sms passcode 4.0 - administrators guide - rev1.0
Post on 12-Sep-2014
SMS PASSCODE 4.0 / ADMINISTRATOR’S GUIDE 1 OF 239
© 2010 SMS PASSCODE A/S. ALL RIGHTS RESERVED.
SMS PASSCODE® 4.0
ADMINISTRATOR’S GUIDE
REV. 1.0 (JUNE 2010)
TABLE OF CONTENTS
1 Introduction .............................................................................................................................. 5
2 Notation ................................................................................................................................... 5
3 New Features .......................................................................................................................... 7
3.1 ISA/TMG Web Site Protection ........................................................................................... 7
3.2 Windows Logon Protection ............................................................................................... 7
3.2.1 VMware View Protection ............................................................................................ 7
3.3 Citrix Web Interface Protection ......................................................................................... 8
3.4 memoPasscodes™ ........................................................................................................... 8
3.5 Terminal Service / Remote Desktop Protection ................................................................. 8
3.5.1 TS/RD Web with Form-Based Authentication ............................................................. 8
3.5.2 RD Web with Single Sign-on ...................................................................................... 8
3.6 Configuration Tool ............................................................................................................ 9
4 Feature Overview..................................................................................................................... 9
4.1 Authentication Clients ....................................................................................................... 9
4.2 Security........................................................................................................................... 11
4.3 Installation ...................................................................................................................... 11
4.4 Administration ................................................................................................................. 12
4.5 Enterprise Environment Support ..................................................................................... 12
5 Components .......................................................................................................................... 14
6 System Requirements ............................................................................................................ 18
6.1 Terminal Service / Remote Desktop Service Protection .................................................. 21
6.2 SharePoint Portal Server Protection ............................................................................... 22
6.3 Citrix iPhone Receiver Protection ................................................................................... 22
7 Hardware – GSM Modems ..................................................................................................... 27
8 Infrastructure .......................................................................................................................... 27
8.1 Component Communication ............................................................................................ 28
8.2 Single Server Installation ................................................................................................ 30
8.3 Multi Server Installation – Citrix Web Interface ................................................................ 31
8.4 Multi Server Installation – RADIUS Clients ...................................................................... 34
8.5 Multi Server Installation – Enterprise Setup .................................................................... 35
8.6 Multi Server Installation – Total Distribution .................................................................... 37
9 Pre-Installation Actions .......................................................................................................... 39
9.1 Check SIM Cards ............................................................................................................ 39
9.2 Check System Requirements .......................................................................................... 40
9.2.1 Installation of IAS ..................................................................................................... 41
9.2.2 Installation of NPS .................................................................................................... 43
9.2.3 Protection of TS/RD Web Access on Windows Server 2008 (R2) ............................. 44
9.2.4 Protecting VMware View 4.0 ..................................................................................... 54
9.2.5 Protection of SharePoint Portal Server ..................................................................... 54
10 Upgrade ................................................................................................................................. 59
11 First-time Installation .............................................................................................................. 59
11.1 Installation of Hardware .................................................................................................. 59
11.2 Installation of the SMS PASSCODE® Software ............................................................... 60
11.2.1 Single Server Installation .......................................................................................... 60
11.2.2 Multi Server Installation ............................................................................................ 75
12 SMS PASSCODE® Configuration........................................................................................... 98
12.1 Web Administration Interface .......................................................................................... 99
12.1.1 Starting the Web Administration Interface ................................................................. 99
12.1.2 Maintaining Users ................................................................................................... 103
12.1.3 Importing Users ...................................................................................................... 110
12.1.4 Transmitter Hosts ................................................................................................... 111
12.1.5 Load Balancing Hosts ............................................................................................. 112
12.1.6 GSM Modems ........................................................................................................ 114
12.1.7 GSM Modem Groups .............................................................................................. 118
12.1.8 Load Balancing Policies ......................................................................................... 122
12.1.9 Modem Monitoring .................................................................................................. 137
12.1.10 General Settings ..................................................................................................... 139
12.1.11 Passcode Settings .................................................................................................. 140
12.1.12 Active Directory Integration Settings ....................................................................... 142
12.1.13 Maintaining License Information ............................................................................. 151
12.2 Importing and Synchronizing Users from other Data Sources ....................................... 152
12.3 Configuring Citrix Web Interface Protection .................................................................. 153
12.4 Configuring RADIUS Protection .................................................................................... 154
12.4.1 Configuring RADIUS Protection on Windows Server 2003 ..................................... 154
12.4.2 Configuring RADIUS Protection on Windows Server 2008 ..................................... 162
12.4.3 Advanced Configuration of the RADIUS Protection Component ............................. 171
12.4.4 RADIUS Forwarding ............................................................................................... 183
12.5 Configuring ISA/TMG Web Site Protection .................................................................... 198
12.6 Configuring IIS Web Site Protection .............................................................................. 203
12.6.1 ISAPI Filter ............................................................................................................. 203
12.6.2 ISAPI Filter Configuration File ................................................................................ 203
12.6.3 The IsapiAdmin Tool ............................................................................................... 204
12.6.4 ISAPI Filter Configuration File Syntax ..................................................................... 208
12.7 Configuring Windows Logon Protection ........................................................................ 212
12.7.1 Windows Logon User Exclusion Groups ................................................................. 212
12.7.2 Windows Logon Lock Time ..................................................................................... 213
12.7.3 RDP Listener Exclusion .......................................................................................... 214
12.7.4 Credential Provider Filtering ................................................................................... 217
12.7.5 GINA Chaining ....................................................................................................... 218
12.8 Configuring CAGAE Protection ..................................................................................... 218
12.8.1 Protecting and Unprotecting Logon Points .............................................................. 218
12.8.2 Redundant CAGAE Setup ...................................................................................... 223
12.8.3 Uninstalling CAGAE Protection .............................................................................. 226
12.9 Configuration Tool ........................................................................................................ 226
12.9.1 Command line arguments....................................................................................... 229
13 Add/Remove Components ................................................................................................... 231
14 Troubleshooting ................................................................................................................... 232
14.1 SMS Transmission Problems ........................................................................................ 232
14.2 Error message “No mobile number for user” During Authentication .............................. 233
14.3 Component Communication Problems in a Multi Server Setup ..................................... 236
14.4 Active Directory Integration does not Work as Expected ............................................... 238
© 2010 SMS PASSCODE A/S. SMS PASSCODE is a registered trademark of SMS PASSCODE
A/S. All other trademarks are the property of their respective owners.
1 INTRODUCTION
This document describes how to install, configure and administer SMS PASSCODE® version 4.0.
2 NOTATION
Shorthand Description
AD Active Directory
CAE Citrix Access Essentials
CAG Citrix Access Gateway
CAGAE Citrix Access Gateway Advanced Edition
IAG Microsoft Intelligent Application Gateway
IAS Internet Authentication Service: Optional component on a Windows Server 2003. This component is the Microsoft implementation of a RADIUS server.
IIS Internet Information Server: Optional component/role on a Windows Server 2003/2008
ISA Internet Security and Acceleration Server. A Microsoft security gateway server.
Machine This is a general term used to denote a server or a workstation.
memoPasscodes™ memoPasscodes™ refers to a new SMS PASSCODE innovation making codes easier to memorize during authentication.
NPS Network Policy Server: Optional Role on a Windows Server 2008. This Role is the Microsoft implementation of a RADIUS server.
OWA Microsoft Outlook Web Access
RD Remote Desktop
RDS Microsoft Remote Desktop Services
SMS PASSCODE® authentication client One of the SMS PASSCODE® components Citrix Web Interface Protection, RADIUS Protection, IIS Web Site Protection, ISA/TMG Web Site Protection, Windows Logon Protection or Citrix Access Gateway Advanced Edition Protection, i.e. one of the components responsible for authentication for a specific type of client.
SMS PASSCODE® core component One of the SMS PASSCODE® components Database Service, Web Administration Interface, Transmitter Service or Load Balancing Service.
TMG Threat Management Gateway. A Microsoft security gateway server (the successor of the Microsoft ISA Server)
TS Microsoft Terminal Service
UAG Microsoft Unified Application Gateway (the successor of the Microsoft Intelligent Application Gateway)
WAI SMS PASSCODE® Web Administration Interface
3 NEW FEATURES
This section summarizes the most important new features in SMS PASSCODE® version 4.0.
3.1 ISA/TMG Web Site Protection
Previously, SMS PASSCODE® contained a component called Web Site Protection that offered
protection of IIS web sites using SMS PASSCODE® authentication. SMS PASSCODE® 4.0
introduces a new component which offers protection of web sites published through a Microsoft
ISA Server 2006 or Microsoft TMG 2010. This new type of protection performs SMS PASSCODE®
authentication directly on the ISA/TMG server, before the authenticated user is forwarded to the
web server.
To differentiate these two types of protection, the former Web Site Protection component has been
renamed IIS Web Site Protection. The new component is called ISA/TMG Web Site Protection.
3.2 Windows Logon Protection
Previously, SMS PASSCODE® offered Windows Logon Protection on Windows XP and
Windows Server 2003. Protection of Windows Logon on Windows Vista and later was not
supported because Microsoft changed the Windows Logon architecture completely starting from
Windows Vista by introducing the so-called Credential Provider architecture.
SMS PASSCODE® 4.0 includes a custom credential provider that offers Windows Logon
protection on Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2.
This means that SMS PASSCODE® Windows Logon Protection is now supported on all newer
Microsoft operating systems.
SMS PASSCODE® Windows Logon Protection is useful in several scenarios. Examples:
- Protecting administrators’ RDP access to critical servers
- Protecting RDP access to Terminal Servers / Remote Desktop Servers1
- Protecting RDP access to virtual workstations, e.g. VMware View and XenDesktop workstations
The Windows Logon Protection component now also supports RDP Listener exclusion. This
means that when you have multiple RDP listeners on a machine you can now apply SMS
PASSCODE® authentication to selected RDP listeners only. E.g. if you have two RDP listeners,
one for internal and one for external access, respectively, then you can apply SMS PASSCODE®
authentication to the external RDP access only.
3.2.1 VMware View Protection
SMS PASSCODE® 4.0 introduces a first-of-brand solution for protecting VMware View virtual
clients using an SMS based two-factor authentication system.
1 In case SMS PASSCODE® authentication has not been applied to a TS/RD Web Access site
3.3 Citrix Web Interface Protection
The Citrix Web Interface Protection component has been updated and now also supports Citrix
Web Interface 5.3.
3.4 memoPasscodes™
SMS PASSCODE® 4.0 introduces a brand new type of passcodes called memoPasscodes™.
memoPasscodes™ are a special type of random passcodes that are easier to memorize for the
users. This makes authentication more convenient for users without compromising security (the
number of possible random codes is still enormous).
3.5 Terminal Service / Remote Desktop Protection
3.5.1 TS/RD Web with Form-Based Authentication
When using a Terminal Service (TS) / Remote Desktop (RD) Web Access site for accessing
TS/RD session host servers remotely, you have two options for protecting the site with SMS
PASSCODE® authentication:
- Protect the TS/RD Web Access site directly on the IIS by installing SMS PASSCODE® IIS Web Site Protection on the server hosting the TS/RD Web Access site.
- If the TS/RD Web Access site has been published through an ISA/TMG server using a Web Listener: protect the TS/RD Web Access site by installing SMS PASSCODE® ISA/TMG Web Site Protection on the ISA/TMG server.
In both cases, SMS PASSCODE® authentication supports Form-Based authentication in a fully
integrated way. However, please note that Form-Based authentication directly on the IIS is not
supported by RD Web Access prior to Windows Server 2008 R2.
3.5.2 RD Web with Single Sign-on
When running RD Web Access on a Windows Server 2008 R2, the RD Web Access site can be
configured to use single sign-on (SSO).
This SSO feature is supported by the SMS PASSCODE® IIS Web Site Protection component.
If you plan to use SSO, make sure that SSO works without SMS PASSCODE® authentication
before applying SMS PASSCODE® IIS Web Site Protection to the RD Web Access site.
3.6 Configuration Tool
The SMS PASSCODE® Configuration Tool has been extended considerably. This tool now also
offers the following features:
- Configuration of all RADIUS protection settings using a graphical user interface
- Configuration of all Windows Logon protection settings using a graphical user interface
- Exporting all settings to a file
- Importing all settings from a file
- Performing import/export from a command line (BAT-file / script)
4 FEATURE OVERVIEW
SMS PASSCODE® is a versatile two-factor authentication system with an extensive list of great
features. This section gives an overview of the most important features.
4.1 Authentication Clients
SMS PASSCODE® provides comprehensive protection for a broad range of authentication clients.
The following clients are currently supported:
- Citrix Web Interface
- RADIUS clients. Supported are:
  - Checkpoint
  - Cisco
  - Citrix Access Gateway
  - Juniper
  - Microsoft Intelligent/Unified Application Gateway (IAG/UAG)
  - Microsoft SharePoint Portal Server2
  - Any other RADIUS client supporting challenge/response
  - SMS PASSCODE® designed clients such as the Citrix Receiver for iPhone
- ISA/TMG Web Sites. Supports protection of web sites that have been published through a Microsoft ISA/TMG server using a Web Listener, e.g.:
  - Outlook Web Access 2003 / 2007 / 2010
  - Terminal Service Web Access (Windows Server 2008)
  - Remote Desktop Web Access (Windows Server 2008 R2)
  - Microsoft SharePoint Portal Server
  - IIS web sites using Basic or Integrated Windows Authentication
  - Any web site not requiring any pass-through authentication (authentication delegation)
- Internet Information Server (IIS) Web Sites. Supports protection of the following types of IIS web sites:
  - Outlook Web Access 2003 / 2007 / 2010
  - Terminal Service Web Access (Windows Server 2008)
  - Remote Desktop Web Access (Windows Server 2008 R2)
  - IIS Web Sites using Basic or Integrated Windows Authentication
- Windows Logon. Protection of:
  - Terminal Service (RDP Connections)
  - Windows servers
  - Windows workstations
- Logon Points of Citrix Access Gateway Advanced Edition

2 Protection of SharePoint Portal Server using RADIUS is only supported if the SharePoint Portal server is published through an Application Gateway, which will ensure that the user is only requested to authenticate once during the initial logon, e.g. using the Microsoft IAG/UAG, Citrix Access Gateway Enterprise Edition or Juniper SA, all configured to use persistent cookies.
SMS PASSCODE® is fully integrated into all supported authentication clients. No extra user
actions are necessary to trigger the transmission of passcodes – the authentication is very intuitive,
which makes user training unnecessary.
4.2 Security
SMS PASSCODE® provides improved security in several respects. From a technical point of
view, SMS PASSCODE® provides these important security features:
- Strong authentication security with protection against modern internet threats such as advanced phishing attacks, because passcodes are:
  o Session-specific (unlike hardware-token based solutions)
  o Challenge-based
  o Time-constrained
- Cryptographically strong random passcodes are generated using FIPS-140 validated crypto modules
- Configurable passcode length, complexity and lifetime
- Strong encryption
  o Built-in 256-bit AES encryption of all network communication
- Brute force attack protection
  o Automatic lockout of users on consecutive incorrect passcode entries
- Denial-of-service attack protection
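The passcode properties listed above, as an added example that is not SMS PASSCODE®'s own code: a minimal server-side challenge store in Python that issues a cryptographically random passcode bound to one logon session, rejects it after its lifetime or after any single use, and locks the user after consecutive failures. Passcode length, lifetime and the lockout threshold are assumed values standing in for the configurable settings the guide mentions.

```python
import secrets
import string
import time
from dataclasses import dataclass, field

# Assumed values standing in for the configurable settings the guide mentions.
PASSCODE_LENGTH = 6
PASSCODE_ALPHABET = string.digits
PASSCODE_LIFETIME_S = 120.0
MAX_CONSECUTIVE_FAILURES = 3


@dataclass
class Challenge:
    session_id: str   # the logon session this passcode is bound to
    user: str
    passcode: str
    issued_at: float


@dataclass
class PasscodeServer:
    lifetime_s: float = PASSCODE_LIFETIME_S
    max_failures: int = MAX_CONSECUTIVE_FAILURES
    challenges: dict = field(default_factory=dict)  # session_id -> Challenge
    failures: dict = field(default_factory=dict)    # user -> consecutive failed entries
    locked: set = field(default_factory=set)

    def issue(self, user, now=None):
        """Create a challenge after the first factor succeeded. Returns (session_id, passcode):
        the passcode is what would go out by SMS, the session_id stays with the logon session.
        Returns None for a locked-out user."""
        now = time.time() if now is None else now
        if user in self.locked:
            return None
        session_id = secrets.token_hex(16)
        # secrets draws from the OS CSPRNG; the guide's FIPS-140 validated modules play that role there.
        passcode = "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(PASSCODE_LENGTH))
        self.challenges[session_id] = Challenge(session_id, user, passcode, now)
        return session_id, passcode

    def verify(self, session_id, user, entered, now=None):
        """Check one entry. Every attempt consumes the challenge, so a passcode is usable at most
        once and only within the session it was issued for (session-specific, challenge-based)."""
        now = time.time() if now is None else now
        if user in self.locked:
            return "locked"
        challenge = self.challenges.pop(session_id, None)
        if challenge is None or challenge.user != user:
            return self._fail(user, "no_challenge")  # wrong session, or replay of a used code
        if now - challenge.issued_at > self.lifetime_s:
            return self._fail(user, "expired")       # time-constrained
        if not secrets.compare_digest(challenge.passcode, entered):
            return self._fail(user, "wrong")         # constant-time comparison
        self.failures[user] = 0                      # success resets the failure counter
        return "ok"

    def _fail(self, user, reason):
        """Count a consecutive failure and lock the user once the threshold is reached."""
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)
            return "locked"
        return reason
```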
From a user perspective, SMS PASSCODE® provides increased security compared to e.g.
traditional hardware-token based solutions because:
- Users quickly notice a stolen or lost cell phone, so countermeasures are taken sooner.
- Users know they need to block the SIM card of a stolen or lost cell phone to prevent misuse, which at the same time locks down access using SMS PASSCODE®.
- Users can block the SIM card of a stolen or lost cell phone themselves, which means faster reaction and a shorter period of exposure.
4.3 Installation
Installation of SMS PASSCODE® is very simple, since SMS PASSCODE® is an “out-of-the-box”
end-to-end solution containing all necessary software and hardware. Simply connect the included
GSM modem(s) to your servers, install the software, and you are ready.
The component architecture of SMS PASSCODE® offers maximum flexibility of installation,
allowing distribution of SMS PASSCODE® components according to your specific needs.
Unlike traditional hardware-token based solutions, SMS PASSCODE® works without distribution of
any hardware-tokens. As a result, the logistic overhead involved is minimal and roll-out is
much faster. You can get SMS PASSCODE® up and running with thousands of users within
minutes. Just extract all cell phone numbers from your Active Directory or import them from a
comma-separated file.
4.4 Administration
The daily administration of SMS PASSCODE® is simple due to:
- No logistic overhead regarding administration and distribution of hardware-tokens.
- No need to involve IT personnel in the event of a lost cell phone, since users will quickly discover the loss and act on their own initiative to block the SIM card.
Additionally, SMS PASSCODE® includes an excellent Active Directory Integration feature that
allows administration of SMS PASSCODE® users in your Active Directory. The AD Integration features are:
- Works “out-of-the-box”. No schema extension of your AD is needed!
- Supports both LDAP and Global Catalog lookups.
- Supports extraction of users from multiple separate AD Domains.
- Supports nested groups including groups from child domains and trusted domains.
- Configurable AD attribute containing the users’ cell phone numbers. You can even specify a prioritized list of attributes.
4.5 Enterprise Environment Support
Failover and scalability are very important in enterprise environments. SMS PASSCODE® provides
failover and scalability on all levels, thus providing unmatched support for enterprise
environments:
- Database level: Each SMS Transmitter service and Load Balancing service caches all data locally, meaning independence of the backend database and high scalability. I.e. system operation is maintained even in the event that the backend database is down.
- Transmitter level: A Load Balancing service provides intelligent distribution of all incoming requests to many SMS Transmitter services, thereby providing full failover and load balancing between all SMS Transmitter services. I.e. system operation is maintained even in the event that a Transmitter service is down. An unlimited number of Transmitter services is supported.
- GSM Modem level: Each Transmitter supports a modem pool containing up to 32 GSM modems, thereby providing full failover and load balancing between all modems in a pool. I.e. system operation is maintained even in the event of a GSM modem being down. If SIM cards from different carriers are used, you can even obtain failover at the GSM service provider level.
- Authentication client level: Each authentication client may forward incoming requests to several SMS Transmitter services or Load Balancing services. I.e. system operation is maintained even if some of the Transmitter services or Load Balancing services are down. An unlimited number of Transmitter services and Load Balancing services is supported.
Additionally, using Modem Groups and Load Balancing Policies it is possible to control the load
balancing of SMS messages across all modems at a granular level. Since the Load Balancing
Policies are very flexible, the number of possibilities is enormous. Some examples of their usage
are:
- Prefix load balancing: Group modems according to the country where they are located. Preferably send SMS messages from GSM modems with SIM cards having the same mobile number prefix as the receiver.
- GSM service provider failover: Group modems according to the GSM service provider of the SIM cards. Preferably send SMS messages using a selected GSM service provider, but use another one for failover (e.g. automatically send another passcode using a second service provider if the first passcode could not be sent or was not entered within a specified time limit).
- GSM receiver failover: Allocate both a primary and a secondary cell phone number to some users. Automatically send another passcode to the secondary cell phone if the first passcode could not be sent or was not entered within a specified time limit.
This clearly demonstrates that SMS PASSCODE® has been designed and built with even the most
demanding enterprise environments in mind.
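The three policy examples above, as an added illustration that is not the product's own Load Balancing Policy implementation: a Python selection routine over a constructed modem pool that prefers modems whose SIM prefix matches the receiver, fails over to a GSM service provider not yet tried when a passcode could not be sent or was not entered within the time limit, and finally falls back to the user's secondary number. The modem attributes, user record, time limit and the shape of the attempt records are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Modem:
    name: str
    prefix: str     # country prefix of the SIM's mobile number (assumed Modem Group attribute)
    provider: str   # GSM service provider of the SIM (assumed Modem Group attribute)


@dataclass(frozen=True)
class User:
    name: str
    primary: str                     # primary cell phone number
    secondary: Optional[str] = None  # optional secondary number for receiver failover


@dataclass(frozen=True)
class Policy:
    preferred_provider: str
    time_limit_s: float  # seconds to wait for the passcode to be entered before failing over


def rank_modems(modems, receiver, policy, exclude_providers=()):
    """Prefix load balancing plus provider preference: modems whose SIM prefix matches the
    receiver's number rank first, then the preferred provider; providers already tried for
    this receiver are left out entirely."""
    usable = [m for m in modems if m.provider not in exclude_providers]
    return sorted(
        usable,
        key=lambda m: (not receiver.startswith(m.prefix),
                       m.provider != policy.preferred_provider,
                       m.name),
    )


def next_delivery(modems, user, policy, attempts, since_last_send_s):
    """Return the next (receiver number, modem) to send a passcode with, or None.

    attempts is the list of passcodes issued so far in this logon, each a dict with keys
    "receiver", "modem", "sent" (delivery succeeded) and "entered" (user typed it in);
    since_last_send_s is the time elapsed since the last successful send.
    Failover order follows the guide's examples: the same receiver via a GSM service provider
    not yet tried, then the user's secondary number."""
    if not attempts:
        ranked = rank_modems(modems, user.primary, policy)
        return (user.primary, ranked[0]) if ranked else None
    last = attempts[-1]
    if last["sent"] and last["entered"]:
        return None  # the passcode was used; nothing more to send
    if last["sent"] and since_last_send_s < policy.time_limit_s:
        return None  # delivered and still inside the time limit: keep waiting
    receiver = last["receiver"]
    tried = {a["modem"].provider for a in attempts if a["receiver"] == receiver}
    ranked = rank_modems(modems, receiver, policy, exclude_providers=tried)
    if ranked:
        return (receiver, ranked[0])  # GSM service provider failover
    if receiver == user.primary and user.secondary:
        ranked = rank_modems(modems, user.secondary, policy)
        return (user.secondary, ranked[0]) if ranked else None  # GSM receiver failover
    return None


# Constructed sample pool: two Danish SIMs from different providers and one German SIM.
MODEMS = [
    Modem("dk-a", "+45", "ProviderA"),
    Modem("dk-b", "+45", "ProviderB"),
    Modem("de-a", "+49", "ProviderA"),
]
POLICY = Policy(preferred_provider="ProviderA", time_limit_s=90.0)
ALICE = User("alice", primary="+4512345678", secondary="+4987654321")


def walk_through():
    """Replay one logon where the first passcode times out and the second cannot be sent."""
    attempts = []
    plan = []
    receiver, modem = next_delivery(MODEMS, ALICE, POLICY, attempts, 0.0)
    plan.append((receiver, modem.name))
    attempts.append({"receiver": receiver, "modem": modem, "sent": True, "entered": False})
    receiver, modem = next_delivery(MODEMS, ALICE, POLICY, attempts, 120.0)  # past the limit
    plan.append((receiver, modem.name))
    attempts.append({"receiver": receiver, "modem": modem, "sent": False, "entered": False})
    receiver, modem = next_delivery(MODEMS, ALICE, POLICY, attempts, 0.0)
    plan.append((receiver, modem.name))
    return plan


if __name__ == "__main__":
    print(walk_through())
```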
5 COMPONENTS
SMS PASSCODE® is composed of the following software components:
Component Description
Database Service Database for storing all SMS PASSCODE® user data and configuration data.
Web Administration Interface Web site for maintaining SMS PASSCODE® user data and configuration data.
Transmitter Service Service responsible for communication with GSM modems and validation of SMS PASSCODE® logons. Handles load balancing and failover between all GSM modems connected to the service.
Load Balancing Service Service responsible for handling load balancing and failover between all Transmitter services. This optional service is recommended for enterprise multi server installations where multiple Transmitter services are present. It should only be installed in the following cases: 1) advanced failover and load balancing of SMS messages between all Transmitter services is required, or 2) the usage of Load Balancing Policies is required.
Citrix Web Interface Protection Integrates SMS PASSCODE® with Citrix Web Interface providing SMS PASSCODE® authentication for Citrix Web Interface users. It is optionally possible to run the Citrix Web Interface protection side-by-side with hardware-token based two-factor authentication systems, e.g. RSA SecurID® or SafeWord®. Both AD and NDS authentication are supported.
RADIUS Protection Integrates with RADIUS systems providing SMS PASSCODE® authentication for RADIUS clients. It is optionally possible to run this integration side-by-side with other RADIUS authentication systems, e.g. hardware-token based two-factor authentication systems. When using Windows Server 2003, RADIUS protection is provided by means of an extension for the Microsoft Internet Authentication Service (IAS). When using Windows Server 2008, RADIUS protection is provided by means of an extension for the Microsoft Network Policy Server (NPS). Besides VPN systems the RADIUS protection component is also useful for protecting access to Microsoft SharePoint Portal servers using application gateways, e.g. using Microsoft Intelligent Application Gateway, Microsoft Unified Application Gateway, Citrix Access Gateway Enterprise Edition or Juniper SA.
ISA/TMG Web Site Protection Integrates SMS PASSCODE® with Microsoft ISA/TMG Server, providing SMS PASSCODE® authentication for web sites directly on an ISA/TMG Server. The web sites are required to be published through the ISA/TMG server using a Web Listener. Currently the following types of web sites are supported:
- Microsoft Outlook Web Access 2003 / 2007 / 2010
- Microsoft Terminal Service Web Access (TS Web Access)
- Microsoft Remote Desktop Web Access (RD Web Access)
- Microsoft SharePoint Portal Server
- IIS web sites using Basic or Integrated Windows Authentication
- Any web site not requiring any pass-through authentication (authentication delegation)
SMS PASSCODE® authentication can be enabled/disabled for each specific Web Listener in the ISA/TMG server. ISA/TMG Web Site protection is provided by means of an ISA/TMG filter.
IIS Web Site Protection Integrates SMS PASSCODE® with Microsoft Internet Information Server (IIS) providing SMS PASSCODE® authentication for IIS Web Sites. Currently the following types of Web Sites are supported:
- Microsoft Outlook Web Access 2003 / 2007 / 2010
- Microsoft Terminal Service Web Access (TS Web Access)
- Microsoft Remote Desktop Web Access (RD Web Access)
- IIS Web Sites using Basic or Integrated Windows Authentication
SMS PASSCODE® authentication can be enabled/disabled for each specific IIS web site – it is even possible to configure different settings for specific URLs and/or specific client IP addresses. IIS Web Site protection is provided by means of an ISAPI filter.
Windows Logon Protection Integrates SMS PASSCODE® with Windows Logon, thereby providing SMS PASSCODE® authentication for users logging on to Windows. This is for example useful for protecting Microsoft Terminal Service / Remote Desktop server environments, or VMware View virtual clients. SMS PASSCODE® authentication can be enabled/disabled for each specific RDP Listener. Windows Logon integration is provided by means of a custom GINA (Windows XP and Windows Server 2003) and a custom Credential Provider (Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2).
Citrix Access Gateway Advanced Edition Protection
Integrates SMS PASSCODE® with CAGAE, thereby providing SMS PASSCODE® authentication for CAGAE logon points. SMS PASSCODE® authentication can be enabled/disabled for each specific logon point. CAGAE integration is provided by means of an HTTP Module.
The components Database Service, Web Administration Interface and Transmitter Service are
required components – i.e. they must always be present in an SMS PASSCODE® installation. The
remaining components are optional.
The term SMS PASSCODE® core component is used in the subsequent sections of this
documentation to denote one of the components: Database Service, Web Administration
Interface, Transmitter Service or Load Balancing Service.
The term SMS PASSCODE® Authentication client is used in the subsequent sections of this
documentation to denote one of the components: Citrix Web Interface Protection, RADIUS
Protection, ISA/TMG Web Site Protection, IIS Web Site Protection, Windows Logon
Protection or Citrix Access Gateway Advanced Edition Protection.
6 SYSTEM REQUIREMENTS
In this section the system requirements are listed for each SMS PASSCODE® software component
(cf. section 5).
Please note: All SMS PASSCODE® components require the Microsoft .NET 3.5 SP1
Framework, but you do not have to install it beforehand. The SMS PASSCODE® installation will
detect whether the Microsoft .NET 3.5 SP1 Framework is missing – and will automatically
download and install it if necessary.
Component Requirement
Database Service
Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
If you are planning to enable the Active Directory Integration feature, it is recommended to install this component on a domain member server or a domain controller.
Web Administration Interface
Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
IIS 6.0 or 7.0/7.5 required
It is recommended to install this component on the same server as the Database Service component.
Transmitter Service
Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
An unused serial port [3] (COM port) for each GSM modem.
An active SIM card for each GSM modem in use.
Load Balancing Service
Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
[3] If the server does not have a free serial port, you may use a serial port server instead. With this solution, you map a virtual serial port on the computer to a serial port on a device which is connected to the network. SMS PASSCODE® has been tested with serial port servers ("Terminal Servers") from Moxa (http://www.moxa.com/Zones/Serial_to_Ethernet). It is recommended to use secure serial port servers, which encrypt the network communication (e.g. Moxa NPort 6000 series). Serial port servers are also advantageous if you need to connect many GSM modems to the same computer, since serial port servers with many serial ports are available. Moxa also offers a serial port server with an integrated GSM modem, called Moxa OnCell (http://www.moxa.com/Product/OnCell_G3110_G3150.htm). If you plan to use a Moxa OnCell device, please contact support@smspasscode.com for a detailed installation guide on how to set it up correctly with SMS PASSCODE®.
Citrix Web Interface Protection
Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
You must install Citrix Web Interface on the server and publish at least one Web Interface before installing this component. The following Citrix Web Interface versions are supported on Windows Server 2003:
o Citrix Web Interface 4.0, 4.2, 4.5 and 4.6
o Citrix Web Interface 5.0, 5.0.1, 5.1.1, 5.1.2, 5.2.0 and 5.3.0
o Citrix Access Essentials 1.x
o Citrix Access Essentials 2.0
The following Citrix Web Interface versions are supported on Windows Server 2003 x64:
o Citrix Web Interface 4.5 and 4.6
o Citrix Web Interface 5.0, 5.0.1, 5.1.1, 5.1.2, 5.2.0 and 5.3.0
o Citrix Access Essentials 2.0
The following Citrix Web Interface versions are supported on Windows Server 2008 x86, Windows Server 2008 x64 and Windows Server 2008 R2 x64:
o Citrix Web Interface 5.0, 5.0.1, 5.1.1, 5.1.2, 5.2.0 and 5.3.0
AD and NDS authentication is supported.
Please note: The SMS PASSCODE® installation will automatically patch Citrix Web Interface version 4.0/4.2 and CAE 1.x, thereby ensuring that the Citrix Access Suite Console will work correctly together with the Microsoft .NET 2.0/3.5 Framework. The patch is described here:
http://support.citrix.com/article/CTX109099
http://support.citrix.com/article/CTX108104
RADIUS Protection
Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
Please note: Windows Server 2003 Web Edition and Windows Server 2008 Web Edition cannot be used, because IAS/NPS is not part of these editions.
Windows Server 2003: Internet Authentication Service (IAS) must be installed before installing this component.
Windows Server 2008: Network Policy Service (NPS) must be installed before installing this component.
Supported RADIUS clients: All RADIUS clients that support the PAP authentication protocol. The best user experience is achieved using RADIUS clients that support PAP with Challenge Response. Among others, the following RADIUS clients support Challenge Response:
o Juniper SSL VPN
o Fortigate SSL VPN
o Cisco PIX 5XX
  min. Cisco VPN client 4.8 [4] (PC)
  min. Cisco VPN client 4.9 (MAC)
o Cisco ASA 5XXX
  min. Cisco VPN client 4.8 (PC)
  min. Cisco VPN client 4.9 (MAC)
o Cisco VPN Concentrator 3000
  min. Cisco VPN client 4.8 (PC)
  min. Cisco VPN client 4.9 (MAC)
o Check Point FW-1/VPN-1 NG/FP3
  Check Point VPN-1 SecuRemote Connection Client
o Citrix Access Gateway [5]
  Standard Edition (min. ver. 4.5)
  Enterprise Edition
o Microsoft Intelligent/Unified Application Gateway (IAG/UAG)
o WatchGuard Firebox
  WatchGuard Windows VPN Client
Please contact your SMS PASSCODE® reseller or support@smspasscode.com for further information regarding supported RADIUS clients.
ISA/TMG Web Site Protection
Supported scenarios:
o Windows Server 2003 x86 with Microsoft ISA Server 2006 installed.
o Windows Server 2008 x64 with Microsoft TMG 2010 installed.
o Windows Server 2008 R2 x64 with Microsoft TMG 2010 installed.
[4] Please note that versions 5.0.00.x - 5.0.01.x had problems with the RADIUS challenge/response implementation. You must upgrade to a newer version of the Cisco VPN client 5.x.
[5] Please note that Citrix Access Gateway Advanced Edition does NOT currently support Challenge Response. However, the CAGAE Protection component is used in this case.
IIS Web Site Protection
Supported operating systems:
o Windows Server 2003 (x86/x64)
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
IIS 6.0, 7.0 or 7.5 required
Windows Logon Protection
Supported operating systems:
o Windows XP (x86/x64) [6]
o Windows Server 2003 (x86/x64)
o Windows Vista (x86/x64) [6]
o Windows 7 (x86/x64) [6]
o Windows Server 2008 (x86/x64)
o Windows Server 2008 R2 (x64)
Terminal Service / Remote Desktop is supported
Citrix Access Gateway Advanced Edition Protection
Supported operating system: Windows Server 2003 x86
IIS 6.0 required
You must install the Advanced Access Control software for Citrix Access Gateway Advanced Edition, version 4.5 before installing this component.
IMPORTANT: Hotfix AAC450W001 for Citrix Advanced Access Control 4.5 is NOT supported. Please upgrade to a newer hotfix, i.e. AAC450W002 or later.
6.1 Terminal Service / Remote Desktop Service Protection
Access to Terminal Services or Remote Desktop Services can be protected by SMS PASSCODE®
authentication in several ways.
Windows Server 2003: When using Terminal Services on Windows Server 2003, please
install the SMS PASSCODE® Windows Logon Protection component on each Terminal
Service host requiring SMS PASSCODE® protection.
Windows Server 2008 (R2): When using Terminal Services / Remote Desktop Services on
Windows Server 2008 (R2) you have three options to implement SMS PASSCODE®
authentication:
1. Protecting a TS / RD Web Access site directly on the IIS:
Install the SMS PASSCODE® IIS Web Site Protection component on the server hosting the TS / RD Web Access site. It is mandatory that the TS / RD Web Access site and the TS / RD Gateway site are installed on the same IIS. If the RD Web Access site is hosted on Windows Server 2008 R2, then form-based authentication and single sign-on (SSO) are supported.
[6] It is not recommended to install Windows Logon Protection on laptops, because SMS PASSCODE® logon is only possible when the laptop is able to connect to an SMS PASSCODE® Transmitter Service. Since this connection is typically established via the network, the laptop may lose its connection to the Transmitter service when it is undocked, thereby preventing user authentication.
2. Protecting a TS / RD Web Access site that has been published through an ISA/TMG
Server using a Web Listener:
Install the SMS PASSCODE® ISA/TMG Web Site Protection component on the
ISA/TMG server and enable SMS PASSCODE® authentication on the Web Listener
used to publish the TS / RD Web Access site. Single sign-on is not supported in this
case [7].
3. Protecting Windows Logon on all TS / RD session host servers:
Install the SMS PASSCODE® Windows Logon Protection component directly on each
Terminal Service / Remote Desktop Service session host requiring SMS PASSCODE®
protection.
Please refer to section 9.2.3 (page 44) for more setup details regarding cases 1 and 2, which use
the TS / RD Web Access site.
6.2 SharePoint Portal Server Protection
SMS PASSCODE® supports protection of Microsoft SharePoint Portal Server (version 2003 and
newer). Please refer to section 9.2.5 (page 54) for more details regarding SharePoint Portal server
protection.
6.3 Citrix iPhone Receiver Protection
This section describes the prerequisites to use SMS PASSCODE® authentication when using the
Citrix iPhone Receiver 2.0.
One or more dedicated RADIUS servers are required to authenticate Citrix iPhone Receiver clients, because of the special format in which the SMS passcode must be sent.
One or more Citrix Access Gateways (Standard Edition or Enterprise Edition) are also required.
Please follow the procedure below to set up Citrix iPhone Receiver protection:
1. Install and configure one or more dedicated RADIUS servers, i.e. Windows servers with the
IAS/NPS service installed. Please read sections 9.2.1 (page 41) and 9.2.2 (page 43)
regarding installation of the IAS and NPS service, respectively.
2. On each RADIUS server add the Citrix Access Gateway (Standard or Enterprise Edition) as
a normal RADIUS client.
3. Configure the Citrix Access Gateway(s) and iPhones to allow a standard authentication
without SMS PASSCODE® authentication (set the iPhone to “Domain Only” authentication).
Please read the documentation from Citrix regarding this.
4. Now install the SMS PASSCODE® RADIUS Protection component on each RADIUS server
that was installed in step 1.
[7] This is not a restriction due to SMS PASSCODE®. Single sign-on is not possible with RD Web Access in general when the site is configured to use Basic or Integrated Windows Authentication (which is required when publishing the site through an ISA/TMG Server using a Web Listener).
5. On each RADIUS server start the SMS PASSCODE® Configuration Tool and add the IP
address(es) of the Citrix Access Gateway(s) to the Clients not supporting challenge
packets setting. This setting is located on the Miscellaneous tab, which is located on the
RADIUS Client Protection tab.
Remember to save the settings and restart the IAS/NPS service.
6. On each server with the SMS PASSCODE® Transmitter service installed, configure the
Transmitter service to send all SMS PASSCODEs requested from the dedicated RADIUS
server(s) in a special iPhone format. This is achieved by creating a new MULTI_STRING
value named TrIPhoneAuthenticationServers below the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\SMS PASSCODE
on each Transmitter server. Add the hostname(s) of the dedicated RADIUS server(s) to the
registry value.
7. Restart each Transmitter service.
8. Verify that an iPhone can now authenticate using SMS PASSCODE® authentication.
Configure the iPhone to use “SMS Authentication” and ensure that the Receiver client is
closed before attempting a new login.
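One way to script step 6 so that it can be re-run safely, as an added example that is not code from the Administrator's Guide or from SMS PASSCODE A/S: the hostnames are merged into the existing MULTI_STRING value instead of overwriting it, and the return value tells you whether anything changed, i.e. whether the Transmitter service needs the restart of step 7. The registry key and value name are the ones given in step 6; the hostnames are constructed sample values, and the write itself needs an elevated prompt on the Transmitter server.

```python
"""Idempotently add dedicated RADIUS server hostnames to the MULTI_STRING value
TrIPhoneAuthenticationServers under HKEY_LOCAL_MACHINE\\SOFTWARE\\SMS PASSCODE (step 6).
Added example, not from the Administrator's Guide or SMS PASSCODE A/S; the hostnames
are constructed sample values. The registry write only works on Windows, the merge
logic runs anywhere."""
import re

KEY_PATH = r"SOFTWARE\SMS PASSCODE"
VALUE_NAME = "TrIPhoneAuthenticationServers"
# One or more DNS labels: letters, digits and hyphens, no leading or trailing hyphen.
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def merge_servers(existing, wanted):
    """Return (merged, changed): `existing` with every valid `wanted` hostname
    appended once (case-insensitive, order preserved, blank entries dropped)."""
    merged = [s.strip() for s in existing if s.strip()]
    seen = {s.lower() for s in merged}
    changed = len(merged) != len(existing)  # blank entries were removed
    for name in wanted:
        name = name.strip()
        if not _HOSTNAME.match(name):
            raise ValueError(f"not a valid hostname: {name!r}")
        if name.lower() not in seen:
            merged.append(name)
            seen.add(name.lower())
            changed = True
    return merged, changed


def ensure_iphone_servers(wanted):
    """Read the value, merge, and write it back only if it changed. Returns True
    when a write happened, i.e. the Transmitter service needs the restart of step 7."""
    import winreg  # Windows only; imported here so the merge logic stays portable
    access = winreg.KEY_READ | winreg.KEY_SET_VALUE
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH, 0, access) as key:
        try:
            existing, kind = winreg.QueryValueEx(key, VALUE_NAME)
            if kind != winreg.REG_MULTI_SZ:
                raise TypeError(f"{VALUE_NAME} exists but is not a MULTI_STRING value")
        except FileNotFoundError:  # value not created yet
            existing = []
        merged, changed = merge_servers(existing, wanted)
        if changed:
            winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_MULTI_SZ, merged)
    return changed


# Constructed sample hostnames of the dedicated RADIUS servers from step 1.
DEDICATED_RADIUS_SERVERS = ["radius1.example.local", "radius2.example.local"]
```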
The end-user workflow on the iPhone should be like this:
1. Start the Citrix iPhone Receiver.
2. Enter your credentials and click the OK button.
3. A message appears.
4. After a short period an SMS PASSCODE is received. Click the Reply button.
5. Click the passcode link in the reply message.
This will automatically transfer the one-time-passcode to the Citrix Receiver application.
6. The authentication is now complete and the published XenApp applications are displayed.
7 HARDWARE – GSM MODEMS
When acquiring an SMS PASSCODE® license you always start with the acquisition of the SMS
PASSCODE® starter pack. This starter pack includes the first user licenses (CALs) and a modem
license.
If you would like to use more modems in your SMS PASSCODE® solution to support failover or
extended scalability, then you must acquire an additional modem license for each modem.
Both the SMS PASSCODE® starter pack and each additional modem license include a modem pack. Each modem pack includes the following hardware:
- A Cinterion [8] (former Siemens) GSM modem.
- Power supply for the modem.
- Serial cable for the modem.
- Antenna for the modem.
In short: SMS PASSCODE® includes all hardware necessary to send SMS from a server.
IMPORTANT: SMS PASSCODE® does NOT include an active SIM card for each GSM modem.
You must acquire a SIM card for each GSM modem yourself. SIM cards protected by a PIN code
are supported by SMS PASSCODE®.
8 INFRASTRUCTURE
SMS PASSCODE® is composed of various software components (cf. section 5) which can communicate with each other across the network. This provides great flexibility regarding the distribution of the components on different servers, which enables optimizing the SMS PASSCODE® installation to your specific server infrastructure.
[8] SMS PASSCODE® supports the Cinterion MC35i, MC52i, MC55i, TC65 and MC75 modems.
Since you can distribute the SMS PASSCODE® components in almost any way you like, there are
a huge number of possible installation scenarios. The possibilities span from the very simple
installation case, where all components are installed on the same server (Single Server
Installation), to the advanced “total distribution” installation case, where all components are
distributed onto different machines. A lot of other scenarios exist between these two extremes –
you can install some components together on a machine while other components are installed
individually on other machines.
The purpose of this section is to show selected network diagrams that illustrate different “sample”
SMS PASSCODE® installation scenarios. This is primarily intended for readers who would like to
perform a more advanced, multi server installation of SMS PASSCODE®. If you have already
decided to install all components on the same server, then you can skip this section and choose
Single Server Installation during the installation.
Active Directory Integration and Multi Server Installation
When using Active Directory Integration in single domain mode, it is recommended to install the Database Service component on a domain member server or a domain controller. That is, when planning for a Multi Server Installation with some components being installed in a DMZ, you will typically locate the Database Service on the LAN side of the firewall.
8.1 Component Communication
The communication between SMS PASSCODE® components is handled differently depending on
whether all components are installed on the same server (Single Server Installation) or distributed
to several machines (Multi Server Installation).
In a Single Server Installation scenario all components communicate directly with each other without involving the network [9].
In a Multi Server Installation scenario the components communicate via the network.
Communication takes place using the TCP/IP protocol – all network messages are encrypted. SMS
PASSCODE® uses the different TCP ports described below:
[9] In this case Inter-Process Communication (IPC) is used. No TCP port conflicts can occur in this case, except for the Web Administration Interface, which always uses a TCP port (port 2000 by default).
Component: Database Service
Incoming: Listens by default on the two TCP ports 9090 and 9091
Outgoing:
- Communicates with all Transmitter services (TCP port 8989)
- Communicates with all Load Balancing services (TCP port 8988), if any are installed
- Communicates with one or more Domain Controllers, in case Active Directory Integration has been enabled (using LDAP or Global Catalog)
Component: Web Administration Interface
Incoming: Listens by default on TCP port 2000
Outgoing:
- Communicates with the Database service (TCP port 9091)
- Communicates with Transmitter services (TCP port 8989), when sending any test SMS and no Load Balancing service is in use
- Communicates with Load Balancing services (TCP port 8988), when sending any test SMS and any Load Balancing service is in use
Component: Transmitter Service
Incoming: Listens by default on TCP port 8989
Outgoing:
- Communicates with the Database service (TCP port 9090)
Component: Load Balancing Service
Incoming: Listens by default on TCP port 8988
Outgoing:
- Communicates with the Database service (TCP port 9090)
- Communicates with all Transmitter services (TCP port 8989)
Component: SMS PASSCODE® Authentication clients
Incoming: -
Outgoing: Depending on the configuration, communicates with either:
- a list of Transmitter services (TCP port 8989)
-- or --
- a list of Load Balancing services (TCP port 8988)
The usage of the different TCP ports during component communication is also illustrated using
network diagrams in the following sections (e.g. the network diagram in section 8.6, page 37, gives
a good overview).
You can change the default TCP ports during Multi Server Installation (or afterwards), in case they
are in conflict with other applications.
8.2 Single Server Installation
The simplest form of SMS PASSCODE® installation is called Single Server Installation. The
following (required) components are always installed during this type of installation:
- Database Service
- Web Administration Interface
- Transmitter Service
The remaining components are optional (except the Load Balancing service which cannot be
installed during a Single Server Installation).
[Network diagram: Single Server Installation. One SMS PASSCODE® Server (can optionally be placed in a DMZ) runs the Database Service, Web Administration Interface and Transmitter Service plus the optional Citrix Web Interface Protection, RADIUS Protection, ISA/TMG Web Site Protection, IIS Web Site Protection, Windows Logon Protection and CAGAE Protection; GSM modem(s) are attached via serial; AD Sync. (optional) to an Active Directory Server on the LAN; a firewall separates the LAN from the Internet client.]
8.3 Multi Server Installation – Citrix Web Interface
In this section a Multi Server Installation example with several Citrix Web Interface servers is
shown. A possibility in this case is to install the Citrix Web Interface Protection component on
each Citrix Web Interface server and to install the Database Service, Web Administration
Interface and Transmitter Service components on a different server:
[Network diagram: three Citrix Web Interface Servers in the DMZ, each running SMS PASSCODE® Citrix Web Interface Protection, connect over TCP 8989 to one SMS PASSCODE® Server on the LAN running Database Service, Web Administration Interface and Transmitter Service with GSM modem(s); AD Sync. (optional) to an Active Directory Server; Citrix Presentation Server farm; a firewall separates LAN and DMZ.]
For failover reasons it is better to have several Transmitter Service components installed. In this case, if any Transmitter service becomes unavailable for some reason, each Citrix Web Interface server can communicate with another Transmitter service. You can install as many Transmitter services as you like. The example below illustrates the usage of two Transmitter services:
[Network diagram: three Citrix Web Interface Servers in the DMZ (SMS PASSCODE® Citrix Web Interface Protection) connect over TCP 8989 to two Transmitter services: one on the SMS PASSCODE® Database Server (Database Service, Web Administration Interface, Transmitter Service, GSM modem(s)) and one on an SMS PASSCODE® Failover server (Transmitter Service, GSM modem(s)), which reaches the Database Service over TCP 9090; AD Sync. (optional) to an Active Directory Server; Citrix Presentation Server farm; a firewall separates LAN and DMZ.]
When using several Transmitter services, each Citrix Web Interface server will communicate with
the Transmitter services according to a prioritized list, i.e. failover without load balancing is
provided. If you wish to have real load balancing between the Transmitter services (or if you wish
to make use of Load Balancing Policies), then you must also install the optional Load Balancing
service. You can install any number of Load Balancing services (to have failover on this level as
well). The example below illustrates the usage of two Load Balancing services:
[Network diagram: three Citrix Web Interface Servers in the DMZ (SMS PASSCODE® Citrix Web Interface Protection) connect over TCP 8988 to two Load Balancing services: one on the SMS PASSCODE® Database Server (Database Service, Web Administration Interface, Load Balancing Service, Transmitter Service, GSM modem(s)) and one on an SMS PASSCODE® Failover server (Load Balancing Service, Transmitter Service, GSM modem(s)); the Load Balancing services reach the Transmitter services over TCP 8989 and the Database Service over TCP 9090; AD Sync. (optional) to an Active Directory Server; Citrix Presentation Server farm; a firewall separates LAN and DMZ.]
8.4 Multi Server Installation – RADIUS Clients
In this section a Multi Server Installation example is shown with SMS PASSCODE® being used for RADIUS authentication. While it is possible to install all necessary SMS PASSCODE® components on the RADIUS server itself, the example below illustrates another scenario, where the RADIUS Protection component is installed on the RADIUS server and the remaining components are installed on a separate server:
[Network diagram: a Cisco VPN Client, a Juniper Client and a CAG Client on the Internet connect to a Cisco device, a Juniper device and a Citrix Access Gateway (Standard or Enterprise Edition) respectively; these send RADIUS requests (UDP 1812 / UDP 1645) to a RADIUS Server on the LAN running MS IAS or MS NPS with SMS PASSCODE® RADIUS Protection; the RADIUS Protection component communicates over TCP 8989 with an SMS PASSCODE® Server running Database Service, Web Administration Interface and Transmitter Service with GSM modem(s); AD Sync. (optional) to an Active Directory Server.]
8.5 Multi Server Installation – Enterprise Setup
SMS PASSCODE® supports enterprise environments with 24x7 uptime demands. This is achieved
by supporting failover on all levels of the SMS PASSCODE® infrastructure:
Failover on the database level:
The Database service continuously pushes all data changes to all Transmitter services and
Load Balancing services. All data is cached locally which means that all Transmitter
services and Load Balancing services have access to all data even in case the Database
service becomes unavailable.
Failover on the Transmitter service level:
Starting from SMS PASSCODE® version 3.0, failover on the transmitter level can be
achieved in two different ways:
o Failover without Load Balancing service(s): Prior to SMS PASSCODE® version 3.0, the usage of the SMS PASSCODE® Load Balancing service was mandatory to obtain failover between Transmitter services. Please note that this is no longer the case. Now, on each server with one or more SMS PASSCODE® authentication clients installed, you can simply specify a prioritized list of Transmitter services to use. In this case, each authentication client will automatically switch to another Transmitter service in case the currently used Transmitter service becomes unavailable. If simple failover is your only concern, then this configuration can be used.
o Failover with Load Balancing service(s): If your concern is both failover and
scalability (expecting heavy loads), or if you need to make use of Load Balancing
Policies, the installation and use of Load Balancing services is required. In this
case, each Load Balancing service will continuously monitor all Transmitter services
and ensure an intelligent load balancing of all incoming SMS requests between all
available Transmitter services and GSM Modems.
The load balancing algorithm is customizable using Load Balancing Policies.
Using these policies it is possible to define in more detail how incoming requests
should be distributed. Please refer to section 12.1.8 (page 122) for more information
regarding this.
Failover on the GSM modem level:
Up to 32 GSM Modems may be connected to each Transmitter service in a modem pool.
Each Transmitter service automatically performs intelligent load balancing between all
available modems in its modem pool. In case a modem becomes unavailable, then the
Transmitter directs incoming requests to other GSM Modems in the modem pool. By using
SIM cards of different GSM service providers, you can even achieve failover on the carrier
level.
Failover on the authentication client level:
Each SMS PASSCODE® Authentication client can be configured to redirect its requests to either a list of several Transmitter services or a list of several Load Balancing services. In both cases, if any of the listed services becomes unavailable, then requests are automatically redirected to the services that are available. Please note that the list of services can be changed on-the-fly during operation without any downtime.
For optimal failover your SMS PASSCODE® installation should include:
- At least two Load Balancing services.
- At least two Transmitter services.
- At least two GSM Modems connected to each Transmitter service (i.e. at least 4 GSM modems in total).
- Each SMS PASSCODE® Authentication client should redirect requests to at least two Load Balancing services.
The following diagram illustrates an example of a minimum setup for optimal failover. Please note
that the 4 servers running Load Balancing Service and Transmitter Service could be
consolidated on two servers, since a Load Balancing service and a Transmitter service may run on
the same server.
[Network diagram: minimum setup for optimal failover. Citrix Web Interface Server 1 and Citrix Web Interface Server 2 (SMS PASSCODE® Citrix Web Interface Protection) each connect over TCP 8988 to Load Balancing Server 1 and Load Balancing Server 2 (SMS PASSCODE® Load Balancing Service); each Load Balancing service connects over TCP 8989 to SMS Gateway Server 1 and SMS Gateway Server 2 (SMS PASSCODE® Transmitter Service, GSM Modems); the SMS PASSCODE® Database Server (Database Service, Web Administration Interface) is reached over TCP 9090; AD Sync. (optional) to an Active Directory Server.]
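The port table of section 8.1 and the failover recommendations of section 8.5 can both be checked mechanically before the servers are built. The script below is an added example, not code from the Administrator's Guide or from SMS PASSCODE A/S: given a planned host layout it lists the TCP rules a firewall between the hosts has to allow (per the section 8.1 table) and reports which of the section 8.5 recommendations the layout misses. Host names and modem counts are constructed sample values, and the rule that a client's target is addressed as a Load Balancing service whenever that target hosts one is my assumption.

```python
"""Firewall rules and failover checks for a planned SMS PASSCODE 4.0 installation.
Added example, not from the Administrator's Guide or SMS PASSCODE A/S: the port matrix
follows section 8.1, the checks sections 8.2 and 8.5. Host names and modem counts
are constructed sample values."""
from dataclasses import dataclass, field

DB, WEB = "Database Service", "Web Administration Interface"
TX, LB = "Transmitter Service", "Load Balancing Service"
AUTH_CLIENTS = {"Citrix Web Interface Protection", "RADIUS Protection",
                "ISA/TMG Web Site Protection", "IIS Web Site Protection",
                "Windows Logon Protection", "CAGAE Protection"}


@dataclass
class Host:
    name: str
    roles: set = field(default_factory=set)      # core components and/or auth clients
    modems: int = 0                              # GSM modems on a Transmitter host
    targets: list = field(default_factory=list)  # prioritized service hosts of a client


def _hosts_with(hosts, role):
    return [h for h in hosts if role in h.roles]


def firewall_rules(hosts):
    """Sorted (source, destination, tcp_port) triples between different hosts;
    traffic that stays on one host never crosses a firewall and is left out."""
    rules = set()
    lb_in_use = bool(_hosts_with(hosts, LB))
    by_name = {h.name: h for h in hosts}

    def allow(src, dst, port):
        if src.name != dst.name:
            rules.add((src.name, dst.name, port))

    for h in hosts:
        if DB in h.roles:  # the Database service pushes data to every TX and LB service
            for t in _hosts_with(hosts, TX):
                allow(h, t, 8989)
            for lb in _hosts_with(hosts, LB):
                allow(h, lb, 8988)
        if WEB in h.roles:
            for d in _hosts_with(hosts, DB):
                allow(h, d, 9091)
            # Test SMS go via Load Balancing services when any exist, else to Transmitters.
            for s in _hosts_with(hosts, LB if lb_in_use else TX):
                allow(h, s, 8988 if lb_in_use else 8989)
        if TX in h.roles:
            for d in _hosts_with(hosts, DB):
                allow(h, d, 9090)
        if LB in h.roles:
            for d in _hosts_with(hosts, DB):
                allow(h, d, 9090)
            for t in _hosts_with(hosts, TX):
                allow(h, t, 8989)
        if h.roles & AUTH_CLIENTS:
            for target in h.targets:
                dst = by_name[target]
                # Assumption: a target hosting a Load Balancing service is used as one
                # (port 8988); any other target is used as a Transmitter service (8989).
                allow(h, dst, 8988 if LB in dst.roles else 8989)
    return sorted(rules)


def failover_findings(hosts):
    """Recommendations of section 8.5 (and the rule of section 8.2) that the
    layout does not satisfy; an empty list means the layout passes."""
    findings = []
    lb_hosts, tx_hosts = _hosts_with(hosts, LB), _hosts_with(hosts, TX)
    if len(hosts) == 1 and lb_hosts:
        findings.append("Load Balancing Service cannot be part of a Single Server Installation")
    if len(lb_hosts) < 2:
        findings.append("fewer than two Load Balancing services")
    if len(tx_hosts) < 2:
        findings.append("fewer than two Transmitter services")
    for t in tx_hosts:
        if t.modems < 2:
            findings.append(f"{t.name}: fewer than two GSM modems on its Transmitter service")
    lb_names = {h.name for h in lb_hosts}
    for h in hosts:
        if not h.roles & AUTH_CLIENTS:
            continue
        if len(h.targets) < 2:
            findings.append(f"{h.name}: authentication client lists fewer than two services")
        elif lb_names and not set(h.targets) <= lb_names:
            findings.append(f"{h.name}: should point at Load Balancing services, not Transmitters")
    return findings


# Constructed layouts: the minimum setup of section 8.5 and the first example of 8.3.
OPTIMAL = [
    Host("db1", {DB, WEB}),
    Host("lb1", {LB}), Host("lb2", {LB}),
    Host("gw1", {TX}, modems=2), Host("gw2", {TX}, modems=2),
    Host("wi1", {"Citrix Web Interface Protection"}, targets=["lb1", "lb2"]),
    Host("wi2", {"Citrix Web Interface Protection"}, targets=["lb1", "lb2"]),
]
SIMPLE = [
    Host("sp1", {DB, WEB, TX}, modems=1),
    Host("wi1", {"Citrix Web Interface Protection"}, targets=["sp1"]),
]
```

Running `firewall_rules(OPTIMAL)` yields the 16 cross-host rules drawn in the diagram above, and `failover_findings(SIMPLE)` lists what the single-core-server layout of section 8.3 lacks compared with section 8.5.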
8.6 Multi Server Installation – Total Distribution
In this section, the last Multi Server Installation example is shown. This example illustrates how it is
possible to completely distribute all components on separate servers. The first diagram shows a
complete distribution without making use of the Load Balancing Service:
[Network diagram: total distribution without the Load Balancing Service. Separate servers run the SMS PASSCODE® Database Server (Database Service; AD Sync. (optional) to an Active Directory Server), a Web Server (IIS) with the SMS PASSCODE® Web Administration Interface (TCP 9091 to the Database Service) and the SMS Gateway Servers (SMS PASSCODE® Transmitter Service, GSM Modems; TCP 9090 to the Database Service). The authentication clients each sit on their own server: Citrix Web Interface Server (SMS PASSCODE® Citrix Web Interface Protection), Terminal Server / Remote Desktop Server (SMS PASSCODE® Windows Logon Protection), RADIUS Server with MS IAS or NPS (SMS PASSCODE® RADIUS Protection) serving a RADIUS client, Citrix Advanced Access Control Server (SMS PASSCODE® CAGAE Protection), Web Server (IIS), e.g. OWA Server (SMS PASSCODE® IIS Web Site Protection), and Security Gateway with MS ISA/TMG Server (SMS PASSCODE® ISA/TMG Web Site Protection); all of them reach the Transmitter services over TCP 8989. A firewall separates LAN and DMZ.]
The second diagram below shows a complete distribution, including the Load Balancing Service:
[Network diagram: total distribution including the Load Balancing Service. Separate servers run the SMS PASSCODE® Database Server (Database Service; AD Sync. (optional) to an Active Directory Server), a Web Server (IIS) with the SMS PASSCODE® Web Administration Interface (TCP 9091 to the Database Service), the Load Balancing Servers (SMS PASSCODE® Load Balancing Service; TCP 9090 to the Database Service, TCP 8989 to the Transmitter services) and the SMS Gateway Servers (SMS PASSCODE® Transmitter Service, GSM Modems; TCP 9090 to the Database Service). The authentication clients each sit on their own server: Citrix Web Interface Server (SMS PASSCODE® Citrix Web Interface Protection), Terminal Server / Remote Desktop Server (SMS PASSCODE® Windows Logon Protection), RADIUS Server with MS IAS or NPS (SMS PASSCODE® RADIUS Protection) serving a RADIUS client, Citrix Advanced Access Control Server (SMS PASSCODE® CAGAE Protection), Web Server (IIS), e.g. OWA Server (SMS PASSCODE® IIS Web Site Protection), and Security Gateway with MS ISA/TMG Server (SMS PASSCODE® ISA/TMG Web Site Protection); all of them reach the Load Balancing services over TCP 8988. A firewall separates LAN and DMZ.]
9 PRE-INSTALLATION ACTIONS
This section describes the actions to perform BEFORE running the SMS PASSCODE® installation
program. Please read this section carefully.
9.1 Check SIM Cards
Before running an SMS PASSCODE® installation, please ensure that all SIM cards are working
correctly.
Important: It is strongly recommended to check each SIM card according to the instructions below
BEFORE the SMS PASSCODE® installation is started. It is our experience that more than 90% of
all installation problems are related to SIM card problems.
The procedure for checking a SIM card is described below. Perform the check at the location
where the GSM modem that the SIM card is intended for will be installed, so that coverage is
tested where it matters.
For each SIM card perform the following actions:
1. Insert the SIM card into a cell phone.
2. Enter PIN code if the SIM card requires this.
3. Wait until the cell phone has been registered on the mobile network.
4. Enter a new SMS and send it to another cell phone. Check that the transmission succeeds
and that the SMS is received correctly on the other cell phone.
If the above check is not successful, it is usually caused by one of the following:
• The SIM card is not active or has been closed: Contact your cell phone operator and
request activation of the SIM card.
• There is no GSM coverage at the location in question: You have the following
possibilities in this case:
o Move the server together with the GSM modem(s) to another location
o Lengthen the antenna of the modem (e.g. to the roof of the building)
o Move the GSM modem(s) to another location by installing the Transmitter Service
on another server at a different location
o Move the GSM modem(s) to another location by connecting them to a serial port
server (e.g. Moxa NPort or Moxa OnCell) connected to the network
For further information regarding external modem antennas or serial port servers please contact
your SMS PASSCODE® reseller or support@smspasscode.com.
9.2 Check System Requirements
Before running an SMS PASSCODE® installation, please make sure that all system requirements
are fulfilled for the components that you are planning to install. System requirements are listed in
section 6 (page 18).
Please remember:
• Citrix Web Interface Protection
If you are planning to install the Citrix Web Interface Protection component, then a
supported version of Citrix Web Interface must be installed on the Citrix Web Interface
server beforehand and at least one Citrix Web Interface must have been published.
• RADIUS Protection
o If you are planning to install the RADIUS Protection component on a Windows
Server 2003, then the Internet Authentication Service (IAS) must be installed on this
server beforehand. Installation of IAS is described in section 9.2.1.
o If you are planning to install the RADIUS Protection component on a Windows
Server 2008 (R2), then the Network Policy Server (NPS) role must be added to this
server beforehand. Installation of NPS is described in section 9.2.2.
• ISA/TMG Web Site Protection
If you are planning to install the ISA/TMG Web Site Protection component on a server,
then Microsoft ISA Server 2006 or Microsoft TMG 2010 must be installed on this server
beforehand.
• IIS Web Site Protection
If you are planning to install the IIS Web Site Protection component on a Windows Server
2003, then Internet Information Services (IIS) must be installed on this server beforehand.
On Windows Server 2008 (R2), IIS is installed automatically if it is missing.
• Citrix Access Gateway Advanced Edition Protection
If you are planning to install the Citrix Access Gateway Advanced Edition Protection
component on a server, then the Citrix Advanced Access Control software for Citrix Access
Gateway Advanced Edition, version 4.5, must be installed on this server beforehand.
• Microsoft Terminal Services / Remote Desktop Services Protection
If you are planning to protect Microsoft Remote Desktop Services, formerly called Microsoft
Terminal Services, on Windows Server 2008 (R2), please refer to section 9.2.3 (page 44)
before starting the SMS PASSCODE® installation.
• Microsoft SharePoint Portal Server Protection
If you are planning to protect Microsoft SharePoint Portal Server, please refer to section
9.2.5 (page 54) before starting the SMS PASSCODE® installation.
9.2.1 Installation of IAS
This section describes how to install the Microsoft Internet Authentication Service (IAS) on a
Windows Server 2003. You have to install IAS on a Windows Server 2003 only if you are planning
to install the SMS PASSCODE® RADIUS Protection component on this server. To install IAS,
please follow the instructions below:
1. Click on Add/Remove Programs in the Control Panel:
2. Click on Add/Remove Windows Components:
3. A list of Windows Components appears. Scroll down to Networking Services.
a. Mark Networking Services.
b. Click the Details button
4. A list of Networking Services appears.
a. Check Internet Authentication Service.
b. Click the OK button.
5. Click the OK button.
6. Click the Next button.
7. Click the Finish button. IAS has now been installed.
9.2.2 Installation of NPS
This section describes how to install the Microsoft Network Policy Server (NPS) role on a Windows
Server 2008 (R2). You have to install NPS on a Windows Server 2008 (R2) only if you are planning
to install the SMS PASSCODE® RADIUS Protection component on this server.
To install NPS, please run the following command in a command prompt:
ServerManagerCmd -i NPAS-Policy-Server
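As an added example, not part of this guide, the same role installation done from PowerShell on Windows Server 2008 R2, followed by the checks worth running before the RADIUS Protection component is installed on top of NPS: the role is present, the NPS service (which still carries the service name IAS) is running, and the RADIUS UDP listeners are bound. The ServerManager module exists only on Windows Server 2008 R2; on Windows Server 2008 keep using the ServerManagerCmd command above. An elevated PowerShell session is assumed.

```powershell
# Added example, not from the SMS PASSCODE guide: install and verify the NPS role.
# Assumes Windows Server 2008 R2 (ServerManager module) and an elevated prompt.
Import-Module ServerManager

$feature = Get-WindowsFeature -Name NPAS-Policy-Server
if (-not $feature.Installed) {
    $result = Add-WindowsFeature -Name NPAS-Policy-Server
    if (-not $result.Success) {
        throw "Installation of NPAS-Policy-Server failed"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning "A restart is required before continuing"
    }
}

# The Network Policy Server service keeps the historical service name 'IAS'.
$svc = Get-Service -Name IAS -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Start-Service -Name IAS
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}

# By default NPS listens for RADIUS authentication on UDP 1812 and 1645 and
# for accounting on UDP 1813 and 1646; confirm that the sockets exist before
# pointing any RADIUS client (firewall, gateway, VPN) at this server.
$listeners = netstat -a -n -p UDP | Select-String -Pattern ':(1812|1645|1813|1646)\s'
if (-not $listeners) {
    throw "NPS is running but no RADIUS UDP listener was found"
}
$listeners | ForEach-Object { $_.Line.Trim() }
```

If the last step shows no listeners, fix NPS itself before installing RADIUS Protection; the SMS PASSCODE® component relies on NPS receiving the RADIUS requests.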
9.2.3 Protection of TS/RD Web Access on Windows Server 2008 (R2)
In this section the term Remote Desktop Services (RDS) will be used to refer to both the former
term Terminal Services and the new term Remote Desktop Services.
Starting from SMS PASSCODE® version 4.0, the SMS PASSCODE® Windows Logon
Protection component also supports Windows Server 2008. This means that you now
have three different options for protecting RDP access to RDS session hosts. You can
either use SMS PASSCODE® Windows Logon Protection to protect the Windows
Logon on the RDS session hosts directly, or you can use SMS PASSCODE® IIS Web Site
Protection or ISA/TMG Web Site Protection to protect an RD Web Access site being used for
accessing the RD applications.
The latter two cases, i.e. protecting the RD Web Access site, are recommended if you are planning
to provide access to your RD applications using an RD Web Access site. This section describes
the steps necessary to achieve this.
Please note that it is mandatory to access the RD session host servers through an RD Gateway
when protecting access to RDS using an RD Web Access site.
The following two diagrams illustrate the required infrastructure setup, respectively, for performing
SMS PASSCODE® authentication on an ISA/TMG server or an RD Web Access server:

[Diagram: SMS PASSCODE® protected RD Web Access site with two-factor authentication performed on the ISA/TMG Server. Between the External Network and the Internal Network sits a Microsoft ISA Server 2006 or Microsoft TMG 2010 running SMS PASSCODE® ISA/TMG Web Site Protection. On the Internal Network: a Web Server (MS Internet Information Server (IIS)) hosting RD Web Access + RD Gateway, a RADIUS Server (MS NPS) and the MS RDS Session Host Servers.]

[Diagram: SMS PASSCODE® protected RD Web Access site with two-factor authentication performed on the Web Server. Between the External Network and the Internal Network sits a Firewall (e.g. Cisco, CheckPoint, ISA/TMG). On the Internal Network: a Web Server (MS Internet Information Server (IIS)) hosting RD Web Access + RD Gateway and running SMS PASSCODE® IIS Web Site Protection, a RADIUS Server (MS NPS) and the MS RDS Session Host Servers.]
Please notice:
• If the RD Web Access site has been published through an ISA/TMG Server using a Web
Listener with form-based authentication enabled:
o The SMS PASSCODE® ISA/TMG Web Site Protection component must be
installed on the ISA/TMG Server. You may install any other SMS PASSCODE®
components on the ISA/TMG server as well, but this is not recommended.
o It is mandatory that the RD Web Access site and the RD Gateway site are
published using the same Web Listener.
o The RD Web Access site and RD Gateway site do not need to be hosted on the
same IIS.
o Single sign-on in the RD Web Access site is not supported (this is a general
restriction when the RD Web Access site is configured to use Basic or Integrated
Windows Authentication).
o Please read section 9.2.3.1 (below) for detailed instructions regarding this setup.
• If the RD Web Access site has been published through any firewall (using NAT on port 443)
with authentication being performed on the Web Server:
o The SMS PASSCODE® IIS Web Site Protection component must be installed on
the Web Server (i.e. the RD Web Access server). You may install any other SMS
PASSCODE® components on the Web Server as well. E.g. if no other kind of SMS
PASSCODE® protection is required, then you can perform an SMS PASSCODE®
Single Server Installation on the Web Server.
o It is mandatory that the RD Web Access site and RD Gateway site are hosted in
the same site on the same IIS.
o Single sign-on in the RD Web Access site is supported.
o Please read section 9.2.3.2 (page 52) for detailed instructions regarding this setup.
• Always:
o The SMS PASSCODE® RADIUS protection component must NOT be installed on
the RADIUS server.
o The Web Server and RADIUS server could be consolidated to a single server
(installing both NPS and IIS 7.0/7.5 on the same server).
IMPORTANT: The SMS PASSCODE® RD Web Access protection will ensure that all users
MUST authenticate using the RD Web Access site before any remote applications can be
accessed through the RD Gateway. In other words, any attempt to access remote applications
through the RD Gateway, without any prior authentication in the RD Web Access site, will fail.
9.2.3.1 Protecting RD Web Access with 2FA on the ISA/TMG server
This section describes how to protect your RD Web Access site by performing SMS PASSCODE®
authentication directly on an ISA/TMG Server before the authenticated user is forwarded to the RD
Web Access server:
1. Set up the Web Server if this has not been done yet. I.e. install IIS 7.0/7.5, RD Web Access
site and RD Gateway site on the Web Server (it is also supported to install the RD Gateway
and RD Web Access site on two different web servers, if required).
2. Install and configure the ISA/TMG server as described in this article:
http://technet.microsoft.com/en-us/library/cc731249(WS.10).aspx.
In the section To create a Web listener on the ISA Server follow the instructions as
specified, except step 8b where you must select one of the first 3 options instead of
RADIUS OTP:
In the section To publish a Web site on the ISA Server by using the Web Listener
follow the instructions as specified, except step 3 where you should name the rule “TS
Gateway” or “RD Gateway”.
3. Test and verify that remote access from the external network to the MS Remote Desktop
Server(s) through the RD Web Access site works as expected (using only AD credentials
for authentication). If this test succeeds, you are now ready to add SMS PASSCODE®
protection as described in the steps below.
4. On each RD Session Host server perform the following actions: In the Server Manager
right-click the RemoteApp Manager and select RD Gateway Settings.
a. Select the Custom RDP Settings tab.
b. Enter the following two lines into the Custom RDP settings textbox:
pre-authentication server address:s:https://fqdn/rdroot
require pre-authentication:i:1
…where fqdn must be replaced with the fully qualified domain name of the SSL
certificate used for publishing the RD Web Access site, and rdroot must be
replaced with the RD Web Access URL (“TS” and “RDWeb” by default on Windows
Server 2008 and Windows Server 2008 R2, respectively).
5. On the ISA/TMG server perform the following additional configuration steps:
a. Copy the Web Site Publishing Rule “TS Gateway” / ”RD Gateway” that you have
created earlier (right-click and select Copy; then right-click and select Paste). The
new copy will be called the “RD Web Access” rule below.
b. Edit the Web Site Publishing Rule “TS Gateway” / “RD Gateway” (right-click and
select Properties) and make the following changes:
i. On the Paths tab remove any existing paths and add the path “/rpc/*”.
ii. Click OK
c. Edit the “RD Web Access” rule created in step 5a (right-click and select
Properties). Enter the name “TS Web Access” or “RD Web Access” on the General
tab and make the following changes:
i. Select NTLM authentication on the Authentication Delegation tab.
ii. On the Paths tab remove any existing paths and add the path “/ts/*” or
“/rdweb/*” on Windows Server 2008 or Windows Server 2008 R2, respectively.
iii. Click OK.
6. Now, install SMS PASSCODE® ISA/TMG Web Site Protection on the ISA/TMG Server.
7. Enable SMS PASSCODE® authentication on the Web Listener used on the Web publishing
rule RD Web Access. Please read section 0 (page 198) for instructions on how SMS
PASSCODE® authentication is enabled on a Web Listener.
8. Test that SMS PASSCODE® authentication works as expected.
Please notice that users will have to re-enter the AD credentials when starting a Remote
Desktop application. This is expected behavior because single sign-on is not supported by
the RD Web Access site in general when it is published through an ISA/TMG server using a
Web Listener.
9.2.3.2 Protecting RD Web Access directly on the IIS
This section describes how to protect your RD Web Access site by performing SMS PASSCODE®
authentication directly on the Web Server, i.e. the IIS hosting the RD Web Access site.
1. Set up the Web Server if this has not been done yet. I.e. install IIS 7.0/7.5, RD Web Access
site and RD Gateway site on the Web Server. Do NOT install SMS PASSCODE® IIS Web
Site Protection on the Web Server yet.
2. Test and verify that remote access (from the external network) to the MS Remote Desktop
Server(s) through the RD Web Access site works as expected (using only AD credentials
for authentication). If you are planning to use single sign-on (SSO), please also test and
verify that this works as expected. If these tests succeed, you are ready to add SMS
PASSCODE® protection as described in the steps below.
3. Perform the following actions on each RD Session Host server: In the Server Manager right-
click the RemoteApp Manager and select RD Gateway Settings.
a. Select the Custom RDP Settings tab.
b. Enter the following two lines into the Custom RDP settings textbox:
pre-authentication server address:s:https://fqdn/rdroot
require pre-authentication:i:1
…where fqdn must be replaced with the fully qualified domain name of the SSL
certificate used for publishing the RD Web Access site, and rdroot must be
replaced with the RD Web Access URL (“TS” and “RDWeb” by default on Windows
Server 2008 and Windows Server 2008 R2, respectively).
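As an added example, not part of this guide, a PowerShell check that covers both step 4 in section 9.2.3.1 and step 3 above: it parses an .rdp file of the kind RemoteApp Manager produces and reports whether the two pre-authentication lines are present and consistent with the gateway name. The key names pre-authentication server address and require pre-authentication are the ones from the guide; gatewayhostname is the standard .rdp key for the RD Gateway name; the host names and the two sample files are constructed. It runs on any Windows PowerShell and needs no server role.

```powershell
# Added example, not from the SMS PASSCODE guide: verify the RD Gateway
# pre-authentication settings in a RemoteApp .rdp file before handing it to users.
# Sample host names below are constructed (assumption, not from the guide).

function Get-RdpSettings {
    param([Parameter(Mandatory = $true)][string[]]$Lines)
    # Each non-empty line has the form <name>:<type>:<value>; type s = string, i = integer.
    $settings = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '') { continue }
        $m = [regex]::Match($line, '^(?<name>[^:]+):(?<type>[si]):(?<value>.*)$')
        if (-not $m.Success) { continue }
        $settings[$m.Groups['name'].Value.ToLowerInvariant()] = $m.Groups['value'].Value
    }
    return $settings
}

function Test-RdpPreAuthentication {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Settings,
        [Parameter(Mandatory = $true)][string]$RdRoot   # 'TS' on 2008, 'RDWeb' on 2008 R2
    )
    $problems = @()

    # The guide's RD Web Access protection relies on this flag: it is what makes the
    # RD Gateway refuse connections from users who never logged on through RD Web Access.
    if ($Settings['require pre-authentication'] -ne '1') {
        $problems += "require pre-authentication is not 1"
    }

    $address = $Settings['pre-authentication server address']
    if (-not $address) {
        $problems += "pre-authentication server address is missing"
        return $problems
    }
    $uri = $null
    if (-not [Uri]::TryCreate($address, [UriKind]::Absolute, [ref]$uri) -or $uri.Scheme -ne 'https') {
        $problems += "pre-authentication server address must be an https URL, got '$address'"
        return $problems
    }
    if ($uri.Host -notmatch '\.') {
        $problems += "pre-authentication host '$($uri.Host)' is not a fully qualified name"
    }
    if ($uri.AbsolutePath.Trim('/') -ne $RdRoot) {
        $problems += "pre-authentication path '$($uri.AbsolutePath)' is not /$RdRoot"
    }
    # The published name, the certificate name and the gateway name must agree,
    # otherwise clients get certificate warnings or never reach the pre-auth site.
    $gateway = $Settings['gatewayhostname']
    if ($gateway -and $gateway -ne $uri.Host) {
        $problems += "gatewayhostname '$gateway' differs from pre-authentication host '$($uri.Host)'"
    }
    return $problems
}

# Constructed sample files: one configured as the guide describes, one where the
# Custom RDP settings were never entered (RemoteApp Manager defaults).
$samples = @{
    'protected.rdp' = @(
        'remoteapplicationmode:i:1'
        'full address:s:rdsh01.corp.example.com'
        'gatewayhostname:s:remote.example.com'
        'gatewayusagemethod:i:1'
        'pre-authentication server address:s:https://remote.example.com/RDWeb'
        'require pre-authentication:i:1'
    )
    'unprotected.rdp' = @(
        'remoteapplicationmode:i:1'
        'full address:s:rdsh01.corp.example.com'
        'gatewayhostname:s:remote.example.com'
        'gatewayusagemethod:i:1'
    )
}

foreach ($name in $samples.Keys) {
    $problems = @(Test-RdpPreAuthentication -Settings (Get-RdpSettings $samples[$name]) -RdRoot 'RDWeb')
    if ($problems.Count -eq 0) {
        "{0}: OK" -f $name
    } else {
        "{0}: {1}" -f $name, ($problems -join '; ')
    }
}
```

Run the check against the .rdp files exported from every RD Session Host after step 3; a file that reports a missing require pre-authentication line describes a RemoteApp that the RD Gateway would accept without the SMS PASSCODE® logon.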
4. Now, install SMS PASSCODE® IIS Web Site Protection on the Web Server. During the
installation, enable SMS PASSCODE® protection of the RD Web Access site:
5. Test that SMS PASSCODE® authentication works as expected.
9.2.4 Protecting VMware View 4.0
SMS PASSCODE® 4.0 supports protection of VMware View 4.0 virtual clients. To achieve this,
please proceed as follows:
• Install SMS PASSCODE® Windows Logon Protection on all virtual clients.
• If the virtual clients have Windows XP installed, please note that the single sign-on
component of the VMware agent must not be installed, since it will conflict with the SMS
PASSCODE® Windows Logon Protection component. There is no such restriction when
the virtual clients have Windows Vista or Windows 7 installed.
• Configure VMware View users to access the virtual clients using RDP when SMS
PASSCODE® authentication is required, and using PCoIP when SMS PASSCODE®
authentication is not required. A recommended setup is to use RDP for remote access and
PCoIP for access on the internal LAN.
You can run the SMS PASSCODE® Configuration Tool with the new command line arguments to
distribute any necessary SMS PASSCODE® settings to all VMware View clients (please read
section 0, page 229, for more details).
9.2.5 Protection of SharePoint Portal Server
SMS PASSCODE® can efficiently protect SharePoint Portal Server (version 2003 and newer) and
other application web sites.
The general requirement for successful SMS PASSCODE® protection is that the web application
must only request a user authentication on the initial user log on, or alternatively, a security
gateway that ensures this behavior must be used.
SharePoint Portal server is an example of a web application that might request user authentication
multiple times during a session, e.g. when a user is editing a Word document. Therefore, to make
SMS PASSCODE® protection of a SharePoint Portal server work it is mandatory to publish it
through a security gateway that will prevent the additional user authentications during a session.
Examples of scenarios for successful SMS PASSCODE® protection of a SharePoint Portal server:
• Publish the SharePoint Portal server through a Microsoft Intelligent Application Gateway
(IAG), a Microsoft Unified Access Gateway (UAG), a Citrix Access Gateway Enterprise
Edition or a Juniper SA. Configure the gateway to use RADIUS authentication from a
RADIUS server with SMS PASSCODE® RADIUS Protection installed. The advantage of
this setup is that the listed security gateways have built-in features for cleaning up the client
machines, e.g. removing any documents downloaded from the SharePoint Portal.
• Publish the SharePoint Portal server through a Microsoft ISA/TMG server using a Web
Listener with persistent cookies and enable SMS PASSCODE® authentication on the Web
Listener by installing SMS PASSCODE® ISA/TMG Web Site Protection on the ISA/TMG
server. The disadvantage of this setup is that the ISA/TMG server will not perform any
clean up on the client machines. I.e. any downloaded documents might remain on the client
machine afterwards.
Recommendation
Prior to installing SMS PASSCODE® protection, please always test and verify that the published
SharePoint Portal site works as required, i.e. that authentication occurs only once during the initial
logon.
The following section shows an example on how to publish a SharePoint Portal server using a
Microsoft IAG.
9.2.5.1 Example: Protecting a SharePoint Portal server using IAG
This section describes the necessary actions to apply SMS PASSCODE® protection to a
SharePoint Portal server published through a MS IAG.
1. Prepare an SMS PASSCODE® RADIUS server by installing the SMS PASSCODE®
RADIUS protection component on a Windows server with IAS/NPS installed.
2. Add an Authentication Server in the IAG that uses the SMS PASSCODE® RADIUS server
for authentication:
o In the Advanced Trunk Configuration dialog, click Add… to create a new
authentication server:
o Select Type = RADIUS and configure the RADIUS settings to use the SMS
PASSCODE® RADIUS server. Remember to check the Support Challenge
Response checkbox:
3. Configure each application within IAG that must be protected by SMS PASSCODE®
authentication, to use the credentials provided by the SMS PASSCODE® authentication
server. This is done by selecting the SMS PASSCODE® authentication server on the Web
Settings tab while editing the application:
Please contact support@smspasscode.com if you need further information regarding SharePoint
Portal server protection.
10 UPGRADE
You can upgrade the following versions of SMS PASSCODE® directly to version 4.0:
SMS PASSCODE® 3.0
SMS PASSCODE® 3.0.1
SMS PASSCODE® 3.1
To perform the upgrade you just have to run the SMS PASSCODE® 4.0 installation like a “First-
time installation” (cf. section 11). Do not uninstall any earlier version of SMS PASSCODE® before
installing version 4.0. The installation package will automatically upgrade the previous version and
convert the database to the new file format.
IMPORTANT: If you are using CAGAE protection, please remember to repeat the actions for
protecting each logon point after the upgrade (cf. section 12.8.1, page 218).
11 FIRST-TIME INSTALLATION
To install SMS PASSCODE® you have to complete 3 steps:
1. Install hardware, i.e. GSM modem(s) (section 11.1, page 59).
2. Install software (section 11.2, page 60).
3. Configure SMS PASSCODE® (section 12, page 98).
These 3 steps are described in the specified sections.
11.1 Installation of Hardware
Before installing the SMS PASSCODE® software, please connect all GSM modems. Prior to a
Single Server Installation you should connect all modems to the server that SMS PASSCODE® is
going to be installed on. Prior to a Multi Server Installation you should connect each modem to a
server on which a Transmitter Service is going to be installed. In a typical scenario, you will
distribute the modems evenly, i.e. connect the same number of modems to each server running
the Transmitter Service.
Please follow the instructions below when connecting each GSM modem:
WARNING: Please follow the instructions below in strict order to avoid damaging the hardware.
Please note that the power cord is not connected until step 7.
1. Release the SIM card tray of the GSM modem by pushing a pointed object into the small
hole beside the tray.
2. Insert a SIM card into the tray.
3. Carefully push the tray back into the GSM modem again. DO NOT USE FORCE.
4. Screw the antenna (included) onto the GSM modem.
5. Connect the GSM modem to a serial port using the serial cable (included).
6. Connect the GSM modem to the power supply (included).
7. Put the plug of the power supply in the socket.
8. Check that a green LED is flashing on the modem.
You are now ready to install the SMS PASSCODE® software.
11.2 Installation of the SMS PASSCODE® Software
When all GSM modems have been connected following the instructions above then you are ready
to install the SMS PASSCODE® software. Before running the installation, you should decide
whether to perform a Single Server Installation or a Multi Server Installation. Please read section 8
(page 27) if you are in doubt.
The subsections below describe how to perform a Single Server Installation (section 11.2.1, page
60) or a Multi Server Installation (section 11.2.2, page 75). Please note that the choice of
installation type is not permanent. If you start with a Single Server Installation, you can easily
change it to a Multi Server scenario later on – and vice versa.
IMPORTANT: You must have administrator rights to install any SMS PASSCODE® components.
11.2.1 Single Server Installation
This section describes how to perform a Single Server Installation of SMS PASSCODE®. During a
Single Server Installation all components are installed on the same server. The components
Database Service, Web Administration Interface and Transmitter Service are always installed.
This means, that the target server must fulfill the system requirements for all 3 components (cf.
section 5, page 14). In addition, you can optionally install the components Citrix Web Interface
Protection, RADIUS Protection, ISA/TMG Web Site Protection, IIS Web Site Protection,
Windows Logon Protection and/or CAGAE Protection, as long as the system requirements for
these components are fulfilled.
SMS PASSCODE® is installed using one of the installation programs SmsPasscode-400-x86.exe
(32-bit) or SmsPasscode-400-x64.exe (64-bit). Please follow the instructions below:
1. Log on to the server using a user account with local administrator permissions.
2. Copy SmsPasscode-400-x86.exe or SmsPasscode-400-x64.exe to a local path on the
server.
3. Start the installation by double-clicking the setup file (SmsPasscode-400-x86.exe for
32-bit or SmsPasscode-400-x64.exe for 64-bit).
4. If the Microsoft .NET 3.5 SP1 Framework is not installed, then it will be downloaded and
installed automatically before the main SMS PASSCODE® installation begins.
5. A Welcome dialog appears. Click the Next button.
(During an upgrade from an earlier version of SMS PASSCODE® a notice that an upgrade
is about to occur will appear in this window.)
6. An End-User License Agreement (EULA) appears. Please read the agreement carefully. If
you accept the EULA:
a. Click on I accept the terms in the license agreement.
b. Click the Next button.
7. A dialog for selecting the type of installation appears:
a. Leave the selection on Single Server Installation.
b. Click the Next button.
8. A dialog for entering license information appears.
a. Enter name of “Licensed to” from the license e-mail.
Important: Please enter the company name exactly as it is written in the license
e-mail. Use copy & paste.
b. Enter the license code from the license e-mail. Use copy & paste.
c. Click the Next button.
9. A dialog for selecting the installation folder appears.
a. It is recommended to use the proposed default installation folder. In case you want
to change the path anyhow: Click the Change button and select a new path.
b. Click the Next button.
10. A dialog for specifying the default prefix appears.
a. Specify the default prefix for mobile phone numbers. All mobile phone numbers
without an explicit prefix will have this prefix automatically added.
b. Click the Next button.
11. A dialog for configuring the first GSM modem appears.
a. Select a serial port to which a GSM modem is connected.
b. Enter the PIN code of the SIM card in the GSM modem. If the SIM card does not
require a PIN code, then leave the field empty.
c. Click the Next button.
Note: It is possible to configure only the first GSM modem during installation. If you have
connected more modems, then you have to configure these modems using the Web
Administration Interface after the installation has completed.
12. A dialog for setting up the Web Administration Interface appears.
a. It is recommended to use the proposed default path for the Web Administration
Interface installation folder. If you want to change the path anyhow:
Click the Change button and select a new path.
b. It is recommended to use the proposed default TCP port for the Web
Administration Interface site. If you want to change the TCP port anyhow, e.g.
because of a port conflict with another application or another web site, then enter a
different TCP port.
c. Click the Next button.
13. A dialog for selecting Authentication Clients appears.
a. Select the optional components that you would like to install on this server. Please
read section 5, page 14, for more details on each component. You may also click
the question mark buttons in the dialog window to get more information.
Please note: The selection of Authentication Clients is NOT permanent. In case you
would like to add or remove Authentication Clients, you can always run the
installation again afterwards (cf. section 0).
PLEASE NOTE: If a component is disabled for selection, this is caused by system
requirements not being fulfilled for this component (cf. section 6, page 18).
b. Click the Next button.
14. If the Citrix Web Interface Protection component was selected, and if more than one
Citrix Web Interface has been published on the server, then a dialog appears for selecting
the Citrix Web Interface that you would like to protect using SMS PASSCODE®. If this
dialog does not appear, then just skip to the next step.
a. Please select the physical path for the Citrix Web Interface that should be
protected by SMS PASSCODE® authentication.
b. Click the Next button.
Note: The installation program currently supports only activation of SMS PASSCODE®
protection for a single Citrix Web Interface. If you need to protect several Citrix Web
Interfaces on the same server, then this is also possible. Please contact
support@smspasscode.com for instructions regarding this.
15. If the Citrix Web Interface Protection component was selected, then a dialog for selecting
the scenario that you would like to use for the protection of the Citrix Web Interface with
SMS PASSCODE® appears. If this dialog does not appear, then just skip to the next step.
a. Select one of the following three scenarios:
i. Disabled: Select this option to disable SMS PASSCODE® authentication for
now and enable it manually afterwards (as described in section 12.3).
ii. Standalone or Side-by-Side logon: Select this option (recommended) to
activate standard SMS PASSCODE® authentication. If no other kind of two-
factor authentication system is activated, then all users must now
authenticate using SMS PASSCODE® to log on to the Citrix Web Interface –
this is called Standalone logon. If another kind of two-factor authentication
system is activated (e.g. RSA SecurID® or SafeWord®), then the users can
either authenticate using SMS PASSCODE® or the other authentication
system – this is called Side-by-Side logon.
iii. Dual logon: Select this option if you need extra high security. If no other
kind of two-factor authentication system is activated, then this option is
identical with option (ii). I.e. all users are authenticated using SMS
PASSCODE® to log on to the Citrix Web Interface – this is called Standalone
logon. But if another two-factor authentication system is activated (e.g. RSA
SecurID® or SafeWord®), then all users must now authenticate both using
SMS PASSCODE® and the other authentication system to log on – this is
called Dual logon.
b. Click the Next button.
16. If the IIS Web Site Protection component was selected and Microsoft Outlook Web
Access (OWA) is installed on the server, then a dialog for configuring SMS PASSCODE®
protection of the OWA site appears. If this dialog does not appear, then just skip to the next
step.
a. Check this option if the OWA site on the server should be protected using SMS
PASSCODE® authentication.
b. Check this option to allow ActiveSync clients to synchronize using the OWA site on
this server. In this case, SMS PASSCODE® authentication will be disabled for
ActiveSync requests. Please maintain security by protecting the ActiveSync clients
by other means.
c. Check this option to allow RPC over HTTP/HTTPS connections using the OWA site
on this server. In this case, SMS PASSCODE® authentication will be disabled for
RPC over HTTP/HTTPS requests. Please maintain security by protecting these
clients by other means.
d. Click the Next button.
17. If the IIS Web Site Protection component was selected and the Microsoft Remote Desktop
Web Access site and the Microsoft Remote Desktop Gateway site both are installed on the
server, then a dialog for configuring SMS PASSCODE® protection of the RD Web Access
site appears. If this dialog does not appear, then just skip to the next step.
a. Check this option if the RD Web Access site on the server should be protected
using SMS PASSCODE® authentication.
b. Click the Next button.
18. You are now ready to perform the installation according to the choices you have made.
Click the Install button.
19. A dialog showing the progress of the installation appears …
20. When the installation has completed, the following dialog appears. Click the Finish button.
21. You have now completed the SMS PASSCODE® Single Server Installation. Please read
section 12 (page 98) regarding configuration of SMS PASSCODE®.
11.2.2 Multi Server Installation
This section describes how to perform a Multi Server Installation of SMS PASSCODE®.
As explained in section 5 (page 14), SMS PASSCODE® is composed of several software
components. You can install each component by itself or together with other SMS PASSCODE®
components on a machine. In a Multi Server Installation you have complete control of how to
distribute the components on several machines. However, a valid Multi Server Installation must
fulfill the following requirements:
A single Database Service must be installed on a server.
At least one Web Administration interface must be installed – preferably on the same
server as the Database Service.
At least one Transmitter Service must be installed on a server.
At least one GSM modem must be connected to a Transmitter Service.
It is optional to install the Load Balancing Service during a Multi Server Installation (cf. section
8.5, page 35).
The procedure for a Multi Server Installation is to run the installation package on each involved
machine and select the components to be installed on this machine. The recommended order of
actions is:
1. First install the Database Service component on a server (the database server). If other
SMS PASSCODE® components are planned to be installed on the same server, then also
include these components during this installation. It is recommended to include the Web
Administration interface component.
2. Configure SMS PASSCODE® using the Web Administration Interface (cf. section 12.1).
You should already at this time create all planned load balancing servers, transmitter
servers and GSM modems in the database.
3. Now install the Transmitter Service component on all those servers where this component
is planned for installation. If other SMS PASSCODE® components are planned to be
installed on some of these servers, then also include these components during installation.
Please note: In case you have already installed the Transmitter Service component on a
server during step 1, do not run the installation again on this server.
4. If you plan to use the Load Balancing Service, you should now install the Load
Balancing Service component on all those servers where this component is planned for
installation. If other SMS PASSCODE® components are planned to be installed on some of
these servers, then also include these components during installation.
Please note: In case you have already installed the Load Balancing Service on some
servers during step 1 or 3, do not run the installation again on these servers.
5. Finally install SMS PASSCODE® Authentication clients on the machines where these are
planned for installation.
Please note: In case you have already installed some of these components during step 1, 3
or 4, do not run the installation again on these machines.
The actions for installation on a machine are listed below. Please repeat these actions on each
machine being part of the Multi Server Installation.
IMPORTANT: The sequence of dialogs is automatically tailored during a Multi Server Installation
according to the components selected for installation. The work flow below describes all potential
dialogs that may appear during a Multi Server Installation. You may not see all dialogs during your
specific installation – skip forward in the work flow in case a dialog is not shown.
1. Log on to the machine using a user account with local administrator permissions.
2. Copy SmsPasscode-400-x86.exe (32-bit) or SmsPasscode-400-x64.exe (64-bit) to a
local path on the machine.
3. Start the installation by double-clicking the setup file (SmsPasscode-400-x86.exe for 32-bit
or SmsPasscode-400-x64.exe for 64-bit).
4. If the Microsoft .NET 3.5 SP1 Framework is not installed yet, then it will be downloaded
and installed automatically before the main SMS PASSCODE® installation begins.
5. A Welcome dialog appears. Click the Next button.
(During an upgrade from an earlier version of SMS PASSCODE® a notice that an upgrade is
about to occur will appear in this window.)
6. An End-User License Agreement (EULA) appears. Please read the agreement carefully. If
you accept the EULA:
a. Click on I accept the terms in the license agreement.
b. Click the Next button.
7. A dialog for selecting the type of installation appears:
a. Select Multi Server Installation
b. Click the Next button.
8. A dialog for component selection appears. This is where you decide which components
are to be installed on the current machine.
a. Make your component selections.
Please note: The selections you make are not permanent. You can always run the
installation again afterwards and change your selections (cf. section 0).
If you are planning to install SMS PASSCODE® Authentication clients only, on the
current machine, then please deselect all core components, i.e. your selection
should look like this:
b. Click the Next button.
9. If a dialog for entering license information appears:
a. Enter name of “Licensed to” from the license e-mail.
Important: Please enter the company name exactly as it is written in the license
e-mail. Use copy & paste.
b. Enter the license code from the license e-mail. Use copy & paste.
c. Click the Next button.
10. If a dialog for selecting the installation folder appears:
a. It is recommended to use the proposed default installation folder. In case you want
to change the path anyhow: Click the Change button and select a new path.
b. Click the Next button.
11. If a dialog for specifying the default prefix appears:
a. Specify the default prefix for mobile phone numbers. All mobile phone numbers
without an explicit prefix will have this prefix automatically added.
b. Click the Next button.
12. If a dialog for configuring the first GSM modem (see footnote 12) appears:
a. Select a serial port to which a GSM modem is connected.
b. Enter the PIN code of the SIM card in the GSM modem. Just leave the field empty if
the SIM card does not require a PIN code.
c. Click the Next button.
Footnote 12: It is possible to configure only the first GSM modem during installation. If you have connected more modems, then you have to configure these modems using the Web Administration Interface after the installation has completed.
13. If a dialog for setting up the Web Administration Interface appears:
a. It is recommended to use the proposed default path for the Web Administration
Interface installation folder. If you want to change the path anyhow:
Click the Change button and select a new path.
b. It is recommended to use the proposed default TCP port for the Web
Administration Interface site. If you want to change the TCP port anyhow, e.g.
because of a port conflict with another application or another web site, then enter a
different TCP port.
c. Click the Next button.
14. A dialog for selecting Authentication Clients appears.
a. Select the optional components that you would like to install on this machine.
Please read section 5 (page 14) for more details on each component. Just leave all
components unchecked if none of them are to be installed on the current machine.
You may also click the question mark buttons in the dialog window to get more
information.
Please note: The selection of Authentication Clients is NOT permanent. In case you
would like to add or remove Authentication Clients, you can always run the
installation again afterwards (cf. section 0).
PLEASE NOTE: If a component is disabled for selection, this is caused by system
requirements not being fulfilled for this component (cf. section 6, page 18).
b. Click the Next button.
15. If a dialog for selecting the Citrix Web Interface to protect using SMS PASSCODE®
appears:
a. Please select the physical path for the Citrix Web Interface (see footnote 13) to be protected by
SMS PASSCODE® authentication.
b. Click the Next button.
Footnote 13: Currently the installation program supports activation of SMS PASSCODE® protection for a single Citrix Web Interface only. If you need to protect several Citrix Web Interfaces on the same server, then this is also possible. Please contact support@smspasscode.com for instructions on how to do this.
16. If a dialog for selecting the scenario you would like to use for the protection of the Citrix
Web Interface with SMS PASSCODE® appears:
a. Select one of the following three scenarios:
i. Disabled: Select this option to disable SMS PASSCODE® authentication for
now and enable it manually afterwards (as described in section 12.3).
ii. Standalone or Side-by-Side logon: Select this option (recommended) to
activate standard SMS PASSCODE® authentication. If no other kind of two-
factor authentication system is activated, then all users must now
authenticate using SMS PASSCODE® to log on to the Citrix Web Interface –
this is called Standalone logon. If another kind of two-factor authentication
system is activated (e.g. RSA SecurID® or SafeWord®), then the users can
either authenticate using SMS PASSCODE® or the other authentication
system – this is called Side-by-Side logon.
iii. Dual logon: Select this option if you need extra high security. If no other
kind of two-factor authentication system is activated, then this option is
identical with option (ii). I.e. all users are authenticated using SMS
PASSCODE® to log on to the Citrix Web Interface – this is called Standalone
logon. But if another two-factor authentication system is activated (e.g. RSA
SecurID® or SafeWord®), then all users must now authenticate both using
SMS PASSCODE® and the other authentication system to log on – this is
called Dual logon.
b. Click the Next button.
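The three scenarios above (and the identical list in step 15 of the Single Server Installation) reduce to one decision rule. The Python below is an added illustration of that rule, not code from SMS PASSCODE; the names Scenario, LogonAttempt, effective_mode and second_factor_satisfied are assumptions made for the example. It makes the security trade-off explicit: in Side-by-Side mode either system satisfies the logon, so the assurance level is that of the weaker system, while Dual logon requires both and treats a system that was never consulted as a failure.

```python
"""Decision rule for the Disabled / Side-by-Side / Dual logon scenarios.

Added illustration, not part of SMS PASSCODE. Class and function names
are assumptions made for this example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Scenario(Enum):
    DISABLED = "disabled"          # option (i)
    SIDE_BY_SIDE = "side_by_side"  # option (ii): "Standalone or Side-by-Side logon"
    DUAL = "dual"                  # option (iii): "Dual logon"


@dataclass(frozen=True)
class LogonAttempt:
    """Result reported by each second-factor system for one logon attempt.

    None means the system was not consulted at all, e.g. the user chose the
    other logon form in Side-by-Side mode. Primary credentials (the Citrix
    password check) are outside this model.
    """
    smspasscode_ok: Optional[bool]
    other_2fa_ok: Optional[bool]


def effective_mode(scenario: Scenario, other_2fa_active: bool) -> str:
    """Map a selected scenario plus the environment to the guide's mode names."""
    if scenario is Scenario.DISABLED:
        return "disabled"
    if not other_2fa_active:
        # With no second system present, options (ii) and (iii) both mean
        # Standalone logon.
        return "standalone"
    return "side_by_side" if scenario is Scenario.SIDE_BY_SIDE else "dual"


def second_factor_satisfied(scenario: Scenario, other_2fa_active: bool,
                            attempt: LogonAttempt) -> bool:
    """Decide whether the second-factor requirement of the mode is met."""
    mode = effective_mode(scenario, other_2fa_active)
    if mode == "disabled":
        # SMS PASSCODE is out of the loop; only the other system, if any, counts.
        return attempt.other_2fa_ok is True if other_2fa_active else True
    if mode == "standalone":
        return attempt.smspasscode_ok is True
    if mode == "side_by_side":
        # Either system alone is sufficient: assurance is that of the weaker one.
        return attempt.smspasscode_ok is True or attempt.other_2fa_ok is True
    # Dual logon: both must succeed; an unconsulted system (None) fails closed.
    return attempt.smspasscode_ok is True and attempt.other_2fa_ok is True
```

The explicit `is True` comparisons are deliberate: a missing result (`None`) must never count as success, so a misconfigured or skipped authentication system cannot silently pass a Dual or Standalone logon.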
17. If a dialog for configuring SMS PASSCODE® protection of an OWA site appears:
a. Check this option if the OWA site on the server should be protected using SMS
PASSCODE® authentication.
b. Check this option to allow ActiveSync clients to synchronize using the OWA site on
this server. In this case, SMS PASSCODE® authentication will be disabled for
ActiveSync requests. Please maintain security by protecting the ActiveSync clients
by other means.
c. Check this option to allow RPC over HTTP/HTTPS connections using the OWA site
on this server. In this case, SMS PASSCODE® authentication will be disabled for
RPC over HTTP/HTTPS requests. Please maintain security by protecting these
clients by other means.
d. Click the Next button.
18. If a dialog for configuring SMS PASSCODE® protection of an RD Web Access site appears:
a. Check this option if the RD Web Access site on the server should be protected
using SMS PASSCODE® authentication.
b. Click the Next button.
19. You are now ready to perform the installation according to the choices you have made.
Click the Install button.
20. A dialog appears showing the progress of the installation...
21. At some stage during the installation the SMS PASSCODE® Configuration Tool is
automatically started:
This tool is used, among other things, for configuring the SMS PASSCODE® infrastructure, i.e.
you use this tool to specify where the different SMS PASSCODE® components are located
and how they should communicate with each other. You may not see all the tabs shown in
the picture above because the user interface of the SMS PASSCODE® Configuration Tool
is automatically adapted according to the components installed on the current machine.
You must now configure the SMS PASSCODE® infrastructure and save the settings before
the SMS PASSCODE® installation is complete. Please follow the instructions below.
a. In case you have installed the Load Balancing Service, Transmitter Service or
the Web Administration Interface component on the current machine, and the
Database Service component is not installed on the current machine, you must
specify where the database server is located. To do this, please specify the host
name of the database server in the field Database host on the Database tab:
b. If you have installed an optional SMS PASSCODE® Authentication Client on the
current machine, you must specify where a transmitter server is located. You can
either specify a list of one or more Transmitter services or a list of one or more Load
Balancing services. This is configured on the SMS Transmission tab. To specify a
list of Transmitter servers: Select “Transmitter service” (a) and enter the host names
of the servers running the Transmitter Service. Specify the host name of each
server (b) and add it to the list by clicking the Add button (c):
In case you have installed one or more Load Balancing services: Select “Load
balancing service” (a) and enter the host names of the servers running the Load
Balancing Service. Specify the host name of each server (b) and add it to the list
by clicking the Add button (c):
The authentication client will always try to locate a Transmitter/Load Balancing
server in the specified order, i.e. the order of the servers in the list matters.
If communication with a higher-priority server fails, the authentication client will
automatically fall back to the lower-priority servers (failover).
c. The Network tab lists the TCP ports used for communication between the SMS
PASSCODE® components (cf. section 8.1, page 28). If some TCP port fields are
disabled and cannot be changed, this is because they are not in use by the current
machine. It is recommended to use the default TCP ports proposed. But in case of
TCP port conflicts with other applications you may change some TCP ports on this
tab.
Important: The TCP ports must match each other on all machines having SMS
PASSCODE® components installed. If you plan to change one or more TCP ports,
please change these TCP ports in the same manner on all machines. If this is not
observed, then communication will fail.
Finally you must enter a Shared Secret on the Network tab. This is a secret
password that is used for encrypting all messages exchanged between the SMS
PASSCODE® components. To ensure that security is not compromised, a password
with a minimum length of 15 characters is required. It is recommended to use
letters, digits and special characters in the password:
Important: Always remember to specify a Shared Secret.
Please enter the same Shared Secret on all machines having SMS PASSCODE®
components installed. If this is not observed, then communication will fail.
d. Click the Save button.
In case a warning message appears regarding erroneous entries:
Please correct all errors and click the Save button again.
e. Click the Close button. The installation will now continue.
Please note: If you have entered incorrect data in the SMS PASSCODE®
Configuration Tool by accident or if you wish to change some settings later on
(because of infrastructure changes), then you can always run the SMS
PASSCODE® Configuration Tool again manually. A shortcut to this tool is created
in the Windows Start menu:
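The rules of step 21 can be checked before Save is pressed on the last machine: the Transmitter/Load Balancing host list is walked in configured order with failover to the next entry (21b), and all machines must carry identical TCP ports and an identical Shared Secret of at least 15 characters, preferably mixing letters, digits and special characters (21c). The Python below is an added example, not SMS PASSCODE code and not its configuration file format; MachineConfig, the logical port names, the host names and the secrets are constructed for the illustration.

```python
"""Cross-machine consistency checks mirroring the Configuration Tool rules.

Added example, not part of SMS PASSCODE. The MachineConfig layout, port
names and host names are constructed for illustration.
"""
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MIN_SECRET_LENGTH = 15  # minimum stated in the guide for the Shared Secret


@dataclass
class MachineConfig:
    host: str
    components: List[str]      # e.g. ["Database Service", "Web Administration Interface"]
    ports: Dict[str, int]      # logical port name -> TCP port (names are assumptions)
    shared_secret: str
    transmitter_hosts: List[str] = field(default_factory=list)  # ordered, clients only


def shared_secret_problems(secret: str) -> List[str]:
    """Return the reasons a Shared Secret would be rejected or discouraged."""
    problems = []
    if len(secret) < MIN_SECRET_LENGTH:
        problems.append(f"shorter than {MIN_SECRET_LENGTH} characters")
    classes = {
        "letters": any(c.isalpha() for c in secret),
        "digits": any(c.isdigit() for c in secret),
        "special characters": any(c in string.punctuation for c in secret),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("recommended but missing: " + ", ".join(missing))
    return problems


def infrastructure_problems(machines: List[MachineConfig]) -> List[str]:
    """Check: exactly one Database Service, equal ports, one Shared Secret everywhere."""
    if not machines:
        return ["no machines configured"]
    problems = []
    db_hosts = [m.host for m in machines if "Database Service" in m.components]
    if len(db_hosts) != 1:
        problems.append(f"expected exactly one Database Service, found {len(db_hosts)}")
    reference = machines[0]  # every other machine must agree with the first one
    for m in machines[1:]:
        for name, port in m.ports.items():
            # Only ports in use on both machines can be compared; disabled
            # port fields on a machine simply do not appear in its dict.
            if name in reference.ports and reference.ports[name] != port:
                problems.append(f"{m.host}: port {name}={port} differs from "
                                f"{reference.host} ({reference.ports[name]})")
        if m.shared_secret != reference.shared_secret:
            problems.append(f"{m.host}: Shared Secret differs from {reference.host}")
    for m in machines:
        for p in shared_secret_problems(m.shared_secret):
            problems.append(f"{m.host}: Shared Secret {p}")
    return problems


def resolve_transmitter(hosts: List[str], reachable: Callable[[str], bool]) -> Optional[str]:
    """Return the first reachable host, walking the list in configured order.

    This mirrors the failover rule of step 21b: list order is priority order.
    """
    for host in hosts:
        if reachable(host):
            return host
    return None  # every server in the list failed


if __name__ == "__main__":
    # Constructed sample: a database server, one transmitter and one client
    # whose transmitter port was mistyped.
    secret = "Tr4nsm1t-Secret!2010"
    db = MachineConfig("db01", ["Database Service"], {"transmitter": 10001}, secret)
    tx = MachineConfig("tx01", ["Transmitter Service"], {"transmitter": 10001}, secret)
    cl = MachineConfig("citrix01", ["Citrix Web Interface Protection"],
                       {"transmitter": 10009}, secret, ["tx01", "tx02"])
    for line in infrastructure_problems([db, tx, cl]):
        print(line)
```

Running the block as a script prints the single port mismatch for the constructed client machine; the same check on the real installation would catch the "communication will fail" situations described above before the last Save button is pressed.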
22. The dialog below appears when the installation has completed. Click the Finish button.
23. The installation of SMS PASSCODE® is now complete on the current machine. You should
now perform any necessary configurations of this machine (cf. section 12). This is
especially important if you have just installed the Database Service and Web
Administration Interface on the current machine. In this case, you should now start the
Web Administration Interface and a) authorize all servers planned to run the Transmitter
Service, b) authorize all servers planned to run the Load Balancing Service, and c) create
all connected GSM modems in the database.
24. If more machines are part of this Multi Server Installation: Please go back to step 1 (page
76) and follow the same instructions for the next machine.
12 SMS PASSCODE® CONFIGURATION
After having completed the SMS PASSCODE® installation you should perform some
configuration before SMS PASSCODE® is ready for use:
1) Use the Web Administration Interface for the following tasks:
a. Configuring SMS PASSCODE® settings.
i. Configuring general settings
ii. Configuring passcode settings
iii. Configuring AD Integration settings
iv. Updating license information
b. Maintaining SMS PASSCODE® users.
c. Maintaining SMS infrastructure
i. Maintaining GSM modems
ii. Maintaining transmitter servers
iii. Maintaining load balancing servers
iv. Maintaining modem groups and load balancing policies
Please read section 12.1 for a description of the above.
2) Configuration of SMS PASSCODE® Authentication Clients:
a. Configuration of the Citrix Web Interface Protection component.
Please read section 12.3 (page 153).
b. Configuration of the RADIUS Protection component.
Please read section 12.4 (page 154).
c. Configuration of the ISA/TMG Web Site Protection component.
Please read section 0 (page 198).
d. Configuration of the IIS Web Site Protection component.
Please read section 0 (page 203).
e. Configuration of the Windows Logon Protection component.
Please read section 0 (page 212).
f. Configuration of the CAGAE Protection component.
Please read section 12.8 (page 218).
Additionally, the SMS PASSCODE® Configuration Tool allows you to perform various tasks, like
re-configuring the SMS PASSCODE® infrastructure and changing settings for some authentication
clients. Please read section 12.9 (page 226) for more details regarding the configuration tool.
12.1 Web Administration Interface
Using the SMS PASSCODE® Web Administration Interface (WAI) you can:
Configure SMS PASSCODE® settings
Maintain SMS PASSCODE® users
Maintain transmitter servers (Multi Server installation only)
Maintain load balancing servers (Multi Server installation only)
Maintain GSM modems
Maintain modem groups (Multi Server installation with load balancing servers only)
Maintain load balancing policies (Multi Server installation with load balancing servers only)
Maintain license information
In the following subsections WAI is used as a shorthand for Web Administration Interface, and
WAI server designates the server on which WAI is installed.
By default, only members of the Administrators group have permissions to access the WAI. Non-
administrators can be granted permission to access the WAI by adding them to the user group
“SMS PASSCODE Administrators”.
12.1.1 Starting the Web Administration Interface
You can start WAI in three different ways:
1. You can start WAI using a shortcut created on the desktop of the WAI server:
2. You can start WAI using a shortcut created in the Windows Start Menu of the WAI server:
3. WAI is also available from any computer on the network using a web browser as long as
this computer can connect to the WAI server on TCP port 2000 (see footnote 14). Connect to WAI using
the URL http://ip-address:2000, where ip-address should be replaced with the IP address of
the WAI server. By default, only administrators of the WAI server have access to the WAI
using a web browser.
Footnote 14: Port 2000 is the default TCP port for the Web Administration Interface. The port may be changed during installation.
The following user interface is shown on the first start up of WAI:
The left part of the user interface is a navigation menu. Please note that this navigation menu is
dynamically adapted according to the data and settings in the WAI, i.e. in your case the navigation
menu might contain other menu items than shown above.
The complete list of possible menu items is:
Users
Maintain users
Maintain SMS PASSCODE® users, i.e. create, edit and delete users.
Please read section 12.1.2 (page 103) for details.
Import users
Import SMS PASSCODE® users from a comma-separated file.
Please read section 12.1.3 (page 110) for details.
Transmission
Transmitter Hosts
Maintain Transmitter servers, e.g. authorize additional Transmitter servers.
Please read section 12.1.4 (page 111) for details.
This menu item is only available in a Multi Server Installation.
Load Balancing Hosts
Maintain Load Balancing servers, e.g. authorize additional Load Balancing servers. Please
read section 12.1.5 (page 112) for details.
This menu item is only available in a Multi Server Installation.
Modems
Maintain GSM modems, e.g. create additional GSM modem entries.
Please read section 12.1.6 (page 114) for details.
Modem Groups
Maintain modem groups, which are used by Load Balancing Policies.
Please read section 12.1.7 (page 118) for details.
This menu item is only available in a Multi Server Installation, and only when at least one
Load Balancing Service is in use.
Load Balancing Policies
Maintain Load Balancing Policies. Please read section 12.1.8 (page 122) for details.
This menu item is only available in a Multi Server Installation, and only when at least one
Load Balancing Service is in use.
Monitoring
Modems
Inspect the current live status of all GSM modems.
Please read section 12.1.9 (page 137) for details.
Settings
General
Maintain general settings, e.g. enable AD Integration.
Please read section 12.1.10 (page 139) for details.
Passcode
Maintain passcode specific settings, e.g. passcode length and lifetime.
Please read section 12.1.11 (page 140) for details.
AD Integration
Maintain AD Integration settings. Please read section 12.1.12 (page 142) for details.
This menu item is only available, when AD Integration has been enabled.
License
Maintain license information, e.g. when additional licenses have been acquired. Please
read section 12.1.13 (page 151) for details.
After the installation of SMS PASSCODE® the recommended order of actions is:
1. Configure the general settings and the passcode settings.
2. AD Integration enabled in step 1?
a. Yes: Configure the AD Integration settings.
b. No: Create users manually.
3. Single Server Installation?
a. Yes: Optionally create additional GSM modems, if you have several modem
licenses for failover.
b. No: Optionally create additional GSM modems and Transmitter servers, if failover is
required. Optionally create Load Balancing servers, if failover and load balancing is
required. Optionally create modem groups and Load Balancing Policies, if advanced
load balancing is required.
The following subsections describe in detail the individual menu items of the WAI.
12.1.2 Maintaining Users
The menu Maintain users of the WAI is used for maintaining SMS PASSCODE® users. Only
users listed on this page will be granted access by SMS PASSCODE®.
Users can be maintained in two different ways – manually or using Active Directory integration.
You can use both ways at the same time. I.e. you can decide to maintain some users manually,
while other users are maintained using Active Directory Integration.
Active Directory Integration is disabled by default. You can enable it using the general settings
menu item (cf. section 12.1.10, page 139).
12.1.2.1 Adding Users Manually
This section describes how to manually add a new SMS PASSCODE® user. Please note that you
can also bulk import users from a comma-separated file (cf. section 12.1.3, page 110).
To add a new user, follow the instructions below:
1. On the Maintain users page enter the data of the new user:
a. Enter the user name (mandatory).
If using a single domain for authentication, you can just enter the user name without
any domain name prefix. However, if you are planning to create users from different
domains, you should always enter the user name in the format domain\username to
avoid name conflicts in case some users from different domains have identical user
names.
b. Enter the user’s mobile phone number (mandatory).
You may explicitly enter an international phone number prefix (e.g. +44). If no prefix
is entered, then the default prefix is assumed. The default prefix is configured on the
general settings page (cf. section 12.1.10, page 139).
c. Enter the user’s PIN code (optional).
This is only necessary if you require the user to enter an additional PIN code during
SMS PASSCODE® authentication.
d. Enable/Disable flash SMS for the user (optional).
You may disable flash SMS if a user’s cell phone does not accept flash SMS for
some reason. The default setting for flash SMS is configured on the general settings
page (cf. section 12.1.10, page 139).
Flash SMS have two advantages: 1) They normally pop up automatically on the
user’s cell phone, and 2) They are normally not stored on the cell phone after
usage.
e. Click the Add new user button.
2. The new user appears highlighted in the list of users:
3. To verify the user’s mobile phone number, you can click the Test SMS button. This will
trigger a transmission of a test SMS to the specified mobile phone number.
4. Please note that the remaining number of user licenses is updated every time you create a
new user. In this way you will instantly notice if you are running low on user licenses.
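The entry rules above (a domain\username form to avoid name conflicts across domains, and a default international prefix applied to mobile numbers entered without an explicit one) are easy to get wrong in bulk, and a wrong number sends a passcode to someone else's phone. The Python below is an added example, not SMS PASSCODE code; the UserDirectory class, the number normalisation and the conflict rule are assumptions made for the illustration, following only what the section states.

```python
"""Validation of manually entered user data (section 12.1.2.1).

Added example, not SMS PASSCODE code. The UserDirectory class, the
domain\\username handling and the number normalisation are assumptions
made for this illustration; the guide only states the rules they follow.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class UserEntry:
    user_name: str       # "name" or "DOMAIN\name" (domain upper-cased)
    mobile_number: str   # normalised to "+<prefix><digits>"
    pin_enabled: bool
    flash_sms: bool


def split_user_name(raw: str) -> Tuple[Optional[str], str]:
    """Return (domain, name); domain is None when no prefix was typed."""
    if "\\" in raw:
        domain, name = raw.split("\\", 1)
        return domain.upper(), name
    return None, raw


def normalise_mobile(raw: str, default_prefix: str) -> str:
    """Add the default prefix unless an explicit international prefix is given.

    Separators are stripped; national numbers are otherwise kept as typed
    (assumption: no trunk-zero handling, which the guide does not describe).
    """
    cleaned = re.sub(r"[\s\-()]", "", raw)
    number = cleaned if cleaned.startswith("+") else default_prefix + cleaned
    if not re.fullmatch(r"\+\d{6,15}", number):
        raise ValueError(f"invalid mobile phone number: {raw!r}")
    return number


class UserDirectory:
    """In-memory stand-in for the Maintain users list."""

    def __init__(self, default_prefix: str, multi_domain: bool) -> None:
        self.default_prefix = default_prefix
        self.multi_domain = multi_domain        # users from several domains?
        self._users: Dict[str, UserEntry] = {}  # key: lower-cased user name

    def add(self, user_name: str, mobile: str, pin_enabled: bool = False,
            flash_sms: bool = True) -> UserEntry:
        domain, name = split_user_name(user_name)
        if self.multi_domain and domain is None:
            # Without the domain prefix, identical names from two domains
            # would collide; insist on domain\username as the guide advises.
            raise ValueError("enter the user name as domain\\username")
        full_name = f"{domain}\\{name}" if domain else name
        key = full_name.lower()
        if key in self._users:
            raise ValueError(f"user {full_name!r} already exists")
        entry = UserEntry(full_name, normalise_mobile(mobile, self.default_prefix),
                          pin_enabled, flash_sms)
        self._users[key] = entry
        return entry

    def count(self) -> int:
        return len(self._users)


def add_or_error(directory: UserDirectory, user_name: str, mobile: str) -> Optional[str]:
    """Convenience wrapper returning the validation message instead of raising."""
    try:
        directory.add(user_name, mobile)
    except ValueError as exc:
        return str(exc)
    return None
```

Rejecting an unqualified name once more than one domain is in use is stricter than the guide's "should always enter", but it is the check that prevents the name conflict the section warns about; relax it to a warning if that suits your environment better.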
12.1.2.2 Deleting Users Manually
This section describes how to manually delete an SMS PASSCODE® user. You can manually
delete only users that have been created manually. I.e. you cannot delete users that have been
imported using Active Directory Integration.
To delete an SMS PASSCODE® user, follow the instructions below:
1. On the Maintain users page, click the Delete button to the right of the user to be deleted:
2. A dialog box appears asking you to confirm the deletion. Click OK.
3. The user has now been removed from the SMS PASSCODE® user list.
12.1.2.3 Adding and Deleting Users Using AD Integration
When Active Directory Integration has been enabled you can also maintain users using one or
more selected groups in Active Directory. All users belonging to these AD groups are automatically
added to the SMS PASSCODE® user list on the Maintain users page. When a user is removed
from one of the selected AD groups, then the user is automatically removed from the SMS
PASSCODE® user list.
Please note that when users are added to or removed from a selected AD group, these
changes will not occur immediately in the SMS PASSCODE® user list, because SMS PASSCODE®
checks for AD changes only periodically. If you wish a change in the Active Directory to
take effect in SMS PASSCODE® immediately, you can manually force an instant refresh. To force
a refresh, click the Sync now button on the Maintain users page:
If some users are not imported into the SMS PASSCODE® user list from the Active Directory, even
though they are members of a selected AD group, this will be displayed as “Users skipped”:
Users might be skipped due to the following reasons:
Lack of user licenses. Please check the number of remaining licenses.
Missing or incorrect mobile phone number. Please check the content of the field in Active
Directory containing the mobile phone number.
The same user is being imported multiple times (only possible when multi domain mode is
enabled and several AD imports have been setup to import users from the same domain).
Please inspect the Windows event viewer to get the exact details regarding any skipped users. The
AD synchronization event entry will contain the details.
12.1.2.4 Editing Users
If you need to change data or settings for an existing SMS PASSCODE® user, then you can edit
the user. You always have these options for maintaining a user’s data:
Enable/disable PIN code.
Reset the existing PIN code (if PIN code is enabled).
Enable/disable flash SMS.
Lock/unlock user.
For manually created users, you can also edit the user name or mobile phone number. This is not
possible for users imported using AD Integration, because in this case these attributes are
maintained in the AD.
To edit a user, please follow the instructions below:
1. Click the Edit button to the right of the user to be edited:
2. The user is now ready for editing:
a. You can change the user name in this field
(the field is locked for changes if the user is imported using AD Integration).
b. You can change the mobile phone number in this field
(the field is locked for changes if the user is imported using AD Integration).
c. Check/Uncheck this checkbox to enable/disable a PIN code for this user.
d. If a PIN code is enabled for this user, then you can enter/change the PIN code in
this field.
e. Check/Uncheck this checkbox to enable/disable flash SMS for this user.
f. You can manually lock out a user by checking this checkbox. If a user has been
locked out automatically, you can unlock the user by clearing this checkbox.
g. Click the Update button to save all changes.
h. Click the Cancel button to undo all changes.
12.1.3 Importing Users
Instead of creating each user manually you can also bulk import users into SMS PASSCODE®. To
perform an import, you need a comma-separated (CSV) file containing the user data.
To start the import process, select Import users in the navigation menu:
The Import users page contains information regarding the expected syntax of the comma-separated
file. The file must contain at least two fields per line, the user name and the mobile phone number
of each user, respectively.
Please note, that it is also possible to initiate the import of users using a command line tool. This is
especially useful if you would like to schedule an automated periodic import or synchronization of
users from a comma-separated file. Please read section 12.2 (page 152) for more details regarding
this.
12.1.4 Transmitter Hosts
An SMS PASSCODE® Single Server Installation always contains one single Transmitter service,
whereas a Multi Server Installation might contain several Transmitter services on different servers.
When using several Transmitter services in a Multi Server Installation setup, you must authorize
each Transmitter service. Authorization is carried out by specifying the host name of each server
allowed to run the Transmitter service. The procedure for this is described in the following
subsection.
IMPORTANT – authorize before installation:
Remember to authorize each Transmitter service BEFORE it is installed. If this is not observed,
then the Transmitter service will shut down after installation because of missing authorization. You
will then need to manually restart the Transmitter service after it has been authorized.
12.1.4.1 Maintaining Authorized Transmitter Servers
To authorize a Transmitter server, please follow the instructions below:
1. Select the Transmitter Hosts page.
2. Add the authorized server to the list of authorized Transmitter servers:
a. Enter the host name (or IP address) of the server to be authorized.
b. Click the Add button.
3. The server has now been added to the list:
If you need to correct the name of the server afterwards, then click the Edit button to the right of
the authorized Transmitter server.
If you need to remove the authorization, then click the Delete button to the right of the authorized
Transmitter server.
12.1.5 Load Balancing Hosts
An SMS PASSCODE® Single Server Installation never contains a Load Balancing service,
whereas a Multi Server Installation might contain one or more Load Balancing services (on
different servers).
When using Load Balancing services in a Multi Server Installation setup, you must authorize each
Load Balancing service. Authorization is carried out by specifying the host name of each server
allowed to run the Load Balancing service. The procedure for this is described in the following
subsection.
IMPORTANT – authorize before installation:
Remember to authorize each Load Balancing service BEFORE it is installed. If this is not
observed, then the Load Balancing service will shut down after installation because of missing
authorization. You will then need to manually restart the Load Balancing service after it has been
authorized.
12.1.5.1 Maintaining Load Balancing Servers
To authorize a Load Balancing server, please follow the instructions below:
1. Select the Load Balancing Hosts page.
2. Add the authorized server to the list of authorized Load Balancing servers:
a. Enter the host name (or IP address) of the server to be authorized.
b. Click the Add button.
3. The server has now been added to the list:
If you need to correct the name of the server afterwards, then click the Edit button to the right of
the authorized Load Balancing server.
If you need to remove the authorization, then click the Delete button to the right of the authorized
Load Balancing server.
12.1.6 GSM Modems
You can connect up to 32 GSM Modems to each Transmitter service. To inform each Transmitter
service which modems to initialize and use, you must add each modem to the database.
Please note that you can add and remove modems on-the-fly, e.g. you can connect more modems
and create them in the database without restarting any Transmitter service – which means zero
downtime while reconfiguring modems.
The following subsections describe how to add, edit and remove modem settings.
12.1.6.1 Adding GSM Modems
Whenever you have connected an additional GSM modem to a Transmitter service, you must add
the settings for this modem to the database. The Transmitter service will not make use of the new
modem before it has been added to the database.
To add a new GSM modem, please follow the instructions below:
1. Select the Modems page.
2. Enter the settings for the new modem:
a. Select the Transmitter server to which the new modem has been connected.
b. Select the serial port to which the modem has been connected.
c. Enter the PIN code for the SIM card in the GSM modem. Leave this field empty if
the SIM card is not protected by a PIN code.
d. Click the Add new modem button.
3. The GSM modem has now been added to the database and is shown in the modem list:
4. The new modem is now automatically initialized on-the-fly if the Transmitter service is up
and running on the specified server and the modem has been connected to the specified
serial port. If you would like to verify this, then inspect the SMS PASSCODE Transmission
event log on the Transmitter server.
Notice that the number of remaining modem licenses is updated every time you add a new
modem:
12.1.6.2 Deleting Modems
Whenever you are planning to disconnect a GSM modem from a Transmitter service, you should
remove this modem from the database beforehand. This allows the Transmitter service to
terminate the modem gracefully before it is disconnected.
To remove a GSM modem, please follow the instructions below:
1. Select the Modems page.
2. Click the Delete button to the right of the modem to be deleted:
3. A dialog box appears, asking you to confirm the deletion. Click OK.
4. The modem has now been removed from the modem list.
5. If the modem has not already been disconnected, then the modem is now automatically
terminated on-the-fly (if the Transmitter service is up and running on the specified server).
The modem is terminated gracefully, i.e. any queued SMS messages will be sent before
the modem is terminated. If you would like to verify the modem termination, then inspect
the SMS PASSCODE Transmission event log on the Transmitter server.
12.1.6.3 Editing Modems
This section describes how to edit the settings of a GSM modem in the database. Editing might be
necessary in the following cases:
A modem has been moved to another Transmitter server.
A modem has been moved to another serial port.
The PIN code of a SIM card has changed (e.g. because a new SIM card has been
inserted).
A modem should be disabled temporarily.
To edit a modem, please follow the instructions below:
1. Select the Modems page.
2. Click the Edit button to the right of the modem to be edited:
3. The modem is now ready for editing:
a. Check/uncheck this checkbox to enable/disable a modem. This is useful for
temporarily disabling a modem without deleting it.
b. Change the Transmitter server using this drop-down list, e.g. if a modem has been
moved from one Transmitter server to another.
c. Change the serial port using this drop-down list, e.g. if a modem has been moved
from one serial port to another.
d. Enter/change the PIN code of the SIM card in the modem. Leave this field empty, if
the SIM card is not protected by a PIN code.
e. Click the Update button to save all changes.
f. Click the Cancel button to undo all changes.
12.1.7 GSM Modem Groups
All GSM modems created in the database can be grouped into modem groups. The modem groups
are maintained on the Modem Groups page. Please notice that this page is only available when
at least one Load Balancing Host has been authorized. This is because modem groups are only
useful when using Load Balancing servers and Load Balancing Policies: Load Balancing Policies
use modem groups to restrict the load balancing to subsets of all modems in specific
circumstances. E.g. you can group the modems according to country location or GSM service
provider.
The following subsections describe how to create, edit and delete modem groups.
NOTE: The built-in modem group All modems is a dynamic group which always contains all
modems currently created in the database. You cannot edit or delete this modem group.
12.1.7.1 Creating Modem Groups
To create a new modem group, follow this procedure:
1. Select the Modem Groups page.
2. Create a new modem group:
a. Enter the name of the new modem group.
b. Click the Add button.
3. The modem group has now been created and is shown in the modem group list:
12.1.7.2 Editing Modem Groups
You can edit a modem group to change the name of the group and to add/remove modem
members. To edit an existing modem group, please follow this procedure:
1. Select the Modem Groups page.
2. Click the Edit button to the right of the modem group to be edited.
3. The modem group is now ready for editing:
a. Change the name of the modem group, if needed.
b. Check/uncheck modems as needed, leaving only those modems checked that
should be members of the modem group in question.
c. Click the Update button to save all changes.
d. Click the Cancel button to undo all changes.
4. All changes are immediately pushed to all Load Balancing services, thereby being taken
into account on-the-fly.
12.1.7.3 Deleting Modem Groups
To delete an existing modem group, please follow this procedure:
IMPORTANT: Please note when deleting a modem group that all Load Balancing Policies referring
to this modem group will be deleted as well.
1. Select the Modem Groups page.
2. Click the Delete button to the right of the modem group to be deleted:
3. A dialog box appears, asking you to confirm the deletion. Click OK.
4. The modem group has now been removed from the modem group list.
12.1.8 Load Balancing Policies
Load Balancing Policies (LB Policies) allow for advanced load balancing and failover of SMS
transmissions. LB Policies are maintained on the Load Balancing Policies page. This menu item
is only available when at least one Load Balancing Host has been authorized (since LB Policies
are used by Load Balancing services only).
The configuration of LB Policies is very flexible and allows for many different setups. The following
subsections describe in detail, how the LB Policies are configured. First Section 12.1.8.1 explains
the overall idea of having a sequence of LB Policy items. The subsequent sections describe, how
the individual LB Policy items are maintained, i.e. how you can create, re-arrange, delete and edit
LB Policy items. Following the detailed explanation, section 12.1.8.6 (page 133) lists a couple of
examples on how you could configure the LB Policies to fulfill specific requirements.
12.1.8.1 Load Balancing Policy Sequence
LB Policies are configured by creating a sequence of prioritized LB Policy items, e.g. a specific
sequence could consist of LB Policy items 1 to 5. Whenever a Load Balancing service is receiving
an authentication request, it will evaluate the sequence of LB Policy items to determine the action
to be taken. The sequence is always evaluated in strict order from the first to the last item. I.e. if
the sequence consists of n LB Policy items, then the items are evaluated in this order:
LB Policy 1
LB Policy 2
LB Policy 3
…
LB Policy n-1
LB Policy n
The Load Balancing service will stop the evaluation of the sequence as soon as the first matching
LB policy is found. I.e. the LB Policy sequence can be seen as an “if-then-else” chain:
IF LB Policy 1 applies THEN use LB Policy 1
ELSE IF LB Policy 2 applies THEN use LB Policy 2
ELSE IF LB Policy 3 applies THEN use LB Policy 3
…
ELSE IF LB Policy n-1 applies THEN use LB Policy n-1
ELSE use LB Policy n
Please note that the last LB Policy item of the sequence is always a built-in default LB
Policy which applies to all authentication requests. This ensures that every authentication
request is handled even if no other LB Policy of the sequence applies.
The possibilities using LB Policies are very wide-ranging. You can create any number of LB Policy
items and you can re-arrange the order of them as needed afterwards.
The subsequent sections describe how you maintain the individual LB Policy items of the
sequence.
Section 12.1.8.2 (page 124) describes how new LB Policy items are added to the
sequence.
Section 12.1.8.3 (page 125) describes how LB Policies are re-arranged within the
sequence.
Section 12.1.8.4 (page 126) describes how LB Policy items are removed from the
sequence.
Section 12.1.8.5 (page 127) explains the settings of each LB Policy item, and how they are
configured.
Please note that you can make any number of changes to the LB Policy sequence without
affecting current behavior: no change takes effect until you click the Save button. As long as
the Save button has not been clicked, you can undo all changes by leaving the page or clicking
the Cancel button. When you click the Save button, however, all changes are immediately pushed
to all Load Balancing services on-the-fly and take effect immediately.
12.1.8.2 Adding New LB Policy Items
To add a new item to the LB Policy sequence, proceed as follows:
1. Select the Load Balancing Policies page.
2. Scroll up/down the page to find the correct position in the sequence.
3. Click the Add new policy here link at the position where the new LB Policy item should be
added.
4. A new LB Policy item with default settings is now added to the sequence. Configure this
item according to your requirements.
5. No changes are saved until you click the Save button.
12.1.8.3 Re-Arranging LB Policy Items
You can always re-arrange the LB Policy items within the LB Policy sequence to change priority,
except the last item of the sequence which is a built-in default LB Policy – this LB Policy item is
fixed and cannot be moved.
To re-arrange an LB Policy item, proceed as follows:
1. Select the Load Balancing Policies page.
2. Scroll up/down the page to find the item to be re-arranged.
3. Click the Move up or Move down link on the item to move it one position up or down in the
sequence, respectively.
4. No changes are saved until you click the Save button.
12.1.8.4 Deleting LB Policy Items
You can delete all LB Policy items in the LB Policy sequence, except the last item of the sequence
which is a built-in default LB Policy – this LB Policy item cannot be deleted.
To delete an LB Policy item, proceed as follows:
1. Select the Load Balancing Policies page.
2. Scroll up/down the page to find the item to be deleted.
3. Click the Delete this policy link on the item.
4. The LB Policy is removed from the sequence immediately. But please remember that no
changes are saved until you click the Save button.
12.1.8.5 Configuring LB Policy Settings
Each LB Policy item contains settings that can be configured according to your specific
requirements. The different settings are explained in this section.
To configure the settings of an LB Policy item, proceed as follows:
1. Select the Load Balancing Policies page.
2. Scroll up/down the page to find the item to be configured.
3. The LB Policy item shows these settings:
a. Enabled: This check box specifies whether the LB Policy is enabled (active). If you
uncheck this setting, the LB Policy will be skipped during evaluation. This might be
useful for temporary de-activation of the LB Policy.
b. Description: This is just an informative text for your own information. You can use it
to describe the intention of the LB policy.
c. Pre-conditions: This section contains settings, defining when the LB Policy item
should be applied to an incoming authentication request. The following options are
available:
i. Always apply this policy: Check this checkbox if the LB Policy item should
be valid for all incoming authentication requests.
ii. Only apply this policy, if the mobile phone number: Check this checkbox
if the LB Policy item should only be valid for authentication requests resulting
in SMS passcodes being sent to specific mobile numbers. E.g. you can
specify that the LB Policy will only be valid for passcodes being sent to
mobile numbers starting with a specific international prefix.
iii. Only apply this policy, if the user name: Check this checkbox if the LB
Policy item should only be valid for authentication requests coming from
specific user names. E.g. you can specify that the LB Policy will only be valid
for user names starting with a specific domain name.
If both checkboxes (ii) and (iii) are checked, then the LB Policy will not be applied
unless both conditions are fulfilled (“AND condition”).
Please note that even if an authentication request passes the specified pre-conditions,
the LB Policy item might still be skipped due to other settings (in the Passcode type
section).
d. If passcode expires: This section contains a setting defining the behavior when a
passcode has expired.
i. Authentication fails (default): Select this option if the authentication should
fail when the passcode has expired. This is the default behavior.
ii. Send new passcode using next valid policy: When this option is selected
and a passcode expires during an authentication attempt, the Load
Balancing service will continue the evaluation of the LB Policy sequence and
look for the next LB Policy item that applies to the current authentication
request. When the next valid LB Policy has been determined, a new
passcode is generated for the same authentication session. This might be
useful for automatic failover in the rare event of GSM network problems or if
the user uses two mobile phones for different purposes. E.g. if an SMS
passcode expires, a new passcode could automatically be sent using a
different modem group – or a new passcode could be sent to the user’s
secondary mobile phone.
e. Passcode type: This section contains settings regarding the passcode generation
and transmission during an authentication request.
i. Send random SMS PASSCODE using this modem group: Select this
option to generate a random one-time-passcode (OTP) on each new
authentication attempt which will be sent to the user by SMS. This is the
default and recommended behavior to provide real, secure, session-based
two-factor authentication. Select the modem group containing the modems
that are allowed for transmission of the passcodes being generated by the
LB Policy. Selecting All modems will provide traditional, intelligent load
balancing between all modems created in the SMS PASSCODE® database,
whereas selecting a specific modem group will restrict the load balancing to
the modems of this group. E.g. you could restrict the transmission of
passcodes to modems of a specific GSM service provider or modems
located in a specific country.
Please note that when sending One-Time-Passcodes using GSM modems
(option i), you have up to three additional options:
Use next valid policy, if all modems of the selected modem group are
down: When this option is checked, and all modems of the selected modem
group are unavailable for some reason, the Load Balancing service will skip
this LB Policy item, continue the evaluation of the LB Policy sequence and
look for the next LB Policy item that applies to the current authentication
request. In this way, you can select a prioritized modem group to be used by
default, but still have another modem group (e.g. All modems) in another
LB Policy item for failover. When this option is NOT checked, and all
modems of the selected modem group are unavailable for some reason,
authentication will fail and logging on will not be possible.
Use next valid policy, if the shortest queue length exceeds: When
checking this option, you must also enter the longest acceptable queue
length. The Load Balancing service will skip this LB Policy item, continue the
evaluation of the LB Policy sequence and look for the next LB Policy item
that applies to the current authentication request, whenever the current
queue length of all modems in the selected modem group exceeds the
specified longest acceptable queue length. In this way, you can select a
prioritized modem group to be used by default, but still have another modem
group (e.g. All modems) in another LB Policy item for periods of high loads
on the default modems. When this option is NOT checked, the modems of
the selected modem group will always be used, irrespective of the current
queue lengths.
Send passcode to: Select whether the OTP should be sent to the user’s
primary or secondary mobile phone number. If the secondary mobile number
is selected, then the LB Policy item will be skipped for all users who have
not been assigned a secondary mobile number.
Please note: This option is only available if secondary mobile numbers have
been enabled on the General Settings page.
ii. Use static passcode: Select this option to allow the user to log in using a
pre-defined static passcode on each authentication attempt. The user can
perform several logins with the same passcode.
IMPORTANT: Use this option only in case of emergency. Selecting this
option reduces the security from two-factor to one-factor authentication.
It is possible to enable this option for a subset of users only (using the
Pre-conditions), but you should still only do this in case of emergency, because
the total security level is never better than the weakest link. You should
never configure an LB Policy with static passcodes to be used as automatic
failover when the OTP of a higher prioritized LB Policy item expires. This
would still reduce the security to one-factor authentication because a hacker
could let the OTP expire on purpose on each authentication attempt.
f. Passcode life time: This section contains settings regarding the life time of the
passcode (i.e. the duration before a passcode expires).
i. Use system default: Select this option if the default passcode lifetime
defined on the General settings page should be used.
ii. Use custom duration: Select this option if you would like to override the
default passcode lifetime and enter a passcode lifetime of your own choice
(allowed range: 30-3600 seconds). E.g. when configuring a second
passcode to be sent when the first passcode expires, it might be desirable to
lower the lifetime of the first passcode.
4. No changes are saved, until you click the Save button.
12.1.8.6 Load Balancing Policy Examples
This section shows different examples on how LB Policies can be applied usefully.
Example 1 (Prefix Load Balancing):
A large enterprise has acquired 8 GSM modems which are distributed between 4 different
countries (2 modems at each location): United States, United Kingdom, Germany and France. A
SIM card from a national GSM service provider has been inserted into each GSM modem. Users
from all 4 countries are logging into a Citrix Web Interface. To provide the most efficient SMS
transmission and to lower the SMS transmission costs, it is desirable, that a modem is selected for
each transmission that uses a SIM card with the same international mobile number prefix as the
SIM card of the user requesting the SMS. This is also called prefix load balancing. To achieve
this, you should proceed as follows:
1. Create 4 modem groups, one for each country. E.g. you could call the modem groups
“US”, “UK”, “DE” and “FR”. For each modem group, assign the two modems located in the
corresponding country.
2. Create a sequence of 5 LB Policies (the last one being the built-in default LB Policy):
[Configuration of Load Balancing Policies #1 to #4: screenshots not reproduced in this transcript.]
With these LB Policies in place, each SMS passcode will be sent using a modem from the same
country as the user, as long as both modems of the country are available and have a short queue
with 5 pending messages at most. Otherwise, the built-in default LB Policy will take over, i.e. the
message will be load balanced between all available modems, including the modems located in the
other countries.
Example 2 (GSM service provider failover):
A company has acquired 4 GSM modems. Two of the modems are equipped with SIM cards from
GSM service provider A, while the other two modems are equipped with SIM cards from GSM
service provider B. Below, the modems are called Provider A and Provider B modems,
respectively. By default, all passcodes should be sent using the Provider A modems and all users
have been assigned mobile phones with SIM cards from GSM service provider A. However, in
case of any problems with Provider A, the Provider B modems should be used instead. This means
that if the Provider A modems are unavailable or cannot send any SMS, or if the users do not
receive any SMS from Provider A, then the system should fail over to the Provider B modems.
Selected important users have also been given SIM cards from GSM service provider B. The SMS
passcodes should be sent to the Provider B mobile number in the failover situation. In this way,
GSM network failover is realized at both the sending and receiving end. To achieve this, you
should proceed as follows:
1. Create 2 modem groups, one called “Provider A” and one called “Provider B”. For each
modem group, allocate the two modems with SIM cards from the corresponding GSM
service provider.
2. Create a sequence of 3 LB Policies (the last one being the built-in default LB Policy):
[Configuration of Load Balancing Policies #1 and #2: screenshots not reproduced in this transcript.]
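The LB Policy sequence of sections 12.1.8.1 and 12.1.8.5, together with the two examples above, as an added Python model (not SMS PASSCODE code): `evaluate` walks the if-then-else chain with the pre-conditions, the all-modems-down and queue-length skips and the secondary-number option, `on_passcode_expired` applies the "If passcode expires" setting, and `static_reachable_after_expiry` flags the static-passcode failover the guide warns against. Modem names, queue lengths, user names and phone numbers are constructed sample data; `example1` and `example2` build the two sequences described above.

```python
# Added example, not SMS PASSCODE code: modems, users and numbers are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Modem:
    name: str
    up: bool = True
    queue_length: int = 0

@dataclass
class LBPolicy:
    description: str
    enabled: bool = True
    number_prefix: Optional[str] = None     # pre-condition (ii); None = not used
    username_prefix: Optional[str] = None   # pre-condition (iii); both set = AND
    static_passcode: bool = False           # emergency one-factor mode
    modem_group: str = "All modems"
    skip_if_group_down: bool = False        # use next valid policy if all modems are down
    max_queue_length: Optional[int] = None  # use next valid policy if shortest queue exceeds
    send_to_secondary: bool = False         # send passcode to the secondary number
    retry_next_policy: bool = False         # on expiry: send new passcode using next valid policy

@dataclass
class Request:
    username: str
    primary_number: str
    secondary_number: Optional[str] = None

@dataclass
class Decision:
    index: int            # position of the winning item in the sequence (0-based)
    policy: str
    number: str
    modem: Optional[str]  # None for a static passcode (nothing is transmitted)

def evaluate(policies: List[LBPolicy], groups: Dict[str, List[Modem]],
             req: Request, start: int = 0) -> Optional[Decision]:
    """Walk the sequence in order from `start`; the first applicable item wins.
    None means authentication fails (no item could deliver a passcode)."""
    for idx in range(start, len(policies)):
        p = policies[idx]
        if not p.enabled:
            continue
        if p.number_prefix and not req.primary_number.startswith(p.number_prefix):
            continue
        if p.username_prefix and not req.username.startswith(p.username_prefix):
            continue
        number = req.secondary_number if p.send_to_secondary else req.primary_number
        if number is None:          # secondary selected but user has none: skip item
            continue
        if p.static_passcode:
            return Decision(idx, p.description, number, None)
        available = [m for m in groups[p.modem_group] if m.up]
        if not available:
            if p.skip_if_group_down:
                continue
            return None             # whole group down and no failover: auth fails
        best = min(available, key=lambda m: m.queue_length)
        if p.max_queue_length is not None and best.queue_length > p.max_queue_length:
            continue                # even the shortest queue is too long: skip item
        return Decision(idx, p.description, number, best.name)
    return None

def on_passcode_expired(policies, groups, req, prev: Decision) -> Optional[Decision]:
    """'If passcode expires' of the item that sent the OTP: fail, or resume after it."""
    if policies[prev.index].retry_next_policy:
        return evaluate(policies, groups, req, start=prev.index + 1)
    return None

def static_reachable_after_expiry(policies: List[LBPolicy]) -> List[str]:
    """Lint for the guide's warning: OTP items whose expiry failover can reach an
    enabled static-passcode item, which lets an expired OTP degrade to one factor."""
    return [p.description for i, p in enumerate(policies)
            if p.retry_next_policy and not p.static_passcode
            and any(q.enabled and q.static_passcode for q in policies[i + 1:])]

def example1():
    """Example 1: four country groups of two modems, queue cap 5, built-in default last."""
    groups = {c: [Modem(f"{c}-1"), Modem(f"{c}-2")] for c in ("US", "UK", "DE", "FR")}
    groups["All modems"] = [m for ms in list(groups.values()) for m in ms]
    prefixes = {"US": "+1", "UK": "+44", "DE": "+49", "FR": "+33"}
    policies = [LBPolicy(f"{c} users via {c} modems", number_prefix=pre, modem_group=c,
                         skip_if_group_down=True, max_queue_length=5)
                for c, pre in prefixes.items()]
    return policies + [LBPolicy("Built-in default: all modems")], groups

def example2():
    """Example 2: Provider A first (retry on expiry), then Provider B to the secondary number."""
    groups = {"Provider A": [Modem("A-1"), Modem("A-2")],
              "Provider B": [Modem("B-1"), Modem("B-2")]}
    groups["All modems"] = groups["Provider A"] + groups["Provider B"]
    policies = [LBPolicy("Provider A modems", modem_group="Provider A",
                         skip_if_group_down=True, retry_next_policy=True),
                LBPolicy("Provider B modems, secondary number", modem_group="Provider B",
                         send_to_secondary=True),
                LBPolicy("Built-in default: all modems")]
    return policies, groups
```

Marking a modem as down or raising its queue length on the `Modem` objects before calling `evaluate` reproduces the failover behaviour described for each example.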
12.1.9 Modem Monitoring
The Modem Monitoring page is used to monitor all GSM modems. The page is dynamically
updated to show the live status of every GSM modem attached to the SMS PASSCODE®
infrastructure. The modem monitoring page displays 3 sections of information for each GSM
modem:
a. Modem device information:
i. The COM port that the modem is attached to
ii. Modem description (modem type and revision number)
iii. The IMEI number of the GSM modem
b. Modem state information:
i. Status: Current status of the modem (should be “Ready” or “Sending” under
normal circumstances)
ii. Queue length: The current number of queued messages for the modem.
This number should be close to 0. If this number increases periodically, this
could indicate that too few modems have been assigned to handle the load.
iii. Signal strength: The currently detected GSM signal strength.
iv. SIM ID: A unique identifier for the SIM card inserted into the modem.
v. Operators: Click the hyperlink “Show” to display a list of detectable
operators. Please note that retrieval of the operator list can take up to 1
minute and will delay any queued messages.
c. Transmission statistics:
i. Started: The date and time the modem thread was started the last time.
ii. # Successful transmissions: The number of successfully transmitted
messages since the modem thread was started.
iii. # Failed transmissions: The number of failed message transmissions since
the modem thread was started.
iv. # Modem initializations: The number of attempted modem initializations
since the modem thread was started. Should be 1 under normal
circumstances. If this number is large, then the modem is being re-initialized
periodically which could indicate GSM network problems, e.g. a weak GSM
signal strength.
v. Avg. transmission time: The average time per transmission measured
since the modem thread was started.
12.1.10 General Settings
The General settings page allows configuration of the following miscellaneous settings:
Changes do not take effect until you click the Save button.
Setting / Explanation:
Default prefix for mobile numbers:
This prefix is automatically added to the beginning of each user’s mobile phone number if no explicit international prefix is specified. You can always explicitly specify another prefix for individual users.
Enable AD Integration:
This setting controls whether the AD Integration feature is enabled. You can enable the AD Integration in two different modes:
• Single domain mode: Users are imported from a user group in a single domain.
• Multi domain mode: Users are imported from several user groups, possibly from separate domains.
Please read section 12.1.12.1 (page 142) for more details regarding the difference between the AD Integration modes.
Default setting for Flash SMS:
This setting specifies whether new users should have flash SMS enabled or disabled by default. You can always override this setting for individual users. It is recommended to keep the Flash SMS setting enabled by default unless Flash SMS is not supported by your GSM service provider in general.
Secondary mobile numbers:
When this setting is enabled, you can optionally allocate a secondary mobile number to each user. Secondary numbers can be used during configuration of Load Balancing Policies for failover scenarios.
12.1.11 Passcode Settings
The Passcode settings page allows configuration of several settings regarding the generation of
passcodes sent to the users’ cell phones:
Changes do not take effect until you click the Save button.
Setting / Explanation:
Passcode length: This setting controls the length of the generated passcodes, i.e. the number of characters in each passcode. Longer passcodes mean higher security because the probability of guessing a passcode decreases. Shorter passcodes are easier to enter for the users, on the other hand. The default setting is: 6. Allowed range: 5-20.
Passcode type: This setting defines whether the generated passcodes are only allowed to contain digits, or a combination of digits and letters. Passcodes containing only digits are usually easier to enter for the users. Passcodes containing both digits and letters, on the other hand, are more secure because there are more combinations, meaning less probability of guessing a passcode.
SMS PASSCODE® 4.0 offers a new option called memoPasscodes™. memoPasscodes™ are constructed in a special way, making them easier for users to memorize, thereby providing improved user convenience during authentication. At the same time, memoPasscodes™ still offer maximum security by building the passcodes using random patterns. memoPasscodes™ is the recommended passcode type. The default setting is: memoPasscodes™
Passcode life time: This setting controls for how long a passcode is valid[15] after it has been sent to the user. A user must complete the logon within this time limit to be successfully authenticated using SMS PASSCODE®. The default setting is 120 seconds = 2 minutes. Allowed range: 30-3600 seconds (30 seconds - 1 hour)
[15] When using Load Balancing Policies, it is possible to overrule this setting and define different Passcode life times for different cases.
12.1.12 Active Directory Integration Settings
Active Directory Integration makes it possible to maintain SMS PASSCODE® users in one or more
Active Directories. No schema extension of any of your ADs is necessary to make use of this
functionality. You simply select a group of your own choice in (each) AD to contain SMS PASSCODE®
users, and the SMS PASSCODE® database service will automatically synchronize all users that are
members of this group (or these groups) to the SMS PASSCODE® user database. The Active Directory
Integration supports several advanced features:
• Multi domain support: It is possible to import users from one or several separate AD
domains.
• Group nesting: The chosen AD group may contain other groups in a nested hierarchy,
thereby making administration of SMS PASSCODE® users even easier.
• Child domains and trusted domains: When using nested groups, all groups and/or users
in the group hierarchy are allowed to be located in child domains and/or trusted domains.
• Configurable protocol: Synchronization can occur either using the LDAP or the Global
Catalog (GC) protocol.
• Optional secondary mobile number: Up to two mobile numbers can be imported per
user.
• Configurable mobile attributes: It is configurable which AD user attribute(s) the mobile
phone numbers are retrieved from.
• Configurable user group: It is configurable which AD group should contain your SMS
PASSCODE® users.
• Data transformations: Data transformations can be applied to all imported user names
and mobile phone numbers.
Using nested groups from child domains / trusted domains
Please note that in order to make use of nested groups from Child Domains and/or Trusted
Domains, an AD user account that has read-access to all involved domains (or Global Catalog
servers) must exist. If the SMS PASSCODE® Database Service is not started using this user
account, the credentials of this user account must be specified as part of the AD Integration
settings.
Alternatively, instead of using nested groups from child/trusted domains, you could enable Multi
domain mode and enter settings (credentials) for each child/trusted domain explicitly.
12.1.12.1 Single Versus Multi Domain Mode
Active Directory integration can be enabled in two different modes: Single domain mode and
multi domain mode.
Single domain mode is the traditional way to implement Active Directory Integration, i.e. the AD
Integration works in this mode exactly as in the previous versions of SMS PASSCODE®. In this
mode, a single user group is selected in a single AD, and all users being member of this group are
synchronized to the SMS PASSCODE® database. Please note that the synchronization might
nevertheless span several AD domains, because the selected group might contain nested groups,
including nested groups from child domains and trusted domains. All users from nested groups are
synchronized as well.
The multi domain mode allows the setup of “multiple AD Integrations”. I.e. you can think of this
mode as working exactly like the “single domain mode”, except that you can now configure several
AD integrations, each having individual settings and synchronizing in parallel.
The single domain mode is recommended for companies or organizations having one AD domain
(forest). The multi domain mode is especially useful for hosting providers that are hosting multiple
separate domains for different customers.
12.1.12.2 Single Domain Mode
This section describes how to configure AD Integration in single domain mode.
Simple setup
In the simplest case, if the SMS PASSCODE® database service is running on a domain member
server (or domain controller), and no child or trusted domains are involved, you will typically need
to do only the following to enable Active Directory Integration:
1. Select the General settings page.
2. Enable Active Directory Integration in single domain mode:
a. Select the Enabled (single domain mode) option.
b. Click the Save button.
After this, Active Directory Integration is ready for use – simply create a group called SMS
PASSCODE USERS in your AD and add users or nested groups to this group.
Advanced setup
In more complex cases, where a) the SMS PASSCODE® database service is NOT running on a
domain member server (e.g. because it is located in a DMZ), or b) nested groups from child
domains or trusted domains are involved, or c) you wish to change some of the more advanced
settings, please follow the instructions below:
1. Enable AD Integration in single domain mode according to the instructions above (“Simple
setup”).
2. You are now ready to configure the AD settings. Go to the AD Integration page:
3. Configure the AD Settings:
a. AD refresh interval: Enter into this field how often the AD synchronization engine
should check for changes in the AD. The default value is every 5 minutes.
b. Data Repository: Select the protocol for synchronization. LDAP is normally
recommended, but the Global Catalog protocol might provide performance
advantages in environments with one or more child domains, because all
information can be collected from the Global Catalog server instead of contacting
each child domain controller sequentially.
c. AD Server: If the SMS PASSCODE® database service is running on a domain
member server (or domain controller), then you can leave this field empty. The
database service will then automatically locate a domain controller of the domain, to
which it belongs. You may specify the host name or IP address of a domain
controller anyhow, if you would like the AD synchronization to always communicate
with a specific domain controller.
On the other hand, if the SMS PASSCODE® database service is NOT running on a
domain member server (or domain controller), then you must specify either the DNS
name of a domain, or the host name or IP address of a domain controller that
should be used for AD synchronization.
d. AD Credentials: By default the SMS PASSCODE® Database Service will connect
to the AD using the permissions of the user account executing the Database
service. If this is sufficient, e.g. because the Database service is running on a
domain member server or a domain controller, then you can leave this field empty.
AD credentials are normally only necessary if the SMS PASSCODE® database
service is NOT running on a domain member server (or domain controller), or if a
specific user account is needed for read access to child domains and/or trusted
domains. In this case, you should specify AD credentials (user name and password)
for a user account having read access to all involved Active Directories.
e. AD Group: Enter the name of the AD group containing all SMS PASSCODE® users
into this field. The default name is SMS PASSCODE USERS.
f. AD Group Base DN: When searching for the group entered in (e), SMS
PASSCODE® will by default search from the root of the root domain naming context.
If you wish to restrict the search (e.g. to a child domain), please specify a base DN.
This base DN will then be used as the root of the search. Example of a base DN:
OU=DepartmentEast,DC=testdomain,DC=com
g. Finally, you can perform an AD authentication test by clicking the Test AD
authentication button. This will perform an authentication test and verify whether
your settings are correct. The test verifies:
i. If a domain controller can be located.
ii. If it is possible to authenticate and read data from the AD of the located
domain controller.
iii. If the specified AD group can be located.
Further settings are available by scrolling down the page:
h. User name attribute: Select which LDAP attribute contains the user name.
SAM-Account-Name is the recommended default setting that works with all
authentication clients. Select User-Principal-Name (UPN) only when you have a
specific requirement for users authenticating using UPN syntax and the
authentication client in question does not convert the user names to SAM account
format by itself.
i. Mobile number attribute(s): Enter into this field the LDAP name of the AD user
attribute[16] that contains the mobile phone number to be extracted for each user. You
can even specify multiple attributes separated by a comma. In this case the
synchronization engine will perform a prioritized search for the mobile phone
number. E.g. if you enter “mobile,otherMobile”, then the synchronization
engine will first look for each user’s mobile phone number in the user attribute
mobile. If this field does not contain any mobile number, then the field
otherMobile is searched.
Please note: Users not having any valid mobile phone number in any of the
specified attributes will be skipped during AD synchronization, i.e. these users will
not be able to authenticate using SMS PASSCODE®.
j. Secondary mobile number attribute(s): This option is only available when
Secondary mobile numbers have been enabled on the General Settings page.
You should only enter anything into this field if you would like to allocate secondary
mobile numbers to users and provide mobile phone (GSM receiver) failover for
these users using Load Balancing Policies. In this case, enter into this field the
LDAP name of the AD user attribute[16] that contains the secondary mobile phone
number to be extracted for each user. You can even specify multiple attributes
separated by a comma. In this case the synchronization engine will perform a
prioritized search for the secondary mobile phone number. E.g. if you enter
“pager,otherMobile”, then the synchronization engine will first look for each
user’s secondary mobile phone number in the user attribute pager. If this field does
not contain any mobile number, then the field otherMobile is searched.
[16] When using LDAP, you can enter any valid LDAP attributes (http://msdn.microsoft.com/en-us/library/ms683980(VS.85).aspx). However, when using the Global Catalog, you must ensure that the specified attributes are actually replicated to the Global Catalog. E.g. the default attribute mobile is in fact NOT replicated to the Global Catalog by default. For more information about how to add attributes to the Global Catalog, please read http://technet2.microsoft.com/windowsserver/en/library/8c76ff67-9e9d-4fc7-bfac-ffedee8a04d41033.mspx and http://technet2.microsoft.com/windowsserver/en/library/42ae2845-a7aa-4f02-8944-175f6541125f1033.mspx
IMPORTANT: Changes do not take effect until you click the Save button.
Note: The page contains some additional settings regarding data transformations. These settings
are described in section 12.1.12.4, page 149.
12.1.12.3 Multi Domain Mode
This section describes how to configure AD Integration in multi domain mode.
Basically, in multi domain mode, you can create any number of domain settings entries. Each
entry represents an AD synchronization with its own settings which can be configured exactly like
the AD settings in single domain mode.
The procedure is as follows:
1. Select the General settings page.
2. Enable Active Directory Integration in multi domain mode:
a. Select the Enabled (multi domain mode) option.
b. Click the Save button.
3. Now go to the AD Integration page to configure the AD settings. Here you can add, edit
and delete domain settings entries.
a. To add a new entry, click the Add new domain button, configure the new entry, and
click Save.
b. To edit an entry, click the Select link on the entry, change the settings, and click
Save.
c. To delete an entry, click the Delete button on the entry.
In general, the settings on each Domain settings entry are similar to the settings in single domain
mode (cf. section 12.1.12.2 above). However, there are some additional settings:
• Description: You can assign a description to each Domain settings entry. This description
is shown in the table of all Domain settings entries and is useful for identification when you
have a lot of entries. It can also be used when searching for specific entries using the Filter
feature.
• Enabled: Using this option you can enable and disable individual AD synchronizations.
• Default mobile number prefix: Using this option you can overrule the default mobile
number prefix defined on the General Settings page. I.e. you can define a default mobile
number prefix that is used for all users created using this specific AD synchronization.
• Default setting for flash SMS: Using this option you can overrule the default setting for
flash SMS defined on the General Settings page. I.e. you can define a flash SMS setting
that is used for all users created using this specific AD synchronization.
12.1.12.4 Data Transformations
When importing users from Active Directories, or custom CSV files, it might sometimes be useful to
apply a data transformation. E.g. all mobile numbers in an AD might be prefixed with a
zero (“0”) for technical reasons related to calling the number from the office. In this case, it
would be useful to apply a data transformation that removes any leading zeroes from all
mobile numbers. This is possible using the data transformation feature of SMS
PASSCODE®.
Data transformations can be applied to any user names and mobile numbers imported into the
SMS PASSCODE® database. The transformation is specified using regular expression syntax
(please read http://msdn.microsoft.com/en-us/library/6wzad2b2(VS.85).aspx or
www.regular-expressions.info for a detailed description of regular expressions).
Data transformations are configured as part of the AD Integration settings at the bottom of the AD
Integration page:
The procedure for applying a data transformation to user names or mobile phone numbers is the
same. In both cases, you enter a search pattern and a replacement string. During the import of
new data, the search pattern will be applied to all user names and mobile phone numbers being
imported, and in case of any search pattern matches, the matching pattern will be replaced
according to the replacement string. Every user name or mobile phone number not matching the
search pattern will be imported unaltered.
Below are some data transformation examples:
• Example 1: Changing the domain name for imported users from “mydomain” to
“yourdomain”:
o Search pattern: ^mydomain\\(.*)$
o Replacement string: yourdomain\$1
o Transformation example:
mydomain\alex -> yourdomain\alex
• Example 2: Changing imported user names from NETBIOS to UPN syntax:
o Search pattern: ^mydomain\\(.*)$
o Replacement string: $1@mydomain.com
o Transformation example:
mydomain\alex -> alex@mydomain.com
• Example 3: Removing any leading zeroes from mobile phone numbers:
o Search pattern: ^(0*)(.*)$
o Replacement string: $2
o Transformation examples:
234 456 -> 234 456
0 234 456 -> 234 456
00 234 456 -> 234 456
• Example 4: Removing parentheses and dashes from mobile phone numbers in the format
“(xxxx) xxxx-xxxxx”:
o Search pattern: ^(\((\d*)\))?\s*(\d*)\s*-?\s*(\d*)$
o Replacement string: $2 $3 $4
o Transformation examples:
(461) 345-456 -> 461 345 456
345 456 -> 345 456
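The following Python script is an added example, not code from the guide or from SMS PASSCODE A/S. It simulates what the synchronization engine is described as doing in step (i) above (the prioritized search across a comma-separated list of mobile attributes, skipping users without a number) and applies the four data transformations listed above to constructed sample values, so an administrator can try a search pattern and replacement string before saving them. It assumes replacement strings use only the .NET forms $n and $$ and that a whitespace-only attribute value counts as missing; the AD records are constructed sample data.

```python
import re
from typing import Optional

# Constructed sample AD user records (LDAP attribute name -> value); not real data.
SAMPLE_AD_USERS = [
    {"sAMAccountName": "alex", "mobile": "(461) 345-456"},
    {"sAMAccountName": "bea", "mobile": "", "otherMobile": "0045123456"},
    {"sAMAccountName": "carl", "mobile": "   "},   # no usable number: skipped
]

# Matches the .NET substitution tokens "$n" (group n) and "$$" (literal dollar).
_GROUP_REF = re.compile(r"\$(\$|\d+)")


def expand_dotnet_replacement(match, replacement: str) -> str:
    """Expand a .NET-style replacement string for one regex match.

    Assumption: only the "$n" and "$$" forms are used. As in .NET, an optional
    group that did not participate in the match expands to the empty string, and
    "$n" for a group that does not exist is kept literally.
    """
    def substitute(token) -> str:
        ref = token.group(1)
        if ref == "$":
            return "$"
        index = int(ref)
        if index > match.re.groups:
            return token.group(0)
        return match.group(index) or ""
    return _GROUP_REF.sub(substitute, replacement)


def apply_transformation(value: str, search_pattern: str, replacement: str) -> str:
    """One data transformation as the guide describes it: a value matching the
    search pattern is rewritten per the replacement string; a value that does
    not match is returned unaltered."""
    regex = re.compile(search_pattern)
    return regex.sub(lambda m: expand_dotnet_replacement(m, replacement), value)


def find_mobile(user: dict, attributes: str) -> Optional[str]:
    """Prioritized search over a comma-separated attribute list such as
    "mobile,otherMobile": the first attribute holding a non-blank value wins."""
    for attr in (a.strip() for a in attributes.split(",")):
        value = (user.get(attr) or "").strip()
        if value:
            return value
    return None


def synchronize(users, user_name_attr="sAMAccountName",
                mobile_attrs="mobile,otherMobile",
                name_transform=None, mobile_transform=None):
    """Simulate one synchronization pass. Returns (imported, skipped): imported is
    a list of (user name, mobile number) after transformations, skipped lists the
    user names that had no valid mobile number in any configured attribute."""
    imported, skipped = [], []
    for user in users:
        name = user.get(user_name_attr, "")
        mobile = find_mobile(user, mobile_attrs)
        if mobile is None:
            skipped.append(name)   # per the guide, such users cannot authenticate
            continue
        if name_transform:
            name = apply_transformation(name, *name_transform)
        if mobile_transform:
            mobile = apply_transformation(mobile, *mobile_transform)
        imported.append((name, mobile))
    return imported, skipped


if __name__ == "__main__":
    # The guide's four examples (Example 3 uses constructed numbers without spaces).
    print(apply_transformation(r"mydomain\alex", r"^mydomain\\(.*)$", r"yourdomain\$1"))
    print(apply_transformation(r"mydomain\alex", r"^mydomain\\(.*)$", "$1@mydomain.com"))
    print(apply_transformation("0045123456", r"^(0*)(.*)$", "$2"))
    pattern4 = r"^(\((\d*)\))?\s*(\d*)\s*-?\s*(\d*)$"
    print(apply_transformation("(461) 345-456", pattern4, "$2 $3 $4"))
    # Without the parenthesised part, $2 is an unmatched group and expands to "",
    # so the literal expansion keeps a leading space: " 345 456".
    print(repr(apply_transformation("345 456", pattern4, "$2 $3 $4")))
    # Sync pass with the leading-zero transformation (Example 3) on mobile numbers.
    print(synchronize(SAMPLE_AD_USERS, mobile_transform=(r"^(0*)(.*)$", "$2")))
```

Whether the import trims the leading space left by an unmatched group is not stated in the guide, so check the stored numbers after the first synchronization when a pattern contains optional groups.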
12.1.13 Maintaining License Information
The WAI also has a page for maintaining license information. You will typically only make changes
on this page when you receive a new license code, i.e. when more user or modem licenses have
been acquired.
To change license information, please follow the instructions below:
1. Select the License page.
2. Edit the license information:
a. Change the company name in the Licensed to field, if necessary. This will normally
only be necessary if you have misspelled the company name during installation of
SMS PASSCODE®. Please note that the company name must be spelled exactly as
stated in the license e-mail. If this is not observed, the license code will not be
accepted.
b. Change the License code, if necessary – e.g. if you have received a new license
code. It is recommended to copy&paste the license code from the license e-mail.
c. Click the Save button.
d. Check, if the new license information was accepted.
12.2 Importing and Synchronizing Users from other Data Sources
If you need to import users into the SMS PASSCODE® database from another source than
Microsoft Active Directory, this is possible using comma-separated files. I.e. you should export all
users from your data source to a comma-separated file, and afterwards import this file into the
SMS PASSCODE® database. If the user export/import is a one-time task, you can simply import
the comma-separated file using the SMS PASSCODE® Web Administration interface (cf. section
12.1.3, page 110).
However, if you wish to set up an automated periodic import or synchronization from a comma-
separated file, you should make use of the DbAdmin command line tool.
The DbAdmin tool is installed on the server hosting the SMS PASSCODE® Database Service.
The default path is:
C:\Program Files\SMS PASSCODE\DbAdmin.exe
If you run this tool without any arguments, it will display the expected syntax and valid arguments.
To import users from a comma-separated file, use this syntax:
DbAdmin -user -import "csv file name"
Replace csv file name with the path to your comma-separated file. You can add additional
arguments to obtain different behaviors. Different examples are listed below:
• Add new users: Import users from a comma-separated file. Any users already present in
the database are not overwritten. No users are removed from the database:
DbAdmin -user -import "csv file name"
• Add new users, overwriting existing users: Import users from a comma-separated file.
Any users already present in the database are overwritten with possibly new data. No users
are removed from the database:
DbAdmin -user -import "csv file name" -replaceExistingUsers
• Synchronize users: Import users from a comma-separated file. Any users already present
in the database are overwritten with possibly new data. Any users present in the database,
but NOT present in the comma-separated file, are removed from the database:
DbAdmin -user -import "csv file name" -replaceExistingUsers -removeUsers
Using the DbAdmin tool it is possible to set up a periodic custom synchronization of users from
your specific data source to SMS PASSCODE®. This custom synchronization will work exactly as
the built-in AD Integration. To configure a custom synchronization, please proceed as follows:
Schedule a periodic task, e.g. using the Windows Task Scheduler. This task should perform
the following actions:
a. Export the required users from the data source to a comma-separated file.
b. Call DbAdmin with the generated comma-separated file as input and with the
arguments shown above at Synchronize users.
You can even set up multiple custom synchronizations that will work in parallel on their own subset
of users, analogously to the built-in AD integration running in multi domain mode. And you can
have several custom synchronizations and several AD-integrations run simultaneously. Please
contact support@smspasscode.com if you would like to receive more information about this.
12.3 Configuring Citrix Web Interface Protection
If you have installed the optional Citrix Web Interface Protection component, you will normally
not need to perform any further configuration of this.
Manual configuration of the Citrix Web Interface scenario is only necessary if you decide to change
the scenario to a different setting than selected during installation. This might, for example, be the
case if the scenario Disabled was selected during installation, and you would like to activate SMS
PASSCODE® authentication for the Citrix Web Interface afterwards.
The procedure for changing the Citrix Web Interface Protection scenario is:
1. Open the file WebInterface.conf using Notepad. This file is located in the subfolder
Conf of the root folder of the Citrix Web Interface. The default path is:
Citrix Web Interface 4.0 / 4.2: C:\Inetpub\wwwroot\Citrix\MetaFrame\conf\WebInterface.conf
Citrix Web Interface 4.5 / 4.6: C:\Inetpub\wwwroot\Citrix\AccessPlatform\conf\WebInterface.conf
Citrix Web Interface 5.x: C:\Inetpub\wwwroot\Citrix\XenApp\conf\WebInterface.conf
2. Edit the line containing “SMSPASSCODE=xxxx”. Change it to one of:
• SMSPASSCODE=Off: SMS PASSCODE® is disabled.
• SMSPASSCODE=On: SMS PASSCODE® is enabled (Standalone or Side-By-Side logon).
• SMSPASSCODE=Both: SMS PASSCODE® is enabled (Standalone or Dual logon).
3. Save the WebInterface.conf file.
IMPORTANT
If you have enabled Active Directory Integration, and you are receiving the error message ”No
mobile number for user, please contact your administrator” during Citrix Web Interface logon,
please read section 14.2 (page 233) for solving this problem.
12.4 Configuring RADIUS Protection
If you have installed the optional RADIUS Protection component, you should configure your
RADIUS clients and your RADIUS server (IAS/NPS server). Below, IAS/NPS server designates the
server that the SMS PASSCODE® RADIUS Protection component is installed on.
The configuration procedure is slightly different on Windows Server 2003 and Windows Server
2008. Please follow the instructions in section 12.4.1 for Windows Server 2003 and the instructions
in section 12.4.2 for Windows Server 2008.
12.4.1 Configuring RADIUS Protection on Windows Server 2003
The procedure for configuring RADIUS authentication using SMS PASSCODE® on a Windows
Server 2003 is:
1. Configure all RADIUS clients in the usual way by specifying the IAS server as the RADIUS
server. If you are in doubt how to perform the configuration, please refer to the
configuration guide of the specific RADIUS client in question.
Important: The user experience is best for RADIUS clients supporting Challenge
Response. If Challenge Response support is configurable on the RADIUS client, please
enable it.
2. Start the IAS Management Console:
a. Select Run… in the Windows Start menu
b. Enter ias.msc
c. Click OK
3. The IAS Management Console is shown.
4. Now you must create all your RADIUS Clients in the IAS Management Console. If these
have already been created beforehand, you can skip to step 10.
5. To create a RADIUS Client:
a. Right-click the RADIUS Clients node.
b. Select New RADIUS Client.
6. The New RADIUS Client dialog appears.
a. Enter a “friendly name” of the RADIUS Client.
b. Enter the IP address of the RADIUS Client.
c. Click Next.
7. New fields appear in the New RADIUS Client dialog.
a. Enter and confirm the Shared Secret. It must match the shared secret configured
on the RADIUS Client.
b. Click Finish.
8. The RADIUS Client that you have created will appear in the right-hand pane:
9. Repeat steps 5-8 if you need to create more RADIUS Clients.
10. It is recommended to create a Connection Request Policy for SMS PASSCODE®
authentications. To do so, right-click the Connection Request Policies node and select
New Connection Request Policy:
11. The New Connection Request Policy Wizard dialog appears. Click Next.
12. New fields appear in the New Connection Request Policy Wizard dialog. Set up a
custom policy.
a. Select A custom policy.
b. Enter a name for the policy, e.g. SMS PASSCODE authentication.
c. Click Next.
13. Now you should define the conditions that define when this policy is used. Click Add…
14. First you should define that this policy is not restricted by day or time:
a. Select Day-And-Time-Restrictions
b. Click Add…
c. Select Permitted.
d. Click OK.
15. Now you should add the conditions that determine that SMS PASSCODE authentication should occur. E.g. you could add a “Client-IP-Address” condition and filter on the RADIUS client. Finally, after you have added all your conditions of choice, click Next.
16. Click Edit Profile…
17. Now specify that the IAS extension should take full authentication control.
a. Select Accept users without validating credentials
b. Click OK
18. Click Next
19. Click Finish
20. This completes the configuration of RADIUS authentication using SMS PASSCODE®. Please test each RADIUS client to make sure that RADIUS authentication works as expected.
12.4.2 Configuring RADIUS Protection on Windows Server 2008
The procedure for configuring RADIUS authentication using SMS PASSCODE® on a Windows
Server 2008 is:
1. Configure all RADIUS clients in the usual way by specifying the NPS server as the
RADIUS server. If you are in doubt how to perform the configuration, please refer to the
configuration guide of the specific RADIUS client in question.
Important: The user experience is best for RADIUS clients supporting Challenge
Response. If Challenge Response support is configurable on the RADIUS client, please
enable it.
2. Start the NPS Management Console:
a. Select Run… in the Windows Start menu
b. Enter nps.msc
c. Click OK
3. The NPS Management Console is shown.
4. Now you must create all your RADIUS Clients in the NPS Management Console. If these
have already been created beforehand, you can skip to step 9.
5. To create a RADIUS Client:
a. Right-click the RADIUS Clients node.
b. Select New RADIUS Client.
6. The New RADIUS Client dialog appears.
a. Enter a “friendly name” of the RADIUS Client.
b. Enter the IP address of the RADIUS Client.
c. Enter and confirm the Shared Secret. It must match the shared secret configured
on the RADIUS Client.
d. Click OK.
7. The RADIUS Client that you have created will appear in the right-hand pane:
8. Repeat steps 5-7 if you need to create more RADIUS Clients.
9. It is recommended to create a Connection Request Policy for SMS PASSCODE®
authentications. To do so, right-click the Connection Request Policies node and select
New:
10. The New Connection Request Policy dialog appears.
a. Enter a name for the policy, e.g. SMS PASSCODE authentication.
b. Select Type of network access server.
c. Click Next.
11. Now you should define the conditions that define when this policy is used. Click Add…
12. First you should define that this policy is not restricted by day or time:
a. Select Day-And-Time-Restrictions
b. Click Add…
c. Select Permitted.
d. Click OK.
13. Now you should add the conditions that determine that SMS PASSCODE authentication should occur. E.g. you could add an “Access Client IPv4 Address” condition and filter on the RADIUS client. Finally, after you have added all your conditions of choice, click Next.
14. Now specify that the NPS extension should take full authentication control:
a. Select Accept users without validating credentials.
b. Click Next.
15. Click Next.
16. Click Finish.
17. This completes the configuration of RADIUS authentication using SMS PASSCODE®. Please test each RADIUS client to make sure that RADIUS authentication works as expected.
12.4.3 Advanced Configuration of the RADIUS Protection Component
The sections above describe the standard configuration of SMS PASSCODE® RADIUS Protection.
This is usually sufficient.
However, the SMS PASSCODE® Configuration Tool located in the Windows Start Menu
offers a graphical user interface for maintaining a number of advanced RADIUS settings
which can be configured to tailor the RADIUS Protection component to your specific
RADIUS authentication requirements.
After opening the SMS PASSCODE® Configuration Tool from the Windows Start Menu…
…the application will display a number of tabs. Select the RADIUS Client Protection tab to
configure the advanced RADIUS settings:
The RADIUS Client Protection tab contains three sub-tabs:
Authentication:
This tab contains settings that affect the authentication behavior of the RADIUS
Protection component. Please read section 12.4.3.1 (page 173) for further details.
Authorization:
This tab allows you to enable or disable the inclusion of a RADIUS authorization attribute in
each RADIUS accept packet sent to the RADIUS client on successful
authentication, and to configure the authorization attribute. Please read section
12.4.3.2 (page 177) for further details.
Miscellaneous:
This tab contains miscellaneous settings of the RADIUS Protection component
regarding text encoding, challenge/response behavior and more. Please read
section 12.4.3.3 (page 181) for further details.
The different tabs and settings are described in detail in the subsequent sections.
IMPORTANT:
Whenever you change any of the RADIUS Client Protection settings, you must restart the Internet
Authentication Service (Windows Server 2003) or the Network Policy Server service (Windows
Server 2008), before the changes take effect. The SMS PASSCODE® Configuration Tool will
automatically suggest performing this action for you when the changed settings are saved.
12.4.3.1 RADIUS Authentication Settings
The Authentication tab on the RADIUS Client Protection tab contains the following settings:
The settings have the following purposes:
a. Format of user names forwarded to the SMS PASSCODE system
This setting specifies whether the user names should be sent to the SMS PASSCODE®
authentication infrastructure in SAM (domain\username) or UPN (username@domain) format.
It is important that the user names are sent in the same format as they are stored in the SMS
PASSCODE® database. If this is not fulfilled, the users will not be recognized and
authentication will fail.
b. Allow login when
By default, the SMS PASSCODE® RADIUS Protection component will reject an authentication
attempt from a user using an expired password or using a password that has been flagged
“must be changed at next logon”. However, you can change this behavior. This might make
sense when a user is requesting remote access using a VPN connection. In this case it might
be acceptable to give the user network access and in this way allow the user to renew/change
the password.
Password has expired: Check this setting to allow successful authentication with a password
that has expired.
Password must change: Check this setting to allow successful authentication with a
password that has been flagged “must change at next logon”.
c. Side-by-side
These settings are used to configure the RADIUS Protection component to work side-by-side
with other RADIUS authentication systems, e.g. hardware-token based two-factor
authentication systems.
If side-by-side functionality is needed in your environment, please consider these two cases:
Case 1: All users can be divided into two separate groups. One group uses only SMS
PASSCODE®, the other group uses only a different system for RADIUS
authentication. In this case you should use the following settings:
Using this setup both groups of users can log in using the standard authentication
workflow that they are used to.
Case 2: You have two different RADIUS authentication systems, but you cannot divide your
users into two separate groups. I.e. some users might use both types of
authentication. In this case you have two options.
1) You can let the users explicitly select the type of authentication that they would
like to use. Use these settings in this case:
Using this setup all users have to trigger SMS PASSCODE® authentication explicitly
by either leaving the password empty or entering the password “sms”. In all other
cases the other RADIUS authentication system will be used.
2) The type of authentication is automatically determined by the type of password
entered. In this case, use these settings…
…and also specify a regular expression into the Skip password
validation for the following type of passwords setting that will identify
the passwords of the other authentication system.
The individual side-by-side settings are described in detail below:
Forward failed request:
i. Unchecked (default behavior):
Failed authentications are not forwarded, i.e. a RADIUS reject package will be sent
back to the RADIUS client whenever SMS PASSCODE® authentication fails.
ii. Checked (forwarding behavior):
Authentication requests are forwarded to another RADIUS authentication system
whenever SMS PASSCODE® authentication fails. Authentication requests can be
forwarded to either another IAS/NPS extension (on the same server) or another
RADIUS server.
RADIUS forwarding
When Forward failed request is enabled, you have the option of forwarding
requests to another IAS/NPS extension or another RADIUS server. Please note
that you cannot use both types of forwarding at the same time: forwarding to
another IAS/NPS extension on the same server always has the highest priority. Please
read section 12.4.4 (page 183) for the additional actions required to make the
IAS/NPS service forward RADIUS requests to another IAS/NPS extension or
another RADIUS server.
WARNING:
When enabling “forwarding behavior”, always ensure that authentication is
forwarded correctly to another authentication system. Otherwise, all users will have
access without any authentication!
Explicit side-by-side:
i. Unchecked (default workflow):
SMS PASSCODE® authentication is always performed first. In case SMS
PASSCODE® authentication succeeds, the user authentication is accepted.
Whenever SMS PASSCODE® authentication fails, behavior is controlled by the
Forward failed request setting.
ii. Checked (side-by-side workflow):
If a username is entered and no password is specified, or the password “sms” is
specified, then SMS PASSCODE® authentication is carried out in two steps. First a
challenge will ask for the Windows password, followed by another challenge that will
ask for the SMS passcode.
If an authentication request is received with a non-empty password different from
“sms”, then SMS PASSCODE® authentication fails immediately. The behavior is
then controlled by the Forward failed request setting.
Skip password validation for the following type of passwords:
i. Empty (default):
This setting has no effect.
ii. Non-empty (password filtering):
If you enter a regular expression into this field, SMS PASSCODE® will
check, on each authentication attempt, whether the regular expression
matches the password entered. When this is the case, SMS
PASSCODE® authentication will fail immediately, i.e. no Windows
authentication is performed by SMS PASSCODE®. The behavior is then controlled
by the Forward failed request setting.
If the regular expression does NOT match the password entered by the user, then
the Forward failed request setting is ignored. I.e. if SMS PASSCODE®
authentication fails (e.g. due to an incorrect password or passcode), then the
request will not be forwarded to another RADIUS system even though the setting
Forward failed request has been checked.
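The decision rules for the three side-by-side settings above, written out as a small model. This is an added illustration, not SMS PASSCODE code; the outcome labels, the stand-in `sms_passcode_auth` callback and the order in which Explicit side-by-side and the regular expression are evaluated are assumptions (the guide presents the two settings as alternatives), and `effective_outcome` models only what the WARNING box states about forwarding without a forwarding target.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Outcomes as observed by the RADIUS client (constructed labels for this model)
ACCEPT = "accept"                  # SMS PASSCODE authentication succeeded
REJECT = "reject"                  # RADIUS reject packet returned to the client
FORWARD = "forward"                # request handed to another IAS/NPS extension or RADIUS server
TWO_STEP = "two-step-challenge"    # challenge for the Windows password, then for the passcode


@dataclass
class SideBySideSettings:
    """The three side-by-side settings from the Authentication tab."""
    forward_failed_request: bool = False   # Forward failed request
    explicit_side_by_side: bool = False    # Explicit side-by-side
    skip_password_regex: str = ""          # Skip password validation for the following type of passwords


def decide(settings: SideBySideSettings, password: str,
           sms_passcode_auth: Callable[[str], bool]) -> str:
    """Return the outcome for one authentication request carrying the given password.

    sms_passcode_auth(password) is a stand-in for the normal SMS PASSCODE flow
    (Windows password validation followed by the passcode challenge).
    Assumption: when both Explicit side-by-side and the regex are set, the explicit
    check is evaluated first.
    """

    def after_failure(forwarding_allowed: bool) -> str:
        # Forward failed request decides what a failed SMS PASSCODE authentication becomes
        if forwarding_allowed and settings.forward_failed_request:
            return FORWARD
        return REJECT

    if settings.explicit_side_by_side:
        # An empty password or the literal "sms" triggers the two-step SMS PASSCODE flow;
        # any other password (even the correct Windows password) fails immediately and
        # Forward failed request decides.
        if password in ("", "sms"):
            return TWO_STEP
        return after_failure(forwarding_allowed=True)

    if settings.skip_password_regex:
        # A match means "this is the other system's password": fail immediately and let
        # Forward failed request decide. A non-match means the request belongs to
        # SMS PASSCODE, and a later failure is never forwarded, even if the box is checked.
        if re.search(settings.skip_password_regex, password):
            return after_failure(forwarding_allowed=True)
        return ACCEPT if sms_passcode_auth(password) else after_failure(forwarding_allowed=False)

    # Default workflow: SMS PASSCODE first; on failure Forward failed request decides.
    return ACCEPT if sms_passcode_auth(password) else after_failure(forwarding_allowed=True)


def effective_outcome(outcome: str, forwarding_target_configured: bool) -> str:
    """The WARNING above: a forwarded request with no forwarding target configured
    (section 12.4.4) ends up accepted without any authentication."""
    if outcome == FORWARD and not forwarding_target_configured:
        return "accept-without-authentication"
    return outcome


if __name__ == "__main__":
    # Constructed stand-in: only the Windows password "Secret1" passes SMS PASSCODE authentication
    auth = lambda pw: pw == "Secret1"
    case2_option1 = SideBySideSettings(forward_failed_request=True, explicit_side_by_side=True)
    print(decide(case2_option1, "", auth))          # two-step-challenge
    print(decide(case2_option1, "Secret1", auth))   # forward
    case2_option2 = SideBySideSettings(forward_failed_request=True, skip_password_regex=r"^\d{6}$")
    print(decide(case2_option2, "123456", auth))    # forward (token-style password)
    print(decide(case2_option2, "wrong", auth))     # reject (not forwarded despite the checkbox)
    print(effective_outcome(FORWARD, forwarding_target_configured=False))
```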
d. Password validation
By default, SMS PASSCODE® will validate user passwords using the WinNT provider (i.e.
validating the user’s Windows password). This will work for both AD users and local Windows
users created on the RADIUS server. You can select Custom LDAP if you wish to validate
user passwords against some specific LDAP attribute in the AD instead. Please specify the
name of an existing LDAP attribute in the AD in this case. Custom LDAP validation will only
work for AD users.
e. Default domains
The Default domains setting is useful if you need to authenticate users from different
domains, but do not wish to force the users to enter or select the domain explicitly during
authentication.
In case SMS PASSCODE® RADIUS protection is authenticating a user with a user name that
explicitly contains a domain using SAM (domain\username) or UPN format
(username@domain), then the user is always authenticated in the domain specified.
If no domain is specified explicitly, then SMS PASSCODE® RADIUS protection will
try to authenticate the user using the list of domains specified in the Default
domains setting. Authentication is attempted according to the prioritized order of
the domains in the list. Please note that you can also specify the name of the
RADIUS server itself in the list. This entry will cause the RADIUS server to authenticate the
user as a local Windows user on the RADIUS server itself.
Finally, if authentication fails in all the specified domains or if the Default domains
list is empty, SMS PASSCODE® RADIUS protection will always make a last attempt to
authenticate the user in the local domain, i.e. the domain that the RADIUS server is a member
of. If the RADIUS server is a standalone server, then this last authentication attempt is
performed using the local Windows user storage.
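The domain lookup order described above, as an added example that is not part of the original guide. It parses SAM (domain\username) and UPN (username@domain) names and returns the order in which domains are tried; the server name `RADIUS01`, the marker for the local user store and the sample domains are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

LOCAL_USERS = "<local Windows user store>"   # constructed marker for local accounts on the RADIUS server


@dataclass
class DomainSettings:
    default_domains: List[str] = field(default_factory=list)  # prioritized Default domains list
    local_domain: Optional[str] = None  # domain the RADIUS server is a member of; None = standalone
    server_name: str = "RADIUS01"       # constructed name of the RADIUS server itself


def split_user_name(user_name: str) -> Tuple[Optional[str], str]:
    """Return (domain, user) for SAM 'domain\\user' or UPN 'user@domain'.

    The domain is None when the user name carries no domain part.
    Assumption: a name containing a backslash is treated as SAM before looking for '@'.
    """
    if "\\" in user_name:
        domain, user = user_name.split("\\", 1)
        return domain, user
    if "@" in user_name:
        user, domain = user_name.rsplit("@", 1)
        return domain, user
    return None, user_name


def authentication_order(user_name: str, settings: DomainSettings) -> List[str]:
    """Domains in the order SMS PASSCODE RADIUS protection tries them for this user name."""
    domain, _ = split_user_name(user_name)
    if domain is not None:
        # An explicit domain is always used as given; nothing else is tried
        return [domain]
    attempts: List[str] = []
    for entry in settings.default_domains:
        # The RADIUS server's own name in the list stands for its local Windows users
        if entry.casefold() == settings.server_name.casefold():
            attempts.append(LOCAL_USERS)
        else:
            attempts.append(entry)
    # The last attempt is always the local domain, or the local user store on a standalone server
    attempts.append(settings.local_domain if settings.local_domain else LOCAL_USERS)
    return attempts


if __name__ == "__main__":
    # Constructed environment: server RADIUS01 joined to CORP, with SALES and itself as defaults
    settings = DomainSettings(default_domains=["SALES", "RADIUS01"], local_domain="CORP")
    print(authentication_order("alice", settings))               # ['SALES', '<local Windows user store>', 'CORP']
    print(authentication_order("alice@corp.example", settings))  # ['corp.example']
    print(authentication_order("SALES\\bob", settings))          # ['SALES']
```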
f. Skip password validation
This setting allows adding a list of RADIUS clients for which password validation should be
skipped completely by SMS PASSCODE® RADIUS protection. I.e. if an authentication request
is received from any RADIUS client in this list, then an SMS PASSCODE will be sent to the
user without validating the user password at all.
WARNING:
Use this setting with great caution. It is only recommended to skip password validation for
RADIUS clients that will check the user password by themselves, before the RADIUS
request is sent to the RADIUS server.
12.4.3.2 RADIUS Authorization Settings
When a user has been authenticated successfully by SMS PASSCODE® RADIUS protection, a
RADIUS accept package is returned to the RADIUS client. This package does NOT contain any
authorization information by default.
However, if your RADIUS client supports authorization, you can enable the authorization feature of
the SMS PASSCODE® RADIUS protection component. When authorization is enabled, SMS
PASSCODE® RADIUS protection will automatically determine the names of all AD groups that the
authenticated user is a member of. All or some of these group names are then added to the
RADIUS authorization attribute and sent along with the RADIUS accept message to the RADIUS
client. The RADIUS client can subsequently retrieve all these group names from the attribute and
allocate permissions depending on the AD group memberships of the user. It is even possible to
apply transformations to the AD group names if the RADIUS client expects specific group names
that you do not wish to create in your AD.
Authorization is configured on the Authorization tab on the RADIUS Client Protection tab:
The settings have the following purposes:
a. Enable authorization
This is the main setting to enable or disable authorization.
i. Unchecked (default):
Authorization is disabled, i.e. no authorization attribute is included in any RADIUS accept
package.
ii. Checked:
Authorization is enabled, i.e. each RADIUS accept package will contain an authorization
attribute. The properties and content of the authorization attribute are defined using the
settings below.
b. Authorization attribute properties
This group of settings defines the main characteristics of the authorization attribute. The
default settings are the settings expected by a Citrix Access Gateway with default settings.
Max size of attribute: Defines the maximum allowed size of the content of the authorization
attribute in multiples of 249 bytes. I.e. a value of 4 (the default value) means 4 x 249 = 996
bytes. The content of the authorization attribute will be cut off if it exceeds the specified
maximum size.
Vendor code: Use this setting to specify a vendor code in case your RADIUS client expects a
specific vendor code in the authorization attribute.
Attribute number: Use this setting to specify an attribute number in case your RADIUS client
expects a specific attribute number in the authorization attribute.
Prefix/Separator: The content of the authorization attribute will have a format like this:
[Prefix][Group1][Separator][Group2][Separator]…[GroupN][Separator]
Where [Group1], [Group2],…,[GroupN] are the names of the AD groups that the authenticated
user is a member of, and [Prefix] and [Separator] contain customizable content to be
configured using the settings Prefix and Separator, respectively. E.g. if you set Prefix to
“CTXSUserGroups=” and Separator to “;” and the user is a member of 3 groups called
“OwaAccess”, “CitrixAccess” and “SharePointAccess”, then the content of the authorization
attribute will be like this:
CTXSUserGroups=OwaAccess;CitrixAccess;SharePointAccess;
c. Active Directory resolve provider
This setting defines whether the Global catalog or LDAP should be used for
retrieving the AD groups that the authenticating user is a member of. Please note
that only direct group memberships are retrieved.
When using Global catalog, a single GC server will be contacted. When using LDAP, all
necessary domain controllers that are available will be contacted even including child domains
and trusted domains.
d. Restrict groups collected into the authorization attribute
SMS PASSCODE® RADIUS protection will collect all direct group memberships by default and
put the names of the groups into the authorization attribute. If your users have a lot of group
memberships, the total length of the group names might exceed the maximum size of the
RADIUS attribute, which will cause some of the group names to be cut off. Since you cannot
predict which groups will be cut off, it might be better to select a restricted number of group
names that you will actually need in your authorization attribute. This is just what the setting
Restrict groups collected into the authorization attribute allows you to define.
You can add a number of group names to the list which will cause SMS PASSCODE®
RADIUS protection to only collect group names from this list into the authorization attribute.
Group name transformation: When entering group names into the restriction list,
you may enter the group names in a special format to perform transformation of the
group names. The syntax is:
[AD Group Name];[RADIUS Client Group Name]
For example, if you have an AD group called “Sales People” and you would like to report the
group “OwaAccess” to the RADIUS Client in this case, then you should add the following entry
to the restriction list:
Sales People;OwaAccess
Only collect first matching group: If you check this setting, then SMS PASSCODE®
RADIUS protection will at most put one single group name into the authorization attribute. This
will be the first group in the restriction list that the authenticated user is a member of.
Restricting to a single group is useful if your RADIUS client will only accept a single value in
the authorization attribute.
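The attribute format from item b and the restriction, transformation, first-match and cut-off rules from item d, carried through as an added example (not SMS PASSCODE code). The defaults are the Citrix Access Gateway values quoted above; the `cp1252` encoding used to measure the byte length, the case-insensitive group-name comparison and the sample group names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

ATTRIBUTE_UNIT = 249   # Max size of attribute is given in multiples of 249 bytes


@dataclass
class AuthorizationSettings:
    """Authorization tab settings; the defaults are the Citrix Access Gateway defaults."""
    prefix: str = "CTXSUserGroups="
    separator: str = ";"
    max_size: int = 4                      # 4 x 249 = 996 bytes
    restrict_groups: List[str] = field(default_factory=list)  # "AD Group" or "AD Group;Client Group"
    only_first_matching: bool = False
    encoding: str = "cp1252"   # assumption: a Windows code page, like the Code Page setting for input texts


def parse_restriction(entry: str) -> Tuple[str, str]:
    """Split '[AD Group Name];[RADIUS Client Group Name]'; without ';' the AD name is reported as-is."""
    ad_name, has_transform, client_name = entry.partition(";")
    ad_name = ad_name.strip()
    return ad_name, (client_name.strip() if has_transform else ad_name)


def collect_groups(direct_memberships: Iterable[str], settings: AuthorizationSettings) -> List[str]:
    """Group names that go into the attribute, after restriction, transformation and first-match."""
    memberships = list(direct_memberships)
    if not settings.restrict_groups:
        return memberships                      # default: every direct membership, in AD order
    member_set = {g.casefold() for g in memberships}   # AD group names compare case-insensitively
    collected: List[str] = []
    for entry in settings.restrict_groups:      # restriction-list order decides the result order
        ad_name, client_name = parse_restriction(entry)
        if ad_name.casefold() in member_set:
            collected.append(client_name)
            if settings.only_first_matching:
                break                           # at most one single group name
    return collected


def attribute_text(direct_memberships: Iterable[str], settings: AuthorizationSettings) -> str:
    """[Prefix][Group1][Separator]...[GroupN][Separator], before any size limit is applied."""
    groups = collect_groups(direct_memberships, settings)
    return settings.prefix + "".join(g + settings.separator for g in groups)


def build_attribute(direct_memberships: Iterable[str], settings: AuthorizationSettings) -> bytes:
    """Encoded attribute content, cut off at max_size x 249 bytes."""
    data = attribute_text(direct_memberships, settings).encode(settings.encoding)
    return data[: settings.max_size * ATTRIBUTE_UNIT]


def fits(direct_memberships: Iterable[str], settings: AuthorizationSettings) -> bool:
    """Pre-check for item d: True when no group name would be cut off for this user."""
    data = attribute_text(direct_memberships, settings).encode(settings.encoding)
    return len(data) <= settings.max_size * ATTRIBUTE_UNIT


if __name__ == "__main__":
    # Constructed direct memberships for one user
    user_groups = ["Sales People", "CitrixAccess", "Finance"]
    restricted = AuthorizationSettings(restrict_groups=["Sales People;OwaAccess", "CitrixAccess"])
    print(build_attribute(user_groups, restricted))   # b'CTXSUserGroups=OwaAccess;CitrixAccess;'
    # 30 constructed groups overflow a 1 x 249 byte attribute, so the tail is cut off
    many = [f"Group{i:02d}" for i in range(30)]
    print(fits(many, AuthorizationSettings(max_size=1)))   # False
```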
12.4.3.3 Miscellaneous RADIUS settings
The remaining RADIUS settings are collected on the Miscellaneous tab on the RADIUS Client
Protection tab:
The settings have the following purposes:
a. Text settings
Code Page used for encoding: This setting specifies the Windows Code Page used for
encoding input texts, i.e. user names, passwords and passcodes.
Custom challenge message: By default SMS PASSCODE® RADIUS protection will send the
message “Please enter SMS PASSCODE” when the user should enter the SMS PASSCODE
on the RADIUS challenge. Using this setting you can change this message to a different text.
This is useful for localization of the message or in case your RADIUS client will only accept
specific text(s) in the RADIUS challenge.
b. Only apply SMS PASSCODE authentication to the following Connection Request
Policies
By default SMS PASSCODE® RADIUS protection will apply to all incoming RADIUS requests.
However, if you wish to apply SMS PASSCODE® authentication only to specific requests, you
have the option to restrict SMS PASSCODE® authentication to incoming requests matching
specific Connection Request Policies defined in the IAS/NPS manager.
IMPORTANT:
When creating Connection Request Policies for SMS PASSCODE® authentication, you
should assign the option “Accept Users without validating credentials” to them (cf. section
12.4.1/12.4.2).
c. Forced Challenge Response Clients / Clients not supporting challenge packets
SMS PASSCODE® RADIUS protection supports RADIUS clients both with and without
challenge/response support. When the first request is received from a RADIUS client after the
IAS/NPS service has started, the IAS/NPS service will auto-detect whether the RADIUS client
supports challenge/response or not. If the client does not support challenge/response, then
SMS PASSCODE® authentication is performed in two steps, first validating the user password
in a first RADIUS authentication and then validating the SMS PASSCODE in a second
RADIUS authentication. This means a non-session-specific two-factor authentication is
performed, as opposed to a challenge/response two-factor authentication, which is always
session-specific.
If you do not wish to allow the auto-detection mechanism described above, you can enter the
host names or IP addresses of RADIUS clients either into the Forced Challenge Response
Clients list or into the Clients not supporting challenge packets list. RADIUS clients in
these two lists will be forced to always or never use challenge/response, respectively.
d. Do not send the state attribute to the following clients
According to the RADIUS RFC, all RADIUS challenge packets should contain a state attribute
(which is a session identifier). However, some RADIUS clients seem not to support this state
attribute. In this case, you can add the host name or IP address of the RADIUS client to the
Do not send the state attribute to the following clients list which will force SMS
PASSCODE® protection not to insert the state attribute. This is not recommended unless it is
really required.
12.4.4 RADIUS Forwarding
This section describes how you can configure RADIUS forwarding when you enable the Forward
failed request option on the Authentication tab.
Configuring RADIUS forwarding on a Windows Server 2003 (IAS) to another RADIUS
server: Please read section 12.4.4.1 (page 183).
Configuring RADIUS forwarding on a Windows Server 2008 (NPS) to another RADIUS
server: Please read section 12.4.4.2 (page 190).
Configuring RADIUS forwarding to another IAS/NPS extension on the same server.
Please read section 12.4.4.3 (page 197).
12.4.4.1 Forwarding to another Radius Server (Windows Server 2003)
This section describes how to configure forwarding of RADIUS authentication requests to another
RADIUS server when using IAS (Windows Server 2003). To achieve this, you have to create:
A Remote RADIUS Server Group that defines the RADIUS server(s) to receive the
forwarded authentication requests.
A Connection Request Policy defining the condition(s) for forwarding requests to
the remote RADIUS Server Group.
You can even create multiple Remote RADIUS Server Groups and multiple Connection Request
Policies – in this case the Connection Request Policies can define different conditions for
forwarding to different RADIUS servers.
The procedure for creating a Remote RADIUS Server Group and a Connection Request Policy
is:
1. First, you need to create a group of remote RADIUS servers. To do this: In the IAS
Management Console, right-click the Remote RADIUS Server Groups node and select
New Remote RADIUS Server Group.
2. The New Remote RADIUS Server Group Wizard dialog appears. Click Next and add one
or more RADIUS servers to this group using the wizard.
3. When the last page of the Wizard is reached: Leave the check box checked and click on
Finish:
4. The New Connection Request Policy Wizard dialog appears. Click Next.
5. New fields appear in the New Connection Request Policy Wizard dialog. Set up a
custom policy.
a. Select A custom policy.
b. Enter a name for the policy, e.g. Forward requests.
c. Click Next.
6. Now you should specify the conditions that define when this policy is used. Click Add…
7. First, you should define when forwarding occurs:
a. Select Day-And-Time-Restrictions
b. Click Add…
c. Select Permitted.
d. Click OK.
8. If other conditions should be applied for this policy, click Add… and select other conditions. This could for example be useful if you plan to have multiple forwarding policies that should forward to different RADIUS servers depending on different conditions. Click Next when you have finished adding your conditions of choice.
9. Now we need to define which servers authentication requests should be forwarded to. Click Edit Profile…
a. Select Forwarding requests to the following remote RADIUS server group for
authentication.
b. Select the RADIUS Server Group that you created earlier (in step 2).
c. Click OK.
10. Click Next.
11. Click Finish.
You have now successfully set up authentication forwarding. Please remember to test all
authentication systems thoroughly: test both successful and failed authentication attempts.
12.4.4.2 Forwarding to another Radius Server (Windows Server 2008)
This section describes how to configure forwarding of RADIUS authentication requests to another
RADIUS server, when using NPS (Windows Server 2008). To achieve this, you have to create:
A Remote RADIUS Server Group that defines the RADIUS server(s) to receive the
forwarded authentication requests.
A Connection Request Policy defining the condition(s) for forwarding requests to
the remote RADIUS Server Group.
You can even create multiple Remote RADIUS Server Groups and multiple Connection Request
Policies – in this case the Connection Request Policies can define different conditions for
forwarding to different RADIUS servers.
The procedure for creating a Remote RADIUS Server Group and a Connection Request Policy
is:
1. First you need to create a group of remote RADIUS servers. To do this: In the NPS
Management Console, right-click the Remote RADIUS Server Groups node and select
New.
2. The New Remote RADIUS Server Group dialog appears. Add one or more RADIUS
servers to this group, and afterwards click OK to create the group.
3. When the Remote RADIUS Server Group has been created successfully, create a new
Connection Request Policy. To do so, right-click the Connection Request Policies node
and select New.
4. The New Connection Request Policy dialog appears.
a. Enter a name for the policy, e.g. Forward Requests.
b. Select Type of network access server.
c. Click Next.
5. Now you should specify the conditions that define when this policy is used. Click Add…
6. First you should define when forwarding occurs:
a. Select Day-And-Time-Restrictions
b. Click Add…
c. Select Permitted.
d. Click OK.
7. If other conditions should be applied for this policy, click Add… and select other conditions. This could for example be useful, if you plan to have multiple forwarding policies that should forward to different RADIUS servers depending on different conditions. Click Next when you have finished adding your conditions of choice.
8. Now we need to define which servers authentication requests should be forwarded to.
a. Select Forward requests to the following remote RADIUS server group for
authentication.
b. Select the RADIUS Server Group that you created earlier (in step 2).
c. Click Next.
9. Click Next again.
10. Click Finish.
You have now successfully set up authentication forwarding. Please remember to test all
authentication systems thoroughly: test both successful and failed authentication attempts.
12.4.4.3 Forwarding to Another IAS/NPS Extension
If the SMS PASSCODE® RADIUS Protection component is installed on an IAS/NPS server and
another IAS/NPS extension was already installed on the system, SMS PASSCODE® will
automatically forward authentication requests to the other extension as soon as forwarding is
enabled.
When multiple IAS/NPS extensions are installed on the same server, the SMS PASSCODE®
IAS/NPS extension should always be the last one installed.
12.5 Configuring ISA/TMG Web Site Protection
The SMS PASSCODE® ISA/TMG Web Site Protection component allows you to apply
SMS PASSCODE® authentication to web sites that have been published through a
Microsoft ISA Server 2006 or Microsoft Forefront TMG 2010.
The following requirements must be fulfilled to apply SMS PASSCODE® ISA/TMG Web Site
Protection to a web site successfully:
The web site has to be published using a Web Listener.
The Web Listener used must be configured like this:
i. Client Authentication Method = HTML Form Authentication.
ii. Authentication Validation Method = Windows (Active Directory), LDAP
(Active Directory) or RADIUS.
iii. A Cookie Name must be specified for the Form Authentication.
iv. SMS PASSCODE® authentication must be enabled.
The necessary actions to apply SMS PASSCODE® ISA/TMG Web Site Protection to a web site
are described in more detail below:
1. Open the ISA/TMG Management Console.
2. Create a new Web Site Publishing Rule to publish your web site through the ISA/TMG
Server (if this has not been done yet).
3. Open the Properties dialog for the Web Listener assigned to the Web Site Publishing Rule.
4. Select the Authentication tab and ensure that
a. The Client Authentication Method is set to HTML Form Authentication
b. The Authentication Validation Method is set to either Windows (Active
Directory), LDAP (Active Directory) or RADIUS.
(At this point it does not matter whether the SMS PASSCODE tab is displayed or not.)
5. Select the Forms tab and click the Advanced… button:
6. On the Advanced Form Options tab, enter a Cookie Name of your own choice and then
click OK.
7. Save the new Web Listener settings and apply the changes to the ISA/TMG server
configuration.
8. Ensure that the published web site is accessible (from the external network) with standard
authentication (i.e. without SMS PASSCODE® authentication).
9. Now enable SMS PASSCODE® ISA/TMG Web Site Protection. To do this, open the Web
Listener Properties dialog again. It is mandatory this time that the Properties dialog is
opened through the Toolbox of the ISA/TMG Management Console (see footnote 17):
IMPORTANT:
Always access the Properties dialog of a Web Listener through the ISA/TMG Toolbox when you
want to enable or disable SMS PASSCODE® authentication for a Web Listener.
The SMS PASSCODE tab will only appear if the Properties tab is accessed in this way.
17 This is required because the ISA/TMG Management Console does not show custom tabs on the Properties dialog of a Web Listener if this dialog is opened from a Web Publishing Rule.
10. Select the SMS PASSCODE tab.
a. Ensure that the SMS Passcode Compatibility text box shows the text “Ok”. This
should be the case if all the preceding steps have been completed properly. If not,
then the text box will contain a message describing which actions are missing.
b. Check the Enable SMSPASSCODE authentication for the listener option.
c. Click the OK button
11. Apply the changes to the ISA/TMG server configuration.
12. Now check that the published web site is accessible (from the external network) with SMS
PASSCODE® authentication.
This completes the procedure for applying SMS PASSCODE® authentication to a web site
published through an ISA/TMG server.
12.6 Configuring IIS Web Site Protection
If you have installed the optional IIS Web Site Protection component on a server hosting
Microsoft Outlook Web Access (OWA) or Microsoft RD Web Access, you will normally enable
protection of the OWA or RD Web Access site during installation and will not have to make any
further configuration changes afterwards. However, you may decide to perform further
configuration of the IIS Web Site Protection component in the following cases:
a. If a new web site is added to the IIS, then access to this site will by default be
disallowed by the SMS PASSCODE® IIS Web Site Protection component. In this
case you have to refresh the IIS Web Site Protection configuration file to allow
access to this web site.
b. If you wish to protect other web sites than OWA or RD Web Access by SMS
PASSCODE® authentication, then you have to enable this manually. Please note that
the SMS PASSCODE® IIS Web Site Protection component currently only supports
protection of OWA sites, RD Web Access sites and web sites using Basic or
Integrated Windows Authentication.
c. If you wish to disable SMS PASSCODE® authentication for specific web sites, then
you can do this manually.
d. The SMS PASSCODE® IIS Web Site Protection component also offers advanced
configuration options. For example, authentication rules can be configured depending
on the clients’ source IP addresses.
12.6.1 ISAPI Filter
The SMS PASSCODE® IIS Web Site Protection component is implemented using an ISAPI filter.
This ISAPI filter is added to the IIS running on the server and extends the behavior of the IIS.
The default path of the ISAPI filter is:
C:\Program Files\SMS PASSCODE\ISAPI\SMSPasscodeISAPIFilter.dll
12.6.2 ISAPI Filter Configuration File
The behavior of the ISAPI filter is controlled by an XML configuration file. The default path of this
configuration file is:
C:\Program Files\SMS PASSCODE\ISAPI\Config.xml
You can control the behavior of the ISAPI filter by making changes to this configuration file. The
most common configuration changes are most easily made using the command line tool called
IsapiAdmin. This tool is by default located here:
C:\Program Files\SMS PASSCODE\ISAPI\IsapiAdmin.exe
The syntax and usage of the IsapiAdmin tool is described in section 12.6.3 below.
Another way to change the configuration file is by making changes to this file manually using a text
editor (e.g. Notepad). This allows for more advanced configuration changes. The syntax of the
configuration file is described in detail in section 12.6.4.
IMPORTANT:
Whenever changes are made to the ISAPI filter configuration file using the IsapiAdmin tool, these
changes take effect immediately.
Whenever changes are made to the ISAPI filter configuration file manually, these changes do not
take effect until the SMS PASSCODE ISAPI Service has been restarted.
12.6.3 The IsapiAdmin Tool
The default path of the command line tool IsapiAdmin is:
C:\Program Files\SMS PASSCODE\ISAPI\IsapiAdmin.exe
This tool has four main features:
a. Enable SMS PASSCODE® authentication for a specific web site on the local IIS.
b. Disable SMS PASSCODE® authentication for a specific web site on the local IIS.
c. Refresh the ISAPI filter configuration file, allowing access to all newly added web
sites on the local IIS.
d. List the web sites on the local IIS.
The following sub-sections describe the syntax of the IsapiAdmin tool.
12.6.3.1 Enable Protection of a Web Site
To enable SMS PASSCODE® authentication for a specific web site, use the -protect option in
one of the following two ways:
IsapiAdmin -protect -name "Web Site Name"
[-DirName "Virtual Dir Name"]
[-owa [-allowActiveSync] [-allowRpcOverHttps] | -rdweb]
- or -
IsapiAdmin -protect -siteID "Web Site ID"
[-DirName "Virtual Dir Name"]
[-owa [-allowActiveSync] [-allowRpcOverHttps] | -rdweb]
The different arguments of the command are described below.
-protect
    Instructs the tool to protect a web site.
-name
    Specifies the name of the web site to protect. Example:
    IsapiAdmin -protect -name "Default Web Site"
-siteID
    Specifies the ID of the web site to protect. The default web site always has ID 1. Example:
    IsapiAdmin -protect -siteID 1
    Use IsapiAdmin -list to get a list of the IDs of the different web sites (described in section 12.6.3.4, page 207).
-DirName (optional)
    Specifies the name of the virtual directory that is created within the web site being protected. This virtual directory contains files needed by the ISAPI filter. If the argument is not present, the default name SmsPasscodeLogon is used. Example:
    IsapiAdmin -protect -name "Default Web Site" -DirName "MyName"
-owa (optional)
    Required if the web site is an OWA web site using form-based authentication. For web sites using Basic or Integrated Windows Authentication, omit this argument.
-allowActiveSync (optional)
    Only allowed together with the -owa argument. Instructs the ISAPI filter to disable SMS PASSCODE® authentication for ActiveSync connections.
-allowRpcOverHttps (optional)
    Only allowed together with the -owa argument. Instructs the ISAPI filter to disable SMS PASSCODE® authentication for RPC over HTTP/HTTPS connections.
-rdweb
    Required if the web site is an RD Web Access site using form-based authentication. For web sites using Basic or Integrated Windows Authentication, omit this argument.
Examples:
Enable SMS PASSCODE® authentication for an OWA site using form-based authentication,
allow ActiveSync, disallow RPC over HTTP/HTTPS connections:
IsapiAdmin -protect -name "Default Web Site" -owa -allowActiveSync
...or since the Default Web Site always has ID 1, you could also enter:
IsapiAdmin -protect -siteID 1 -owa -allowActiveSync
Enable SMS PASSCODE® authentication for the SMS PASSCODE® Web Administration
Interface:
IsapiAdmin -protect -name "SMS PASSCODE Admin"
Enable SMS PASSCODE® authentication for an OWA site using Basic or Integrated
Windows Authentication:
IsapiAdmin -protect -name "Default Web Site"
12.6.3.2 Disable Protection of a Web Site
To disable SMS PASSCODE® authentication for a specific web site, use the
-unprotect option in one of the following two ways:
IsapiAdmin -unprotect -name "Web Site Name"
- or -
IsapiAdmin -unprotect -siteID "Web Site ID"
The different arguments of the command are described below.
-unprotect
    Instructs the tool to disable protection of a web site.
-name
    Specifies the name of the web site to unprotect. Example:
    IsapiAdmin -unprotect -name "Default Web Site"
-siteID
    Specifies the ID of the web site to unprotect. The default web site always has ID 1. Example:
    IsapiAdmin -unprotect -siteID 1
    Use IsapiAdmin -list to get a list of the IDs of the different web sites (described in section 12.6.3.4, page 207).
Examples:
Disable SMS PASSCODE® authentication for an OWA site:
IsapiAdmin -unprotect -name "Default Web Site"
...or since the Default Web Site always has ID 1, you could also enter:
IsapiAdmin -unprotect -siteID 1
Disable SMS PASSCODE® authentication for the SMS PASSCODE® Web Administration
Interface:
IsapiAdmin -unprotect -name "SMS PASSCODE Admin"
12.6.3.3 Refresh the Configuration File
The ISAPI filter configuration file specifies, for each web site, whether SMS PASSCODE®
authentication is enabled or disabled. However, if a new web site is added to the local IIS, and this
web site is not listed in the ISAPI filter configuration file, then the ISAPI filter will disallow access to
this site. If you try to access the web site, you will see the following error message:
To allow access to the web site, you must either enable or disable SMS PASSCODE®
authentication as described above in section 12.6.3.1 or 12.6.3.2, respectively. Another possibility
is to use the “refresh” option using the following syntax:
IsapiAdmin -refresh
Executing this command will automatically detect all web sites present in the local IIS and add all
missing web sites to the ISAPI filter configuration file. All missing web sites are added with SMS
PASSCODE® authentication disabled.
12.6.3.4 List ID of Web Sites
The IsapiAdmin command line tool also has a feature for showing a list of all web sites present in
the local IIS. This list displays the name and ID of each site. The syntax for showing the list of web
sites is:
IsapiAdmin -list
12.6.4 ISAPI Filter Configuration File Syntax
The configuration of the ISAPI filter is stored in an XML configuration file. The default path of this file
is:
C:\Program Files\SMS PASSCODE\ISAPI\Config.xml
The following subsections describe the anatomy (syntax) of this file in detail.
IMPORTANT:
Whenever changes are made to the ISAPI filter configuration file manually, these changes do not
take effect until the SMS PASSCODE ISAPI Service has been restarted.
12.6.4.1 <CONFIG> Element
At the top level, the configuration file contains one <CONFIG> element, which again contains one
or more <SITE> elements.
<CONFIG>
<SITE />
...
<SITE />
</CONFIG>
The configuration file must contain a <SITE> element for each web site in the local IIS.
12.6.4.2 <SITE> Element
Each site element of the configuration file contains the settings for a specific web site in the local
IIS:
<SITE name="Web Site Name" smspasscodedir="virtual dir name" >
<URL />
...
<URL />
</SITE>
Each SITE element contains the following attributes:
name: Specifies the name of the web site that is configured by this <SITE> element.
smspasscodedir: Specifies the URL of the virtual directory containing the files that are
needed by the SMS PASSCODE® ISAPI filter during SMS PASSCODE® authentication.
Recommended value is "/SmsPasscodeLogon/". It is recommended to enable SMS
PASSCODE® authentication for a web site using the IsapiAdmin tool because this tool will
automatically create the required virtual directory and configure it correctly (please read
section 12.6.3.1, page 204).
SMS PASSCODE® authentication is enabled by default for each web site that is named by a SITE
element. However, each SITE element may contain one or more <URL> elements that configure
authentication behavior of the web site.
12.6.4.3 <URL> Element
The <URL> elements within a <SITE> element define the authentication behavior of the web site.
The syntax is:
<URL path="URL path" smspasscode="true|false" type="authentication type" credentials="credentials source" >
<HOST />
...
<HOST />
</URL>
Each <URL> element contains the following attributes:
path: Specifies the URL that this element applies to. Please note that the configuration of
this element applies to all sub-URLs as well, unless these are overruled by another, more
specific <URL> element.
smspasscode: Boolean attribute defining whether SMS PASSCODE® authentication
should be enabled (smspasscode="true") or disabled (smspasscode="false") for the
specified URL.
type / credentials: These are optional attributes. These attributes should not be
specified for web sites or virtual directories that are using Basic or Integrated Windows
Authentication.
For OWA sites using form-based authentication, type="FormAuthentication" and
credentials="OWA" should be specified for the following virtual directories:
o /exchange
o /exchweb
o /owa
For RD Web Access sites using form-based authentication,
type="FormAuthentication" and credentials="rdweb" should be specified for the
following virtual directories:
o /rdweb
Normally, you will not set the attributes type and credentials manually. Use the tool
IsapiAdmin with the -owa or -rdweb option to protect an OWA site or RD Web access site,
respectively (please read section 12.6.3.1, page 204).
12.6.4.4 <HOST> Element
Each <URL> element may contain one or more <HOST> elements. Using a <HOST> element you
can override the configuration of the parent <URL> element depending on the client’s source IP
address. The syntax is:
<HOST ip="x.x.x.x" smspasscode="true|false" />
Each <HOST> element contains the following attributes:
ip: Specifies the source IP address of the client(s) that this element applies to. Wildcards
are allowed, e.g. ip="192.168.*". Also, you may specify ip="localhost"; in this case the
element applies to all requests from the local host, no matter if the requests are coming
from IP address 127.0.0.1 or from any other locally assigned IP address.
smspasscode: Boolean attribute defining whether SMS PASSCODE® authentication
should be enabled (smspasscode="true") or disabled (smspasscode="false") for the
specified client(s).
12.6.4.5 Configuration Examples
This section shows different examples for configuring web sites:
Enable SMS PASSCODE® authentication for the default web site:
<CONFIG>
<SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/" >
<URL path="/" smspasscode="true" />
<URL path="/SmsPasscodeLogon" smspasscode="false" />
</SITE>
</CONFIG>
Disable SMS PASSCODE® authentication for the default web site:
<CONFIG>
<SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/" >
<URL path="/" smspasscode="false" />
</SITE>
</CONFIG>
Enable SMS PASSCODE® authentication for the default web site, but only for the URLs
starting with "/secure":
<CONFIG>
<SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/" >
<URL path="/" smspasscode="false" />
<URL path="/secure" smspasscode="true" />
</SITE>
</CONFIG>
Enable SMS PASSCODE® authentication for the default web site, but not for clients
requesting from IP addresses 192.168.*:
<CONFIG>
<SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/" >
<URL path="/" smspasscode="true">
<HOST ip="192.168.*" smspasscode="false" />
</URL>
</SITE>
</CONFIG>
Enable SMS PASSCODE® authentication for an OWA site using form-based authentication:
<CONFIG>
<SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/" >
<URL path="/" smspasscode="false" />
<URL path="/exchange" smspasscode="true"
type="FormAuthentication" credentials="OWA" />
<URL path="/exchweb" smspasscode="true"
type="FormAuthentication" credentials="OWA" />
<URL path="/OWA" smspasscode="true"
type="FormAuthentication" credentials="OWA" />
<URL path="/rpc" smspasscode="true" >
<HOST ip="localhost" smspasscode="false" />
</URL>
</SITE>
</CONFIG>
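The following Python script is added here as an illustration and is not part of the SMS PASSCODE product: it evaluates a Config.xml of the form described in sections 12.6.4.1 to 12.6.4.4 and reports whether a given site, URL path and client IP address would require SMS PASSCODE® authentication, which lets an administrator check a hand-edited file before restarting the ISAPI service. The sample configuration is constructed; case-insensitive path matching, first-matching-<HOST> precedence and the set of addresses counted as "localhost" are assumptions, since the guide does not state them.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from typing import Optional

# Constructed sample Config.xml, modelled on the examples in section 12.6.4.5.
# It is not copied from any live server.
SAMPLE_CONFIG = """<CONFIG>
  <SITE name="Default Web Site" smspasscodedir="/SmsPasscodeLogon/">
    <URL path="/" smspasscode="false" />
    <URL path="/SmsPasscodeLogon" smspasscode="false" />
    <URL path="/owa" smspasscode="true" type="FormAuthentication" credentials="OWA" />
    <URL path="/rpc" smspasscode="true">
      <HOST ip="localhost" smspasscode="false" />
      <HOST ip="192.168.*" smspasscode="false" />
    </URL>
  </SITE>
</CONFIG>"""


def _as_bool(value: Optional[str], default: bool) -> bool:
    """Parse a smspasscode="true|false" attribute, falling back to default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def _segments(path: str) -> list:
    """Split a URL path into lower-cased segments: "/OWA/auth/" -> ["owa", "auth"].
    Assumption: paths compare case-insensitively, as the /OWA and /owa examples
    in the guide suggest for IIS."""
    return [s for s in path.lower().split("/") if s]


def _url_applies(url_path: str, request_path: str) -> bool:
    """A <URL> applies to its own path and all sub-URLs (section 12.6.4.3).
    Whole segments are compared, so "/owa" does not cover "/owaxyz"."""
    cfg = _segments(url_path)
    return _segments(request_path)[:len(cfg)] == cfg


def _host_applies(pattern: str, client_ip: str, local_addresses) -> bool:
    """Match a <HOST ip=...> value: "localhost" covers every locally assigned
    address (section 12.6.4.4); anything else is a wildcard pattern like 192.168.*."""
    pattern = pattern.strip()
    if pattern.lower() == "localhost":
        return client_ip in local_addresses
    return fnmatchcase(client_ip, pattern)


def effective_smspasscode(config_xml: str, site_name: str, request_path: str,
                          client_ip: str,
                          local_addresses=frozenset({"127.0.0.1"})) -> Optional[bool]:
    """Return True/False when SMS PASSCODE authentication does/does not apply to the
    request, or None when the site is not listed at all (the ISAPI filter then
    denies access, section 12.6.3.3). local_addresses is what the machine treats
    as "localhost"; the default is an assumption for offline use."""
    root = ET.fromstring(config_xml)
    site = next((s for s in root.findall("SITE")
                 if (s.get("name") or "").lower() == site_name.lower()), None)
    if site is None:
        return None

    # Section 12.6.4.3: the most specific matching <URL> (longest path) wins.
    best, best_depth = None, -1
    for url in site.findall("URL"):
        path = url.get("path", "/")
        depth = len(_segments(path))
        if _url_applies(path, request_path) and depth > best_depth:
            best, best_depth = url, depth
    if best is None:
        return True  # section 12.6.4.2: enabled by default when no <URL> applies

    enabled = _as_bool(best.get("smspasscode"), True)
    # Section 12.6.4.4: a <HOST> child overrides its <URL> for matching client IPs.
    # Assumption: the first matching <HOST> element is the one that counts.
    for host in best.findall("HOST"):
        if _host_applies(host.get("ip", ""), client_ip, local_addresses):
            enabled = _as_bool(host.get("smspasscode"), enabled)
            break
    return enabled


if __name__ == "__main__":
    for path, ip in [("/owa/auth/logon.aspx", "203.0.113.5"),
                     ("/rpc/rpcproxy.dll", "127.0.0.1"),
                     ("/rpc/rpcproxy.dll", "203.0.113.5")]:
        print(path, ip, effective_smspasscode(SAMPLE_CONFIG, "Default Web Site", path, ip))
```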
12.7 Configuring Windows Logon Protection
If you have installed the optional SMS PASSCODE® Windows Logon Protection component, you
will normally not have to perform any further configuration of this.
The Windows Logon Protection component is implemented by means of a custom GINA for
Windows XP and Windows Server 2003, and by means of a custom Credential Provider for
Windows Vista, Windows 7 and Windows Server 2008 (R2).
IMPORTANT (Windows XP / Windows Server 2003)
When installing the Windows Logon Protection component on Windows XP or Windows Server
2003, please remember to restart the computer after installation. The new GINA will not work
correctly before the system has been rebooted.
Ensure that all necessary SMS PASSCODE® users have been created BEFORE the system
is rebooted. If the system is rebooted before any SMS PASSCODE® users have been
created, only local administrators will be able to log on, and only locally using the console –
not using remote access by RDP!
12.7.1 Windows Logon User Exclusion Groups
You may optionally configure users who should be excluded from SMS PASSCODE®
authentication during Windows Logon. To support this, two local[18] user groups have been created
on the computer during installation:
SMS PASSCODE console exclusion: All users being member of this group are subject to the
following rules:
o They must authenticate using SMS PASSCODE® when they log on to the computer using
Terminal Service (RDP).
o They will not authenticate using SMS PASSCODE® when they log on locally using the
console. I.e. only user name and Windows password is required to log on in this case.
SMS PASSCODE general exclusion: All users being member of this group will log on to the
computer without SMS PASSCODE® authentication – whether they log on using Terminal
Service (RDP) or locally using the console.
By default, all users being member of the local Administrators group are automatically added
during installation to the SMS PASSCODE console exclusion group. This ensures that local
administrators will always be able to log on using the local console.
[18] The groups are created as AD groups when the SMS PASSCODE® GINA component is installed on a Domain Controller. Still, the groups only have effect on Windows Logon on the local computer.
12.7.2 Windows Logon Lock Time
By default, SMS PASSCODE® authentication is activated on every Windows Logon and also every
time the user’s session has been locked and the user wishes to unlock it. You can change this
behavior if you do not wish the SMS PASSCODE® authentication to become active immediately
whenever the user’s session has been locked.
To do this, start the SMS PASSCODE® Configuration Tool from the Windows Start Menu and select
the Windows Logon Protection tab, where you can configure the time that must pass after a session
has been locked before SMS PASSCODE® authentication is required.
A value of 0 will provide the default behavior, i.e. SMS PASSCODE® authentication is required
whenever a locked session is unlocked. If you select a value of e.g. 5, then the SMS PASSCODE®
authentication will not become active until 5 minutes after the user’s session was locked. If the user
tries to unlock his session before 5 minutes have passed, the user is allowed to unlock the session
using user name and Windows password only – i.e. without entering a passcode.
IMPORTANT (Windows XP / Windows Server 2003)
Windows XP and Windows Server 2003 only:
Whenever you change the Locked session re-authentication timeout setting, the new value
does not take effect until the computer has been restarted.
12.7.3 RDP Listener Exclusion
Whenever you log on to a Windows session on a Windows machine, your session is
established through a specific WinStation. The most common WinStations are
Console and Rdp-Tcp. The Console WinStation is used when logging on using the
local console, whereas the Rdp-Tcp WinStation is used when logging on using an RDP
connection (TCP port 3389 by default). The Rdp-Tcp WinStation is also called an RDP Listener.
You can see which WinStation has been used to establish each session on a machine by
inspecting the Users tab in the Task Manager. Each session will be named using the name of the
corresponding WinStation.
By default, when SMS PASSCODE® Windows Logon Protection has been installed on a
computer, all Windows sessions will be protected using SMS PASSCODE® authentication, unless
SMS PASSCODE® authentication is skipped due to the rules of exclusion groups (cf. section
12.7.1, page 212).
However, it is also possible to disable SMS PASSCODE® Windows Logon Protection for
individual WinStations. E.g. you can disable Windows Logon Protection for the Console
WinStation to disable SMS PASSCODE® authentication for all local console logons, independent
of group exclusion membership; or you can disable Windows Logon Protection for individual
RDP Listeners, in case you have created some custom RDP Listeners by yourself.
WinStations / RDP Listeners exclusion is configured on the Windows Logon Protection tab of the
SMS PASSCODE® Configuration Tool:
12.7.3.1 Creating a custom RDP Listener
You can create new custom RDP Listeners on a Windows machine. Why would you want to do this?
It might, for example, be useful in the following scenario: A machine is accessible through RDP,
but you only want users to be authenticated by SMS PASSCODE® Windows Logon Protection
when users are logging on from the external network. When logging on from the internal LAN,
users should be allowed to log on using standard Windows authentication. This can be achieved
using the following setup:
On the target machine: Create a new RDP Listener and assign a non-standard RDP
port to this listener, e.g. port 4000.
Configure your firewall to allow access on port 4000 from the external network.
Configure your firewall to use Network Address Translation (NAT) for all
RDP requests on port 4000 from the external network. NAT should be configured to
forward all RDP requests from port 3389 to port 4000. This means that all external
RDP requests will connect to the target machine using the new custom RDP
Listener.
Exclude the standard RDP Listener from SMS PASSCODE® Windows Logon
Protection.
Using this setup all users on the internal LAN can make a standard RDP connection (using TCP
port 3389) to the standard RDP Listener on the target machine and will be allowed to log in using
standard Windows authentication, because the standard RDP Listener has been excluded from
SMS PASSCODE® Windows Logon Protection. All external requests will hit the target machine
using the custom RDP Listener (on TCP port 4000), i.e. these users are required to perform SMS
PASSCODE® authentication to establish a Windows session on the target machine.
The scenario above is also possible without configuring NAT in the firewall. But in this case, the
external users will manually have to change the TCP port of the RDP connection to the TCP port of
the custom RDP Listener.
To create a custom RDP Listener, please follow this procedure:
1. Make a backup of your registry.
2. Open the registry using regedit.exe.
3. Locate the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
Right-click the key and export it to a file.
4. Open the exported file. Change the name of the key "RDP-Tcp" to a new name of your own
choice. This will be the name of the custom RDP Listener. Also change any other required
settings, e.g. PortNumber. Save the file.
5. Import the modified file into the registry. The registry will now contain a new key with the
name of the custom RDP Listener. This new key is located below the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
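The following Python helper is added here as an illustration and is not a tool shipped with SMS PASSCODE: it performs step 4 on the text of an exported .reg file, renaming the RDP-Tcp key (and any subkeys below it) and rewriting the PortNumber value, and refuses input that does not look like an export of that key. The export excerpt is constructed, the listener name RDP-Tcp-External and port 4000 are example choices, and a real regedit export must be read and written as UTF-16.

```python
import re
from typing import Optional

WINSTATIONS_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                   r"\Terminal Server\WinStations")

# Constructed excerpt of what a regedit export of the RDP-Tcp key contains. A real
# export holds many more values and is saved as UTF-16 text; this is not a copy of
# any real machine's registry.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[" + WINSTATIONS_KEY + "\\RDP-Tcp]\r\n"
    '"PortNumber"=dword:00000d3d\r\n'
    '"fEnableWinStation"=dword:00000001\r\n'
)


def make_custom_listener(export_text: str, new_name: str, new_port: int) -> str:
    """Step 4 of the procedure: rename the exported RDP-Tcp key (and any subkeys) to
    new_name and set PortNumber to new_port. Returns the text of the modified .reg
    file; raises ValueError if the input is not an export of the RDP-Tcp key."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", new_name) or new_name.lower() == "rdp-tcp":
        raise ValueError("listener name must be a short alphanumeric name other than RDP-Tcp")
    if not 1 <= new_port <= 65535:
        raise ValueError("port must be between 1 and 65535")
    old_key = WINSTATIONS_KEY + "\\RDP-Tcp"
    new_key = WINSTATIONS_KEY + "\\" + new_name
    out, renamed, ports = [], 0, 0
    for line in export_text.splitlines():
        head, rest = line[1:1 + len(old_key)], line[1 + len(old_key):]
        if line.startswith("[") and head.lower() == old_key.lower() and rest[:1] in ("]", "\\"):
            line = "[" + new_key + rest  # key header of RDP-Tcp itself or one of its subkeys
            renamed += 1
        elif line.lower().startswith('"portnumber"=dword:'):
            line = '"PortNumber"=dword:%08x' % new_port  # REG_DWORD is written as 8 hex digits
            ports += 1
        out.append(line)
    if renamed == 0 or ports == 0:
        raise ValueError("input does not contain the RDP-Tcp key with a PortNumber value")
    return "\r\n".join(out) + "\r\n"


def listener_port(export_text: str) -> Optional[int]:
    """Read the PortNumber value back from .reg text as a decimal port, for verification."""
    m = re.search(r'^"PortNumber"=dword:([0-9a-fA-F]{8})\s*$', export_text, re.M | re.I)
    return int(m.group(1), 16) if m else None


if __name__ == "__main__":
    # On a real machine the export would be read with open(path, encoding="utf-16").
    print(make_custom_listener(SAMPLE_EXPORT, "RDP-Tcp-External", 4000))
```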
12.7.4 Credential Provider Filtering
On Windows Vista, Windows 7 and Windows Server 2008 (R2), the SMS PASSCODE®
Windows Logon Protection component is implemented by means of a custom
Credential Provider. Please note that the SMS PASSCODE® installation will
automatically disable all other installed credential providers[19] by default, restricting
users to log on only using SMS PASSCODE® authentication.
If you wish to allow users to log on using other installed Credential Providers, you can enable these
Credential providers on the Windows Logon Protection tab of the SMS PASSCODE®
Configuration Tool:
[19] Actually, the SMS PASSCODE® installation might leave some specific 3rd party credential providers enabled that are known to co-exist with SMS PASSCODE® without disabling or conflicting with SMS PASSCODE® authentication during the Windows Logon. The VMware Credential Provider installed on VMware View 4.0 clients is an example of this.
12.7.5 GINA Chaining
On Windows XP and Windows Server 2003, the SMS PASSCODE® Windows Logon Protection
component is implemented by means of a custom GINA. The SMS PASSCODE® GINA supports
GINA chaining – i.e. you can install the SMS PASSCODE® GINA together with other 3rd party
GINAs on the same computer, thereby building a GINA chain.
It is very important to keep track of the order of installation and uninstallation of the different GINAs
when making use of GINA chaining. Please observe the following rules:
GINAs are activated in opposite order of installation. I.e. the GINA installed last will be the
GINA activated first when Windows Logon is requested.
GINAs must always be uninstalled in the opposite order of installation, i.e. the GINA installed last
must be uninstalled first. The GINA chain is broken if this rule is not observed.
All GINAs must support GINA chaining except the GINA installed first. The GINA chain is
broken if this rule is not observed.
Please contact your SMS PASSCODE® reseller or SMS PASSCODE A/S if you would like to get
more information regarding GINA chaining.
12.8 Configuring CAGAE Protection
If you have installed the optional CAGAE Protection component, you will have to enable SMS
PASSCODE® authentication for each CAGAE logon point that requires SMS PASSCODE®
authentication. By default, no CAGAE Logon Points are protected by SMS PASSCODE®
authentication.
The following subsection describes the actions necessary to protect and unprotect a CAGAE logon
point using SMS PASSCODE®.
12.8.1 Protecting and Unprotecting Logon Points
SMS PASSCODE® includes a command-line tool called HttpModuleDeploy.exe. This tool is used
for enabling and disabling SMS PASSCODE® authentication for CAGAE logon points.
HttpModuleDeploy.exe is located in the subfolder HttpModule\CAG_Advanced of the SMS
PASSCODE® installation folder. The complete default path is:
C:\Program Files\SMS PASSCODE\HttpModule\CAG_Advanced
The syntax of the tool is:
Enable SMS PASSCODE® authentication for the logon point "logon point name":
HttpModuleDeploy install "logon point name"
Disable SMS PASSCODE® authentication for the logon point "logon point name":
HttpModuleDeploy uninstall "logon point name"
E.g. if you wish to enable SMS PASSCODE® authentication for the logon point
SampleLogonPoint, you should enter: HttpModuleDeploy install samplelogonpoint
If you afterwards wish to disable SMS PASSCODE® authentication for the logon point
SampleLogonPoint, you should enter: HttpModuleDeploy uninstall samplelogonpoint
IMPORTANT:
Whenever SMS PASSCODE® authentication is enabled or disabled for a CAGAE logon point,
please remember to refresh the logon page information for this logon point subsequently.
If this is not observed, the logon pages will not show correctly on the CAG appliance box.
To refresh the logon point page of a CAGAE logon point, please follow the instructions below:
1. Start the Citrix Access Management Console (using the Windows Start Menu):
2. Right-click the logon point that needs to be refreshed and select Refresh logon page
information:
12.8.2 Redundant CAGAE Setup
SMS PASSCODE® supports redundant CAGAE setups, i.e. setups with multiple servers running
the Citrix Advanced Access Control (AAC) software.
When using the Citrix Access Gateway appliance box version 4.6, it is recommended to clear the
“Load Balance initial Logon requests” setting in the Access Gateway Administration Tool:
Only if you do not wish to clear this setting, or if you are using an earlier version of the Citrix Access
Gateway appliance box, must the following additional requirements be fulfilled to support
redundant CAGAE setups:
When configuring a prioritized list of Transmitter services or Load Balancing
services using the SMS PASSCODE® Configuration Tool on each AAC server, use
the same type of services on all AAC servers and list the hosts in the same order on
all AAC servers.
All AAC servers must use the same session encryption keys. To achieve this,
please follow the procedure described below.
12.8.2.1 Distributing Identical Encryption Keys to AAC Servers
To distribute identical session encryption keys to multiple AAC servers, please follow the
procedure below:
1. On the first AAC server, generate a new encryption key and add it to the web.config file of
the Logon Point base folder:
a. Open a command prompt
b. Run the KeyGenerator command line tool (default path: "C:\Program Files\SMS
PASSCODE\HttpModule\CAG_Advanced\KeyGenerator.exe"). Specify the path of
the web.config file that the encryption keys should be added to, as the argument to
KeyGenerator. I.e. using default paths, the command should look like this:
KeyGenerator "C:\Inetpub\wwwroot\CitrixLogonPoint\Web.Config"
2. Now open the updated web.config file using Notepad and verify that the keys
Passcode.EncryptionKey and Passcode.EncryptionIV have been added to the
<appSettings> section:
3. Copy the two lines highlighted in the screenshot above to the clipboard, and insert them
into the <appSettings> section of the web.config file located in the Logon Point base folder
on all other AAC servers.
4. Now all AAC servers are using the same session encryption keys.
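The following Python script is added as an example and is not part of the SMS PASSCODE distribution: it copies the two Passcode.* keys from the first AAC server's web.config into another server's <appSettings> section (step 3) and reports which servers have drifted from the first one, which is the check behind step 4. The web.config excerpts and key values are constructed placeholders, not output of KeyGenerator, and the <add key="..." value="..."/> layout is the standard ASP.NET appSettings format assumed here.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

PASSCODE_KEYS = ("Passcode.EncryptionKey", "Passcode.EncryptionIV")

# Constructed web.config excerpts, not real files. The values are placeholders, not
# key material produced by KeyGenerator. Any file holding the real values is a secret
# and should be handled like one when it is copied between servers.
FIRST_SERVER = """<configuration>
  <appSettings>
    <add key="Passcode.EncryptionKey" value="PLACEHOLDER-KEY-FROM-KEYGENERATOR" />
    <add key="Passcode.EncryptionIV" value="PLACEHOLDER-IV-FROM-KEYGENERATOR" />
  </appSettings>
</configuration>"""

SECOND_SERVER = """<configuration>
  <appSettings>
    <add key="SomeOtherSetting" value="unchanged" />
  </appSettings>
</configuration>"""


def read_passcode_keys(web_config_xml: str) -> Dict[str, str]:
    """Return the Passcode.* entries found in <appSettings> as {key: value}."""
    root = ET.fromstring(web_config_xml)
    app = root.find("appSettings")
    found = {}
    if app is not None:
        for add in app.findall("add"):
            if add.get("key") in PASSCODE_KEYS:
                found[add.get("key")] = add.get("value", "")
    return found


def copy_passcode_keys(source_xml: str, target_xml: str) -> str:
    """Step 3: insert the two keys from the first server's web.config into another
    server's <appSettings>, replacing any stale values. Returns the new web.config text."""
    keys = read_passcode_keys(source_xml)
    missing = [k for k in PASSCODE_KEYS if k not in keys]
    if missing:
        raise ValueError("source web.config lacks " + ", ".join(missing))
    root = ET.fromstring(target_xml)
    app = root.find("appSettings")
    if app is None:
        app = ET.SubElement(root, "appSettings")
    for add in list(app.findall("add")):
        if add.get("key") in PASSCODE_KEYS:
            app.remove(add)  # drop an old key so the server cannot keep a stale value
    for key in PASSCODE_KEYS:
        ET.SubElement(app, "add", key=key, value=keys[key])
    return ET.tostring(root, encoding="unicode")


def servers_out_of_sync(configs: Dict[str, str]) -> List[str]:
    """Given {server name: web.config text}, return the servers whose keys differ
    from the first server listed (step 4 requires all AAC servers to agree)."""
    items = list(configs.items())
    if not items:
        return []
    reference = read_passcode_keys(items[0][1])
    return [name for name, xml in items[1:] if read_passcode_keys(xml) != reference]


if __name__ == "__main__":
    print(servers_out_of_sync({"aac1": FIRST_SERVER, "aac2": SECOND_SERVER}))
    print(copy_passcode_keys(FIRST_SERVER, SECOND_SERVER))
```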
12.8.3 Uninstalling CAGAE Protection
If you wish to uninstall the CAGAE Protection component, you can either remove this component
only (cf. section 0) or uninstall SMS PASSCODE® completely.
In both cases, please remember to disable SMS PASSCODE® authentication for all CAGAE logon
points BEFORE uninstalling the CAGAE Protection component – i.e. you should run
HttpModuleDeploy uninstall on each logon point (cf. section 12.8.1) for which SMS
PASSCODE® authentication has been enabled.
12.9 Configuration Tool
The SMS PASSCODE® Configuration Tool is used to configure machine specific SMS
PASSCODE® settings. It is located in the Windows Start Menu:
When you start this tool, you will see a number of tabs:
The actual number of tabs shown depends on the current configuration and the components that
have been installed. The different tabs have the following purposes:
General:
This tab allows you to switch between Single Server Installation and Multi Server
Installation mode, e.g. if you need to upgrade a single server installation to a multi server
installation.
Database:
In a multi server installation setup, you can specify on this tab the server on which the SMS
PASSCODE® database service is located. This tab also contains a Test Connection button,
which tests whether the connection to the specified database server operates properly.
SMS Transmission:
This tab appears in a multi server installation setup when an SMS PASSCODE®
authentication client has been installed. Using this tab, you can specify whether the
authentication client(s) on the local machine should communicate directly with SMS
PASSCODE® Transmitter hosts or with SMS PASSCODE® Load Balancing hosts. Also, the
priority is specified, i.e. in which order the authentication client(s) should attempt to
communicate with the specified hosts. This tab also contains a Test Connection button,
which tests whether the connections to the specified hosts operate properly.
Network:
This tab appears only in multi server installation setups. On this tab you can specify which
TCP ports should be used by the different SMS PASSCODE® components, and specify a
shared secret (password) that is used for encrypting all communication between the
different machines with SMS PASSCODE® components installed. Please ensure that the
TCP ports and shared secret are configured identically on all involved SMS PASSCODE®
machines. If this is not observed, communication between the machines will fail.
Windows Logon Protection:
This tab appears only when SMS PASSCODE® Windows Logon Protection
has been installed on the local machine. The tab allows configuring different
settings related to the Windows Logon Protection component. Please read
section 0 (page 212) for more details.
RADIUS Client Protection:
This tab appears only when SMS PASSCODE® RADIUS Protection has been
installed on the local server. The tab allows configuring different settings related
to the RADIUS Protection component. Please read section 12.4.3 (page 171)
for more details.
Import/Export:
This tab allows importing and exporting all settings configured in the SMS
PASSCODE® Configuration Tool. You can either export all settings to a text file
or import settings from a text file. This is useful for backup purposes or for
transferring settings from one machine to another. When exporting settings
that include a shared secret, you will be prompted to enter a password that is used for
protecting (encrypting) the shared secret in the text file. This password will be requested
when you import the settings file. Please note that it is also possible to import and export
settings from the command line (e.g. from a batch file or login script). This is useful if you
would like to mass-import SMS PASSCODE® settings to a large number of machines, e.g.
when protecting virtual machines like VMware View clients with SMS PASSCODE®
Windows Logon Protection and you need to apply the same network settings, including the
shared secret, to all these clients. The syntax for importing and exporting settings is
described in the next section.
12.9.1 Command line arguments
The SMS PASSCODE® Configuration Tool can be started from a command line. The executable
is named Config.exe. It is located in the SMS PASSCODE® installation folder, which by default is:
C:\Program Files\SMS PASSCODE
When starting the Configuration Tool from a command line, you may specify some
optional arguments.
To export all current settings, use the following syntax:
Config.exe -export:"filename" [-password:"password"] [-quiet]
To import settings from a file, use this syntax:
Config.exe -import:"filename" [-password:"password"] [-quiet]
The command line arguments are described below:

-export:"filename"
  Instructs the Configuration Tool to export all current settings to the file with the name
  filename. Please remember to use quotes if the filename contains spaces.

-import:"filename"
  Instructs the Configuration Tool to import settings from the file with the name filename.
  Please remember to use quotes if the filename contains spaces.

-password:"password"
  Optional. Specifies the password for encrypting and decrypting the shared secret during
  export and import, respectively. The password must contain at least 5 characters. This
  argument is only required if the exported/imported settings contain a shared secret.

-quiet
  Instructs the Configuration Tool to perform the requested action quietly, i.e. without
  any user interaction.
Examples:
Open the Configuration Tool and export all current settings to a file named
mySettings.xml. Encrypt the shared secret using the password 12345:
Config.exe -export:"mySettings.xml" -password:"12345"
Export all current settings to a file named mySettings.xml. Encrypt the shared secret using
the password 12345. Perform the action quietly, i.e. do not open the Configuration Tool:
Config.exe -export:"mySettings.xml" -password:"12345" -quiet
Open the Configuration Tool and import settings from a file named mySettings.xml.
Decrypt the shared secret using the password 12345:
Config.exe -import:"mySettings.xml" -password:"12345"
Please note that this will import the settings into the Configuration Tool user interface without
actually saving them. That is, you will have the chance to inspect all the imported settings
before clicking the Save button and applying the settings.
Import settings from a file named mySettings.xml. Decrypt the shared secret using the
password 12345. Perform the action quietly, i.e. do not open the Configuration Tool, but
instead apply all imported settings right away:
Config.exe -import:"mySettings.xml" -password:"12345" -quiet
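The quiet import above is what a login or startup script would run on each machine. The following PowerShell function is an added example, not code from the SMS PASSCODE guide; it assumes Config.exe is in the default installation folder named above, treats the SMSPC_IMPORT_PW environment variable as a hypothetical place to keep the password, and does not interpret the Config.exe exit code, which the guide does not document.

```powershell
# Added example, not from the SMS PASSCODE guide: a login/startup script step that
# applies an exported Configuration Tool settings file quietly with Config.exe.
# Assumptions: Config.exe is in the default installation folder named in the guide,
# and SMSPC_IMPORT_PW is a hypothetical environment variable holding the password;
# Config.exe exit codes are not documented on the page, so the value is returned
# but not interpreted.
function Import-SmsPasscodeSettings {
    param(
        [Parameter(Mandatory)] [string] $SettingsFile,  # file produced by Config.exe -export
        [string] $Password,                            # needed only if the file holds a shared secret
        [string] $ConfigExe = 'C:\Program Files\SMS PASSCODE\Config.exe'
    )
    if (-not (Test-Path -LiteralPath $ConfigExe)) {
        throw "Configuration Tool not found at '$ConfigExe'"
    }
    if (-not (Test-Path -LiteralPath $SettingsFile)) {
        throw "Settings file not found: '$SettingsFile'"
    }
    # The guide requires at least 5 characters for the encryption password.
    if ($Password -and $Password.Length -lt 5) {
        throw 'The -password value must contain at least 5 characters'
    }
    # Build the arguments in the syntax the guide documents:
    #   Config.exe -import:"filename" [-password:"password"] [-quiet]
    # The quotes keep file names with spaces intact.
    $argList = @("-import:`"$SettingsFile`"")
    if ($Password) { $argList += "-password:`"$Password`"" }
    $argList += '-quiet'   # apply the imported settings without opening the user interface

    $proc = Start-Process -FilePath $ConfigExe -ArgumentList $argList -Wait -PassThru -NoNewWindow
    return $proc.ExitCode
}

# The password is passed on the command line, so use a value chosen only for this
# export/import rather than a reused administrator password.
$code = Import-SmsPasscodeSettings -SettingsFile 'C:\Deploy\mySettings.xml' -Password $env:SMSPC_IMPORT_PW
Write-Host "Config.exe exited with code $code"
```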
13 ADD/REMOVE COMPONENTS
If you wish to add or remove some components from the SMS PASSCODE® installation, you can
always run the SMS PASSCODE® installation again – as often as you like. In this way you can add
or remove SMS PASSCODE® Authentication Clients.
You can also add or remove core components (Database Service, Web Administration
Interface, Transmitter Service, Load Balancing Service) in case of a Multi Server Installation.
To add/remove components, simply run the SMS PASSCODE® installation program again – just as
you would do during a first-time installation. You will notice that a different dialog is shown in this
case:
Please select Modify in this dialog and click the Next button. After this, follow the same procedure
as you did during first-time installation.
14 TROUBLESHOOTING
This section describes some common errors and the corresponding solutions:
No SMS is received during SMS PASSCODE® authentication:
Section 14.1 (page 232)
Error message “No mobile number for user” is shown during authentication:
Section 14.2 (page 233)
Component communication problems in a multi server setup:
Section 14.3 (page 236)
Active directory integration does not work as expected:
Section 14.4 (page 237)
14.1 SMS Transmission Problems
In case of SMS transmission issues, please always start by opening the Windows Event Viewer
and checking the SMS PASSCODE Transmission event log (a) to verify whether any SMS was
sent. Look for “Transmission events” (b). Also check whether any initialization errors have
occurred (c). In case of any error or warning events, please inspect these events for details.
The table below lists each problem, the corresponding error message in the SMS PASSCODE
Transmission event log, and the possible reasons:

Problem: SMS transmissions fail permanently
Event log message: Error during initialization of SMS Modem (COMx): ERROR: SMS modem not ready. (Event ID: 292) or Error during initialization of SMS Modem (COMx): Device not found on COMx. (Event ID: 292)
Possible reasons: No connection to the GSM modem due to one of the following:
  - GSM modem not powered on
  - GSM modem not connected to the COM port specified in the SMS PASSCODE setup
  - COM port is damaged
  - GSM modem is damaged

Problem: SMS transmissions fail permanently
Event log message: Error during initialization of SMS Modem (COMx): Port Open Failure (Event ID: 292)
Possible reasons: No connection to the GSM modem due to one of the following:
  - A different application is using the COM port specified in the SMS PASSCODE setup
  - COM port is damaged
  - The specified COM port does not exist

Problem: SMS transmissions fail permanently
Event log message: Error during initialization of SMS Modem (COMx): ERROR: Could not register PIN code. (Event ID: 292)
Possible reasons: Initialization of the GSM modem fails because an incorrect SIM PIN code has been entered. Please correct the PIN code in the SMS PASSCODE® Web Administration interface.

Problem: SMS transmissions fail permanently or periodically
Event log message: Error occured while trying to send SMS to +xxxxxxxx on COMx: ERROR (Fx): Unable to send SMS (Mobile: xxxxxxxx). Modem reply='xxxxxxx ERROR'. (Event ID: 10000)
Possible reasons: This could be due to a deactivated SIM card or insufficient GSM coverage. To determine the exact reason, please power off the GSM modem, pull out the SIM card and verify that it works (e.g. put it into a mobile phone and try to send an SMS). If the SIM card does not work in a mobile phone, replace it with another SIM card. If it works fine in a mobile phone, the problem is most probably insufficient GSM coverage. You can inspect the GSM signal strength on the Modem Monitoring page in the Web Administration Interface. In case of low signal strength, please try to move the GSM modem to a location with better GSM coverage or try a better antenna.

Problem: A specific user does not receive SMS, even though it is sent correctly according to the event log
Event log message: None
Possible reasons: The user’s mobile phone might not support flash SMS. Please try to disable flash SMS for this user (you can disable flash SMS for a specific user in the SMS PASSCODE® Web Administration interface).
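The troubleshooting table above can be turned into a first-pass triage step for the transmission event log. The function below is an added example, not code from the SMS PASSCODE guide; it assumes the event log is named "SMS PASSCODE Transmission" (the guide refers to it by that name but does not show the exact log name), and the sample events are constructed from the table's messages rather than captured from a real server.

```powershell
# Added example, not from the SMS PASSCODE guide: maps the transmission event log
# messages listed in the troubleshooting table to the possible causes the guide gives.
# Assumptions: the log name "SMS PASSCODE Transmission" is taken from the guide's
# wording, not verified; the sample messages below are constructed from the table.
function Get-SmsPasscodeTransmissionDiagnosis {
    param([int] $EventId, [string] $Message)
    switch ($EventId) {
        292 {
            # Initialization errors: three message variants are listed in the table.
            if ($Message -match 'SMS modem not ready|Device not found on COM') {
                return 'No connection to the GSM modem: check power, COM port cabling, the COM port or the modem itself'
            }
            if ($Message -match 'Port Open Failure') {
                return 'COM port is in use by another application, damaged, or does not exist'
            }
            if ($Message -match 'Could not register PIN code') {
                return 'Incorrect SIM PIN code; correct it in the Web Administration interface'
            }
            return 'Initialization error not covered by the table; inspect the event details'
        }
        10000 {
            if ($Message -match 'Unable to send SMS') {
                return 'Deactivated SIM card or insufficient GSM coverage; test the SIM in a phone and check signal strength on the Modem Monitoring page'
            }
            return 'Transmission error not covered by the table; inspect the event details'
        }
        default { return "Event ID $EventId is not covered by the troubleshooting table" }
    }
}

# Constructed sample events shaped like the table's messages (COM port, error code
# and mobile number are placeholders, as in the guide).
$samples = @(
    @{ Id = 292;   Msg = 'Error during initialization of SMS Modem (COM3): Port Open Failure' },
    @{ Id = 292;   Msg = 'Error during initialization of SMS Modem (COM3): ERROR: Could not register PIN code.' },
    @{ Id = 10000; Msg = "Error occured while trying to send SMS to +xxxxxxxx on COM3: ERROR (Fx): Unable to send SMS (Mobile: xxxxxxxx). Modem reply='xxxxxxx ERROR'." }
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f $s.Id, (Get-SmsPasscodeTransmissionDiagnosis -EventId $s.Id -Message $s.Msg)
}

# On a live server, read the real log instead (log name assumed, see above):
# Get-WinEvent -FilterHashtable @{ LogName = 'SMS PASSCODE Transmission'; Id = 292, 10000 } |
#     ForEach-Object { Get-SmsPasscodeTransmissionDiagnosis -EventId $_.Id -Message $_.Message }
```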
14.2 Error message “No mobile number for user” During Authentication
This error message is shown during authentication if a user who has not been created as an SMS
PASSCODE® user tries to authenticate. This might be due to different reasons:
1. The user has not been created:
o If users are created manually in the SMS PASSCODE® Web Administration interface,
please check whether the user in question is in fact present in the user list.
o If users are created using AD Integration, please check whether the user in question is in fact
present in the user list of the SMS PASSCODE® Web Administration interface. If the
user is not present, this is most probably due to one of the following reasons:
The user is not a member of the SMS PASSCODE® user group in AD
- or -
No mobile phone number or an invalid mobile number has been entered on the
user’s account in AD
2. The authentication client is sending an incorrect domain name:
o If you have enabled AD Integration and are not using UPN names, please
note that SMS PASSCODE will add the NETBIOS domain name in front of all user
names. Therefore, authentication will fail if the authentication client prepends the
user name with a different domain name, e.g. the DNS domain name. For all
authentication clients that automatically add a domain name, please ensure that
the NETBIOS domain name is the one added. If this is not possible, you could consider
changing the prepended domain name in the SMS PASSCODE® database using
Data Transformations (cf. section 0, page 149), or using the UPN format.
o The note above applies in particular to Citrix Web Interfaces. When configuring a
Citrix Web Interface and entering a fixed domain name or a list of fixed domain
names, please note that these must be NETBIOS domain names.
To check this, configure the authentication method “Explicit” of the Citrix Web
Interface. The following dialog box will appear. Click the button Settings…
A new dialog box appears. Check that the list of domain names contains only
NETBIOS domain names:
14.3 Component Communication Problems in a Multi Server Setup
If you are experiencing problems related to communication between components in a multi server
setup, please note the following requirements:
- All machines must run the same version of SMS PASSCODE®.
- All machines must be in multi server mode to communicate with each other correctly. You
can verify this by opening the SMS PASSCODE® Configuration Tool and inspecting the General tab
on each machine:
If any machine is in Single Server Installation mode, please switch it to Multi Server
Installation mode and restart the machine.
- The same shared secret must be entered on all machines.
- The TCP ports used for communication must be open between the different machines (please
read section 8.1, page 28, for TCP port details). If any default TCP port is changed to a
different port number during installation, then this port change must be performed on all
involved machines.
Diagnosing component communication
If you wish to check whether the communication between different machines works correctly, you
can test the communication using the SMS PASSCODE® Configuration Tool. The tabs Database
and SMS Transmission contain Test Connection buttons for diagnosing component
communication.
14.4 Active Directory Integration does not Work as Expected
It is recommended to install the SMS PASSCODE® Database service on a domain member server
or a domain controller. Enabling Active Directory Integration is very easy in this case, cf. section
12.1.12.
If Active Directory Integration does not work, please use the button Test AD authentication on the
AD Integration page of the SMS PASSCODE® Web Administration interface and check the result:
Common problems regarding Active Directory Integration:
Error message “AD group xxx not found”: Please verify that the group name is spelled
identically in the SMS PASSCODE® Web Administration interface and in the Active Directory.
Also, please ensure that the group has been replicated to the domain controller that SMS
PASSCODE® is connecting to.
A specific user is not synchronized to the SMS PASSCODE® Web Administration interface:
Please verify in AD that the user is a direct or indirect member of the SMS PASSCODE® AD
Group and that a valid mobile phone number has been entered on this user’s account.
No users are synchronized to the SMS PASSCODE® Web Administration interface when using
Global Catalog: Please ensure that the field containing the users’ mobile phone numbers is
replicated to the Global Catalog.
Confidential information
Please note that the information above is intended for SMS PASSCODE® customers and partners
only with the purpose of implementing and maintaining SMS PASSCODE®. Any other use needs to
be authorized by SMS PASSCODE A/S prior to disclosing information from this document.