Digipass Plug-In for IAS Product Guide - Vasco

Digipass Plug-In for IAS 

IAS Plug-In 

Digipass Extension for Active Directory Users and Computers 

Administration MMC Interface 

IAS 

Microsoft's Internet Authentication Service 

Product Guide

Disclaimer of Warranties and Limitations of Liabilities 

Disclaimer of Warranties and Limitations of Liabilities 

The Product is provided on an 'as is' basis, without any other warranties, or conditions, express 

or implied, including but not limited to warranties of merchantable quality, merchantability of 

fitness for a particular purpose, or those arising by law, statute, usage of trade or course of 

dealing. The entire risk as to the results and performance of the product is assumed by you. 

Neither we nor our dealers or suppliers shall have any liability to you or any other person or 

entity for any indirect, incidental, special or consequential damages whatsoever, including but 

not limited to loss of revenue or profit, lost or damaged data of other commercial or economic 

loss, even if we have been advised of the possibility of such damages or they are foreseeable; 

or for claims by a third party. Our maximum aggregate liability to you, and that of our dealers 

and suppliers shall not exceed the amount paid by you for the Product. The limitations in this 

section shall apply whether or not the alleged breach or default is a breach of a fundamental 

condition or term, or a fundamental breach. Some states/countries do not allow the exclusion 

or limitation or liability for consequential or incidental damages so the above limitation may 

not apply to you. 

RADIUS Documentation Disclaimer 

The RADIUS documentation featured in this manual is focused on supplying required 

information pertaining to the RADIUS server and its operation in the VACMAN Middleware 

environment. It is recommended that further information be gathered from your NAS/RAS 

vendor for information on the use of RADIUS. 

Copyright 

© 2005 VASCO Data Security Inc. All rights reserved. 

No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in 

any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, 

without the prior written permission of VASCO Data Security Inc. 

Trademarks 

VACMAN and Digipass are registered trademarks of VASCO Data Security International Inc. 

Microsoft and Windows are registered trademarks of Microsoft Corporation. 

All other trademarks are the property of their respective holders. 

© 2005 VASCO Data Security Inc. ii

Digipass Plug-In for IAS Product Guide Table of Contents 

Table of Contents 

1 Overview............................................................................................................... 9 

1.1 Digipass Plug-In for IAS............................................................................................... 9 

1.2 Digipass Introduction................................................................................................. 10 

1.2.1 What is a Digipass?................................................................................................ 10 

1.2.2 Logging in with a Digipass....................................................................................... 10 

1.2.3 Types of Digipass................................................................................................... 11 

1.3 Software Components................................................................................................ 12 

1.3.1 Required Components............................................................................................ 12 

1.3.2 Optional Components............................................................................................. 12 

1.3.3 Extra Utilities........................................................................................................ 12 

1.4 Authentication Process............................................................................................... 14 

1.4.1 Local and Back-End Authentication........................................................................... 14 

1.4.2 Policies................................................................................................................. 15 

1.4.3 Digipass User Account............................................................................................ 15 

1.4.3.1 Digipass User Account Settings..........................................................................................15 

1.4.3.2 Static Passwords..............................................................................................................16 

1.5 Features..................................................................................................................... 17 

1.5.1 Active Directory Integration..................................................................................... 17 

1.5.2 User Management.................................................................................................. 17 

1.5.3 Digipass Management............................................................................................. 17 

1.6 Supported Protocols................................................................................................... 18 

1.7 Unsupported by Digipass Plug-In for IAS................................................................... 18 

1.7.1 Windows 2000 Limitations....................................................................................... 18 

1.7.2 Other Unsupported Protocols................................................................................... 18 

1.7.3 IAS Remote Access Policy Limitations........................................................................ 18 

1.8 Available Reference Guides........................................................................................ 19 

2 Digipass...............................................................................................................20 

2.1 Types of Digipass........................................................................................................20 

2.1.1 Hardware Digipass................................................................................................. 20 

2.1.2 Software Digipass.................................................................................................. 21 

2.1.3 Virtual Digipass..................................................................................................... 22 

2.2 How do Digipass Work?.............................................................................................. 23 

2.2.1 Digipass Applications.............................................................................................. 23 

2.2.2 Virtual Digipass Differences..................................................................................... 23 

2.2.2.1 Virtual Digipass Login Process........................................................................................... 24 

2.2.2.2 How Does a User Request an OTP?.....................................................................................25 

2.2.3 Digipass Programming............................................................................................ 25 

2.2.3.1 Digipass PIN................................................................................................................... 25 

2.2.3.2 Time/Event-based Digipass Applications............................................................................. 25 

2.2.3.3 OTP Length.....................................................................................................................26 

2.2.3.4 Challenge Length.............................................................................................................26 

2.2.4 Digipass Record Settings......................................................................................... 27 

2.2.4.1 Time/Event-based Settings............................................................................................... 27 

2.2.4.2 Response Length............................................................................................................. 27 

2.2.4.3 Server PIN......................................................................................................................28 

2.2.4.4 Backup Virtual Digipass.................................................................................................... 28 

© 2005 VASCO Data Security Inc. iii


2.3 Digipass Records........................................................................................................ 30 

2.3.1 Location of Digipass Records................................................................................... 30 

2.3.2 Typical Digipass Location Models.............................................................................. 32 

2.3.3 Search for Digipass Records.................................................................................... 35 

2.4 Digipass Record Functions..........................................................................................36 

2.4.1 Reset Application................................................................................................... 36 

2.4.2 Set Event Counter.................................................................................................. 36 

2.4.3 Reset PIN............................................................................................................. 36 

2.4.4 Force PIN Change.................................................................................................. 36 

2.4.5 Set PIN................................................................................................................ 36 

2.4.6 Unlock Digipass..................................................................................................... 36 

2.4.7 Reset Application Lock............................................................................................ 36 

2.4.8 Test a Digipass Application...................................................................................... 36 

2.5 Assigning Digipass to Users........................................................................................37 

2.5.1 Digipass Assignment Options................................................................................... 37 

2.5.1.1 Self-Assignment.............................................................................................................. 38 

2.5.1.2 Auto-Assignment............................................................................................................. 38 

2.5.1.3 Manual Assignment..........................................................................................................38 

2.6 Security Levels........................................................................................................... 38 

2.7 Virtual Digipass Implementation Considerations........................................................ 39 

2.7.1 Digipass Assignment Options................................................................................... 39 

2.7.2 Cost..................................................................................................................... 39 

2.7.3 Security................................................................................................................ 39 

2.7.4 Convenience......................................................................................................... 39 

2.7.5 Gateway and account............................................................................................. 39 

2.7.6 Limiting Usage of Virtual Digipass............................................................................. 40 

2.7.6.2 Backup Virtual Digipass Usage Guidelines........................................................................... 40 

2.7.7 Resetting Virtual Digipass Restrictions....................................................................... 41 

2.7.8 Virtual Digipass Login options.................................................................................. 41 

2.7.9 Location of OTP Request Site................................................................................... 41 

3 Digipass User Accounts....................................................................................... 42 

3.1 User Account Identification........................................................................................ 42 

3.2 Digipass User Account Creation.................................................................................. 42 

3.2.1 Manual Creation.................................................................................................... 42 

3.2.2 User Self-Management Web Site.............................................................................. 42 

3.2.3 Dynamic User Registration...................................................................................... 42 

3.2.4 Changes to Stored Static Password........................................................................... 43 

3.2.4.1 Password Autolearn..........................................................................................................43 

3.2.4.2 User Self-Management Web Site........................................................................................43 

3.3 Logging in with a Digipass..........................................................................................45 

3.3.1 Login Processes..................................................................................................... 45 

3.3.2 Multiple Digipass or Digipass Applications.................................................................. 46 

3.3.3 Password Field Information..................................................................................... 46 

3.4 Administration Privileges........................................................................................... 47 

3.5 Authenticating Users.................................................................................................. 48 

3.5.1 Authentication Settings........................................................................................... 48 

© 2005 VASCO Data Security Inc. iv


3.5.2 Local Authentication............................................................................................... 48 

3.5.3 Back-End Authentication......................................................................................... 48 

3.5.4 User Account Locking............................................................................................. 49 

3.5.5 Windows Group Check............................................................................................ 49 

3.5.5.2 Windows Group Check Process.......................................................................................... 50 

3.5.6 Linking User Accounts............................................................................................. 51 

4 Policies................................................................................................................52 

4.1 What are Policies?...................................................................................................... 52 

4.2 How Do They Work?................................................................................................... 52 

4.3 Policy Settings............................................................................................................53 

4.4 Multiple Policies......................................................................................................... 55 

4.4.1 Inheritance........................................................................................................... 55 

4.4.2 Show Effective Settings.......................................................................................... 56 

4.5 Pre-Loaded Policies.................................................................................................... 57 

4.6 Differences from VACMAN Middleware 2.3..................................................................58 

4.6.1 Authenticator Setting............................................................................................. 58 

5 Components........................................................................................................ 59 

5.1 What is a Component Record?.................................................................................... 59 

5.1.1 No Component Record Exists for a RADIUS Client....................................................... 60 

5.1.2 Policy Selection..................................................................................................... 61 

5.2 Pre-loaded Component............................................................................................... 61 

5.3 Licensing.................................................................................................................... 61 

6 Active Directory Integration................................................................................62 

6.1 What is Stored in Active Directory?............................................................................ 62 

6.2 Schema Extensions.....................................................................................................62 

6.3 Permissions Needed by the IAS Plug-In..................................................................... 62 

6.4 Sensitive Data Encryption...........................................................................................62 

6.5 Administrative Permissions........................................................................................ 63 

6.6 Active Directory Command Line Utility....................................................................... 63 

7 Administration Interfaces....................................................................................64 

7.1 Digipass Extension for Active Directory Users & Computers....................................... 64 

7.2 Administration MMC Interface.................................................................................... 64 

8 Licensing............................................................................................................. 65 

8.1 Overview.................................................................................................................... 65 

8.2 Obtaining a License Key File....................................................................................... 65 

8.2.1 Digipass Plug-In Activation Page.............................................................................. 65 

9 Auditing and Tracing........................................................................................... 66 

9.1 Auditing......................................................................................................................66 

9.1.1 Audit System........................................................................................................ 66 

9.1.1.1 Audit message types........................................................................................................ 66 

9.1.1.2 Audit messages location................................................................................................... 66 

9.1.2 Active Directory Auditing......................................................................................... 67 

9.2 Tracing....................................................................................................................... 67 

10 User Self Management Web Site..........................................................................68 

© 2005 VASCO Data Security Inc. v


10.1 Customizing the User Self Management Web Site.......................................................69 

11 OTP Request Site.................................................................................................70 

12 Message Delivery Component..............................................................................71 

12.1 Configuration..............................................................................................................71 

Alphabetical Index.............................................................................................. 72 

© 2005 VASCO Data Security Inc. vi


Index of Tables 

Table 1: Login static password Requirements................................................................................ 16 

Table 2: Backup Virtual Digipass Policy/Digipass Settings................................................................ 28 

Table 3: Summary of Digipass Record Location Options.................................................................. 31 

