Digipass Plug-In for IAS

Administrator Reference

Terms used in this guide:

IAS Plug-In: Digipass Plug-In for IAS
Administration MMC Interface: Digipass Extension for Active Directory Users and Computers
IAS: Microsoft's Internet Authentication Service
SBR, Steel-Belted RADIUS: Funk Steel-Belted RADIUS
Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

Copyright

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective holders.
Table of Contents

1 Introduction
  1.1 Available Reference Guides
2 Active Directory Schema
  2.1 Schema Extensions
      Added Object Classes
      Added Attributes
      Added Permission Property Sets
  2.2 Active Directory Auditing
  2.3 Custom Search Options
      Using the Custom Search
  2.4 Sensitive Data Encryption
      Encrypted Data
      Which Encryption Algorithms can be used?
      Exporting Encryption Settings
  2.5 Active Directory Replication Issues
      Old Data Used After Attribute Modified
        Single Plug-In using more than one Domain Controller
        Administrator and Plug-In using different Domain Controllers
        Multiple Plug-Ins Using Different Domain Controllers
        Two Administrators Modifying the Same Attribute
      Old Data Used Overwrites New Data
      Factors Affecting Replication Issues
      Solutions and Mitigations
        Digipass Cache
        Identification Threshold Setting
        Administrator Connection Strategy
        Set a Preferred Server
        Use Preferred Server Only Option
3 Set Up Active Directory Permissions
  3.1 Permissions Needed by the IAS Plug-In
      Giving Permissions to the IAS Plug-In
  3.2 Permissions Needed by Administrators
      Domain Administrators
      Delegated Administrators
      Reduced-Rights Administrators
      System Administrators
      Assign Administration Permissions to a User
  Multiple Domains
      Scenario 1 - Each IAS Server Handles One Domain
      Scenario 2 - One IAS Server Handles All Domains
      Scenario 3 - Combination
4 Backup and Recovery
  4.1 What Must be Backed Up
      Configuration files
      Web Sites
      4.1.3 Audit Log Data
        Write to File
        Write to Windows Event Log
      Active Directory
  Cold Backup
  DPX files
  Recovery
Field Listings
  User Property Sheet
  Digipass Property Sheet
  Digipass Application Tab
  Policy Property Sheet
  Component Property Sheet
Licensing
  How is Licensing Handled?
  Licensing Parameters
  Sample License File
  View License Information
  Obtain a License Key for a Component
  Change IP Address
Web Sites
  Customizing the Web Sites
      CGI Program Configuration Settings
      Form Fields
  User Self Management Web Site
      Registration Main Pages
      Registration Challenge Page
      Server PIN Change
      Login Test Main Page
      Login Test Challenge Page
  OTP Request Site
      Request Page
  Query String Variables
      Failure/Error Handling
      Query String Variable List
  Return Code Listing
      API Return Codes
      CGI Errors
      Internal Errors
Command line utilities
  8.1 DPADadmin Utility
      Extend Active Directory Schema
        Prerequisite Information
        Extend the Schema on the Schema Master
        Extend the Schema on the IAS Server
        Command Line Syntax
      Check Schema Extensions
        Prerequisite Information
        Check the Schema on the IAS Server
        Check the Schema on a Machine in the Domain to Check
        Command Line Syntax
      Set Up Digipass Configuration Container in Domain
        Pre-requisites
        Command Syntax
      Assign Digipass Permissions to a Group
        Prerequisite Information
        Command Syntax
Login Options
  Login Permutations
      Response Only - PAP
      Response Only - CHAP/MS-CHAP
      Challenge/Response
      Virtual Digipass
Configuration Settings
  IAS Plug-In Configuration GUI
      Enable IAS Plug-In
      Allow Passthrough
      Set Component Location
      Library Path
      Turn Tracing On or Off
      Active Directory Settings
      Data Encryption
  Configuration File
  MDC
      Required Information
      MDC Configuration GUI
        Set IAS Server Connection Details
        Modify Gateway Account Login Details
        Configure Internet Connection Details
        Configure Tracing
        Import HTTP Gateway settings
        Edit Advanced Settings
        Export HTTP Gateway settings
        Gateway Result Pages
      MDC Configuration File
      Configuration Settings
  CGI
How to troubleshoot
  Enable Tracing
  Installation
      Check Installation Log File
      Check file placement
      Registry Entries
      DLLs to be Registered
      Check Permissions
      IAS Server Registered in Active Directory Domain
      Default Policy and Component Created
      Fix Installation Errors
      Register IAS Plug-In
  View Audit Information
      Windows Event Log
      Audit log text file
  Delete all Digipass Data from Active Directory
      Run Delete Script on a Domain
Audit Messages
  Audit Message Listing
  Audit Message Fields
Error and Status Codes
  Error Code Listing
  Status Code Listing
Technical Support
  Support Contact Information
Index of Tables

Table 1: Custom Object Classes
Table 2: Custom Object Attributes
Table 3: Custom Permission Property Sets
Table 4: Custom Search options
Table 5: Encrypted Data Attributes
Table 6: User Fields
Table 7: Digipass Fields
Table 8: Digipass Application Fields
Table 9: Policy Fields
Table 10: Component Fields
Table 11: License Parameters for Digipass Plug-In for IAS
Table 12: Configuration Settings for CGI Program
Table 13: Form Fields for Main Registration Page
Table 14: Form Fields for Registration Challenge Page
Table 15: Form Fields for Server PIN Change Page
Table 16: Form Fields for Main Login Test Page
Table 17: Form Fields for Login Test Challenge Page
Table 18: Form Fields for OTP Request Page
Table 19: Query String Variable List
Table 20: API Return Codes
Table 21: CGI Error Return Codes
Table 22: Internal Error Codes
Table 23: DPADadmin addschema Command Line Options
Table 24: DPADadmin checkschema Command Line Options
Table 25: DPADadmin setupdomain Command Line Options
Table 26: DPADadmin setupaccess Command Line Options
Table 27: Login Permutations - Response Only PAP
Table 28: Login Permutations - Response Only CHAP
Table 29: Login Permutations - Challenge/Response
Table 30: Login Permutations - Virtual Digipass
Table 31: MDC Audit Message Variables
Table 32: Message Delivery Component Configuration Settings
Table 33: Required Files
Table 34: Registry Entries
Table 35: DLLs to be Registered
Table 36: Permissions Required
Table 37: IAS Plug-In Registry Entries
Table 38: Audit Messages List
Table 39: Audit Message Fields
Table 40: Error Code List
Table 41: Status Code List
1 Introduction

1.1 Available Reference Guides

These Reference Guides are included with every VASCO product:

Product Guide: introduces you to the features of this product and the various options you have for using it.
Installation Guide: use this guide when planning and working through an installation of the product.
Getting Started: gets you up and running quickly with a simple installation and setup of the product.
Administrator Reference: in-depth information required for administration of the product.
Data Migration Tool Guide: takes you through a data migration from one VASCO product to another, using the VASCO Data Migration Tool.
Help Files: these accompany the various utilities and the administration interfaces.
2 Active Directory Schema

2.1 Schema Extensions

The following tables document the changes made by the Digipass Plug-In for IAS to the Active Directory schema.

Added Object Classes

Class               | Type       | Location                                             | Explanation
vasco-userext       | Aux. Class | User record                                          | Extra VASCO attributes are added to an Active Directory User record via the auxiliary class vasco-userext on the User class.
vasco-dptoken       | Class      | Unassigned: optional. Assigned: with the User record | Stores Digipass attributes. It is also a container, in which the vasco-dpapplication records for that Digipass are stored. Upon assignment to a User, the Digipass record is stored in the same location as the User.
vasco-dpapplication | Class      | Within the Digipass record                           | Stores Digipass Application attributes, such as Server PIN and expected OTP length.
vasco-policy        | Class      | Digipass Configuration Container                     | Policy attributes. Attributes will commonly be shared via inheritance.
vasco-component     | Class      | Digipass Configuration Container                     | Component attributes, including the License Key for IAS Plug-In Components.
vasco-backendserver | Class      | Digipass Configuration Container                     | Information required for connection to back-end servers. This class is not used by the Digipass Plug-In for IAS, but is included for compatibility with other VASCO products.

Table 1: Custom Object Classes

Added Attributes

Attributes are listed by the class they belong to.

vasco-dptoken:
  vasco-serialnumber, vasco-tokentype, vasco-applicationnames, vasco-applicationtypes, vasco-linkvascodigipasstouserext, vasco-tokenassigneddate, vasco-graceperiod, vasco-enablebvdp, vasco-bvdpexpirydate, vasco-bvdpusesleft, vasco-directassignonly, vasco-additionalattribute

vasco-dpapplication:
  vasco-serialnumber, vasco-applicationname, vasco-applicationnumber, vasco-applicationtype, vasco-dpblob, vasco-active

vasco-userext:
  vasco-linkuserexttovascodigipass, vasco-linkuserexttouser, vasco-staticpassword, vasco-localauth, vasco-backendserverauth, vasco-disable, vasco-profile, vasco-createtime, vasco-modifytime

vasco-backendserver:
  vasco-id, vasco-protocol, vasco-domain, vasco-priority, vasco-configurationvalue

vasco-component:
  vasco-id, vasco-location, vasco-linkvascopolicytovascopolicy, vasco-protocol, vasco-configurationvalue, vasco-publickey

vasco-policy:
  vasco-additionalattribute, vasco-enablebvdp, vasco-localauth, vasco-backendauth, vasco-applicationnames, vasco-id, vasco-description, vasco-dur, vasco-autolearn, vasco-storedpasswordproxy, vasco-assignmentmode, vasco-assignsearchupoupath, vasco-graceperiod, vasco-allowedappltype, vasco-alloweddptypes, vasco-protocol, vasco-domain, vasco-grouplist, vasco-groupcheckmode, vasco-onestepchalresp, vasco-onestepchallength, vasco-onestepchalcheckdigit, vasco-bvdpmaximumdays, vasco-bvdpmaximumuses, vasco-pinchangeallowed, vasco-selfassignseparator, vasco-challengerequestmethod, vasco-challengerequestkeyword, vasco-primaryvdprequestmethod, vasco-primaryvdprequestkeyword, vasco-backupvdprequestmethod, vasco-backupvdprequestkeyword, vasco-itimewindow, vasco-stimewindow, vasco-eventwindow, vasco-syncwindow, vasco-ithreshold, vasco-sthreshold, vasco-checkchallenge, vasco-onlinesg, vasco-chkinactdays, vasco-linkpolicytoparentpolicy, vasco-linkpolicytochildpolicy, vasco-linkpolicytocomponent, Version-Number

Table 2: Custom Object Attributes

Added Permission Property Sets

Property sets have been created for the typical groups of permissions required for administration tasks.

Property Set                          | Applicable Object    | Actions Allowed
Digipass Assignment Link              | Digipass             | Assign and unassign Digipass for Digipass User accounts.
Digipass Application Data             | Digipass Application | Digipass record functions.
Digipass User Account Information     | User                 | Modify Digipass User information.
Digipass User Account to User Link    | User                 | Link and unlink Digipass Users. This is also required when assigning Digipass to linked Digipass User records.
Digipass User Account Stored Password | User                 | Read and modify the stored password for a Digipass User.

Table 3: Custom Permission Property Sets
2.2 Active Directory Auditing

Active Directory auditing may be configured to record access to, and modification of, the custom objects used by the Digipass Plug-In for IAS. If default auditing is already enabled, it may already cover actions on the custom objects. See the Microsoft documentation on configuring Active Directory auditing for your version of Windows. Note that a SACL on directory objects only produces events once the Domain Controllers' audit policy has 'Audit directory service access' enabled; without that policy, nothing is logged.

The basic process is:

1. Select a scope for the auditing (eg. Domain Root).
2. Select a Windows User or Windows Group (eg. Everyone or Domain Administrators).
3. Select the object classes to audit (eg. Digipass objects), if required.
4. Select the permissions which should be audited (eg. Read, Write, Delete, Create).

What Should I Audit?

This depends on what you need to record. For example, to record all Digipass assignments in the domain, you might set up auditing at the Domain Root for Everyone, with the Digipass Assignment Link property set. See 2.1 Schema Extensions for more information on the custom objects and permission property sets created for the Digipass Plug-In for IAS.
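The following PowerShell applies the example audit just described (Domain Root, Everyone, writes to the Digipass Assignment Link property set). It is an added example, not part of the VASCO documentation or its tooling. It assumes the ActiveDirectory module (which provides the AD: drive) is installed, and that the property set is registered in CN=Extended-Rights under the displayName 'Digipass Assignment Link' as Table 3 names it; if the lookup fails, list the controlAccessRight objects in that container to find the actual name. Because Table 3 gives Digipass as the applicable object, the rule is scoped to vasco-dptoken objects.

```powershell
# Added example, not part of the VASCO documentation. Run as a Domain Administrator.
# Audits successful and failed writes to the 'Digipass Assignment Link' property set
# on every vasco-dptoken object below the chosen scope (domain root by default).
# Assumptions: ActiveDirectory module present; property set displayName as in Table 3.
Import-Module ActiveDirectory

function Add-DigipassAssignmentAudit {
    param(
        [string]$ScopeDn   = (Get-ADRootDSE).defaultNamingContext,  # domain root
        [string]$Principal = 'S-1-1-0'                               # Everyone
    )
    $rootDse = Get-ADRootDSE

    # 1. Resolve the property set's rightsGuid from the Extended-Rights container.
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Digipass Assignment Link))' `
        -Properties rightsGuid
    if (-not $right) { throw "Property set 'Digipass Assignment Link' not found; is the schema extended?" }
    $propertySetGuid = [guid]$right.rightsGuid

    # 2. Resolve the schemaIDGUID of the Digipass class so the rule only fires on those objects.
    $class = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=vasco-dptoken)' -Properties schemaIDGUID
    if (-not $class) { throw "Schema class vasco-dptoken not found" }
    $dptokenGuid = [guid]$class.schemaIDGUID      # stored as 16 raw bytes

    # 3. Build the SACL entry: inherit-only, onto descendant vasco-dptoken objects.
    $identity = New-Object System.Security.Principal.SecurityIdentifier $Principal
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AuditFlags]'Success, Failure',
        $propertySetGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $dptokenGuid)

    # 4. Read the existing SACL, add the rule, write it back.
    $acl = Get-Acl -Path "AD:\$ScopeDn" -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path "AD:\$ScopeDn" -AclObject $acl

    # Return the GUID: Directory Service Access events record it, not the property set name.
    $propertySetGuid
}

# Usage:
#   Add-DigipassAssignmentAudit                                      # whole domain
#   Add-DigipassAssignmentAudit -ScopeDn 'OU=Sales,DC=example,DC=com' # one OU only
```

The resulting events are Directory Service Access events (ID 4662 on Windows Server 2008 and later, 566 on Windows Server 2003) and identify the property set by the GUID the function returns rather than by name, so keep that GUID for any event-log filter or detection rule you build on it.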
2.3 Custom Search Options

The Digipass Extension adds functionality to the Active Directory Users and Computers snap-in which allows searching for specific Digipass and Digipass User records throughout a domain, or within the limits of a delegated administrator's permissions. This functionality is especially useful where unassigned Digipass have been allocated to various Organizational Units. The table below shows the custom search attributes available for Digipass User accounts and Digipass records.

Object Type                | Available Search attributes        | Location (tab)
Users, Contacts and Groups | Digipass Assignment Link           | Advanced
                           | Digipass Back-End Authentication   | Advanced
                           | Digipass Local Authentication      | Advanced
                           | Digipass RADIUS Profile            | Advanced
                           | Digipass User Account Disabled     | Advanced
                           | Digipass User Account Locked       | Advanced
                           | Digipass User to User Link         | Advanced
Digipass                   | Serial Number From                 | Digipass
                           | Serial Number To                   | Digipass
                           | Digipass Type                      | Digipass
                           | Application Name                   | Digipass
                           | Application Type                   | Digipass
                           | Digipass Assignment                | Digipass
                           | Reserved                           | Digipass
                           | Backup Virtual Digipass Enabled    | Advanced

Table 4: Custom Search options

Using the Custom Search

This set of instructions shows the sort of use to which the Digipass custom search options can be put, and the basic steps required for a search.

1. Right-click on the Organizational Unit to search in.
2. Click on Find...
3. Select the object type from the Find drop-down list.
4. If you are searching on advanced attributes (see table above):
   a. Click on the Advanced tab.
   b. Click on Field and select the attribute from the list (for User attributes, click on Field -> User -> attribute).
5. Enter the search criteria.

Note: When a search is run with a Digipass Application criterion set, only Digipass records with that Application set to Active will be returned.
Either exact text or wildcards should be used: the search is performed on whole words only, not partial words.

Example

A search for Digipass records with only the following text entered into the Serial Number field would return these results:

Text entered                              | Result
a partial serial number without wildcard  | No records returned
0097*                                     | All Digipass with serial number starting with 0097
a full serial number                      | That Digipass only
*76                                       | All Digipass with serial number ending in 76

2.4 Sensitive Data Encryption

Sensitive data is encrypted by the IAS Plug-In using an embedded key. If needed, this encryption may be strengthened by adding a custom key in the Configuration GUI. The embedded and custom keys are combined by a logical XOR to produce a new key derived from both. Because the embedded key is shared by every installation of the product, the confidentiality of the encrypted attributes against anyone who can obtain the Plug-In binaries rests on the custom key; set one if that matters for your deployment, and protect the exported encryption settings file (see below) like any other key material.

Note: Encryption settings must be set before importing Digipass.

Encrypted Data

Attribute            | Class
vasco-dpblob         | vasco-dpapplication
vasco-staticpassword | vasco-userext
vasco-sharedsecret   | vasco-component

Table 5: Encrypted Data Attributes

Which Encryption Algorithms can be used?

AES
Blowfish
CAST5
3DES
3DES with 3 keys

Exporting Encryption Settings

Encryption settings may be exported to a password-protected text file from the IAS Plug-In Configuration GUI. This file may then be loaded into other IAS Plug-In modules.
2.5 Active Directory Replication Issues

Active Directory replication is not instantaneous. Intra-site replication is usually quite fast, especially under Windows Server 2003, but changes on one Domain Controller may still take several minutes to be replicated to other Domain Controllers. Inter-site replication may be quite slow; an hour or more between replications is common. Replication only occurs where more than one Domain Controller exists in a domain.

Old Data Used After Attribute Modified

The time period between replications becomes a problem where information is changed on one Domain Controller (for example, a Digipass User's Server PIN is reset), but old information is used on another Domain Controller before the change has been replicated to it. The scenarios where this may occur are listed below.

Single Plug-In using more than one Domain Controller

A single Plug-In may make a change to a record, have to switch to another Domain Controller, and read the same record there before the change has arrived.

Example

A User logs in with an OTP, and the Plug-In connects to DC-01 to retrieve and update the Digipass data. The connection to DC-01 fails soon after login, before replication has occurred. The User needs to log in again, and this time the Plug-In connects to DC-02. The User can log in using the same OTP as the last login: the login should fail (OTP replay) but instead succeeds, because DC-02 does not yet know that the OTP has been used.

Time | DC-01                                                                                   | DC-02
8:32 | Replication occurs.                                                                     |
8:34 | User logs in with OTP. The Plug-In records the use of the OTP in the Digipass record.   |
8:35 | Connection to DC-01 is broken, and the Plug-In switches to DC-02.                       |
8:35 |                                                                                         | User retries login using the same OTP. The login succeeds where it should have failed (OTP replay). The Plug-In records the use of the OTP in the Digipass record.
8:37 | Replication occurs: Digipass record changes are replicated between DC-01 and DC-02.     |

The example timeline above shows the sequence of events.
Administrator and Plug-In using different Domain Controllers

The administrator (via the Administration Interfaces) may not be connected to the same Domain Controller as the Plug-In.

Example

An administrator changes a User's Server PIN through the Active Directory Users and Computers extension, which is connected to DC-01. The Plug-In connects to DC-03. The User attempts a login using the new PIN, which fails because DC-03 is not yet aware of the change of Server PIN.

Time | DC-01                                                                               | DC-03
9:02 | Replication occurs.                                                                 |
9:03 | Administrator changes a User's Server PIN from 1234 to 9876.                        |
9:04 |                                                                                     | User attempts to log in using the new PIN (9876) and the login fails.
9:05 | Replication occurs: Digipass record changes are replicated between DC-01 and DC-03. |

The example timeline above shows the sequence of events.

Multiple Plug-Ins Using Different Domain Controllers

Multiple Plug-Ins may connect to different Domain Controllers in a domain or site.

Example

A User changes their own PIN during a login through a Plug-In which connects to DC-01. The server on which that Plug-In is installed becomes unavailable, and the User attempts another login via the Plug-In on a backup server, which connects to DC-02. The login fails because DC-02 is not yet aware of the change of Server PIN.

Time  | DC-01                                                                                                               | DC-02
11:54 | Replication occurs.                                                                                                 |
11:55 | User changes their Server PIN from 1234 to 9876 during login. The Plug-In records the PIN change in the Digipass record. |
11:57 |                                                                                                                     | User attempts to log in using the new PIN (9876) and the login fails.
11:59 | Replication occurs: Digipass record changes are replicated between DC-01 and DC-02.                                 |

The example timeline above shows the sequence of events.

Two Administrators Modifying the Same Attribute

Two administrators attempt to modify the same attribute on a single User account or Digipass record within the same replication interval. The later modification overwrites the earlier when replication occurs.
Old Data Used Overwrites New Data

The problems above are made worse when the second Domain Controller not only serves the old information but also writes an update based on it. The updated record on the second Domain Controller now carries the later modification time, so when replication occurs it wins the conflict, and the change made on the first Domain Controller is overwritten.

Example

An administrator connects to DC-01 and changes a User's Server PIN from '1234' to '9876'. The User logs in through the Plug-In, which connects to DC-02, entering the new Server PIN and his One Time Password. The PIN set on DC-01 has not yet been replicated to DC-02, so the PIN entered does not match the old PIN still recorded in the Digipass record on DC-02, and the login fails. Because the Policy setting Identification Threshold is in use, the login failure is written back to the Digipass record. When replication occurs, the Digipass record on DC-02 has the latest modification date and is copied to DC-01, wiping out the PIN change made by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server PIN for the Digipass.

Time  | DC-01                                                                                                                                | DC-02
10:45 | Replication occurs.                                                                                                                  |
10:46 | Administrator changes the User's Server PIN from 1234 to 9876.                                                                        |
10:48 |                                                                                                                                      | User login (with the new PIN, 9876) fails. The Digipass Plug-In writes failure information to the Digipass record.
10:50 | Replication occurs: Active Directory finds the DC-02 copy of the Digipass blob was modified last and overwrites the DC-01 Digipass record with it. |

The example timeline above shows how the problem can occur.
The problem shown in the example above may also occur with a Force PIN Change set by an administrator.

Factors Affecting Replication Issues

A number of factors determine the likelihood and severity of the Active Directory issues described:

Redundancy and load-balancing settings for the Plug-In
There are a number of Plug-In configuration settings which affect replication issues:
  Preferred Server: the Plug-In will attempt to connect to the named Domain Controller, rather than simply polling the domain for an available Domain Controller.
  Preferred Server Only: the Plug-In may be restricted to connecting only to the Domain Controller named in the above setting. If this is enabled, the Plug-In will not switch to any other Domain Controller, so it will never read back data older than its own last write.
  Max. Bind Lifetime: controls how long the Plug-In stays connected to a Domain Controller before polling the domain again for a Domain Controller connection.

Replication Interval
In Windows 2000 the intra-site replication interval is configurable; the default is 5 minutes. On Windows Server 2003 the intra-site replication interval is not configurable, but is set to approximately 15 seconds, as replication is much more efficient. Inter-site replication is fully configurable on both Windows 2000 and Windows Server 2003. The longer the replication interval, the more likely these problems are to occur.

Number of Domain Controllers in the Site
Each Domain Controller regularly requires replication with all other local Domain Controllers. As this is done sequentially, it affects the amount of time between replications.

Solutions and Mitigations

Digipass Cache

The Digipass cache collects Digipass records as they are modified and keeps them in memory for a certain length of time. A newer entry from the cache is always used in preference to an older record from Active Directory. The cache age should be a little longer than the typical replication interval; the default is 10 minutes (600 seconds). This option helps with problems caused by a single Plug-In accessing more than one Domain Controller in a domain (see Single Plug-In using more than one Domain Controller). It does not help where multiple Plug-Ins, or an Administration Interface and the Plug-In, are connected to different Domain Controllers.
If you calculate that your typical replication interval will be more than ten minutes, the cache age may be increased by modifying the Blob-Cache Max-Age setting in the configuration file (<install dir>\bin\dpiasext.xml):

  <Blob-Cache>
    <Max-Age type="unsigned" data="600"/>
    <Max-Size type="unsigned" data="0"/>
    <Clean-Threshold type="unsigned" data="10"/>
    <Min-Clean-Interval type="unsigned" data="60"/>
  </Blob-Cache>

A large cache may slow down processing slightly for the Plug-In, so monitor performance to check the impact after modifying the cache age.

Warning

If the Plug-In is installed on a member server, this server must be closely time-synchronised with the Domain Controller(s). If the server is not time-synchronised, the Plug-In may select an older record when comparing records in the Digipass cache with those on the Domain Controller. If the Plug-In is installed on a Domain Controller, time-synchronisation is assumed.
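As an added example (not the product's own tooling), the following PowerShell function makes that Max-Age change in place. The file path is a mandatory parameter because the document gives the location only as <install dir>\bin\dpiasext.xml; the function sets Max-Age to the replication interval plus a margin, refuses to lower the existing value, backs up the file first, and leaves the other Blob-Cache settings untouched.

```powershell
# Added example, not part of the VASCO documentation.
# Raises Blob-Cache/Max-Age in dpiasext.xml to (replication interval + margin) seconds,
# as the text above recommends. $ConfigPath is the file the document calls
# <install dir>\bin\dpiasext.xml; the element names are those shown in the document.
function Set-BlobCacheMaxAge {
    param(
        [Parameter(Mandatory)][string]$ConfigPath,
        [Parameter(Mandatory)][int]$ReplicationIntervalSeconds,
        [int]$MarginSeconds = 120
    )
    $newAge = $ReplicationIntervalSeconds + $MarginSeconds

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true        # keep the file's layout for later hand edits
    $xml.Load($ConfigPath)

    # Locate the element wherever it sits; the document root name is not needed.
    $node = $xml.SelectSingleNode('//Blob-Cache/Max-Age')
    if (-not $node) { throw "No Blob-Cache/Max-Age element found in $ConfigPath" }

    $oldAge = [int]$node.GetAttribute('data')
    if ($newAge -le $oldAge) {
        Write-Warning "Max-Age is already $oldAge s, which covers a $ReplicationIntervalSeconds s interval; nothing changed."
        return $oldAge
    }

    # Timestamped copy of the live configuration before it is touched.
    $backup = "$ConfigPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -Path $ConfigPath -Destination $backup

    $node.SetAttribute('data', [string]$newAge)
    $xml.Save($ConfigPath)
    return $newAge
}

# Usage, for a site where replication is observed to run roughly every 15 minutes:
#   Set-BlobCacheMaxAge -ConfigPath '<install dir>\bin\dpiasext.xml' -ReplicationIntervalSeconds 900
#   -> Max-Age becomes 1020 (900 + the default 120 s margin)
```

Because the cache is compared against Active Directory by modification time, check the member server's clock offset against the Domain Controller (for example with w32tm /stripchart /computer:<dc> /samples:3 /dataonly) before relying on a longer cache age; a skewed clock defeats the comparison the warning above describes.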
Identification Threshold Setting

Reconsider use of the Identification Threshold setting in the relevant Policy(s). The User Lock setting may be used instead in most cases (see the Policy Property Sheet field listing for more information on these two settings). Discontinuing use of the Identification Threshold setting avoids the scenario shown in Old Data Used Overwrites New Data, where a failed login overwrites an administrator's modification.

Administrator Connection Strategy

The Active Directory Users and Computers extension allows connecting to a specific Domain Controller in a domain. For urgent administration tasks likely to be affected by this issue (for example, resetting a User's Server PIN so they can log in while on the phone to the administrator), the administrator should select the same Domain Controller as the Plug-In uses. To connect to a specific Domain Controller, right-click on the domain and select Connect to Domain Controller...
Set a Preferred Server

This option reduces some replication problems, as the Plug-In will be connected primarily to the Domain Controller named as its Preferred Server. It gives less opportunity for load-balancing, however. If the Plug-In is installed on a Domain Controller, the Preferred Server does not need to be set for that domain, as the Plug-In will normally select that Domain Controller for connections.

To set a Preferred Server for a domain:

1. Open the IAS Plug-In Configuration GUI (Start -> Programs -> VASCO -> Digipass Plug-In for IAS -> Configuration GUI).
2. Click on the Active Directory Connections tab.
3. If the domain is the Configuration Domain, click on Edit... If the domain is in the Domains list, select the domain name and click on Edit... If the domain is not in the Domains list, click on Add...
4. Enter the Fully Qualified Domain Name for the domain in the FQDN field.
5. Enter the name of the Domain Controller in the Preferred Server field. This name should be the first part of the FQDN for the Domain Controller, eg. dc01 from dc01.support.vasco.com.
6. Enter any other information required.
7. Click on OK.

The IAS Plug-In will now always connect to the Preferred Server when it is available.
Use Preferred Server Only Option

In some cases this setting may be enabled, as it forces the Plug-In to use the same Domain Controller at all times. It eliminates load-balancing and any fail-over for the Plug-In, though, so it is not normally recommended.
23 Set Up Active Directory Permissions 3 Set Up Active Directory Permissions 3.1 Permissions Needed by the IAS Plug-In The IAS Plug-In runs inside Microsoft's Internet Authentication Service, which runs as a Service. The Service runs as the 'Local System' account rather than as a named user account. Therefore, when connecting to Active Directory, the IAS Plug-In connects as the computer account, not a user account. The permissions that it has within Active Directory are the permissions of the computer account. An important exception to this occurs if you install IAS and the IAS Plug-In onto a Domain Controller. Any Service running as 'Local System' on a Domain Controller has all possible permissions to that Domain. In this case, no additional setup of permissions is required. Therefore, the rest of this section applies to the case where IAS is not on the Domain Controller. When you register IAS in Active Directory, this adds the computer account to the built-in 'RAS and IAS Servers' group in the Domain. This built-in group has the permissions required by IAS itself within Active Directory, but it does not have the extra permissions required by the IAS Plug-In. 
In order to function correctly, the IAS Plug-In requires the following permissions in Active Directory, which are not granted to 'RAS and IAS Servers' by default:

- Read access to the Digipass Configuration Container
- Read access to all User accounts (or at least all who might need to be authenticated by the IAS Plug-In)
- Write access to the new attributes added to the User class for the Digipass Plug-In for IAS (these are in the auxiliary class vasco-userext)
- Full control over all Digipass (vasco-dptoken) and Digipass Application (vasco-dpapplication) objects
- Create and delete permission for Digipass (vasco-dptoken) objects in Organizational Units and containers (specifically the Digipass-Pool and Users containers)

Giving Permissions to the IAS Plug-In

During installation, these additional permissions are granted to the 'RAS and IAS Servers' group automatically. They can also be granted manually by running the setupaccess command at the command prompt (the group name contains spaces, so quote it):

  dpadadmin.exe setupaccess -group "RAS and IAS Servers"

See 8.1 DPADadmin Utility for more information on the setupaccess command. As mentioned above, this is not necessary if IAS is installed on a Domain Controller.
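To confirm that a member-server IAS actually ended up with what the installer or setupaccess should have produced, the following PowerShell checks the two points the text above depends on: the computer account (the identity a Local System service uses in the directory) is in 'RAS and IAS Servers', and that group holds create/delete rights on the Digipass-Pool container. This is an added example, not part of the VASCO documentation; it assumes the ActiveDirectory module is installed and that the pool sits at CN=Digipass-Pool directly under the domain root, so pass -PoolDn if it was created elsewhere.

```powershell
# Added example, not part of the VASCO documentation.
# Verifies the permission prerequisites for the IAS Plug-In on a member server.
# Assumptions: ActiveDirectory module present; Digipass-Pool at CN=Digipass-Pool,<domain DN>.
Import-Module ActiveDirectory

function Test-IasPluginAccess {
    param(
        [Parameter(Mandatory)][string]$IasComputerName,
        [string]$PoolDn = ('CN=Digipass-Pool,' + (Get-ADRootDSE).defaultNamingContext)
    )
    $group    = Get-ADGroup 'RAS and IAS Servers'
    $computer = Get-ADComputer $IasComputerName

    # 1. Registering IAS in Active Directory adds the computer account to this group.
    #    The plug-in runs as Local System, so this is the identity it connects with.
    $memberDns = Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty DistinguishedName
    $inGroup = $memberDns -contains $computer.DistinguishedName

    # 2. setupaccess (or the installer) should have granted the group rights on the pool.
    #    Collect every Allow ACE for the group and OR their rights together, so that
    #    CreateChild and DeleteChild granted in separate ACEs (or via GenericAll) both count.
    $groupAces = (Get-Acl -Path "AD:\$PoolDn").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like '*\RAS and IAS Servers'
    }
    $combined = 0
    foreach ($ace in $groupAces) { $combined = $combined -bor [int]$ace.ActiveDirectoryRights }
    $createDelete = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'
    $hasCreateDelete = (($combined -band $createDelete) -eq $createDelete)

    [pscustomobject]@{
        Computer                 = $computer.Name
        InRasAndIasServers       = $inGroup
        PoolAllowAcesForGroup    = @($groupAces).Count
        PoolCreateDeleteGranted  = $hasCreateDelete
    }
}

# Usage: Test-IasPluginAccess -IasComputerName IAS01
# $false in InRasAndIasServers means IAS has not been registered in the domain;
# $false in PoolCreateDeleteGranted means Digipass writes will fail, so re-run
# dpadadmin.exe setupaccess -group "RAS and IAS Servers" (see 8.1 DPADadmin Utility).
```

The check reads only the Digipass-Pool ACL; the Users container and any Organizational Units that hold assigned Digipass need the same create/delete rights, so repeat the ACL part of the check with their distinguished names if the plug-in fails to write there.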
3.2 Permissions Needed by Administrators

Domain Administrators

Domain Administrators already have all required permissions within their Domain.

Delegated Administrators

The term 'Delegated Administrators' is used here to refer to administrators who have been delegated control over an Organizational Unit. Generally speaking, they have administrative control over the user and computer accounts within their Organizational Unit. See the Digipass Records topic in the Product Guide for more information on possible approaches to delegating Digipass administration.

By default, these administrators will be able to view the Digipass User Account data for their users and the Digipass that are located within their Organizational Unit. However, they will not be able to modify any of that data or assign Digipass.

If you wish to delegate responsibility for all Digipass-related administration within an Organizational Unit, the following additional permissions are required by the Delegated Administrator:

- Within the scope of the Organizational Unit, write permission to the new attributes that are added to the User class for the Digipass Plug-In for IAS (these are in the auxiliary class vasco-userext). You can add write permissions for each individual Property Set or, if appropriate, grant 'Write All Properties' permission.
- Within the scope of the Organizational Unit, full control over all Digipass (vasco-dptoken) and Digipass Application (vasco-dpapplication) objects
- Create and delete permission for Digipass (vasco-dptoken) objects within the Organizational Unit

If the Delegated Administrator should be allowed to assign Digipass from the Digipass Pool to their users, they need:

- the Delete Digipass objects permission in the Digipass-Pool container
- Write All Properties permission on Digipass objects in the Digipass-Pool container

If the Delegated Administrator should be allowed to move unassigned Digipass back to the Digipass-Pool, they need the Create Digipass objects permission in the Digipass-Pool container.

Reduced-Rights Administrators

The term 'Reduced-Rights Administrator' is used here to refer to administrators who are granted permissions to perform only selected Digipass-related administration tasks. They may be granted these permissions within the scope of the whole Domain, or only within an Organizational Unit. An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but not to assign/unassign Digipass to/from users.
By default, all users have read access to everything in the Active Directory. The modification permissions that can be granted to this kind of administrator are:

- Write permission for any of three Property Sets on the Digipass User Account fields:
  - Digipass User Account Information: all attributes except those covered by the other two Property Sets
  - Digipass User Account Link: the link attribute used to share a Digipass between two user accounts
  - Digipass User Account Stored Password: the Stored Password attribute
- Write permission for any individual properties on Digipass objects, except for one Property Set that is defined to control the Digipass assignment link
- Write permission for any individual properties on Digipass Application objects, except for one Property Set that is defined to include the Digipass 'blob' that is required for any administrative operation such as Reset PIN, Test, Set Event Counter, etc.
- Create and delete permission on Digipass and Digipass Application objects

If the administrator should be allowed to move Digipass, they need:

- the Delete Digipass objects and Create Digipass objects permissions in the relevant Domain and/or Organizational Unit
- Write All Properties permission on Digipass objects

Note that this can be necessary for assigning Digipass to users, because a move from one location to another is controlled by permissions to delete from the source and create in the destination.

System Administrators

The term 'System Administrator' is used here to refer to an administrator who will be responsible for management of the Component and Policy records, rather than Digipass User Accounts and Digipass. They need permissions within the Digipass Configuration Container to create, modify and delete Policy (vasco-policy) and Component (vasco-component) objects. In practice, System Administrators can typically be given full control over the Digipass Configuration Container. If you wish to grant more limited permissions, this can be handled with the standard Active Directory permissions on these objects within the scope of the container.

3.3 Assign Administration Permissions to a User

Note: This example assumes that the administrator's User account has read permissions for all User records already.

To grant permissions to manage Digipass records, you will need to follow these steps:

1. Right-click on the Organizational Unit in which to assign permissions.
2. Select Delegate Control... from the right-click menu. The Delegate Control Wizard will be displayed.
3. Select the User or Windows Group to assign permissions.
4. Click on OK.
5. Select the Delegate Common Tasks option button.
6. Select Create, Delete and Manage Digipass from the list.
7. Click on Next.
8. Click on Finish.

If you wish to grant permissions to modify Digipass User Account properties, you will need to follow these steps:

9. Select View -> Advanced Features from the main menu.
10. Right-click on the Organizational Unit in which to assign permissions.
11. Select Properties from the right-click menu.
12. Click on the Security tab.
13. Click on the Advanced button. The Advanced Security Settings window will be displayed.
14. Click on Add...
15. Type the username of the User to assign the permissions to and click OK.
16. Click on the Properties tab.
17. Select User Objects from the Apply onto drop down list.
18. Select the required permissions from:
    - Write Digipass User Account Information
    - Write Digipass User Account Link
    - Write Digipass User Account Stored Password
19. Click on OK.
20. Click on OK.
21. Click on OK.

If the administrator requires permissions to take Digipass out of the Digipass Pool for assignment, you will need to follow these steps:

22. Right-click on the Digipass Pool.
23. Select Properties from the right-click menu.
24. Click on the Security tab.
25. Click on the Advanced button. The Advanced Security Settings window will be displayed.
26. Click on Add...
27. Select the User account.
28. Click on OK.
29. Click on the Object tab.
30. Select Child objects only from the Apply onto drop down list.
31. Tick the Allow box for:
    - Delete Digipass Objects
    - Create Digipass Objects (if you wish to allow the administrator to move Digipass records into the Digipass Pool)
32. Click on OK.
33. Click on Add...
34. Select the User account.
35. Click on OK.
36. Click on the Object tab.
37. Select Digipass objects from the Apply onto drop down list.
38. Tick the Allow box for Write All Properties.
39. Click on OK.
40. Click on OK.
41. Click on OK.
3.4 Multiple Domains

When using the IAS Plug-In with multiple domains, extra steps must be followed to ensure that both the IAS Plug-In and administrators have permissions sufficient to access required data. The main issues are:

- The Digipass Configuration Container is only in one Domain. All IAS Plug-Ins need read access to this container, even when they are in a different Domain. Cross-Domain access for administrators is a less likely requirement, however.
- If an IAS Plug-In handles users and Digipass in more than one Domain, it needs to be granted the necessary permissions in all the necessary Domains.

In this manual, we will handle cross-domain permissions using a combination of Domain Local and Domain Global groups. It is possible in a 'native' mode Domain to use Universal groups, but these are not recommended in Windows 2000 due to replication issues. The replication efficiency has been improved in Windows Server 2003; however, Universal groups are still not used as commonly as Domain Local/Global groups.

Three possible scenarios for multiple domain setup are outlined below.

Scenario 1 - Each IAS Server Handles One Domain

Each IAS server handles only the domain in which it is a member. Install IAS in each domain (the result will be at least as many IAS servers as domains). Give each IAS server access to the Digipass Configuration Domain:

Domain Global Group(s) - for each domain (apart from the Digipass Configuration Domain):

1. Create a Domain Global group.
2. Add the IAS server(s) to the Domain Global group (check which machines are in the 'RAS and IAS Servers' group to ensure the correct additions).

Domain Local group - in the Digipass Configuration Domain:

3. Create or use an existing Domain Local group.
4. Give the Domain Local group full read access to the Digipass Configuration Container.
5. Add the Domain Global Group from each other domain to the Domain Local group.

Scenario 2 - One IAS Server Handles All Domains

IAS servers in one domain handle all domains. The Digipass Configuration Container should be located in the domain to which the IAS servers belong. Give the necessary access to User and Digipass data:

Domain Global group - in the IAS server Domain:

1. Create a Domain Global group.
2. Add the IAS servers to the Domain Global group (check which machines are in the 'RAS and IAS Servers' group to ensure the correct additions).

Domain Local groups - for each other Domain:

3. Create a Domain Local group.
4. Give the Domain Local group the required permissions (run the setupaccess command; see 8.1 DPADadmin Utility for more information).
5. Add the Domain Global group from the IAS Domain to the Domain Local group.

Scenario 3 - Combination

This scenario represents more complex setups, where a combination of steps from Scenarios 1 and 2 will be required. Use the steps given in the first two scenarios as a guide for what you will need to do for the combination scenario.
4 Backup and Recovery

This section explores the measures that Administrators can undertake in backing up and recovering VASCO data files in the event of a system failure.

Note: This section does not cover backup of executables and system files. In the event of a catastrophic failure these can be restored or reinstalled from the original distribution media.

Once the IAS Plug-In is installed and operational, backups should be made of important files and data. Any time changes are made to the system, file backups may need to be performed again. These changes include, but are not limited to:

- Changing any configuration settings, including the IP address of an IAS server
- Adding/removing a Component
- Modifying a Policy

4.1 What Must be Backed Up

- Configuration files for the IAS Plug-In and Message Delivery Component
- User Self-Management Web Site pages and graphics (if customized)
- Virtual Digipass OTP Request Web Site pages and graphics (if customized)
- Audit Log data
- Active Directory
- DPX files (except for demo Digipass)

Important Note: The Digipass Plug-In for IAS installation includes a DPX directory containing sample DPX files for demo Digipass. These do not need to be backed up. However, if you have copied the DPX files for your real Digipass into that directory, ensure you still have the original files (normally on floppy disk). If you no longer have the DPX file(s) stored elsewhere, it is very important that you take a backup.

Configuration files

The configuration files for the IAS Plug-In and Virtual Digipass Message Delivery Component can be copied from the bin directory (by default C:\Program Files\VASCO\Digipass Plug-In for IAS\bin) to a secure location. The files to be copied are:

- dpiasext.xml: keep backups from all IAS servers.
- mdcconfig.xml: a backup of one working file is sufficient.

Tip: Save the files above with an extension that describes the server from which the file(s) were backed up. This makes it easier and quicker to locate the correct file during recovery.

Web Sites

In some cases, the web pages and graphics provided with the Digipass Plug-In for the User Self Management Web Site and Virtual Digipass OTP Request Web Site will have been customized to suit the organization's colors/languages/themes/etc. If these web pages and graphics have been modified, it is important to have a backup stored in a secure location away from the production server. This will allow the web site to be restored with the look and feel of the organization.

To back up the web site pages and graphics, you can copy the html, js, and gif files to another location. If the site is highly modified, or the location of the files on disk is not known, contact your web administrator for further guidance.

Note: Maintaining the directory structure will make restoration of the site, if required, quicker and easier.

Audit Log Data

If your organization requires that the Audit Log data be archived, the method required will depend on the audit settings.

Write to File

Ensure you make copies of all files contained in the directory into which the audit log files are written. By default this will be <install dir>\log; however, it may have been configured to another location. Check the audit configuration settings if you are unsure.

Write to Windows Event Log

By default, Event Log entries are written to the Application log. However, you can configure the entries to be written to another log. Check the audit configuration if you are unsure.

Important Note: The Event Log may be configured with a maximum size. When this size is reached, the oldest entries may be overwritten by new ones. To check this, view the Properties of the log in the Event Viewer. If older entries will be overwritten, you will need to archive them before that occurs.

To archive an Event Log:

1. Select Start -> Settings -> Control Panel.
2. Double-click on Administrative Tools.
3. Double-click on Event Viewer.
4. Right-click on Application (or the correct log, if not Application).
5. Click on Save log file as...
6. Select a path and enter a filename.
7. Select a file format from the Type drop down list.
8. Click on the Save button.

Note: The Audit Log data is not required for system recovery purposes but may contain useful data in the event of a server failure.

Active Directory Cold Backup

In most cases the server running IAS will belong to an Active Directory domain consisting of several Domain Controllers. Replication should automatically occur between Domain Controllers, providing simple data backup. It is highly recommended, however, that you perform a cold backup of the System State Data, which includes the Active Directory repository. This will allow recovery if data is corrupted and then replicated. For more information about backing up and restoring System State Data, refer to Windows Help on your Domain Controller and enter 'backing up data, System State data' in the index tab. In particular, this should be performed on the Digipass Configuration Domain and any other Domains containing Digipass User accounts and/or Digipass records.

Additional information can be found at:

DPX files

The DPX files are normally provided on a floppy disk, which can be stored securely as a backup. If you prefer another method of archive, copy the files to your preferred location. It is important to keep the DPX file transport keys secure and preferably in a separate location to the DPX files themselves.
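The following is an added example, not code from VASCO or from this manual: a small Python helper that performs the two file-level backups described under Configuration files and Web Sites above, tagging each configuration file with the server name as the Tip recommends and preserving the web-site directory structure as the Note recommends. The directory and file names in the demo are constructed; on a real server you would point it at the bin directory and the web-site root.

```python
"""Added example, not VASCO's code: back up the IAS Plug-In configuration files
and the customised web-site files listed in 4.1, tagging each configuration
file with the name of the server it came from, as the Tip above recommends.
Directory names used by the demo are constructed."""
import os
import shutil
import socket
import tempfile

CONFIG_FILES = ("dpiasext.xml", "mdcconfig.xml")   # the two files named in 4.1
WEB_EXTENSIONS = (".html", ".js", ".gif")          # the file types named in 4.1


def backup_config_files(bin_dir, backup_dir, server_name=None):
    """Copy each configuration file found in bin_dir into backup_dir, appending
    the server name as an extra extension (e.g. dpiasext.xml.ias01) so backups
    from several IAS servers can live side by side. Returns the new file names."""
    server_name = server_name or socket.gethostname()
    os.makedirs(backup_dir, exist_ok=True)
    copied = []
    for name in CONFIG_FILES:
        src = os.path.join(bin_dir, name)
        if not os.path.isfile(src):
            continue                    # e.g. no mdcconfig.xml on a server without the MDC
        dst = os.path.join(backup_dir, f"{name}.{server_name}")
        shutil.copy2(src, dst)          # copy2 also keeps the modification time
        copied.append(os.path.basename(dst))
    return copied


def backup_web_site(site_dir, backup_dir):
    """Copy the html/js/gif files under site_dir into backup_dir, keeping the
    directory structure so restoration is quick. Returns the relative paths
    copied, sorted, with '/' separators."""
    copied = []
    for root, _dirs, files in os.walk(site_dir):
        for fname in files:
            if not fname.lower().endswith(WEB_EXTENSIONS):
                continue
            rel = os.path.relpath(os.path.join(root, fname), site_dir)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(os.path.join(root, fname), dst)
            copied.append(rel.replace(os.sep, "/"))
    return sorted(copied)


def run_demo():
    """Build a constructed bin directory and web site in a temporary folder,
    back them up and return (config backup names, web files copied)."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = os.path.join(tmp, "bin")
        site_dir = os.path.join(tmp, "usms")
        os.makedirs(bin_dir)
        os.makedirs(os.path.join(site_dir, "images"))
        for name in CONFIG_FILES:
            with open(os.path.join(bin_dir, name), "w") as f:
                f.write("<config/>")        # constructed placeholder content
        for rel in ("index.html", "site.js", "images/logo.gif", "readme.txt"):
            with open(os.path.join(site_dir, rel), "w") as f:
                f.write("x")                # readme.txt is not a web asset and is skipped
        cfg = backup_config_files(bin_dir, os.path.join(tmp, "backup", "config"), "ias01")
        web = backup_web_site(site_dir, os.path.join(tmp, "backup", "usms"))
        return cfg, web


if __name__ == "__main__":
    print(run_demo())
```

The backup directory should itself be on the secure, off-server location the section calls for; the helper only decides what to copy and how to name it.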
4.2 Recovery

The recovery process for IAS Plug-In data requires the following procedure. Some assumptions have been made for these instructions.

Assumptions:

- Active Directory is still valid and operational.
- Up-to-date backups of the configuration files for the IAS Plug-In are available.

Steps:

1. Rebuild the server with your operating system SOE, using the same IP address as before, in the same Domain as before.
2. Retrieve your backup copy of the dpiasext.xml file.
3. Reinstall the Digipass Plug-In for IAS on the server, ensuring you are logged in as a domain administrator. The same settings as those chosen in the previous installation should be selected, except that the 'This is not the first IAS Plug-In to be installed' checkbox on the Active Directory Prerequisites screen should be ticked.
4. Tick the 'Use an evaluation license' checkbox (the existing Digipass data in Active Directory contains all necessary licensing information, which will be retrieved when the IAS Plug-In is operational).
5. At the end of the installation, you will be prompted to select a license activation method. Select Just Continue.

Before you restart the machine, carry out the following:

6. Restore the backup copy of the configuration file dpiasext.xml into the same directory.
7. Restore any customised files for the web sites (see the Web Sites topic in 4.1 for more information).

After restarting the machine:

8. Check that you can view Digipass-specific information in the Administration MMC Interface and Digipass Extension for Active Directory Users and Computers.
5 Field Listings

5.1 User Property Sheet

Field Name in Administration Interfaces / Description

New Password, Confirm Password
    These fields are used to modify the static password that is stored in the Digipass User account. If they are left blank, no modification is made.

Local Authentication
    Specifies whether authentication requests for the User account will be handled by the IAS Plug-In using Local Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication). Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass User account is used to override the Policy setting for special cases.
    When Local Authentication is used, there are two factors that determine whether Digipass authentication is used: any Policy restrictions on Digipass Types and/or Applications that can be used, and whether the Digipass User account has any assigned Digipass that meet the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they cannot use Digipass authentication under that Policy.
    Options:
    - Default: Use the setting of the effective Policy.
    - None: The IAS Plug-In will not carry out Local Authentication for this User account. Requests may be handled using Back-End Authentication, or not handled at all by the IAS Plug-In.
    - Digipass/Password: The IAS Plug-In will always carry out Local Authentication for this User, using Digipass authentication if possible, otherwise the static password. Back-End Authentication may also be utilized.
    - Digipass Only: The IAS Plug-In will always carry out Local Authentication for this User, using Digipass authentication. If Digipass authentication is not possible, the user cannot log in. Back-End Authentication may also be utilized.

Back-End Authentication
    Specifies whether authentication requests for the User account will be handled by the IAS Plug-In using Back-End Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication). Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass User account is used to override the Policy setting for special cases.
    Options:
    - Default: Use the setting of the effective Policy.
    - None: Back-End Authentication will not be used.
    - If Needed: The IAS Plug-In will utilize Back-End Authentication, but only in certain cases:
      - Dynamic User Registration
      - Self-Assignment
      - Password Autolearn
      - Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password
      - Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the Grace Period
    - Always: The IAS Plug-In will utilize Back-End Authentication for every authentication request.

Disabled
    Specifies whether a Digipass User account is enabled or disabled. If disabled, authentication for the User will be rejected by the IAS Plug-In. This attribute will be set to disabled and made read-only if the Active Directory User account is disabled or expired. Otherwise, this attribute will be editable.

Locked
    Specifies whether a Digipass User account is locked or not. If locked, authentication for the User will be rejected by the IAS Plug-In. The Locked indicator is normally set automatically when the User exceeds a certain number of failed authentication attempts. The User Lock Threshold is set in the Policy.

Linked User Account
    It is possible to share Digipass between different User accounts, by linking User accounts together. This feature is intended for the case where one person, such as an administrator, has multiple User accounts. If their accounts are linked, there is no need to give more than one Digipass to that person. This feature is used by assigning the Digipass to one User account, then linking all the other User accounts for the person to the one that has the Digipass.
    If a User is linked to another User, their Linked User Account field will show the Active Directory DN (Distinguished Name) of the linked User. The DN shows the full address within Active Directory of the linked User, for example:
        CN=Test User,OU=Admin,OU=Europe,DC=vasco,DC=dom
    In this example, the linked User is called Test User and they are located in an Organizational Unit Admin, which is inside another Organizational Unit Europe in the vasco.dom domain. Read-only.

RADIUS Profiles
    NOTE: Not applicable to the IAS Plug-In. Included for compatibility with other VASCO products, e.g. Digipass Plug-In for Funk.

Created On
    The date and time that the Digipass User account was created. Read-only.

Last Modified On
    The date and time that the Digipass User account was last modified. Read-only.

Assigned Digipass list
    This lists all Digipass that are assigned to the User. For each Digipass, the list of active Applications is given with the Application Type indicated in brackets (). For example:
        RESP_ONL(RO), CHALLENGE(CR)
    In this example line, the Digipass with that Serial Number has two active Applications: one Response Only Application RESP_ONL and one Challenge/Response Application CHALLENGE.
    If the User does not have any Digipass assigned directly, but is linked to another User to use their Digipass (see Linked User Account), the linked User's Digipass list is shown with the Serial Numbers in square brackets (e.g. [ ]).
    When a Digipass in the list is selected, the remainder of the property sheet tab indicates values from the corresponding Digipass record. Read-only.

Table 6: User Fields
5.2 Digipass Property Sheet

Field Name in Administration Interfaces / Description

Digipass Type
    The type of Digipass represented by the Digipass record (e.g. DP300).

Reserve for Individual Assignment
    When used, this option prevents the Digipass from being assigned using the Auto-Assignment feature. It also prevents it from being assigned by an administrator who uses the 'Assign next available...' option in the assignment dialog.

Assigned to User
    User ID of the Digipass User account that the Digipass is assigned to, if it is assigned. Read-only.

Date Assigned
    The date and time when the Digipass was assigned to its current User. Read-only.

Grace Period End
    The date on which the Grace Period will expire, or did expire, for this Digipass. If the date shows today's date or before, the Grace Period has already expired. If it is blank, there is no Grace Period.

Enable Backup VDP
    Specifies whether and how the Backup Virtual Digipass feature can be used for this Digipass. Note that in order for the Backup Virtual Digipass feature to function, it must also be activated in the DPX file for the Digipass. Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass record is used to override the Policy setting for special cases.
    Options:
    - Default: Use the setting of the effective Policy.
    - No: Backup Virtual Digipass is not permitted.
    - Yes - Permitted: Backup Virtual Digipass is permitted, but not mandatory. The Enabled Until date is not applicable when using this option, but the Uses Remaining count is.
    - Yes - Time Limited: Backup Virtual Digipass is permitted, but not mandatory. Both the Enabled Until date and the Uses Remaining count will be in effect.
    - Yes - Required: Backup Virtual Digipass is mandatory. This may be useful if the User may have lost the Digipass, to prevent it from being used until they have found it again. The Enabled Until date is not applicable when using this option, but the Uses Remaining count is.

Enabled Until
    The date on which the Backup Virtual Digipass feature may no longer be used, provided that the effective Enable Backup VDP setting is Yes - Time Limited (it is ignored otherwise). If this date is blank, it will be set automatically the first time that the User requests a Backup Virtual Digipass OTP, using the Backup Virtual Digipass Time Limit defined in the Policy. Once this date has expired, it requires administrator intervention either to extend it or to reset it to blank for the next time that the User needs to use Backup Virtual Digipass.

Uses Remaining
    The remaining number of times that the Backup Virtual Digipass feature may be used for this Digipass. Once this number has reached zero, Backup Virtual Digipass can no longer be used with this Digipass, unless the administrator increases it or resets it to blank. If this number is blank and there is a Backup Virtual Digipass Max. Uses/User defined in the Policy, it will be set automatically the first time that the User requests a Backup Virtual Digipass OTP, based on the Max. Uses/User.

Created On
    The date and time that the Digipass was created. Read-only.

Last Modified On
    The date and time that the Digipass was last modified. Read-only.

Table 7: Digipass Fields

Digipass Application Tab
Field Name in Administration Interfaces / Description

Application Type
    The type of Digipass Application:
    - RO: Response Only
    - CR: Challenge/Response
    - SG: Signature

Active
    This field can be used to deactivate an Application, so that it cannot be used.

Attribute/Value list
    This list indicates various internal settings of the Digipass Application.

Created On
    The date and time that the Digipass Application was created. Read-only.

Last Modified On
    The date and time that the Digipass Application was last modified. Read-only.

Table 8: Digipass Application Fields

5.3 Policy Property Sheet

Note: Changes to Policy settings will not take effect until IAS is restarted.

Field Name in Administration Interfaces / Description

Description
    This description can be entered to record the purpose of the Policy.

Inherits from Policy
    Contains the Name of the Policy from which settings will be inherited, referred to as the 'parent Policy'. Settings are inherited individually, depending on the value in the Policy field; they inherit the parent Policy value in the following cases:
    - Choice lists/radio buttons: if the selected value is Default
    - Text fields: if the field is blank
    - Numeric fields: if the field is blank (not 0)
    - List fields: if the list is empty
    The Show Effective Policy Settings... button can be used to display the result of inheriting settings combined with settings on the current Policy.

Local Authentication
    Specifies whether authentication requests using the Policy will be handled by the IAS Plug-In using Local Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication). When Local Authentication is used, there are two factors that determine whether Digipass authentication is used: any Policy restrictions on Digipass Types and/or Applications that can be used, and whether the Digipass User account has any assigned Digipass that meet the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they cannot use Digipass authentication under that Policy.
    Options:
    - Default: Use the setting of the parent Policy.
    - None: The IAS Plug-In will not carry out Local Authentication under this Policy. Requests may be handled using Back-End Authentication, or not handled at all by the IAS Plug-In.
    - Digipass/Password: The IAS Plug-In will always carry out Local Authentication under this Policy, using Digipass authentication if possible, otherwise the static password. Back-End Authentication may also be utilized.
    - Digipass Only: The IAS Plug-In will always carry out Local Authentication under this Policy, using Digipass authentication. If Digipass authentication is not possible, the user cannot log in. Back-End Authentication may also be utilized.
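The four inheritance rules under Inherits from Policy, and the way a Digipass User account field such as Local Authentication overrides the effective Policy (5.1), are easy to get wrong in a review because "blank" means different things per field type. The following Python is an added example written for this page, not VASCO code and not the Plug-In's real data model: it resolves a Policy's effective settings through its parent chain and then applies a User-level override. The field names, their kinds and the sample Policies are assumptions made for illustration; the numeric rule deliberately treats 0 as a set value, as the text requires.

```python
"""Added example, not VASCO's code: compute a Policy's effective settings through
its 'Inherits from Policy' chain using the four inheritance rules in 5.3, then
apply a Digipass User account override as described for the Local Authentication
field in 5.1. Field names, kinds and the sample Policies are assumptions."""

# Which inheritance rule applies depends on the kind of field (assumed mapping).
FIELD_KINDS = {
    "local_authentication": "choice",   # choice list: inherited when "Default"
    "back_end_authentication": "choice",
    "description": "text",              # text: inherited when blank
    "default_domain": "text",
    "user_lock_threshold": "numeric",   # numeric: inherited when blank, NOT when 0
    "group_list": "list",               # list: inherited when empty
}
UNSET = {"choice": "Default", "text": "", "numeric": None, "list": []}
MAX_CHAIN = 32   # guard against a cyclic Inherits-from chain (assumption)


def is_unset(kind, value):
    """True when a field of this kind takes the parent Policy's value."""
    if kind == "choice":
        return value == "Default"
    if kind == "text":
        return value is None or value == ""
    if kind == "numeric":
        return value is None            # 0 is a real value and is kept
    if kind == "list":
        return not value
    raise ValueError(f"unknown field kind {kind!r}")


def effective_policy_settings(policy_name, policies):
    """Resolve every field of policy_name individually. policies maps a Policy
    name to a dict of field values plus an optional 'inherits_from' key. A field
    that is unset all the way up the chain stays unset."""
    effective = {}
    for field, kind in FIELD_KINDS.items():
        name = policy_name
        for _ in range(MAX_CHAIN):
            policy = policies[name]
            value = policy.get(field, UNSET[kind])
            if not is_unset(kind, value) or policy.get("inherits_from") is None:
                break
            name = policy["inherits_from"]
        else:
            raise ValueError("Inherits from Policy chain too long or cyclic")
        effective[field] = value
    return effective


def resolve_user_setting(field, user_value, effective_policy):
    """Digipass User account fields such as Local Authentication hold 'Default'
    unless an administrator overrides the effective Policy for a special case."""
    if is_unset(FIELD_KINDS[field], user_value):
        return effective_policy[field]
    return user_value


# Constructed sample Policies: Helpdesk inherits from VPN, which inherits from Base.
POLICIES = {
    "Base": {"local_authentication": "Digipass/Password",
             "back_end_authentication": "None",
             "user_lock_threshold": 3,
             "default_domain": "corp.example",
             "group_list": ["Digipass Users"]},
    "VPN": {"inherits_from": "Base",
            "local_authentication": "Default",
            "user_lock_threshold": 0,         # explicit 0 is kept, not inherited
            "description": "VPN users"},
    "Helpdesk": {"inherits_from": "VPN", "group_list": []},
}

if __name__ == "__main__":
    eff = effective_policy_settings("Helpdesk", POLICIES)
    for field, value in eff.items():
        print(f"{field:25} {value!r}")
    print("user override:", resolve_user_setting("local_authentication", "Digipass Only", eff))
```

Running it for the Helpdesk Policy shows the empty Group List and Default Local Authentication falling through to Base, while the explicit 0 on VPN's User Lock Threshold stops the chain; this is the same view the Show Effective Policy Settings... button gives, reproduced so the rules can be checked against it.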
Back-End Authentication
    Specifies whether authentication requests using the Policy will be handled by the IAS Plug-In using Back-End Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).
    Options:
    - Default: Use the setting of the parent Policy.
    - None: Back-End Authentication will not be used.
    - If Needed: The IAS Plug-In will utilize Back-End Authentication, but only in certain cases:
      - Dynamic User Registration
      - Self-Assignment
      - Password Autolearn
      - Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password
      - Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the Grace Period
    - Always: The IAS Plug-In will utilize Back-End Authentication for every authentication request.

Back-End Protocol
    Specifies the protocol to be used for Back-End Authentication. There is currently only one option: Windows, which is authentication using the Windows operating system.

Created On
    The date and time that the Policy was created. Read-only.

Last Modified On
    The date and time that the Policy was last modified. Read-only.

Dynamic User Registration
    Specifies whether the Dynamic User Registration (DUR) feature is enabled for the Policy. If this feature is used, when the IAS Plug-In receives an authentication request for a User for the first time and Back-End Authentication is successful, it will create a Digipass User account automatically. If DUR is used in conjunction with Auto-Assignment, a Digipass will be assigned to the new User account immediately.

Password Autolearn
    Specifies whether the Password Autolearn feature is enabled for the Policy. This feature enables the IAS Plug-In to update the password stored in the Digipass User account when Back-End Authentication is successful. In Digipass Plug-In for IAS it is normally not necessary to store the password in the Digipass User account, so this feature is not typically used.

Stored Password Proxy
    Specifies whether the Stored Password Proxy feature is enabled for the Policy. This feature can be used in conjunction with the Back-End Authentication Always setting and the Password Autolearn feature, so that even though a Back-End Authentication check is done at every login, it is done using the password stored in the Digipass User account, so the User does not have to enter it during their login unless it has just changed. In Digipass Plug-In for IAS it is normally not necessary to perform a Back-End Authentication check at each login, so this feature is not typically used.

Default Domain
    The default Domain in which the IAS Plug-In should look for and create Digipass User accounts, if a Domain is not specified by the login credentials. If the User logs in with the User-Principal-Name format (e.g. [email protected]) or the NT4 style format (e.g. VASCO\testuser), the Default Domain is not used. However, if they log in with just a UserId (e.g. testuser), the Default Domain will be used if specified. In the case that no Domain is implied by the login credentials and there is no Default Domain, the IAS Plug-In will search in its Configuration Domain. Must be the fully qualified domain name.
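To make the Default Domain precedence concrete, here is an added Python example (written for this page; it is not VASCO code and does not claim to match the Plug-In's internal parsing) that classifies a login name as UPN, NT4 style or bare UserId and returns the Domain the Plug-In would search according to the rules above. The domain names are constructed. One point worth noticing in the result: the NT4 form yields the NetBIOS domain name as typed, whereas the Default Domain setting itself must be a fully qualified name, so the two are not interchangeable when you compare them in your own tooling.

```python
"""Added example, not VASCO's code: determine which Domain the IAS Plug-In
searches for a Digipass User account from the login-name format, following the
Default Domain description in 5.3. Domain names are constructed."""

CONFIGURATION_DOMAIN = "vasco.dom"   # the Digipass Configuration Domain (constructed)


def resolve_login(user_login, default_domain=None,
                  configuration_domain=CONFIGURATION_DOMAIN):
    """Return (user_id, domain, source), where source says which rule decided
    the Domain: 'nt4', 'upn', 'default-domain' or 'configuration-domain'."""
    login = user_login.strip()
    if "\\" in login:                       # NT4 style: DOMAIN\user (NetBIOS name)
        domain, _, user = login.partition("\\")
        if not domain or not user:
            raise ValueError(f"malformed NT4 login: {user_login!r}")
        return user, domain, "nt4"
    if "@" in login:                        # User-Principal-Name: user@fqdn
        user, _, domain = login.rpartition("@")
        if not domain or not user:
            raise ValueError(f"malformed UPN login: {user_login!r}")
        return user, domain, "upn"
    if not login:
        raise ValueError("empty login")
    # Bare UserId: the Default Domain wins if one is set in the effective Policy,
    # otherwise the Plug-In falls back to its Configuration Domain.
    if default_domain:
        return login, default_domain, "default-domain"
    return login, configuration_domain, "configuration-domain"


def describe(user_login, default_domain=None):
    """One-line summary for the stand-alone run below."""
    user, domain, source = resolve_login(user_login, default_domain)
    return f"{user_login!r:24} -> user={user} domain={domain} ({source})"


if __name__ == "__main__":
    for sample in ("testuser@vasco.dom", "VASCO\\testuser", "testuser"):
        print(describe(sample))
        print(describe(sample, default_domain="corp.example"))
```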
User Lock Threshold
    This indicates the number of consecutive failed login attempts that will cause a Digipass User account to become Locked. For example, if the User Lock Threshold is 3, the account will become Locked on the third failed login attempt. Unlocking the account requires administrator action. Note that not all kinds of login failure will result in locking. For example, if the UserId is incorrect or the account is Disabled, the failure would not count towards the lock threshold. Locking is used mainly for incorrect OTPs and static passwords.

Windows Group Check (radio buttons)
    Specifies whether and how the Windows Group Check feature is to be used. This feature is typically used for a staged deployment of Digipass when the Auto-Assignment method is used. It can also be used when only some Users are required to use Digipass, or when only some Users will be permitted access and they have to use Digipass.
    Options:
        Default: Use the setting of the parent Policy.
        Authenticate all groups: Do not use the Windows Group Check feature.
        Authenticate listed groups, pass others through: Use the Windows Group Check so that any Users who are not in one of the listed groups are ignored by the IAS Plug-In.
        Authenticate listed groups, reject others: Use the Windows Group Check so that any Users who are not in one of the listed groups are rejected by the IAS Plug-In.

Group List
    This lists the names of the Windows Groups to be checked according to the Windows Group Check radio button setting. There are some important limitations of this check:
        Certain built-in Active Directory groups such as Domain Users and Everyone will not be checked. The check is intended to be used with a new group created specifically for this purpose.
        Nested group membership will not be detected by the check.
        There is no Domain qualifier for a group. The named group must be created in each Domain where User accounts exist that need to be added to the group.

Assignment Mode
    Specifies the method of automated Digipass Assignment that will be used for this Policy, if any. There are two methods, Auto-Assignment and Self-Assignment.
    Auto-Assignment is used in conjunction with Dynamic User Registration (DUR). When DUR occurs, the next available Digipass is assigned to the new Digipass User account. A Grace Period is set for the Digipass according to the Grace Period setting in the Policy.
    Self-Assignment is typically used with DUR also, but if the Digipass User accounts are created first by the administrator, DUR is not necessary. In the Self-Assignment mode, a User is able to assign themselves a Digipass by entering the Serial Number, a valid OTP from the Digipass and their static password. There is no Grace Period associated with Self-Assignment, because the User has to use the Digipass to perform Self-Assignment.
    In both cases, any Applicable Digipass restrictions for the Policy apply. For example, it will not be permitted to self-assign a DP300 if the Policy restricts Digipass Types to DPGO3 and DPGO1. In addition, if the User already has a Digipass assigned that meets the Policy restrictions, they will not be able to self-assign another Digipass.
    Options:
        Default: Use the setting of the parent Policy.
        Auto-Assignment: Use the Auto-Assignment method.
        Self-Assignment: Use the Self-Assignment method.
        Neither: Do not use either method of automated assignment.

Grace Period
    Default time period (in days) to give Users between Auto-Assignment of a Digipass and the date they must start using their Digipass to log in. Before that time they can still use a static password (unless the Local Authentication setting is Digipass Only). However, the first time that an OTP is used to log in, the Grace Period is ended at that point if it has not already ended. This setting does not affect manual assignment by an administrator.
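The Assignment Mode and Grace Period rules above, modelled together as an added example (not VASCO's code): Auto-Assignment takes the next available Digipass that meets the Policy restrictions and starts a Grace Period; Self-Assignment is refused for a Digipass Type the Policy excludes or when the User already holds a qualifying Digipass; a static password is accepted only while a Grace Period runs and Local Authentication is not Digipass Only; the first OTP login ends the Grace Period. OTP verification itself is out of scope, and serial numbers, Digipass Types and dates are constructed.

```python
"""Automated Digipass assignment and the Grace Period.

Added example, not part of the product. Serial numbers, Digipass Types,
Policy values and dates are constructed sample values.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Digipass:
    serial_number: str
    digipass_type: str
    grace_period_until: Optional[date] = None   # None: no Grace Period running


@dataclass
class Policy:
    assignment_mode: str                 # "Auto-Assignment", "Self-Assignment" or "Neither"
    grace_period_days: int
    digipass_types: List[str] = field(default_factory=list)   # empty: no restriction
    local_authentication: str = "Digipass/Password"            # or "Digipass Only"


@dataclass
class User:
    userid: str
    digipasses: List[Digipass] = field(default_factory=list)


def meets_restrictions(dp: Digipass, policy: Policy) -> bool:
    return not policy.digipass_types or dp.digipass_type in policy.digipass_types


def auto_assign(user: User, pool: List[Digipass], policy: Policy, today: date) -> Digipass:
    """Assign the next available Digipass allowed by the Policy and start its Grace Period."""
    if policy.assignment_mode != "Auto-Assignment":
        raise PermissionError("Auto-Assignment is not enabled by the Policy")
    for dp in pool:
        if meets_restrictions(dp, policy):
            pool.remove(dp)
            dp.grace_period_until = today + timedelta(days=policy.grace_period_days)
            user.digipasses.append(dp)
            return dp
    raise LookupError("no available Digipass matches the Policy restrictions")


def self_assign(user: User, pool: List[Digipass], serial_number: str, policy: Policy) -> Digipass:
    """Self-Assignment: the User names the Digipass; no Grace Period is started."""
    if policy.assignment_mode != "Self-Assignment":
        raise PermissionError("Self-Assignment is not enabled by the Policy")
    if any(meets_restrictions(dp, policy) for dp in user.digipasses):
        raise PermissionError("User already has a Digipass that meets the Policy restrictions")
    for dp in pool:
        if dp.serial_number == serial_number:
            if not meets_restrictions(dp, policy):
                raise PermissionError(f"{dp.digipass_type} is not permitted by the Policy")
            pool.remove(dp)
            user.digipasses.append(dp)
            return dp
    raise LookupError("serial number not available in the Digipass pool")


def static_password_allowed(user: User, policy: Policy, today: date) -> bool:
    """A static password alone is acceptable only while a Grace Period is running."""
    if policy.local_authentication == "Digipass Only":
        return False
    return any(dp.grace_period_until is not None and today < dp.grace_period_until
               for dp in user.digipasses)


def otp_login_succeeded(dp: Digipass) -> None:
    """The first OTP login ends the Grace Period, whether or not it has already expired."""
    dp.grace_period_until = None
```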
Serial No. Separator
    The character (or short sequence of characters) that will be included at the end of the Digipass Serial Number during a Self-Assignment login. It allows the IAS Plug-In to easily recognise that a Self-Assignment attempt is being made and extract the Serial Number from the credentials.

Search Upwards in Org. Unit Hierarchy
    This controls the search scope for an available Digipass for Auto-Assignment, or for a specific Digipass for Self-Assignment. This setting does not affect manual assignment by an administrator.
    Options:
        Default: Use the setting of the parent Policy.
        No: The search scope is only the Organizational Unit in which the User account belongs.
        Yes: The search will start in the User account's Organizational Unit, but if necessary it will then move upwards through the Organizational Unit hierarchy until it reaches the top. At the top, the Digipass-Pool container will be searched. See the Location of Digipass Records topic in the Product Guide for more information.

Application Names
    The Policy can specify a restriction on which Digipass Applications may be used when it is effective. If the list is empty, there is no restriction. If there are one or more entries, they will indicate the Application Names that are permitted.

Application Type
    The Policy can restrict which Digipass Application Type (eg. Response Only, Challenge/Response) may be used when it is effective.
    Options:
        Default: Use the setting of the parent Policy.
        No Restriction: Digipass Application Type is not restricted.
        Response Only: Only Digipass Applications of Type RO (Response Only) may be used.
        Challenge/Response: Only Digipass Applications of Type CR (Challenge/Response) may be used.

Digipass Types
    The Policy can specify a restriction on which Digipass Types may be used when it is effective. If the list is empty, there is no restriction. If there are one or more entries, they will indicate the Digipass Types that are permitted.

Allow PIN change
    Specifies whether Digipass Users will be allowed to change their Server PIN during logins to which the current Policy applies. Normally this setting is enabled, but it can be used to prevent PIN changes if required.

1-Step Challenge/Response Permitted
    Controls whether 1-step Challenge/Response logins will be enabled for the current Policy and, if so, where the challenge should originate. Note that 1-step Challenge/Response is not applicable in a RADIUS environment.
    Options:
        Default: Use the setting of the parent Policy.
        No: 1-step Challenge/Response may not be used.
        Yes Server Challenge: 1-step Challenge/Response may be used provided that the authentication server that verifies the response generated the challenge.
        Yes Any Challenge: 1-step Challenge/Response may be used with any random challenge.

1-Step Challenge/Response Challenge Length
    Specifies the length of the challenge (excluding a check digit) which should be generated for 1-step Challenge/Response logins.

1-Step Challenge/Response Add Check Digit
    A check digit may be added to the generated challenge. This allows the Digipass to more quickly identify invalid Challenges.
2-Step Challenge/Response Request Method
    The method by which a User has to request a 2-step Challenge/Response login. This is the only mode of Challenge/Response available in a RADIUS environment. The 'request' is made in the password field during login. The request will be ignored if the User does not have a Challenge/Response-capable Digipass assigned.
    Options:
        Default: Use the setting of the parent Policy.
        None: Do not use 2-step Challenge/Response.
        Keyword: Use the Request Keyword. For Challenge/Response, this is permitted to be blank.
        Password: Use the static password.
        KeywordPassword: Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.
        PasswordKeyword: Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.

2-Step Challenge/Response Request Keyword
    Defines the Keyword that a User must enter to request a 2-step Challenge/Response login, if a method using a Keyword is selected in the Request Method. For Challenge/Response, this is permitted to be blank.

Primary Virtual Digipass Request Method
    The method by which a User has to request a Primary Virtual Digipass login. The 'request' is made in the password field during login. The request will be ignored if the User does not have a Primary Virtual Digipass assigned.
    Options:
        Default: Use the setting of the parent Policy.
        None: Do not use Primary Virtual Digipass.
        Keyword: Use the Request Keyword. For Primary Virtual Digipass, this is not permitted to be blank.
        Password: Use the static password.
        KeywordPassword: Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.
        PasswordKeyword: Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.

Primary Virtual Digipass Request Keyword
    Defines the Keyword that a User must enter to request a Primary Virtual Digipass login, if a method using a Keyword is selected in the Request Method. For Primary Virtual Digipass, this is not permitted to be blank.

Backup Virtual Digipass Enable Backup VDP
    Specifies whether and how the Backup Virtual Digipass feature can be used when this Policy is effective. Note that in order for the Backup Virtual Digipass feature to function, it must also be activated in the DPX file for the Digipass.
    Options:
        Default: Use the setting of the parent Policy.
        No: Backup Virtual Digipass is not permitted.
        Yes Permitted: Backup Virtual Digipass is permitted, but not mandatory. The Time Limit is not applicable when using this option, but the Max. Uses/User limit is.
        Yes Time Limited: Backup Virtual Digipass is permitted, but not mandatory. Both the Time Limit and the Max. Uses/User limit will be in effect.
        Yes Required: Backup Virtual Digipass is mandatory. The Time Limit is not applicable when using this option, but the Max. Uses/User limit is.
Backup Virtual Digipass Time Limit
    When the Enable Backup VDP setting is Yes Time Limited, the Time Limit setting indicates the number of days for which the Backup Virtual Digipass feature may be used by a User, once they start using it. The Backup Virtual Digipass Enabled Until setting on the Digipass record will be set automatically the first time that the User requests a Backup Virtual Digipass OTP, using the Time Limit defined in the Policy. Once this date has expired, it requires administrator intervention either to extend it or to reset it to blank for the next time that the User needs to use Backup Virtual Digipass. Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will have a separate limit for each one.

Backup Virtual Digipass Max. Uses/User
    The maximum number of uses of the Backup Virtual Digipass feature permitted for each User, if they do not have a specific limit set for them. If the Backup Virtual Digipass Uses Remaining on the Digipass record is blank and there is a Max. Uses/User limit defined in the Policy, the Uses Remaining will be set automatically the first time that the User requests a Backup Virtual Digipass OTP. Once the Uses Remaining has reached zero, Backup Virtual Digipass can no longer be used with this Digipass, unless the administrator increases it or resets it to blank. Note that if a User has more than one Digipass capable of Backup Virtual Digipass, they will have a separate limit for each one.

Backup Virtual Digipass Request Method
    The method by which a User has to request a Backup Virtual Digipass login. The 'request' is made in the password field during login. The request will be ignored if the User does not have a Digipass assigned that is activated for the Backup Virtual Digipass feature, or if other Policy or Digipass settings do not permit Backup Virtual Digipass use.
    Options:
        Default: Use the setting of the parent Policy.
        None: Do not use Backup Virtual Digipass.
        Keyword: Use the Request Keyword. For Backup Virtual Digipass, this is not permitted to be blank.
        Password: Use the static password.
        KeywordPassword: Use the Request Keyword followed by the static password. No separator characters or whitespace should be between them.
        PasswordKeyword: Use the static password followed by the Request Keyword. No separator characters or whitespace should be between them.

Backup Virtual Digipass Request Keyword
    Defines the Keyword that a User must enter to request a Backup Virtual Digipass login, if a method using a Keyword is selected in the Request Method. For Backup Virtual Digipass, this is not permitted to be blank.

Identification Time Window
    Controls the maximum number of time steps' variation allowable between a Digipass and the authentication server during login. This only applies to time-based Response Only and Challenge/Response Applications. The Dynamic Time Window option may be used to allow more variation according to the length of time since the last successful login. If this setting is not specified at all, there is an inbuilt default value of 20.

Signature Time Window
    Controls the maximum number of time steps' variation allowable between a Digipass and the authentication server during Digital Signature verification. This only applies to time-based Signature Applications. If this setting is not specified at all, there is an inbuilt default value of 24. Signature Applications are not currently used in RADIUS environments.
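The Request Method and Request Keyword rules shared by 2-Step Challenge/Response, Primary Virtual Digipass and Backup Virtual Digipass above, as one added example (not VASCO's code): the password field must equal the Keyword, the static password, Keyword followed by password, or password followed by Keyword, with nothing in between; a blank Keyword is only allowed for Challenge/Response; and a request is ignored when the User has no Digipass capable of that feature. Feature names, keywords and passwords are constructed sample values.

```python
"""Recognising a feature request made in the password field.

Added example, not part of the product. Keywords, passwords and the
feature labels are constructed; 'Default' is assumed to have already
been resolved to a concrete method by the caller.
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class RequestSetting:
    feature: str                 # "2-Step C/R", "Primary VDP" or "Backup VDP"
    method: str                  # None, Keyword, Password, KeywordPassword, PasswordKeyword
    keyword: str = ""
    user_has_capable_digipass: bool = True   # otherwise the request is ignored


# How each Request Method composes the expected password-field content.
PATTERNS: Dict[str, Callable[[str, str], str]] = {
    "Keyword": lambda kw, pw: kw,
    "Password": lambda kw, pw: pw,
    "KeywordPassword": lambda kw, pw: kw + pw,
    "PasswordKeyword": lambda kw, pw: pw + kw,
}


def expected_request(setting: RequestSetting, static_password: str) -> str:
    """Build the exact password-field content that constitutes a request."""
    if setting.method not in PATTERNS:
        raise ValueError(f"unknown Request Method {setting.method!r}")
    if "Keyword" in setting.method and not setting.keyword and setting.feature != "2-Step C/R":
        raise ValueError(f"{setting.feature}: the Request Keyword must not be blank")
    return PATTERNS[setting.method](setting.keyword, static_password)


def is_request(password_field: str, setting: RequestSetting, static_password: str) -> bool:
    """True when the password field is a request for this feature."""
    if setting.method == "None" or not setting.user_has_capable_digipass:
        return False
    expected = expected_request(setting, static_password)
    # Constant-time comparison: the expected value may contain the static password.
    return hmac.compare_digest(password_field.encode(), expected.encode())


def requested_features(password_field: str, settings: List[RequestSetting],
                       static_password: str) -> List[str]:
    """Names of every feature whose request pattern the password field matches."""
    return [s.feature for s in settings if is_request(password_field, s, static_password)]
```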
Initial Time Window
    Controls the maximum time variation allowable between a Digipass and the authentication server, the first time that the Digipass is used. The time is specified in hours. This Initial Time Window is also used directly after a Reset Application operation, which can be used if it appears that the internal clock in the Digipass has drifted too much since the last successful login. This only applies to time-based Applications. In either case, after the first successful login, the Initial Time Window is no longer active. If this setting is not specified at all, there is an inbuilt default value of 6.

Event Window
    Controls the maximum number of events' variation allowable between a Digipass and the authentication server during a login that uses an event-based Application. If this setting is not specified at all, there is an inbuilt default value of 20.

Identification Threshold
    Specifies the number of consecutive failed authentication attempts allowed before the Digipass Application is locked from future authentication attempts. This locking mechanism is separate from the User Lock Threshold and is normally not necessary. It only applies when a single Digipass Application can be used for a login, either because the User only has one Digipass with one Application, or because the Policy restrictions narrow the list down to one Digipass Application. If Policy restrictions are used in this way, the Identification Threshold can be used to lock a User out of one kind of login (eg. a VPN) while still permitting them to use another kind (eg. Wireless). If this setting is not specified at all, this feature is not used.

Signature Threshold
    Specifies the number of consecutive failed Digital Signature authentication attempts allowed before the Digipass Application is set to be locked from future authentication attempts. If this setting is not specified at all, this feature is not used. Signature Applications are not currently used in RADIUS environments.

Max. Days Since Last Use
    This setting specifies the maximum number of days for which a Digipass Application can go unused for authentication. After this limit, authentication will be rejected until an administrator performs a Reset Application operation. If this setting is not specified at all, this feature is not used.

Challenge Check Mode
    This setting is for advanced control over time-based Challenge/Response authentication. The value 1 should be used for standard RADIUS challenge/response. This is the inbuilt default value if the setting is not specified at all.
        0: No check is made. This is necessary for 1-step Challenge/Response.
        1: The challenge presented for verification must be the last one that was generated specifically for that Digipass. This is the normal mode of operation in 2-step Challenge/Response.
        2: The challenge presented for verification is ignored; the last one that was generated specifically for that Digipass is used. This is rarely applicable.
        3: Only one verification is permitted per time step. This option only applies to time-based Challenge/Response. This is a method of avoiding a potential replay of a captured response if the same challenge comes up again in the same time step.
        4: If the same challenge and response are presented for verification twice in a row during the same time step, they are rejected. This is an advanced method of avoiding a potential replay of a captured challenge/response.

Online Signature Level
    This setting is for advanced control of Digital Signature authentication, and is not applicable currently. Signature Applications are not currently used in RADIUS environments.

Table 9: Policy Fields
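The two lock counters from the Policy listing, the User Lock Threshold and the Identification Threshold, modelled together as an added example (not VASCO's code): consecutive failed logins lock the Digipass User account, but a wrong UserId or a Disabled account does not count; and when the Policy restrictions narrow a login down to a single Digipass Application, consecutive failures on that Application lock it on its own, so a VPN Policy can be locked while another kind of login stays usable. Thresholds, Application names and the failure outcomes are constructed.

```python
"""User Lock Threshold and Identification Threshold bookkeeping.

Added example, not part of the product. The failure outcome codes,
Application names and threshold values are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Failure(Enum):
    UNKNOWN_USERID = "unknown userid"         # does not count towards the lock
    ACCOUNT_DISABLED = "account disabled"     # does not count towards the lock
    BAD_OTP = "incorrect OTP"
    BAD_STATIC_PASSWORD = "incorrect static password"


COUNTED = {Failure.BAD_OTP, Failure.BAD_STATIC_PASSWORD}


@dataclass
class Application:
    name: str                       # constructed, eg. "DPGO3-0001/CR"
    consecutive_failures: int = 0
    locked: bool = False


@dataclass
class UserAccount:
    userid: str
    applications: List[Application]
    consecutive_failures: int = 0
    locked: bool = False


@dataclass
class Policy:
    user_lock_threshold: int                       # 0: not used
    identification_threshold: int = 0              # 0: feature not used
    application_names: List[str] = field(default_factory=list)   # empty: no restriction


def candidate_applications(user: UserAccount, policy: Policy) -> List[Application]:
    """Applications this login could have used under the Policy restrictions."""
    return [a for a in user.applications
            if not policy.application_names or a.name in policy.application_names]


def record_attempt(user: UserAccount, policy: Policy,
                   failure: Optional[Failure]) -> Dict[str, bool]:
    """Update the counters after one login attempt (failure is None on success).

    Returns the lock state of the account and of every Application.
    """
    candidates = candidate_applications(user, policy)
    if failure is None:
        user.consecutive_failures = 0
        for app in candidates:
            app.consecutive_failures = 0
    elif failure in COUNTED:
        if policy.user_lock_threshold:
            user.consecutive_failures += 1
            if user.consecutive_failures >= policy.user_lock_threshold:
                user.locked = True
        # The Identification Threshold only applies when exactly one
        # Application could have been used for this login.
        if policy.identification_threshold and len(candidates) == 1:
            app = candidates[0]
            app.consecutive_failures += 1
            if app.consecutive_failures >= policy.identification_threshold:
                app.locked = True
    return {"user_locked": user.locked, **{a.name: a.locked for a in user.applications}}


def administrator_unlock(user: UserAccount) -> None:
    """Unlocking requires administrator action; it clears every counter."""
    user.locked = False
    user.consecutive_failures = 0
    for app in user.applications:
        app.locked = False
        app.consecutive_failures = 0
```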
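The five Challenge Check Mode values above, modelled as an added example (not VASCO's code) of the check applied to a presented challenge before the response itself is verified; OTP verification is out of scope. Two assumptions are made: modes 3 and 4 are built on top of the mode 1 check, and mode 3 counts every verification attempt in a time step, not only successful ones. Challenges, responses and time steps are constructed values.

```python
"""Challenge Check Mode 0 to 4 for time-based 2-step Challenge/Response.

Added example, not part of the product. Assumptions: modes 3 and 4 include
the mode 1 check; mode 3 counts every verification attempt in the time
step. Challenges, responses and time steps are constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ChallengeState:
    """Per-Digipass state kept by the authentication server."""
    last_generated: Optional[str] = None        # last challenge issued for this Digipass
    last_verified_step: Optional[int] = None    # mode 3: time step of the last verification
    last_pair: Optional[Tuple[str, str, int]] = None   # mode 4: (challenge, response, step)


def generate_challenge(state: ChallengeState, challenge: str) -> None:
    """Record the challenge the server just issued for this Digipass."""
    state.last_generated = challenge


def check_challenge(mode: int, state: ChallengeState, presented: str,
                    response: str, time_step: int) -> Tuple[bool, Optional[str], str]:
    """Return (proceed, challenge_to_verify, reason).

    proceed is False when the check rejects the attempt; otherwise
    challenge_to_verify is the challenge the response must be checked against.
    """
    if mode == 0:
        return True, presented, "mode 0: no check"          # needed for 1-step C/R
    if mode == 2:
        if state.last_generated is None:
            return False, None, "mode 2: no challenge has been generated"
        return True, state.last_generated, "mode 2: presented challenge ignored"
    if mode not in (1, 3, 4):
        raise ValueError(f"unknown Challenge Check Mode {mode}")
    if state.last_generated is None or presented != state.last_generated:
        return False, None, "challenge is not the last one generated for this Digipass"
    if mode == 3:
        if state.last_verified_step == time_step:
            return False, None, "mode 3: a verification was already done in this time step"
        state.last_verified_step = time_step
    if mode == 4:
        pair = (presented, response, time_step)
        if state.last_pair == pair:
            return False, None, "mode 4: same challenge and response repeated in this time step"
        state.last_pair = pair
    return True, presented, f"mode {mode}: accepted"
```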
5.4 Component Property Sheet

Field Name in Administration Interfaces / Description

Component Type
    The type of Component represented by the record.
    Options:
        RADIUS Client
        IAS Plug-In
        Funk SBR Plug-In

Location
    The IP address or name of the machine represented by the record. For a Plug-In, it must be the licensed IP address; for a RADIUS Client, it must be the NAS-IP-Address or NAS-Identifier value sent in the RADIUS requests.

Policy
    The name of the Policy that should be used for authentication requests from the Component.

Protocol
    The network protocol used by the Component to communicate with the authentication server. This is not applicable to the RADIUS Plug-Ins at this stage.

Shared Secret
    The RADIUS Shared Secret for the Component. This is not used by the RADIUS Plug-Ins.

TCP Port
    TCP port to send to the Component. This is not applicable to the RADIUS Plug-Ins.

Created On
    The date and time that the Component was created. Read-only.

Last Modified On
    The date and time that the Component was last modified. Read-only.

Table 10: Component Fields
6 Licensing

6.1 How is Licensing Handled?

VASCO products are licensed per IAS Plug-In Component record in the Digipass Configuration Container(s). A license key file is created for each IAS Plug-In installed, and the license key is loaded into the data store using the Administration MMC Interface.

6.2 Licensing Parameters

Parameter / Value

Product: The name of the VASCO product, eg. Digipass Plug-In for IAS.
Component: The type of Component licensed, eg. RADIUS.
Version: Current version number of the licensed VASCO product.
Location: The IP address or DNS name for the machine represented by the Component record.
Company: The name of your company.
Username: Your name.
SerialNo: The serial number for the VASCO product.
Generated: The date and time that the license file was generated.
Expires: Used for evaluation licenses only; the expiry date.
Signature: Encrypted combination of the above parameters.

Table 11: License Parameters for Digipass Plug-In for IAS

Sample License File

    ---- VASCO PRODUCT LICENCE ----
    Product=Digipass Plug-In for IAS
    Component=IAS Plug-In
    Version=1.0
    Expires=2005/06/19 02:40:32 GMT
    Location=test.vasco.com
    Company=Vasco Data Security
    Username=Mr Mark J Eaton
    SerialNo=8174F715E0
    Generated=2005/05/20 02:40:32 GMT
    ---- SIGNATURE ----
    3:302C02147A48E891E0745D 6866E0A08DDB7D6AF092BFCD D4FCE5B500 D F048EDB159B
    ---- END LICENCE ----

View License Information

To view the license information for a specific Component:
1. Open the Administration MMC Interface.
2. Click on the Components node. The Component List will be displayed in the Result pane.
3. Double-click on the required Component record. The Component property sheet will be displayed.
4. Click on the License Key Details... button. The License Key Details window will be displayed.

6.4 Obtain a License Key for a Component

Note: An active internet connection is required to obtain a License Key.

1. Open the Administration MMC Interface.
2. Click on the Components node. The Component List will be displayed in the Result pane.
3. Double-click on the required Component record. The Component property sheet will be displayed.
4. Click on the License Key Details... button. The License Key Details window will be displayed.
5. Click on the Request License Key... button. A browser window will be opened, with the VASCO Licensing site loaded. Any required information which the IAS Plug-In has will be entered as the site is loaded.
6. Enter any other required information in the browser window.
7. Click on the Request License Key button in the browser window. A download of your license key file should begin. Keep note of where you save the file, and its name.
8. Once the download is complete, go back to the Administration MMC Interface and the License Key Details window.
9. Click on the Load License Key... button.
10. Browse to the download location and select the license key file.
11. Click on Open. A message window will display the success or failure of loading the license key into the data store.
6.5 Change IP Address

To change the IP address for an IAS Plug-In server:
1. Create a new Component record for the server, using the new IP address for the Location.
2. Request and download a License Key for the new Component record.
3. Load the License Key into the new Component record.
4. Test that the IAS Plug-In works with the new IP address and Component record.
5. Delete the old Component record.
7 Web Sites

7.1 Customizing the Web Sites

It is anticipated that you may want to customize the web pages that are provided by default, for the following kinds of reason:
    to change the colours and graphics to match your corporate colours/logos;
    to integrate the pages into a larger web site. For example, you may wish to control the pages using a sub-menu within the overall site menu;
    to modify the navigation in a way that you believe would suit your users better. For example, you may wish to have a failure page that just reports the failure and gives troubleshooting hints, without the form fields to try again.

The sites are both designed to permit extensive customization, provided that you post the right data to the CGI program. This section provides the instructions and reference material that you require to successfully customize the site. It is assumed that the reader will have some web development knowledge.

You can change any cosmetic part of the web pages. You can even write completely new web pages, provided that you provide the correct posted form fields to the CGI program, and interpret the query string variables correctly. You do not need to use plain HTML pages; server scripting languages such as PHP or ASP, or any other way of generating HTML, can be used.

7.2 CGI Program

A single CGI script is used for both the User Self Management Web Site and the OTP Request Site. The functionality provided depends on the Site. For each function, the CGI program carries out the following actions:
    Read and validate the input. This input is gathered from:
        Configuration settings from the registry
        Form variables posted
    Send an authorisation request to the IAS Server (provided that there were no validation errors) and interpret the response. Requests are sent to the Server using the RADIUS protocol. A component identifier, Self-Mgt Site, will indicate in the Audit Console which audit messages relate to requests from the User Self-Management Web Site or OTP Request Site.
    (OTP Request Site only) Send a request to the Message Delivery Component to send an OTP to the User's mobile phone via text message.
    Output the HTML to direct the user to the page that will indicate success or failure, or display a challenge. This is achieved by returning the HTML for a basic "please wait" page with a meta-refresh instruction to go directly to the appropriate page. The meta-refresh will happen immediately, but on a slow link you may notice the intermediate page.
The CGI program cannot be customized. Its behaviour is controlled by the configuration settings and the posted form variables. The configuration settings are listed below; the posted form variables are specified in the Customizing the Web Site section.

Configuration Settings

Various configuration settings are used by the CGI program to locate the IAS server(s) and to enable tracing. These can be modified using the Start->Programs menu option User CGI Configuration. The configuration settings are stored in the Windows Registry, at the path:

    HKEY_LOCAL_MACHINE\Software\VASCO\User CGI

Name (Type) / Value / Default

Trace-Mask (Number, DWORD)
    Used to enable internal tracing levels. In general, just use these values: 0 = no tracing; ffffffff (hexadecimal) = full tracing.
    Default: 0

Trace-File (String)
    Full path and filename of the output file for internal tracing. NB: the file will be created if it is missing, but not the directory.
    Default: <No default>

Source-IPAddress (String)
    Source IP address to bind to when sending API requests, if any (only required if there are multiple IP addresses on the machine).
    Default: <Blank>

Server1-IPAddress (String)
    IP address of the primary IAS Server.

Server1-Port (Number, DWORD)
    API port of the primary IAS Server (in general, this should not be changed from the default).

Server2-IPAddress (String)
    IP address of the backup IAS Server, or blank if there is no backup.
    Default: <Blank>

Server2-Port (Number, DWORD)
    API port of the backup IAS Server (in general, this should not be changed from the default).

Table 12: Configuration Settings for CGI Program

7.3 Form Fields

User Self Management Web Site

Registration Main Pages

User Registration (UR), Digipass Assignment (DA) and Password Synchronization (PS) are all implemented using a single invocation of the CGI program. This permits them to be carried out either separately or in any combination. You can choose to separate them in your customized web site or keep them together, as you prefer.

If Challenge/Response or a Virtual Digipass is used, the user will enter their User ID, static password and Serial Number into the main page without a Digipass Response. They will be directed to a challenge page, which is specified in the next topic, in which they should enter either a Response to the challenge or the OTP sent to their mobile phone.

The following table applies only to the main page.
The following posted form fields must be used on the main page, according to the particular function (UR, PS or DA) and the other conditions specified in the notes below:

dpcgi_operation (hidden): register, for User Registration, Digipass Assignment or Password Synchronization.
dpcgi_success_page (hidden): Relative or absolute URL of the web page to go to if the function is successful.
dpcgi_fail_page (hidden): Relative or absolute URL of the web page to go to if the function fails.
dpcgi_challenge_page (hidden): Relative or absolute URL of the web page to go to if a challenge is returned for the user. See notes (1) and (4).
dpcgi_userid (label: UserId): UserID in the IAS Plug-In.
dpcgi_password (label: Password): Static password.
dpcgi_serialno (label: Serial Number): Digipass serial number.
dpcgi_response (label: Digipass Response): Digipass response (without static PIN if there is one).
dpcgi_newpin (label: New PIN): New static PIN (for Go 1/Go 3). See note (3).
dpcgi_confirmpin (label: Confirm New PIN): Confirm the new static PIN. See note (3).
dpcgi_usecombinedpwd (hidden): True to send the password, serial number, response and PIN to the IAS Plug-In in one attribute. False to send the contents of the password field. See notes (2) and (5).

Table 13: Form Fields for Main Registration Page

Notes:
(1) If any users may self-assign a Challenge/Response Digipass, provide this form field.
(2) If any users may self-assign a Response Only Digipass, provide this form field.
(3) If any users may self-assign a Response Only Digipass which uses a static PIN at the beginning of the response (eg. Go 1/Go 3), where the Digipass are initialized with no initial static PIN, they have to enter a new PIN the first time they use the Digipass. If they are self-assigning the Digipass, that means that they have to enter the new PIN and confirm it during the self-assignment process. They can do this by adding the new PIN twice at the end of the Digipass Response; however, it may be more user-friendly to provide these two separate form fields.
(4) If any users have a Challenge/Response application or a Primary Virtual Digipass, include this field.
(5) If any users have a Response Only application, include this field.
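The input-validation step of the CGI Program section, applied to the Registration main page of Table 13 as an added example (not VASCO's code): dpcgi_operation must be register, the success and fail pages and the UserId must be present, a post without a Digipass Response needs dpcgi_challenge_page because a challenge will be returned, a New PIN must be confirmed, and dpcgi_usecombinedpwd must be True or False. It also builds the "please wait" meta-refresh page that sends the user on to the success, fail or challenge page. Field values and error strings are constructed, not the product's own codes.

```python
"""Validation of the posted Registration main-page form and the redirect page.

Added example, not part of the product. The error strings and sample
field values are constructed; the product's numeric error codes are not
reproduced.
"""
import html
from typing import Dict, List


def validate_registration_form(form: Dict[str, str]) -> List[str]:
    """Return CGI-style error strings; an empty list means the post is acceptable."""
    errors: List[str] = []

    def present(name: str) -> bool:
        return bool(form.get(name, "").strip())

    if form.get("dpcgi_operation") != "register":
        errors.append("dpcgi_operation must be 'register'")
    for name in ("dpcgi_success_page", "dpcgi_fail_page", "dpcgi_userid"):
        if not present(name):
            errors.append(f"{name} is missing")
    # Without a Digipass Response a challenge (or Virtual Digipass OTP) will be
    # returned, so the page must say where the user is sent to answer it.
    if not present("dpcgi_response") and not present("dpcgi_challenge_page"):
        errors.append("dpcgi_challenge_page is required when no dpcgi_response is posted")
    # A new Server PIN (Go 1/Go 3) must be entered twice and match.
    if present("dpcgi_newpin") or present("dpcgi_confirmpin"):
        if form.get("dpcgi_newpin") != form.get("dpcgi_confirmpin"):
            errors.append("dpcgi_newpin and dpcgi_confirmpin do not match")
    if present("dpcgi_usecombinedpwd") and \
            form["dpcgi_usecombinedpwd"].strip().lower() not in ("true", "false"):
        errors.append("dpcgi_usecombinedpwd must be True or False")
    return errors


def next_page(form: Dict[str, str], errors: List[str], challenge_returned: bool) -> str:
    """Pick the page the user is directed to: fail, challenge or success."""
    if errors:
        return form.get("dpcgi_fail_page", "")
    if challenge_returned:
        return form["dpcgi_challenge_page"]
    return form["dpcgi_success_page"]


def please_wait_page(target: str) -> str:
    """The intermediate page: an immediate meta-refresh to the chosen page.

    The URL comes from a hidden form field, so it is HTML-escaped before being
    placed inside the content attribute.
    """
    safe = html.escape(target, quote=True)
    return ('<html><head><meta http-equiv="refresh" content="0;url=' + safe + '">'
            '</head><body>Please wait...</body></html>')
```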
Registration Challenge Page

The Registration challenge page will be used for Digipass Challenge/Response or Virtual Digipass. The user enters their response to the challenge to complete the registration process. The following posted form fields must be used on the challenge page:

dpcgi_operation (hidden): register, for User Registration, Digipass Assignment or Password Synchronization.
dpcgi_success_page (hidden): Relative or absolute URL of the web page to go to if the function is successful.
dpcgi_fail_page (hidden): Relative or absolute URL of the web page to go to if the function fails.
dpcgi_userid (label: UserId): UserID in the IAS Plug-In.
dpcgi_response (label: Digipass Response): Digipass response or Virtual Digipass OTP.
dpcgi_challenge (label: Challenge): Digipass challenge returned to the user.

Table 14: Form Fields for Registration Challenge Page

Note: If you make dpcgi_challenge a visible form field, ensure that it is not modifiable. An alternative is to make it a hidden form field, while also displaying the challenge in HTML text rather than as a form field.
Server PIN Change

The PIN Change function is only applicable for Digipass Response Only where a Server PIN is entered at the start of the response (eg. Go 1/Go 3). The following posted form fields must be used on the PIN Change page:

dpcgi_operation (hidden): changepin, for PIN Change.
dpcgi_success_page (hidden): Relative or absolute URL of the web page to go to if the function is successful.
dpcgi_fail_page (hidden): Relative or absolute URL of the web page to go to if the function fails.
dpcgi_userid (label: UserId): UserID in the IAS Plug-In.
dpcgi_response (label: Digipass Response): Digipass response (without static PIN if there is one).
dpcgi_currentpin (label: Current PIN): Current static PIN to be changed. See note (6).
dpcgi_newpin (label: New PIN): New static PIN.
dpcgi_confirmpin (label: Confirm New PIN): Confirm the new static PIN.

Table 15: Form Fields for Server PIN Change Page

Notes:
(6) If the Digipass has had its Server PIN reset by the administrator, because the user has forgotten it, there is no current Server PIN to enter here. In all other cases, the current Server PIN must be provided to permit the PIN change.
Login Test Main Page

If a Challenge/Response application or Primary Virtual Digipass is used, the user will enter just their UserId (and maybe password) into the main page without a Digipass Response. If using the Backup Virtual Digipass, they will need to enter the trigger specified in the server settings (password and/or a Keyword) into the password field. They will be directed to a challenge page, specified in the next topic. The following table applies only to the main page.

The following posted form fields must be used on the main page:

dpcgi_operation (hidden): testlogin, for Login Test.
dpcgi_success_page (hidden): Relative or absolute URL of the web page to go to if the function is successful.
dpcgi_fail_page (hidden): Relative or absolute URL of the web page to go to if the function fails.
dpcgi_challenge_page (hidden): Relative or absolute URL of the web page to go to if a challenge is returned for the user. See note (7).
dpcgi_userid (label: UserId): UserID in the IAS Plug-In.
dpcgi_response (label: Digipass Response): Digipass response (with static PIN if there is one). See note (8).

Table 16: Form Fields for Main Login Test Page

Notes:
(7) If any users have a Challenge/Response Digipass, a Primary Virtual Digipass or use the Backup Virtual Digipass feature, provide this form field.
(8) If any users have a Response Only Digipass, provide this form field.
Login Test Challenge Page

The user enters their response to the challenge, or the OTP sent to their mobile phone, to complete the login test.

The following posted form fields must be used on the challenge page:

Form Field Name      Visible Label (Default)   Value(s)
dpcgi_operation      <hidden>                  testlogin for Login Test.
dpcgi_success_page   <hidden>                  Relative or absolute URL of the web page to go to if the function succeeds.
dpcgi_fail_page      <hidden>                  Relative or absolute URL of the web page to go to if the function fails.
dpcgi_userid         UserID                    User ID in the IAS Plug-In.
dpcgi_response       Digipass Response         Digipass response.
dpcgi_challenge      Challenge                 Digipass challenge returned to the user.

Table 17: Form Fields for Login Test Challenge Page

Note: If you make dpcgi_challenge a visible form field, make sure that it is not modifiable. An alternative is to make it a hidden form field while also displaying the challenge as HTML text rather than as a form field. Hiding or locking a field in HTML only stops users changing it by accident: the browser still posts the value and a user can alter it, so the server side must treat the posted challenge as untrusted input.

OTP Request Site

Request Page

The request page must contain the following fields:

Name                        Type / Value                              Visibility
Username                    text                                      Visible
Password                    Password                                  Visible
dpcgi_operation             VDPrequest                                Hidden
dpcgi_vdp_success_page      Name of the "OTP was sent" page           Hidden
dpcgi_vdp_fail_page         Name of the "OTP not sent" page           Hidden
dpcgi_vdp_wrongtoken_page   Name of the "Not a Virtual Digipass" page Hidden

Table 18: Form Fields for OTP Request Page
7.4 Query String Variables

The query string variables that the CGI program passes to the web pages are mainly concerned with status and error reporting. There is also a variable used to pass a challenge to the pages that display one.

Failure/Error Handling

There are three main groups of failures that can occur, and each should be handled differently. In all cases there is a numeric main error code; in some cases there is also an auxiliary code and message, such as the return code and message from the VACMAN Controller. The main error codes are assigned in three separate ranges so that the web pages can identify which category of error was returned.

API return codes: returned by the VASCO API used to make the authentication request to the Server. In some cases there is an auxiliary code and message.

CGI errors: detected by the CGI program, mainly when the web pages do not provide or enforce the posted form fields correctly. These generally have no auxiliary code and message, although it is possible.

Internal errors: technical errors that should not occur. In some cases there is an auxiliary code and message.

The intention of this code-based scheme is to allow translation and customization of the messages. The web pages themselves translate the main error code into a message. The pages can also translate the auxiliary code into a message for the VACMAN Controller codes, but normally they will not know how to translate other auxiliary codes and should display the auxiliary message as provided.
Query String Variable List

The following table lists the variables used by the User Self Management Web Site and the OTP Request Site, and the condition under which each is set:

Variable    Value                                                        Condition                                                              Used by Site
result      0                                                            Successful authentication request                                      Both
result      <API return code, numeric>                                   Unsuccessful authentication request                                    Both
result      <error code, numeric>                                        CGI or internal error occurred                                         Both
challenge   <challenge returned by API, string>                          Challenge returned by API                                              User Self Management Web Site only
auxcode     <VACMAN Controller return code, numeric>                     Unsuccessful authentication request, Controller rejected the password  Both
auxcode     <additional error code for CGI or internal error, numeric>   CGI or internal error occurred, where another error code is relevant   Both
auxmsg      <message for VACMAN Controller return code, string>          Unsuccessful authentication request, Controller rejected the password  Both
auxmsg      <message for CGI or internal error, string>                  CGI or internal error occurred, where an error message is relevant     Both

Table 19: Query String Variable List

Examples:

Success:
  /vmsite/success.html?result=0

Invalid Digipass response due to code replay:
  /vmsite/fail.html?result=1000&auxcode=2&auxmsg=code+replay+attempt

Challenge:
  /vmsite/challenge.html?challenge=

Because these values travel in the URL, they are recorded in browser history and in proxy and web server logs, and anyone can request a page with a crafted auxmsg. A page that writes result, auxcode or auxmsg into its HTML must encode them before output.
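The following is an added example of how a page (or the script behind it) can decode and classify the query string described in Table 19; it is not code from the Digipass Plug-In for IAS. The variable names are the ones in Table 19. The category boundaries are an assumption drawn from Tables 20 and 21: 0 is success, a positive result is an API return code from a failed authentication (as in the replay example), -1 is the API error of Table 20, -100 to -199 is treated as the CGI error range (Table 21 lists -100 to -124), and any other negative value is reported as an internal error. The challenge value used in the test is constructed.

```python
"""Decode and classify the query string the CGI program appends to the
success, fail and challenge pages (Table 19).  Added example, not part of
the Digipass Plug-In for IAS; the code ranges below are assumptions."""
import html
from urllib.parse import parse_qs, urlsplit


def parse_result(url: str) -> dict:
    """Return the decoded variables plus a 'category' for the page logic."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def first(name):
        values = query.get(name)
        return values[0] if values else None

    def number(name):
        value = first(name)
        return int(value) if value not in (None, "") else None

    info = {
        "code": number("result"),
        "auxcode": number("auxcode"),
        "auxmsg": first("auxmsg"),      # parse_qs turns '+' back into spaces
        "challenge": first("challenge"),
    }
    info["category"] = classify(info["code"], info["challenge"])
    return info


def classify(code, challenge) -> str:
    """Map the main code to one of the three groups of Failure/Error Handling."""
    if challenge is not None:
        return "challenge"        # show the challenge and collect the response
    if code is None:
        return "unknown"
    if code == 0:
        return "success"
    if code > 0:
        return "auth_failed"      # API return code; auxcode/auxmsg come from the VACMAN Controller
    if code == -1:
        return "api_error"        # Table 20: the administrator must consult the Audit Console
    if -199 <= code <= -100:
        return "cgi_error"        # Table 21: the web page, not the user, is at fault (assumed range)
    return "internal_error"


def display_html(info: dict, messages: dict) -> str:
    """Text for the page: the translated main code, then the auxiliary message
    as provided.  Everything is HTML-encoded because the URL is attacker-controlled."""
    text = messages.get(info["code"], "Unexpected result")
    if info["auxmsg"]:
        text = f"{text} ({info['auxmsg']})"
    return html.escape(text)
```

The pages translate the main code through their own message table (passed here as `messages`) and pass the auxiliary message through untranslated, as the section above describes; the one addition is the HTML encoding, which is needed because any visitor can place arbitrary text in auxmsg.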
Return Code Listing

In the following tables, the Message is the one provided by the standard web pages that we install.

API Return Codes

The following codes are the ones that might be returned in normal cases:

Code   Message                          Auxiliary Code/Message?   Notes
-1     Error during request to Server   N                         The client side of the API cannot distinguish the cause of the error; the administrator has to look at the Audit Console.

Table 20: API Return Codes
CGI Errors

Code   Message                                                        Auxiliary Code/Message?
-100   Only the POST method is permitted                              N
-101   No dpcgi_operation was posted                                  N
-102   An invalid dpcgi_operation was posted                          N
-103   dpcgi_challenge_page cannot be used for this operation         N
-104   dpcgi_password cannot be used for this operation               N
-105   dpcgi_serialno cannot be used for this operation               N
-106   dpcgi_currentpin cannot be used for this operation             N
-107   dpcgi_newpin cannot be used for this operation                 N
-108   dpcgi_confirmpin cannot be used for this operation             N
-109   dpcgi_challenge cannot be used for this operation              N
-110   dpcgi_success_page must be entered for this operation          N
-111   dpcgi_fail_page must be entered for this operation             N
-112   dpcgi_userid must be entered for this operation                N
-113   dpcgi_password must be entered for this operation              N
-114   dpcgi_response must be entered for this operation              N
-115   dpcgi_newpin must be entered for this operation                N
-116   dpcgi_confirmpin must be entered for this operation            N
-117   A Digipass Response is required to assign a Digipass           N
-118   A New PIN can only be set when assigning a Digipass            N
-119   Enter the new PIN in the New PIN and Confirm New PIN fields    N
-120   The New PIN and Confirm New PIN fields have different values   N
-121   A challenge was returned, but there is no dpcgi_challenge_page N
-122   Unknown parameter                                              N
-123   The Content-Length passed in was invalid                       N
-124   vmcgi_serialno must be entered for this operation              N

Table 21: CGI Error Return Codes
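As an added example (not the CGI program shipped with the product), the validator below applies the field rules of Tables 15 to 17 and returns the matching codes from Table 21 for the two operations those tables describe, changepin and testlogin. The order in which the real program runs its checks, and the treatment of dpcgi_response as mandatory once a dpcgi_challenge is posted, are assumptions; the sample field values in the test are constructed. The point it makes is that every rule is enforced on the server from the posted fields, since a hidden field is still under the user's control.

```python
"""Server-side validation of posted dpcgi_* form fields against the rules in
Tables 15-17, returning the CGI error codes of Table 21.  Added example, not
the Digipass Plug-In for IAS CGI program; check order is an assumption."""

# Fields every operation needs (codes -110/-111/-112 when missing).
COMMON_REQUIRED = ("dpcgi_success_page", "dpcgi_fail_page", "dpcgi_userid")

# Per-operation rules derived from Tables 15 (changepin) and 16/17 (testlogin).
OPERATIONS = {
    "changepin": {
        "required": COMMON_REQUIRED + ("dpcgi_response", "dpcgi_newpin", "dpcgi_confirmpin"),
        "optional": ("dpcgi_currentpin",),   # absent after an administrator PIN reset
    },
    "testlogin": {
        "required": COMMON_REQUIRED,
        "optional": ("dpcgi_challenge_page", "dpcgi_response", "dpcgi_challenge"),
    },
}

# Table 21: "<field> must be entered for this operation".
MISSING_CODE = {
    "dpcgi_success_page": -110, "dpcgi_fail_page": -111, "dpcgi_userid": -112,
    "dpcgi_password": -113, "dpcgi_response": -114, "dpcgi_newpin": -115,
    "dpcgi_confirmpin": -116,
}
# Table 21: "<field> cannot be used for this operation".
NOT_ALLOWED_CODE = {
    "dpcgi_challenge_page": -103, "dpcgi_password": -104, "dpcgi_serialno": -105,
    "dpcgi_currentpin": -106, "dpcgi_newpin": -107, "dpcgi_confirmpin": -108,
    "dpcgi_challenge": -109,
}
MESSAGES = {
    0: "OK",
    -100: "Only the POST method is permitted",
    -101: "No dpcgi_operation was posted",
    -102: "An invalid dpcgi_operation was posted",
    -119: "Enter the new PIN in the New PIN and Confirm New PIN fields",
    -120: "The New PIN and Confirm New PIN fields have different values",
    -122: "Unknown parameter",
}
MESSAGES.update({c: f"{n} must be entered for this operation" for n, c in MISSING_CODE.items()})
MESSAGES.update({c: f"{n} cannot be used for this operation" for n, c in NOT_ALLOWED_CODE.items()})


def validate(method: str, form: dict) -> int:
    """Check one request; form maps posted field name -> value.  0 means valid,
    otherwise the first Table 21 code found."""
    if method.upper() != "POST":
        return -100
    operation = form.get("dpcgi_operation")
    if operation is None:
        return -101
    rules = OPERATIONS.get(operation)
    if rules is None:
        return -102
    allowed = set(rules["required"]) | set(rules["optional"]) | {"dpcgi_operation"}

    for name in form:
        if name not in allowed:
            # A known dpcgi_ field posted to the wrong page, or a stray parameter.
            return NOT_ALLOWED_CODE.get(name, -122)
    for name in rules["required"]:
        if name not in form:
            return MISSING_CODE[name]
    if operation == "testlogin" and "dpcgi_challenge" in form and "dpcgi_response" not in form:
        return -114          # challenge page (Table 17) must carry the response
    if operation == "changepin":
        if form["dpcgi_newpin"] == "" or form["dpcgi_confirmpin"] == "":
            return -119
        if form["dpcgi_newpin"] != form["dpcgi_confirmpin"]:
            return -120
    return 0
```

The validator deliberately stops at the first problem, which is how a page author would see one code at a time while fixing the HTML; the returned code is what the fail page would receive as the result variable.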
Internal Errors

Message                                                   Auxiliary Code/Message?
Cannot read Trace-Mask configuration setting              Y
Cannot read Trace-File configuration setting              Y
Cannot open Trace-File                                    Y
Cannot read Source-IP-Address configuration setting       Y
Cannot read Server1-IP-Address configuration setting      Y
Cannot read Server1-Port configuration setting            Y
Cannot read Server2-IP-Address configuration setting      Y
Cannot read Server2-Port configuration setting            Y
Invalid configuration setting Source-IP-Address           Y
Invalid configuration setting Server1-IP-Address          Y
Invalid configuration setting Server1-Port                Y
Invalid configuration setting Server2-IP-Address          Y
Invalid configuration setting Server2-Port                Y
Cannot read HTTP request data                             N
Request to Server not completed                           Y
Cannot read Self-Management Site registry key             Y
The specified Source-IP-Address is not on this machine    N
Cannot read Trace-Header configuration setting            Y
Invalid configuration setting Trace-Header                Y

Table 22: Internal Error Codes
8 Command line utilities

8.1 DPADadmin Utility

Extend Active Directory Schema

The addschema command creates all the Active Directory Schema extensions if they are not already present. Each element is checked individually and is added only if it is missing.

This command is intended to be run manually by a domain administrator before the main Digipass Plug-In for IAS installation is run, as Microsoft recommends. Because it changes the Active Directory Schema, your company may require an approval process before it is run. You may also need another administrator to run the command for you, possibly in another part of your network, depending on your company's structure and rules for Active Directory control.

Prerequisite Information

Schema Master Machine

Technically this command may be run on any Windows 2000, XP or 2003 machine, but it must contact the Domain Controller that holds the Schema Master role. Only one Domain Controller in the Forest holds that role. It may be simplest to run the command directly on the Schema Master, to avoid potential connectivity or permission issues.

Warning: If you pass the credentials to the command in its parameters and you are not running the command on the Schema Master, check that you do not have any shares on the Schema Master open. An open share will cause the command to fail.

Domain Administrator Account

To update the Schema you must know the username and password of a Domain Administrator account that can log into the Schema Master. You must either run the command while logged in as that user, or pass the credentials to the command in its parameters. The account must have permission to extend the Schema: it must be a member of the Schema Admins group in the Forest Root Domain (the first Domain created in the Forest).
Schema Changes Allowed

By default, Active Directory does not permit Schema extensions. A registry setting must be changed to allow them. If it is not already set, DPADadmin asks whether it should change the setting itself. If you answer Yes, it changes the setting, makes the extensions, then changes the setting back again.
If you prefer to change the setting manually, log into the Schema Master and set the registry value HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed to 1, adding it as a value of type DWORD if it does not already exist. Alternatively, if the Schema Manager MMC snap-in is installed on the machine, it can be used to enable or disable Schema extensions.

If you disabled Schema extensions after removing a previous installation in the Forest, re-enable them before using this command. This can be done with the same Schema Manager MMC snap-in used to disable them.

Extend the Schema on the Schema Master

1. Log into the Schema Master as a member of the Schema Admins group.
2. Copy dpadadmin.exe onto the Schema Master.
3. Open a command prompt in the location to which it was copied.
4. Type: dpadadmin addschema
5. If DPADadmin detects that Schema extensions are not currently permitted, it prompts you whether to enable them. Enter y to enable them, or n to cancel.

The progress and success/failure of the command is displayed in the command prompt window. If the command failed, it can be run again after the problem has been rectified.

Extend the Schema on the IAS Server

1. Open a command prompt and navigate to the installation's bin directory by typing: cd <install dir>\bin
2. Type: dpadadmin addschema -master schema_master -u user_name -p password
3. See Command Line Syntax for more details regarding the required parameters.
4. If DPADadmin detects that Schema extensions are not allowed, it prompts you to enable them. Enter y to enable them, or n to cancel.

The progress and success/failure of the command is displayed in the command prompt window. If the command failed, it can be run again after the problem has been rectified.

Command Line Syntax

dpadadmin addschema [-master schema_master] [-u user_name [-p password]] [-q]

A password given with -p is visible in the command line of the running process and may be retained in the command history of the machine. Where possible, run the command while logged in as the Domain Administrator and omit -u and -p.
Option    Description
-master   Fully qualified name of the Domain Controller with the Schema Master role. May be omitted if the command is run directly on the Schema Master.
-u        User name of a Domain Administrator in the Schema Admins group. May be omitted if you are logged into the machine as that Domain Administrator when you run the command.
-p        Password of the Domain Administrator. May be omitted if you are logged in as that Domain Administrator or if the account has a blank password.
-q        Quiet mode: no commentary text is output.

Table 23: DPADadmin addschema Command Line Options

DPADadmin addschema Command Sample

dpadadmin addschema -master dc1.vasco.com -u schema_admin -p sa_password

Check Schema Extensions

This command is called from the Digipass Plug-In for IAS installation program to check that all the Active Directory Schema extensions have been applied. Each element is checked individually, but nothing is added if it is missing.

It is not practical for the installation program to check that the Schema extensions have been replicated to all parts of the Domain Forest. The check is restricted to the Digipass Configuration Domain, since that Domain needs the Schema extensions before anything else. In a complicated, multi-site Forest, where long delays may occur before the Schema extensions have fully replicated, you may have to wait a while before you use the IAS Plug-In. You can run this command manually a number of times, specifying a different Domain to check each time, to be sure that the Schema extensions have reached all the necessary Domains.
These include all the Domains in which Active Directory Users of interest to the IAS Plug-In may be located.

Prerequisite Information

Domain Administrator

Make sure you know the username and password of a Domain Administrator in the Domain to be checked (normally the Digipass Configuration Domain).

Check the Schema on the IAS Server

1. Open a command prompt and go to the installation's bin directory by typing: cd <install dir>\bin
2. Type: dpadadmin checkschema -domain domain_name -u user_name -p password
3. See the checkschema Command Line Syntax section for more details regarding the parameters.

The progress and success/failure of the command is displayed in the command prompt window.
Check the Schema on a Machine in the Domain to Check

1. Log into the machine as a Domain Administrator in that Domain.
2. Copy dpadadmin.exe onto the machine and open a command prompt in the location to which it was copied.
3. Type: dpadadmin checkschema

The progress and success/failure of the command is displayed in the command prompt window.

Command Line Syntax

dpadadmin checkschema [-domain domain_name] [-u user_name [-p password]] [-q]

Option    Description
-domain   Name of the Domain in which to check the Schema extensions. May be omitted if the command is run directly on a machine belonging to that Domain.
-u        User name of a Domain Administrator in this Domain. May be omitted if you are logged into the machine as that Domain Administrator when you run the command.
-p        Password of the Domain Administrator. May be omitted if you are logged in as that Domain Administrator or if the account has a blank password.
-q        Quiet mode: no commentary text is output.

Table 24: DPADadmin checkschema Command Line Options

DPADadmin checkschema Command Sample

dpadadmin checkschema -domain mdd.vasco.com -u mdd_admin -p mdd_password

Set Up Digipass Configuration Container in Domain

This command sets up the Digipass Configuration Container in the specified domain.

Prerequisite Information

Domain Administrator

You must be logged into the machine as a Domain Admin in the target domain.

Set Up Digipass Configuration Container

1. Log into the machine as a Domain Administrator in that Domain.
2. Copy dpadadmin.exe onto the machine and open a command prompt in the location to which it was copied.
3. Type: dpadadmin setupdomain -config

The progress and success/failure of the command is displayed in the command prompt window.
Command Syntax

dpadadmin setupdomain [-config] [-domain <FQDN>] [-q]

Option           Description
-config          OPTIONAL. Specifies that this is the Digipass Configuration Domain, so the Digipass-Configuration container must be created.
-domain <FQDN>   OPTIONAL. Specifies the FQDN of the domain to set up. If omitted, the domain to which the current machine belongs is used.
-q               OPTIONAL. Use quiet mode.

Table 25: DPADadmin setupdomain Command Line Options

DPADadmin setupdomain Command Sample

dpadadmin setupdomain -config -q

Assign Digipass Permissions to a Group

This command assigns Digipass-specific permissions to a Windows group, applicable at the domain root and downwards. The permissions assigned are:

- Full read access to everything in the domain
- Full control over vasco-dptoken objects
- Full control over vasco-dpapplication objects
- Full write access to vasco-userext auxiliary objects

Because members of this group can read everything in the domain and modify every Digipass object, keep its membership limited to the servers that need it.

Pre-requisites

You must be logged into the machine as a Domain Admin in the target domain.

Command Syntax

dpadadmin.exe setupaccess -group <group name> [-domain <FQDN>] [-q] [-c]

Option                Description
-group <group name>   MANDATORY. The name of the group to which the permissions are assigned. Double quotes are required if the name contains spaces.
-domain <FQDN>        OPTIONAL. The fully qualified domain name of the domain to which the group belongs. If omitted, the domain to which the current machine belongs is used.
-q                    OPTIONAL. Use quiet mode.
-c                    OPTIONAL. Add the local computer to the named group.

Table 26: DPADadmin setupaccess Command Line Options

DPADadmin setupaccess Command Sample

dpadadmin.exe setupaccess -group "RAS and IAS Servers" -q
9 Login Options

9.1 Login Permutations

The information a user must enter during a login varies according to the configuration settings of the relevant Policy, the login method, and any actions to be performed during the login.

Login Methods

The login methods are:

- Response Only
- Challenge/Response
- Virtual Digipass, Primary or Backup

Login Actions

A User may be allowed to do the following during a login:

- Set their Server PIN on first use or after a PIN reset.
- Change their Server PIN.
- Inform the IAS Plug-In that their static password for the back-end authenticator (e.g. Windows) has been modified.
- Perform a Self-Assignment for a Digipass in their possession.

Login Variables

The variables a User may need to enter in order to perform one of the above functions are listed below. The code or word used for each variable in the following tables is given in brackets.

- One Time Password (OTP)
- Password (Password)
- Server PIN (PIN)
- Serial Number of their Digipass (Serial No)
- Serial Number Separator (Sep.)
- Request Keyword (Keyword)

Policy Settings

The Policy settings that affect the variables required in logins are:

Stored Password Proxy: If this attribute is Enabled, each User's password must be kept up to date in the IAS Plug-In. This is typically achieved by enabling Password Autolearn.

Serial Number Separator: If a Serial Number Separator is specified, the User may enter their Digipass serial number exactly as it appears on the back of their Digipass (or in the documentation provided to the User), including dashes. If a Serial Number Separator is not specified, the serial number must have all non-numerical characters removed and be padded to 10 characters.

Back-End Authentication: In the following login permutation tables, 'Back-End Authentication Required' means that the Back-End Auth. attribute is set to Always or If Needed.

Password Autolearn: If the IAS Plug-In is informed of a User's password change, the new password is only recorded by the IAS Plug-In if Password Autolearn is enabled in the relevant Policy.
Response Only - PAP

In the two Password Field Contents columns, A applies when Stored Password Proxy is On OR no Back-End Authentication is required, and B applies when Stored Password Proxy is Off AND Back-End Authentication is required.

Server PIN Required (1): Yes

Login Type                        Existing PIN?   Serial Number Separator?   Password Field Contents A                   Password Field Contents B
Normal login                      Yes             N/A                        PIN+OTP                                     Password+PIN+OTP
Set PIN                           No              N/A                        OTP+NewPIN+NewPIN                           Password+OTP+NewPIN+NewPIN
Change PIN                        Yes             N/A                        PIN+OTP+NewPIN+NewPIN                       Password+PIN+OTP+NewPIN+NewPIN
Changed Password                  Yes             N/A                        Password+PIN+OTP                            Password+PIN+OTP
Set PIN and Changed Password      No              N/A                        Password+OTP+NewPIN+NewPIN                  Password+OTP+NewPIN+NewPIN
Change PIN and Changed Password   Yes             N/A                        Password+PIN+OTP+NewPIN+NewPIN              Password+PIN+OTP+NewPIN+NewPIN
Self-Assignment                   Yes             Yes                        SerialNo+Sep.+Password+PIN+OTP              SerialNo+Sep.+Password+PIN+OTP
Self-Assignment                   Yes             No                         SerialNo+Password+PIN+OTP                   SerialNo+Password+PIN+OTP
Self-Assignment                   No              Yes                        SerialNo+Sep.+Password+OTP+NewPIN+NewPIN    SerialNo+Sep.+Password+OTP+NewPIN+NewPIN
Self-Assignment                   No              No                         SerialNo+Password+OTP+NewPIN+NewPIN         SerialNo+Password+OTP+NewPIN+NewPIN

Server PIN Required (1): No

Login Type                        Existing PIN?   Serial Number Separator?   Password Field Contents A                   Password Field Contents B
Normal login                      N/A             N/A                        OTP                                         Password+OTP
Changed Password                  N/A             N/A                        Password+OTP                                Password+OTP
Self-Assignment                   N/A             Yes                        SerialNo+Sep.+Password+OTP                  SerialNo+Sep.+Password+OTP
Self-Assignment                   N/A             No                         SerialNo+Password+OTP                       SerialNo+Password+OTP

Table 27: Login Permutations - Response Only PAP

(1) If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes.

Examples:

Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator set to '::':
  ::pA192ss

Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number Separator set:
  pA192ss
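The function below is an added example, not code from the Digipass Plug-In for IAS, showing how the values a user types are concatenated into the single password field that Table 27 describes for Response Only PAP logins. The concatenation order, the serial number normalisation and the separator rule come from Table 27 and its footnote; the choice of keyword arguments, and the sample serial number, PIN, OTP and password in the test, are constructed for the example.

```python
"""Assemble the RADIUS password field for a Response Only PAP login as laid
out in Table 27.  Added example; not part of the Digipass Plug-In for IAS."""
import re
from typing import Optional


def normalize_serial(serial: str) -> str:
    """No Serial Number Separator configured: strip non-digits and left-pad
    with zeroes to 10 characters (footnote to Table 27)."""
    digits = re.sub(r"\D", "", serial)
    if not digits or len(digits) > 10:
        raise ValueError(f"serial number {serial!r} does not reduce to 1-10 digits")
    return digits.zfill(10)


def password_field(otp: str, *, server_pin_required: bool, password_required: bool,
                   action: str = "login", changed_password: bool = False,
                   password: Optional[str] = None, pin: Optional[str] = None,
                   new_pin: Optional[str] = None, serial: Optional[str] = None,
                   separator: Optional[str] = None) -> str:
    """
    action: "login" (normal), "set_pin" (no existing Server PIN yet) or "change_pin".
    server_pin_required: the Digipass application uses a Server PIN (GO 1/GO 3 style).
    password_required: Stored Password Proxy is Off AND Back-End Authentication is
        required (column B of Table 27).  Reporting a changed password, or
        self-assigning (serial given), always includes the password.
    separator: the Policy's Serial Number Separator, or None if none is set.
    """
    parts = []
    if serial is not None:
        # With a separator the serial is typed as printed on the token; without
        # one it must be the normalised 10-digit form.
        parts.append(serial + separator if separator else normalize_serial(serial))
    if serial is not None or changed_password or password_required:
        if password is None:
            raise ValueError("this login needs the static password")
        parts.append(password)
    if server_pin_required and action != "set_pin":
        if pin is None:
            raise ValueError("this login needs the current Server PIN")
        parts.append(pin)
    parts.append(otp)
    if action in ("set_pin", "change_pin"):
        if not server_pin_required:
            raise ValueError("no Server PIN to set or change for this Digipass")
        if not new_pin:
            raise ValueError("a new Server PIN is needed")
        parts.extend([new_pin, new_pin])   # NewPIN entered twice
    elif action != "login":
        raise ValueError(f"unknown action {action!r}")
    return "".join(parts)
```

Everything the plug-in needs to tell a normal login from a PIN change or a self-assignment is carried in one undelimited string, which is why the static password must be known to the plug-in (Stored Password Proxy) or handed to the back end, and why a changed password must be reported through this same field.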
Response Only - CHAP/MS-CHAP

The table below assumes that Stored Password Proxy is enabled, or Back-End Authentication is not in use.

Login Type     Server PIN Required?   Password Field Contents
Normal login   Yes                    PIN+OTP
Normal login   No                     OTP

Table 28: Login Permutations - Response Only CHAP

Challenge/Response

Challenge/Response is supported with PAP only. In a 2-Step Challenge/Response login, Pre-Challenge is what the user sends to obtain the challenge and Response is what they send after it. The "Password required?" column is Yes when Stored Password Proxy is Off AND Back-End Authentication is required.

Login Type            Serial Number Separator?   Password required?   Request Method     Pre-Challenge            Response
Normal login          N/A                        Yes                  Keyword            Keyword                  Password+OTP
Normal login          N/A                        No                   Keyword            Keyword                  OTP
Normal login          N/A                        N/A                  Password           Password                 OTP
Normal login          N/A                        N/A                  Keyword-Password   Keyword+Password         OTP
Normal login          N/A                        N/A                  Password-Keyword   Password+Keyword         OTP
Changed Password      N/A                        N/A                  Keyword            Keyword                  Password+OTP
Changed Password      N/A                        N/A                  Password           Password                 OTP
Changed Password      N/A                        N/A                  Keyword-Password   Keyword+Password         OTP
Changed Password      N/A                        N/A                  Password-Keyword   Password+Keyword         OTP
Self-Assignment (2)   Yes                        N/A                  N/A                SerialNo+Sep.+Password   OTP
Self-Assignment (2)   No                         N/A                  N/A                SerialNo+Password        OTP

Table 29: Login Permutations - Challenge/Response

(2) If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes.
Virtual Digipass

Login Type         Request Method     2-step login (3): Step 1   Step 2         Two 1-step logins (4): Step 1   Step 2
Normal login       Keyword            Keyword                    Password+OTP   Keyword                         Password+OTP
Normal login       Password           Password                   OTP            Password                        Password+OTP
Normal login       Keyword-Password   Keyword+Password           OTP            Keyword+Password                Password+OTP
Normal login       Password-Keyword   Password+Keyword           OTP            Password+Keyword                Password+OTP
Changed Password   Keyword            Keyword                    Password+OTP   Keyword                         Password+OTP
Changed Password   Password           Password                   OTP            Password                        Password+OTP
Changed Password   Keyword-Password   Keyword+Password           OTP            Keyword+Password                Password+OTP
Changed Password   Password-Keyword   Password+Keyword           OTP            Password+Keyword                Password+OTP

Table 30: Login Permutations - Virtual Digipass

(3) 2-step logins are compatible with PAP only.
(4) Two 1-step logins may be used with any protocol compatible with the Digipass Plug-In for IAS.
10 Configuration Settings

10.1 IAS Plug-In Configuration GUI

A Graphical User Interface (GUI) is available for configuring the IAS Plug-In. To open it, click the Start button and select Programs -> VASCO -> Digipass Plug-In for IAS Configuration.

Enable IAS Plug-In

Enables the plug-in within IAS.

1. Tick the Enabled checkbox.
2. Click Apply.

Allow Passthrough

Allows the IAS Plug-In to pass the static password to IAS for checking after it has checked the One Time Password. This option is not required for typical usage.

1. Tick the Allow Passthrough checkbox.
2. Click Apply.

Set Component Location

1. Enter the location of the IAS Plug-In component that will be generating audit messages in the Component Location field.
2. Click Apply.

Library Path

The Library Path setting tells the IAS Plug-In where to find the LDAP library file.

1. Enter the path and name of the LDAP library file (typically in <install dir>\bin).
2. Click Apply.

Turn Tracing On or Off

1. Select a Tracing option.
2. To send tracing output to a text file, enter a path and filename for the tracing file in the File Name field. The path must be a full absolute path.
3. Click Apply.

Note: If the File Name field is left blank or the file path does not exist, the IAS Plug-In does not output tracing. If the file exists, tracing is appended to it. If the path is valid but the file does not exist, it is created.
Active Directory Settings

To view Active Directory settings, open the Configuration GUI and click the Active Directory tab.

Configuration Domain

The configuration domain is the main Active Directory domain that the IAS Plug-In should use for User authentications, and the domain in which the Digipass Configuration Container is located. It is set automatically during the Digipass Plug-In for IAS installation.

To set the configuration domain:

1. Click the Edit... button next to the Configuration Domain field. The Domain window is displayed.
2. Enter the fully qualified domain name of the configuration domain in the Name field.
3. If required, enter the name of the server in the domain to which the IAS Plug-In should connect in the Preferred Server field.
4. Tick the Preferred Server Only checkbox to restrict the IAS Plug-In to that server in the configuration domain.
5. Enter the server port for encrypted (SSL) connections to the configuration domain in the Encrypted Server Port field.
6. Enter the server port for unencrypted connections to the configuration domain in the Unencrypted Server Port field.
7. Tick the Encrypt checkbox to use an encrypted (SSL) connection from the IAS Plug-In to Active Directory, or leave it unticked to leave the connection unencrypted. An unencrypted connection exposes the directory traffic to anyone on the network path between the IAS server and the Domain Controller, so leave Encrypt ticked for remote connections. Note that SSL is not used when the IAS Plug-In is on a Domain Controller and connects to Active Directory through that Domain Controller.
8. Enter the maximum time (in minutes) that the IAS Plug-In should stay connected to a server before re-synching in the Max Bind Lifetime field.
9. Click OK.
10. Click Apply.

Domains List

The Domains list contains the names of all other domains that the IAS Plug-In may need to use in User authentications.
Note that this list is only needed if you wish to configure how the IAS Plug-In connects to the other domains; if a domain is not in the list, the IAS Plug-In still tries to connect to it.

Add a Domain

To add a domain to the Domains List:

1. Click the Add... button. The Domain window is displayed.
2. Enter the fully qualified domain name of the domain in the Name field.
3. If required, enter the name of the server in the domain to which the IAS Plug-In should connect in the Preferred Server field.
4. Tick the Preferred Server Only checkbox to restrict the IAS Plug-In to that server in the domain.
5. Enter the server port for encrypted (SSL) connections to the domain in the Encrypted Server Port field.
6. Enter the server port for unencrypted connections to the domain in the Unencrypted Server Port field.
7. Tick the Encrypt checkbox to use an encrypted (SSL) connection from the IAS Plug-In to Active Directory, or leave it unticked to leave the connection unencrypted.
8. Enter the maximum time (in minutes) that the IAS Plug-In should stay connected to a server in the domain before re-synching in the Max Bind Lifetime field.
9. Click OK.
10. Click Apply.

Modify a Domain Record in the Domains List

To modify information for a domain in the Domains List:

1. Select the domain to be modified from the Domains List.
2. Click the Edit... button.
3. Modify the required information.
4. Click OK.
5. Click Apply.

Delete a Domain Record from the Domains List

To remove a domain record from the Domains List:

1. Select the domain to be deleted from the Domains List.
2. Click the Delete button.
3. The record is deleted.

Auditing

To configure auditing for the IAS Plug-In, add at least one auditing plug-in to the Methods list. To view or edit auditing settings, click the Auditing tab in the Configuration GUI.

Add an Audit Method

1. Click the Add... button.
2. Select a plug-in type from the drop-down list.
3. Click OK. The Plug-In window is displayed.
4. Enter a name to use for display purposes in the Display Name field.
5. Tick the Enabled checkbox to enable auditing to this plug-in.
6. Tick the Fail on Error checkbox if you want the IAS Plug-In to return an error when it fails to record an auditing message. With it unticked, processing continues even when no audit record could be written.
7. Tick the Unhandled Only checkbox if this plug-in should log only messages that have not already been logged by another plug-in.
8. Select one or more audit message types to be logged by this plug-in: Error, Warning, Information, Success, Failure.
9. Enter any other required information.
10. Click OK.
11. Click Apply.

Edit an Audit Method

1. Select an auditing plug-in from the Methods list.
2. Click the Edit... button. The Plug-In window is displayed.
3. Make the required changes.
4. Click OK.
5. Click Apply.

Delete an Audit Method

1. Select an auditing plug-in from the Methods list.
2. Click the Delete button. The record is deleted.

Data Encryption

See 2.4 Sensitive Data Encryption for more information on encryption in the IAS Plug-In.

To modify encryption settings for the IAS Plug-In:

1. Click the Active Directory tab.
2. Click Configure Encryption Settings. The Configure Encryption Settings window is displayed.
3. Enter the custom encryption key in the Storage Key field.
4. Select an encryption algorithm from the Cipher Name drop-down list.
5. Click OK.

Export Encryption Settings

1. Click the Active Directory tab.
2. Click Configure Encryption Settings. The Configure Encryption Settings window is displayed.
3. Click Export...
4. Browse to the desired directory.
74 5. Enter a file name to export the settings to. 6. Click on OK. 7. Enter a password. 8. Click on OK. Configuration Settings Import Encryption Settings 1. Click on the Active Directory tab. 2. Click on Configure Encryption Settings. The Configure Encryption Settings window will be displayed. 3. Click on Import Browse to the encryption settings file. 5. Click on OK. 6. Enter the required password. 7. Click on OK. See 2.4 Sensitive Data Encryption for more information on encryption in the IAS Plug-In. To modify encryption settings for the IAS Plug-In: 1. Click on the Active Directory tab. 2. Click on Configure Encryption Settings. The Configure Encryption Settings window will be displayed. 3. Enter the custom encryption key in the Storage Key field. 4. Select an encryption algorithm from the Cipher Name drop down list. 5. Click on OK. Export Encryption Settings 1. Click on the Active Directory tab. 2. Click on Configure Encryption Settings. The Configure Encryption Settings window will be displayed. 3. Click on Export Browse to the desired directory. 5. Enter a file name to export the settings to. 6. Click on OK. 7. Enter a password. 8. Click on OK. Import Encryption Settings 1. Click on the Active Directory tab. 2. Click on Configure Encryption Settings. The Configure Encryption Settings window will be displayed. 3. Click on Import... 74
4. Browse to the encryption settings file.
5. Click on OK.
6. Enter the required password.
7. Click on OK.

Configuration File

The Configuration GUI for the IAS Plug-In writes to an .xml file named dpiasext.xml in the install/bin directory. It is possible to edit this file directly instead of using the Configuration GUI, but this is not recommended.

Example Configuration File

<?xml version="1.0"?>
<VASCO>
  <Tracing>
    <Trace-Header type="unsigned" data="47"/>
    <Trace-Mask type="unsigned" data="0x "/>
    <Trace-File type="string" data="c:\program Files\VASCO\Digipass Plug-In for IAS\Log\dpiasext.log"/>
  </Tracing>
  <IAS>
    <Enabled type="bool" data="true"/>
    <Allow-Passthrough type="bool" data="false"/>
    <!-- Note: These settings should not be altered -->
    <Request-Cache>
      <Max-Age type="unsigned" data="30"/>
      <Max-Size type="unsigned" data="1200"/>
      <Clean-Threshold type="unsigned" data="1000"/>
      <Min-Clean-Interval type="unsigned" data="5"/>
    </Request-Cache>
    <EAP-Cache>
      <Max-Age type="unsigned" data="30"/>
      <Max-Size type="unsigned" data="1000"/>
      <Clean-Threshold type="unsigned" data="10"/>
      <Min-Clean-Interval type="unsigned" data="1"/>
    </EAP-Cache>
    <Component-Cache>
      <Max-Age type="unsigned" data="3"/>
      <Max-Size type="unsigned" data="1000"/>
      <Clean-Threshold type="unsigned" data="10"/>
      <Min-Clean-Interval type="unsigned" data="1"/>
    </Component-Cache>
    <SharedSecret-Cache>
      <Max-Age type="unsigned" data="60"/>
      <Max-Size type="unsigned" data="100"/>
      <Clean-Threshold type="unsigned" data="80"/>
      <Min-Clean-Interval type="unsigned" data="1"/>
    </SharedSecret-Cache>
  </IAS>
  <AAL3>
    <Library-Path type="string" data="c:\program Files\VASCO\Digipass Plug-In for IAS\bin\aal3ad30.dll"/>
    <Authlib>
      <Policy-Cache>
        <Max-Age type="unsigned" data="10"/>
        <Max-Size type="unsigned" data="100"/>
        <Clean-Threshold type="unsigned" data="10"/>
        <Min-Clean-Interval type="unsigned" data="1"/>
      </Policy-Cache>
      <Challenge-Cache>
        <Max-Age type="unsigned" data="10"/>
        <Max-Size type="unsigned" data="10000"/>
        <Clean-Threshold type="unsigned" data="10"/>
        <Min-Clean-Interval type="unsigned" data="1"/>
      </Challenge-Cache>
    </Authlib>
    <Encryption>
      <Storage-Key type="string" data=""/>
      <Cipher-Name type="string" data="des_ede"/>
      <Cipher-Module type="string" data=""/>
      <Enable-Engine type="bool" data="false"/>
      <Engine-Module type="string" data=""/>
      <Engine-Parameters/>
    </Encryption>
    <LDAP>
      <Default-Domain>
        <Name type="string" data="mordor.test.vasco"/>
        <Encrypt-Remote-Connections type="bool" data="true"/>
        <Preferred-Server type="string" data=" "/>
        <Server-Port type="unsigned" data="636"/>
        <Preferred-Server-Only type="bool" data="false"/>
        <Max-Bind-LifeTime type="unsigned" data="12"/>
        <Container-Name type="string" data="digipass-container"/>
      </Default-Domain>
      <Domain01>
        <Name type="string" data="domain1.test.vasco"/>
        <Encrypt-Remote-Connections type="bool" data="true"/>
        <Preferred-Server type="string" data=" "/>
        <Server-Port type="unsigned" data="636"/>
        <Preferred-Server-Only type="bool" data="false"/>
        <Max-Bind-LifeTime type="unsigned" data="12"/>
      </Domain01>
      <Domain02>
        <Name type="string" data="domain2.test.vasco"/>
        <Encrypt-Remote-Connections type="bool" data="false"/>
        <Preferred-Server type="string" data=" "/>
        <Server-Port type="unsigned" data="389"/>
        <Preferred-Server-Only type="bool" data="false"/>
        <Max-Bind-LifeTime type="unsigned" data="12"/>
      </Domain02>
      <Domain03>
        <Name type="string" data="domain3.test.vasco"/>
        <Encrypt-Remote-Connections type="bool" data="true"/>
        <Preferred-Server type="string" data=" "/>
        <Server-Port type="unsigned" data="636"/>
        <Preferred-Server-Only type="bool" data="false"/>
        <Max-Bind-LifeTime type="unsigned" data="12"/>
      </Domain03>
    </LDAP>
  </AAL3>
  <Audit>
    <Disable-AMID type="bool" data="false"/>
    <Libraries/>
    <Plugins>
      <Profile00>
        <Enabled type="bool" data="true"/>
        <Type type="string" data="eventlog"/>
        <Display-Name type="string" data="event Log"/>
        <Fail-On-Error type="bool" data="false"/>
        <Unhandled-Only type="bool" data="false"/>
        <Error type="bool" data="true"/>
        <Warning type="bool" data="true"/>
        <Info type="bool" data="true"/>
        <Success type="bool" data="false"/>
        <Failure type="bool" data="false"/>
        <Plugincfg>
          <Location type="string" data="application"/>
        </Plugincfg>
      </Profile00>
      <Profile01>
        <Enabled type="bool" data="false"/>
        <Type type="string" data="utf8file"/>
        <Display-Name type="string" data="text File"/>
        <Fail-On-Error type="bool" data="false"/>
        <Unhandled-Only type="bool" data="false"/>
        <Error type="bool" data="true"/>
        <Warning type="bool" data="true"/>
        <Info type="bool" data="true"/>
        <Success type="bool" data="false"/>
        <Failure type="bool" data="false"/>
        <Plugincfg>
          <Log-File type="string" data="c:\program Files\VASCO\Digipass PlugIn for IAS\audit\{year}-audit.txt"/>
          <Keep-Open type="bool" data="false"/>
          <Use-GMT type="bool" data="false"/>
        </Plugincfg>
      </Profile01>
    </Plugins>
  </Audit>
</VASCO>
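The example file above is the kind of thing an administrator reviews after an install: the <LDAP> section decides whether directory traffic to each domain is encrypted, and the <Audit> profiles decide which message levels are ever recorded. The following script is an added example for this reference, not VASCO code; it reads the dpiasext.xml layout shown above (each <LDAP> child is a domain with Name, Encrypt-Remote-Connections and Server-Port; each <Audit><Plugins> child is a profile with Enabled and per-level flags) and lists domains configured without encryption and the audit levels actually in effect. The embedded SAMPLE_CONFIG is a constructed, trimmed copy of the manual's example.

```python
"""Review the LDAP and audit sections of a Digipass Plug-In for IAS
configuration file (dpiasext.xml layout as shown in the manual).

Added example for this manual page; not VASCO code.  The checks follow the
manual's description of the file: every child of <LDAP> is a domain with
Name / Encrypt-Remote-Connections / Server-Port, and every child of
<Audit><Plugins> is an audit profile with Enabled and per-level flags.
"""
import xml.etree.ElementTree as ET

# Constructed sample, trimmed from the manual's example file (same domain
# names, ports and audit flags; cache and tracing sections omitted).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<VASCO>
  <AAL3>
    <LDAP>
      <Default-Domain>
        <Name type="string" data="mordor.test.vasco"/>
        <Encrypt-Remote-Connections type="bool" data="true"/>
        <Server-Port type="unsigned" data="636"/>
      </Default-Domain>
      <Domain02>
        <Name type="string" data="domain2.test.vasco"/>
        <Encrypt-Remote-Connections type="bool" data="false"/>
        <Server-Port type="unsigned" data="389"/>
      </Domain02>
    </LDAP>
  </AAL3>
  <Audit>
    <Plugins>
      <Profile00>
        <Enabled type="bool" data="true"/>
        <Type type="string" data="eventlog"/>
        <Error type="bool" data="true"/>
        <Warning type="bool" data="true"/>
        <Info type="bool" data="true"/>
        <Success type="bool" data="false"/>
        <Failure type="bool" data="false"/>
      </Profile00>
      <Profile01>
        <Enabled type="bool" data="false"/>
        <Type type="string" data="utf8file"/>
        <Error type="bool" data="true"/>
        <Success type="bool" data="true"/>
        <Failure type="bool" data="true"/>
      </Profile01>
    </Plugins>
  </Audit>
</VASCO>
"""


def _setting(node, name, default=None):
    """Read the data="" attribute of a child element, honouring its type=""."""
    child = node.find(name)
    if child is None:
        return default
    value = child.get("data", "")
    kind = child.get("type", "string")
    if kind == "bool":
        return value.strip().lower() == "true"
    if kind == "unsigned":
        return int(value) if value.strip().isdigit() else default
    return value


def ldap_domains(xml_text):
    """One dict per <LDAP> domain element with the settings that matter here."""
    root = ET.fromstring(xml_text)
    ldap = root.find("./AAL3/LDAP")
    if ldap is None:
        return []
    return [
        {
            "element": dom.tag,
            "name": _setting(dom, "Name", ""),
            "encrypted": _setting(dom, "Encrypt-Remote-Connections", False),
            "port": _setting(dom, "Server-Port"),
        }
        for dom in ldap
    ]


def unencrypted_ldap_domains(xml_text):
    """Names of domains whose remote directory connections are not encrypted.
    In the manual's example such a domain is also on port 389 rather than
    the LDAPS port 636, so directory traffic to it travels in clear text."""
    return [d["name"] for d in ldap_domains(xml_text) if not d["encrypted"]]


def active_audit_levels(xml_text):
    """Map each enabled audit profile (by Type) to the levels it records;
    disabled profiles are ignored because they record nothing."""
    root = ET.fromstring(xml_text)
    levels = ("Error", "Warning", "Info", "Success", "Failure")
    result = {}
    for profile in root.findall("./Audit/Plugins/*"):
        if _setting(profile, "Enabled", False):
            result[_setting(profile, "Type", profile.tag)] = [
                lvl for lvl in levels if _setting(profile, lvl, False)
            ]
    return result


if __name__ == "__main__":
    print("unencrypted LDAP domains:", unencrypted_ldap_domains(SAMPLE_CONFIG))
    print("audit levels in effect:", active_audit_levels(SAMPLE_CONFIG))
```

Run against the manual's example the script reports domain2.test.vasco as unencrypted and shows that only the Event Log profile is enabled and that it records Error, Warning and Info but neither Success nor Failure; the text file profile that would record them is disabled. Replace SAMPLE_CONFIG with the contents of dpiasext.xml to review a real installation.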
10.2 MDC

Required Information

To configure gateway settings you will need:

- Gateway details:
  - Protocol to use in connecting to the gateway.
  - An address string and port to use in connecting to the gateway.
  - The path and filename of a certificate file, if required.
  - The required Query String.
  - The Query Method (GET or POST) required by the gateway.

  OR

- A customized configuration file ordered from your VASCO supplier. This will need to be imported using the Configuration GUI.
- Username and password for the gateway account.

MDC Configuration GUI

A Graphical User Interface (GUI) is available for use in configuring the MDC. To open the MDC Configuration GUI, click on the Start Button and select Programs -> VASCO -> Digipass Plug-In for IAS -> Message Delivery Component Configuration.

Note
The MDC must be restarted after any change is made in the Configuration GUI.

Set IAS Server Connection Details

Set the IAS Server IP address and port.

1. Modify the Server IP Address if needed.
2. Change the Port number for the server if needed.

Modify Gateway Account Login Details

The MDC needs a Username and password for the gateway in order to send text messages through it.

1. Modify the Username if needed.
2. Change the Password and Confirm Password fields if required. The Password and Confirm Password fields must contain identical data.
Configure Internet Connection Details

Enable or disable the use of an HTTP Proxy and enter details if required.

1. Enable or disable the use of the HTTP Proxy by ticking or clearing the Use HTTP Proxy checkbox.
2. If required, enter an IP address, port and timeout for the HTTP Proxy.
3. Enter a maximum number of internet connections to allow in the Max. Connections field.

Configure Tracing

The MDC makes use of a trace file to record information about events that occur on the system, for use in troubleshooting. This could include generic information, changing conditions, or problems and errors that have been encountered. The level of tracing that the MDC employs depends on its configuration settings.

Caution
Enabling Full Tracing should only be done for troubleshooting purposes. There are no limits set on the size of the tracing file, so if the option is left on too long on a high-load system the file may dramatically slow down or crash Windows, due to excessive I/O or filling up the hard drive. This is not highly likely for MDC, but should be considered.

Because there are no size limitations set on the trace file, it is not recommended that you have tracing permanently enabled. If your system is set up with Basic Tracing always enabled, ensure that the file size does not cause problems by deleting or archiving it whenever it gets too large.

Basic tracing includes:

- Critical error/warning messages [CRITC]
- Major error/warning messages [MAJOR]
- Minor error/warning messages [MINOR]
- Configuration messages [CONFG]

Full tracing includes:

- Critical error/warning messages [CRITC]
- Major error/warning messages [MAJOR]
- Minor error/warning messages [MINOR]
- Configuration messages [CONFG]
- Informational messages [INFOR]
- Data tracing messages [DATA]
- Debugging messages (useful for support purposes) [DEBUG]
- Security messages, messages that may contain security sensitive data [SECUR]
Turn Tracing On or Off

1. Select a Tracing option.
2. If you have selected Basic Tracing or Full Tracing, enter a path and filename for the tracing file into the File Name field. The file path entered must be the full absolute path.

Note
If the File Name field is left blank or the file path does not exist, the MDC will not output tracing. If the file does exist, tracing will be appended to the file. If it does not exist, it will be created.

Import HTTP Gateway settings

Import a customized configuration file ordered from your VASCO supplier, containing the configuration details for your gateway needed by the MDC.

1. Click on the Gateway Settings tab.
2. Enter a name for the gateway.
3. Click on Import Settings.
4. Select a file from the Browse window.
5. Click on OK. The import progress will be displayed.
6. Click on OK.

Edit Advanced Settings

1. Click on the Gateway Settings tab.
2. Ensure that the Edit Advanced Settings checkbox is ticked.
3. Select a protocol to use in connecting to the gateway from the Protocol drop down list (typically HTTP).
4. Enter an address string to use in connecting to the gateway in the Address field.
5. Enter a port in the Port field (typically 80 for HTTP connections).
6. Enter the path and filename of a certificate file if required.
7. Modify the Query String field if required.
   Example Query String:
   username=[acc_user]&password=[acc_pwd]&device=[otp_dest]&network=tgsm&message=[otp_msg]
8. Select a Query Method according to what the gateway requires (typically POST).

Export HTTP Gateway settings

Once you have entered the necessary gateway configuration information into the Configuration GUI, you may wish to export the settings into a file for backup purposes or to transfer to another IAS server.
1. Click on the Gateway Settings tab.
2. Ensure that the Edit Advanced Settings checkbox is ticked.
3. Click on Export Settings.
4. Select a directory from the Browse window.
5. Enter a filename.
6. Click on OK. The export progress will be displayed.

Gateway Result Pages

A result page is returned by the gateway service when a text message is submitted by the GET or POST methods. This page would normally be an HTML formatted page containing specific error codes and/or additional messages for success/failure.

Three types of result messages are generally categorized as:

Information
  Success of message delivery (the message has been accepted by the server).

Warning
  The submission/delivery failed, but it is most likely a specific error only affecting this User. The User's login will fail on the first step. Possible causes are:
  - Phone number invalid
  - Temporary gateway failure

Error
  Error(s) occurred while attempting delivery. This means that the delivery failed for a particular User, but the error might be affecting all Users. In this case, the User's login will fail immediately. Possible such errors are:
  - Account data incorrect (Account User or password wrong)
  - Account credit expired (for a pre-paid gateway account)
  - Communication error with gateway (network error)
  - Other permanent gateway errors

Audit Console Logging

A gateway result page can be recognized by key words and phrases, and an alternate message created for logging to the audit console whenever the result is received. Variables can be extracted from the result page and used in the log message to provide extra information.

Result Page Rules

The result page rule patterns use the following syntax:

<FixedText1> [Var-Name1] <FixedText2> [] <FixedText3> [Var-Name2]
Where the template is constructed in the following way:

<FixedTextx>: a character string which must be matched in the page returned by the gateway. Note that multiple <FixedTextx> can appear in a single template, but they must not be overlapping. Matching is case-sensitive.

[]: Omits a variable part of the result page between two <FixedText> segments, when matching a template. This can be useful to ignore arbitrary data or time/date data in the returned web page.

[Var-Namex]: Describes a segment of the result page between two <FixedText> segments or at the end of the result page, which will be written to a variable. Usually this will be data that can provide more detailed information why a particular message submission has failed. The variable name inside the [] brackets can then be used as part of the audit message template to create a meaningful message.

Example

If the server returns the following result page for successful transmission:

<b>submission successful at 10:00, 11/11/02, status: 00 - message delivery in progress.</b>

or the following for an unsuccessful submission:

<b> Submission unsuccessful at 10:05, 11/11/02, status: 47 number too short </b>

then the following result page rules can be configured:

Message Rule Name: Success
Message Rule Pattern: successful at [DateTime], status: [Status] [Message]</b>
Variables retrieved: DateTime, Status, Message

Message Rule Name: Warning
Message Rule Pattern: unsuccessful at [DateTime], status: 47 [Message]</b>
Variables retrieved: DateTime, Message

Message Rule Name: Error
Message Rule Pattern: unsuccessful at [DateTime], status: [status] [Message]</b>
Variables retrieved: DateTime, Status, Message

No Match Available

If no Rule matches a Result page returned, an error will be logged to the Audit Console, reporting that the result page returned from the gateway could not be matched.
Ordering Rules

The order of the result page templates in the configuration data can be used to match more specific messages first and finally catch any other message which the gateway might send.

Audit message template

Once a result page template is matched, a corresponding audit message is constructed with the variables retrieved from the result page rule. The message template uses the following syntax:
<FixedText1> [VAR-Name1] <FixedText3> [Var-Name2]

<FixedTextx>: a character string which will appear literally in the constructed audit message.

[Var-Namex]: Variable which is derived from the matched variables from the corresponding result page template.

The following variables are predefined and can be used in the audit message template:

[otp_dest]   The destination address (a mobile phone number) the OTP was sent to.
[otp_msg]    The message that was submitted. This variable will also contain the OTP, so should not be used for the construction of audit messages.
[acc_user]   Account name for the gateway. Not recommended for use in audit messages.
[acc_pwd]    Account password for the gateway. Not recommended for use in audit messages.
[Username]   The User ID of the User requesting the OTP.
Table 31: MDC Audit Message Variables

Examples of variable use:

Insufficient credit on account [acc_user] when sending to [username]

Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [message]

Modify a Gateway Result Message Rule

Ensure that the Edit Advanced Settings checkbox on the Gateway Settings tab is ticked.

1. Click on the Gateway Results tab.
2. Select a Rule to modify.
3. Click on Edit.
4. Make any required changes.
5. Click on OK.
Add a Gateway Result Message Rule

1. Click on the Gateway Results tab.
2. Click on Add.
3. Enter a descriptive name for the Rule in the Description field.
4. Enter the full text or a partial match of the text displayed by the gateway in the Matching Pattern field.
5. Select an Audit Message Level for the Rule. Each level of message will be displayed with a different color background in the Audit Console.
   - Info: normal
   - Warning: yellow
   - Error: red
6. Enter the message text you wish the User to see into the Message Text field.
7. Click on OK.
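The result page rule syntax and the audit message template described in the sections above, worked through in code. This is an added example for this reference, not VASCO's MDC implementation; it assumes that rules are tried in configuration order with the first match winning (the Ordering Rules section), that variable names are compared case-insensitively (the manual writes both [Username] and [username]), and that a variable at the end of a pattern captures to the end of the page. The sample result pages are the manual's own; the user context, the rule messages and the sensitive-variable guard are constructed for the example. Note the rule order: "successful at" is a substring of "unsuccessful at", so the Warning and Error rules are listed before the Success rule.

```python
"""Match an MDC gateway result page against result page rules and build the
audit message, using the template syntax described above.

Added example for this manual page, not VASCO's MDC code.  Assumptions:
rules are tried in list order and the first match wins; variable names are
compared case-insensitively; a variable at the end of a pattern captures to
the end of the page.  Sample pages come from the manual; the rule messages
and user context are constructed.
"""
import re

# Predefined variables that must not appear in audit messages:
# [otp_msg] carries the OTP itself and [acc_pwd] the gateway password.
BLOCKED_VARIABLES = {"otp_msg", "acc_pwd"}

_TOKEN = re.compile(r"\[([^\]]*)\]")   # matches [Name] or []


def compile_rule(pattern):
    """Translate '<FixedText> [Var] <FixedText> []' into (regex, var names).

    Fixed text matches literally and case-sensitively, [] skips arbitrary
    text, [Name] captures it; a trailing variable runs to the end of page.
    """
    parts, names, pos = [], [], 0
    for m in _TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        name = m.group(1).strip()
        if name:
            names.append(name)
            parts.append("(.*?)")
        else:
            parts.append("(?:.*?)")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]) if pattern[pos:] else "$")
    return re.compile("".join(parts), re.DOTALL), names


def match_result_page(page, rules):
    """Return (rule, variables) for the first rule that matches, else None."""
    for rule in rules:
        regex, names = compile_rule(rule["pattern"])
        m = regex.search(page)
        if m:
            found = {n.lower(): v.strip() for n, v in zip(names, m.groups())}
            return rule, found
    return None


def build_audit_message(template, variables):
    """Expand [Name] tokens from `variables` (lower-case keys).  Unknown
    tokens are left as written; blocked (sensitive) tokens raise."""
    def repl(m):
        name = m.group(1).strip().lower()
        if name in BLOCKED_VARIABLES:
            raise ValueError("audit message template must not use [%s]" % name)
        return variables.get(name, m.group(0))
    return _TOKEN.sub(repl, template)


def audit_for_result_page(page, rules, context):
    """Return the (level, text) the audit console would receive for `page`."""
    matched = match_result_page(page, rules)
    if matched is None:   # the manual's "No Match Available" case
        return "Error", "Result page returned from the gateway could not be matched"
    rule, variables = matched
    merged = dict(context)
    merged.update(variables)
    return rule["level"], build_audit_message(rule["message"], merged)


# Rules in the order the MDC should try them: failure rules first, because
# "successful at" also matches inside "unsuccessful at".
RULES = [
    {"name": "Warning", "level": "Warning",
     "pattern": "unsuccessful at [DateTime], status: 47 [Message]</b>",
     "message": 'Message not sent to User "[Username]"/[otp_dest]. Gateway reported: [Message]'},
    {"name": "Error", "level": "Error",
     "pattern": "unsuccessful at [DateTime], status: [Status] [Message]</b>",
     "message": "Gateway error [Status] for User [Username]: [Message]"},
    {"name": "Success", "level": "Info",
     "pattern": "successful at [DateTime], status: [Status] [Message]</b>",
     "message": "OTP accepted by gateway for [Username]/[otp_dest] at [DateTime]"},
]

# Result pages from the manual's example plus one constructed error page.
SUCCESS_PAGE = "<b>submission successful at 10:00, 11/11/02, status: 00 - message delivery in progress.</b>"
WARNING_PAGE = "<b> Submission unsuccessful at 10:05, 11/11/02, status: 47 number too short </b>"
ERROR_PAGE = "<b> Submission unsuccessful at 10:07, 11/11/02, status: 12 account credit expired </b>"
CONTEXT = {"username": "jsmith", "otp_dest": "+32470000000"}   # constructed

if __name__ == "__main__":
    for page in (SUCCESS_PAGE, WARNING_PAGE, ERROR_PAGE, "<html>500 Internal Server Error</html>"):
        print(audit_for_result_page(page, RULES, CONTEXT))
```

Reversing RULES makes the manual's warning page match the Success rule, which is exactly the misclassification the Ordering Rules section warns about. build_audit_message refuses a template that references [otp_msg] or [acc_pwd], turning the table's "should not be used" advice into a check that runs before anything reaches the audit console.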
MDC Configuration File

The MDC Configuration GUI writes to an .xml file named MDCConfig.xml in the install/bin directory. It is possible to edit this file directly instead of using the MDC Configuration GUI.

Example Configuration File

<?xml version="1.0"?>
<VASCO>
  <Tracing>
    <Trace-Header type="unsigned" data="31"/>
    <Trace-Mask type="unsigned" data="0x "/>
    <Trace-File type="string" data="c:\documents and Settings\Administrator\My Documents\vmiis.trace"/>
  </Tracing>
  <IAS-Server>
    <IP type="string" data=" "/>
    <Port type="unsigned" data="20003"/>
  </IAS-Server>
  <Gateway>
    <Description type="string" data="anything goes"/>
    <HTTPMethod type="string" data="post"/>
    <URL type="string" data="test"/>
    <HTTPQuery type="string" data="bla"/>
    <CertFile type="string" data="./curl-ca-bundle.crt"/>
    <Timeout type="unsigned" data="5"/>
    <ProxyIP type="string" data=""/>
    <ProxyPort type="unsigned" data="0"/>
    <MaxConnections type="unsigned" data="10"/>
    <Port type="unsigned" data="443"/>
    <Protocol type="string" data="https"/>
  </Gateway>
  <Gateway-Acct>
    <Username type="string" data="user"/>
    <Password type="string" data="pass"/>
  </Gateway-Acct>
  <Result01>
    <Name type="string" data="first entry"/>
    <Pagematch type="string" data="100"/>
    <MsgType type="unsigned" data="0"/>
    <Message type="string" data="success sending to [Username]"/>
  </Result01>
  <Result02>
    <Name type="string" data="first entry"/>
    <Pagematch type="string" data="-103 [remainder]"/>
    <MsgType type="unsigned" data="1"/>
    <Message type="string" data="phone number too short: [otp_dest] gateway reported: [remainder]"/>
  </Result02>
  <Result03>
    <Name type="string" data="first entry"/>
    <Pagematch type="string" data="(404)"/>
    <MsgType type="unsigned" data="2"/>
    <Message type="string" data="query string is incorrect. 404 Page not found."/>
  </Result03>
</VASCO>

Caution
The configuration file is UTF8 encoded. Non-UTF8 encoded characters should not be added to the configuration file, or it will not load.
Configuration Settings

The table below lists the options, their default values, and a brief explanation of each.

General tab

Option Name: Server/IP
Config. GUI Field: Server IP Address
Default Value: <IP address supplied in the license.dat file>
Notes: This string is the IP address of the local server. It needs to correspond with the licensing as well as the IP address configured for the server. Data type: String with valid IP4 address or hostname that can be resolved through DNS.

Option Name: Server/Port
Config. GUI Field: Port
Notes: This integer is the TCP/IP port on which the local server is listening. Must correspond with the IAS server settings. Data type: Integer with valid Port address ( ).

Option Name: Gateway/ProxyIP
Config. GUI Field: Proxy IP
Default Value: <Empty>
Notes: IP address of the HTTP proxy used by the MDC to contact the HTTP gateway. This can be used when the firewall settings do not allow a direct connection. Empty: no proxy being used. Data type: String with valid IP4 address.

Option Name: Gateway/ProxyPort
Config. GUI Field: Port
Default Value: <None>
Notes: Port number to contact the HTTP proxy on. Must be supplied if the ProxyIP setting is used. Data type: Integer with valid Port address (1-65535).

Option Name: Gateway/Timeout
Config. GUI Field: Proxy Timeout
Default Value: 30
Notes: Time in seconds that the MDC will wait on a response from the HTTP proxy/gateway. Data type: Integer.

Option Name: Gateway/MaxConnections
Config. GUI Field: Max Connections
Default Value: 10
Notes: Maximum allowed number of concurrent connections to the HTTP gateway. Data type: Integer (1-100).

Option Name: Tracing/TraceFile
Config. GUI Field: File Name
Default Value: <None>
Notes: The file that tracing output should be written to. None: no tracing. Data type: String.

Option Name: Tracing/TraceMask
Config. GUI Field: Tracing
Default Value: 0
Notes: The tracemask specifies how much tracing is done. 0: no tracing; 1: basic tracing; 2: full tracing. Data type: Integer.

Option Name: GatewayAcnt/Username
Config. GUI Field: Username (General tab)
Default Value: <required parameter>
Notes: Sets the account Username for the HTTP gateway. The given value will be used as content for the variable [acc_user] in the query string. Data type: String.

Option Name: GatewayAcnt/Password
Config. GUI Field: Password & Confirm Password (General tab)
Default Value: <required parameter>
Notes: Sets the account password for the HTTP gateway. The given value will be used as content for the variable [acc_pwd] in the query string. Data type: String.

Gateway Settings tab

Option Name: Gateway/Description
Config. GUI Field: Gateway Name
Notes: This is an informational field, naming or describing the HTTP gateway. It can be set to provide a description for a particular service, but is ignored by the MDC. Data type: String.

Option Name: Gateway/HTTPMethod
Config. GUI Field: Query Method
Default Value: POST
Notes: Designates either the GET or POST method for use in transferring account and message data to the HTTP/HTTPS gateway. Data type: String ("GET" or "POST").

Option Name: Gateway/URL
Config. GUI Field: Protocol and Address
Default Value: <required parameter>
Notes: Required parameter. Sets the URL to the HTTP gateway. The address should not contain any variables, but it should contain the protocol identifier. Note: the HTTPS protocol identifier can be used to SSL-encrypt the link between the MDC and the HTTP gateway. In this case it is required to specify a filename where the server certificates can be found. Data type: String.

Option Name: Gateway/HTTPQuery
Config. GUI Field: Query String
Default Value: <required parameter>
Notes: Required parameter. Defines the query string which will be submitted to the HTTP server, either using POST or GET (as specified by HttpGwMethod). This string must contain all required variables that are expected by the HTTP gateway. The query string must contain the following parameters, which will be set by the MDC before submitting the query:
  - [acc_user]: specifies the account name for the gateway which will be used to submit the information.
  - [acc_pwd]: password for the gateway account specified by the [Username] parameter.
  - [otp_msg]: specifies the part of the query string where the OTP message will be substituted.
  - [otp_dest]: specifies the part of the query string where the destination for the OTP (usually the mobile phone number) will be substituted.
  The query string should also incorporate any other parameters which might be expected by the gateway.
  Example: <query type="string" data="UN=[Username]&PW=[password]&T=T&NB=[destination]&ME=[message]&fl=f&on=fromvm&tm=" />
  Data type: String.

Option Name: Gateway/CertFile
Config. GUI Field: Certificate File
Default Value: .\curl-ca-bundle.crt
Notes: When using the HTTPS protocol, the server certificate file is used to authenticate the message gateway and to derive the data encryption keys. It can contain either one or multiple server certificates. The file needs to be a PEM-encoded, X.509 compliant certificate. It can be created by exporting the required Root CA from any browser (e.g. Internet Explorer) using the base-64 format, which is equivalent to PEM. Data type: String.

Gateway Results tab

Option Name: Results/Resultnn/Name
Config. GUI Field: Description
Default Value: <Empty>
Notes: Name of this entry, as displayed by the MDC Configuration GUI. This field has no functional meaning. Data type: String.

Option Name: Results/Resultnn/Pagematch
Config. GUI Field: Matching Pattern
Default Value: <required parameter>
Notes: Result Page Template to match the result page returned by the HTTP service. If this template is matched, the corresponding audit message is composed and returned to the IAS Plug-In as an audit message. Data type: String.

Option Name: Results/Resultnn/MsgType
Config. GUI Field: Audit Message Level
Default Value: 2
Notes: Type of message to appear in the audit log: 0 INFO, informational message (login on); 1 WARNING, warning message (login fails); 2 ERROR, error message (login fails). Data type: Integer (0-2).

Option Name: Results/Resultnn/Message
Config. GUI Field: Message Text
Default Value: <required parameter>
Notes: Audit Message Template for the message to be compiled and sent back to the IAS Plug-In. The message is returned as Information, Warning or Error, depending on the MsgType parameter in the same section. Includes [variable] options. Data type: String.

Table 32: Message Delivery Component Configuration Settings

10.3 CGI

See Configuration Settings for VASCO CGI configuration settings and location.
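The Gateway/HTTPQuery entry above says the query string template must carry the [acc_user], [acc_pwd], [otp_msg] and [otp_dest] placeholders, which the MDC fills in before the query is submitted to the gateway. The following is an added example of that substitution for this reference, not the MDC's own code. It assumes placeholder names are compared case-insensitively and it percent-encodes each substituted value, which the manual does not state the MDC does; the template is the manual's example query string, while the account, destination and message values are constructed. The unencoded variant is included only to show the hazard: a value containing & or = would otherwise add or override parameters in the query the gateway receives.

```python
"""Build the HTTP gateway query string from a Gateway/HTTPQuery template.

Added example for this manual page, not the MDC's own code.  It assumes the
template uses the bracketed placeholders the manual requires ([acc_user],
[acc_pwd], [otp_msg], [otp_dest], compared case-insensitively) and it
percent-encodes every substituted value; the manual does not say whether
the MDC itself encodes them.  The values below are constructed.
"""
import re
from urllib.parse import parse_qs, quote

REQUIRED_PLACEHOLDERS = ("acc_user", "acc_pwd", "otp_msg", "otp_dest")
_TOKEN = re.compile(r"\[([^\]]*)\]")   # matches [name]


def missing_placeholders(template):
    """Required placeholders that the template does not contain."""
    present = {m.group(1).strip().lower() for m in _TOKEN.finditer(template)}
    return [p for p in REQUIRED_PLACEHOLDERS if p not in present]


def substitute_unencoded(template, values):
    """Plain text substitution, shown only as the hazardous form: a value
    containing '&' or '=' adds or overrides parameters in the query."""
    lowered = {k.lower(): v for k, v in values.items()}
    return _TOKEN.sub(lambda m: lowered[m.group(1).strip().lower()], template)


def build_gateway_query(template, values):
    """Substitute placeholders with percent-encoded values.

    Raises ValueError if a required placeholder is missing from the template
    or no value was supplied for a placeholder the template contains.
    """
    missing = missing_placeholders(template)
    if missing:
        raise ValueError("query string template lacks: " + ", ".join(missing))
    lowered = {k.lower(): v for k, v in values.items()}

    def repl(m):
        name = m.group(1).strip().lower()
        if name not in lowered:
            raise ValueError("no value supplied for [%s]" % name)
        return quote(lowered[name], safe="")   # '&', '=', '+' and ' ' all encoded
    return _TOKEN.sub(repl, template)


def query_parameters(query):
    """Parse a query string the way the gateway would (name -> list of values)."""
    return parse_qs(query)


# The manual's example query string, and constructed values for it.
TEMPLATE = "username=[acc_user]&password=[acc_pwd]&device=[otp_dest]&network=tgsm&message=[otp_msg]"
VALUES = {
    "acc_user": "mdc-account",
    "acc_pwd": "s3cret&extra=1",     # contains query delimiters on purpose
    "otp_dest": "+32470000000",
    "otp_msg": "Your OTP is 123456",
}

if __name__ == "__main__":
    print(build_gateway_query(TEMPLATE, VALUES))
    print(query_parameters(build_gateway_query(TEMPLATE, VALUES)))
    print(query_parameters(substitute_unencoded(TEMPLATE, VALUES)))
```

With encoding, the gateway sees exactly the five parameters the template defines and the password value arrives intact; without it, the same password turns into an extra "extra" parameter and the "+" in the destination number is read as a space. The whole string carries the OTP and the gateway password, which is one reason the manual's Query Method is typically POST: with GET the string becomes part of the request URL.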
11 How to troubleshoot

11.1 Enable Tracing

1. Set the IAS Plug-In to tracing.
2. Restart IAS.
3. Attempt a login.
4. Check the trace file for information on the start-up conditions of the IAS Plug-In and of the login attempt.

Installation Check

The information in this section will enable you to check that various files have been installed in the correct locations and registered (where required), and that Windows registry entries have been created and the correct values inserted.

Installation Log File

Check the log file created during the installation of the Digipass Plug-In for IAS. The log file should be found in <install dir>\install.log.

Example Log Entries

File successfully created
    CreateDirectory: "C:\Program Files\VASCO\Digipass Plug-In for IAS\Bin" (1)
    File: overwriteflag=0, allowskipfilesflag=2, name="aal3ad30.dll"
    File: wrote to "C:\Program Files\VASCO\Digipass Plug-In for IAS\Bin\aal3ad30.dll"

DLL could not be registered
    Error registering DLL: Could not load dpmmccom.dll

Check file placement

File Name                          Location
IAS Plug-In
  dpiasext.dll                     <install dir>\bin
  dpiasext.xml                     <install dir>\bin
Administration MMC Interface
  dpmmc.dll                        <install dir>\bin
  dpmmcpol.dll                     <install dir>\bin
  dpmmccom.dll                     <install dir>\bin
  dpmmc.msc                        <install dir>\bin
  dpwxlib.dll                      <install dir>\bin
  Admin_MMC_Interface_Help.chm     <install dir>\doc
Digipass Extension for Active Directory Users and Computers
  dpextaduc.dll                    <install dir>\bin
  AD_Extension_Help.chm            <install dir>\doc
VACMAN Controller
  aal2sdk.dll                      <install dir>\bin
Demo Digipass
  demo.dpx                         <install dir>\dpx
  demogo1.dpx                      <install dir>\dpx
  demovdp.dpx                      <install dir>\dpx
CGI Configuration Interface
  dpcgicfg.exe                     <install dir>\bin
User Self Management Web Site
  *.html                           <install dir>\usersite
  usercgi.exe                      <install dir>\usersite\cgi
  *.gif                            <install dir>\usersite\images
Message Delivery Component
  mdcserver.exe                    <install dir>\bin
  mdccfg.exe                       <install dir>\bin
  libcurl.dll                      <install dir>\bin
  libeay32.dll                     <install dir>\bin
  libssl32.dll                     <install dir>\bin
  mdcconfig.xml                    <install dir>\bin
  curl-ca-bundle.crt               <install dir>\bin
OTP Request Site
  *.html                           <install dir>\vdpsite
  vdpcgi.exe                       <install dir>\vdpsite\cgi
  *.gif                            <install dir>\vdpsite\images
Version Information
  version.txt                      <install dir>
Table 33: Required Files

Registry Entries

General
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\InstallDirectory
    Value: <install dir>
    Notes: Typically c:\program files\vasco\digipass Plug-In for IAS
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\InstalledProducts\Digipass Plug-In for IAS
    Value: 1
    Notes: 1 = installed, 0 = not installed. If the Pack has been incorrectly installed, the key will typically be missing rather than having a value of 0.
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\InstalledComponents\<various>
    Value: <version>
    Notes: Check the recorded version numbers for various components.
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\Digipass Plug-In for IAS\Version
    Value: <build>
    Notes: Version number for the Digipass Plug-In for IAS.

IAS Plug-In
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AuthSrv\Parameters\ExtensionDLLs
    Value: <install dir>\bin\dpiasext.dll
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AuthSrv\Parameters\AuthorizationDLLs
    Value: <install dir>\bin\dpiasext.dll

Administration MMC Interface
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\ApiLibrary
    Value: <install dir>\bin\aal3ad30.dll
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\DialogLibrary
    Value: <install dir>\bin\dpwxlib.dll
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\MMC Admin Interface\HelpFile
    Value: <install dir>\doc\Admin_MMC_Interface_Help.chm

Digipass Extension for Active Directory Users and Computers
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\AD U&C Extension\ApiLibrary
    Value: <install dir>\bin\aal3ad30.dll
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\AD U&C Extension\DialogLibrary
    Value: <install dir>\bin\dpwxlib.dll
  HKEY_LOCAL_MACHINE\Software\VASCO Data Security\AD U&C Extension\HelpFile
    Value: <install dir>\doc\AD_Extension_Help.chm

Message Delivery Component
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\application\vdpmdc\EventMessageFile
    Value: <install dir>\bin\mdcserver.exe
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\application\vdpmdc\TypesSupported
    Value: 1
    Notes: 1 = EVENTLOG_ERROR_TYPE
Table 34: Registry Entries

Note
See Configuration Settings for VASCO CGI configuration settings in the Windows registry.

DLLs to be Registered

These DLLs need to be registered with Windows in order for the Digipass Plug-In for IAS to work correctly. See for information on registering them manually.

DLL               Location
dpmmc.dll         <install dir>\bin
dpmmcpol.dll      <install dir>\bin
dpmmccom.dll      <install dir>\bin
dpextaduc.dll     <install dir>\bin
Table 35: DLLs to be Registered

Check Permissions
Directory or File                                  Permission(s) required   Notes
User Self Management Web Site (IIS)
  /dpselfservice/cgi                               execute
  <install dir>\usersite\cgi\usercgi.exe           execute                  This is required on Windows Server 2003 only.
OTP Request Site (IIS)
  /requestotp/cgi                                  execute
  <install dir>\vdpsite\cgi\vdpcgi.exe             execute                  This is required on Windows Server 2003 only.
Table 36: Permissions Required

IAS Server Registered in Active Directory Domain

Check that the IAS server is registered in the relevant Active Directory domain(s):

1. Open Active Directory Users and Computers.
2. Click on Users. A list of Windows Users and Groups will be displayed in the Result pane.
3. Double-click on the RAS and IAS Servers group.
4. Check that the IAS server is listed in the group members.

If the IAS Server is not registered in the domain:

1. Log on to the IAS server with an administrator account for the domain.
2. Open Internet Authentication Service.
3. Right-click on Internet Authentication Service.
4. Click on Register Server in Active Directory. The Register Internet Authentication Service in Active Directory window will be displayed.
5. Click OK.

Default Policy and Component Created

A default Policy and a Component for the IAS Plug-In should have been created during the installation. If they have not been created, the IAS Plug-In will not process authentication requests.

Note
These steps should only be followed if the Policies and Components have not been modified since installation.

To check that Policies and Components were created successfully during installation:

1. Open the Administration MMC Interface.
2. Click on the Policies node. A Policy named 'Base Policy' should be included in the Policies List.
3. Click on the Components node.
4. Check that a Component named IAS Plug-In is included in the Components List.
5. Double-click on the IAS Plug-In Component record. The Component Properties window will be displayed.
6. Base Policy should be selected in the Policy drop down list.

Fix Installation Errors

Register IAS Plug-In

If they do not currently exist, create the following registry entries under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters key:

Name                Type            Data
AuthorizationDLLs   REG_MULTI_SZ    <install dir>\bin\dpiasext.dll
ExtensionDLLs       REG_MULTI_SZ    <install dir>\bin\dpiasext.dll
Table 37: IAS Plug-In Registry Entries

11.4 View Audit Information

The IAS Plug-In can generate audit messages and save them either to the Windows Event Log or a text file. Your audit settings in the Administration MMC Interface will determine where you should look for each type of audit message.

Windows Event Log

Filter for audit messages from the IAS Plug-In by:

1. Click on View -> Filter...
2. Select Digipass Plug-In for IAS from the Event Source drop down list.
3. Click on OK.

Audit log text file

The audit log file name and location is configured in the Administration MMC Interface.
11.5 Delete all Digipass Data from Active Directory

Digipass-specific information is not removed from Active Directory when the Digipass Plug-In for IAS is uninstalled from a computer. A custom VB script is available which will strip all information related to the IAS Plug-In from a domain. The data removed includes:

- Digipass-Configuration container if present
  - Policy and Component records in container
- Digipass-Pool container if present
  - Digipass records in container
- Digipass-Reserve container if present
  - Digipass records in container
- All Digipass in the domain, including all Digipass Applications.
- Search for all Digipass User Accounts and delete them. Each Digipass User account is deleted by searching for Active Directory Users with the vasco-createtime attribute set (indicating that a Digipass User account has been created for that User). All vasco-userext attributes on the Active Directory User are reset.

Note
The script must be run in each domain from which data is to be removed.

Run Delete Script on a Domain

1. Get the dpdeleteall.vbs file from the CD \Windows\Utilities\VBScript directory and copy it to the computer where you will run the command.
2. Open a cmd prompt, logged in as a domain admin in the domain required.
3. Enter the following:
   cscript dpdeleteall.vbs [<domain>] [-v]
   - If the machine does not belong to the target domain, specify the domain name.
   - If you want a record-by-record progress display, specify -v (verbose mode).

Example

cscript dpdeleteall.vbs dm3.vasco.com -v
12 Audit Messages

To set up auditing in the IAS Plug-In, see Auditing.

12.1 Audit Message Listing

Each entry below gives the Message Code, the Description and the Notes for that message.

E  A system error has occurred.
   This message is used whenever there is a general processing error. It will contain full details of the error.

E  The Digipass Plug-In failed to start up.
   The Plug-In encountered a fatal error on startup, such as an invalid or missing configuration file.

E  The Digipass Plug-In has been forced into the disabled state.
   The Plug-In has started up, but is in a disabled state in which it will not process authentication requests. This is typically due to a license problem (an invalid or missing License Key in the IAS Plug-In Component record), an invalid Component Location setting in the configuration file, or a missing IAS Plug-In Component record.

E  The Active Directory AAL3 library failed to initialize.
   The Active Directory 'AAL3' library encountered a fatal error on initialization, e.g. invalid configuration settings in the configuration file.

E  The Digipass Authentication library failed to initialize.
   The 'Authentication' library encountered a fatal error on initialization, e.g. invalid configuration settings in the configuration file.

E  An error occurred in the Virtual Digipass Message Delivery Component.
   The MDC encountered an error during the process of submitting a request to the HTTP gateway and interpreting the response. This may indicate a configuration problem for the gateway or connectivity issues. The audit message may contain further details from the gateway.

E  The RADIUS Profile was not found in Funk SBR.
   Not applicable to IAS.

W  A connection attempt to Active Directory failed.
   An attempt to connect to an Active Directory Domain Controller failed. This may occur because the Domain Controller is unavailable for some reason such as rebooting, the Domain Controller is temporarily too busy to service the connection, or there are DNS or networking problems.

W  A connection to Active Directory has terminated due to an error.
   An established connection to an Active Directory Domain Controller has broken. This may occur because the Domain Controller suddenly becomes unavailable for some reason such as rebooting, the Domain Controller temporarily becomes too busy to service the connection, or there are DNS or networking problems.

W  Virtual Digipass One Time Password delivery failed.
   The MDC could not successfully deliver a text message via the HTTP gateway. The audit message should contain further details from the gateway.

W  A blank password was used for Back-End Authentication, as Stored Password Proxy is disabled and the user did not enter a static password.
   This message only occurs when the Back-End Authentication setting is Always. When Stored Password Proxy is disabled, the IAS Plug-In does not pass on the password stored in the Digipass User Account to Windows for Back-End Authentication. If a User does not enter their password as well as their OTP, the login will fail because their password has not been provided to Windows.

W  A Backup Virtual Digipass quota of uses has been finished.
   BVDP Uses Remaining has just been decremented to 0 for a Digipass. The User will not be able to use that Digipass for Backup Virtual Digipass logins until the Uses Remaining is increased or cleared.

W  No Digipass was found to assign to a new Digipass User Account for Auto-Assignment.
   No available Digipass were found for Auto-Assignment. This may be because there were no unassigned Digipass in the right location, the unassigned Digipass did not conform to Policy restrictions, or the unassigned Digipass were Reserved for individual assignment. The location in which the IAS Plug-In searches for available Digipass records can be controlled to some extent using the Search Upwards in Org. Unit hierarchy setting.

W  A Digipass User Account has become locked.
   A User has just exceeded the User Lock Threshold of failed logins and their Digipass User Account is now Locked. Administrator action is required to unlock the account.

I  The Digipass Plug-In has started up successfully.
   Configuration details are given in the audit message.

I  The Active Directory AAL3 library has been initialized successfully.
   The Active Directory 'AAL3' library has completed initialization. Configuration details are given in the audit message.

I  The Digipass Authentication library has been initialized successfully.
   The 'Authentication' library has completed initialization. Configuration details are given in the audit message.

I  The Digipass Plug-In has shut down.

I  A connection attempt to Active Directory was successful.

I  A connection to Active Directory has been terminated normally.
   An established connection to an Active Directory Domain Controller has ended with a normal disconnection.

I  A connection to Active Directory has been timed out for load-balancing.
   An established connection to an Active Directory Domain Controller has been ended for load-balancing purposes. Periodically the connections will be dropped and new ones established, in case there is a less busy Domain Controller available. The time period is defined by the configuration setting Max-Bind-LifeTime in the file, in minutes.

I  A RADIUS Access-Request has been received.
   The IAS Plug-In has received an Access-Request. The audit message will indicate what action will be taken as well as key details of the request.

I  A RADIUS Access-Accept has been issued.
   The IAS Plug-In has accepted an Access-Request. Note however that it is still possible that, after the IAS Plug-In has accepted the request, IAS rejects it.

I  A RADIUS Access-Challenge has been issued.
   The IAS Plug-In has issued a challenge, either Challenge/Response or Virtual Digipass.

I  A RADIUS Access-Reject has been issued.
   The IAS Plug-In has rejected an Access-Request.

I  A Digipass has been moved for assignment to a user.
   Upon assignment of a Digipass to a User, if the Digipass is not already in the same location (Organizational Unit) as the User, it is moved to that location.

I  A user-to-user link has been removed due to assignment of a Digipass.
   If a Digipass User Account is linked to another in order to share the Digipass, it must not have a Digipass assigned itself. If a Digipass is assigned, the link will be broken.

I  A Virtual Digipass One Time Password has been delivered.
   The MDC successfully delivered a text message via the HTTP gateway, as reported by the gateway. The audit message may contain further details from the gateway. Note that depending on the gateway, it may still be possible for delivery to fail after the gateway has reported success.

I  User authentication was not handled.
   The IAS Plug-In decided not to handle an authentication request due to Policy and/or Digipass User Account settings. The main reasons why this may occur are: the effective Local Authentication and Back-End Authentication settings were both None; or the User failed the Windows Group Check, using the Authenticate listed groups, pass others through option. Note that the 'effective' settings are the effective settings of the Policy, unless the Digipass User Account overrides the Policy.

I  A Digipass Grace Period has been ended by the use of a One Time Password.
   The first time that an assigned Digipass is used successfully to log in, if a Grace Period is still active, it is ended immediately. The User must continue to use their Digipass to log in after that point.

I  A Backup Virtual Digipass expiration date has been set due to the first request for a Virtual One Time Password.
   A User has requested a Backup Virtual Digipass OTP for the first time, when the effective Backup VDP Enabled setting is Yes - Time Limited and they did not already have an Enabled Until date set on their Digipass. At this time, they are given the Time Limit from the Policy by adding it to the current date.

I  A Backup Virtual Digipass time limit has been expired by the use of the normal One Time Password.
   A User who has been using Backup Virtual Digipass has used their normal OTP login using the Digipass again. When the effective Backup VDP Enabled setting is Yes - Time Limited, using the normal OTP login ends their time limit immediately. This is done by setting the Enabled Until date on their Digipass to the current date. An administrator action is required to reset their Enabled Until date, if the User is to be allowed to use Backup Virtual Digipass again.

I  A Backup Virtual Digipass quota of uses has been set due to the first request for a Virtual One Time Password.
   A User has requested a Backup Virtual Digipass OTP for the first time, when the effective Backup VDP Max. Uses/User setting is greater than 0 and they did not already have a Uses Remaining value set on their Digipass. At this time, they are given the Max. Uses/User limit from the Policy.

I  A Digipass User Account has been created using Dynamic User Registration.
   A Digipass User Account has been created automatically upon successful Back-End Authentication. This occurs when the Dynamic User Registration feature is enabled.

I  A new static password has been stored using Password Autolearn.
   A new static password has been stored in the Digipass User Account after successful Back-End Authentication. This occurs when the Password Autolearn feature is enabled.

I  A Digipass has been assigned to a new Digipass User Account using Auto-Assignment.
   Upon creation of a new Digipass User Account through Dynamic User Registration, an available Digipass has been assigned to the new account automatically. This occurs when the Auto-Assignment feature is enabled.

I  A Digipass has been assigned to a Digipass User Account using Self-Assignment.
   A User has successfully assigned a Digipass to themselves using the Self-Assignment feature.

I  A Digipass challenge has been issued for a Self-Assignment attempt.
   A User has obtained a challenge during an attempt to assign a Digipass to themselves using the Self-Assignment feature. In order to complete the assignment, they must provide the correct response to the challenge from the Digipass.

I  A user has changed their Digipass PIN.
   A User has changed their Server PIN during their login, or set it up on first use or after a PIN reset.

S  A query for a single data object was successful.
   The IAS Plug-In or an administrator has made a successful query to Active Directory for a single record. In the case of the IAS Plug-In this will be a search for its Component record; for an administrator it could be any single record query. The audit message has details of the record found.

S  A query for a list of data objects was successful.
   The IAS Plug-In or an administrator has made a successful query to Active Directory for some records. In the case of the IAS Plug-In this will be a search for a RADIUS Client Component record; for an administrator it could be any list query. The audit message has details of the records found, but this may be truncated.

S  A data object command was successful.
   An administrator has issued a successful data modification command, such as an update of settings or one of the Digipass Application operations like Reset PIN. The audit message has details of the command and results.

S  User authentication was successful.
   The 'Authentication' library has passed authentication for a request. Note however that the IAS Plug-In or IAS itself may still decide to reject the request ultimately.

S  User authentication issued a challenge.
   The 'Authentication' library has issued a challenge for an authentication request, either Challenge/Response or Virtual Digipass.

F  A query for a single data object failed.
   The IAS Plug-In or an administrator has made an unsuccessful query to Active Directory for a single record. In the case of the IAS Plug-In this will be a search for its Component record; for an administrator it could be any single record query. The audit message has basic details of the failure, but there should be a preceding E with more details.

F  A query for a list of data objects failed.
   The IAS Plug-In or an administrator has made an unsuccessful query to Active Directory for some records. In the case of the IAS Plug-In this will be a search for a RADIUS Client Component record; for an administrator it could be any list query. The audit message has basic details of the failure, but there should be a preceding E with more details.

F  A data object command failed.
   An administrator has issued an unsuccessful data modification command, such as an update of settings or one of the Digipass Application operations like Reset PIN. The audit message has basic details of the failure, and there may be a preceding E with more details.

F  User authentication failed.
   The 'Authentication' library has failed authentication for a request. The audit message has details of the failure (see ) and there may be a preceding E with error details.

Table 38: Audit Messages List
12.2 Audit Message Fields

Each entry gives the Display Name of the field and its Description.

Area: Area of code/functionality in which the audit event occurred. E.g. Active Directory search.
Operation: Operation being attempted/processed when the audit event occurred.
Error Code: Standard error code.
Error Message: Fixed error message corresponding to ERROR_CODE.
Error Details: Full dump of the 'error stack'.
Source Location: Location of the source of the audit message, typically IP address or host name.
Server Location: When the server itself is not the source of the audit message, this is the location of the server (IP/host name).
Client Location: When the client itself is not the source of the audit message, this is the location of the client (IP/host name).
Version: Full version string.
Data Source: Type of data source. E.g. File, Registry.
Data Source Location: Specific location of the data source. E.g. for a File, the path/filename.
Configuration Details: Breakdown of configuration settings.
Outcome: Outcome of an attempt to do something. E.g. Success, Failure, Challenge.
Reason: Generally a short phrase indicating a reason for a failure.
Characteristics: Space-separated list of keywords indicating characteristics of interest. E.g. for a connection attempt, keywords such as SSL, TCP, IPv6 may be useful.
User ID: UserID. Can be in various formats, unless it refers to a Digipass User Account UserID, when it must be exact (SAM-Account-Name).
Domain: Domain name (FQDN).
Credentials: What kind of credential was offered for a connection/login attempt. E.g. Password, None.
Session ID: Session identifier.
Serial No: Digipass Serial No.
Application: Digipass Application Name.
Request ID: Any request identifier(s). E.g. a RADIUS packet ID.
Password Protocol: The way in which a password is encoded. E.g. PAP, CHAP, MS-CHAP1, MS-CHAP2.
Input Details: Breakdown of request parameters/attributes.
Action: Intended action to take for a request received. E.g. Ignore, Process.
Output Details: Breakdown of response parameters/attributes.
Policy ID: Name of the Policy used to handle a request.
Mobile No: Mobile phone no. for sending a text message.
From: Location from which something is moved. E.g. an Active Directory location.
To: Location to which something is moved. E.g. an Active Directory location.
User Link: Identification of the user to which another user is linked.
Message: This is used where something external (e.g. the MDC) returns a message for auditing.
Expiration Date: Value of an expiry date such as Grace Period.
Quota: Value of a quota such as Backup Virtual Digipass Uses Remaining.
Local Authentication: Whether Local Authentication was done or not.
Back-End Authentication: If Back-End Authentication was done, the Back-End Protocol used; otherwise None.
Object: Name of the data object of a query/command.
Command: Name of the command.
Fields: The list of fields to be returned by the query, or 'All Fields'.
RADIUS Profile: Name of the RADIUS Profile.

Table 39: Audit Message Fields
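As an added example (not part of the VASCO documentation or product), the following Python walks a batch of audit records, constructed here in an assumed 'CODE|Description|Field=Value;...' layout that reuses the message Descriptions from Table 38 and the field Display Names from Table 39, and raises findings for the events an administrator would act on: a run of authentication failures reaching the User Lock Threshold, an account lockout, an exhausted Backup Virtual Digipass quota, and the Plug-In entering the disabled state. The record layout, the user names, serial numbers and the threshold value are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records in an assumed 'CODE|Description|Field=Value;...'
# layout. The Descriptions and field names come from Tables 38 and 39; the
# layout, user names, serial numbers and values are made up for this example.
SAMPLE_AUDIT = """\
I|A RADIUS Access-Request has been received.|User ID=jdoe;Request ID=17;Password Protocol=PAP;Action=Process
F|User authentication failed.|User ID=jdoe;Serial No=0123456789;Outcome=Failure;Reason=The One Time Password was incorrect
F|User authentication failed.|User ID=jdoe;Serial No=0123456789;Outcome=Failure;Reason=The One Time Password was incorrect
F|User authentication failed.|User ID=jdoe;Serial No=0123456789;Outcome=Failure;Reason=The One Time Password was incorrect
W|A Digipass User Account has become locked.|User ID=jdoe;Domain=example.test
W|A Backup Virtual Digipass quota of uses has been finished.|User ID=asmith;Serial No=9876543210;Quota=0
S|User authentication was successful.|User ID=asmith;Outcome=Success;Local Authentication=Yes
I|The Digipass Plug-In has shut down.|
E|The Digipass Plug-In has been forced into the disabled state.|Area=Startup;Reason=License
"""


def parse_record(line):
    """Split one record into its Message Code, Description and a dict of audit fields."""
    code, description, raw_fields = line.split("|", 2)
    fields = {}
    for pair in raw_fields.split(";"):
        if pair:
            name, _, value = pair.partition("=")
            fields[name.strip()] = value.strip()
    return {"code": code.strip(), "description": description.strip(), "fields": fields}


def parse_audit(text):
    """Parse every non-empty line of an audit batch."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def count_by_code(records):
    """Volume per Message Code (E, W, I, S, F); a sudden rise in F or E is itself a signal."""
    return dict(Counter(rec["code"] for rec in records))


def triage(records, lock_threshold=3):
    """Walk the records in order and return (severity, user, note) findings.

    lock_threshold stands in for the Policy's User Lock Threshold (value assumed);
    a run of F 'User authentication failed.' records is counted per User ID and
    reset by an S 'User authentication was successful.' record for that user.
    """
    findings = []
    consecutive_failures = defaultdict(int)
    for rec in records:
        code, desc, fields = rec["code"], rec["description"], rec["fields"]
        user = fields.get("User ID", "-")
        if code == "F" and desc == "User authentication failed.":
            consecutive_failures[user] += 1
            if consecutive_failures[user] == lock_threshold:
                findings.append(("high", user,
                                 f"{lock_threshold} consecutive failures "
                                 f"({fields.get('Reason', 'no reason given')}); lockout expected"))
        elif code == "S" and desc == "User authentication was successful.":
            consecutive_failures[user] = 0
        elif code == "W" and desc == "A Digipass User Account has become locked.":
            findings.append(("high", user, "account locked; administrator action is required to unlock it"))
        elif code == "W" and desc == "A Backup Virtual Digipass quota of uses has been finished.":
            findings.append(("medium", user,
                             f"Backup VDP Uses Remaining is {fields.get('Quota', '?')} "
                             f"for Serial No {fields.get('Serial No', '?')}"))
        elif code == "E" and desc == "The Digipass Plug-In has been forced into the disabled state.":
            findings.append(("critical", user,
                             "Plug-In is disabled and will not process authentication requests "
                             "(check the License Key, Component Location and Component record)"))
    return findings


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print(count_by_code(recs))
    for severity, user, note in triage(recs):
        print(f"[{severity}] {user}: {note}")
```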
13 Error and Status Codes

This section lists the standard error and status codes with the associated messages.

13.1 Error Code Listing

Each entry gives the Error Code, the Message and the Notes. Where the extracted text does not show a code, the entry is marked (code missing).

0    (No error)

-1   An unspecified error occurred
     This error code may occur when a more specific error code is not available or was recorded separately.

-2   The parameters supplied were invalid
     Parameters supplied to a function or command were invalid.

-3   A memory error occurred
     Memory allocation failed. This is normally due to the system running low on memory.

-10  A communications error occurred
     Inter-process or inter-component communication failed. This may also occur with communications to Active Directory or a database. This error is normally accompanied by further details.

-11  A license error has occurred
     General-purpose license failure when a more specific code is not available or was recorded separately.

-12  An operating system call failed
     A system call failed. This may include file handling, Active Directory Services Interface and other calls. It is normally accompanied by further details.

-13  The object was not found
     An attempt was made to perform an operation on an object, such as an Active Directory object, but the object did not exist. For example, this may occur when one administrator deletes a record that another administrator is about to update, when the update operation is attempted.

-14  The object already exists
     An attempt was made to create an object, such as an Active Directory object, but the object already exists. For example, this may occur when two administrators try to create the same record at the same time.

-15  The supplied buffer was of the incorrect size
     An internal data buffer was of insufficient length to hold the data required.

-16  A version error has occurred
     A version mismatch has occurred. Further details in the error record will indicate which versions were mismatched.

-17  The supplied data are invalid
     General-purpose error when input data to an operation is incorrect. Further details of the error will be recorded.

-18  The object is invalid
     An attempt was made to perform an operation upon an object type that was not recognized.

-19  The command is invalid
     An attempt was made to perform an operation using a command that was not recognized.

-20  The object is in use
     An attempt was made to delete an object, such as an Active Directory object, but that object was in use. This may occur when you try to delete a Policy, but another Policy inherits from the one you are deleting, or a Component uses the Policy.

-21  The operation is not supported
     General-purpose error when an operation is attempted on an object that does not support it. For example, an attempt is made to generate a Virtual Digipass OTP using a Digipass that is not enabled for Virtual Digipass.

-22  An object error has occurred
     General-purpose error on an operation on an object. This should be supplemented with more specific details.

-23  A required field was missing
     An operation was attempted without specifying one or more mandatory input fields.

-30  The configuration is invalid
     The configuration data in the configuration file are invalid. The error record should indicate which specific data were invalid.

-31  A type mismatch has occurred
     General-purpose error when one datatype is expected but a different datatype was provided.

-32  One or more objects were not initialized
     Internal initialization error. More specific error details will be recorded.

-33  The cache is full
     An attempt was made to add an entry to a cache, but the cache has reached its configured maximum size.

-34  The cache entry has reached the maximum reference count
     An attempt was made to retrieve an item from a cache, but the item was already in use and the configuration indicates a limit on the number of times an item can be retrieved from the cache at one time.

(code missing)  A Digipass error has occurred
     General-purpose failure of a Digipass operation such as OTP verification, Reset PIN, Unlock, etc. This is normally accompanied by a more specific error code and message from the VACMAN Controller library.

(code missing)  Delivery of the Virtual Digipass One-Time Password failed
     A Virtual Digipass OTP was generated successfully, but delivery by text message failed. A separate message will give more details about the failure.

(code missing)  The license has expired
     The License Key has an expiration date set, and the date has passed. A permanent License Key must be obtained.

(code missing)  The license data are invalid
     One of the details embedded into the License Key is invalid for the Component in which it is being loaded. The Component will not be able to use the License Key. This may be the IP address, Component Type, or any other detail that can be seen in the License Key text.

(code missing)  The License Key is corrupted
     The signature at the bottom of the License Key is invalid. This would typically occur if the License Key details were modified in any way.

(code missing)  Decryption has failed - no Storage Key is specified in the Encryption Settings
     Some encrypted data has been created or modified using configured, rather than default, encryption settings. This error occurs when that data is read by a component that does not have configured encryption settings; the component is therefore unable to decrypt the data. It is necessary to configure the encryption settings in the component. See 2.4 Sensitive Data Encryption for more information on encryption settings.

(code missing)  Decryption has failed - an incorrect Cipher is specified in the Encryption Settings
     Some encrypted data has been created or modified using differently configured encryption settings. This error occurs when that data is read by a component with configured encryption settings that use a different Cipher Name; the component is therefore unable to decrypt the data. It is necessary to make sure that the encryption settings in all components are identical. See 2.4 Sensitive Data Encryption for more information.

(code missing)  Decryption has failed - an incorrect Storage Key is specified in the Encryption Settings
     Some encrypted data has been created or modified using differently configured encryption settings. This error occurs when that data is read by a component with configured encryption settings that use a different Storage Key; the component is therefore unable to decrypt the data. It is necessary to make sure that the encryption settings in all components are identical. See 2.4 Sensitive Data Encryption for more information.

Table 40: Error Code List

13.2 Status Code Listing

Each entry gives the Status Code, the Message and the Notes. Where the extracted text does not show a code, the entry is marked (code missing).

0    No error

<all negative codes>  <same as the Error Codes, see above>
     The status codes from -1 downwards match the Error Codes above.

(code missing)  The credentials were invalid
     General-purpose failure due to an invalid username or password, when a more specific status is unavailable.

(code missing)  The user failed the Windows Group Check
     The IAS Plug-In rejected an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, reject others. Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.

(code missing)  The challenge has expired
     A response to a challenge has been given, but the expiration time for the challenge has passed. The default expiration time is one minute; however, this can be configured in the configuration file VASCO/AAL3/Authlib/Challenge-Cache/MaxAge setting (in seconds).

(code missing)  The user does not have permission to perform the specified action
     General-purpose failure of an administration command when the administrator does not have sufficient privileges to carry out the command.

(code missing)  The user account is locked
     The Digipass User Account is Locked. This is normally due to consecutive login failures, as determined by the Policy setting User Lock Threshold. Alternatively, the administrator can actively lock the account. To unlock the User account, an administrator has to uncheck the Locked checkbox on the User record.

(code missing)  The One Time Password has already been used
     This status code occurs specifically when an OTP is rejected because it has already been used. It may also occur when the OTP has not been used but is older than the most recently used OTP. This can sometimes happen when an authentication request is re-sent automatically.

(code missing)  The user account is disabled
     The Digipass User Account is Disabled. This may be because the administrator has actively disabled the account, or because the corresponding Windows User account has become disabled or expired.

(code missing)  No user account was found
     An authentication request was rejected because no Digipass User Account was found and Local Authentication is required by the Policy.

(code missing)  The static password was incorrect
     As part of Local Authentication, verification of the static password failed.

1012  The One Time Password was incorrect
     Verification of the OTP failed. More specific details may be found in the VACMAN Controller error code and message.

(code missing)  The challenge was invalid
     A response to a challenge was given, but the challenge was not the latest one issued for that Digipass. This is controlled by the Check Challenge Policy setting.

(code missing)  The Digipass Grace Period has expired
     A User attempted to log in with their static password, but their Grace Period had already expired. They have to use a Digipass to log in. If they do not have their Digipass yet, the administrator will have to allow them more time by modifying the Grace Period End date on their Digipass record.

(code missing)  Backup Virtual Digipass is not allowed
     A User attempted to request a Backup Virtual Digipass OTP, but they were not permitted. This would normally occur when either: the effective Backup VDP Enabled setting is Yes - Time Limited, and the Digipass Backup VDP Enabled Until date is the current date or before; or the Digipass Backup VDP Uses Remaining counter has reached 0. In both cases, administrator intervention is required to permit the User to continue to use Backup Virtual Digipass. The Enabled Until or Uses Remaining limits need to be increased to permit this. Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass record overrides the Policy.

(code missing)  The Digipass is not available
     A User attempted Self-Assignment, but the Digipass they requested either could not be found within the search scope or was already assigned to someone else. This may occur because of a mistyped Serial Number. Otherwise, the search scope may be incorrect or the Digipass may not be in the correct location to be made available to the User. See the Location of Digipass Records section in the Product Guide.

(code missing)  The user account has no mobile number for Virtual Digipass
     A User requested a Primary or Backup Virtual Digipass OTP, but it could not be delivered because the User account had no mobile phone number. In Active Directory this is the first Mobile No. on the record.

(code missing)  No password was supplied for a Virtual Digipass login
     A User attempted a Virtual Digipass login, but did not enter a password in the second stage of the login. See Virtual Digipass for more information.

(code missing)  Local authentication failed
     General-purpose failure of Local Authentication when a more specific status code is not available. Additional information should provide more specific details.

(code missing)  Back-end authentication reported that the password has expired
     Back-End Authentication (e.g. Windows) failed because the password was correct but it has expired.

(code missing)  Back-end authentication failed
     Back-End Authentication (e.g. Windows) failed. A specific error code and message will accompany this record.

(code missing)  The policy was invalid
     An authentication request was rejected because the applicable Policy had invalid settings or failed to load. This should not occur, but is possible due to the delay in Active Directory replication, for example. The two main ways in which a Policy can become invalid are: one or more choice list settings are Default in the Policy, and in its parent Policy if it has one; or a circular chain of Policies has been created, for example: Policy A inherits from Policy B; Policy B inherits from Policy C; Policy C inherits from Policy A. The Policy must be fixed in order for authentication to be permitted using that Policy.

(code missing)  The policy does not allow a self-assignment attempt
     A User attempted Self-Assignment, but it is not permitted under the Policy.

(code missing)  Hashed passwords cannot be verified by Windows
     An authentication request could not be processed successfully because Back-End Authentication using Windows was required, but the User's password was hashed. It is not possible to verify hashed passwords with Windows. This can occur when a CHAP-based protocol is used; this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols that utilize a one-way hash of the password entered by the User. Note that the effective Back-End Authentication setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.

(code missing)  A Digipass must be used
     The effective Local Authentication setting is Digipass Only and the User tried to log in with a static password. Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.

(code missing)  Challenge/Response is not supported by CHAP-based protocols
     Challenge/Response is only supported in RADIUS using the PAP protocol. An attempt was made to generate a challenge using a CHAP-based protocol; this includes CHAP, MS-CHAP, MS-CHAP2, EAP-MD5 and other more complex protocols.

(code missing)  Challenge/Response is not supported by Windows 2000
     This status code can only occur in the Digipass Plug-In for IAS. There is a product limitation on Windows 2000 only that Challenge/Response is not supported. It will occur if the User attempted to request a challenge.

(code missing)  A Digipass Challenge was returned
     This status code is the standard code when a challenge is issued and does not indicate any kind of error.

(code missing)  The user failed the Windows Group Check
     The IAS Plug-In decided not to handle an authentication request due to the Windows Group Check failing. This can occur when the effective Windows Group Check option is Authenticate listed groups, pass others through. In this case, IAS will process the request itself using other authentication methods. Note that the 'effective' setting is the effective setting of the Policy, unless the Digipass User Account overrides the Policy.

(code missing)  Neither local nor back-end authentication was done due to policy and/or user settings
     The IAS Plug-In decided not to handle an authentication request because the effective Local Authentication and Back-End Authentication settings were both None. In this case, IAS will process the request itself using other authentication methods. Note that the 'effective' settings are the effective settings of the Policy, unless the Digipass User Account overrides the Policy.

Table 41: Status Code List
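As an added example (not VASCO's code), the following Python models the 'effective setting' rule repeated in the status code notes: a setting is taken from the Digipass User Account if it overrides the Policy, otherwise from the Policy, walking up the parent chain while the value is Default, and it reports the two ways the notes say a Policy becomes invalid (a Default that is never resolved, and a circular chain such as Policy A inheriting from B, B from C and C from A). It then classifies a request as 'not handled', rejected or authenticated using the status code wording above. The Policy names, the 'No Check' option value and the order in which the checks are applied are assumptions; Always, None, Digipass Only and the two 'Authenticate listed groups' options are the page's own values.

```python
class PolicyError(Exception):
    """Raised when a Policy cannot be used (status 'The policy was invalid')."""


def effective_setting(policies, policy_name, setting, user_overrides=None):
    """Resolve the 'effective' value of a choice-list setting.

    A value overridden on the Digipass User Account wins outright. Otherwise
    the Policy chain is walked upwards while the value is 'Default'. A chain
    that revisits a Policy is circular, and a 'Default' that survives to the
    top is unresolved; both make the Policy invalid.
    """
    if user_overrides and user_overrides.get(setting, "Default") != "Default":
        return user_overrides[setting]
    visited = []
    name = policy_name
    while name is not None:
        if name in visited:
            raise PolicyError("circular chain of Policies: " + " -> ".join(visited + [name]))
        visited.append(name)
        policy = policies.get(name)
        if policy is None:
            raise PolicyError(f"Policy {name!r} failed to load")
        value = policy["settings"].get(setting, "Default")
        if value != "Default":
            return value
        name = policy["parent"]
    raise PolicyError(f"{setting!r} is Default in {policy_name!r} and in every parent")


def validate_policy(policies, policy_name, settings):
    """Return the problems that would make requests under this Policy fail with
    'The policy was invalid'; an empty list means the Policy is usable."""
    problems = []
    for setting in settings:
        try:
            effective_setting(policies, policy_name, setting)
        except PolicyError as exc:
            problems.append(str(exc))
    return problems


def decide_request(policies, policy_name, user_overrides, in_listed_group, used_otp):
    """Classify a request as 'not handled' (left to IAS), 'reject' or 'authenticate'.

    Outcomes and wording follow the status code notes; the order in which the
    checks are applied is an assumption of this example.
    """
    def get(setting):
        return effective_setting(policies, policy_name, setting, user_overrides)

    local = get("Local Authentication")
    backend = get("Back-End Authentication")
    group_check = get("Windows Group Check")
    if local == "None" and backend == "None":
        return ("not handled",
                "Neither local nor back-end authentication was done due to policy and/or user settings")
    if group_check == "Authenticate listed groups, pass others through" and not in_listed_group:
        return ("not handled", "The user failed the Windows Group Check")
    if group_check == "Authenticate listed groups, reject others" and not in_listed_group:
        return ("reject", "The user failed the Windows Group Check")
    if local == "Digipass Only" and not used_otp:
        return ("reject", "A Digipass must be used")
    return ("authenticate", None)


# Constructed Policies (names assumed). 'No Check' is an assumed option value;
# 'Default' means 'inherit from the parent Policy'.
POLICIES = {
    "Base": {"parent": None, "settings": {
        "Local Authentication": "Digipass Only",
        "Back-End Authentication": "None",
        "Windows Group Check": "No Check"}},
    "VPN Users": {"parent": "Base", "settings": {
        "Local Authentication": "Default",
        "Back-End Authentication": "Always",
        "Windows Group Check": "Authenticate listed groups, pass others through"}},
    "Strict": {"parent": "Base", "settings": {
        "Windows Group Check": "Authenticate listed groups, reject others"}},
    "Pass-Through": {"parent": None, "settings": {
        "Local Authentication": "None",
        "Back-End Authentication": "None",
        "Windows Group Check": "No Check"}},
    "Orphan": {"parent": None, "settings": {"Local Authentication": "Default"}},
    "Policy A": {"parent": "Policy B", "settings": {}},   # circular chain A -> B -> C -> A
    "Policy B": {"parent": "Policy C", "settings": {}},
    "Policy C": {"parent": "Policy A", "settings": {}},
}
SETTINGS = ("Local Authentication", "Back-End Authentication", "Windows Group Check")

if __name__ == "__main__":
    for name in POLICIES:
        problems = validate_policy(POLICIES, name, SETTINGS)
        print(name, "OK" if not problems else problems[0])
    print(decide_request(POLICIES, "VPN Users", None, True, False))
```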
14 Technical Support

If you encounter problems with a VASCO product, please do the following:

1. Read the 11 How to troubleshoot topic for help in discovering the source of your problem.
2. Check if your problem is resolved in the FAQs section located at the following URL:
3. If you do not find the information you need in the FAQs, please contact the company that sold you the VASCO product.

Only after doing steps 1 and 2, if your needs are still not completely met, please contact VASCO support:

14.1 Support Contact Information

Email: [email protected]
Website:
Phone:
  Australia (Sydney)
  Belgium (Brussels)
  Singapore
  USA (Boston)
Digipass Plug-In for IAS troubleshooting guide. Creation date: 15/03/2007 Last Review: 24/09/2007 Revision number: 3
Digipass Plug-In for IAS troubleshooting guide. Creation date: 15/03/2007 Last Review: 24/09/2007 Revision number: 3 Document type: Whitepaper Security status: EXTERNAL Summary This document explains how
Creation date: 09/05/2007 Last Review: 31/01/2008 Revision number: 3
Middleware 3.0 troubleshooting Creation date: 09/05/2007 Last Review: 31/01/2008 Revision number: 3 Document type: Whitepaper Security status: EXTERNAL Summary This document explains how to troubleshoot
DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access
DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations
Identikey Server Product Guide 3.0 3.1
Identikey Server Product Guide 3.0 3.1 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without
2007 Digipass Pack for OWA 2007 Basic Authentication IIS IIS 6 Module Authentication Server web site Digipass Pack for OWA 2007 Basic Authentication
2007 Digipass Pack for OWA 2007 Basic Authentication IIS IIS 6 Module Authentication Server web site Digipass Pack for OWA 2007 Basic Authentication 3.0 dppack Basic Forms Disclaimer of Warranties and
IDENTIKEY Server Product Guide 3.0 3.1
IDENTIKEY Server Product Guide 3.0 3.1 Disclaimer of Warranties and Limitations of Liabilities Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without
Active Directory Change Notifier Quick Start Guide
Active Directory Change Notifier Quick Start Guide Software version 3.0 Mar 2014 Copyright 2014 CionSystems Inc., All Rights Reserved Page 1 2014 CionSystems Inc. ALL RIGHTS RESERVED. This guide may not
DIGIPASS Authentication for Remote Desktop Web Access User Manual 3.4
DIGIPASS Authentication for Remote Desktop Web Access User Manual 3.4 Disclaimer Disclaimer of Warranties and Limitations of Liabilities The Product is provided on an 'as is' basis, without any other warranties,
SafeGuard Enterprise Web Helpdesk. Product version: 6.1
SafeGuard Enterprise Web Helpdesk Product version: 6.1 Document date: February 2014 Contents 1 SafeGuard web-based Challenge/Response...3 2 Scope of Web Helpdesk...4 3 Installation...5 4 Allow Web Helpdesk
SolarWinds Migrating SolarWinds NPM Technical Reference
SolarWinds Migrating SolarWinds NPM Technical Reference Copyright 1995-2015 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any means nor modified,
Sophos Disk Encryption License migration guide. Product version: 5.61 Document date: June 2012
Sophos Disk Encryption License migration guide Product version: 5.61 Document date: June 2012 Contents 1 About this guide...3 2 Add encryption to an existing Sophos security solution...5 3 SDE/SGE 4.x
SafeGuard Enterprise Web Helpdesk. Product version: 6 Document date: February 2012
SafeGuard Enterprise Web Helpdesk Product version: 6 Document date: February 2012 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Helpdesk
Dell InTrust 11.0. Preparing for Auditing Microsoft SQL Server
2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.
WhatsUp Gold v16.3 Installation and Configuration Guide
WhatsUp Gold v16.3 Installation and Configuration Guide Contents Installing and Configuring WhatsUp Gold using WhatsUp Setup Installation Overview... 1 Overview... 1 Security considerations... 2 Standard
Dell Recovery Manager for Active Directory 8.6. Quick Start Guide
Dell Recovery Manager for Active Directory 8.6 2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished
SafeGuard Enterprise upgrade guide. Product version: 7
SafeGuard Enterprise upgrade guide Product version: 7 Document date: December 2014 Contents 1 About this guide...3 2 Check the system requirements...4 3 Download installers...5 4 About upgrading...6 4.1
SafeGuard Enterprise Web Helpdesk
SafeGuard Enterprise Web Helpdesk Product version: 5.60 Document date: April 2011 Contents 1 SafeGuard web-based Challenge/Response...3 2 Installation...5 3 Authentication...8 4 Select the Web Help Desk
Digipass for Citrix VM3.0: troubleshooting guide. Creation date: 11/07/2007 Last Review: 30/11/2007 Revision number: 2
Digipass for Citrix VM3.0: troubleshooting guide Creation date: 11/07/2007 Last Review: 30/11/2007 Revision number: 2 Document type: Whitepaper Security status: EXTERNAL Summary This document describes
Security Explorer 9.5. User Guide
2014 Dell Inc. ALL RIGHTS RESERVED. This guide contains proprietary information protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement.
Active Directory Rights Management Service Integration Guide
Active Directory Rights Management Service Integration Guide Preface Preface 2013 SafeNet, Inc. All rights reserved. Part Number: 007-011230-001 (Rev F, 07/2013) All intellectual property is protected
NETWRIX ACCOUNT LOCKOUT EXAMINER
NETWRIX ACCOUNT LOCKOUT EXAMINER ADMINISTRATOR S GUIDE Product Version: 4.1 July 2014. Legal Notice The information in this publication is furnished for information use only, and does not constitute a
EMC Celerra Network Server
EMC Celerra Network Server Release 5.6.47 Using Windows Administrative Tools with Celerra P/N 300-004-139 REV A02 EMC Corporation Corporate Headquarters: Hopkintons, MA 01748-9103 1-508-435-1000 www.emc.com
Symantec NetBackup Backup, Archive, and Restore Getting Started Guide. Release 7.5
Symantec NetBackup Backup, Archive, and Restore Getting Started Guide Release 7.5 Symantec NetBackup Backup, Archive, and Restore Getting Started Guide The software described in this book is furnished
IDENTIKEY Appliance Administrator Guide 3.3.5.0 3.6.8
IDENTIKEY Appliance Administrator Guide 3.3.5.0 3.6.8 Disclaimer of Warranties and Limitations of Liabilities Legal Notices Copyright 2008 2015 VASCO Data Security, Inc., VASCO Data Security International
DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication
DIGIPASS KEY series and smart card series for Juniper SSL VPN Authentication Certificate Based 2010 Integration VASCO Data Security. Guideline All rights reserved. Page 1 of 31 Disclaimer Disclaimer of
DIGIPASS Authentication for Check Point Connectra
DIGIPASS Authentication for Check Point Connectra With IDENTIKEY Server 2009 Integration VASCO Data Security. Guideline All rights reserved. Page 1 of 21 Disclaimer Disclaimer of Warranties and Limitations
SafeGuard Easy upgrade guide. Product version: 7
SafeGuard Easy upgrade guide Product version: 7 Document date: December 2014 Contents 1 About this guide...3 2 Check the system requirements...4 3 Download installers...5 4 About upgrading...6 4.1 Upgrade
Sophos Enterprise Console server to server migration guide. Product version: 5.1 Document date: June 2012
Sophos Enterprise Console server to server migration guide Product : 5.1 Document date: June 2012 Contents 1 About this guide...3 2 Terminology...4 3 Assumptions...5 4 Prerequisite...6 5 What are the key
SafeGuard Enterprise upgrade guide. Product version: 6.1
SafeGuard Enterprise upgrade guide Product version: 6.1 Document date: February 2014 Contents 1 About this guide...3 2 Check the system requirements...4 3 Download installers...5 4 About upgrading...6
Using Windows Administrative Tools on VNX
EMC VNX Series Release 7.0 Using Windows Administrative Tools on VNX P/N 300-011-833 REV A01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright 2011 -
DIGIPASS Authentication for Juniper ScreenOS
DIGIPASS Authentication for Juniper ScreenOS With Vasco VACMAN Middleware 3.0 2007 Integration VASCO Data Security. Guideline All rights reserved. Page 1 of 53 Disclaimer Disclaimer of Warranties and Limitations
safend a w a v e s y s t e m s c o m p a n y
safend a w a v e s y s t e m s c o m p a n y SAFEND Data Protection Suite Installation Guide Version 3.4.5 Important Notice This guide is delivered subject to the following conditions and restrictions:
Enterprise Vault Installing and Configuring
Enterprise Vault Installing and Configuring Enterprise Vault 6.0 Legal Notice Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, VERITAS, the VERITAS Logo, and Enterprise
Integrating LANGuardian with Active Directory
Integrating LANGuardian with Active Directory 01 February 2012 This document describes how to integrate LANGuardian with Microsoft Windows Server and Active Directory. Overview With the optional Identity
Use QNAP NAS for Backup
Use QNAP NAS for Backup BACKUP EXEC 12.5 WITH QNAP NAS Copyright 2010. QNAP Systems, Inc. All Rights Reserved. V1.0 Document revision history: Date Version Changes Apr 2010 1.0 Initial release Note: Information
Database Administration Guide
Database Administration Guide 013008 2008 Blackbaud, Inc. This publication, or any part thereof, may not be reproduced or transmitted in any form or by any means, electronic, or mechanical, including photocopying,
INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505
INTEGRATION GUIDE DIGIPASS Authentication for Cisco ASA 5505 Disclaimer DIGIPASS Authentication for Cisco ASA5505 Disclaimer of Warranties and Limitation of Liabilities All information contained in this
TSM Studio Server User Guide 2.9.0.0
TSM Studio Server User Guide 2.9.0.0 1 Table of Contents Disclaimer... 4 What is TSM Studio Server?... 5 System Requirements... 6 Database Requirements... 6 Installing TSM Studio Server... 7 TSM Studio
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright
DIGIPASS Authentication for Check Point Security Gateways
DIGIPASS Authentication for Check Point Security Gateways With IDENTIKEY Server 2009 Integration VASCO Data Security. Guideline All rights reserved. Page 1 of 38 Disclaimer Disclaimer of Warranties and
NetBackup Backup, Archive, and Restore Getting Started Guide
NetBackup Backup, Archive, and Restore Getting Started Guide UNIX, Windows, and Linux Release 6.5 Veritas NetBackup Backup, Archive, and Restore Getting Started Guide Copyright 2007 Symantec Corporation.
Symantec Backup Exec System Recovery Exchange Retrieve Option User's Guide
Symantec Backup Exec System Recovery Exchange Retrieve Option User's Guide Symantec Backup Exec System Recovery Exchange Retrieve Option User's Guide The software described in this book is furnished under
MicrosoftDynam ics GP 2015. TenantServices Installation and Adm inistration Guide
MicrosoftDynam ics GP 2015 TenantServices Installation and Adm inistration Guide Copyright Copyright 2014 Microsoft Corporation. All rights reserved. Limitation of liability This document is provided as-is.
Software License Registration Guide
Software License Registration Guide When you have purchased new software Chapter 2 Authenticating a License When you would like to use the software on a different PC Chapter 3 Transferring a License to
Sophos Enterprise Console server to server migration guide. Product version: 5.2
Sophos Enterprise Console server to server migration guide Product : 5.2 Document date: December 2014 Contents 1 About this guide...3 2 Terminology...4 3 Assumptions...5 4 Prerequisite...6 5 What are the
VERITAS Backup Exec TM 10.0 for Windows Servers
VERITAS Backup Exec TM 10.0 for Windows Servers Quick Installation Guide N134418 July 2004 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software
How To Install Powerpoint 6 On A Windows Server With A Powerpoint 2.5 (Powerpoint) And Powerpoint 3.5.5 On A Microsoft Powerpoint 4.5 Powerpoint (Powerpoints) And A Powerpoints 2
DocAve 6 Service Pack 1 Installation Guide Revision C Issued September 2012 1 Table of Contents About the Installation Guide... 4 Submitting Documentation Feedback to AvePoint... 4 Before You Begin...
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide
Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003, Windows Server 2008 5.1 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright
ChangeAuditor. Migration Guide CA-MG-0808-470
ChangeAuditor Migration Guide CA-MG-0808-470 Copyright 2008 NetPro Computing, Inc. Disclaimer NetPro Computing, Inc. (NetPro) makes no representations or warranties, either expressed or implied, with
Sage Intelligence Financial Reporting for Sage ERP X3 Version 6.5 Installation Guide
Sage Intelligence Financial Reporting for Sage ERP X3 Version 6.5 Installation Guide Table of Contents TABLE OF CONTENTS... 3 1.0 INTRODUCTION... 1 1.1 HOW TO USE THIS GUIDE... 1 1.2 TOPIC SUMMARY...
About Recovery Manager for Active
Dell Recovery Manager for Active Directory 8.6.1 May 30, 2014 These release notes provide information about the Dell Recovery Manager for Active Directory release. About Resolved issues Known issues System
Lenovo Online Data Backup User Guide Version 1.8.14
Lenovo Online Data Backup User Guide Version 1.8.14 Contents Chapter 1: Installing Lenovo Online Data Backup...5 Downloading the Lenovo Online Data Backup Client...5 Installing the Lenovo Online Data
Setup and Configuration Guide for Pathways Mobile Estimating
Setup and Configuration Guide for Pathways Mobile Estimating Setup and Configuration Guide for Pathways Mobile Estimating Copyright 2008 by CCC Information Services Inc. All rights reserved. No part of
Video Administration Backup and Restore Procedures
CHAPTER 12 Video Administration Backup and Restore Procedures This chapter provides procedures for backing up and restoring the Video Administration database and configuration files. See the following
Using Microsoft Active Directory Server and IAS Authentication
StoneGate How-To Using Microsoft Active Directory Server and IAS Authentication StoneGate Firewall/VPN 3.0.7 and Management Center 4.1 Table of Contents Basic Scenario...page 3 Configuring a Windows 2003
DIGIPASS Authentication for Sonicwall Aventail SSL VPN
DIGIPASS Authentication for Sonicwall Aventail SSL VPN With VASCO IDENTIKEY Server 3.0 Integration Guideline 2009 Vasco Data Security. All rights reserved. PAGE 1 OF 52 Disclaimer Disclaimer of Warranties
Richmond SupportDesk Web Reports Module For Richmond SupportDesk v6.72. User Guide
Richmond SupportDesk Web Reports Module For Richmond SupportDesk v6.72 User Guide Contents 1 Introduction... 4 2 Requirements... 5 3 Important Note for Customers Upgrading... 5 4 Installing the Web Reports
SQL Server Setup for Assistant/Pro applications Compliance Information Systems
SQL Server Setup for Assistant/Pro applications Compliance Information Systems The following document covers the process of setting up the SQL Server databases for the Assistant/PRO software products form
Move a VM 3.0 with AD Integration to a new server. Creation date: 17/06/2008 Last Review: 26/06/2008 Revision number: 1
Move a VM 3.0 with AD Integration to a new server. Creation date: 17/06/2008 Last Review: 26/06/2008 Revision number: 1 Document type: How To Security status: EXTERNAL Summary This Document describes how
TIBCO Spotfire Automation Services 6.5. Installation and Deployment Manual
TIBCO Spotfire Automation Services 6.5 Installation and Deployment Manual Revision date: 17 April 2014 Important Information SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED
Preparing Your Server for an MDsuite Installation
Preparing Your Server for an MDsuite Installation Introduction This document is intended for those clients who have purchased the MDsuite Application Server software and will be scheduled for an MDsuite
Sophos SafeGuard Native Device Encryption for Mac Administrator help. Product version: 7
Sophos SafeGuard Native Device Encryption for Mac Administrator help Product version: 7 Document date: December 2014 Contents 1 About SafeGuard Native Device Encryption for Mac...3 1.1 About this document...3
Quest ChangeAuditor 4.8
Quest ChangeAuditor 4.8 Migration Guide Copyright Quest Software, Inc. 2009. All rights reserved. This guide contains proprietary information protected by copyright. The software described in this guide
EMC RepliStor for Microsoft Windows ERROR MESSAGE AND CODE GUIDE P/N 300-002-826 REV A02
EMC RepliStor for Microsoft Windows ERROR MESSAGE AND CODE GUIDE P/N 300-002-826 REV A02 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com Copyright 2003-2005
TANDBERG MANAGEMENT SUITE 10.0
TANDBERG MANAGEMENT SUITE 10.0 Installation Manual Getting Started D12786 Rev.16 This document is not to be reproduced in whole or in part without permission in writing from: Contents INTRODUCTION 3 REQUIREMENTS
Windows Domain Network Configuration Guide
Windows Domain Network Configuration Guide Windows Domain Network Configuration Guide for CCC Pathways Copyright 2008 by CCC Information Services Inc. All rights reserved. No part of this publication may
Lepide Exchange Recovery Manager
Configuration Guide Lepide Exchange Recovery Manager Lepide Software Private Limited, All Rights Reserved This User Guide and documentation is copyright of Lepide Software Private Limited, with all rights
Novell ZENworks 10 Configuration Management SP3
AUTHORIZED DOCUMENTATION Software Distribution Reference Novell ZENworks 10 Configuration Management SP3 10.3 November 17, 2011 www.novell.com Legal Notices Novell, Inc., makes no representations or warranties
NovaBACKUP. Storage Server. NovaStor / May 2011
NovaBACKUP Storage Server NovaStor / May 2011 2011 NovaStor, all rights reserved. All trademarks are the property of their respective owners. Features and specifications are subject to change without notice.
VMware Mirage Web Manager Guide
Mirage 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,
Acronis SharePoint Explorer. User Guide
Acronis SharePoint Explorer User Guide Table of contents 1 Introducing Acronis SharePoint Explorer... 3 1.1 Supported Microsoft SharePoint versions... 3 1.2 Supported backup locations... 3 1.3 Licensing...
Disaster Recovery. Websense Web Security Web Security Gateway. v7.6
Disaster Recovery Websense Web Security Web Security Gateway v7.6 1996 2011, Websense, Inc. All rights reserved. 10240 Sorrento Valley Rd., San Diego, CA 92121, USA Published 2011 The products and/or methods
Dell Recovery Manager for Active Directory 8.6.0
Dell Recovery Manager for Active Directory 8.6.0 April, 2014 These release notes provide information about the Recovery Manager for Active Directory release. About Recovery Manager for Active Directory
Use Enterprise SSO as the Credential Server for Protected Sites
Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured
Check Point FDE integration with Digipass Key devices
INTEGRATION GUIDE Check Point FDE integration with Digipass Key devices 1 VASCO Data Security Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document
DIGIPASS as a Service. Google Apps Integration
DIGIPASS as a Service Google Apps Integration April 2011 Table of Contents 1. Introduction 1.1. Audience and Purpose of this Document 1.2. Available Guides 1.3. What is DIGIPASS as a Service? 1.4. About
VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide
VERITAS Backup Exec 9.1 for Windows Servers Quick Installation Guide N109548 Disclaimer The information contained in this publication is subject to change without notice. VERITAS Software Corporation makes
axsguard Gatekeeper Open VPN How To v1.4
axsguard Gatekeeper Open VPN How To v1.4 Legal Notice VASCO Products VASCO Data Security, Inc. and/or VASCO Data Security International GmbH are referred to in this document as 'VASCO'. VASCO Products
DIGIPASS Authentication for SonicWALL SSL-VPN
DIGIPASS Authentication for SonicWALL SSL-VPN With VACMAN Middleware 3.0 2006 VASCO Data Security. All rights reserved. Page 1 of 53 Integration Guideline Disclaimer Disclaimer of Warranties and Limitations
Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide
Deploying Remote Desktop Connection Broker with High Availability Step-by-Step Guide Microsoft Corporation Published: May 2010 Abstract This guide describes the steps for configuring Remote Desktop Connection
DIGIPASS Authentication for Cisco ASA 5500 Series
DIGIPASS Authentication for Cisco ASA 5500 Series With IDENTIKEY Server 2010 Integration VASCO Data Security. Guideline All rights reserved. Page 1 of 20 Disclaimer Disclaimer of Warranties and Limitations
VMware vcenter Configuration Manager Backup and Disaster Recovery Guide vcenter Configuration Manager 5.4.1
VMware vcenter Configuration Manager Backup and Disaster Recovery Guide vcenter Configuration Manager 5.4.1 This document supports the version of each product listed and supports all subsequent versions
Active Directory 2008 Operations
The Essentials Series Active Directory 2008 Operations sponsored by by Greg Shields Understanding Active Directory Recovery in Windows Server 2008...1 Backing Up AD...1 Full Server Recovery of a Domain
