Digipass Plug-In for SBR Administrator Reference - Vasco

Modify these field values (right-click and select Fields) to change text throughout the 

document: 

NOTE: Diagrams may appear or disappear depending on these field settings – so BE CAREFUL 

adding and removing diagrams, as you may be stuffing up formatting. 

ADDITIONAL NOTE: Be careful adding and removing text, too. Just because you see something 

in the document that looks like it shouldn't be there, doesn't mean removing it is a smart idea. 

Do a print preview to check if it will show up in the final document before you do anything. 

eld values (right-click and select Fields) to change text throughout the document: 

NOTE: Diagrams may appear or disappear depending on these field settings – so BE CAREFUL 

adding and removing diagrams, as you may be stuffing up formatting. 

ADDITIONAL NOTE: Be careful adding and removing text, too. Just because you see something 

in the document that looks like it shouldn't be there, doesn't mean removing it is a smart idea. 

Do a print preview to check if it will show up in the final document before you do anything. 

(the field values are currently just (relatively) rubbish values – modified at times to check that 

text conditions are working correctly) 

sbr 

Digipass Plug-In for SBR 

SBR Plug-In 

Starter 

Steel-Belted RADIUS 

SBR 

ODBCAD 


dpsbrauth.xml 






Starter 

ODBCAD 


dpsbrauth.xml 


A dministrator Reference

Disclaimer of Warranties and Limitations of Liabilities 

Disclaimer of Warranties and Limitations of Liabilities 

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express 

or implied, including but not limited to warranties of merchantable quality, merchantability of 

fitness for a particular purpose, or those arising by law, statute, usage of trade or course of 

dealing. The entire risk as to the results and performance of the product is assumed by you. 

Neither we nor our dealers or suppliers shall have any liability to you or any other person or 

entity for any indirect, incidental, special or consequential damages whatsoever, including but 

not limited to loss of revenue or profit, lost or damaged data of other commercial or economic 

loss, even if we have been advised of the possibility of such damages or they are foreseeable; 

or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers 

and suppliers shall not exceed the amount paid by you for the Product. The limitations in this 

section shall apply whether or not the alleged breach or default is a breach of a fundamental 

condition or term, or a fundamental breach. Some states/countries do not allow the exclusion 

or limitation or liability for consequential or incidental damages so the above limitation may 

not apply to you. 

RADIUS Documentation Disclaimer 

The RADIUS documentation featured in this manual is focused on supplying required 

information pertaining to the RADIUS server and its operation in the VACMAN Middleware 

environment. It is recommended that further information be gathered from your NAS/RAS 

vendor for information on the use of RADIUS. 

Copyright 

© 2006 VASCO Data Security Inc. All rights reserved. 

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in 

any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, 

without the prior written permission of VASCO Data Security Inc. 

Trademarks 

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. 

Microsoft and Windows are registered trademarks of Microsoft Corporation. 

All other trademarks are the property of their respective holders. 

© 2006 VASCO Data Security Inc. 2

Digipass Plug-In for SBR Administrator Reference Table of Contents 

Table of Contents 

1 Introduction........................................................................................................ 11 

1.1 Available Guides......................................................................................................... 11 

1.2 System Requirements.................................................................................................11 

1.2.1 Requirements Specific to Active Directory................................................................. 11 

1.2.2 Requirements Specific to ODBC Database................................................................. 12 

1.3 Software Components................................................................................................ 13 

1.3.1 Required Components........................................................................................... 13 

1.3.2 Optional Components............................................................................................ 14 

1.3.3 Extra Utilities....................................................................................................... 15 

2 Active Directory Schema......................................................................................16 

2.1 Schema Extensions.....................................................................................................16 

2.1.1 Added Object Classes............................................................................................ 16 

2.1.2 Added Attributes.................................................................................................. 16 

2.1.3 Added Permission Property Sets.............................................................................. 19 

2.2 Active Directory Auditing............................................................................................20 

2.3 Custom Search Options...............................................................................................21 

2.3.1 Saved Queries...................................................................................................... 21 

2.3.2 Using the Custom Search for Digipass...................................................................... 22 

2.3.3 Using the Custom Search for Users......................................................................... 23 

2.4 Active Directory Replication Issues............................................................................ 25 

2.4.1 Old Data Used After Attribute Modified..................................................................... 25 

2.4.1.1 Single SBR Plug-In using more than one Domain Controller....................................................25 

2.4.1.2 Administrator and SBR Plug-In using different Domain Controllers...........................................26 

2.4.1.3 Multiple SBR Plug-Ins Using Different Domain Controllers.......................................................26 

2.4.1.4 Two Administrators Modifying the Same Attribute................................................................. 26 

2.4.2 Old Data Used Overwrites New Data........................................................................ 27 

2.4.3 Factors Affecting Replication Issues......................................................................... 27 

2.4.4 Solutions and Mitigations....................................................................................... 28 

2.4.4.1 Digipass Cache.................................................................................................................28 

2.4.4.2 Identification Threshold Setting.......................................................................................... 29 

2.4.4.3 Administrator Connection Strategy......................................................................................29 

2.4.4.4 Set a Preferred Server.......................................................................................................30 

2.4.4.5 Use Preferred Server Only Option....................................................................................... 31 

2.5 DPADadmin Utility...................................................................................................... 32 

2.5.1 Extend Active Directory Schema............................................................................. 32 

2.5.2 Set Up Digipass Containers in Domain..................................................................... 34 

2.5.2.1 Prerequisite Information.................................................................................................... 34 

2.5.2.2 Set Up Digipass Configuration Container..............................................................................34 

2.5.2.3 Command Syntax............................................................................................................. 34 

2.5.3 Assign Digipass Permissions to a Group................................................................... 34 

2.5.3.1 Pre-requisites...................................................................................................................34 

2.5.3.2 Command Syntax............................................................................................................. 35 

2.5.4 Upgrade RADIUS Profile Information....................................................................... 35 

2.5.5 Delete all Digipass-Related Data from Active Directory............................................... 36 

2.5.5.1 Run Delete Script on a Domain...........................................................................................36 

3 ODBC Database....................................................................................................38 

3.1 Database Support....................................................................................................... 38 

3.1.1 Unicode Support................................................................................................... 38 



3.2 Embedded Database................................................................................................... 39 

3.2.1 Service Account.................................................................................................... 39 

3.2.2 Database Administration Account............................................................................ 39 

3.2.3 Database Administration........................................................................................ 40 

3.2.3.1 Changing the Digipass User's Password............................................................................... 40 

3.2.4 Connection Limitations.......................................................................................... 40 

3.3 Database Schema....................................................................................................... 41 

3.3.1 vdsControl Table.................................................................................................. 41 

3.3.2 vdsUser Table...................................................................................................... 42 

3.3.3 vdsUserAttr Table................................................................................................. 42 

3.3.4 vdsDigipass Table................................................................................................. 43 

3.3.5 vdsDPApplication Table.......................................................................................... 43 

3.3.6 vdsPolicy Table..................................................................................................... 44 

3.3.7 vdsComponent Table............................................................................................. 45 

3.3.8 vdsBackEnd Table................................................................................................. 45 

3.3.9 vdsDomain Table.................................................................................................. 46 

3.3.10 vdsOrgUnit Table.................................................................................................. 46 

3.4 Encoding and Case-Sensitivity.................................................................................... 47 

3.5 Domains and Organizational Units..............................................................................47 

3.5.1 Domains.............................................................................................................. 48 

3.5.1.1 Master Domain.................................................................................................................48 

3.5.1.2 Identifying the Domain for a Login Attempt..........................................................................49 

3.5.2 Organizational Units.............................................................................................. 50 

3.6 Database User Accounts............................................................................................. 51 

3.6.1 Permissions on the Tables...................................................................................... 51 

3.6.2 Access to Another Schema..................................................................................... 52 

3.6.2.1 Modify vdsControl Table.....................................................................................................52 

3.7 Database Connection Handling................................................................................... 53 

3.7.1 Multiple Data Sources............................................................................................ 53 

3.7.2 Max. Connections................................................................................................. 53 

3.7.3 Connection Wait Time........................................................................................... 54 

3.7.4 Idle Timeout........................................................................................................ 54 

3.7.5 Enable Load Sharing............................................................................................. 54 

3.7.6 Reconnect Intervals.............................................................................................. 54 

3.8 DPDBadmin................................................................................................................ 55 

3.8.1 Modify Database Schema....................................................................................... 55 

3.8.2 Check Database Modifications................................................................................. 57 


3.8.2.2 Check the Database Structure............................................................................................ 57 

3.8.2.3 Command Line Syntax...................................................................................................... 57 

3.8.3 Remove Database Modifications.............................................................................. 58 


3.8.3.2 Modify Database Structure.................................................................................................58 

3.8.3.3 Command Line Syntax...................................................................................................... 58 

3.8.4 Upgrade RADIUS Profiles Information...................................................................... 59 

4 Sensitive Data Encryption....................................................................................60 

4.1.1 Encrypted Data – Active Directory........................................................................... 60 

4.1.2 Encrypted Data – ODBC and Embedded Database..................................................... 60 

4.1.3 Which Encryption Algorithms can be used?............................................................... 60 

4.1.4 Exporting Encryption Settings................................................................................. 60 



5 Set Up Active Directory Permissions....................................................................62 

5.1 Permissions Needed by the SBR Plug-In.....................................................................62 

5.1.1 Giving Permissions to the SBR Plug-In..................................................................... 62 

5.2 Permissions Needed by Administrators...................................................................... 63 

5.2.1 Domain Administrators.......................................................................................... 63 

5.2.2 Delegated Administrators....................................................................................... 63 

5.2.3 Reduced-Rights Administrators............................................................................... 63 

5.2.4 System Administrators.......................................................................................... 64 

5.3 Assign Administration Permissions to a User .............................................................64 

5.4 Multiple Domains........................................................................................................66 

5.4.1 Scenario 1 – Each SBR Plug-In Handles One Domain................................................. 66 

5.4.2 Scenario 2 – One SBR Plug-In Handles All Domains................................................... 67 

5.4.3 Scenario 3 - Combination....................................................................................... 67 

6 Backup and Recovery.......................................................................................... 68 

6.1 What Must be Backed Up............................................................................................ 68 

6.1.1 Configuration files................................................................................................. 69 

6.1.2 Web Sites............................................................................................................ 69 

6.1.3 Audit Log Data..................................................................................................... 69 

6.1.3.1 Write to Text File..............................................................................................................69 

6.1.3.2 Write to ODBC Database....................................................................................................70 

6.1.3.3 Write to Windows Event Log...............................................................................................70 

6.1.4 DPX files............................................................................................................. 70 

6.1.5 Active Directory.................................................................................................... 70 

6.1.5.1 Cold Backup.....................................................................................................................70 

6.1.6 ODBC and Embedded Database.............................................................................. 71 

6.1.6.1 Data Source Settings........................................................................................................ 71 

6.1.6.2 Backup Strategies.............................................................................................................71 

6.1.6.3 Backup of Embedded Database...........................................................................................72 

6.2 Recovery.................................................................................................................... 73 

6.2.1 Active Directory.................................................................................................... 73 

6.2.2 ODBC or Embedded Database................................................................................ 74 

6.2.2.1 Rebuild SBR Plug-In, Database Undamaged......................................................................... 74 

6.2.2.2 Restore Database, SBR Plug-In Undamaged......................................................................... 75 

6.2.2.3 Rebuild SBR Plug-In, Restore Database............................................................................... 76 

6.2.2.4 Copy Database from Other SBR Plug-In...............................................................................78 

6.2.2.5 Rebuild SBR Plug-In, Copy Database................................................................................... 80 

7 Field Listings....................................................................................................... 82 

7.1 User Property Sheet................................................................................................... 82 

7.2 User Authorization Profiles/Attributes Window..........................................................84 

7.3 Digipass Property Sheet............................................................................................. 85 

7.4 Digipass Application Tab.............................................................................................86 

7.5 Policy Property Sheet................................................................................................. 87 

7.6 Component Property Sheet.........................................................................................94 

7.7 Domain Property Sheet...............................................................................................95 

7.8 Organizational Unit Property Sheet............................................................................ 95 

7.9 Data Changes Requiring a Restart.............................................................................. 96 

7.9.1 Changes to the Data Store..................................................................................... 96 

7.9.1.1 ODBC or Embedded Database............................................................................................ 96 

7.9.1.2 Active Directory................................................................................................................96 



7.9.1.3 Automatic Re-Loading of Cached Data................................................................................. 97 

7.9.1.4 Cached Data List.............................................................................................................. 97 

7.9.2 Changes to Configuration Settings.......................................................................... 97 

8 Licensing............................................................................................................. 98 

8.1 How is Licensing Handled?......................................................................................... 98 

8.2 Licensing Parameters................................................................................................. 98 

8.2.1 Sample License File............................................................................................... 98 

8.3 View License Information........................................................................................... 99 

8.4 Obtain and Load a License Key................................................................................... 99 

8.5 Change IP Address................................................................................................... 101 

9 Web Sites.......................................................................................................... 102 

9.1 Customizing the Web Sites....................................................................................... 102 

9.2 Setup Required in SBR Plug-In and SBR................................................................... 102 

9.2.1 SBR Plug-In....................................................................................................... 102 

9.2.2 Steel-Belted RADIUS........................................................................................... 102 

9.3 CGI Program.............................................................................................................102 

9.3.1 Configuration Settings......................................................................................... 103 

9.4 Form Fields...............................................................................................................104 

9.4.1 User Self Management Web Site........................................................................... 104 

9.4.1.1 Registration – Main Pages................................................................................................ 104 

9.4.1.2 Registration – Challenge Page.......................................................................................... 106 

9.4.1.3 PIN Change....................................................................................................................107 

9.4.1.4 Login Test – Main Page.................................................................................................... 108 

9.4.1.5 Login Test – Challenge Page.............................................................................................109 

9.4.2 OTP Request Site................................................................................................ 109 

9.4.2.1 Request Page................................................................................................................. 109 

9.5 Query String Variables..............................................................................................110 

9.5.1 Failure/Error Handling......................................................................................... 110 

9.5.2 Query String Variable List.................................................................................... 111 

9.5.3 Return Code Listing............................................................................................. 112 

9.5.3.1 API Return Codes............................................................................................................112 

9.5.3.2 CGI Errors..................................................................................................................... 112 

9.5.3.3 Internal Errors................................................................................................................113 

10 Login Options.................................................................................................... 114 

10.1 Login Permutations.................................................................................................. 114 

10.1.1 Response Only – PAP........................................................................................... 115 

10.1.2 Response Only – CHAP/MS-CHAP.......................................................................... 116 

10.1.3 Challenge/Response............................................................................................ 117 

10.1.4 Virtual Digipass.................................................................................................. 118 

11 Configuration Settings.......................................................................................119 

11.1 SBR Plug-In.............................................................................................................. 119 

11.1.1 RADIUS Attributes.............................................................................................. 119 

11.1.2 Set Component Location...................................................................................... 120 

11.1.3 Configure for Unknown Users................................................................................ 120 

11.1.4 Library Path and Type.......................................................................................... 120 

11.1.5 Turn Tracing On or Off......................................................................................... 120 

11.1.6 Active Directory Connection.................................................................................. 122 



11.1.6.1 Configuration Domain......................................................................................................122 

11.1.6.2 Domains List.................................................................................................................. 122 

11.1.7 ODBC Connection............................................................................................... 124 

11.1.7.1 Connect to an ODBC Database..........................................................................................124 

11.1.7.2 Connection Settings........................................................................................................ 124 

11.1.7.3 User ID and Domain Conversion....................................................................................... 125 

11.1.7.4 Master Domain............................................................................................................... 126 

11.1.7.5 Domains and Organizational Units.....................................................................................126 

11.1.8 Auditing............................................................................................................ 127 

11.1.9 Data Encryption.................................................................................................. 128 

11.1.10 Configuration File................................................................................................ 129 

11.2 MDC.......................................................................................................................... 132 

11.2.1 Required Information.......................................................................................... 132 

11.2.2 MDC Configuration GUI........................................................................................ 132 

11.2.2.1 Modify Gateway Account Login Details............................................................................... 132 

11.2.2.2 Configure Internet Connection Details................................................................................132 

11.2.2.3 Configure Tracing............................................................................................................133 

11.2.2.4 Import HTTP Gateway settings..........................................................................................134 

11.2.2.5 Edit Advanced Settings.................................................................................................... 134 

11.2.2.6 Export HTTP Gateway settings.......................................................................................... 134 

11.2.2.7 Gateway Result Pages..................................................................................................... 135 

11.2.3 MDC Configuration File........................................................................................ 138 

11.2.4 Configuration Settings......................................................................................... 139 

11.3 CGI........................................................................................................................... 140 

11.4 Digipass TCL Command Line Utility...........................................................................140 

12 Auditing.............................................................................................................141 

12.1 Text File................................................................................................................... 141 

12.1.1 Text File Name Variables...................................................................................... 141 

12.1.2 Configure Auditing to Text File.............................................................................. 141 

12.2 Windows Event Log.................................................................................................. 143 

12.3 ODBC Audit Message Database................................................................................. 144 

12.3.1 Set up ODBC Database........................................................................................ 144 

12.3.1.1 Create database............................................................................................................. 144 

12.3.1.2 Create database schema..................................................................................................144 

12.3.1.3 Create Database Account(s)............................................................................................. 145 

12.3.1.4 Create DSN on SBR Plug-In machine................................................................................. 145 

12.3.1.5 Create DSN on Audit Viewer machine................................................................................ 145 

12.3.2 Configure SBR Plug-In......................................................................................... 145 

12.3.3 Configure Audit Viewer........................................................................................ 146 

13 Tracing.............................................................................................................. 147 

13.1 Trace Message Types................................................................................................ 147 

13.2 Tracing Levels.......................................................................................................... 147 

13.3 Trace Message Contents........................................................................................... 148 

14 Digipass TCL Command-Line Administration......................................................149 

14.1 Introduction............................................................................................................. 149 

14.1.1 Knowledge Requirements..................................................................................... 149 

14.1.2 Data Store Connection......................................................................................... 150 

14.2 Using DPADMINCMD – Basics................................................................................... 151 

14.2.1 Using an Interactive TCL Command Prompt............................................................ 151 

14.2.2 Running a Script................................................................................................. 152 



14.2.3 Help.................................................................................................................. 153 

14.2.4 Command Parameters......................................................................................... 153 

14.2.5 Result Output..................................................................................................... 153 

14.2.6 Error Handling.................................................................................................... 154 

14.2.7 International Characters...................................................................................... 154 

14.2.8 Syntax Notes..................................................................................................... 154 

14.2.9 Sample Scripts................................................................................................... 155 

14.3 Configuration File..................................................................................................... 157 

14.3.1 Sample Configuration File.................................................................................... 157 

15 How to troubleshoot..........................................................................................158 

15.1 View Audit Information............................................................................................ 158 

15.1.1 Windows Event Log............................................................................................. 158 

15.1.2 Text file ............................................................................................................ 158 

15.1.3 ODBC Database.................................................................................................. 158 

15.2 Tracing..................................................................................................................... 159 

15.2.1 SBR Plug-In....................................................................................................... 159 

15.2.2 Web Sites.......................................................................................................... 159 

15.2.2.1 Enable Tracing................................................................................................................159 

15.2.2.2 Trace File Permissions..................................................................................................... 159 

15.2.3 Message Delivery Component............................................................................... 162 

15.2.3.1 Enable Tracing................................................................................................................162 

15.3 Installation Check.................................................................................................... 162 

15.3.1 Installation Log File............................................................................................. 162 

15.3.2 Registry Entries.................................................................................................. 162 

15.3.3 Check Permissions.............................................................................................. 164 

15.3.4 SBR Plug-In Registered in Active Directory Domain.................................................. 164 

15.3.5 Default Policy and Component Created................................................................... 164 

16 Audit Messages..................................................................................................166 

16.1 Audit Message Listing...............................................................................................166 

16.2 Audit Message Fields................................................................................................ 175 

17 Error and Status Codes......................................................................................177 

17.1 Error Code Listing..................................................................................................... 177 

17.2 Status Code Listing...................................................................................................181 

18 Technical Support..............................................................................................185 

18.1 Support Contact Information.................................................................................... 185 



Index of Tables 

Table 1: Custom Active Directory Object Classes...............................................................................................16 

Table 2: Custom Active Directory Object Attributes............................................................................................16 

Table 3: Custom Active Directory Permission Property Sets................................................................................ 19 

Table 4: Saved Queries in Active Directory Users and Computers........................................................................ 21 

Table 5: Custom Active Directory Search criteria - Digipass................................................................................ 22 

Table 6: Custom Active Directory Search criteria - Users.................................................................................... 24 

Table 7: DPADadmin addschema Command Line Options................................................................................... 33 

Table 8: DPADadmin setupdomain Command Line Options................................................................................. 34 

Table 9: DPADadmin setupaccess Command Line Options.................................................................................. 35 

Table 10: DPADadmin upgradeprofiles Command Line Options............................................................................36 

Table 11: ODBC Database Tables.................................................................................................................... 41 

Table 12: vdsControl Table.............................................................................................................................41 

Table 13: vdsUser Table................................................................................................................................ 42 

Table 14: vdsUserAttr Table........................................................................................................................... 42 

Table 15: vdsDigipass Table........................................................................................................................... 43 

Table 16: vdsDPApplication Table....................................................................................................................43 

Table 17: vdsPolicy Table...............................................................................................................................44 

Table 18: vdsComponent Table.......................................................................................................................45 

Table 19: vdsBackEnd Table...........................................................................................................................45 

Table 20: vdsDomain Table............................................................................................................................ 46 

Table 21: vdsOrgUnit Table............................................................................................................................ 46 

Table 22: Table Permissions Required..............................................................................................................51 

Table 23: Table Names in vdsControl...............................................................................................................52 

Table 24: DPDBadmin addschema Command Line Options..................................................................................55 

Table 25: DPDBadmin checkschema Command Line Options...............................................................................57 

Table 26: DPDBadmin dropschema Command Line Options................................................................................ 58 

Table 27: DPDBadmin upgradeprofiles Command Line Options............................................................................59 

Table 28: Encrypted Data Attributes – Active Directory...................................................................................... 60 

Table 29: Encrypted Data Attributes – ODBC and Embedded Database.................................................................60 

Table 30: User Fields.....................................................................................................................................82 

Table 31: User Fields.....................................................................................................................................84 

Table 32: Digipass Fields................................................................................................................................85 

Table 33: Digipass Application Fields............................................................................................................... 86 

Table 34: Policy Fields................................................................................................................................... 87 

Table 35: Component Fields........................................................................................................................... 94 

Table 36: Domain Fields................................................................................................................................ 95 

Table 37: Organizational Unit Fields.................................................................................................................95 

Table 38: License Parameters for Digipass Plug-In for SBR................................................................................. 98 

Table 39: Configuration Settings for CGI Program............................................................................................103 

Table 40: Form Fields for Main Registration Page.............................................................................................104 

Table 41: Form Fields for Registration Challenge Page......................................................................................106 

Table 42: Form Fields for Server PIN Change Page.......................................................................................... 107 



Table 43: Form Fields for Main Login Test Page............................................................................................... 108 

Table 44: Form Fields for Login Test Challenge Page........................................................................................ 109 

Table 45: Form Fields for OTP Request Page................................................................................................... 109 

Table 46: Query String Variable List...............................................................................................................111 

Table 47: API Return Codes..........................................................................................................................112 

Table 48: CGI Error Return Codes................................................................................................................. 112 

Table 49: Internal Error Codes......................................................................................................................113 

Table 50: Login Permutations - Response Only PAP (1).................................................................................... 115 

Table 51: Login Permutations - Response Only PAP (2).................................................................................... 116 

Table 52: Login Permutations - Response Only CHAP....................................................................................... 116 

Table 53: Login Permutations – Challenge/Response........................................................................................117 

Table 54: Login Permutations – Virtual Digipass.............................................................................................. 118 

Table 55: MDC Audit Message Variables......................................................................................................... 137 

Table 56: Message Delivery Component Configuration Settings......................................................................... 139 

Table 57: Audit Text File Name/Path Variables................................................................................................ 141 

Table 58: Required Audit Database Tables......................................................................................................144 

Table 59: vdsAuditMessage Required Fields.................................................................................................... 144 

Table 60: vdsAuditMsgField Required Fields.................................................................................................... 145 

Table 61: Tracing Message Types.................................................................................................................. 147 

Table 62: Tracing Message Levels..................................................................................................................148 

Table 63: Tracing Message Contents..............................................................................................................148 

Table 64: DPADMINCMD Help Commands.......................................................................................................153 

Table 65: Registry Entries............................................................................................................................ 162 

Table 66: Permissions Required.....................................................................................................................164 

Table 67: Audit Messages List.......................................................................................................................166 

Table 68: Audit Messages Fields....................................................................................................................175 

Table 69: Error Code List..............................................................................................................................177 

Table 70: Status Code List............................................................................................................................181 


Digipass Plug-In for SBR Administrator Reference Introduction 

1 Introduction 

1.1 Available Guides 

The following guides are available: 

Product Guide 

The Product Guide will introduce you to the features and concepts of Digipass Plug-In for SBR 

and the various options you have for using it. 

Installation Guide 

Use this guide when planning and working through an installation of Digipass Plug-In for SBR. 

Getting Started 

To get you up and running quickly with a simple installation and setup of Digipass Plug-In for 

SBR. 

Administrator Reference 

In-depth information required for administration of Digipass Plug-In for SBR. This includes 

references such as data attribute lists, backup and recovery and utility commands. 

Data Migration Tool Guide 

Takes you through a data migration from one VASCO product to another, using the VASCO 

Data Migration Tool. 

Help Files 

Context-sensitive help accompanies the administration interfaces. 

1.2 System Requirements 

Operating System 

Windows Server 2003 (32-bit version only) with Service Pack 1 or above, or 

Windows XP Professional (32-bit version only) with Service Pack 2 or above, or 

Windows 2000 with Service Pack 4 or above 

Language 

Digipass Plug-In for SBR is designed to function on any language version of Windows. 

However, the product has only been comprehensively tested on English language 

versions of Windows. 

1.2.1 Requirements Specific to Active Directory 

Digipass Extension for Active Directory Users and Computers 

Active Directory Users and Computers Snap-In 



Active Directory set up for SSL 

In the following cases, SSL must be available for Digipass Plug-In for SBR components to 

connect to Active Directory: 

SBR Plug-In not installed on a Domain Controller. 

Administration Interfaces not installed on a Domain Controller. 

SBR Plug-In and/or Administration Interface(s) on a Domain Controller, but accessing 

data in another domain. 

An Enterprise Certificate Authority must be installed in the forest to enable SSL. Windows 

Certificate Services is available as an optional Windows component. 

However, if you do not wish to install a CA, you can select during installation not to use SSL. 

1.2.2 Requirements Specific to ODBC Database 

Digipass Plug-In for SBR will support most modern ODBC-compliant relational, transactional 

databases. It has been tested on the following databases: 

Oracle 9i 

Microsoft SQL Server 2000 

Microsoft SQL Server 2005 

DB2 8.1 

Sybase Adaptive Server Anywhere 9.0 

PostgreSQL 8.1.3 



1.3 Software Components 

Digipass Plug-In for SBR consists of various components, some necessary and some optional. 

The diagram below shows an overview of the components, and how they interact. 

Image 1: Digipass Plug-In for SBR Components 

1.3.1 Required Components 


This is a Plug-In for SBR that performs the authentication processing. It can receive 

authentication requests from SBR and return an Access-Accept (with attributes if available) or 

Access-Reject. 



Data Store 

All information required by Digipass Plug-In for SBR is stored in Active Directory or an ODBCcompliant 

database. An embedded PostgreSQL database option is provided with Digipass Plug- 

In for SBR. The data store to be used is selected during installation. 

Administration MMC Interface 

This interface is used in slightly different ways, depending on the data store used by Digipass 

Plug-In for SBR. 

Active Directory 

If Active Directory is used as the data store, the Administration MMC Interface will be used for 

administration of Policy, Component and Back-End Server records. 

ODBC Database (including embedded database) 

If an ODBC database is used as the data store, the Administration MMC Interface will be used 

for administration of all VASCO data. 

Regardless of the data store used, administration is carried out by direct connection to the 

data store. 

Active Directory Users and Computers Extension 

A VASCO Extension to the Active Directory Users and Computers interface allows 

administration of additional User settings and Digipass records integrated with standard Active 

Directory User administration. This is only available when Active Directory is used as the data 

store for Digipass Plug-In for SBR. 

Audit System 

The SBR Plug-In provides a comprehensive audit trail of significant processing events such as 

successful and failed authentication attempts. The audit messages can be written to text files, 

the Windows Event Log and/or an ODBC-compliant database. 

1.3.2 Optional Components 

Audit Viewer 

The Audit Viewer is a Windows application that can display and filter audit messages from the 

SBR Plug-In. It can read the data from text files and ODBC databases, or receive a live feed 

from the SBR Plug-In. 

Virtual Digipass 

The VASCO components used for Virtual Digipass are: 

Message Delivery Component 

This is a Service that is responsible for delivering One Time Passwords through a text message 

HTTP gateway to a User’s mobile phone. 



OTP Request Site 

This is a miniature web site that allows a User to request a Virtual Digipass OTP to be sent to 

their mobile phone. 

User Self Management Web Site 

This is a miniature web site that allows Users to make appropriate changes to their own 

Digipass settings, such as PIN changes. This is used in a RADIUS environment, when the 

normal authentication requests are made using a CHAP-based protocol and therefore PIN 

changes and other 'self-management' features are not possible. 

Digipass TCL Command-Line Administration 

Administration may also be carried out using Digipass TCL Command-Line Administration 

Utility, which allows interactive command-line and scripted administration of Digipass Plug-In 

for SBR data. 

1.3.3 Extra Utilities 

These extra utilities may be used with Digipass Plug-In for SBR, but require separate 

installations. 

Data Migration Tool 

The VASCO Data Migration Tool is a general-purpose utility that allows you to migrate your 

data from one VASCO product to another. 

RADIUS Client Simulator 

The RADIUS Client Simulator is a program that simulates RADIUS Authentication and 

Accounting processing in a similar fashion to 'real' RADIUS clients. The RADIUS Client 

Simulator can be used to test Digipass authentication or to estimate performance. 


Digipass Plug-In for SBR Administrator Reference Active Directory Schema 

2 Active Directory Schema 

2.1 Schema Extensions 

The following tables document the changes required by Digipass Plug-In for SBR to the Active 

Directory schema when AD is used as the data store. 

2.1.1 Added Object Classes 

Table 1: Custom Active Directory Object Classes 

Attribute Type Location Explanation 

vasco-UserExt Aux. 

Class 

vasco-DPToken Class Unassigned – Optional 

User record Extra VASCO attributes are added to an Active Directory 

User record via an 'auxiliary class' vasco-UserExt on the 

User class. 

Assigned – with User 

record 

The vasco-DPToken class is used to store Digipass 

attributes. It is also a container, in which vasco- 

DPApplication records for that Digipass are stored. 

Upon assignment to a User, the Digipass record is stored 

in the same location as the User. 

vasco-DPApplication Class Within Digipass record This class is used to store Digipass Application attributes, 

such as Server PIN and expected OTP length. 

vasco-Policy Class Digipass Configuration 

Container 

vasco-Component Class Digipass Configuration 

Container 

vasco-BackEndServer Class Digipass Configuration 

Container 

2.1.2 Added Attributes 

Table 2: Custom Active Directory Object Attributes 

Name Class 

vasco-SerialNumber vasco-DPToken 

vasco-TokenType vasco-DPToken 

vasco-ApplicationNames vasco-DPToken 

vasco-ApplicationTypes vasco-DPToken 

vasco-LinkVascoDigipassToUserExt vasco-DPToken 

vasco-TokenAssignedDate vasco-DPToken 

vasco-GracePeriod vasco-DPToken 

vasco-EnableBVDP vasco-DPToken 

vasco-BVDPExpiryDate vasco-DPToken 

vasco-BVDPUsesLeft vasco-DPToken 

vasco-DirectAssignOnly vasco-DPToken 

vasco-AdditionalAttribute vasco-DPToken 

vasco-SerialNumber vasco-DPApplication 

vasco-ApplicationName vasco-DPApplication 

vasco-ApplicationNumber vasco-DPApplication 

Policy attributes. Attributes will commonly be shared via 

inheritance. 

Component attributes include the License Key for SBR 

Plug-In Components. 

Information required for connection to back-end servers. 



Name Class 

vasco-ApplicationType vasco-DPApplication 

vasco-DPBlob vasco-DPApplication 

vasco-Active vasco-DPApplication 

vasco-LinkUserExtToVascoDigipass vasco-UserExt 

vasco-LinkUserExtToUser vasco-UserExt 

vasco-StaticPassword vasco-UserExt 

vasco-LocalAuth vasco-UserExt 

vasco-BackEndServerAuth vasco-UserExt 

vasco-Disable vasco-UserExt 

vasco-Profile Vasco-UserExt 

vasco-CreateTime Vasco-UserExt 

vasco-ModifyTime Vasco-UserExt 

vasco-ID vasco-BackEndServer 

vasco-Protocol vasco-BackEndServer 

vasco-Domain vasco-BackEndServer 

vasco-Priority vasco-BackEndServer 

vasco-Retries vasco-BackEndServer 

vasco-AcctIPAddress vasco-BackEndServer 

vasco-AcctPort vasco-BackEndServer 

vasco-AdditionalAttribute vasco-BackEndServer 

vasco-AuthIPAddress vasco-BackEndServer 

vasco-SharedSecret vasco-BackEndServer 

vasco-Timeout vasco-BackEndServer 

Version-Number vasco-BackEndServer 

vasco-ID vasco-Component 

vasco-Location vasco-Component 

vasco-LinkComponentToPolicy vasco-Component 

vasco-Protocol vasco-Component 

vasco-ComponentType vasco-Component 

vasco-PublicKey vasco-Component 

vasco-AdditionalAttribute vasco-Component 

vasco-SharedSecret vasco-Component 

vasco-TCPPort vasco-Component 

Version-Number vasco-Component 

vasco-AdditionalAttribute vasco-Policy 

vasco-AllowedApplType vasco-Policy 

vasco-AllowedDPTypes vasco-Policy 

vasco-ApplicationNames vasco-Policy 

vasco-AssignmentMode vasco-Policy 

vasco-AssignSearchUpOUPath vasco-Policy 

vasco-Autolearn vasco-Policy 

vasco-BackEndAuth vasco-Policy 



Name Class 

vasco-BackupVDPRequestKeyword vasco-Policy 

vasco-BackupVDPRequestMethod vasco-Policy 

vasco-BVDPMaximumDays vasco-Policy 

vasco-BVDPMaximumUses vasco-Policy 

vasco-ChallengeRequestKeyword vasco-Policy 

vasco-ChallengeRequestMethod vasco-Policy 

vasco-CheckChallenge vasco-Policy 

vasco-ChkInactDays vasco-Policy 

vasco-Description vasco-Policy 

vasco-Domain vasco-Policy 

vasco-DUR vasco-Policy 

vasco-EnableBVDP vasco-Policy 

vasco-EventWindow vasco-Policy 

vasco-GracePeriod vasco-Policy 

vasco-GroupCheckMode vasco-Policy 

vasco-GroupList vasco-Policy 

vasco-ID vasco-Policy 

vasco-IThreshold vasco-Policy 

vasco-ITimeWindow vasco-Policy 

vasco-LinkPolicyToChildPolicy vasco-Policy 

vasco-LinkPolicyToComponent vasco-Policy 

vasco-LinkPolicyToParentPolicy vasco-Policy 

vasco-LocalAuth vasco-Policy 

vasco-OneStepChalCheckDigit vasco-Policy 

vasco-OneStepChalLength vasco-Policy 

vasco-OneStepChalResp vasco-Policy 

vasco-OnLineSG vasco-Policy 

vasco-PINChangeAllowed vasco-Policy 

vasco-PrimaryVDPRequestKeyword vasco-Policy 

vasco-PrimaryVDPRequestMethod vasco-Policy 

vasco-Protocol vasco-Policy 

vasco-SelfAssignSeparator vasco-Policy 

vasco-SThreshold vasco-Policy 

vasco-STimeWindow vasco-Policy 

vasco-StoredPasswordProxy vasco-Policy 

vasco-SyncWindow vasco-Policy 

Version-Number vasco-Policy 



2.1.3 Added Permission Property Sets 

Property sets have been created for typical groups of permissions required for administration 

tasks. 

