Creation date: 09/05/2007 Last Review: 31/01/2008 Revision number: 3




Middleware 3.0 troubleshooting

Creation date: 09/05/2007
Last Review: 31/01/2008
Revision number: 3
Document type: Whitepaper
Security status: EXTERNAL

Summary

This document explains how to troubleshoot your VACMAN Middleware 3.0 installation.

Details

This document is mainly intended to help discover and resolve configuration issues with VACMAN Middleware. In this document, we will:

- Explain some basic checks to perform
- Explain what tools and methods are available to troubleshoot
- Explain a few parameters and mechanisms that are often the cause of problems
- Provide a list of common errors

VACMAN Middleware Version

Make sure that you have installed the latest version of the software and have all additional patches. At the time of publishing of this KB, the current version is VACMAN Middleware service Release 10. The latest patch level is Patch 12. You can check for the latest patches on http://www.vasco.com/mymaintenance.

Troubleshooting tools and methods

Different tools are available to help you troubleshoot the VACMAN Middleware configuration:

The Full Tracing option

This option writes all configuration, server and user activity to a log file. To enable Full Tracing:

- Open the Authentication Server Configuration (Start > Programs > Vasco > Authentication Server Configuration).
- Select the Full Tracing option and click OK.
- Optionally, change the default log filename.
- To activate the new configuration, restart the service.

After enabling this option, all Middleware events are logged to a text file. The default file name is C:\Program Files\Vasco\Vacman Middleware 3\Log

The DIGIPASS Audit Viewer

The Audit Viewer is a Windows application that can display and filter audit messages from the Authentication Server. It can read the data from text files and ODBC databases, or receive a live feed from the Authentication Server.

The Show effective policy settings button

This button shows the settings of the policy you are using, even when this policy inherits its settings from a base policy.

The Radius Client Simulator

You can test your Radius authentications to the Middleware using the Vasco Radius Client Simulator. This tool can be found on the Middleware CD image under Windows\Utilities\Radius Simulator.

Depending on the authenticator and authentication options you have specified in the Middleware Server (see Configuring your Middleware Server), you can test your setup as follows:

1) Create a user "test" on your backend server (for example Active Directory).
2) Copy the default policy you want to base your new policy on (for example, copy the VM3.0 Windows Password replacement policy to "test policy").
3) In the "test policy" properties:
   On the Main Settings tab:
   - Set the authenticator to Digipass/Password
   - Backend Authentication: Always
   - Protocol: Windows
   On the User Settings tab:
   - Enable DUR, Autolearn, Stored Password Proxy
   - Set the Windows Group Check to No Check
4) Change the policy used on the default Radius client component to "test policy".
5) Since DUR is enabled and the authenticator is configured to also use a backend server, you can use the Vasco Radius Client Simulator to log in using your username and static Windows password.
6) Your user should be created in the Middleware if the backend authentication was successful. Check this in the Middleware MMC (for an ODBC setup) or in Active Directory Users and Computers (for a setup with AD as data repository). Make sure to refresh the screen.
7) If DUR was disabled, you need to create the user manually in the Middleware (through the MMC or via import of a CSV file, ...) as well as configure the correct static password.
8) If the authentication was successful, import a demo DPX file (check the dpx subdirectory under the Middleware installation directory). The demo DPX key is always the digit 1 repeated 32 times (11111111111111111111111111111111).
9) Assign the Digipass to the user in the Middleware MMC or Active Directory Users and Computers.
10) Log in with username and One Time Password (OTP). If you do not have a demo DIGIPASS, you can generate an OTP with this online demo DIGIPASS: http://demotoken.vasco.com
11) In case of unsuccessful authentications, check the dpauthserv.trace file for error messages.

Configuring your Middleware Server

By default the Middleware installation creates several policies. It is advisable not to change these policies but to create your own policy, based on one of them. For more information about policies, check the VACMAN Middleware Product Guide.

Depending on how you would like your users to log in, you have several options that can be enabled or disabled.

- Dynamic User Registration (DUR). This allows users that exist on a backend server (e.g. Active Directory) to log in to the Middleware server without having to create the user manually in the Middleware. At the first login, the user logs in using his static password. The Middleware server checks with the backend server whether this is a valid user and password. If the backend server validates the password, the user is created in the Middleware server and the static password is remembered as the stored static password.

- Autolearn. This allows a user to change his Middleware stored static password by logging in using his username and NewPassword+PIN+OTP. The Middleware server goes to a backend server with the username and new password for validation. If the validation is successful, the new password is remembered as the new stored static password. Note that the PIN is only needed if a Digipass with a server-side PIN is used.

- Stored Password Proxy. If you want your users to log on using only the OTP as password, but the authenticator is set to also use a backend server, you need to enable this option. This option allows the Middleware to take the stored static password and send it to the backend server for validation. If you want your users to log in using Static Password + PIN + OTP each time they log in, you should disable this option. This option is necessary, for example, for OWA and Citrix (which use Windows as backend authentication).

Common error messages and problems

Error code: <1>
Error message: <Serial [xxxxxxxxxx] Application [xxxxxx] OTP Incorrect - [Validation Failed]>
Cause: Server (static) PIN code or OTP mistyped.
Solution: Enter the PIN and OTP correctly.

Error code: <201>
Error message: <Serial [xxxxxxxxxx] Application [xxxxxx] OTP Incorrect - [Code Replay Attempt]>
Cause: The Digipass OTP has already been used before.
Solution: Wait at least 36 seconds before retrying to log in. Never log in more than once with the same OTP.

Error code: <-202>
Error message: <Serial [xxxxxxxxxx] Application [xxxxxx] OTP Incorrect - [Response Too Small]>
Cause: The user did not type his complete (PIN+)OTP.
Solution: Make sure the user enters his full OTP (with PIN if required).

Error code: <-205>
Error message: <Serial [xxxxxxxxxx] Application [xxxxxx] OTP Incorrect - [Response Not Decimal]>
Cause: The user tries to log in using his static password after the grace period has expired.
Solution: Make sure users only use their Digipass OTP after the grace period has expired.

Error message: Windows Authentication failed: [1326] [Logon failure: unknown user name or bad password.]
Cause: The user's static password does not correspond with the Middleware password while using Local and Windows authentication.
Solution: If Autolearn is enabled, let the user log in using Windows Password + PIN + OTP. If Autolearn is not enabled, make this change manually in the Middleware.

Error code: <1007>
Error message: <Digipass User account is locked>
Cause: The password or OTP has been entered incorrectly too many times. By default the user lock threshold is set to 3 attempts.
Solution: An administrator needs to uncheck the locked checkbox on the user record in the administration MMC or in Active Directory Users & Computers.

Error message: Cannot set password field. Possible shared secret mismatch?
Cause: The shared secret on the server and the shared secret on the Radius client do not match.
Solution: Make sure the shared secrets match. The Vasco Radius Simulator will give the following error message: Login failed - invalid response authenticator. Mismatched shared-secret is a possibility

Applies to: VACMAN Middleware 3.0.x

More information:

Documentation:
- VACMAN Middleware Administration Guide
- VACMAN RADIUS Client Simulator Users Guide
- KB100036: Outlook Web Access Troubleshooting guide
- KB100037: Citrix Troubleshooting guide
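
The shared-secret mismatch entry above follows from how RADIUS uses the secret on both sides of an exchange. The following Python is an added example, not VASCO code: it implements the User-Password hiding and Response Authenticator calculations from RFC 2865 and runs them with matching and mismatched secrets. The secrets, the OTP value and the fixed Request Authenticator are constructed sample values.

```python
import hashlib

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Client side, RFC 2865 section 5.2: XOR 16-byte blocks with an MD5 keystream."""
    blocks = max(1, -(-len(password) // 16))  # at least one 16-byte block
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = _md5(secret, prev)
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same keystream, built from the server's copy of the secret."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, _md5(secret, prev)))
        prev = block
    return out.rstrip(b"\x00")

def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return _md5(header, request_auth, attrs, secret)

def simulate(client_secret: bytes, server_secret: bytes, otp: bytes = b"482913"):
    """Return (server recovered the OTP, client accepts the reply's authenticator)."""
    request_auth = bytes(range(16))  # constructed; a real client uses 16 random bytes
    hidden = hide_password(otp, client_secret, request_auth)
    recovered = recover_password(hidden, server_secret, request_auth)
    code = 2 if recovered == otp else 3  # 2 = Access-Accept, 3 = Access-Reject
    reply_auth = response_authenticator(code, 1, b"", request_auth, server_secret)
    expected = response_authenticator(code, 1, b"", request_auth, client_secret)
    return recovered == otp, reply_auth == expected

if __name__ == "__main__":
    print("matching secrets:  ", simulate(b"radius-secret", b"radius-secret"))
    print("mismatched secrets:", simulate(b"radius-secret", b"Radius-secret"))
```

With mismatched secrets the server recovers garbage instead of the OTP, and the client cannot verify the Response Authenticator on the reply, whichever way the server answered.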