
Active Directory

In document Identikey Server Product Guide (Page 129-137)

12.1.1 What is Stored in Active Directory?

The following information is stored in Active Directory:

Digipass User accounts

Digipass and Digipass Application records

Digipass configuration records (Policies, Components, Back-End Servers, Reports and Report Formats)

Identikey Server Configuration information

12.1.2 Schema Extensions

User attributes – vasco-UserExt class

Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' vasco-UserExt on the User class.

Digipass and Digipass Application records

The vasco-DPToken class is used to store Digipass attributes. It is also a container, in which vasco-DPApplication records for that Digipass are stored.

Upon assignment to a User, the Digipass record is stored in the same location as the User.

Policies, Components and Back-End Servers

Policy, Component, Back-End Server, Report and Report Format records are stored in Policy, vasco-Component, vasco-BackEndServer, vasco-Report and vasco-ReportFormat objects respectively. They are located in a single “Digipass-Configuration” container in a single Domain.

12.1.3 Digipass Records

12.1.3.1 Location of Digipass Records

When a Digipass is assigned to a User, it is moved to the same location as the Digipass User account it is assigned to. This makes it easier to set up the permissions necessary for delegated administration.

Note

A Digipass record will not automatically be moved when the User account to which it is assigned is moved to another location. When moving User accounts within Active Directory, ensure that the records of any assigned Digipass are manually moved to the same location.

Unassigned Digipass records may be stored in various places in the data store:

Digipass Pool

A container called Digipass-Pool is created during installation. This is intended as a general store for unassigned Digipass.

Organizational Units

If an Organizational Unit structure is used in the data store, Digipass can be loaded or moved either into the exact Organizational Units where the User accounts to which they will be assigned are located, or into a few key Organizational Units in the hierarchy where they may be assigned to Users in lower level Organizational Units.

Users Container

When Active Directory is used as the data store, Digipass can be loaded into the Users container so they are available for Users in that container. However, it is not recommended to use the Users container for either User accounts or Digipass.

When looking for an available Digipass to assign to a User, the Identikey Server will first look in the same Organizational Unit as the specific User account. The Search Upwards in Organizational Unit hierarchy option, when enabled, allows the Identikey Server to search in parent Organizational Units and the Digipass Pool container. This option may be set at the Policy level for system searches (e.g. Auto-Assignment and Self-Assignment) or at the time of the search for manual assignment.

Note

The Identikey Server will always find or assign the closest available Digipass record to the selected User record(s).

12.1.3.2 Delegated Administration in Active Directory

If the assignment is manual (performed by an administrator), the Identikey Server will only find and successfully assign Digipass from locations where the administrator has the correct permissions. The administrator must have read permission for Digipass objects in the location to find a Digipass record, and if the record needs to be moved to the User's location, the administrator must also have delete permission for Digipass objects there to successfully assign the Digipass. If the administrator has sufficient permissions to view a Digipass record but not to assign it, the assignment will fail.
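The search order and the permission checks of the two preceding paragraphs can be followed more easily in code. The following is an added example written for this page, not Identikey Server code: it models the server's lookup (own Organizational Unit first, then parent Organizational Units and the Digipass Pool when Search Upwards is enabled) and the manual-assignment rule that read permission is needed to find a record and delete permission to move it. The domain, DNs, administrator and serial number are constructed; the model also assumes that rights granted on a container apply to its child containers, and, following section 12.1.5, that moving a record into the User's location needs create permission there.

```python
"""Model of the Identikey Server Digipass search order and the delegated
administrator permission check. Added example; not Identikey Server code.
All DNs, names and serial numbers below are constructed."""

from dataclasses import dataclass, field
from typing import Optional

DOMAIN_ROOT = "DC=example,DC=com"                  # constructed domain
DIGIPASS_POOL = "CN=Digipass-Pool," + DOMAIN_ROOT  # container created at install


def parent_dn(dn: str) -> Optional[str]:
    """Container holding `dn`: everything after the first RDN."""
    return dn.split(",", 1)[1] if "," in dn else None


def is_under(dn: str, container: str) -> bool:
    """True if `dn` is `container` itself or lies anywhere below it."""
    return dn == container or dn.endswith("," + container)


def search_order(user_dn: str, search_upwards: bool) -> list[str]:
    """Containers the server examines, nearest first.

    The User's own Organizational Unit is always checked. With Search Upwards
    enabled, the parent Organizational Units follow and the Digipass Pool
    stands in for the Domain Root (records may not be stored in the root).
    """
    order = [parent_dn(user_dn)]
    if search_upwards:
        container = parent_dn(order[0])
        while container is not None and container != DOMAIN_ROOT:
            order.append(container)
            container = parent_dn(container)
        order.append(DIGIPASS_POOL)
    return order


@dataclass
class Digipass:
    serial: str
    location: str                     # DN of the container holding the record
    assigned_to: Optional[str] = None


@dataclass
class Administrator:
    """Rights on Digipass objects, keyed by the container they were granted on.

    Assumption for this model: a right granted on a container also applies to
    its child containers, as delegated AD permissions are usually inherited.
    """
    name: str
    rights: dict[str, set[str]] = field(default_factory=dict)

    def has(self, right: str, container: str) -> bool:
        return any(right in granted and is_under(container, scope)
                   for scope, granted in self.rights.items())


def find_and_assign(user_dn, tokens, search_upwards, admin=None):
    """Assign the closest available Digipass to the User.

    admin=None models a system search (Auto-Assignment, Self-Assignment),
    which is not limited by administrator permissions.
    Returns (outcome, serial).
    """
    user_container = parent_dn(user_dn)
    for container in search_order(user_dn, search_upwards):
        for token in tokens:
            if token.assigned_to is not None or token.location != container:
                continue
            # Read permission is needed even to find the record.
            if admin is not None and not admin.has("read", container):
                continue
            # A record outside the User's location is moved on assignment:
            # delete at the source and (assumed) create at the destination.
            if admin is not None and container != user_container:
                if not (admin.has("delete", container)
                        and admin.has("create", user_container)):
                    return ("assignment failed", token.serial)
            token.assigned_to = user_dn
            token.location = user_container
            return ("assigned", token.serial)
    return ("no available digipass", None)


def image38_scenario(search_upwards: bool, pool_rights: set[str]):
    """Image 38 layout: User in OU B1, the only unassigned Digipass in the
    Pool, Administrator 1 delegated on OU B and its children."""
    user = "CN=Alice,OU=B1,OU=B," + DOMAIN_ROOT
    tokens = [Digipass("VDP0000001", DIGIPASS_POOL)]   # constructed serial
    admin1 = Administrator("Administrator 1", {
        "OU=B," + DOMAIN_ROOT: {"read", "write", "create", "delete"},
        DIGIPASS_POOL: pool_rights,
    })
    outcome = find_and_assign(user, tokens, search_upwards, admin1)
    return outcome, tokens[0].location


if __name__ == "__main__":
    print(image38_scenario(True, {"read", "delete"}))   # assigned, moved to B1
    print(image38_scenario(False, {"read", "delete"}))  # Pool never searched
    print(image38_scenario(True, {"read"}))             # visible but not assignable
```

The third call reproduces the failure mode the text warns about: the administrator can see the record in the Pool but, lacking delete permission there, cannot move it, so the assignment fails rather than silently picking another record.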

Table 5: Summary of Digipass Record Location Options

Record Location: Digipass Pool
Pros: Digipass are available to be assigned to all Users, regardless of the Organizational Unit structure.
Cons: Only administrators with access to the Digipass Pool may view or modify records for unassigned Digipass. This also means that only those administrators may manually assign Digipass. An extra permission must be assigned to all administrators who should be able to assign Digipass (if they are not Domain Admins). It is not possible to strictly subdivide the unassigned Digipass among the Organizational Units according to quotas.

Record Location: Organizational Unit
Pros: Digipass may be portioned out to various Organizational Units. This is particularly useful where a company is contracted to provide authentication services to multiple companies, or where various departments have different Digipass quotas.
Cons: If an Organizational Unit runs out of Digipass to assign to its Users, more Digipass records must be manually moved to the right location.

Record Location: Users Container
Pros: Digipass can be assigned to any User in the Users container.
Cons: Digipass in the Users container are only available to User accounts stored there.

12.1.3.3 Typical Digipass Location Models

Digipass Pool

A centralised point of access and importation can be implemented by using the Digipass Pool to hold unassigned Digipass records. This option requires less calculation and less high-level administration, as Digipass records are all imported into one area and there is no need to manually move records or calculate the exact number of Digipass required for each Organizational Unit or group of Units. However, permissions will need to be set up to permit delegated administrators to move the Digipass out of the container upon assignment.

The Digipass Pool is treated as the Domain Root by the Identikey Server, as Digipass records may not be saved in the Domain Root.

Image 38: Digipass Record Locations - Digipass Pool

In the diagram above, the Identikey Server is shown searching upwards through the Organizational Unit structure for available Digipass to assign to a Digipass User in the Organizational Unit B1. Because no available Digipass are found in B1, it searches in B, then in the Digipass Pool.

Administrator 1 needs delegated administrator permissions for the Organizational Unit B and its child Organizational Units. They must also have read and delete permissions for Digipass objects in the Digipass Pool container.

Note

The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

Parent Organizational Units

Unassigned Digipass can be kept in key Organizational Units, and made available to their lower level Organizational Units. This requires a delegated administrator to have permissions not only for the Organizational Unit in which the User accounts are stored, but also read, write and delete permissions for Digipass objects in the Organizational Unit in which the Digipass are stored.

Image 39: Digipass Record Locations - Parent Organizational Unit

In the diagram above, the Identikey Server can search in the parent Organizational Unit for available Digipass.

The delegated administration permissions can be set up in two basic ways:

Administrator 1 has full admin permissions for Organizational Unit B and its child Organizational Units. She does not require any other permissions to assign Digipass from Organizational Unit B to a User in Organizational Unit B1.

Administrator 2 has full admin permissions for Organizational Unit A2 only. He has read and delete permissions for Digipass objects in Organizational Unit A in order to assign Digipass from Organizational Unit A to a User in Organizational Unit A2.

Note

The Search Upwards in Organizational Unit hierarchy option must be enabled for this model to function correctly.

Individual Organizational Units

Digipass can be loaded or moved into each Organizational Unit where and when they are required. It is then easy to set up permissions for delegated administrators to assign them only within their scope of control. If all Digipass in the Organizational Unit are assigned, more Digipass will need to be moved in manually by a Domain Admin before they can be assigned by a delegated administrator.

Image 40: Digipass Record Locations - Individual Organizational Units

In the diagram above, unassigned Digipass are stored in the exact Organizational Units in which they will be assigned.

Each delegated administrator only requires permissions within their specific Organizational Unit(s).

Note

The Search Upwards in Organizational Unit hierarchy option does not need to be enabled for this model.

Combination of models

Digipass may be stored in the Digipass Pool as well as in some or all Organizational Units. If no unassigned Digipass records are found in the Organizational Unit, and the Search Upwards in Organizational Unit hierarchy option is enabled, the Identikey Server will search upwards to the Domain Root and then search in the Digipass Pool for an available, unassigned Digipass record.

12.1.4 Permissions Needed by the Identikey Server

The installation process will ensure that the Identikey Server has sufficient permissions. This is achieved by assigning permissions in the domain to the built-in “RAS and IAS Servers” group. It is necessary to make sure that the Identikey Server is added to that group.

12.1.5 Administrative Permissions

Administrative permissions for Identikey Server administrators are controlled using Active Directory security properties. See the Permissions Needed by Administrators topic in the Administrator Reference for more information.

Domain Administrators may view and edit all Digipass and Digipass User information in their domain, plus Digipass Configuration information if the Digipass Configuration Container is located in their domain. No permissions setup is required for them.

Delegated Administrators may view and edit all Digipass and Digipass User information within their administrative scope of control. It is necessary to grant them full control, create and delete permissions over the Digipass and Digipass Application objects within their scope.

Reduced Rights Administrators may perform a subset of the administration tasks. 'Property sets' are defined within the directory which can be used to enable or limit them in various Digipass administration tasks (e.g. access to the Digipass blob).

12.1.6 Active Directory Command Line Utility

This utility has to perform several tasks that are needed at various times during installation and upgrade if Active Directory is selected, or afterwards for maintenance. Some of the commands are run automatically by the installation program, while others are run manually. The commands that are run automatically can be run manually also, for example to troubleshoot why the installation is not succeeding.

Table 6: DPADadmin tasks

Command: addschema
Description: Extend the Active Directory schema.

Command: checkschema
Description: Check that the schema extensions are all present.

Command: setupdomain
Description: Sets up the Digipass Configuration Container in the specified domain.

Command: setupaccess
Description: Assign permissions to a Windows group, including:
- Full read access to everything in the domain
- Full control over vasco-DPToken objects
- Full control over vasco-DPApplication objects
- Ability to create and delete vasco-DPToken objects
- Full write access to extension attributes on user objects
This command can optionally be used to also add a machine to the group.

12.1.7 Active Directory Replication

For more details of Active Directory Replication see Active Directory Replication Issues in the Administration Reference Guide.
