TMS & OTP 2.0 – Frequently Asked Questions: TMS Installation & Configuration 1 Do we have a reference to Microsoft’s official approval of the schema enhancement we execute? Yes. We have a confirmation from Microsoft that we worked according to the guidelines and guides they provided us with, and therefore are OK. Amit Berkner is the contact person regarding this issue 2 Why is it necessary to upgrade the domain level to 2003 functional level in order to save the data in Active Directory and not in XML file? This is how Microsoft Authorization Management works. Raising the functional level adds more classes and attributes to the AD schema and thus allows the usage of AD for AZMAN data. 3 When installing an additional TMS server in the same domain, how do we distribute the AZMAN XML configuration file? It is recommended to use disk sharing and refer all the servers to the same file. Please note that copying the file is not the best way to handle this situation. When the XML file is distributed between TMS servers of the same domain no change in the file is required 4 What happens to the TMS data storage when we mix domains with 2000 and 2003 domain functional level? Can there be conflicts between XML stored data and AD stored data? Not that we know of 5 What is required in order to change the TMS web sites from HTTP to HTTPS? Hardly anything. Simply define them as HTTPS 6 When several TMS installations are installed in an NLB, how is the security key being passed? Manual Export and Import using the TMS configuration tool 7 Are we aware of any problems that might occur when installing TMS on several different geographical locations? No problems are expected. We recommend following one of the installation scenarios: TMS will be installed on one site and then connected through the web to all other domains. © 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved. Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladdin”). Neither SafeNet nor Aladdin assume any responsibility or liability for the accuracy of the information contained in this presentation. When there is a concern for poor connectivity, the TMS server can be installed in each geographical site. You can then address the local TMS server from each site. What are the privileges required for the user who installs the schema? 8 In case the schema is modified during the installation, the user who installs TMS must be a member of the Schema Admins group. If the installation is in ADAM configuration, he does not have to be a member of this group. What is the advantage of using XML files for the Authorization Manager settings? 9 Actually, in Multi site environments it is better to save the setting in Active Directory. AD replicates automatically. However, this requires Domain level 2003. 10 “TMS reports “No encryption key” This happens when TMS 2.0 Beta was removed and then immediately installed again. Will not happen in the GA version. 11 Why is the TMS backend service required? The TMS Backend service is required for automatic maintenance performance. For example – a user has a virtual token valid for the next two weeks. The administrator, who does not want to remember to manually revoke it after two weeks, will use the back end service to do it automatically for him when the time comes. There are 5 types of actions enabled by the TMS backend service: Revoke token of disabled users. Revoke token of deleted users. Revoke token which its matching eToken Virtual is being used. Block temporary domain password. Update user properties on token to improve search engine. The TMS backend service runs per domain Working with Certificates What happens when the CA is installed on a separate server? 1 No problem. This is the common scenario 2 Should it be in the same domain? No. But the domains should trust each other 3 Which files must be installed on the CA and how? © 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved. Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladdin”). Neither SafeNet nor Aladdin assume any responsibility or liability for the accuracy of the information contained in this presentation. None 4 Which other configurations must be done? Basically None. There are only two components that should be on a management station (scrdenrl.dll and xenroll.dll) 5 How is the enrolment agent being handled in TMS 2.0? The enrolment agent certificate should be manually generated and placed on the enrolment station. 6 Which certificate requests can be backed up during enrolment? During user self service enrolment, any certificate request can be backed up. During Admin enrolment it is possible to backup only offline requests. In the GA version, all requests, offline and online, can be backed up. When using Vista online requests can be enrolled only with Backup enabled 7 How can smartcard logon certificates be backed up during enrolment? During eToken enrolment we create a temporary token, where we generate the keys and enrol the certificates. Then we import the keys & certificates to the hardware eToken and delete the temporary software token 8 How to create an offline certificate request? Create a duplicate template. Verify that the option “Supplying the request is on” is selected. The required data will be then supplied during enrolment. When the option is not selected, all data is retrieved from Active Directory and the request is therefore an online request. Multi Domain Environment How many domains can be supported form one IIS? 1 Basically there is no restriction on the number of domains. We have tested 5 DCs successfully with different databases 2 Must all supported domains be in the same forest? Yes. Unless there is full trust between the TMS’s domain server and the domains in other forests for which you install TMS. 3 In order to manage TMS from the IIS, to which domain should the IIS belong? You can choose any domain you like as long as there is trust between that domain © 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved. Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladdin”). Neither SafeNet nor Aladdin assume any responsibility or liability for the accuracy of the information contained in this presentation. and all other domains TMS manages 4 In order to manage TMS from the IIS, to which domain should the IIS belong? You can choose any domain you like as long as there is trust between that domain and all other domains TMS manages 5 In a multi-domain environment – how will the domain partition replication run on each domain for TMS 2.0? The TMS Configuration wizard must run on each domain 6 How is the licensing mechanism built when working in a multi domain environment? License is granted per domain. It is required to run the configuration wizard on each domain managed by the TMS 7 How do we upgrade a multi domain system? Upgrade to a shadow domain or ADAM to store all domains’ info on one computer. Multiple migration processes will run – one for each upgraded domain. You can also use the production domain configuration for each of the domains; in this case the TMS data will be stored in each relevant domain 8 Can several TMS servers be installed and all domains can be managed from each installed TMS server? Yes eToken Virtual 1 Is eToken Virtual supported by TMS SDK? When I develop a connector, can I define storing the profile of an eToken virtual? Yes 2 Where can the user see the eToken Virtual’s expiration date? Where can the administrator see it? eToken Virtual expiry date can be viewed through the expiry report. 