Table 4: Digipass Options........................................................................................................... 39 

Table 5: Backup Virtual Digipass Example Guidelines...................................................................... 41 

Table 6: User Account Identification Methods................................................................................ 42 

Table 7: VACMAN Middleware and IAS Plug-In Authentication Settings.............................................. 58 

Table 8: DPADadmin tasks......................................................................................................... 63 

Table 9: Audit message types..................................................................................................... 66 

Index of Images 

Image 1: Digipass Plug-In for IAS Overview................................................................................... 9 

Image 2: Login Method Processes................................................................................................ 10 

Image 3: Authentication Process................................................................................................. 14 

Image 4: GO 1......................................................................................................................... 20 

Image 5: GO 3......................................................................................................................... 20 

Image 6: DP 300....................................................................................................................... 20 

Image 7: DP 585....................................................................................................................... 20 

Image 8: DP 260....................................................................................................................... 20 

Image 9: GO 2......................................................................................................................... 21 

Image 10: DP 800..................................................................................................................... 21 

Image 11: Digipass for Pocket PC................................................................................................ 21 

Image 12: Digipass for SIM........................................................................................................ 21 

Image 13: Digipass for Palm....................................................................................................... 21 

Image 14: Virtual Digipass Login................................................................................................. 24 

Image 15: Digipass Record Locations - Digipass Pool...................................................................... 32 

Image 16: Digipass Record Locations - Parent Organizational Unit.................................................... 33 

Image 17: Digipass Record Locations - Individual Organizational Units.............................................. 34 

Image 18: Assignment Method Processes..................................................................................... 37 

Image 19: Dynamic User Registration.......................................................................................... 43 

Image 20: Login Method Processes.............................................................................................. 45 

Image 21: Windows Group Check Process..................................................................................... 50 

Image 22: Policy Selection......................................................................................................... 52 

Image 23: Policy Inheritance...................................................................................................... 55 

Image 24: Component Overview................................................................................................. 59 

Image 25: Component Use by IAS Plug-In.................................................................................... 61 

© 2005 VASCO Data Security Inc. vii


Image 26: OTP Request Site....................................................................................................... 70 

© 2005 VASCO Data Security Inc. viii

Digipass Plug-In for IAS Product Guide Overview 

1 Overview 

1.1 Digipass Plug-In for IAS 

The main purpose of the Digipass Plug-In for IAS is to improve your network security by 

adding two-factor authentication to Microsoft's Internet Authentication Service (IAS). It 

consists of two main parts - 

The IAS Plug-In is an Authentication Module for IAS which enables two-factor 

authentication using Digipass. 

Digipass are devices used to generate a One Time Password. 

The IAS Plug-In interacts with IAS by performing the authentication check when IAS passes 

the Access-Request to it. When this occurs depends on the Authentication Policies defined in 

IAS. The IAS Plug-In does not perform any authorization checks, however if authentication is 

successful, it can instruct IAS to use a specific RADIUS Profile. 

The User logs in through 

the usual channel, using 

their Digipass to generate 

a One Time Password. 

Image 1: Digipass Plug-In for IAS Overview 

What is Two-Factor Authentication? 

Methods of identifying an individual can be separated into three main categories - 

Something they have (eg ID card) 

Something they know (eg static password) 

Something they are (eg thumbprint) 

Standard authentication is usually based on a UserID and a static password, and relies on only 

one factor of identification - something the User knows. 

In contrast, Digipass authentication relies on two factors of identification – something the User 

has (the Digipass) and something the User knows (a static PIN or password). This is 

commonly referred to as two-factor authentication. 

What is a One Time Password? 

The IAS Plug-In checks the User 

details and, if correct, passes 

the authentication request on to 

IAS. 

A One Time Password (OTP) is a dynamic password created by a Digipass. It is either timebased 

(valid for a specific time interval) or event-based (valid for a specific usage count of the 

Digipass). 

© 2005 VASCO Data Security Inc. 9


1.2 Digipass Introduction 

1.2.1 What is a Digipass? 

A Digipass is a device for providing a One Time Password to a User. The Digipass is provided to 

each person whom a company wishes to be able to log into their system using One Time 

Passwords. The User obtains a One Time Password from the Digipass to use instead of, or as 

well as, a static password when logging in. 

Virtual Digipass is a mechanism where an OTP is generated by the server and sent by text 

message to the User's mobile phone. In this case, a physical Digipass is not needed. 

1.2.2 Logging in with a Digipass 

The diagram below shows a typical login process for the three basic login methods supported 

by the IAS Plug-In. The actual details entered by the User may vary, depending on Policy 

settings. 

Image 2: Login Method Processes 



1.2.3 Types of Digipass 

There are three basic types of Digipass: 

Hardware Digipass 

Hardware Digipass are devices specifically designed for creation of One Time Passwords. 

Depending on the model supplied, they may be used for Response Only, Challenge/Response 

and Digital Signature (not supported by the IAS Plug-In) methods. 

Software Digipass 

Software Digipass may be installed on a PDA or other mobile device. The User then accesses a 

Digipass program to obtain a One Time Password. They typically support Response Only, 

Challenge/Response and Digital Signature (not supported by the IAS Plug-In) methods. 

Virtual Digipass 

Virtual Digipass can be used instead of hardware Digipass tokens, or as a backup mechanism 

when a User has mislaid their hardware Digipass. Using Virtual Digipass means that a User 

may receive a One Time Password on their mobile phone via text message. 



1.3 Software Components 

The Digipass Plug-In for IAS consists of various components, some required and some 

optional: 

1.3.1 Required Components 

IAS Plug-In 

This module is an addition to Microsoft's Internet Authentication Service which permits an 

increase in IAS security by adding two-factor authentication. Versions 5.0 of IAS and later are 

supported. 

Data Store 

Additional User account information, Digipass records and other required Digipass-related 

settings are stored in Active Directory. 

Administration Interfaces 

Digipass Extension for Active Directory Users and Computers 

VASCO Extension to the Active Directory Users and Computers interface. Allows integrated 

administration of additional User settings and Digipass records. 

Administration MMC Interface 

This interface allows easy administration of Digipass Configuration data. 

1.3.2 Optional Components 

User Self Management Web Site 

Allows Users to make appropriate changes to their own Digipass settings, including PIN 

changes. 

Virtual Digipass 

The VASCO components used for Virtual Digipass are: 

Message Delivery Component 

Sends a One Time Password through a text message HTTP gateway to a User’s mobile phone. 

OTP Request Site 

Allows a User to specifically request an OTP to be sent to their mobile phone. 

1.3.3 Extra Utilities 

These extra utilities may be used with the Digipass Plug-In for IAS, but require separate 

installations. 

Data Migration Tool 

The VASCO Data Migration Tool is a utility which allows you to migrate your data from one 

VASCO product to another. 



RADIUS Client Simulator 

The RADIUS Client Simulator is a program that simulates RADIUS Authentication and 

Accounting processing in a similar fashion to RADIUS enabled Network Access Server and 

Firewall devices. The RCS can be used to test User authentication, Digipass authentication, 

estimate RADIUS Server performance, test system overload, and assist in detection of 

resource (memory, handle, etc.) leakage. 



1.4 Authentication Process 

The authentication process used by the IAS Plug-In will vary depending on settings in the 

applicable Policy and Digipass User account. The diagram below shows the basic process 

followed by the IAS Plug-In when authenticating a Digipass User login. 

Image 3: Authentication Process 

1.4.1 Local and Back-End Authentication 

The IAS Plug-In authenticates logins in two basic ways: 

Using information from its data store ('local' authentication) 

Asking Windows for verification of information ('back-end' authentication) 

'Local' Authentication 

The IAS Plug-In checks the details given in the authentication request against the details in its 

data store. This is when a Digipass User's One Time Password is checked. See 3.5.2 Local 

Authentication for more information. 

'Back-End' Authentication 

The IAS Plug-In checks the details given in the authentication request – User ID and domain - 

with Windows. The User's static password is also checked, and may be retrieved from the 

stored static password or from the authentication request, depending on Policy settings. See 

3.5.3 Back-End Authentication for more information. 



1.4.2 Policies 

Policies specify various login settings which can affect how a User must log in. The Policy used 

for a specific authentication request is decided based on the RADIUS Client that transmitted 

the request or based on the IAS Plug-In component that handles the request. 

Some policy settings include: 

Whether Local and/or Back-End Authentication should be used 

Whether various automatic management features should be used 

The Digipass Application types required for login 

Backup Virtual Digipass settings 

1.4.3 Digipass User Account 

A Digipass User account is attached to an Active Directory User account, by including 

additional attributes. These attributes are stored in an auxiliary class attached to the User 

object class. The account is created to hold authentication settings for the IAS Plug-In. It 

includes settings such as Digipass assignment and authentication overrides. 

The Digipass User account contains some login settings that affect how a User must log in. 

These settings can be used to override equivalent settings in the relevant Policy. 

A Digipass User account is created as required for a User record in Active Directory – for 

example when a Digipass must be assigned or Digipass User account settings modified. When 

Auto-Assignment is enabled (see later), creation of the account via Dynamic User Registration 

is the trigger for a Digipass to be automatically assigned to the User. 

1.4.3.1 Digipass User Account Settings 

Stored Static Password 

This may be used when local authentication is enabled and back-end authentication disabled, 

to avoid using the Windows static password for remote network access. It can be used for 

authenticating a User when a Digipass has not been assigned, or the assigned Digipass is still 

in the grace period. It can also be used for the Virtual Digipass feature, which requires a static 

password to be used in addition to the transmitted OTP. 

Local Authentication 

See 1.4.1 Local and Back-End Authentication. 

The Digipass User account setting overrides 

the Policy setting of the same name. 

Back-End Authentication 

See 1.4.1 Local and Back-End Authentication. 

The Digipass User account setting overrides 

the Policy setting of the same name. 

Disabled 

Specifies whether the Active Directory User account has been disabled. If so, the User will be 

rejected by the IAS Plug-In. 

Locked 

If a Digipass User account is locked, the User will be unable to log in until it is unlocked by an 

administrator. 



User Account Link 

Link to another Active Directory User account utilized by the same person. This may be used 

where an administrator needs to use their Digipass to log in via two different accounts. 

RADIUS Profiles 

Provides an authorisation link to IAS by selecting a RADIUS Profile. 

Record Creation Time 

The time and date when the Digipass User account was created. This is significant because it 

is used as an indicator of whether a given Active Directory User has a Digipass User account. 

1.4.3.2 Static Passwords 

When a static password is required for a login through the IAS Plug-In, which static password 

is checked depends on the settings in the relevant Policy. It will be either: 

Stored (local) static password in the Digipass User account 

If back-end authentication is in use, this will be a copy of the Windows static password – 

this is not typically required for the IAS Plug-In. Otherwise it will be a static password 

unrelated to the Windows static password. 

Windows static password 

Common Scenarios 

The table below shows common scenarios and the static password that the User would be 

required to enter on login. 

