TMS & OTP 2.0 Frequently Asked Questions:

snortfearΔιακομιστές

4 Δεκ 2013 (πριν από 3 χρόνια και 10 μήνες)

184 εμφανίσεις


© 2009 SafeNet
, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved.

Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladd
in”).

Neither SafeNet nor Aladdin assume any responsibility or

liability for the accuracy of the information contained in this presentation.


TMS & OTP 2.0



Frequently Asked Questions:


TMS Installation & Configuration

1

Do we have a reference to Microsoft’s official approval of the schema
敮ea湣敭敮e w攠數e捵c政


Yes. We have a confirmation from Microsoft that we worked according to the guidelines


and guides they provided us with, and therefore are OK. Amit Berkner is the contact


person regarding this issue

2

Why is it necessary to upgrade the domain level to 2003 functional level in
order to save the data in Active Directory and not in XML file?

This is how Microsoft Authorization Management works. Raising the functional level adds
more classes and attribute
s to the AD schema and thus allows the usage of AD for
AZMAN data.


3

When installing an additional TMS server in the same domain, how do we
distribute the AZMAN XML configuration file?

It is recommended to use disk sharing and refer all the servers to

the same file. Please
note that copying the file is not the best way to handle this situation.


When the XML file is distributed between TMS servers of the same domain no change in


the file is required

4

What happens to the TMS data storage when we mix domains with 2000 and
2003 domain functional level? Can there be conflicts between XML stored data
and AD stored data?

Not that we know of

5

What is required in order to change the TMS web sites from HTTP to HTTPS?

Hardly anything. Simply define them as HTTPS


6

When several TMS installations are installed in an NLB, how is the security key
being passed?

Manual Export and Import using the
TMS configuration tool

7

Are we aware of any problems that might occur when installing TMS on several
different geographical locations?

No problems are expected. We recommend following one of the installation scenarios:

TMS will be installed on one site
and then connected through the web to all other
domains.


© 2009 SafeNet
, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved.

Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladd
in”).

Neither SafeNet nor Aladdin assume any responsibility or

liability for the accuracy of the information contained in this presentation.

When there is a concern for poor connectivity, the TMS server can be installed in each
geographical site. You can then address the local TMS server from each site.

8

What are the privileges
required for the user who installs the schema?

In case the schema is modified during the installation, the user who installs TMS must be
a member of the Schema Admins group.

If the installation is in ADAM configuration, he does not have to be a member of

this
group.

9

What is the advantage of using XML files for the Authorization Manager
settings?

Actually, in Multi site environments it is better to save the setting in Active Directory. AD
replicates automatically. However, this requires Domain level
2003.

10

“TMS reports “No encryption key”

This happens when TMS 2.0 Beta was removed and then immediately installed again. Will
not happen in the GA version.

11

Why is the TMS backend service required?

The TMS Backend service is required for automatic maintenance performance. For
example


a user has a virtual token valid for the next two weeks. The administrator,
who does not want to remember to manually revoke it after two weeks, will use the back
end
service to do it automatically for him when the time comes.

There are 5 types of actions enabled by the TMS backend service:



Revoke token of disabled users.



Revoke token of deleted users.



Revoke token which its matching eToken Virtual is being used.



Bloc
k temporary domain password.



Update user properties on token to improve search engine.


The TMS backend service runs per domain


Working with Certificates

1

What happens when the CA is installed on a separate server?


No problem. This is the
common scenario

2

Should it be in the same domain?

No. But the domains should trust each other

3

Which files must be installed on the CA and how?


© 2009 SafeNet
, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved.

Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladd
in”).

Neither SafeNet nor Aladdin assume any responsibility or

liability for the accuracy of the information contained in this presentation.


No
ne

4

Which other configurations must be done?

Basically None. There are only two components
that should be on a management
station (scrdenrl.dll and xenroll.dll)

5

How is the enrolment agent being handled in TMS 2.0?

The enrolment agent certificate should be manually generated and placed on the
enrolment station.