Table 3: Custom Active Directory Permission Property Sets 

Property Set Applicable 

Object 

Actions Allowed 

Digipass Assignment Link Digipass Assign and unassign Digipass for Digipass User accounts. 

Digipass Application Data Digipass 

Application 

Digipass record functions. 

Digipass User Account Information User Modify Digipass User information. 

Digipass User Account to User Link User Link and unlink Digipass Users. This is also required when 

assigning Digipass to linked Digipass User records. 

Digipass User Account Stored Password User Read and modify the stored password for a Digipass User. 



2.2 Active Directory Auditing 

Active Directory auditing may be configured to record access and modifications to custom 

objects used by the Digipass Plug-In for SBR. If you currently have default auditing enabled, it 

might include already include actions on custom objects. See these Microsoft articles for 

information on turning on and configuring auditing: 

Windows 2000 

http://support.microsoft.com/?kbid=314955 

Windows 2003 

http://support.microsoft.com/?kbid=814595 

The basic process you will need to follow is: 

1. Select a scope for the the auditing (eg. Domain Root). 

2. Select a Windows User or Windows Group (eg. Everyone or Domain Administrators) 

3. Select the object classes to audit (eg. Digipass objects) – if required 

4. Select the permissions which should be audited (eg. Read, Write, Delete, Create) 

What Should I Audit? 

This will depend on what you need to audit. For example, if you wanted to record all Digipass 

assignments in the domain, you might set up auditing in the Domain Root for Everyone, with 

the Digipass Assignment Link property set. 

See the 2.1 Schema Extensions topic for more information on custom objects and 

permission property sets created for the Digipass Plug-In for SBR. 



2.3 Custom Search Options 

The Digipass Extension adds functionality to the Active Directory Users and Computers snap-in 

which allows searching for specific Digipass and Digipass User records throughout a domain, or 

within the limits of a delegated administrator's permissions. This functionality is especially 

useful where unassigned Digipass have been allocated to various Organizational Units. 

2.3.1 Saved Queries 

On Windows Server 2003 and Windows XP, the Microsoft Management Console (MMC) 

framework supports Saved Queries. 

Note 

The Saved Queries feature is not supported by the MMC on Windows 2000. 

No Saved Queries are provided by the Digipass Plug-In for SBR installation 

program on Windows 2000. 

On Windows Server 2003 and Windows XP, a number of Saved Queries are installed 

automatically into the saved MMC console file that is opened using the Start -> Programs -> 

VASCO -> Digipass Plug-In for SBR -> Active Directory Users and Computers shortcut. 

In addition, several Query Definition Files are installed in the \Queries folder. These can be imported into your existing Active Directory Users and 

Computers console by right-clicking on the Saved Queries folder and selecting Import 

Query Definition.... 

The Saved Queries provided by the installation are designed to provide several common 

queries that may be useful, as listed below. They can be edited, copied or deleted as required. 

If you have made a mistake modifying one and wish to start again, you can reload the query 

by deleting it and importing it from the Query Definition File. 

Table 4: Saved Queries in Active Directory Users and Computers 

Query Name Description Query Definition File 

Users with Digipass All Users in the Domain who have one or more 

Digipass assigned directly. 

Users without Digipass All Users in the Domain who have no Digipass 

assigned, directly or via a Linked User. 

Users with a DP User 

Account 

Users without a DP User 

Account 

All Users in the Domain who have a Digipass User 

Account. 

All Users in the Domain who do not have a Digipass 

User Account. 

users-with-dp.xml 

users-without-dp.xml 

users-with-dp-useraccount.xml 

users-without-dp-useraccount.xml 

Assigned Digipass All Digipass in the Domain that are assigned. assigned-dp.xml 

Unassigned Digipass All Digipass in the Domain that are currently 

unassigned, excluding any Reserved Digipass. 

Locked DP User Accounts All Users in the Domain whose Digipass User Account 

is Locked. 

unassigned-dp.xml 

locked-dp-user-accounts.xml 



2.3.2 Using the Custom Search for Digipass 

To perform a search for Digipass: 

1. Right-click on the Organizational Unit in which to search, or the domain root. 

2. Click on Find... 

3. Select the Digipass object type from the Find: drop down list. 

4. Use the Digipass tab to specify the search criteria. Almost all the Digipass search 

criteria can be set using the form on this tab. 

5. If you are searching on any criteria that do not appear on the Digipass tab, use the 

Advanced tab: 

a. Click on the Advanced tab. 

b. Click on Field and select the required attribute from the list. 

c. Enter the search Condition and Value, then click Add. 

d. Repeat with additional Fields. 

6. Click Find Now to execute the search. Multiple criteria are applied using the logical 

AND – all criteria must be met for a Digipass to be found. 

The available criteria are listed in the following table: 

Table 5: Custom Active Directory Search criteria - Digipass 

Tab Field Name Usage 

Digipass Serial Number Exact Serial Number (as seen in Digipass properties); 

Serial Number with wildcard*; 

First Serial Number in range, when used with To field. 

(Serial Number) To Last Serial Number in range. 

Digipass Type Digipass Type, eg. DP300. Wildcard* allowed. 

Application Name Application Name, eg. GO3DEFAULT. Wildcard* allowed. 

This will find Digipass that have an Active application of the 

specified name**. 

Application Type Application Type: Response Only, Challenge/Response. 


specified type**. 

Digipass Assignment Assignment status: Assigned, Unassigned. 

Reserved Reserved status: Reserved, Not Reserved. 

Advanced Application Name Conditions: Starts with, Ends with, Is (Exactly), Is Not. 

Values: Application Name (complete or partial) 


specified Application Name criteria**. 

Application Type Conditions: Is (Exactly), Is Not. 

Values: RO (Response Only), CR (Challenge/Response), SG 

(Signature). 


specified Application Type criteria**. 

Backup Virtual Digipass Enabled Conditions: Less than or equal to, Greater than or equal to, Is 

(Exactly), Is Not, Not Present. 

Values: 0 (Default), 1 (No), 2 (Yes - Permitted), 3 (Yes - 

Required), 4 (Yes – Time Limited). 

Note that Digipass with 'Default' for this setting may either have 0 



Tab Field Name Usage 

for this attribute or may not have the attribute present. 

Digipass Type Conditions: Starts with, Ends with, Is (Exactly), Is Not. 

Values: Digipass Type (complete or partial) 

Reserved Conditions: Is (Exactly), Is Not. 

Values: 0 (No), 1 (Yes). 

This attribute is always present. 

Serial Number Conditions: Starts with, Ends with, Is (Exactly), Is Not. 

Values: Serial Number, as seen in Digipass properties (complete or 

partial) 

User Assignment Link Conditions: Present, Not Present. 

Values: N/A. 

If this attribute is present, the Digipass is assigned; if not present, 

the Digipass is unassigned. 

* Search criteria on Digipass Application attributes ignore Inactive Digipass Applications. 

** For a wildcard, the * character is used. 

Example 

A search for Digipass records run with only the following text entered into the Serial Number 

field, would return these results: 

0097 No records returned 

0097* All Digipass with serial number starting with 0097 

0097987654 Digipass with serial number 0097987654 only 

*76 All Digipass with serial number ending in 76 

2.3.3 Using the Custom Search for Users 

To perform a search for Users: 

1. Right-click on the Organizational Unit in which to search, or the domain root. 

2. Click on Find... 

3. Select the Users, Contacts, and Groups object type from the Find: drop down list. 

4. If you have search criteria that are not related to Digipass, specify them as usual. 

5. To specify Digipass related search criteria, use the Advanced tab: 

a. Click on the Advanced tab. 

b. Click on Field, select the User submenu and select the required attribute from the 

list. 

c. Enter the search Condition and Value, then click Add. 

d. Repeat with additional Fields. 

6. Click Find Now to execute the search. Multiple criteria are applied using the logical 

AND – all criteria must be met for a User to be found. 

The available criteria are listed in the following table: 



Table 6: Custom Active Directory Search criteria - Users 

Field Name Usage 

Digipass Assignment Link Conditions: Present, Not Present. 

Values: N/A. 

If this attribute is present, a Digipass is assigned to the User; if 

not present, no Digipass is assigned. 

Digipass Back-End Authentication Conditions: Less than or equal to, Greater than or equal to, Is 


Values: 0 (Default), 1 (None), 2 (If Needed), 3 (Always). 

Note that Users with 'Default' for this setting may either have 0 for 

this attribute or may not have the attribute present. 

Digipass Local Authentication Conditions: Less than or equal to, Greater than or equal to, Is 


Values: 0 (Default), 1 (None), 2 (Digipass/Password), 3 (Digipass 

Only). 

Note that Users with 'Default' for this setting may either have 0 for 

this attribute or may not have the attribute present. 

Digipass User Account Create Time Conditions: Less than or equal to, Greater than or equal to, Is 

(Exactly), Is Not, Present, Not Present. 

Values: Number of seconds since 1 st Jan 1970 00:00:00 that the 

Digipass User account was created. 

If this attribute is present, the User has a Digipass User account; if 

not present, the User does not. 

Digipass User Account Disabled Conditions: Is (Exactly), Is Not, Not Present. 


If this attribute is not present, the account is not disabled*. 

Digipass User Account Lock Count Conditions: Less than or equal to, Greater than or equal to, Is 


Values: current count of failed logins since last successful login. 

If this attribute is not present, it is treated as 0. 

Digipass User Account Locked Conditions: Is (Exactly), Is Not, Not Present. 


If this attribute is not present, the account is not locked*. 

Digipass User Account Modify Time Conditions: Less than or equal to, Greater than or equal to, Is 

(Exactly), Is Not, Present, Not Present. 

Values: Number of seconds since 1 st Jan 1970 00:00:00 that the 

Digipass User account was last modified. 

Digipass User Account Password This field does not have practical value as a search field, but is 

listed by Active Directory anyway. 

Digipass User Attributes This field is not currently used. 

Digipass User to User Link Conditions: Present, Not Present. 

Values: N/A. 

If this attribute is present, The Digipass User account is linked to 

another Digipass User account; if not present, there is no link. 

* If you specify Is Not 1, the results will include Users who do not have the attribute set, in 

addition to those who have the attribute set to 0. 

Example 

A search for Digipass User accounts where the Local Authentication setting has a value other 

than Default would use the following criteria: 

Digipass Local Authentication Greater than or equal to 1 



2.4 Active Directory Replication Issues 

Active Directory replication is not instantaneous. Intra-site replication is usually quite fast, 

especially under Windows Server 2003, but changes on one Domain Controller may still take 

several minutes to be replicated to other Domain Controllers. Inter-site replication may be 

quite slow – an hour or more between replications is common. 

Replication occurs when more than one Domain Controller exists in a domain. 

2.4.1 Old Data Used After Attribute Modified 

The time period between replications becomes a problem where information is changed on one 

Domain Controller (for example, a Digipass User's Server PIN is reset), but old information is 

used on another Domain Controller before the changed information has been replicated to it. 

There are a few scenarios where this may occur. These are listed below: 

2.4.1.1 Single SBR Plug-In using more than one Domain Controller 

A single SBR Plug-In may make a change to a record, have to switch to another Domain 

Controller, and read the same record – where the change has not yet been applied. 

Example 

A User logs in with an OTP, and the SBR Plug-In connects to DC-01 to retrieve and update 

the Digipass data. The connection to the DC-01 fails soon after login, before replication has 

occurred. The User needs to log in again, and the SBR Plug-In connects to DC-02 this time. 

The User can log in using the same OTP as the last login – the login should fail (OTP replay) 

but instead succeeds, because DC-02 does not yet know that the OTP has been previously 

used. 

Time DC-01 DC-02 

8:32 Replication occurs 

8:34 User logs in with OTP 10457920. 

The SBR Plug-In records the use of the OTP 

in the Digipass record. 

8:35 Connection to DC-01 is broken, and the SBR 

Plug-In switches to DC-02. 

8:35 User retries login using same OTP 

10457920. The login succeeds where it 

should have failed (OTP replay). 

The SBR Plug-In records the use of the OTP 

in the Digipass record. 


Digipass record changes are replicated between DC-01 and DC-02. 

The example timeline above shows the sequence of events. 



2.4.1.2 Administrator and SBR Plug-In using different Domain Controllers 

The administrator may not be connected to the same Domain Controller (via the 

Administration Interfaces) as the SBR Plug-In. 

Example 

An administrator changes a User's Server PIN through the Active Directory Users and 

Computers extension, which is connected to DC-01. The SBR Plug-In connects to DC-03. The 

User attempts a login using the new PIN, which fails because DC-03 is not yet aware of the 

change of Server PIN. 



9:03 Administrator changes a User's Server PIN 

from 1234 to 9876. 

9:04 User attempts to log in using new PIN 

(9876) and the login fails. 




2.4.1.3 Multiple SBR Plug-Ins Using Different Domain Controllers 

Multiple SBR Plug-Ins may connect to different Domain Controllers in a domain or site. 

Example 

A User changes their own PIN during a login through one SBR Plug-In which connects to DC- 

01. The server on which the SBR Plug-In is installed becomes unavailable, and the User 

attempts another login via the SBR Plug-In on a backup server, which connects to DC-02. 

The login fails because DC-02 is not yet aware of the change of Server PIN. 



11:55 User changes their Server PIN from 1234 to 

9876 during login. 

The SBR Plug-In records the PIN change in 

the Digipass record. 

11:57 User attempts to log in using new PIN 

(9876) and the login fails. 




2.4.1.4 Two Administrators Modifying the Same Attribute 

Two administrators attempt to modify the same attribute on a single User account or Digipass 

record within the same replication interval. The later modification will overwrite the earlier 

when replication occurs. 



2.4.2 Old Data Used Overwrites New Data 

The problems above are exacerbated when the old information used on the second Domain 

Controller is updated based on the old information. As the updated record on the second 

Domain Controller now has a later modification date, the end result is that the changed 

information on the first Domain Controller is overwritten incorrectly. 

Example 

An administrator connects to DC-01 and sets a User's PIN from '1234' to '9876'. The User 

logs in through the SBR Plug-In, which connects to DC-02. The User enters the new Server 

PIN and his One Time Password. However, the PIN set on DC-01 has not yet been replicated 

to DC-02, so because the PIN entered does not match the old PIN still recorded in the 

Digipass record on DC-02, the login fails. 

Because the Policy setting of Identification Threshold is in use, his login failure is written 

back to the Digipass record. When replication occurs, the Digipass record on DC-02 has the 

latest modification date – and is copied to DC-01, wiping out the original PIN setting made 

by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server 

PIN for the Digipass. 


10:45 Replication 

10:46 Administrator changes User's PIN from 9876 

to 1234. 

10:48 User login (with new PIN of 1234) fails. 

SBR Plug-In writes failure information to 

Digipass record. 

10:50 Replication 

Active Directory finds last instance of the Digipass blob having been modified. 

Active Directory overwrites DC-01 Digipass record with DC-02 Digipass record. 

The example timeline above shows how the problem can occur. 

The problem shown in the example above may also occur in a Force PIN Change set by an 

administrator. 

2.4.3 Factors Affecting Replication Issues 

A number of factors determine the likelihood and severity of the Active Directory issues 

described: 

Redundancy and load-balancing settings for the SBR Plug-In 

There are a number of SBR Plug-In configuration settings which may affect replication issues: 

Preferred Server 

The SBR Plug-In will attempt to connect to the named Domain Controller, rather than 

simply polling the domain for an available Domain Controller. 

Preferred Server Only 

The SBR Plug-In may be restricted to connecting only to the Domain Controller named in 

the above setting. If this is enabled, the SBR Plug-In will not switch to any other Domain 

Controller, so it will never retrieve data older than its own. 

Max. Bind Lifetime 

The maximum bind lifetime controls how long the SBR Plug-In will stay connected to a 

Domain Controller before polling the domain for a Domain Controller connection. 



Replication Interval 

In Windows 2000, the intra-site replication interval can be configured – the default is 5 

minutes. On Windows Server 2003, the intra-site replication interval is not configurable, but is 

set to approximately 15 seconds, as replication is much more efficient. 

Inter-site replication is fully configurable on both Windows 2000 and Windows Server 2003. 

The longer the replication interval, the more likelihood of these problems occuring. 

Number of Domain Controllers in the Site 

Each Domain Controller regularly requires replication with all other local Domain Controllers. 

As this is done sequentially, it will affect the amount of time between replications. 

2.4.4 Solutions and Mitigations 

2.4.4.1 Digipass Cache 

The Digipass cache collects Digipass records as they are modified, and keeps them in memory 

for a certain length of time. A newer entry from the cache is always used in preference to an 

older record from Active Directory. The cache age should be a little longer than the typical 

replication interval. The default is 10 minutes (600 seconds). 

This option will help in problems caused by a single SBR Plug-In accessing more than one 

Domain Controller in a domain – see 2.4.1.1 Single SBR Plug-In using more than one 

Domain Controller). However, it will not affect the scenario of an Administration Interface 

being connected to a different Domain Controller to the SBR Plug-In. 

If you calculate that your typical replication interval will be more than ten minutes, the cache 

age may be increased by modifying the Blob-Cache Max-Age setting in the configuration file 

(\bin\dpsbrauth.xml): 

 

 

 

 

 

 

A large cache may slow down processing slightly for the SBR Plug-In, so monitor performance 

to check the impact caused after modifying the cache age. 

Warning 

If the SBR Plug-In is installed on a Member Server, this server must be closely 

time-synchronized with the Domain Controller(s). If the server is not timesynchronized, 

the Policy may select an older record when comparing records in 

the Digipass cache with those on the Domain Controller. 

If the SBR Plug-In is installed on a Domain Controller, time-synchronization is assumed. 



2.4.4.2 Identification Threshold Setting 

Reconsider use of the Identification Threshold setting in the relevant Policy(s). The User 

Lock setting may be used instead in most cases (see 7.5 Policy Property Sheet and 7.1 

User Property Sheet for more information on these two settings). Discontinuing use of the 

Identification Threshold setting will avoid the scenario shown in 2.4.2 Old Data Used 

Overwrites New Data, where a failed login overwrites an administrator's modification. 

2.4.4.3 Administrator Connection Strategy 

The option exists in the Active Directory Users and Computers Snap-In to connect to a specific 

Domain Controller in a domain. An administrator should select the same Domain Controller as 

used by the SBR Plug-In for urgent administration tasks likely to be affected by this issue – for 

example, resetting a User's Server PIN so they may login while on the phone to the 

administrator. 

To connect to a specific Domain Controller, right-click on the domain and select Connect to 

Domain Controller... 



2.4.4.4 Set a Preferred Server 

This option decreases some replication problems, as the SBR Plug-In will be primarily 

connected to the Domain Controller named as its Preferred Server. This gives less opportunity 

for load-balancing, however. 

If the SBR Plug-In is installed on a Domain Controller, the Preferred Server will not need to be 

set for that domain, as the SBR Plug-In will normally select that Domain Controller for 

connections. 

To set a Preferred Server for a domain: 

1. Open the SBR Plug-In Configuration GUI (Start -> Programs -> VASCO -> Digipass 

Plug-In for SBR -> SBR Plug-In Configuration). 

2. Click on the Active Directory Connections tab. 

3. If the domain is the Configuration Domain, click on Edit... 

If the domain is in the Domains list, select the domain name and click on Edit... 

If the domain is not in the Domains list, click on Add... 

4. Enter the Fully Qualified Domain Name for the domain in the FQDN field. 



5. Enter the name of the Domain Controller in the Preferred Server field. 

This name should be the first part of the FQDN for the Domain Controller, eg. dc01 

from dc01.support.vasco.com. 

6. Enter any other information required. 

7. Click on OK. 

The SBR Plug-In will now always connect to the Preferred Server when it is available. 

2.4.4.5 Use Preferred Server Only Option 

In some cases this setting may be 

required, as it forces the SBR Plug-In to 

use the same Domain Controller at all 

times. It will, however, eliminate loadbalancing 

and any fail-over for the SBR 

Plug-In, so is not normally recommended. 



2.5 DPADadmin Utility 

2.5.1 Extend Active Directory Schema 

The addschema command is used to create all the Active Directory Schema extensions, if 

they are not already there. Each element will be checked individually to see if it is already 

there and if not, will be added. 

This command is intended to be run manually by a domain administrator before the main 

Digipass Plug-In for SBR installation is run, as recommended by Microsoft. 

It may be necessary to go through an approval process in your company before running this 

command, as it involves changes to Active Directory Schema. You may also need to have 

another administrator run the command for you, possibly in another part of your network. This 

depends on your company’s structure and rules for Active Directory control. 

Prerequisite Information 

Schema Master Machine 

This command may technically be run on any Windows 2000, XP or 2003 machine, however it 

needs to contact the Domain Controller which has the Schema Master role. There can be only 

one Domain Controller in the Forest with that role. It may be simplest to run the command 

directly on the Schema Master, to avoid any potential connectivity or permission issues. 

Warning 

Warning: If you are passing the credentials to the command in the 

parameters, and you are not running the command on the Schema Master, 

check that you do not have any shares on the Schema Master open. This will 

cause the command to fail. 

Domain Administrator Account 

In order to successfully update the Schema, you must know the username and password of a 

Domain Administrator account that is able to log into the Schema Master. You must either run 

the command while logged in as that user, or pass the credentials to the command in the 

parameters. The Domain Administrator must have permission to extend the Schema – they 

must be a member of the Schema Admins group in the Forest-Root-Domain (the first Domain 

created in the Forest). 

Schema Changes Allowed 

By default, Active Directory does not permit Schema extensions to be made. There is a registry 

setting that must be changed to allow extensions. If this is not already set, DPADadmin will 

ask you whether it should change the setting itself or not. If you click on Yes, it will change 

the setting itself, make the extensions then change it back again. 

If you would prefer to change the setting manually, log into the Schema Master and change 

the value of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\ 

Parameters\Schema Update Allowed registry key to 1, adding it as a value of type 



DWORD if it does not already exist. Alternatively, if the Schema Manager MMC snap-in is 

installed on the machine, this can be used to enable or disable Schema extensions. 

If you have disabled the Schema extensions after removing a previous installation in the 

Forest, reactivate them before using this command. This can be done using the Schema 

Manager MMC snap-in used to deactivate them. 

Extend the Schema on the Schema Master 

1. Log into the Schema Master as a member of the Schema Administrators group. 

2. Copy dpadadmin.exe onto the Schema Master 

3. Open a command prompt in the location to which it was copied. 

4. Type: 

dpadadmin addschema 

5. If DPADadmin detects that Schema extensions are not currently permitted, it will 

prompt you whether to enable them or not. Enter y to enable them, or n to cancel. 

The progress and success/failure of the command will be displayed in the command prompt 

window. If there was a failure, it can be run again after the problem has been rectified. 

Extend the Schema on the Digipass Plug-In for SBR Server 

1. Open a command prompt and navigate to the installation’s bin directory by typing: 

2. Type: 

cd \bin 

dpadadmin addschema –master schema_master –u user_name –p password 

3. See 2.5.1 Command Line Syntax for more details regarding the required parameters. 

4. If DPADadmin detects that Schema extensions are not allowed, it will prompt you to 

enable them. Enter y to enable them, or n to cancel. 



Command Line Syntax 

dpadadmin addschema [–master schema_master] [–u user_name [–p password]] [-q] 

Table 7: DPADadmin addschema Command Line Options 

Option Description 

-master Fully qualified name of the Domain Controller with the Schema Master role. This option may be 

omitted if the command is run directly on the Schema Master. 

-u User name of a Domain Administrator in the Schema Administrators group. This option may be 

omitted if you are logged into the machine as that Domain Administrator when you run the command. 

-p Password of the Domain Administrator. This option may be omitted if you are logged in as that Domain 

Administrator or if they have a blank password. 

-q Quiet mode, will not output commentary text. 

DPADadmin addschema Command Sample 

dpadadmin addschema –master dc1.vasco.com –u schema_admin –p sa_password 



2.5.2 Set Up Digipass Containers in Domain 

This command sets up the Digipass-Pool and Digipass-Reserve containers in the specified 

domain. It can optionally set up the Digipass-Configuration container also. 

2.5.2.1 Prerequisite Information 

Domain Administrator 

You must be logged into the machine as a Domain Admin in the target domain. 

2.5.2.2 Set Up Digipass Configuration Container 

1. Log into the machine as a Domain Administrator in that Domain. 

2. Copy dpadadmin.exe onto the machine and open a command prompt in the location 

to which it was copied. 

3. Type: 

dpadadmin setupdomain -config 


window. 

2.5.2.3 Command Syntax 

dpadadmin setupdomain [-config] [-domain ] [-q] 

Table 8: DPADadmin setupdomain Command Line Options 


-config OPTIONAL. Specifies that this is the Digipass Configuration Domain, so the Digipass-Configuration 

container must be created. 

-domain 

 

OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the domain to which the current 

machine belongs will be used. 

-q OPTIONAL. Specifies that quiet mode should be used. 

DPADadmin setupdomain Command Sample 

dpadadmin setupdomain -config -q 

2.5.3 Assign Digipass Permissions to a Group 

This command assigns Digipass-specific permissions to a Windows group, applicable at the 

domain root and downwards. The permissions assigned are: 

Full read access to everything in the domain 

Full control over vasco-DPToken objects 

Full control over vasco-DPApplication objects 

Full write access to vasco-UserExt auxiliary objects 

2.5.3.1 Pre-requisites 

You must be logged into the machine as a Domain Admin in the target domain. 



2.5.3.2 Command Syntax 

dpadadmin.exe setupaccess -group [-domain ] [-q] [-c] 

Table 9: DPADadmin setupaccess Command Line Options 


-group MANDATORY. Specify the name of the group to assign the permissions. Double-quotes are 

required if there are any spaces. 

-domain OPTIONAL. Specify the fully-qualified domain name for the domain to which the group or 

user belongs. If omitted, the domain to which the current machine belongs will be used. 

-q OPTIONAL. Specify that quiet mode should be used. 

-c OPTIONAL. Add the local computer to the group named. 

DPADadmin setupaccess Command Sample 

dpadadmin.exe setupaccess -group “RAS and IAS Servers” -q 

2.5.4 Upgrade RADIUS Profile Information 

The upgradeprofiles command is used to upgrade RADIUS profile information from the 

format used in Digipass Plug-In for Funk 2.0 and 2.1, to the User Attributes format used in 

Digipass Plug-In for SBR 2.2. It must be run in each domain where User accounts with RADIUS 

Profile information are located. 


Attribute Group 

You may have a custom Attribute Group name set in the configuration of the new SBR Plug-In. 

If so, you will need to have the exact name available. Check the SBR Plug-In Configuration 

(SBR Settings tab) if you are unsure. 


You must run the command as an administrator in that domain with sufficient administration 

rights to: 

Read User information 

Read and write to the vasco-Profile attribute 

Upgrade Profile Information 


2. Type: 

cd \bin 

dpadadmin upgradeprofiles -domain 


window. 




dpadadmin upgradeprofiles [-attrgroup ] [-domain ] [-q] 

[-l] [-v] 

Table 10: DPADadmin upgradeprofiles Command Line Options 


-attrgroup OPTIONAL. Specifies the name of the Attribute Group to which the RADIUS Profile should be added. If 

this is not specified, the default RADIUS will be used. 

-domain OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the Digipass Configuration Domain 

will be used. 


-l Record messages to a log file. 

-v Use verbose logging output. 

DPADadmin upgradeprofiles Command Sample 

dpadadmin upgradeprofiles -attrgroup RADIUS -domain test.vasco.com 

2.5.5 Delete all Digipass-Related Data from Active Directory 

Digipass-specific information is not removed from Active Directory when Digipass Plug-In for 

SBR is uninstalled from a computer. 

A custom VB script is available which will strip all information related to the SBR Plug-In from a 

domain. The data removed includes: 

Digipass-Configuration container if present 

Policy and Component records in container 

Digipass-Pool container if present 

Digipass records in container 

Digipass-Reserve container if present 

Digipass records in container 

All Digipass in the domain, including all Digipass Applications. 

All Digipass User Accounts 

Each Digipass User account is deleted by searching for Active Directory Users with the vasco- 

CreateTime attribute set (indicating that a Digipass User account has been created for that 

User). All vasco-UserExt attributes on the Active Directory User are reset. 

Note 

The script must be run in each domain from which data is to be removed. 

2.5.5.1 Run Delete Script on a Domain 

1. Get dpDeleteAll.vbs file from the CD \Windows\Utilities\VBScript directory and copy to 

the computer where you will run the command. 

2. Open cmd prompt, logged in as domain admin in the domain required. 

3. Enter the following: 



cscript dpDeleteAll.vbs [] [-v] 

4. If the machine does not belong to the target domain, specify the domain name 

5. If you want record-by-record progress display, specify -v (verbose mode). 

Example 

cscript dpDeleteAll.vbs dm3.vasco.com -v 


Digipass Plug-In for SBR Administrator Reference ODBC Database 

3 ODBC Database 

3.1 Database Support 

Note 

An embedded database option is available in the installation program. This will 

install PostgreSQL 8.1 for you on the server. However, Digipass Plug-In for SBR 

supports other ODBC-compliant databases, should you prefer to use your own 

database. 

Digipass Plug-In for SBR makes use of a limited set of database features, in order to support 

as many RDBMS (Relational Database Management Systems) as possible: 

Tables (relations) with the following datatypes: 

INTEGER (32-bit) 

VARCHAR (with the maximum length up to 1024 characters; on Microsoft SQL 

Server this is NVARCHAR for Unicode support) 

TIMESTAMP (for some databases, this is DATETIME or DATE – this is not an 

automatically generated timestamp, but just a date/time field) 

Primary Key constraints 

Foreign Key constraints, using the default action (restrict) and cascade delete 

ANSI Standard SQL DML (Data Manipulation Language) – select, insert, update, delete, 

without any vendor-specific syntax 

Transactions with simple COMMIT and ROLLBACK (no 'save points' or equivalents) 

In order for a database to be supported, there must be an ODBC level 3 driver that 

supports: 

Multi-threaded access using multiple concurrent connections 

'Wide char' (Unicode) parameters for input and output 

The following databases have been specifically tested: 

Oracle 10g 

Microsoft SQL Server 2000, 2005 

IBM DB2 8.2 

Sybase Adaptive Server Anywhere 9.0 

PostgreSQL 8.1 

3.1.1 Unicode Support 

At a minimum, the database ODBC driver must allow the 'wide char' parameters to be used, as 

mentioned above. However, the underlying database does not necessarily need to be 

configured with Unicode support. The database only needs to be able to handle the characters 

that are actually used. 



If you do want full Unicode support in the database, refer to the database vendor's 

instructions. Normally, a database has to be created with Unicode storage from the start. 

Depending upon the database type, some of the columns in the database need to be increased 

in size, to handle multi-byte UTF-8 encoded data. The database documentation should indicate 

whether VARCHAR columns are defined by number of characters or number of bytes. 

3.2 Embedded Database 

The embedded database option supplied with Digipass Plug-In for SBR uses PostgreSQL 8.1. 

The database server is installed as a Service and a single database created. This database has 

full Unicode support. 

The full PostgreSQL install package is used, so the database administation tools and 

documentation are available. 

3.2.1 Service Account 

A local Windows account called dppostgres is created on the installation machine. This account 

is given privileges to log on as a service and locally. If installed on a domain controller, this 

account will be a domain account. The privileges to log on locally may be removed manually 

after installation if preferred, without preventing PostgreSQL from running. 

Note 

The dppostgres account is not automatically deleted upon uninstallation of 

Digipass Plug-In for SBR. 

The default password for dppostgres is p!ss&0rd. This can be changed using the standard 

Windows or Active Directory user management interface. If you do this, make sure that the 

Windows Service Control Manager is configured with the new password. The PostgreSQL 

service is PostgreSQL Database Server 8.1. 

If you have changed the password when you uninstall and reinstall the product, either delete 

the dppostgres account or change its password back to the default password shown above 

before re-installing. Otherwise, the installation will fail. 

3.2.2 Database Administration Account 

A single database administrator account called digipass is created when the embedded 

database is installed, with password digipassword. It has full administration and access rights 

to the database. 

This account is used by the SBR Plug-In to connect to the database. If you use an SQL or 

database administation tool to connect to the database, you can also use this account. 

If you want to change the password, you can do this using the pgAdmin III utility. See 3.2.3 

Database Administration below. 



3.2.3 Database Administration 

The full set of PostgreSQL administration tools are installed with the embedded database. For a 

full description, refer to the PostgreSQL documentation that is installed. 

The main tool to use is pgAdmin III, which is a graphical administration interface. This can 

be launched by clicking on the Start Button and selecting Programs -> PostgreSQL 8.1 -> 

pgAdmin III. 

To connect to the database, right-click on the Servers -> PostgreSQL Database Server 8.1 

node in the tree pane and select the Connect option. You will be prompted for the password 

for the digipass user – the default after installation is digipassword. 

After logging in, you can perform a range of database administration tasks. See the online help 

for more details on what can be done with the utility. 

The 6 Backup and Recovery section includes instructions on the pg_dump, pg_restore and 

vacuumdb utilities. 

3.2.3.1 Changing the Digipass User's Password 

After logging in as described above, expand the Login Roles node in the tree pane. Right-click 

on the digipass node underneath and select Properties. Enter the new password, confirm it 

and click OK. 

1. Run pgAdmin III and connect as described above. 

2. Expand the Login Roles node in the tree pane. 

3. Right-click on the digipass node underneath and select Properties. 

4. Enter the new Password and confirm it in Password (again). 


6. Open the SBR Plug-In Configuration GUI: click on the Start Button and select 

Programs -> VASCO -> Digipass Plug-In for SBR -> SBR Plug-In 

Configuration. 

7. Change to the ODBC Connection tab. 

8. Click on the Digipass Authentication Server row in the Data Sources list and click the 

Edit... button. 

9. Modify the Password field with the new password and click OK. 

10. Click OK to exit SBR Plug-In Configuration. When prompted to restart the Service, 

click Yes. 

3.2.4 Connection Limitations 

The embedded database install leaves PostgreSQL with the default configuration, that 

connections to the database may only be made on the same machine. If you need to connect 

from another machine to the database, you need to update the configuration. 

In order to allow connection from another machine, you need to modify a PostgreSQL 

configuration file. Edit the file \PostgreSQL\data\pg_hba.conf with a text 



editor. At the bottom of this file, there is a list of rules for authenticating connections to the 

database, which by default will be: 

# TYPE DATABASE USER CIDR-ADDRESS METHOD 

# IPv4 local connections: 

host all all 127.0.0.1/32 md5 


#host all all ::1/128 md5 

Refer to the PostgreSQL documentation for more details. As an example, to permit access from 

IP address 10.10.1.50 by the digipass user to the postgres database, add the following line 

directly below # Ipv4 local connections: 

host postgres digipass 10.10.1.50/32 md5 

3.3 Database Schema 

Digipass-related data is stored in a number of tables that are created using the DPDBadmin 

command line utility: 

Table 11: ODBC Database Tables 

Table Name Notes 

vdsControl This table is used to control various details about the database 

schema and connection. 

vdsUser Contains Digipass User Account details. 

vdsUserAttr Authorization profiles/attributes (not used for all scenarios). 

vdsDigipass Information about individual Digipass, including the Digipass User 

to which they are assigned. 

vdsDPApplication Data for Applications belonging to each Digipass, such as Server 

PIN and expected OTP length. 

vdsPolicy Policy attributes. Attributes will commonly be shared via 

inheritance. 

vdsComponent Component attributes include the License Key for SBR Plug-In 

Components. 

vdsBackEnd Back-End Server attributes. Presently, this table includes RADIUS 

Servers only. 

vdsDomain Domain list. 

vdsOrgUnit Organizational Unit structure. 