Scenario Password Required 

Local Authentication enabled and Back-End Authentication disabled Stored static password 

Dynamic User Registration enabled and needed for the login Windows static password 

Virtual Digipass login with Back-End Authentication enabled Windows static password 

Challenge/Response login with Back-End Authentication enabled 1 

Table 1: Login static password Requirements 

1 

If static password is required to request a Challenge/Response login 

Windows static password 



1.5 Features 

The IAS Plug-In includes many features to make administration simple and easy. These 

include integration with your current User Management system and automated processes for 

Digipass and User management. 

1.5.1 Active Directory Integration 

The Digipass Plug-In for IAS uses Active Directory to store VASCO-specific User attributes, 

Digipass records and Digipass Configuration information (eg Policies). 

1.5.2 User Management 

These features help your administrators streamline their User management: 

Dynamic User Registration (DUR) 

A Digipass User Account can be automatically created for a User new to the IAS Plug-In upon 

successful login through IAS. This allows the User to be assigned a Digipass, and the IAS 

Plug-In to process their future logins. 

Windows Group Check 

The IAS Plug-In can be configured to only authenticate Users belonging to specific Windows 

Groups. See 3.5.5 Windows Group Check for more information. 

1.5.3 Digipass Management 

These features will assist your administrators by automating the main Digipass management 

tasks required: 

Self-Assignment 

Your company might decide to distribute all of the Digipass to your Users, then require each 

User to self-assign their Digipass. On their first login, the User must enter a password 

combination which includes the Digipass serial number, to inform the IAS Plug-In of the 

assignment. The User account is then linked with the relevant Digipass record. 

Auto-Assignment 

A Digipass may be automatically assigned to a User upon creation of a Digipass User account, 

when Dynamic User Registration is used. 

Grace Period 

The Grace Period supplies a User with a set amount of time (eg. 7 days) between assignment 

of a Digipass and the User being required to log in for the first time using an OTP from their 

Digipass. 



1.6 Supported Protocols 

The following protocols are supported by the Digipass Plug-In for IAS: 

PAP 

CHAP 

MS-CHAP with MPPE (Microsoft Point-to-Point Encryption) 

MS-CHAP2 with MPPE 

EAP-MD5 

1.7 Unsupported by Digipass Plug-In for IAS 

1.7.1 Windows 2000 Limitations 

These are not supported with Windows 2000: 

EAP-MD5 

Challenge/Response 

1.7.2 Other Unsupported Protocols 

These protocols are not supported by the Digipass Plug-In for IAS: 

Other EAP types 

PEAP 

EAP-TTLS 

Various EAP types 

1.7.3 IAS Remote Access Policy Limitations 

Windows Server 2003 

Remote Access Policy Conditions may be set based the password protocol being used for an 

authentication request, using the Authentication-Type option. 

When the IAS Plug-In authenticates a login, the Authentication-Type is recorded within IAS as 

"Extension", regardless of the actual password protocol used. Therefore, any Remote Access 

Policy Conditions limiting the password protocol being used will not work with the IAS Plug-In. 

Example 

Authentication-Type is set to PAP, meaning that any authentication requests which 

do not use the PAP password protocol will be rejected. If the IAS Plug-In is 

configured to use the PAP protocol, the Authentication-Type recognised when it 

makes an authentication request will be 'Extension' (meaning that IAS has 

recognised it as an IAS extension). The request will be failed by IAS because the 

password protocol being used by the Plug-In was only registered as 'Extension', not 

as 'PAP'. 



1.8 Available Reference Guides 

Reference Guides are included with every VASCO product: 

Product Guide 

The Product Guide will introduce you to the features of this product and the various options 

you have for using it. 

Installation Guide 

Use this guide when planning and working through an installation of the product. 

Getting Started 

To get you up and running quickly with a simple installation and setup of the product. 

Administrator Reference 

In-depth information required for administration of the product. This includes references such 

as data attribute lists, backup and recovery and utility commands. 

Data Migration Tool Guide 

Takes you through a data migration from one VASCO product to another, using the VASCO 

Data Migration Tool. 

Help Files 

Context-sensitive help accompanies the administration interfaces. 


Digipass Plug-In for IAS Product Guide Digipass 

2 Digipass 

This section contains information specific to Digipass, their setup and management on your 

network. 

2.1 Types of Digipass 

2.1.1 Hardware Digipass 

The three basic types of hardware Digipass are: 

Digipass without keypads 

These are the simplest type of Digipass. They have a triggering mechanism - typically a button 

or action, such as pulling the Digipass open – which causes a One Time Password to be 

generated. They have only one Application, which is Response Only. 

Digipass with keypads 

Image 4: GO 1 Image 5: GO 3 

These are typically capable of supporting more than one Application, and can be programmed 

so that a PIN must be entered before a One Time Password may be accessed. 

Image 6: DP 300 Image 7: DP 585 Image 8: DP 260 



Smartcard reader Digipass 

These provide two-factor authentication based on smartcard technology. 

2.1.2 Software Digipass 

Image 11: Digipass for 

Pocket PC 

Digipass for Pocket PC 

Image 9: GO 2 Image 10: DP 800 


SIM 


Palm 

Digipass for Pocket PC turns Pocket PCs and smart phones into a personal hardware security 

device to provide One Time Passwords and Digital Signatures. 

Digipass for Palm 

Like Digipass for Pocket PC, Digipass for Palm allows generation of One Time Passwords and 

Digital Signatures from Palm Pilots and other devices utilising the Palm technology. 

Digipass for SIM 

Digipass for SIM allows a GSM mobile phone SIM card to be used to generate One Time 

Passwords. 

Digipass for Windows 

Digipass for Windows can be installed directly onto a PC. One Time Passwords and Digital 

Signatures can be generated on your computer and pasted into the required login window. 



2.1.3 Virtual Digipass 

There are two forms of Virtual Digipass available: 

Primary Virtual Digipass are treated by the IAS Plug-In almost identically to hardware 

Digipass – a record of each Primary Virtual Digipass must be imported into the data store, and 

may then be assigned to a User automatically or manually. The User will typically log in with 

their User ID and static password, have a text message sent to their mobile phone, and then 

enter the One Time Password from the text message in the second stage of their login. 

The Backup Virtual Digipass feature allows a User to request a One Time Password sent to 

their mobile phone if they do not have their usual Digipass at hand. It may be limited by 

number of uses or days of use – eg. a User may be limited to 2 days' usage, after which they 

will again need to use their usual Digipass to log in. 



2.2 How do Digipass Work? 

2.2.1 Digipass Applications 

Each Digipass is programmed with at least one Digipass Application, and a unique algorithm. 

The Digipass uses this unique algorithm when generating One Time Passwords. 

Each type of Digipass Application generates One Time Passwords from different data, and in 

slightly different ways: 

Response Only 

Creates a One Time Password based on the date and time, or on the number of uses (events). 


Creates a One Time Password (also referred to as a 'Response' in this context) based on a 

numerical challenge given on a login page. This may be either a challenge custom-created for 

the specific Digipass, or a randomly created challenge. The One Time Password may also be 

based on the date and time. 

Digital Signature 

Digital Signature Digipass Applications are typically used in online banking. The Digipass 

generates a unique code - referred to as a 'Digital Signature' - based on a number of factors 

entered, plus (optionally) the date and time, or number of uses (events). In an online banking 

environment, the factors used to generate the Digital Signature during a funds transfer might 

be the debit account number, the destination account number and the amount of money being 

transferred. 

Digital Signatures are not currently in use with the Digipass Plug-In for IAS. 

2.2.2 Virtual Digipass Differences 

The IAS Plug-In treats Primary Virtual Digipass slightly differently to other Digipass. The two 

main differences are: 

Grace Period 

A Primary Virtual Digipass cannot be used until its grace period has expired, if the method of 

requesting an OTP is the static password. This is to ensure that text messages are only sent 

when needed – avoiding unnecessary cost to the company and/or Users. However, in this 

case the OTP Request Site or User Self Management Web Site may be used to prematurely end 

the grace period. 

Backup Virtual Digipass 

The Backup Virtual Digipass feature cannot be enabled for a Primary Virtual Digipass. 



2.2.2.1 Virtual Digipass Login Process 

The diagram below shows the basic process that occurs when a User logs in with a Virtual 

Digipass: 

Image 14: Virtual Digipass Login 



2.2.2.2 How Does a User Request an OTP? 

There are three ways a User might request a One Time Password to be delivered with either a 

Primary or Backup Virtual Digipass: 

2-step Login 

Two login prompts are used to provide an easy-to-use login interface for Users with Virtual 

Digipass. The first prompt is used to request an OTP, the second to enter the received OTP. 

This can be used with applications which support 2-step logins eg. Citrix Web Interface, 

RADIUS with support for Challenge/Response. 

Two 1-step Logins 

The User must attempt two logins, the first of which will fail but will initiate the sending of an 

OTP to the User’s mobile. This is used when the 2-step login process is not supported – eg. 

RADIUS without support for Challenge/Response. 

OTP Request Site 

Alternatively – especially if a more user-friendly option than the previous is needed - Users can 

go to the OTP Request site when they need an OTP sent to their mobile phone, then login 

normally at the usual login screen. 

2.2.3 Digipass Programming 

A Digipass is programmed using a Digipass Programmer and the necessary software. This may 

be done by your company or by your supplier. 

Common settings which may affect your administration tasks are explained below. 

2.2.3.1 Digipass PIN 

A Digipass PIN may be required for a Digipass. If set, the PIN must be entered into the 

Digipass before obtaining a One Time Password. This means that just possessing the Digipass 

is not enough to log in to a network – the person logging in must also know the Digipass PIN. 

Digipass PIN settings include: 

An Initial PIN can be set for a Digipass. The PIN must then be sent to the User of the 

Digipass, typically separate from the Digipass delivery. 

First Use PIN Modification allows a Digipass to require a PIN change from the User 

upon first use. 

PIN Change allows a User to change their PIN as desired. 

The PIN Length can be set for a Digipass. 

Digipass Lock sets the number of consecutive faulty PIN entries allowed before the 

Digipass is locked. 

2.2.3.2 Time/Event-based Digipass Applications 

Response Only 

Response Only Digipass Applications can be either time-based or event-based: 



Time-based 

A time-based Application will change the OTP to be displayed based on the current time. The 

common time step used is 36 seconds – and means that the OTP to be displayed will change 

every 36 seconds, whether or not an OTP has been requested from the Digipass. 

Event-based 

An event-based Digipass Application will display a new OTP each time a request for an OTP is 

made. 


Challenge/Response Digipass Applications can be either time-based or non-time-based: 

Time-based 

A time-based Challenge/Response Digipass Application will generate an OTP based on the 

Challenge given and the current time. The common time step used is 9 hours ('slow 

challenge'). This would mean that if the exact same Challenge were given to a Digipass within 

a 9 hour period, the Digipass Application will generate the same OTP. However, Challenges 

are very rarely repeated within such a time period. 

Non-time-based 

A non-time-based Challenge/Response Digipass Application will generate an OTP based only on 

the Challenge given. 

2.2.3.3 OTP Length 

The length of the OTP (excluding check digit) generated by the Digipass for Response Only 

and Challenge/Response Digipass Applications. 