6

Which certificate requests can be backed up during enrolment?

During user self service enrolment, any certificate request can be backed up. During
Admin enrolment it is possible to backup only offline requests. In the GA version, all
requests
,

offline an
d online, can be backed up. When using Vista online requests can be
enrolled only with Backup enabled

7

How can smartcard logon certificates be backed up during enrolment?

During eToken enrolment we create a temporary token, where we generate the keys
and enrol the certificates. Then we import the keys & certificates to the hardware
eToken and delete the temporary software token

8

How to create an offline certificate request?

Create a duplicate template. Verify that the option “Supplying the request
is on” is
selected. The required data will be then supplied during enrolment. When the option is
not selected, all data is retrieved from Active Directory and the request is therefore an
online request.


Multi Domain Environment

1

How many domains can be
supported form one IIS?

Basically

there is no restriction on the number of domains. We have tested 5 DCs
successfully with different databases

2

Must all supported domains be in the same forest?

Yes. Unless there is full trust between the TMS’s domain
server and the domains in other
forests for which you install TMS.

3

In order to manage TMS from the IIS, to which domain should the IIS belong?

You can choose any domain you like as long as there is trust between that domain

© 2009 SafeNet
, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved.

Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladd
in”).

Neither SafeNet nor Aladdin assume any responsibility or

liability for the accuracy of the information contained in this presentation.

and all other domains TMS
manages

4

In order to manage TMS from the IIS, to which domain should the IIS belong?

You can choose any domain you like as long as there is trust between that domain
and all other domains TMS manages

5

In a multi
-
domain environment


how will the domain partition replication run
on each domain for TMS 2.0?

The TMS Configuration wizard must run on each domain

6

How is the licensing mechanism built when working in a multi domain
environment?

License is

granted per domain. It is required to run the configuration wizard on each
domain managed by the TMS

7

How do we upgrade a multi domain system?

Upgrade to a shadow domain or ADAM to store all domains’ info on one computer.
Multiple migration processes w
ill run


one for each upgraded domain.

You can also use the production domain configuration for each of the domains; in this
case the TMS data will be stored in each relevant domain

8

Can several TMS servers be installed and all domains can be managed
from
each installed TMS server?

Yes



eToken Virtual

1

Is eToken Virtual supported by TMS SDK? When I develop a connector, can I
define storing the profile of an eToken virtual?

Yes

2

Where can the user see the eToken Virtual’s

數灩ra瑩t渠da瑥㼠t桥he can 瑨t
a摭i湩獴sa瑯r 獥e it㼠

eToken Virtual expiry date can be viewed through the expiry report.

3

How can eToken Virtual be used for logon?

eToken

virtual can be used only with GINA since SC logon requires a physical device.
In eToken SSO 3.0 GA you will be able to use eToken Virtual also for smartcard

© 2009 SafeNet
, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved.

Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladd
in”).

Neither SafeNet nor Aladdin assume any responsibility or

liability for the accuracy of the information contained in this presentation.

logon. The solution requires PKI Client 4.5 and up

4

Who defines the expiration date of the eToken Virtual?

The Admin sets the maximum period of time for eToken Virtual to be active, the user
can select a shorter period of time



Audit and Reports

1

Can we see a real
-
time report of which token is connected to which
Workstation?

Yes, for this purpose

you have the “Token Connections” report. To use this report
effectively you need to utilize the desktop agent on all the relevant workstations.


I suggest waiting for the GA RC where these reports are significantly improved.


2

How can we see the token usage in the reports?

There is such a report. To view the report in action, deploy some OTP authentications
and run the report.

3

What will be
in the eToken Usage report?

OTP usage & tokens insertions

4

How is information passed form the workstation to the TMS?

The Desktop Agent must be installed
-

enabling a web service on the client machine. It
is an online system


only when the tokens are
connected to the network is the
information passed. The intervals for information delivery can be pre
-
set. In order to
use this option we must edit the Microsoft ADM and manually add our policy template
which defines the TMS server URL to which the clients

report.

