-14 The object already exists An attempt was made to create an object, such as an Active 

Directory object, but the object already exists. For example, 

this may occur when two administrators try to create the same 

record at the same time. 

-15 The supplied buffer was of the 

incorrect size 

An internal data buffer was of insufficient length to hold the 

data required. 

-16 A version error has occurred A version mismatch has occurred. Further details in the error 

record will indicate what versions were mismatched. 

-17 The supplied data are invalid General-purpose error when input data to an operation is 

incorrect. Further details of the error will be recorded. 

-18 The object is invalid An attempt was made to perform an operation upon an object 

type that was not recognized. 

-19 The command is invalid An attempt was made to perform an operation using a 

command that was not recognized. 

-20 The object is in use An attempt was made to delete an object, such as an Active 

Directory object, but that object was in use. 

This may occur when you try to delete a Policy, but another 

Policy inherits from the one you are deleting, or a Component 

uses the Policy. 

-21 The operation is not supported General-purpose error when an operation is attempted on an 

object that does not support it. For example, an attempt is 

made to generate a Virtual Digipass OTP using a Digipass that 

is not enabled for Virtual Digipass. 



Error 

Code 

Message Notes 

-22 An object error has occurred General-purpose error on an operation on an object. This 

should be supplemented with more specific details. 

-23 A required field was missing An operation was attempted without specifying one or more 

mandatory input fields. 

-30 The configuration is invalid The configuration data in the configuration file are invalid. The 

error record should indicate which specific data were invalid. 

-31 A type mismatch has occurred General-purpose error when one datatype is expected but a 

different datatype was provided. 

-32 One or more objects were not 

initialized 

Internal initialization error. More specific error details will be 

recorded. 

-33 The cache is full An attempt was made to add an entry to a cache, but the 

cache has reached its configured maximum size. 

-34 The cache entry has reached the 

maximum reference count 

An attempt was made to retrieve an item from a cache, but the 

item was already in use and the configuration indicates a limit 

on the number of times an item can be retrieved from the 

cache at one time. 

-140 A Digipass error has occurred General-purpose failure of a Digipass operation such as OTP 

verification, Reset PIN, Unlock, etc. This is normally 

accompanied by a more specific error code and message from 

the VACMAN Controller library. 

-150 Delivery of the Virtual Digipass One- 

Time Password failed 

A Virtual Digipass OTP was generated successfully, but delivery 

by text message failed. A separate message will give more 

details about the failure. 

-200 The license has expired The License Key has an expiration date set, and the date has 

passed. A permanent License Key must be obtained. 

-201 The license data are invalid One of the details embedded into the License Key is invalid for 

the Component in which it is being loaded. The Component will 

not be able to use the License Key. This may be IP address, 

Component Type, or any other detail that can be seen in the 

License Key text. 

-202 The License Key is corrupted The signature at the bottom of the License Key is invalid. This 

would typically occur if the License Key details were modified in 

any way. 

-250 Decryption has failed - no Storage Key 

is specified in the Encryption Settings 

-251 Decryption has failed - an incorrect 

Cipher is specified in the Encryption 

Settings 

-252 Decryption has failed - an incorrect 

Storage Key is specified in the 

Encryption Settings 

Some encrypted data has been created or modified using 

configured, rather than default, encryption settings. This error 

occurs when that data is read by a component that does not 

have configured encryption settings – the component is 

therefore unable to decrypt the data. 

It is necessary to configure the encryption settings in the 

component. See 2.4 Sensitive Data Encryption for more 

information on encryption settings. 


differently configured encryption settings. This error occurs 

when that data is read by a component with configured 

encryption settings that use a different Cipher Name – the 

component is therefore unable to decrypt the data. 

It is necessary to make sure that the encryption settings in all 

components are identical. See 2.4 Sensitive Data Encryption 

for more information. 


differently configured encryption settings. This error occurs 

when that data is read by a component with configured 

encryption settings that use a different Storage Key – the 



Error 

Code 

Table 40: Error Code List 

13.2 Status Code Listing 

Status 

Code 

0 No error 

 

Message Notes 

component is therefore unable to decrypt the data. 