Check Digit 

A check digit may be added to each OTP. This is generated from the response and allows for 

faster invalidation of incorrect OTPs. 

2.2.3.4 Challenge Length 

The length of the Challenge (excluding check digit) which should be expected by the Digipass. 

This is used by the Challenge/Response Digipass Application. 

Check Digit 

A check digit may be expected with each Challenge. This is generated by the server from the 

Challenge and allows the Digipass to reject most invalid Challenges. 



2.2.4 Digipass Record Settings 

These settings are kept in the record for a Digipass Application, and affect which OTP is 

expected by the IAS Plug-In. 

2.2.4.1 Time/Event-based Settings 

Time Based 

Specifies whether the algorithm for the Digipass application is time-based (see Time/Eventbased 

Digipass Applications for more information). 

Time Step Used 

The time step used by the Digipass Application (see Time/Event-based Digipass 

Applications for more information). 

Last Time Shift 

Time Shift records any misalignments between the time recorded on the Digipass and the time 

recorded on the server, each time a User logs in. This ensures that if either clock drifts from 

the correct time, an allowance can be made by the IAS Plug-In and the User will still be able to 

log in. If the time drift goes beyond the allowable time window between User logins, the 

Digipass record will have to be reset (this allows for recalculation of the time drift). 

Example 

Time window may be 5 steps in either direction. 

This means that 11 OTPs would be considered valid – the exact OTP for that time, 

and the OTPs for the 5 time steps either side of the exact time. If the OTP given is 

for a different time step, the time shift for that Digipass will be recorded. The next 

time the User logs in, the expected OTP will be calculated based on that time shift. 

Last Event Value 

The current number of uses of the Digipass Application, according to the Digipass. This can 

get out of sync with the number of uses recorded by the IAS Plug-In when: 

login failures occur for other reasons than incorrect OTP 

the Digipass has been used without a login (eg. children have been playing with it) 

The Digipass is being used to log in to two separate systems 

The purpose of this setting is much the same as the Last Time Shift setting – it allows the IAS 

Plug-In to track any shifts between the event count recorded by itself and the Digipass. 

2.2.4.2 Response Length 

This setting determines the length of the OTP (excluding check digit) expected by the server 

from the Digipass Application. 



Response Check Digit 

Whether a check digit may be expected with each OTP from the Digipass Application. This is 

generated from the response and allows for faster invalidation of incorrect OTPs. 

2.2.4.3 Server PIN 

The term 'Server PIN' is used to mean a PIN that the user enters into the login password field 

in front of the OTP displayed on the Digipass. It is checked by the authenticating server. The 

'Digipass PIN' referred to earlier indicates a PIN entered into a keypad on the Digipass. That is 

checked by the device itself, and is never transmitted to the server. 

There are a number of Server settings regulating Server PINs: 

PIN Supported 

Whether a PIN must be included in a User's login. 

PIN Change On 

Is a User allowed to change their Server PIN for this Digipass? 

Force PIN Change 

Must the User change their Server PIN the next time they log in? 

PIN Length 

The length of the current Server PIN. 

PIN Minimum Length 

The minimum PIN length required by the Server. 

2.2.4.4 Backup Virtual Digipass 

Policy and Digipass settings 

Several settings dictate how a User may utilize the Backup Virtual Digipass feature. These 

settings are: 

Enable or disable Backup Virtual Digipass and enable method (eg. Required). 

Time limit/expiry (applies to Time Limited enable only) 

Maximum number of times a User may make use of the Backup Virtual Digipass. 

The above settings may be set both at the Policy level and at the Digipass record level. 

Individual settings override Policy settings for an individual Digipass, but some Policy settings 

(see below) may be used to automatically set Digipass settings which are blank when the 

Backup Virtual Digipass is first utilized by the User. 

Time Limit and Max. Uses/User 

Server Setting User Setting 

Time Limit Enabled Until 

Max. Uses/User Uses Remaining 

Table 2: Backup Virtual Digipass Policy/Digipass Settings 



If Backup Virtual Digipass is enabled for a Digipass and set to Time Limited, and the Enabled 

Until field in the Digipass property sheet is blank on their first use of the Backup Virtual 

Digipass, their time limit will begin on their first use of the feature. The expiry date (today’s 

date + Time Limit) will then be displayed in the Enabled Until field. 

If a Max. Uses/User is set for the relevant Policy and a Digipass record's Uses Remaining field 

in their User property sheet is blank on their first use of the Backup Virtual Digipass, a number 

(Max Uses/User) will be automatically entered into their Uses Remaining field and immediately 

decremented by 1. 

Note 

If a User has Backup Virtual Digipass enabled with Enabled Until date set and 

their Uses Remaining has been set (automatically or manually), whichever of 

these expires first will disable Backup Virtual Digipass for the User. 

eg. Backup Virtual Digipass is enabled for a User as Time Limited, and the 

server Time Limit setting is 3 days. The Max. Uses/User Policy setting is 5. 

When the User first makes use of the Backup Virtual Digipass, their Enabled 

Until is set to a date 3 days hence and their Uses Remaining to 4. During 

the next 48 hours, they log in 4 more times. Although the User’s time limit 

does not run out for another 24 hours, their Uses Remaining is now 0 and 

Backup Virtual Digipass is disabled. 



2.3 Digipass Records 

2.3.1 Location of Digipass Records 

When a Digipass is assigned to a User, it is moved to the same location as the Digipass User 

account it is assigned to. This makes it easier to set up the permissions necessary for 

delegated administration. 

Note 

A Digipass record will not automatically be moved when the User account to 

which it is assigned is moved to another location. When moving User accounts 

within Active Directory, ensure that the records of any assigned Digipass are 

manually moved to the same location. 

Unassigned Digipass records may be stored in various places in the domain: 

Digipass Pool 

During installation, a container is created in the Domain called Digipass-Pool. This is intended 

as a general store for unassigned Digipass, regardless of which administrator is performing 

assignment. 

Organizational Units 

Digipass can be loaded or moved either into the exact Organizational Units where the User 

accounts to which they will be assigned are located, or into a few key Organizational Units in 

the hierarchy where they may be assigned to Users in lower level Organizational Units. 

Users Container 

Digipass can be loaded into the Users container, so they are available for Users in that 

container. However, it is not recommended to use the Users container for either User accounts 

or Digipass. 

Note 

The IAS Plug-In will always find or assign the closest available Digipass record 

to the selected User record(s). 

When looking for an available Digipass to assign to a User, the IAS Plug-In will first look in the 

same location as the specific User account. The Search Upwards in Organizational Unit 

hierarchy option, when enabled, allows the IAS Plug-In to search in parent Organizational 

Units and the Digipass Pool container. This option may be set at the Policy level for system 

searches (eg. Auto-Assignment and Self-Assignment) or at the time of the search for manual 

assignment. 

If the assignment is manual (performed by an administrator), it will only find and successfully 

assign Digipass from locations where the administrator has the correct permissions. The 

administrator must have read permission for Digipass objects in the location to find a Digipass 

record, and if it needs to be moved to the User's location, they must have delete permission 

for Digipass objects to successfully assign the Digipass. If the administrator has sufficient 



permissions to view a Digipass record but not to assign it, the assignment will fail. 

Record 

Location 

Digipass Pool Only administrators with access to the Digipass 

Pool may view or modify records for unassigned 

Digipass. This also means that only those 

administrators may manually assign Digipass. 

Organizational 

Unit 

Users 

Container 

Pros Cons 

Digipass may be portioned out to various 

Organizational Units. This is particularly useful 

where a company is contracted to provide 

authentication services to multiple companies, 

or where various departments have different 

Digipass quota. 

Digipass can be assigned to any User in the 

Users container. 

Table 3: Summary of Digipass Record Location Options 

An extra permission must be assigned all 

administrators who should be able to assign 

Digipass (if they are not Domain Admins). It is 

not possible to strictly subdivide the unassigned 

Digipass among the Organizational Units 

according to quotas. 

If an Organizational Unit runs out of Digipass to 

assign its Users, more Digipass records must be 

manually moved to the right location. 

Digipass in the Users container are only available 

to User accounts stored there. 



2.3.2 Typical Digipass Location Models 

Digipass Pool 

A centralised point of access and importation can be implemented by using the Digipass Pool 

to hold unassigned Digipass records. This option requires less calculation and high-level 

administration, as Digipass records are all imported into one area and there is no need to 

manually move records or calculate the exact number of Digipass required for each 

Organizational Unit or group of Units. However, permissions will need to be set up to permit 

delegated administrators access to move the Digipass out of the container upon assignment. 

The Digipass Pool is treated as the Domain Root by the IAS Plug-In, as Digipass records may 

not be saved in the Domain Root. 

Image 15: Digipass Record Locations - Digipass Pool 

In the diagram above, Administrator 1 has delegated administrator permissions for the 

Organizational Unit B and its child Organizational Units. They must also have read and delete 

permissions for Digipass objects in the Digipass Pool container. 

The Search Upwards in Organizational Unit hierarchy option must be enabled for this 

model to function correctly. 



Parent Organizational Units 

Unassigned Digipass can be kept in key Organizational Units, and made available to their lower 

level Organizational Units. This requires a delegated administrator to have permissions not 

only for the Organizational Unit in which the User accounts are stored, but also read, write and 

delete permissions for Digipass objects in the Organizational Unit in which the Digipass are 

stored. 

Image 16: Digipass Record Locations - Parent Organizational Unit 

In the diagram above, Administrator 1 has full admin permissions for Organizational Unit B and 

its child Organizational Units. She does not require any other permissions to assign Digipass 

from Organizational Unit B to a User in Organizational Unit B1. Administrator 2 has full admin 

permissions for Organizational Unit A2 only. He has read and delete permissions for Digipass 

objects in Organizational Unit A in order to assign Digipass from Organizational Unit A to a 

User in Organizational Unit A2. 

The Search Upwards in Organizational Unit hierarchy option must be enabled for this 

model to function correctly. 



Individual Organizational Units 

Digipass can be loaded or moved into each Organizational Unit where and when they are 

required. It is then easy to set up permissions for delegated administrators to assign them 

only within their scope of control. If all Digipass in the Organizational Unit are assigned, more 

Digipass will need to be moved in manually by a Domain Admin before they can be assigned 

by a delegated administrator. 

Image 17: Digipass Record Locations - Individual Organizational Units 

In the diagram above, each delegated administrator only requires permissions within their 

specific Organizational Unit(s), as unassigned Digipass are stored in the Organizational Units in 

which they will be assigned. 

The Search Upwards in Organizational Unit hierarchy option does not need to be enabled 

for this model. 

Combination of models 

Digipass may be stored in the Digipass Pool as well as some or all Organizational Units. If no 

unassigned Digipass records are found in the Organizational Unit, and the Search Upwards in 

Organization Unit hierarchy option is enabled, the IAS Plug-In will search upwards to the 

Domain Root and search in the Digipass Pool for an available, unassigned Digipass record. 



2.3.3 Search for Digipass Records 

The Digipass Extension for Active Directory Users and Computers allows you to search for 

specific Digipass records, or Digipass records meeting set criteria. This functionality can be 

useful when you have Digipass records in various places throughout Active Directory. 