3 How can eToken Virtual be used for logon? eToken virtual can be used only with GINA since SC logon requires a physical device. In eToken SSO 3.0 GA you will be able to use eToken Virtual also for smartcard © 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved. Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladdin”). Neither SafeNet nor Aladdin assume any responsibility or liability for the accuracy of the information contained in this presentation. logon. The solution requires PKI Client 4.5 and up 4 Who defines the expiration date of the eToken Virtual? The Admin sets the maximum period of time for eToken Virtual to be active, the user can select a shorter period of time Audit and Reports 1 Can we see a real-time report of which token is connected to which Workstation? Yes, for this purpose you have the “Token Connections” report. To use this report effectively you need to utilize the desktop agent on all the relevant workstations. I suggest waiting for the GA RC where these reports are significantly improved. 2 How can we see the token usage in the reports? There is such a report. To view the report in action, deploy some OTP authentications and run the report. 3 What will be in the eToken Usage report? OTP usage & tokens insertions 4 How is information passed form the workstation to the TMS? The Desktop Agent must be installed- enabling a web service on the client machine. It is an online system – only when the tokens are connected to the network is the information passed. The intervals for information delivery can be pre-set. In order to use this option we must edit the Microsoft ADM and manually add our policy template which defines the TMS server URL to which the clients report. Each client will get a Registry entry specifying the URL of the IIS to which the desktop agent reports Security How does the XML file store the Roles configuration being protected? Is it 1 encrypted? Can we have it encrypted? The TMS computer should be highly protected, and this file (among others) on the server should be highly protected through MS ACL. 2 On which algorithm is the security key based? © 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved. Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladdin”). Neither SafeNet nor Aladdin assume any responsibility or liability for the accuracy of the information contained in this presentation. Triple DES 2 How is the GINA revocation done with eToken? If the profile is defined with a random password then the user password in the domain is changed, otherwise nothing happens. TMS and PKI Client When is the PKI Client required? 1 For each TMS operation done over tokens, except for OTP operations such as OTP PIN reset / change. On the server, PKI client is required for eToken Virtual related operations and for challenge response. 2 Why is it required to install the PKI Client on the TMS server and not only on the computer from which the enrolment is done? For challenge response and for eToken Virtual. 2 What is eToken Proxy mode? This parameter refers to the token initialization settings. When we have an eToken password policy, the details in proxy mode are taken from the client settings (Registry) and not form the eToken settings (on board) TMS 1.5 to 2.0 Migration Questions: What do the override flags refer to? Which data can be overridden? 1 All migrated data can be overridden. The security setting of the TPO which are defined under the “Apply to” options are not migrated 2 Why do we need to migrate only some of the TMS data? In case you only want to test TMS 2.0 but still use the old 1.5 system, you can migrate only part of the data. © 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved. Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladdin”). Neither SafeNet nor Aladdin assume any responsibility or liability for the accuracy of the information contained in this presentation. OTP 2.0 For OTP to function, registration of the IAS plug-in was required. Why and 1 when does the Plug-in have to be registered? What does the registration do? The IAS plug-in is registered during the installation process; the registration notifies MS IAS that it should use our plug-in for authentication requests. 2 Were the actual calculations of the OTP value are done? By the plug-in on the IAS or in the TMS? The calculation is done by TMS. 3 Which domain controller does the TMS address for retrieving the users’ OTP information? You can connect the TMS server either to a specific DC, or to the closest and most available DC (default). 4 Did we test if the OTP times out when experiencing slow connection to the domain? The time out depends on the clients. Some clients timeout while others wait for an answer. The client time out is not related to us. There is an option for setting the time out for the plug-in in order to avoid waiting for the time out of the client machine. The timeout of the plug-in can be controlled through TMS 5 When TMS 2.0 is connected to several domains, is there a specific security key per domain? This is correct for TMS version 2.0. 6 What is the maximum number of domains supported with the eToken OTP Authentication solution 2.0? Same as supported in TMS server 7 When there are several domains, how will the user write his username? Will it be domain name\username? Yes, he can also use his UPN user@domain.com. Note that this depends on the system to which the user logs on. , e.g. in Check Point VPN there is a different notation. 8 What happens when the user forgets to write the domain name? If there is more than one domain and the user does not belong to the default domain, the authentication will fail. 9 Will one domain serve as a default domain for authentication? Which one will be the default domain? © 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved. Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladdin”). Neither SafeNet nor Aladdin assume any responsibility or liability for the accuracy of the information contained in this presentation. Yes. It will be the domain to which the IAS belongs 10 What will be written when working with only one domain? When working with one domain you do not need a domain name. But again, please note that all these issues are client dependent 11 I want to enrol OTP tokens to only a part of the OU users The solution when using TMS 2.0 is to create a group of OTP users and assign a TPO with OTP definitions only to them. © 2009 SafeNet, Inc., and/or Aladdin Knowledge Systems Ltd. All rights reserved. Information provided is confidential and proprietary to SafeNet, Inc. (“SafeNet”) and Aladdin Knowledge Systems, Ltd. (“Aladdin”). Neither SafeNet nor Aladdin assume any responsibility or liability for the accuracy of the information contained in this presentation.