Applies to: IDENTIKEY Server 3.4 - DAWL
KB 150103 – 28/06/2013 © 2013 VASCO Data Security. All rights reserved.
Page 1 of 5
KB 150103
How to speed up IDENTIKEY DNS lookup of the Windows Logon DAWL client on Windows 7?
Creation date: 27/05/2013 Last Review: 28/06/2013 Revision number: 2
Document type: How To Security status: EXTERNAL
Summary
This article will explain how DNS lookup is used in the DIGIPASS Authentication
Windows Logon (DAWL) client and how the lookup can be improved for Windows 7.
Details.
When configuring IDENTIKEY Server for use with DAWL, the default DAWL
configuration will resolve the IDENTIKEY Server using DNS Lookup.
IDENTIKEY Server can be configured to register itself (at startup) in the AD DNS
server, so that it can be resolved by the DAWL clients.
Below, you can see how IDENTIKEY Server appears in the DNS server:
In this example: _ikeyserver-seal._tcp.vdsi.local
When DAWL needs to find IDENTIKEY Server, it will use the following mechanisms in
this order:
1. Send the unqualified Multi-label name to the Microsoft DNS Client
2. Send the qualified Multi-label name to the Microsoft DNS Client
3. Use the Primary and Backup IP Address of the IDENTIKEY Server
1. DAWL sends the unqualified Multi-label name to the Microsoft DNS Client.
The DAWL client will add ._tcp to the DNS server service name (configured in the
DAWL client) and pass the DNS Request to the Microsoft DNS client.
Depending on the OS, the Microsoft DNS Client handles the DNS request slightly
differently.
1.1. On Windows XP
When a Windows XP machine attempts to resolve an unqualified multi-label
name, the DNS client will attempt to resolve the name as specified.
If this DNS Query fails, it will append the domains that are listed in the DNS
suffix search order.
So the DNS queries that are sent are:
• _ikserver-seal._tcp
• _ikserver-seal._tcp.vasco.local
(supposing that the DNS Suffix search list is Vasco.local)
On XP we should see something like this in a Wireshark trace:
1.2. On Windows 7 and Vista
When a Windows 7 (Vista) machine attempts to resolve an unqualified multi-
label name, the DNS client will attempt to resolve the name as specified. The
DNS suffix search order will NOT be used.
So the only DNS query that is sent is:
• _ikserver-seal._tcp
Remarks:
• When the IDENTIKEY Server cannot be found (DNS query fails), the DAWL client will try this mechanism a second time
(DAWL will send the same unqualified Multi-label name a second time to the
Microsoft DNS Client).
• The DNS Suffix Search List can be seen when you run ipconfig /all in a command prompt window:
When DHCP is used, the DNS Suffix Search List is filled in automatically.
When a fixed IP/DNS is used, the DNS Suffix Search List is configured in the
advanced internet protocol properties:
2. DAWL sends the qualified Multi-label name to the Microsoft DNS Client.
If IDENTIKEY Server is not found after step 1 described above, the DAWL client will
fall back to its back-up plan.
The DAWL client will combine the DNS suffix of the PC name with the “DNS server service
name” from the DAWL configuration and pass this DNS request to the Microsoft
DNS Client.
In our example: _ikeyserver-seal._tcp.vdsi.local
In case the PC is located in a sub domain, DAWL will also try to find IDENTIKEY
Server in the other domains of the domain tree.
E.g. if the PC is W7PC.sub2.sub1.mydomain.local, then DAWL will try:
• _ikeyserver-seal._tcp.sub2.sub1.mydomain.local
• _ikeyserver-seal._tcp.sub1.mydomain.local
• _ikeyserver-seal._tcp.mydomain.local
• _ikeyserver-seal._tcp.local
3. Use the Primary and Backup IP Address of the IDENTIKEY Server
If the IDENTIKEY Server cannot be resolved via DNS (steps 1 and 2 have failed),
DAWL will use the IP Addresses entered in the DAWL configuration.
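The three-step discovery order above, modelled as an added Python example (not VASCO code): the service name, host names and suffix list are the KB's own examples, the IP addresses are constructed, and the append_to_multilabel flag stands for the Windows 7 policy enabled in the Problem Solution below.

```python
"""Model of the order in which the DAWL client looks for IDENTIKEY Server.
Added example, not VASCO code: it reproduces the query sequence this KB
describes so the names can be checked against a Wireshark trace or DNS log."""


def step1_unqualified(service, suffix_list, append_to_multilabel):
    """Step 1: DAWL hands '<service>._tcp' (unqualified, multi-label) to the
    Microsoft DNS client and repeats the attempt once if it fails. Windows XP,
    or Windows 7 with 'Allow DNS Suffix Appending to Unqualified Multi-Label
    Name Queries' enabled, also appends the DNS suffix search list; default
    Windows 7 and Vista send only the name as given."""
    name = f"{service}._tcp"
    attempt = [name]
    if append_to_multilabel:
        attempt += [f"{name}.{suffix}" for suffix in suffix_list]
    return attempt * 2  # the whole attempt is made a second time


def step2_qualified(service, pc_fqdn):
    """Step 2 (back-up plan): qualify the name with the PC's own DNS suffix,
    then walk up the domain tree one label at a time."""
    domain_labels = pc_fqdn.split(".")[1:]  # drop the host label
    return [f"{service}._tcp.{'.'.join(domain_labels[i:])}"
            for i in range(len(domain_labels))]


def find_server(dns_records, service, pc_fqdn, suffix_list,
                append_to_multilabel, primary_ip, backup_ip):
    """Return (step, hit): the first step at which the server is found.
    dns_records: set of SRV owner names registered in AD DNS (lower-case)."""
    steps = ((1, step1_unqualified(service, suffix_list, append_to_multilabel)),
             (2, step2_qualified(service, pc_fqdn)))
    for step, queries in steps:
        for query in queries:
            if query.lower() in dns_records:
                return step, query
    return 3, [primary_ip, backup_ip]  # step 3: configured addresses, primary first


if __name__ == "__main__":
    # Constructed sample: the record IDENTIKEY Server registers at startup
    # (the KB's example name) and a PC in the same domain.
    records = {"_ikeyserver-seal._tcp.vdsi.local"}
    for label, policy in (("Windows XP", True), ("Windows 7 default", False),
                          ("Windows 7 + policy", True)):
        print(label, find_server(records, "_ikeyserver-seal", "w7pc.vdsi.local",
                                 ["vdsi.local"], policy, "10.0.0.5", "10.0.0.6"))
```

Running it shows the KB's point: with the default Windows 7 behaviour the server is only found in step 2, while XP or Windows 7 with the policy enabled resolve it in step 1.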
Problem Solution.
As explained above, DNS resolution of IDENTIKEY Server will fail in step 1 on a
Windows 7 machine.
To speed up DNS discovery on a Windows 7 machine, apply the setting described in:
http://blogs.technet.com/b/networking/archive/2009/04/16/dns-client-name-resolution-behavior-in-windows-vista-vs-windows-xp.aspx
As explained in the article, run gpedit.msc, then enable:
Computer Configuration -> Administrative Templates -> Network -> DNS Client ->
“Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries”
In regedit you should see:
When this registry key is set, IDENTIKEY Server should be resolved in step 1 and
no longer by the DAWL back-up plan (step 2) explained above.
This can also be set in the group policy on the domain level: