3.4.1 Configure for Windows User Accounts
3.4.1.1 Windows User Name Resolution
If VACMAN Middleware is using an ODBC database (including the embedded database) as its data store, it is recommended that you enable Windows User Name Resolution on the Authentication Server(s). This allows the Authentication Server to use Windows functionality to resolve a User ID – as entered during a login – into a User ID and Domain. This is highly recommended if Dynamic User Registration will be enabled.
If the Use Windows User Name Resolution feature is disabled, it is essential that users always use the same login name. If they try to log in using a different form of their Windows account name, their login will be rejected, unless a second Digipass User account has been created.
This setting is not required where VACMAN Middleware is using Active Directory as its data store - name resolution will occur automatically.
3.4.1.2 Case Sensitivity
Windows User names are not case-sensitive. If the ODBC database used by VACMAN Middleware is case-sensitive, ensure that User ID case is converted to lower case. Upper case may also be used, but will involve extra configuration steps. The embedded PostgreSQL database is set to convert to lower case by default. See the Encoding and Case Sensitivity topic in the Administrator Reference for more information.
3.4.1.3 Configuration Instructions
1. Open the Authentication Server Configuration GUI.
2. Click on the ODBC Connection tab.
3. Select a database from the list.
4. Click on Configure Advanced Settings.
To enable Windows User Name Resolution:
5. Tick the Use Windows User Name Resolution checkbox.
6. Click on OK.
To modify the Case Conversion setting for the Authentication Server:
Caution
Existing Domains and User IDs must be in lower case before this setting is modified.
7. Select a database from the list.
8. Select Convert to Lower from the Case drop down list.
9. Click on OK.
© 2007 VASCO Data Security Inc. 40
The same setting must be applied in each database for each Authentication Server. This setting change is not replicated automatically to other databases.
3.4.1.4 Default Domain
Where Users log in without entering a domain name or UPN, the Authentication Server will need to be configured to use the correct domain. There are two basic scenarios that might apply:
Change Master Domain
If Users will only ever be logging in to one domain via the Authentication Server, the simplest solution is to set the Master Domain name to the Fully Qualified Domain Name of the required domain.
To modify the domain used as the Master Domain:
1. If the new Master Domain does not already have a Domain record, create the new Domain using the Administration MMC Interface.
2. Make sure there is an administrator account in the new Master Domain that has Set Administrative Privileges permission.
3. Click on the ODBC Connection tab.
4. Click on Configure Advanced Settings.
5. Modify the name in the Master Domain field.
6. Click on OK.
7. The same setting must be applied in each database for each Authentication Server. This setting change is not replicated automatically to other databases.
8. Log in to the Administration MMC Interface as the administrator account identified in step 2. Grant this account any required privileges that it is missing. You will need to log off and on again as this account for the new privileges to take effect.
9. Delete the original 'master' domain if no longer required. You will need to first remove all records dependent on the domain. This means:
a. Delete or unassign and move Digipass records
b. Delete User accounts
c. Delete Organizational Units
Caution
Ensure that the name of the Master Domain is set to the correct case, as required by the Case Conversion setting. For example, if the Case Conversion setting is Convert to Lower, the Master Domain name must be all lower case.
Set Default Domain in Policy
This strategy should be used if:
You wish to keep the Master Domain strictly for administration accounts and separate from User accounts
The Authentication Server may be required to handle a different default domain for different IIS 6 Modules or other clients
Each Policy may be configured with a Default Domain, to be used if a User does not enter a domain on login. Typically, you will need to modify the Policy used by each IIS 6 Module.
To set the Default Domain for a Policy:
1. Open the Administration MMC Interface.
2. Click on the Policies node.
3. Right-click on the required Policy.
4. Click on Properties.
5. Click on the User Settings tab.
6. Enter the Fully Qualified Domain Name in the Default Domain field.
7. Click on OK.
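The following is an added illustrative model of how the login-name handling described in 3.4.1.1, 3.4.1.2 and 3.4.1.4 fits together; it is not VACMAN Middleware code. The function names, the constructed NetBIOS-to-FQDN table and the sample domain names are assumptions, and in the real product the resolution step is performed by Windows on the Authentication Server.

```python
# Added illustrative model of the login-name handling described above; it is
# not VACMAN Middleware code. Function names, the constructed NetBIOS->FQDN
# table and the sample domains are assumptions; real resolution is done by
# Windows on the Authentication Server.
from typing import Dict, Optional, Tuple

# Constructed sample: NetBIOS domain name -> Fully Qualified Domain Name.
NETBIOS_TO_FQDN: Dict[str, str] = {"CORP": "corp.example.com"}


def apply_case(value: str, case_conversion: Optional[str]) -> str:
    """Apply the Case Conversion setting ('lower', 'upper' or None)."""
    if case_conversion == "lower":
        return value.lower()
    if case_conversion == "upper":
        return value.upper()
    return value


def resolve_login(login: str, master_domain: str,
                  policy_default_domain: Optional[str] = None,
                  name_resolution: bool = True,
                  case_conversion: Optional[str] = "lower") -> Tuple[str, str]:
    """Return the (User ID, Domain) pair the server would look up.

    With Windows User Name Resolution enabled, 'DOMAIN\\user', 'user@fqdn'
    (UPN) and bare 'user' all map to the same account.  With it disabled the
    login string is used as the User ID exactly as typed, so each spelling
    would need its own Digipass User account.
    """
    domain: Optional[str] = None
    user = login
    if name_resolution:
        if "\\" in login:
            netbios, user = login.split("\\", 1)
            domain = NETBIOS_TO_FQDN.get(netbios.upper(), netbios)
        elif "@" in login:
            user, domain = login.rsplit("@", 1)
    if domain is None:
        # No domain given: the Policy Default Domain wins, else the Master Domain.
        domain = policy_default_domain or master_domain
    return apply_case(user, case_conversion), apply_case(domain, case_conversion)


def master_domain_case_ok(master_domain: str,
                          case_conversion: Optional[str]) -> bool:
    """Check from the Caution above: the Master Domain name must already match
    the Case Conversion setting, or logins that default to it will not match."""
    return apply_case(master_domain, case_conversion) == master_domain
```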
3.4.2 Policy
The Component record created during installation of the IIS 6 Module uses the default VM3 Windows Password Replacement Policy. This Policy is configured with the following settings:
Back-End Authentication is set to If Needed (used for DUR, Password Autolearn etc., not for all logins). Windows is used as the back-end authenticator.
Dynamic User Registration, Password Autolearn and Stored Password Proxy are enabled.
If you need different settings, either select a different Policy (e.g. VM3 Windows Self-Assignment or VM3 Windows Auto-Self-Assignment) for the IIS 6 Module Component, or copy the VM3 Windows Password Replacement Policy to a new record, modify the new Policy as required, and use the new Policy for the IIS 6 Module Component.