
KB 120217 - VASCO · Applies to : DIGIPASS Plugin for SBR; IDENTIKEY Authentication Server KB...

Date post: 02-Oct-2018
Upload: ngotuyen

Applies to: DIGIPASS Plugin for SBR; IDENTIKEY Authentication Server

KB 120217 – 15/03/2016 © 2016 VASCO Data Security. All rights reserved.

KB 120217

User attributes are not accessible after upgrade from DIGIPASS Plug-in for SBR with AD data store to IAS with AD data store.

Creation date: 15/03/2016 Last Review: 15/03/2016 Revision number: 1

Summary

After an upgrade from DIGIPASS Plug-in for SBR (AD integrated) to IDENTIKEY Authentication Server (IAS) (AD integrated), DIGIPASS User Attributes become unusable. The User Attributes are no longer returned in the RADIUS Access-Accept, and they cannot be accessed or edited in the IAS ADUC Extension.

Problem symptoms / details.

When you try to access the User Attributes in the IAS ADUC extension, you get the error “Failed to get the user attributes”.

Document type: Known-Issue Security status: EXTERNAL


The cause is that IAS expects a different syntax for the user attributes than was used in the DIGIPASS Plug-In for SBR.

Problem Solution.

The syntax needs to be modified to make the User Attributes compatible with IAS. For a limited number of User Attributes, this can be done using the Microsoft tool ADSIEdit. If you have a larger number of User Attributes to adapt, this can be done in bulk with a freeware tool.

• The term Return in Plugin for SBR must be changed to Reply for IAS.

• The start of an attribute is indicated with 1$, 2$, … in Plugin for SBR; for IAS you have to add the corresponding 1$, 2$, … to terminate the attribute.

Modify the syntax with ADSIEdit.

Open the properties of the user with ADSIEdit and edit the attribute vasco-Profiles.

In our example, we have a Reply User Attribute and a Profile User Attribute:

• $RADIUS$1$Reply-Message$Return$replymessage created in SBR plugin$2015/12/23 11:06:43$2015/12/23 11:06:43

Change to: $RADIUS$1$Reply-Message$Reply$replymessage created in SBR plugin$1$2015/12/23 11:06:43$2015/12/23 11:06:43

Return is changed into Reply, and 1$ is added (analogous to the 1$ just after $RADIUS$).

• $RADIUS$2$SBR$Profile$SBRPROFILE$2015/12/23 11:07:11$2015/12/23 11:07:11

Change to: $RADIUS$2$SBR$Profile$SBRPROFILE$2$2015/12/23 11:07:11$2015/12/23 11:07:11

2$ is added (analogous to the 2$ just after $RADIUS$).

Modify the syntax in bulk

We used a freeware tool to modify the User Attributes in bulk:

http://www.wisesoft.co.uk/software/bulkadusers/default.aspx

The way to use the tool depends on the question:

1. do all users have the same attributes (or are there a limited number of large groups that each have the same attributes)


or

2. do all users have different attributes

1. All users have the same attributes

In this case, the tool allows you to select a group of users and replace the existing attribute with a new value (following the syntax for IAS). You have to log on with an Active Directory administrator account.

• Log on to Active Directory with an administrator account.

• You can get the users you want to manipulate by choosing them by OUs, groups or even queries. You can also delete users from the list if you want to exclude them.

• You then go to the “bulk modify” button, the “Other” tab and choose from the dropdown the attribute you want to change.


• Choose Replace as the option, enter the value you want and press the “Add” button.

Then press “Update”.


• You now see a progress bar and, at the end, a report. You can choose a log file if you want to roll back and undo the changes recorded in that log file.

2. All users have different attributes

In this case, it cannot be done in bulk. The tool allows you to export attributes to a CSV file; in the CSV file, make the necessary modifications to the syntax of the attributes and then import the CSV file to apply the modifications in Active Directory.

• Modify the properties to load in the grid (add the vasco-Profiles)

• Then export to csv file:

• Now we have a CSV text file, which is easier to manipulate to make the vasco-Profiles attribute compliant with the new IAS syntax:


• Use option CSV Update:

• Select to update only the vasco-Profiles attribute


• Result:
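
The CSV edit described above (Return changed to Reply, and the index repeated after the value) can be scripted before the file is re-imported. The following is an added example, not code from VASCO or from the bulk tool. It assumes one vasco-Profiles entry per CSV cell, attribute values that contain no "$", and a constructed column layout (sAMAccountName, vasco-Profiles) with constructed user names.

```python
import csv
import io

def convert_entry(entry: str) -> str:
    """Rewrite one vasco-Profiles entry from Plug-in for SBR syntax to IAS syntax."""
    parts = entry.split("$")
    if len(parts) < 8 or parts[0] != "" or parts[1] != "RADIUS" or not parts[2].isdigit():
        raise ValueError(f"unrecognised vasco-Profiles entry: {entry!r}")
    index = parts[2]
    # Already converted: 9 fields, index repeated after the value, no "Return".
    if len(parts) == 9 and parts[6] == index and parts[4] != "Return":
        return entry
    if len(parts) != 8:  # assumption: the value itself contains no "$"
        raise ValueError(f"ambiguous vasco-Profiles entry, fix by hand: {entry!r}")
    _, _, _, name, usage, value, created, modified = parts
    if usage == "Return":  # "Return" in Plug-in for SBR becomes "Reply" in IAS
        usage = "Reply"
    # Repeat the index after the value to terminate the attribute.
    return "$".join(["", "RADIUS", index, name, usage, value, index, created, modified])

def convert_csv(text: str, column: str = "vasco-Profiles"):
    """Return (converted CSV text, number of rows changed)."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    changed = 0
    for row in reader:
        old = row[column]
        if old:  # users without the attribute are passed through untouched
            row[column] = convert_entry(old)
            changed += row[column] != old
        writer.writerow(row)
    return out.getvalue(), changed

# Constructed sample export; the column layout and user names are assumptions.
SAMPLE_CSV = (
    "sAMAccountName,vasco-Profiles\n"
    "alice,$RADIUS$1$Reply-Message$Return$replymessage created in SBR plugin"
    "$2015/12/23 11:06:43$2015/12/23 11:06:43\n"
    "bob,$RADIUS$2$SBR$Profile$SBRPROFILE$2015/12/23 11:07:11$2015/12/23 11:07:11\n"
    "carol,\n"
    "dave,$RADIUS$2$SBR$Profile$SBRPROFILE$2$2015/12/23 11:07:11$2015/12/23 11:07:11\n"
)

if __name__ == "__main__":
    converted, changed = convert_csv(SAMPLE_CSV)
    print(converted)
    print(f"{changed} row(s) changed")
```

Entries already in IAS form are returned unchanged, so the script can be re-run on a partly converted export; entries it cannot parse raise an error instead of being guessed at.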