It is necessary to make sure that the encryption settings in all 

components are identical. See 2.4 Sensitive Data Encryption 

for more information. 

Message Notes 

 

The status codes from -1 downwards match the Error Codes 

above. 

1000 The credentials were invalid General-purpose failure due to invalid username or password, 

when a more specific status is unavailable. 

1002 The user failed the Windows Group 

Check 

The IAS Plug-In rejected an authentication request due to the 

Windows Group Check failing. This can occur when the 

effective Windows Group Check option is Authenticate listed 

groups, reject others. 

Note that the 'effective' setting is the effective setting of the 

Policy, unless the Digipass User Account overrides the Policy. 

1004 The challenge has expired A response to challenge has been given, but the expiration 

time for the challenge has expired. The default expiration time 

is one minute, however this can be configured in the 

configuration file VASCO/AAL3/Authlib/Challenge-Cache/Max- 

Age setting (in seconds). 

1005 The user does not have permission to 

perform the specified action 

General-purpose failure of an administration command when 

the administrator does not have sufficient privileges to carry 

out the command. 

1007 The user account is locked The Digipass User Account is Locked. This is normally due to 

consecutive login failures, as determined by the Policy setting 

User Lock Threshold. Alternatively the administrator can 

actively lock the account. 

To unlock the User account, an administrator has to uncheck 

the Locked checkbox on the User record. 

1008 The One Time Password has already 

been used 

This status code occurs specifically when an OTP is rejected 

because it has already been used. It may also occur when the 

OTP has not been used but is older than the most recently used 

OTP. 

This can sometimes happen when an authentication request is 

re-sent automatically. 

1009 The user account is disabled The Digipass User Account is Disabled. This may be because 

the administrator has actively disabled the account, or because 

the corresponding Windows User account has become disabled 

or expired. 

1010 No user account was found An authentication request was rejected because no Digipass 

User account was found and Local Authentication is required 

by the Policy. 

1011 The static password was incorrect As part of Local Authentication, verification of the static 

password failed. 



Status 

Code 

Message Notes 

1012 The One Time Password was incorrect Verification of the OTP failed. More specific details may be 

found in the VACMAN Controller error code and message. 

1013 The challenge was invalid A response to a challenge was given, but the challenge was not 

the latest one issued for that Digipass. This is controlled by the 

Check Challenge Policy setting. 

1014 The Digipass Grace Period has expired A User attempted to log in with their static password, but their 

Grace Period had already expired. They have to use a Digipass 

to log in. 

If they do not have their Digipass yet, the administrator will 

have to allow them more time by modifying the Grace Period 

End date on their Digipass record. 

1015 Backup Virtual Digipass is not allowed A User attempted to request a Backup Virtual Digipass OTP, but 

they were not permitted. This would normally occur when 

either: 

The effective Backup VDP Enabled setting is Yes – Time 

Limited, and the Digipass Backup VDP Enabled Until 

date is the current date or before. 

The Digipass Backup VDP Uses Remaining counter 

has reached 0. 

In both cases, administrator intervention is required to permit 

the User to continue to use Backup Virtual Digipass. The 

Enabled Until or Uses Remaining limits need to be increased 

to permit this. 


Policy, unless the Digipass record overrides the Policy. 

1016 The Digipass is not available A User attempted Self-Assignment, but the Digipass they 

requested either could not be found within the search scope or 

was already assigned to someone else. 

This may occur because of a mistyped Serial Number. 

Otherwise, the search scope may be incorrect or the Digipass 

may not be in the correct location to be made available to the 

User. See the Location of Digipass Records section in the 

Product Guide. 

1017 The user account has no mobile 

number for Virtual Digipass 

1018 No password was supplied for a Virtual 

Digipass login 

A User requested a Primary or Backup Virtual Digipass OTP, but 

it could not be delivered because the User account had no 

mobile phone number. In Active Directory this is the first 

Mobile No. on the record. 

A User attempted a Virtual Digipass login, but did not enter a 

password in the second stage of the login. See 9.1.4 Virtual 

Digipass for more information. 

