Digipass Plug-In for IAS: IAS Plug-In
Digipass Extension for Active Directory Users and Computers: Administration MMC Interface
IAS: Microsoft's Internet Authentication Service
SBR: Funk Steel-Belted RADIUS (Steel-Belted RADIUS)
Disclaimer of Warranties and Limitations of Liabilities
The Product is provided on an 'as is' basis, without any other warranties, or conditions, express
or implied, including but not limited to warranties of merchantable quality, merchantability of
fitness for a particular purpose, or those arising by law, statute, usage of trade or course of
dealing. The entire risk as to the results and performance of the product is assumed by you.
Neither we nor our dealers or suppliers shall have any liability to you or any other person or
entity for any indirect, incidental, special or consequential damages whatsoever, including but
not limited to loss of revenue or profit, lost or damaged data of other commercial or economic
loss, even if we have been advised of the possibility of such damages or they are foreseeable;
or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers
and suppliers shall not exceed the amount paid by you for the Product. The limitations in this
section shall apply whether or not the alleged breach or default is a breach of a fundamental
condition or term, or a fundamental breach. Some states/countries do not allow the exclusion
or limitation or liability for consequential or incidental damages so the above limitation may
not apply to you.
Copyright
© 2006 VASCO Data Security Inc. All rights reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in
any form or by any means, electronic, mechanical, photocopying, recording, or otherwise,
without the prior written permission of VASCO Data Security Inc.
Trademarks
VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc.
Microsoft and Windows are registered trademarks of Microsoft Corporation.
Digipass Plug-In for IAS Administrator Reference Table of Contents
Table of Contents
1 Introduction
1.1 Available Reference Guides
2 Active Directory Schema
2.1 Schema Extensions
2.1.1 Added Object Classes
2.1.2 Added Attributes
2.1.3 Added Permission Property Sets
2.2 Active Directory Auditing
2.3 Custom Search Options
2.3.1 Using the Custom Search
2.4 Sensitive Data Encryption
2.4.1 Encrypted Data
2.4.2 Which Encryption Algorithms can be used?
2.4.3 Exporting Encryption Settings
2.5 Active Directory Replication Issues
2.5.1 Old Data Used After Attribute Modified
2.5.1.1 Single Plug-In using more than one Domain Controller
2.5.1.2 Administrator and Plug-In using different Domain Controllers
2.5.1.3 Multiple Plug-Ins Using Different Domain Controllers
2.5.1.4 Two Administrators Modifying the Same Attribute
2.5.2 Old Data Used Overwrites New Data
2.5.3 Factors Affecting Replication Issues
2.5.4 Solutions and Mitigations
2.5.4.1 Digipass Cache
2.5.4.2 Identification Threshold Setting
2.5.4.3 Administrator Connection Strategy
2.5.4.4 Set a Preferred Server
2.5.4.5 Use Preferred Server Only Option
3 Set Up Active Directory Permissions
3.1 Permissions Needed by the IAS Plug-In
3.1.1 Giving Permissions to the IAS Plug-In
3.2 Permissions Needed by Administrators
3.2.1 Domain Administrators
3.2.2 Delegated Administrators
3.2.3 Reduced-Rights Administrators
3.2.4 System Administrators
3.3 Assign Administration Permissions to a User
3.4 Multiple Domains
3.4.1 Scenario 1 – Each IAS Server Handles One Domain
3.4.2 Scenario 2 – One IAS Server Handles All Domains
3.4.3 Scenario 3 – Combination
4 Backup and Recovery
4.1.3 Audit Log Data
4.1.3.1 Write to File
4.1.3.2 Write to Windows Event Log
4.1.4 Active Directory
4.1.4.1 Cold Backup
4.1.5 DPX files
4.2 Recovery
5 Field Listings
5.1 User Property Sheet
5.2 Digipass Property Sheet
5.2.1 Digipass Application Tab
5.3 Policy Property Sheet
5.4 Component Property Sheet
6 Licensing
6.1 How is Licensing Handled?
6.2 Licensing Parameters
6.2.1 Sample License File
6.3 View License Information
6.4 Obtain a License Key for a Component
6.5 Change IP Address
7 Web Sites
7.1 Customizing the Web Sites
7.2 CGI Program
7.2.1 Configuration Settings
7.3 Form Fields
7.3.1 User Self Management Web Site
7.3.1.1 Registration – Main Pages
7.3.1.2 Registration – Challenge Page
7.3.1.3 Server PIN Change
7.3.1.4 Login Test – Main Page
7.3.1.5 Login Test – Challenge Page
7.3.2 OTP Request Site
7.3.2.1 Request Page
7.4 Query String Variables
7.4.1 Failure/Error Handling
7.4.2 Query String Variable List
7.4.3 Return Code Listing
7.4.3.1 API Return Codes
7.4.3.2 CGI Errors
7.4.3.3 Internal Errors
8 Command line utilities
8.1 DPADadmin Utility
8.1.1 Extend Active Directory Schema
8.1.1.1 Prerequisite Information
8.1.1.2 Extend the Schema on the Schema Master
8.1.1.3 Extend the Schema on the IAS Server
8.1.1.4 Command Line Syntax
8.1.2.1 Prerequisite Information
8.1.2.2 Check the Schema on the IAS Server
8.1.2.3 Check the Schema on a Machine in the Domain to Check
8.1.2.4 Command Line Syntax
8.1.3 Set Up Digipass Configuration Container in Domain
8.1.3.1 Prerequisite Information
8.1.3.2 Set Up Digipass Configuration Container
8.1.3.3 Command Syntax
8.1.4 Assign Digipass Permissions to a Group
8.1.4.1 Pre-requisites
8.1.4.2 Command Syntax
9 Login Options
9.1 Login Permutations
9.1.1 Response Only – PAP
9.1.2 Response Only – CHAP/MS-CHAP
9.1.3 Challenge/Response
9.1.4 Virtual Digipass
10 Configuration Settings
10.1 IAS Plug-In
10.1.1 Configuration GUI
10.1.1.1 Enable IAS Plug-In
10.1.1.2 Allow Passthrough
10.1.1.3 Set Component Location
10.1.1.4 Library Path
10.1.1.5 Turn Tracing On or Off
10.1.1.6 Active Directory Settings
10.1.1.7 Data Encryption
10.1.2 Configuration File
10.2 MDC
10.2.1 Required Information
10.2.2 MDC Configuration GUI
10.2.2.1 Set IAS Server Connection Details
10.2.2.2 Modify Gateway Account Login Details
10.2.2.3 Configure Internet Connection Details
10.2.2.4 Configure Tracing
10.2.2.5 Import HTTP Gateway settings
10.2.2.6 Edit Advanced Settings
10.2.2.7 Export HTTP Gateway settings
10.2.2.8 Gateway Result Pages
10.2.3 MDC Configuration File
10.2.4 Configuration Settings
10.3 CGI
11 How to troubleshoot
11.1 Enable Tracing
11.2 Installation Check
11.2.1 Installation Log File
11.2.2 Check file placement
11.2.3 Registry Entries
11.2.4 DLLs to be Registered
11.2.7 Default Policy and Component Created
11.3 Fix Installation Errors
11.3.1 Register IAS Plug-In
11.4 View Audit Information
11.4.1 Windows Event Log
11.4.2 Audit log text file
11.5 Delete all Digipass Data from Active Directory
11.5.1 Run Delete Script on a Domain
12 Audit Messages
12.1 Audit Message Listing
12.2 Audit Message Fields
13 Error and Status Codes
13.1 Error Code Listing
13.2 Status Code Listing
14 Technical Support
Index of Tables
Table 1: Custom Object Classes
Table 2: Custom Object Attributes
Table 3: Custom Permission Property Sets
Table 4: Custom Search options
Table 5: Encrypted Data Attributes
Table 6: User Fields
Table 7: Digipass Fields
Table 8: Digipass Application Fields
Table 9: Policy Fields
Table 10: Component Fields
Table 11: License Parameters for Digipass Plug-In for IAS
Table 12: Configuration Settings for CGI Program
Table 13: Form Fields for Main Registration Page
Table 14: Form Fields for Registration Challenge Page
Table 15: Form Fields for Server PIN Change Page
Table 16: Form Fields for Main Login Test Page
Table 17: Form Fields for Login Test Challenge Page
Table 18: Form Fields for OTP Request Page
Table 19: Query String Variable List
Table 20: API Return Codes
Table 21: CGI Error Return Codes
Table 22: Internal Error Codes
Table 23: DPADadmin addschema Command Line Options
Table 24: DPADadmin checkschema Command Line Options
Table 25: DPADadmin setupdomain Command Line Options
Table 26: DPADadmin setupaccess Command Line Options
Table 27: Login Permutations – Response Only PAP
Table 28: Login Permutations – Response Only CHAP
Table 29: Login Permutations – Challenge/Response
Table 30: Login Permutations – Virtual Digipass
Table 31: MDC Audit Message Variables
Table 32: Message Delivery Component Configuration Settings
Table 33: Required Files
Table 34: Registry Entries
Table 35: DLLs to be Registered
Table 36: Permissions Required
Table 37: IAS Plug-In Registry Entries
Table 38: Audit Messages List
Table 39: Audit Message Fields
1 Introduction
1.1 Available Reference Guides
These Reference Guides are included with every VASCO product:
Product Guide
The Product Guide will introduce you to the features of this product and the various options
you have for using it.
Installation Guide
Use this guide when planning and working through an installation of the product.
Getting Started
To get you up and running quickly with a simple installation and setup of the product.
Administrator Reference
In-depth information required for administration of the product.
Data Migration Tool Guide
Takes you through a data migration from one VASCO product to another, using the VASCO
Data Migration Tool.
Help Files
2 Active Directory Schema
2.1 Schema Extensions
The following tables document the changes made by the Digipass Plug-In for IAS to the Active
Directory schema.
2.1.1 Added Object Classes

vasco-UserExt (auxiliary class; location: User record)
    Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' vasco-UserExt on the User class.

vasco-DPToken (class; location: Unassigned – Optional; Assigned – with User record)
    The vasco-DPToken class is used to store Digipass attributes. It is also a container, in which vasco-DPApplication records for that Digipass are stored. Upon assignment to a User, the Digipass record is stored in the same location as the User.

vasco-DPApplication (class; location: within Digipass record)
    This class is used to store Digipass Application attributes, such as Server PIN and expected OTP length.

vasco-Policy (class; location: Digipass Configuration Container)
    Policy attributes. Attributes will commonly be shared via inheritance.

vasco-Component (class; location: Digipass Configuration Container)
    Component attributes include the License Key for IAS Plug-In Components.

vasco-BackEndServer (class; location: Digipass Configuration Container)
    Information required for connection to back-end servers. This class is not used with the Digipass Plug-In for IAS, but is included for compatibility with other VASCO products.

Table 1: Custom Object Classes
2.1.2 Added Attributes

Name                                  Class
vasco-SerialNumber                    vasco-DPToken
vasco-TokenType                       vasco-DPToken
vasco-ApplicationNames                vasco-DPToken
vasco-ApplicationTypes                vasco-DPToken
vasco-LinkVascoDigipassToUserExt      vasco-DPToken
vasco-TokenAssignedDate               vasco-DPToken
vasco-GracePeriod                     vasco-DPToken
vasco-EnableBVDP                      vasco-DPToken
vasco-BVDPExpiryDate                  vasco-DPToken
vasco-BVDPUsesLeft                    vasco-DPToken
vasco-DirectAssignOnly                vasco-DPToken
vasco-AdditionalAttribute             vasco-DPToken
vasco-SerialNumber                    vasco-DPApplication
vasco-ApplicationName                 vasco-DPApplication
vasco-DPBlob                          vasco-DPApplication
vasco-Active                          vasco-DPApplication
vasco-LinkUserExtToVascoDigipass      vasco-UserExt
vasco-LinkUserExtToUser               vasco-UserExt
vasco-StaticPassword                  vasco-UserExt
vasco-LocalAuth                       vasco-UserExt
vasco-BackEndServerAuth               vasco-UserExt
vasco-Disable                         vasco-UserExt
vasco-Profile                         vasco-UserExt
vasco-CreateTime                      vasco-UserExt
vasco-ModifyTime                      vasco-UserExt
vasco-ID                              vasco-BackEndServer
vasco-Protocol                        vasco-BackEndServer
vasco-Domain                          vasco-BackEndServer
vasco-Priority                        vasco-BackEndServer
vasco-ConfigurationValue              vasco-BackEndServer
vasco-ID                              vasco-Component
vasco-Location                        vasco-Component
vasco-LinkVascoPolicyToVascoPolicy    vasco-Component
vasco-Protocol                        vasco-Component
vasco-ConfigurationValue              vasco-Component
vasco-PublicKey                       vasco-Component
vasco-AdditionalAttribute             vasco-Policy
vasco-EnableBVDP                      vasco-Policy
vasco-LocalAuth                       vasco-Policy
vasco-BackEndAuth                     vasco-Policy
vasco-ApplicationNames                vasco-Policy
vasco-ID                              vasco-Policy
vasco-Description                     vasco-Policy
vasco-DUR                             vasco-Policy
vasco-Autolearn                       vasco-Policy
vasco-StoredPasswordProxy             vasco-Policy
vasco-AssignmentMode                  vasco-Policy
vasco-AssignSearchUpOUPath            vasco-Policy
vasco-GracePeriod                     vasco-Policy
vasco-AllowedApplType                 vasco-Policy
vasco-AllowedDPTypes                  vasco-Policy
vasco-Protocol                        vasco-Policy
vasco-Domain                          vasco-Policy
vasco-GroupList                       vasco-Policy
vasco-GroupCheckMode                  vasco-Policy
vasco-OneStepChalResp                 vasco-Policy
vasco-OneStepChalLength               vasco-Policy
vasco-OneStepChalCheckDigit           vasco-Policy
vasco-BVDPMaximumDays                 vasco-Policy
vasco-BVDPMaximumUses                 vasco-Policy
vasco-PINChangeAllowed                vasco-Policy
vasco-SelfAssignSeparator             vasco-Policy
vasco-ChallengeRequestMethod          vasco-Policy
vasco-ChallengeRequestKeyword         vasco-Policy
vasco-PrimaryVDPRequestMethod         vasco-Policy
vasco-PrimaryVDPRequestKeyword        vasco-Policy
vasco-BackupVDPRequestMethod          vasco-Policy
vasco-BackupVDPRequestKeyword         vasco-Policy
vasco-ITimeWindow                     vasco-Policy
vasco-STimeWindow                     vasco-Policy
vasco-EventWindow                     vasco-Policy
vasco-SyncWindow                      vasco-Policy
vasco-IThreshold                      vasco-Policy
vasco-SThreshold                      vasco-Policy
vasco-CheckChallenge                  vasco-Policy
vasco-OnLineSG                        vasco-Policy
vasco-ChkInactDays                    vasco-Policy
vasco-LinkPolicyToParentPolicy        vasco-Policy
vasco-LinkPolicyToChildPolicy         vasco-Policy
vasco-LinkPolicyToComponent           vasco-Policy
Version-Number                        vasco-Policy

Table 2: Custom Object Attributes
2.1.3 Added Permission Property Sets
Property sets have been created for typical groups of permissions required for administration tasks.

Digipass Assignment Link (applicable object: Digipass)
    Assign and unassign Digipass for Digipass User accounts.

Digipass Application Data (applicable object: Digipass Application)
    Digipass record functions.

Digipass User Account Information (applicable object: User)
    Modify Digipass User information.

Digipass User Account to User Link (applicable object: User)
    Link and unlink Digipass Users. This is also required when assigning Digipass to linked Digipass User records.

Digipass User Account Stored Password (applicable object: User)
    Read and modify the stored password for a Digipass User.

Table 3: Custom Permission Property Sets
2.2 Active Directory Auditing
Active Directory auditing may be configured to record access to, and modification of, the custom objects used by the Digipass Plug-In for IAS. If you currently have default auditing enabled, it might already include actions on custom objects. See these Microsoft articles for information on turning on and configuring auditing:
Windows 2000
http://support.microsoft.com/?kbid=314955
Windows 2003
http://support.microsoft.com/?kbid=814595
The basic process you will need to follow is:
1. Select a scope for the auditing (e.g. Domain Root).
2. Select a Windows User or Windows Group (e.g. Everyone or Domain Administrators).
3. Select the object classes to audit (e.g. Digipass objects), if required.
4. Select the permissions which should be audited (e.g. Read, Write, Delete, Create).
What Should I Audit?
This will depend on what you need to audit. For example, if you wanted to record all Digipass assignments in the domain, you might set up auditing in the Domain Root for Everyone, with the Digipass Assignment Link property set.
See the topic for more information on custom objects and permission property sets created for the Digipass Plug-In for IAS.
2.3 Custom Search Options
The Digipass Extension adds functionality to the Active Directory Users and Computers snap-in which allows searching for specific Digipass and Digipass User records throughout a domain, or within the limits of a delegated administrator's permissions. This functionality is especially useful where unassigned Digipass have been allocated to various Organizational Units.
The table below displays the custom search attributes available for Digipass User accounts and Digipass records.

Object Type: Users, Contacts and Groups
    Digipass Assignment Link (Advanced tab)
    Digipass Back-End Authentication (Advanced tab)
    Digipass Local Authentication (Advanced tab)
    Digipass RADIUS Profile (Advanced tab)
    Digipass User Account Disabled (Advanced tab)
    Digipass User Account Locked (Advanced tab)
    Digipass User to User Link (Advanced tab)

Object Type: Digipass
    Serial Number From (Digipass tab)
    Serial Number To (Digipass tab)
    Digipass Type (Digipass tab)
    Application Name (Digipass tab)
    Application Type (Digipass tab)
    Digipass Assignment (Digipass tab)
    Reserved (Digipass tab)
    Backup Virtual Digipass Enabled (Advanced tab)

Table 4: Custom Search options
2.3.1 Using the Custom Search
This set of instructions shows the sort of use to which the Digipass custom search options can be put, and the basic steps required for a search.
1. Right-click on the Organisational Unit to search in.
2. Click on Find...
3. Select the object type from the Find drop-down list.
4. If you are searching on advanced attributes (see table above):
   a. Click on the Advanced tab.
   b. Click on Field and select the attribute from the list (for User attributes, click on Field -> User -> attribute).
5. Enter the search criteria.
Note
Either exact text or wildcards should be used; the search is performed on whole words only, not partial words.
Example
A search for Digipass records run with only the following text entered into the Serial Number field would return these results:
0097          No records returned
0097*         All Digipass with serial number starting with 0097
0097987654    Digipass with serial number 0097987654 only
*76           All Digipass with serial number ending in 76
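The whole-word matching rule above, reproduced in Python as an added example (this is not code from the Digipass Extension). The serial numbers in SAMPLE_SERIALS are constructed; the four search strings are the ones listed in the example, and a plain substring search is included only to show why "0097" on its own returns nothing.

```python
import re
from typing import List

# Constructed sample data; these serial numbers are not taken from the document.
SAMPLE_SERIALS = ["0097987654", "0097123456", "0012345676", "1111111111"]


def whole_value_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Find-dialog search string into a regex that must match the whole value.

    '*' is the only wildcard; every other character is matched literally, so
    regex metacharacters are escaped and the expression is anchored at both ends.
    """
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$")


def search_serials(pattern: str, serials: List[str] = SAMPLE_SERIALS) -> List[str]:
    """Whole-word search, as the custom search performs it."""
    rx = whole_value_regex(pattern)
    return [s for s in serials if rx.match(s)]


def substring_search(pattern: str, serials: List[str] = SAMPLE_SERIALS) -> List[str]:
    """What a naive 'contains' search would return instead (for contrast only)."""
    needle = pattern.replace("*", "")
    return [s for s in serials if needle in s]


if __name__ == "__main__":
    for text in ("0097", "0097*", "0097987654", "*76"):
        print(f"{text:<12} -> {search_serials(text)}")
```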
2.4 Sensitive Data Encryption
Sensitive data is encrypted by the IAS Plug-In using an embedded key. If needed, this encryption may be strengthened by adding a custom key in the Configuration GUI. The embedded and custom keys are subjected to a logical XOR process to produce a new key derived from both. The strength added in this way depends on the custom key itself: a short or guessable custom key adds little, so it should be as long and as random as the key material it is combined with.
Note
Encryption settings must be set before importing Digipass.
2.4.1 Encrypted Data

Attribute                Class
vasco-DPBlob             vasco-DPApplication
vasco-StaticPassword     vasco-UserExt
vasco-SharedSecret       vasco-Component

Table 5: Encrypted Data Attributes
2.4.2 Which Encryption Algorithms can be used?
AES
blowfish
cast5
3DES
3DES with 3 keys
2.4.3 Exporting Encryption Settings
Encryption settings may be exported to a password-protected text file from the IAS Plug-In
Configuration GUI. This file may then be loaded to other IAS Plug-In modules.
2.5 Active Directory Replication Issues
Active Directory replication is not instantaneous. Intra-site replication is usually quite fast,
especially under Windows Server 2003, but changes on one Domain Controller may still take
several minutes to be replicated to other Domain Controllers. Inter-site replication may be
quite slow – an hour or more between replications is common.
Replication occurs when more than one Domain Controller exists in a domain.
2.5.1 Old Data Used After Attribute Modified
The time period between replications becomes a problem where information is changed on one Domain Controller (for example, a Digipass User's Server PIN is reset), but old information is used on another Domain Controller before the changed information has been replicated to it.
There are a few scenarios where this may occur. These are listed below:

2.5.1.1 Single Plug-In using more than one Domain Controller
A single Plug-In may make a change to a record, have to switch to another Domain Controller, and read the same record there, where the change has not yet been applied.
Example
A User logs in with an OTP, and the Plug-In connects to DC-01 to retrieve and update the Digipass data. The connection to DC-01 fails soon after login, before replication has occurred. The User needs to log in again, and the Plug-In connects to DC-02 this time. The User can log in using the same OTP as the last login: the login should fail (OTP replay) but instead succeeds, because DC-02 does not yet know that the OTP has been previously used.
The example timeline below shows the sequence of events.
8:32  Replication occurs.
8:34  DC-01: User logs in with OTP 10457920. The Plug-In records the use of the OTP in the Digipass record.
8:35  Connection to DC-01 is broken, and the Plug-In switches to DC-02.
8:35  DC-02: User retries login using the same OTP 10457920. The login succeeds where it should have failed (OTP replay). The Plug-In records the use of the OTP in the Digipass record.
8:37  Replication occurs. Digipass record changes are replicated between DC-01 and DC-02.
2.5.1.2 Administrator and Plug-In using different Domain Controllers
The administrator may not be connected to the same Domain Controller (via the Administration Interfaces) as the Plug-In.
Example
An administrator changes a User's Server PIN through the Active Directory Users and Computers extension, which is connected to DC-01. The Plug-In connects to DC-03. The User attempts a login using the new PIN, which fails because DC-03 is not yet aware of the change of Server PIN.
The example timeline below shows the sequence of events.
9:02  Replication occurs.
9:03  DC-01: Administrator changes a User's Server PIN from 1234 to 9876.
9:04  DC-03: User attempts to log in using the new PIN (9876) and the login fails.
9:05  Replication occurs. Digipass record changes are replicated between DC-01 and DC-03.
2.5.1.3 Multiple Plug-Ins Using Different Domain Controllers
Multiple Plug-Ins may connect to different Domain Controllers in a domain or site.
Example
A User changes their own PIN during a login through a Plug-In which connects to DC-01. The server on which the Plug-In is installed becomes unavailable, and the User attempts another login via the Plug-In on a backup server, which connects to DC-02. The login fails because DC-02 is not yet aware of the change of Server PIN.
The example timeline below shows the sequence of events.
11:54  Replication occurs.
11:55  DC-01: User changes their Server PIN from 1234 to 9876 during login. The Plug-In records the PIN change in the Digipass record.
11:57  DC-02: User attempts to log in using the new PIN (9876) and the login fails.
11:59  Replication occurs. Digipass record changes are replicated between DC-01 and DC-02.
2.5.1.4 Two Administrators Modifying the Same Attribute
Two administrators attempt to modify the same attribute on a single User account or Digipass
record within the same replication interval. The later modification will overwrite the earlier
when replication occurs.
2.5.2 Old Data Used Overwrites New Data
The problems above are exacerbated when the old information used on the second Domain Controller is updated based on that old information. As the updated record on the second Domain Controller now has a later modification date, the end result is that the changed information on the first Domain Controller is overwritten incorrectly.
Example
An administrator connects to DC-01 and sets a User's PIN from '1234' to '9876'. The User logs in through the Plug-In, which connects to DC-02. The User enters the new Server PIN and his One Time Password. However, the PIN set on DC-01 has not yet been replicated to DC-02, so because the PIN entered does not match the old PIN still recorded in the Digipass record on DC-02, the login fails.
Because the Policy setting of Identification Threshold is in use, his login failure is written back to the Digipass record. When replication occurs, the Digipass record on DC-02 has the latest modification date and is copied to DC-01, wiping out the original PIN setting made by the administrator. Both DC-01 and DC-02 now consider '1234' to be the correct Server PIN for the Digipass.
The example timeline below shows how the problem can occur.
10:45  Replication.
10:46  DC-01: Administrator changes User's PIN from 9876 to 1234.
10:48  DC-02: User login (with new PIN of 1234) fails. The Digipass Plug-In writes failure information to the Digipass record.
10:50  Replication. Active Directory finds the last instance of the Digipass blob having been modified, and overwrites the DC-01 Digipass record with the DC-02 Digipass record.
The problem shown in the example above may also occur with a Force PIN Change set by an administrator.
2.5.3 Factors Affecting Replication Issues
A number of factors determine the likelihood and severity of the Active Directory issues described:

Redundancy and load-balancing settings for the Plug-In
There are a number of Plug-In configuration settings which may affect replication issues:

Preferred Server
The Plug-In will attempt to connect to the named Domain Controller, rather than simply polling the domain for an available Domain Controller.

Preferred Server Only
The Plug-In may be restricted to connecting only to the Domain Controller named in the above setting. If this is enabled, the Plug-In will not switch to any other Domain
The maximum bind lifetime controls how long the Plug-In will stay connected to a Domain Controller before polling the domain again for a Domain Controller connection.

Replication Interval
In Windows 2000, the intra-site replication interval can be configured; the default is 5 minutes. On Windows Server 2003, the intra-site replication interval is not configurable, but is set to approximately 15 seconds, as replication is much more efficient.
Inter-site replication is fully configurable on both Windows 2000 and Windows Server 2003.
The longer the replication interval, the greater the likelihood of these problems occurring.

Number of Domain Controllers in the Site
Each Domain Controller regularly requires replication with all other local Domain Controllers. As this is done sequentially, it will affect the amount of time between replications.
2.5.4 Solutions and Mitigations

2.5.4.1 Digipass Cache
The Digipass cache collects Digipass records as they are modified, and keeps them in memory for a certain length of time. A newer entry from the cache is always used in preference to an older record from Active Directory. The cache age should be a little longer than the typical replication interval. The default is 10 minutes (600 seconds).
This option will help with problems caused by a single Plug-In accessing more than one Domain Controller in a domain (see 2.5.1.1 Single Plug-In using more than one Domain Controller). It will not affect the scenarios of multiple Plug-Ins, or of an Administration Interface being connected to a different Domain Controller from the Plug-In.
If you calculate that your typical replication interval will be more than ten minutes, the cache age may be increased by modifying the Blob-Cache Max-Age setting in the configuration file (<install dir>\bin\dpiasext.xml):
<Blob-Cache>
  <Max-Age type="unsigned" data="600"/>
  <Max-Size type="unsigned" data="0"/>
  <Clean-Threshold type="unsigned" data="10"/>
  <Min-Clean-Interval type="unsigned" data="60"/>
</Blob-Cache>
A large cache may slow down processing slightly for the Plug-In, so monitor performance to
check the impact caused after modifying the cache age.
Warning
If the Plug-In is installed on a member server, this server must be closely time-synchronised with the Domain Controller(s). If the server is not time-synchronised, the comparison of records in the Digipass cache with those on the Domain Controller may select an older record.
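The stale-replica OTP replay of 2.5.1.1 and the cache-age mitigation of 2.5.4.1, simulated in Python as an added example (this is not the Plug-In's code). It assumes last-writer-wins replication by modification time and a Digipass record that stores only the last accepted OTP; the DC names, serial number and OTP are taken from the examples above, and timestamps are a constructed clock counted in seconds from the 8:32 replication.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass
class DigipassRecord:
    serial: str
    last_otp: Optional[str]   # last OTP accepted for this Digipass (None = none yet)
    modify_time: int          # constructed clock: seconds since the 8:32 replication


class DomainController:
    """One replica; every DC holds its own copy of each Digipass record."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.records: Dict[str, DigipassRecord] = {}

    def read(self, serial: str) -> DigipassRecord:
        return replace(self.records[serial])      # a copy, as an LDAP read would return

    def write(self, rec: DigipassRecord) -> None:
        self.records[rec.serial] = replace(rec)


def replicate(a: DomainController, b: DomainController) -> None:
    """Last-writer-wins replication: the copy with the later modify_time overwrites the other."""
    for serial in set(a.records) | set(b.records):
        ra, rb = a.records.get(serial), b.records.get(serial)
        if ra is None or (rb is not None and rb.modify_time > ra.modify_time):
            a.records[serial] = replace(rb)
        elif rb is None or ra.modify_time > rb.modify_time:
            b.records[serial] = replace(ra)


class PlugIn:
    """Checks OTPs against whichever DC it is currently bound to.

    cache_max_age plays the role of Blob-Cache Max-Age: 0 disables the cache;
    otherwise a cached record that is newer than the DC's copy, and no older
    than the maximum age, is used in preference to the DC's copy.
    """

    def __init__(self, dc: DomainController, cache_max_age: int = 0) -> None:
        self.dc = dc
        self.cache_max_age = cache_max_age
        self.cache: Dict[str, DigipassRecord] = {}

    def switch_to(self, dc: DomainController) -> None:
        self.dc = dc

    def _load(self, serial: str, now: int) -> DigipassRecord:
        rec = self.dc.read(serial)
        cached = self.cache.get(serial)
        if (cached is not None
                and now - cached.modify_time <= self.cache_max_age
                and cached.modify_time > rec.modify_time):
            return replace(cached)                # newer cache entry beats the older AD copy
        return rec

    def authenticate(self, serial: str, otp: str, now: int) -> bool:
        """Accept the OTP unless it is the one already recorded (OTP replay)."""
        rec = self._load(serial, now)
        if otp == rec.last_otp:
            return False
        # A real Plug-In also verifies the OTP cryptographically; that is out of scope here.
        rec.last_otp, rec.modify_time = otp, now
        self.dc.write(rec)
        if self.cache_max_age > 0:
            self.cache[serial] = replace(rec)
        return True


def run_scenario(cache_max_age: int) -> Tuple[bool, bool]:
    """Replay the 8:32-8:37 timeline of 2.5.1.1; return (first login accepted, replay accepted)."""
    dc01, dc02 = DomainController("DC-01"), DomainController("DC-02")
    dc01.write(DigipassRecord("0097987654", None, 0))
    replicate(dc01, dc02)                                               # 8:32 replication
    plugin = PlugIn(dc01, cache_max_age)
    first = plugin.authenticate("0097987654", "10457920", now=120)     # 8:34 login via DC-01
    plugin.switch_to(dc02)                                              # 8:35 DC-01 connection lost
    replay = plugin.authenticate("0097987654", "10457920", now=180)    # 8:35 retry via DC-02
    replicate(dc01, dc02)                                               # 8:37 replication
    return first, replay


if __name__ == "__main__":
    print("no cache:   ", run_scenario(0))      # (True, True): replay wrongly accepted
    print("600 s cache:", run_scenario(600))    # (True, False): replay rejected
```

A cache age shorter than the time between the two logins (for example 30 seconds here) leaves the replay accepted again, which is why the text asks for a cache age a little longer than the replication interval.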
2.5.4.2 Identification Threshold Setting
Reconsider use of the Identification Threshold setting in the relevant Policy(s). The User Lock setting may be used instead in most cases (see the topics on these two settings for more information). Discontinuing use of the Identification Threshold setting will avoid the scenario shown in 2.5.2 Old Data Used Overwrites New Data, where a failed login overwrites an administrator's modification.
2.5.4.3 Administrator Connection Strategy
The option exists in the Active Directory Users and Computers Plug-In to connect to a specific Domain Controller in a domain. An administrator should select the same Domain Controller as used by the Plug-In for urgent administration tasks likely to be affected by this issue, for example resetting a User's Server PIN so they may log in while on the phone to the administrator.
To connect to a specific Domain Controller, right-click on the domain and select Connect to Domain Controller...
2.5.4.4 Set a Preferred Server
This option decreases some replication problems, as the Plug-In will be primarily connected to the Domain Controller named as its Preferred Server. This gives less opportunity for load-balancing, however.
If the Plug-In is installed on a Domain Controller, the Preferred Server will not need to be set for that domain, as the Plug-In will normally select that Domain Controller for connections.
To set a Preferred Server for a domain:
1. Open the IAS Plug-In Configuration GUI (Start -> Programs -> VASCO -> Digipass Plug-In for IAS -> Configuration GUI).
2. Click on the Active Directory Connections tab.
3. If the domain is the Configuration Domain, click on Edit...
   If the domain is in the Domains list, select the domain name and click on Edit...
   If the domain is not in the Domains list, click on Add...
5. Enter the name of the Domain Controller in the Preferred Server field. This name should be the first part of the FQDN for the Domain Controller, e.g. dc01 from dc01.support.vasco.com.
6. Enter any other information required.
7. Click on OK.
2.5.4.5 Use Preferred Server Only Option
In some cases this setting may be enabled, as it forces the Plug-In to use the same Domain Controller at all times. It eliminates load-balancing and any fail-over for the Plug-In, though, so it is not normally recommended.
3 Set Up Active Directory Permissions
3.1 Permissions Needed by the IAS Plug-In
The IAS Plug-In runs inside Microsoft's Internet Authentication Service, which runs as a
Service. The Service runs as the 'Local System' account rather than as a named user account.
Therefore, when connecting to Active Directory, the IAS Plug-In connects as the computer
account, not a user account. The permissions that it has within Active Directory are the
permissions of the computer account.
An important exception to this occurs if you install IAS and the IAS Plug-In onto a Domain
Controller. Any Service running as 'Local System' on a Domain Controller has all possible
permissions to that Domain. In this case, no additional setup of permissions is required.
Therefore, the rest of this section applies to the case where IAS is not on the Domain
Controller.
When you register IAS in Active Directory, this adds the computer account to the built-in 'RAS
and IAS Servers' group in the Domain. This built-in group has the permissions required by IAS
itself within Active Directory, but it does not have the extra permissions required by the IAS
Plug-In.
In order to function correctly, the IAS Plug-In requires the following permissions in Active
Directory, that are not granted to the 'RAS and IAS Servers' by default:
Read access to the Digipass Configuration Container
Read access to all User accounts (or at least, all who might need to be authenticated by
the IAS Plug-In)
Write access to the new attributes that are added to the User class for the Digipass
Plug-In for IAS (these are in the auxiliary class vasco-UserExt)
Full control over all Digipass (vasco-DPToken) and Digipass Application
(vasco-DPApplication) objects
Create and delete permission for Digipass (vasco-DPToken) objects in Organizational
Units and containers (specifically the Digipass-Pool and Users containers)
3.1.1 Giving Permissions to the IAS Plug-In
During installation, these additional permissions are granted to the 'RAS and IAS Servers'
group automatically.
There is also a manual way to grant these permissions, by running the 'setupaccess' command
at the command prompt:
dpadadmin.exe setupaccess -group "RAS and IAS Servers"
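The permissions listed above are granted at install time (or by 'setupaccess'), but an administrator who inherits an IAS server will want to confirm they are still in place before users start failing authentication. The script below is an added example, not part of this manual or the product: it checks that the local computer account is in 'RAS and IAS Servers' and lists the access control entries that group holds on the Digipass Configuration Container and on a sample user, resolving the schema and Property Set GUIDs to names. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later); the two distinguished names are placeholders to replace with your own.

```powershell
# Added example (not from the VASCO documentation): audit the section 3.1
# permissions held by the 'RAS and IAS Servers' group.
# Assumes the ActiveDirectory module; the DNs below are placeholders.
Import-Module ActiveDirectory

$IasGroup        = 'RAS and IAS Servers'
$ConfigContainer = 'CN=Digipass-Configuration,DC=example,DC=com'  # placeholder DN
$SampleUserDn    = 'CN=Test User,OU=Users,DC=example,DC=com'      # placeholder DN

# Map schemaIDGUIDs (classes/attributes) and rightsGuids (Property Sets,
# extended rights) to display names so the ACEs can be read by a human.
function Get-GuidNameMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[([guid]$_.rightsGuid).ToString()] = $_.displayName }
    $map
}

# Registering IAS adds the computer account to the group; verify it is still there.
function Test-IasServerMembership {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $members = Get-ADGroupMember -Identity $IasGroup -Recursive |
               Select-Object -ExpandProperty SamAccountName
    $members -contains "$ComputerName`$"     # computer SAM account names end in '$'
}

# List the ACEs the group holds on one object, with GUIDs resolved to names.
function Get-GroupAces {
    param([string]$DistinguishedName, [hashtable]$Names)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    $acl.Access | Where-Object { $_.IdentityReference.Value -like "*\$IasGroup" } | ForEach-Object {
        [pscustomobject]@{
            Object        = $DistinguishedName
            Rights        = $_.ActiveDirectoryRights
            Type          = $_.AccessControlType
            AppliesTo     = $(if ($_.ObjectType -eq [guid]::Empty) { '(all properties/classes)' }
                              else { $Names[$_.ObjectType.ToString()] })
            InheritedFrom = $(if ($_.InheritedObjectType -eq [guid]::Empty) { '(any object)' }
                              else { $Names[$_.InheritedObjectType.ToString()] })
            Inherited     = $_.IsInherited
        }
    }
}

$names = Get-GuidNameMap
"Computer account in '$IasGroup': $(Test-IasServerMembership)"
# Expect at least read access here (section 3.1, first bullet)...
Get-GroupAces $ConfigContainer $names | Format-Table -AutoSize
# ...and WriteProperty on the vasco-UserExt Property Sets plus create/delete of
# vasco-DPToken objects, inherited from the OU, on a user that the Plug-In serves.
Get-GroupAces $SampleUserDn $names | Format-Table -AutoSize
```

Run it on the IAS server itself (or with an account that can read the ACLs). An empty result for the Configuration Container, or a WriteProperty entry whose AppliesTo is a Property Set other than the three Digipass ones, is the usual sign that 'setupaccess' needs to be re-run.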
3.2 Permissions Needed by Administrators
3.2.1 Domain Administrators
Domain Administrators already have all required permissions within their Domain.
3.2.2 Delegated Administrators
The term 'Delegated Administrators' is used here to refer to administrators who have been
delegated control over an Organizational Unit. Generally speaking, they have administrative
control over the user and computer accounts within their Organizational Unit.
See the Digipass Records topic in the Product Guide for more information on possible
approaches to delegating Digipass administration.
By default, these administrators will be able to view the Digipass User Account data for their
users and the Digipass that are located within their Organizational Unit. However, they will not
be able to modify any of that data or assign Digipass.
If you wish to delegate responsibility for all Digipass-related administration within an
Organizational Unit, the following additional permissions are required by the Delegated
Administrator:
Within the scope of the Organizational Unit, write permission to the new attributes that
are added to the User class for the Digipass Plug-In for IAS (these are in the auxiliary
class vasco-UserExt) – you can add write permissions for each individual Property Set or
if appropriate, grant 'Write All Properties' permission
Within the scope of the Organizational Unit, full control over all Digipass
(vasco-DPToken) and Digipass Application (vasco-DPApplication) objects
Create and delete permission for Digipass (vasco-DPToken) objects within the
Organizational Unit
If the Delegated Administrator should be allowed to assign Digipass from the Digipass
Pool to their users, they need:
the Delete Digipass objects permission in the Digipass-Pool container
Write All Properties permission on Digipass objects in the Digipass-Pool container
If the Delegated Administrator should be allowed to move unassigned Digipass back to
the Digipass-Pool, they need the Create Digipass objects permission in the Digipass-Pool
container
3.2.3 Reduced-Rights Administrators
The term 'Reduced-Rights Administrator' is used here to refer to administrators who are
granted permissions to perform only selected Digipass-related administration tasks. They may
be granted these permissions within the scope of the whole Domain, or only within an
Organizational Unit.
An example is a Helpdesk operator who is permitted to troubleshoot Digipass operations, but
not to assign/unassign Digipass to/from users.
By default, all users have read access to everything in the Active Directory. The modification
permissions that can be granted to this kind of administrator are:
Write permission for any of three Property Sets on the Digipass User Account fields:
Digipass User Account Information – all attributes except those covered by the other
two Property Sets
Digipass User Account Link – the link attribute used to share a Digipass between two
user accounts
Digipass User Account Stored Password – the Stored Password attribute
Write permission for any individual properties on Digipass objects, except for one
Property Set that is defined to control the Digipass assignment link
Write permission for any individual properties on Digipass Application objects, except for
one Property Set that is defined to include the Digipass 'blob' that is required for any
administrative operation such as Reset PIN, Test, Set Event Counter, etc.
Create and delete permission on Digipass and Digipass Application objects
If the administrator should be allowed to move Digipass, they need:
the Delete Digipass objects and Create Digipass objects permissions in the relevant
Domain and/or Organizational Unit
Write All Properties permission on Digipass objects
Note that this can be necessary for assigning Digipass to users, because a move from
one location to another is controlled by permissions to delete from the source and create
in the destination
3.2.4 System Administrators
The term 'System Administrator' is used here to refer to an administrator who will be
responsible for management of the Component and Policy records, rather than Digipass User
Accounts and Digipass. They need permissions within the Digipass Configuration Container to
create, modify and delete Policy (vasco-Policy) and Component (vasco-Component) objects.
In practice, System Administrators can typically be given full control over the
Digipass-Configuration container. If you wish to grant more limited permissions, this can be handled
with the standard Active Directory permissions on these objects within the scope of the
container.
3.3 Assign Administration Permissions to a User
Note
This example assumes that the administrator's User account has read
permissions for all User records already.
To grant permissions to manage Digipass records, you will need to follow these steps:
1. Right-click on the Organizational Unit in which to assign permissions.
3. Select the User or Windows Group to assign permissions.
4. Click on OK.
5. Select the Delegate Common Tasks option button.
6. Select Create, Delete and Manage Digipass from the list.
7. Click on Next.
8. Click on Finish.
If you wish to grant permissions to modify Digipass User Account properties, you will need to
follow these steps:
9. Select View -> Advanced Features from the main menu.
10. Right-click on the Organizational Unit in which to assign permissions.
11. Select Properties from the right-click menu.
12. Click on the Security tab.
13. Click on the Advanced button. The Advanced Security Settings window will be displayed.
14. Click on Add...
15. Type the username of the User to assign the permissions to and click OK.
16. Click on the Properties tab.
17. Select User Objects from the Apply onto drop down list.
18. Select the required permissions from:
    Write Digipass User Account Information
    Write Digipass User Account Link
    Write Digipass User Account Stored Password
19. Click on OK.
20. Click on OK.
21. Click on OK.
If the administrator requires permissions to take Digipass out of the Digipass Pool for
assignment, you will need to follow these steps:
22. Right-click on the Digipass Pool.
23. Select Properties from the right-click menu.
24. Click on the Security tab.
25. Click on the Advanced button. The Advanced Security Settings window will be displayed.
26. Click on Add...
27. Select the User account.
28. Click on OK.
29. Click on the Object tab.
31. Tick the Allow box for:
    Delete Digipass Objects
    Create Digipass Objects (if you wish to allow the administrator to move Digipass records into the Digipass Pool)
32. Click on OK.
33. Click on Add...
34. Select the User account.
35. Click on OK.
36. Click on the Object tab.
37. Select Digipass objects from the Apply onto drop down list.
38. Tick the Allow box for Write All Properties.
39. Click on OK.
40. Click on OK.
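The GUI procedure above has to be repeated per Organizational Unit, and it is easy to tick the wrong box in the Advanced Security Settings window. The following script is an added example, not part of this manual or the product, that applies the same Delegated Administrator permissions from section 3.2.2 to a group: create/delete of vasco-DPToken objects in the OU, full control over vasco-DPToken and vasco-DPApplication objects below it, write access to user objects through the three Digipass Property Sets, and the Digipass-Pool rights needed to take Digipass out of the Pool and return them. It assumes the ActiveDirectory module; the OU, Pool and group names are placeholders, and the Property Set display names are assumed to match the ACL editor labels without the leading "Write" (check them under CN=Extended-Rights before running).

```powershell
# Added example (not from the VASCO documentation): delegate section 3.2.2
# permissions for one OU to a group. Assumes the ActiveDirectory module and
# System.DirectoryServices; OU, Pool and group names below are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$TargetOu      = 'OU=Europe,DC=example,DC=com'          # placeholder OU
$DigipassPool  = 'CN=Digipass-Pool,DC=example,DC=com'   # placeholder Pool container
$DelegateGroup = 'EuropeDigipassAdmins'                 # placeholder group name

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# schemaIDGUID of a class by LDAP display name (e.g. vasco-DPToken).
function Get-ClassGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $o) { throw "Class $LdapDisplayName not found in schema" }
    [guid]$o.schemaIDGUID
}

# rightsGuid of a Property Set (controlAccessRight) by display name; the
# names passed in are an assumption about how the Property Sets are registered.
function Get-PropertySetGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $o) { throw "Property Set '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

# One object-type ACE (Allow) for the given SID.
function New-Ace {
    param([System.Security.Principal.SecurityIdentifier]$Sid,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [guid]$ObjectType = [guid]::Empty,
          [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance = 'None',
          [guid]$InheritedObjectType = [guid]::Empty)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, $Inheritance, $InheritedObjectType)
}

function Grant-DigipassOuDelegation {
    param([string]$OuDn, [string]$PoolDn, [string]$GroupName)
    $sid   = (Get-ADGroup $GroupName).SID
    $token = Get-ClassGuid 'vasco-DPToken'
    $app   = Get-ClassGuid 'vasco-DPApplication'
    $user  = Get-ClassGuid 'user'
    $propSets = 'Digipass User Account Information',
                'Digipass User Account Link',
                'Digipass User Account Stored Password' | ForEach-Object { Get-PropertySetGuid $_ }

    $acl = Get-Acl -Path "AD:\$OuDn"
    # Create and delete Digipass (vasco-DPToken) objects in the OU and its sub-OUs.
    $acl.AddAccessRule((New-Ace $sid 'CreateChild, DeleteChild' $token 'All'))
    # Full control over Digipass and Digipass Application objects below the OU.
    $acl.AddAccessRule((New-Ace $sid 'GenericAll' ([guid]::Empty) 'Descendents' $token))
    $acl.AddAccessRule((New-Ace $sid 'GenericAll' ([guid]::Empty) 'Descendents' $app))
    # Write the vasco-UserExt attributes on user objects, one ACE per Property Set.
    foreach ($ps in $propSets) {
        $acl.AddAccessRule((New-Ace $sid 'WriteProperty' $ps 'Descendents' $user))
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl

    # Digipass-Pool: delete (take Digipass out) and create (move them back),
    # plus Write All Properties on the Digipass objects in the Pool.
    $pool = Get-Acl -Path "AD:\$PoolDn"
    $pool.AddAccessRule((New-Ace $sid 'CreateChild, DeleteChild' $token 'None'))
    $pool.AddAccessRule((New-Ace $sid 'WriteProperty' ([guid]::Empty) 'Descendents' $token))
    Set-Acl -Path "AD:\$PoolDn" -AclObject $pool
}

Grant-DigipassOuDelegation -OuDn $TargetOu -PoolDn $DigipassPool -GroupName $DelegateGroup
```

Granting to a group rather than to an individual user account keeps the ACL small and lets membership, rather than ACL edits, control who is a Delegated Administrator. Drop the Pool block if the delegate should not be allowed to assign from the Pool, and drop the CreateChild right on the Pool if they should not be able to move Digipass back into it.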
3.4 Multiple Domains
When using the IAS Plug-In with multiple domains, extra steps must be followed to ensure
that both the IAS Plug-In and administrators have permissions sufficient to access required
data. The main issues are:
The Digipass Configuration Container is only in one Domain. All IAS Plug-Ins need
read access to this container, even when they are in a different Domain.
Cross-Domain access for administrators is a less likely requirement however.
If an IAS Plug-In handles users and Digipass in more than one Domain, they need to
be granted the necessary permissions in all the necessary Domains.
In this manual, we will handle cross-Domain permissions using a combination of Domain
Local and Domain Global groups. It is possible in a 'native' mode Domain to use Universal
groups, but these are not recommended in Windows 2000 due to replication issues. The
replication efficiency has been improved in Windows Server 2003, however Universal
groups are still not used as commonly as Domain Local/Global groups.
Three possible scenarios for multiple domain setup are outlined below:
3.4.1 Scenario 1 – Each IAS Server Handles One Domain
Each IAS server handles only the domain in which it is a member.
Install IAS in each domain (the result will be at least as many IAS servers as domains).
Give each IAS server access to the Digipass Configuration Domain:
Domain Global Group(s), for each domain (apart from the Digipass Configuration Domain):
1. Create a Domain Global group.
2. Add the IAS server(s) to the Domain Global group (check which machines are in the 'RAS and IAS Servers' group to ensure the correct additions).
Domain Local group, in the Digipass Configuration Domain:
3. Create or use an existing Domain Local group.
4. Give the Domain Local group full read access to the Digipass Configuration Container.
5. Add the Domain Global Group from each other domain to the Domain Local group.
3.4.2 Scenario 2 – One IAS Server Handles All Domains
IAS servers in one domain handle all domains. The Digipass Configuration Container should be
located in the domain to which the IAS servers belong.
Give the necessary access to User and Digipass data:
Domain Global group:
1. Create a Domain Global group.
2. Add the IAS servers to the Domain Global group (check which machines are in the 'RAS and IAS Servers' group to ensure the correct additions).
Domain Local groups, for each other Domain:
3. Create a Domain Local group.
4. Give the Domain Local group the required permissions (run the setupaccess command; see 8.1 DPADadmin Utility for more information).
5. Add the Domain Global group from the IAS Domain to the Domain Local group.
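Scenario 1 is the one most often done by hand across several domains, so it is worth scripting. The script below is an added example, not part of this manual or the product: it creates a Domain Global group in each member domain, fills it with that domain's 'RAS and IAS Servers' computer accounts, creates a Domain Local group in the Digipass Configuration Domain, grants that group read access to the Digipass Configuration Container, and nests the global groups into it. It assumes the ActiveDirectory module, a single forest (so cross-domain nesting of Global groups into a Domain Local group is permitted), that it is run from a machine joined to the Configuration Domain with rights to create groups and edit the container ACL, and that the domain names, container DN and group names are placeholders for your own. Scenario 2 is the mirror image: one Global group in the IAS domain nested into a Domain Local group per other domain, with 'setupaccess' granting that Domain Local group the Plug-In permissions.

```powershell
# Added example (not from the VASCO documentation): build the Scenario 1 group
# nesting of section 3.4.1. Assumes the ActiveDirectory module and one forest;
# domain names, container DN and group names below are placeholders.
Import-Module ActiveDirectory

$ConfigDomain    = 'corp.example.com'                                     # placeholder
$ConfigContainer = 'CN=Digipass-Configuration,DC=corp,DC=example,DC=com'  # placeholder DN
$MemberDomains   = 'emea.example.com', 'apac.example.com'                 # placeholders
$GlobalName      = 'IAS Servers Global'          # per member domain
$LocalName       = 'Digipass Config Readers'     # in the Configuration Domain

function Get-DcFor([string]$Domain) {
    (Get-ADDomainController -DomainName $Domain -Discover).HostName | Select-Object -First 1
}

# Create (or reuse) the Global group in a member domain and add that domain's
# IAS servers, taken from its 'RAS and IAS Servers' group as the manual advises.
function New-IasGlobalGroup {
    param([string]$Domain)
    $dc = Get-DcFor $Domain
    $g = Get-ADGroup -Server $dc -LDAPFilter "(sAMAccountName=$GlobalName)"
    if (-not $g) {
        $g = New-ADGroup -Server $dc -Name $GlobalName -GroupScope Global -GroupCategory Security -PassThru
    }
    $servers = Get-ADGroupMember -Server $dc -Identity 'RAS and IAS Servers' |
               Where-Object objectClass -eq 'computer'
    if ($servers) { Add-ADGroupMember -Server $dc -Identity $g -Members $servers }
    Get-ADGroup -Server $dc -Identity $g   # re-read so the object carries its SID/DN
}

# Grant the Domain Local group read access (inherited to all child objects) on
# the Digipass Configuration Container in the Configuration Domain.
function Grant-ConfigContainerRead {
    param([string]$ContainerDn, [System.Security.Principal.SecurityIdentifier]$Sid)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl = Get-Acl -Path "AD:\$ContainerDn"
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$ContainerDn" -AclObject $acl
}

$cfgDc = Get-DcFor $ConfigDomain
$local = Get-ADGroup -Server $cfgDc -LDAPFilter "(sAMAccountName=$LocalName)"
if (-not $local) {
    $local = New-ADGroup -Server $cfgDc -Name $LocalName -GroupScope DomainLocal -GroupCategory Security -PassThru
}
Grant-ConfigContainerRead -ContainerDn $ConfigContainer -Sid $local.SID

foreach ($domain in $MemberDomains) {
    $global = New-IasGlobalGroup -Domain $domain
    # Step 5 of Scenario 1: nest each member domain's Global group in the Local group.
    Add-ADGroupMember -Server $cfgDc -Identity $local -Members $global
}
```

Because the IAS Plug-In connects as the computer account, the Global groups must contain computer objects, not user accounts; the Where-Object filter on objectClass is there to stop any user members of 'RAS and IAS Servers' from being carried across. Read access on the container is all the Plug-Ins in other domains need; write access to Policy and Component records stays with the System Administrators in the Configuration Domain.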
3.4.3 Scenario 3 – Combination
This scenario represents more complex setups, where a combination of steps from Scenarios 1
and 2 will be required. Use the steps given in the first two scenarios as a guide for what you
will need to do for the combination scenario.
Digipass Plug-In for IAS Administrator Reference Backup and Recovery
4 Backup and Recovery
This section explores the measures that Administrators can undertake in backing up and
recovering VASCO datafiles in the event of a system failure.
Note
This section does not cover backup of executables and system files. In the
event of a catastrophic failure these can be restored or reinstalled from the
original distribution media.
Once the IAS Plug-In is installed and operational, backups should be made of important files
and data.
Any time changes are made to the system, file backups may need to be performed again.
These changes include, but are not limited to:
Changing any configuration settings including the IP address of an IAS server
Adding/removing a Component
Modifying a Policy
4.1 What Must be Backed Up
Configuration files for IAS Plug-In and Message Delivery Component
User Self-Management Web Site pages and graphics (if customized)
Virtual Digipass OTP Request Web Site pages and graphics (if customized)
Audit Log data
Active Directory
DPX files (except for demo Digipass)
Important Note
The Digipass Plug-In for IAS installation includes a DPX directory containing
sample DPX files for demo Digipass. These do not need to be backed up.
However, if you have copied the DPX files for your real Digipass into that
directory, ensure you still have the original files (normally on floppy disk). If
you no longer have the DPX file(s) stored elsewhere, it is very important that
you take a backup.
4.1.1 Configuration files
The configuration files for the IAS Plug-In and Virtual Digipass Message Delivery Component
can be copied from the bin directory (by default C:\Program Files\VASCO\Digipass Plug-In for
IAS\bin) to a secure location.
The files to be copied are:
mdcconfig.xml – a backup of one working file is sufficient.
Tip
Save the files above with an extension that describes the server from which the
file(s) were backed up. This makes it easier and quicker to locate the correct file
during recovery.
4.1.2 Web Sites
In some cases, the web pages and graphics provided with the Digipass Plug-In for the User
Self Management Web Site and Virtual Digipass OTP Request Web Site will have been
customized to suit the organization’s colors/languages/themes/etc.
If these web pages and graphics have been modified, it is important to have a backup stored
in a secure location away from the production server. This will allow the web site to be
restored for the look and feel of the organization.
To back up the web site pages and graphics, you can copy the html, js, and gif files to another
location. If the site is highly modified, or the location of the files on disk is not known, contact
your web administrator for further guidance.
Note
Maintaining the directory structure will make restoration of the site, if required,
quicker and easier.
4.1.3 Audit Log Data
If your organization requires that the Audit Log data be archived, the method required will
depend on the audit settings.
4.1.3.1 Write to File
Ensure you make copies of all files contained in the directory into which the audit log files are
written. By default this will be <install dir>\Log, however it may have been configured to
another location. Check the audit configuration settings if you are unsure.
4.1.3.2 Write to Windows Event Log
By default, Event Log entries are written to the Application log. However, you can configure
the entries to be written to another log. Check the audit configuration if you are unsure.
Important Note
The Event Log may be configured with a maximum size. When this size is
reached, the oldest entries may be overwritten by new ones. To check this,
view the Properties of the log in the Event Viewer. If older entries will be
overwritten, you will need to archive them before that occurs.
To archive an Event Log:
1. Select Start -> Settings -> Control Panel.
2. Double-click on Administrative Tools.
3. Double-click on Event Viewer.
4. Right-click on Application (or the correct log, if not Application).
5. Click on Save log file as...
6. Select a path and enter a filename.
7. Select a file format from the Type drop down list.
8. Click on the Save button.
Note
The Audit Log data is not required for system recovery purposes but may
contain useful data in the event of a server failure.
4.1.4 Active Directory
4.1.4.1 Cold Backup
In most cases the server running IAS will belong to an Active Directory domain consisting of
several Domain Controllers. Replication should automatically occur between Domain
Controllers, providing simple data backup.
It is highly recommended, however, that you perform a cold backup of the System State Data,
which includes the Active Directory repository. This will allow recovery if data is corrupted and
then replicated. For more information about backing up and restoring System State Data, refer
to Windows Help on your Domain Controller and enter 'backing up data, System State data' in
the index tab. In particular, this should be performed on the Digipass Configuration Domain
and any other Domains containing Digipass User accounts and/or Digipass records.
Additional information can be found at:
http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/distsys/part1/dsgch09.mspx
4.1.5 DPX files
The DPX files are normally provided on a floppy disk, which can be stored securely as a
backup. If you prefer another method of archive, copy the files to your preferred location. It is
important to keep the DPX file transport keys secure and preferably in a separate location to
the DPX files themselves.
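Sections 4.1.1 to 4.1.3 each describe a manual copy; on a server with several IAS Plug-In instances it pays to collect them in one step so nothing is forgotten when a configuration changes. The script below is an added example, not part of this manual or the product. It copies the two configuration files with the server name as extension (the tip in 4.1.1), the <install dir>\Log directory, an export of the Windows Event Log, and the customised web site directories with their structure intact, into a dated folder, and writes a SHA-256 manifest so a later restore can be checked. It deliberately leaves the DPX files and their transport keys out, as 4.1.5 says to keep those separately. It assumes Windows Server 2008 or later (wevtutil.exe) and PowerShell 4.0 or later (Get-FileHash), the default install directory from 4.1.1, and that the backup share and web site paths are placeholders for your own.

```powershell
# Added example (not from the VASCO documentation): one-step backup of the
# items in section 4.1. Assumes wevtutil.exe and PowerShell 4.0+; the backup
# share and web site directories below are placeholders.
$InstallDir  = 'C:\Program Files\VASCO\Digipass Plug-In for IAS'   # default bin/Log parent (4.1.1)
$WebSiteDirs = 'C:\inetpub\wwwroot\DigipassSelfMgmt',               # placeholder paths
               'C:\inetpub\wwwroot\VirtualDigipassOTP'
$BackupRoot  = '\\backupsrv\iasplugin'                               # placeholder share
$EventLog    = 'Application'   # change if audit entries are written to another log (4.1.3.2)

function Backup-IasPlugin {
    param([string]$Root = $BackupRoot)
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    $dest  = Join-Path $Root "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Configuration files, saved with the source server's name as the extension
    # so the right copy is easy to find during recovery (tip in 4.1.1).
    foreach ($file in 'dpiasext.xml', 'mdcconfig.xml') {
        $src = Join-Path $InstallDir "bin\$file"
        if (Test-Path $src) { Copy-Item $src -Destination (Join-Path $dest "$file.$env:COMPUTERNAME") }
    }

    # Audit log files written to <install dir>\Log (4.1.3.1).
    $logDir = Join-Path $InstallDir 'Log'
    if (Test-Path $logDir) { Copy-Item $logDir -Destination (Join-Path $dest 'Log') -Recurse }

    # Export the Event Log before its maximum size makes it overwrite old entries (4.1.3.2).
    & wevtutil.exe epl $EventLog (Join-Path $dest "$EventLog.evtx")

    # Customised web pages and graphics, preserving the directory structure (4.1.2 note).
    $web = Join-Path $dest 'web'
    New-Item -ItemType Directory -Path $web -Force | Out-Null
    foreach ($site in $WebSiteDirs) {
        if (Test-Path $site) { Copy-Item $site -Destination $web -Recurse }
    }

    # DPX files and their transport keys are intentionally not collected here;
    # section 4.1.5 says to keep them in a separate secure location.

    # Manifest with hashes: enumerate first, then write, so the manifest
    # itself is not listed in the manifest.
    $hashes = Get-ChildItem -Path $dest -Recurse -File | Get-FileHash -Algorithm SHA256 |
              Select-Object Hash, Path
    $hashes | Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
    $dest
}

Backup-IasPlugin
```

Run it after every change listed at the top of section 4 (configuration changes, a new Component, a modified Policy), and store the output folder away from the production server. At recovery time, re-hash the restored files against manifest.csv before starting the IAS service so a truncated or tampered configuration file is caught early.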
4.2 Recovery
The recovery process for IAS Plug-In data requires the following procedure. Some
assumptions have been made for these instructions:
Assumptions:
Active Directory is still valid and operational.
Up-to-date backups of the configuration files for the IAS Plug-In are available.
Steps:
1. Rebuild the server with your operating system SOE, using the same IP address as before, in the same Domain as before.
2. Retrieve your backup copy of the dpiasext.xml file.
3. Reinstall the Digipass Plug-In for IAS on the server, ensuring you are logged in as a domain administrator. The same settings as those chosen in the previous installation should be selected, except that the 'This is not the first IAS Plug-In to be installed' checkbox on the Active Directory Prerequisites screen should be ticked.
4. Tick the 'Use an evaluation license' checkbox (the existing Digipass data in Active Directory contains all necessary licensing information, which will be retrieved when the IAS Plug-In is operational).
5. At the end of the installation, you will be prompted to select a license activation method. Select Just Continue.
Before you restart the machine, carry out the following:
6. Restore the backup copy of the configuration file dpiasext.xml into the same directory.
7. Restore any customised files for the web sites (see and for more information).
After restarting the machine:
8. Check that you can view Digipass-specific information in the Administration MMC Interface and Digipass Extension for Active Directory Users and Computers.
Digipass Plug-In for IAS Administrator Reference Field Listings
5 Field Listings
5.1 User Property Sheet
Field Name in Administration Interfaces – Description

New Password, Confirm Password
These fields are used to modify the static password that is stored in the Digipass User account. If they are left blank, no modification is made.

Local Authentication
Specifies whether authentication requests for the User account will be handled by the IAS Plug-In using Local Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication).
Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass User account is used to override the Policy setting for special cases.
When Local Authentication is used, there are two factors that determine whether Digipass authentication is used – any Policy restrictions on Digipass Types and/or Applications that can be used, and whether the Digipass User account has any assigned Digipass that meet the restrictions. For example, if the Policy requires a DP300 and the User just has a DP700, they cannot use Digipass authentication under that Policy.
Options:
Default: Use the setting of the effective Policy.
None: The IAS Plug-In will not carry out Local Authentication for this User account. They may be handled using Back-End Authentication, or not handled at all by the IAS Plug-In.
Digipass/Password: The IAS Plug-In will always carry out Local Authentication for this User, using Digipass authentication if possible, otherwise the static password. Back-End Authentication may also be utilized.
Digipass Only: The IAS Plug-In will always carry out Local Authentication for this User, using Digipass authentication. If Digipass authentication is not possible, the user cannot log in. Back-End Authentication may also be utilized.

Back-End Authentication
Specifies whether authentication requests for the User account will be handled by the IAS Plug-In using Back-End Authentication (see the Authenticating Users section in the Product Guide for more details on Local Authentication and Back-End Authentication). Normally, this field will be Default, meaning that the Policy applicable to the authentication request determines the setting. This field on the Digipass User account is used to override the Policy setting for special cases.
Options:
Default: Use the setting of the effective Policy.
None: Back-End Authentication will not be used.
If Needed: The IAS Plug-In will utilize Back-End Authentication but only in certain cases:
  Dynamic User Registration
  Self-Assignment
  Password Autolearn
  Requesting a Challenge or Virtual Digipass OTP, when the Request Method includes a Password
  Static password authentication, when verifying a Virtual Digipass password-OTP combination or during the Grace Period
Always: The IAS Plug-In will utilize Back-End Authentication for every authentication request.

Disabled
Specifies whether a Digipass User account is enabled or disabled. If disabled, authentication for the User will be rejected by the IAS Plug-In.
This attribute will be set to disabled and made read-only if the Active Directory User account is disabled or expired. Otherwise, this attribute will be editable.

Locked
Specifies whether a Digipass User account is locked or not. If locked, authentication for the User will be rejected by the IAS Plug-In.
The Locked indicator is normally set automatically when the User exceeds a certain number of failed authentication attempts. The User Lock Threshold is set in the Policy.

Linked User Account
It is possible to share Digipass between different User accounts, by linking User accounts together. This feature is intended for the case where one person, such as an administrator, has multiple User accounts. If their accounts are linked, there is no need to give more than one Digipass to that person.
This feature is used by assigning the Digipass to one User account, then linking all the other User accounts for the person to the one that has the Digipass.
If a User is linked to another User, their Linked User Account field will show the Active Directory DN (Distinguished Name) of the linked User. The DN shows the full address within Active Directory of the linked User, for example:
CN=Test User,OU=Admin,OU=Europe,DC=vasco,DC=dom
In this example, the linked User is called Test User and they are located in an Organizational Unit Admin, which is inside another Organizational Unit Europe in the vasco.com domain. Read-only.

RADIUS Profiles
NOTE: Not applicable to the IAS Plug-In. Included for compatibility with other VASCO products, e.g. Digipass Plug-In for Funk.

Created On
The date and time that the Digipass User account was created. Read-only.

Last Modified On
The date and time that the Digipass User account was last modified. Read-only.

Assigned Digipass list
This lists all Digipass that are assigned to the User. For each Digipass, the list of active Applications is given with the Application Type indicated in brackets (). For example:
0058384426 RESP_ONLY(RO), CHALLENGE(CR)
In this example line, the Digipass with Serial Number 0058384426 has two active Applications: one Response Only Application RESP_ONLY and one Challenge/Response Application CHALLENGE.
If the User does not have any Digipass assigned directly, but is linked to another User to use their Digipass (see Linked User Account), the linked User's Digipass list is shown with the Serial Numbers in square brackets (e.g. [0058384426]).
When a Digipass in the list is selected, the remainder of the property sheet tab indicates values from the corresponding Digipass record.
Read-only.