Each client will get a Registry entry specifying the URL of the IIS to which the desktop
agent reports



Security

1

How does the XML file store the Roles configuration being protected? Is it
encrypted? Can we have it encrypted?

The TMS computer
should be highly protected, and this file (among others) on the
server should be highly protected through MS ACL.


2

On which algorithm is the security key based?


© 2009 SafeNet
, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved.

Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladd
in”).

Neither SafeNet nor Aladdin assume any responsibility or

liability for the accuracy of the information contained in this presentation.

Triple DES

2

How is the GINA revocation done with eToken?

If the profile is defined with
a random password then the user password in the domain
is changed, otherwise nothing happens.



TMS and PKI Client

1

When is the PKI Client required?

For each TMS operation done over tokens, except for OTP operations such as OTP PIN
reset / change. On
the server, PKI client is required for eToken Virtual related
operations and for challenge response.


2

Why is it required to install the PKI Client on the TMS server and not only on
the computer from which the enrolment is done?


For challenge response and for eToken Virtual.

2

What is eToken Proxy mode?

This parameter refers to the token initialization settings. When we have an eToken
password policy, the details in proxy mode are taken from the client settings (Registry)
and
not form the eToken settings (on board)


TMS 1.5 to 2.0 Migration Questions:

1

What do the override flags refer to? Which data can be overridden?

All migrated data

can be overridden.

The security setting of the TPO which are defined
under the “Apply to” options are not migrated

2

Why do we need to migrate only some of the TMS data?

In case you only want to test TMS 2.0 but still use the old 1.5 system, you can migrate
only part of t
he data.










© 2009 SafeNet
, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved.

Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladd
in”).

Neither SafeNet nor Aladdin assume any responsibility or

liability for the accuracy of the information contained in this presentation.

OTP 2.0

1

For OTP to function, registration of the IAS plug
-
in was required. Why and
when does the Plug
-
in have to be registered? What does the registration do?

The IAS plug
-
in is registered during the installation process; the
registration notifies MS
IAS that it should use our plug
-
in for authentication requests.



2

Were the actual calculations of the OTP value are done? By the plug
-
in on the
IAS or in the TMS?

The calculation is done

by TMS.

3

Which domain controller does

the TMS address for retrieving the users’ OTP
i湦nrma瑩t渿

You can connect the TMS server either to a specific DC, or to the closest and most
available DC (default).

4

Did we test if the OTP times out when experiencing slow connection to the
domain?

The time out depends on the clients. Some clients timeout while others wait for an
answer. The client time out is not related to us. There is an option for setting the time
out for the plug
-
in in order to avoid waiting for the time out of the client machin
e. The
timeout of the plug
-
in can be controlled through TMS

5

When TMS 2.0 is connected to several domains, is there a specific security key
per domain?

This is correct for TMS version 2.0.

6

What is the maximum number of domains supported with the
eToken OTP
Authentication solution 2.0?

Same as supported in TMS server

7

W
hen there are several domains, how will the user write his username? Will it
be domain name
\
username?

Yes, he can also use his UPN
user@domain.com
. Note that this depends on the system to
which the user logs on. , e.g. in Check Point VPN there is a different notation.

8

What happens when the user forgets to write the domain name?

If there is more than one domain

and the user does not belong to the default domain,
the authentication will fail.

9

Will one domain serve as a default domain for authentication? Which one will
be the default domain?


© 2009 SafeNet
, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved.

Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladd
in”).

Neither SafeNet nor Aladdin assume any responsibility or

liability for the accuracy of the information contained in this presentation.

Yes. It will be the domain to which the IAS belongs

10

What will be written when working with only one domain?

When working with one domain you do not need a domain name. But again, please
note that all these issues are client dependent

11

I want to enrol OTP tokens to only a part of the OU users

The
solution when using TMS 2.0 is to create a group of OTP users and assign a TPO
with OTP definitions only to them.