3.3.1 vdsControl Table 

Table 12: vdsControl Table 

Name Type Required? 

vdsName varchar(64) Yes 

vdsValue varchar(512) 

vdsFlags integer 

Primary Key: (vdsName) 

Foreign Keys: None 



3.3.2 vdsUser Table 

Table 13: vdsUser Table 


vdsDomain varchar(255) Yes 

vdsUserId varchar(255) Yes 

vdsOrgUnit varchar(255) 

vdsUserName varchar(64) 

vdsDescription varchar(1024) 

vdsPhone varchar(64) 

vdsMobile varchar(64) 

vdsEmail varchar(64) 

vdsStaticPwd varchar(690)* 

vdsLinkUserDomain varchar(255) 

vdsLinkUserId varchar(255) 

vdsLocalAuth integer 

vdsBackEndAuth integer 

vdsLockCount integer 

vdsLocked integer 

vdsDisabled integer 

vdsProfiles varchar(255) 

vdsAdminPrivileges varchar(255)* 

vdsCreateTime timestamp Yes 

vdsModifyTime timestamp Yes 

* This column contains binary data stored in base64-encoded format. 

Primary Key: (vdsDomain, vdsUserId) 

Foreign Keys: 

(vdsDomain) references vdsDomain 

(vdsDomain, vdsOrgUnit) references vdsOrgUnit 

(vdsLinkUserDomain, vdsLinkUserId) references vdsUser 

3.3.3 vdsUserAttr Table 

Table 14: vdsUserAttr Table 



vdsUserId varchar(255) Yes 

vdsAttrGroup varchar(64) Yes 

vdsSeqNo integer Yes 

vdsName varchar(64) Yes 

vdsUsageQual varchar(64) 

vdsValue varchar(255) 






Primary Key: (vdsDomain, vdsUserId, vdsAttrGroup, vdsSeqNo) 

Foreign Keys: 

(vdsDomain, vdsUserId) references vdsUser (ON DELETE CASCADE) 

3.3.4 vdsDigipass Table 

Table 15: vdsDigipass Table 


vdsSerialNo varchar(32) Yes 


vdsOrgUnit varchar(255) 

vdsDPType varchar(32) 

vdsUserId varchar(255) 

vdsAssignDate timestamp 

vdsGPExpires timestamp 

vdsBVDPEnabled integer 

vdsBVDPExpires timestamp 

vdsBVDPUsesLeft integer 

vdsDirectAssign integer 



Primary Key: (vdsSerialNo) 

Foreign Keys: 


(vdsDomain, vdsOrgUnit) references vdsOrgUnit 

(vdsDomain, vdsUserId) references vdsUser 

3.3.5 vdsDPApplication Table 

Table 16: vdsDPApplication Table 


vdsSerialNo varchar(32) Yes 

vdsApplName varchar(32) Yes 

vdsApplNo integer 

vdsApplType integer 

vdsActive integer 

vdsBlob varchar(255) 






Primary Key: (vdsSerialNo, vdsApplName) 

Foreign Keys: 

(vdsSerialNo) references vdsDigipass 

3.3.6 vdsPolicy Table 

Table 17: vdsPolicy Table 


vdsPolicyId varchar(60) Yes 


vdsParentPolicyId varchar(60) 

vdsDUR integer 

vdsAutoLearn integer 

vdsSPwdProxy integer 

vdsAssignMode integer 

vdsSearchUpOU integer 

vdsApplNames varchar(255) 

vdsApplType integer 

vdsDPTypes varchar(255) 

vdsGracePeriod integer 

vdsLocalAuth integer 

vdsBackEndAuth integer 

vdsBackEndProtocol varchar(32) 

vdsDefDomain varchar(255) 

vdsGroupList varchar(1024) 

vdsGroupMode integer 

vdsOSCR integer 

vdsOSCLength integer 

vdsOSCChkDgt integer 

vdsBVDPEnabled integer 

vdsBVDPMaxDays integer 

vdsBVDPMaxUses integer 

vdsChgPinAllowed integer 

vdsSelfAssignSep varchar(8) 

vdsCRMethod integer 

vdsCRKeyword varchar(16) 

vdsPVDPRqstMeth integer 

vdsPVDPKeyword varchar(16) 

vdsBVDPRqstMeth integer 

vdsBVDPKeyword varchar(16) 




vdsITimeWindow integer 

vdsSTimeWindow integer 

vdsEventWindow integer 

vdsSyncWindow integer 

vdsIThreshold integer 

vdsSThreshold integer 

vdsCheckChal integer 

vdsOnlineSG integer 

vdsChkInactDays integer 



vdsLockThreshold integer 

Primary Key: (vdsPolicyId) 

Foreign Keys: 

(vdsParentPolicyId) references vdsPolicy 

3.3.7 vdsComponent Table 

Table 18: vdsComponent Table 


vdsComponentType varchar(60) Yes 

vdsLocation varchar(255) Yes 

vdsPolicyId varchar(80) Yes 

vdsProtocolId varchar(32) 

vdsTCPPort integer 

vdsSharedSecret varchar(690)* 

vdsLicenseKey varchar(1024) 

vdsPubKey varchar(1024) 

vdsCreateTime Timestamp Yes 

vdsModifyTime Timestamp Yes 


Primary Key: (vdsComponentType, vdsLocation) 

Foreign Keys: 

(vdsPolicyId) references vdsPolicy 

3.3.8 vdsBackEnd Table 

Table 19: vdsBackEnd Table 


vdsServerId varchar(80) Yes 




vdsProtocolId varchar(32) 

vdsDomain varchar(255) 

vdsPriority integer 

vdsRadAuthAddr varchar(128) 

vdsRadAuthPort integer 

vdsRadAcctAddr varchar(128) 

vdsRadAcctPort integer 

vdsRadRetries integer 

vdsRadTimeout integer 

vdsSharedSecret varchar(690)* 




Primary Key: (vdsServerId) 

Foreign Keys: 


3.3.9 vdsDomain Table 

Table 20: vdsDomain Table 






Primary Key: (vdsDomain) 

Foreign Keys: None 

3.3.10 vdsOrgUnit Table 

Table 21: vdsOrgUnit Table 



vdsOrgUnit varchar(255) Yes 


vdsParentOrgUnit varchar(255) 



Primary Key: (vdsDomain, vdsOrgUnit) 



Foreign Keys: 


(vdsDomain, vdsParentOrgUnit) references vdsOrgUnit 

3.4 Encoding and Case-Sensitivity 

When you create the database, depending on the database type, you may have the chance to 

select a collation sequence. The collation sequence determines both the sort order and the 

case-sensitivity of the database. If you do not have the chance to select the collation 

sequence, it is advisable to find out how it is already defined. 

The encoding used by the database is important when considering support for non-English 

languages. You must ensure that the database will be able to store the data in whatever 

languages may be used in your system. 

Case-sensitivity is of particular importance when looking up a Digipass User Account. It 

determines whether the user must get the correct case for their UserId when logging in. For 

example, if your database collation sequence is case-sensitive, user “JSmith” would have to log 

in as exactly “JSmith”, not “jsmith”. If you want a case-insensitive User ID and domain lookup, 

and your database does not behave this way by default, you have two choices: 

Choose a case-insensitive collation sequence for the database. 

Use a configuration option in Digipass Plug-In for SBR to convert User ID and domain 

names to all upper or all lower case. See 11.1.7.3 User ID and Domain Conversion 

for more information. 

Caution 

Configuration settings for case-sensitivity must be set up in the Configuration 

GUI before data is entered into the database. 

The Master Domain (named 'master') is an exception, as it is created in the 

database when the dpdbadmin addschema command is run. If you will be 

configuring the SBR Plug-In to convert User IDs and domains to upper case, 

change the name of the Master Domain before changing the case settings. See 

3.5.1.1 Master Domain for more information. 

The embedded database created by the installation program uses UTF-8 encoding. In addition, 

as this results in case-sensitive collation, the option to convert User IDs and domain names to 

lower case is set by default. 

3.5 Domains and Organizational Units 

The concepts of Domain and Organizational Unit are present in Digipass Plug-In for SBR for 

the purpose of grouping users. They closely match the concepts of the same names in Active 

Directory/LDAP, but they are not identical. 



3.5.1 Domains 

Domains are essentially separate sub-databases of Digipass User Accounts and Digipass. All 

Digipass User Accounts and Digipass must belong to a Domain. The Domain is used as a 

naming scope for the UserId – it is allowed to have two different Digipass User Accounts with 

the same UserId, so long as they are in different Domains. 

3.5.1.1 Master Domain 

When the Digipass Plug-In for SBR is installed, a single Domain will be created in the 

database, the Master Domain. By default, all new Digipass User Accounts and Digipass will be 

created in that Domain. 

A Domain must be chosen for a Digipass User account when it is created, as the Domain 

makes up part of the identification (primary key) for the account. A Digipass User account may 

not be moved to a different Domain. It must be deleted and recreated in the required Domain. 

Digipass, however, may be moved to the required Domain after importation. The 'primary key' 

of the Digipass record consists only of its Serial Number, which cannot be duplicated in 

different Domains. 

A Digipass that is assigned to a Digipass User Account must belong to the same Domain as the 

account. Therefore, you need to ensure that the correct numbers of Digipass are allocated to 

the different Domains. 

If you do not need to use the concept of Domains in your system, then you can leave all 

Digipass User Accounts and Digipass in the Master Domain. You can designate a different 

Domain as the Master Domain using the SBR Plug-In Configuration interface, Configure 

Advanced Settings screen. 

The Master Domain has additional significance in other VASCO products, but not Digipass Plug- 

In for SBR. 

Modify the Master Domain 

You might need to modify the domain used as the Master Domain if: 

You want new Digipass User accounts and Digipass records to be created in a different 

domain by default 

You want to change the name of the Master Domain 

The case used in the name of the Master Domain will not be compatible with SBR Plug-In 

configuration settings. 

For instructions on changing the domain used as the Master Domain, see 11.1.7.4 Master 

Domain. 



3.5.1.2 Identifying the Domain for a Login Attempt 

As the Domain is part of the naming scope for a Digipass User Account, the Domain must be 

identified when a user attempts to log in. 

Image 2: Domain Identification Logic 

When Windows Back-End Authentication is used, the Domain of a Digipass User Account must 

match the Domain of their corresponding Windows user account. In this situation, the Use 

Windows User Name Resolution feature would typically be used, in case the same user logs 

in with different Windows user name formats (DOMAIN\userid, userid@domain.com, userid). 

You can enable this feature using the SBR Plug-In Configuration interface, Configure 

Advanced Settings screen. 

Without Windows name resolution, a simple rule is applied to identify the Domain of a user 

who is logging in: if the UserId is in the form userid@domain, and there is a Domain with the 

given domain name, that Domain will be used. In that case, the UserId will have the @domain 

part removed. Otherwise, the whole UserId will remain as userid@domain and no Domain will 

be identified. 



If through either kind of name resolution, no Domain is identified, the applicable Policy is 

checked for a Default Domain. The Default Domain is used if it is specified in the Policy. 

Otherwise, the Master Domain is used as a default. 

3.5.2 Organizational Units 

Within a Domain, Organizational Units can be used to group Digipass User Accounts and 

Digipass. They are primarily used in Digipass Plug-In for SBR to allocate unassigned Digipass 

to groups of users such as offices or departments. In other VASCO products, they can also be 

used to provide delegated administration by user group. 

Organizational Units can be created as a hierarchy, in a similar way to Active Directory/LDAP. 

It is not permitted to create a circular chain in the hierarchy. 

Organizational Units are not used as a naming scope in the same way as Domains. It is 

permitted to move Digipass User Accounts and Digipass between Organizational Units 

whenever required. However, a Digipass that is assigned to a Digipass User Account must 

belong to the same Organizational Unit, as well as the same Domain. Upon assignment, or 

upon moving the Digipass User Account, the Digipass is moved automatically. It is not 

permitted to move an assigned Digipass – instead, you must move the Digipass User Account, 

which may have other Digipass assigned also. 

Organizational Units have no effect on the authentication process, with the exception of Auto- 

and Self-Assignment – the Digipass to be assigned must be in the same Organizational Unit as 

the Digipass User Account. However, if you enable the 'Search up Organizational Unit 

Hierarchy' Policy setting, the Digipass may be located higher up the Organizational Unit 

structure, provided it is still in the same Domain. 



3.6 Database User Accounts 

It is important to consider which database user accounts will be utilized when installing, 

running and administering Digipass Plug-In for SBR. There are a few main roles that need to 

be considered: 

Schema creator. A database user account is needed to create the tables used by 

Digipass Plug-In for SBR. Typically this would be either a fully privileged DBA account, or 

the account that will own the schema. 

Schema owner. This may be the same as the schema creator. If not, the schema 

creator can transfer ownership of the new tables after they have been created. 

SBR Plug-In account. This may be the same as the schema creator or owner, but as it 

does not need extensive permissions on the tables, you may prefer to use an account 

with less privileges. 

Administrator account. Administrators may be allowed to log directly into the 

database in order to administer data. If so, the Adminstration MMC Interface will require 

a database user account with sufficient permissions to modify the data as required. It is 

not necessary to create a separate account, but you may prefer to do so, in order to 

control the permissions strictly. You may even create multiple administrator accounts 

with different permissions. 

A few elements need to be taken into account when setting up these various database user 

accounts. 

3.6.1 Permissions on the Tables 

The following permissions are required by the SBR Plug-In and administrator accounts: 

Table 22: Table Permissions Required 

Table SBR Plug-In Administrator 

vdsControl SELECT, INSERT*, UPDATE* SELECT 

vdsUser SELECT, INSERT**, UPDATE SELECT, INSERT, UPDATE, DELETE*** 

vdsUserAttr SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsDigipass SELECT, UPDATE SELECT, INSERT, UPDATE, DELETE*** 

vdsDPApplication SELECT, UPDATE SELECT, INSERT, UPDATE, DELETE*** 

vdsPolicy SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsComponent SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsBackEnd SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsDomain SELECT SELECT, INSERT, UPDATE, DELETE*** 

vdsOrgUnit SELECT SELECT, INSERT, UPDATE, DELETE*** 

* The SBR Plug-In does not need INSERT and UPDATE permission on the vdsControl table itself. However, when 

the SBR Plug-In Configuration GUI is used to Configure Advanced Settings, the same database user account 

is used as the SBR Plug-In, and at this time the INSERT and UPDATE permissions are needed. 

** INSERT permission is only required when Dynamic User Registration is used. 

*** In general, SELECT permission is required on all tables, but you can restrict any of INSERT, UPDATE and DELETE 

permissions according to the restrictions you need to impose upon your administrators. 



3.6.2 Access to Another Schema 

Depending on the database type, there may be a problem with one database user account 

accessing the tables from another schema/user account. Digipass Plug-In for SBR components 

will access the tables according to the table names that are defined in the vdsControl table. 

If the tables are not accessible to the database user account without qualifying the table name 

(eg. schema.table), there are a few ways to solve the problem: 

Set the default schema or database. Some databases allow you to specify which 

schema or database a database user account will use by default when they log in. This 

may be a setting in the database itself or the ODBC data source 

Create views. You can create a view for each table in the database user account's own 

schema, that provides access to the table. The view names should match the table 

names. However, be careful that your database type permits the necessary INSERT, 

UPDATE and DELETE operations on the views (see the table above). Some database 

types provide only limited support for those operations or disallow them all. 

Modify the vdsControl table. Provided that all database user accounts need the 

schema qualifier in front of the table names, you can safely modify the vdsControl table 

entries to add the schema qualifier (see below). 

Another possible solution is to create a vdsControl table in each database user account's 

schema, that contains the necessary schema qualifier. However this is not recommended, as it 

is complex to set up and there are other settings in the vdsControl table other than the table 

names. It would be easy to end up with different settings in each table. 

3.6.2.1 Modify vdsControl Table 

There are two parts to this solution. Firstly, to make sure that the vdsControl table itself can 

be accessed; secondly, to update the remaining table names using the vdsControl table. 

The SBR Plug-In component uses a configuration setting in its configuration file 

dpsbrauth.xml to identify the vdsControl table name: 

VASCO->AAL3->ODBC->Data-Sources->Data-Sourcesnn->Control-Table 

where nn is 01 for the first data source, 02 for the next, and so on. Each data source must be 

configured separately. 

However, the administration interface does not use this configuration file, and if the 

administrator database account has a schema qualifier problem for the vdsControl table, 

another solution such as a view must be used. 

Modification of the vdsControl table entries that define the table names must be performed 

using your database's SQL utility. The following entries in vdsControl are used to define the 

table names: 

Table 23: Table Names in vdsControl 



Table vdsName 

vdsUser user_table 

vdsUserAttr user_attr_table 

vdsDigipass dp_table 

vdsDPApplication dpappl_table 

vdsPolicy policy_table 

vdsComponent comp_table 

vdsBackEnd backend_table 

vdsDomain domain_table 

vdsOrgUnit org_table 

3.7 Database Connection Handling 

The SBR Plug-In can be configured with a few settings that control the connection to the 

database. These settings can be found in the SBR Plug-In Configuration GUI. 

3.7.1 Multiple Data Sources 

It is possible to make more than one database available to the SBR Plug-In by creating 

additional databases and corresponding ODBC data sources. The additional database(s) can be 

used for redundancy and/or simple load sharing. 

If this is done, it is critical that the second and subsequent databases are synchronized with 

the first database. You will have to use the methods available to your database type, according 

to the database vendor's instructions. Typical methods include mirroring, shadow databases 

and instantaneous replication. 

Simply by configuring a second data source, if all connections to the main data source fail and 

cannot be reopened, the SBR Plug-In will open connections to the second data source. 

Similarly, a third data source can be used when the first and second are both unavailable. 

3.7.2 Max. Connections 

There is a configurable limit on the number of connections to the data source that the SBR 

Plug-In will have open at one time. This will prevent too many connections being opened to the 

database in case of peak load. However, each authentication request uses a connection for its 

duration, so the number of connections effectively limits the number of authentication requests 

that can be concurrently executed. It may improve performance to increase this setting, when 

there are a lot of concurrent requests – provided that the database is able to handle the 

increased load. 

The effect of this setting depends on the characteristics of your ODBC driver and database. 

Some ODBC drivers may not open a separate connection to the database for each connection 

that is made to it; they may set up a 'pool' of connections to the database or they may even 

just maintain a single connection. 



3.7.3 Connection Wait Time 

When the SBR Plug-In already has the maximum number of connections open and a new 

authentication request arrives, it will wait a configurable amount of time for a connection to 

become available (unless the Enable Load Sharing option is used, see below). You may want 

to reduce this waiting time, to reduce the impact of an overload of requests. Alternatively you 

may want to increase the waiting time, to make it less likely that a request will be rejected due 

to a temporary 'spike' of requests. 

3.7.4 Idle Timeout 

After a period of peak load, there may be a large number of connections open to the database. 

The Idle Timeout setting can be used to configure how quickly the connections are closed 

after being idle for a period of time. It may reduce the load on the database to close these 

connections quickly. Alternatively, if the load is very irregular but is often high, you may prefer 

to keep idle connections open for longer. 

3.7.5 Enable Load Sharing 

A simple form of load sharing can be implemented if you make a second database available to 

the SBR Plug-In. In fact, any number of databases can be added to the list of data sources, 

and the load can be shared across all of them. 

If you have more than one database available and the Enable Load Sharing option is used, 

the SBR Plug-In will open connections to the second database when it would exceed the 

maximum number of connections it is allowed to have to the first database. Similarly, it will 

open connections to the third database when it has reached the maximum for the second, and 

so on. In general, connections to the first database will be used when available, in preference 

to connections to any other database. 

3.7.6 Reconnect Intervals 

After the first data source has become unavailable, the SBR Plug-In will attempt at intervals to 

reconnect, even if it has successfully failed over to a second data source. It will always use the 

first data source in preference to the others. 

The Min. Reconnect Interval and Max. Reconnect Interval settings control the minimum 

and maximum intervals between retries respectively. The interval will start at the minimum 

and increase in steps until the maximum is reached. After that, the interval will stay at the 

maximum. 



3.8 DPDBadmin 

3.8.1 Modify Database Schema 

The addschema command is used to create all required tables in an existing database, if they 

are not already there. Each table will be checked individually to see if it is already there and if 

not, will be added. 

This command is intended to be run manually by an administrator before Digipass Plug-In for 

SBR is installed. 


command. You may also need to have a database administrator run the command for you. 

This depends on your company’s structure and rules for control of the database. 

This command may also be used to create the tables required for auditing to an ODBC 

database. 


Database Administrator Account 

In order to successfully modify the database structure, you will need the username and 

password of a database administrator account that is able to make changes to the database 

schema – for example, creating tables. You must pass these credentials to the command in the 

parameters. 

Database Name 

You will need the ODBC Data Source Name of the database (as registered with Windows an as 

ODBC Data Source). 

Modify the Database Structure 


2. Type: 

cd \bin 

dpdbadmin addschema –u user_name –p password -d dsn 

3. See below for more details regarding the required parameters. 




dpdbadmin addschema –u user_name [–p password] -d dsn [-nouser] [-domain 

domain_name] [-case case_conversion] [-vdsuser alternatename] [-vdsuserattr 

alternatename] [-vdsdomain alternatename] [-vdscontrol alternatename] [-vdsdigipass 

alternatename] [-vdsdpapplication alternatename] [-vdspolicy alternatename] 

[vdsbackend alternatename] [-vdscomponent alternatename] [-vdsorgunit alternatename] 

[-audit] [-noserver] [-utf8factor factor] [-q] 

Table 24: DPDBadmin addschema Command Line Options 




-u User name of a database administrator. 

-p Password of the database administrator. This option may be omitted if they have a blank 

password. 

-d ODBC Data Source Name (DSN) 

-nouser Do not create Digipass User table. This option is not currently supported. 

-domain Specify the Master Domain to be used. If not specified, it will be “master”. The Domain will be 

created if it does not already exist. 

-case Specify to convert User IDs and domain names to either upper or lower case. The value must be 

either “upper” or “lower”. 

vdsuser Alternative name for the Digipass User table to be created. 

vdsuserattr Alternative name for the Digipass User Attribute table to be created. 

vdsdomain Alternative name for the Domain table to be created. 

vdscontrol Alternative name for the Controller table to be created. 

vdsdigipass Alternative name for the Digipass table to be created. 

vdsdpapplication Alternative name for the Digipass Application table to be created. 

vdspolicy Alternative name for the Policy table to be created. 

vdsbackend Alternative name for the Back-end Server table to be created. 

vdscomponent Alternative name for the Component table to be created. 

vdsorgunit Alternative name for the Organizational Unit table to be created. 

-audit Create the Audit tables. 

-noserver Do not create the main tables used by the Authentication Server. This should only be used with 

the -audit option, when you only want to create the auditing tables. 

-utf8factor On certain databases (such as Oracle and DB2), column sizes are specified in bytes, not 

characters, by default. When UTF-8 encoding is used to store data, for full Unicode support, one 

character may be represented as more than one byte. Normally 2 or 3 characters are used, 

depending on the language, but some characters require 4. If your data will include a lot of non- 

English characters, you can increase the size of certain columns by a factor to allow for the extra 

bytes. The value of the parameter should be 2, 3 or 4. Typically, 3 is sufficient. The columns 

affected by this are the User Name (not User ID) and various Description fields. 

On other databases, column sizes are specified in characters, and this parameter is not needed. 


DPDBadmin addschema Command Sample 

dpdbadmin addschema –u DBAdmin –p pwd3498 -d UserDb -domain mydomain 

This command will modify the database structure of the ODBC database with the data source 

name of UserDb. It uses a database administrator account with the User ID of DBAdmin and 

password pwd3498. A non-default Master Domain will be used, called “mydomain”. 

dpdbadmin addschema –u DBAdmin –p pwd3498 -d AuditDb -audit -noserver 

This command will create only the auditing tables in the ODBC database with the data source 

name of AuditDb. It uses a database administrator account with the User ID of DBAdmin and 

password pwd3498. 



3.8.2 Check Database Modifications 

The checkschema command is called from the Digipass Plug-In for SBR installation program 

to check that all required database changes have been applied. Each table and field is checked 

individually to see if it exists within the database, but it will not be added if it does not exist. 



Ensure that you know the username and password of a database administrator for the 

database to be checked. 

Database Name 

You will need the Data Source Name of the database (as registered with Windows an as ODBC 

Data Source). 

3.8.2.2 Check the Database Structure 

1. Open a command prompt and go to the installation’s bin directory by typing: 

2. Type 

cd \bin 

dpdbadmin checkschema –u user_name –p password -d dsn 

3. See below for more details regarding the parameters. 


window. 

3.8.2.3 Command Line Syntax 

odbcadmin checkschema –u user_name [–p password] -d dsn [-domain domain_name] 

[-q] 

Table 25: DPDBadmin checkschema Command Line Options 



-p Password of the database administrator. This option may be omitted if they have a blank password. 


-domain Specify the Master Domain to be used. If not specified, it will be “master”. The Domain must exist. 


DPDBadmin checkschema Command Sample 

dpdbadmin checkschema –u db_admin –p db_password -d db_users 



3.8.3 Remove Database Modifications 

This command removes from a database the tables added by the addschema command. 


command. You may also need to have a database administrator run the command for you. 


Database Administrator Account 

In order to successfully modify the database structure, you will need the username and 

password of a database administrator account that is able to make changes to the database 

structure – for example, creating tables. You must pass these credentials to the utility in the 

parameters of the command. 

Database Name 

You will need the Data Source Name of the database (as registered with Windows an as ODBC 

Data Source). This DSN must be registered on the computer from which the command line 

utility wil be run. 

3.8.3.2 Modify Database Structure 


2. Type: 

cd \bin 

dpdbadmin dropschema –u user_name –p password -d dsn 

3. See below for more details regarding the required parameters. 



3.8.3.3 Command Line Syntax 

dpdbadmin dropschema –u user_name [–p password] -d dsn [-nouser] [-q] 

Table 26: DPDBadmin dropschema Command Line Options 



-p Password of the database administrator. This option may be omitted if they have a blank 

password. 


-nouser Do not delete Digipass User table. This option is not currently supported. 


DPDBadmin checkschema Command Sample 

dpdbadmin dropschema –u DBAdmin –p pwd3498 -d UserDb 



3.8.4 Upgrade RADIUS Profiles Information 

The upgradeprofiles command is used to upgrade RADIUS profile information from the 

format used in Digipass Plug-In for Funk 2.0 and 2.1, to the User Attributes format used in 

Digipass Plug-In for SBR 2.2. 

Prerequisites 

These conditions must be met before this command can be run successfully: 

Must be run on the machine on which the SBR Plug-In is installed. 

The SBR Plug-In configuration file (dpsbrauth.xml) must be in the default location 

(\Bin) 

Attribute Group 

You may have a custom Attribute Group name set in the SBR Plug-In Configuration. If so, you 

will need to have the exact name available. Check the SBR Plug-In Configuration (SBR Settings 

tab) if you are unsure. 

Upgrade Profile Information 


2. Type: 

cd \bin 

dpdbadmin upgradeprofiles 


window. 


dpdbadmin upgradeprofiles [-attrgroup ] [-q] [-l] [-v] 

Table 27: DPDBadmin upgradeprofiles Command Line Options 


-attrgroup OPTIONAL. Specifies the name of the Attribute Group to which the RADIUS Profile should be added. If 

this is not specified, the default RADIUS will be used. 


-l Record messages to a log file. 

-v Use verbose logging output. 

DPDBadmin upgradeprofiles Command Sample 

dpdbadmin upgradeprofiles -attrgroup RADIUS -l c:\temp\upgrade.log 


Digipass Plug-In for SBR Administrator Reference Sensitive Data Encryption 

4 Sensitive Data Encryption 

Sensitive data is encrypted by Digipass Plug-In for SBR using an embedded key. If needed, 

this encryption may be strengthened by adding a custom key in the Configuration GUI. The 

embedded and custom keys are subjected to a logical XOR process to produce a new key 

derived from both. 

Note 

Encryption settings must be set before importing Digipass. 

4.1.1 Encrypted Data – Active Directory 

Table 28: Encrypted Data Attributes – Active Directory 

Attribute Class 

vasco-StaticPassword vasco-UserExt 

vasco-SharedSecret vasco-Component 

vasco-SharedSecret vasco-BackEndServer 

4.1.2 Encrypted Data – ODBC and Embedded Database 

Table 29: Encrypted Data Attributes – ODBC and Embedded Database 

Column Table 

vdsStaticPwd vdsUser 

vdsAdminPrivileges vdsUser 

vdsSharedSecret vdsComponent 

vdsSharedSecret vdsBackEnd 

4.1.3 Which Encryption Algorithms can be used? 

AES 

blowfish 

cast5 

3DES 

3DES with 3 keys 

4.1.4 Exporting Encryption Settings 

Encryption settings may be exported to a password-protected text file from the SBR Plug-In 

Configuration GUI. This file must then be loaded to other SBR Plug-Ins – see 11.1.9 Data 

Encryption for instructions. 

The same file must be loaded into the administration interfaces wherever they are installed: 


1. Open the Administration MMC Interface. 

2. Right-click on the Digipass Administration node and select the Encryption Settings 

option. 


Digipass Plug-In for SBR Administrator Reference Sensitive Data Encryption 

3. In the Configure Encryption Settings dialog, click the Import... button. 

4. Browse to the encryption settings file. 


6. Enter the required password. 


Active Directory Users and Computers 

The following only applies if you are using Active Directory. In addition, if Active Directory 

Users and Computers is on the same machine as the Administration MMC Interface, the 

following steps will not be necessary, as the two programs share the same encryption 

configuration settings. 

1. Open Active Directory Users and Computers. 

2. Right-click on the Users container and select the Digipass Extension Encryption 

Settings option. 

3. In the Configure Encryption Settings dialog, click the Import... button. 





Digipass TCL Command-Line Administration 

1. Open the file \Bin\dpadmincmd.xml in a text editor (or XML 

editing tool). 

2. Open the file \Bin\dpsbrauth.xml in a text editor (or XML editing 

tool). 

3. Copy and paste the whole VASCO -> AAL3 -> Encryption section from 

dpsbrauth.xml, overwriting the same section in dpadmincmd.xml. 

4. Save dpadmincmd.xml and exit the editors. 


Digipass Plug-In for SBR Administrator Reference Set Up Active Directory Permissions 

5 Set Up Active Directory Permissions 

5.1 Permissions Needed by the SBR Plug-In 

The SBR Plug-In runs inside Steel-Belted RADIUS, which runs as a Service. The Service runs 

as the 'Local System' account rather than as a named user account. Therefore, when 

connecting to Active Directory, the SBR Plug-In connects as the computer account, not a user 

account. The permissions that it has within Active Directory are the permissions of the 

computer account. 

An important exception to this occurs if you install the SBR Plug-In onto a Domain Controller. 

Any Service running as 'Local System' on a Domain Controller has all possible permissions to 

that Domain. In this case, no additional setup of permissions is required. Therefore, the rest of 

this section applies to the case where the SBR Plug-In is not on the Domain Controller. 

During installation, the computer account is added to the built-in 'RAS and IAS Servers' group 

in the Domain, as it will require the permissions assigned by default to this group. 

In order to function correctly, the SBR Plug-In requires the following permissions in Active 

Directory, that are not granted to 'RAS and IAS Servers' by default: 

Read access to the Digipass Configuration Container 

Read access to all User accounts (or at least, all who might need to be authenticated by 

the SBR Plug-In) 

Write access to the new attributes that are added to the User class for Digipass Plug-In 

for SBR (these are in the auxiliary class vasco-UserExt) 

Full control over all Digipass (vasco-DPToken) and Digipass Application (vasco- 

DPApplication) objects 

Create and delete permission for Digipass (vasco-DPToken) objects in Organizational 

Units and containers (specifically the Digipass-Pool and Users containers) 

5.1.1 Giving Permissions to the SBR Plug-In 

During installation, these additional permissions are granted to the 'RAS and IAS Servers' 

group automatically. 

There is also a manual way to grant these permissions, by running the 'setupaccess' command 

at the command prompt: 

dpadadmin.exe setupaccess -group “RAS and IAS Servers” 

See 2.5 DPADadmin Utility for more information on the setupaccess command. 

As mentioned above, this is not necessary if the SBR Plug-In is installed onto a Domain 

Controller. 



5.2 Permissions Needed by Administrators 

5.2.1 Domain Administrators 

Domain Administrators already have all required permissions within their Domain. 

5.2.2 Delegated Administrators 

The term 'Delegated Administrators' is used here to refer to administrators who have been 

delegated control over an Organizational Unit. Generally speaking, they have administrative 

control over the user and computer accounts within their Organizational Unit. 

See the Digipass Records topic in the Product Guide for more information on possible 

approaches to delegating Digipass administration. 

By default, these administrators will be able to view the Digipass User Account data for their 

users and the Digipass that are located within their Organizational Unit. However, they will not 

be able to modify any of that data or assign Digipass. 

If you wish to delegate responsibility for all Digipass-related administration within an 

Organizational Unit, the following additional permissions are required by the Delegated 

Administrator: 

Within the scope of the Organizational Unit, Write permission to the new attributes that 

are added to the User class for Digipass Plug-In for SBR (these are in the auxiliary class 

vasco-UserExt) – you can add Write permissions for each individual Property Set or if 

appropriate, grant 'Write All Properties' permission 

Within the scope of the Organizational Unit, Full Control over all Digipass (vasco- 

DPToken) and Digipass Application (vasco-DPApplication) objects 

Create and Delete permission for Digipass (vasco-DPToken) objects within the 

Organizational Unit 

If the Delegated Administrator should be allowed to assign Digipass from the Digipass 

Pool to their users, they need Delete Digipass permission in the Digipass-Pool container 

5.2.3 Reduced-Rights Administrators 

The term 'Reduced-Rights Administrator' is used here to refer to administrators who are 

granted permissions to perform only selected Digipass-related administration tasks. They may 

be granted these permissions within the scope of the whole Domain, or only within an 

Organizational Unit. 

An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but 

not to assign/unassign Digipass to/from users. 

By default, all users have read access to everything in the Active Directory. The modification 

permissions that can be granted to this kind of administrator are: 

Write permission for any of three Property Sets on the Digipass User Account fields: 

Digipass User Account Information – all attributes except those covered by the other two 

Property Sets, including Authorization Profiles/Attributes 



Digipass User Account Link – the link attribute used to share a Digipass between two 

user accounts 

Digipass User Account Stored Password – the Stored Password attribute 

Write permission for any individual properties on Digipass objects, except for one 

Property Set that is defined to control the Digipass assignment link 

Write permission for any individual properties on Digipass Application objects, except for 

one Property Set that is defined to include the Digipass 'blob' that is required for any 

administrative operation such as Reset PIN, Test, Set Event Counter, etc. 

Create and delete permission on Digipass and Digipass Application objects (note that this 

can be necessary for assigning Digipass to users, because a move from one location to 

another is controlled by permissions to delete from the source and create in the 

destination) 

5.2.4 System Administrators 

The term 'System Administrator' is used here to refer to an administrator who will be 

responsible for management of the Component and Policy records, rather than Digipass User 

Accounts and Digipass. They need permissions within the Digipass Configuration Container to 

create, modify and delete Component (vasco-Component) and Policy (vasco-Policy) objects. 

In practice, System Administrators can typically be given full control over the Digipass- 

Configuration container. If you wish to grant more limited permissions, this can be handled 

with the standard Active Directory permissions on these objects within the scope of the 

container. 

5.3 Assign Administration Permissions to a User 

Note 

This example assumes that the administrator's User account has read 

permissions for all User records already. 

