Digipass Pack for OWA 2007 Basic Authentication 3.0
IIS 6 Module for OWA 2007 Basic Authentication
Disclaimer of Warranties and Limitations of Liabilities
The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

RADIUS Documentation Disclaimer
The RADIUS documentation featured in this manual is focused on supplying required information pertaining to the RADIUS server and its operation in the environment. It is recommended that further information be gathered from your NAS/RAS vendor for information on the use of RADIUS.

Copyright
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.
Trademarks
VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. Microsoft and Windows are registered trademarks of Microsoft Corporation. All other trademarks are the property of their respective holders.
Table of Contents
1 Overview
1.1 VACMAN Middleware
1.1.1 Components of VACMAN Middleware
1.1.1.1 Required Components
1.1.1.2 Optional Components
1.2 IIS 6 Module for OWA 2007 Basic Authentication
1.2.1 Authentication Methods
1.2.2 Server Connection Management
1.2.2.1 Connection Profiles
1.2.2.2 Connection Options
1.2.2.3 Standard Server setup
1.2.3 Tracing
1.2.4 International Characters
2 Installation
2.1 System Requirements
2.1.1 Server Requirements - Software
2.2 Pre-Installation Tasks
2.2.1 Install or Upgrade VACMAN Middleware
2.2.2 IIS
2.2.3 Information Needed
2.2.4 Licensing
2.3 Install IIS 6 Module for OWA 2007
3 Configuration
3.1 IIS 6 Module Configuration
3.1.1 Enable/Disable the IIS 6 Module
3.1.2 Authentication Server Details
3.1.2.1 Add a Server
3.1.2.2 Modify Server Details
3.1.2.3 Delete a Server Record
3.1.2.4 Modify Connection Settings
3.1.3 Turn Tracing On or Off
3.1.4 Component Type
3.1.5 Session Timeout
3.1.6 Basic Authentication Credential Overrides
3.1.7 Failed Login Page
3.1.8 Realm
3.1.9 Authentication Headers
3.2 Configuration File
3.2.1 Configuration Settings
3.2.2 Modify Character Set Used
3.3 Configuring Exchange to work with VM
3.3.1 Modify Authentication Settings
3.4 Configure Authentication Server
3.4.1 Configure for Windows User Accounts
3.4.1.1 Windows User Name Resolution
3.4.1.2 Case Sensitivity
3.4.1.3 Configuration Instructions
3.4.1.4 Default Domain
3.4.2 Policy
4 Troubleshooting
4.1 Configuring IIS 6 to work with the IIS 6 Module
4.1.1 Check file placement
4.1.2 Check Permissions
4.1.2.1 Trace File Directory
4.1.2.2 Configuration file
4.1.2.3 Add the IIS_WPG Group
4.1.3 Set System Environment Variable
4.1.4 Install the ISAPI Filter
4.2 Other Troubleshooting Options
4.2.1 No Trace File
4.2.2 Information from Trace File
4.2.3 Authentication Server
4.2.4 Licensing
4.3 Repair Installation
5 Uninstalling the IIS 6 Module
5.1 Uninstall the IIS 6 Module for OWA 2007
6 Technical Support
6.1 Support Contact Information
1 Overview
Digipass Pack for OWA 2007 Basic Authentication contains two main components:
VACMAN Middleware: Authenticates user logins using One Time Passwords. See the VACMAN Middleware Product Guide for more information.
IIS 6 Module: Intercepts authentication requests from a client's web browser to a web site and re-routes them to VACMAN Middleware for authentication.
Figure 1 - IIS 6 Module Overview
1.1 VACMAN Middleware
VACMAN Middleware (VM) is a VASCO product which consists of a number of component programs. Its main component is the Authentication Server, and it also contains administration interfaces, an Audit System and optional components supporting various additional functionality (e.g. Virtual Digipass). Combined with the IIS 6 Module, it enables One Time Password authentication for IIS.
Figure 2 - VACMAN Middleware Overview
1.1.1 Components of VACMAN Middleware
1.1.1.1 Required Components
Authentication Server
The Authentication Server is the central brain of the product. Its primary responsibility is to accept incoming authentication and administrative requests and process them. It verifies the identity of a User by checking the One Time Password they enter from their Digipass and then passes the user's static password to the web site. It also generates and distributes necessary database replication and auditing information to appropriate backup Authentication Servers and the Audit System.
Data Store
Additional User account information, Digipass records and other required Digipass-related settings are stored in Active Directory or an ODBC database.
Administration Interfaces
Administration MMC Interface
This interface is used in slightly different ways, depending on the data store used by the Authentication Server:
Table 1 - Uses for the Administration MMC Interface
Data Store: Active Directory
Use: Administration of Digipass Configuration data only (Policy, Component and Back-End Server records). Other data is administered via the Digipass Extension for Active Directory Users and Computers.
Data Store: ODBC database
Use: Administration of all Digipass-related data, including Digipass User accounts; Digipass, Policy, Component and Back-End Server records.
Active Directory Users and Computers Extension
A VASCO Extension to the Active Directory Users and Computers interface allows administration of additional User settings and Digipass records integrated with standard Active Directory User administration. This is only available when Active Directory is used as the data store for VACMAN Middleware.
1.1.1.2 Optional Components
User Self Management Web Site
Allows Users to make appropriate changes to their own Digipass settings, including PIN changes. It uses RADIUS to send authentication requests and administration changes to VACMAN Middleware.
Virtual Digipass
The VASCO components used for Virtual Digipass are:
Message Delivery Component: Sends a One Time Password through a text message HTTP gateway to a User's mobile phone.
OTP Request Site: Allows a User to specifically request an OTP to be sent to their mobile phone.
1.2 IIS 6 Module for OWA 2007 Basic Authentication
The IIS 6 Module is an add-on to VACMAN Middleware 3.0 which can be configured to intercept authentication requests to a web site and redirect them to the Authentication Server. It is an ISAPI filter specifically designed for use with IIS 6 only.
1.2.1 Authentication Methods
See the Logging in with VACMAN Middleware section in the VACMAN Middleware Product Guide for detailed information on login methods and options.
Response Only login: Users log in via the current login page with their username and One Time Password (OTP).
Virtual Digipass login: Users logging in with a Virtual Digipass need to use a 2-step process. They attempt a login with their User ID, password and/or a keyword (as required by VACMAN Middleware). The login will fail, and trigger the sending of a One Time Password to the User's mobile via text message. The User re-attempts a login, using their password and OTP.
Challenge/Response logins are not supported for basic authentication.
1.2.2 Server Connection Management
The IIS 6 Module provides flexibility in managing connections to multiple primary and/or backup Authentication Servers. This allows redundancy and load sharing over multiple Servers.
1.2.2.1 Connection Profiles
Two connection profiles are available:
Primary: The Server(s) to which the IIS 6 Module will first attempt to connect. The Primary Authentication Server(s) take the majority of the data load. Load sharing may be implemented over all Primary Authentication Servers.
Backup: A Backup Server can provide redundancy and failover. It is typically a local machine which, if the Primary Authentication Server is busy or cannot be contacted, will be used until a connection to the Primary Authentication Server can be re-established.
1.2.2.2 Connection Options
Some of the terms used in configuring server connections are explained below:
Terminology
Maximum Connections: The maximum number of connections that the IIS 6 Module may have open to the Authentication Server at one time.
Timeout: The time that the IIS 6 Module should wait for a reply from the Authentication Server.
Reconnect Interval: If the IIS 6 Module cannot connect to an Authentication Server, it will make connection attempts at increasing time intervals until it succeeds in establishing a connection. The time period between connection attempts is the Reconnect Interval.
1.2.2.3 Standard Server setup
Figure 3 - Standard Server Connection Configuration
This setup uses one main Authentication Server to handle requests from the Web Server, with a backup Authentication Server for use when the main Authentication Server is busy or unavailable.
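The connection rules described in 1.2.2 (Primary tried first, Backup used while the Primary is busy or unreachable, load sharing over further Primaries once the first one's Maximum Connections are in use, and reconnect attempts spaced at increasing intervals between the minimum and maximum Reconnect Interval) can be modelled in a few lines. The following is an added example written for this page, not VASCO's code: the doubling backoff, the server-selection order and the names `Server`, `pick_server`, `simulate` and `reconnect_schedule` are this example's own assumptions about how the rules combine, not the product's actual algorithm.

```python
"""Model of the IIS 6 Module's Primary/Backup selection and reconnect backoff.

Added example (not VASCO code). Assumptions, labelled here and in the lead-in:
- without load sharing, only the first reachable Primary is offered new
  connections; once it is at Max. Connections, the Backup takes requests;
- with load sharing, any reachable Primary with spare capacity is used first;
- the reconnect interval starts at Min. Reconnect Interval and doubles up to
  Max. Reconnect Interval (the guide only says "increasing time intervals").
"""
from dataclasses import dataclass


@dataclass
class Server:
    name: str
    server_type: str        # "Primary" or "Backup", as in the Server Type field
    max_connections: int    # Max. Connections field
    min_reconnect: int      # Min. Reconnect Interval, seconds
    max_reconnect: int      # Max. Reconnect Interval, seconds
    reachable: bool = True
    in_use: int = 0         # connections currently open to this server


def reconnect_schedule(server, attempts):
    """Delays (seconds) before each reconnect attempt: Min, doubling, capped at Max."""
    delays, delay = [], server.min_reconnect
    for _ in range(attempts):
        delays.append(delay)
        delay = min(delay * 2, server.max_reconnect)
    return delays


def pick_server(servers, load_sharing):
    """Choose the server for a new authentication request, or None if all are full."""
    primaries = [s for s in servers if s.server_type == "Primary" and s.reachable]
    backups = [s for s in servers if s.server_type == "Backup" and s.reachable]
    candidates = primaries if load_sharing else primaries[:1]
    for s in candidates:
        if s.in_use < s.max_connections:
            return s
    # Primary busy or unreachable: fall back to a Backup with spare capacity
    for s in backups:
        if s.in_use < s.max_connections:
            return s
    return None


def simulate(servers, load_sharing, requests):
    """Assign a burst of simultaneous requests; return the chosen server names in order."""
    assignment = []
    for _ in range(requests):
        s = pick_server(servers, load_sharing)
        if s is not None:
            s.in_use += 1
        assignment.append(None if s is None else s.name)
    return assignment


if __name__ == "__main__":
    # Constructed fleet mirroring the "Standard Server setup" plus a second Primary.
    fleet = [
        Server("main_server", "Primary", 2, 30, 300),
        Server("second_server", "Primary", 2, 30, 300),
        Server("backup_server", "Backup", 2, 30, 300),
    ]
    print(simulate(fleet, load_sharing=True, requests=5))
    print(reconnect_schedule(fleet[0], 5))
```

With load sharing enabled the five requests spill from `main_server` to `second_server` and only then to `backup_server`; with it disabled the third request already goes to the Backup, which is what the Load Sharing checkbox in 3.1.2.4 controls.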
1.2.3 Tracing
The IIS 6 Module makes use of a trace file to record information about events that occur on the system, for use in troubleshooting. This could include generic information, changing conditions, or problems and errors that have been encountered. The level of tracing that the IIS 6 Module employs depends on its configuration settings.
Caution: Enabling Full Tracing should only be done for troubleshooting purposes. There are no limits set on the size of the tracing file, so if the option is left on too long on a high-load system the file may dramatically slow down or crash Windows, due to excessive I/O or filling up the hard drive. Because there are no size limitations set on the trace file, it is not recommended that you have tracing permanently enabled. If your system is set up with Tracing always enabled, ensure that the file size does not cause problems by deleting or archiving it whenever it gets too large.
Basic tracing includes:
Critical error/warning messages [CRITC]
Major error/warning messages [MAJOR]
Minor error/warning messages [MINOR]
Configuration messages [CONFG]
Full tracing includes:
Critical error/warning messages [CRITC]
Major error/warning messages [MAJOR]
Minor error/warning messages [MINOR]
Configuration messages [CONFG]
Informational messages [INFOR]
Data tracing messages [DATA]
Debugging messages (useful for support purposes) [DEBUG]
Security messages, messages that may contain security sensitive data [SECUR]
Note: The IIS 6 Module will require permissions for the directory in which the tracing file is kept. See Check Permissions - Trace File Directory for more information.
1.2.4 International Characters
The IIS 6 Module can be configured to use one specific character set when submitting login requests to the Exchange server. For more information, and instructions on configuring international characters in the IIS 6 Module, see Modify Character Set Used.
2 Installation
Before installing the IIS 6 Module, check that all system requirements and pre-installation tasks have been met. This will help ensure a smooth, trouble-free installation and integration process.
2.1 System Requirements
2.1.1 Server Requirements - Software
VACMAN Middleware 3.0 Authentication Server on another machine. The IIS 6 Module for VACMAN Middleware 3.0 will not function with VACMAN Middleware 2.3. See the VACMAN Middleware Installation Guide for VM's system requirements.
Internet Information Services (IIS) 6.0 or higher (requires Windows Server 2003)
MS Exchange 2007 using Outlook Web Access in basic authentication mode and SSL
The User must have administration rights on the installation machine
Note: If Outlook Web Access 2007 is not in Basic Authentication mode, this Digipass Pack will not function. Use the Digipass Pack for OWA 2007 Forms Authentication instead.
2.2 Pre-Installation Tasks
Before installing or upgrading the IIS 6 Module, there are several tasks which need to be completed. Performing these tasks (where applicable) will assist in a quick, smooth installation process.
Note: Digipass Pack for OWA 2007 Basic Authentication cannot be installed on the same machine as Digipass Pack for OWA 2007 Forms Authentication or Digipass Pack for Citrix Web Interface.
2.2.1 Install or Upgrade VACMAN Middleware
VACMAN Middleware 3.0 Authentication Server must be installed on the network before the IIS 6 Module is installed. If you have VACMAN Middleware 2.3, upgrade to version 3.0. See the VACMAN Middleware Installation Guide for more information on installing or upgrading to VACMAN Middleware 3.0.
Warning: It is recommended that the Use Windows User Name Resolution feature on the Authentication Server is enabled. This uses Windows functions to identify User IDs as Windows User accounts, including the domain to which the account belongs. If the Use Windows User Name Resolution feature is disabled, it is essential that users always use the same login name. If they try to log in using a different form of their Windows account name, their login will be rejected, unless a second Digipass User account has been created.
2.2.2 IIS
Ensure IIS and Exchange 2007 are installed and working correctly. The IIS 6 Module must be installed on the IIS server where OWA 2007 is running.
2.2.3 Information Needed
Before you begin installation of the Authentication Server, ensure that you have the following information easily accessible, as you will need to enter this during the installation.
IP address and port number of the Authentication Server. To check this, open the Authentication Server Configuration and check the Component Location and API Port fields.
Source IP address on the local machine to use when connecting to the Authentication Server (if multiple IP addresses are configured for this machine, as this affects licensing; see below).
2.2.4 Licensing
The Authentication Server will regard each incoming IP address as a different Component. This is the reason for selecting a single IP address in connecting to the Authentication Server if there is more than one IP address for a machine.
2.3 Install IIS 6 Module for OWA 2007
1. Start the Digipass Pack for OWA Basic Authentication installation process. If you are not using the CD Autorun interface, locate and double-click on the Digipass_Pack_for_OWA_2007_basic_310.msi file.
2. Click Next.
3. The License Agreement screen will be displayed.
4. Click the box marked 'I accept the terms in the License Agreement'. Click Next.
5. Enter the destination folder for the module. Click Next to accept the default or choose your preferred destination and click Next.
6. Click Install to install the Digipass Pack for OWA Basic Authentication.
7. The files will be installed to the directory you specified.
8. To finish the install, click Finish.
9. On exit, the installer launches the IIS 6 Module Configuration GUI. You need to configure the location of the IIS 6 Module and the local IP address.
10. Enter the local IP address from which the IIS 6 Module should connect to the Authentication Server into the Connect from IP Address field. It must be an IP address present on this machine.
11. Click on the row in the Server list, then click the Edit button. The Edit Server dialog will display.
12. Enter a Display Name for the Authentication Server. This name will be used to distinguish the Authentication Server in the Server list, but has no effect on the behavior of the IIS 6 Module.
13. Enter the IP Address and Port (normally 20003) that the IIS 6 Module should use to connect to the Authentication Server.
14. Select the Primary option for the Server Type.
15. Click OK to close the New Server dialog and OK to save the configuration changes.
16. You now need to restart the IIS Admin Service or restart the machine. The remaining steps below can take place during the restart.
17. Configure the Authentication Server by creating a Component record and loading a License Key into it. Open the Administration MMC Interface, log in as an administrator with permission to create and modify Component records, and carry out the following steps.
18. Right-click on the Components folder and select the New Component option.
19. The New Component dialog will display.
20. Select the Outlook Web Access option in the Component Type.
21. Set the Location to the same IP address as you set in the Connect from IP Address field in the IIS 6 Module Configuration GUI earlier.
22. Select a Policy for the Authentication Server to use when processing authentication requests from the IIS 6 Module. Select VM3 Windows Password Replacement if you are not sure yet which one to use. The Standard Policy Configurations for OWA 2007 section provides further information on the choice of Policy.
23. Click Create to create the Component record and Close the dialog.
24. A valid License Key must be obtained and loaded into the Component record.
25. Right-click on the new Outlook Web Access Component record in the list and select License Key Details...
26. The License Key Details dialog will display.
27. If you do not already have a license.dat file containing a License Key for the Outlook Web Access Component at this Location, click on the Request License Key button. This will take you to the vasco.com web site, where you can request a license key and save it to a file called license.dat.
28. Click on the Load License Key button to open a file browse dialog.
29. Select the license.dat file to load from where you saved it on your machine. Click Open to load the License Key from the file.
30. Finally, Close the License Key Details dialog. The Authentication Server will now process authentication requests from the IIS 6 Module.
31. If the Authentication Server uses Active Directory as its data store, you may need to restart the Authentication Server before it will recognize the new Component record. This will be necessary if the IIS 6 Module has already tried to connect to the Authentication Server.
3 Configuration
Configuration settings can be modified in two ways. The easiest method is via the IIS 6 Module Configuration, a graphical interface that allows you to make changes with a few mouse clicks. Advanced users may prefer to edit the configuration file directly.
3.1 IIS 6 Module Configuration
A Graphical User Interface (GUI) is available for use in configuring the IIS 6 Module. This provides a simple, intuitive way to set up the IIS 6 Module to work with your current system.
To open the IIS 6 Module Configuration GUI, click on the Start Button and select Programs > VASCO > Digipass Pack for OWA Basic Authentication > Basic Authentication Configuration. Alternatively, open Windows Explorer and open <IIS 6 Module install directory>\bin\vmiisfiltcfg.exe.
If this is the first time you have opened the IIS 6 Module Configuration and the configuration file has not been edited, the values you will see are those entered during installation of the IIS 6 Module.
3.1.1 Enable/Disable the IIS 6 Module
This option starts or stops the IIS 6 Module from redirecting authentication requests to the Authentication Server.
1. Click on the General tab.
2. Tick or untick the Enable VACMAN Middleware Authentication checkbox.
3. Click on the Apply button.
3.1.2 Authentication Server Details
The Server list contains all Authentication Servers which may be utilized by the IIS 6 Module. Authentication Server records can be added, deleted, or their details modified.
3.1.2.1 Add a Server
1. Click on the Add button. The New Server window will be displayed.
2. Enter a name for the Authentication Server in the Display Name field. This name will be used to distinguish the Authentication Server in the Server list, but has no effect on the behaviour of the IIS 6 Module.
3. Enter an IP address and port (typically 20003) for the Authentication Server, in the IP Address and Port fields.
4. Select a Server Type (see 1.2.2 Server Connection Management).
5. Enter a timeout period (in seconds) in the Timeout field.
6. Enter the maximum number of concurrent connections to be made from the IIS 6 Module to the Server, in the Max. Connections field.
7. Enter a minimum and maximum amount of time that the IIS 6 Module should wait before attempting to reconnect to the Authentication Server in the Min. Reconnect Interval and Max. Reconnect Interval fields.
8. Click on the OK button.
3.1.2.2 Modify Server Details
1. Select the Server to be edited.
2. Click on the Edit button. The Edit Server window will be displayed.
3. Make required changes.
4. Click on the OK button.
3.1.2.3 Delete a Server Record
1. Select the Server record to be deleted.
2. Click on the Delete button. A confirmation window will be displayed.
3. Click on OK to delete the Server record.
3.1.2.4 Modify Connection Settings
Connect from IP Address
If a server has multiple IP addresses configured, the IIS 6 Module needs to know which to use in connecting to the Authentication Server(s).
1. Enter the IP address from which to connect to Authentication Servers in the Connect from IP Address field. This may be left blank if there is only one IP address for the machine.
2. Click on the Apply button.
Load Sharing
Load sharing allows the IIS 6 Module to connect to multiple Authentication Servers when it has reached the maximum number of concurrent connections for the first primary Authentication Server in the Server list.
1. Tick the Enable Load Sharing checkbox.
2. Click on the Apply button.
3.1.3 Turn Tracing On or Off
1. Select a Tracing option.
2. If you have selected Basic Tracing or Full Tracing, enter a path and filename for the tracing file into the File Name field. The file path entered must be the full absolute path.
3. Click on the Apply button.
Note: If the File Name field is left blank or the file path does not exist, the IIS 6 Module will not output tracing. If the file does exist, tracing will be appended to the file. If the path is valid but the file does not exist, it will be created. If the IIS_WPG group does not have Write permissions for the directory specified, tracing will not be successful. See 4.1.2.1 Trace File Directory for more information.
3.1.4 Component Type
The Component Type is used when connecting to an Authentication Server, to assist in finding the correct Component record.
Caution: Modifying this setting may cause the IIS 6 Module to cease working. The Component Type set here must match the Component Type set in the Component record for this IIS 6 Module, or the Authentication Server will reject authentication requests from it.
3.1.5 Session Timeout
After the timeframe entered, the IIS 6 Module will cause an idle session to time out. If a static password was used in the login (rather than an OTP), the session may not appear to time out, as both browser and IIS can cache and automatically replay a password to reconnect. However, if an OTP was used in the login, the session will time out as expected, as the OTP cannot be reused.
1. Click on the Authentication tab.
2. Enter a value in the Timeout field.
3. Click on the Apply button.
3.1.6 Basic Authentication Credential Overrides
The IIS 6 Module may be configured to substitute a User Attribute for the User ID or password entered during login. These Attributes are taken from the Digipass User account.
1. Tick the Replace User Name with User Attribute checkbox to replace each User ID with a User Attribute. If unticked, each User ID will be left unmodified.
2. Tick the Replace Password with User Attribute checkbox to replace each User's password with a User Attribute.
3. Enter the Attribute Group name to use.
Note: This option is not typically required for OWA 2007.
3.1.7 Failed Login Page
This option allows you to specify an HTML page which will be presented to a User if their login is rejected by the IIS 6 Module.
Note: The browser used for the login attempt may either display the page immediately or pop up the login dialog. If the login dialog is popped up, clicking on the Cancel button will cause the failed login page to be displayed.
1. Click on the Authentication tab.
2. Enter the file location and name in the HTML File field or browse to the correct file.
3. Click on the Apply button.
3.1.8 Realm
If the Realm property is set in IIS, its value will appear in a standard Basic Authentication logon dialog box when IIS requests User login details. When the IIS 6 Module needs to request User login details, it needs the Realm value in order to conform to IIS. As the IIS configuration cannot be read by the IIS 6 Module, the Realm value must also be configured here.
Note: This option is not typically required for OWA 2007, as Exchange does not use the Realm property.
1. Click on the Authentication tab.
2. Enter the Realm name.
3. Click on the Apply button.
3.1.9 Authentication Headers
This is an advanced option which should only be enabled on advice from Technical Support, as it may slow down authentication processing.
1. Click on the Authentication tab.
2. Tick or untick the Modify Basic Authentication Headers checkbox.
3. Click on the Apply button.
4. The IIS server will need to be restarted before this change takes effect.
3.2 Configuration File
The IIS 6 Module Configuration writes to an .xml file named vmfiltercfg.xml in the installation directory. It is possible to edit this file directly instead of using the IIS 6 Module Configuration. Increment the Revision number by 1 to have your changes take effect.
Note: This option is recommended only for advanced users. The IIS 6 Module Configuration GUI will prevent most common configuration mistakes, but there are no such checks made when edits are made directly to the configuration file. Incorrect changes to the configuration file may cause the IIS 6 Module to stop working.
Example configuration file

    <VASCO>
      <Revision type="unsigned" data="13"/>
      <Enabled type="unsigned" data="1"/>
      <Tracing>
        <Trace-Header type="unsigned" data="31"/>
        <Trace-Mask type="unsigned" data="0x00000000"/>
        <Trace-File type="string" data="C:\Program Files\VASCO\Digipass Pack for OWA Basic Authentication\log\vmiis.trace"/>
      </Tracing>
      <Idle-Timeout type="unsigned" data="5"/>
      <Modify-Auth-Headers type="unsigned" data="0"/>
      <Component-Type type="string" data="Outlook Web Access"/>
      <Error-Page type="string" data=""/>
      <Encoding type="string" data="utf-8"/>
      <Realm type="string" data=""/>
      <Attribute-Group type="string" data=""/>
      <Use-Attribute-For-User-Name type="unsigned" data="0"/>
      <Use-Attribute-For-Password type="unsigned" data="0"/>
      <AAL3>
        <SEAL>
          <Local-Address type="string" data="10.2.20.90"/>
          <Connection-List>
            <Load-Balancing type="bool" data="false"/>
            <Connection00>
              <Name type="string" data="main_server"/>
              <Address type="string" data="10.2.10.101"/>
              <Port type="unsigned" data="20003"/>
              <Server-Type type="string" data="primary"/>
              <Nr-Connections type="unsigned" data="10"/>
              <Min-Reconnect-Interval type="unsigned" data="30"/>
              <Max-Reconnect-Interval type="unsigned" data="300"/>
              <Timeout type="unsigned" data="60"/>
            </Connection00>
          </Connection-List>
        </SEAL>
      </AAL3>
    </VASCO>

Caution: The configuration file is UTF8 encoded. Non-UTF8 encoded characters should not be added to the configuration file, or it will not load.
3.2.1 Configuration Settings
The table below lists the options, their default values, and a brief explanation of each.
Table 2 - Configuration Options (Option Name; Default Value; Notes)

Revision; default 1
The current revision of the configuration. This is incremented each time the configuration is changed and allows the IIS 6 Module to automatically reload its configuration parameters. If you have manually changed configuration settings in the file, increment this setting by 1 so that your changes take effect.

Enabled; default 1
Whether the IIS 6 Module is enabled or disabled. If disabled, it does not block access, but does not intercept authentication requests: they pass through unmodified.

Default-Component-Type; default Outlook Web Access
Default Component type to specify when connecting to an Authentication Server.

Trace/Trace-Header; default 31
The tracing header fields that have been enabled. This is a bitmask constructed by adding the following values:
1 - Enable the Date field
2 - Enable the Time field
4 - Enable the Tracing level field
8 - Enable the Thread ID field
16 - Enable the File field
32 - Enable the Line field
e.g. for DATE, TIME, LEVEL = 1 + 2 + 4 = 7. A value of 0 will result in no header being added to the trace output.

Trace/Trace-Mask; default 0x00000000
Hexadecimal or decimal values:
0x00000000 (decimal 0) - No tracing
0x0010000E (decimal 1048590) - Configuration and error messages only
0xFFFFFFFF (decimal 4294967295) - All levels enabled

Trace/Trace-File; default <installation directory>\Log\vmiis.trace
The absolute path and filename of the file to which internal state tracing will be written. The file (but not the path) will be created by the filter / extension if it does not exist. If this option is blank, the IIS 6 Module will not output tracing.

AAL3/SEAL/Local-Address; default 127.0.0.1
The local IP address to be used when connecting to Authentication Servers.

AAL3/SEAL/Connection-List/Load-Balancing; default False
Whether load balancing is enabled for connections to Authentication Servers.

AAL3/SEAL/Connection-List/Connection<number>/Name; default <blank>
Text to display in the Servers list on the Configuration.

AAL3/SEAL/Connection-List/Connection<number>/Address; default 127.0.0.1
IP Address of the Authentication Server.

AAL3/SEAL/Connection-List/Connection<number>/Port; default 20003
Port to use in connecting to the Authentication Server.

AAL3/SEAL/Connection-List/Connection<number>/Server-Type; default Primary
Either Primary or Backup Authentication Server. This setting affects load-balancing.

AAL3/SEAL/Connection-List/Connection<number>/Nr-Connections; default 10
The maximum number of concurrent connections which the IIS 6 Module may hold open to the Authentication Server.

AAL3/SEAL/Connection-List/Connection<number>/Min-Reconnect-Interval; default 30
The minimum amount of time that the IIS 6 Module will leave between attempts to reconnect to a higher-priority server after losing connection to it.

AAL3/SEAL/Connection-List/Connection<number>/Max-Reconnect-Interval; default 300
The maximum amount of time that the IIS 6 Module will leave between attempts to reconnect to a higher-priority server after losing connection to it.

Idle-Timeout; default 5
Session idle timeout.

Modify-Auth-Headers; default 0
A boolean flag indicating whether the filter should perform manipulation of the raw authentication headers within the request. If modification of the headers is not required, this should be disabled to improve the performance of the filter.
0 - False. The headers will not be modified.
1 - True. The headers will be modified if necessary.
NOTE: Enabling this feature requires IIS to be restarted.

Error-Page; default <blank>
This option allows you to specify an HTML page which will be presented to a User if their login is rejected by the IIS 6 Module.

Realm; default <blank>
Not used for OWA 2007.

Encoding; default UTF-8
The character encoding to use in sending a login request to the web site. This allows the use of international character sets (see 3.2.2 Modify Character Set Used).

Attribute-Group; default <blank>
The Attribute Group name to use in retrieving credentials from a Digipass User account.

Use-Attribute-For-User-Name; default 0
If this option is enabled, the IIS 6 Module will retrieve a UserName attribute from a Digipass User account. It will replace the User ID entered during login with the attribute value before passing the request to the web site.
0 - Disabled. The User ID will not be replaced with the User attribute.
1 - Enabled. The User ID will be replaced with the UserName attribute.

Use-Attribute-For-Password; default 0
If this option is enabled, the IIS 6 Module will retrieve a Password attribute from a Digipass User account. It will replace the password entered during login with the attribute value before passing the request to the web site.
0 - Disabled. The password will not be replaced with the User attribute.
1 - Enabled. The password will be replaced with the Password User attribute.
3.2.2 Modify Character Set Used

If you are using non-western European characters, the IIS 6 Module may need to be configured to use a specific character set when submitting login requests to the web site. The character set is set in the IIS 6 Module configuration file (vmfiltercfg.xml) in the <installation directory>\bin directory: edit the Encoding setting to the desired character set code. The codes are listed in the table below.

Caution: The IIS 6 Module can only be configured to use a single character set; it is not able to handle multiple character sets simultaneously. Credentials submitted by a client in a different encoding will be misinterpreted, so all clients of the web site must use the configured one.

Table 3 - Character Set Codes

Language             ISO code                    Windows code   Other code(s)
Arabic               ISO-8859-6                  CP1256
Baltic               ISO-8859-4 or ISO-8859-13   CP1257
Central European     ISO-8859-2                  CP1250
Chinese Simplified   ISO-2022-CN                                GB2312
Chinese Traditional                                             Big5
Cyrillic             ISO-8859-5                  CP1251
Greek                ISO-8859-7                  CP1253
Hebrew               ISO-8859-8-I                CP1255
Japanese             ISO-2022-JP
Korean               ISO-2022-KR
Thai                 ISO-8859-11                 CP874
Turkish              ISO-8859-9
Vietnamese                                       CP1258
Western European     ISO-8859-1                  CP1252
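The following is an added illustration, written for this page and not taken from the Digipass Pack, of what the Modify-Auth-Headers, Use-Attribute-For-User-Name, Use-Attribute-For-Password and Encoding options do to the Basic credential before it reaches the web site. Only the option names come from the guide; the function names, the FilterOptions class and the ACCOUNT_ATTRIBUTES lookup (a stand-in for the Attribute Group retrieved from the Authentication Server) are assumptions. It also shows why the single-charset caution matters: a name encoded by the client in CP1252 does not decode under a UTF-8 setting.

```python
"""Model of Basic-credential rewriting as described for the IIS 6 Module.
Added example, not VASCO's filter code; the account lookup and all
function names are assumptions made for the illustration."""
import base64
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class FilterOptions:
    modify_auth_headers: bool = False          # Modify-Auth-Headers
    use_attribute_for_user_name: bool = False  # Use-Attribute-For-User-Name
    use_attribute_for_password: bool = False   # Use-Attribute-For-Password
    encoding: str = "UTF-8"                    # Encoding (one charset only)


# Constructed stand-in for the Digipass User account attributes that the
# Authentication Server would return for the configured Attribute-Group.
ACCOUNT_ATTRIBUTES = {
    "jsmith": {"UserName": "CORP\\john.smith", "Password": "St0redWinPw!"},
}


def parse_basic(header: str, encoding: str) -> Tuple[str, str]:
    """Decode 'Basic <base64>' into (user, password) using the given charset.
    Split on the first colon only: the password itself may contain colons."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(blob, validate=True)
    user, sep, password = raw.decode(encoding).partition(":")
    if not sep:
        raise ValueError("credential lacks the user:password separator")
    return user, password


def build_basic(user: str, password: str, encoding: str) -> str:
    """Encode (user, password) as a Basic credential in the given charset."""
    if ":" in user:
        raise ValueError("a user-id may not contain ':'")
    blob = base64.b64encode(f"{user}:{password}".encode(encoding))
    return "Basic " + blob.decode("ascii")


def try_parse(header: str, encoding: str) -> Optional[Tuple[str, str]]:
    """parse_basic, returning None instead of raising on a charset mismatch."""
    try:
        return parse_basic(header, encoding)
    except (UnicodeDecodeError, ValueError):
        return None


def rewrite_authorization(header: str, opts: FilterOptions) -> str:
    """Return the Authorization header the web site receives for a login the
    Authentication Server has already accepted. With header modification
    disabled the request is passed through untouched."""
    if not opts.modify_auth_headers:
        return header
    user, password = parse_basic(header, opts.encoding)
    attrs = ACCOUNT_ATTRIBUTES.get(user, {})
    if opts.use_attribute_for_user_name and "UserName" in attrs:
        user = attrs["UserName"]          # replace User ID with UserName attribute
    if opts.use_attribute_for_password and "Password" in attrs:
        password = attrs["Password"]      # replace OTP/password with Password attribute
    return build_basic(user, password, opts.encoding)


if __name__ == "__main__":
    opts = FilterOptions(modify_auth_headers=True,
                         use_attribute_for_user_name=True,
                         use_attribute_for_password=True)
    incoming = build_basic("jsmith", "123456", "utf-8")   # constructed login
    print(parse_basic(rewrite_authorization(incoming, opts), "utf-8"))
    print(try_parse(build_basic("müller", "pw", "cp1252"), "utf-8"))
```

The rewrite only makes sense after the Authentication Server has accepted the submitted credential; a rejected login never reaches this step. Note that `parse_basic` keys the attribute lookup on the User ID exactly as entered, which is why the case-conversion and name-resolution settings in 3.4 matter.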
3.3 Configuring Exchange to work with VM

Authentication settings in Exchange must be compatible with the IIS 6 Module. The following section explains how to configure Exchange for use with the IIS 6 Module.

3.3.1 Modify Authentication Settings

Exchange must have Basic Authentication enabled, and Integrated Windows Authentication disabled, to allow the IIS 6 Module to intercept authentication requests and, where appropriate, pass them to the Authentication Server. Because Basic Authentication sends the credential base64-encoded (not encrypted) in every request, the Exchange and OWA virtual directories should only be reachable over HTTPS.

1. Open Exchange Management Console.
2. Expand the Server Configuration heading.
3. Click on Client Access.
4. Right-click on Exchange and click on Properties. The Exchange Properties window will be displayed.
5. Click on the Authentication tab.
6. Ensure that the Basic authentication checkbox is ticked.
7. Ensure that the Integrated Windows Authentication checkbox is not ticked.
8. Click on the OK button.
9. Right-click on OWA and click on Properties. The OWA Properties window will be displayed.
10. Click on the Authentication tab.
11. Ensure that the Basic authentication checkbox is ticked.
12. Ensure that the Integrated Windows Authentication checkbox is not ticked.
13. Click on the OK button.
3.4 Configure Authentication Server

3.4.1 Configure for Windows User Accounts

3.4.1.1 Windows User Name Resolution

If VACMAN Middleware is using an ODBC database (including the embedded database) as its data store, it is recommended that you enable Windows User Name Resolution on the Authentication Server(s). This allows the Authentication Server to use Windows functionality to resolve the User ID as entered during a login into a User ID and Domain. This is highly recommended if Dynamic User Registration will be enabled.

If the Use Windows User Name Resolution feature is disabled, it is essential that users always use the same login name. If they try to log in using a different form of their Windows account name, their login will be rejected unless a second Digipass User account has been created.

This setting is not required where VACMAN Middleware is using Active Directory as its data store; name resolution will occur automatically.

3.4.1.2 Case Sensitivity

Windows User names are not case-sensitive. If the ODBC database used by VACMAN Middleware is case-sensitive, ensure that User ID case is converted to lower case. Upper case may also be used, but involves extra configuration steps. The embedded PostgreSQL database is set to convert to lower case by default. See the Encoding and Case Sensitivity topic in the Administrator Reference for more information.

3.4.1.3 Configuration Instructions

1. Open the Authentication Server Configuration GUI.
2. Click on the ODBC Connection tab.
3. Select a database from the list.
4. Click on Configure Advanced Settings.

To enable Windows User Name Resolution:

5. Tick the Use Windows User Name Resolution checkbox.
6. Click on OK.

To modify the Case Conversion setting for the Authentication Server:

Caution: Existing Domains and User IDs must be in lower case before this setting is modified.

7. Select a database from the list.
8. Select Convert to Lower from the Case drop-down list.
9. Click on OK.

The same setting must be applied in each database for each Authentication Server. This setting change is not replicated automatically to other databases.

3.4.1.4 Default Domain

Where Users log in without entering a domain name or UPN, the Authentication Server will need to be configured to use the correct domain. There are two basic scenarios that might apply:

Change Master Domain

If Users will only ever be logging in to one domain via the Authentication Server, the simplest solution is to set the Master Domain name to the Fully Qualified Domain Name of the required domain. To modify the domain used as the Master Domain:

1. If the new Master Domain does not already have a Domain record, create the new Domain using the Administration MMC Interface.
2. Make sure there is an administrator account in the new Master Domain that has the Set Administrative Privileges permission.
3. Click on the ODBC Connection tab.
4. Click on Configure Advanced Settings.
5. Modify the name in the Master Domain field.
6. Click on OK.
7. The same setting must be applied in each database for each Authentication Server. This setting change is not replicated automatically to other databases.
8. Log in to the Administration MMC Interface as the administrator account identified in step 2. Give this account any privileges that it requires that are missing. You will need to log off and on again as this account for the new privileges to take effect.
9. Delete the original 'master' domain if no longer required. You will need to first remove all records dependent on the domain. This means:
   a. Delete or unassign and move Digipass records
   b. Delete User accounts
   c. Delete Organizational Units

Caution: Ensure that the name of the Master Domain is set to the correct case, as required by the Case Conversion setting. For example, if the Case Conversion setting is Convert to Lower, the Master Domain name must be all lower case.
Set Default Domain in Policy

This strategy should be used if:

- You wish to keep the Master Domain strictly for administration accounts and separate from User accounts
- The Authentication Server may be required to handle a different default domain for different IIS 6 Modules or other clients

Each Policy may be configured with a Default Domain, to be used if a User does not enter a domain on login. Typically, you will need to modify the Policy used by each IIS 6 Module. To set the Default Domain for a Policy:

1. Open the Administration MMC Interface.
2. Click on the Policies node.
3. Right-click on the required Policy.
4. Click on Properties.
5. Click on the User Settings tab.
6. Enter the Fully Qualified Domain Name in the Default Domain field.
7. Click on OK.
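The following is an added example, not VACMAN Middleware code, that models the login-name handling described in 3.4.1: Windows User Name Resolution, the Case Conversion setting, and the two ways of supplying a default domain (Master Domain, or the Policy's Default Domain). The NETBIOS_TO_FQDN table stands in for what Windows name resolution would return, and the ServerSettings class, the function names and the example domain names are assumptions made for the illustration. It shows concretely why, with resolution disabled, users must always log in with the same form of their name.

```python
"""Model of login-name resolution, case conversion and default-domain
selection on the Authentication Server. Added example, not product code."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for Windows name resolution (NetBIOS name -> FQDN).
NETBIOS_TO_FQDN = {"CORP": "corp.example.com"}


@dataclass
class ServerSettings:
    master_domain: str = "corp.example.com"
    case_conversion: Optional[str] = "lower"   # "lower", "upper" or None
    use_windows_name_resolution: bool = True


def split_login(login: str) -> Tuple[str, Optional[str]]:
    """Split DOMAIN\\user, user@domain or a bare user into (user, domain)."""
    if "\\" in login:
        domain, _, user = login.partition("\\")
        return user, domain
    if "@" in login:
        user, _, domain = login.rpartition("@")
        return user, domain
    return login, None


def resolve(login: str, settings: ServerSettings,
            policy_default_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return the (user, domain) key under which the Digipass User account
    is looked up. A Policy Default Domain takes precedence over the Master
    Domain when the user typed no domain at all."""
    user, domain = split_login(login)
    if domain is None:
        domain = policy_default_domain or settings.master_domain
    elif settings.use_windows_name_resolution:
        # Resolve a short (NetBIOS) name to the FQDN; an FQDN passes through.
        domain = NETBIOS_TO_FQDN.get(domain.upper(), domain)
    if settings.case_conversion == "lower":
        user, domain = user.lower(), domain.lower()
    elif settings.case_conversion == "upper":
        user, domain = user.upper(), domain.upper()
    return user, domain


def master_domain_matches_case(master_domain: str,
                               case_conversion: Optional[str]) -> bool:
    """The Caution in 3.4.1.4: the Master Domain name must already be in the
    case that Case Conversion produces, or resolved logins will never match it."""
    if case_conversion == "lower":
        return master_domain == master_domain.lower()
    if case_conversion == "upper":
        return master_domain == master_domain.upper()
    return True


if __name__ == "__main__":
    s = ServerSettings()
    for name in ("CORP\\JSmith", "jsmith@corp.example.com", "jsmith"):
        print(name, "->", resolve(name, s))
    off = ServerSettings(use_windows_name_resolution=False)
    print("resolution off:", resolve("CORP\\jsmith", off),
          resolve("jsmith@corp.example.com", off))
```

With resolution disabled the same person logging in as `CORP\jsmith` and as `jsmith@corp.example.com` lands on two different keys, which is exactly the "second Digipass User account" situation the guide warns about.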
3.4.2 Policy

The Component record created during installation of the IIS 6 Module uses the default VM3 Windows Password Replacement Policy. This Policy is configured with the following settings:

- Back-End Authentication is set to If Needed (used for DUR, Password Autolearn etc., not for all logins).
- Windows is used as the back-end authenticator.
- Dynamic User Registration, Password Autolearn and Stored Password Proxy are enabled.

If you need different settings, either select a different Policy (e.g. VM3 Windows Self-Assignment or VM3 Windows Auto-Assignment) for the IIS 6 Module Component, or copy the VM3 Windows Password Replacement Policy to a new record, modify the new Policy as required, and use the new Policy for the IIS 6 Module Component.
4 Troubleshooting

4.1 Configuring IIS 6 to work with the IIS 6 Module

The installation program for the IIS 6 Module will usually complete the following tasks automatically. However, if it fails in these tasks for some reason, an error message will be displayed during installation. These steps can then be followed to complete the installation manually. If you are having trouble running VM and the IIS 6 Module for the first time, following these steps may help you track down the problem and fix it manually.

4.1.1 Check file placement

The following files must be placed in the directory they are listed under. If they have been moved to another directory, or incorrectly copied, the IIS 6 Module will not function correctly.

<install directory>
  version.txt

<install directory>\bin
  ikaal3seal.dll
  libeay32.dll
  libxml2.dll
  openssl.exe
  ssleay32.dll
  stlport.5.1.dll
  vmfiltercfg.xml
  vmiisfil.dll
  vmiisfiltcfg.exe
  wxmsw28u_vc_custom.dll

<install directory>\doc
  Digipass Pack for OWA Basic Authentication Guide.pdf
4.1.2 Check Permissions

4.1.2.1 Trace File Directory

Permissions need to be set to allow the IIS 6 Module to access and write to the trace file. By default, the trace file is stored in <install directory>\log. Follow these steps for the folder the trace file will be written to.

1. Open Windows Explorer and browse to the directory that the trace file will be written to (<install directory>\log by default).
2. Right-click on the relevant directory.
3. Select Properties. The <directory name> Properties window will be displayed.
4. Click on the Security tab.
5. Ensure that the IIS_WPG group has the Write permission ticked.
6. If changes need to be made to the permissions, make them and click on the Apply button.

If the IIS_WPG group is not listed, see Add the IIS_WPG Group.

4.1.2.2 Configuration file

1. Open Windows Explorer and browse to the <install directory>\bin directory.
2. Right-click on the vmfiltercfg.xml file.
3. Select Properties. The vmfiltercfg.xml Properties window will be displayed.
4. Click on the Security tab.
5. Ensure that the IIS_WPG group has the Read permission ticked. The worker process only needs to read this file; do not grant it Write, since the file controls where credentials are sent.
6. If changes were made to the permissions, click on the Apply button.

If the IIS_WPG group is not listed for the configuration file, see Add the IIS_WPG Group for instructions on adding the group manually.

4.1.2.3 Add the IIS_WPG Group

If the IIS_WPG group is not listed for the trace file directory or configuration file, you will need to add it.

1. Click on the Add button. The Select Users, Computers, or Groups window will be displayed. Click on the Advanced button.
2. Enter search criteria and click on the Find Now button. If no search criteria are entered, a list of all users and groups in the selected location will be returned.
3. Select the IIS_WPG group.
4. Click on the OK button.
5. Check that the IIS_WPG group is listed.
6. Click on the OK button.
7. The group should now be listed in the Security tab's group and user list.
4.1.3 Set System Environment Variable

1. Right-click on My Computer.
2. Click on Properties. The System Properties window will be displayed.
3. Click on the Advanced tab.
4. Click on the Environment Variables button. The Environment Variables window will be displayed.

If VMIISModuleDirectory is not displayed in the System variables list, create it manually:

5. Click on the New button.
6. Enter the following values:
   Variable Name: VMIISModuleDirectory
   Variable Value: <IIS 6 Module installation path>
7. Click on the OK button.
8. Click on the OK button again.

The new System variable should now appear in the System variables list.
4.1.4 Install the ISAPI Filter

1. Right-click on My Computer.
2. Click on Manage. The Computer Management window will be displayed.
3. Expand the Internet Information Services heading.
4. Right-click on Web Sites.
5. Click on Properties. The Web Sites Properties window will be displayed.
6. Click on the ISAPI Filters tab.

If the VM Filter is not included in the list, add it manually:

7. Click on the Add button.
8. Enter these values:
   Filter Name: VM Filter
   Executable: <install directory>\bin\vmiisfil.dll
9. Click on the OK button.

The VM Filter should now appear in the list of ISAPI filters; however, its status will not show the filter as loaded until the IIS 6 Module has been successfully loaded into IIS. This will occur when the first authorisation request is processed by the IIS 6 Module.
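As an added pre-flight check for the manual steps above (not part of the Digipass Pack), the script below verifies the file placement from 4.1.1, that VMIISModuleDirectory (4.1.3) points at the installation directory, and that vmfiltercfg.xml is present and well-formed. The NTFS permission check (4.1.2) and the ISAPI filter registration (4.1.4) are metabase- and ACL-specific and are left to the GUI steps. The function names are assumptions; the `demo()` function builds a constructed installation tree in a temporary directory so the check can be exercised without a real install.

```python
"""Pre-flight check for an IIS 6 Module installation. Added example, not
part of the product; REQUIRED_FILES is the list from section 4.1.1."""
import os
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Mapping, Tuple

# File list from 4.1.1, keyed by sub-directory of <install directory>.
REQUIRED_FILES: Dict[str, List[str]] = {
    "": ["version.txt"],
    "bin": ["ikaal3seal.dll", "libeay32.dll", "libxml2.dll", "openssl.exe",
            "ssleay32.dll", "stlport.5.1.dll", "vmfiltercfg.xml", "vmiisfil.dll",
            "vmiisfiltcfg.exe", "wxmsw28u_vc_custom.dll"],
    "doc": ["Digipass Pack for OWA Basic Authentication Guide.pdf"],
}


def missing_files(install_dir: str) -> List[str]:
    """Relative paths of required files that are absent or not regular files."""
    missing = []
    for sub, names in REQUIRED_FILES.items():
        for name in names:
            rel = os.path.join(sub, name) if sub else name
            if not os.path.isfile(os.path.join(install_dir, rel)):
                missing.append(rel)
    return missing


def env_var_problem(install_dir: str, env: Mapping[str, str]) -> str:
    """'' if VMIISModuleDirectory names install_dir, otherwise a message.
    Paths are compared case-insensitively on Windows, ignoring a trailing
    separator, via os.path.normcase/normpath."""
    value = env.get("VMIISModuleDirectory")
    if value is None:
        return "VMIISModuleDirectory is not set"
    same = os.path.normcase(os.path.normpath(value)) == \
        os.path.normcase(os.path.normpath(install_dir))
    return "" if same else f"VMIISModuleDirectory is {value!r}, expected {install_dir!r}"


def config_problem(install_dir: str) -> str:
    """'' if bin\\vmfiltercfg.xml exists and parses as XML (its schema is not
    documented here, so only well-formedness is checked)."""
    path = os.path.join(install_dir, "bin", "vmfiltercfg.xml")
    try:
        ET.parse(path)
    except (OSError, ET.ParseError) as exc:
        return f"vmfiltercfg.xml: {exc}"
    return ""


def preflight(install_dir: str, env: Mapping[str, str] = os.environ) -> List[str]:
    """All findings for the installation; an empty list means the checks passed."""
    findings = [f"missing file: {rel}" for rel in missing_files(install_dir)]
    for msg in (env_var_problem(install_dir, env), config_problem(install_dir)):
        if msg:
            findings.append(msg)
    return findings


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed install tree in a temp dir and run the check twice:
    once complete, once with vmiisfil.dll deleted and the variable unset."""
    with tempfile.TemporaryDirectory() as root:
        for sub, names in REQUIRED_FILES.items():
            os.makedirs(os.path.join(root, sub), exist_ok=True)
            for name in names:
                with open(os.path.join(root, sub, name), "w") as fh:
                    fh.write("<config/>" if name.endswith(".xml") else "x")
        good = preflight(root, {"VMIISModuleDirectory": root + os.sep})
        os.remove(os.path.join(root, "bin", "vmiisfil.dll"))
        bad = preflight(root, {})
    return good, bad


if __name__ == "__main__":
    for line in preflight(os.environ.get("VMIISModuleDirectory", ".")) or ["OK"]:
        print(line)
```

Run it on the real server with no arguments and it checks whatever VMIISModuleDirectory points at; a missing vmiisfil.dll or a variable pointing at an old path are the two findings that most often explain a filter that never loads.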
4.2 Other Troubleshooting Options

If you are still having problems after checking that all installation and configuration settings for the IIS 6 Module are correct, follow these steps to check for other possible problems.

4.2.1 No Trace File

If there is no trace file, or the trace file information does not help, first check that the ISAPI filter has been loaded (see Install the ISAPI Filter for instructions). Next, check the Windows Event logs for any warnings or errors generated by a failure to load the IIS 6 Module into IIS.

4.2.2 Information from Trace File

1. Set the IIS 6 Module to tracing.
2. Restart IIS.
3. Attempt a login.
4. Check the trace file for information on the start-up conditions of the IIS 6 Module and on the login attempt.

4.2.3 Authentication Server

If the IIS 6 Module appears to load and update but you are unable to achieve a successful login, check the Authentication Server. Open the Audit Viewer to:

- check available audit messages in the audit files or database.
- configure a live audit connection from the Authentication Server and retry a login.

See the VACMAN Middleware Administrator Reference for more information.

4.2.4 Licensing

Check that the IIS 6 Module has a valid Component in the Authentication Server data store, which has a valid license loaded. See the Licensing section of the VACMAN Middleware Administrator Reference for more information on licensing options.
4.3 Repair Installation

The installation of the IIS 6 Module may need to be repaired if files have been corrupted, deleted or lost.

1. Locate and double-click on the Digipass_Pack_for_OWA_2007_basic_310.msi file.
2. Click on the Next button.
3. Select the Repair radio button to enter the repair function.
4. Click on the Repair button to confirm the repair.
5. Click on the Finish button.

Note: The configuration file (vmfiltercfg.xml) will not be copied over if it already exists in the standard directory. To repair this file, delete or move it and run the installation repair.
5 Uninstalling the IIS 6 Module

5.1 Uninstall the IIS 6 Module for OWA 2007

1. Open the Windows Add or Remove Programs utility, select Digipass Pack for OWA Basic Authentication and click on the Change/Remove button. OR: Locate and double-click on the Digipass_Pack_for_OWA_2007_basic_310.msi file to start the MSI.
2. Click on the Next button.
3. Select the Remove radio button to select the remove function.
4. Click on the Remove button to confirm the remove function.
5. Click on the Finish button. The Uninstallation Progress screen will be displayed, showing the progress of your uninstall.
6. After uninstallation, the system must be restarted.
6 Technical Support

If you encounter problems with a VASCO product please do the following:

1. Read the How to Troubleshoot topic in the Administrator Reference or the Troubleshooting section of this guide for help in discovering the source of your problem.
2. Check if your problem is resolved in the Knowledge Base located at the following URL: http://www.vasco.com/support.
3. If you do not find the information you need in the Knowledge Base, please contact the company that sold you the VASCO product.

Only after doing these steps, if your needs are still not completely met, please contact VASCO support:

6.1 Support Contact Information

E-mail: support@vasco.com
Website: http://www.vasco.com/support/contacts.html
Phone:
  Australia +61 2 8061 3700 (Sydney)
  Belgium +32 2 609 9770 (Brussels)
  Singapore +65 6 232 2727
  USA +1 508 366 3400 (Boston)