Digipass Plug-In for SBR Administrator Reference - Vasco
Active Directory Schema

2.4 Active Directory Replication Issues
Active Directory replication is not instantaneous. Intra-site replication is usually quite fast, especially under Windows Server 2003, but a change made on one Domain Controller may still take several minutes to reach the other Domain Controllers. Inter-site replication may be quite slow: an hour or more between replications is common.

Replication, and therefore each of the issues below, only comes into play where a domain has more than one Domain Controller.
2.4.1 Old Data Used After Attribute Modified

The interval between replications becomes a problem when information is changed on one Domain Controller (for example, a Digipass User's Server PIN is reset) but the old information is still used on another Domain Controller before the change has been replicated to it. This can occur in a few scenarios, which are listed below.
2.4.1.1 Single SBR Plug-In using more than one Domain Controller

A single SBR Plug-In may make a change to a record, then be forced to switch to another Domain Controller and read the same record there, on a replica to which the change has not yet been applied.
Example

A User logs in with an OTP, and the SBR Plug-In connects to DC-01 to retrieve and update the Digipass data. The connection to DC-01 fails soon after the login, before replication has occurred. The User needs to log in again, and this time the SBR Plug-In connects to DC-02. The User can log in using the same OTP as for the previous login: the login should fail (OTP replay) but instead succeeds, because DC-02 does not yet know that the OTP has already been used.
Time   DC-01                                            DC-02
8:32   Replication occurs.
8:34   User logs in with OTP 10457920. The SBR
       Plug-In records the use of the OTP in the
       Digipass record.
8:35   Connection to DC-01 is broken, and the SBR
       Plug-In switches to DC-02.
8:35                                                    User retries login using the same OTP
                                                        10457920. The login succeeds where it
                                                        should have failed (OTP replay). The SBR
                                                        Plug-In records the use of the OTP in the
                                                        Digipass record.
8:37   Replication occurs: Digipass record changes are replicated between DC-01 and DC-02.
The timeline above shows the sequence of events in this example.

© 2006 VASCO Data Security Inc.
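The timeline above, modelled as an added Python example (this is not code from the VASCO document): two replicas of one Digipass record that only converge when replicate() runs, and a plug-in that fails over from DC-01 to DC-02 before replication. The post-replication check replayed_otps is an assumption of the example, not a feature the document describes.

```python
from dataclasses import dataclass, field


@dataclass
class DcReplica:
    """One Domain Controller's copy of a Digipass user record (constructed model)."""
    name: str
    used_otps: list = field(default_factory=list)  # (time, otp) events on this replica

    def validate_otp(self, time: str, otp: str) -> bool:
        """Reject an OTP this replica has already seen; otherwise record its use."""
        if any(used == otp for _, used in self.used_otps):
            return False  # OTP replay detected, but only if THIS replica knows about it
        self.used_otps.append((time, otp))
        return True


def replicate(a: DcReplica, b: DcReplica) -> None:
    """Replication occurs: merge both replicas' records so the DCs converge."""
    merged = sorted(set(a.used_otps) | set(b.used_otps))
    a.used_otps = list(merged)
    b.used_otps = list(merged)


def replayed_otps(dc: DcReplica) -> list:
    """Assumed audit check (not from the document): after replication, an OTP that was
    recorded at two different times on the converged record was accepted twice."""
    times_by_otp: dict = {}
    for time, otp in dc.used_otps:
        times_by_otp.setdefault(otp, set()).add(time)
    return [otp for otp, times in times_by_otp.items() if len(times) > 1]


def run_timeline(failover: bool) -> tuple:
    """Replay the 8:32-8:37 timeline; return (first_login_ok, retry_ok, replayed)."""
    dc01, dc02 = DcReplica("DC-01"), DcReplica("DC-02")
    replicate(dc01, dc02)                              # 8:32 replication occurs
    first = dc01.validate_otp("8:34", "10457920")      # 8:34 login via DC-01
    # 8:35 connection to DC-01 is broken; the plug-in switches to DC-02 if failover
    target = dc02 if failover else dc01
    retry = target.validate_otp("8:35", "10457920")    # user retries the same OTP
    replicate(dc01, dc02)                              # 8:37 replication occurs
    return first, retry, replayed_otps(dc01)


if __name__ == "__main__":
    print("failover to DC-02:", run_timeline(failover=True))   # retry wrongly succeeds
    print("stay on DC-01:    ", run_timeline(failover=False))  # retry correctly fails
```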