To grant permissions to manage Digipass records, you will need to follow these steps: 

1. Right-click on the Organizational Unit in which to assign permissions. 

2. Select Delegate Control... from the right-click menu. 

3. The Delegate Control Wizard will be displayed. 

4. Select the User or Windows Group to assign permissions. 


6. Select the Delegate Common Tasks option button. 

7. Select Create, Delete and Manage Digipass from the list. 

8. Click on Next. 

9. Click on Finish. 

If you wish to grant permissions to modify Digipass User Account properties, you will need to 

follow these steps: 



10. Select View -> Advanced Features from the main menu. 

11. Right-click on the Organizational Unit in which to assign permissions. 

12. Select Properties from the right-click menu. 

13. Click on the Security tab. 

14. Click on the Advanced... button. 

15. The Advanced Settings window will be displayed. 

16. Click on Add... 

17. Type the username of the User to assign the permissions to and click OK. 

18. Click on the Properties tab. 

19. Select User Objects from the drop down list. 

20. Select the required permissions from: 

Write Digipass User Account Information 

Write Digipass User Account Link 

Write Digipass User Account Stored Password 

Write vasco-LockCount 

Write vasco-CreateTime 

Write vasco-ModifyTime 


If the administrator requires permissions to take Digipass out of the Digipass-Pool for 

assignment, you will need to follow these steps: 

22. Right-click on the Digipass Pool. 

23. Select Properties from the right-click menu. 


25. Click on Advanced... 

26. Click on the Object tab. 

27. Select Child objects only from the drop down list. 

28. Click on Add... 

29. Select these permissions: 

Delete Digipass Objects 




5.4 Multiple Domains 

When using the SBR Plug-In with multiple domains, extra steps must be followed to ensure 

that both the SBR Plug-In and administrators have permissions sufficient to access required 

data. The main issues are: 

The Digipass Configuration Container is only in one Domain. All SBR Plug-Ins need read 

access to this container, even when they are in a different Domain. Cross-Domain access 

for administrators is a less likely requirement however. 

If a SBR Plug-In handles users and Digipass in more than one Domain, they need to be 

granted the necessary permissions in all the necessary Domains. 

In this manual, we will handle cross-Domain permissions using a combination of Domain Local 

and Domain Global groups. It is possible in a 'native' mode Domain to use Universal groups, 

but these are not recommended in Windows 2000 due to replication issues. The replication 

efficiency has been improved in Windows Server 2003, however Universal groups are still not 

used as commonly as Domain Local/Global groups. 

Three possible scenarios for multiple domain setup are outlined below: 

5.4.1 Scenario 1 – Each SBR Plug-In Handles One Domain 

Each SBR Plug-In handles only the domain in which it is a member. 

Install the SBR Plug-In in each domain (the result will be at least as many SBR Plug-Ins as 

domains). 

Give each SBR Plug-In access to the Digipass Configuration Domain: 

Domain Global Group(s) 

For each domain (apart from the Digipass Configuration Domain) - 

1. Create a Domain Global group 

2. Add the SBR Plug-In(s) to the Domain Global group (check which machines are in the 

'RAS and IAS Servers' group to ensure the correct additions) 

Domain Local group 

In the Digipass Configuration Domain - 

3. Create or use an existing Domain Local group. 

4. Give the Domain Local group full read access to the Digipass Configuration Container. 

5. Add the Domain Global Group from each other domain to the Domain Local group. 



5.4.2 Scenario 2 – One SBR Plug-In Handles All Domains 

SBR Plug-Ins in one domain handle all domains. The Digipass Configuration Container should 

be located in the domain to which the SBR Plug-Ins belong. 

Give the necessary access to User and Digipass data: 

Domain Global group 

In the SBR server Domain - 

1. Create a Domain Global group. 

2. Add the SBR Plug-Ins to the Domain Global group (check which machines are in the 

'RAS and IAS Servers' group to ensure the correct additions). 

Domain Local groups 

For each other Domain - 

3. Create a Domain Local group. 

4. Give the Domain Local group the required permissions (run the setupaccess command - 

See 2.5 DPADadmin Utility for more information). 

5. Add the Domain Global group from the SBR Plug-In Domain to the Domain Local group. 

5.4.3 Scenario 3 - Combination 

This scenario represents more complex setups, where a combination of steps from Scenarios 1 

and 2 will be required. Use the steps given in the first two scenarios as a guide for what you 

will need to do for the combination scenario. 


Digipass Plug-In for SBR Administrator Reference Backup and Recovery 

6 Backup and Recovery 

This section explores the measures that Administrators can undertake in backing up and 

recovering Digipass Plug-In for SBR datafiles in the event of a system failure. 

Note 

This section does not cover backup of executables and system files. In the 

event of a catastrophic failure these can be restored or reinstalled from the 

original distribution media (and any subsequent service packs/patches). 

Once the SBR Plug-In is installed and operational, backups should be made of important files 

and data. 

Any time changes are made to the system, backups may need to be performed again. These 

changes include, but are not limited to: 

Changing any configuration settings including the IP address of a server 

Adding/removing a Component 

Modifying a Policy 

User and Digipass data should be backed up on a frequent, regular basis. 

6.1 What Must be Backed Up 

Configuration files for SBR Plug-In, Message Delivery Component and Command Line 

Administration Utility. 

User Self-Management Web Site pages and graphics (if customized) 

Virtual Digipass OTP Request Web Site pages and graphics (if customized) 

Audit Log data 

Active Directory or ODBC database containing Digipass-specific data 

DPX files (except for demo Digipass) 

Any command line administration scripts which have been written for use with the 

Command Line Administration Utility. 

Important Note 

The Digipass Plug-In for SBR installation includes a DPX directory containing 

sample DPX files for demo Digipass. These do not need to be backed up. 

However, if you have copied the DPX files for your real Digipass into that 

directory, ensure you still have the original files (normally on floppy disk). If 

you no longer have the DPX file(s) stored elsewhere, it is very important that 

you take a backup. 



6.1.1 Configuration files 

The configuration files for the SBR Plug-In, Virtual Digipass Message Delivery Component and 

Command Line Administration Utility can be copied from the bin directory (by default 

C:\Program Files\VASCO\Digipass Plug-In for SBR\Bin) to a secure location. 

The files to be copied are: 

dpsbrauth.xml for all SBR Plug-Ins 

dpadmincmd.xml 

mdcconfig.xml – a backup of one working file is sufficient. 

Tip 

Save the files above with an extension that describes the server from which the 

file(s) were backed up. This makes it easier and quicker to locate the correct file 

during recovery. 

6.1.2 Web Sites 

In some cases, the web pages and graphics provided with Digipass Plug-In for SBR for the 

User Self Management Web Site and Virtual Digipass OTP Request Web Site will have been 

customized to suit the organization’s colors/languages/themes/etc. 

If these web pages and graphics have been modified, it is important to have a backup stored 

in a secure location away from the production server. This will allow the web site to be 

restored for the look and feel of the organization. 

To back up the web site pages and graphics, you can copy the html, js, and gif files to another 

location. If the site is highly modified, or the location of the files on disk is not known, contact 

your web administrator for further guidance. 

Note 

Maintaining the directory structure will make restoration of the site, if required, 

quicker and easier. 

6.1.3 Audit Log Data 

If your organization requires that the Audit Log data be archived, the method required will 

depend on the audit settings. You may need to archive periodically, to avoid too much disk 

space being used or to keep the database from growing too large and slow. 

6.1.3.1 Write to Text File 

Ensure you make copies of all files contained in the directory into which the audit log files are 

written. By default this will be \Log, however it may have been configured to 

another location. Check the audit configuration settings if you are unsure. 



6.1.3.2 Write to ODBC Database 

Back up the database using the database's backup utility. 

6.1.3.3 Write to Windows Event Log 

By default, Event Log entries are written to the Application log. However, you can configure 

the entries to be written to another log. Check the audit configuration if you are unsure. 

Important Note 

The Event Log may be configured with a maximum size. When this size is 

reached, the oldest entries may be overwritten by new ones. To check this, 

view the Properties of the log in the Event Viewer. If older entries will be 

overwritten, you will need to archive them before that occurs. 

To archive an Event Log: 

1. Select Start -> Settings -> Control Panel. 

2. Double-click on Administrative Tools. 

3. Double-click on Event Viewer. 

4. Right-click on Application (or the correct log, if not Application). 

5. Click on Save log file as... 

6. Select a path and enter a filename. 

7. Select a file format from the Type drop down list. 

8. Click on the Save button. 

Note 

The Audit Log data is not required for system recovery purposes. 

6.1.4 DPX files 

The DPX files are normally provided on a floppy disk, which can be stored securely as a 

backup. If you prefer another method of archive, copy the files to your preferred location. It is 

important to keep the DPX file transport keys secure and preferably in a separate location to 

the DPX files themselves. 

6.1.5 Active Directory 

6.1.5.1 Cold Backup 

In many cases the SBR Plug-In will belong to an Active Directory domain that includes several 

Domain Controllers. Replication should automatically occur between Domain Controllers, 

providing simple data backup. 

It is highly recommended, however, that you perform a 'cold' backup of the System State 

Data, which includes the Active Directory repository. This will allow recovery if data is 

corrupted and then replicated. For more information about backing up and restoring System 



State Data, refer to Windows Help on your Domain Controller and enter 'backing up data, 

System State data' in the index tab. In particular, this should be performed on the Digipass 

Configuration Domain and any other Domains containing Digipass User accounts and/or 

Digipass records. 

6.1.6 ODBC and Embedded Database 

6.1.6.1 Data Source Settings 

If you have performed some adjustments to the ODBC Data Source (DSN) that are important 

to keep, make sure that you have a readout of the settings. 

6.1.6.2 Backup Strategies 

Warm Backup 

A 'warm' backup of the disk containing the database used by the SBR Plug-In via a RAID 

hardware configuration or server mirroring is a favorable backup method. It is both entirely up 

to date and incurs no downtime if a single disk failure occurs. 

This method requires either software RAID, or for better performance a hardware RAID 

configuration. 

Another technique that achieves the same effect is the 'shadow database'. 

However, it is still recommended to take a cold backup at intervals, as there is a possibility 

that a database corruption could be mirrored/shadowed under some circumstances. 

Cold Backup 

A 'cold' backup of the database allows administrators to implement a duplicate database as a 

safeguard on a regular basis. Generally speaking there are two methods that can be used to 

perform a cold backup: 

Backup Utility 

The first option is to use the vendor-specific backup utility that allows the contents of the 

database to backed up to a file or device while the system is running. Such a utility is provided 

with the embedded database PostgreSQL (see below). 

Shut Down and Copy the Database File 

The second option involves stopping the database server and any connecting server processes 

and copying the database files. However, this is only possible where the database vendor 

recommends this approach. Normally this is only appropriate if the database is contained in a 

single operating system file. 

Replicated Copy 

If replication has been configured between databases, a replicated copy can be used as a 

backup. However, it is still recommended to take a cold backup at intervals. 



6.1.6.3 Backup of Embedded Database 

The PostgreSQL database available with the SBR Plug-In installation may be backed up while 

operational by completing these steps: 

1. Open command prompt in \PostgreSQL\Bin. 

2. Enter the following command and hit ENTER: 

pg_dump -f "" -Fc -Z9 -U [-v] postgres 

where: 

is the absolute path and file name of the file to back up the data 

to 

is the database administrator account name. When installed, 

this is set to "digipass". 

-v is an optional 'verbose mode' parameter. Use this if you wish to see output as the 

backup is run. 

3. You will normally be prompted for the password of the database administrator account. 

When installed, this is set to "digipassword". 

This command may also be run via a batch file in order to automatically take a backup at 

regular intervals. In order to remove the interactive prompt for the password, you can add a 

line to a PostgreSQL configuration file to allow local logins for a database administrator account 

without a password. Edit the file \PostgreSQL\data\pg_hba.conf with a text 

editor. At the bottom of this file, there is a list of rules for authenticating connections to the 

database, which by default will be: 

# TYPE DATABASE USER CIDR-ADDRESS METHOD 


host all all 127.0.0.1/32 md5 


#host all all ::1/128 md5 

Add the following line directly below # Ipv4 local connections: 

host postgres digipass 127.0.0.1/32 trust 

You may prefer to create a second database administrator account that only has permission to 

back up the database. This can be done using the PostgreSQL database administration utility 

Programs -> PostgreSQL 8.1 -> pgAdmin III. Refer to the PostgreSQL documentation for 

more information. 



6.2 Recovery 

6.2.1 Active Directory 

Assumptions: 

Active Directory itself is still valid and operational. 

Steps: 

Up-to-date backups of the configuration files for the SBR Plug-In are available. 

1. Rebuild the server with your operating system SOE, using the same IP address as 

before, in the same Domain as before. 

2. Retrieve your backup copy of the dpsbrauth.xml file. 

3. Reinstall Digipass Plug-In for SBR on the server. The same settings as those chosen in 

the previous installation should be selected. Note: on Active Directory or an ODBC 

database, the This is not the first SBR Plug-In to be installed checkbox on the 

Prerequisites screen should be ticked. 

4. Tick the Use an evaluation license checkbox (the existing Digipass data in the data 

store contains all necessary licensing information, which will be retrieved when the 

SBR Plug-In is operational). 

5. At the end of the installation, you will be prompted to select a license activation 

method. Select Just Continue. 

Before you restart the machine, carry out the following: 

6. Restore the backup copy of the configuration file dpsbrauth.xml to \bin. 

7. Restore any customized files for the web sites (see 9.1 Customizing the Web Sites 

and 6.1.2 Web Sites for more information). 

After restarting the machine: 

8. Check that you can view Digipass-specific information in the Administration MMC 

Interface and the Digipass Extension for Active Directory Users and Computers. 



6.2.2 ODBC or Embedded Database 

6.2.2.1 Rebuild SBR Plug-In, Database Undamaged 












6. Restore the backup copy of the configuration file dpsbrauth.xml into the same 

directory. 



After restarting the machine: 


Interface. 



6.2.2.2 Restore Database, SBR Plug-In Undamaged 

This procedure should be followed where a database has been damaged and no current, valid 

database exists on another server. The database is restored from an earlier backup. 

1. Stop the Steel-Belted RADIUS service. 

2. Restore database from backup. If you are using the embedded PostgreSQL database: 

a. Open a command prompt in \PostgreSQL\Bin. 

b. Enter the following command and hit ENTER: 

pg_restore -d postgres -c -U [-v] "" 

where: 

is the absolute path and file name of the file to restore from 

is the database administrator account name. The database 

administrator account created during installation is "digipass". 

-v is an optional 'verbose mode' parameter. Use this if you wish to see output as 

the database is restored. 

c. Enter the following command and hit ENTER: 

vacuumdb -z -d postgres -U [-v] 

where: 





This step forces the database to recalculate optimization statistics, because all the 

data has been removed and reloaded. 



6.2.2.3 Rebuild SBR Plug-In, Restore Database 

This procedure is required where both the SBR Plug-In and its database have been lost. 

Configuration files and the database will be restored from backups. 

1. Rebuild the server with your operating system SOE, using the same IP address as 

before, in the same Domain as before. 













directory. 



8. Restore database from backup. If you are using the embedded PostgreSQL database: 

a. Stop the Steel-Belted RADIUS service. 

b. Open a command prompt in \PostgreSQL\Bin. 



where: 








d. You will normally be prompted for the password of the database administrator 

account. When installed, this is set to "digipassword". 

e. Enter the following command and hit ENTER: 


where: 







f. You will normally be prompted for the password of the database administrator 

account. When installed, this is set to "digipassword". 

9. Reboot the machine. 





6.2.2.4 Copy Database from Other SBR Plug-In 

This procedure will be required where multiple SBR Plug-Ins are using databases which have 

been configured to synchronize with each other, where one database has become 

unsynchronized or unstable. This database must be replaced with a 'safe' database – one 

containing up-to-date, uncorrupted data. The instructions below assume a simple two-SBR 

Plug-In pair where one SBR Plug-In (SVR-2) is using a database that has become unstable, 

and the other (SVR-1) is using a 'safe' database. 

To replace the database: 

1. Identify the SBR Plug-In with the 'safe' database. For these steps, the machine will be 

referred to as SVR-1. 

2. Stop the Steel-Belted RADIUS service on SVR-1 and SVR-2. 

3. Take a complete copy of the database used by the SBR Plug-In on SVR-1. If you are 

using the embedded PostgreSQL database: 




where: 








where: 









4. Delete the replication queue file(s) on SVR-1 for SVR-2. 

5. The Steel-Belted RADIUS service on SVR-1 may be restarted now if needed. 

6. Completely overwrite the database used by the SBR Plug-In on SVR-2 with the copy 

from SVR-1. If you are using the embedded PostgreSQL database: 




where: 








where: 







7. Delete the replication queue file on SVR-2 for SVR-1. 

Warning 

If the 'bad' database used by the SBR Plug-In on SVR-2 was being 

synchronized with another database (eg. SVR-3), you must copy over the 

other database as well. Follow the steps above for any databases with which 

the database on SVR-2 was synchronized. 

8. Restart the Steel-Belted RADIUS service on SVR-2. 



6.2.2.5 Rebuild SBR Plug-In, Copy Database 

This procedure will be required where multiple SBR Plug-Ins are synchronizing with each other 

and one SBR Plug-In, together with its database, is lost. The instructions below assume one 

functional SBR Plug-In (SVR-1) with an up-to-date database, and a server on which an SBR 

Plug-In must be rebuilt (SVR-2) and its database copied from the other SBR Plug-In. 

1. Rebuild SVR-2 with your operating system SOE, using the same IP address as before, 











Before you restart SVR-2, carry out the following: 


directory. 



8. On SVR-1, stop the Steel-Belted RADIUS service. 

9. Take a complete copy of the database used by the SBR Plug-In on SVR-1. If you are 

using the embedded PostgreSQL database, see 6.1.6.3 Backup of Embedded 

Database for instructions. 

10. Delete the synchronization queue file(s) on SVR-1 for SVR-2. 

11. The Steel-Belted RADIUS service on SVR-1 may be restarted now if needed. 

12. Completely overwrite the database used by the SBR Plug-In on SVR-2 with the copy 

from SVR-1. If you are using the embedded PostgreSQL database: 






where: 








where: 







13. Restart SVR-2. 



Warning 

If the 'bad' database used by the SBR Plug-In on SVR-2 was being 

synchronized with another database (eg. SVR-3), you must copy over the 

other database as well. Follow the steps above for any databases with which 

the database on SVR-2 was synchronized. 


Digipass Plug-In for SBR Administrator Reference Field Listings 

7 Field Listings 

7.1 User Property Sheet 

Table 30: User Fields 

Field Name in 

Administration 

Interfaces 

New Password 

Confirm Password 

Description 

These fields are used to modify the static password that is stored in the Digipass User 

account. If they are left blank, no modification is made. 

Local Authentication Specifies whether authentication requests for the User account will be handled by the SBR 

Plug-In using Local Authentication (see the Authenticating Users section in the Product 

Guide for more details on Local Authentication and Back-End Authentication). 

Normally, this field will be Default, meaning that the Policy applicable to the authentication 

request determines the setting. This field on the Digipass User account is used to override 

the Policy setting for special cases. 

When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that 

can be used and whether the Digipass User account has any assigned Digipass that meet the 

restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they 

cannot use Digipass authentication under that Policy. 

Options: 

Back-End 

Authentication 

Default Use the setting of the effective Policy. 

None The SBR Plug-In will not carry out Local Authentication for this User 

account. They may be handled using Back-End Authentication, or not 

handled at all by the SBR Plug-In. 

Digipass/Password The SBR Plug-In will always carry out Local Authentication for this User, 

using Digipass authentication if possible, otherwise the static password. 

Back-End Authentication may also be utilized. 

Digipass Only The SBR Plug-In will always carry out Local Authentication for this User, 

using Digipass authentication. If Digipass authentication is not possible, 

the user cannot log in. Back-End Authentication may also be utilized. 

Specifies whether authentication requests for the User account will be handled by the SBR 

Plug-In using Back-End Authentication (see the Authenticating Users section in the 

Product Guide for more details on Local Authentication and Back-End Authentication). 


request determines the setting. This field on the Digipass User account is used to override 

the Policy setting for special cases. 

Options: 


None Back-End Authentication will not be used. 

If Needed The SBR Plug-In will utilize Back-End Authentication but only in certain 

cases: 

Dynamic User Registration 

Self-Assignment 

Password Autolearn 

Requesting a Challenge or Virtual Digipass OTP, when the Request 

Method includes a Password 

Static password authentication, when verifying a Virtual Digipass 

password-OTP combination or during the Grace Period 

Always The SBR Plug-In will utilize Back-End Authentication for every 

authentication request. 

Disabled Specifies whether a Digipass User account is enabled or disabled. If disabled, authentication 



Field Name in 



Description 

for the User will be rejected by the SBR Plug-In. 

Active Directory only: 

This attribute will be set to disabled and made read-only if the Active Directory User account 

is disabled or expired. Otherwise, this attribute will be editable. 

Locked Specifies whether a Digipass User account is locked or not. If locked, authentication for the 

User will be rejected by the SBR Plug-In. 

The Locked indicator is normally set automatically when the User exceeds a certain number 

of failed authentication attempts. The User Lock Threshold is set in the Policy. 

Linked User Account It is possible to share Digipass between different User accounts, by linking User accounts 

together. This feature is intended for the case where one person, such as an administrator, 

has multiple User accounts. If their accounts are linked, there is no need to give more than 

one Digipass to that person. 

This feature is used by assigning the Digipass to one User account, then linking all the other 

User accounts for the person to the one that has the Digipass. 

Read-only. 


If a User is linked to another User, their Linked User Account field will show the Active 

Directory format DN (Distinguished Name) of the linked User. The DN shows the full address 

within Active Directory of the linked User, for example: 

CN=Test User,OU=Admin,OU=Europe,DC=vasco,DC=com 

In this example, the linked User is called Test User and they are located in an Organizational 

Unit Admin, which is inside another Organizational Unit Europe in the vasco.com domain. 

ODBC Database only: 

If a User is linked to another User, their Linked User Account field will show the UserId and 

Domain of the linked User, for example: 

testuser [vasco.com] 

Created On The date and time that the Digipass User account was created. Read-only. 

Last Modified On The date and time that the Digipass User account was last modified. Read-only. 

Domain ODBC Database only: 

The Domain to which the User belongs. 

Read only. 

Organizational Unit ODBC Database only: 

The Organizational Unit in which the User is located. This is optional as the User does not 

have to be located in an Organizational Unit. 

Read only. The Move command must be used from the User list menu to change this. 

User Name ODBC Database only: 

The full name of the User. 

Email Address ODBC Database only: 

The email address of the User. 

Phone No. ODBC Database only: 

The telephone number of the User. 

Mobile No. ODBC Database only: 

The mobile phone number of the User. This will be used for Virtual Digipass logins. 

Description ODBC Database only: 

Any descriptive text or notes. 

Assigned Digipass list This lists all Digipass that are assigned to the User. For each Digipass, the list of active 

Applications is given with the Application Type indicated in brackets(). For example: 

0058384426 RESP_ONLY(RO), CHALLENGE(CR) 

In this example line, the Digipass with Serial Number 0058384426 has two active 

Applications: one Response Only Application RESP_ONLY and one Challenge/Response 

Application CHALLENGE. 

If the User does not have any Digipass assigned directly, but is linked to another User to use 



Field Name in 



Description 

their Digipass (see Linked User Account), the linked User's Digipass list is shown with the 

Serial Numbers in square brackets (eg. [0058384426]). 

When a Digipass in the list is selected, the remainder of the property sheet tab indicates 

values from the corresponding Digipass record. 

Read-only. 

7.2 User Authorization Profiles/Attributes Window 

Table 31: User Fields 

Field Name in 



Description 

Attribute Group list This list box displays all Attribute Groups, RADIUS attributes and RADIUS Profiles currently 

configured for a User account. 

Attribute Group drop 

down list 

Contains all Attribute Groups configured so far. A new Attribute Group may be created by 

typing a new value into the drop down list. 

Attribute Groups contain one or more RADIUS attributes and/or RADIUS Profiles. They are 

used where multiple SBR Plug-Ins are in use, and each SBR Plug-In needs to use different 

RADIUS attributes or a different Profile for a User. See the RADIUS Attributes topic in the 

Product Guide for more information. 

The name selected in this field should match a name entered in the Configuration for a SBR 

Plug-In. 

Name drop down list The name of the item being configured. If this is a RADIUS attribute, it must match the name 

of a RADIUS attribute in Steel-Belted RADIUS. If this is a RADIUS Profile, it should match the 

Profile Attribute Name configured for a SBR Plug-In. 

Usage drop down list Specifies the usage required from the RADIUS attribute or RADIUS Policy. 

Options: 

Check Used to ensure that an attribute supplied by Steel-Belted RADIUS 

contains the expected value. 

Profile Indicates that the value entered is the name of a Profile existing in 

Steel-Belted RADIUS. 

Return Passed back to SBR when the result of an authentication is returned by 

the SBR Plug-In. 

Value field If the new item is a RADIUS attribute, this field must contain the RADIUS attribute value 

expected by or sent by SBR Plug-In. If it is a RADIUS Profile, it should match a RADIUS 

Profile existing in Steel-Belted RADIUS. 



7.3 Digipass Property Sheet 

Table 32: Digipass Fields 

Field Name in 



Description 

Domain ODBC Database only: 

The Domain to which the Digipass belongs. 

Read only. The Move command must be used from the Digipass list menu to change this. 

Organizational Unit ODBC Database only: 

The Organizational Unit in which the Digipass is located. This is optional as the Digipass does 

not have to be located in an Organizational Unit. 

Read only. The Move command must be used from the Digipass list menu to change this. 

Digipass Type The type of Digipass represented by the Digipass record (eg. DP300). 

Reserve for Individual 

Assignment 

When used, this option prevents the Digipass from being assigned using the Auto-Assignment 

feature. It also prevents it from being assigned by an administrator who uses the 'Assign next 

available...' option in the assignment dialog. 

Assigned to User User ID of the Digipass User account that the Digipass is assigned to, if it is assigned. 

Read-only. 

Date Assigned The date and time when the Digipass was assigned to its current User. 

Read-only. 

Grace Period End The date on which the Grace Period will expire, or did expire, for this Digipass. If the date 

shows today's date or before, the Grace Period has already expired. If it is blank, there is no 

Grace Period. 

Enable Backup VDP Specifies whether and how the Backup Virtual Digipass feature can be used for this Digipass. 

Note that in order for the Backup Virtual Digipass feature to function, it must also be activated 

in the DPX file for the Digipass. 


request determines the setting. This field on the Digipass record is used to override the Policy 

setting for special cases. 

Options: 


No Backup Virtual Digipass is not permitted. 

Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory. 

The Enabled Until date is not applicable when using this 

option, but the Uses Remaining count is. 

Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory. 

Both the Enabled Until date and the Uses Remaining count 

will be in effect. 

Yes - Required Backup Virtual Digipass is mandatory. This may be useful if the 

User may have lost the Digipass, to prevent it from being used 

until they have found it again. 

The Enabled Until date is not applicable when using this 

option, but the Uses Remaining count is. 

Enabled Until The date on which the Backup Virtual Digipass feature may no longer be used, provided that 

the effective Enable Backup VDP setting is Yes – Time Limited (it is ignored otherwise). 

If this date is blank, it will be set automatically the first time that the User requests a Backup 

Virtual Digipass OTP, using the Backup Virtual Digipass Time Limit defined in the Policy. 

Once this date has expired, it requires administrator intervention either to extend it or to 

reset it to blank for the next time that the User needs to use Backup Virtual Digipass. 

Uses Remaining The remaining number of times that the Backup Virtual Digipass feature may be used for this 

Digipass. Once this number has reached zero, Backup Virtual Digipass can no longer be used 

with this Digipass, unless the administrator increases it or resets it to blank. 

If this number is blank and there is a Backup Virtual Digipass Max. Uses/User defined in 



Field Name in 



Description 

the Policy, it will be set automatically the first time that the User requests a Backup Virtual 

Digipass OTP, based on the Max. Uses/User. 

Created On The date and time that the Digipass was created. Read-only. 

Last Modified On The date and time that the Digipass was last modified. Read-only. 

7.4 Digipass Application Tab 

Table 33: Digipass Application Fields 

Field Name in 



Application Type The type of Digipass Application: 

RO – Response Only 

CR – Challenge/Response 

SG – Signature 

Description 

Active This field can be used to deactivate an Application, so that it cannot be used. 

Attribute/Value list This list indicates various internal settings of the Digipass Application. 

Created On The date and time that the Digipass Application was created. Read-only. 

Last Modified On The date and time that the Digipass Application was last modified. Read-only. 



7.5 Policy Property Sheet 

Note 

Changes to Policy settings will not take effect immediately. They will take effect 

when the SBR Plug-In is restarted, once the Policy change is available to the 

SBR Plug-In in the data store. Alternatively, if there is no restart, the cache of 

Policy settings will refresh from the data store after approximately every 15 

minutes. 

Table 34: Policy Fields 

Field Name in 



Description 

Description This description can be entered to record the purpose of the Policy. 

Inherits from Policy Contains the Name of the Policy from which settings will be inherited, referred to as the 

'parent Policy'. Settings are inherited individually, depending on the value in the Policy field; 

they inherit the parent Policy value in the following cases: 

Choice lists/radio buttons – if the selected value is Default 

Text fields – if the field is blank 

Numeric fields – if the field is blank (not 0) 

List fields – if the list is empty 

The Show Effective Policy Settings... button can be used to display the result of 

inheriting settings combined with settings on the current Policy. 

Local Authentication Specifies whether authentication requests using the Policy will be handled by the SBR Plug- 

In using Local Authentication (see the Authenticating Users section in the Product 


When Local Authentication is used, there are two factors that determine whether Digipass 

authentication is used – any Policy restrictions on Digipass Types and/or Applications that 

can be used and whether the Digipass User account has any assigned Digipass that meet 

the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, 

they cannot use Digipass authentication under that Policy. 

Options: 

Back-End 


Default Use the setting of the parent Policy. 

None The SBR Plug-In will not carry out Local Authentication under this 

Policy. They may be handled using Back-End Authentication, or not 

handled at all by the SBR Plug-In. 

Digipass/Password The SBR Plug-In will always carry out Local Authentication under this 

Policy, using Digipass authentication if possible, otherwise the static 

password. Back-End Authentication may also be utilized. 

Digipass Only The SBR Plug-In will always carry out Local Authentication under this 

Policy, using Digipass authentication. If Digipass authentication is not 

possible, the user cannot log in. Back-End Authentication may also 

be utilized. 

Specifies whether authentication requests using the Policy will be handled by the SBR Plug- 

Inusing Back-End Authentication (see the Authenticating Users section in the Product 


Options: 


None Back-End Authentication will not be used. 

If Needed The SBR Plug-In will utilize Back-End Authentication but only in 

certain cases: 

Dynamic User Registration 



Field Name in 



Description 

Self-Assignment 


Requesting a Challenge or Virtual Digipass OTP, when the 

Request Method includes a Password 

Static password authentication, when verifying a Virtual 

Digipass password-OTP combination or during the Grace Period 

Always The SBR Plug-In will utilize Back-End Authentication for every 

authentication request. 

Back-End Protocol Specifies the protocol to be used for Back-End Authentication. 

Options: 

Windows Authentication using the Windows operating system. 

RADIUS Authentication using a RADIUS server. 

This option is not available in Digipass Plug-In for SBR. 

Created On The date and time that the Policy was created. Read-only. 

Last Modified On The date and time that the Policy was last modified. Read-only. 

Dynamic User 

Registration 

Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy. 

If this feature is used, when the SBR Plug-In receives an authentication request for a User 

for the first time and Back-End Authentication is successful, it will create a Digipass User 

account automatically. If DUR is used in conjunction with Auto-Assignment, a Digipass will 

be assigned to the new User account immediately. 

Password Autolearn Specifies whether the Password Autolearn feature is enabled for the Policy. This feature 

enables the SBR Plug-In to update the password stored in the Digipass User account when 

Back-End Authentication is successful. 

In Digipass Plug-In for SBR it is normally not necessary to store the password in the 

Digipass User account, so this feature is not typically used. 

Stored Password Proxy Specifies whether the Stored Password Proxy feature is enabled for the Policy. This 

feature can be used in conjunction with the Back-End Authentication Always setting and 

the Password Autolearn feature, so that even though a Back-End Authentication check is 

done every login, it is done using the password stored in the Digipass User account, so the 

User does not have to enter it during their login unless it has just changed. 

In Digipass Plug-In for SBR it is normally not necessary to perform a Back-End 

Authentication check at each login, so this feature is not typically used. 

Default Domain The default Domain in which the SBR Plug-In should look for and create Digipass User 

accounts, if a Domain is not specified by the login credentials. 


If the User logs in with the User-Principal-Name format (eg. testuser@vasco.com) or the 

NT4 style format (eg. VASCO\testuser), the Default Domain is not used. However, if they 

log in with just a UserId (eg. testuser), the Default Domain will be used if specified. 

In the case that no Domain is implied by the login credentials and there is no Default 

Domain, the SBR Plug-In will search in its Configuration Domain. 

This must be the fully qualified domain name. 

ODBC Database only: 

Windows User Name Resolution can be used, in which case the User-Principal-Name and 

NT4 style formats will determine the Domain. If the Domain is not determined by that 

method, a simple UPN-like format (ie. testuser@vasco.com) will identify the Domain, when 

the Domain exists in the database. 

In either case, if no Domain has been identified, the Policy's Default Domain will be used if 

it is defined. Finally, if there is no Default Domain, the Master Domain will be used. 

User Lock Threshold This indicates the number of consecutive failed login attempts that will cause a Digipass 

User account to become Locked. For example, if the User Lock Threshold is 3, the account 

will become Locked on the third failed login attempt. Unlocking the account requires 

administrator action. 

Note that not all kinds of login failure will result in locking. For example, if the UserId is 



Field Name in 



Windows Group Check 

(radio buttons) 

Description 

incorrect or the account is Disabled, the failure would not count towards the lock threshold. 

Locking is used mainly for incorrect OTPs and static passwords. 

Specifies whether and how the Windows Group Check feature is to be used. This feature 

is typically used for a staged deployment of Digipass when the Auto-Assignment method 

is used. It can also be used when only some Users are required to use Digipass or when 

only some Users will be permitted access and they have to use Digipass. 

Options: 


No check Do not use the Windows Group Check feature. 

Pass requests for users not 

in listed groups back to 

host system 

Reject requests for users 

not in listed group 

Use only Back-End 

Authentication for users 

not in listed groups 

Use the Windows Group Check so that any Users who are not in 

one of the listed groups are ignored by the SBR Plug-In. 

Use the Windows Group Check so that any Users who are not in 

one of the listed groups are rejected by the SBR Plug-In. 

Use Back-End Authentication only for any Users who are not in 

one of the listed groups. 

Group List This lists the names of the Windows Groups to be checked according to the Windows Group 

Check radio button setting. There are some important limitations of this check: 

Certain built-in Active Directory groups such as Domain Users and Everyone will not 

be checked. The check is intended to be used with a new group created specifically for 

this purpose. 

Nested group membership will not be detected by the check. 

There is no Domain qualifier for a group. The named group must be created in each 

Domain where User accounts exist that need to be added to the group. 

In the case of an ODBC Database, a local machine group can be used also. 

Assignment Mode Specifies the method of automated Digipass Assignment that will be used for this Policy, if 

any. There are two methods, Auto-Assignment and Self-Assignment. 

Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When 

DUR occurs, the next available Digipass is assigned to the new Digipass User account. A 

Grace Period is set for the Digipass according to the Grace Period setting in the Policy. 

Self-Assignment is typically used with DUR also, but if the Digipass User accounts are 

created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a 

User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP 

from the Digipass and their static password. There is no Grace Period associated with Self- 

Assignment, because the User has to use the Digipass to perform Self-Assignment. 

In both cases, any Applicable Digipass restrictions for the Policy apply. For example, it will 

not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 and 

DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy 

restrictions, they will not be able to self-assign another Digipass. 