2.4 Digipass Record Functions 

A number of functions are available in the Digipass Extension for Active Directory Users and 

Computers to administer Digipass records. These are typically required for maintenance – eg. 

a User has forgotten their Server PIN, or a Digipass has been locked. 

2.4.1 Reset Application 

A Digipass Application may need to be reset if the time difference between it and the server 

needs to be recalculated. This would typically be for time-based Response Only Digipass after 

a very long period of inactivity. The 'reset' widens the allowable time window for the next 

login, allowing the User to log in and the IAS Plug-In to calculate the current time shift. 

2.4.2 Set Event Counter 

If the event count for an event-based application has become unsynchronised between the 

Digipass and the server, this function can be used to set the server event count to the event 

count on the Digipass. 

2.4.3 Reset PIN 

If a User’s Server PIN needs to be changed – usually because the User has forgotten it – then 

it can be reset, and the User can create a new Server PIN when they next log in. This may be 

done when unassigning or re-assigning a Digipass. 

2.4.4 Force PIN Change 

This function can be used when an administrator wants a User to change their Server PIN on 

their next login. This may be desirable as a security measure. 

2.4.5 Set PIN 

A User’s Server PIN can be set to a specific value and communicated to the User. 

2.4.6 Unlock Digipass 

If a User incorrectly enters their Digipass PIN into their Digipass a predetermined number of 

times, the Digipass will become locked. Once locked, the assistance of an administrator will be 

required to unlock it. This function allows an administrator to provide the User with an Unlock 

Code to enter into their Digipass. 

2.4.7 Reset Application Lock 

If a User has attempted to log in with incorrect details too many times, the Digipass 

Application used may be locked, depending on Policy settings. This function can be used to set 

the record for the Digipass Application to the status of unlocked. This differs from User 

locking, as the User may still log in with a different Digipass. 

2.4.8 Test a Digipass Application 

Use this function to check that a Digipass Application is working as expected. There is also a 

function to test the Backup Virtual Digipass functionality. 



2.5 Assigning Digipass to Users 

Digipass may be assigned to Users in a number of ways, depending on the requirements of 

your company. For example, a company with only a few User accounts may use Manual 

Assignment. A larger company needing to distribute large numbers of Digipass may find it 

easier to simply distribute the Digipass and require each User to go through Self-Assignment. 

Note 

Digipass records must be imported into Active Directory before being assigned 

to Users. They may be imported into a general-purpose 'Digipass Pool' or into 

the specific Organizational Units where they are needed. They must be in the 

same domain as the User to whom they are being assigned. 

2.5.1 Digipass Assignment Options 

The diagram below shows the basic assignment process used for the three main assignment 

methods which may be set in a Policy. 

Image 18: Assignment Method Processes 



2.5.1.1 Self-Assignment 

A Digipass may be assigned to a User by their own action. The User must log in and include 

the serial number, Windows static password and One Time Password. This informs the IAS 

Plug-In of the assignment, and provided that the User enters the details correctly, a link will be 

made between the Digipass record and the User account. A grace period is not used for this 

method. 

2.5.1.2 Auto-Assignment 

The IAS Plug-In can automatically assign an available Digipass when a Digipass User account 

is created using Dynamic User Registration (DUR). The correct Digipass must then be 

delivered to the User. A grace period is typically set, which allows a number of days in which 

the User may still log in using only their static password. 

2.5.1.3 Manual Assignment 

A selected Digipass is manually assigned to a specific Digipass User account. The Digipass 

must then be sent out to the User. A grace period is typically set, during which the User may 

still log in using only their static password. 

2.6 Security Levels 

The following will affect the security level of your setup for the IAS Plug-In: 

Using the Windows Static Password instead of a Server PIN 

You can configure the authentication process so that a User is required to use their Windows 

static password in place of a Server PIN when logging on through a remote access server. This 

is a valid two-factor authentication combination, but it is important to consider the security of 

the machines from which the User will log in. If there is a risk of key logging for example, it 

would still not be possible for the hacker to log in, but they would have captured the Windows 

static password of the User. If a PIN was used, they would only have captured the PIN. 

This has to be balanced against the need for a User to learn and remember an additional item, 

the Server PIN. 



2.7 Virtual Digipass Implementation Considerations 


With the introduction of Virtual Digipass, there are several different assignment combinations 

that can be used. The first option in the table below does not utilize Virtual Digipass. The 

others include a Virtual Digipass in either a backup or primary mode. 

Primary Backup 

Digipass None User must log in using a Digipass. 

Digipass Backup Virtual 

Digipass 


(temporarily 

disallowed) 

Primary Virtual 


Table 4: Digipass Options 

2.7.2 Cost 

Backup Virtual 


User usually logs in using a Digipass, but may utilize the Backup 

Virtual Digipass feature where required. Usage of the feature may 

be limited. 

User must log in using the Backup Virtual Digipass feature. This 

might be used while a User’s Digipass is lost, until the Digipass is 

recovered. 

N/A User is assigned a Virtual Digipass and must log in using it. 

Your company will probably need to pay an amount for each text message sent. In some 

countries, mobile phone owners might need to pay an amount for each text message received 

on their mobile phone. This will need to be taken into consideration when deciding how to 

implement Virtual Digipass functionality. 

2.7.3 Security 

Hardware Digipass devices provide the highest level of security. Virtual Digipass provides a 

lower, although still high, level of security. This needs to be weighed against other 

considerations before deciding whether your company will implement Virtual Digipass, and if 

so, how it will be implemented. 

2.7.4 Convenience 

Virtual Digipass is more convenient than a hardware Digipass for many Users. Only one’s 

usual mobile phone is required: there are no extra devices to carry around. Users who do not 

habitually carry their mobile phone with them, though, are likely to find a GO 3 or GO 1 easier 

to transport. 

For Users with the Backup Virtual Digipass enabled, it might be the difference between going 

to work to pick up a forgotten Digipass and getting important work done at home. 

2.7.5 Gateway and account 

Your company will need the use of an text message gateway and an account with the gateway. 

The Message Delivery Component will need configuration information for the gateway and the 

Username and static password for the account. Your VASCO supplier can assist with this 

process. 



2.7.6 Limiting Usage of Virtual Digipass 

Use of Virtual Digipass may be limited by: 

Using Backup Virtual Digipass only. 

Minimizing the number of Users assigned a Primary Virtual Digipass. 

A User’s Primary Virtual Digipass use cannot be limited. 

The Backup Virtual Digipass feature may be enabled as an ‘emergency’ backup for Users who 

have left their primary Digipass at home, or for other reasons do not have access to their 

primary Digipass. Use of this feature can be limited for each User by: 

Time period 

Set a time period in which a User may access the Backup Virtual Digipass. After this period 

has expired, any Virtual Digipass requests from the User will be rejected. If the User is still 

unable to use their Digipass, the time period must then be extended by an administrator. 

Once they have started using their Digipass again, the administrator must reset the time 

period if the User is to be allowed to use Backup Virtual Digipass again. 

Number of Uses 

Set a maximum number of times a User may request an OTP using the Backup Virtual Digipass 

feature. When the User has reached this number of uses, any further OTP requests from the 

User will be rejected. This must be reset by an administrator if further use of the Backup 

Virtual Digipass is required for the User. 

Global and Individual Backup Virtual Digipass settings 

Backup Virtual Digipass options can be set globally or individually, to allow a standard policy 

for all Digipass with exceptions made where necessary. Global settings will affect all Digipass 

whose individual option is set to 'Default'. 

Global options are defined in the Policy that controls authentication. Therefore, by using 

multiple Policies, you have some additional flexibility. 

2.7.6.2 Backup Virtual Digipass Usage Guidelines 

Some questions which will need to be answered before arriving at a Backup Virtual Digipass 

usage guidelines are: 

Will any users have access to Backup Virtual Digipass? 

If so, will all users have access to Backup Virtual Digipass? 

Will usage of Backup Virtual Digipass be limited? If so, how? 

Time-limited 

Limited number of uses 



Some Possible Guidelines 

Guideline Pro Con 

Backup Virtual Digipass disabled for all - enabled 

for individual Users as required. 

Backup Virtual Digipass enabled for all - either 

time/number of usage limit set. 

Backup Virtual Digipass enabled for all - no limits 

set. 

Table 5: Backup Virtual Digipass Example Guidelines 

Low text message costs Manual enable for each User 

and circumstance. Possible 

heavy administration load. 

Predictable text message 

costs 

2.7.7 Resetting Virtual Digipass Restrictions 

Administrator may need to reset 

limits frequently – medium 

administration load. 

Lighter administration load Possible high text message 

costs. 

When a User has reached their limit of Virtual Digipass use, an administrator must reset their 

limit. 

2.7.8 Virtual Digipass Login options 

A decision must be made as to how Users will log in using Virtual Digipass. In particular, Users 

with a hardware Digipass and the Backup Virtual Digipass enabled must be able to request an 

OTP to be sent to their mobile when required, but to login using the hardware Digipass at 

other times. 

The simplest method for the User is to allow a 2-step login process, where the User enters 

their User ID and static password only, triggering an OTP Request, and are redirected to a 

second login page to enter the OTP sent to them. To use this method, though, your system 

must be set up to allow 2-step logins. Check with your system administrator if unsure. 

Alternatives to the 2-step login are a sequence of two 1-step logins or the use of the OTP 

Request Site. 

See the Administrator Reference for information on possible login permutation. 

2.7.9 Location of OTP Request Site 

If the OTP Request Site is to be used, its location must be decided. You may choose to install 

the Web Site onto any web server, bearing the following in mind: 

If the Web Site is installed onto a web server in the DMZ, you need to permit TCP/IP 

access from the web server to the IAS Plug-In on port 20003. This is the recommended 

option. 

The Web Site can be used on the Internet, however it would be essential to provide SSL 

(or TLS) encryption for access to it. Otherwise, an attacker could discover static 

passwords and PINs. The other point to take into consideration is that publishing the 

Web Site on the Internet would allow anyone in the world to send requests to the IAS 

Plug-In – this would provide the potential for denial of service and brute force attacks. It 

would be strongly advised to protect the Web Site from general use in some way. 

If the Web Site is installed onto a web server that communicates over a WAN link to the 

IAS Server(s), the WAN link must be encrypted. For example, an IPSEC-based VPN 

connection would be sufficient. 


Digipass Plug-In for IAS Product Guide Digipass User Accounts 

3 Digipass User Accounts 

3.1 User Account Identification 

The IAS Plug-In requires a User ID (SAM-Account-Name) and domain (Fully Qualified Domain 

Name) for each User logging in through it. These are collected in various ways, depending on 

the information entered by the User. 

If the User enters: 

Format Example Method Used to Identify User Account 

UPN user@domain.com The Global Catalog is utilized to translate this into User ID and 

domain. * 

Windows NT format DOMAIN\user The Global Catalog is utilized to translate this into User ID and 

domain. * 

User ID User IAS Plug-In will use the default domain set in the applicable Policy 

if defined, otherwise it will use the Configuration Domain set in 

the configuration file for the Plug-In. 

