Digipass Plug-In for SBR Administrator Reference - Vasco
Digipass Plug-In for SBR Administrator Reference - Set Up Active Directory Permissions
5.4 Multiple Domains
When using the SBR Plug-In with multiple domains, extra steps must be followed to ensure that both the SBR Plug-In and administrators have permissions sufficient to access required data. The main issues are:
The Digipass Configuration Container is only in one Domain. All SBR Plug-Ins need read access to this container, even when they are in a different Domain. Cross-Domain access for administrators, however, is a less likely requirement.
If an SBR Plug-In handles users and Digipass in more than one Domain, it needs to be granted the necessary permissions in all the necessary Domains.
In this manual, we will handle cross-Domain permissions using a combination of Domain Local and Domain Global groups. It is possible in a 'native' mode Domain to use Universal groups, but these are not recommended in Windows 2000 due to replication issues. The replication efficiency has been improved in Windows Server 2003; however, Universal groups are still not used as commonly as Domain Local/Global groups.
Three possible scenarios for multiple domain setup are outlined below:
5.4.1 Scenario 1 – Each SBR Plug-In Handles One Domain
Each SBR Plug-In handles only the domain in which it is a member.
Install the SBR Plug-In in each domain (the result will be at least as many SBR Plug-Ins as domains).
Give each SBR Plug-In access to the Digipass Configuration Domain:
Domain Global Group(s)
For each domain (apart from the Digipass Configuration Domain) -
1. Create a Domain Global group
2. Add the SBR Plug-In(s) to the Domain Global group (check which machines are in the 'RAS and IAS Servers' group to ensure the correct additions)
Domain Local group
In the Digipass Configuration Domain -
3. Create or use an existing Domain Local group.
4. Give the Domain Local group full read access to the Digipass Configuration Container.
5. Add the Domain Global Group from each other domain to the Domain Local group.
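Steps 1 to 5 above, scripted with the ActiveDirectory PowerShell module and dsacls as an added example that is not part of the Vasco manual. The domain names, group names, host names and the container DN are placeholders, and the domains are assumed to belong to one forest.

```powershell
# Added example. Every name, host and DN below is a placeholder (assumption).
Import-Module ActiveDirectory

$ConfigDomain = 'config.example.com'                      # Digipass Configuration Domain
$OtherDomains = 'sales.example.com', 'eng.example.com'    # every other domain
$ContainerDN  = '<DN of the Digipass Configuration Container>'   # not given on this page
$GlobalName   = 'Digipass SBR Plug-Ins'                   # hypothetical group name
$LocalName    = 'Digipass Config Readers'                 # hypothetical group name
$PluginHosts  = @{ 'sales.example.com' = 'SBR01'; 'eng.example.com' = 'SBR02' }

# Step 3: create the Domain Local group, or reuse it if it already exists.
$cfg   = Get-ADDomain -Server $ConfigDomain
$local = Get-ADGroup -Filter "Name -eq '$LocalName'" -Server $ConfigDomain
if (-not $local) {
    $local = New-ADGroup -Name $LocalName -GroupScope DomainLocal -GroupCategory Security `
                 -Path $cfg.UsersContainer -Server $ConfigDomain -PassThru
}

# Step 4: read-only ACE on the container. /I:T = this object and its children,
# GR = generic read; nothing here grants write access.
dsacls "\\$($cfg.PDCEmulator)\$ContainerDN" /I:T /G "$($cfg.NetBIOSName)\${LocalName}:GR"

foreach ($domain in $OtherDomains) {
    $d = Get-ADDomain -Server $domain
    # Step 1: one Domain Global group per domain.
    $global = New-ADGroup -Name $GlobalName -GroupScope Global -GroupCategory Security `
                  -Path $d.UsersContainer -Server $domain -PassThru

    # Step 2: list the machines in 'RAS and IAS Servers' for review, then add only
    # the hosts named in $PluginHosts, not the whole group.
    $ras = Get-ADGroupMember -Identity 'RAS and IAS Servers' -Server $domain |
               Where-Object { $_.objectClass -eq 'computer' }
    $ras | Select-Object name, distinguishedName | Out-Host
    $plugins = @($ras | Where-Object { $PluginHosts[$domain] -contains $_.name })
    if ($plugins.Count -gt 0) {
        Add-ADGroupMember -Identity $global -Members $plugins -Server $domain
    } else {
        Write-Warning "No SBR Plug-In host found in 'RAS and IAS Servers' in $domain"
    }

    # Step 5: nest the Global group in the Domain Local group. The group object is
    # passed rather than a name, since a name would be looked up in $ConfigDomain.
    Add-ADGroupMember -Identity $local -Members $global -Server $ConfigDomain
}

# Check the result: the Domain Local group should contain only the Global groups.
Get-ADGroupMember -Identity $local -Server $ConfigDomain |
    Select-Object objectClass, distinguishedName
```

Keeping machine accounts out of the Domain Local group and granting it only generic read means each Plug-In's access to the container can be withdrawn by removing it from its own domain's Global group.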
© 2006 VASCO Data Security Inc. 66