Options: 


Auto-Assignment Use the Auto-Assignment method. 

Self-Assignment Use the Self-Assignment method. 

Neither Do not use either method of automated assignment. 

Grace Period Default time period (in days) to give Users between Auto-Assignment of a Digipass and 

the date they must start using their Digipass to login. Before that time they can still use a 

static password (unless the Local Authentication setting is Digipass Only). However, the 

first time that an OTP is used to log in, the Grace Period is ended at that point if it has not 

already ended. 

This setting does not affect manual assignment by an administrator. 

Serial No. Separator The character (or short sequence of characters) that will be included at the end of the 



Field Name in 



Search Upwards in Org. 

Unit hierarchy 

Description 

Digipass Serial Number during a Self-Assignment login. It allows the SBR Plug-In to easily 

recognise that a Self-Assignment attempt is being made and extract the Serial Number from 

the credentials. 

This controls the search scope for an available Digipass for Auto-Assignment or for a 

specific Digipass for Self-Assignment. 

This setting does not affect manual assignment by an administrator. 

Options: 


No The search scope is only the Organizational Unit in which the User 

account belongs. If the User does not belong to an Organizational 

Unit (ODBC Database only), the search will look for Digipass that 

also do not belong to an Organizational Unit. 

Yes The search will start in the User account's Organizational Unit, but if 

necessary it will then move upwards through the Organizational Unit 

hierarchy until it reaches the top. At the top, in the case of Active 

Directory, the Digipass-Pool container will be searched instead of the 

Domain Root. See the Location of Digipass Records topic in the 

Product Guide for more information. 

Application Names The Policy can specify a restriction on which Digipass Applications may be used when it is 

effective. If the list is empty, there is no restriction. If there are one or more entries, they 

will indicate the Application Names that are permitted. 

Application Type The Policy can restrict which Digipass Application Type (eg. Response Only, 

Challenge/Response) may be used when it is effective. 

Options: 


No Restriction Digipass Application Type is not restricted. 

Response Only Only Digipass Applications of Type RO (Response Only) may be 

used. 

Challenge/Response Only Digipass Applications of Type CR (Challenge/Response) may be 

used. 

Digipass Types The Policy can specify a restriction on which Digipass Types may be used when it is 

effective. If the list is empty, there is no restriction. If there are one or more entries, they 

will indicate the Digipass Types that are permitted. 

Allow PIN change Specifies whether Digipass Users will be allowed to change their Server PIN during logins 

to which the current Policy applies. Normally this setting is enabled, but it can be used to 

prevent PIN changes if required. 

1-Step 

Challenge/Response – 

Permitted 

1-Step 


Challenge Length 

Controls whether 1-step Challenge/Response logins will be enabled for the current Policy 

and, if so, where the challenge should originate. 

Note that 1-step Challenge/Response is not applicable in a RADIUS environment. 

Options: 

Default 

No 1-step Challenge/Response may not be used. 

Yes – Server 

Challenge 

1-step Challenge/Response may be used provided that the 

authentication server that verifies the response generated the 

challenge. 

Yes – Any Challenge 1-step Challenge/Response may be used with any random challenge. 

Specifies the length of the challenge (excluding a check digit) which should be generated for 

1-step Challenge/Response logins. 

1-Step A check digit may be added to the generated challenge. This allows the Digipass to more 



Field Name in 




Add Check Digit 

2-Step 


Request Method 

2-Step 


Request Keyword 

Primary Virtual Digipass 

– Request Method 

Primary Virtual Digipass 

– Request Keyword 

Backup Virtual Digipass 

– Enable Backup VDP 

quickly identify invalid Challenges. 

Description 

The method by which a User has to request a 2-step Challenge/Response login. 

This is the only mode of Challenge/Response available in a RADIUS environment. 

The 'request' is made in the password field during login. The request will be ignored if the 

User does not have a Challenge/Response-capable Digipass assigned. 

Options: 


None Do not use 2-step Challenge/Response. 

Keyword Use the Request Keyword. For Challenge/Response, this is 

permitted to be blank. 

Password Use the static password. 

KeywordPassword Use the Request Keyword followed by the static password. No 

separator characters or whitespace should be between them. 

PasswordKeyword Use the static password followed by the Request Keyword. No 


Defines the Keyword that a User must enter to request a 2-step Challenge/Response login, 

if a method using a Keyword is selected in the Request Method. 

For Challenge/Response, this is permitted to be blank. 

The method by which a User has to request a Primary Virtual Digipass login. 


User does not have a Primary Virtual Digipass assigned. 

Options: 


None Do not use Primary Virtual Digipass. 

Keyword Use the Request Keyword. For Primary Virtual Digipass, this is not 







Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if a 

method using a Keyword is selected in the Request Method. For Primary Virtual Digipass, 

this is not permitted to be blank. 

Specifies whether and how the Backup Virtual Digipass feature can be used when this Policy 

is effective. Note that in order for the Backup Virtual Digipass feature to function, it must 

also be activated in the DPX file for the Digipass. 

Options: 


No Backup Virtual Digipass is not permitted. 

Yes - Permitted Backup Virtual Digipass is permitted, but not mandatory. 

The Time Limit is not applicable when using this option, but the 

Max. Uses/User limit is. 

Yes – Time Limited Backup Virtual Digipass is permitted, but not mandatory. 

Both the Time Limit and the Max. Uses/User limit will be in effect. 

Yes - Required Backup Virtual Digipass is mandatory. 

The Time Limit is not applicable when using this option, but the 



Field Name in 




– Time Limit 


– Max. Uses/User 


– Request Method 


– Request Keyword 

Identification Time 

Window 

Description 

Max. Uses/User limit is. 

When the Enable Backup VDP setting is Yes – Time Limited, the Time Limit setting 

indicates the number of days for which the Backup Virtual Digipass feature may be used by 

a User, once they start using it. 

The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set 

automatically the first time that the User requests a Backup Virtual Digipass OTP, using the 

Time Limit defined in the Policy. Once this date has expired, it requires administrator 

intervention either to extend it or to reset it to blank for the next time that the User needs 

to use Backup Virtual Digipass. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will 

have a separate limit for each one. 

The maximum number of uses of the Backup Virtual Digipass feature permitted for each 

User, if they do not have a specific limit set for them. 

If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and 

there is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set 

automatically the first time that the User requests a Backup Virtual Digipass OTP. 

Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be used 

with this Digipass, unless the administrator increases it or resets it to blank. 

Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will 

have a separate limit for each one. 

The method by which a User has to request a Backup Virtual Digipass login. 


User does not have a Digipass assigned that is activated for the Backup Virtual Digipass 

feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use. 

Options: 


None Do not use Backup Virtual Digipass. 

Keyword Use the Request Keyword. For Backup Virtual Digipass, this is not 







Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if a 

method using a Keyword is selected in the Request Method. For Backup Virtual Digipass, 

this is not permitted to be blank. 

Controls the maximum number of time steps' variation allowable between a Digipass and 

the authentication server during login. This only applies to time-based Response Only and 

Challenge/Response Applications. 

The Dynamic Time Window option may be used to allow more variation according to the 

length of time since the last successful login. 

If this setting is not specified at all, there is an inbuilt default value of 20. 

Signature Time Window Controls the maximum number of time steps' variation allowable between a Digipass and 

the authentication server during Digital Signature verification. This only applies to timebased 

Signature Applications. 


Signature Applications are not currently used in RADIUS environments. 

Initial Time Window Controls the maximum allowed time variation allowable between a Digipass and the 

authentication server, the first time that the Digipass is used. The time is specified in hours. 

This Initial Time Window is also used directly after a Reset Application operation, which 

can be used if it appears that the internal clock in the Digipass has drifted too much since 



Field Name in 



Description 

the last successful login. 

This only applies to time-based Applications. 

In either case, after the first successful login, the Initial Time Window is no longer active. 


Event Window Controls the maximum number of events' variation allowable between a Digipass and the 

authentication server during login that uses an event-based Application. 


Identification Threshold Specifies the number of consecutive failed authentication attempts allowed before the 

Digipass Application is locked from future authentication attempts. 

This locking mechanism is separate from the User Lock Threshold and is normally not 

necessary. It only applies when a single Digipass Application can be used for a login, either 

because the User only has one Digipass with one Application, or because the Policy 

restrictions narrow the list down to one Digipass Application. If Policy restrictions are used 

in this way, the Identification Threshold can be used to lock a User out of one kind of login 

(eg. a VPN) while still permitting them to use another kind (eg. Wireless). 

If this setting is not specified at all, this feature is not used. 

Signature Threshold Specifies the number of consecutive failed Digital Signature authentication attempts allowed 

before the Digipass Application is set to be locked from future authentication attempts. 



Max. Days Since Last 

Use 

This setting specifies the maximum number of days for which a Digipass Application can go 

unused for authentication. After this limit, authentication will be rejected until an 

admnistrator performs a Reset Application operation. 


Challenge Check Mode This setting is for advanced control over time-based Challenge/Response authentication. 

The value 1 should be used for standard RADIUS challenge/response. This is the inbuilt 

default value if the setting is not specified at all. 

0 No check is made. This is necessary for 1-step 

Challenge/Response. 

1 The challenge presented for verification must be the last one that 

was generated specifically for that Digipass. This is the normal mode 

of operation in 2-step Challenge/Response. 

2 The challenge presented for verification is ignored; the last one that 

was generated specifically for that Digipass is used. This is rarely 

applicable. 

3 Only one verification is permitted per time step. This option only 

applies to time-based Challenge/Response. This is a method of 

avoiding a potential replay of a captured response if the same 

challenge comes up again in the same time step. 

4 If the same challenge and response are presented for verification 

twice in a row during the same time step, they are rejected. This is 

an advanced method of avoiding a potential replay of a capture 

challenge/response. 

Online Signature Level This setting is for advanced control of Digital Signature authentication, and is not applicable 

currently. 




7.6 Component Property Sheet 

Note 

Changes to Component settings will not take effect immediately. They will take 

effect when the SBR Plug-In is restarted, once the Component change is 

available to the SBR Plug-In in the data store. Alternatively, if there is no 

restart, the cache of Component settings will refresh from the data store after 

approximately every 15 minutes. 

Table 35: Component Fields 

Field Name in 



Description 

Component Type The type of Component represented by the record. 

Options: 

Authentication Server 

RADIUS Client 

Citrix Web Interface 

Outlook Web Access 

IAS Plug-In 


Administration Interface 

IIS Module 2.x 

Location The IP address or name of the machine represented by the record. For a Plug-In, it must be 

the licensed IP address; for a RADIUS Client, it must be the NAS-IP-Address or NAS-Identifier 

values sent in the RADIUS requests. 

Policy The name of the Policy that should be used for authentication requests from the Component. 

Shared Secret The RADIUS Shared Secret for the Component. 

Created On The date and time that the Component was created. Read-only. 

Last Modified On The date and time that the Component was last modified. Read-only. 



7.7 Domain Property Sheet 

This property sheet is required if the data store used by the SBR Plug-In is an ODBC or 

embedded database. 

Note 

If you have multiple Domains and use the simple user@domain format to log in 

(NOT Windows User Name Resolution), Domain names are cached in the 

SBR Plug-In to avoid repeated database lookups. 

Therefore, creation and deletion of Domains will not take effect immediately for 

this purpose. They will take effect when the SBR Plug-In is restarted, once the 

Domain change is available to the SBR Plug-In in the data store. Alternatively, 

if there is no restart, the cache of Domain settings will refresh from the data 

store after approximately every 15 minutes. 

Table 36: Domain Fields 

Field Name in 


Interface 

Description Any descriptive text and notes. 

Description 

Created On The date and time that the record was created. Read-only. 

Last Modified On The date and time that the record was last modified. Read-only. 

7.8 Organizational Unit Property Sheet 

This property sheet is required if the data store used by the SBR Plug-In is an ODBC database. 

Table 37: Organizational Unit Fields 

Field Name in 


Interface 

Description 

Domain The domain to which the Organizational Unit belongs. 

Read-only after creation. 

Description A short description for the Organizational Unit. 

Inherits from 

Organizational Unit 

The parent Organizational Unit. 

This is used to define a hierarchy of Organizational Units. 

Read-only after creation. 

Created On The date and time that the record was created. 

Read-only. 

Last Modified On The date and time that the record was last modified. 

Read-only. 



7.9 Data Changes Requiring a Restart 

7.9.1 Changes to the Data Store 

7.9.1.1 ODBC or Embedded Database 

All modifications listed in the Cached Data List topic below will not take effect until the SBR 

Plug-In is restarted, or until the caches re-load the data automatically. 

Where multiple SBR Plug-Ins are in use, with multiple databases, user-configured 

synchronization between the databases must be considered. A SBR Plug-In will not know about 

a data change made in another SBR Plug-In's database until that change has been copied to its 

own database. 

Example 

SBR Plug-In 1 is using Database 1 (Db1); 

SBR Plug-In 2 is using Database 2 (Db2); 

A data change is made on Db1, via the Administration MMC Interface. 

SBR Plug-In 1 will see the change as soon as it is restarted; 

SBR Plug-In 2 will see the change at the first restart after database synchronization has 

transferred the change to Db2. 

7.9.1.2 Active Directory 

If the data store is Active Directory, all modifications listed in the Cached Data List topic 

below will not take effect until the SBR Plug-In is restarted, or until the caches re-load the data 

automatically. 

In addition, it is necessary for Active Directory replication to make the modification available to 

the SBR Plug-In, if there is more than one Domain Controller used by the SBR Plug-Ins. For 

example: 

Example 

SBR Plug-In 1 is connected to Domain Controller 1 (DC1); 

SBR Plug-In 2 is connected to Domain Controller 2 (DC2); 

A data change is made on DC1; 

SBR Plug-In 1 will see the change as soon as it is restarted; 

SBR Plug-In 2 will see the change at the first restart after Active Directory replication has 

transferred the change to DC2. 

You must also remember that when the SBR Plug-In starts up, it tries to locate an available 

Domain Controller, and may not choose the same one again. In the above example, if both 

Domain Controllers are local to SBR Plug-In 2, DC1 may be chosen by SBR Plug-In 2 when it is 

restarted. 

Wider issues related to Active Directory replication are explained in 2.4 Active Directory 

Replication Issues. 



7.9.1.3 Automatic Re-Loading of Cached Data 

In the SBR Plug-In, all cached data is periodically re-loaded from the data store. This time 

period, around 15 minutes, is tracked for each entry separately. Therefore, even without a 

restart, data changes will typically take effect within a matter of minutes (unless Active 

Directory replication slows the process down). 

7.9.1.4 Cached Data List 

The following data modifications relate to cached data: 

Creation, editing and deletion of Policy records 

Creation, editing and deletion of Component records 

Creation, editing and deletion of Back-End Server records 

For ODBC and embedded databases: Creation, editing and deletion of Domain records 

For Active Directory: Digipass Application updates resulting from OTP verification, PIN 

changes and certain administrative actions such as resetting the PIN – see 2.4.4.1 

Digipass Cache for more information on the Digipass Cache. 

7.9.2 Changes to Configuration Settings 

Configuration settings are modified using the SBR Plug-In Configuration GUI, or can be 

modified directly in the XML file (see 11 Configuration Settings). 

All configuration settings 

require a restart. The SBR Plug-In Configuration GUI automatically prompts to restart the 

Service upon exiting. However if you modify the file directly, you will need to restart the Steel- 

Belted RADIUS Service using the Windows Service Control Manager. 

Advanced Settings for ODBC and embedded databases 

Advanced configuration settings are edited using the Configure Advanced 

Settings button on the ODBC Connection tab. As they are stored in the 

database itself, if you copy a database from one SBR Plug-In to another, these 

settings will be copied also. 


Digipass Plug-In for SBR Administrator Reference Licensing 

8 Licensing 

8.1 How is Licensing Handled? 

VASCO products are licensed per Component record in the data store. The licensing relies upon 

a License Key which is checked when the SBR Plug-In starts. This License Key is tied to the 

location (IP address) where the SBR Plug-In is installed, and stored in the Component record 

for the SBR Plug-In. 

The SBR Plug-In will not start up without a correct License Key. 

Evaluation Licenses 

An evaluation license means that you can use its full functionality until the evaluation period 

runs out. At the end of this period, you will need to either uninstall the product or buy a 

permanent license. Contact your distributor or the appropriate VASCO Reseller representative 

to acquire the licences you will need. For your convenience, the evaluation serial number is 

embedded in the installation program. You will still need to obtain and load a license key. 

8.2 Licensing Parameters 

Table 38: License Parameters for Digipass Plug-In for SBR 

Parameter Value 

Product The name of the VASCO product, eg. Digipass Plug-In for SBR. 

Component The type of Component licensed, eg. SBR Plug-In. 

Version Current version number of the licensed VASCO product. 

Location The IP address for the machine represented by the Component record. 

Company The name of your company. 

Username Your name. 

SerialNo The serial number for the VASCO product. 

Generated The date and time that the license file was generated. 

Expires Used for evaluation license only – expiry date. 

Signature Encrypted combination of the above parameters. 

8.2.1 Sample License File 

----- VASCO PRODUCT LICENCE ----- 

Product=Digipass Plug-In for SBR 

Component=SBR Plug-In 

Version=1.0 

Expires=2005/06/19 02:40:32 GMT 

Location=test.vasco.com 

Company=VASCO Data Security 

Username=Mr Demo User 

SerialNo=0A2B4C6D8E 

Generated=2005/05/20 02:40:32 GMT 

----- SIGNATURE ----- 

3:302C02147A487891E0745D 

6866E0Af8DDB7D6AF092BFCD 

27021474601702DbFCE5B500 

D76354022F0489DB159B62 

----- END LICENCE ----- 



8.3 View License Information 

To view the license information for a specific Component: 


2. Click on the Components node. 

The Component List will be displayed in the Result pane. 

3. Double-click on the required Component record. 

The Component property sheet will be displayed. 

4. Click on the License Key Details... button. 

The License Key Details window will be displayed. 

8.4 Obtain and Load a License Key 

Note 

An active internet connection is required to obtain a License Key. 



The Component List will be displayed in the Result pane. 

3. Double-click on the required Component record. 

The Component property sheet will be displayed. 

4. Click on the License Key Details... button. 

The License Key Details window will be displayed. 

5. Click on the Request License Key... button. 

A browser window will be opened, with the VASCO Licensing site loaded. Any required 

information which the SBR Plug-In has will be entered as the site is loaded. 

6. Enter any other required information in the browser window. 

7. Click on the Request License Key button in the browser window. 

A download of your license key file should begin. Keep note of where you save the 

file, and its name. 

8. Once the download is complete, go back to the Administration MMC Interface and the 

License Key Details window. 

9. Click on the Load License Key... button. 

10. Browse to the download location and select the license key file. 

11. Click on Open. 



A message window will display the success or failure of loading the license key into the 

data store. 



8.5 Change IP Address 

To change the IP address for an SBR server: 

1. Create a new Component record for the server, using the new IP address for the 

location. 

2. Request and download a License Key for the new Component record. 

3. Load the License Key into the new Component record. 

4. Test that SBR and the SBR Plug-In work with the new IP address and Component 

record. 

5. Delete the old Component record. 


Digipass Plug-In for SBR Administrator Reference Web Sites 

9 Web Sites 

9.1 Customizing the Web Sites 

The User Self Management Web Site and OTP Request Site can be customized by modifying 

the pages provided with the installation. You may wish to: 

change the colors and graphics to match your corporate colors/logos. 

integrate the pages into a larger web site. 

translate or customize the text 

Any cosmetic part of the web pages may be modified. Completely new web pages may be 

used, provided that the correct form fields are posted to the CGI program, and query string 

variables are interpreted correctly. Server scripting languages such as PHP or ASP, or any 

other way of generating HTML, can be used. 

This section provides the instructions and reference material that you require to customize the 

site. It is assumed that the reader has some web development knowledge. 

9.2 Setup Required in SBR Plug-In and SBR 

9.2.1 SBR Plug-In 

A Component record in the SBR Plug-In(s) is required for each Web Site. This allows the Web 

Site to make authentication requests to the SBR Plug-In via Steel-Belted RADIUS. 

9.2.2 Steel-Belted RADIUS 

Steel-Belted RADIUS must have a RADIUS Client record for each Web Site in order to pass its 

authentication requests to the SBR Plug-In. The Make/model for the RADIUS Client must be 

set to VASCO. 

9.3 CGI Program 

A single CGI script is used for both the User Self Management Web Site and the OTP Request 

Site. The functionality provided depends on the Site. 

For each function, the CGI program carries out the following actions: 

Read and validate the input. This input is gathered from: 

Configuration settings from the registry 

Form variables posted 

Send an authentication request to the SBR Plug-In (provided that there were no 

validation errors) and interpret the response. Requests are sent to the Server using the 

RADIUS protocol. A component identifier Self-Mgt Site will indicate in the Audit Console 

which audit messages relate to requests from the User Self-Management Web Site or 

OTP Request Site. 



(OTP Request Site only) Send a request to the Message Delivery Component to send an 

OTP to the User's mobile phone via text message. 

Output the HTML to direct the user to the page that will indicate success or failure, or 

display a challenge. This is achieved by returning the HTML for a basic ‘please wait’ page 

with a ‘meta-refresh’ instruction to go directly to the appropriate page. The meta-refresh 

will happen immediately, but on a slow link you may notice the intermediate page. 

The CGI program cannot be customized. Its behaviour is controlled by the configuration 

settings and the posted form variables. The configuration settings are listed below; the posted 

form variables are specified in the Customizing the Web Site section. 

9.3.1 Configuration Settings 

Various configuration settings are used by the CGI program to locate the server(s) and to 

enable tracing. These can be modified using the Start -> Programs -> VASCO -> Digipass 

Plug-In for SBR -> User CGI Configuration menu option. 

The configuration settings are stored in the Windows Registry, at the path: 

HKEY_LOCAL_MACHINE\Software\VASCO\User CGI 

Table 39: Configuration Settings for CGI Program 

Name Type Value Default 

Trace-Mask Number 

(DWORD) 

Trace-Header Number 

(DWORD) 

Used to enable internal tracing levels. In general, just use these values: 0 

= no tracing 3FFFFFFF (hexadecimal) = full tracing 

Used to configure tracing. In general, leave with the default value. 47 

Trace-File String Full path and filename of output file for internal tracing. NB: the file will be 

created if it is missing, but not the directory. 

Source-IP- 

Address 

Server1-IP- 

Address 

Server1-Port Number 

(DWORD) 

Server1- 

Shared-Secret 

Server2-IP- 

Address 

Server2-Port Number 

(DWORD) 

Server2- 

Shared-Secret 

Timeout Number 

(DWORD) 

No-Of-Retries Number 

(DWORD) 

String Source IP address to bind to when sending API requests, if any (only 

required if there are multiple IP addresses on the machine).eg. 10.9.255.7 

0 

 

 

String IP address of primary server. eg. 10.2.255.45 127.0.0.1 

API port of primary server (in general, this should not be changed from the 

default). 

1812 

String Shared Secret for primary server. 

String IP address of backup server, or blank if there is no backup. 

API port of backup server (in general, this should not be changed from the 

default) 

1812 

String Shared Secret for backup server. 

Timeout waiting for each server to respond, in seconds. 5 

Number of times to retry each server when they time out. 0 

Protocol String The only protocol supported currently is RADIUS. RADIUS 



9.4 Form Fields 

9.4.1 User Self Management Web Site 

9.4.1.1 Registration – Main Pages 

User Registration (UR), Digipass Assignment (DA) and Password Synchronization (PS) are all 

implemented using a single invocation of the CGI program. This permits them to be carried out 

either separately or in any combination. You can choose to separate them in your customized 

web site or keep them together as you prefer. 

If Challenge/Response or a Virtual Digipass is used, the user will enter their User ID, static 

password and Serial Number into the main page without a Digipass Response. They will be 

directed to a challenge page, which is specified in the next topic, in which they should enter 

either a Response to the challenge or the OTP sent to their mobile phone. The following table 

applies only to the main page. 

The following posted form fields must be used on the main page, according to the particular 

function and other conditions specified below: 

Table 40: Form Fields for Main Registration Page 

Form Field Name Visible 

Label 

(Default) 

Value(s) Required? 

dpcgi_operation “register” for User Registration, Digipass Assignment or 

Password Synchronization. 

dpcgi_success_page Relative or absolute URL of web page to go to if the 

function is successful. 

dpcgi_fail_page Relative or absolute URL of web page to go to if the 

function fails. 

dpcgi_challenge_page Relative or absolute URL of web page to go to if a 

challenge is returned for the user. 

UR PS DA 

Y Y Y 

Y Y Y 

Y Y Y 

(4) (1) 

dpcgi_userid UserId UserID in the SBR Plug-In. Y Y Y 

dpcgi_password Password Static password. Y Y Y 

dpcgi_serialno Serial 

Number 

dpcgi_response Digipass 

Response 

Digipass serial number. Y 

Digipass response (without static PIN if there is one). (5) (2) 

dpcgi_newpin New PIN New static PIN (for Go 1/Go 3). (3) 

dpcgi_confirmpin Confirm New 

PIN 

Confirm the new static PIN. (3) 

dpcgi_usecombinedpwd “True” to send the password, serial number, response 

and PIN to the SBR Plug-In in one attribute. 

“False” to send the contents of the password field 

(1) If any users may self-assign a Challenge/Response Digipass, provide this form field. 

(2) If any users may self-assign a Response Only Digipass, provide this form field. 



(3) If any users may self-assign a Response Only Digipass which uses a static PIN at the 

beginning of the response (eg. Go 1/Go 3), where the Digipass are initialized with no 

initial static PIN, they have to enter a new PIN the first time they use the Digipass. If they 

are self-assigning the Digipass, that means that they have to enter the new PIN and 

confirm it during the self-assignment process. They can do this by adding the new PIN 

twice at the end of the Digipass Response, however it may be more user-friendly to 

provide these two separate form fields. 

(4) If any users have a Challenge/Response application or a Primary Virtual Digipass, include 

this field. 

(5) If any users have a Response Only application, include this field. 



9.4.1.2 Registration – Challenge Page 

The Registration challenge page will be used for Digipass Challenge/Response or Virtual 

Digipass. The user enters their response to the challenge, to complete the registration process. 

The following posted form fields must be used on the challenge page: 

Table 41: Form Fields for Registration Challenge Page 

Form Field 

Name 

Visible 

Label 

(Default) 


dpcgi_operation “register” for User Registration, Digipass Assignment or 

Password Synchronization. 





dpcgi_userid UserId UserID in the SBR Plug-In. Y 

dpcgi_response Digipass 

Response 

Digipass response or Virtual Digipass OTP. Y 

dpcgi_challenge Challenge Digipass challenge returned to the user. Y 

Note 

If you make dpcgi_challenge a visible form field, ensure that it is not 

modifiable. An alternative is to make it a hidden form field, while also 

displaying the challenge in HTML text rather than as a form field. 

© 2006 VASCO Data Security Inc. 106 

Y 

Y 

Y


9.4.1.3 PIN Change 

The PIN Change function is only applicable for Digipass Response Only where the Server PIN is 

entered at the start of the response (eg. Go 1/Go 3). 

The following posted form fields must be used on the PIN Change page: 

Table 42: Form Fields for Server PIN Change Page 

Form Field 

Name 

Visible Label 

(Default) 


dpcgi_operation “changepin” for PIN Change. Y 






dpcgi_response Digipass Response Digipass response (without static PIN if there is one). Y 

dpcgi_currentpin Current PIN Current static PIN to be changed. (6) 

dpcgi_newpin New PIN New static PIN. Y 

dpcgi_confirmpin Confirm New PIN Confirm the new static PIN. Y 

(6) If the Digipass has had its Server PIN reset by the administrator, because the user has 

forgotten it, there is no current Server PIN to enter here. In all other cases, the current 

Server PIN must be provided to permit the PIN change. 


Y 

Y


9.4.1.4 Login Test – Main Page 

If a Challenge/Response application or Primary Virtual Digipass is used, the user will enter just 

their UserId (and maybe password) into the main page without a Digipass Response. If using 

the Backup Virtual Digipass, they will need to enter the trigger specified in server settings 

(password and/or a Keyword) into the password field. 

They will be directed to a challenge page, specified in the next topic. The following table 

applies only to the main page. 

The following posted form fields must be used on the main page: 

Table 43: Form Fields for Main Login Test Page 

Form Field 

Name 

Visible Label 

(Default) 


dpcgi_operation “testlogin” for Login Test. Y 





dpcgi_challenge_page Relative or absolute URL of web page to go to if a 

challenge is returned for the user. 


dpcgi_response Digipass Response Digipass response (with static PIN if there is one). (8) 

(7) If any users have a Challenge/Response Digipass, a Primary Digipass or use the Backup 

Virtual Digipass feature, provide this form field. 

(8) If any users have a Response Only Digipass, provide this form field. 


Y 

Y 

(7)


9.4.1.5 Login Test – Challenge Page 

The user enters their response to the challenge or the OTP sent to their mobile phone to 

complete the login test. 

The following posted form fields must be used on the challenge page: 

Table 44: Form Fields for Login Test Challenge Page 

Form Field 

Name 

Visible Label 

(Default) 


dpcgi_operation “testlogin” for Login Test. Y 





dpcgi_userid UserID User ID in the SBR Plug-In. Y 

dpcgi_response Digipass Response Digipass response. Y 

dpcgi_challenge Challenge Digipass challenge returned to the user. Y 

Note 

If you make dpcgi_challenge a visible form field, make sure that it is not 

modifiable. An alternative is to make it a hidden form field, while also 

displaying the challenge in HTML text rather than as a form field. 

9.4.2 OTP Request Site 

9.4.2.1 Request Page 

The request page must contain the following fields: 

Table 45: Form Fields for OTP Request Page 

Name Type 

Username text Visible 

Password Password Visible 

dpcgi_operation “VDPrequest” Hidden 

dpcgi_vdp_success_page Name of “OTP was sent” Page Hidden 

dpcgi_vdp_fail_page Name of “OTP not sent” Page Hidden 

dpcgi_vdp_wrongtoken_page Name of “Not a Virtual Digipass” Page Hidden 


Y 

Y


9.5 Query String Variables 

The query string variables that are passed to the web pages by the CGI program are mainly 

concerned with status and error reporting. There is also a variable that is used to pass a 

challenge to the pages that display one. 

9.5.1 Failure/Error Handling 

There are three main groups of failures that can occur, which should be handled in a different 

manner. In all cases there is a numeric error code, however in some cases there is an auxiliary 

code and message such as the return code and message from the VACMAN Controller. The 

main error codes will be assigned in three separate ranges, so that the web pages can identify 

which category of error is returned. 

API return codes – these are returned by the VASCO API used to make the 

authentication request to the Server. In some cases there will be an auxiliary code and 

message. 

CGI errors – these errors are detected by the CGI program, mainly when the web pages 

are not providing or enforcing the posted form fields correctly. These will not generally 

have an auxiliary code and message, but it is possible. 

Internal errors – these are technical errors that ‘should not occur’. In some cases there 

will be an auxiliary code and message. 

The intention of using this code-based scheme is to allow translation and customization of the 

messages. The main error code will be translated into a message by the web pages 

themselves. The pages can also translate the auxiliary code into a message, for the VACMAN 

Controller codes, but normally, the pages would not know how to translate it into a message, 

and should display the auxiliary message as provided. 



9.5.2 Query String Variable List 

The following table indicates which variables are used for the User Self Management Web Site 

and OTP Request Site, and the required conditions: 

Table 46: Query String Variable List 

Variable Value Condition Used by Site 

result 0 Successful authentication request Both 

Unsuccessful authentication request Both 

CGI or internal error occurred Both 

challenge Challenge returned by API User Self 

Management Web 

Site only 

serialNo Successful Auto- or Self-Assignment User Self 

Management Web 

Site only 

auxcode 

 

auxmsg 

 

Examples: 

success: /vmsite/success.html?result=0 

Unsuccessful authentication request due to 

Controller rejecting password 

CGI or internal error occurred, where another 

error code is relevant 

Unsuccessful authentication request due to 

Controller rejecting password 

CGI or internal error occurred, where an error 

message is relevant 

invalid Digipass response due to code replay: 

/vmsite/fail.html?result=1000&auxcode=2&auxmsg=Code+Replay+Attempt 

challenge: /vmsite/challenge.html?challenge=738453 


Both 

Both 

Both 

Both


9.5.3 Return Code Listing 

In the following tables, the Message is the one that is provided by the standard web pages that 

we install. 

9.5.3.1 API Return Codes 

The following codes are the ones that in normal cases might be returned: 

Table 47: API Return Codes 

Code Message Auxiliary 

Code/ 

Message? 

Notes 

-1 Error during request to Server N We are unable to distinguish the error from the 

client side of the API – the administrator would 

have to look at the Audit Console. 

9.5.3.2 CGI Errors 

Table 48: CGI Error Return Codes 


Code/ 

Message? 

-100 Only the POST method is permitted N 

-101 No dpcgi_operation was posted N 

-102 An invalid dpcgi_operation was posted N 

-103 dpcgi_challenge_page cannot be used for this operation N 

-104 dpcgi_password cannot be used for this operation N 

-105 dpcgi_serialno cannot be used for this operation N 

-106 dpcgi_currentpin cannot be used for this operation N 

-107 dpcgi_newpin cannot be used for this operation N 

-108 dpcgi_confirmpin cannot be used for this operation N 

-109 dpcgi_challenge cannot be used for this operation N 

-110 dpcgi_success_page must be entered for this operation N 

-111 dpcgi_fail_page must be entered for this operation N 

-112 dpcgi_userid must be entered for this operation N 

-113 dpcgi_password must be entered for this operation N 

-114 dpcgi_response must be entered for this operation N 

-115 dpcgi_newpin must be entered for this operation N 

-116 dpcgi_confirmpin must be entered for this operation N 

-117 A Digipass Response is required to assign a Digipass N 

-118 A New PIN can only be set when assigning a Digipass N 

-119 Enter the new PIN in the New PIN and Confirm New PIN fields N 

-120 The New PIN and Confirm New PIN fields have different values N 

-121 A challenge was returned, but there is no dpcgi_challenge_page N 

-122 Unknown parameter N 

-123 The Content-Length passed in was invalid N 




Code/ 

Message? 

-124 dpcgi_serialno must be entered for this operation N 

-131 Wrong token page is forbidden N 

9.5.3.3 Internal Errors 

Table 49: Internal Error Codes 


Code/ 

Message? 

-1000 Cannot read Trace-Mask configuration setting Y 

-1001 Cannot read Trace-File configuration setting Y 

-1002 Cannot open Trace-File Y 

-1003 Cannot read Source-IP-Address configuration setting Y 

-1004 Cannot read Server1-IP-Address configuration setting Y 

-1005 Cannot read Server1-Port configuration setting Y 

-1006 Cannot read Server2-IP-Address configuration setting Y 

-1007 Cannot read Server2-Port configuration setting Y 

-1008 Invalid configuration setting Source-IP-Address Y 

-1009 Invalid configuration setting Server1-IP-Address Y 

-1010 Invalid configuration setting Server1-Port Y 

-1011 Invalid configuration setting Server2-IP-Address Y 

-1012 Invalid configuration setting Server2-Port Y 

-1014 Cannot read HTTP request data N 

-1015 Request to Server not completed Y 

-1016 Cannot read Self-Management Site registry key Y 

-1017 The specified Source-IP-Address is not on this machine N 

-1018 Cannot read Trace-Header configuration setting Y 

-1019 Invalid configuration setting Trace-Header Y 

-1020 The Trace file name must not contains quotes ' or ". N 

-1021 No File found in the trace file N 

-1030 Error reading Server 1 Secret - return code was N 

-1031 Error reading Server 2 Secret - return code was N 

-1032 Error reading No of Retries - return code was N 

-1033 Error reading Timeout - return code was N 

-1034 Error writing Protocol - return code was N 

-1040 The Shared Secret and Confirm Shared Secret do not match. N 


Digipass Plug-In for SBR Administrator Reference Login Options 

10 Login Options 

10.1 Login Permutations 

The information required to be entered during a login will vary according to the configuration 

settings of the relevant Policy, the login method, and any actions to be performed during the 

login. 