Table 6: User Account Identification Methods 

* Access to a Global Catalog is therefore required by the Plug-In. 

3.2 Digipass User Account Creation 

A Digipass User account can be created in a number of ways: 

3.2.1 Manual Creation 

A Digipass User Account can be created manually for a User account in Active Directory. 

3.2.2 User Self-Management Web Site 

Enabling Dynamic User Registration on a system which includes the User Self-Management 

Web Site will allow Users to create their own Digipass User Account via the web site. 

3.2.3 Dynamic User Registration 

When the IAS Plug-In receives an authentication request for a User without a Digipass User 

account, it can check the credentials with Windows. If the authentication is successful with 

Windows, the IAS Plug-In can create a Digipass User account automatically for the User. This 

process is called Dynamic User Registration (DUR) and can be enabled via the Administration 

MMC Interface. 

This feature is commonly used in conjunction with Auto-Assignment, so that the new account 

is immediately assigned a Digipass. 



Image 19: Dynamic User Registration 

3.2.4 Changes to Stored Static Password 

Any changes to a User's stored static password need to be communicated to the IAS Plug-In if 

Stored Password Proxy is enabled. There are two ways to do this: 

3.2.4.1 Password Autolearn 

If Password Autolearn is enabled, a User may directly log in with their new static password. If 

it does not match the static password stored by the IAS Plug-In, it can be verified with 

Windows. If correct, the IAS Plug-In will store the new static password for future use and 

authenticate the User. 

3.2.4.2 User Self-Management Web Site 

When the User Self Management Web Site is utilized, the User may modify the IAS Plug-In's 

record of their stored static password. They must be able to log in according to current settings 



to do this, and the Password Autolearn feature must be enabled. 



3.3 Logging in with a Digipass 

This topic explains the basic steps required to log in using the three available authentication 

methods. Depending on your settings, a User may be required to enter other information in 

the password field during login (see 3.3.3 Password Field Information). 

3.3.1 Login Processes 

The diagram below shows a typical login process for the three basic login methods supported 

by the IAS Plug-In. The actual details entered by the User may vary, depending on Policy 

settings. 

Image 20: Login Method Processes 



3.3.2 Multiple Digipass or Digipass Applications 

A User may have multiple Digipass assigned to their User account, and/or multiple Applications 

enabled for a Digipass. If so, the IAS Plug-In will need to know which Digipass and Digipass 

Application will be used for a particular login for the User. 

The Digipass and Digipass Application required for a login is selected by the Policy applicable to 

the login scenario. Policy settings may determine the Application Names, Application Type, 

and/or Digipass Types to be used. 

Once the Policy settings are taken into account, there may still be more than one Digipass 

Application that could be used. In that case, the IAS Plug-In will check each one. 

3.3.3 Password Field Information 

Information which may be required to be entered into the password field during login: 

Static Password 

The static password may be entered to: 

authenticate the User if they do not have a Digipass assigned (or if all Digipass assigned 

to the User are in the grace period). 

request a challenge or Virtual Digipass OTP 

be passed on to Windows during back-end authentication (Stored Password Proxy off). 

inform the IAS Plug-In of a change to the User's Windows static password (Password 

Autolearn and Stored Password Proxy on). 

Serial Number 

The serial number for a User's assigned Digipass will be required if: 

this is the first time the User has logged in using a Digipass, AND 

the User is required to Self-Assign the Digipass using the login process (as opposed to 

the User Self Management Web Site) 

Server PIN 

If a Server PIN is required for the User's Digipass, this must be entered every time the User 

logs in. The User can change their PIN by providing the new PIN twice after the OTP (unless 

CHAP, MS-CHAP or EAP-MD5 is being used). 

Request Keyword 

A Keyword can be used to indicate a request to the IAS Plug-In for an OTP to be sent to the 

User's mobile phone, or for a 2-step Challenge/Response login. A keyword may be used in 

conjunction with the static password or just on its own. However, if the keyword is used on its 

own to request a Virtual Digipass OTP, the static password must be entered in the second login 

step as well as the OTP. 

One Time Password 

A One Time Password is typically required to login via the IAS Plug-In. 



3.4 Administration Privileges 

The IAS Plug-In will allow access to Digipass User accounts and Digipass records based on a 

User's Active Directory privileges. Extra privileges may be granted via the Active Directory 

Users and Computers console. 

See the Administrator Reference for more information. 



3.5 Authenticating Users 

Authentication settings may be applied to an individual User account, although typically these 

will be set by the Policy. 

3.5.1 Authentication Settings 

Digipass User account and Policy settings control the authentication process as follows: 

The authentication settings for a Digipass User account override a Policy setting. 

The relevant Policy is referred to if the authentication setting for a Digipass User account 

is “Default” or if a Digipass User account does not exist for the login. 

3.5.2 Local Authentication 

'Local' authentication is a term used to describe the IAS Plug-In authenticating a login based 

on information in its data store and the One Time Password entered during the login. 

The Local Authentication setting specifies whether the IAS Plug-In will authenticate a login 

based on an OTP or stored static password. Back-end authentication may also be utilized – in 

the latter two options, an authentication request will only be checked with the back-end 

authenticator if it passes authentication by the IAS Plug-In. 

None 

The IAS Plug-In will not authenticate the User's credentials – the request will typically be 

checked with the back-end authenticator. 

Digipass/Password 

The IAS Plug-In will always process authentication requests. If a User has had a Digipass 

assigned, they must use an OTP during login, unless a Grace Period is still active for the 

Digipass. If a User does not have a Digipass assigned, they can use their static password to 

log in. The static password entered will be checked against the stored static password or if 

Back-End Authentication is used, the Windows static password. 

Digipass Only 

The IAS Plug-In will always process authentication requests. Users must login using an OTP. 

Users without Digipass will not be able to log in. 

3.5.3 Back-End Authentication 

'Back-end' authentication applies to the IAS Plug-In checking login details (User ID and static 

password) with another system – Windows. This is used by the IAS Plug-In mostly for the 

Dynamic User Registration and Self-Assignment processes. 

Back-end authentication settings specify whether the IAS Plug-In will pass on an 

authentication request to Windows. The User's static password is required for this step, and is 

retrieved from either the login, or the stored static password in the Digipass User Account. 

None 

The IAS Plug-In will not utilize back-end authentication. 



Always 

The IAS Plug-In will send an authentication request to a back-end authenticator, using the 

protocol set for the Policy (Windows only at this stage). 

If Needed 

Back-end authentication will be used in situations where local authentication is not sufficient: 

Protocol 

Dynamic User Registration 


Password Autolearn 

Requesting a challenge or Virtual Digipass OTP, when the Request Method includes a 

static password 

Static password authentication, when verifying a Virtual Digipass static password-OTP 

combination or during the Grace Period 

The IAS Plug-In needs to know the protocol to use in requesting authentication of a User's 

information. Windows is currently the only option. 

3.5.4 User Account Locking 

A Digipass User account may be locked if the User has attempted, and failed, to log in a 

particular number of times. This number can be set in the Policy. Once the account is locked, 

an administrator must manually unlock it. Until it is unlocked, the User will be unable to log 

in. 

3.5.5 Windows Group Check 

Specific Windows Groups can be selected for authentication by the IAS Plug-In. This feature 

might be used when: 

Deploying Digipass in stages, using Dynamic User Registration and Auto-Assignment. 

Two-factor authentication is needed only for access to sensitive data, which has been 

granted to certain Users (for example, administrators). Only this group of people will 

require Digipass, and will be authenticated by the IAS Plug-In. Other Users will be 

authenticated only by IAS using another authentication method. 

Most Users will have Digipass and be permitted to log in to the system, but some Users 

should not be authenticated under any circumstances. 

The Group Check can work in one of two ways: 

Authenticate listed groups, pass others through 

Only process authentication requests for users in a group in the Group List; let requests for 

other users pass through unmodified to IAS for authentication. 

Authenticate listed groups, reject others 

Only permit access for users belonging to a group in the Group List; reject access for other 

users. 



The group check is typically used with these settings: 

Dynamic User Registration enabled 

Auto-Assignment enabled 

3.5.5.2 Windows Group Check Process 

The diagram below shows the basic process involved in a Windows Group Check, when DUR 

and Auto-Assignment are enabled. It occurs during the User authentication process (see 

Image 21: 

Windows Group Check Process for an overview). 

Image 21: Windows Group Check Process 



3.5.6 Linking User Accounts 

If a User has more than one Active Directory user account, for example an administrative 

account and a 'normal user' account, the two Digipass User accounts can be linked together. 

This provides the ability for the two accounts to share a Digipass. The Digipass is assigned to 

one of the accounts, then the other account is linked to it. 


Digipass Plug-In for IAS Product Guide Policies 

4 Policies 

4.1 What are Policies? 

Policies allow you comprehensive control over the authentication process. At least one Policy 

is required to determine whether various features are enabled, and how logins should be 

handled by the IAS Plug-In. A number of example Policies are included when the Digipass 

Plug-In for IAS is installed. 

4.2 How Do They Work? 

The principle of Policies is that a single Policy is applied to an authentication request. The 

choice of Policy is made by the Component (eg. IAS Plug-In or RADIUS Client). All login 

requests for a particular Component are handled according to the settings of its chosen Policy. 

In the case of the Digipass Plug-In for IAS, a Component must be present for the IAS Plug-In. 

This Component will identify the Policy to be used as a default for any requests that it handles. 

However, if you wish to apply a different Policy according to the RADIUS Client (eg. NAS, VPN 

appliance), you are allowed to create additional Component records that will specify the 

preferred Policies for those cases. 

User attempts to log into RADIUS Client 

RADIUS Client sends authentication 

request to IAS 

IAS Plug-In checks if there is a 

Component record for the RADIUS Client 

If there is no RADIUS Client Component 

record, the IAS Plug-In looks up its own 

Component record 

IAS Plug-In selects the Policy set for 

the Component 

IAS Plug-In handles authentication 

request according to Policy settings 

Image 22: Policy Selection 



4.3 Policy Settings 

Settings controlled by Policies include the following groupings. 

Note 

The IAS service must be restarted before Policy setting changes will become 

effective. 

Local and/or Back-end Authentication 

Whether the IAS Plug-In should authenticate logins, and whether logins authenticated with 

information held by the IAS Plug-In should be checked with another system (eg. Windows). 

See these topics for more information: 

3.5.2 Local Authentication 

3.5.3 Back-End Authentication 

User Accounts 

Determines how the IAS Plug-In will handle Digipass User account creation, logins and 

passwords. See these topics for more information: 

3.2.3 Dynamic User Registration 

3.5.4 User Account Locking 

3.2.4.1 Password Autolearn 

Windows Group Check 

Windows Group checks allow regulation of the local and back-end authentication for Users 

belonging to specified Windows Groups. See 3.5.5 Windows Group Check for more 

information. 

Digipass Assignment 

The method for assignment of Digipass to Users, and settings relevant to Digipass assignment. 

See these topics for more information: 


Digipass Settings 

Specifies the Digipass Applications, Types and actions allowed. See these topics for more 

information: 

2.1 Types of Digipass 

2.2.1 Digipass Applications 

1-Step Challenge/Response 

Whether 1-Step Challenge/Response is enabled, and settings relevant to it. 



