Digipass Plug-In for SBR Administrator Reference - Vasco

More documents

Recommendations

Info

Digipass Plug-In for SBR Administrator Reference Active Directory Schema 2.4.1.2 Administrator and SBR Plug-In using different Domain Controllers The administrator may not be connected to the same Domain Controller (via the Administration Interfaces) as the SBR Plug-In. Example An administrator changes a User's Server PIN through the Active Directory Users and Computers extension, which is connected to DC-01. The SBR Plug-In connects to DC-03. The User attempts a login using the new PIN, which fails because DC-03 is not yet aware of the change of Server PIN. Time DC-01 DC-03 9:02 Replication occurs 9:03 Administrator changes a User's Server PIN from 1234 to 9876. 9:04 User attempts to log in using new PIN (9876) and the login fails. 9:05 Replication occurs Digipass record changes are replicated between DC-01 and DC-03. The example timeline above shows the sequence of events. 2.4.1.3 Multiple SBR Plug-Ins Using Different Domain Controllers Multiple SBR Plug-Ins may connect to different Domain Controllers in a domain or site. Example A User changes their own PIN during a login through one SBR Plug-In which connects to DC- 01. The server on which the SBR Plug-In is installed becomes unavailable, and the User attempts another login via the SBR Plug-In on a backup server, which connects to DC-02. The login fails because DC-02 is not yet aware of the change of Server PIN. Time DC-01 DC-02 11:54 Replication occurs 11:55 User changes their Server PIN from 1234 to 9876 during login. The SBR Plug-In records the PIN change in the Digipass record. 11:57 User attempts to log in using new PIN (9876) and the login fails. 11:59 Replication occurs Digipass record changes are replicated between DC-01 and DC-02. The example timeline above shows the sequence of events. 2.4.1.4 Two Administrators Modifying the Same Attribute Two administrators attempt to modify the same attribute on a single User account or Digipass record within the same replication interval. The later modification will overwrite the earlier when replication occurs. © 2006 VASCO Data Security Inc. 26
Digipass Plug-In for SBR Administrator Reference Active Directory Schema 2.4.2 Old Data Used Overwrites New Data The problems above are exacerbated when the old information used on the second Domain Controller is updated based on the old information. As the updated record on the second Domain Controller now has a later modification date, the end result is that the changed information on the first Domain Controller is overwritten incorrectly. Example An administrator connects to DC-01 and sets a User's PIN from '1234' to '9876'. The User logs in through the SBR Plug-In, which connects to DC-02. The User enters the new Server PIN and his One Time Password. However, the PIN set on DC-01 has not yet been replicated to DC-02, so because the PIN entered does not match the old PIN still recorded in the Digipass record on DC-02, the login fails. Because the Policy setting of Identification Threshold is in use, his login failure is written back to the Digipass record. When replication occurs, the Digipass record on DC-02 has the latest modification date – and is copied to DC-01, wiping out the original PIN setting made by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server PIN for the Digipass. Time DC-01 DC-02 10:45 Replication 10:46 Administrator changes User's PIN from 9876 to 1234. 10:48 User login (with new PIN of 1234) fails. SBR Plug-In writes failure information to Digipass record. 10:50 Replication Active Directory finds last instance of the Digipass blob having been modified. Active Directory overwrites DC-01 Digipass record with DC-02 Digipass record. The example timeline above shows how the problem can occur. The problem shown in the example above may also occur in a Force PIN Change set by an administrator. 2.4.3 Factors Affecting Replication Issues A number of factors determine the likelihood and severity of the Active Directory issues described: Redundancy and load-balancing settings for the SBR Plug-In There are a number of SBR Plug-In configuration settings which may affect replication issues: Preferred Server The SBR Plug-In will attempt to connect to the named Domain Controller, rather than simply polling the domain for an available Domain Controller. Preferred Server Only The SBR Plug-In may be restricted to connecting only to the Domain Controller named in the above setting. If this is enabled, the SBR Plug-In will not switch to any other Domain Controller, so it will never retrieve data older than its own. Max. Bind Lifetime The maximum bind lifetime controls how long the SBR Plug-In will stay connected to a Domain Controller before polling the domain for a Domain Controller connection. © 2006 VASCO Data Security Inc. 27
Page 1 and 2: Modify these field values (right-cl
Page 3 and 4: Digipass Plug-In for SBR Administra
Page 25: Digipass Plug-In for SBR Administra
Page 77 and 78:
Digipass Plug-In for SBR Administra
Page 79 and 80:
Page 81 and 82:
Page 83 and 84:
Page 85 and 86:
Page 87 and 88:
Page 89 and 90:
Page 91 and 92:
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Page 115 and 116:
Page 117 and 118:
Page 119 and 120:
Page 121 and 122:
Page 123 and 124:
Page 125 and 126:
Page 127 and 128:
Page 129 and 130:
Page 131 and 132:
Page 133 and 134:
Page 135 and 136:
Page 137 and 138:
Page 139 and 140:
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
Page 157 and 158:
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167 and 168:
Page 169 and 170:
Page 171 and 172:
Page 173 and 174:
Page 175 and 176:
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185:
show all

Digipass Plug-In for SBR Administrator Reference - Vasco

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?