Login Methods 

The login methods specified are: 

Response Only 

Challenge/Response 

Virtual Digipass - Primary or Backup 

Login Actions 

A User may be allowed to do these things during a login: 

Set their Server PIN – on first use or after a PIN reset. 

Change their Server PIN. 

Inform the SBR Plug-In that their static password for the back-end authenticator – eg. 

Windows - has been modified. 

Perform a Self-Assignment for a Digipass in their possession. 

Login Variables 

The variables which a User may need to enter, in order to do one of the above functions are 

listed below. The code or word used to designate each variable in the following tables is 

included in brackets. 

One Time Password (OTP) 

Password (Password) 

Server PIN (PIN) 

Serial Number of their Digipass (Serial No) 

Serial Number Separator (Sep.) 

Request Keyword (Keyword) 

Policy Settings 

The Policy settings which will affect the variables required in logins are: 

Stored Password Proxy 

If this attribute is set to Enabled, each User's password must be kept up to date in the 

SBR Plug-In. This is typically achieved by enabling Password Autolearn. 


If the SBR Plug-In is informed of a User's password change, the new password will only 

be recorded by the SBR Plug-In if Password Autolearn is enabled in the relevant Policy. 



Serial Number Separator 

If a Serial Number Separator is specified, the User may enter their Digipass serial 

number exactly as it appears on the back of their Digipass (or in the documentation 

provided to the User), including dashes. If a Serial Number Separator is not specified, 

the Digipass serial number must be padded to 10 characters, with all non-numerical 

characters removed. 

Back-End Authentication 

In the following login permutations tables, 'Back-End Authentication Required' means 

that the Back-End Auth. attribute is set to Always or If Needed. 

Note 

Back-End Authentication is required for Self-Assignment and Password 

Autolearn logins. 

10.1.1 Response Only – PAP 

Table 50: Login Permutations - Response Only PAP (1) 

Server PIN 

Required 

No Server 

PIN 

Required 

Login Type Existing PIN? 

Serial Number 

Separator? 

Normal login Yes N/A PIN+OTP 

Password Field Contents 

Stored Password Proxy On 

OR 

No Back-End Authentication 1 

Set PIN No N/A OTP+NewPIN+NewPIN 

Change PIN Yes N/A PIN+OTP+NewPIN+NewPIN 

Changed Password Yes N/A Password+PIN+OTP 

Set PIN and Changed Password No N/A Password+OTP+NewPIN+NewPIN 

Change PIN and Changed Password Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Self-Assignment 2 

Normal login N/A N/A OTP 

Yes Yes SerialNo+Sep.+Password+PIN+OTP 

No SerialNo+Password+PIN+OTP 

Changed Password N/A N/A Password+OTP 

No Yes SerialNo+Sep.+Password+OTP+NewPIN+NewPIN 

No SerialNo+Password+OTP+NewPIN+NewPIN 

Self-Assignment N/A Yes SerialNo+Sep.+Password+OTP 

No SerialNo+Password+OTP 

1 Back-End Authentication is required for Self-Assignment and Password Autolearn logins. 

2 If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be 

padded to 10 characters with preceding zeroes. 



Table 51: Login Permutations - Response Only PAP (2) 

Server PIN 

Required 

No Server 

PIN 

Required 

Examples 

Login Type Existing PIN? 

Serial Number 

Separator? 

Normal login Yes N/A Password+PIN+OTP 


Stored Password Proxy Off 

AND 

Back-End Authentication Required 3 

Set PIN No N/A Password+OTP+NewPIN+NewPIN 

Change PIN Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Changed Password Yes N/A Password+PIN+OTP 

Set PIN and Changed Password No N/A Password+OTP+NewPIN+NewPIN 

Change PIN and Changed Password Yes N/A Password+PIN+OTP+NewPIN+NewPIN 

Self-Assignment 4 

Yes Yes SerialNo+Sep.+Password+PIN+OTP 

No SerialNo+Password+PIN+OTP 

Normal login N/A N/A Password+OTP 

Changed Password N/A N/A Password+OTP 

No Yes SerialNo+Sep.+Password+OTP+NewPIN+NewPIN 

No SerialNo+Password+OTP+NewPIN+NewPIN 

Self-Assignment N/A Yes SerialNo+Sep.+Password+OTP 

No SerialNo+Password+OTP 

Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator 

set to '::'. 

3-179-0987::pA192ss086382012341234 

Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number 

Separator set. 

0031790987PA192ss0863820 

10.1.2 Response Only – CHAP/MS-CHAP 

The table below assumes that Stored Password Proxy is enabled, or Backend Authentication is 

not in use. 

Table 52: Login Permutations - Response Only CHAP 

Login Type Server PIN 

Required? 

Normal login Yes PIN+OTP 

No OTP 







10.1.3 Challenge/Response 

Challenge/Response is supported with PAP only. 

Table 53: Login Permutations – Challenge/Response 

Login Type Serial Number 

Separator? 

Request 

Method 

2-Step Challenge/Response 

Stored 

Password 

Proxy Off 

AND 

Back-End 

Auth. 

Required 5 

Pre-Challenge Response 

Normal login N/A Keyword Yes Keyword Password+OTP 

Changed 

Password 

Self- 

Assignment 6 

No Keyword OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

N/A Keyword N/A Keyword Password+OTP 

Password N/A Password OTP 

Keyword-Password N/A Keyword+Password OTP 

Password-Keyword N/A Password+Keyword OTP 

Yes N/A N/A SerialNo+Sep.+Password OTP 

No N/A N/A SerialNo+Password OTP 






10.1.4 Virtual Digipass 

The 2-step login is possible when using the RADIUS Access-Challenge mechanism or an IIS 

Module in form-based authentication mode. The Password is required in either the first or the 

second step, but not both. 

However, many RADIUS environments and web 'basic authentication' do not support the 2step 

login process. If the 2-step login process is not possible, two separate 1-step logins are 

required. The second login must include the Password as well as the OTP, but it is not 

necessary to provide the Password in the first login, if only a Keyword is used. 

When using the Virtual Digipass OTP Request web site, the 2-step login is not applicable. 

Table 54: Login Permutations – Virtual Digipass 

Login 

Type 

Normal 

login 

Changed 

Password 

Request 

Method 

2-step login 7 

Two 1-step logins 8 

Step 1 Step 2 Step 1 Step 2 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 

Keyword Keyword Password+OTP Keyword Password+OTP 

Password Password OTP Password Password+OTP 

Keyword-Password Keyword+Password OTP Keyword+Password Password+OTP 

Password-Keyword Password+Keyword OTP Password+Keyword Password+OTP 

7 2-step logins are compatible with PAP only 

8 Two 1-step logins may be used with any protocol compatible with Digipass Plug-In for SBR. 


Digipass Plug-In for SBR Administrator Reference Configuration Settings 

11 Configuration Settings 

11.1 SBR Plug-In 

A Graphical User Interface (GUI) is available for use in configuring the SBR Plug-In To open 

the SBR Plug-In Configuration GUI, click on the Start Button and select Programs -> VASCO 

-> Digipass Plug-In for SBR -> SBR Plug-In Configuration. 

Note 

A restart of the Steel-Belted RADIUS service is required after any change to 

SBR Plug-In configuration settings. When exiting the Configuration GUI, you 

will be prompted to allow an automatic restart of the service. 

11.1.1 RADIUS Attributes 

See the RADIUS Attributes topic in the Product Guide for a description of the use of RADIUS 

profiles and attributes in the SBR Plug-In. 

RADIUS Profile 

To use a RADIUS Profile from SBR, these conditions must be met: 

The Attribute Group and Profile Attribute Name settings in the Configuration GUI 

must have a value. 

The Digipass User account must have an entry in their Authorization 

Profile/Attribute list as follows: 

Attribute Group matches the Attribute Group configuration setting 

Name matches the Profile Attribute Name setting 

Usage = Profile 

Value matches the name of a RADIUS Profile that exists in SBR 

Alternatively, if the above conditions are not met, the Default RADIUS Profile 

configuration setting matches the name of a RADIUS Profile that exists in SBR. 

To configure the SBR Plug-In to use a RADIUS Profile from SBR: 

1. Enter an Attribute Group. 

2. Enter a Profile Attribute Name. 

3. If needed, enter the name of a RADIUS Profile in the Default RADIUS Profile field. 

4. Click on Apply. 

User Attributes 

To set user-specific RADIUS attributes, these conditions must be met: 

The Attribute Group setting in the SBR Plug-In Configuration must have a value. 

The Set User Attributes checkbox in the SBR Plug-In Configuration must be ticked. 



The Digipass User account must have an entry per required attribute in their 

Authorization Profile/Attribute list as follows: 

Attribute Group matches the Attribute Group configuration setting 

Name matches a RADIUS attribute that appears in one of the dictionaries loaded 

into SBR 

Usage = Check or Return according to the usage required in SBR 

Value contains a textual representation of the attribute value (as it would appear in 

the SBR Administrator interface) 

To configure the SBR Plug-In to set user-specific RADIUS attributes from the Digipass User 

account: 

1. Enter an Attribute Group. 

2. Tick the Set User Attributes checkbox. 


11.1.2 Set Component Location 

1. Enter the location of the SBR Plug-In Component in the Component Location field. 

This will be the licensed IP address and must be present on the machine. 


11.1.3 Configure for Unknown Users 

SBR passes authentication requests to each listed Authentication Method until it receives an 

accept or reject response. By default, the SBR Plug-In supports this process by sending a 

'continue' response if it cannot find a record for the User. However, if authentication fails for 

another reason, the Plug-In will send a 'reject' response. 

To prevent SBR from passing an authentication request to the next Authentication Method 

when a User is unknown, disable the Pass onto next Authentication Method when user is 

unknown option. 

To disable this option: 

1. Untick the Pass onto next Authentication Method when user is unknown 

checkbox. 


11.1.4 Library Path and Type 

The Library Path setting tells the SBR Plug-In where to find the data access (Active Directory 

or ODBC) library. This setting may not be edited in the Configuration GUI. 

11.1.5 Turn Tracing On or Off 

1. Select a Tracing option. 

2. To send tracing output to a text file, enter a path and filename for the tracing file into 

the File Name field. The file path entered must be the full absolute path. 



Note 

If the File Name field is left blank or the file path does not exist, the SBR Plug- 

In will not output tracing. If the file does exist, tracing will be appended to the 

file. If the path is valid but the file does not exist, it will be created. 

3. To include tracing output in SBR's log files, tick the Integrate tracing into SBR log 

files checkbox. 

Note 

Tracing must be enabled in SBR for the SBR Plug-In tracing to appear. In the 

RADIUS.INI file, make sure that the LogLevel setting is set to 2. 

4. Click on the Apply button. 



11.1.6 Active Directory Connection 

To view Active Directory settings, open the configuration GUI and click on the Active 

Directory Connection tab. These settings will only be available if Active Directory was 

selected as the data store during installation of the Digipass Plug-In for SBR. 

11.1.6.1 Configuration Domain 

The configuration domain is the main Active Directory domain which the SBR Plug-In should 

use for User authentications, and the domain in which the Digipass Configuration Container is 

located. This domain will be set automatically during the Digipass Plug-In for SBR installation. 

To set the default domain: 

1. Click on the Edit... button next to the Configuration Domain field. 

The Domain window will be displayed. 

2. Enter the fully qualified domain name for the configuration domain into the Name field. 

3. If required, enter the name of the server in the domain to which the SBR Plug-In 

should connect, in the Preferred Server field. 

4. Tick the Preferred Server Only checkbox to limit the SBR Plug-In to connecting only 

to that server in the configuration domain. 

5. Enter the server port to use in making encrypted connections (SSL) to the configuration 

domain into the Encrypted Server Port field. 

6. Enter the server port to use in making unencrypted connections to the configuration 

domain into the Unencrypted Server Port field. 

7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the SBR 

Plug-In to Active Directory, or leave the checkbox unticked to leave the connection 

unencrypted. Note that SSL is not used when the SBR Plug-In is on a Domain 

Controller and connects to Active Directory using that. 

8. Enter the maximum amount of time (in minutes) that the SBR Plug-In should stay 

connected to a server before re-synching in the Max Bind Lifetime field. 



11.1.6.2 Domains List 

The Domains list contains the names of all other domains that the SBR Plug-In may need to 

use in User authentications. Note that this list is only needed if you wish to configure how the 

SBR Plug-In will connect to the other domains – if a domain is not in the list, it will still try to 

connect to it. 

Add a Domain 

To add a domain to the Domains List: 

1. Click on the Add... button. 

The Domain window will be displayed. 

2. Enter the fully qualified domain name for the domain into the Name field. 



3. If required, enter the name of the server in the domain to which the SBR Plug-In 

should connect, in the Preferred Server field. 

4. Tick the Preferred Server Only checkbox to limit the SBR Plug-In to connecting only 

to that server in the domain. 

5. Enter the server port to use in making encrypted connections (SSL) to the domain into 

the Encrypted Server Port field. 

6. Enter the server port to use in making unencrypted connections to the domain into the 

Unencrypted Server Port field. 

7. Tick the Encrypt checkbox to use an encrypted connection (using SSL) from the SBR 

Plug-In to Active Directory, or leave the checkbox unticked to leave the connection 

unencrypted. 

8. Enter the maximum amount of time (in minutes) that the SBR Plug-In should stay 

connected to a server in the domain before re-synching in the Max Bind Lifetime 

field. 



Modify a domain record in the Domains List 

To modify information for a domain in the Domains List: 

1. Select the domain to be modified from the Domains List. 

2. Click on the Edit... button. 

3. Modify the required information. 



Delete a domain record from the Domains List 

To remove a domain record from the Domains List: 

1. Select the domain to be deleted from the Domains List. 

2. Click on the Delete button. 

3. The record will be deleted. 



11.1.7 ODBC Connection 

To view ODBC Database connection settings, open the Configuration GUI and click on the 

ODBC Connection tab. These settings will only be available if an ODBC database was 

selected as the data store during installation of Digipass Plug-In for SBR. 

11.1.7.1 Connect to an ODBC Database 

The database(s) used to store data required by Digipass Plug-In for SBR are listed in the ODBC 

Data Sources list on this tab. 

You may wish to add another database to this list if load-balancing or fail-over mechanisms 

need to be implemented. 

1. Click on the ODBC Connection tab. 


3. The Data Source window will be displayed. 

4. Enter a display name for the data source (this will be used in data source lists in the 

Configuration GUI). 

5. Enter the name (DSN) of the ODBC data source. 

6. Enter the User ID and password of a database administrator account with permissions 

to read, write, create and delete Digipass-related data. 

7. Click on the Test Connection button. 

If the information has been entered correctly, the test should be successful. 

8. Enter the minimum time the system should wait to reconnect to this data source (in 

seconds). 

9. Enter the maximum time the system should wait before retrying the connection. 

11.1.7.2 Connection Settings 

You may need to fine-tune database connection settings to increase performance of the 

database and the database driver in use, or if you are implementing load-balancing between 

two or more databases for the SBR Plug-In. 

1. Select a database from the list. 

2. Click on the Advanced Settings button. 

3. Enter the maximum number of concurrent connections which the SBR Plug-In should 

make to the database in the Max. Connections field. 

4. Enter the number of milliseconds for which the SBR Plug-In should wait while 

establishing a connection to the database. 

5. Enter the period (in minutes) before unused connections to the database should be 

closed by the Plug-In in the Idle Timeout field. 

6. If you have multiple databases and want the Plug-In to switch to another database if it 

has exceeded the connection limit or if the database becomes unavailable, tick the 

Enable Load Sharing checkbox. 




11.1.7.3 User ID and Domain Conversion 

User ID and Domain Case 

The case in which the SBR Plug-In will save and retrieve User IDs and domain names will 

depend on: 

The capabilities and settings of the database used as the data store for the SBR Plug-In. 

Your database may require case sensitivity in queries, or may store all data in lower or 

upper case. 

Configuration settings for the SBR Plug-In. 

The SBR Plug-In may be configured to save and retrieve User IDs and domain names in: 

Lower case 

Upper case 

No conversion – data is saved or searched on exactly as entered. 

The default configuration setting for the SBR Plug-In when using an embedded database is 

Convert to Lower. When using another ODBC database, the default is No Conversion. 

Caution 

Before changing the configuration setting, you need to make sure that existing 

User IDs and Domain names will not be invalidated by the new setting, or that 

they are deleted before the setting is changed. For example, if the current 

setting is No Conversion and you change to Convert to Lower, a User ID 

“TestUser” would become invalid. This Digipass User account must be deleted 

before changing the Case Conversion setting. 

Typically, this setting should be changed shortly after installation, so you do 

not have to deal with a lot of existing Digipass User account and Domain 

records. 

If you want to move from Convert to Lower to Convert to Upper, or vice versa, 

it will be necessary to make the change in two steps, via No Conversion. While 

the setting is No Conversion, upper or lower case User IDs and Domains can 

be created and deleted as necessary. 

This is especially important for the Master Domain name. The default Master 

Domain “master” will become invalid if you change to Convert to Upper. 

Therefore, you will need to create a new Domain with an upper case name and 

make it the Master Domain, while the Case Conversion setting is No 

Conversion. See 11.1.7.4 Master Domain for instructions to change the 

Master Domain. 

To modify the Case Conversion setting for the SBR Plug-In: 



3. If you wish the SBR Plug-In to convert User IDs and domains to upper or lower case, 

select Convert to Upper or Convert to Lower from the Case drop down list. 

To leave User IDs and domains as they are entered, select No Conversion. 




Windows User Name Resolution 

Digipass Plug-In for SBR can use Windows functions to identify User IDs as Windows User 

accounts. This may be required if Windows is used as the back-end authenticator for Digipass 




3. To have the Plug-In look up a User ID with Windows to find the Distinguished Name for 

the account, tick the Use Windows User Name Resolution checkbox. 


11.1.7.4 Master Domain 

The Master Domain is used as a default Domain as well as having special significance for 

administrative access. For more details, see 3.5.1.1 Master Domain. 

Note 

All User accounts must be deleted from a domain before the domain record can 

be deleted. 

To modify the domain used as the Master Domain: 

1. If the new Master Domain does not already have a Domain record, create the new 

Domain using the Administration MMC Interface. 

2. Make sure there is an administrator account in the new Master Domain that has Set 

Administrative Privileges permission. 

3. Click on the ODBC Connection tab. 

4. Click on Configure Advanced Settings. 

5. Modify the name in the Master Domain field. 


7. Login to the Administration MMC Interface as the administrator account identified in 

step 2. Give this account any privileges that it requires that are missing. You will need 

to log off and on again as this account for the new privileges to take effect. 

8. Delete the original 'master' domain if no longer required. 

Caution 

Ensure that the name of the Master Domain is set to the correct case, as 

required by the Case Conversion setting. For example, if the Case Conversion 

setting is Convert to Lower, the Master Domain name must be all lower case. 

11.1.7.5 Domains and Organizational Units 

Other Domains and Organizational Units used in the SBR Plug-In may be created and edited 

using the Administration MMC Interface. 



11.1.8 Auditing 

To configure auditing for the SBR Plug-In, add at least one auditing plug-in to the Methods list. 

To view or edit auditing settings, click on the Auditing tab in the Configuration GUI. For more 

information about setting up auditing, see 12 Auditing. 

Add an Audit Method 


2. Select a Plug-in type from the drop down list. 


The Plugin window will be displayed. 

4. Enter a name to use for display purposes in the Display Name field. 

5. Tick the Enabled checkbox to enable auditing to this plug-in. 

6. Tick the Fail on Error checkbox if you want the SBR Plug-In to return an error if it fails 

to record an auditing message. 

7. Tick the Unhandled Only checkbox if messages should only be logged by this auditing 

plug-in if they have not been previously logged by any other plug-in. 

8. Select one or more audit message types to be logged by this plug-in: 

Error 

Warning 

Information 

Success 

Failure 

9. Enter other required information. 



Edit an Audit Method 

1. Select an auditing plug-in from the Methods list. 

2. Click on the Edit... button. 

The Plug-In window will be displayed. 

3. Make the required changes. 



Delete an Audit Method 

1. Select an auditing plug-in from the Methods list. 

2. Click on the Delete button. 

The record will be deleted. 



11.1.9 Data Encryption 

See 4 Sensitive Data Encryption for more information on encryption in the SBR Plug-In. 

To modify encryption settings for the SBR Plug-In: 

1. Click on the Active Directory Connection or ODBC Connection tab. 

2. Click on Configure Encryption Settings. 

3. The Configure Encryption Settings window will be displayed. 

4. Enter the custom encryption key in the Storage Key field. 

5. Select an encryption algorithm from the Cipher Name drop down list. 


Export Encryption Settings 




4. Click on Export... 

5. Browse to the desired directory. 

6. Enter a file name to export the settings to. 


8. Enter a password. 


Import Encryption Settings 




4. Click on Import... 







11.1.10 Configuration File 

The Configuration GUI for the SBR Plug-In writes to an .xml file named dpsbrauth.xml in the 

install/bin directory. It is possible to edit this file directly instead of using the Configuration 

GUI, but is not recommended. 

Example Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



11.2 MDC 

11.2.1 Required Information 

To configure gateway settings you will need: 

Gateway details: 

OR 

Protocol to use in connecting to the gateway. 

An address string and port to use in connecting to the gateway. 

The path and filename of a certificate file, if required. 

The required Query String. 

The Query Method (GET or POST) required by the gateway. 

A customized configuration file ordered from your VASCO supplier. This will need to be 

imported using the Configuration GUI. 

Username and password for the gateway account. 

11.2.2 MDC Configuration GUI 

A Graphical User Interface (GUI) is available for use in configuring the MDC. To open the MDC 

Configuration GUI, click on the Start Button and select Programs -> VASCO -> Digipass 

Plug-In for SBR -> Virtual Digipass MDC Configuration. 

Note 

The MDC must be restarted after any change is made in the Configuration GUI. 

11.2.2.1 Modify Gateway Account Login Details 

The MDC needs a Username and password for the gateway in order to send text messages 

through it. 

1. Modify the Username if needed. 

2. Change the Password and Confirm Password fields if required. 

The Password and Confirm Password fields must contain identical data. 

11.2.2.2 Configure Internet Connection Details 

Enable or disable the use of an HTTP Proxy and enter details if required. 

1. Enable or disable the use of the HTTP Proxy by ticking or clearing the Use HTTP Proxy 

checkbox. 

2. If required, enter an IP address, port and timeout for the HTTP Proxy. 

3. Enter a maximum number of internet connections to allow in the Max. Connections 

field. 



11.2.2.3 Configure Tracing 

The MDC makes use of a trace file to record information about events that occur on the 

system, for use in troubleshooting. This could include generic information, changing 

conditions, or problems and errors that have been encountered. 

The level of tracing that the MDC employs depends on its configuration settings. 

Caution 

Enabling Full Tracing should only be done for troubleshooting purposes. There 

are no limits set on the size of the tracing file, so if the option is left on too 

long on a high-load system the file may dramatically slow down or crash 

Windows, due to excessive I/O or filling up the hard drive. This is not highly 

likely for MDC, but should be considered. 

Because there are no size limitations set on the trace file, it is not recommended that you have 

tracing permanently enabled. If your system is set up with Basic Tracing always enabled, 

ensure that the file size does not cause problems by deleting or archiving it whenever it gets 

too large. 

Basic tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Full tracing includes: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Informational messages [INFOR] 

Data tracing messages [DATA] 

Debugging messages (useful for support purposes) [DEBUG] 

Security messages, messages that may contain security sensitive data [SECUR] 

Turn Tracing On or Off 

1. Select a Tracing option. 

2. If you have selected Basic Tracing or Full Tracing, enter a path and filename for the 

tracing file into the File Name field. 

The file path entered must be the full absolute path. 



Note 

If the File Name field is left blank or the file path does not exist, the MDC will 

not output tracing. If the file does exist, tracing will be appended to the file. If 

it does not exist, it will be created. 

11.2.2.4 Import HTTP Gateway settings 

Import a customized configuration file ordered from your VASCO supplier, containing the 

configuration details for your gateway needed by the MDC. 

1. Click on the Gateway Settings tab. 

2. Enter a name for the gateway. 

3. Click on Import Settings. 

4. Select a file from the Browse window. 


The import progress will be displayed. 


11.2.2.5 Edit Advanced Settings 


2. Ensure that the Edit Advanced Settings checkbox is ticked. 

3. Select a protocol to use in connecting to the gateway from the Protocol drop down list 

(typically HTTP). 

4. Enter an address string to use in connecting to the gateway in the Address field. 

5. Enter a port in the Port field (typically 80 for HTTP connections). 

6. Enter the path and filename of a certificate file if required. 

7. Modify the Query String field if required. 

Example Query String: 

username=[acc_user]&password=[acc_pwd]&device=[otp_dest]&network=tgsm&message= 

[otp_msg] 

8. Select a Query Method according to what the gateway requires (typically POST). 

11.2.2.6 Export HTTP Gateway settings 

Once you have entered the necessary gateway configuration information into the Configuration 

GUI, you may wish to export the settings into a file for backup purposes or to transfer to 

another server. 


2. Ensure that the Edit Advanced Settings checkbox is ticked. 

3. Click on Export Settings. 

4. Select a directory from the Browse window. 

5. Enter a filename. 




The export progress will be displayed. 

11.2.2.7 Gateway Result Pages 

A result page is returned by the gateway service when a text message is submitted by the GET 

or POST methods. This page would normally be a HTML formatted page containing specific 

error codes and/or additional messages for success/failure. 

Three types of result messages are generally categorized as: 


Success of message delivery (the message has been accepted by the server) 

Warning 

The submission/delivery failed, but it is most likely a specific error only affecting this User. 

The User’s login will fail on the first step. Possible causes are: 

Error 

Phone number invalid 

Temporary gateway failure 

Error(s) occurred while attempting delivery. This means that the delivery failed for a particular 

User, but the error might be affecting all Users. In this case, the User’s login will fail 

immediately. Possible such errors are: 

Account data incorrect (Account User or password wrong) 

Account credit expired (for a pre-paid gateway account) 

Communication error with gateway (network error) 

Other permanent gateway errors 

Audit Console Logging 

A gateway result page can be recognized by key words and phrases, and an alternate message 

created for logging to the audit console whenever the result is received. Variables can be 

extracted from the result page and used in the log message to provide extra information. 

Result Page Rules 

The result page rule patterns use the following syntax: 

[Var-Name1] [] [Var-Name2] … 

Where the template is constructed in the following way: 

: a character string which must be matched in the page returned by the 

gateway. Note that multiple can appear in a single template, but they 

must not be overlapping. Matching is case-sensitive. 



[]: Omits a variable part of the result page between two segments, when 

matching a template. This can be useful to ignore arbitrary data or time/date data in the 

returned web page. 

[Var-Namex]: Describes a segment of the result page between two 

segments or at the end of the result page, which will be written to a variable. Usually 

this will be data that can provide more detailed information why a particular message 

submission has failed. The variable name inside the [] brackets can then be used as part 

of the audit message template to create a meaningful message. 

Example 

If the server returns the following result page 

“Submission successful at 10:00, 11/11/02, status: 00 - message delivery in 

progress.” 

for successful transmission, or 

“Submission unsuccessful at 10:05, 11/11/02, status: 47 – number too short” 

for an unsuccessful submission, then the following result page rules can be configured: 

Message Rule Name: Success 

Message Rule Pattern: successful at [DateTime], status: [Status] – [Message] 

Variables retrieved: DateTimeStatusMessage 

Message Rule Name: Warning 

Message Rule Pattern: unsuccessful at [DateTime], status: 47 – [Message] 

Variables retrieved: DateTimeMessage 

Message Rule Name: Error 

Message Rule Pattern: unsuccessful at [DateTime], status: [status] – [Message] 

Variables retrieved: DateTimeStatusMessage 

No Match Available If no Rule matches a Result page returned, an error will be logged to the 

Audit Console, reporting that the result page returned from the gateway could not be matched. 

Ordering Rules The order of the result page template in the configuration data can be used to 

match more specific messages first and finally catch any “other” message, which the gateway 

might send. 

Audit message template 

Once a result page template a matched, a corresponding audit message is constructed with the 

variables retrieved from the result page rule. 

The message template will use the following syntax: 

[VAR-Name1] [Var-Name2] … 

: a character string which will appear literally in the constructed audit 

message. 



[Var-Namex]: Variable which is derived from the matched variables from the 

corresponding result page template. 

The following variables are predefined and can be used in the audit message template: 

Table 55: MDC Audit Message Variables 

[otp_dest] The destination address (a mobile phone number) the OTP was sent to. 

[otp_msg] The message that was submitted. This variable will also contain the OTP, so should not be used for the 

construction of audit messages. 

[acc_user] Account name for the gateway.Not recommended for use in audit messages. 

[acc_pwd] Account password for the gateway.Not recommended for use in audit messages. 

[Username] the User ID of the User requesting the OTP 

Examples of variable use: 

Insufficient credit on account [acc_user] when sending to [username] 

Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message] 

Modify a Gateway Result Message Rule 

Ensure that the Edit Advanced Settings checkbox on the Gateway Settings tab is ticked. 

1. Click on the Gateway Results tab. 

2. Select a Rule to modify. 

3. Click on Edit. 

4. Make any required changes. 


Add a Gateway Result Message Rule 

1. Click on the Gateway Results tab. 

2. Click on Add. 

3. Enter a descriptive name for the Rule in the Description field. 

4. Enter the full text or a partial match of the text displayed by the gateway in the 

Matching Pattern field. 

5. Select an Audit Message Level for the Rule. 

Each level of message will be displayed with a different color background in the Audit 

Console. 

Info – normal 

Warning – yellow 

Error – red 

6. Enter the message text you wish the User to see into the Message Text field. 




11.2.3 MDC Configuration File 

The MDC Configuration GUI writes to an .xml file named MDCConfig.xml in the install/bin 

directory. It is possible to edit this file directly instead of using the MDC Configuration GUI. 

Example Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Caution 

The configuration file is UTF8 encoded. Non-UTF8 encoded characters should 

not be added to the configuration file, or it will not load. 



11.2.4 Configuration Settings 

The table below lists the options, their default values, and a brief explanation of each. 

Table 56: Message Delivery Component Configuration Settings 

Option 

Name 

General tab 

Config. 

GUI Field 

Server/ IP Server IP 

Address 

Default 

Value 

 

Notes 

This string is the IP address of the local server. It needs to correspond 

with the licensing as well as the IP address configured for the 

server.Data type: String with valid IP4 address or hostname that can be 

resolved through DNS 

Server/ Port Port 20003 This integer is the TCP/IP port on which the local server is listening. 

Must correspond with the SBR server settings.Data type: Integer with 

valid Port address (1-65535) 

Gateway/ 

ProxyIP 

Gateway/ 

ProxyPort 

Gateway/ 

Timeout 

Gateway/ 

MaxConnecti 

ons 

Tracing/ 

TraceFile 

Tracing/ 

TraceMask 

Gateway- 

Acnt/ 

Username 

Gateway- 

Acnt/ 

Password 

Proxy IP IP address of the HTTP proxy used by the MDC to contact the HTTP 

gateway. This can be used when the firewall settings do not allow a 

direct connection.Empty - no proxy being used.Data type: String with 

valid IP4 address 

Port Port number to contact the HTTP proxy on.Must be supplied if the 

ProxyIP setting is used.Data type: Integer with valid Port address (1- 

65535) 

Proxy 

Timeout 

Max 

Connections 

30 Time in seconds that the MDC will wait on a response from the 

HTTP/gateway.Data type: integer 

10 Maximum allowed number of concurrent connections to the HTTP 

gateway.Data type: Integer (1-100) 

File Name The file that tracing output should be written to.None – no tracing.Data 

type: String 

Tracing 0 The tracemask specifies how much tracing is done.0 – no tracing1 – 

basic tracing2 – full tracingData type: Integer 

(General 

tab)Usernam 

e 

(General 

tab)Password 

& Confirm 

Password 

Gateway Settings tab 

Gateway/ 

Description 

Gateway/ 

HTTPMethod 

Gateway/ 

URL 

Gateway 

Name 

Query 

Method 

Protocol and 

Address 

 

 

Sets the account Username the HTTP gateway. The given value will be 

used as content for the variable [acc_User] in the query string.Data 

type: String 

Sets the account password the HTTP gateway. The given value will be 

used as content for the variable [acc_pwd] in the query string.Data 

type: String 

This is an informational field, naming or describing the HTTP gateway. It 

can be set to provide a description for a particular service, but is ignored 

by the MDC.Data type: String 

POST Designates either the GET or POST method for use in transferring 

account and message data to the HTTP/HTTPS gateway.Data type: 

String (“GET” or “POST”) 

 

Required parameter.Sets the URL to the HTTP gateway. The address 

should not contain any variables, but is should contain the protocol 

identifier.Note: the protocol identifier of “https://” can be used to SSLencrypt 

the link between the MDC and the HTTP gateway. In this case it 

is required to specify a filename where the server certificates can be 

found.Data type: String 

Gateway/ Query String


Option 

Name 

Config. 

GUI Field 

Default 

Value 

Notes 

HTTPQuery parameter> the http server, either using POST or GET (as specified by HttpGw- 

Method). This string must contain all required variables that are 

expected by the HTTP gateway. Contained in the query string must be 

the following parameters which will be set by the MDC before submitting 

the query: 

[acc_user] specifies the account name for the gateway which will be 

used to submit the information§ 

[acc_pwd]password for the gateway account specified by the 

[Username] parameters§ 

[otp_msg]specifies the part of the query string, where the OTP message 

will be substituted§ 

[otp_dest]specifies the part of the query string, where the destination 

for the OTP (usually the mobile phone number) will be substituted.The 

query string should also incorporate any other parameters which might 

be expected by the gateway.Example:Data type: String 

Gateway/ 

CertFile 

Certificate 

File 

Gateway Results tab 

Results/ 

Resultnn/ 

Name 

Results/ 

Resultnn/ 

Pagematch 

Results/ 

Resultnn/ 

MsgType 

Results/ 

Resultnn/ 

Message 

11.3 CGI 

.\curl-cabundle.crt 

When using the HTTPS protocol, the server certificate file is used to 

authenticate the message gateway and to derive the data encryption 

keys. It can contain either one or multiple server certificates.The file 

needs to be PEM-encoded,X.509 compliant certificate.It can be created 

by exporting the required Root CA from any browser (eg. Internet 

Explorer) using the base-64 format - equivalent to PEM.Data type: 

String 

Description Name of this entry, as displayed by the MDC Configuration GUI. This 

field has no functional meaning.Data type: String 

Matching 

Pattern 

Audit 

Message 

Level 

Message 

Text 

 

Result Page Template to match the result page returned by the HTTP 

service. If this template is matched, the corresponding audit message is 

composed and returned to the SBR Plug-In Audit message.Data type: 

String 

2 Type of message to appear in the audit log:0 INFO – informational 

message (login on)1 WARNING – warning message (login fails)2 

ERROR – error message (login fails)Data type: Integer (0-2) 

 

Audit Message Template for the message to be compiled and sent back 

to the SBR Plug-In. The message is returned as Information, Warning or 

Error, depending on the MsgType parameter in the same section. 

Includes [variable] options.Data type: String 

See 9.3.1 Configuration Settings for VASCO CGI configuration settings and location. 

11.4 Digipass TCL Command Line Utility 

See 14.3 Configuration File for Digipass TCL Command Line Utility configuration settings and 

file location. 


Digipass Plug-In for SBR Administrator Reference Auditing 

12 Auditing 

Setting up auditing in the Digipass Plug-In for SBR requires three basic steps: 

1. Set up audit message destination. If this will be a text file or the Windows Event Log, 

no configuration is required. 

2. Configure auditing in the SBR Plug-In to send audit messages to the correct 

destination. 