Note 

1-Step Challenge/Response is not supported for use with RADIUS, but the 

settings are included for compatibility with other products. 

2-Step Challenge/Response 

How Digipass Users may request a 2-Step Challenge/Response login. See 3.3.1 

Processes for more information. 

Primary Virtual Digipass 

Login 

How Digipass Users may request a Primary Virtual Digipass login if multiple Digipass, including 

a Primary Virtual Digipass, are assigned to them. See 2.7.8 Virtual Digipass Login options 

for more information. 

Backup Virtual Digipass 

Whether the Backup Virtual Digipass feature is enabled, and how it may be used. See 2.2.4.4 

Backup Virtual Digipass for more information. 

Digipass Control Parameters 

Settings which control how the IAS Plug-In handles the OTP provided by a Digipass, such as 

the time shift allowed, and how many days the Digipass may be inactive (not used for logins 

through this plug-in) before being flagged as inactive. See 2.2.4 Digipass Record Settings 

for more information. 



4.4 Multiple Policies 

Multiple Policies can be created. The Policy selected for use by the IAS Plug-In will depend on 

the Component making the authentication request, as illustrated above. 

4.4.1 Inheritance 

Policies may be set up in a hierarchy, where one Policy will inherit most of its attributes from a 

parent Policy, but with some modifications for a slightly different scenario. 

Image 23: Policy Inheritance 

In the example above, all attributes are inherited from the parent Policy, except those 

explicitly set. 



4.4.2 Show Effective Settings 

As the various levels of settings in Policy inheritance can get confusing, functionality is 

available which allows you to view the settings effective for a selected Policy, taking inherited 

settings into account. The text below shows the effective settings for the IAS Windows Self- 

Assignment Policy: 

Effective Policy Settings 

[Local/Back-End Authentication] : 

Local Authentication : Digipass/Password 

Back-End Authentication : If Needed 

Back-End Protocol : Windows : 

[User Accounts] : 

Dynamic User Registration : Yes 

Password Autolearn : No 

Stored Password Proxy : No 

Default Domain : 

User Lock Threshold : 0 

[Windows Group Check] : 

Group Check Option : No Check 

Group List : 

[Digipass Assignment] : 

Assignment Mode : Self-Assignment 

Grace Period (days) : 0 

Serial No. Separator : | 

Search up Organizational Unit Hierarchy : Yes 

[Digipass Settings] : 

Application Names : 

Application Type : No Restriction 

Digipass Types : 

PIN Changed Allowed : Yes 

[1-Step Challenge Response] : 

Enabled : No 

Challenge Length : 0 

Challenge Check Digit : No 

[2-Step Challenge Response] : 

Request Method : Keyword 

Request Keyword : 

[Primary Virtual Digipass] : 

Request Method : None 

Request Keyword : 

[Backup Virtual Digipass] : 

Enabled : No 

Maximum Days : 0 

Maximum Uses : 0 

Request Method : KeywordPassword 

Request Keyword : otp 

[Digipass Control Parameters] : 

Identification Time Window : 20 

Signature Time Window : 24 

Event Window : 20 

Initial Time Window : 6 

Identification Threshold : 0 

Signature Threshold : 0 

Check Challenge Flag : 1 

Level of Online Signature : 0 

Allowed Inactive Days : 0 

You will note that the settings listed above include those set in Policies from which the IAS 

Windows Self-Assignment Policy inherit. 



4.5 Pre-Loaded Policies 

These Policies are created for the IAS Plug-In on installation of the Digipass Plug-In for IAS. 

They provide an example for setting up Policies in a typical environment. 

Policy Name Parent 

Policy 

Base Policy - Globally applicable settings. 

In general, all other Policies 

should inherit from this, 

directly or indirectly. 

IAS Base Policy Base Policy Settings applicable to all IAS 

Plug-In Policies, including 

local authentication. In 

general, all other IAS 

policies should inherit from 

this, directly or indirectly. 

IAS Windows Auto- 

Assignment 

IAS Windows Self- 

Assignment 

IAS Base 

Policy 

IAS Base 

Policy 

Description Non-Default Settings 

IAS Plug-In model for Auto- 

Assignment with Dynamic 

User Registration, using 

Windows back-end 

authentication and a 

Windows group check. 

IAS Plug-In model for Self- 

Assignment with Dynamic 

User Registration, using 

Windows back-end 

authentication. 

User Lock Threshold = 3, 

PIN Change Allowed = Yes 

Challenge Request Method = Keyword (Note: 

the keyword is blank though) 

PVDP Request Method = Password 

BVDP Request Method = KeywordPassword 

BVDP Keyword = “otp” 

ITimeWindow = 100, EventWindow = 100 

SyncWindow = 6, IThreshold = 0 

Local Authentication = Digipass/Password 

Back-End Authentication = If Needed 

Back-End Protocol = Windows 

Dynamic User Registration = Yes 

Assignment Mode = Auto-Assignment 

Search up OU Path = Yes 

Grace Period = 7 

Group Check Mode = Passthrough 

Group List = “Digipass Users” 

Back-End Authentication = If Needed 

Back-End Protocol = Windows 

Dynamic User Registration = Yes 

Assignment Mode = Self-Assignment 

Search up OU Path = Yes 

Serial No. Separator = “|” 



4.6 Differences from VACMAN Middleware 2.3 

Some settings used in VACMAN Middleware have been modified in the IAS Plug-In. Most 

Server settings are found in Policies. 

4.6.1 Authenticator Setting 

The Authenticator field from VACMAN Middleware has been split into several fields in the plugins: 

Local Auth 

Back-End Authentication 

Back-End Protocol 

Disabled (User setting) 

The correspondence of the other fields is different for (VM) RADIUS and Web: 

VACMAN 

Middleware 

Setting 

RADIUS 

IAS Plug-In Settings 

Local Auth setting Back-End Auth 

setting 

Back-End Protocol 

setting 

Local Server Digipass/Password None No 

Local and Proxy 

Proxy Server 

Local and Windows Digipass/Password Always Windows No 

Windows None Always Windows No 

Disabled Yes 

Web 

Local Server Digipass/Password None No 

Local and Proxy Digipass/Password If Needed Windows No 

Proxy Server None If Needed Windows No 

Local and Windows Digipass/Password If Needed Windows No 

Windows None If Needed Windows No 

Disabled Yes 

Table 7: VACMAN Middleware and IAS Plug-In Authentication Settings 

Disabled 

checkbox 


Digipass Plug-In for IAS Product Guide Components 

5 Components 

5.1 What is a Component Record? 

A Component record should exist when a special authentication settings are required for logins 

from a particular server. For example, a company may have Users logging in via a NAS, a VPN 

appliance or the User Self-Management Web Site. A standard remote access Policy may be 

used for logins via the NAS, but some options may need to be disabled when the VPN 

appliance is used, or extra options enabled for the User Self-Management Web Site. 

Image 24: Component Overview 



5.1.1 No Component Record Exists for a RADIUS Client 

Any RADIUS Client which does not have an explicit Component record will be handled using 

the default IAS Plug-In Component. 



5.1.2 Policy Selection 

Each Component record will have a Policy selected for use in processing its authentication 

requests. 

Image 25: Component Use by IAS Plug-In 

5.2 Pre-loaded Component 

A IAS Plug-In Component is created on installation of the Digipass Plug-In for IAS. The IAS 

Base Policy is set as its Policy. Unless other Components are created or the Policy for the IAS 

Plug-In Component is modified, all authentication requests handled by the IAS Plug-In will use 

the settings for the IAS Base Policy. 

5.3 Licensing 

The Digipass Plug-In for IAS is licensed per IAS Plug-In Component. The License Key provided 

upon licensing of the product is loaded into the Component record itself, and details of the 

license may be viewed via the Component property sheet. 


Digipass Plug-In for IAS Product Guide Active Directory Integration 

6 Active Directory Integration 

6.1 What is Stored in Active Directory? 

The following information is stored in Active Directory: 

Digipass User accounts 

Digipass and Digipass Application records 

Digipass configuration records (Policies, Components) 

6.2 Schema Extensions 

User attributes – vasco-UserExt class 

Extra VASCO attributes are added to an Active Directory User record via an 'auxiliary class' 

vasco-UserExt on the User class. 

Digipass and Digipass Application records 

The vasco-DPToken class is used to store Digipass attributes. It is also a container, in which 

vasco-DPApplication records for that Digipass are stored. 

Upon assignment to a User, the Digipass record is stored in the same location as the User. 

Policies and Components 

Policy and Component records are stored in vasco-Policy and vasco-Component objects. They 

are located in a single “Digipass-Configuration” container in a single Domain. 

As the data model is shared with other Digipass Plug-In and Digipass Pack products, the 

schema will also include the vasco-BackEndServer class. However, this is not used in Digipass 

Plug-In for IAS. 

6.3 Permissions Needed by the IAS Plug-In 

The installation process will ensure that the IAS Plug-In has sufficient permissions. This is 

achieved by assigning permissions in the domain to the in-built “RAS and IAS Servers” group. 

It is necessary to make sure that the IAS server is added to that group. 

6.4 Sensitive Data Encryption 

Sensitive data is encrypted by the IAS Plug-In using an embedded key. If needed, this 

encryption may be strengthened by including a custom encryption key. See the Administrator 

Reference for more information. 


Digipass Plug-In for IAS Product Guide Active Directory Integration 

6.5 Administrative Permissions 

Administrative permissions for the IAS Plug-In administrators are controlled using Active 

Directory security properties. See the Permissions Needed by Administrators topic in the 

Administrator Reference for more information. 

Domain Administrators may view and edit all Digipass and Digipass User information in their 

domain, plus Digipass Configuration information if the Digipass Configuration Container is 

located in their domain. No permissions setup is required for them. 

Delegated Administrators may view and edit all Digipass and Digipass User information 

within their administrative scope of control. It is necessary to grant them full control, create 

and delete permissions over the Digipass and Digipass Application objects within their scope. 

Reduced Rights Administrators may perform a subset of the administration tasks. 'Property 

sets' are defined with the directory which can be used to enable or limit them in various 

Digipass administration tasks (eg. Access to the Digipass blob). 

6.6 Active Directory Command Line Utility 

This utility has to perform several tasks that are needed at various times during installation 

and upgrade if Active Directory is selected, or afterwards for maintenance. Some of the 

commands are run automatically by the installation program, while others are run manually. 

The commands that are run automatically can be run manually also, for example to 

troubleshoot why the installation is not succeeding. 

Command Description 

addschema Extend the Active Directory schema. 

checkschema Check that the schema extensions are all present. 

setupdomain Sets up the Digipass Configuration Container in the specified domain. 

setupaccess Assign permissions to a Windows group including: 

Table 8: DPADadmin tasks 

Full read access to everything in the domain 

Full control over vasco-DPToken objects 

Full control over vasco-DPApplication objects 

Ability to create and delete vasco-DPToken objects 

Full write access to extension attributes on user objects 

This command can optionally be used to also add a machine to the group. 


