Digipass Plug-In for IAS Administrator Reference

Digipass Plug-In for IAS: IAS Plug-In
Digipass Extension for Active Directory Users and Computers: Administration MMC Interface
IAS: Microsoft's Internet Authentication Service
SBR: Funk Steel-Belted RADIUS, Steel-Belted RADIUS

Disclaimer of Warranties and Limitations of Liabilities

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable; or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.

Copyright

© 2006 VASCO Data Security Inc. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.

Trademarks

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc.

Microsoft and Windows are registered trademarks of Microsoft Corporation.

Digipass Plug-In for IAS Administrator Reference Table of Contents

Table of Contents

1 Introduction ... 8
1.1 Available Reference Guides ... 8
2 Active Directory Schema ... 9
2.1 Schema Extensions ... 9
2.1.1 Added Object Classes ... 9
2.1.2 Added Attributes ... 9
2.1.3 Added Permission Property Sets ... 11
2.2 Active Directory Auditing ... 12
2.3 Custom Search Options ... 13
2.3.1 Using the Custom Search ... 13
2.4 Sensitive Data Encryption ... 14
2.4.1 Encrypted Data ... 14
2.4.2 Which Encryption Algorithms can be used? ... 14
2.4.3 Exporting Encryption Settings ... 14
2.5 Active Directory Replication Issues ... 15
2.5.1 Old Data Used After Attribute Modified ... 15
2.5.1.1 Single Plug-In using more than one Domain Controller ... 15
2.5.1.2 Administrator and Plug-In using different Domain Controllers ... 16
2.5.1.3 Multiple Plug-Ins Using Different Domain Controllers ... 16
2.5.1.4 Two Administrators Modifying the Same Attribute ... 16
2.5.2 Old Data Used Overwrites New Data ... 17
2.5.3 Factors Affecting Replication Issues ... 17
2.5.4 Solutions and Mitigations ... 18
2.5.4.1 Digipass Cache ... 18
2.5.4.2 Identification Threshold Setting ... 19
2.5.4.3 Administrator Connection Strategy ... 19
2.5.4.4 Set a Preferred Server ... 20
2.5.4.5 Use Preferred Server Only Option ... 22
3 Set Up Active Directory Permissions ... 23
3.1 Permissions Needed by the IAS Plug-In ... 23
3.1.1 Giving Permissions to the IAS Plug-In ... 23
3.2 Permissions Needed by Administrators ... 24
3.2.1 Domain Administrators ... 24
3.2.2 Delegated Administrators ... 24
3.2.3 Reduced-Rights Administrators ... 24
3.2.4 System Administrators ... 25
3.3 Assign Administration Permissions to a User ... 25
3.4 Multiple Domains ... 28
3.4.1 Scenario 1 – Each IAS Server Handles One Domain ... 28
3.4.2 Scenario 2 – One IAS Server Handles All Domains ... 28
3.4.3 Scenario 3 – Combination ... 29
4 Backup and Recovery ... 30

4.1.3 Audit Log Data ... 31
4.1.3.1 Write to File ... 31
4.1.3.2 Write to Windows Event Log ... 31
4.1.4 Active Directory ... 32
4.1.4.1 Cold Backup ... 32
4.1.5 DPX files ... 32
4.2 Recovery ... 33
5 Field Listings ... 34
5.1 User Property Sheet ... 34
5.2 Digipass Property Sheet ... 36
5.2.1 Digipass Application Tab ... 36
5.3 Policy Property Sheet ... 37
5.4 Component Property Sheet ... 44
6 Licensing ... 45
6.1 How is Licensing Handled? ... 45
6.2 Licensing Parameters ... 45
6.2.1 Sample License File ... 45
6.3 View License Information ... 45
6.4 Obtain a License Key for a Component ... 46
6.5 Change IP Address ... 47
7 Web Sites ... 48
7.1 Customizing the Web Sites ... 48
7.2 CGI Program ... 48
7.2.1 Configuration Settings ... 49
7.3 Form Fields ... 49
7.3.1 User Self Management Web Site ... 49
7.3.1.1 Registration – Main Pages ... 49
7.3.1.2 Registration – Challenge Page ... 51
7.3.1.3 Server PIN Change ... 52
7.3.1.4 Login Test – Main Page ... 53
7.3.1.5 Login Test – Challenge Page ... 54
7.3.2 OTP Request Site ... 54
7.3.2.1 Request Page ... 54
7.4 Query String Variables ... 55
7.4.1 Failure/Error Handling ... 55
7.4.2 Query String Variable List ... 56
7.4.3 Return Code Listing ... 57
7.4.3.1 API Return Codes ... 57
7.4.3.2 CGI Errors ... 58
7.4.3.3 Internal Errors ... 59
8 Command line utilities ... 60
8.1 DPADadmin Utility ... 60
8.1.1 Extend Active Directory Schema ... 60
8.1.1.1 Prerequisite Information ... 60
8.1.1.2 Extend the Schema on the Schema Master ... 61
8.1.1.3 Extend the Schema on the IAS Server ... 61
8.1.1.4 Command Line Syntax ... 61

8.1.2.1 Prerequisite Information ... 62
8.1.2.2 Check the Schema on the IAS Server ... 62
8.1.2.3 Check the Schema on a Machine in the Domain to Check ... 63
8.1.2.4 Command Line Syntax ... 63
8.1.3 Set Up Digipass Configuration Container in Domain ... 63
8.1.3.1 Prerequisite Information ... 63
8.1.3.2 Set Up Digipass Configuration Container ... 63
8.1.3.3 Command Syntax ... 64
8.1.4 Assign Digipass Permissions to a Group ... 64
8.1.4.1 Pre-requisites ... 64
8.1.4.2 Command Syntax ... 64
9 Login Options ... 65
9.1 Login Permutations ... 65
9.1.1 Response Only – PAP ... 67
9.1.2 Response Only – CHAP/MS-CHAP ... 68
9.1.3 Challenge/Response ... 68
9.1.4 Virtual Digipass ... 69
10 Configuration Settings ... 70
10.1 IAS Plug-In ... 70
10.1.1 Configuration GUI ... 70
10.1.1.1 Enable IAS Plug-In ... 70
10.1.1.2 Allow Passthrough ... 70
10.1.1.3 Set Component Location ... 70
10.1.1.4 Library Path ... 70
10.1.1.5 Turn Tracing On or Off ... 70
10.1.1.6 Active Directory Settings ... 71
10.1.1.7 Data Encryption ... 73
10.1.2 Configuration File ... 75
10.2 MDC ... 78
10.2.1 Required Information ... 78
10.2.2 MDC Configuration GUI ... 78
10.2.2.1 Set IAS Server Connection Details ... 78
10.2.2.2 Modify Gateway Account Login Details ... 78
10.2.2.3 Configure Internet Connection Details ... 79
10.2.2.4 Configure Tracing ... 79
10.2.2.5 Import HTTP Gateway settings ... 80
10.2.2.6 Edit Advanced Settings ... 80
10.2.2.7 Export HTTP Gateway settings ... 80
10.2.2.8 Gateway Result Pages ... 81
10.2.3 MDC Configuration File ... 85
10.2.4 Configuration Settings ... 86
10.3 CGI ... 87
11 How to troubleshoot ... 88
11.1 Enable Tracing ... 88
11.2 Installation Check ... 88
11.2.1 Installation Log File ... 88
11.2.2 Check file placement ... 88
11.2.3 Registry Entries ... 89
11.2.4 DLLs to be Registered ... 90

11.2.7 Default Policy and Component Created ... 91
11.3 Fix Installation Errors ... 92
11.3.1 Register IAS Plug-In ... 92
11.4 View Audit Information ... 92
11.4.1 Windows Event Log ... 92
11.4.2 Audit log text file ... 92
11.5 Delete all Digipass Data from Active Directory ... 93
11.5.1 Run Delete Script on a Domain ... 93
12 Audit Messages ... 94
12.1 Audit Message Listing ... 94
12.2 Audit Message Fields ... 98
13 Error and Status Codes ... 100
13.1 Error Code Listing ... 100
13.2 Status Code Listing ... 102
14 Technical Support ... 105


Index of Tables

Table 1: Custom Object Classes...9

Table 2: Custom Object Attributes...11

Table 3: Custom Permission Property Sets... 11

Table 4: Custom Search options...13

Table 5: Encrypted Data Attributes...14

Table 6: User Fields...35

Table 7: Digipass Fields... 36

Table 8: Digipass Application Fields... 37

Table 9: Policy Fields...43

Table 10: Component Fields... 44

Table 11: License Parameters for Digipass Plug-In for IAS...45

Table 12: Configuration Settings for CGI Program... 49

Table 13: Form Fields for Main Registration Page... 50

Table 14: Form Fields for Registration Challenge Page... 51

Table 15: Form Fields for Server PIN Change Page... 52

Table 16: Form Fields for Main Login Test Page...53

Table 17: Form Fields for Login Test Challenge Page...54

Table 18: Form Fields for OTP Request Page...54

Table 19: Query String Variable List... 56

Table 20: API Return Codes...57

Table 21: CGI Error Return Codes... 58

Table 22: Internal Error Codes...59

Table 23: DPADadmin addschema Command Line Options...62

Table 24: DPADadmin checkschema Command Line Options...63

Table 25: DPADadmin setupdomain Command Line Options...64

Table 26: DPADadmin setupaccess Command Line Options...64

Table 27: Login Permutations - Response Only PAP... 67

Table 28: Login Permutations - Response Only CHAP... 68

Table 29: Login Permutations – Challenge/Response... 68

Table 30: Login Permutations – Virtual Digipass...69

Table 31: MDC Audit Message Variables... 83

Table 32: Message Delivery Component Configuration Settings... 87

Table 33: Required Files...89

Table 34: Registry Entries... 90

Table 35: DLLs to be Registered...90

Table 36: Permissions Required... 91

Table 37: IAS Plug-In Registry Entries... 92

Table 38: Audit Messages List...97

Table 39: Audit Message Fields... 99

1 Introduction

1.1 Available Reference Guides

These Reference Guides are included with every VASCO product:

Product Guide: The Product Guide will introduce you to the features of this product and the various options you have for using it.

Installation Guide: Use this guide when planning and working through an installation of the product.

Getting Started: To get you up and running quickly with a simple installation and setup of the product.

Administrator Reference: In-depth information required for administration of the product.

Data Migration Tool Guide: Takes you through a data migration from one VASCO product to another, using the VASCO Data Migration Tool.

Help Files

2 Active Directory Schema

2.1 Schema Extensions

The following tables document the changes made by the Digipass Plug-In for IAS to the Active Directory schema.

2.1.1 Added Object Classes

Each entry gives the class name, its type and its location in the directory, followed by an explanation.

vasco-UserExt (Aux. Class; location: User record). Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' vasco-UserExt on the User class.

vasco-DPToken (Class; location: unassigned, optional; assigned, with the User record). The vasco-DPToken class is used to store Digipass attributes. It is also a container, in which vasco-DPApplication records for that Digipass are stored. Upon assignment to a User, the Digipass record is stored in the same location as the User.

vasco-DPApplication (Class; location: within the Digipass record). This class is used to store Digipass Application attributes, such as Server PIN and expected OTP length.

vasco-Policy (Class; location: Digipass Configuration Container). Policy attributes. Attributes will commonly be shared via inheritance.

vasco-Component (Class; location: Digipass Configuration Container). Component attributes include the License Key for IAS Plug-In Components.

vasco-BackEndServer (Class; location: Digipass Configuration Container). Information required for connection to back-end servers. This class is not used with the Digipass Plug-In for IAS, but is included for compatibility with other VASCO products.

Table 1: Custom Object Classes

2.1.2 Added Attributes

The added attributes are listed below by the class to which they belong.

vasco-DPToken: vasco-SerialNumber, vasco-TokenType, vasco-ApplicationNames, vasco-ApplicationTypes, vasco-LinkVascoDigipassToUserExt, vasco-TokenAssignedDate, vasco-GracePeriod, vasco-EnableBVDP, vasco-BVDPExpiryDate, vasco-BVDPUsesLeft, vasco-DirectAssignOnly, vasco-AdditionalAttribute

vasco-DPApplication: vasco-SerialNumber, vasco-ApplicationName, vasco-DPBlob, vasco-Active

vasco-UserExt: vasco-LinkUserExtToVascoDigipass, vasco-LinkUserExtToUser, vasco-StaticPassword, vasco-LocalAuth, vasco-BackEndServerAuth, vasco-Disable, vasco-Profile, vasco-CreateTime, vasco-ModifyTime

vasco-BackEndServer: vasco-ID, vasco-Protocol, vasco-Domain, vasco-Priority, vasco-ConfigurationValue

vasco-Component: vasco-ID, vasco-Location, vasco-LinkVascoPolicyToVascoPolicy, vasco-Protocol, vasco-ConfigurationValue, vasco-PublicKey

vasco-Policy: vasco-AdditionalAttribute, vasco-EnableBVDP, vasco-LocalAuth, vasco-BackEndAuth, vasco-ApplicationNames, vasco-ID, vasco-Description, vasco-DUR, vasco-Autolearn, vasco-StoredPasswordProxy, vasco-AssignmentMode, vasco-AssignSearchUpOUPath, vasco-GracePeriod, vasco-AllowedApplType, vasco-AllowedDPTypes, vasco-Protocol, vasco-Domain, vasco-GroupList, vasco-GroupCheckMode, vasco-OneStepChalResp, vasco-OneStepChalLength, vasco-OneStepChalCheckDigit, vasco-BVDPMaximumDays, vasco-BVDPMaximumUses, vasco-PINChangeAllowed, vasco-SelfAssignSeparator, vasco-ChallengeRequestMethod, vasco-ChallengeRequestKeyword, vasco-PrimaryVDPRequestMethod, vasco-PrimaryVDPRequestKeyword, vasco-BackupVDPRequestMethod, vasco-BackupVDPRequestKeyword, vasco-ITimeWindow, vasco-STimeWindow, vasco-EventWindow, vasco-SyncWindow, vasco-IThreshold, vasco-SThreshold, vasco-CheckChallenge, vasco-OnLineSG, vasco-ChkInactDays, vasco-LinkPolicyToParentPolicy, vasco-LinkPolicyToChildPolicy, vasco-LinkPolicyToComponent, Version-Number

Table 2: Custom Object Attributes

2.1.3 Added Permission Property Sets

Property sets have been created for typical groups of permissions required for administration tasks. Each entry gives the property set, the object it applies to, and the actions it allows.

Digipass Assignment Link (applies to: Digipass). Assign and unassign Digipass for Digipass User accounts.

Digipass Application Data (applies to: Digipass Application). Digipass record functions.

Digipass User Account Information (applies to: User). Modify Digipass User information.

Digipass User Account to User Link (applies to: User). Link and unlink Digipass Users. This is also required when assigning Digipass to linked Digipass User records.

Digipass User Account Stored Password (applies to: User). Read and modify the stored password for a Digipass User.

Table 3: Custom Permission Property Sets

2.2 Active Directory Auditing

Active Directory auditing may be configured to record access and modifications to custom objects used by the Digipass Plug-In for IAS. If you currently have default auditing enabled, it might already include actions on custom objects. See these Microsoft articles for information on turning on and configuring auditing:

Windows 2000: http://support.microsoft.com/?kbid=314955
Windows 2003: http://support.microsoft.com/?kbid=814595

The basic process you will need to follow is:

1. Select a scope for the auditing (eg. Domain Root).
2. Select a Windows User or Windows Group (eg. Everyone or Domain Administrators).
3. Select the object classes to audit (eg. Digipass objects), if required.
4. Select the permissions which should be audited (eg. Read, Write, Delete, Create).

What Should I Audit?

This will depend on what you need to audit. For example, if you wanted to record all Digipass assignments in the domain, you might set up auditing in the Domain Root for Everyone, with the Digipass Assignment Link property set.

See the topic for more information on custom objects and permission property sets created for the Digipass Plug-In for IAS.

2.3 Custom Search Options

The Digipass Extension adds functionality to the Active Directory Users and Computers snap-in which allows searching for specific Digipass and Digipass User records throughout a domain, or within the limits of a delegated administrator's permissions. This functionality is especially useful where unassigned Digipass have been allocated to various Organizational Units.

The list below gives the custom search attributes available for Digipass User accounts and Digipass records, with the tab of the Find dialog on which each appears.

Object type: Users, Contacts and Groups
Digipass Assignment Link: Advanced tab
Digipass Back-End Authentication: Advanced tab
Digipass Local Authentication: Advanced tab
Digipass RADIUS Profile: Advanced tab
Digipass User Account Disabled: Advanced tab
Digipass User Account Locked: Advanced tab
Digipass User to User Link: Advanced tab

Object type: Digipass
Serial Number From: Digipass tab
Serial Number To: Digipass tab
Digipass Type: Digipass tab
Application Name: Digipass tab
Application Type: Digipass tab
Digipass Assignment: Digipass tab
Reserved: Digipass tab
Backup Virtual Digipass Enabled: Advanced tab

Table 4: Custom Search options

2.3.1 Using the Custom Search

This set of instructions shows the sort of use to which the Digipass custom search options can be put, and the basic steps required for a search.

1. Right-click on the Organisational Unit to search in.
2. Click on Find...
3. Select the object type from the Find drop down list.
4. If you are searching on advanced attributes (see table above):
   a. Click on the Advanced tab.
   b. Click on Field and select the attribute from the list (for User attributes, click on Field -> User -> attribute).
5. Enter the search criteria.

Note

Either exact text or wildcards should be used. The search is performed on whole words only, not partial words.

Example

A search for Digipass records run with only the following text entered into the Serial Number field would return these results:

0097: No records returned
0097*: All Digipass with serial number starting with 0097
0097987654: Digipass with serial number 0097987654 only
*76: All Digipass with serial number ending in 76
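The whole-value search semantics shown in the example above (exact text or a '*' wildcard, never a partial match) can be reproduced in an LDAP query against the vasco-SerialNumber attribute from Table 2. The Python below is an added example and is not part of the VASCO guide; it assumes the Serial Number search field maps onto that attribute, builds an RFC 4515 filter with the administrator's text escaped so that only '*' is interpreted, and emulates the server-side match on a constructed record set to show why '0097' on its own returns nothing.

```python
"""Added example (not from the VASCO guide): serial-number search filters."""
import re

# Attribute name taken from Table 2 of the guide; mapping of the Serial Number
# search field onto it is an assumption of this example.
SERIAL_ATTR = "vasco-SerialNumber"


def escape_filter_value(text: str) -> str:
    """Escape LDAP filter metacharacters (RFC 4515) but keep '*' as a wildcard.
    Backslash is handled first so the other escapes are not re-escaped."""
    out = text.replace("\\", "\\5c")
    out = out.replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00")
    return out


def serial_number_filter(text: str) -> str:
    """LDAP filter that matches the whole serial-number value only."""
    return f"({SERIAL_ATTR}={escape_filter_value(text)})"


def matches(pattern: str, serial: str) -> bool:
    """Emulate the directory's match: '*' matches any run of characters,
    every other character must match literally, and the whole value must match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, serial) is not None


def find_serials(pattern: str, serials):
    """Serials from the given list that the search text would return."""
    return [s for s in serials if matches(pattern, s)]


# Constructed sample record set for the demonstration.
SAMPLE_SERIALS = ["0097987654", "0097123476", "0012345676", "1234567890"]

if __name__ == "__main__":
    for text in ("0097", "0097*", "0097987654", "*76"):
        print(serial_number_filter(text), "->", find_serials(text, SAMPLE_SERIALS))
```

Only the characters RFC 4515 reserves are escaped, so parentheses or backslashes typed into the field cannot alter the filter's structure, while the wildcard behaviour the guide documents is preserved.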

2.4 Sensitive Data Encryption

Sensitive data is encrypted by the IAS Plug-In using an embedded key. If needed, this encryption may be strengthened by adding a custom key in the Configuration GUI. The embedded and custom keys are subjected to a logical XOR process to produce a new key derived from both.

Note

Encryption settings must be set before importing Digipass.

2.4.1 Encrypted Data

vasco-DPBlob (class vasco-DPApplication)
vasco-StaticPassword (class vasco-UserExt)
vasco-SharedSecret (class vasco-Component)

Table 5: Encrypted Data Attributes

2.4.2 Which Encryption Algorithms can be used?

AES
blowfish
cast5
3DES
3DES with 3 keys

2.4.3 Exporting Encryption Settings

Encryption settings may be exported to a password-protected text file from the IAS Plug-In Configuration GUI. This file may then be loaded to other IAS Plug-In modules.

2.5 Active Directory Replication Issues

Active Directory replication is not instantaneous. Intra-site replication is usually quite fast, especially under Windows Server 2003, but changes on one Domain Controller may still take several minutes to be replicated to other Domain Controllers. Inter-site replication may be quite slow; an hour or more between replications is common.

Replication occurs when more than one Domain Controller exists in a domain.

2.5.1 Old Data Used After Attribute Modified

The time period between replications becomes a problem where information is changed on one Domain Controller (for example, a Digipass User's Server PIN is reset), but old information is used on another Domain Controller before the changed information has been replicated to it.

There are a few scenarios where this may occur. These are listed below:

2.5.1.1 Single Plug-In using more than one Domain Controller

A single Plug-In may make a change to a record, have to switch to another Domain Controller, and read the same record where the change has not yet been applied.

Example

A User logs in with an OTP, and the Plug-In connects to DC-01 to retrieve and update the Digipass data. The connection to DC-01 fails soon after login, before replication has occurred. The User needs to log in again, and the Plug-In connects to DC-02 this time. The User can log in using the same OTP as the last login: the login should fail (OTP replay) but instead succeeds, because DC-02 does not yet know that the OTP has been previously used.

The example timeline below shows the sequence of events:

8:32: Replication occurs.
8:34 (DC-01): User logs in with OTP 10457920. The Plug-In records the use of the OTP in the Digipass record.
8:35: Connection to DC-01 is broken, and the Plug-In switches to DC-02.
8:35 (DC-02): User retries login using the same OTP 10457920. The login succeeds where it should have failed (OTP replay). The Plug-In records the use of the OTP in the Digipass record.
8:37: Replication occurs. Digipass record changes are replicated between DC-01 and DC-02.

2.5.1.2 Administrator and Plug-In using different Domain Controllers

The administrator may not be connected to the same Domain Controller (via the Administration Interfaces) as the Plug-In.

Example

An administrator changes a User's Server PIN through the Active Directory Users and Computers extension, which is connected to DC-01. The Plug-In connects to DC-03. The User attempts a login using the new PIN, which fails because DC-03 is not yet aware of the change of Server PIN.

The example timeline below shows the sequence of events:

9:02: Replication occurs.
9:03 (DC-01): Administrator changes a User's Server PIN from 1234 to 9876.
9:04 (DC-03): User attempts to log in using the new PIN (9876) and the login fails.
9:05: Replication occurs. Digipass record changes are replicated between DC-01 and DC-03.

2.5.1.3 Multiple Plug-Ins Using Different Domain Controllers

Multiple Plug-Ins may connect to different Domain Controllers in a domain or site.

Example

A User changes their own PIN during a login through a Plug-In which connects to DC-01. The server on which the Plug-In is installed becomes unavailable, and the User attempts another login via the Plug-In on a backup server, which connects to DC-02. The login fails because DC-02 is not yet aware of the change of Server PIN.

The example timeline below shows the sequence of events:

11:54: Replication occurs.
11:55 (DC-01): User changes their Server PIN from 1234 to 9876 during login. The Plug-In records the PIN change in the Digipass record.
11:57 (DC-02): User attempts to log in using the new PIN (9876) and the login fails.
11:59: Replication occurs. Digipass record changes are replicated between DC-01 and DC-02.

2.5.1.4 Two Administrators Modifying the Same Attribute

Two administrators attempt to modify the same attribute on a single User account or Digipass record within the same replication interval. The later modification will overwrite the earlier when replication occurs.

2.5.2 Old Data Used Overwrites New Data

The problems above are exacerbated when the record on the second Domain Controller is updated based on the old information. As the updated record on the second Domain Controller now has a later modification date, the end result is that the changed information on the first Domain Controller is overwritten incorrectly.

Example

An administrator connects to DC-01 and sets a User's PIN from '1234' to '9876'. The User logs in through the Plug-In, which connects to DC-02. The User enters the new Server PIN and his One Time Password. However, the PIN set on DC-01 has not yet been replicated to DC-02, so because the PIN entered does not match the old PIN still recorded in the Digipass record on DC-02, the login fails.

Because the Policy setting of Identification Threshold is in use, his login failure is written back to the Digipass record. When replication occurs, the Digipass record on DC-02 has the latest modification date, and is copied to DC-01, wiping out the original PIN setting made by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server PIN for the Digipass.

The example timeline below shows how the problem can occur:

10:45: Replication.
10:46 (DC-01): Administrator changes User's PIN from 9876 to 1234.
10:48 (DC-02): User login (with new PIN of 1234) fails. Digipass Plug-In writes failure information to the Digipass record.
10:50: Replication. Active Directory finds the last instance of the Digipass blob having been modified, and overwrites the DC-01 Digipass record with the DC-02 Digipass record.

The problem shown in the example above may also occur with a Force PIN Change set by an administrator.

2.5.3 Factors Affecting Replication Issues

A number of factors determine the likelihood and severity of the Active Directory issues described:

Redundancy and load-balancing settings for the Plug-In

There are a number of Plug-In configuration settings which may affect replication issues:

Preferred Server: The Plug-In will attempt to connect to the named Domain Controller, rather than simply polling the domain for an available Domain Controller.

Preferred Server Only: The Plug-In may be restricted to connecting only to the Domain Controller named in the above setting. If this is enabled, the Plug-In will not switch to any other Domain Controller.

The maximum bind lifetime controls how long the Plug-In will stay connected to a Domain Controller before polling the domain for a Domain Controller connection.

Replication Interval

In Windows 2000, the intra-site replication interval can be configured; the default is 5 minutes. On Windows Server 2003, the intra-site replication interval is not configurable, but is set to approximately 15 seconds, as replication is much more efficient.

Inter-site replication is fully configurable on both Windows 2000 and Windows Server 2003.

The longer the replication interval, the more likelihood of these problems occurring.

Number of Domain Controllers in the Site

Each Domain Controller regularly requires replication with all other local Domain Controllers. As this is done sequentially, it will affect the amount of time between replications.

2.5.4 Solutions and Mitigations

2.5.4.1 Digipass Cache

The Digipass cache collects Digipass records as they are modified, and keeps them in memory for a certain length of time. A newer entry from the cache is always used in preference to an older record from Active Directory. The cache age should be a little longer than the typical replication interval. The default is 10 minutes (600 seconds).

This option will help with problems caused by a single Plug-In accessing more than one Domain Controller in a domain (see 2.5.1.1 Single Plug-In using more than one Domain Controller). It will not affect the scenarios of multiple Plug-Ins or an Administration Interface being connected to a different Domain Controller to the Plug-In.

If you calculate that your typical replication interval will be more than ten minutes, the cache age may be increased by modifying the Blob-Cache Max-Age setting in the configuration file (<install dir>\bin\dpiasext.xml):

<Blob-Cache>
  <Max-Age type="unsigned" data="600"/>
  <Max-Size type="unsigned" data="0"/>
  <Clean-Threshold type="unsigned" data="10"/>
  <Min-Clean-Interval type="unsigned" data="60"/>
</Blob-Cache>

A large cache may slow down processing slightly for the Plug-In, so monitor performance to check the impact caused after modifying the cache age.
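Because the guide's rule is that Max-Age should exceed the replication interval, the adjustment can be checked and applied from a script rather than by hand-editing. The Python below is an added example and not part of the VASCO product; it reads the Blob-Cache fragment, compares Max-Age with a replication interval you supply, and writes back an updated fragment. The element and attribute names are the ones shown in the configuration file above; the sample fragment and the interval figure are constructed.

```python
"""Added example (not from the VASCO guide): check and update Blob-Cache Max-Age."""
import xml.etree.ElementTree as ET

# Constructed sample: the default values shown in the guide's dpiasext.xml fragment.
SAMPLE_CONFIG = """<Blob-Cache>
  <Max-Age type="unsigned" data="600"/>
  <Max-Size type="unsigned" data="0"/>
  <Clean-Threshold type="unsigned" data="10"/>
  <Min-Clean-Interval type="unsigned" data="60"/>
</Blob-Cache>"""


def _blob_cache_element(root):
    """Accept either the bare fragment or a larger document that contains it."""
    if root.tag == "Blob-Cache":
        return root
    elem = root.find(".//Blob-Cache")
    if elem is None:
        raise ValueError("no Blob-Cache element found")
    return elem


def read_blob_cache(xml_text):
    """Return {setting name: integer value} for every child of <Blob-Cache>."""
    elem = _blob_cache_element(ET.fromstring(xml_text))
    settings = {}
    for child in elem:
        if child.get("type") != "unsigned":
            raise ValueError(f"unexpected type on {child.tag}")
        value = int(child.get("data"))
        if value < 0:
            raise ValueError(f"{child.tag} must be unsigned")
        settings[child.tag] = value
    return settings


def max_age_is_sufficient(settings, replication_interval_s):
    """The guide's rule: the cache age should be a little longer than the
    typical replication interval, so a Max-Age at or below it is flagged."""
    return settings["Max-Age"] > replication_interval_s


def with_max_age(xml_text, new_max_age):
    """Return the fragment with Max-Age replaced; other settings are untouched."""
    root = ET.fromstring(xml_text)
    node = _blob_cache_element(root).find("Max-Age")
    if node is None:
        raise ValueError("Max-Age missing")
    node.set("data", str(int(new_max_age)))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    current = read_blob_cache(SAMPLE_CONFIG)
    interval = 900  # constructed: a 15-minute inter-site replication interval
    if not max_age_is_sufficient(current, interval):
        print(with_max_age(SAMPLE_CONFIG, interval + 120))
```

Run against the real file, the script would parse the whole dpiasext.xml and locate the Blob-Cache element inside it; restart or reload the Plug-In as its documentation requires after changing the file.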

Warning

If the Plug-In is installed on a member server, this server must be closely time-synchronised with the Domain Controller(s). If the server is not time-synchronised, the Policy may select an older record when comparing records in the Digipass cache with those on the Domain Controller.

2.5.4.2 Identification Threshold Setting

Reconsider use of the Identification Threshold setting in the relevant Policy(s). The User Lock setting may be used instead in most cases (see the topics on these two settings for more information). Discontinuing use of the Identification Threshold setting will avoid the scenario shown in 2.5.2 Old Data Used Overwrites New Data, where a failed login overwrites an administrator's modification.

2.5.4.3 Administrator Connection Strategy

The option exists in the Active Directory Users and Computers Plug-In to connect to a specific Domain Controller in a domain. An administrator should select the same Domain Controller as used by the Plug-In for urgent administration tasks likely to be affected by this issue, for example resetting a User's Server PIN so they may login while on the phone to the administrator.

To connect to a specific Domain Controller, right-click on the domain and select Connect to Domain Controller...

(20)

Digipass Plug-In for IAS Administrator Reference Active Directory Schema

2.5.4.4

Set a Preferred Server

This option decreases some replication problems, as the Plug-In will be primarily connected to

the Domain Controller named as its Preferred Server. This gives less opportunity for

load-balancing, however.

If the Plug-In is installed on a Domain Controller, the Preferred Server will not need to be set

for that domain, as the Plug-in will normally select that Domain Controller for connections.

To set a Preferred Server for a domain:

1.

Open the IAS Plug-In Configuration GUI (Start -> Programs -> VASCO -> Digipass

Plug-In for IAS -> Configuration GUI).

2.

Click on the Active Directory Connections tab.

3.

If the domain is the Configuration Domain, click on Edit...

If the domain is in the Domains list, select the domain name and click on Edit...

If the domain is not in the Domains list, click on Add...

(21)

Digipass Plug-In for IAS Administrator Reference Active Directory Schema

5. Enter the name of the Domain Controller in the Preferred Server field. This name should be the first part of the FQDN for the Domain Controller, e.g. dc01 from dc01.support.vasco.com.
6. Enter any other information required.
7. Click on OK.


2.5.4.5 Use Preferred Server Only Option

In some cases this setting may be enabled, as it forces the Plug-In to use the same Domain Controller at all times. It eliminates load-balancing and any fail-over for the Plug-In, though, so it is not normally recommended.


3 Set Up Active Directory Permissions

3.1 Permissions Needed by the IAS Plug-In

The IAS Plug-In runs inside Microsoft's Internet Authentication Service, which runs as a Service. The Service runs as the 'Local System' account rather than as a named user account. Therefore, when connecting to Active Directory, the IAS Plug-In connects as the computer account, not a user account. The permissions that it has within Active Directory are the permissions of the computer account.

An important exception to this occurs if you install IAS and the IAS Plug-In onto a Domain Controller. Any Service running as 'Local System' on a Domain Controller has all possible permissions to that Domain. In this case, no additional setup of permissions is required. Therefore, the rest of this section applies to the case where IAS is not on the Domain Controller.

When you register IAS in Active Directory, this adds the computer account to the built-in 'RAS and IAS Servers' group in the Domain. This built-in group has the permissions required by IAS itself within Active Directory, but it does not have the extra permissions required by the IAS Plug-In.

In order to function correctly, the IAS Plug-In requires the following permissions in Active Directory, which are not granted to the 'RAS and IAS Servers' group by default:

- Read access to the Digipass Configuration Container
- Read access to all User accounts (or at least, all who might need to be authenticated by the IAS Plug-In)
- Write access to the new attributes that are added to the User class for the Digipass Plug-In for IAS (these are in the auxiliary class vasco-UserExt)
- Full control over all Digipass (vasco-DPToken) and Digipass Application (vasco-DPApplication) objects
- Create and delete permission for Digipass (vasco-DPToken) objects in Organizational Units and containers (specifically the Digipass-Pool and Users containers)

3.1.1 Giving Permissions to the IAS Plug-In

During installation, these additional permissions are granted to the 'RAS and IAS Servers' group automatically.

There is also a manual way to grant these permissions, by running the 'setupaccess' command at the command prompt:

dpadadmin.exe setupaccess -group "RAS and IAS Servers"


3.2 Permissions Needed by Administrators

3.2.1 Domain Administrators

Domain Administrators already have all required permissions within their Domain.

3.2.2 Delegated Administrators

The term 'Delegated Administrators' is used here to refer to administrators who have been delegated control over an Organizational Unit. Generally speaking, they have administrative control over the user and computer accounts within their Organizational Unit.

See the Digipass Records topic in the Product Guide for more information on possible approaches to delegating Digipass administration.

By default, these administrators will be able to view the Digipass User Account data for their users and the Digipass that are located within their Organizational Unit. However, they will not be able to modify any of that data or assign Digipass.

If you wish to delegate responsibility for all Digipass-related administration within an Organizational Unit, the following additional permissions are required by the Delegated Administrator:

- Within the scope of the Organizational Unit, write permission to the new attributes that are added to the User class for the Digipass Plug-In for IAS (these are in the auxiliary class vasco-UserExt). You can add write permissions for each individual Property Set or, if appropriate, grant 'Write All Properties' permission.
- Within the scope of the Organizational Unit, full control over all Digipass (vasco-DPToken) and Digipass Application (vasco-DPApplication) objects
- Create and delete permission for Digipass (vasco-DPToken) objects within the Organizational Unit
- If the Delegated Administrator should be allowed to assign Digipass from the Digipass Pool to their users, they need:
  - the Delete Digipass objects permission in the Digipass-Pool container
  - Write All Properties permission on Digipass objects in the Digipass-Pool container
- If the Delegated Administrator should be allowed to move unassigned Digipass back to the Digipass-Pool, they need the Create Digipass objects permission in the Digipass-Pool container

3.2.3 Reduced-Rights Administrators

The term 'Reduced-Rights Administrator' is used here to refer to administrators who are granted permissions to perform only selected Digipass-related administration tasks. They may be granted these permissions within the scope of the whole Domain, or only within an Organizational Unit.

An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but not to assign/unassign Digipass to/from users.


By default, all users have read access to everything in the Active Directory. The modification permissions that can be granted to this kind of administrator are:

- Write permission for any of three Property Sets on the Digipass User Account fields:
  - Digipass User Account Information: all attributes except those covered by the other two Property Sets
  - Digipass User Account Link: the link attribute used to share a Digipass between two user accounts
  - Digipass User Account Stored Password: the Stored Password attribute
- Write permission for any individual properties on Digipass objects, except for one Property Set that is defined to control the Digipass assignment link
- Write permission for any individual properties on Digipass Application objects, except for one Property Set that is defined to include the Digipass 'blob' that is required for any administrative operation such as Reset PIN, Test, Set Event Counter, etc.
- Create and delete permission on Digipass and Digipass Application objects
- If the administrator should be allowed to move Digipass, they need:
  - the Delete Digipass objects and Create Digipass objects permissions in the relevant Domain and/or Organizational Unit
  - Write All Properties permission on Digipass objects
  Note that this can be necessary for assigning Digipass to users, because a move from one location to another is controlled by permissions to delete from the source and create in the destination.

3.2.4 System Administrators

The term 'System Administrator' is used here to refer to an administrator who will be responsible for management of the Component and Policy records, rather than Digipass User Accounts and Digipass. They need permissions within the Digipass Configuration Container to create, modify and delete Policy (vasco-Policy) and Component (vasco-Component) objects.

In practice, System Administrators can typically be given full control over the Digipass-Configuration container. If you wish to grant more limited permissions, this can be handled with the standard Active Directory permissions on these objects within the scope of the container.
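The permission sets in 3.2.2 and 3.2.3 only hold if the DACL on the Organizational Unit is evaluated the way Windows evaluates it: explicit Deny before explicit Allow, then inherited Deny, then inherited Allow, with the first matching ACE deciding. The following is an added example, not VASCO code, that models exactly that rule over a constructed DACL: the group names DelegatedAdmins and Helpdesk are placeholders, the class and property set names are the ones the reference lists, and the "blob" property name is a stand-in for the property set the reference does not name. It shows why a Reduced-Rights Helpdesk group that is meant to write only the Digipass User Account Information set can still end up writing the Link set if a broad 'Write All Properties' grant is inherited from a parent OU:

```python
"""Constructed model of how an AD DACL decides a Digipass permission request.

Added example, not VASCO code. It models only what the permission sets above
rely on: object-specific ACEs (vasco-DPToken / vasco-DPApplication), property
set ACEs (the three Digipass User Account property sets) and the canonical
order in which ACEs are evaluated: explicit Deny, explicit Allow, inherited
Deny, inherited Allow; the first matching ACE decides, no match means deny.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Ace:
    trustee: str                      # group the ACE is granted to
    allow: bool                       # True = Allow, False = Deny
    right: str                        # "WriteProperty", "CreateChild", "DeleteChild" or "GenericAll"
    obj_type: Optional[str] = None    # property set or child class the right is limited to (None = all)
    applies_to: Optional[str] = None  # object class the ACE applies to (None = any object)
    inherited: bool = False           # inherited from a parent container rather than set here


def canonical_order(aces: Iterable[Ace]) -> list:
    """Explicit ACEs before inherited ones, Deny before Allow within each group."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))


def is_allowed(aces, member_of, right, obj_type=None, obj_class=None) -> bool:
    """First ACE in canonical order matching trustee, object class and right decides."""
    for ace in canonical_order(aces):
        if ace.trustee not in member_of:
            continue
        if ace.applies_to is not None and ace.applies_to != obj_class:
            continue
        if ace.right != "GenericAll":          # GenericAll covers every right
            if ace.right != right:
                continue
            if ace.obj_type is not None and ace.obj_type != obj_type:
                continue
        return ace.allow
    return False                               # implicit deny


# Constructed DACL on an Organizational Unit, following 3.2.2 and 3.2.3.
OU_DACL = [
    # Delegated Administrators: every vasco-UserExt property on User objects ...
    Ace("DelegatedAdmins", True, "WriteProperty", None, "user"),
    # ... full control over Digipass and Digipass Application objects ...
    Ace("DelegatedAdmins", True, "GenericAll", None, "vasco-DPToken"),
    Ace("DelegatedAdmins", True, "GenericAll", None, "vasco-DPApplication"),
    # ... and create/delete of Digipass objects in the OU itself.
    Ace("DelegatedAdmins", True, "CreateChild", "vasco-DPToken", "organizationalUnit"),
    Ace("DelegatedAdmins", True, "DeleteChild", "vasco-DPToken", "organizationalUnit"),
    # Helpdesk (Reduced-Rights): only the User Account Information property set.
    Ace("Helpdesk", True, "WriteProperty", "Digipass User Account Information", "user"),
    # An explicit Deny on the Stored Password set, placed on this OU.
    Ace("Helpdesk", False, "WriteProperty", "Digipass User Account Stored Password", "user"),
    # A broad Write All Properties grant inherited from a parent OU (a common mistake).
    Ace("Helpdesk", True, "WriteProperty", None, "user", inherited=True),
]

INFO = "Digipass User Account Information"
LINK = "Digipass User Account Link"
STORED_PW = "Digipass User Account Stored Password"


def helpdesk_rights() -> dict:
    """Effective rights of a Helpdesk member on objects under the OU."""
    g = {"Helpdesk"}
    return {
        "write_info": is_allowed(OU_DACL, g, "WriteProperty", INFO, "user"),
        "write_stored_pw": is_allowed(OU_DACL, g, "WriteProperty", STORED_PW, "user"),
        # Not denied explicitly, so the inherited Write All Properties leaks it through.
        "write_link": is_allowed(OU_DACL, g, "WriteProperty", LINK, "user"),
        "create_token": is_allowed(OU_DACL, g, "CreateChild", "vasco-DPToken", "organizationalUnit"),
    }


def delegated_rights() -> dict:
    """Effective rights of a Delegated Administrator; 'blob' is a placeholder property name."""
    g = {"DelegatedAdmins"}
    return {
        "write_stored_pw": is_allowed(OU_DACL, g, "WriteProperty", STORED_PW, "user"),
        "create_token": is_allowed(OU_DACL, g, "CreateChild", "vasco-DPToken", "organizationalUnit"),
        "write_app_blob": is_allowed(OU_DACL, g, "WriteProperty", "blob", "vasco-DPApplication"),
    }


if __name__ == "__main__":
    print("Helpdesk:", helpdesk_rights())
    print("Delegated:", delegated_rights())
```

The practical check this suggests: after delegating per-property-set writes to a Reduced-Rights group, look at the inherited ACEs on the same OU (Advanced Security Settings in Active Directory Users and Computers shows them), because an inherited Allow on all properties widens the grant silently, while only an explicit Deny on this OU overrides it.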

3.3 Assign Administration Permissions to a User

Note: This example assumes that the administrator's User account has read permissions for all User records already.

To grant permissions to manage Digipass records, you will need to follow these steps:

1. Right-click on the Organizational Unit in which to assign permissions.


3. Select the User or Windows Group to assign permissions.
4. Click on OK.
5. Select the Delegate Common Tasks option button.
6. Select Create, Delete and Manage Digipass from the list.
7. Click on Next.
8. Click on Finish.

If you wish to grant permissions to modify Digipass User Account properties, you will need to follow these steps:

9. Select View -> Advanced Features from the main menu.
10. Right-click on the Organizational Unit in which to assign permissions.
11. Select Properties from the right-click menu.
12. Click on the Security tab.
13. Click on the Advanced button. The Advanced Security Settings window will be displayed.
14. Click on Add...
15. Type the username of the User to assign the permissions to and click OK.
16. Click on the Properties tab.
17. Select User Objects from the Apply onto drop-down list.
18. Select the required permissions from:
    - Write Digipass User Account Information
    - Write Digipass User Account Link
    - Write Digipass User Account Stored Password
19. Click on OK.
20. Click on OK.
21. Click on OK.

If the administrator requires permissions to take Digipass out of the Digipass Pool for assignment, you will need to follow these steps:

22. Right-click on the Digipass Pool.
23. Select Properties from the right-click menu.
24. Click on the Security tab.
25. Click on the Advanced button. The Advanced Security Settings window will be displayed.
26. Click on Add...
27. Select the User account.
28. Click on OK.
29. Click on the Object tab.


31. Tick the Allow box for:
    - Delete Digipass Objects
    - Create Digipass Objects (if you wish to allow the administrator to move Digipass records into the Digipass Pool)
32. Click on OK.
33. Click on Add...
34. Select the User account.
35. Click on OK.
36. Click on the Object tab.
37. Select Digipass objects from the Apply onto drop-down list.
38. Tick the Allow box for Write All Properties.
39. Click on OK.
40. Click on OK.


3.4 Multiple Domains

When using the IAS Plug-In with multiple domains, extra steps must be followed to ensure that both the IAS Plug-In and administrators have permissions sufficient to access required data. The main issues are:

- The Digipass Configuration Container is only in one Domain. All IAS Plug-Ins need read access to this container, even when they are in a different Domain. Cross-Domain access for administrators is a less likely requirement, however.
- If an IAS Plug-In handles users and Digipass in more than one Domain, it needs to be granted the necessary permissions in all the necessary Domains.

In this manual, we will handle cross-Domain permissions using a combination of Domain Local and Domain Global groups. It is possible in a 'native' mode Domain to use Universal groups, but these are not recommended in Windows 2000 due to replication issues. The replication efficiency has been improved in Windows Server 2003; however, Universal groups are still not used as commonly as Domain Local/Global groups.

Three possible scenarios for multiple domain setup are outlined below:

3.4.1 Scenario 1 – Each IAS Server Handles One Domain

Each IAS server handles only the domain in which it is a member.

Install IAS in each domain (the result will be at least as many IAS servers as domains).

Give each IAS server access to the Digipass Configuration Domain:

Domain Global Group(s), for each domain (apart from the Digipass Configuration Domain):

1. Create a Domain Global group.
2. Add the IAS server(s) to the Domain Global group (check which machines are in the 'RAS and IAS Servers' group to ensure the correct additions).

Domain Local group, in the Digipass Configuration Domain:

3. Create or use an existing Domain Local group.
4. Give the Domain Local group full read access to the Digipass Configuration Container.
5. Add the Domain Global Group from each other domain to the Domain Local group.

3.4.2 Scenario 2 – One IAS Server Handles All Domains

IAS servers in one domain handle all domains. The Digipass Configuration Container should be located in the domain to which the IAS servers belong.

Give the necessary access to User and Digipass data:

Domain Global group:


1. Create a Domain Global group.
2. Add the IAS servers to the Domain Global group (check which machines are in the 'RAS and IAS Servers' group to ensure the correct additions).

Domain Local groups, for each other Domain:

3. Create a Domain Local group.
4. Give the Domain Local group the required permissions (run the setupaccess command; see 8.1 DPADadmin Utility for more information).
5. Add the Domain Global group from the IAS Domain to the Domain Local group.

3.4.3 Scenario 3 - Combination

This scenario represents more complex setups, where a combination of steps from Scenarios 1 and 2 will be required. Use the steps given in the first two scenarios as a guide for what you will need to do for the combination scenario.
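Scenarios 1 and 2 both rest on two Active Directory group-scope rules: a Domain Global group can only contain accounts from its own domain, and a Domain Local group can only be used to grant access to resources in its own domain, which is why the IAS servers go into a Global group in their own domain and that group is nested into a Local group in the domain holding the resource. The following added example (not VASCO code; the domain names corp and eu, the group names and the computer account IAS-EU$ are placeholders) models those rules, builds the Scenario 1 setup with them, resolves the effective access of an IAS server's computer account, and shows the error you get if the server is put straight into a Global group of the Configuration Domain instead:

```python
"""Constructed model of the Domain Global / Domain Local group nesting used in
Scenarios 1 and 2. Added example, not VASCO code; domains, groups and computer
accounts are placeholders. Two scope rules are enforced: a Domain Global group
only takes principals of its own domain, and a Domain Local group only grants
access to resources in its own domain."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Union


@dataclass(frozen=True)
class Principal:
    name: str     # e.g. a computer account such as "IAS-EU$"
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str                                  # "Global" or "DomainLocal"
    members: List[Union[Principal, str]] = field(default_factory=list)  # str = nested group name


class Forest:
    def __init__(self):
        self.groups: Dict[str, Group] = {}
        self.grants: Dict[str, Set[str]] = {}   # resource -> group names granted access

    def add_group(self, name, domain, scope):
        self.groups[name] = Group(name, domain, scope)

    def add_member(self, group_name, member):
        g = self.groups[group_name]
        if isinstance(member, Principal):
            if g.scope == "Global" and member.domain != g.domain:
                raise ValueError(f"{member.name} ({member.domain}) cannot join Global group "
                                 f"{g.name} in {g.domain}")
        else:
            m = self.groups[member]
            if g.scope == "Global" and (m.scope != "Global" or m.domain != g.domain):
                raise ValueError(f"Global group {g.name} may only nest Global groups of {g.domain}")
            if g.scope == "DomainLocal" and m.scope == "DomainLocal" and m.domain != g.domain:
                raise ValueError("Domain Local groups nest only within their own domain")
        g.members.append(member)

    def grant(self, resource, resource_domain, group_name):
        g = self.groups[group_name]
        if g.scope == "DomainLocal" and g.domain != resource_domain:
            raise ValueError(f"{g.name} is Domain Local to {g.domain}, not {resource_domain}")
        self.grants.setdefault(resource, set()).add(group_name)

    def member_of(self, principal) -> Set[str]:
        """Transitive group membership: direct members first, then nested groups."""
        found = {g.name for g in self.groups.values() if principal in g.members}
        changed = True
        while changed:
            changed = False
            for g in self.groups.values():
                if g.name not in found and any(m in found for m in g.members if isinstance(m, str)):
                    found.add(g.name)
                    changed = True
        return found

    def can_access(self, principal, resource) -> bool:
        return bool(self.grants.get(resource, set()) & self.member_of(principal))


CONFIG_CONTAINER = "Digipass Configuration Container"


def scenario_one() -> Forest:
    """Scenario 1: Configuration Domain 'corp', one other domain 'eu' with its own IAS server."""
    f = Forest()
    # Steps 1-2: a Global group in each other domain holding that domain's IAS servers.
    f.add_group("EU-IAS-Servers", "eu", "Global")
    f.add_member("EU-IAS-Servers", Principal("IAS-EU$", "eu"))
    # Steps 3-5: a Domain Local group in the Configuration Domain with read access,
    # into which the other domain's Global group is nested.
    f.add_group("DigipassConfig-Readers", "corp", "DomainLocal")
    f.grant(CONFIG_CONTAINER, "corp", "DigipassConfig-Readers")
    f.add_member("DigipassConfig-Readers", "EU-IAS-Servers")
    return f


def scope_violation_caught() -> bool:
    """Adding the eu server straight into a Global group of the corp domain is rejected."""
    f = scenario_one()
    f.add_group("Corp-IAS-Servers", "corp", "Global")
    try:
        f.add_member("Corp-IAS-Servers", Principal("IAS-EU$", "eu"))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    f = scenario_one()
    print(f.can_access(Principal("IAS-EU$", "eu"), CONFIG_CONTAINER), scope_violation_caught())
```

The same model covers Scenario 2 by swapping the roles: the Global group lives in the IAS domain and a Domain Local group with the setupaccess permissions is created in each other domain. The check worth keeping from it is step 2 of both scenarios: a server that is in 'RAS and IAS Servers' but was never added to the Global group resolves to no access at all, which the model reports as False rather than as an error.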


4 Backup and Recovery

This section explores the measures that Administrators can undertake in backing up and recovering VASCO data files in the event of a system failure.

Note: This section does not cover backup of executables and system files. In the event of a catastrophic failure these can be restored or reinstalled from the original distribution media.

Once the IAS Plug-In is installed and operational, backups should be made of important files and data.

Any time changes are made to the system, file backups may need to be performed again. These changes include, but are not limited to:

- Changing any configuration settings, including the IP address of an IAS server
- Adding/removing a Component
- Modifying a Policy

4.1 What Must be Backed Up

- Configuration files for IAS Plug-In and Message Delivery Component
- User Self-Management Web Site pages and graphics (if customized)
- Virtual Digipass OTP Request Web Site pages and graphics (if customized)
- Audit Log data
- Active Directory
- DPX files (except for demo Digipass)

Important Note: The Digipass Plug-In for IAS installation includes a DPX directory containing sample DPX files for demo Digipass. These do not need to be backed up. However, if you have copied the DPX files for your real Digipass into that directory, ensure you still have the original files (normally on floppy disk). If you no longer have the DPX file(s) stored elsewhere, it is very important that you take a backup.

4.1.1 Configuration files

The configuration files for the IAS Plug-In and Virtual Digipass Message Delivery Component can be copied from the bin directory (by default C:\Program Files\VASCO\Digipass Plug-In for IAS\bin) to a secure location.

The files to be copied are:


- mdcconfig.xml: a backup of one working file is sufficient.

Tip: Save the files above with an extension that describes the server from which the file(s) were backed up. This makes it easier and quicker to locate the correct file during recovery.
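One way to apply the Tip above and also make the recovery step in 4.2 safer is to write a digest of each copy beside it, so that a corrupted or swapped backup is noticed before it is restored into the bin directory. The following is an added example, not VASCO code: it copies dpiasext.xml and mdcconfig.xml with the server name as an extra extension, records a SHA-256 manifest, and verifies the copies; the server name ias01, the backup paths and the file contents are constructed placeholders, and demo() builds everything in a temporary directory so it runs offline.

```python
"""Constructed backup/verify helper for the IAS Plug-In configuration files
(dpiasext.xml, mdcconfig.xml). Added example, not VASCO code. Each copy gets
the source server's name as an extra extension (the Tip above), and a SHA-256
manifest written beside the copies lets a restore detect a corrupted or
swapped file before it goes back into the bin directory."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CONFIG_FILES = ("dpiasext.xml", "mdcconfig.xml")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_config(bin_dir, dest_dir, server_name) -> dict:
    """Copy the config files to dest_dir as <name>.<server_name>; return the manifest."""
    bin_dir, dest_dir = Path(bin_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for name in CONFIG_FILES:
        src = bin_dir / name
        if not src.is_file():          # e.g. no Message Delivery Component on this server
            continue
        target = dest_dir / f"{name}.{server_name}"
        shutil.copy2(src, target)      # copy2 keeps the timestamp, useful when comparing backups
        manifest[target.name] = sha256_of(target)
    (dest_dir / f"manifest.{server_name}.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest_dir, server_name) -> dict:
    """Recompute each digest; a False value means that copy must not be restored."""
    dest_dir = Path(dest_dir)
    manifest = json.loads((dest_dir / f"manifest.{server_name}.json").read_text())
    return {name: (dest_dir / name).is_file() and sha256_of(dest_dir / name) == digest
            for name, digest in manifest.items()}


def demo():
    """Back up constructed config files, then tamper with one copy and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = Path(tmp) / "bin"
        bin_dir.mkdir()
        # Constructed stand-ins for the real files; contents are placeholders.
        (bin_dir / "dpiasext.xml").write_text("<dpiasext><!-- constructed --></dpiasext>")
        (bin_dir / "mdcconfig.xml").write_text("<mdcconfig><!-- constructed --></mdcconfig>")
        backup_dir = Path(tmp) / "backup"
        manifest = backup_config(bin_dir, backup_dir, "ias01")
        before = verify_backup(backup_dir, "ias01")
        (backup_dir / "dpiasext.xml.ias01").write_text("<dpiasext>tampered</dpiasext>")
        after = verify_backup(backup_dir, "ias01")
        return sorted(manifest), before, after


if __name__ == "__main__":
    print(demo())
```

Keep the manifest with the copies in the secure location, not on the production server; a digest that lives next to the original is of little use once the server it describes has failed.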

4.1.2 Web Sites

In some cases, the web pages and graphics provided with the Digipass Plug-In for the User Self Management Web Site and Virtual Digipass OTP Request Web Site will have been customized to suit the organization's colors/languages/themes/etc.

If these web pages and graphics have been modified, it is important to have a backup stored in a secure location away from the production server. This will allow the web site to be restored with the look and feel of the organization.

To back up the web site pages and graphics, you can copy the html, js, and gif files to another location. If the site is highly modified, or the location of the files on disk is not known, contact your web administrator for further guidance.

Note: Maintaining the directory structure will make restoration of the site, if required, quicker and easier.

4.1.3 Audit Log Data

If your organization requires that the Audit Log data be archived, the method required will depend on the audit settings.

4.1.3.1 Write to File

Ensure you make copies of all files contained in the directory into which the audit log files are written. By default this will be <install dir>\Log; however, it may have been configured to another location. Check the audit configuration settings if you are unsure.

4.1.3.2 Write to Windows Event Log

By default, Event Log entries are written to the Application log. However, you can configure the entries to be written to another log. Check the audit configuration if you are unsure.

Important Note: The Event Log may be configured with a maximum size. When this size is reached, the oldest entries may be overwritten by new ones. To check this, view the Properties of the log in the Event Viewer. If older entries will be overwritten, you will need to archive them before that occurs.


To archive an Event Log:

1. Select Start -> Settings -> Control Panel.
2. Double-click on Administrative Tools.
3. Double-click on Event Viewer.
4. Right-click on Application (or the correct log, if not Application).
5. Click on Save log file as...
6. Select a path and enter a filename.
7. Select a file format from the Type drop-down list.
8. Click on the Save button.

Note: The Audit Log data is not required for system recovery purposes but may contain useful data in the event of a server failure.

4.1.4 Active Directory

4.1.4.1 Cold Backup

In most cases the server running IAS will belong to an Active Directory domain consisting of several Domain Controllers. Replication should automatically occur between Domain Controllers, providing simple data backup.

It is highly recommended, however, that you perform a cold backup of the System State Data, which includes the Active Directory repository. This will allow recovery if data is corrupted and then replicated. For more information about backing up and restoring System State Data, refer to Windows Help on your Domain Controller and enter 'backing up data, System State data' in the index tab. In particular, this should be performed on the Digipass Configuration Domain and any other Domains containing Digipass User accounts and/or Digipass records.

Additional information can be found at:
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part1/dsgch09.mspx

4.1.5 DPX files

The DPX files are normally provided on a floppy disk, which can be stored securely as a backup. If you prefer another method of archive, copy the files to your preferred location. It is important to keep the DPX file transport keys secure and preferably in a separate location from the DPX files themselves.


4.2 Recovery

The recovery process for IAS Plug-In data requires the following procedure. Some assumptions have been made for these instructions:

Assumptions:
- Active Directory is still valid and operational.
- Up-to-date backups of the configuration files for the IAS Plug-In are available.

Steps:

1. Rebuild the server with your operating system SOE, using the same IP address as before, in the same Domain as before.
2. Retrieve your backup copy of the dpiasext.xml file.
3. Reinstall the Digipass Plug-In for IAS on the server, ensuring you are logged in as a domain administrator. The same settings as those chosen in the previous installation should be selected, except that the This is not the first IAS Plug-In to be installed checkbox on the Active Directory Prerequisites screen should be ticked.
4. Tick the Use an evaluation license checkbox (the existing Digipass data in Active Directory contains all necessary licensing information, which will be retrieved when the IAS Plug-In is operational).
5. At the end of the installation, you will be prompted to select a license activation method. Select Just Continue.

Before you restart the machine, carry out the following:

6. Restore the backup copy of the configuration file dpiasext.xml into the same directory.
7. Restore any customised files for the web sites (see and for more information).

After restarting the machine:

8. Check that you can view Digipass-specific information in the Administration MMC Interface and Digipass Extension for Active Directory Users and Computers.


5 Field Listings

5.1 User Property Sheet

Each entry below gives the Field Name in Administration Interfaces, followed by its Description.

New Password, Confirm Password
  These fields are used to modify the static password that is stored in the Digipass User account. If they are left blank, no modification is made.

Local Authentication
  Specifies whether authentication requests for the User account will be handled by the IAS Plug-In using Local Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).
  Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass User account is used to override the Policy setting for special cases.
  When Local Authentication is used, there are two factors that determine whether Digipass authentication is used: any Policy restrictions on Digipass Types and/or Applications that can be used, and whether the Digipass User account has any assigned Digipass that meet the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they cannot use Digipass authentication under that Policy.
  Options:
  - Default: Use the setting of the effective Policy.
  - None: The IAS Plug-In will not carry out Local Authentication for this User account. They may be handled using Back-End Authentication, or not handled at all by the IAS Plug-In.
  - Digipass/Password: The IAS Plug-In will always carry out Local Authentication for this User, using Digipass authentication if possible, otherwise the static password. Back-End Authentication may also be utilized.
  - Digipass Only: The IAS Plug-In will always carry out Local Authentication for this User, using Digipass authentication. If Digipass authentication is not possible, the user cannot log in. Back-End Authentication may also be utilized.

Back-End Authentication
  Specifies whether authentication requests for the User account will be handled by the IAS Plug-In using Back-End Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication). Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass User account is used to override the Policy setting for special cases.
  Options:
  - Default: Use the setting of the effective Policy.
  - None: Back-End Authentication will not be used.
  - If Needed: The IAS Plug-In will utilize Back-End Authentication but only in certain cases:
    - Dynamic User Registration
    - Self-Assignment
    - Password Autolearn
    - Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password
    - Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the Grace Period
  - Always: The IAS Plug-In will utilize Back-End Authentication for every authentication request.


Disabled
  Specifies whether a Digipass User account is enabled or disabled. If disabled, authentication for the User will be rejected by the IAS Plug-In.
  This attribute will be set to disabled and made read-only if the Active Directory User account is disabled or expired. Otherwise, this attribute will be editable.

Locked
  Specifies whether a Digipass User account is locked or not. If locked, authentication for the User will be rejected by the IAS Plug-In.
  The Locked indicator is normally set automatically when the User exceeds a certain number of failed authentication attempts. The User Lock Threshold is set in the Policy.

Linked User Account
  It is possible to share Digipass between different User accounts, by linking User accounts together. This feature is intended for the case where one person, such as an administrator, has multiple User accounts. If their accounts are linked, there is no need to give more than one Digipass to that person.
  This feature is used by assigning the Digipass to one User account, then linking all the other User accounts for the person to the one that has the Digipass.
  If a User is linked to another User, their Linked User Account field will show the Active Directory DN (Distinguished Name) of the linked User. The DN shows the full address within Active Directory of the linked User, for example:
  CN=Test User,OU=Admin,OU=Europe,DC=vasco,DC=dom
  In this example, the linked User is called Test User and they are located in an Organizational Unit Admin, which is inside another Organizational Unit Europe in the vasco.dom domain. Read-only.

RADIUS Profiles
  NOTE: Not applicable to the IAS Plug-In. Included for compatibility with other VASCO products, e.g. Digipass Plug-In for Funk.

Created On
  The date and time that the Digipass User account was created. Read-only.

Last Modified On
  The date and time that the Digipass User account was last modified. Read-only.

Assigned Digipass list
  This lists all Digipass that are assigned to the User. For each Digipass, the list of active Applications is given with the Application Type indicated in brackets (). For example:
  0058384426 RESP_ONLY(RO), CHALLENGE(CR)
  In this example line, the Digipass with Serial Number 0058384426 has two active Applications: one Response Only Application RESP_ONLY and one Challenge/Response Application CHALLENGE.
  If the User does not have any Digipass assigned directly, but is linked to another User to use their Digipass (see Linked User Account), the linked User's Digipass list is shown with the Serial Numbers in square brackets (e.g. [0058384426]).
  When a Digipass in the list is selected, the remainder of the property sheet tab indicates values from the corresponding Digipass record.
  Read-only.
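Two of the values on this property sheet have a structure worth parsing when auditing Digipass assignments from an export rather than by hand: the Linked User Account DN, and the Assigned Digipass list lines (serial in square brackets when the Digipass comes through a link, then "APPLICATION(TYPE)" pairs). The following is an added example, not VASCO code; it uses the DN and list line shown above plus constructed variants (an escaped comma in a CN, a linked-User line) and makes no assumption about the product beyond the two formats the table describes:

```python
"""Parsers for two formats shown on the User Property Sheet: the Linked User
Account DN and the Assigned Digipass list lines. Added example, not VASCO
code; sample values are the ones the table shows plus constructed variants."""
import re
from typing import List, Tuple

# An RDN separator is a comma not preceded by a backslash (LDAP escaping).
_RDN_SPLIT = re.compile(r"(?<!\\),")
# "<serial> APP(TYPE), APP(TYPE)"; the serial is in [] when it comes via a linked User.
_LINE_RE = re.compile(r"^\s*(\[)?(\d+)(?(1)\])\s*(.*)$")
_APP_RE = re.compile(r"([A-Za-z0-9_]+)\(([A-Za-z]+)\)")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf first, unescaping '\\,'."""
    rdns = []
    for part in _RDN_SPLIT.split(dn):
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr.strip().upper(), value.strip().replace("\\,", ",")))
    return rdns


def dn_domain(dn: str) -> str:
    """DNS name of the domain, from the DC components."""
    return ".".join(v for a, v in parse_dn(dn) if a == "DC")


def dn_container_path(dn: str) -> List[str]:
    """OU chain from the domain root down to the object's parent."""
    return [v for a, v in reversed(parse_dn(dn)) if a == "OU"]


def parse_assigned_digipass(line: str) -> dict:
    """One Assigned Digipass list line -> serial, whether it is via a link, active applications."""
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised Assigned Digipass line: {line!r}")
    bracketed, serial, rest = m.group(1), m.group(2), m.group(3)
    return {
        "serial": serial,
        "via_link": bracketed is not None,        # [serial] = belongs to the linked User
        "applications": _APP_RE.findall(rest),    # [(application name, type code), ...]
    }


if __name__ == "__main__":
    dn = "CN=Test User,OU=Admin,OU=Europe,DC=vasco,DC=dom"   # the table's example
    print(dn_domain(dn), dn_container_path(dn))
    print(parse_assigned_digipass("0058384426 RESP_ONLY(RO), CHALLENGE(CR)"))
    print(parse_assigned_digipass("[0058384426] RESP_ONLY(RO), CHALLENGE(CR)"))
```

The via_link flag is the useful bit for a review of who can authenticate with which Digipass: a User whose whole list is bracketed holds no Digipass of their own, so removing or re-pointing the Linked User Account field on that account is what actually revokes their Digipass access.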