3. Configure Audit Viewer to retrieve, filter and display audit messages. 

12.1 Text File 

12.1.1 Text File Name Variables 

A number of variables may be included in the name or path of an audit text file.Time/date 

variables will influence how often a new text file is created. 

Table 57: Audit Text File Name/Path Variables 

Variable Notes 

{year} Current year in format 'YYYY' eg. 2006 

{month} Current month in format 'MM' eg. November becomes 11 

{mday} Current day of the month in format 'DD' eg. 06 

{yday} Current day of the year in format 'DDD' – this will be a number between 1 and 366 

{week} Current week of the year in format 'WW' eg. The 6 th week of the year will be 06 

{source} The name of the program from which the audit message was received by the Audit System eg. 

Authentication Server 

Example 

Entering the following into the Log File field in the SBR Plug-In Configuration: 

c:\Audit Files\{source}\audit-{year}-{month}-{mday}.audit 

would cause: 

A directory named Digipass Plug-In for SBR to be created in the Audit Files directory 

A new audit text file to be created daily 

A file named audit-2006-11-06.audit to be created on the 6 th November 2006 

12.1.2 Configure Auditing to Text File 

1. Open the SBR Plug-In Configuration GUI. 

2. Click on the Auditing tab. 


4. Select Text File from the drop down list. 












Error 

Warning 


Success 

Failure 

11. Enter the location and a name for the text file. See 12.1.1 Text File Name 

Variables for more information. 

12. To speed up the auditing process, tick the Always keep file open checkbox. This will 

mean that the file is locked while the SBR Plug-In is running. 

13. Tick the Use GMT/UTC checkbox to record dates and times in GMT/UTC. Otherwise, 

they will be recorded in local time. The text file will indicate the time zone used. 





12.2 Windows Event Log 




4. Select Event Log from the drop down list. 










Error 

Warning 


Success 

Failure 

11. Select a log type or enter a new log type to be created in the Log Type drop down 

list. 





12.3 ODBC Audit Message Database 

12.3.1 Set up ODBC Database 

12.3.1.1 Create database 

See 3.1 Database Support for information on the ODBC databases supported by the Digipass 


12.3.1.2 Create database schema 

Two tables are required in the database. These can be created by the DPDBadmin utility using 

the -audit parameter (see 3.8.1 Modify Database Schema), 

or manually. 

Table 58: Required Audit Database Tables 

Table Name Purpose 

vdsAuditMessage Basic audit message, including mandatory fields 

vdsAuditMsgField Contains extra (non-mandatory) audit message fields which may be included in an audit 

message 

Image 3: Audit Database Table Relationships 

vdsAuditMessage Table 

This table will contain one record per audit message generated, with non-mandatory 

information held in the vdsAuditMsgField table. 

Table 59: vdsAuditMessage Required Fields 

Column Name Data Type Primary 

Key 

Allow 

NULL 

vdsTimeStamp timestamp* Yes No Date/time of event. 

Details 

vdsAMID varchar(32) Yes No 32 hex digit Audit Message ID (without “0x” prefix). 

vdsSource varchar(64) No Source component name. 




Key 

Allow 

NULL 

vdsType integer No Numeric type. 

Details 

vdsCode varchar(8) No Message code eg. “I-010003”. 

vdsDesc varchar(255) No Standard description for audit message. 

vdsCategory varchar(32) No Name of category eg. “Authentication”. 

* For some databases, this is DATETIME (SQL Server, Sybase Enterprise) or DATE (Oracle) – this is not an 

automatically generated timestamp, but just a date/time field. Millisecond precision or greater is required. 

vdsAuditMsgField Table 

This table may contain several records for a single audit message. 

Table 60: vdsAuditMsgField Required Fields 


Key 

Allow 

NULL 

vdsTimeStamp timestamp* Yes No Date/time of event. 

Details 

vdsAMID varchar(32) Yes No 32 hex digit AMID (without “0x” prefix). 

vdsFieldID integer Yes No Integer (dataset) ID of optional field. 

vdsFieldValue varchar(1024) No Yes Value of optional field, represented as string. 

* For some databases, this is DATETIME (SQL Server, Sybase Enterprise) or DATE (Oracle) – this is not an 

automatically generated timestamp, but just a date/time field. Millisecond precision or greater is required. 

12.3.1.3 Create Database Account(s) 

Create at least one database account. These permissions are required for the SBR Plug-In and 

Audit Viewer: 

Program Table Permission(s) 

required 

SBR Plug-In All Write 

Audit Viewer All Read 

12.3.1.4 Create DSN on SBR Plug-In machine 

Create a Data Source Name for the database on the machine on which the SBR Plug-In is 

installed. 

12.3.1.5 Create DSN on Audit Viewer machine 

Create a Data Source Name for the database on the machine on which the Audit Viewer is 

installed. 

12.3.2 Configure SBR Plug-In 




4. Select ODBC Database from the drop down list. 












Error 

Warning 


Success 

Failure 

11. Enter the DSN for the database. 

12. Enter the username and password of the database account to be used by the SBR 

Plug-In (if required). 



12.3.3 Configure Audit Viewer 

Note 

A Data Source Name must be configured on the Audit Viewer computer for the 

database. 

1. Select New Audit Source -> ODBC Database from the File menu. 

2. Enter a display name to be used for the database within the Audit Viewer. 

3. Enter the Data Source Name for the database. 

4. Enter the User ID and password of an administrator account for the database. 

5. Tick the Store User ID and Password checkbox to save login details in the Audit Viewer. 



Digipass Plug-In for SBR Administrator Reference Tracing 

13 Tracing 

13.1 Trace Message Types 

Table 61: Tracing Message Types 

Messag 

e Type 

Code 

[CRITC] Critical error/warning 

Notes Examples 

[MAJOR] Major error/warning [MAJOR] > Failed to execute command. Error 

[MINOR] Minor error/warning [MINOR]> Cannot get License Key from Component record 

[CONFG] Configuration/initialization [CONFG] > ODBC Database audit plugin is successfully loaded 

[CONFG] > Component cache configured as: 

max age : 900 

max size : 1000 

clean threshold : 800 

min clean interval : 60 

[ALERT] Alerts [ALERT] > disconnecting from server. 

[INFO] Informational messages [INFO ] > Audit: {Info} {Initialization} {I-002002} {The Digipass 

Authentication library has been initialized successfully.} 

[INFO ] > Creating Digipass object. 

[VINFO] Verbose informational messages [VINFO] > Event log source is 

[VINFO][ODBCConnection::OpenConnection] > Established 

connection to ODBC database 

[DATA] Data tracing [DATA ] > Prepared SQL statement "SELECT vdsDomain, 

vdsDescription, vdsCreateTime, vdsModifyTime FROM vdsDomain 

ORDER BY vdsDomain" 

[TEMP] Temporary data values [TEMP ] > Updated list is 

[RESRC] Resource usage [RESRC] > Socket Bound to 

[DEBUG] Debugging (useful for support 

purposes) 

[SECUR] Security messages, messages that 

may contain security sensitive 

data 

13.2 Tracing Levels 

[DEBUG] > Registering Binary with Event log for 

Source 

[DEBUG] > Committed transaction 

There are two tracing levels available when configuring tracing from the Configuration GUI – 

Basic and Full. This can be customised further if required by directly editing the configuration 

file. The message types recorded by each level are shown in the table below. 


Digipass Plug-In for SBR Administrator Reference Tracing 

Table 62: Tracing Message Levels 

CRITC 

MAJOR 

MINOR 

CONFG 

ALERT 

INFO 

Basic Full 

CRITC 

MAJOR 

MINOR 

CONFG 

ALERT 

INFO 

VINFO 

DATA 

TEMP 

RESRC 

DEBUG 

SECUR 

13.3 Trace Message Contents 

Basic and Full tracing levels output different amounts of information in trace messages. 

Table 63: Tracing Message Contents 

Trace Level Message Contents 

Basic [date_time] [thread ID] [level code] message 

Full [date_time] [thread ID] [level code] [internal function name] message 


Digipass Plug-In for SBR Administrator Reference Digipass TCL Command-Line Administration 

14 Digipass TCL Command-Line Administration 

14.1 Introduction 

Digipass TCL Command-Line Administration (DPCLA) allows interactive command-line and 

scripted administration of Digipass related data. It has a number of possible uses: 

Interactive command-line administration 

Scripted administration 

Complex bulk administration tasks 

Reporting on the data in the data store 

The DPCLA consists of the following components: 

DPADMINCMD 

This is a command-line program that can be used interactively or called from within a batch 

file, script or other program. This provides a command shell based on the TCL interpreter. 

VASCO TCL Extension Library 

The main functionality is provided by the VASCO extensions to TCL. This provides a set of 

additional commands in a “vasco” namespace. 

The extension library is used by DPADMINCMD, which loads the namespace automatically. 

However, if you have your own TCL environment already, you can load the extension library 

directly into it, without having to use DPADMINCMD. In that case, you will need to use the 

namespace qualifier. 

Other scripting environments such as Python, Perl and VBScript also have modules available 

that enable them to use TCL, allowing the VASCO extensions to be used in a variety of 

environments. 

TCL Runtime 

The Digipass Plug-In for SBR installation program also installs the TCL 8.4 runtime 

environment, which is necessary to run DPADMINCMD. 

14.1.1 Knowledge Requirements 

Digipass TCL Command-Line Administration is an extension of the TCL 8.4 scripting language, 

and administrators will require a basic competence in TCL in order to use the command-line 

utility. However, for simple usage, no great knowledge of TCL is required. 

For an introduction to TCL, see http://www.tcl.tk/about/language.html. Other pages on the 

www.tcl.tk web site may also provide useful background on TCL and its capabilities. For a more 

comprehensive tutorial, see http://www.tcl.tk/man/tcl8.5/tutorial/tcltutorial.html (but note 

that we install version 8.4, so there may be minor differences in 8.5). 



14.1.2 Data Store Connection 

DPCLA makes a direct connection to Active Directory in a similar way to the Administration 

MMC Interface. Similarly, if an ODBC or embedded database is used as the data store, DPCLA 

makes a connection to the SBR Plug-In. 

This connection requires an administrative login. In the case of Active Directory, an implicit 

login can be used based on your Windows login context, or you can specify explicit credentials. 

For ODBC, credentials are required exactly the same as the Administration MMC Interface. 



14.2 Using DPADMINCMD – Basics 

You can use TCL interactively with a command prompt or you can use it to run a script. 

14.2.1 Using an Interactive TCL Command Prompt 

Using DPADMINCMD to open an interactive TCL command prompt can be done as follows: 

1. Open a Windows command prompt in the \Bin directory. 

2. Enter the following command and press Enter: 

dpadmincmd 

A command prompt will be opened, at which you can enter TCL commands. DPADMINCMD 

automatically loads the VASCO TCL extensions, so that they can be used without needing to 

specify the VASCO 'namespace'. 

C:\Program Files\VASCO\VACMAN Middleware\Bin>dpadmincmd.exe 

Digipass TCL Command-Line Administration Version 3.0.0.12 

Copyright (C) VASCO Data Security Inc. 2006 

All rights reserved 

% 

Before any data administration commands will work, you need to perform an administrative 

logon, directly to Active Directory or to the database. 

The Active Directory logon does not need explicit credentials if you are logged into Windows as 

an administrator with the necessary rights: 

% logon 

1 

% 

The ODBC or embedded database logon does need explicit credentials. The Active Directory 

logon can also be done with explicit credentials if necessary: 

% logon {userid admin password password} 

1 

% 

If the logon is successful, the output indicates a session number. Otherwise, an error message 

will be displayed. 

Once there has been a successful logon, you can enter other commands, for example: 

% user query {userid admin} 

{domain master userid admin has_dp Unassigned status 0 created {2006/05/11 11:05 

:32} modified {2006/05/11 11:05:32}} 

% 

To log off, use the logoff command; to exit, use the exit command. 



14.2.2 Running a Script 

Using DPADMINCMD to run a script requires an administration logon to be specified with 

command-line parameters, unless the script itself contains a logon command. 

For an implicit Active Directory logon, the -i (implicit) parameter is sufficient. 

For a logon requiring credentials, the -u (userid) and -p (password) parameters are required. 

1. Open a Windows command prompt in the \Bin directory. 

2. Enter the following command for an implicit logon and press Enter: 

dpadmincmd -i scriptname 

3. Or, enter the following command for an explicit logon and press Enter: 

dpadmincmd -u userid -p password scriptname 

The scriptname parameter can be a file name or path and file name. 

If your script requires parameters, enter these after the scriptname. 

Example 

dpadmincmd -i myscript.tcl param1 param2 

The script file must contain a sequence of TCL commands. DPADMINCMD will first perform the 

logon, and if successful, will execute each command in the script in sequence. The TCL 

language allows you to write simple sequential scripts or add more complex control flow, 

functions and so on. 

The script does not need to use the logoff or exit commands explicitly. DPADMINCMD will 

logoff the session if necessary at exit time. 

Character Substitution 

When using a non-printing ASCII character substitution (eg. \t for a horizontal tab) in a string, 

enclose the string in double quotes. If the string is enclosed in { }, the string will be displayed 

exactly as entered. 

eg. “Error: \t Component does not exist. \n \t \t Please check the Component name.” will be 

displayed as: 

Error: Component does not exist. 

Please check the Component name. 

Whereas {Error: \t Component does not exist. \n \t \t Please check the Component name.} 

will be displayed as: 

Error: \t Component does not exist. \n \t \t Please check the Component 

name. 



14.2.3 Help 

To access help from the command prompt, use these commands: 

Table 64: DPADMINCMD Help Commands 

Command Notes 

help Provides basic information about DPADMINCMD, including a list of all 

commands available. 

help Provides information about the specific command, including required 

parameters, optional parameters and available subcommands. 

help Provides information about the specific subcommand, including required and 

optional parameters. 

14.2.4 Command Parameters 

Some notes on command parameters in TCL: 

Parameters are given in list form: {field1 value1 field2 value2 ...} 

Parameter values that include whitespace require double quotes or { }, for example 

{field1 “value 1” field2 {value 2} ...} 

Commands may be substituted for parameters using square brackets, where the 

command will return the type of parameter(s) required. eg. 

foreach i [user query {domain master} {domain userid has_dp}] { puts 

$i } 

In this example, a query returns a list of Users with Digipass assigned, which is used in 

the foreach command. 

14.2.5 Result Output 

Results are typically returned in list form, with pairs of field names and values, eg: 

{domain master userid user0001 has_dp Assigned} 

Some commands do not return field information, only a simple message, eg: 

Created Component. 

Queries return a list of list results, with only the requested fields displayed. These may be 

formatted for better readability by wrapping the query in another command, eg: 

foreach i [user query {domain master} {domain userid has_dp}] { puts $i } 

The result from the example above will display each user record in the master domain on a 

separate line, and only display the requested fields (domain, userid and has_dp), eg: 

domain master userid admin has_dp Assigned 

domain master userid user0001 has_dp Unassigned 



14.2.6 Error Handling 

When an error occurs in a VASCO TCL Extension command, information about the error will be 

written to the standard TCL error variables. This allows error handling in scripts, and allows a 

user to obtain information about the last error received when using an interactive command 

line. For example, if this command was entered: 

% user get {userid doesnotexist} 

and a User with the ID of doesnotexist could not be found, then this error would be returned: 

Error code: Error message: 

Information about that error could be retrieved from standard TCL error variables using these 

commands: 

% puts $errorCode 

Returns: 

And 

-13 

% puts $errorInfo 

Returns: 

Error code: Error message: 

while executing 

"user get {userid doesnotexist}" 

14.2.7 International Characters 

DPADMINCMD supports international characters, but your console window must be able to 

support the characters or they will not display correctly. The Lucida Console font is typically 

used. 

14.2.8 Syntax Notes 

The following points should be remembered for basic interactive and scripted usage: 

Result values that include whitespace, including date/time values, are given { } by TCL 

Comments in scripts are preceded with a # 

A backslash character at the end of a line indicates that the command is continued on 

the next line. 



14.2.9 Sample Scripts 

Below are some sample scripts which perform basic tasks. They range in complexity to provide 

an example of what can be done, and the techniques required. 

Check if a Component Record exists 

This script checks for the existence of a RADIUS Client Component record with a specific IP 

address. If a Component record of that type and location does not exist, a message will be 

displayed onscreen. 

# Check if a specified RADIUS Client Component exists 

if [catch {component get {comp_type "RADIUS Client" location 

192.168.122.213 }} result] { 

puts "Component does not exist: $result" 

} 

Create a Record if it doesn't exist 

This script builds on the previous sample to check for the existence of a RADIUS Client 

Component record and, if one does not currently exist, to create one. It requires a location 

parameter to be passed to the script when it is run from DPADMINCMD. 

# Get IP-address location from command-line argument 

set loc [lindex $argv 0] 

# Create the component if it does not exist 

if [catch "component get {comp_type {RADIUS Client} location $loc}" result] 

{ 

if [catch "component create {comp_type {RADIUS Client} \ 

location $loc \ 

policy_id {VM3 Local Authentication} \ 

shared_secret default \ 

protocol RADIUS}" result] { 

puts "Error creating component: $result" 

} else { 

puts "Created component" 

} 

} else { 

puts "Component already exists" 

} 

To run this script from DPADMINCMD, you would need to use the following syntax: 

dpadmincmd -i scriptname loc 

Bulk User Administration 

This script collects all Digipass User records belonging to the domain named Domain1 and 

unlocks any which were locked. 

# Get all the users of the domain Domain1 

if [catch {user query {domain Domain1}} users] { 

puts "Unable to retrieve users: $users" 

} else { 

# Loop for each user 

foreach user $users { 

# Get the user information into an array for easier access 



} 

} 

array set userinfo $user 

# Check if the locked information is present as it may not return a 

# value is the user is not locked 

if [info exists userinfo(locked)] { 

# If the user is locked, try to unlock it 

if [string equal $userinfo(locked) yes] { 

if [catch "user update {userid $userinfo(userid) domain 

Domain1 locked no}" result] { 

puts "Error unlocking $userinfo(userid): $result" 

} else { 

puts "Unlocked $userinfo(userid)" 

} 

} 

} 

# Clear-out the current user information 

array set userinfo [list] 



14.3 Configuration File 

The Digipass Command Line Utility uses a xml file to store necessary configuration settings. 

This file can be found at \Bin\dpadmincmd.xml. 

14.3.1 Sample Configuration File 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 


Digipass Plug-In for SBR Administrator Reference How to troubleshoot 

15 How to troubleshoot 

15.1 View Audit Information 

The SBR Plug-In can be configured to output audit messages to a number of locations: 

Windows Event Log 

Text file 

ODBC database 

If you are unsure how and where the SBR Plug-In is recording audit messages, open the SBR 

Plug-In Configuration GUI and click on the Auditing tab. 

15.1.1 Windows Event Log 

Filter for audit messages from the SBR Plug-In by: 

1. Click on View -> Filter... 

2. Select Digipass Plug-In for SBR from the Event Source drop down list. 


15.1.2 Text file 

To view audit messages written to a text file by the SBR Plug-In, either open the text file 

direct, or use the Audit Viewer. 

See 12.1 Text File for information on configuring the SBR Plug-In to write audit messages to 

a text file and viewing audit text files in the Audit Viewer. 

15.1.3 ODBC Database 

To view audit messages written to an ODBC database by the SBR Plug-In, open the Audit 

Viewer. 

See 12.3 ODBC Audit Message Database for information on configuring the SBR Plug-In to 

write audit messages to an ODBC database and viewing audit messages from the database in 

the Audit Viewer. 



15.2 Tracing 

15.2.1 SBR Plug-In 

If you are having problems starting the SBR Plug-In or logging in via the SBR Plug-In, enabling 

tracing may allow you to track down the cause. 

1. Open the SBR Plug-In Configuration. 

2. Select either Basic Tracing or Full Tracing (see the Auditing and Tracing section of 

the Product Guide for more information). 

3. Enter a path and filename to which tracing information should be written, or use the 

default. 


5. Attempt a login. 

6. Check the trace file for information on the start-up conditions of the SBR Plug-In and of 

the login attempt. 

15.2.2 Web Sites 

Enabling tracing for the User Self Management Web Site or the OTP Request Site may allow 

you to find the cause of problems experienced. It is important that the Web Site not only have 

tracing enabled, but that it has sufficient permissions to access and write to the designated 

trace file. 

15.2.2.1 Enable Tracing 

1. Open the Configuration GUI for the Web Site. 



3. Enter a path and filename to which tracing information should be written. 


15.2.2.2 Trace File Permissions 

Permissions need to be set to allow the Web Sites to access and write to the trace file. By 

default, the trace file is stored in \log. Follow these steps for the folder the 

trace file will be written to. 

1. Open Windows Explorer and browse to the directory that the trace file will be written to 

(\log by default). 

2. Right-click on the relevant directory. 

3. Select Properties. 



The Properties window will be displayed. 


5. Ensure that the IUSR_ account has Read and Write permissions 

ticked. 

6. If changes need to be made to the permissions, make changes and click on the Apply 

button. 



Adding IUSR_ account 

If the IUSR_ account is not listed for the trace file directory, you will need to 

add it manually. 

1. Click on the Add… button 

The Select Users, Computers, or Groups window will be displayed. 

2. Click on the Advanced… button. 

3. Enter search criteria (see example below) and click on the Find Now button. 

If no search criteria are entered, a list of all users and groups in the selected location 

will be returned. 

4. Select the IUSR_ account. 

5. Click on the OK button. 

6. Check that the IUSR_ account is listed. 



7. Click on the OK button. 

8. The account should now be listed in the Security group and user list. 

15.2.3 Message Delivery Component 

15.2.3.1 Enable Tracing 

1. Open the Configuration GUI for the Message Delivery Component. 



3. Enter a path and filename to which tracing information should be written. 


15.3 Installation Check 

The information in this section will enable you to check that various files have been installed in 

the correct locations and registered (where required), and Windows registry entries have been 

created and the correct values inserted. 

15.3.1 Installation Log File 

Check the log file created during the installation of Digipass Plug-In for SBR. The log file 

should be found in \install.log. 

Example Log Entries 

File successfully created 

CreateDirectory: "C:\Program Files\VASCO\Digipass Plug-In for SBR\Bin" (1) 

File: overwriteflag=0, allowskipfilesflag=2, name="aal3ad30.dll" 

File: wrote 2416640 to "C:\Program Files\VASCO\Digipass Plug-In for SBR\Bin\aal3ad30.dll" 

DLL could not be registered 

Error registering DLL: Could not load dpmmccom.dll 

15.3.2 Registry Entries 

Table 65: Registry Entries 

General 

Registry Path Key Name Value Notes 



Registry Path Key Name Value Notes 

HKEY_LOCAL_MACHINE\ 

Software\VASCO Data Security\ 



InstalledProducts\ 



InstalledComponents\ 

HKEY_LOCAL_MACHINE\Softwar 

e\VASCO Data Security\Digipass 

Plug-In for SBR\ 



e\VASCO Data Security\MMC 

Admin Interface\ 













InstallDirectory Typically c:\program 

files\VASCO\Digipass Plug-In for 


Digipass Plug-In 

for SBR 

1 1 = installed 

0 = not installed 

If the Pack has been incorrectly 

installed, the key will typically be 

missing rather than having a value 

of 0. 

Check the recorded version numbers 

for various components. 

Version 1.0.0. Version number for the Digipass 


ApiLibrary \Bin\ 

aal3ad30.dll 


aal3seal30.dll 

DialogLibrary \Bin\ 

dpwxlib.dll 

HelpFile \Doc\ 

Admin_MMC_Interface_A 

D_Help.chm 

HelpFile \Doc\ 

Admin_MMC_Interface_ 

ODBC_Help.chm 

Digipass Extension for Active Directory Users and Computers 



AD U&C Extension\ 







Message Delivery Component 


System\CurrentControlSet\ 

Services\EventLog\Application\ 

Virtual Digipass Message 

Delivery Component\ 


System\CurrentControlSet\ 

Services\EventLog\Application\ 

Virtual Digipass Message 

Delivery Component\ 


aal3ad30.dll 

DialogLibrary \Bin\ 

dpwxlib.dll 

HelpFile \ Doc\ 

AD_Extension_Help.chm 

EventMessageFile \Bin\ 

mdcserver.exe 

Included only where Active Directory 

is used as the data store. 

Included only where an ODBC 

database is used as the data store. 

Included only where Active Directory 

is used as the data store. 

Included only where an ODBC 

database is used as the data store. 

TypesSupported 1 1 = EVENTLOG_ERROR_TYPE 



Note 

See 9.3.1 Configuration Settings for VASCO CGI configuration settings in 

the Windows registry. 

15.3.3 Check Permissions 

Table 66: Permissions Required 

Directory or File Permission(s) required Notes 

User Self Management Web Site (IIS) 

/dpselfservice/cgi execute 

\UserSite\CGI\usercgi.exe 

OTP Request Site (IIS) 

/requestotp/cgi execute 

execute This is required on Windows Server 

2003 only. 

\VDPSite\CGI\vdpcgi.exe execute This is required on Windows Server 

2003 only. 

15.3.4 SBR Plug-In Registered in Active Directory Domain 

If Active Directory is used as the data store, check that the SBR Plug-In is registered in the 

relevant Active Directory domain(s): 

1. Open Active Directory Users and Computers. 

2. Click on Users. 

3. A list of Windows Users and Groups will be displayed in the Result pane. 

4. Double-click on the RAS and IAS Servers group. 

5. Check that the SBR Plug-In is listed in the group members. 

If the SBR Plug-In is not registered in the domain, add it to the group. 

15.3.5 Default Policy and Component Created 

A default Policy and a Component for the SBR Plug-In should have been created during the 

installation. If they have not been created, the SBR Plug-In will not process authentication 

requests. 

Note 

These steps should only be followed if the Policies and Components have not 

been modified since installation. 

To check that Policies and Components were created successfully during installation: 


2. Click on the Policies node. 

A Policy named VM3 Administration Logon should be included in the Policies List. 




4. Check that a Component named SBR Plug-In is included in the Components List. 

5. Double-click on the SBR Plug-In Component record. 

The Component Properties window will be displayed. 

6. VM3 Administration Logon should be selected in the Policy drop down list. 


Digipass Plug-In for SBR Administrator Reference Audit Messages 

16 Audit Messages 

To set up auditing in the SBR Plug-In, see 11.1.8 

16.1 Audit Message Listing 

Table 67: Audit Messages List 

Message 

Code 

Auditing. 

Description Notes 

E000001 A system error has occurred. This message is used whenever there is a general 

processing error. It will contain full details of the error. 

E001001 The Digipass Plug-In failed to start up. The Plug-In encountered a fatal error on startup such as an 

invalid or missing configuration file. 

E001002 The Digipass Plug-In has been forced 

into the disabled state. 

E001003 The Authentication Server failed to start 

up 

E002001 The Active Directory AAL3 library failed 

to initialize. 

E002002 The Digipass Authentication library 

failed to initialize. 

E002004 The RADIUS protocol handler failed to 

initialize. 

E002006 The Replication library failed to 

initialize. 

E002007 Initialization of a Replication destination 

server failed. 

E002008 The Authentication Server protocol 

handler failed to initialize. 

E002009 The VM2 Compatibility protocol handler 

failed to initialize. 

The Plug-In has started up, but is in a disabled state in 

which it will not process authentication requests. This is 

typically due to a license problem (an invalid or missing 

License Key in the Plug-In's Component record); an invalid 

Component Location setting in the configuration file; or a 

missing Component record for the Plug-In. 

The Authentication Server encountered a fatal error on 

startup. This is typically due to an invalid or missing 

configuration file or failure to connect to the data store. 

The Active Directory 'AAL3' library encountered a fatal 

error on initialization, eg. invalid configuration settings in 

the configuration file. 

The 'Authentication' library encountered a fatal error on 

initialization, eg. invalid configuration settings in the 

configuration file. 

The protocol handler that receives and processes RADIUS 

requests did not start up. This may be because of a 

missing License Key in the Authentication Server 

Component record, or because the License Key in that 

Component record does not enable RADIUS support. Look 

for the line RADIUS=Yes in the License Key details. 

A common reason for this error, when RADIUS is enabled 

in the License Key, is that the RADIUS ports are already in 

use by another process on the machine. 

Alternatively, the configuration settings may be invalid. 

The Replication library encountered a fatal error on 

initialization, eg. invalid configuration settings in the 

configuration file. 

The Replication library found the configuration of a 

Destination Server to be invalid. The library will still start 

up if its main configuration settings are valid and there is 

at least one valid Destination Server. For the invalid 

Destination Servers, this audit message is generated. 

The protocol handler that receives and processes 

administration requests and authentication requests from 

the IIS modules failed initialization. This is typically due to 

invalid configuration settings or because the API port is 

already in use by another process on the machine. 


authentication requests from the VACMAN Middleware 



Message 

Code 

E009001 An error occurred in the Virtual Digipass 

Message Delivery Component. 

E012001 The RADIUS Profile was not found in 


E012002 The RADIUS Attribute was not known by 


E013001 A connection to an ODBC data source 

could not be established. 

E013002 A connection to an ODBC data source is 

broken. 

W004001 A connection attempt to Active 

Directory failed. 

W004004 A connection attempt to a Replication 

destination server failed. 

W005001 A connection to Active Directory has 

terminated due to an error. 


version 2 IIS modules failed initialization. This is typically 

due to invalid configuration settings or because the API 

port is already in use by another process on the machine. 

The MDC encountered an error during the process of 

submitting a request to the HTTP gateway and interpreting 

the response. This may indicate a configuration problem for 

the gateway or connectivity issues. The audit message may 

contain further details from the gateway. 

When a RADIUS Profile name is in the Digipass User 

Account but that name is not found in SBR, the login is 

failed with this error. 

This can also occur if there is no RADIUS Profile in the 

Digipass User Account, but there is a Default RADIUS 

Profile configured that was not found in SBR. 

When the Digipass User Account has a RADIUS attribute in 

its Authorization Profiles/Attributes list, the attribute 

must be found in SBR. When such an attribute is not 

known to SBR, the login is failed with this error. 

The most likely reason for this error to occur is that the 

spelling of the attribute Name is different in SBR compared 

to the Digipass User account. This may also occur if the 

Value of the attribute does not convert to the correct data 

type expected by SBR. For example, if an IP address 

attribute has a Value which is not a representation of an IP 

address. 

An attempt to connect to an ODBC data source failed. This 

may occur because: 

the database is unavailable for some reason such as 

rebooting 

the database is too busy temporarily to service the 

connection 

there are networking problems 

your credentials used in connecting to the database 

are invalid. 

An established connection to an ODBC data source has 

broken. This may occur because: 

the database suddenly becomes unavailable for some 

reason such as rebooting 

the database becomes too busy temporarily to 

service the connection 

there are networking problems. 

An attempt to connect to an Active Directory Domain 

Controller failed. This may occur because: the Domain 

Controller is unavailable for some reason such as 

rebooting; the Domain Controller is too busy temporarily to 

service the connection; or there are DNS or networking 

problems. 

An attempt by the Replication library to connect to a 

Destination Server failed. This may occur because: the 

incorrect IP address or port is configured; the Destination 

Server is unavailable for some reason such as rebooting; or 

there are networking/connectivity problems such as an 

intermediate firewall blocking the port. 

An established connection to an Active Directory Domain 

Controller has broken. This may occur because: the 



Message 

Code 

W005004 A connection to a Replication 

destination server has terminated due 

to an error. 

W006001 An invalid RADIUS packet has been 

received. 

W006002 A RADIUS request has been received 

from an unknown source. 

W006003 A request has been received from a 

RADIUS Client with no Shared Secret 

defined. 

W006004 A RADIUS request forwarded by this 

server has been received – there must 

be a circular proxy chain. 

W006005 An Access-Challenge received from the 

RADIUS Server cannot be handled. 


Domain Controller suddenly becomes unavailable for some 

reason such as rebooting; the Domain Controller becomes 

too busy temporarily to service the connection; or there 

are DNS or networking problems. 

An established connection to a Destination Server has 

broken. This may occur because the Destination Server 

suddenly becomes unavailable for some reason such as 

rebooting, or because of a temporary networking or 

connectivity problem. 

A RADIUS request received was invalid (did not conform to 

the RADIUS protocol). The request is discarded. 

This can also occur when a response is received from a 

RADIUS Server to which a request was forwarded, if the 

response was invalid. The response is discarded. 

A RADIUS request was received but there is no RADIUS 

Client Component for the source of the request, and there 

is no “default” RADIUS Client Component. The request is 

discarded. 

This audit message will be repeated at intervals when the 

same unknown source sends requests, but not for every 

request. 

A RADIUS request was received where there is a RADIUS 

Client Component for the source of the request, but that 

Component record does not have a Shared Secret defined. 

Therefore, it is not possible to handle the request and it is 

discarded. 

This will not occur if there is a “default” RADIUS Client 

Component that has a Shared Secret. 

This audit message will be repeated at intervals when the 

same source sends requests, but not for every request. 

This can occur when the SBR Plug-In forwards a request to 

a RADIUS Server, and the RADIUS Server forwards the 

request back, due to its own proxy rules. It can also occur 

indirectly in a longer 'proxy chain'. The request is 

discarded, otherwise an infinite loop could be created. 

If this occurs, there must be an error in the proxy 

configuration of the RADIUS Server(s). 

This can occur when the SBR Plug-In forwards a request to 

a RADIUS Server and the RADIUS Server responds with an 

Access-Challenge. An Access-Challenge can only be 

handled when the SBR Plug-In forwards the password 

unmodified to the RADIUS Server. If the SBR Plug-In 

verifies an OTP and forwards the static password to the 

RADIUS Server, it is not possible to handle an Access- 

Challenge from the RADIUS Server. 

W006006 A RADIUS Server is not responding. The SBR Plug-In has not managed to get a response from 

the RADIUS Server for some time. This message indicates 

that there may be a problem with the RADIUS Server. 

W009001 Virtual Digipass One Time Password 

delivery failed. 

W010001 A blank password was used for Back- 

End Authentication, as Stored Password 

Proxy is disabled and the user did not 

enter a static password. 

The MDC could not successfully deliver a text message via 

the HTTP gateway. The audit message should contain 

further details from the gateway. 

This message only occurs when the Back-End 

Authentication setting is Always. 

When Stored Password Proxy is disabled, the SBR Plug- 

In does not pass on the password stored in the Digipass 



Message 

Code 

W011001 A Backup Virtual Digipass quota of uses 

has been finished. 

W011002 No Digipass was found to assign to a 

new Digipass User Account for Auto- 

Assignment. 

W011003 A Digipass User Account has become 

locked. 


W012002 A Replication update received has been 

ignored, as the local data is more up-todate. 

W012003 A Replication queue entry has not been 

inserted. 

W013001 An invalid request has been received by 

the Authentication Server. 

W013002 A request has been received by the 

Authentication Server from an unknown 

source. 

User Account to Windows for Back-End Authentication. If a 

User does not enter their password as well as their OTP, 

the login will fail because their password has not been 

provided to Windows. 

BVDP Uses Remaining has just been decremented to 0 

for a Digipass. The User will not be able to use that 

Digipass for Backup Virtual Digipass logins until the Uses 

Remaining is increased or cleared. 

No available Digipass were found for Auto-Assignment. 

This may be because: there were no unassigned Digipass 

in the right location; the unassigned Digipass did not 

conform to Policy restrictions; the unassigned Digipass 

were Reserved for individual assignment. 

The location in which the SBR Plug-In searches for 

available Digipass records can be controlled to some extent 

using the Search Upwards in Org. Unit hierarchy 

setting. 

A User just exceeded the User Lock Threshold of failed 

logins and their Digipass User Account is now Locked. 

Administrator action is required to unlock the account. 

The Authentication Server has received a data update from 

another Authentication Server via the Replication process, 

but its local data is already newer than the data received 

via Replication. 

It is normal that this can occur, but it can also indicate a 

potential synchronization issue. 

This can occur when a replication queue has reached its 

maximum size. This is most likely to occur when the 

destination server is down or cannot be contacted due to a 

networking problem. 

