DIGIPASS Authentication for OWA Basic Manual
Contents
1. 5.1.2 Checking Permissions
   5.1.2.1 Trace file directory
   Permissions need to be set to allow the DIGIPASS Authentication Plug-In to access and write to the trace file. By default, the trace file is stored in <INSTALLATION DIRECTORY>\Log. Follow these steps for the folder the trace file will be written to.
   © 2012 VASCO Data Security International, Inc. All rights reserved. Unauthorized duplication or distribution is prohibited.
   To set permissions for tracing:
   1. Open Windows Explorer and browse to the directory that the trace file will be written to (<INSTALLATION DIRECTORY>\Log by default).
   2. Right-click on the relevant directory and select Properties. The Log Properties dialog is displayed.
   [Figure 21: Setting Permissions for Tracing]
   3. Switch to the Security tab.
   4. Ensure that the IUSR account has Write permissions selected.
   5. Ensure that the IIS_IUSRS group has Write permissions selected.
   6. If changes need to be made to the permissions, make changes and click Apply.
   If the IIS_IUSRS group and/or the IUSR account are not listed, see Section 5.1.2.3 Adding the IUSR account and IIS_IUSRS group.
   5.1.2.2 Configuration file
   To set permissions fo
3. DIGIPASS Authentication for OWA Basic User Manual
   Disclaimer
   Disclaimer of Warranties and Limitations of Liabilities
   The Product is provided on an 'as is' basis, without any other warranties or conditions, express or implied, including but not limited to warranties of merchantable quality, merchantability or fitness for a particular purpose, or those arising by law, statute, usage of trade or course of dealing. The entire risk as to the results and performance of the product is assumed by you. Neither we nor our dealers or suppliers shall have any liability to you or any other person or entity for any indirect, incidental, special or consequential damages whatsoever, including but not limited to loss of revenue or profit, lost or damaged data or other commercial or economic loss, even if we have been advised of the possibility of such damages or they are foreseeable, or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers and suppliers, shall not exceed the amount paid by you for the Product. The limitations in this section shall apply whether or not the alleged breach or default is a breach of a fundamental condition or term, or a fundamental breach. Some states/countries do not allow the exclusion or limitation of liability for consequential or incidental damages, so the above limitation may not apply to you.
   Copyright 2
4. 4.4.2.3 Default domain
   4.4.3.1 DIGIPASS users log in with OTP only, Windows user accounts
   4.4.3.2 DIGIPASS users log in with password and OTP, Windows user accounts
   4.4.3.3 Local authentication only
   4.4.3.4 Virtual DIGIPASS
   5 Troubleshooting
   5.1 DIGIPASS Authentication Plug-In Installation Problems
   5.1.2 Checking Permissions
   5.1.2.1 Trace file directory
   5.1.2.2 Configuration file
   5.1.2.3 Adding the IUSR account and IIS_IUSRS group
5. 192.168.1.1</Value>
   <Value Name="ServerPort" Type="INT">20003</Value>
   <Value Name="ServerType" Type="STRING">Primary</Value>
   <Value Name="MaxConcurrentConnections" Type="INT">10</Value>
   <Value Name="ConnectionTimeoutSeconds" Type="INT">10</Value>
   <Value Name="MinReconnectIntervalSeconds" Type="INT">10</Value>
   <Value Name="MaxReconnectIntervalSeconds" Type="INT">10</Value>
   akey Maye SAW a eli A gt gt
   <Value Name="EnableSSL" Type="BOOL">TRUE</Value>
   <Value Name="EnableCustomCertificateArchiveFile" Type="BOOL">FALSE</Value>
   <Value Name="CustomCertificateArchiveFilePath" Type="STRING"></Value>
   </Key>
   </Key>
   </Key>
   </Key>
   <Key Name="Tracing">
   <Value Name="TraceFilePath" Type="STRING">C Program Files VASCO DIGIPASS Authentication for OWA Basic Log DIGIPASSPlugin_IIS OWABasic trace</Value>
   <Value Name="TraceFileEnable" Type="BOOL">FALSE</Value>
   <Value Name="TraceCodeInfo" Type="BOOL">FALSE</Value>
   <Value Name="TraceProcessInfo" Type="BOOL">FALSE</Value>
   <Value Name="TraceLevel" Type
6. Authentication Settings
   Figure 16: Configuring Tracing Options
   Figure 17: Modifying Authentication Settings (Exchange 2007)
   Figure 18: Setting Microsoft Exchange Server 2010 to Basic Authentication (1)
   Figure 19: Setting Microsoft Exchange Server 2010 to Basic Authentication (2)
   Figure 20: Setting Microsoft Exchange Server 2010 to Basic Authentication (3)
   Figure 21: Setting Permissions for Tracing
   Figure 22: Setting Permissions for Accessing the Configuration File
   Figure 23: Adding the IIS_IUSRS Group
   Figure 24: Ensuring the DIGIPASS Authentication Plug-In Is Registered
   Figure 25: Registering DIGIPASS Authentication for OWA Basic in IIS (1)
   Figure 26: Registering DIGIPASS Authentication for OWA Basic in II
7. [Figure 15: Configuring Authentication Settings]
   2. Select Enable OWA Basic authentication to allow the DIGIPASS Authentication Plug-In to intercept authentication requests using the authentication server.
   3. Specify the settings for basic authentication as needed:
      - Identify as client type: Select a client type from the list. The client type is used when connecting to an authentication server to assist in finding the correct client record. The client type must match the license's client type or authentication will not be possible.
      - Character encoding: Select the character encoding for the plain user credentials as passed on by the browser.
      Session parameters:
      - Timeout (in min): Specify the session timeout in minutes. After this period of time, users need to re-authenticate if no HTTP requests have been submitted. If a static password was used in the login rather than an OTP, the session may not appear t
8. 4.2.2 Configuration Settings
   4.2.2.1 Servers and connections
   4.2.2.2 Tracing
   4.2.2.3 Basic authentication
   4.3 Configuring Exchange to Work with the DIGIPASS Authentication Plug-In
   4.3.1 Configuring Exchange 2007
   4.3.2 Configuring Exchange 2010
   4.4 Configuring the Authentication Server
   4.4.2 Configuring for Windows User Accounts
   4.4.2.1 Windows user name resolution
9. 3.2.3 Information Needed
   3.3 Installing DIGIPASS Authentication for OWA Basic
   3.4 Using the DIGIPASS Authentication for OWA Basic Configuration Wizard
   3.4.1 Configuring DIGIPASS Authentication for OWA Basic
   4 Configuring DIGIPASS Authentication for OWA Basic
   4.1 Using the DIGIPASS Authentication Plug-In Configuration Center
   4.1.1 Starting DIGIPASS Authentication Plug-In Configuration Center
   4.1.2 Configuring Servers and Connections
   4.1.3 Configuring Authentication Settings
   4.1.4 Configuring Tracing
   4.2 Editing the Configuration File
   4.2.1 Example Configuration File
10. also be used.
   Local authentication: The typical setting for local authentication would be DIGIPASS/Password, meaning that users usually need to use an OTP when logging in, but are not required to in some circumstances (e.g. in grace period).
   4.4.3.2 DIGIPASS users log in with password and OTP, Windows user accounts
   The following settings are recommended for this scenario.
   Back-end authentication:
   - Back-end authentication: if needed
   - Back-end protocol: Windows (IDENTIKEY Server) or Microsoft AD (aXsGUARD Identifier)
   These settings allow the authentication server to check user login details with Windows or Active Directory in case of DUR and Self-Assignment logins through the DIGIPASS Authentication Plug-In.
   DIGIPASS user account handling:
   - Dynamic user registration: enabled
   - Password autolearn: disabled
   - Stored password proxy: disabled
   These settings allow the authentication server to create an account for an unrecognized user based on a successful Windows or Active Directory authentication. The authentication server will not store or replay a user's Active Directory password.
   DIGIPASS assignment mode: Either Self-Assignment or Auto-Assignment would typically be used in this scenario, although manual
11. appears.
   [Figure 14: Configuring Servers and Connections. Notes shown in the dialog: "IP address should match the DIGIPASS Authentication Plug-In license"; "The certificate file must contain CA certificates for all SSL connections."]
   2. Select an IP address from which to connect to the authentication server. Select Enable load sharing if you want to use a backup server. For more information, refer to Section 2.4.1 Connection Profiles. Specify the server settin
12. assignment may also be used.
   Local authentication: The typical setting for local authentication would be DIGIPASS/Password, meaning that users usually need to use an OTP when logging in, but are not required to in some circumstances (e.g. in grace period).
   4.4.3.3 Local authentication only
   These settings are typically used where:
   - The authentication server does not check authentication details against Windows accounts.
   Back-end authentication:
   - Back-end authentication: none
   The authentication server will not check user login details with Active Directory.
   DIGIPASS user account handling:
   - Dynamic user registration: disabled
   - Password autolearn: disabled
   - Stored password proxy: disabled
   New DIGIPASS user accounts must be created manually (no DUR). An Active Directory password is not stored because back-end authentication is disabled.
   DIGIPASS assignment mode: Manual assignment would be used in this scenario.
   Local authentication: The typical setting for local authentication would be Digipass Only, requiring users to log in with an OTP.
   4.4.3.4 Virtual DIGIPASS
   If you use Virtual DIGIPASS login, you will need these policy settings:
   - Delivery method: as required
   - Primary/Backup Virtual DIGIP
13. backup authentication servers. This allows redundancy and load sharing over multiple servers.
   2.4.1 Connection Profiles
   Two connection profiles are available:
   - Primary: The server(s) to which the DIGIPASS Authentication Plug-In will first attempt to connect, using a round-robin scheme.
   - Backup: Backup servers will be used if load sharing is enabled and the primary server(s) are busy.
   2.4.2 Connection Options
   - Maximum connections: The maximum number of connections that the DIGIPASS Authentication Plug-In may have open to the authentication server at one time.
   - Timeout: The time that the DIGIPASS Authentication Plug-In should wait for a reply from the authentication server.
   - Reconnect interval: If the DIGIPASS Authentication Plug-In cannot connect to an authentication server, it will make another connection attempt to this server only after a time period defined by the reconnect interval. If other servers are configured, connection attempts to these servers are made in the meantime.
   2.4.3 Standard Server Setup
   [Figure 2: Standard Server Connection Configuration]
   This setup
14. connection diagnostics information. The default value is 100.
   4.2.2.3 Basic authentication
   BasicAuthentication > Enabled: Enable/disable basic authentication with the DIGIPASS Authentication Plug-In. The default value is TRUE.
   BasicAuthentication > ComponentType: The DIGIPASS Authentication Plug-In component type to use. The default value is Outlook Web Access.
   BasicAuthentication > Encoding: Character set to use in sending a login request to the Web server. If you are using non-Western European characters, the DIGIPASS Authentication Plug-In may need to be configured to use a specific character set when submitting login requests to the Web site. The default value is ISO-8859-1.
   CAUTION: The DIGIPASS Authentication Plug-In can only be configured to use a single character set; it is not able to handle multiple character sets simultaneously.
   Table 1: Language Codes
   Language | ISO Code | Windows Code | Other Code(s)
   Arabic | ISO-8859-6 | CP1256 |
   Baltic | ISO-8859-4 or ISO-8859-13 | CP1257 |
   Central European | ISO-8859-2 | CP1257 |
   Chinese Simplified | ISO-2022-CN | | GB2312
   Chinese Traditional | | | Big5
   Cyrillic | ISO-8859-2 | CP1251 |
   Greek | ISO-8859-7
15. not create a client record; this must be done manually.
   - The Component type should be set to Outlook Web Access.
   - The Location should be set to the same IP address as in the Connect from IP address setting in the DIGIPASS Authentication Plug-In Configuration Center.
   - Select a policy for the authentication server to use when processing authentication requests from the DIGIPASS Authentication Plug-In.
   A valid license key must be obtained for the DIGIPASS Authentication Plug-In and loaded into the client record.
   4.4.2 Configuring for Windows User Accounts
   4.4.2.1 Windows user name resolution
   If the authentication server is installed on a Windows platform and is using an ODBC database (including the embedded database) as its data store, it is recommended that you enable Windows user name resolution. This allows the authentication server to use Windows functionality to resolve a user ID, as entered during a login, into a user ID and domain. It is highly recommended if dynamic user registration will be enabled. This setting is not required where the authentication server is using Active Directory as its data store; name resolution will occur automatically. This setting is not available on IDENTIKEY Server on Linux or aXsGUARD Identifier. If the Use Windows user name resolution feature is disabled or unavailable, it is essential that users always use the same login name. If they try to log in using a different form of their Windows a
16. provide (e.g. select Server name in the list box).
   - UPPERCASE: Keyboard keys (e.g. CTRL for the Control key).
   - Monospace: Commands you are supposed to type in or are displayed in a command prompt shell, including directories and filenames, API functions and source code examples.
   - blue underlined: Internet links.
   The following visual hint colour schemes are used throughout this document:
   NOTE: Notes contain important supplementary information.
   CAUTION: Cautions contain warnings about possible data loss, breaches of security or other more serious problems.
   1.1.3 Providing Feedback
   Every effort has been made to ensure the accuracy and usefulness of this manual. However, as the reader of this documentation, you are our most important critic and commentator. We appreciate your judgment and would like you to write us your opinions, suggestions, critics, questions and ideas. Please send your commentary to documentation@vasco.com. To recognize the particular document you are referring to, please include the following information in your subject header: DAOWAB UM 01032012. Please note that product support is not offered through the above mail address.
18. that the Use Windows user name resolution feature on the authentication server is enabled. This uses Windows functions to identify user IDs as Windows user accounts, including the domain to which the account belongs. This feature is not available on Linux platforms or the aXsGUARD Identifier. If the Use Windows user name resolution feature is disabled, it is essential that users always use the same login name. If they try to log in using a different form of their Windows account name, their login will be rejected unless a second DIGIPASS user account has been created.
   3.2.2 IIS and Exchange
   Ensure IIS and Exchange are installed and working correctly. The DIGIPASS Authentication Plug-In must be installed on the IIS server where Outlook Web Access is running.
   3.2.3 Information Needed
   Before you begin installation of the DIGIPASS Authentication Plug-In, ensure that you have the following information easily accessible, as you will need to enter this during the installation:
   - IP address and port number of the authentication server. To check this, open the authentication server configuration and check the Component location and SEAL port fields.
   - Source IP address on the local machine to use when connecting to the authentication server, if multiple IP addresses are configured for this machine, as this affects licensing (see below).
19. used to process the request.
   - To hold a license key for the DIGIPASS Authentication Plug-In.
   DIGIPASS Authentication Plug-In: General term for a plug-in to IIS to allow DIGIPASS authentication to take place.
   2.3 Authentication Methods
   See the Product Guide for your authentication server product for detailed information on login methods and options.
   Response-only login: Users log in via the current login page with their user name and a one-time password (OTP).
   Virtual DIGIPASS login: Users logging in with a Virtual DIGIPASS need to use a two-step process. They attempt a login with their user ID, password and/or a keyword. The login fails and triggers the sending of a one-time password to the user's mobile via text message. The user re-attempts a login using their password and OTP.
   Challenge/response logins are not supported for basic authentication.
   2.4 Server Connection Management
   The DIGIPASS Authentication Plug-In provides flexibility in managing connections to multiple primary and/or
20. 012 VASCO Data Security International, Inc. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VASCO Data Security Inc.
   Trademarks: VASCO, VACMAN, IDENTIKEY, aXsGUARD, DIGIPASS, CertiID and the Vasco 'V' logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and other countries.
   Date: 2012-03-01
   Table of Contents
   1 Introduction
   1.1 About This Manual
   1.1.1 How to Use This Manual
   1.1.2 Document Conventions
   1.1.3 Providing Feedback
   2 DIGIPASS Authentication for OWA Basic Overview
21. ASS: as required
   - Request method: as required
   - Request keyword: as required
   - BVDP mode: as required
   - Time limit: as required
   - Max uses user: as required
   For more information, see the Policies section of the IDENTIKEY Server Administrator Guide.
   5 Troubleshooting
   This chapter provides information about possible issues that may occur when working with DIGIPASS Authentication for OWA Basic. Read this chapter carefully, as it may help you find and identify issues. This chapter covers the following topics:
   - DIGIPASS Authentication Plug-In Installation Problems
   - Other Troubleshooting Options
   - Repairing the Installation
   5.1 DIGIPASS Authentication Plug-In Installation Problems
   The installation program for the DIGIPASS Authentication Plug-In will usually complete the following tasks automatically. However, if it fails in these tasks for some reason, an error message will be displayed during installation. These steps can then be followed to complete the installation manually. If you are having trouble running the authentication server and the DIGIPAS
22. CP1253
   Hebrew | ISO-8859-8 | CP1255 |
   Japanese | ISO-2022-JP | |
   Korean | ISO-2022-KR | |
   Thai | ISO-8859-11 | CP874 |
   Turkish | ISO-8859-9 | |
   Vietnamese | | CP1258 |
   Western European | ISO-8859-1 | CP1252 |
   BasicAuthentication > IdleTimeout: The session timeout in minutes. After this period of time, users need to re-authenticate if no HTTP requests have been submitted. The default value is 5.
   BasicAuthentication > CredentialOverrides > ReplaceUsernameEnabled: Enable/disable user name replacement with user attribute. If enabled, the DIGIPASS Authentication Plug-In will retrieve a user name attribute from a DIGIPASS user account. It will replace the user ID entered during login with the attribute value before passing the request to the Web server. The default value is FALSE.
   BasicAuthentication > CredentialOverrides > ReplacePasswordEnabled: Enable/disable password replacement with user attribute. If enabled, the DIGIPASS Authentication Plug-In will retrieve a password attribute from a DIGIPASS user account. It will replace the password entered during login with the attribute value before passing the request to the Web server. The default value is FALSE.
   BasicAuthentication
23. DIGIPASS Authentication Plug-In installation:
   1. Locate and double-click on the DIGIPASS Authentication for OWA Basic.msi file.
   2. Click Next.
   3. Select Repair to enter the repair function and click Next.
   [Figure 28: Repairing the Installation. Program Maintenance dialog titled DIGIPASS Authentication for OWA Basic 3.4.0, with Repair and Remove options.]
   4. Click Install to confirm the repair.
   5. Click Finish to exit the setup program.
   If you have deleted or moved the configuration file, changed the IP address for the machine, or received a new license for the DIGIPASS Authentication Plug-In, you will need to run the DIGIPASS Authentication for OWA Basic configuration wizard after the installation repair.
   6 Uninstalling DIGIPASS Authentication for OWA Basic
   This chapter contains instructions to remove an existing DIGIPASS Authentication for OWA Basic installation. This chapter covers the following topics:
   - Uninstalling DIGIPASS Authentication for OWA Bas
25. INT">100</Value>
</Key>
<Key Name="BasicAuthentication">
  <Value Name="Enabled" Type="BOOL">TRUE</Value>
  <Value Name="ComponentType" Type="STRING">Outlook Web Access</Value>
  <Value Name="Encoding" Type="STRING">ISO-8859-1</Value>
  <Value Name="IdleTimeout" Type="INT">5</Value>
  <Key Name="CredentialOverrides">
    <Value Name="ReplaceUsernameEnabled" Type="BOOL">TRUE</Value>
    <Value Name="ReplacePasswordEnabled" Type="BOOL">TRUE</Value>
    <Value Name="AttributeGroup" Type="STRING">groupname</Value>
  </Key>
  <Key Name="FailedLogin">
    <Value Name="HTMLFile" Type="STRING">C:\custom50lerror.html</Value>
    <Value Name="Realm" Type="STRING">IDENTIKEY</Value>
  </Key>
</Key>
</Profile>

4.2.2 Configuration Settings
This section lists configuration settings and their default values. After DIGIPASS Authentication Plug In installation, Settings.xml contains only a few basic settings. After the configuration wizard is completed, the file is filled with the default configuration for OWA basic.

4.2.2.1 Servers and connections
Servers and Connections > LocalIPAddress
The address from which to connect to the authentication server. The default value is the IP address automatically detec
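The nested Key/Value layout of the Settings.xml excerpt above maps directly onto the "Key > SubKey > Setting" names this manual uses for its settings. The following is an added example (not part of the manual or of VASCO's software) that flattens a file in that layout into those names and reports any drift from a baseline recorded earlier, for instance an Enabled flag that has been switched off; the sample XML, its bare Profile root, the HTMLFile path and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the excerpt: the BasicAuthentication key only,
# inside a bare <Profile> root (the real root's attributes are not shown on the
# page), with a made-up HTMLFile path.
SAMPLE_SETTINGS = r"""<Profile>
  <Key Name="BasicAuthentication">
    <Value Name="Enabled" Type="BOOL">TRUE</Value>
    <Value Name="ComponentType" Type="STRING">Outlook Web Access</Value>
    <Value Name="Encoding" Type="STRING">ISO-8859-1</Value>
    <Value Name="IdleTimeout" Type="INT">5</Value>
    <Key Name="CredentialOverrides">
      <Value Name="ReplaceUsernameEnabled" Type="BOOL">TRUE</Value>
      <Value Name="ReplacePasswordEnabled" Type="BOOL">TRUE</Value>
      <Value Name="AttributeGroup" Type="STRING">groupname</Value>
    </Key>
    <Key Name="FailedLogin">
      <Value Name="HTMLFile" Type="STRING">C:\inetpub\custom_error.html</Value>
      <Value Name="Realm" Type="STRING">IDENTIKEY</Value>
    </Key>
  </Key>
</Profile>"""


def _convert(raw, type_name, path):
    """Turn the text of a <Value> into a Python value according to its Type."""
    text = (raw or "").strip()
    if type_name == "BOOL":
        if text.upper() not in ("TRUE", "FALSE"):
            raise ValueError(f"{path}: {text!r} is not a BOOL")
        return text.upper() == "TRUE"
    if type_name == "INT":
        try:
            return int(text)
        except ValueError:
            raise ValueError(f"{path}: {text!r} is not an INT") from None
    # STRING, and any Type not visible in the excerpt, is kept as text.
    return text


def load_settings(xml_text):
    """Flatten nested <Key>/<Value> elements into {"A > B > C": typed value}."""
    settings = {}

    def walk(node, prefix):
        for child in node:
            if child.tag not in ("Key", "Value"):
                continue  # ignore anything outside the layout shown in the manual
            name = child.get("Name")
            if not name:
                where = " > ".join(prefix) or "root"
                raise ValueError(f"<{child.tag}> under {where} has no Name")
            path = prefix + [name]
            if child.tag == "Key":
                walk(child, path)
            else:
                label = " > ".join(path)
                settings[label] = _convert(child.text, child.get("Type"), label)

    walk(ET.fromstring(xml_text), [])
    return settings


def drift(current, baseline):
    """List (path, expected, actual) for baseline settings that changed or vanished.

    actual is None when the setting is missing from the current file.
    """
    findings = []
    for path, expected in sorted(baseline.items()):
        if path not in current:
            findings.append((path, expected, None))
            continue
        actual = current[path]
        # Compare types too, so BOOL TRUE is not treated as equal to INT 1.
        if actual != expected or type(actual) is not type(expected):
            findings.append((path, expected, actual))
    return findings


if __name__ == "__main__":
    baseline = load_settings(SAMPLE_SETTINGS)
    # Simulate an unreviewed edit: the first TRUE in the file (Enabled) flipped.
    edited = load_settings(SAMPLE_SETTINGS.replace(">TRUE<", ">FALSE<", 1))
    for path, expected, actual in drift(edited, baseline):
        print(f"{path}: expected {expected!r}, found {actual!r}")
```

Record the baseline from a reviewed copy of Settings.xml and rerun the comparison after each change made through the Configuration Center or by hand.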
26. RECTORY> Properties Dialog is displayed.
2. Switch to the Security tab and click Edit. The Permissions for <FILE DIRECTORY> Dialog is displayed.
3. Click Add. The Select Users or Groups Dialog is displayed.
4. Type IUSR or IIS_IUSRS into the Enter the object names to select field and click OK.
Figure 23: Adding the IIS_IUSRS Group
5. Check that the IIS_IUSRS group or IUSR user is listed.
6. Click OK. The account should now be listed in the Group or user names list.

5.1.3 Ensuring the DIGIPASS Authentication Plug In Is Registered in IIS
To ensure the DIGIPASS Authentication Plug In is registered:
1. Open Internet Information Services (IIS) Manager and select the appropriate server.
2. Select Modules.
3. Verify that DIGIPASS Authentication for OWA Basic is in the Modules list.
27. Figure 27: Registering DIGIPASS Authentication for OWA Basic in IIS 8
Figure 28: Repairing the Installation
Figure 29: Removing DIGIPASS Authentication for OWA Basic

Index of Tables
Table 1: Language Codes
Table 2: Installation Structure of DIGIPASS Authentication for OWA Basic

1 Introduction
Welcome to the DIGIPASS Authentication for OWA Basic User Manual. This document provides information you will need to install and use DIGIPASS Authentication for OWA Basic. This guide provides information about:
- the DIGIPASS Authentication for OWA Basic features and functionalities
- how to install DIGIPASS Authentication for OWA Basic
- how to configure DIGIPASS Authentication for OWA Basic
- how to troubleshoot possible issues that may occur when working with DIGIPASS Authentication for OWA Basic
This guide does not provide:
- detailed information about IDENTIKEY Server or aXsGUARD Identifier; refer to the
28. S Authentication Plug In for the first time, following these steps may help you track down the problem and fix it manually.

5.1.1 Checking File Placement
The following files must be placed in the directory they are listed under. If they have been moved to another directory or incorrectly copied, the DIGIPASS Authentication Plug In will not function correctly.

Table 2: Installation Structure of DIGIPASS Authentication for OWA Basic
Folder: <PROGRAMS FOLDER>\VASCO\DIGIPASS Authentication for OWA Basic
- VdsConfig32.exe, VdsConfig64.exe: DIGIPASS Authentication Plug In Configuration Center
- VdsDIGIPASSPlugin_ConfigWizard32.exe, VdsDIGIPASSPlugin_ConfigWizard64.exe: Configuration wizard
- Dynamic link libraries for the DIGIPASS Authentication Plug In, Configuration Center and the configuration wizard: DIGIPASSPlugin_IIS_OWABasicMT32.dll, DIGIPASSPlugin_IIS_OWABasicMT64.dll, GUI32.dll, GUI64.dll, ikaal3seal.dll, libeay32.dll, libxml2.dll, PPDIGIPASSPlugin_Common32.dll, PPDIGIPASSPlugin_Common64.dll, PPDIGIPASSPlugin_IIS_Basic32.dll, PPDIGIPASSPlugin_IIS_Basic64.dll, ProcCore32.dll, ProcCore64.dll, ssleay32.dll, StdGUI32.dll, StdGUI64.dll, stlport.5.2.dll, vdsconfig.dll, vdscore.dll, vdscrypto.dll, vdsdata.dll
29. Figure 24: Ensuring the DIGIPASS Authentication Plug In Is Registered
If DIGIPASS Authentication for OWA Basic is not listed:
1. In the Act
30. Figure 4: Installing DIGIPASS Authentication for OWA Basic (2)
3. Specify the destination folder for DIGIPASS Authentication for OWA Basic and click Next. The default destination folder (referred to as <INSTALLATION DIRECTORY> in this document) is Program Files\VASCO\DIGIPASS Authentication for OWA Basic.
Figure 5: Installing DIGIPASS Authen
31. bleshooting Options
If you are still having problems after checking that all installation and configuration settings for the DIGIPASS Authentication Plug In are correct, follow these steps to check for other possible problems.

5.2.1 Application Pools
If the DIGIPASS Authentication Plug In stops working properly, open Internet Information Services (IIS) Manager and make sure the corresponding application pool is started. Restarting the server does not restart the application pool.

5.2.2 No Trace File
If there is no trace file, or no new entries are written to the file, check the Windows events for any warnings or errors generated by a failure to load the DIGIPASS Authentication Plug In into IIS.

5.2.3 Information from Trace File
To view trace file information:
1. Set the DIGIPASS Authentication Plug In to tracing.
2. Attempt a login.
3. Check the trace file for information on the start-up conditions of the DIGIPASS Authentication Plug In and of the login attempt.

5.2.4 Authentication Server
If the DIGIPASS Authentication Plug In appears to load and update but you are unable to achieve a successful login, check the authentication server. Open the Audit Viewer to:
- check available audit messages in the audit files or database
- configure a live audit connection from the authentication server and retry a login
32. ccount name, their login will be rejected unless a second DIGIPASS user account has been created.

4.4.2.2 Case sensitivity
Windows user names are not case sensitive. If the ODBC database used by the authentication server is case sensitive, ensure that user ID case is converted to lower case. Upper case may also be used but will involve extra configuration steps. The embedded PostgreSQL database is set to convert to lower case by default. See the Encoding and Case Sensitivity section in the IDENTIKEY Server Administrator Guide for more information.

4.4.2.3 Default domain
Where users log in without entering a domain name or UPN, the authentication server will need to be configured to use the correct domain. There are two basic scenarios that might apply.

Change master domain
If users will only ever be logging in to one domain via the authentication server, the simplest solution is to set the master domain name to the fully qualified domain name of the required domain. This option is not available for aXsGUARD Identifier.

Set default domain in policy
This strategy should be used if:
- You wish to keep the master domain strictly for administration accounts and separate from user accounts
- The authentication ser
33. change 2010
Exchange must have forms authentication enabled and Windows integrated authentication disabled to allow the DIGIPASS Authentication Plug In to intercept authentication requests and, where appropriate, pass them to the authentication server.
To configure Exchange 2010:
1. Open Exchange Management Console.
2. Expand the required server.
3. Expand Server Configuration.
4. Select Client Access.
5. Switch to the Outlook Web App tab.
6. Right-click owa and select Properties. The owa (Default Web Site) Properties Dialog is displayed.
Figure 18: Setting Microsoft Exchan
34. cks. Advanced users may prefer to edit the configuration file directly. This chapter covers the following topics:
- Using the DIGIPASS Authentication Plug In Configuration Center
- Editing the Configuration File
- Configuring Exchange to Work with the DIGIPASS Authentication Plug In
- Configuring the Authentication Server

4.1 Using the DIGIPASS Authentication Plug In Configuration Center
A graphical user interface (GUI) called DIGIPASS Authentication Plug In Configuration Center is available for use in configuring the DIGIPASS Authentication Plug In. This provides a simple, intuitive way to set up the DIGIPASS Authentication Plug In to work with your current system. If this is the first time you have opened the DIGIPASS Authentication Plug In Configuration Center and the configuration file has not been edited, the values you will see are those entered when the Wizard was last run.

4.1.1 Starting DIGIPASS Authentication Plug In Configuration Center
To start DIGIPASS Authentication Plug In Configuration Center:
- Select Start > All Programs > VASCO > DIGIPASS Authentication for OWA Basic > Configuration Center
OR
- Open Windows Explorer and launch <INSTALLATION DIRECTORY>\VdsConfig32.ex
35. d Replacement policy. If you need different settings, either select a different policy (e.g. Self Assignment or Auto Assignment) for the DIGIPASS Authentication Plug In component, or copy the password replacement policy to a new record, modify the new policy as required, and use the new policy for the DIGIPASS Authentication Plug In component.

4.4.3.1 DIGIPASS users log in with OTP only, Windows user accounts
The following settings are recommended for this scenario.

Back end authentication
- Back end authentication: if needed
- Back end protocol: Windows (IDENTIKEY Server) or Microsoft AD (aXsGUARD Identifier)
These settings allow the authentication server to check user login details with Active Directory in case of DUR, password autolearn and Self Assignment logins through the DIGIPASS Authentication Plug In.

DIGIPASS user account handling
- Dynamic user registration: enabled
- Password autolearn: enabled
- Stored password proxy: enabled
These settings allow the authentication server to create an account for an unrecognized user based on a successful Windows or Active Directory authentication. The authentication server can then store the user's Active Directory password and replay it to the DIGIPASS Authentication Plug In in place of the one-time password entered by the user on future logins.

DIGIPASS assignment mode
Either Self Assignment or Auto Assignment would typically be used in this scenario, although manual assignment may
36. e (32-bit systems) or <INSTALLATION DIRECTORY>\VdsConfig64.exe (64-bit systems)

4.1.2 Configuring Servers and Connections
To add and configure authentication servers:
1. Start DIGIPASS Authentication Plug In Configuration Center and select Servers and Connections.
Figure 13: Configuring Servers and Connections (1). Note shown in the dialog: IP address should match the DIGIPASS Authentication Plug In license configured at the IDENTIKEY Server(s) used.
2. Do one of the following:
- Click Add if you want to add a new authentication server.
- To modify the settings for an authentication server, select the server from the Authentication servers list.
The Configuration for <Authentication Server> section
37. e Exchange 2007:
1. Open Exchange Management Console.
2. Expand the required server.
3. Expand Server Configuration.
4. Select Client Access.
5. Right-click owa and select Properties. The owa (Default Web Site) Properties Dialog is displayed.
Figure 17: Modifying Authentication Settings (Exchange 2007)
6. Switch to the Authentication tab.
7. Select Use one or more standard authentication methods.
8. Ensure that Basic authentication is selected.
9. Ensure that Integrated Windows authentication is not selected.
10. Click OK.
11. Restart the Exchange Server.

4.3.2 Configuring Ex
38. e and select Properties. The ecp (Default Web Site) Properties Dialog is displayed.
Figure 20: Setting Microsoft Exchange Server 2010 to Basic Authentication (3)
14. Switch to the Authentication tab.
15. Select Use one or more standard authentication methods.
16. Ensure that Basic authentication is selected.
17. Ensure that Integrated Windows authentication is not selected.
18. Click OK.
19. Restart the Exchange server.

4.4 Configuring the Authentication Server

4.4.1 Client Record
A client record must be configured in the authentication server for the DIGIPASS Authentication Plug In. The configuration wizard can create the required record if a connection to the authentication server and an administrator account with sufficient privileges is available. If the configuration wizard does
39. ec: Specify the minimum amount of time that the DIGIPASS Authentication Plug In should wait before attempting to reconnect to the authentication server.
- Maximum reconnect interval in sec: Specify the maximum amount of time that the DIGIPASS Authentication Plug In should wait before attempting to reconnect to the authentication server.
8. Specify secure connection settings:
- Select Use Windows built-in CA certificate repository if you want to trust the certificate authorities in the Windows CA certificate repository.
- Select Load CA certificates from file if you want to use your own CA certificate list. Browse to the certificate file and click Open.
9. Click Apply for your changes to take effect.

4.1.3 Configuring Authentication Settings
To configure authentication settings:
1. Start DIGIPASS Authentication Plug In Configuration Center and select Authentication.
41. 4.1.4 Configuring Tracing
To configure settings for tracing:
1. Start DIGIPASS Authentication Plug In Configuration Center and select Tracing.
2. Specify the tracing level. For more information, refer to Section 2.5 Tracing.
Figure 16: Configuring Tracing Options. Note shown in the dialog: Make sure IIS has access rights to the selected location or there will be no output.
3. If you have selected basic or full tracing, specify the path and filename for the tracing file. The file path must be the full absolute path. Relative paths may be misinterpreted in the IIS environment, so that the trace file cannot be written to.
4. Click Apply for your changes to take effect.
42. Figure 1: DIGIPASS Authentication for OWA Basic Overview (diagram labels: User ID and OTP; authentication request with User ID and OTP, and server PIN if required; accept/reject; static password; IDENTIKEY Server or aXsGUARD)

2.2 DIGIPASS Authentication Plug In Terminology
The following definitions describe how these terms are used in this document. They are also used in other IIS package manuals.

Authentication server
The term authentication server refers to the component to which the DIGIPASS Authentication Plug In sends authentication requests. This component is:
- For IDENTIKEY Server: the IDENTIKEY Server service or daemon
- For aXsGUARD Identifier: the IDENTIKEY Server daemon

Basic authentication
A method of authentication that uses the HTTP basic authentication mechanism. This uses a login pop-up box provided by the browser.

Client record
The client record is the record defined in the authentication server's data store to represent an installed instance of the DIGIPASS Authentication Plug In. It is used for the following main purposes:
- To indicate that the authentication server is permitted to process a request from that client
- To specify a policy to be
43. figuring DIGIPASS Authentication for OWA Basic
To configure DIGIPASS Authentication for OWA Basic:
1. When the wizard is started, click Next. The configuration wizard is started automatically after you have completed the installation wizard. Afterwards, if you want to modify your settings using the wizard, select Start > All Programs > VASCO > DIGIPASS Authentication for OWA Basic > Configuration Wizard.
Figure 7: Using the Configuration Wizard (1)
2. Specify the IP address and SEAL port of the authentication server.
Figure 8: Using the Configuration Wizard (2)
3. Select an IP address from the list, which contains IP addresses assigned to the cur
44. ge Server 2010 to Basic Authentication (1)
7. Switch to the Authentication tab.
8. Select Use one or more standard authentication methods.
9. Ensure that Basic authentication is selected.
10. Ensure Integrated Windows authentication is not selected.
11. Click OK.
12. Switch to the Exchange Control Panel tab.
Figure 19: Setting Microsoft Exchange Server 2010 to Basic Authentication (2)
13. Right-click the required ECP sit
45. gs as needed:
- Display name: Type a name for the authentication server in this field. This name is then used to distinguish the authentication server in the Authentication servers list, but has no effect on the behaviour of the DIGIPASS Authentication Plug In.
- IP address: Type the IP address for the authentication server.
- SEAL port: Type the port for the authentication server. The default port is 20003 for standard and 20004 for SSL connections.
- Use SSL: Select this if you want to use SSL when connecting to the authentication server. This option is only available for IDENTIKEY Server 3.1 or later.
- Server type: Select the server type. For more information, refer to Section 2.4.1 Connection Profiles.
6. OPTIONAL: Click Test to test if a connection to the authentication server can be established. A message will appear indicating if the test was successful.
7. Specify the connection parameters as needed:
- Timeout in sec: Specify a timeout period in seconds.
- Maximum connections: Specify the maximum number of concurrent connections to be made from the DIGIPASS Authentication Plug In to the authentication server.
- Minimum reconnect interval in s
46. > CredentialOverrides > AttributeGroup
The attribute group name to use in retrieving credentials from a DIGIPASS user account.

BasicAuthentication > FailedLogin > HTMLFile
The HTML page that will be presented to a user if their login is rejected by the DIGIPASS Authentication Plug In.

BasicAuthentication > FailedLogin > Realm
Specify the realm. The realm is usually the computer, system, etc. that is being logged on to. If the realm property is set in IIS, its value will appear in a standard basic authentication logon dialog box displayed by the browser when IIS requests user login details.

4.3 Configuring Exchange to Work with the DIGIPASS Authentication Plug In
Authentication settings in Exchange must be compatible with the DIGIPASS Authentication Plug In. The following section describes how to configure Exchange for use with the DIGIPASS Authentication Plug In.

4.3.1 Configuring Exchange 2007
Exchange must have basic authentication enabled and Windows integrated authentication disabled to allow the DIGIPASS Authentication Plug In to intercept authentication requests and, where appropriate, pass them to the authentication server.
To configur
47. vdsdatamodel.dll

Table 2 (continued)
Folders and Files | 32-bit | 64-bit | Description
vdsnetwork.dll | X | X |
vdsprocess.dll | X | X |
vdsseal.dll | X | X |
zlib1.dll | X | X |
Config sxml | X | X | Configuration file of the DIGIPASS Authentication Plug In Configuration Center and the configuration wizard. NOTE: Do not edit this file.
Settings.xml | X | X | Configuration file containing settings for servers and connections, tracing and authentication. This file is written to by the DIGIPASS Authentication Plug In Configuration Center and the configuration wizard. For information about how to work with the file, refer to Section 4.2 Editing the Configuration File.

Folder: <PROGRAMS FOLDER>\VASCO\DIGIPASS Authentication for OWA Basic\1033
String.xml | X | X | Resource files
Config.xrs | X | X |
DIGIPASSPlugin_ConfigWizard.xrs | X | X |
GUIFx.xrs | X | X |
PPDIGIPASSPlugin_Common.xrs | X | X |
PPDIGIPASSPlugin_IIS_Basic.xrs | X | X |
StdGUI.xrs | X | X |

Folder: <PROGRAMS FOLDER>\VASCO\DIGIPASS Authentication for OWA Basic\Documentation\1033
DIGIPASS Authentication for OWA Basic Manual.pdf | X | X | Product documentation and license agreement
DIGIPASS Authentication for OWA Basic Release Notes.pdf | X | X |
License.pdf | X | X |
48. ic

6.1 Uninstalling DIGIPASS Authentication for OWA Basic
To uninstall DIGIPASS Authentication for OWA Basic:
1. Locate and double-click the DIGIPASS Authentication for OWA Basic .msi file.
2. Click Next.
3. Select Remove.
4. Select Keep trace files if you want to preserve existing trace files.
Figure 29: Removing DIGIPASS Authentication for OWA Basic
5. Click Next.
6. Click Remove to confirm the remove function.
7. Click Finish to exit the setup program.
8. After uninstallation, restart the system.

7 Technical Support
If you encounter problems with a VASCO product, please do the following:
1. Check whether your problem has already been solved and reported in the Knowledge Base at the fol
49. ient record. This setting is typically used when a client record for the DIGIPASS Authentication Plug-In already exists.

Figure 10: Using the Configuration Wizard (4)

- Select Create client record automatically if you want to specify the administrator login for the authentication server to register the DIGIPASS Authentication Plug-In as a client in the authentication server database. Provide the user name and password to allow administrative access to the authentication server.
- Select Don't create client record if the client record for the DIGIPASS Authentication Plug-In already exists in the authentication server database or you prefer to create it manually.

5. Specify a license key. This option is available only if you selected Create client record automatically.

Figure 11: Using the Configuration Wizard (5)

- Browse to the license .dat file to load the license key from where you saved it on your local machine, and click Open to load the license key from the file.
50. 2.2 DIGIPASS Authentication Plug-In Terminology
2.3 Authentication Methods
2.4 Server Connection Management
2.4.1 …
2.4.2 Connection …
2.4.3 Standard Server Setup
2.5 Tracing
3 Installing DIGIPASS Authentication for OWA Basic
3.1 System Requirements
3.1.1 Software Requirements
3.2 Pre-Installation Tasks
3.2.1 Installing the Authentication Server
3.2.2 …
51. Illustration Index
Figure 1: DIGIPASS Authentication for OWA Basic Overview
Figure 2: Standard Server Connection Configuration
Figure 3: Installing DIGIPASS Authentication for OWA Basic (1)
Figure 4: Installing DIGIPASS Authentication for OWA Basic (2)
Figure 5: Installing DIGIPASS Authentication for OWA Basic (3)
Figure 6: Installing DIGIPASS Authentication for OWA Basic (4)
Figure 7: Using the Configuration Wizard (1)
Figure 8: Using the Configuration Wizard (2)
Figure 9: Using the Configuration Wizard (3)
Figure 10: Using the Configuration Wizard (4)
Figure 11: Using the Configuration Wizard (5)
Figure 12: Using the Configuration Wizard (6)
Figure 13: Configuring Servers and Connections (1)
Figure 14: Configuring Servers and Connections (2)
Figure 15: Configuring
52. - If you do not already have a license key file, click on Request license from www.vasco.com. This will take you to the VASCO Web site, where you can request a license key and save it to your local machine.

6. Review the settings you have specified and click Finish.

Figure 12: Using the Configuration Wizard (6)

4 Configuring DIGIPASS Authentication for OWA Basic

This chapter describes how to configure the DIGIPASS Authentication Plug-In. Configuration settings can be modified in two ways. The easiest method is via the DIGIPASS Authentication Plug-In Configuration Center, a graphical interface that allows you to make changes with a few mouse cli
53. ions panel, select Configure Native Modules. The Configure Native Modules dialog is displayed.

Figure 25: Registering DIGIPASS Authentication for OWA Basic in IIS (1)

2. Click Register. The Register Native Modules dialog is displayed.
3. Type DIGIPASS Authentication for OWA Basic into the Name field, browse to <INSTALLATION DIRECTORY>\DIGIPASSPlugin_IIS_OWABasicMT32.dll (32-bit systems) or <INSTALLATION DIRECTORY>\DIGIPASSPlugin_IIS_OWABasicMT64.dll (64-bit systems), and click OK.

Figure 26: Registering DIGIPASS Authentication for OWA Basic in IIS (2)

4. Select DIGIPASS Authentication for OWA Basic and click OK.

Figure 27: Registering DIGIPASS Authentication for OWA Basic in IIS (3)

DIGIPASS Authentication for OWA Basic appears in the Modules list.

5.2 Other Trou
54. See the authentication server's Administrator Reference or Administrator Guide for more information.

5.2.5 Web Browser

If you experience login problems that occur in Windows Internet Explorer only (i.e. login is possible in other Web browsers), you may need to delete the IE browser history, the corresponding cookies, and temporary files.

5.2.6 Licensing

Check that the DIGIPASS Authentication Plug-In has a valid client record in the authentication server data store which has a valid license loaded. Make sure the configured local IP address and component type correspond to the client record. See the Licensing section of the authentication server's Administrator Reference or Administrator Guide for more information on licensing options.

5.2.7 SSL

If the DIGIPASS Authentication Plug-In is configured to use a custom certificate archive, permission issues may cause a communication error with an IDENTIKEY Server. Check that the IUSR account and IIS_IUSRS group have read permission on the configured file.

5.3 Repairing the Installation

The installation of the DIGIPASS Authentication Plug-In may need to be repaired if files have been corrupted, deleted, or lost.

To repair the
55. 2 DIGIPASS Authentication for OWA Basic Overview

This chapter gives an overview of the DIGIPASS Authentication for OWA Basic features and functionalities. It provides a list of terms you should be familiar with when working with DIGIPASS Authentication for OWA Basic and outlines various authorization scenarios. This chapter covers the following topics:

- General Overview
- DIGIPASS Authentication Plug-In Terminology
- Authentication Methods
- Server Connection Management
- Tracing

2.1 General Overview

The DIGIPASS Authentication Plug-In is an add-on for Internet Information Services (IIS) and can be configured to intercept authentication requests to Web sites using the HTTP basic authentication mechanism. It allows users to use one-time passwords (OTPs) instead of static passwords. The plug-in intercepts authentication requests, validates the OTP, and replaces it with the static password expected by the back end. The OTPs are validated using an IDENTIKEY Server or aXsGUARD Identifier. The DIGIPASS Authentication Plug-In is a native module for IIS 7.x. DIGIPASS Acc
56. 5.1.3 Ensuring the DIGIPASS Authentication Plug-In Is Registered in IIS
5.2 Other Troubleshooting Options
5.2.1 Application Pools
5.2.2 …
5.2.3 Information from Trace File
5.2.4 Authentication Server
5.2.5 Web Browser
5.2.6 Licensing
5.2.7 SSL
5.3 Repairing the Installation
6 Uninstalling DIGIPASS Authentication for OWA Basic
6.1 Uninstalling DIGIPASS Authentication for OWA Basic
7 Technical Support
57. lowing URL: http://www.vasco.com/support

2. If there is no solution in the Knowledge Base, please contact the company which supplied you with the VASCO product. If your supplier is unable to solve your problem, they will automatically contact the appropriate VASCO expert.

Index

A
authentication methods
  response only …
  virtual DIGIPASS login
authentication server
  case sensitivity
  caution
  client record …
  default domain
  default domain, changing master domain
  default domain, setting default domain in policy
  explanation
  policy, configuring
  policy, local authentication only
  policy, login with OTP only
  policy, login with password and OTP
  policy, Virtual DIGIPASS
58. ments

3.1.1 Software Requirements

To install DIGIPASS Authentication for OWA Basic you need:

- An authentication server running on another machine. This should be one of the following:
  - IDENTIKEY Server 3.1 or later (IDENTIKEY Server component)
  - aXsGUARD Identifier 3.1.3.x or later
- Internet Information Services (IIS) 7 or 7.5
- Windows Server 2008 with SP1 or later (32- and 64-bit) OR Windows Server 2008 R2 with SP1 or later (64-bit)
- MS Exchange 2007 or 2010 using Outlook Web Access in basic authentication mode and SSL

The user must have administration rights on the installation machine.

3.2 Pre-Installation Tasks

Before installing the DIGIPASS Authentication Plug-In, there are several tasks which need to be completed. Performing these tasks, where applicable, will assist in a quick, smooth installation process.

3.2.1 Installing the Authentication Server

An authentication server should be installed on the network before the DIGIPASS Authentication Plug-In is installed. See Section 3.1 System Requirements for compatible servers and 4.4 Configuring the Authentication Server for configuration recommendations.

CAUTION: If the users are Active Directory users on a Windows platform, it is recommended
59. ncludes:

- Error messages
- Warnings
- High-level information about plug-in activity
- Detailed information about plug-in activity

NOTE: The DIGIPASS Authentication Plug-In will require permissions for the directory in which the tracing file is kept. See Section 5.1.2 Checking Permissions for more information.

3 Installing DIGIPASS Authentication for OWA Basic

This chapter contains instructions to install DIGIPASS Authentication for OWA Basic. It lists system and other requirements as well as pre-installation settings and tasks. Be sure to check that all system requirements and pre-installation tasks have been met before installing the DIGIPASS Authentication Plug-In. This will help ensure a smooth, trouble-free installation and integration process. This chapter covers the following topics:

- System Requirements
- Pre-Installation Tasks
- Installing DIGIPASS Authentication for OWA Basic
- Using the DIGIPASS Authentication for OWA Basic Configuration Wizard

3.1 System Require
60. o time out, as both browser and IIS can cache and automatically replay a password to reconnect. However, if an OTP was used in the login, the session will time out as expected, as the OTP cannot be reused.

Basic authentication credential overrides

- Replace user names with user attributes: Select this to replace each user ID with a user attribute. If this option is not selected, each user ID will be left unmodified. There are three possible results:
  - Setting enabled and user attribute set: the user ID set in the attributes for the relevant DIGIPASS user account will be passed to the Web site.
  - Setting enabled and user attribute not set: the user ID entered during login will be passed to the Web site.
  - Setting disabled: the user ID entered during login will be passed to the Web site.
- Replace passwords with user attributes: Select this to replace each user's password with a user attribute. There are three possible results:
  - Setting enabled and user attribute set: the password set in the attributes for the relevant DIGIPASS user account will be passed to the Web site.
  - Setting enabled and user attribute not set: the password entered during login will be passed to the Web site.
  - Setting disabled: the password entered during login will be passed to the Web site.

  NOTE: The stored password will override the password entered during login if stored password proxy is ON and the user has a stored password.
- Attribute gro
61. 3.2.4 Licensing

The authentication server will associate authentication requests from each incoming IP address with a different client record. Your DIGIPASS Authentication Plug-In license will be tied to that IP address. The IP address of the computer where IIS is running must match the IP address of the license, or authentication will not be possible.

3.3 Installing DIGIPASS Authentication for OWA Basic

To install DIGIPASS Authentication for OWA Basic:

1. Locate DIGIPASS Authentication for OWA Basic.msi and start the installation process.

Figure 3: Installing DIGIPASS Authentication for OWA Basic (1)

2. Read the license agreement text, select accept the terms in the license agreement, and click Next.
62. r accessing the configuration file:

1. Open Windows Explorer and browse to the installation directory.
2. Right-click on the Settings.xml file and select Properties. The Settings Properties dialog is displayed.

Figure 22: Setting Permissions for Accessing the Configuration File

3. Switch to the Security tab.
4. Ensure that the IUSR account has Read permission selected.
5. Ensure that the IIS_IUSRS group has the Read permission selected.
6. If changes were made to the permissions, click Apply.

If the IIS_IUSRS group and/or the IUSR account are not listed, see Section 5.1.2.3 Adding the IUSR account and IIS_IUSRS group.

5.1.2.3 Adding the IUSR account and IIS_IUSRS group

If the IUSR account and/or IIS_IUSRS group are not listed for the trace file directory or configuration file, you will need to add them.

To add the IUSR account and/or IIS_IUSRS group:

1. Right-click the file or directory for which you want to add the IIS_IUSRS group and/or the IUSR account and select Properties. The <FILE DI
63. rent machine. The DIGIPASS Authentication Plug-In will use the selected IP address exclusively. As VASCO component licensing operates on IP address, this ensures that the DIGIPASS Authentication Plug-In will only use up one component license slot. For more information, refer to Section 3.2.4 Licensing.

Figure 9: Using the Configuration Wizard (3)

4. Specify whether to create an IDENTIKEY client record.
64. respective product documentation.

1.1 About This Manual

1.1.1 How to Use This Manual

You can use this manual in different ways, depending on your skill and knowledge level. You can read it from the beginning to the end (highly recommended for novice users), you can browse through the chapter abstracts and read specifically the chapters relevant to your needs, or you can search by key words in the index if you need to find certain references quickly.

If you need to... | Refer to...
get an overview of the DIGIPASS Authentication for OWA Basic architecture and features | 2 DIGIPASS Authentication for OWA Basic Overview
get instructions to install DIGIPASS Authentication for OWA Basic | 3 Installing DIGIPASS Authentication for OWA Basic
configure DIGIPASS Authentication for OWA Basic and/or Exchange | 4 Configuring DIGIPASS Authentication for OWA Basic
troubleshoot your DIGIPASS Authentication for OWA Basic installation | 5 Troubleshooting

1.1.2 Document Conventions

The following typographic style conventions are used throughout this document:

Typography | Meaning
Boldface | Names of user interface widgets, e.g. the OK button
Blue | Values for options; placeholders for information or parameters that you
65. t connections which the DIGIPASS Authentication Plug-In may hold open to the authentication server. The default value is 10.

Servers and Connections > ConnectionList > Connection0 > ConnectionTimeoutSeconds
Connection timeout in seconds. The default value is 10.

Servers and Connections > ConnectionList > Connection0 > MinReconnectIntervalSeconds
The minimum amount of time in seconds that the DIGIPASS Authentication Plug-In will leave between attempts to reconnect to an authentication server after an unsuccessful connection attempt (e.g. server busy). The default value is 10.

Servers and Connections > ConnectionList > Connection0 > MaxReconnectIntervalSeconds
The maximum amount of time in seconds that the DIGIPASS Authentication Plug-In will leave between attempts to reconnect to an authentication server after an unsuccessful connection attempt (e.g. server busy). The default value is 10.

Servers and Connections > ConnectionList > Connection0 > SSL > EnableSSL
Enable/disable the use of SSL when connecting to this authentication server. The default value is FALSE.

Servers and Connections > ConnectionList > Connection0 > SSL > EnableCustomCertificateArchiveFile
66. ted by the install program. If more than one IP address was detected, this value will be the IP address selected during installation.

Servers and Connections > ServerLoadBalancing
Enable/disable load balancing for connections to authentication servers. The default value is FALSE.

Servers and Connections > ConnectionList > Connection0 > Name
The server name that will be displayed in the Authentication servers list in the DIGIPASS Authentication Plug-In Configuration Center. The default value is Main Server.

Servers and Connections > ConnectionList > Connection0 > ServerIPAddress
The authentication server's IP address.

Servers and Connections > ConnectionList > Connection0 > ServerPort
The authentication server's port. The default value is 20003.

Servers and Connections > ConnectionList > Connection0 > ServerType
Either primary or backup authentication server. This setting affects load balancing. The default value is Primary.

Servers and Connections > ConnectionList > Connection0 > MaxConcurrentConnections
The maximum number of concurren
67. tication for OWA Basic 3

4. Click Install to start the installation.

Figure 6: Installing DIGIPASS Authentication for OWA Basic (4)

5. After successful installation, click Finish to exit the setup program. The DIGIPASS Authentication for OWA Basic configuration wizard is started.

3.4 Using the DIGIPASS Authentication for OWA Basic Configuration Wizard

After you have finished the installation wizard, the DIGIPASS Authentication for OWA Basic configuration wizard is started automatically. Go through the wizard to define the basic settings for using the DIGIPASS Authentication Plug-In. Once the wizard is complete, the DIGIPASS Authentication Plug-In's Settings.xml is filled with the default configuration for OWA basic and the DIGIPASS Authentication Plug-In is ready for use.

For further configuration options and to change your initial settings, use the DIGIPASS Authentication Plug-In Configuration Center or edit Settings.xml. For more information, refer to Sections 4.1 Using the DIGIPASS Authentication Plug-In Configuration Center and 4.2 Editing the Configuration File.

3.4.1 Con
68. Enable/disable certificate archive file for use instead of the Windows certificate store. The default value is FALSE.

Servers and Connections > ConnectionList > Connection0 > SSL > CustomCertificateArchiveFilePath
File location and name of custom certificate store.

4.2.2.2 Tracing

Tracing > TraceFilePath
The absolute path and file name of the file to which internal state tracing will be written. The file (but not the path) will be created by the DIGIPASS Authentication Plug-In if it does not exist whenever information is logged. The default value is <INSTALLATION DIRECTORY>\Log\DIGIPASSPlugin_IIS_OWABasic.trace.

Tracing > TraceFileEnable
Enable/disable tracing. The default value is FALSE.

Tracing > TraceCodeInfo
Defines if source code information is traced. Use this for troubleshooting in collaboration with VASCO support. The default value is FALSE.

Tracing > TraceProcessInfo
Defines if process information is dumped at start and end of tracing session. The default value is FALSE.

Tracing > TraceLevel
Basic or full tracing. The possible values are:

- 300 for errors only
- 200 for errors and warnings
- 100 for basic tracing
- 50 for full tracing
- 25 for full tracing including
69. up: Type the attribute group name to use. Each user attribute is set using an attribute group name. This allows multiple DIGIPASS Authentication Plug-Ins to use different values for the same user attributes without confusion.

  NOTE: This option is not typically required for Outlook Web Access.

Failed login

NOTE: The browser used for the login attempt may either display the page immediately or pop up the login dialog. If the login dialog is popped up, clicking Cancel will cause the failed login page to be displayed.

- HTML file: Specify the HTML page that will be presented to a user if their login is rejected by the DIGIPASS Authentication Plug-In.
- Realm: Specify the realm. The realm is usually the computer system etc. that is being logged on to. If the realm property is set in IIS, its value will appear in a standard basic authentication logon dialog box displayed by the browser when IIS requests user login details.

  NOTE: This option is not typically required for Outlook Web Access, as Exchange does not use the Realm property.

4. Click Apply for your changes to take effect.
70. uses one main authentication server to handle requests from the Web server, with a backup authentication server for use when the main server is busy or unavailable.

2.5 Tracing

The DIGIPASS Authentication Plug-In allows use of a trace file to record plug-in activity, e.g. for troubleshooting. This will include errors that have been encountered, warnings, and general information about performed authentication requests. The level of tracing that the DIGIPASS Authentication Plug-In employs depends on its configuration settings.

CAUTION: Enabling full tracing should only be done for troubleshooting purposes. There are no limits set on the size of the tracing file, so if the option is left on too long on a high-load system, the file may dramatically slow down or crash Windows due to excessive I/O or filling up the hard drive.

Because there are no size limitations set on the trace file, it is not recommended that you have tracing permanently enabled. If your system is set up with tracing always enabled, ensure that the file size does not cause problems by deleting or archiving it whenever it gets too large.

Basic tracing includes:

- Error messages
- Warnings
- High-level information about plug-in activity

Full tracing i
71. 4.2 Editing the Configuration File

The DIGIPASS Authentication Plug-In Configuration Center writes to an XML file named Settings.xml in the installation directory. It is possible to edit this file directly instead of using the Configuration Center.

NOTE: This option is recommended only for advanced users. The DIGIPASS Authentication Plug-In Configuration Center will prevent most common configuration mistakes, but there are no such checks made when edits are made directly to the configuration file. Incorrect changes to the configuration file may cause the DIGIPASS Authentication Plug-In to stop working.

If Settings.xml is damaged, uses incorrect XML syntax, etc., the DIGIPASS Authentication Plug-In will attempt to operate with default values, with logging enabled, and attempt to report the problems with Settings.xml.

4.2.1 Example Configuration File

    <?xml version="1.0" encoding="UTF-8"?>
    <Profile>
      <Key Name="Servers and Connections">
        <Value Name="LocalIPAddress" Type="STRING">192.168.47.11</Value>
        <Value Name="ServerLoadBalancing" Type="BOOL">FALSE</Value>
        <Key Name="ConnectionList">
          <Key Name="Connection0">
            <Value Name="Name" Type="STRING">Main Server</Value>
            <Value Name="ServerIPAddress" Type="STRING">
72. ver may be required to handle a different default domain for different IIS 7 modules or other clients. Each policy may be configured with a default domain to be used if a user does not enter a domain on login. Typically, you will need to modify the policy used by each DIGIPASS Authentication Plug-In.

4.4.3 Policy

The client record created during installation of the DIGIPASS Authentication Plug-In uses the default password replacement policy for the package. It will be named:

- IDENTIKEY Windows Password Replacement (IDENTIKEY Server)
- IDENTIKEY Microsoft AD Password Replacement (aXsGUARD Identifier)

This policy is configured with the following settings:

- Back-end authentication is set to Always: used for dynamic user registration, password autolearn, etc. Not all logins.
- Windows is used as the back-end authenticator in the IDENTIKEY Windows Password Replacement policy.
- Dynamic user registration, password autolearn, and stored password proxy are enabled.
- Group check mode is set to Pass Back and DIGIPASS Users is placed in the Group list. This will mean that any logins by users not in the DIGIPASS users group will be ignored (not rejected) by the authentication server in the IDENTIKEY Windows Passwor