Digipass Authentication for Citrix Web Interface Guide - Vasco
Digipass Authentication for Citrix Web Interface Guide 3.2
Disclaimer of Warranties and Limitations of Liabilities
The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability of fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data of other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation or liability for consequential or incidental damages so the above limitation may not apply to you.
Copyright
© 2008 VASCO Data Security Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.
Trademarks
VACMAN, Identikey, aXs GUARD and Digipass are registered trademarks of VASCO Data Security International Inc.
Microsoft and Windows are registered trademarks of Microsoft Corporation.
All other trademarks are the property of their respective holders.
Table of Contents
1 Digipass Authentication for Citrix Web Interface Overview
1.1 IIS 6 Module Overview
1.1.1 Authentication Methods
1.1.2 Server Connection Management
1.1.2.1 Connection Profiles
1.1.2.2 Connection Options
1.1.3 IIS Module Terminology
1.1.4 Password Change
1.1.5 Tracing
2 Installation
2.1 System Requirements
2.1.1 Server Requirements - Software
2.2 Pre-Installation Tasks
2.2.1 Install Authentication Server
2.2.2 IIS
2.2.3 Information Needed
2.2.4 Licensing
2.3 Install Digipass Authentication for Citrix Web Interface
2.4 Digipass Authentication for Citrix Web Interface Wizard
3 Configuration
3.1 IIS 6 Module Configuration
3.1.1 Enable/Disable the IIS 6 Module
3.1.2 Authentication Server Details
3.1.2.1 Add a Server
3.1.2.2 Modify Server Details
3.1.2.3 Delete a Server Record
3.1.2.4 Modify Connection Settings
3.1.3 Turn Tracing On or Off
3.1.4 Sites
3.1.4.1 Modify Login Page Details
3.1.4.2 Modify Change Password Page Details
3.1.4.3 Modify 1-Step Challenge/Response Login Page Details
3.1.4.4 Add a Query String Parameter
3.1.4.5 Modify a Query String Parameter
3.1.4.6 Delete a Query String Parameter
3.1.4.7 Add a Session Variable for the Failed Login Page
3.1.4.8 Edit a Session Variable
3.1.4.9 Remove a Session Variable
3.1.4.10 Delete Site Record
3.2 Configuration File
3.2.1 Configuration Settings
3.2.2 Modify Character Set Used
3.3 Configure Citrix Web Interface 4.0 to work with the Authentication Server
3.4 Configure Citrix Web Interface 4.5 and Citrix Web Interface 4.6 to work with the Authentication Server
3.5 Configure Authentication Server
3.5.1 Component Record
3.5.2 Configure for Windows User Accounts
3.5.2.1 Windows User Name Resolution
3.5.2.2 Case Sensitivity
3.5.2.3 Default Domain
3.5.3 Policy
3.5.3.1 Standard Policy Configurations for Citrix Web Interface
3.5.3.2 1-Step Challenge/Response
4 Post-Installation Tasks
4.1 Set up 1-Step Challenge/Response Login
4.1.1 Set up for Citrix Web Interface 4.x
4.1.1.1 Modify Custom Login Page
4.1.1.2 Troubleshooting
4.2 Set Up Password Change Page
4.2.1 Replace Default Files - Citrix Web Interface 4.0
4.2.2 Replace Default Files - Citrix Web Interface 4.5
4.2.3 Replace Default Files - Citrix Web Interface 4.6
4.2.4 Modify Custom Change Password Page
4.2.5 Modify Server Include File
4.3 Display Login Failure Reason
4.3.1 Replace Default Files
4.3.2 Modify Existing Files
4.4 Create 2-Step Challenge/Response Template
4.5 Copy Challenge Response Files
5 Troubleshooting
5.1 IIS 6 Module Installation Problems
5.1.1 Check file placement
5.1.2 Check Permissions
5.1.2.1 Trace File Directory
5.1.2.2 Configuration file
5.1.2.3 Add the IIS_WPG Group
5.1.3 Set System Environment Variable
5.1.3.1 Register IIS 6 Module Extension
5.1.3.2 Remove IIS 6 Module Extension
5.1.3.3 Check IIS 6 Module Extension
5.1.4 Register as Wildcard Application Mapping
5.2 Other Troubleshooting Options
5.2.1 No Trace File
5.2.2 Information from Trace File
5.2.3 Authentication Server
5.2.4 Licensing
5.3 Repair Installation
6 Uninstalling the IIS 6 Module
6.1 Uninstall the IIS 6 Module
7 Technical Support
7.1 Support Contact Information
1 Digipass Authentication for Citrix Web Interface Overview
The main component of Digipass Authentication for Citrix Web Interface is the IIS 6 Module.
1.1 IIS 6 Module Overview
The IIS 6 Module is an add-on for VACMAN Middleware, Identikey Server and aXs GUARD Identifier. It can be configured to intercept authentication requests to a website which uses a login form and redirect them to an Authentication Server. The Authentication Server must be one of the following servers:
Identikey Server 3.x – Identikey Server component
VACMAN Middleware 3.0 – Authentication Server component
aXs GUARD Identifier 3.x
The IIS 6 Module is an ISAPI extension specifically designed for use with IIS 6 only.
Figure 1 – Digipass Authentication for Citrix Overview
1.1.1 Authentication Methods
See the Product Guide for the authentication server for detailed information on login methods and options.
Response Only login
Users log in via the current login page with their username and One Time Password (OTP).
1-Step Challenge/Response login
A random challenge - of a length configured for all users - is displayed on the login page. Users log in with their username and Digipass response to the displayed challenge.
This requires modification of the current login page used by the web site.
2-Step Challenge/Response login
After the login page, the IIS 6 Module redirects users to a ‘Challenge page’ where a random challenge – of the length required by the user’s Digipass – is displayed. The user must enter a response to the challenge in order to complete the login.
A Challenge page template must be used with this feature. A default template is provided. It can be used without modification or it can be customized to match your preferred look and feel.
Virtual Digipass login
Users logging in with a Virtual Digipass use a similar process to the 2-step Challenge/Response login. If the user has a Primary Virtual Digipass assigned, or requests use of the Backup Virtual Digipass feature during the first step, an OTP will be sent to the user’s mobile phone via text message. The user is then redirected by the IIS 6 Module to the Challenge page to enter the OTP.
This uses the same Challenge template used in the 2-step Challenge/Response login.
1.1.2 Server Connection Management
The IIS 6 Module provides flexibility in managing connections to multiple primary and/or backup Authentication Servers. This allows redundancy and load sharing over multiple Servers.
1.1.2.1 Connection Profiles
Two connection profiles are available:
Primary
The Server(s) to which the IIS 6 Module will first attempt to connect. The Primary Authentication Server(s) take the majority of the data load. Load sharing may be implemented over all Primary Authentication Servers.
Backup
A Backup Server can provide redundancy and failover. It is typically a local machine which, if the Primary Authentication Server is busy or cannot be contacted, will be used until a connection to the Primary Server can be re-established.
1.1.2.2 Connection Options
Terminology
Some of the terms used in configuring server connections are explained below:
Maximum Connections
The maximum number of connections that the IIS 6 Module may have open to the Authentication Server at one time.
Timeout
The time that the IIS 6 Module should wait for a reply from the Authentication Server.
Reconnect Interval
If the IIS 6 Module cannot connect to an Authentication Server, it will make connection attempts at increasing time intervals until it succeeds in establishing a connection. The time period between connection attempts is the Reconnect Interval.
Figure 2 – Standard Server Connection Configuration
This setup uses one main Authentication Server to handle requests from the Web Server, with a backup Authentication Server for use when the main Server is busy or unavailable.
1.1.3 IIS Module Terminology<br />
<strong>Digipass</strong> <strong>Authentication</strong> <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> Overview<br />
The following definitions describe how these terms are used in this document. They are also used in other IIS<br />
Package manuals.<br />
Basic <strong>Authentication</strong><br />
A method of authentication that uses the HTTP Basic <strong>Authentication</strong> mechanism. This uses a login pop-up box<br />
provided by the Browser.<br />
Forms <strong>Authentication</strong><br />
The method of authentication where the <strong>Web</strong> Site provides its own login page.<br />
IIS Module/IIS 6 Module<br />
General term <strong>for</strong> a plug-in to IIS to allow <strong>Digipass</strong> authentication to take place.<br />
The IIS 6 module is the IIS Module <strong>for</strong> IIS version 6.<br />
The IIS 6 module takes two <strong>for</strong>ms depending on its application:<br />
IIS Extension<br />
The IIS Extension is an ISAPI extension used <strong>for</strong> Forms <strong>Authentication</strong>. The IIS plug-in is referred to as the IIS<br />
Module in manuals <strong>for</strong> Forms <strong>Authentication</strong>, unless the text is referring specifically to the IIS Extension.<br />
IIS Filter<br />
The IIS Filter is an ISAPI filter used <strong>for</strong> Basic <strong>Authentication</strong>. The IIS plug-in is referred to as the IIS Module in<br />
manuals <strong>for</strong> Basic <strong>Authentication</strong>, unless the text is referring specifically to the IIS Filter.<br />
<strong>Authentication</strong> Server<br />
The term <strong>Authentication</strong> Server refers to the component to which the IIS Module sends authentication requests.<br />
This component is:<br />
For Identikey Server, the Identikey Server service or daemon<br />
For aXs Guard Identifier, the Identikey Server daemon<br />
For VACMAN Middleware 3, the <strong>Digipass</strong> <strong>Authentication</strong> Service<br />
Client/Component/Client Component<br />
The above terms refer to the same thing. The Client Component is the record defined in the <strong>Authentication</strong><br />
Server's data store, to represent an installed instance of the IIS Module. Different terms are used due to<br />
differences in terminology on the server side. i.e. Client <strong>for</strong> Identikey Server and aXs Guard, Component <strong>for</strong><br />
VACMAN Middleware 3.<br />
They are used <strong>for</strong> the following main purposes:<br />
<strong>Digipass</strong> <strong>Authentication</strong> <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> <strong>Guide</strong> 9
1.1.4 Password Change<br />
1.1.5 Tracing<br />
<strong>Digipass</strong> <strong>Authentication</strong> <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> Overview<br />
To indicate that the <strong>Authentication</strong> Server is permitted to process a request from that client<br />
To specify a Policy to be used to process the request<br />
To hold a License Key <strong>for</strong> the IIS Module<br />
The IIS 6 Module can capture password changes made in <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong>. This requires modification of the<br />
current Password Change page used by <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong>.<br />
The IIS 6 Module makes use of a trace file to record in<strong>for</strong>mation about events that occur on the system, <strong>for</strong> use in<br />
troubleshooting. This could include generic in<strong>for</strong>mation, changing conditions, or problems and errors that have<br />
been encountered.<br />
The level of tracing that the IIS 6 Module employs depends on its configuration settings.<br />
Caution<br />
Enabling Full Tracing should only be done <strong>for</strong> troubleshooting purposes. There are no limits set<br />
on the size of the tracing file, so if the option is left on too long on a high-load system the file<br />
may dramatically slow down or crash Windows, due to excessive I/O or filling up the hard drive.<br />
Because there are no size limitations set on the trace file, it is not recommended that you have<br />
tracing permanently enabled. If your system is set up with Tracing always enabled, ensure that<br />
the file size does not cause problems by deleting or archiving it whenever it gets too large.<br />
Basic tracing includes:<br />
Critical error/warning messages [CRITC]<br />
Major error/warning messages [MAJOR]<br />
Minor error/warning messages [MINOR]<br />
Configuration messages [CONFG]<br />
Full tracing includes:<br />
Critical error/warning messages [CRITC]<br />
Major error/warning messages [MAJOR]<br />
Minor error/warning messages [MINOR]<br />
Configuration messages [CONFG]<br />
Informational messages [INFOR]<br />
Data tracing messages [DATA]<br />
Debugging messages (useful for support purposes) [DEBUG]<br />
Security messages, messages that may contain security sensitive data [SECUR]<br />
Note<br />
The IIS 6 Module will require permissions for the directory in which the tracing file is kept. See<br />
5.1.2 Check Permissions for more information.<br />
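The following audit helper is an added example, not part of the VASCO guide or its software. It applies the cautions above to the Trace-Header and Trace-Mask values listed in Table 1 (section 3.2.1) and counts level tags in a trace file before it is archived or sent to support.<br />
Assumptions: the function names, the 100 MB size threshold, the sample trace line layout, and the choice to treat [DATA] as sensitive alongside [SECUR].<br />

```python
import ntpath
import re
from collections import Counter

# Trace-Header bit values, as listed in Table 1 (section 3.2.1).
HEADER_FIELDS = [(1, "Date"), (2, "Time"), (4, "Tracing level"),
                 (8, "Thread ID"), (16, "File"), (32, "Line")]

# The only Trace-Mask values Table 1 documents; anything else is "custom".
KNOWN_MASKS = {
    0x00000000: "no tracing",
    0x0010000E: "configuration and error messages only",
    0xFFFFFFFF: "all levels enabled",
}

# Level tags from the tracing overview. The guide flags [SECUR] as possibly
# security sensitive; treating [DATA] the same way is this example's choice.
LEVEL_TAG = re.compile(r"\[(CRITC|MAJOR|MINOR|CONFG|INFOR|DATA|DEBUG|SECUR)\]")
SENSITIVE = {"SECUR", "DATA"}


def decode_trace_header(value):
    """Return the header fields enabled by a Trace-Header bitmask."""
    if not 0 <= value <= 63:
        raise ValueError("Trace-Header must be between 0 and 63")
    return [name for bit, name in HEADER_FIELDS if value & bit]


def parse_trace_mask(text):
    """Parse Trace-Mask, which the guide accepts in hexadecimal or decimal."""
    text = text.strip()
    mask = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("Trace-Mask must fit in 32 bits")
    return mask


def audit_trace(header, mask_text, trace_file, size_bytes=0,
                max_bytes=100 * 1024 * 1024):
    """Return a list of (code, detail) findings for one trace configuration.

    size_bytes is the trace file's current size. max_bytes is a threshold
    picked by the operator (an assumption; the guide itself sets no limit).
    """
    mask = parse_trace_mask(mask_text)
    if mask == 0 or not trace_file.strip():
        return [("TRACING_OFF", "mask is 0 or no trace file is configured")]
    findings = []
    if not ntpath.isabs(trace_file):
        findings.append(("RELATIVE_PATH",
                         "Trace-File must be a full absolute path"))
    if mask == 0xFFFFFFFF:
        findings.append(("FULL_TRACING", "all levels on, including [SECUR]; "
                         "use for troubleshooting only"))
    elif mask not in KNOWN_MASKS:
        findings.append(("CUSTOM_MASK",
                         "0x%08X is not a value listed in Table 1" % mask))
    # Assumes the level tag is what the "Tracing level" header field prints.
    if "Tracing level" not in decode_trace_header(header):
        findings.append(("NO_LEVEL_FIELD", "lines cannot be filtered by level"))
    if size_bytes > max_bytes:
        findings.append(("OVERSIZE", "%d bytes exceeds %d; archive or delete"
                         % (size_bytes, max_bytes)))
    return findings


def count_levels(lines):
    """Count trace lines per level tag, e.g. before a file is sent to support."""
    counts = Counter()
    for line in lines:
        match = LEVEL_TAG.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def has_sensitive_levels(lines):
    """True if any line carries a level that may hold sensitive data."""
    return any(tag in SENSITIVE for tag in count_levels(lines))


# Constructed sample lines; the real trace line layout is not shown in the guide.
SAMPLE_TRACE = [
    "2008-05-14 10:22:31 [CONFG] configuration revision loaded",
    "2008-05-14 10:22:40 [INFOR] login request received",
    "2008-05-14 10:22:40 [SECUR] credential material (constructed placeholder)",
    "2008-05-14 10:22:41 [MAJOR] connection to Authentication Server lost",
]

if __name__ == "__main__":
    print(decode_trace_header(31))
    for code, detail in audit_trace(31, "0xFFFFFFFF", r"Log\dpextcfg.trace",
                                    size_bytes=3 * 1024 ** 3):
        print(code, "-", detail)
    print(dict(count_levels(SAMPLE_TRACE)), has_sensitive_levels(SAMPLE_TRACE))
```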
2 Installation<br />
Before installing the IIS 6 Module, check that all system requirements and pre-installation tasks have been met.<br />
This will help ensure a smooth, trouble-free installation and integration process.<br />
2.1 System Requirements<br />
2.1.1 Server Requirements - Software<br />
An authentication server running on another machine. This should be one of the following:<br />
Identikey Server 3.x – Identikey Server component<br />
VACMAN Middleware 3.0 - Authentication Server component<br />
aXs GUARD Identifier 3.x<br />
Internet Information Services (IIS) 6.0 or higher<br />
Windows Server 2003 SP2 or higher<br />
Citrix Presentation Server Web Interface 4.0 (also known as XenApp) or later<br />
The User must have administration rights on the installation machine.<br />
Note<br />
Digipass Authentication for Citrix Web Interface is not supported on 64-bit operating systems.<br />
2.2 Pre-Installation Tasks<br />
Before installing the IIS 6 Module, there are several tasks which need to be completed. Performing these tasks<br />
(where applicable) will assist in a quick, smooth installation process.<br />
Note<br />
Digipass Authentication for Citrix Web Interface cannot be installed on the same machine as any<br />
other Digipass Authentication packages.<br />
2.2.1 Install Authentication Server<br />
An Authentication Server must be installed on the network before the IIS 6 Module is installed. See 2.1 System<br />
Requirements for compatible servers and 3.5 Configure Authentication Server for configuration recommendations.<br />
Warning<br />
If the users are Active Directory users on a Windows platform, it is recommended that the Use<br />
Windows User Name Resolution feature on the Authentication Server is enabled. This uses<br />
Windows functions to identify User IDs as Windows User accounts, including the domain to<br />
which the account belongs.<br />
This feature is not available on Linux platforms or the aXs GUARD Identifier.<br />
If the Use Windows User Name Resolution feature is disabled, it is essential that users always<br />
use the same login name. If they try to log in using a different form of their Windows account<br />
name, their login will be rejected, unless a second Digipass User account has been created.<br />
2.2.2 IIS<br />
Ensure IIS and the Citrix Web Interface are installed and working correctly. The Citrix Web Interface must be<br />
installed on the IIS server where the web server is running.<br />
2.2.3 Information Needed<br />
Before you begin installation of the IIS 6 Module, ensure that you have the following information easily accessible,<br />
as you will need to enter this during the installation.<br />
IP address and port number of the Authentication Server. To check this, open the Authentication Server<br />
Configuration and check the Component location and Port fields.<br />
Source IP address on the local machine to use when connecting to the Authentication Server (if multiple IP<br />
addresses are configured for this machine, as this affects licensing – see below).<br />
2.2.4 Licensing<br />
The Authentication Server will regard each incoming IP address as a different Client Component. This is the<br />
reason for selecting a single IP address in connecting to the Authentication Server if there is more than one IP<br />
address for a machine.<br />
2.3 Install Digipass Authentication for Citrix Web Interface<br />
1. Start the ‘Digipass Authentication for Citrix Web Interface’ installation process.<br />
If you are not using the CD Autorun interface, locate and double-click on the Citrix.msi file.<br />
2. Click Next.<br />
The License Agreement screen will be displayed.<br />
3. Tick the box marked 'I accept the terms in the License Agreement'. Click Next.<br />
4. Enter the destination folder for the module. Click Next to accept the default or choose your preferred<br />
destination and click Next.<br />
5. Click Install to install the Digipass Authentication for Citrix Web Interface.<br />
The files will be installed to the directory you specified.<br />
6. To finish the install, click Finish.<br />
On exit, the installer launches the Digipass Authentication for Citrix Web Interface Wizard.<br />
2.4 Digipass Authentication for Citrix Web Interface Wizard<br />
Note<br />
For a definition of the term Authentication Server, please see 1.1.3 IIS Module Terminology.<br />
1. Enter the IP address for the Authentication Server in the IP Address field.<br />
2. Check the Port field. If the SEAL port on which the primary Authentication Server is listening is not the<br />
default provided (20003), enter the correct port number.<br />
3. Select the type of data store that the primary Authentication Server is using. Select either Active Directory or<br />
ODBC-compliant or embedded database. If using the embedded PostgreSQL database, select ODBC-compliant<br />
or embedded database.<br />
4. Click Next.<br />
The Wizard will attempt to connect to the Authentication Server using the IP address and port provided.<br />
If the connection fails, an error window will appear informing you of the problem. Click OK to take you back<br />
to the Authentication Server Connection Details window. To get help identifying the problem, see the 5<br />
Troubleshooting section.<br />
5. Select an IP address from the IP Address drop down list, which will contain IP addresses assigned to the<br />
current machine. The IIS 6 Module will use the selected IP address exclusively. As VASCO component<br />
licensing operates on IP address, this ensures that the IIS 6 Module will only use up one component license<br />
slot.<br />
6. Click Next.<br />
7. Select one of the two option buttons.<br />
Create Component record manually<br />
The Wizard will not attempt to create a Component record for the IIS 6 Module or load a license for the<br />
record. You will need to do this manually instead. Use this option where a Component record already exists for<br />
the IIS 6 Module, with a valid license key loaded.<br />
a. Select Do not create the Component record and do not load the license automatically<br />
b. Click on Next.<br />
c. Jump to Step 10.<br />
Create Component record automatically<br />
The Wizard will create a Component record in the Authentication Server data store for the IIS 6 Module. You<br />
may also load a license for the created record. If the Component record already exists for the IIS 6 Module at<br />
the current IP address, a new Component record will not be created. The license key will be loaded into the<br />
existing Component record.<br />
a. Select Do create the Component record automatically<br />
b. Click on Next.<br />
c. Continue with the following steps.<br />
8. Enter your login details:<br />
Active Directory<br />
a. Enter the User ID and password for the Domain Administrator.<br />
If you are logged into the current machine as Domain Administrator in the correct Domain, you may<br />
leave these fields blank.<br />
b. Enter the Fully Qualified Domain Name of the Domain in which the Authentication Server configuration<br />
data is kept. Typically this will be Digipass Configuration Domain. This is a mandatory field.<br />
c. Enter a preferred server if you wish the Wizard to connect to a specific Domain Controller. The text<br />
entered should be the first part of the Fully Qualified Domain Name for the Domain Controller.<br />
d. Click on Next.<br />
ODBC-Compliant Database<br />
a. Enter the User ID and password for an Administrator account on the Authentication Server. This<br />
account will need permissions to:<br />
view, create and update Components<br />
view Policies<br />
b. Click on Next.<br />
9. To load a license key:<br />
Select a license key file by clicking ... Select the license.dat file to load from where you saved it on your<br />
machine. Click Open to load the License Key from the file.<br />
If you do not already have a license.dat file containing a License Key for the Citrix Web Interface<br />
Component at this Location, click on the Request a License Key from www.vasco.com. button. This<br />
will take you to the vasco.com web site, where you can request a license key and save it to a file called<br />
license.dat.<br />
To load a license key later, simply click on Next.<br />
10. The Summary screen will allow you to review your configuration settings before they are applied.<br />
Check the configuration settings carefully and click Back to go back and change a setting if it is incorrect.<br />
Click Proceed to apply the configuration settings when they are correct.<br />
11. If the Authentication Server uses Active Directory as its data store, you may need to restart the<br />
Authentication Server before it will recognise the new Component record and acknowledge requests<br />
from the IIS 6 Module.<br />
3 Configuration<br />
Configuration settings can be modified in two ways. The easiest method is via the IIS 6 Module Configuration – a<br />
graphical interface that allows you to make changes with a few mouse clicks. Advanced users may prefer to edit<br />
the configuration file directly.<br />
3.1 IIS 6 Module Configuration<br />
A Graphical User Interface (GUI) is available for use in configuring the IIS 6 Module. This provides a simple,<br />
intuitive way to set up the IIS 6 Module to work with your current system.<br />
To open the IIS 6 Module Configuration, click on the Start Button and select Programs VASCO Digipass<br />
Authentication for Citrix Web Interface IIS Module Configuration<br />
Alternatively, open Windows Explorer and open \Bin\dpiismodcfg.exe.<br />
If this is the first time you have opened the IIS 6 Module Configuration and the configuration file has not been<br />
edited, the values you will see are those entered when the Wizard was last run.<br />
3.1.1 Enable/Disable the IIS 6 Module<br />
This option starts or stops the IIS 6 Module from redirecting authentication requests to the Authentication Server.<br />
1. Click on the General tab.<br />
2. Tick or untick the Enable Digipass Authentication checkbox.<br />
3. Click on the Apply button.<br />
3.1.2 Authentication Server Details<br />
The Server list contains all Authentication Servers which may be utilized by the IIS 6 Module. Authentication Server<br />
records can be added, deleted, or their details modified.<br />
3.1.2.1 Add a Server<br />
1. Click on the Add button.<br />
The New Server window will be displayed.<br />
2. Enter a name for the Authentication Server in the Display Name field.<br />
This name will be used to distinguish the Authentication Server in the Server list, but has no effect on the<br />
behaviour of the IIS 6 Module.<br />
3. Enter an IP address and port (typically 20003) for the Authentication Server, in the IP Address and Port<br />
fields.<br />
4. Select a Server Type (see 1.1.2 Server Connection Management).<br />
5. Enter a timeout period (in seconds) in the Timeout field.<br />
6. Enter the maximum number of concurrent connections to be made from the IIS 6 Module to the Server, in the<br />
Max. Connections field.<br />
7. Enter a minimum and maximum amount of time that the IIS 6 Module should wait before attempting to<br />
reconnect to the Authentication Server in the Min. Reconnect Interval and Max. Reconnect Interval fields.<br />
8. Click on the OK button.<br />
3.1.2.2 Modify Server Details<br />
1. Select the Server to be edited.<br />
2. Click on the Edit button.<br />
The Edit Server window will be displayed.<br />
3. Make required changes.<br />
4. Click on the OK button.<br />
3.1.2.3 Delete a Server Record<br />
1. Select the Server record to be deleted.<br />
2. Click on the Delete button.<br />
A confirmation window will be displayed.<br />
3. Click on OK to delete the Server record.<br />
3.1.2.4 Modify Connection Settings<br />
Reconnect Interval<br />
If the IIS 6 Module loses contact with the primary Authentication Server(s), it will switch its connection over to a<br />
backup Authentication Server. It will try to reconnect with the primary server(s) at increasing intervals until<br />
connection with the primary server(s) is re-established.<br />
The Minimum Reconnect Interval and Maximum Reconnect Interval set the minimum and maximum amounts of<br />
time that the IIS 6 Module will leave between attempts to reconnect to the primary Authentication Server(s).<br />
Connect from IP Address<br />
If a server has multiple IP addresses configured, the IIS 6 Module needs to know which to use in connecting to the<br />
Authentication Server(s).<br />
1. Enter the IP address from which to connect to Authentication Servers in the Connect from IP Address field.<br />
This may be left blank if there is only one IP address for the machine.<br />
2. Click on the Apply button.<br />
Load Sharing<br />
Load sharing allows the IIS 6 Module to connect to multiple Authentication Servers when it has reached the<br />
maximum number of concurrent connections for the first primary Authentication Server in the Server list.<br />
1. Tick the Enable Load Sharing checkbox.<br />
2. Click on the Apply button.<br />
3.1.3 Turn Tracing On or Off<br />
1. Select a Tracing option. See 1.1.5 Tracing for more information.<br />
2. If you have selected Basic Tracing or Full Tracing, enter a path and filename for the tracing file into the File<br />
Name field.<br />
The file path entered must be the full absolute path.<br />
3. Click on the Apply button.<br />
Note<br />
If the File Name field is left blank or the file path does not exist, the IIS 6 Module will not output<br />
tracing. If the file does exist, tracing will be appended to the file. If the path is valid but the file<br />
does not exist, it will be created.<br />
If the IIS_WPG group does not have Write permissions for the directory specified, tracing will not<br />
be successful. See 5.1.2.1 Trace File Directory for more information.<br />
3.1.4 Sites<br />
Each web site to be protected by the IIS 6 Module is displayed in the Sites list. One Site record will be entered<br />
into the configuration during installation and named Citrix Web Interface 4.x, depending on the version of Citrix<br />
Web Interface installed on the machine. Site records may be modified at any time.<br />
3.1.4.1 Modify Login Page Details<br />
1. Click on the Authentication tab.<br />
2. Select the Site and click on the Edit button.<br />
The Edit Site window will be displayed.<br />
3. Click on the Login tab.<br />
4. Modify the Base URL if required.<br />
5. For information on modifying query string parameters for the login page, see the Add,<br />
Modify and Delete a Query String Parameter topics below.<br />
6. Click on the Form Fields tab.<br />
7. Ensure that the correct names for the fields on the login page corresponding to User,<br />
Password and Domain are entered into the relevant fields.<br />
8. Click on the Failed Login tab.<br />
Modify the Base URL if required.<br />
9. Tick the Return Failure Reason checkbox if you wish to enable the IIS 6 Module to add information about a<br />
login failure to the login page (see Display Login Failure Reason).<br />
10. For information on modifying query string parameters for the login page, see the Add,<br />
Modify and Delete a Query String Parameter topics below.<br />
11. If you need to set up 2-step Challenge/Response login or Virtual Digipass login:<br />
a. Click on the Two Step C/R tab.<br />
12. Enter the location of the Challenge/Response template.<br />
13. Click on OK.<br />
3.1.4.2 Modify Change Password Page Details<br />
1. Click on the Authentication tab.<br />
2. Select the Site and click on the Edit button.<br />
The Edit Site window will be displayed.<br />
3. Click on the Change Password tab.<br />
4. Tick the Enabled checkbox to allow the IIS 6 Module to capture password changes.<br />
5. Modify the Base URL if required.<br />
6. For information on modifying query string parameters for the change password page, see the Add, Modify and<br />
Delete a Query String Parameter topics below.<br />
7. Ensure that the correct names for the fields on the login page corresponding to User, Password, New<br />
Password and Confirm Password are entered into the relevant fields.<br />
8. Click on OK.<br />
3.1.4.3 Modify 1-Step Challenge/Response Login Page Details<br />
1. Click on the Authentication tab.<br />
2. Select the Site and click on the Edit button.<br />
The Edit Site window will be displayed.<br />
3. Click on the One Step C/R tab.<br />
4. Tick the Enabled checkbox to allow 1-step Challenge/Response logins.<br />
5. Modify the Base URL if required.<br />
6. For information on modifying query string parameters for the change password page, see the Add, Modify and<br />
Delete a Query String Parameter topics below.<br />
7. Click on OK.<br />
3.1.4.4 Add a Query String Parameter<br />
The Query String Parameters list contains URL parameters required by Citrix when a login is submitted. The IIS 6<br />
Module will only identify a request as a login if these variables are present in the query string.<br />
1. Click on the + button.<br />
The Add Login Query String Parameter window will be displayed.<br />
2. Enter the new parameter, exactly as it will appear in the query string – eg. page=login<br />
3. Click on OK.<br />
4. Repeat the process for other query string parameters.<br />
3.1.4.5 Modify a Query String Parameter<br />
1. Select a Query String Parameter from the list.<br />
2. Click on the button.<br />
The Edit Login Query String Parameter window will be displayed.<br />
3. Make the required changes.<br />
4. Click on OK.<br />
3.1.4.6 Delete a Query String Parameter<br />
1. Select a query string parameter from the list.<br />
2. Click on the button.<br />
A confirmation window will be displayed.<br />
3. Click on Yes to delete the query string parameter.<br />
3.1.4.7 Add a Session Variable for the Failed Login Page<br />
The Session Variables list contains query string parameters from the login submit request which should be<br />
included in the failed login URL, such as session identifiers.<br />
1. Click on the + button.<br />
The Add Failed Login Session Variable window will be displayed.<br />
2. Enter the name of the query string parameter.<br />
3. Click on OK.<br />
Repeat the process for other query string parameters to be included in the failed login URL.<br />
3.1.4.8 Edit a Session Variable<br />
1. Select a session variable from the list.<br />
2. Click on the button.<br />
The Edit Failed Login Session Variable window will be displayed.<br />
3. Modify the name of the query string parameter.<br />
4. Click on OK.<br />
3.1.4.9 Remove a Session Variable<br />
1. Select a query string parameter from the session variable list.<br />
2. Click on the button.<br />
A confirmation window will be displayed.<br />
3. Click on Yes to remove the query string parameter from the list.<br />
3.1.4.10 Delete Site Record<br />
1. Click on the Authentication tab.<br />
2. Select the site name from the Sites list.<br />
3. Click on the Delete button.<br />
A confirmation window will be displayed.<br />
4. Click on OK to delete the site record.<br />
3.2 Configuration File<br />
The IIS 6 Module Configuration writes to an .xml file named dpmodulecfg.xml in the installation directory. It is<br />
possible to edit this file directly instead of using the IIS 6 Module Configuration. Increment the Revision number by<br />
1 to have your changes take effect.<br />
Note<br />
This option is recommended only for advanced users. The IIS 6 Module Configuration GUI will<br />
prevent most common configuration mistakes, but there are no such checks made when edits<br />
are made directly to the configuration file. Incorrect changes to the configuration file may cause<br />
the IIS 6 Module to stop working.<br />
Example configuration file<br />
Caution<br />
The configuration file is UTF8 encoded. Non-UTF8 encoded characters should not be added to<br />
the configuration file, or it will not load.<br />
3.2.1 Configuration Settings<br />
The table below lists the options, their default values, and a brief explanation of each.<br />
Table 1 – Configuration Options<br />
Option Name: Revision<br />
Default Value: 1<br />
Notes: The current revision of the configuration. This is incremented each time the configuration is changed and allows the IIS 6 Module to automatically reload its configuration parameters. If you have manually changed configuration settings in the file, increment this setting by 1 so that your changes take effect.<br />
Option Name: Enabled<br />
Default Value: 1<br />
Notes: Whether the IIS 6 Module is enabled or disabled. If disabled, does not block access, but does not intercept authentication requests – they pass through unmodified.<br />
Option Name: Default-Component-Type<br />
Default Value: Citrix Web Interface<br />
Notes: Default Component type to specify when connecting to an Authentication Server.<br />
Option Name: Local-Address<br />
Default Value: IP address automatically detected by the install program. If more than one IP address was detected, this value will be the IP address selected during installation.<br />
Notes: The local IP address to be used when connecting to Authentication Servers.<br />
Option Name: Trace/Trace-Header<br />
Default Value: 31<br />
Notes: The tracing header fields that have been enabled. This is a bitmask constructed by adding the following values:<br />
1 Enable the Date field<br />
2 Enable the Time field<br />
4 Enable the Tracing level field<br />
8 Enable the Thread ID field<br />
16 Enable the File field<br />
32 Enable the Line field<br />
eg. for DATE,TIME,LEVEL = 1 + 2 + 4 = 7<br />
A value of 0 will result in no header being added to the trace output.<br />
Option Name: Trace/Trace-Mask<br />
Default Value: 0x00000000<br />
Notes: Hexadecimal or decimal values:<br />
Hex Decimal<br />
0x00000000 0 No tracing<br />
0x0010000E 1048590 Configuration and error messages only<br />
0xFFFFFFFF 4294967295 All levels enabled.<br />
Option Name: Trace/Trace-File<br />
Default Value: \Log\dpextcfg.trace<br />
Notes: The absolute path and filename of the file to which internal state tracing will be written. The file but not the path will be created by the IIS 6 Module if it does not exist. If this option is blank, the IIS 6 Module will not output tracing.<br />
Option Name: Local-Address<br />
Default Value: 127.0.0.1<br />
Notes: The local IP address to be used when connecting to Authentication Servers.<br />
Connection-List/Load-<br />
Balancing<br />
Connection-List/ Connection<br />
/ Name<br />
Connection-List/ Connection<br />
/ Address<br />
Connection-List/<br />
Connection/ Port<br />
Connection-List/<br />
Connection/<br />
Server-Type<br />
Connection-List/ Connection<br />
/<br />
Nr-Connections<br />
Connection-List/ Connection<br />
/Min-Reconnect-<br />
Interval<br />
Connection-List/ Connection<br />
/Max-Reconnect-<br />
Interval<br />
False Whether load balancing is enabled <strong>for</strong> connections to <strong>Authentication</strong><br />
Servers.<br />
Text to display in the Servers list on the Configuration.<br />
IP Address entered<br />
during installation.<br />
20003 (default) or<br />
Port number entered<br />
during installation.<br />
IP Address of the <strong>Authentication</strong> Server.<br />
Port to use in connecting to the <strong>Authentication</strong> Server<br />
Primary Either Primary or Backup <strong>Authentication</strong> Server. This setting affects<br />
load-balancing.<br />
10 The maximum number of concurrent connections which the IIS 6<br />
Module may hold open to the <strong>Authentication</strong> Server.<br />
30 The minimum amount of time in seconds that the IIS 6 Module will<br />
leave between attempts to reconnect to a higher-priority server after<br />
losing connection to it.<br />
300 The maximum amount of time in seconds that the IIS 6 Module will<br />
leave between attempts to reconnect to a higher-priority server after<br />
losing connection to it.<br />
Attribute-Group The Attribute Group name to use in retrieving credentials from a<br />
<strong>Digipass</strong> User account.<br />
Use-Attribute-For-User-<br />
Name<br />
0 If this option is enabled, the IIS 6 Module will retrieve a User-Name<br />
attribute from a <strong>Digipass</strong> User account. It will replace the User ID<br />
entered during login with the attribute value be<strong>for</strong>e passing the<br />
request to the the web site.<br />
0 Disabled. The User ID will not be replaced with the User attribute.<br />
1 Enabled. The User ID will be replaced with the User-Name<br />
attribute.<br />
Sites/Site/ Name <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 4.x Text to display in the Sites list on the Configuration GUI.<br />
Sites/Site/<br />
Component-Type<br />
Sites/Site/<br />
Login/Match-URL/URL<br />
<strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> Component type to specify when connecting to an <strong>Authentication</strong><br />
Server <strong>for</strong> this Site.<br />
/citrix/metaframe/auth<br />
/login.aspx<br />
(CWI 4.0 - 4.5)<br />
The base URL to use in submitting a login<br />
<strong>Digipass</strong> <strong>Authentication</strong> <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> <strong>Guide</strong> 42
Option Name Default Value Notes<br />
Sites/Site/<br />
Login/Match-URL/<br />
Param<br />
Sites/Site/<br />
Login/Failed-URL/URL<br />
Sites/Site/<br />
Login/User-Field<br />
Sites/Site/<br />
Login/Password-Field<br />
Sites/Site/<br />
Login/Domain-Field<br />
Sites/Site/<br />
Login/Challenge-Template<br />
Sites/Site/<br />
Login/Error-Message<br />
Sites/Site/<br />
ChgPasswd/Match-URL/URL<br />
OR<br />
/citrix/AccessPlat<strong>for</strong>m/a<br />
uth /login.aspx<br />
(CWI 4.6)<br />
Query string parameter needed in the URL.<br />
/citrix/metaframe/auth<br />
/login.aspx?Nfuse_Mes<br />
sageType=Error&<br />
Nfuse_MessageKey=In<br />
validCredentials&N<br />
fuse_LogEventID=<br />
(CWI 4.0 - 4.5)<br />
OR<br />
/citrix/AccessPlat<strong>for</strong>m/a<br />
uth<br />
/login.aspx?Nfuse_Mes<br />
sageType=Error&<br />
Nfuse_MessageKey=In<br />
validCredentials&N<br />
fuse_LogEventID=<br />
(CWI 4.6)<br />
The base URL to use after a failed login attempt<br />
user Name of the field that corresponds to User.<br />
password Name of the field that corresponds to Password.<br />
domain Name of the field that corresponds to Domain<br />
\<br />
change_password\chall<br />
enge_template.html<br />
Location and file name of the template to use in creating a<br />
Challenge/Response page<br />
Configuration<br />
false Specifies whether the IIS Module should pass a reason <strong>for</strong> a login<br />
failure to <strong>Citrix</strong>. Corresponds to Return Failure Reason checkbox in<br />
the Configuration GUI.<br />
/citrix/metaframe/auth<br />
/changepassword.aspx<br />
(CWI 4.0 - 4.5)<br />
OR<br />
/citrix/AccessPlat<strong>for</strong>m/<br />
auth<br />
The base URL used in changing a User’s password.<br />
<strong>Digipass</strong> <strong>Authentication</strong> <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> <strong>Guide</strong> 43
Option Name Default Value Notes<br />
Sites/Site/<br />
ChgPasswd/ Match-<br />
URL/Param<br />
Sites/Site/<br />
ChgPasswd/Enabled<br />
Sites/Site/<br />
ChgPasswd/ User-Field<br />
Sites/Site/<br />
ChgPasswd/ Password-Field<br />
Sites/Site/<br />
ChgPasswd/ NewPassword-<br />
Field<br />
Sites/Site/<br />
ChgPasswd/ PasswordConf-<br />
Field<br />
Sites/Site/ One-<br />
Step-CR/Match-URL/URL<br />
Sites/ Site/ One-<br />
Step-CR/ Match-URL/<br />
Param<br />
Sites/ Site/ One-<br />
Step-CR/ Enabled<br />
/changepassword.aspx<br />
(CWI 4.6)<br />
Query string parameter needed in the URL.<br />
0 Whether the IIS 6 Module will capture password changes.<br />
dp_user Name of the field that corresponds to User.<br />
password Name of the field that corresponds to Password.<br />
passwordNew Name of the field that corresponds to New Password.<br />
Configuration<br />
passwordConfirm Name of the field that corresponds to Confirm New Password.<br />
/citrix/metaframe/auth/l<br />
ogin.aspx<br />
(CWI 4.0 - 4.5)<br />
OR<br />
/citrix/AccessPlat<strong>for</strong>m/a<br />
uth/login.aspx<br />
(CWI 4.6)<br />
The base URL to use in making a one-step challenge/response login<br />
request.<br />
Query string parameter needed in the URL.<br />
0 Whether one-step challenge/response logins are enabled.<br />
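The checks a manual edit of the configuration file has to pass (UTF-8 only, Revision incremented, a valid Trace-Header bitmask, tracing and reconnect settings that agree with each other), written out as an added example; this is not Vasco's code.<br />
Assumptions: the options have already been read into a dict keyed by the option names of Table 1 (the file layout is not shown in this guide), the function names are hypothetical, and the sample values and path are constructed.<br />

```python
# Added example: review of a hand-edited IIS 6 Module configuration.
# Assumption: the caller has read the options out of the configuration file
# into a dict keyed by the option names of Table 1.

# Trace/Trace-Header bit values, as listed in Table 1.
TRACE_HEADER_FIELDS = {1: "Date", 2: "Time", 4: "Tracing level",
                       8: "Thread ID", 16: "File", 32: "Line"}
ALL_HEADER_BITS = sum(TRACE_HEADER_FIELDS)  # every documented bit set


def first_non_utf8_offset(raw):
    """Return the byte offset of the first invalid UTF-8 sequence, or None."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        return exc.start
    return None


def decode_trace_header(value):
    """Split a Trace-Header bitmask into the header fields it enables."""
    if value < 0 or value & ~ALL_HEADER_BITS:
        raise ValueError("Trace-Header %d has undocumented bits" % value)
    return [name for bit, name in sorted(TRACE_HEADER_FIELDS.items())
            if value & bit]


def parse_trace_mask(text):
    """Parse Trace-Mask, which may be hexadecimal (0x...) or decimal."""
    text = text.strip()
    mask = int(text, 16) if text.lower().startswith("0x") else int(text, 10)
    if not 0 <= mask <= 0xFFFFFFFF:
        raise ValueError("Trace-Mask %s does not fit in 32 bits" % text)
    return mask


def review(settings, raw, loaded_revision):
    """Return findings for an edited configuration.

    settings        -- dict: option name as in Table 1 -> string value
    raw             -- bytes of the edited file
    loaded_revision -- Revision value before the edit
    """
    findings = []
    offset = first_non_utf8_offset(raw)
    if offset is not None:
        findings.append("non-UTF-8 byte at offset %d: file will not load" % offset)
    if int(settings["Revision"]) <= loaded_revision:
        findings.append("Revision not incremented: edits will not take effect")
    try:
        decode_trace_header(int(settings["Trace/Trace-Header"]))
    except ValueError as exc:
        findings.append(str(exc))
    mask = parse_trace_mask(settings["Trace/Trace-Mask"])
    trace_file = settings.get("Trace/Trace-File", "").strip()
    if mask and not trace_file:
        findings.append("Trace-Mask is set but Trace-File is blank: no tracing is written")
    elif mask == 0xFFFFFFFF:
        findings.append("all trace levels enabled, written to %s" % trace_file)
    prefix = "Connection-List/Connection/"
    if not 1 <= int(settings[prefix + "Port"]) <= 65535:
        findings.append("Port is outside 1-65535")
    if settings[prefix + "Server-Type"] not in ("Primary", "Backup"):
        findings.append("Server-Type must be Primary or Backup")
    low = int(settings[prefix + "Min-Reconnect-Interval"])
    high = int(settings[prefix + "Max-Reconnect-Interval"])
    if low > high:
        findings.append("Min-Reconnect-Interval (%d s) exceeds "
                        "Max-Reconnect-Interval (%d s)" % (low, high))
    return findings


# Constructed sample: values as they might look after a careless manual edit.
SAMPLE_SETTINGS = {
    "Revision": "4",
    "Trace/Trace-Header": "31",
    "Trace/Trace-Mask": "0xFFFFFFFF",
    "Trace/Trace-File": r"C:\example\Log\dpextcfg.trace",  # constructed path
    "Connection-List/Connection/Port": "20003",
    "Connection-List/Connection/Server-Type": "Primary",
    "Connection-List/Connection/Min-Reconnect-Interval": "300",
    "Connection-List/Connection/Max-Reconnect-Interval": "30",
}
# Constructed bytes: a Latin-1 e-acute (0xE9), which is not valid UTF-8.
SAMPLE_RAW = b"<!-- edited by Ren\xe9 -->"

if __name__ == "__main__":
    print(decode_trace_header(31))  # the default header value from Table 1
    for finding in review(SAMPLE_SETTINGS, SAMPLE_RAW, loaded_revision=4):
        print("-", finding)
```

Note that the default Trace-Header value of 31 enables every field except Line, which needs the 32 bit.<br />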
3.2.2 Modify Character Set Used<br />
If you are using non-Western European characters, the IIS 6 Module may need to be configured to use a specific<br />
character set when submitting login requests to the web site.<br />
The character set to be used can be modified in the IIS 6 Module configuration file (dpmodulecfg.xml) in the<br />
\bin directory. Edit the Encoding setting to the desired character set code – these are listed<br />
in the table below.<br />
Caution: The IIS 6 Module can only be configured to use a single character set – it is not able to handle<br />
multiple character sets simultaneously.<br />
Table 2 - Character Set Codes<br />
Language | ISO code | Windows code | Other code(s)<br />
Arabic | ISO-8859-6 | CP1256 | <br />
Baltic | ISO-8859-4 or ISO-8859-13 | CP1257 | <br />
Central European | ISO-8859-2 | CP1257 | <br />
Chinese Simplified | ISO-2022-CN | | GB2312<br />
Chinese Traditional | | | Big5<br />
Cyrillic | ISO-8859-2 | CP1251 | <br />
Greek | ISO-8859-7 | CP1253 | <br />
Hebrew | ISO-8859-8-I | CP1255 | <br />
Japanese | ISO-2022-JP | | <br />
Korean | ISO-2022-KR | | <br />
Thai | ISO-8859-11 | CP874 | <br />
Turkish | ISO-8859-9 | | <br />
Vietnamese | | CP1258 | <br />
Western European | ISO-8859-1 | CP1252 | <br />
3.3 Configure Citrix Web Interface 4.0 to work with the Authentication Server<br />
1. Open the Access Suite Console for Presentation Server.<br />
2. Expand the Suite Components node.<br />
3. Expand the Configuration Tools and Web Interface nodes.<br />
4. Select the location of the Citrix Web Interface installation to modify.<br />
5. Click on Configure authentication methods.<br />
6. The Configure Authentication Methods Wizard window will be displayed.<br />
7. Tick the Explicit checkbox.<br />
8. Select Disable from the Enforce 2-factor authentication drop down list.<br />
9. Click on Next.<br />
10. Select the Windows or NIS (UNIX) option button.<br />
11. Click on Next.<br />
12. Complete the next two Wizard steps as needed.<br />
13. Click on Finish.<br />
3.4 Configure Citrix Web Interface 4.5 and Citrix Web Interface 4.6 to work with the Authentication Server<br />
1. Open the Access Management Console for Presentation Server.<br />
2. Expand the Citrix Resources node.<br />
3. Expand the Configuration Tools and Web Interface nodes.<br />
4. Select the location of the Citrix Web Interface installation to modify.<br />
5. Click on Configure authentication methods.<br />
The Configure Authentication Methods window will be displayed.<br />
6. Tick the Explicit checkbox and click on the Properties… button.<br />
7. In the Properties window, click on the Explicit->Authentication Type entry in the tree on the left.<br />
8. Select the Windows or NIS (UNIX) option button and the desired credential format.<br />
9. Click on the Two-factor Authentication entry in the tree.<br />
10. Select Disable from the Two-factor setting drop down list.<br />
11. Complete the sections of the Properties dialog as needed.<br />
12. Click on OK to close the Properties window, then OK again to close the Configure Authentication<br />
Methods window.<br />
3.5 Configure Authentication Server<br />
3.5.1 Component Record<br />
A Client Component record must be configured in the Authentication Server for the IIS 6 Module. The wizard can<br />
create the required record if:<br />
- The Authentication Server is using an ODBC database (including the embedded PostgreSQL database) as its<br />
data store, or<br />
- The Authentication Server is using Active Directory and the wizard can successfully connect to Active Directory<br />
from the web server.<br />
To create the Client Component record manually:<br />
1. Create a Client Component record for the IIS 6 Module.<br />
a. The Component Type should be set to Citrix Web Interface.<br />
b. The Location should be set to the same IP address as in the Connect from IP Address setting in IIS 6<br />
Module Configuration.<br />
c. Select a Policy for the Authentication Server to use when processing authentication requests from the<br />
IIS 6 Module. See 3.5.3 Policy for more information.<br />
2. A valid license key must be obtained for the IIS 6 Module and loaded into the Component record.<br />
3.5.2 Configure for Windows User Accounts<br />
3.5.2.1 Windows User Name Resolution<br />
If the Authentication Server is installed on a Windows platform and is using an ODBC database (including the<br />
embedded database) as its data store, it is recommended that you enable Windows User Name Resolution. This<br />
allows the Authentication Server to use Windows functionality to resolve a User ID – as entered during a login –<br />
into a User ID and Domain. It is highly recommended if Dynamic User Registration will be enabled.<br />
This setting is not required where the Authentication Server is using Active Directory as its data store - name<br />
resolution will occur automatically.<br />
This setting is not available on Identikey Server on Linux, or aXs GUARD Identifier.<br />
If the Use Windows User Name Resolution feature is disabled or unavailable, it is essential that users always use<br />
the same login name. If they try to log in using a different form of their Windows account name, their login will be<br />
rejected, unless a second Digipass User account has been created. This is essential for enabling the change<br />
password facility to work.<br />
3.5.2.2 Case Sensitivity<br />
Windows User names are not case-sensitive. If the ODBC database used by the Authentication Server is case-sensitive,<br />
ensure that User ID case is converted to lower case. Upper case may also be used, but will involve extra<br />
configuration steps. The embedded PostgreSQL database is set to convert to lower case by default. See the<br />
Encoding and Case Sensitivity topic in the Administrator Reference for more information.<br />
3.5.2.3 Default Domain<br />
Where Users log in without entering a domain name or UPN, the Authentication Server will need to be configured to<br />
use the correct domain. There are two basic scenarios that might apply:<br />
Change Master Domain<br />
If Users will only ever be logging in to one domain via the Authentication Server, the simplest solution is to set the<br />
Master Domain name to the Fully Qualified Domain Name of the required domain.<br />
This option is not available for aXs GUARD Identifier.<br />
Set Default Domain in Policy<br />
This strategy should be used if:<br />
- You wish to keep the Master Domain strictly for administration accounts and separate from User accounts<br />
- The Authentication Server may be required to handle a different default domain for different IIS 6 Modules or<br />
other clients<br />
Each Policy may be configured with a Default Domain, to be used if a User does not enter a domain on login.<br />
Typically, you will need to modify the Policy used by each IIS 6 Module.<br />
3.5.3 Policy<br />
The Component record created during installation of the IIS 6 Module uses the default Password Replacement<br />
Policy for the package. It will be named:<br />
- VM3 Windows Password Replacement (VACMAN Middleware)<br />
- Identikey Windows Password Replacement (Identikey Server)<br />
- Identikey Microsoft AD Password Replacement (aXs GUARD Identifier)<br />
These Policies are configured with the following settings:<br />
- Back-End Authentication is set to If Needed (used for DUR, Password Autolearn etc, not all logins).<br />
- Windows is used as the back-end authenticator in the VM3 Windows Password Replacement and Identikey<br />
Windows Password Replacement Policies.<br />
- Dynamic User Registration, Password Autolearn and Stored Password Proxy are enabled.<br />
- Group Check Mode is set to Pass Back and Digipass Users is placed in the Group List. This will mean that any<br />
logins by Users not in the Digipass Users group will be ignored – not rejected – by the Authentication Server in<br />
the VM3 Windows Password Replacement and Identikey Windows Password Replacement Policies.<br />
Note: These settings are all available on Windows but the VM3 Windows Password Replacement<br />
policy is not available on Identikey Server on Linux or the aXs GUARD Identifier, so the<br />
corresponding settings are not available on those platforms.<br />
If you will need different settings, either select a different Policy (eg. Self-Assignment or Auto-Assignment) for the<br />
IIS 6 Module Component or copy the Password Replacement Policy to a new record, modify the new Policy as<br />
required, and use the new Policy for the IIS 6 Module Component.<br />
3.5.3.1 Standard Policy Configurations for Citrix Web Interface<br />
Digipass Users login with OTP only (Windows user accounts)<br />
The following settings are recommended for this scenario:<br />
Back-End Authentication<br />
- Back-End Authentication: If Needed<br />
- Back-End Protocol: Windows (Identikey Server and VACMAN Middleware) or Microsoft AD (aXs GUARD Identifier)<br />
These settings allow the Authentication Server to check user login details with Windows or Active Directory in case<br />
of DUR, Password Autolearn and Self-Assignment logins through the IIS 6 Module.<br />
Digipass User Account Handling<br />
- Dynamic User Registration: Enabled<br />
- Password Autolearn: Enabled<br />
- Stored Password Proxy: Enabled<br />
These settings allow the Authentication Server to create an account for an unrecognized User based on a<br />
successful Windows or Active Directory authentication. The Authentication Server can then store the User’s Active<br />
Directory password and replay it to the IIS 6 Module in place of the One Time Password entered by the User on<br />
future logins.<br />
Digipass Assignment Mode<br />
Either Self-Assignment or Auto-Assignment would typically be used in this scenario, although manual assignment<br />
may also be used.<br />
Local Authentication<br />
The typical setting for local authentication would be Digipass/Password, meaning that Users usually need to use an<br />
OTP when logging in, but are not required to in some circumstances (eg. in Grace Period).<br />
Digipass Users login with Password and OTP (Windows user accounts)<br />
The following settings are recommended for this scenario:<br />
Back-End Authentication<br />
- Back-End Authentication: If Needed<br />
- Back-End Protocol: Windows (Identikey Server and VACMAN Middleware) or Microsoft AD (aXs GUARD Identifier)<br />
These settings allow the Authentication Server to check user login details with Windows or Active Directory in case<br />
of DUR and Self-Assignment logins through the IIS 6 Module.<br />
Digipass User Account Handling<br />
- Dynamic User Registration: Enabled<br />
- Password Autolearn: Disabled<br />
- Stored Password Proxy: Disabled<br />
These settings allow the Authentication Server to create an account for an unrecognized User based on a<br />
successful Windows or Active Directory authentication. The Authentication Server will not store or replay a User’s<br />
Windows or Active Directory password.<br />
Digipass Assignment Mode<br />
Either Self-Assignment or Auto-Assignment would typically be used in this scenario, although manual assignment<br />
may also be used.<br />
Local Authentication<br />
The typical setting for local authentication would be Digipass/Password, meaning that Users usually need to use an<br />
OTP when logging in, but are not required to in some circumstances (eg. in Grace Period).<br />
Non-Windows User accounts<br />
The following settings are recommended for this scenario:<br />
Back-End Authentication<br />
- Back-End Authentication: None<br />
The Authentication Server will not use back-end authentication.<br />
Digipass User Account Handling<br />
- Dynamic User Registration: Disabled<br />
- Password Autolearn: Disabled<br />
- Stored Password Proxy: Disabled<br />
As these settings are used with Windows back-end authentication, they will not be used.<br />
Digipass Assignment Mode<br />
As Self-Assignment and Auto-Assignment are both reliant on back-end authentication, only manual assignment will<br />
be available.<br />
Local Authentication<br />
The typical setting for local authentication would be Digipass, meaning that Users are required to use an OTP when<br />
logging in.<br />
3.5.3.2 1-Step Challenge/Response<br />
If you use 1-Step Challenge/Response, you will need these Policy settings:<br />
- 1-Step Challenge/Response Permitted: Yes – Server Challenge<br />
- Challenge Length as required<br />
- Add Check Digit as required<br />
- Challenge Check Mode: 0<br />
For more information, see the Policies section of the Product Guide.<br />
4 Post-Installation Tasks<br />
4.1 Set up 1-Step Challenge/Response Login<br />
Implementing one-step Challenge/Response login requires the login page used by Citrix Web Interface to be<br />
modified. The standard login page has been modified and the correct page for the Citrix Web Interface version has<br />
been placed in the \change_password\CWI_ directory. To use a login page<br />
which has been customized for your company – eg. colours and graphics used – follow the instructions in Modify<br />
Custom Login Page.<br />
Some file names and locations, and code used in the login page, will vary depending on the version of Citrix Web<br />
Interface in use. Follow the instructions for your current version of Citrix Web Interface.<br />
4.1.1 Set up for Citrix Web Interface 4.x<br />
The instructions for modifying the Citrix Web Interface login page vary slightly between Citrix Web Interface<br />
versions 4.0, 4.5 and 4.6. The differences are in the location of the Citrix directory, and the name of the login<br />
page.<br />
The standard settings for each are listed below. The directory is located in \Citrix\MetaFrame\<br />
(4.0 - 4.5) and \Citrix\AccessPlatform\ (4.6) in the table below.<br />
Web root is typically c:\inetpub\wwwroot.<br />
Table 3 - Citrix directory and login page variations<br />
Setting | Citrix Web Interface 4.0 | Citrix Web Interface 4.5 and 4.6<br />
Citrix directory | \auth | \app_data\auth<br />
Login page | loginMainForm.inc | loginMainForm.inc<br />
Login page<br />
1. Backup \include\ to a suitable place.<br />
2. Copy modified login page from \change_password\CWI_\ to<br />
\include\<br />
3. Enable one-step Challenge/Response in the Configuration GUI. Modify the base URL and/or query string<br />
parameters as required.<br />
See the Modify 1-Step Challenge/Response Login Page Details topic in the IIS 6 Module<br />
Configuration GUI section for more information.<br />
Challenge Flash Applet<br />
This applet is only required if your company is using Digipass which have an optical challenge reader, and you wish<br />
to utilize this functionality.<br />
1. Copy \change_password\CWI_\flash.class to .<br />
2. Remove commenting (the greyed-out lines in the example below) for the applet code in the login page \include\.<br />
To edit the file, right-click on it and select Edit from the menu.<br />
CWI 4.x<br />
<br />
<br />
3. Save the file and close.<br />
4. Using the IIS Management Console, check that permissions for the \flash.class file allow<br />
read access.<br />
4.1.1.1 Modify Custom Login Page<br />
If you have a current login page in use which differs from the standard Citrix login page, you may need to modify it<br />
rather than replacing it with the login page provided with the IIS 6 Module.<br />
When the IIS 6 Module detects a request for the login page, it adds three headers to the request before passing it<br />
on. The headers added are:<br />
Table 4 - Headers added to login request string<br />
Header | Explanation<br />
VASCO-Challenge | Contains the string challenge to be displayed to the user, for example "1234".<br />
VASCO-State | Contains data that needs to be passed as the field "DPExtState" on the login request.<br />
VASCO-FlashCode | Contains the html code needed to include the challenge flash applet in the login page. This requires the applet be copied to the appropriate location in the website.<br />
A piece of code must be inserted into the login page to include 1-step Challenge/Response functionality. The code<br />
required can be found below or taken directly from the login page added to the \change_password\CWI_\ directory during installation.<br />
CWI 4.x<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Challenge:<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
--><br />
4.1.1.2 Troubleshooting<br />
<br />
<br />
<br />
<br />
If the challenge flash applet is not functioning, ensure that:<br />
- The applet file (flash.class) is in the correct directory.<br />
- The applet code has been referred to correctly in the login page code.<br />
- Read permissions have been applied to the flash.class file.<br />
4.2 Set Up Password Change Page<br />
The IIS 6 Module can capture password changes within Citrix Web Interface. For version 4.x, note that only expired<br />
password changes can be captured.<br />
To enable this, the Password Change page used by Citrix Web Interface must be modified. A modified version of<br />
the standard password change page is provided with the IIS 6 Module, and is installed to \change_password\CWI_\changepassword.inc. For Citrix Web Interface 4.x an additional<br />
file – login.cs (4.0) or login.aspxf (4.5 and 4.6) – must be modified.<br />
Some file names and locations, and code used in the change password page, will vary depending on the version of<br />
Citrix Web Interface in use. Follow the instructions for your current version of Citrix Web Interface.<br />
4.2.1 Replace Default Files - Citrix Web Interface 4.0<br />
The is located in \Citrix\MetaFrame\auth.<br />
Web root is typically located in c:\inetpub\wwwroot.<br />
1. Backup \include\changepassword.inc and \serverscripts\login.cs to a<br />
suitable place.<br />
2. Copy changepassword.inc from \change_password\CWI_ to \include.<br />
3. Copy login.cs from \change_password\v to \serverscripts.<br />
4. Enable Change Password in the Configuration GUI. Modify the base URL and/or query string parameters if<br />
required. See the Modify Change Password Page Details topic in the IIS 6 Module Configuration GUI<br />
section for more information.<br />
4.2.2 Replace Default Files - Citrix Web Interface 4.5<br />
The is located in \Citrix\MetaFrame\app_data\auth.<br />
Web root is typically c:\inetpub\wwwroot.<br />
1. Backup \include\changepassword.inc and \serverscripts\login.aspxf<br />
to a suitable place.<br />
2. Copy changepassword.inc from \change_password\CWI_ to \include.<br />
3. Copy login.aspxf from \change_password\CWI_ to \serverscripts.<br />
4. Enable Change Password in the Configuration GUI. Modify the base URL and/or query string parameters if<br />
required. See the Modify Change Password Page Details topic in the IIS 6 Module Configuration GUI<br />
section for more information.<br />
4.2.3 Replace Default Files - Citrix Web Interface 4.6<br />
The is located in \Citrix\AccessPlatform\app_data\auth.<br />
Web root is typically located in c:\inetpub\wwwroot.<br />
1. Backup \include\changepassword.inc and \serverscripts\login.aspxf<br />
to a suitable place.<br />
2. Copy changepassword.inc from \change_password\CWI_ to \include.<br />
3. Copy login.aspxf from \change_password\CWI_ to \serverscripts.<br />
4. Enable Change Password in the Configuration GUI. Modify the base URL and/or query string parameters if<br />
required. See the Modify Change Password Page Details topic in the IIS 6 Module Configuration GUI section<br />
for more information.<br />
4.2.4 Modify Custom Change Password Page<br />
If you have a current Change Password page in use which differs from the standard <strong>Citrix</strong> page, you may need to<br />
modify it rather than replacing it with the Change Password page provided with the IIS 6 Module.<br />
A piece of code must be inserted into the page to include a hidden field used by the IIS 6 Module. The code<br />
required can be found below or taken directly from the Change Password page added to the \change_password\CWI_ directory during installation.<br />
<strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 4.x<br />
<br />
<br />
<br />
<br />
4.2.5 Modify Server Include File<br />
The login.cs (4.0) or login.aspxf (4.5 and 4.6) file <strong>for</strong> a site may have been modified from the default <strong>Citrix</strong> file by<br />
other programs. If so, it is recommended that you modify it with the required extra code rather than replacing it<br />
with the file included with the IIS 6 Module. This is required <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 4.x only.<br />
The code should be inserted in the loginAuthenticateExplicit function, underneath the following text:<br />
Code<br />
if (credentials != null && !bIsError()) {<br />
System.Collections.Hashtable parameters = new System.Collections.Hashtable();<br />
parameters["AccessToken"] = credentials;<br />
parameters["ExplicitAuth"] = expAuth;<br />
// Digipass Authentication for Citrix Web Interface modifications : START<br />
// The following session variable is required to learn password changes.<br />
Session["dp_user"] = (string)credentials.getUserIdentity();<br />
// Digipass Authentication for Citrix Web Interface modifications : END<br />
4.3 Display Login Failure Reason<br />
The IIS 6 Module may be configured to pass information to Citrix when it fails an authentication request. This<br />
information may be used to provide Users with an explanation of why their login failed, and steps that they may be<br />
able to take to rectify the problem. The IIS 6 Module will pass the error or status code and message text for the<br />
Authentication Server to Citrix, which – depending on settings in the messagecenter.inc and login.js files - may<br />
then display the message verbatim or interpret the code to provide the User with a clear explanation or set of<br />
instructions.<br />
4.3.1 Replace Default Files<br />
A simple option is to replace the default <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> files with those provided with the <strong>Digipass</strong> Pack. This<br />
will allow <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> to display an <strong>Authentication</strong> Server error or status code and message on the User’s<br />
screen underneath the <strong>Citrix</strong>-generated login failure in<strong>for</strong>mation.<br />
<strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 4.0<br />
The is located in \<strong>Citrix</strong>\MetaFrame\auth.<br />
<strong>Web</strong> root is typically located in c:\inetpub\wwwroot.<br />
1. Backup \include\messagecenter.inc and \ clientscripts\login.js to a<br />
suitable place.<br />
2. Copy messagecenter.inc from \fail_reason\v- to \include.<br />
3. Copy login.js from \fail_reason\v- to \clientscripts.<br />
4. Enable Return Failure Reason (see Modify Login Page Details).<br />
<strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 4.5<br />
The is located in \<strong>Citrix</strong>\MetaFrame.<br />
<strong>Web</strong> root is typically located in c:\inetpub\wwwroot.<br />
1. Backup \app_data\auth\include\messagecenter.inc and \auth\clientscripts\login.js to a suitable place.<br />
2. Copy messagecenter.inc from \fail_reason\v- to \app_data\auth\include.<br />
3. Copy login.js from \fail_reason\v- to \auth\clientscripts.<br />
4. Enable Return Failure Reason (see Modify Login Page Details).<br />
<strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 4.6<br />
The is located in \<strong>Citrix</strong>\AccessPlat<strong>for</strong>m.<br />
<strong>Web</strong> root is typically located in c:\inetpub\wwwroot.<br />
1. Backup \app_data\auth\include\messagecenter.inc and \auth\clientscripts\login.js to a suitable place.<br />
2. Copy messagecenter.inc from \fail_reason\v- to \app_data\auth\include.<br />
3. Copy login.js from \fail_reason\v- to \auth\clientscripts.<br />
4. Enable Return Failure Reason (see Modify Login Page Details).<br />
4.3.2 Modify Existing Files<br />
The basic modification provided by VASCO consists of:<br />
A JavaScript function inserted into the login.js file which retrieves the code or message text for an error or<br />
status message returned by the Authentication Server.<br />
JavaScript code inserted into the messagecenter.inc file which calls the JavaScript function to get information<br />
about the current error or status message.<br />
These may be customised as required to provide interpretation of messages which Users may find confusing, extra<br />
information and/or troubleshooting tips.<br />
Messagecenter.inc Code<br />
<br />
<br />
<br />
// failcode and failmessage are read from the query string of the login page URL.<br />
var dp_failcode = dp_getQueryVariable("failcode");<br />
if (dp_failcode != "") {<br />
document.write("Digipass Error: ");<br />
document.write(dp_failcode);<br />
document.write(" ");<br />
document.writeln(dp_getQueryVariable("failmessage"));<br />
}<br />
<br />
<br />
Login.js Function<br />
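// Digipass Pack for Citrix Web Interface modifications : START<br />
function dp_getQueryVariable(variable) {<br />
var query = window.location.search.substring(1);<br />
var vars = query.split("&");<br />
for (var i = 0; i < vars.length; i++) { // listing breaks off at "i" on the page; the rest is an assumed completion<br />
var pair = vars[i].split("=");<br />
if (pair[0] == variable) { return pair.length > 1 ? pair[1] : ""; }<br />
}<br />
return ""; // parameter not present<br />
}<br />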
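The messagecenter.inc code above writes failcode and failmessage from the page URL into the login page as-is, so whatever is placed in those query parameters is rendered as markup. The variant below is an added example, not VASCO's or Citrix's code: it decodes the values, caps their length and HTML-escapes them before display. The function names, the 200-character cap and the optional code-to-text table are assumptions.

```javascript
// Added example: hardened display of the failcode / failmessage parameters.
// Pure functions (no DOM access), so they can be exercised outside a browser.

// decodeURIComponent throws URIError on malformed escapes such as "%zz";
// treat such values as absent instead of breaking the login page.
function dpDecode(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, " "));
  } catch (e) {
    return null;
  }
}

// Return the first value of `name` in a query string, or "" if it is
// missing, empty or not decodable. `search` is window.location.search.
function dpGetQueryVariable(search, name) {
  var query = search.charAt(0) === "?" ? search.substring(1) : search;
  var vars = query.split("&");
  for (var i = 0; i < vars.length; i++) {
    var eq = vars[i].indexOf("=");
    var key = dpDecode(eq === -1 ? vars[i] : vars[i].substring(0, eq));
    if (key === name) {
      var value = eq === -1 ? "" : dpDecode(vars[i].substring(eq + 1));
      return value === null ? "" : value;
    }
  }
  return "";
}

// Escape the five characters that can change HTML structure.
function dpEscapeHtml(text) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Build the line shown under the Citrix login failure text. `friendly` is an
// optional table mapping codes to site-written text; when a code is listed,
// the message supplied in the URL is ignored entirely.
function dpFailureHtml(search, friendly, maxLen) {
  var limit = maxLen || 200; // assumed cap; size it to the longest real message
  var code = dpGetQueryVariable(search, "failcode").substring(0, limit);
  if (code === "") {
    return "";
  }
  var message;
  if (friendly && Object.prototype.hasOwnProperty.call(friendly, code)) {
    message = friendly[code];
  } else {
    message = dpGetQueryVariable(search, "failmessage").substring(0, limit);
  }
  return "Digipass Error: " + dpEscapeHtml(code) + " " + dpEscapeHtml(message);
}

// In messagecenter.inc (browser only):
//   document.write(dpFailureHtml(window.location.search));
```

Using the table for every code you expect Users to see means the text on screen never comes from the URL at all; the escaped fallback then only covers codes you have not yet mapped.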
4.4 Create 2-Step Challenge/Response Template<br />
The example challenge-template.html is found in the \change_password directory. You may<br />
create your own based on this template, or use the example template as is.<br />
The template must contain a number of key words which the IIS 6 Module will replace with the appropriate html<br />
code. (Note: These fields may appear more than once in the file, and each instance will be replaced)<br />
These fields are:<br />
DPEXT_FORM_METHOD - This will be replaced with the correct form method<br />
DPEXT_FORM_ACTION - This must be the action specified for the form<br />
DPEXT_PASSWORD_FIELD_NAME - This must be the name for the field into which the response will be written<br />
DPEXT_CHALLENGE_TEXT - This string will be replaced with the Challenge issued.<br />
DPEXT_HIDDEN_FIELDS - This will be replaced with any fields submitted from the login page<br />
DPEXT_CHALLENGE_FLASH - This optional field will include the Digipass challenge flash applet html<br />
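A check that can be run over a custom template before it is deployed, given here as an added example rather than code shipped with the IIS 6 Module. It reports required keywords that are missing, DPEXT_ strings that match no keyword in the list above (typically a misspelling), and field keywords placed outside the form element. The function name, the single-form assumption and treating every keyword except DPEXT_CHALLENGE_FLASH as required are assumptions drawn from that list.

```javascript
// Added example: lint a custom challenge template before deployment.
// Keyword names come from the list above; everything else is an assumption.
var DP_REQUIRED = [
  "DPEXT_FORM_METHOD", "DPEXT_FORM_ACTION", "DPEXT_PASSWORD_FIELD_NAME",
  "DPEXT_CHALLENGE_TEXT", "DPEXT_HIDDEN_FIELDS"
];
var DP_OPTIONAL = ["DPEXT_CHALLENGE_FLASH"];
// Keywords that only work between <form ...> and </form>, because browsers
// submit only the fields that sit inside the form element.
var DP_INSIDE_FORM = ["DPEXT_PASSWORD_FIELD_NAME", "DPEXT_HIDDEN_FIELDS"];

function dpLintTemplate(html) {
  var known = DP_REQUIRED.concat(DP_OPTIONAL);
  var counts = {};
  known.forEach(function (k) { counts[k] = 0; });
  var unknown = [];
  var outsideForm = [];

  // Locate the body of the first form element (single form assumed).
  var open = /<form\b[^>]*>/i.exec(html);
  var bodyStart = -1;
  var bodyEnd = -1;
  if (open) {
    bodyStart = open.index + open[0].length;
    var closeRe = /<\/form\b/gi;
    closeRe.lastIndex = bodyStart;
    var close = closeRe.exec(html);
    bodyEnd = close ? close.index : -1;
  }

  var re = /DPEXT_[A-Z0-9_]+/g;
  var m;
  while ((m = re.exec(html)) !== null) {
    var word = m[0];
    if (known.indexOf(word) === -1) {
      // Matches no listed keyword, so it would be left in the page as text.
      if (unknown.indexOf(word) === -1) unknown.push(word);
      continue;
    }
    counts[word] += 1;
    var inForm = bodyEnd !== -1 && m.index >= bodyStart && m.index < bodyEnd;
    if (DP_INSIDE_FORM.indexOf(word) !== -1 && !inForm &&
        outsideForm.indexOf(word) === -1) {
      outsideForm.push(word);
    }
  }

  var missing = DP_REQUIRED.filter(function (k) { return counts[k] === 0; });
  return {
    ok: missing.length === 0 && unknown.length === 0 && outsideForm.length === 0,
    missing: missing,
    unknown: unknown,
    outsideForm: outsideForm,
    counts: counts
  };
}
```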
4.5 Copy Challenge Response Files<br />
The flash.class file is required if the challenge flash applet will be used <strong>for</strong> Challenge/Response logins. The applet<br />
will only be useful if the <strong>Digipass</strong> used by your company have an optical challenge reader.<br />
The flash.class file must be copied from \change_password to the citrix\metaframe\site or<br />
citrix\auth (<strong>for</strong> 4.0) or citrix\app_data\auth (<strong>for</strong> 4.5 and 4.6) directory under the web server root (typically<br />
c:\inetpub\wwwroot).<br />
5 Troubleshooting<br />
5.1 IIS 6 Module Installation Problems<br />
The installation program <strong>for</strong> the IIS 6 Module will usually complete the following tasks automatically. However, if it<br />
fails in these tasks <strong>for</strong> some reason, an error message will be displayed during installation. These steps can then<br />
be followed to complete the installation manually.<br />
If you are having trouble running the <strong>Authentication</strong> Server and the IIS 6 Module <strong>for</strong> the first time, following these<br />
steps may help you track down the problem and fix it manually.<br />
5.1.1 Check file placement<br />
The following files must be placed in the directory they are listed under. If they have been moved to another<br />
directory, or incorrectly copied, the IIS 6 Module will not function correctly.<br />
<br />
version.txt<br />
\Bin<br />
ikaal3seal30.dll<br />
ikaal3ldap.dll<br />
libeay32.dll<br />
libxml2.dll<br />
openssl.exe<br />
stlport.5.1.dll<br />
vxmsw28u_vc_custom.dll<br />
ssleay32.dll<br />
dpmodulecfg.xml<br />
dpiisext.dll<br />
dpiismodtcfg.exe<br />
add_ext.vbs<br />
rem_ext.vbs<br />
citrixwiz.exe<br />
\change_password\CWI_4_0<br />
changepassword.inc<br />
default.htm<br />
login.js<br />
loginMainForm.inc<br />
Messagecenter.inc<br />
README_challenge.inc<br />
README_chpwd.inc<br />
README_failreason.inc<br />
session.cs<br />
\change_password\CWI_4_5<br />
changepassword.inc<br />
default.htm<br />
login.aspxf<br />
login.js<br />
loginMainForm.inc<br />
Messagecenter.inc<br />
README_challenge.inc<br />
README_chpwd.inc<br />
README_failreason.inc<br />
\change_password\CWI_4_6<br />
changepassword.inc<br />
default.htm<br />
login.aspxf<br />
login.js<br />
loginMainForm.inc<br />
Messagecenter.inc<br />
README_challenge.inc<br />
README_chpwd.inc<br />
README_failreason.inc<br />
\fail_reason<br />
messagecenter.inc<br />
login.js<br />
5.1.2 Check Permissions<br />
5.1.2.1 Trace File Directory<br />
Permissions need to be set to allow the IIS 6 Module to access and write to the trace file. By default, the trace file<br />
is stored in \log. Follow these steps for the folder the trace file will be written to.<br />
1. Open Windows Explorer and browse to the directory that the trace file will be written to (\log by default).<br />
2. Right-click on the relevant directory.<br />
3. Select Properties.<br />
The Properties window will be displayed.<br />
4. Click on the Security tab.<br />
5. Ensure that the IIS_WPG group has Write permissions ticked.<br />
6. If changes need to be made to the permissions, make changes and click on the Apply button.<br />
If the IIS_WPG group is not listed, see Add the IIS_WPG Group.<br />
5.1.2.2 Configuration file<br />
1. Open Windows Explorer and browse to the installation directory.<br />
2. Right-click on the dpmodulecfg.xml file.<br />
3. Select Properties.<br />
The dpmodulecfg.xml Properties window will be displayed.<br />
4. Click on the Security tab.<br />
5. Ensure that the IIS_WPG group has the Read permission ticked.<br />
6. If changes were made to the permissions, click on the Apply button.<br />
7. If the IIS_WPG group is not listed <strong>for</strong> the configuration file, see 5.1.2.3 Add the IIS_WPG Group <strong>for</strong><br />
instructions on adding the account manually.<br />
5.1.2.3 Add the IIS_WPG Group<br />
If the IIS_WPG group is not listed <strong>for</strong> the trace file directory or configuration file, you will need to add it.<br />
1. Click on the Add… button.<br />
The Select Users, Computers, or Groups window will be displayed.<br />
2. Click on the Advanced… button.<br />
3. Enter search criteria (see example below) and click on the Find Now button.<br />
4. If no search criteria are entered, a list of all users and groups in the selected location will be returned.<br />
5. Select the IIS_WPG group.<br />
6. Click on the OK button.<br />
7. Check that the IIS_WPG group is listed.<br />
8. Click on the OK button.<br />
9. The account should now be listed in the Security group and user list.<br />
5.1.3 Set System Environment Variable<br />
1. Right-click on My Computer.<br />
2. Click on Properties.<br />
The System Properties window will be displayed.<br />
3. Click on the Advanced tab.<br />
4. Click on the Environment Variables button.<br />
The Environment Variables window will be displayed.<br />
If DPIISModuleDirectory is not displayed in the System variables list, create it manually:<br />
5. Click on the New button.<br />
6. Enter the following values:<br />
Variable Name: DPIISModuleDirectory<br />
Variable Value: <br />
7. Click on the OK button<br />
8. Click on the OK button again.<br />
The new System variable should now appear in the System variables list.<br />
5.1.3.1 Register IIS 6 Module Extension<br />
You must run a script to add the new IIS 6 Module Extension. The script is installed in the \bin<br />
directory at install time.<br />
1. Open up a DOS command prompt and navigate to the \bin directory<br />
2. Enter cscript add-ext.vbs and press enter.<br />
3. Your new IIS 6 Module Extension will be registered by the script.<br />
5.1.3.2 Remove IIS 6 Module Extension<br />
Run the following script to remove the IIS 6 Module Extension. The script is installed in the \bin<br />
directory at install time.<br />
1. Open up a DOS command prompt and navigate to the \bin directory<br />
2. Enter cscript rem-ext.vbs and press enter.<br />
3. Your IIS 6 Module Extension will now be removed.<br />
5.1.3.3 Check IIS 6 Module Extension<br />
You can use the following method to check that your new <strong>Web</strong> Service extension exists, but you will not be able to<br />
see if the Wildcard Application Mapping exists.<br />
1. Right-click on My Computer<br />
2. Click on Manage.<br />
The Computer Management window will be displayed<br />
3. Expand the Services and Applications heading.<br />
4. Expand the Internet In<strong>for</strong>mation Services heading<br />
5. Click on <strong>Web</strong> Services Extensions.<br />
The <strong>Web</strong> Service Extensions window will be displayed.<br />
5.1.4 Register as Wildcard Application Mapping<br />
1. Right-click on My Computer<br />
2. Click on Manage.<br />
The Computer Management window will be displayed.<br />
For <strong>Citrix</strong> 4.0 – 4.5<br />
For <strong>Citrix</strong> 4.6<br />
3. Expand Services and Applications -> Internet In<strong>for</strong>mation Services (IIS) Manager -> <strong>Web</strong> Sites -><br />
Default <strong>Web</strong> Site -> <strong>Citrix</strong> -> MetaFrame <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 3.0 – 4.5,<br />
or<br />
Services and Applications -> Internet In<strong>for</strong>mation Services (IIS) Manager -> <strong>Web</strong> Sites -><br />
Default <strong>Web</strong> Site -> <strong>Citrix</strong> -> AccessPlat<strong>for</strong>m <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 4.6<br />
4. Right-click on MetaFrame (<strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 4.0 – 4.5) or AccessPlat<strong>for</strong>m (<strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> 4.6).<br />
5. Click on Properties.<br />
6. Click on the Virtual Directory tab.<br />
7. Click on the Configuration… button.<br />
The Application Configuration window will be displayed.<br />
If the dpiisext.dll is not included in the list, add it manually:<br />
Click on the Insert… button.<br />
8. Browse to \bin\dpiisext.dll (surround with double quotes if there are spaces in the file<br />
path).<br />
Click on the OK button. The extension should now appear in the Wildcard application maps list.<br />
9. If the extension is not at the top of the Wildcard application maps list:<br />
a. Select the dpiisext.dll extension.<br />
b. Click on the Move Up button until the extension is at the top of the list.<br />
c. Click on the OK button to exit the Application Configuration window.<br />
5.2 Other Troubleshooting Options<br />
If you are still having problems after checking that all installation and configuration settings for the IIS 6 Module are<br />
correct, follow these steps to check for other possible problems.<br />
5.2.1 No Trace File<br />
If there is no trace file, or the trace file in<strong>for</strong>mation does not help, first check that the ISAPI extension has been<br />
registered (see 5.1.3.1 Register IIS 6 Module Extension <strong>for</strong> instructions) and the wildcard application mapping is<br />
set (see 5.1.4 Register as Wildcard Application Mapping <strong>for</strong> instructions). Next, check the Windows Events <strong>for</strong><br />
any warnings or errors generated by a failure to load the IIS 6 Module into IIS.<br />
5.2.2 In<strong>for</strong>mation from Trace File<br />
1. Set the IIS 6 Module to tracing.<br />
2. Restart IIS.<br />
3. Attempt a login.<br />
4. Check the trace file <strong>for</strong> in<strong>for</strong>mation on the start-up conditions of the IIS 6 Module and of the login attempt.<br />
5.2.3 Authentication Server<br />
If the IIS 6 Module appears to load and update but you are unable to achieve a successful login, check the<br />
Authentication Server. Open the Audit Viewer to:<br />
check available audit messages in the audit files or database.<br />
configure a live audit connection from the Authentication Server and retry a login.<br />
See the Authentication Server's Administrator Reference for more information.<br />
5.2.4 Licensing<br />
Check that the IIS 6 Module has a valid client Component in the Authentication Server data store, which has a valid<br />
license loaded. See the Licensing section of the Authentication Server's Administrator Reference for more<br />
information on licensing options.<br />
5.3 Repair Installation<br />
The installation of the IIS 6 Module may need to be repaired if files have been corrupted, deleted or lost.<br />
1. Locate and double-click on <strong>Citrix</strong>.msi file.<br />
2. Click on the Next button.<br />
3. Select the Repair option button to enter the repair function.<br />
4. Click on the Repair option button to confirm the repair.<br />
5. Click on the Finish button.<br />
Note<br />
The configuration file (dpmodulecfg.xml) will not be copied over if it exists in the standard<br />
directory. To repair this file, delete or move it and run the installation repair.<br />
If you have deleted or moved the configuration file, changed the IP address <strong>for</strong> the machine or received a new<br />
license <strong>for</strong> the IIS 6 Module, you will need to run the <strong>Digipass</strong> <strong>Authentication</strong> <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong> Wizard after<br />
the installation repair.<br />
6 Uninstalling the IIS 6 Module<br />
6.1 Uninstall the IIS 6 Module<br />
1. Open the Windows Add or Remove Programs utility.<br />
Select <strong>Digipass</strong> <strong>Authentication</strong> <strong>for</strong> <strong>Citrix</strong> <strong>Web</strong> <strong>Interface</strong><br />
2. Click on the Change/Remove button.<br />
OR<br />
Locate and double-click on the <strong>Citrix</strong>.msi file to start the MSI.<br />
3. Click on the Next button.<br />
4. Select the Remove option button to select the remove function.<br />
5. Click on the Remove option button to confirm the remove function.<br />
6. Click on the Finish button.<br />
The Uninstallation Progress screen will be displayed, showing the progress of your uninstall.<br />
7. After uninstallation, the system must be restarted.<br />
7 Technical Support<br />
If you encounter problems with a VASCO product please do the following:<br />
1. Read the Troubleshooting topic in the Administrator Reference or the Troubleshooting section of this guide<br />
<strong>for</strong> help in discovering the source of your problem.<br />
2. Check if your problem is resolved in the Knowledge Base located at the following URL:<br />
http://www.vasco.com/support.<br />
3. If you do not find the in<strong>for</strong>mation you need in the Knowledge Base, please contact the company that sold you<br />
the VASCO product.<br />
Only after doing these steps, if your problem is not yet solved, please contact VASCO support:<br />
7.1 Support Contact In<strong>for</strong>mation<br />
E-mail<br />
support@vasco.com<br />
<strong>Web</strong>site<br />
http://www.vasco.com/support/contacts.html<br />
Phone<br />
Australia +61 2 8061 3700 (Sydney)<br />
Belgium +32 2 609 9770 (Brussels)<br />
Singapore +65 6 232 2727<br />
USA +1 508 366 3400 (Boston)<br />