The Authentication Server has received an invalid 

authentication, administration or Replication request. 

The Authentication Server has received an authentication, 

administration or Replication request from an unknown or 

unauthorized source. If the request was from a valid 

source, this message indicates that a Component record is 

missing (or that a required restart of the Service has not 

been made since the creation of the necessary Component 

record). 

W014001 The License Key is missing or invalid. A valid, unexpired license key is required to process any 

kind of authentication request. This message will be 

generated periodically when authentication requests are 

received by the Authentication Server, when it does not 

have a valid License Key. 

I001001 The Digipass Plug-In has started up 

successfully. 

I001002 The Authentication Server has started 

up successfully. 

I002001 The Active Directory AAL3 library has 

been initialized successfully. 

Configuration details are given in the audit message. 


Note that the Authentication Server can start up 

successfully even if a component such as the RADIUS 

protocol handler does not start up successfully. 

The Active Directory 'AAL3' library has completed 

initialization. Configuration details are given in the audit 

message. 

I002002 The Digipass Authentication library has The 'Authentication' library has completed initialization. 



Message 

Code 


been initialized successfully. Configuration details are given in the audit message. 

I002004 The RADIUS protocol handler has been 

initialized successfully. 

I002006 The Replication library has been 

initialized successfully. 

I002007 Initialization of a Replication destination 

server succeeded. 

I002008 The Authentication Server protocol 

handler has been initialized successfully. 

I002009 The VM2 Compatibility protocol handler 

has been initialized successfully. 

I003001 The Digipass Plug-In has shut down. 

I003002 The Authentication Server has shut 

down. 

I004001 A connection attempt to Active 

Directory was successful. 

I004004 A connection attempt to a Replication 

destination server was successful. 

I005001 A connection to Active Directory has 

been terminated normally. 

I005002 A connection to Active Directory has 

been timed out for load-balancing. 

I005004 A connection to a Replication 

destination server has been terminated 

normally. 

I006001 A RADIUS Access-Request has been 

received. 

I006002 A RADIUS Accounting-Request has been 

received. 

I006003 A RADIUS Server has started 

responding again. 

I007001 A RADIUS Access-Accept has been 

issued. 

I007002 A RADIUS Access-Challenge has been 

issued. 

The protocol handler that receives and processes RADIUS 

requests started up. Configuration details are given in the 

audit message. 

The Replication library was initialized successfully. 


The Replication library initialized a Destination Server 

successfully. Configuration details are given in the audit 

message. 


administration requests and authentication requests from 

the IIS modules was initialized successfully. Configuration 

details are given in the audit message. 


authentication requests from the VACMAN Middleware 

version 2 IIS modules was initialized successfully. 



Controller has ended with a normal disconnection. 


Controller has been ended for load-balancing purposes. 

Periodically the connections will be dropped and new ones 

established, in case there is a less busy Domain Controller 

available. The time period is defined by the configuration 

setting Max-Bind-LifeTime in the file, in minutes. 

An established connection to a Replication Destination 

Server has ended with a normal disconnection. 

The SBR Plug-In has received an Access-Request. The 

audit message will indicate what action will be taken as 

well as key details of the request. 

The SBR Plug-In has received an Accounting-Request. The 

audit message will indicate what action will be taken as 

well as key details of the request. 

After the SBR Plug-In had not managed to get a response 

from the RADIUS Server for some time, this message 

indicates that it is responding again. 

The SBR Plug-In has accepted an Access-Request. Note 

however that it is still possible that after the SBR Plug-In 

has accepted the request, another component of the 

overall process may still decide to reject the request 

ultimately. 

The SBR Plug-In has issued a challenge, either 

Challenge/Response or Virtual Digipass. 



Message 

Code 

I007003 A RADIUS Access-Reject has been 

issued. 

I007004 A RADIUS Accounting-Response has 

been issued. 

I008001 A Digipass has been moved for 

assignment to a user. 

I008002 A user-to-user link has been removed 

due to assignment of a Digipass. 

I009001 A Virtual Digipass One Time Password 

has been delivered. 


The SBR Plug-In has rejected an Access-Request. 

The SBR Plug-In has acknowledged an Accounting-Request. 

Note however that unless the request is forwarded to a 

RADIUS Server, no processing is carried out by the SBR 

Plug-In. 

Upon assignment of a Digipass to a User, if the Digipass is 

not already in the same location (Organizational Unit) as 

the User, it is moved to that location. 

If a Digipass User Account is linked to another in order to 

share the Digipass, it must not have a Digipass assigned 

itself. If a Digipass is assigned, the link will be broken. 

The MDC successfully delivered a text message via the 

HTTP gateway, as reported by the gateway. The audit 

message may contain further details from the gateway. 

Note that depending on the gateway, it may still be 

possible for delivery to fail after the gateway has reported 

success. 

I010001 User authentication was not handled. The SBR Plug-In decided not to handle an authentication 

request due to Policy and/or Digipass User Account 

settings. The main reasons why this may occur are: the 

effective Local Authentication and Back-End 

Authentication settings were both None; the User failed 

the Windows Group Check, using the Pass requests for 

users not in listed groups back to host system option. 

Note that the 'effective' settings are the effective settings 

of the Policy, unless the Digipass User Account overrides 

the Policy. 

I010002 A stored password change was 

unhandled. 

I011001 A Digipass Grace Period has been ended 

by the use of a One Time Password. 

I011002 A Backup Virtual Digipass expiration 

date has been set due to the first 

request for a Virtual One Time 

Password. 

I011003 A Backup Virtual Digipass time limit has 

been expired by the use of the normal 

One Time Password. 

The SBR Plug-In decided not to handle a password change 

request due to Policy and/or Digipass User Account 

settings. The main reasons why this may occur are: the 

effective Local Authentication and Back-End 

Authentication settings were both None; the User failed 

the Windows Group Check, using the Pass requests for 

users not in listed groups back to host system option. 



the Policy. 

The first time that an assigned Digipass is used 

successfully to log in, if a Grace Period is still active, it is 

ended immediately. They must continue to use their 

Digipass to log in after that point. 

A User has requested a Backup Virtual Digipass OTP for the 

first time, when the effective Backup VDP Enabled 

setting is Yes – Time Limited and they did not already have 

an Enabled Until date set on their Digipass. At this time, 

they are given the Time Limit from the Policy by adding it 

to the current date. 

A User who has been using Backup Virtual Digipass has 

used their normal OTP login using the Digipass again. 

When the effective Backup VDP Enabled setting is Yes – 

Time Limited, using the normal OTP login ends their time 

limit immediately. This is done by setting the Enabled 

Until date on their Digipass to the current date. 

An administrator action is required to reset their Enabled 



Message 

Code 

I011004 A Backup Virtual Digipass quota of uses 

has been set due to the first request for 

a Virtual One Time Password. 

I011005 A Digipass User Account has been 

created using Dynamic User 

Registration. 

I011006 A new static password has been stored 

using Password Autolearn. 

I011007 A Digipass has been assigned to a new 

Digipass User Account using Auto- 

Assignment. 

I011008 A Digipass has been assigned to a 

Digipass User Account using Self- 

Assignment. 

I011009 A Digipass challenge has been issued 

for a Self-Assignment attempt. 


Until date, if the User is to be allowed to use Backup 

Virtual Digipass again. 

A User has requested a Backup Virtual Digipass OTP for the 

first time, when the effective Backup VDP Max. 

Uses/User setting is greater than 0 and they did not 

already have a Uses Remaining date set on their 

Digipass. At this time, they are given the Max. Uses/User 

limit from the Policy. 

A Digipass User Account has been created automatically 

upon successful Back-End Authentication. This occurs 

when the Dynamic User Registration feature is enabled. 

A new static password has been stored in the Digipass User 

Account after successful Back-End Authentication. This 

occurs when the Password Autolearn feature is enabled. 

Upon creation of a new Digipass User Account through 

Dynamic User Registration, an available Digipass has 

been assigned to the new account automatically. This 

occurs when the Auto-Assignment feature is enabled. 

A User has successfully assigned a Digipass to themselves 

using the Self-Assignment feature. 

A User has obtained a challenge during an attempt to 

assign a Digipass to themselves using the Self- 

Assignment feature. In order to complete the assignment, 

they must provide the correct response to the challenge 

from the Digipass. 

I011010 A user has changed their Digipass PIN. A User has changed their Server PIN during their login, or 

set it up on first use or after a PIN reset. 

I013001 A connection to an ODBC data source 

has been made successfully. 

I013002 A connection to an ODBC data source 

has been terminated normally. 

S001001 A query for a single [object] record was 

successful. 

S001002 A query for [object] records was 

successful. 

S001003 A command of type [object] [command] 

was successful. 

An established connection to an ODBC data source has 

ended with a normal disconnection. 

The SBR Plug-In or an administrator has made a successful 

query to the data store for a single record. In the case of 

the SBR Plug-In this may be a search for its Component 

record; for an administrator it could be any single record 

query. The audit message has details of the record found. 

The SBR Plug-In or an administrator has made a successful 

query to the data store for some records. In the case of the 

SBR Plug-In this may be a search for a RADIUS Client 

Component record; for an administrator it could be any list 

query. The audit message has details of the records found 

but this may be truncated. 

An administrator has issued a successful data modification 

command such as an update of settings or one of the 

Digipass Application operations like Reset PIN. The audit 

message has details of the command and results. 

S002001 User authentication was successful. The 'Authentication' library has passed authentication for a 

request. Note however that the SBR Plug-In or another 

component of the overall process may still decide to reject 

the request ultimately. 

S002002 User authentication issued a challenge. The 'Authentication' library has issued a challenge for an 

authentication request, either Challenge/Response or 



Message 

Code 

S002004 A stored password change was 

successful. 

S003001 A Replication update was sent 

successfully. 

S003002 A Replication update received has been 

processed successfully. 


Virtual Digipass. 

The Authentication Server has successfully processed a 

password change request. 

This message is audited at the source server, when a 

database change is sent to a destination server and 

processed successfully. 

This message is audited at the destination server, when a 

database change is received and processed successfully. 

S004001 An administrative logon was successful. An administrative logon to the Authentication Server was 

successful. 

S004002 A Live Audit connection was successful. A Live Audit connection to the Authentication Server was 

successful. 

F001001 A query for a single [object] record 

failed. 

The SBR Plug-In or an administrator has made an 

unsuccessful query to the data store for a single record. In 

the case of the SBR Plug-In this may be a search for its 

Component record; for an administrator it could be any 

single record query. The audit message has basic details of 

the failure, but there should be a preceding E000001 with 

more details. 

F001002 A query for [object] records failed. The SBR Plug-In or an administrator has made an 

unsuccessful query to the data store for some records. In 

the case of the SBR Plug-In this may be a search for a 

RADIUS Client Component record; for an administrator it 

could be any list query. The audit message has basic 

details of the failure, but there should be a preceding 

E000001 with more details. 

F001003 A command of type [object] [command] 

failed. 

An administrator has issued an unsuccessful data 

modification command such as an update of settings or one 

of the Digipass Application operations like Reset PIN. The 

audit message has basic details of the failure, and there 

may be a preceding E000001 with more details. 

F002001 User authentication failed. The 'Authentication' library has failed authentication for a 

request. The audit message has details of the failure (see 

17 Error and Status Codes) and there may be a preceding 

E000001 with error details. 

F002003 A stored password change failed. The Authentication Server has not processed a password 

change request. The audit message has details of the 

failure (see 17 Error and Status Codes) 

and there may 

be a preceding E000001 with error details. 

F003001 Sending a Replication update was 

unsuccessful. 

F003002 Processing a Replication update 

received was unsuccessful. 

This message is audited at the source server, when a 

database change is not sent to a destination server 

successfully, or it was sent but the processing at the 

destination was unsuccessful. 

This message is audited at the destination server, when a 

database change is received but is not processed 

successfully. 

F004001 An administrative logon was rejected. The 'Authentication' library has failed an administrative 

login request. The audit message has details of the failure 

(see 17 Error and Status Codes) 

and there may be a 

preceding E000001 with error details. 

Note that this may occur even when preceded by a 

successful authentication (S002001) message, for example 

if the user's credentials were OK but they did not have 



Message 

Code 


Administrative Logon privilege. 

F004002 A Live Audit connection was rejected. The 'Authentication' library has failed a Live Audit 

connection request. The audit message has details of the 

failure (see 17 Error and Status Codes) 

and there may 

be a preceding E000001 with error details. 

Note that this may occur even when preceded by a 

successful authentication (S002001) message, for example 

if the user's credentials were OK but they did not have 

Administrative Logon or Live Audit Connection privilege. 



16.2 Audit Message Fields 

Table 68: Audit Messages Fields 

Display Name Description 

Area Area of code/functionality in which the audit event occurred. Eg. “Active Directory search”. 

Operation Operation being attempted/processed when the audit event occurred. 

Error Code Standard error code. 

Error Message Fixed error message corresponding to ERROR_CODE. 

Error Details Full dump of 'error stack'. 

Source Location Location of source of audit message, typically IP address or host name. 

Server Location When the server itself is not the source of the audit message, this is the location of the 

server (IP/host name). 

Client Location When the client itself is not the source of the audit message, this is the location of the client 

(IP/host name). 

Version Full version string. Eg. “2.5.2.0045”. 

Data Source Type of data source. Eg. “File”, “Registry”. 

Data Source Location Specific location of data source. Eg. for a File, the path/filename. 

Configuration Details Breakdown of configuration settings. 

Outcome Outcome of an attempt to do something. Eg. “Success”, “Failure”, “Challenge”. 

Reason Generally a short phrase indicating a reason for a failure. 

Characteristics Space-separated list of keywords indicating characteristics of interest. Eg. for a connection 

attempt, keywords such as “SSL” , “TCP”, “IPv6” may be useful. 

User ID UserID. Can be in various formats, unless it refers to a Digipass User Account UserID, when 

it must be exact (SAM-Account-Name). 

Domain Domain name (FQDN). 

Credentials What kind of credential was offered for a connection/login attempt. Eg. “Password”, “None”. 

Session ID Session identifier. 

Serial No Digipass Serial No. 

Application Digipass Application Name. 

Request ID Any request identifier(s). Eg. a RADIUS packet ID. 

Password Protocol The way in which a password is encoded. Eg. “PAP”, “CHAP”, “MS-CHAP1”, “MS-CHAP2”. 

Input Details Breakdown of request parameters/attributes. 

Action Intended action to take for a request received. Eg. “Ignore”, “Process”. 

Output Details Breakdown of response parameters/attributes. 

Policy ID Name of Policy used to handle a request. 

Mobile No Mobile phone no. for sending a text message. 

From Location from which something is moved. Eg. an Active Directory location. 

To Location to which something is moved. Eg. an Active Directory location. 

User Link Identification of user to which another user is linked. 

Message This is used where something external (eg. the MDC) returns a message for auditing. 

Expiration Date Value of an expiry date such as Grace Period. 

Quota Value of a quota such as Backup Virtual Digipass Uses Remaining. 

Local Authentication Whether Local Authentication was done or not. 

Back-End 


If Back-End Authentication was done, the Back-End Protocol used, otherwise “None”. 



Display Name Description 

Object Name of data object of query/command. 

Command Name of command. 

Downtime Length of downtime in minutes. 

Fields The list of fields to be returned by the query, or 'All Fields'. 

RADIUS Profile Name of RADIUS Profile (eg. for Funk SBR). 

Request Type Type of request or response, eg. “Access-Request”, “Access-Accept”, “Access-Reject”. 


Digipass Plug-In for SBR Administrator Reference Error and Status Codes 

17 Error and Status Codes 

This section lists the standard error and status codes with the associated messages. 

17.1 Error Code Listing 

Table 69: Error Code List 

Error 

Code 

0 (No error) 

Message Notes 

-1 An unspecified error occurred This error code may occur when a more specific error code is 

not available or was recorded separately. 

-2 The parameters supplied were invalid Parameters supplied to a function or command were invalid. 

-3 A memory error occurred Memory allocation failed. This is normally due to the system 

running low on memory. 

-10 A communications error occurred Inter-process or inter-component communication failed. This 

may also occur with communications to Active Directory or a 

database. This error is normally accompanied by further details. 

-11 A license error has occurred General-purpose license failure when a more specific code is 

not available or was recorded separately. 

-12 An operating system call failed A system call failed. This may include file handling, Active 

Directory Services Interface and other calls. It is normally 

accompanied by further details. 

-13 The object was not found An attempt was made to perform an operation on an object, 

such as an Active Directory object, but the object did not exist. 

For example, this may occur when one administrator deletes a 

record that another administrator is about to update, when the 

update operation is attempted. 

-14 The object already exists An attempt was made to create an object, such as an Active 

Directory object, but the object already exists. For example, 

this may occur when two administrators try to create the same 

record at the same time. 

-15 The supplied buffer was of the 

incorrect size 

An internal data buffer was of insufficient length to hold the 

data required. 

-16 A version error has occurred A version mismatch has occurred. Further details in the error 

record will indicate what versions were mismatched. 

-17 The supplied data are invalid General-purpose error when input data to an operation is 

incorrect. Further details of the error will be recorded. 

-18 The object is invalid An attempt was made to perform an operation upon an object 

type that was not recognized. 

-19 The command is invalid An attempt was made to perform an operation using a 

command that was not recognized. 

-20 The object is in use An attempt was made to delete an object, such as an Active 

Directory object, but that object was in use. 

This may occur when you try to delete a Policy, but another 

Policy inherits from the one you are deleting, or a Component 

uses the Policy. 

-21 The operation is not supported General-purpose error when an operation is attempted on an 

object that does not support it. For example, an attempt is 

made to generate a Virtual Digipass OTP using a Digipass that 

is not enabled for Virtual Digipass. 



Error 

Code 

Message Notes 

-22 An object error has occurred General-purpose error on an operation on an object. This 

should be supplemented with more specific details. 

-23 A required field was missing An operation was attempted without specifying one or more 

mandatory input fields. 

-24 Auditing failed An operation failed because auditing was mandatory, but failed. 

-30 The configuration is invalid The configuration data in the configuration file are invalid. The 

error record should indicate which specific data were invalid. 

-31 A type mismatch has occurred General-purpose error when one datatype is expected but a 

different datatype was provided. 

-32 One or more objects were not 

initialized 

Internal initialization error. More specific error details will be 

recorded. 

-33 The cache is full An attempt was made to add an entry to a cache, but the cache 

has reached its configured maximum size. 

-34 The cache entry has reached the 

maximum reference count 

-35 The system is currently too busy to 

service the request 

An attempt was made to retrieve an item from a cache, but the 

item was already in use and the configuration indicates a limit 

on the number of times an item can be retrieved from the 

cache at one time. 

The system received a new request for processing, but hit a 

resource usage limit of some type. This indicates that the 

system is too loaded to handle the request. For example, there 

may be no spare database connection to use, even after 

waiting a short time for one to become available. 

-80 A timeout has occurred An operation failed because of a timeout. 

-140 A Digipass error has occurred General-purpose failure of a Digipass operation such as OTP 

verification, Reset PIN, Unlock, etc. This is normally 

accompanied by a more specific error code and message from 

the VACMAN Controller library. 

-150 Delivery of the Virtual Digipass One- 

Time Password failed 

A Virtual Digipass OTP was generated successfully, but delivery 

by text message failed. A separate message will give more 

details about the failure. 

-200 The license has expired The License Key has an expiration date set, and the date has 

passed. A permanent License Key must be obtained. 

-201 The license data are invalid One of the details embedded into the License Key is invalid for 

the Component in which it is being loaded. The Component will 

not be able to use the License Key. This may be IP address, 

Component Type, or any other detail that can be seen in the 

License Key text. 

-202 The License Key is corrupted The signature at the bottom of the License Key is invalid. This 

would typically occur if the License Key details were modified in 

any way. 

-250 Decryption has failed - no Storage Key 

is specified in the Encryption Settings 

-251 Decryption has failed - an incorrect 

Cipher is specified in the Encryption 

Settings 

Some encrypted data has been created or modified using 

configured, rather than default, encryption settings. This error 

occurs when that data is read by a component that does not 

have configured encryption settings – the component is 

therefore unable to decrypt the data. 

It is necessary to configure the encryption settings in the 

component. See 4 Sensitive Data Encryption for more 

information on encryption settings. 


differently configured encryption settings. This error occurs 

when that data is read by a component with configured 

encryption settings that use a different Cipher Name – the 



Error 

Code 

-252 Decryption has failed - an incorrect 

Storage Key is specified in the 

Encryption Settings 

Message Notes 

component is therefore unable to decrypt the data. 

It is necessary to make sure that the encryption settings in all 

components are identical. See 4 Sensitive Data Encryption 



differently configured encryption settings. This error occurs 

when that data is read by a component with configured 

encryption settings that use a different Storage Key – the 

component is therefore unable to decrypt the data. 

It is necessary to make sure that the encryption settings in all 

components are identical. See 4 Sensitive Data Encryption 


-300 A database error occurred General-purpose error on a database operation. This should be 

supplemented with more specific details. 

-350 The request received was discarded A replication update that was received was found to be 

superseded by a later change. In this case, the update is 

discarded, as it is no longer relevant. 

This may occur when creating a record, after a record has been 

deleted then re-created. 

It may occur when modifying a record, if a later modification 

occurred before replication could apply the first change. 

-351 The request received must be retried A replication update that was received could not be applied 

immediately. In this case, the update is rejected. The retry 

mechanism at the source server will re-send the update, 

according to its configuration settings. 

This may occur if a record does not exist yet, when trying to 

apply a modification or deletion. 

It may occur after a record has been deleted and re-created, 

when a modification of the record is replicated but the 

sequence of deletion and re-creation has not been followed in 

the correct order. 

-352 A replication queue entry had an 

invalid hash value 

When an entry was read from the replication queue before 

sending, its integrity hash value check failed. This suggests that 

the queue entry may have been modified since it was added to 

the queue. In this case, the queue entry is not trusted and an 

error is reported. 

-353 The replication queue is full An operation failed because it needed to update the database, 

but the update could not be added to the Replication queue. If 

the queue is full, no database updates are allowed, to avoid the 

databases getting too far out of synchronization. 

Check the Replication Status dialog in the Administration MMC 

Interface and the Replication audit messages to investigate why 

the queue has become full. It is necessary to reduce the queue 

size in order for the system to continue to function. 

If this error occurs often, without good reason, consider 

increasing the maximum queue size. This can be configured in 

the Replication tab of the Authentication Server Configuration 

GUI. 

-500 The Service was already started When trying to start a Service, the Service was already 

running. 

-501 The Service was already stopped When trying to stop a Service, the Service was not running. 

-10051 File name is blank. No file name was specified. 

-10052 Failed to open File. The file could not be opened. The file does not exist or the user 

attempting to open the file does not have read permission for 

the file. 



Error 

Code 

Message Notes 

-10057 User ID is longer than 255 characters. The maximum User ID length has been exceeded. 

-10059 Password is longer than 255 

characters. 

-10060 User Name is longer than 64 

characters. 

-10061 Serial Number is longer than 10 

characters. 

-10062 Serial Number is less than 10 

characters long. 

-10063 Serial Number contains nonalphanumeric 

characters. 

-10064 Organizational Unit is longer than 255 

characters. 

The maximum Password length has been exceeded. 

The maximum User Name length has been exceeded. 

The maximum Serial Number length has been exceeded. Serial 

Number must be 10 characters, with no dashes (-) and with 

leading zeros (0) to make it up to 10 characters. 

The minimum Serial Number length has not been provided. 

Serial Number must be 10 characters, with no dashes (-) and 

with leading zeros (0) to make it up to 10 characters. 

The Serial Number contains non-alphanumeric characters. 

Serial Number must be 10 alphanumeric characters, with no 

dashes (-). 

The maximum Organizational Unit length has been exceeded. 

-10065 Domain is longer than 255 characters. The maximum Domain length has been exceeded. 

-10066 Distinguished Name is longer than 

1024 characters. 

-10067 Mobile Number is longer than 64 

characters. 

-10069 A syntax error occurred reading from 

the file. 

-10070 The file contains characters that are 

not UTF-8 encoded. 

-10072 Phone Number is longer than 64 

characters. 

-10073 Email Address is longer than 64 

characters. 

-10074 No User ID was given. Either the User 

ID or, for Active Directory, the 

Dishinguished Name is needed to 

import a user. 

-10075 The Mobile No. is invalid. Only 

numbers, spaces, dashes (-) and 

brackets are allowed with a + at the 

start to indicate a country code if 

needed. 

-10076 The Phone No. is invalid. Only 

numbers, spaces, dashes (-) and 

brackets are allowed with a + at the 

start to indicate a country code if 

needed. 

-10077 The specified email address contains 

invalid characters and is not in the 

form user@domain. 

-10078 The Field Header was not found or 

invalid when reading from the file. 

The maximum LDAP Distinguished Name (DN) length has been 

exceeded. 

The maximum Mobile Phone length has been exceeded. 

A syntax error occurred while reading lines from the import file: 

double-quotes were missing; there are too many fields in the 

line; a comma is missing between fields. 

The import file must be fully UTF-8 encoded when extended or 

Unicode characters are included. This message indicates that 

non-UTF-8 characters were found in the file. 

The maximum Phone Number length has been exceeded. 

The maximum Email Address length has been exceeded. 

A User ID must be supplied to import a user. The only 

exception is when using Active Directory, it is sufficient to give 

the Distinguished Name instead of the User ID. 

The Mobile Number is only allowed to include numeric 

characters, spaces, dashes(-) and brackets (){}[]. In addition a 

+ is allowed at the start for the country code. 

The Phone Number is only allowed to include numeric 

characters, spaces, dashes(-) and brackets (){}[]. In addition a 

+ is allowed at the start for the country code. 

The Email Address is only allowed to include alphanumeric 

characters, @, dots (.), underscores (_) and dashes (-). 

The first line of an import file must be a header line. The 

header line is a comma-separated list of field names, indicating 



Error 

Code 

17.2 Status Code Listing 

Table 70: Status Code List 

Status 

Code 

0 No error 

 

Message Notes 

which fields are included in every other line of the file. 

This message indicates that the header line was not found, that 

it included unknown field names or that it was not a commaseparated 

list of field names. 

See the Import User Records topic in the online Help for the 

Administration MMC Interface for a definition of the import file 

header format. 

Message Notes 

The status codes from -1 downwards match the Error 

Codes above. 

1000 The credentials were invalid General-purpose failure due to invalid username or 

password, when a more specific status is unavailable. 

1002 The user failed the Windows Group 

Check 

The SBR Plug-In rejected an authentication request due to 

the Windows Group Check failing. This can occur when 

the effective Windows Group Check option is Authenticate 

listed groups, reject others. 

Note that the 'effective' setting is the effective setting of 

the Policy, unless the Digipass User Account overrides the 

Policy. 

1004 The challenge has expired A response to challenge has been given, but the expiration 

time for the challenge has expired. The default expiration 

time is one minute, however this can be configured in the 

configuration file VASCO/AAL3/Authlib/Challenge- 

Cache/Max-Age setting (in seconds). 

1005 The user does not have permission to 

perform the specified action 

General-purpose failure of an administration command 

when the administrator does not have sufficient privileges 

to carry out the command. 

1007 The user account is locked The Digipass User Account is Locked. This is normally due 

to consecutive login failures, as determined by the Policy 

setting User Lock Threshold. Alternatively the 

administrator can actively lock the account. 

To unlock the User account, an administrator has to 

uncheck the Locked checkbox on the User record. 

1008 The One Time Password has already 

been used 

This status code occurs specifically when an OTP is rejected 

because it has already been used. It may also occur when 

the OTP has not been used but is older than the most 

recently used OTP. 

This can sometimes happen when an authentication 

request is re-sent automatically. 

1009 The user account is disabled The Digipass User Account is Disabled. This may be 

because the administrator has actively disabled the 

account, or because the corresponding Windows User 

account has become disabled or expired. 

1010 No user account was found An authentication request was rejected because no 



Status 

Code 

Message Notes 

Digipass User account was found and Local 

Authentication is required by the Policy. 

1011 The static password was incorrect As part of Local Authentication, verification of the static 

password failed. 

1012 The One Time Password was incorrect Verification of the OTP failed. More specific details may be 

found in the VACMAN Controller error code and message. 

1013 The challenge was invalid A response to a challenge was given, but the challenge was 

not the latest one issued for that Digipass. This is 

controlled by the Check Challenge Policy setting. 

1014 The Digipass Grace Period has expired A User attempted to log in with their static password, but 

their Grace Period had already expired. They have to use a 

Digipass to log in. 

If they do not have their Digipass yet, the administrator 

will have to allow them more time by modifying the Grace 

Period End date on their Digipass record. 

1015 Backup Virtual Digipass is not allowed A User attempted to request a Backup Virtual Digipass 

OTP, but they were not permitted. This would normally 

occur when either: 

The effective Backup VDP Enabled setting is Yes – 

Time Limited, and the Digipass Backup VDP 

Enabled Until date is the current date or before. 

The Digipass Backup VDP Uses Remaining 

counter has reached 0. 

In both cases, administrator intervention is required to 

permit the User to continue to use Backup Virtual Digipass. 

The Enabled Until or Uses Remaining limits need to be 

increased to permit this. 


the Policy, unless the Digipass record overrides the Policy. 

1016 The Digipass is not available A User attempted Self-Assignment, but the Digipass they 

requested either could not be found within the search 

scope or was already assigned to someone else. 

This may occur because of a mistyped Serial Number. 

Otherwise, the search scope may be incorrect or the 

Digipass may not be in the correct location to be made 

available to the User. See the Location of Digipass 

Records section in the Product Guide. 

1017 The user account has no mobile number 

for Virtual Digipass 

1018 No password was supplied for a Virtual 

Digipass login 

A User requested a Primary or Backup Virtual Digipass 

OTP, but it could not be delivered because the User 

account had no mobile phone number. In Active Directory 

this is the first Mobile No. on the record. 

A User attempted a Virtual Digipass login, but did not enter 

a password in the second stage of the login. See 10.1.4 

Virtual Digipass for more information. 

1019 The new password confirmation failed In a password change request, the new password was not 

confirmed correctly. 

1020 Local authentication failed General-purpose failure of Local Authentication when a 

more specific status code is not available. Additional 

information should provide more specific details. 

1021 Back-end authentication reported that 

the password has expired 

Back-End Authentication (eg. Windows) failed because 

the password was correct but it has expired. 

1022 Back-end authentication failed Back-End Authentication (eg. Windows) failed. A specific 

error code and message will accompany this record. 

1030 The policy was invalid An authentication request was rejected because the 



Status 

Code 

1031 The policy does not allow a selfassignment 

attempt 

1032 Hashed passwords cannot be verified by 

Windows 

Message Notes 

applicable Policy had invalid settings or failed to load. This 

should not occur, but is possible due to the delay in Active 

Directory replication for example. The two main ways in 

which a Policy can become invalid are: 

One or more choice list settings are Default in the 

Policy, and its parent Policy if it has one. 

A circular chain of Policies has been created, for 

example: Policy A inherits from Policy B; Policy B 

inherits from Policy C; Policy C inherits from Policy A. 

The Policy must be fixed in order for authentication to be 

permitted using that Policy. 

A User attempted Self-Assignment, but it is not 

permitted under the Policy. 

An authentication request could not be processed 

successfully because Back-End Authentication using 

Windows was required, but the User's password was 

hashed. It is not possible to verify hashed passwords with 

Windows. This can occur when a CHAP-based protocol is 

used – this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 

and other more complex protocols that utilize a one-way 

hash of the password entered by the User. 

Note that the effective Back-End Authentication setting 

is the effective setting of the Policy, unless the Digipass 

User Account overrides the Policy. 

1033 A Digipass must be used The effective Local Authentication setting is Digipass 

Only and the User tried to log in with a static password. 



Policy. 

1034 Challenge/Response is not supported by 

CHAP-based protocols 

1035 Challenge/Response is not supported by 

Windows 2000 

Challenge/Response is only supported in RADIUS using the 

PAP protocol. An attempt was made to generate a 

challenge using a CHAP-based protocol – this includes 

CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more 

complex protocols. 

This status code can only occur in the Digipass Plug-In for 

IAS. There is a product limitation on Windows 2000 only 

that Challenge/Response is not supported. It will occur if 

the User attempted to request a challenge. 

1036 1-Step Challenge/Response is disabled A request was made to generate a random challenge for 1step 

Challenge/Response, but the applicable Policy does 

not have 1-step Challenge/Response enabled or does not 

specify the challenge length and check digit indicator. 

1037 Password Autolearn is disabled A request was made to update a user's Stored Password, 

but Password Autolearn is disabled, so the update is not 

permitted. Password Autolearn must be enabled for the 

password update request to be processed. 

1038 The administration session ID is not 

known at this location 

1039 The administration session is no longer 

active 

An administration command has been received, but the 

internal session ID is not recognised at the location from 

which the command came. This can only occur by 

attempting to reuse a session ID from another location. 

An administration command has been received, but the 

session has stopped or is unrecognised. This can occur due 

to an idle timeout, a maximum session length timeout or a 

restart of the SBR Plug-In. 

1040 Back-end authentication returned a This can occur when the SBR Plug-In forwards a request to 



Status 

Code 

Message Notes 

Challenge that cannot be handled a RADIUS Server and the RADIUS Server responds with an 

Access-Challenge. An Access-Challenge can only be 

handled when the SBR Plug-In forwards the password 

unmodified to the RADIUS Server. If the SBR Plug-In 

verifies an OTP and forwards the static password to the 

RADIUS Server, it is not possible to handle an Access- 

Challenge from the RADIUS Server. 

It can also occur if you use RADIUS Back-End 

Authentication for an IIS Module. In that case, Access- 

Challenge is not supported from the RADIUS Server. 

1041 No Digipass was found for the given 

Serial Number 

During a Self-Assignment attempt, the Serial Number 

provided by the User was not found in the data store. This 

mainly occurs when the Serial Number is entered 

incorrectly. It can also occur because the Digipass record is 

not in the User's Domain or Organizational Unit. 

3001 A Digipass Challenge was returned This status code is the standard code when a challenge is 

issued and does not indicate any kind of error. 

3002 No challenge was identified for the 

authentication 

3003 Back-end authentication returned a 

Challenge 

5001 The user failed the Windows Group 

Check 

5002 Neither local nor back-end 

authentication was done due to policy 

and/or user settings 

A response to a challenge was given, but no challenge 

could be found. The most likely reason for this to occur is 

that the challenge is too old and has been removed from 

the challenge cache. It can also occur if no 'challenge key' 

was supplied with which to look up the challenge. 

This occurs when a RADIUS Server responds with an 

Access-Challenge, in a case where the SBR Plug-In can 

handle it. 

The SBR Plug-In decided not to handle an authentication 

request due to the Windows Group Check failing. This 

can occur when the effective Windows Group Check option 

is Pass requests for users not in listed groups back to host 

system. 



Policy. 

The SBR Plug-In decided not to handle an authentication 

request because the effective Local Authentication and 

Back-End Authentication settings were both None. 



the Policy. 


Digipass Plug-In for SBR Administrator Reference Technical Support 

18 Technical Support 

If you encounter problems with a VASCO product please do the following: 

1. Read the 15 How to troubleshoot topic for help in discovering the source of your 

problem. 

2. Check if your problem is resolved in the Knowledge Base located at the following URL: 

http://www.vasco.com/support. 

3. If you do not find the information you need in the Knowledge Base, please contact the 

company that sold you the VASCO product. 

Only after doing steps 1 and 2, if your needs are still not completely met please contact 

VASCO support: 

18.1 Support Contact Information 

E-mail 

support@vasco.com 

Website 

http://www.vasco.com/support/contacts.html 

Phone 

Australia +61 2 8920 9666 (Sydney) 

Belgium +32 2 609 9770 (Brussels) 

Singapore +65 6 232 2727 

USA +1 508 366 3400 (Boston)

Digipass Plug-In for SBR Administrator Reference - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?