1020 Local authentication failed General-purpose failure of Local Authentication when a more 

specific status code is not available. Additional information 

should provide more specific details. 

1021 Back-end authentication reported that 

the password has expired 

Back-End Authentication (eg. Windows) failed because the 

password was correct but it has expired. 

1022 Back-end authentication failed Back-End Authentication (eg. Windows) failed. A specific 

error code and message will accompany this record. 

1030 The policy was invalid An authentication request was rejected because the applicable 

Policy had invalid settings or failed to load. This should not 

occur, but is possible due to the delay in Active Directory 

replication for example. The two main ways in which a Policy 

can become invalid are: 

One or more choice list settings are Default in the Policy, 

and its parent Policy if it has one. 

A circular chain of Policies has been created, for example: 



Status 

Code 

1031 The policy does not allow a selfassignment 

attempt 

1032 Hashed passwords cannot be verified 

by Windows 

Message Notes 

Policy A inherits from Policy B; Policy B inherits from 

Policy C; Policy C inherits from Policy A. 

The Policy must be fixed in order for authentication to be 

permitted using that Policy. 

A User attempted Self-Assignment, but it is not permitted 

under the Policy. 

An authentication request could not be processed successfully 

because Back-End Authentication using Windows was 

required, but the User's password was hashed. It is not 

possible to verify hashed passwords with Windows. This can 

occur when a CHAP-based protocol is used – this includes 

CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex 

protocols that utilize a one-way hash of the password entered 

by the User. 

Note that the effective Back-End Authentication setting is 

the effective setting of the Policy, unless the Digipass User 

Account overrides the Policy. 

1033 A Digipass must be used The effective Local Authentication setting is Digipass Only 

and the User tried to log in with a static password. 



1034 Challenge/Response is not supported 

by CHAP-based protocols 

1035 Challenge/Response is not supported 

by Windows 2000 

Challenge/Response is only supported in RADIUS using the PAP 

protocol. An attempt was made to generate a challenge using a 

CHAP-based protocol – this includes CHAP, MS-CHAP, MS- 

CHAP2, EAP-MD5 and other more complex protocols. 

This status code can only occur in the Digipass Plug-In for IAS. 

There is a product limitation on Windows 2000 only that 

Challenge/Response is not supported. It will occur if the User 

attempted to request a challenge. 

3001 A Digipass Challenge was returned This status code is the standard code when a challenge is 

issued and does not indicate any kind of error. 

5001 The user failed the Windows Group 

Check 

5002 Neither local nor back-end 

authentication was done due to policy 

and/or user settings 

Table 41: Status Code List 

The IAS Plug-In decided not to handle an authentication 

request due to the Windows Group Check failing. This can 

occur when the effective Windows Group Check option is 

Authenticate listed groups, pass others through. 

In this case, IAS will process the request itself using other 

authentication methods. 



The IAS Plug-In decided not to handle an authentication 

request because the effective Local Authentication and 

Back-End Authentication settings were both None. 

In this case, IAS will process the request itself using other 

authentication methods. 

Note that the 'effective' settings are the effective settings of 

the Policy, unless the Digipass User Account overrides the 

Policy. 


Digipass Plug-In for IAS Administrator Reference Technical Support 

14 Technical Support 

If you encounter problems with a VASCO product please do the following: 

1. Read the 11 How to troubleshoot topic for help in discovering the source of your 

problem. 

2. Check if your problem is resolved in the FAQs section located at the following URL: 

www.vasco.com/support. 

3. If you do not find the information you need in the FAQs, please contact the company 

that sold you the VASCO product. 

Only after doing steps 1 and 2, if your needs are still not completely met please contact 

VASCO support: 

14.1 Support Contact Information 

E-mail 

support@vasco.com 

Website 

http://www.vasco.com/support/contacts.html 

Phone 

Australia +61 2 8920 9666 (Sydney) 

Belgium +32 2 456 98 10 (Brussels) 

Singapore +65 6 232 2727 

USA +1 508 366 3400 (Boston)

Digipass Plug-In for IAS Administrator Reference - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?