Digipass Plug-In for IAS Product Guide Administration Interfaces 

7 Administration Interfaces 

7.1 Digipass Extension for Active Directory Users & Computers 

The Digipass Extension for Active Directory Users and Computers allows administration of 

Digipass User accounts and Digipass records within the Active Directory Users and Computers 

interface. 

7.2 Administration MMC Interface 

The Administration MMC Interface allows administration of Policies and Components in the 

Digipass Configuration Container. 


Digipass Plug-In for IAS Product Guide Licensing 

8 Licensing 

8.1 Overview 

VASCO products are licensed per Component record in the Digipass Configuration container. 

The licensing relies upon a License Key which is checked when the IAS Plug-In starts. This 

License Key is tied to the location (usually IP address) where the IAS Plug-In is installed, and 

stored in the Component for the plug-in. The IAS Plug-In will not function without a correct 

License Key. 

Evaluation Licenses 

If you have downloaded the Digipass Plug-In for IAS from the VASCO website, you will note 

that it comes with an evaluation license. This means that you can use its full functionality until 

the evaluation period runs out. At the end of this period, you will need to either uninstall the 

product or buy a permanent license. Contact your distributor or the appropriate VASCO 

Reseller representative to acquire the licences you will need. 

8.2 Obtaining a License Key File 

The installation process will guide you through the process of requesting and loading a License 

Key. However, if for some reason it is not possible to complete the licensing at installation 

time, the Administration MMC Interface can be used to obtain and load a License Key for a 

Component. This process must be completed for each IAS Plug-In, and requires an active 

internet connection to open the Digipass Plug-In Activation Page. 

8.2.1 Digipass Plug-In Activation Page 


Digipass Plug-In for IAS Product Guide Auditing and Tracing 

9 Auditing and Tracing 

9.1 Auditing 

9.1.1 Audit System 

The VASCO Audit System records audit messages generated by the IAS Plug-In. The level of 

audit messages generated may be configured using the Administration MMC Interface. 

Audit messages are generated by: 

IAS Plug-In (using default settings) 

Administration MMC Interface (when enabled) 

Digipass Extension for Active Directory Users and Computers (when enabled) 

Audit messages may be recorded to and viewed in: 

Windows Event Log 

Text file 

9.1.1.1 Audit message types 

Type Description 

Error The message contains details about a system, configuration, licensing or some internal error. 

Errors do not include normal processing events such as failed logins. 

Warning Warning messages contain details about potential problems within the system. This could include 

details such as a failed connection attempt to a Domain Controller. 

Information Informational messages provide details about events within the system that need to be recorded 

but do not indicate errors or potential errors. An example of this may be a re-connection to 

Active Directory for load-balancing reasons. 

Success Success messages contain details about processing events that were correctly processed. This 

may include successful authentications or successful administration commands. 

Failure Failure messages contain details about processing events that failed. This may include rejected 

authentications, or administration actions that failed. 

Table 9: Audit message types 

9.1.1.2 Audit messages location 

Default 

The default auditing configuration is: 

All messages recorded to a text file 

Error messages also recorded to Windows Events log 

If a message was not recorded successfully to text file, it will be recorded to the 

Windows Event Log 


Digipass Plug-In for IAS Product Guide Auditing and Tracing 

Custom 

Auditing may be configured to suit your company's needs. For example, all messages might 

be recorded to the Windows Event Log, as this can be searched and filtered more easily than a 

simple text file. It also allows you to view audit messages as they are generated. 

9.1.2 Active Directory Auditing 

Active Directory auditing may be enabled and configured to record access and modifications to 

Digipass related data used by the IAS Plug-In. See the Active Directory Auditing topic in the 

Administrator Reference for more information. 

9.2 Tracing 

The level of tracing for the IAS Plug-In can be configured using the IAS Plug-In Configuration 

utility. 

Tracing messages will be recorded to a text file. 

Basic Tracing 

Basic Tracing will record: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Full Tracing 

Full tracing will record: 

Critical error/warning messages [CRITC] 

Major error/warning messages [MAJOR] 

Minor error/warning messages [MINOR] 

Configuration messages [CONFG] 

Informational messages [INFO] and [VINFO] (verbose) 

Data tracing messages [DATA] 

Debugging messages (useful for support purposes) [DEBUG] 

Security messages, messages that may contain security sensitive data [SECUR] 


Digipass Plug-In for IAS Product Guide User Self Management Web Site 

10 User Self Management Web Site 

The User Self Management Web Site allows Users to perform functions which are unavailable 

during a usual login – either because the functionality is disabled within the IAS Plug-In 

configuration, or because CHAP or another protocol is in use which does not allow the 

functionality: 

User Registration and Auto-Assignment 


Password Synchronization 

PIN Change 

Login Test 


Digipass Plug-In for IAS Product Guide User Self Management Web Site 

The site can also be used to help Users get started with their Digipass while they are still in the 

office and help is available. 

10.1 Customizing the User Self Management Web Site 

It is anticipated that you may want to customize the web pages that are provided by default. 

You may wish to: 

change the colors and graphics to match your corporate colors/logos. 

integrate the pages into a larger web site. 

translate or customize the text 

The web site is designed to permit extensive customization, provided that you post the correct 

data to the CGI program. This section provides the instructions and reference material that 

you require to customize the site. It is assumed that the reader has some web development 

knowledge. 

You can change any cosmetic part of the web pages. You can even write completely new web 

pages, provided that you provide the correct posted form fields to the CGI program, and 

interpret the query string variables correctly. You do not need to use plain HTML pages – 

server scripting languages such as PHP or ASP, or any other way of generating HTML, can be 

used. 


Digipass Plug-In for IAS Product Guide OTP Request Site 

11 OTP Request Site 

The OTP Request site provides a method for Users to request an OTP to be sent to their 

mobile, for use in logging in. 

Image 26: OTP Request Site 

The OTP Request Site is designed to customized in a similar way to the User Self Management 

Web Site. 


Digipass Plug-In for IAS Product Guide Message Delivery Component 

12 Message Delivery Component 

The Message Delivery Component (MDC) interfaces with the gateway service to send a One 

Time Password to a User’s mobile phone. The MDC acts as a service, accepting messages from 

the IAS server, which are then forwarded to a text message gateway via the HTTP/HTTPS 

protocol. 

Since every gateway uses different submission parameters, a set of configuration values is 

required, which can be administered by the MDC Configuration GUI. 

The MDC service can be started and stopped through the Windows Service Manager Console. 

12.1 Configuration 

To configure gateway settings you will need: 

Gateway details OR a customized configuration file ordered from your VASCO supplier. 

This will need to be imported using the Configuration GUI. 

If you will not be using a configuration file, these details are required: 

Protocol to use in connecting to the gateway. 

An address string and port to use in connecting to the gateway. 

The path and filename of a certificate file, if required. 

The required Query String. 

The Query Method (GET or POST) required by the gateway. 

Username and password for the gateway account. 


Digipass Plug-In for IAS Product Guide Index 

Alphabetical Index 

Active Directory...................... 12, 17, 42, 62-64 

Administration MMC Interface.......................... 1 

Application.................................................. 27 

Auditing..................................................... 66 

Authentication......................................... 9, 13 

Auto-Assignment......................................... 17 

Backup Virtual Digipass.... 15, 22, 23, 25, 28, 29, 

39-41 

Challenge........................................ 23, 25, 26 

Challenge/Response.......................... 23, 25, 26 

CHAP......................................................... 18 

Check Digit............................................ 26-28 

Components............................... 12, 59, 62, 64 

Considerations............................................. 39 

Data Migration Tool................................ 12, 19 

Digipass.....ii, 9-13, 15, 17, 20-23, 25-30, 36-42, 

45-48, 51, 62, 64 

Digipass......................................................... 

Hardware Digipass........................ 11, 20, 39 

Software Digipass.............................. 11, 21 

Virtual Digipass 11, 12, 15, 22, 23, 25, 28, 29, 

39-41 

Digipass .................................................... 12 

Digipass Application................ 15, 23, 26-28, 36 

Digipass Configuration Container.................... 64 

Digipass Extension for Active Directory Users and 

Computers.................................................... 1 

Digipass for Palm......................................... 21 

Digipass for Pocket PC.................................. 21 

Digipass for SIM.......................................... 21 

Digipass for Windows................................... 21 

Digipass may be assigned............................. 38 

Digipass record................................. 17, 27, 38 

Digipass User...17, 30, 38, 42, 47, 48, 51, 62, 64 

Digital Signature.......................................... 23 

DP 260....................................................... 20 

DP 300....................................................... 20 

DP 585....................................................... 20 

DP 800....................................................... 21 

DUR..................................................... 17, 42 

EAP............................................................ 18 

Event-based........................................... 25-27 

GO 1.................................................... 20, 39 

GO 2.......................................................... 21 

GO 3.................................................... 20, 39 

Grace Period............................................... 23 

Hardware Digipass................. 11, 20, 22, 39, 41 

Keyword..................................................... 46 

Licensing.................................................... 65 

MD5........................................................... 18 

Message Delivery Component............. 12, 39, 71 

MS-CHAP.................................................... 18 

MS-CHAP2.................................................. 18 

One Time Password. 9, 12, 23, 25-28, 40, 41, 46, 

70 

OTP Request Site................... 12, 23, 25, 41, 70 

Palm.......................................................... 21 

PAP............................................................ 18 

Password Autolearn........................... 43, 44, 46 

PIN............................................................... 

Digipass PIN...................................... 25, 36 

Reset PIN............................................... 36 

Server PIN................................... 28, 36, 46 

Set........................................................ 36 

Pocket PC................................................... 21 

Policies............................................ 48, 52, 55 

Primary Virtual Digipass................22, 23, 39, 40 

Programming.............................................. 25 

RADIUS............................................. ii, 13, 25 

RADIUS Client............................................. 13 

RADIUS Client Simulator............................... 13 

RADIUS Server........................................ ii, 13 

Reset............................................................. 

Application............................................. 27 

Digipass Application............ 15, 23, 26-28, 36 


Digipass Plug-In for IAS Product Guide Index 

PIN........................................................ 36 

Response Only............................ 20, 23, 25, 26 

Schema...................................................... 62 

Self-Assignment..................................... 17, 37 

Serial Number.................................. 17, 38, 46 

Set PIN.......................................................... 

PIN........................................................ 36 

SIM........................................................... 21 

Smartcard.................................................. 21 

Stored Password Proxy............................ 43, 46 

Time limit.............................................. 28, 29 

Time-based................................................. 26 

Tracing................................................. 66, 67 

Unlock........................................................ 36 

User Self Management Web Site... 12, 23, 43, 46, 

69 

Virtual Digipass.... 11, 12, 15, 22, 23, 25, 28, 29, 

39-41 

Virtual Digipass............................................... 

Backup Virtual Digipass 15, 22, 23, 25, 28, 29, 

39-41 

Primary Virtual Digipass........... 22, 23, 39, 40 

2-step Login.......................................... 25, 41

Digipass Plug-In for IAS Product Guide - Vasco

Create successful ePaper yourself

Delete template?

Save as template?